Prepare backports for 42.0.6 release (#10929)

* Upgrade openssl package for libressl 3.9.1 support

* Ensure a good error message when cffi module fails to import

* CHANGELOG

* Bump version for 42.0.6 release

* It's not FIPS anymore

* Resolve new clippy warnings (#10755)

The fixes themselves are of marginal value 🙃

* fix warning from latest nightly rust (#10486)

* fix warning from latest nightly rust

* Update lib.rs

Author: alex

.github/workflows/ci.yml

@@ -42,6 +42,7 @@ jobs:
           - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}}
           - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
           # Latest commit on the BoringSSL master branch, as of Jan 23, 2024.
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a4c3f8de4406c2382e43e88a638882fb1a32da32"}}

CHANGELOG.rst

@@ -1,6 +1,13 @@
 Changelog
 =========
 
+.. _v42-0-6:
+
+42.0.6 - 2024-05-04
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed compilation when using LibreSSL 3.9.1.
+
 .. _v42-0-5:
 
 42.0.5 - 2024-02-23

pyproject.toml

@@ -12,7 +12,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cryptography"
-version = "42.0.5"
+version = "42.0.6"
 authors = [
     {name = "The Python Cryptographic Authority and individual contributors", email = "[email protected]"}
 ]

src/cryptography/__about__.py

@@ -10,7 +10,7 @@
     "__copyright__",
 ]
 
-__version__ = "42.0.5"
+__version__ = "42.0.6"
 
 
 __author__ = "The Python Cryptographic Authority and individual contributors"

src/cryptography/hazmat/backends/openssl/backend.py

@@ -535,20 +535,12 @@ def dh_x942_serialization_supported(self) -> bool:
         return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1
 
     def x25519_supported(self) -> bool:
-        # Beginning with OpenSSL 3.2.0, X25519 is considered FIPS.
-        if (
-            self._fips_enabled
-            and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER
-        ):
+        if self._fips_enabled:
             return False
         return True
 
     def x448_supported(self) -> bool:
-        # Beginning with OpenSSL 3.2.0, X448 is considered FIPS.
-        if (
-            self._fips_enabled
-            and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER
-        ):
+        if self._fips_enabled:
             return False
         return (
             not self._lib.CRYPTOGRAPHY_IS_LIBRESSL

src/rust/Cargo.lock

@@ -27,7 +27,7 @@ pub fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::types::PyMod
     // SAFETY: `PyInit__openssl` returns an owned reference.
     let openssl_mod = unsafe {
         let ptr = PyInit__openssl();
-        pyo3::types::PyModule::from_owned_ptr(py, ptr)
+        pyo3::types::PyModule::from_owned_ptr_or_err(py, ptr)?
     };
 
     Ok(openssl_mod)

src/rust/cryptography-cffi/src/lib.rs

@@ -3,6 +3,7 @@
 // for complete details.
 
 #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)]
+#![allow(unknown_lints, non_local_definitions)]
 
 use crate::error::CryptographyResult;
 #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]

src/rust/src/lib.rs

@@ -455,11 +455,18 @@ fn try_map_arc_data_mut_crl_iterator<E>(
     ) -> Result<crl::RevokedCertificate<'this>, E>,
 ) -> Result<OwnedRevokedCertificate, E> {
     OwnedRevokedCertificate::try_new(Arc::clone(it.borrow_owner()), |inner_it| {
-        // SAFETY: This is safe because `Arc::clone` ensures the data is
-        // alive, but Rust doesn't understand the lifetime relationship it
-        // produces. Open-coded implementation of the API discussed in
-        // https://github.com/joshua-maros/ouroboros/issues/38
-        it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) }))
+        it.with_dependent_mut(|_, value| {
+            // SAFETY: This is safe because `Arc::clone` ensures the data is
+            // alive, but Rust doesn't understand the lifetime relationship it
+            // produces. Open-coded implementation of the API discussed in
+            // https://github.com/joshua-maros/ouroboros/issues/38
+            f(inner_it, unsafe {
+                std::mem::transmute::<
+                    &mut Option<asn1::SequenceOf<'_, crl::RevokedCertificate<'_>>>,
+                    &mut Option<asn1::SequenceOf<'_, crl::RevokedCertificate<'_>>>,
+                >(value)
+            })
+        })
     })
 }
 

src/rust/src/x509/crl.rs

@@ -418,7 +418,11 @@ fn map_arc_data_ocsp_response(
             // alive, but Rust doesn't understand the lifetime relationship it
             // produces. Open-coded implementation of the API discussed in
             // https://github.com/joshua-maros/ouroboros/issues/38
-            f(inner_it.as_bytes(py), unsafe { std::mem::transmute(value) })
+            f(inner_it.as_bytes(py), unsafe {
+                std::mem::transmute::<&ocsp_resp::OCSPResponse<'_>, &ocsp_resp::OCSPResponse<'_>>(
+                    value,
+                )
+            })
         })
     })
 }
@@ -430,11 +434,18 @@ fn try_map_arc_data_mut_ocsp_response_iterator<E>(
     ) -> Result<ocsp_resp::SingleResponse<'this>, E>,
 ) -> Result<OwnedSingleResponse, E> {
     OwnedSingleResponse::try_new(Arc::clone(it.borrow_owner()), |inner_it| {
-        // SAFETY: This is safe because `Arc::clone` ensures the data is
-        // alive, but Rust doesn't understand the lifetime relationship it
-        // produces. Open-coded implementation of the API discussed in
-        // https://github.com/joshua-maros/ouroboros/issues/38
-        it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) }))
+        it.with_dependent_mut(|_, value| {
+            // SAFETY: This is safe because `Arc::clone` ensures the data is
+            // alive, but Rust doesn't understand the lifetime relationship it
+            // produces. Open-coded implementation of the API discussed in
+            // https://github.com/joshua-maros/ouroboros/issues/38
+            f(inner_it, unsafe {
+                std::mem::transmute::<
+                    &mut asn1::SequenceOf<'_, ocsp_resp::SingleResponse<'_>>,
+                    &mut asn1::SequenceOf<'_, ocsp_resp::SingleResponse<'_>>,
+                >(value)
+            })
+        })
     })
 }
 

src/rust/src/x509/ocsp_resp.rs

@@ -6,4 +6,4 @@
     "__version__",
 ]
 
-__version__ = "42.0.5"
+__version__ = "42.0.6"

vectors/cryptography_vectors/__about__.py

@@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi"
 
 [project]
 name = "cryptography_vectors"
-version = "42.0.5"
+version = "42.0.6"
 authors = [
     {name = "The Python Cryptographic Authority and individual contributors", email = "[email protected]"}
 ]