updates

Backend/venv/lib/python3.12/site-packages/cryptography/hazmat/bindings/openssl/_conditional.py

@@ -4,17 +4,15 @@
 
 from __future__ import annotations
 
-import typing
 
-
-def cryptography_has_set_cert_cb() -> typing.List[str]:
+def cryptography_has_set_cert_cb() -> list[str]:
     return [
         "SSL_CTX_set_cert_cb",
         "SSL_set_cert_cb",
     ]
 
 
-def cryptography_has_ssl_st() -> typing.List[str]:
+def cryptography_has_ssl_st() -> list[str]:
     return [
         "SSL_ST_BEFORE",
         "SSL_ST_OK",
@@ -23,72 +21,20 @@ def cryptography_has_ssl_st() -> typing.List[str]:
     ]
 
 
-def cryptography_has_tls_st() -> typing.List[str]:
+def cryptography_has_tls_st() -> list[str]:
     return [
         "TLS_ST_BEFORE",
         "TLS_ST_OK",
     ]
 
 
-def cryptography_has_evp_pkey_dhx() -> typing.List[str]:
-    return [
-        "EVP_PKEY_DHX",
-    ]
-
-
-def cryptography_has_mem_functions() -> typing.List[str]:
-    return [
-        "Cryptography_CRYPTO_set_mem_functions",
-    ]
-
-
-def cryptography_has_x509_store_ctx_get_issuer() -> typing.List[str]:
-    return [
-        "X509_STORE_set_get_issuer",
-    ]
-
-
-def cryptography_has_ed448() -> typing.List[str]:
-    return [
-        "EVP_PKEY_ED448",
-        "NID_ED448",
-    ]
-
-
-def cryptography_has_ed25519() -> typing.List[str]:
-    return [
-        "NID_ED25519",
-        "EVP_PKEY_ED25519",
-    ]
-
-
-def cryptography_has_poly1305() -> typing.List[str]:
-    return [
-        "NID_poly1305",
-        "EVP_PKEY_POLY1305",
-    ]
-
-
-def cryptography_has_evp_digestfinal_xof() -> typing.List[str]:
-    return [
-        "EVP_DigestFinalXOF",
-    ]
-
-
-def cryptography_has_fips() -> typing.List[str]:
-    return [
-        "FIPS_mode_set",
-        "FIPS_mode",
-    ]
-
-
-def cryptography_has_ssl_sigalgs() -> typing.List[str]:
+def cryptography_has_ssl_sigalgs() -> list[str]:
     return [
         "SSL_CTX_set1_sigalgs_list",
     ]
 
 
-def cryptography_has_psk() -> typing.List[str]:
+def cryptography_has_psk() -> list[str]:
     return [
         "SSL_CTX_use_psk_identity_hint",
         "SSL_CTX_set_psk_server_callback",
@@ -96,7 +42,7 @@ def cryptography_has_psk() -> typing.List[str]:
     ]
 
 
-def cryptography_has_psk_tlsv13() -> typing.List[str]:
+def cryptography_has_psk_tlsv13() -> list[str]:
     return [
         "SSL_CTX_set_psk_find_session_callback",
         "SSL_CTX_set_psk_use_session_callback",
@@ -108,7 +54,7 @@ def cryptography_has_psk_tlsv13() -> typing.List[str]:
     ]
 
 
-def cryptography_has_custom_ext() -> typing.List[str]:
+def cryptography_has_custom_ext() -> list[str]:
     return [
         "SSL_CTX_add_client_custom_ext",
         "SSL_CTX_add_server_custom_ext",
@@ -116,10 +62,15 @@ def cryptography_has_custom_ext() -> typing.List[str]:
     ]
 
 
-def cryptography_has_tlsv13_functions() -> typing.List[str]:
+def cryptography_has_tlsv13_functions() -> list[str]:
+    return [
+        "SSL_CTX_set_ciphersuites",
+    ]
+
+
+def cryptography_has_tlsv13_hs_functions() -> list[str]:
     return [
         "SSL_VERIFY_POST_HANDSHAKE",
-        "SSL_CTX_set_ciphersuites",
         "SSL_verify_client_post_handshake",
         "SSL_CTX_set_post_handshake_auth",
         "SSL_set_post_handshake_auth",
@@ -130,16 +81,13 @@ def cryptography_has_tlsv13_functions() -> typing.List[str]:
     ]
 
 
-def cryptography_has_raw_key() -> typing.List[str]:
+def cryptography_has_ssl_verify_client_post_handshake() -> list[str]:
     return [
-        "EVP_PKEY_new_raw_private_key",
-        "EVP_PKEY_new_raw_public_key",
-        "EVP_PKEY_get_raw_private_key",
-        "EVP_PKEY_get_raw_public_key",
+        "SSL_verify_client_post_handshake",
     ]
 
 
-def cryptography_has_engine() -> typing.List[str]:
+def cryptography_has_engine() -> list[str]:
     return [
         "ENGINE_by_id",
         "ENGINE_init",
@@ -158,13 +106,13 @@ def cryptography_has_engine() -> typing.List[str]:
     ]
 
 
-def cryptography_has_verified_chain() -> typing.List[str]:
+def cryptography_has_verified_chain() -> list[str]:
     return [
         "SSL_get0_verified_chain",
     ]
 
 
-def cryptography_has_srtp() -> typing.List[str]:
+def cryptography_has_srtp() -> list[str]:
     return [
         "SSL_CTX_set_tlsext_use_srtp",
         "SSL_set_tlsext_use_srtp",
@@ -172,36 +120,19 @@ def cryptography_has_srtp() -> typing.List[str]:
     ]
 
 
-def cryptography_has_providers() -> typing.List[str]:
-    return [
-        "OSSL_PROVIDER_load",
-        "OSSL_PROVIDER_unload",
-        "ERR_LIB_PROV",
-        "PROV_R_WRONG_FINAL_BLOCK_LENGTH",
-        "PROV_R_BAD_DECRYPT",
-    ]
-
-
-def cryptography_has_op_no_renegotiation() -> typing.List[str]:
+def cryptography_has_op_no_renegotiation() -> list[str]:
     return [
         "SSL_OP_NO_RENEGOTIATION",
     ]
 
 
-def cryptography_has_dtls_get_data_mtu() -> typing.List[str]:
+def cryptography_has_dtls_get_data_mtu() -> list[str]:
     return [
         "DTLS_get_data_mtu",
     ]
 
 
-def cryptography_has_300_fips() -> typing.List[str]:
-    return [
-        "EVP_default_properties_is_fips_enabled",
-        "EVP_default_properties_enable_fips",
-    ]
-
-
-def cryptography_has_ssl_cookie() -> typing.List[str]:
+def cryptography_has_ssl_cookie() -> list[str]:
     return [
         "SSL_OP_COOKIE_EXCHANGE",
         "DTLSv1_listen",
@@ -210,67 +141,28 @@ def cryptography_has_ssl_cookie() -> typing.List[str]:
     ]
 
 
-def cryptography_has_pkcs7_funcs() -> typing.List[str]:
+def cryptography_has_prime_checks() -> list[str]:
     return [
-        "SMIME_write_PKCS7",
-        "PEM_write_bio_PKCS7_stream",
-        "PKCS7_sign_add_signer",
-        "PKCS7_final",
-        "PKCS7_verify",
-        "SMIME_read_PKCS7",
-        "PKCS7_get0_signers",
-    ]
-
-
-def cryptography_has_bn_flags() -> typing.List[str]:
-    return [
-        "BN_FLG_CONSTTIME",
-        "BN_set_flags",
         "BN_prime_checks_for_size",
     ]
 
 
-def cryptography_has_evp_pkey_dh() -> typing.List[str]:
-    return [
-        "EVP_PKEY_set1_DH",
-    ]
-
-
-def cryptography_has_300_evp_cipher() -> typing.List[str]:
-    return ["EVP_CIPHER_fetch", "EVP_CIPHER_free"]
-
-
-def cryptography_has_unexpected_eof_while_reading() -> typing.List[str]:
+def cryptography_has_unexpected_eof_while_reading() -> list[str]:
     return ["SSL_R_UNEXPECTED_EOF_WHILE_READING"]
 
 
-def cryptography_has_pkcs12_set_mac() -> typing.List[str]:
-    return ["PKCS12_set_mac"]
-
-
-def cryptography_has_ssl_op_ignore_unexpected_eof() -> typing.List[str]:
+def cryptography_has_ssl_op_ignore_unexpected_eof() -> list[str]:
     return [
         "SSL_OP_IGNORE_UNEXPECTED_EOF",
     ]
 
 
-def cryptography_has_get_extms_support() -> typing.List[str]:
+def cryptography_has_get_extms_support() -> list[str]:
     return ["SSL_get_extms_support"]
 
 
-def cryptography_has_evp_pkey_set_peer_ex() -> typing.List[str]:
-    return ["EVP_PKEY_derive_set_peer_ex"]
-
-
-def cryptography_has_evp_aead() -> typing.List[str]:
-    return [
-        "EVP_aead_chacha20_poly1305",
-        "EVP_AEAD_CTX_free",
-        "EVP_AEAD_CTX_seal",
-        "EVP_AEAD_CTX_open",
-        "EVP_AEAD_max_overhead",
-        "Cryptography_EVP_AEAD_CTX_new",
-    ]
+def cryptography_has_ssl_get0_group_name() -> list[str]:
+    return ["SSL_get0_group_name"]
 
 
 # This is a mapping of
@@ -282,48 +174,34 @@ CONDITIONAL_NAMES = {
     "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb,
     "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st,
     "Cryptography_HAS_TLS_ST": cryptography_has_tls_st,
-    "Cryptography_HAS_EVP_PKEY_DHX": cryptography_has_evp_pkey_dhx,
-    "Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions,
-    "Cryptography_HAS_X509_STORE_CTX_GET_ISSUER": (
-        cryptography_has_x509_store_ctx_get_issuer
-    ),
-    "Cryptography_HAS_ED448": cryptography_has_ed448,
-    "Cryptography_HAS_ED25519": cryptography_has_ed25519,
-    "Cryptography_HAS_POLY1305": cryptography_has_poly1305,
-    "Cryptography_HAS_FIPS": cryptography_has_fips,
     "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs,
     "Cryptography_HAS_PSK": cryptography_has_psk,
     "Cryptography_HAS_PSK_TLSv1_3": cryptography_has_psk_tlsv13,
     "Cryptography_HAS_CUSTOM_EXT": cryptography_has_custom_ext,
     "Cryptography_HAS_TLSv1_3_FUNCTIONS": cryptography_has_tlsv13_functions,
-    "Cryptography_HAS_RAW_KEY": cryptography_has_raw_key,
-    "Cryptography_HAS_EVP_DIGESTFINAL_XOF": (
-        cryptography_has_evp_digestfinal_xof
+    "Cryptography_HAS_TLSv1_3_HS_FUNCTIONS": (
+        cryptography_has_tlsv13_hs_functions
+    ),
+    "Cryptography_HAS_SSL_VERIFY_CLIENT_POST_HANDSHAKE": (
+        cryptography_has_ssl_verify_client_post_handshake
     ),
     "Cryptography_HAS_ENGINE": cryptography_has_engine,
     "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
     "Cryptography_HAS_SRTP": cryptography_has_srtp,
-    "Cryptography_HAS_PROVIDERS": cryptography_has_providers,
     "Cryptography_HAS_OP_NO_RENEGOTIATION": (
         cryptography_has_op_no_renegotiation
     ),
     "Cryptography_HAS_DTLS_GET_DATA_MTU": cryptography_has_dtls_get_data_mtu,
-    "Cryptography_HAS_300_FIPS": cryptography_has_300_fips,
     "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie,
-    "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs,
-    "Cryptography_HAS_BN_FLAGS": cryptography_has_bn_flags,
-    "Cryptography_HAS_EVP_PKEY_DH": cryptography_has_evp_pkey_dh,
-    "Cryptography_HAS_300_EVP_CIPHER": cryptography_has_300_evp_cipher,
+    "Cryptography_HAS_PRIME_CHECKS": cryptography_has_prime_checks,
     "Cryptography_HAS_UNEXPECTED_EOF_WHILE_READING": (
         cryptography_has_unexpected_eof_while_reading
     ),
-    "Cryptography_HAS_PKCS12_SET_MAC": cryptography_has_pkcs12_set_mac,
     "Cryptography_HAS_SSL_OP_IGNORE_UNEXPECTED_EOF": (
         cryptography_has_ssl_op_ignore_unexpected_eof
     ),
     "Cryptography_HAS_GET_EXTMS_SUPPORT": cryptography_has_get_extms_support,
-    "Cryptography_HAS_EVP_PKEY_SET_PEER_EX": (
-        cryptography_has_evp_pkey_set_peer_ex
+    "Cryptography_HAS_SSL_GET0_GROUP_NAME": (
+        cryptography_has_ssl_get0_group_name
     ),
-    "Cryptography_HAS_EVP_AEAD": (cryptography_has_evp_aead),
 }

Backend/venv/lib/python3.12/site-packages/cryptography/hazmat/bindings/openssl/binding.py

@@ -10,21 +10,18 @@ import threading
 import types
 import typing
 import warnings
+from collections.abc import Callable
 
 import cryptography
 from cryptography.exceptions import InternalError
 from cryptography.hazmat.bindings._rust import _openssl, openssl
 from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
+from cryptography.utils import CryptographyDeprecationWarning
 
 
-def _openssl_assert(
-    lib,
-    ok: bool,
-    errors: typing.Optional[typing.List[openssl.OpenSSLError]] = None,
-) -> None:
+def _openssl_assert(ok: bool) -> None:
     if not ok:
-        if errors is None:
-            errors = openssl.capture_error_stack()
+        errors = openssl.capture_error_stack()
 
         raise InternalError(
             "Unknown OpenSSL error. This error is commonly encountered when "
@@ -33,25 +30,14 @@ def _openssl_assert(
             "OpenSSL try disabling it before reporting a bug. Otherwise "
             "please file an issue at https://github.com/pyca/cryptography/"
             "issues with information on how to reproduce "
-            "this. ({!r})".format(errors),
+            f"this. ({errors!r})",
             errors,
         )
 
 
-def _legacy_provider_error(loaded: bool) -> None:
-    if not loaded:
-        raise RuntimeError(
-            "OpenSSL 3.0's legacy provider failed to load. This is a fatal "
-            "error by default, but cryptography supports running without "
-            "legacy algorithms by setting the environment variable "
-            "CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error,"
-            " you have likely made a mistake with your OpenSSL configuration."
-        )
-
-
 def build_conditional_library(
     lib: typing.Any,
-    conditional_names: typing.Dict[str, typing.Callable[[], typing.List[str]]],
+    conditional_names: dict[str, Callable[[], list[str]]],
 ) -> typing.Any:
     conditional_lib = types.ModuleType("lib")
     conditional_lib._original_lib = lib  # type: ignore[attr-defined]
@@ -72,33 +58,14 @@ class Binding:
     OpenSSL API wrapper.
     """
 
-    lib: typing.ClassVar = None
+    lib: typing.ClassVar[typing.Any] = None
     ffi = _openssl.ffi
     _lib_loaded = False
     _init_lock = threading.Lock()
-    _legacy_provider: typing.Any = ffi.NULL
-    _legacy_provider_loaded = False
-    _default_provider: typing.Any = ffi.NULL
 
     def __init__(self) -> None:
         self._ensure_ffi_initialized()
 
-    def _enable_fips(self) -> None:
-        # This function enables FIPS mode for OpenSSL 3.0.0 on installs that
-        # have the FIPS provider installed properly.
-        _openssl_assert(self.lib, self.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)
-        self._base_provider = self.lib.OSSL_PROVIDER_load(
-            self.ffi.NULL, b"base"
-        )
-        _openssl_assert(self.lib, self._base_provider != self.ffi.NULL)
-        self.lib._fips_provider = self.lib.OSSL_PROVIDER_load(
-            self.ffi.NULL, b"fips"
-        )
-        _openssl_assert(self.lib, self.lib._fips_provider != self.ffi.NULL)
-
-        res = self.lib.EVP_default_properties_enable_fips(self.ffi.NULL, 1)
-        _openssl_assert(self.lib, res == 1)
-
     @classmethod
     def _ensure_ffi_initialized(cls) -> None:
         with cls._init_lock:
@@ -107,27 +74,6 @@ class Binding:
                     _openssl.lib, CONDITIONAL_NAMES
                 )
                 cls._lib_loaded = True
-                # As of OpenSSL 3.0.0 we must register a legacy cipher provider
-                # to get RC2 (needed for junk asymmetric private key
-                # serialization), RC4, Blowfish, IDEA, SEED, etc. These things
-                # are ugly legacy, but we aren't going to get rid of them
-                # any time soon.
-                if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
-                    if not os.environ.get("CRYPTOGRAPHY_OPENSSL_NO_LEGACY"):
-                        cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
-                            cls.ffi.NULL, b"legacy"
-                        )
-                        cls._legacy_provider_loaded = (
-                            cls._legacy_provider != cls.ffi.NULL
-                        )
-                        _legacy_provider_error(cls._legacy_provider_loaded)
-
-                    cls._default_provider = cls.lib.OSSL_PROVIDER_load(
-                        cls.ffi.NULL, b"default"
-                    )
-                    _openssl_assert(
-                        cls.lib, cls._default_provider != cls.ffi.NULL
-                    )
 
     @classmethod
     def init_static_locks(cls) -> None:
@@ -151,13 +97,11 @@ def _verify_package_version(version: str) -> None:
             "shared object. This can happen if you have multiple copies of "
             "cryptography installed in your Python path. Please try creating "
             "a new virtual environment to resolve this issue. "
-            "Loaded python version: {}, shared object version: {}".format(
-                version, so_package_version
-            )
+            f"Loaded python version: {version}, "
+            f"shared object version: {so_package_version}"
         )
 
     _openssl_assert(
-        _openssl.lib,
         _openssl.lib.OpenSSL_version_num() == openssl.openssl_version(),
     )
 
@@ -177,3 +121,17 @@ if (
         UserWarning,
         stacklevel=2,
     )
+
+if (
+    not openssl.CRYPTOGRAPHY_IS_LIBRESSL
+    and not openssl.CRYPTOGRAPHY_IS_BORINGSSL
+    and not openssl.CRYPTOGRAPHY_IS_AWSLC
+    and not openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+):
+    warnings.warn(
+        "You are using OpenSSL < 3.0. Support for OpenSSL < 3.0 is deprecated "
+        "and will be removed in the next release. Please upgrade to OpenSSL "
+        "3.0 or later.",
+        CryptographyDeprecationWarning,
+        stacklevel=2,
+    )