Switch to using officially support constants, now part of pyOpenSSL's public

API. The cryptography APIs we were previously using were not supported and aren't available in all releases.
2024-12-19 04:57:54 +00:00 · 2023-06-01 17:27:21 -04:00 · 2023-06-01 17:27:21 -04:00 · 96670ded65
commit 96670ded65
parent d510103f96
3 changed files with 8 additions and 12 deletions
--- a/newsfragments/3998.minor
+++ b/newsfragments/3998.minor
--- a/setup.py
+++ b/setup.py
@ -63,11 +63,10 @@ install_requires = [
    #   Twisted[conch] also depends on cryptography and Twisted[tls]
    #   transitively depends on cryptography.  So it's anyone's guess what
    #   version of cryptography will *really* be installed.
+    "cryptography >= 2.6",

-    # * cryptography 40 broke constants we need; should really be using them
-    # * via pyOpenSSL; will be fixed in
-    # * https://github.com/pyca/pyopenssl/issues/1201
-    "cryptography >= 2.6, < 40",
+    # * Used for custom HTTPS validation
+    "pyOpenSSL >= 23.2.0",

    # * The SFTP frontend depends on Twisted 11.0.0 to fix the SSH server
    #   rekeying bug <https://twistedmatrix.com/trac/ticket/4395>
--- a/src/allmydata/storage/http_client.py
+++ b/src/allmydata/storage/http_client.py
@ -46,7 +46,6 @@ import treq
 from treq.client import HTTPClient
 from treq.testing import StubTreq
 from OpenSSL import SSL
-from cryptography.hazmat.bindings.openssl.binding import Binding
 from werkzeug.http import parse_content_range_header

 from .http_common import (
@ -60,8 +59,6 @@ from .common import si_b2a, si_to_human_readable
 from ..util.hashutil import timing_safe_compare
 from ..util.deferredutil import async_to_deferred

-_OPENSSL = Binding().lib
-

 def _encode_si(si):  # type: (bytes) -> str
    """Encode the storage index into Unicode string."""
@ -256,11 +253,11 @@ class _TLSContextFactory(CertificateOptions):
            # not the usual TLS concerns about invalid CAs or revoked
            # certificates.
            things_are_ok = (
-                _OPENSSL.X509_V_OK,
-                _OPENSSL.X509_V_ERR_CERT_NOT_YET_VALID,
-                _OPENSSL.X509_V_ERR_CERT_HAS_EXPIRED,
-                _OPENSSL.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
-                _OPENSSL.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
+                SSL.X509VerificationCodes.OK,
+                SSL.X509VerificationCodes.ERR_CERT_NOT_YET_VALID,
+                SSL.X509VerificationCodes.ERR_CERT_HAS_EXPIRED,
+                SSL.X509VerificationCodes.ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
+                SSL.X509VerificationCodes.ERR_SELF_SIGNED_CERT_IN_CHAIN,
            )
            # TODO can we do this once instead of multiple times?
            if errno in things_are_ok and timing_safe_compare(