[44.0.x] backports for libressl 4.1.0 support release#12848
Merged
reaperhulk merged 7 commits intopyca:44.0.xfrom May 2, 2025
Merged
[44.0.x] backports for libressl 4.1.0 support release#12848reaperhulk merged 7 commits intopyca:44.0.xfrom
reaperhulk merged 7 commits intopyca:44.0.xfrom
Conversation
* attempt to fix wycheproof in CI on centos stream9 skip RSA PSS with SHA224 * Update test_rsa.py * Update backend.py * fix * make OpenSSL 3.5 FIPS work This replaces the rsa_pss_cert.pem with a new one that uses a salt length matching the digest length (previously it was max length) * simplify * comment * fix * update with new wycheproof --------- Co-authored-by: Alex Gaynor <[email protected]>
Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.107 to 0.9.108. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-sys-v0.9.107...openssl-sys-v0.9.108) --- updated-dependencies: - dependency-name: openssl-sys dependency-version: 0.9.108 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR backports updates for LibreSSL 4.1.0 support and bumps the version from 44.0.2 to 44.0.3. Key changes include:
- Updating version numbers in various project files and metadata.
- Adjusting RSA PSS padding parameters in tests and backend to adhere to FIPS 186-4 requirements.
- Updating CI workflows and dependency configurations to include LibreSSL 4.1.0.
Reviewed Changes
Copilot reviewed 13 out of 15 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| vectors/pyproject.toml | Version bump from 44.0.2 to 44.0.3 |
| vectors/cryptography_vectors/about.py | Version bump from 44.0.2 to 44.0.3 |
| tests/x509/test_x509.py | Update expected salt length in PSS tests and refactor redundant PSS instantiation |
| tests/wycheproof/test_rsa.py | Update FIPS-related parameter checks and skip conditions for PSS signatures |
| tests/hazmat/primitives/test_rsa.py | Rename and adjust parameters for PSS tests for improved clarity and FIPS compliance |
| tests/hazmat/backends/test_openssl.py | Adjust PSS instantiation to use proper hash algorithm and salt length |
| src/cryptography/hazmat/backends/openssl/backend.py | Update FIPS check logic for PSS salt length |
| src/cryptography/about.py and pyproject.toml | Version bump consistency across files |
| Cargo.toml | Add dependencies for openssl and openssl-sys to support new backend requirements |
| .github/workflows/ci.yml | Update CI to include tests for LibreSSL 4.1.0 and OpenSSL 3.5.0 |
| .github/actions/fetch-vectors/action.yml | Update wycheproof reference to a newer commit |
Files not reviewed (2)
- CHANGELOG.rst: Language not supported
- vectors/cryptography_vectors/x509/custom/rsa_pss_cert.pem: Language not supported
Comments suppressed due to low confidence (1)
tests/hazmat/primitives/test_rsa.py:1219
- Changing from PSS.MAX_LENGTH to PSS.DIGEST_LENGTH aligns the test with FIPS 186-4 requirements. Please verify that this change is intentional and consistent with the expected behavior of the backend.
salt_length=padding.PSS.DIGEST_LENGTH,
* Update test_x448.py * Update test_x25519.py * Update test_x25519.py * Update test_x448.py
reaperhulk
approved these changes
May 2, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fixes #12822