Fix legacy crypto support for OpenSSL 3 (#61)

Closes #60

.github/workflows/ci.yml

@@ -166,8 +166,8 @@ jobs:
  - name: Run test suite
  run: python run.py ci-driver
 
- build-ubuntu-openssl3:
- name: Python ${{ matrix.python }} on (Docker) ubuntu-22.04 x64
+ build-ubuntu-openssl3-py3:
+ name: Python 3 on (Docker) ubuntu-22.04 x64
  runs-on: ubuntu-latest
  container: ubuntu:22.04
  steps:
@@ -181,6 +181,22 @@ jobs:
  - name: Run test suite (cffi)
  run: python run.py ci-driver cffi
 
+ build-ubuntu-openssl3-py2:
+ name: Python 2 on (Docker) ubuntu-22.04 x64
+ runs-on: ubuntu-latest
+ container: ubuntu:22.04
+ steps:
+ - uses: actions/checkout@master
+ - name: Install Python and OpenSSL
+ run: DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends python2 python-setuptools openssl curl ca-certificates git
+ - name: Install dependencies
+ run: python2 run.py deps
+ - name: Run test suite
+ run: python2 run.py ci-driver
+ - name: Run test suite (cffi)
+ run: python2 run.py ci-driver cffi
+
+
  build-ubuntu-old:
  name: Python ${{ matrix.python }} on ubuntu-18.04 x64
  runs-on: ubuntu-18.04

oscrypto/_openssl/_libcrypto.py

@@ -44,9 +44,11 @@
 # like PKCS12
 libcrypto_legacy_support = True
 if libcrypto_version_info >= (3, ):
- if libcrypto.OSSL_PROVIDER_available(null(), "legacy".encode("ascii")):
- libcrypto.OSSL_PROVIDER_load(null(), "legacy".encode("ascii"))
- else:
+
+ libcrypto.OSSL_PROVIDER_load(null(), "legacy".encode("ascii"))
+ libcrypto.OSSL_PROVIDER_load(null(), "default".encode("ascii"))
+
+ if libcrypto.OSSL_PROVIDER_available(null(), "legacy".encode("ascii")) == 0:
  libcrypto_legacy_support = False
 
 

tests/__init__.py

@@ -139,6 +139,7 @@ def test_classes():
  from .test_symmetric import SymmetricTests
  from .test_trust_list import TrustListTests
  from .test_init import InitTests
+ from .test_legacy_module import LegacyProviderTests
 
  test_classes = [
  KDFTests,
@@ -147,6 +148,7 @@ def test_classes():
  SymmetricTests,
  TrustListTests,
  InitTests,
+ LegacyProviderTests,
  ]
  if not os.environ.get('OSCRYPTO_SKIP_INTERNET_TESTS'):
  from .test_tls import TLSTests

tests/test_legacy_module.py

@@ -0,0 +1,55 @@
+# coding: utf-8
+from __future__ import unicode_literals, division, absolute_import, print_function
+
+from oscrypto import backend
+
+from ._unittest_compat import patch
+from .unittest_data import data_decorator
+
+import sys
+import unittest
+
+patch()
+
+if sys.version_info < (3,):
+ byte_cls = str
+else:
+ byte_cls = bytes
+
+_backend = backend()
+
+if _backend == 'openssl':
+ from oscrypto._openssl._libcrypto import libcrypto_legacy_support, libcrypto
+ supports_legacy = libcrypto_legacy_support
+
+ from oscrypto._openssl._libcrypto_ctypes import version_info
+ from oscrypto._ffi import null
+
+
+@data_decorator
+class LegacyProviderTests(unittest.TestCase):
+
+ # OSSL_PROVIDER_available and the legacy provider only exist since OpenSSL 3
+
+ def test_checkLegacy(self):
+ if (_backend != 'openssl' or version_info < (3, )):
+ if (sys.version_info < (2, 7)):
+ # Python 2.6 doesn't support "skipTest", so just return
+ return
+ self.skipTest("This test only makes sense with OpenSSL 3")
+
+ # OSSL_PROVIDER_available does NOT express if a provider can be loaded.
+ # It expresses if a provider has been loaded and can be used.
+
+ is_avail = libcrypto.OSSL_PROVIDER_available(null(), "legacy".encode("ascii"))
+ self.assertEqual(is_avail, libcrypto_legacy_support, "legacy provider loaded but libcrypto claims it's not")
+
+ if not is_avail:
+ # Currently not loaded. See if we can load it
+ # If we can (if "is_avail" is true after this), then oscrypto should have automatically loaded it
+ # to allow the user to use legacy encryptions.
+ libcrypto.OSSL_PROVIDER_load(null(), "legacy".encode("ascii"))
+ libcrypto.OSSL_PROVIDER_load(null(), "default".encode("ascii"))
+ is_avail = libcrypto.OSSL_PROVIDER_available(null(), "legacy".encode("ascii"))
+
+ self.assertEqual(is_avail, libcrypto_legacy_support, "legacy provider should have been loaded")