repair CI (#1116)

* repair CI

* more fixes

* pypy39 requires latest cryptography

* Apply suggestions from code review

Co-authored-by: Alex Gaynor <[email protected]>

* use constant

* bump minimum version

* remove unneeded try

* fix

Co-authored-by: Alex Gaynor <[email protected]>

Author: reaperhulk

.github/workflows/ci.yml

@@ -23,15 +23,14 @@ jobs:
           - {VERSION: "3.8", TOXENV: "py38-cryptographyMain"}
           - {VERSION: "3.9", TOXENV: "py39-cryptographyMain"}
           - {VERSION: "3.10", TOXENV: "py310-cryptographyMain"}
-          - {VERSION: "pypy-3.7", TOXENV: "pypy3-cryptographyMain"}
           - {VERSION: "pypy-3.8", TOXENV: "pypy3-cryptographyMain"}
+          - {VERSION: "pypy-3.9", TOXENV: "pypy3-cryptographyMain"}
           # -cryptographyMinimum
           - {VERSION: "3.6", TOXENV: "py36-cryptographyMinimum"}
           - {VERSION: "3.7", TOXENV: "py37-cryptographyMinimum"}
           - {VERSION: "3.8", TOXENV: "py38-cryptographyMinimum"}
           - {VERSION: "3.9", TOXENV: "py39-cryptographyMinimum"}
           - {VERSION: "3.10", TOXENV: "py310-cryptographyMinimum"}
-          - {VERSION: "pypy-3.7", TOXENV: "pypy3-cryptographyMinimum"}
           - {VERSION: "pypy-3.8", TOXENV: "pypy3-cryptographyMinimum"}
           # Cryptography wheels
           - {VERSION: "3.9", TOXENV: "py39-cryptographyMinimum-useWheel"}
@@ -42,7 +41,6 @@ jobs:
           - {VERSION: "3.7", TOXENV: "py37-twistedTrunk"}
           # Meta
           - {VERSION: "3.9", TOXENV: "check-manifest"}
-          - {VERSION: "3.9", TOXENV: "pypi-readme"}
           - {VERSION: "3.9", TOXENV: "flake8"}
           - {VERSION: "3.9", TOXENV: "docs"}
     name: "${{ matrix.PYTHON.TOXENV }}"
@@ -69,11 +67,11 @@ jobs:
         TEST:
           - {CONTAINER: "ubuntu-bionic", TOXENV: "py36"}
           # cryptographyMain used since there's no wheel
-          - {CONTAINER: "ubuntu-rolling", TOXENV: "py39-cryptographyMain"}
+          - {CONTAINER: "ubuntu-rolling", TOXENV: "py310-cryptographyMain"}
     name: "${{ matrix.TEST.TOXENV }} on ${{ matrix.TEST.CONTAINER }}"
     steps:
       - uses: actions/checkout@v3
-      - run: tox -v
+      - run: /venv/bin/tox -v
         env:
           TOXENV: ${{ matrix.TEST.TOXENV }}
           RUSTUP_HOME: /root/.rustup

CHANGELOG.rst

@@ -11,6 +11,7 @@ Backward-incompatible changes:
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 - Remove support for SSLv2 and SSLv3.
+- The minimum ``cryptography`` version is now 37.0.2.
 
 Deprecations:
 ^^^^^^^^^^^^^

setup.py

@@ -96,7 +96,7 @@ def find_meta(meta):
         package_dir={"": "src"},
         install_requires=[
             # Fix cryptographyMinimum in tox.ini when changing this!
-            "cryptography>=35.0",
+            "cryptography>=37.0.2",
         ],
         extras_require={
             "test": ["flaky", "pretend", "pytest>=3.0.1"],

src/OpenSSL/SSL.py

@@ -1685,6 +1685,24 @@ def _raise_ssl_error(self, ssl, result):
             else:
                 # TODO: This is untested.
                 _raise_current_error()
+        elif error == _lib.SSL_ERROR_SSL and _lib.ERR_peek_error() != 0:
+            # In 3.0.x an unexpected EOF no longer triggers syscall error
+            # but we want to maintain compatibility so we check here and
+            # raise syscall if it is an EOF. Since we're not actually sure
+            # what else could raise SSL_ERROR_SSL we check for the presence
+            # of the OpenSSL 3 constant SSL_R_UNEXPECTED_EOF_WHILE_READING
+            # and if it's not present we just raise an error, which matches
+            # the behavior before we added this elif section
+            peeked_error = _lib.ERR_peek_error()
+            reason = _lib.ERR_GET_REASON(peeked_error)
+            if _lib.Cryptography_HAS_UNEXPECTED_EOF_WHILE_READING:
+                _openssl_assert(
+                    reason == _lib.SSL_R_UNEXPECTED_EOF_WHILE_READING
+                )
+                _lib.ERR_clear_error()
+                raise SysCallError(-1, "Unexpected EOF")
+            else:
+                _raise_current_error()
         elif error == _lib.SSL_ERROR_NONE:
             pass
         else:

tests/test_crypto.py

@@ -2077,8 +2077,8 @@ def test_nullbyte_subjectAltName(self):
             b"DNS:altnull.python.org\x00example.com, "
             b"email:[email protected]\x00[email protected], "
             b"URI:http://null.python.org\x00http://example.org, "
-            b"IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n"
-            == str(ext).encode("ascii")
+            b"IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1"
+            == str(ext).encode("ascii").strip()
         )
 
     def test_invalid_digest_algorithm(self):
@@ -4090,7 +4090,11 @@ def test_untrusted_self_signed(self):
         with pytest.raises(X509StoreContextError) as exc:
             store_ctx.verify_certificate()
 
-        assert exc.value.args[0][2] == "self signed certificate"
+        # OpenSSL 1.1.x and 3.0.x have different error messages
+        assert exc.value.args[0][2] in [
+            "self signed certificate",
+            "self-signed certificate",
+        ]
         assert exc.value.certificate.get_subject().CN == "Testing Root CA"
 
     def test_invalid_chain_no_root(self):

tests/test_ssl.py

@@ -517,15 +517,20 @@ def test_set_cipher_list_no_cipher_match(self, context):
         """
         with pytest.raises(Error) as excinfo:
             context.set_cipher_list(b"imaginary-cipher")
-        assert excinfo.value.args == (
-            [
-                (
-                    "SSL routines",
-                    "SSL_CTX_set_cipher_list",
-                    "no cipher match",
-                )
-            ],
-        )
+        assert excinfo.value.args[0][0] in [
+            # 1.1.x
+            (
+                "SSL routines",
+                "SSL_CTX_set_cipher_list",
+                "no cipher match",
+            ),
+            # 3.0.x
+            (
+                "SSL routines",
+                "",
+                "no cipher match",
+            ),
+        ]
 
     def test_load_client_ca(self, context, ca_file):
         """
@@ -564,13 +569,20 @@ def test_set_session_id_fail(self, context):
         with pytest.raises(Error) as e:
             context.set_session_id(b"abc" * 1000)
 
-        assert [
+        assert e.value.args[0][0] in [
+            # 1.1.x
             (
                 "SSL routines",
                 "SSL_CTX_set_session_id_context",
                 "ssl session id context too long",
-            )
-        ] == e.value.args[0]
+            ),
+            # 3.0.x
+            (
+                "SSL routines",
+                "",
+                "ssl session id context too long",
+            ),
+        ]
 
     def test_set_session_id_unicode(self, context):
         """

tox.ini

@@ -1,5 +1,5 @@
 [tox]
-envlist = {pypy,pypy3,py36,py37,py38,py39,py310}{,-cryptographyMain,-cryptographyMinimum}{,-useWheel}{,-randomorder},py37-twistedTrunk,pypi-readme,check-manifest,flake8,docs,coverage-report
+envlist = {pypy,pypy3,py36,py37,py38,py39,py310}{,-cryptographyMain,-cryptographyMinimum}{,-useWheel}{,-randomorder},py37-twistedTrunk,check-manifest,flake8,docs,coverage-report
 
 [testenv]
 whitelist_externals =
@@ -10,7 +10,7 @@ extras =
 deps =
     coverage>=4.2
     cryptographyMain: git+https://github.com/pyca/cryptography.git
-    cryptographyMinimum: cryptography==35.0
+    cryptographyMinimum: cryptography==37.0.2
     randomorder: pytest-randomly
 setenv =
     # Do not allow the executing environment to pollute the test environment
@@ -44,13 +44,6 @@ commands =
     black --check .
     flake8 .
 
-[testenv:pypi-readme]
-deps =
-    readme_renderer
-skip_install = true
-commands =
-    python setup.py check -r -s
-
 [testenv:check-manifest]
 deps =
     check-manifest