fixes pyca#11450 -- warn on legacy provider load

enable disabling the legacy provider entirely

Author: alex

Diff for: .github/workflows/ci.yml

@@ -36,6 +36,7 @@ jobs:
           - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.4"}}
           - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.3"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.4", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.4", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "0"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.4", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}}
           - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.8"}}
           - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.4"}}

Diff for: CHANGELOG.rst

@@ -35,6 +35,13 @@ Changelog
   :meth:`VerifiedClient.subject <cryptography.x509.verification.VerifiedClient.subjects>`
   property can now be `None` since a custom extension policy may allow certificates
   without a Subject Alternative Name extension.
+* Changed the behavior when the OpenSSL 3 legacy provider fails to load.
+  Instead of raising an exception, a warning is now emitted. The
+  ``CRYPTOGRAPHY_OPENSSL_NO_LEGACY`` environment variable can still be used to
+  disable the legacy provider at runtime.
+* Added support for the ``CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY`` environment
+  variable during build time, which prevents the library from ever attempting
+  to load the legacy provider.
 
 .. _v44-0-2:
 

Diff for: docs/openssl.rst

@@ -41,5 +41,11 @@ disable the legacy provider in OpenSSL 3.x. This will disable legacy
 cryptographic algorithms, including ``Blowfish``, ``CAST5``, ``SEED``,
 ``ARC4``, and ``RC2`` (which is used by some encrypted serialization formats).
 
+Additionally, the ``CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY`` environment variable
+can be set during the build process to prevent the library from ever attempting
+to load the legacy provider.
+
+If loading the legacy provider is not disabled and the legacy provider fails to
+load, a warning is emitted.
 
 .. _`OpenSSL`: https://www.openssl.org/

Diff for: src/rust/Cargo.toml

@@ -33,4 +33,4 @@ name = "cryptography_rust"
 crate-type = ["cdylib"]
 
 [lints.rust]
-unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_330_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4"))'] }
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_330_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4"))'] }

Diff for: src/rust/build.rs

@@ -34,6 +34,11 @@ fn main() {
         println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL");
     }
 
+    if env::var("CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY").map_or(false, |v| !v.is_empty() && v != "0")
+    {
+        println!("cargo:rustc-cfg=CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY");
+    }
+
     if let Ok(vars) = env::var("DEP_OPENSSL_CONF") {
         for var in vars.split(',') {
             println!("cargo:rustc-cfg=CRYPTOGRAPHY_OSSLCONF=\"{var}\"");

Diff for: src/rust/src/lib.rs

@@ -12,8 +12,10 @@ use std::env;
 use openssl::provider;
 
 #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
-use crate::error::CryptographyResult;
+use pyo3::PyTypeInfo;
 
+#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
+use crate::error::CryptographyResult;
 mod asn1;
 mod backend;
 mod buf;
@@ -53,19 +55,27 @@ fn is_fips_enabled() -> bool {
 }
 
 #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
-fn _initialize_providers() -> CryptographyResult<LoadedProviders> {
+fn _initialize_providers(py: pyo3::Python<'_>) -> CryptographyResult<LoadedProviders> {
     // As of OpenSSL 3.0.0 we must register a legacy cipher provider
     // to get RC2 (needed for junk asymmetric private key
     // serialization), RC4, Blowfish, IDEA, SEED, etc. These things
     // are ugly legacy, but we aren't going to get rid of them
     // any time soon.
-    let load_legacy = env::var("CRYPTOGRAPHY_OPENSSL_NO_LEGACY")
-        .map(|v| v.is_empty() || v == "0")
-        .unwrap_or(true);
+
+    let load_legacy = !cfg!(CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY)
+        && !env::var("CRYPTOGRAPHY_OPENSSL_NO_LEGACY").map_or(false, |v| !v.is_empty() && v != "0");
+
     let legacy = if load_legacy {
         let legacy_result = provider::Provider::load(None, "legacy");
-        _legacy_provider_error(legacy_result.is_ok())?;
-        Some(legacy_result?)
+        if legacy_result.is_err() {
+            let message = crate::utils::cstr_from_literal!("OpenSSL 3's legacy provider failed to load. Legacy algorithms will not be available. If you need those algorithms, check your OpenSSL configuration.");
+            let warning_cls = pyo3::exceptions::PyWarning::type_object(py).into_any();
+            pyo3::PyErr::warn(py, &warning_cls, message, 1)?;
+
+            None
+        } else {
+            Some(legacy_result?)
+        }
     } else {
         None
     };
@@ -77,15 +87,6 @@ fn _initialize_providers() -> CryptographyResult<LoadedProviders> {
     })
 }
 
-fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> {
-    if !success {
-        return Err(pyo3::exceptions::PyRuntimeError::new_err(
-            "OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration."
-        ));
-    }
-    Ok(())
-}
-
 #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
 #[pyo3::pyfunction]
 fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> {
@@ -224,7 +225,7 @@ mod _rust {
 
             cfg_if::cfg_if! {
                 if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] {
-                    let providers = super::super::_initialize_providers()?;
+                    let providers = super::super::_initialize_providers(openssl_mod.py())?;
                     if providers.legacy.is_some() {
                         openssl_mod.add("_legacy_provider_loaded", true)?;
                     } else {
@@ -262,14 +263,3 @@ mod _rust {
         Ok(())
     }
 }
-
-#[cfg(test)]
-mod tests {
-    use super::_legacy_provider_error;
-
-    #[test]
-    fn test_legacy_provider_error() {
-        assert!(_legacy_provider_error(true).is_ok());
-        assert!(_legacy_provider_error(false).is_err());
-    }
-}