Raise cryptography version and prepare the 24.3.0 release

CHANGELOG.rst

@@ -4,7 +4,7 @@ Changelog
 Versions are year-based with a strict backward-compatibility policy.
 The third digit is only for regressions.
 
-24.3.0 (UNRELEASED)
+24.3.0 (2024-11-27)
 -------------------
 
 Backward-incompatible changes:
@@ -25,6 +25,7 @@ Deprecations:
 Changes:
 ^^^^^^^^
 
+- ``cryptography`` maximum version has been increased to 44.0.x.
 * ``OpenSSL.SSL.Connection.get_certificate``, ``OpenSSL.SSL.Connection.get_peer_certificate``, ``OpenSSL.SSL.Connection.get_peer_cert_chain``, and ``OpenSSL.SSL.Connection.get_verified_chain`` now take an ``as_cryptography`` keyword-argument. When ``True`` is passed then ``cryptography.x509.Certificate`` are returned, instead of ``OpenSSL.crypto.X509``. In the future, passing ``False`` (the default) will be deprecated.
 
 

setup.py

@@ -94,7 +94,7 @@ def find_meta(meta):
         packages=find_packages(where="src"),
         package_dir={"": "src"},
         install_requires=[
-            "cryptography>=41.0.5,<44",
+            "cryptography>=41.0.5,<45",
         ],
         extras_require={
             "test": ["pytest-rerunfailures", "pretend", "pytest>=3.0.1"],

src/OpenSSL/SSL.py

@@ -4,11 +4,12 @@
 import socket
 import typing
 import warnings
+from collections.abc import Sequence
 from errno import errorcode
 from functools import partial, wraps
 from itertools import chain, count
 from sys import platform
-from typing import Any, Callable, List, Optional, Sequence, TypeVar
+from typing import Any, Callable, Optional, TypeVar
 from weakref import WeakValueDictionary
 
 from cryptography import x509
@@ -288,7 +289,7 @@ class _NoOverlappingProtocols:
 _ALPNSelectCallback = Callable[
     [
         "Connection",
-        typing.Union[List[bytes], _NoOverlappingProtocols],
+        typing.Union[list[bytes], _NoOverlappingProtocols],
     ],
     None,
 ]
@@ -766,7 +767,7 @@ def _asFileDescriptor(obj: Any) -> int:
         raise TypeError("argument must be an int, or have a fileno() method.")
     elif fd < 0:
         raise ValueError(
-            "file descriptor cannot be a negative integer (%i)" % (fd,)
+            f"file descriptor cannot be a negative integer ({fd:i})"
         )
 
     return fd
@@ -1952,19 +1953,17 @@ def _raise_ssl_error(self, ssl: Any, result: int) -> None:
             # TODO: This is untested.
             raise WantX509LookupError()
         elif error == _lib.SSL_ERROR_SYSCALL:
-            if _lib.ERR_peek_error() == 0:
-                if result < 0:
-                    if platform == "win32":
-                        errno = _ffi.getwinerror()[0]
-                    else:
-                        errno = _ffi.errno
-
-                    if errno != 0:
-                        raise SysCallError(errno, errorcode.get(errno))
-                raise SysCallError(-1, "Unexpected EOF")
-            else:
-                # TODO: This is untested.
-                _raise_current_error()
+            if result < 0:
+                if platform == "win32":
+                    errno = _ffi.getwinerror()[0]
+                else:
+                    errno = _ffi.errno
+
+                if errno != 0:
+                    _lib.ERR_clear_error()
+                    raise SysCallError(errno, errorcode.get(errno))
+            _lib.ERR_clear_error()
+            raise SysCallError(-1, "Unexpected EOF")
         elif error == _lib.SSL_ERROR_SSL and _lib.ERR_peek_error() != 0:
             # In 3.0.x an unexpected EOF no longer triggers syscall error
             # but we want to maintain compatibility so we check here and

src/OpenSSL/_util.py

@@ -1,7 +1,7 @@
 import os
 import sys
 import warnings
-from typing import Any, Callable, NoReturn, Type, Union
+from typing import Any, Callable, NoReturn, Union
 
 from cryptography.hazmat.bindings.openssl.binding import Binding
 
@@ -31,7 +31,7 @@ def text(charp: Any) -> str:
     return ffi.string(charp).decode("utf-8")
 
 
-def exception_from_error_queue(exception_type: Type[Exception]) -> NoReturn:
+def exception_from_error_queue(exception_type: type[Exception]) -> NoReturn:
     """
     Convert an OpenSSL library failure into a Python exception.
 
@@ -57,7 +57,7 @@ def exception_from_error_queue(exception_type: Type[Exception]) -> NoReturn:
     raise exception_type(errors)
 
 
-def make_assert(error: Type[Exception]) -> Callable[[bool], Any]:
+def make_assert(error: type[Exception]) -> Callable[[bool], Any]:
     """
     Create an assert function that uses :func:`exception_from_error_queue` to
     raise an exception wrapped by *error*.

src/OpenSSL/crypto.py

@@ -6,13 +6,12 @@
 import typing
 import warnings
 from base64 import b16encode
+from collections.abc import Iterable, Sequence
 from functools import partial
 from os import PathLike
 from typing import (
     Any,
     Callable,
-    Iterable,
-    Sequence,
     Union,
 )
 

src/OpenSSL/version.py

@@ -17,7 +17,7 @@
     "__version__",
 ]
 
-__version__ = "24.2.1"
+__version__ = "24.3.0"
 
 __title__ = "pyOpenSSL"
 __uri__ = "https://pyopenssl.org/"