Clean up OpenSSL code

README.md

@@ -8,7 +8,7 @@
 - python3-gi-cairo
 - gir1.2-gtk-3.0 (>=3.22)
 - python3-nbxmpp (>=0.9.90.4)
-- python3-openssl (>=0.14)
+- python3-openssl (>=16.2)
 - python3-cssutils (>=1.0.2)
 - python3-keyring
 - python3-precis-i18n

gajim/common/connection.py

@@ -1170,17 +1170,6 @@ class Connection(CommonConnection, ConnectionHandlers):
             app.nec.push_incoming_event(OurShowEvent(None, conn=self,
                 show='offline'))
             return False
-        if _con_type in ('tls', 'ssl') and con.Connection.ssl_lib != 'PYOPENSSL' \
-        and app.config.get_per('accounts', self.name,
-        'warn_when_insecure_ssl_connection') and \
-        not self.connection_auto_accepted:
-            # Pyopenssl is not used
-            app.nec.push_incoming_event(
-                NetworkEvent('insecure-ssl-connection',
-                             conn=self,
-                             xmpp_client=con,
-                             conn_type=_con_type))
-            return True
         return self.connection_accepted(con, con_type)
 
     def connection_accepted(self, con, con_type):

gajim/common/jingle_content.py

@@ -230,12 +230,8 @@ class JingleContent:
                 configpaths.get('MY_CERT'), SELF_SIGNED_CERTIFICATE) + '.cert'
             cert = load_cert_file(certpath)
             if cert:
-                try:
+                digest_algo = (cert.get_signature_algorithm()
-                    digest_algo = (cert.get_signature_algorithm()
+                               .decode('utf-8').split('With')[0])
-                                   .decode('utf-8').split('With')[0])
-                except AttributeError:
-                    # Old py-OpenSSL is missing get_signature_algorithm
-                    digest_algo = "sha256"
                 security.addChild('fingerprint').addData(cert.digest(
                     digest_algo).decode('utf-8'))
                 for m in ('x509', ): # supported authentication methods

gajim/common/jingle_ft.py

@@ -116,12 +116,11 @@ class JingleFileTransfer(JingleContent):
             State.CAND_SENT_AND_RECEIVED : StateCandSentAndRecv(self)
         }
 
-        if jingle_xtls.PYOPENSSL_PRESENT:
+        cert_name = os.path.join(configpaths.get('MY_CERT'),
-            cert_name = os.path.join(configpaths.get('MY_CERT'),
+                                 jingle_xtls.SELF_SIGNED_CERTIFICATE)
-                                     jingle_xtls.SELF_SIGNED_CERTIFICATE)
+        if not (os.path.exists(cert_name + '.cert')
-            if not (os.path.exists(cert_name + '.cert')
+                and os.path.exists(cert_name + '.pkey')):
-                    and os.path.exists(cert_name + '.pkey')):
+            jingle_xtls.make_certs(cert_name, 'gajim')
-                jingle_xtls.make_certs(cert_name, 'gajim')
 
     def __state_changed(self, nextstate, args=None):
         # Executes the next state action and sets the next state

gajim/common/jingle_xtls.py

@@ -15,15 +15,14 @@
 import logging
 import os
 
+from OpenSSL import SSL, crypto
+
 import nbxmpp
 from gajim.common import app
 from gajim.common import configpaths
 
 log = logging.getLogger('gajim.c.jingle_xtls')
 
-
-PYOPENSSL_PRESENT = False
-
 # key-exchange id -> [callback, args], accept that session once key-exchange completes
 pending_contents = {}
 
@@ -36,16 +35,8 @@ def approve_pending_content(id_):
     args = pending_contents[id_][1]
     cb(*args)
 
-try:
+TYPE_RSA = crypto.TYPE_RSA
-    import OpenSSL.SSL
+TYPE_DSA = crypto.TYPE_DSA
-    PYOPENSSL_PRESENT = True
-except ImportError:
-    log.info("PyOpenSSL not available")
-
-if PYOPENSSL_PRESENT:
-    from OpenSSL import SSL, crypto
-    TYPE_RSA = crypto.TYPE_RSA
-    TYPE_DSA = crypto.TYPE_DSA
 
 SELF_SIGNED_CERTIFICATE = 'localcert'
 DH_PARAMS = 'dh_params.pem'
@@ -76,13 +67,12 @@ def load_cert_file(cert_path, cert_store=None):
         elif 'END CERTIFICATE' in line and begin > -1:
             cert = ''.join(lines[begin:i+2])
             try:
-                x509cert = OpenSSL.crypto.load_certificate(
+                x509cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
-                    OpenSSL.crypto.FILETYPE_PEM, cert)
                 if cert_store:
                     cert_store.add_cert(x509cert)
                 f.close()
                 return x509cert
-            except OpenSSL.crypto.Error as exception_obj:
+            except crypto.Error as exception_obj:
                 log.warning('Unable to load a certificate from file %s: %s',
                             cert_path, exception_obj.args[0][0][2])
             except Exception:
@@ -190,12 +180,8 @@ def check_cert(jid, fingerprint):
     if os.path.exists(certpath):
         cert = load_cert_file(certpath)
         if cert:
-            try:
+            digest_algo = cert.get_signature_algorithm().decode('utf-8')\
-                digest_algo = cert.get_signature_algorithm().decode('utf-8').\
+                    .split('With')[0]
-                    split('With')[0]
-            except AttributeError:
-                # Old py-OpenSSL is missing get_signature_algorithm
-                digest_algo = "sha256"
             if cert.digest(digest_algo) == fingerprint:
                 return True
     return False

setup.cfg

@@ -24,7 +24,7 @@ install_requires =
     keyring
     nbxmpp>=0.9.90.4
     precis-i18n>=1.0.0
-    pyOpenSSL>=0.12
+    pyOpenSSL>=16.2
 
 [options.package_data]
 gajim =