OpenSSL 1.1.0 support (#2826)

* make pre5 work

* add a blank line to make the diff happier

* 1.1.0-pre6 working

* support the changes since 1.1.0-pre6

* fixes

* add 1.1.0 to travis

* expose the symbol

* better testing for numericstring

* handle libre...

* actually use the 1.1.0 we compile

* cache the ossl-110 dir on travis

* add some newlines

* changelog entry for 1.1.0 support

* note that we test on 1.1.0

* proper skip on this test

* reorder

9 files changed, 50 insertions, 9 deletions

diff --git a/.travis.yml b/.travis.yml
index 74e8b264..1b33c6f5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,6 +6,7 @@ cache:
     directories:
         - $HOME/.cache/pip
         - $HOME/ossl-100t
+        - $HOME/ossl-110
 
 matrix:
     include:
@@ -30,6 +31,10 @@ matrix:
         - python: 3.5
           env: TOXENV=py35 OPENSSL=1.0.0
         - python: 2.7
+          env: TOXENV=py27 OPENSSL=1.1.0
+        - python: 3.5
+          env: TOXENV=py35 OPENSSL=1.1.0
+        - python: 2.7
           env: TOXENV=docs
           addons:
               apt:
diff --git a/.travis/install.sh b/.travis/install.sh
index b8ff31ad..5c09b258 100755
--- a/.travis/install.sh
+++ b/.travis/install.sh
@@ -63,6 +63,10 @@ else
         OPENSSL_VERSION_NUMBER="1.0.0t"
         OPENSSL_DIR="ossl-100t"
     fi
+    if [[ "${OPENSSL}" == "1.1.0" ]]; then
+        OPENSSL_VERSION_NUMBER="1.1.0"
+        OPENSSL_DIR="ossl-110"
+    fi
     # download, compile, and install if it's not already present via travis
     # cache
     if [ -n "$OPENSSL_DIR" ]; then
@@ -72,7 +76,8 @@ else
             cd openssl-$OPENSSL_VERSION_NUMBER
             ./config shared no-asm no-ssl2 -fPIC --prefix="$HOME/$OPENSSL_DIR"
             # modify the shlib version to a unique one to make sure the dynamic
-            # linker doesn't load the system one.
+            # linker doesn't load the system one. This isn't required for 1.1.0 at the
+            # moment since our Travis builders have a diff shlib version, but it doesn't hurt
             sed -i "s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=100/" Makefile
             sed -i "s/^SHLIB_MINOR=.*/SHLIB_MINOR=0.0/" Makefile
             sed -i "s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=100.0.0/" Makefile
diff --git a/.travis/run.sh b/.travis/run.sh
index 5c8b53f9..22beba06 100755
--- a/.travis/run.sh
+++ b/.travis/run.sh
@@ -29,6 +29,9 @@ else
     if [[ "${OPENSSL}" == "1.0.0" ]]; then
         OPENSSL_DIR="ossl-100t"
     fi
+    if [[ "${OPENSSL}" == "1.1.0" ]]; then
+        OPENSSL_DIR="ossl-110"
+    fi
 
     if [ -n "$OPENSSL_DIR" ]; then
         export PATH="$HOME/$OPENSSL_DIR/bin:$PATH"
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index fad6454e..f8740739 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -24,6 +24,7 @@ Changelog
   :class:`~cryptography.x509.CertificateRevocationListBuilder`, and
   :class:`~cryptography.x509.RevokedCertificateBuilder` now accept timezone
   aware ``datetime`` objects as method arguments
+* ``cryptography`` now supports OpenSSL 1.1.0 as a compilation target.
 
 
 1.4 - 2016-06-04
diff --git a/docs/installation.rst b/docs/installation.rst
index 2e1b3ae4..3d10c367 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -34,6 +34,7 @@ OpenSSL releases:
 * ``OpenSSL 1.0.1j-freebsd``
 * ``OpenSSL 1.0.1f``
 * ``OpenSSL 1.0.2-latest``
+* ``OpenSSL 1.1.0``
 
 .. warning::
     OpenSSL 1.0.0 is no longer supported by the OpenSSL project. Cryptography
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index c3b0a1dc..69824010 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -36,12 +36,22 @@ INCLUDES = """
     (OPENSSL_VERSION_NUMBER < 0x10100000)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 \
     (OPENSSL_VERSION_NUMBER < 0x10100005)
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+#define CRYPTOGRAPHY_IS_LIBRESSL 1
+#else
+#define CRYPTOGRAPHY_IS_LIBRESSL 0
+#endif
 """
 
 TYPES = """
 static const int CRYPTOGRAPHY_OPENSSL_101_OR_GREATER;
 
+static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_101;
+
+static const int CRYPTOGRAPHY_IS_LIBRESSL;
 """
 
 FUNCTIONS = """
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 3449e217..a1de1a89 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1475,7 +1475,9 @@ class Backend(object):
             check_y = self._lib.BN_CTX_get(bn_ctx)
 
             res = set_func(group, point, bn_x, bn_y, bn_ctx)
-            self.openssl_assert(res == 1)
+            if res != 1:
+                self._consume_errors()
+                raise ValueError("EC point not on curve")
 
             res = get_func(group, point, check_x, check_y, bn_ctx)
             self.openssl_assert(res == 1)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 38f11347..4ec8d84e 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -728,10 +728,18 @@ class TestGOSTCertificate(object):
             x509.load_der_x509_certificate,
             backend
         )
-        with pytest.raises(ValueError) as exc:
-            cert.subject
-
-        # We assert on the message in this case because if the certificate
-        # fails to load it will also raise a ValueError and this test could
-        # erroneously pass.
-        assert str(exc.value) == "Unsupported ASN1 string type. Type: 18"
+        if (
+            not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER or
+            backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
+        ):
+            with pytest.raises(ValueError) as exc:
+                cert.subject
+
+            # We assert on the message in this case because if the certificate
+            # fails to load it will also raise a ValueError and this test could
+            # erroneously pass.
+            assert str(exc.value) == "Unsupported ASN1 string type. Type: 18"
+        else:
+            assert cert.subject.get_attributes_for_oid(
+                x509.ObjectIdentifier("1.2.643.3.131.1.1")
+            )[0].value == "007710474375"
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index f41bcf35..1c395c25 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -21,6 +21,12 @@ class TestOpenSSL(object):
 
     def test_crypto_lock_init(self):
         b = Binding()
+        if (
+            b.lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
+            not b.lib.CRYPTOGRAPHY_IS_LIBRESSL
+        ):
+            pytest.skip("Requires an older OpenSSL. Must be < 1.1.0")
+
         b.init_static_locks()
         lock_cb = b.lib.CRYPTO_get_locking_callback()
         assert lock_cb != b.ffi.NULL