Merge branch 'master' into common-crypto-backend

* master: (24 commits)
  Expose the innards of DH and DSA
  More bindings for asymmetric stuff
  Tell cffi these opaque types are pointers.
  rename variable to be less confusing and terrible
  Document when the common crypto bindings were added
  Expose a name needed for ECDHE -- the NIDs are always available
  Expose the nids for the various eliptical curve things. I don't understand what these mean.
  Specify the epub theme to fix the epub build on RTD.
  Added forgotten decl
  reversed
  Allow these to not be defined because lololol fedora/centos
  add conditional ERR_remove_thread_state. PyOpenSSL uses this
  Don't require sphinx spelling to be installed, for readthedocs benefit
  This is also a requirement
  oops
  Start binding some stuff for ECDHE in pyOpenSSL.
  check if openssl is installed via homebrew on osx. install if not
  Verify the tag len for GCM
  remove comment that's no longer needed
  Make just one call to ffi.cdef for most of the definitions
  ...

19 files changed, 332 insertions, 47 deletions

diff --git a/.travis.yml b/.travis.yml
index babea99b..a70bb8cf 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -30,10 +30,10 @@ install:
     - ./.travis/install.sh
 
 script:
-    - if [[ "$(uname -s)" == "Darwin" ]]; then eval "$(pyenv init -)"; fi && source ~/.venv/bin/activate && tox -e $TOX_ENV
+    - ./.travis/run.sh
 
 after_success:
-    - coveralls
+    - source ~/.venv/bin/activate && coveralls
 
 notifications:
     irc:
@@ -64,21 +64,6 @@ matrix:
           env: TOX_ENV=pypy
           compiler: gcc
         - os: osx
-          env: TOX_ENV=py26
-          compiler: clang
-        - os: osx
-          env: TOX_ENV=py27
-          compiler: clang
-        - os: osx
-          env: TOX_ENV=py32
-          compiler: clang
-        - os: osx
-          env: TOX_ENV=py33
-          compiler: clang
-        - os: osx
-          env: TOX_ENV=pypy
-          compiler: clang
-        - os: osx
           env: TOX_ENV=py26 OPENSSL=0.9.8
           compiler: gcc
         - os: osx
diff --git a/.travis/install.sh b/.travis/install.sh
index e6ea2537..1e3b1702 100755
--- a/.travis/install.sh
+++ b/.travis/install.sh
@@ -3,10 +3,17 @@
 set -e
 set -x
 
-if [[ "${OPENSSL}" == "0.9.8" && "$(uname -s)" != "Darwin" ]]; then
-    sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu/ lucid main"
-    sudo apt-get -y update
-    sudo apt-get install -y --force-yes libssl-dev/lucid
+if [[ "${OPENSSL}" == "0.9.8" ]]; then
+    if [[ "$(uname -s)" != "Darwin" ]]; then
+        sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu/ lucid main"
+        sudo apt-get -y update
+        sudo apt-get install -y --force-yes libssl-dev/lucid
+    else
+        # travis has openssl installed via brew already, but let's be sure
+        if [[ "$(brew list | grep openssl)" != "openssl" ]]; then
+            brew install openssl
+        fi
+    fi
 fi
 
 if [[ "${TOX_ENV}" == "docs" && "$(name -s)" != "Darwin" ]]; then
diff --git a/.travis/run.sh b/.travis/run.sh
new file mode 100755
index 00000000..4c01d67a
--- /dev/null
+++ b/.travis/run.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+set -x
+
+if [[ "$(uname -s)" == "Darwin" ]]; then
+    eval "$(pyenv init -)"
+    if [[ "${OPENSSL}" != "0.9.8" ]]; then
+        # so set our flags to use homebrew openssl
+        export ARCHFLAGS="-arch x86_64"
+        export LDFLAGS="-L/usr/local/opt/openssl/lib"
+        export CFLAGS="-I/usr/local/opt/openssl/include"
+    fi
+fi
+source ~/.venv/bin/activate
+tox -e $TOX_ENV
diff --git a/cryptography/hazmat/bindings/openssl/bignum.py b/cryptography/hazmat/bindings/openssl/bignum.py
index 59efd171..6545f329 100644
--- a/cryptography/hazmat/bindings/openssl/bignum.py
+++ b/cryptography/hazmat/bindings/openssl/bignum.py
@@ -47,6 +47,9 @@ char *BN_bn2hex(const BIGNUM *);
 int BN_hex2bn(BIGNUM **, const char *);
 int BN_dec2bn(BIGNUM **, const char *);
 
+int BN_bn2bin(const BIGNUM *, unsigned char *);
+BIGNUM *BN_bin2bn(const unsigned char *, int, BIGNUM *);
+
 int BN_num_bits(const BIGNUM *);
 """
 
diff --git a/cryptography/hazmat/bindings/openssl/binding.py b/cryptography/hazmat/bindings/openssl/binding.py
index 8a4e1dd3..88299d14 100644
--- a/cryptography/hazmat/bindings/openssl/binding.py
+++ b/cryptography/hazmat/bindings/openssl/binding.py
@@ -48,6 +48,7 @@ class Binding(object):
         "crypto",
         "dh",
         "dsa",
+        "ec",
         "engine",
         "err",
         "evp",
diff --git a/cryptography/hazmat/bindings/openssl/crypto.py b/cryptography/hazmat/bindings/openssl/crypto.py
index 189867bd..40d91bf2 100644
--- a/cryptography/hazmat/bindings/openssl/crypto.py
+++ b/cryptography/hazmat/bindings/openssl/crypto.py
@@ -16,6 +16,8 @@ INCLUDES = """
 """
 
 TYPES = """
+typedef ... CRYPTO_THREADID;
+
 static const int SSLEAY_VERSION;
 static const int SSLEAY_CFLAGS;
 static const int SSLEAY_PLATFORM;
diff --git a/cryptography/hazmat/bindings/openssl/dh.py b/cryptography/hazmat/bindings/openssl/dh.py
index 3c12fbc6..edbe0e39 100644
--- a/cryptography/hazmat/bindings/openssl/dh.py
+++ b/cryptography/hazmat/bindings/openssl/dh.py
@@ -16,7 +16,13 @@ INCLUDES = """
 """
 
 TYPES = """
-typedef ... DH;
+typedef struct dh_st {
+    BIGNUM *p;              // prime number (shared)
+    BIGNUM *g;              // generator of Z_p (shared)
+    BIGNUM *priv_key;       // private DH value x
+    BIGNUM *pub_key;        // public DH value g^x
+    ...;
+} DH;
 """
 
 FUNCTIONS = """
diff --git a/cryptography/hazmat/bindings/openssl/dsa.py b/cryptography/hazmat/bindings/openssl/dsa.py
index 3b77d7ae..9068e057 100644
--- a/cryptography/hazmat/bindings/openssl/dsa.py
+++ b/cryptography/hazmat/bindings/openssl/dsa.py
@@ -16,7 +16,14 @@ INCLUDES = """
 """
 
 TYPES = """
-typedef ... DSA;
+typedef struct dsa_st {
+    BIGNUM *p;              // prime number (public)
+    BIGNUM *q;              // 160-bit subprime, q | p-1 (public)
+    BIGNUM *g;              // generator of subgroup (public)
+    BIGNUM *priv_key;       // private key x
+    BIGNUM *pub_key;        // public key y = g^x
+    ...;
+} DSA;
 """
 
 FUNCTIONS = """
diff --git a/cryptography/hazmat/bindings/openssl/ec.py b/cryptography/hazmat/bindings/openssl/ec.py
new file mode 100644
index 00000000..9f10365a
--- /dev/null
+++ b/cryptography/hazmat/bindings/openssl/ec.py
@@ -0,0 +1,56 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+INCLUDES = """
+#include <openssl/ec.h>
+#include <openssl/obj_mac.h>
+"""
+
+TYPES = """
+static const int Cryptography_HAS_EC;
+
+typedef ... EC_KEY;
+
+static const int NID_X9_62_prime192v1;
+static const int NID_X9_62_prime192v2;
+static const int NID_X9_62_prime192v3;
+static const int NID_X9_62_prime239v1;
+static const int NID_X9_62_prime239v2;
+static const int NID_X9_62_prime239v3;
+static const int NID_X9_62_prime256v1;
+"""
+
+FUNCTIONS = """
+EC_KEY *EC_KEY_new_by_curve_name(int);
+void EC_KEY_free(EC_KEY *);
+"""
+
+MACROS = """
+"""
+
+CUSTOMIZATIONS = """
+#ifdef OPENSSL_NO_EC
+static const long Cryptography_HAS_EC = 0;
+EC_KEY* (*EC_KEY_new_by_curve_name)(int) = NULL;
+void (*EC_KEY_free)(EC_KEY *) = NULL;
+#else
+static const long Cryptography_HAS_EC = 1;
+#endif
+"""
+
+CONDITIONAL_NAMES = {
+    "Cryptography_HAS_EC": [
+        "EC_KEY_new_by_curve_name",
+        "EC_KEY_free",
+    ],
+}
diff --git a/cryptography/hazmat/bindings/openssl/engine.py b/cryptography/hazmat/bindings/openssl/engine.py
index 390bfde1..77118e81 100644
--- a/cryptography/hazmat/bindings/openssl/engine.py
+++ b/cryptography/hazmat/bindings/openssl/engine.py
@@ -24,11 +24,11 @@ typedef ... ECDSA_METHOD;
 typedef ... DH_METHOD;
 typedef ... RAND_METHOD;
 typedef ... STORE_METHOD;
-typedef ... ENGINE_GEN_INT_FUNC_PTR;
-typedef ... ENGINE_CTRL_FUNC_PTR;
-typedef ... ENGINE_LOAD_KEY_PTR;
-typedef ... ENGINE_CIPHERS_PTR;
-typedef ... ENGINE_DIGESTS_PTR;
+typedef ... *ENGINE_GEN_INT_FUNC_PTR;
+typedef ... *ENGINE_CTRL_FUNC_PTR;
+typedef ... *ENGINE_LOAD_KEY_PTR;
+typedef ... *ENGINE_CIPHERS_PTR;
+typedef ... *ENGINE_DIGESTS_PTR;
 typedef ... ENGINE_CMD_DEFN;
 typedef ... UI_METHOD;
 
diff --git a/cryptography/hazmat/bindings/openssl/err.py b/cryptography/hazmat/bindings/openssl/err.py
index 1b66bd2a..ddb60ef7 100644
--- a/cryptography/hazmat/bindings/openssl/err.py
+++ b/cryptography/hazmat/bindings/openssl/err.py
@@ -16,24 +16,166 @@ INCLUDES = """
 """
 
 TYPES = """
+static const int Cryptography_HAS_REMOVE_THREAD_STATE;
+
 struct ERR_string_data_st {
     unsigned long error;
     const char *string;
 };
 typedef struct ERR_string_data_st ERR_STRING_DATA;
 
-static const int ASN1_R_BAD_PASSWORD_READ;
 
 static const int ERR_LIB_EVP;
 static const int ERR_LIB_PEM;
+static const int ERR_LIB_ASN1;
+
+static const int ASN1_F_ASN1_ENUMERATED_TO_BN;
+static const int ASN1_F_ASN1_EX_C2I;
+static const int ASN1_F_ASN1_FIND_END;
+static const int ASN1_F_ASN1_GENERALIZEDTIME_SET;
+static const int ASN1_F_ASN1_GENERATE_V3;
+static const int ASN1_F_ASN1_GET_OBJECT;
+static const int ASN1_F_ASN1_ITEM_I2D_FP;
+static const int ASN1_F_ASN1_ITEM_PACK;
+static const int ASN1_F_ASN1_ITEM_SIGN;
+static const int ASN1_F_ASN1_ITEM_UNPACK;
+static const int ASN1_F_ASN1_ITEM_VERIFY;
+static const int ASN1_F_ASN1_MBSTRING_NCOPY;
+static const int ASN1_F_ASN1_TEMPLATE_EX_D2I;
+static const int ASN1_F_ASN1_TEMPLATE_NEW;
+static const int ASN1_F_ASN1_TEMPLATE_NOEXP_D2I;
+static const int ASN1_F_ASN1_TIME_SET;
+static const int ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING;
+static const int ASN1_F_ASN1_TYPE_GET_OCTETSTRING;
+static const int ASN1_F_ASN1_UNPACK_STRING;
+static const int ASN1_F_ASN1_UTCTIME_SET;
+static const int ASN1_F_ASN1_VERIFY;
+static const int ASN1_F_B64_READ_ASN1;
+static const int ASN1_F_B64_WRITE_ASN1;
+static const int ASN1_F_BITSTR_CB;
+static const int ASN1_F_BN_TO_ASN1_ENUMERATED;
+static const int ASN1_F_BN_TO_ASN1_INTEGER;
+static const int ASN1_F_D2I_ASN1_TYPE_BYTES;
+static const int ASN1_F_D2I_ASN1_UINTEGER;
+static const int ASN1_F_D2I_ASN1_UTCTIME;
+static const int ASN1_F_D2I_NETSCAPE_RSA;
+static const int ASN1_F_D2I_NETSCAPE_RSA_2;
+static const int ASN1_F_D2I_PRIVATEKEY;
+static const int ASN1_F_D2I_X509;
+static const int ASN1_F_D2I_X509_CINF;
+static const int ASN1_F_D2I_X509_PKEY;
+static const int ASN1_F_I2D_ASN1_SET;
+static const int ASN1_F_I2D_ASN1_TIME;
+static const int ASN1_F_I2D_DSA_PUBKEY;
+static const int ASN1_F_LONG_C2I;
+static const int ASN1_F_OID_MODULE_INIT;
+static const int ASN1_F_PARSE_TAGGING;
+static const int ASN1_F_PKCS5_PBE_SET;
+static const int ASN1_F_SMIME_READ_ASN1;
+static const int ASN1_F_SMIME_TEXT;
+static const int ASN1_F_X509_CINF_NEW;
+static const int ASN1_R_BOOLEAN_IS_WRONG_LENGTH;
+static const int ASN1_R_BUFFER_TOO_SMALL;
+static const int ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER;
+static const int ASN1_R_DATA_IS_WRONG;
+static const int ASN1_R_DECODE_ERROR;
+static const int ASN1_R_DECODING_ERROR;
+static const int ASN1_R_DEPTH_EXCEEDED;
+static const int ASN1_R_ENCODE_ERROR;
+static const int ASN1_R_ERROR_GETTING_TIME;
+static const int ASN1_R_ERROR_LOADING_SECTION;
+static const int ASN1_R_MSTRING_WRONG_TAG;
+static const int ASN1_R_NESTED_ASN1_STRING;
+static const int ASN1_R_NO_CONTENT_TYPE;
+static const int ASN1_R_NO_MATCHING_CHOICE_TYPE;
+static const int ASN1_R_NO_MULTIPART_BODY_FAILURE;
+static const int ASN1_R_NO_MULTIPART_BOUNDARY;
+static const int ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM;
+static const int ASN1_R_UNKNOWN_OBJECT_TYPE;
+static const int ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE;
+static const int ASN1_R_UNKNOWN_TAG;
+static const int ASN1_R_UNKOWN_FORMAT;
+static const int ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE;
+static const int ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM;
+static const int ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE;
+static const int ASN1_R_UNSUPPORTED_TYPE;
+static const int ASN1_R_WRONG_TAG;
+static const int ASN1_R_WRONG_TYPE;
 
+static const int EVP_F_AES_INIT_KEY;
+static const int EVP_F_CAMELLIA_INIT_KEY;
+static const int EVP_F_D2I_PKEY;
+static const int EVP_F_DSA_PKEY2PKCS8;
+static const int EVP_F_DSAPKEY2PKCS8;
+static const int EVP_F_ECDSA_PKEY2PKCS8;
+static const int EVP_F_ECKEY_PKEY2PKCS8;
+static const int EVP_F_EVP_CIPHER_CTX_CTRL;
+static const int EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH;
+static const int EVP_F_EVP_CIPHERINIT_EX;
 static const int EVP_F_EVP_DECRYPTFINAL_EX;
+static const int EVP_F_EVP_DIGESTINIT_EX;
 static const int EVP_F_EVP_ENCRYPTFINAL_EX;
-
+static const int EVP_F_EVP_MD_CTX_COPY_EX;
+static const int EVP_F_EVP_OPENINIT;
+static const int EVP_F_EVP_PBE_ALG_ADD;
+static const int EVP_F_EVP_PBE_CIPHERINIT;
+static const int EVP_F_EVP_PKCS82PKEY;
+static const int EVP_F_EVP_PKEY2PKCS8_BROKEN;
+static const int EVP_F_EVP_PKEY_COPY_PARAMETERS;
+static const int EVP_F_EVP_PKEY_DECRYPT;
+static const int EVP_F_EVP_PKEY_ENCRYPT;
+static const int EVP_F_EVP_PKEY_GET1_DH;
+static const int EVP_F_EVP_PKEY_GET1_DSA;
+static const int EVP_F_EVP_PKEY_GET1_ECDSA;
+static const int EVP_F_EVP_PKEY_GET1_EC_KEY;
+static const int EVP_F_EVP_PKEY_GET1_RSA;
+static const int EVP_F_EVP_PKEY_NEW;
+static const int EVP_F_EVP_RIJNDAEL;
+static const int EVP_F_EVP_SIGNFINAL;
+static const int EVP_F_EVP_VERIFYFINAL;
+static const int EVP_F_PKCS5_PBE_KEYIVGEN;
+static const int EVP_F_PKCS5_V2_PBE_KEYIVGEN;
+static const int EVP_F_PKCS8_SET_BROKEN;
+static const int EVP_F_RC2_MAGIC_TO_METH;
+static const int EVP_F_RC5_CTRL;
+static const int EVP_R_AES_KEY_SETUP_FAILED;
+static const int EVP_R_ASN1_LIB;
+static const int EVP_R_BAD_BLOCK_LENGTH;
+static const int EVP_R_BAD_KEY_LENGTH;
+static const int EVP_R_BN_DECODE_ERROR;
+static const int EVP_R_BN_PUBKEY_ERROR;
+static const int EVP_R_CAMELLIA_KEY_SETUP_FAILED;
+static const int EVP_R_CIPHER_PARAMETER_ERROR;
+static const int EVP_R_CTRL_NOT_IMPLEMENTED;
+static const int EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED;
 static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH;
+static const int EVP_R_DECODE_ERROR;
+static const int EVP_R_DIFFERENT_KEY_TYPES;
+static const int EVP_R_DISABLED_FOR_FIPS;
+static const int EVP_R_ENCODE_ERROR;
+static const int EVP_R_INITIALIZATION_ERROR;
+static const int EVP_R_INPUT_NOT_INITIALIZED;
+static const int EVP_R_INVALID_KEY_LENGTH;
+static const int EVP_R_IV_TOO_LARGE;
+static const int EVP_R_KEYGEN_FAILURE;
+static const int EVP_R_MISSING_PARAMETERS;
+static const int EVP_R_NO_CIPHER_SET;
+static const int EVP_R_NO_DIGEST_SET;
+static const int EVP_R_NO_DSA_PARAMETERS;
+static const int EVP_R_NO_SIGN_FUNCTION_CONFIGURED;
+static const int EVP_R_NO_VERIFY_FUNCTION_CONFIGURED;
+static const int EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE;
+static const int EVP_R_PUBLIC_KEY_NOT_RSA;
+static const int EVP_R_UNKNOWN_PBE_ALGORITHM;
+static const int EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS;
+static const int EVP_R_UNSUPPORTED_CIPHER;
+static const int EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION;
+static const int EVP_R_UNSUPPORTED_KEYLENGTH;
+static const int EVP_R_UNSUPPORTED_SALT_TYPE;
+static const int EVP_R_WRONG_FINAL_BLOCK_LENGTH;
+static const int EVP_R_WRONG_PUBLIC_KEY_TYPE;
 
 static const int PEM_F_D2I_PKCS8PRIVATEKEY_BIO;
-static const int PEM_F_D2I_PKCS8PRIVATEKEY_BIO;
 static const int PEM_F_D2I_PKCS8PRIVATEKEY_FP;
 static const int PEM_F_DO_PK8PKEY;
 static const int PEM_F_DO_PK8PKEY_FP;
@@ -50,7 +192,6 @@ static const int PEM_F_PEM_PK8PKEY;
 static const int PEM_F_PEM_READ;
 static const int PEM_F_PEM_READ_BIO;
 static const int PEM_F_PEM_READ_BIO_PRIVATEKEY;
-static const int PEM_F_PEM_READ_BIO_PRIVATEKEY;
 static const int PEM_F_PEM_READ_PRIVATEKEY;
 static const int PEM_F_PEM_SEALFINAL;
 static const int PEM_F_PEM_SEALINIT;
@@ -66,12 +207,11 @@ static const int PEM_R_BAD_DECRYPT;
 static const int PEM_R_BAD_END_LINE;
 static const int PEM_R_BAD_IV_CHARS;
 static const int PEM_R_BAD_PASSWORD_READ;
-static const int PEM_R_BAD_PASSWORD_READ;
 static const int PEM_R_ERROR_CONVERTING_PRIVATE_KEY;
+static const int PEM_R_NO_START_LINE;
 static const int PEM_R_NOT_DEK_INFO;
 static const int PEM_R_NOT_ENCRYPTED;
 static const int PEM_R_NOT_PROC_TYPE;
-static const int PEM_R_NO_START_LINE;
 static const int PEM_R_PROBLEMS_GETTING_PASSWORD;
 static const int PEM_R_PUBLIC_KEY_NO_RSA;
 static const int PEM_R_READ_KEY;
@@ -114,9 +254,24 @@ int ERR_GET_LIB(unsigned long);
 int ERR_GET_FUNC(unsigned long);
 int ERR_GET_REASON(unsigned long);
 int ERR_FATAL_ERROR(unsigned long);
+/* introduced in 1.0.0 so we have to handle this specially to continue
+ * supporting 0.9.8
+ */
+void ERR_remove_thread_state(const CRYPTO_THREADID *);
 """
 
 CUSTOMIZATIONS = """
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+static const long Cryptography_HAS_REMOVE_THREAD_STATE = 1;
+#else
+static const long Cryptography_HAS_REMOVE_THREAD_STATE = 0;
+typedef uint32_t CRYPTO_THREADID;
+void (*ERR_remove_thread_state)(const CRYPTO_THREADID *);
+#endif
 """
 
-CONDITIONAL_NAMES = {}
+CONDITIONAL_NAMES = {
+    "Cryptography_HAS_REMOVE_THREAD_STATE": [
+        "ERR_remove_thread_state"
+    ],
+}
diff --git a/cryptography/hazmat/bindings/openssl/pem.py b/cryptography/hazmat/bindings/openssl/pem.py
index ee5552c5..8b717c2d 100644
--- a/cryptography/hazmat/bindings/openssl/pem.py
+++ b/cryptography/hazmat/bindings/openssl/pem.py
@@ -27,7 +27,7 @@ int PEM_write_bio_PrivateKey(BIO *, EVP_PKEY *, const EVP_CIPHER *,
                              unsigned char *, int, pem_password_cb *, void *);
 
 EVP_PKEY *PEM_read_bio_PrivateKey(BIO *, EVP_PKEY **, pem_password_cb *,
-                                  void *);
+                                 void *);
 
 int PEM_write_bio_PKCS8PrivateKey(BIO *, EVP_PKEY *, const EVP_CIPHER *,
                                   char *, int, pem_password_cb *, void *);
@@ -48,6 +48,29 @@ int PEM_write_bio_X509_CRL(BIO *, X509_CRL *);
 
 PKCS7 *PEM_read_bio_PKCS7(BIO *, PKCS7 **, pem_password_cb *, void *);
 DH *PEM_read_bio_DHparams(BIO *, DH **, pem_password_cb *, void *);
+
+DSA *PEM_read_bio_DSAPrivateKey(BIO *, DSA **, pem_password_cb *, void *);
+
+RSA *PEM_read_bio_RSAPrivateKey(BIO *, RSA **, pem_password_cb *, void *);
+
+int PEM_write_bio_DSAPrivateKey(BIO *, DSA *, const EVP_CIPHER *,
+                                unsigned char *, int,
+                                pem_password_cb *, void *);
+
+int PEM_write_bio_RSAPrivateKey(BIO *, RSA *, const EVP_CIPHER *,
+                                unsigned char *, int,
+                                pem_password_cb *, void *);
+
+DSA *PEM_read_bio_DSA_PUBKEY(BIO *, DSA **, pem_password_cb *, void *);
+
+RSA *PEM_read_bio_RSAPublicKey(BIO *, RSA **, pem_password_cb *, void *);
+
+int PEM_write_bio_DSA_PUBKEY(BIO *, DSA *);
+
+int PEM_write_bio_RSAPublicKey(BIO *, const RSA *);
+
+EVP_PKEY *PEM_read_bio_PUBKEY(BIO *, EVP_PKEY **, pem_password_cb *, void *);
+int PEM_write_bio_PUBKEY(BIO *, EVP_PKEY *);
 """
 
 MACROS = """
diff --git a/cryptography/hazmat/bindings/openssl/ssl.py b/cryptography/hazmat/bindings/openssl/ssl.py
index d0d5ae2d..cd872d18 100644
--- a/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/cryptography/hazmat/bindings/openssl/ssl.py
@@ -77,6 +77,7 @@ static const int SSL_OP_NO_QUERY_MTU;
 static const int SSL_OP_COOKIE_EXCHANGE;
 static const int SSL_OP_NO_TICKET;
 static const int SSL_OP_ALL;
+static const int SSL_OP_SINGLE_ECDH_USE;
 static const int SSL_VERIFY_PEER;
 static const int SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 static const int SSL_VERIFY_CLIENT_ONCE;
@@ -231,6 +232,7 @@ long SSL_CTX_get_mode(SSL_CTX *);
 long SSL_CTX_set_session_cache_mode(SSL_CTX *, long);
 long SSL_CTX_get_session_cache_mode(SSL_CTX *);
 long SSL_CTX_set_tmp_dh(SSL_CTX *, DH *);
+long SSL_CTX_set_tmp_ecdh(SSL_CTX *, EC_KEY *);
 long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *);
 
 /*- These aren't macros these functions are all const X on openssl > 1.0.x -*/
@@ -345,6 +347,10 @@ static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
 static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 0;
 const long SSL_OP_MSIE_SSLV2_RSA_PADDING = 0;
 #endif
+
+#ifdef OPENSSL_NO_EC
+long (*SSL_CTX_set_tmp_ecdh)(SSL_CTX *, EC_KEY *) = NULL;
+#endif
 """
 
 CONDITIONAL_NAMES = {
@@ -385,4 +391,8 @@ CONDITIONAL_NAMES = {
     "Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING": [
         "SSL_OP_MSIE_SSLV2_RSA_PADDING",
     ],
+
+    "Cryptography_HAS_EC": [
+        "EC_KEY_new_by_curve_name",
+    ]
 }
diff --git a/cryptography/hazmat/bindings/utils.py b/cryptography/hazmat/bindings/utils.py
index 69290eb3..b8253483 100644
--- a/cryptography/hazmat/bindings/utils.py
+++ b/cryptography/hazmat/bindings/utils.py
@@ -34,6 +34,7 @@ def build_ffi(module_prefix, modules, pre_include, post_include, libraries):
         condition.
     """
     ffi = cffi.FFI()
+    types = []
     includes = []
     functions = []
     macros = []
@@ -43,20 +44,13 @@ def build_ffi(module_prefix, modules, pre_include, post_include, libraries):
         __import__(module_name)
         module = sys.modules[module_name]
 
-        ffi.cdef(module.TYPES)
-
+        types.append(module.TYPES)
         macros.append(module.MACROS)
         functions.append(module.FUNCTIONS)
         includes.append(module.INCLUDES)
         customizations.append(module.CUSTOMIZATIONS)
 
-    # loop over the functions & macros after declaring all the types
-    # so we can set interdependent types in different files and still
-    # have them all defined before we parse the funcs & macros
-    for func in functions:
-        ffi.cdef(func)
-    for macro in macros:
-        ffi.cdef(macro)
+    ffi.cdef("\n".join(types + functions + macros))
 
     # We include functions here so that if we got any of their definitions
     # wrong, the underlying C compiler will explode. In C you are allowed
diff --git a/dev-requirements.txt b/dev-requirements.txt
index b2a6c79c..70a2b9bf 100644
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -5,6 +5,7 @@ iso8601
 pretend
 pytest
 sphinx
+sphinxcontrib-spelling
 sphinx_rtd_theme
 tox
 twine
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 41db635e..289992f4 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -1,9 +1,12 @@
 Changelog
 =========
+
 0.2 - 2014-XX-XX
 ~~~~~~~~~~~~~~~~
 
-* In development.
+**In development**
+
+* Added initial CommonCrypto bindings.
 
 0.1 - 2014-01-08
 ~~~~~~~~~~~~~~~~
diff --git a/docs/conf.py b/docs/conf.py
index a42dcb22..3486fb38 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -19,6 +19,11 @@ try:
 except ImportError:
     sphinx_rtd_theme = None
 
+try:
+    from sphinxcontrib import spelling
+except ImportError:
+    spelling = None
+
 
 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
@@ -38,9 +43,11 @@ extensions = [
     'sphinx.ext.intersphinx',
     'sphinx.ext.viewcode',
     'cryptography-docs',
-    'sphinxcontrib.spelling',
 ]
 
+if spelling is not None:
+    extensions.append('sphinxcontrib.spelling')
+
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
 
@@ -263,3 +270,5 @@ texinfo_documents = [
 
 # Example configuration for intersphinx: refer to the Python standard library.
 intersphinx_mapping = {'http://docs.python.org/': None}
+
+epub_theme = 'epub'
diff --git a/docs/hazmat/bindings/commoncrypto.rst b/docs/hazmat/bindings/commoncrypto.rst
index 25535e02..c4f614c2 100644
--- a/docs/hazmat/bindings/commoncrypto.rst
+++ b/docs/hazmat/bindings/commoncrypto.rst
@@ -5,6 +5,8 @@ CommonCrypto Binding
 
 .. currentmodule:: cryptography.hazmat.bindings.commoncrypto.binding
 
+.. versionadded:: 0.2
+
 These are `CFFI`_ bindings to the `CommonCrypto`_ C library. It is available on
 Mac OS X.
 
diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index 83165690..7d954046 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -324,6 +324,11 @@ Modes
             return (iv, ciphertext, encryptor.tag)
 
         def decrypt(key, associated_data, iv, ciphertext, tag):
+            if len(tag) != 16:
+                raise ValueError(
+                    "tag must be 16 bytes -- truncation not supported"
+                )
+
             # Construct a Cipher object, with the key, iv, and additionally the
             # GCM tag used for authenticating the message.
             decryptor = Cipher(