author | Amaury Forgeot d'Arc <amauryfa@gmail.com> | 2016-04-08 23:19:22 +0200 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2016-04-08 17:19:22 -0400 |
commit | 97511e5b8d8169096b48ff73ecce7d973129cf87 (patch) | |
tree | d1d585a57f2b96ab6b98007d0e6b41d30b8e3e60 /src/_cffi_src | |
parent | d824f6005a8520e3b98fb349a899c33f300b7a08 (diff) | |
Add more bindings to OpenSSL, to be used by the Python _ssl module. (#2868)
* Add more bindings to OpenSSL, all are used by the Python _ssl module.
* Add a conditional: SSL_CTX_clear_options() does not exist before 0.9.8m
* 80 cols
* Conditionally define the TLSEXT error codes.
* Address review comments
* Remove all parameter names
Diffstat (limited to 'src/_cffi_src')
-rw-r--r-- | src/_cffi_src/openssl/bio.py | 1 | ||||
-rw-r--r-- | src/_cffi_src/openssl/err.py | 22 | ||||
-rw-r--r-- | src/_cffi_src/openssl/pem.py | 2 | ||||
-rw-r--r-- | src/_cffi_src/openssl/ssl.py | 38 |
4 files changed, 63 insertions, 0 deletions
diff --git a/src/_cffi_src/openssl/bio.py b/src/_cffi_src/openssl/bio.py index df9b1b48..7e71dab1 100644 --- a/src/_cffi_src/openssl/bio.py +++ b/src/_cffi_src/openssl/bio.py @@ -158,6 +158,7 @@ long BIO_set_read_buffer_size(BIO *, long); long BIO_set_write_buffer_size(BIO *, long); long BIO_set_buffer_size(BIO *, long); long BIO_set_buffer_read_data(BIO *, void *, long); +long BIO_set_nbio(BIO *, long); /* The following was a macro in 0.9.8e. Once we drop support for RHEL/CentOS 5 we should move this back to FUNCTIONS. */ diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py index d0211c34..4c7870aa 100644 --- a/src/_cffi_src/openssl/err.py +++ b/src/_cffi_src/openssl/err.py @@ -13,6 +13,7 @@ static const int Cryptography_HAS_REMOVE_THREAD_STATE; static const int Cryptography_HAS_098H_ERROR_CODES; static const int Cryptography_HAS_098C_CAMELLIA_CODES; static const int Cryptography_HAS_EC_CODES; +static const int Cryptography_HAS_TLSEXT_ERROR_CODES; static const int Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR; struct ERR_string_data_st { @@ -28,6 +29,8 @@ static const int ERR_LIB_PEM; static const int ERR_LIB_ASN1; static const int ERR_LIB_RSA; static const int ERR_LIB_PKCS12; +static const int ERR_LIB_SSL; +static const int ERR_LIB_X509; static const int ASN1_F_ASN1_ENUMERATED_TO_BN; static const int ASN1_F_ASN1_EX_C2I; @@ -224,6 +227,15 @@ static const int RSA_R_BLOCK_TYPE_IS_NOT_02; static const int RSA_R_PKCS_DECODING_ERROR; static const int RSA_R_OAEP_DECODING_ERROR; static const int RSA_F_RSA_SIGN; + +static const int SSL_TLSEXT_ERR_OK; +static const int SSL_TLSEXT_ERR_ALERT_WARNING; +static const int SSL_TLSEXT_ERR_ALERT_FATAL; +static const int SSL_TLSEXT_ERR_NOACK; + +static const int SSL_AD_INTERNAL_ERROR; +static const int SSL_AD_ACCESS_DENIED; +static const int SSL_AD_HANDSHAKE_FAILURE; """ FUNCTIONS = """ 
@@ -319,6 +331,16 @@ static const int EC_R_UNKNOWN_GROUP = 0; static const int EC_F_EC_GROUP_NEW_BY_CURVE_NAME = 0; #endif +#ifdef SSL_TLSEXT_ERR_OK +static const int Cryptography_HAS_TLSEXT_ERROR_CODES = 1; +#else +static const int Cryptography_HAS_TLSEXT_ERROR_CODES = 0; +static const int SSL_TLSEXT_ERR_OK = 0; +static const int SSL_TLSEXT_ERR_ALERT_WARNING = 0; +static const int SSL_TLSEXT_ERR_ALERT_FATAL = 0; +static const int SSL_TLSEXT_ERR_NOACK = 0; +#endif + #ifdef RSA_R_PKCS_DECODING_ERROR static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 1; #else diff --git a/src/_cffi_src/openssl/pem.py b/src/_cffi_src/openssl/pem.py index 4eb6bb45..99881dd7 100644 --- a/src/_cffi_src/openssl/pem.py +++ b/src/_cffi_src/openssl/pem.py @@ -46,6 +46,8 @@ X509_CRL *PEM_read_bio_X509_CRL(BIO *, X509_CRL **, pem_password_cb *, void *); int PEM_write_bio_X509_CRL(BIO *, X509_CRL *); +X509 *PEM_read_bio_X509_AUX(BIO *, X509 **, pem_password_cb *, void *); + PKCS7 *PEM_read_bio_PKCS7(BIO *, PKCS7 **, pem_password_cb *, void *); int PEM_write_bio_PKCS7(BIO *, PKCS7 *); diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index b3bc9ca2..8569661e 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -24,6 +24,7 @@ static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP; static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE; static const long Cryptography_HAS_GET_SERVER_TMP_KEY; static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE; +static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS; /* Internally invented symbol to tell us if SNI is supported */ static const long Cryptography_HAS_TLSEXT_HOSTNAME; 
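Review bot: In the `#else` branch of the `SSL_TLSEXT_ERR_OK` guard in err.py, all four fallback constants are defined as 0, which is also the real value of `SSL_TLSEXT_ERR_OK`, so on a build without these codes `SSL_TLSEXT_ERR_ALERT_FATAL` compares equal to success. This follows the file's existing zero-fallback convention (`EC_R_UNKNOWN_GROUP = 0` just above), but these values are meant to be returned from a servername callback, not only compared, so a caller that skips the feature check would accept where it meant to abort. I would add a comment above the block: `/* Fallback values are placeholders only; check Cryptography_HAS_TLSEXT_ERROR_CODES before returning any SSL_TLSEXT_ERR_* value. */`. The `SSL_AD_*` constants added in the earlier err.py hunk have no guard at all, which is fine only if every supported OpenSSL defines them; that is not visible here.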
@@ -53,6 +54,7 @@ static const long SSL_ERROR_ZERO_RETURN; static const long SSL_ERROR_WANT_READ; static const long SSL_ERROR_WANT_WRITE; static const long SSL_ERROR_WANT_X509_LOOKUP; +static const long SSL_ERROR_WANT_CONNECT; static const long SSL_ERROR_SYSCALL; static const long SSL_ERROR_SSL; static const long SSL_SENT_SHUTDOWN; @@ -177,6 +179,9 @@ void (*SSL_get_info_callback(const SSL *))(const SSL *, int, int); SSL *SSL_new(SSL_CTX *); void SSL_free(SSL *); int SSL_set_fd(SSL *, int); +SSL_CTX *SSL_get_SSL_CTX(const SSL *); +BIO *SSL_get_rbio(const SSL *); +BIO *SSL_get_wbio(const SSL *); void SSL_set_bio(SSL *, BIO *, BIO *); void SSL_set_connect_state(SSL *); void SSL_set_accept_state(SSL *); @@ -287,6 +292,10 @@ unsigned long SSL_get_mode(SSL *); unsigned long SSL_set_options(SSL *, unsigned long); unsigned long SSL_get_options(SSL *); +void SSL_set_app_data(SSL *, char *); +char * SSL_get_app_data(SSL *); +void SSL_set_read_ahead(SSL *, int); + int SSL_want_read(const SSL *); int SSL_want_write(const SSL *); @@ -296,6 +305,7 @@ long SSL_get_secure_renegotiation_support(SSL *); /* Defined as unsigned long because SSL_OP_ALL is greater than signed 32-bit and Windows defines long as 32-bit. */ unsigned long SSL_CTX_set_options(SSL_CTX *, unsigned long); +unsigned long SSL_CTX_clear_options(SSL_CTX *, unsigned long); unsigned long SSL_CTX_get_options(SSL_CTX *); unsigned long SSL_CTX_set_mode(SSL_CTX *, unsigned long); unsigned long SSL_CTX_get_mode(SSL_CTX *); @@ -356,6 +366,8 @@ void SSL_set_tlsext_host_name(SSL *, char *); void SSL_CTX_set_tlsext_servername_callback( SSL_CTX *, int (*)(const SSL *, int *, void *)); +void SSL_CTX_set_tlsext_servername_arg( + SSL_CTX *, void *); /* These were added in OpenSSL 0.9.8h, but since version testing in OpenSSL is fraught with peril thanks to OS distributions we check some constants 
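Review bot: `SSL_get_SSL_CTX`, `SSL_get_rbio` and `SSL_get_wbio` (ssl.py, hunk at -177) return pointers that the `SSL` object still owns; OpenSSL takes no extra reference for the caller. Nothing in the declarations says so, and a binding user who attaches a destructor to one of these results (for example through `ffi.gc` with `BIO_free` or `SSL_CTX_free`) would free the object twice. I would add a comment before the three lines: `/* Borrowed pointers: owned by the SSL; do not free, and do not use after SSL_free(). */`.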
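Review bot: `SSL_set_app_data` (hunk at -287) and `SSL_CTX_set_tlsext_servername_arg` (hunks at -356 and -545) store a caller-supplied pointer that OpenSSL neither copies nor frees. From cffi this is typically a handle to a Python object, and if that object is collected while the `SSL` or `SSL_CTX` is still alive, `SSL_get_app_data` or the servername callback is handed a dangling pointer. A comment at each declaration would make the contract explicit: `/* Pointer is stored as-is; the caller must keep the referenced object alive for the lifetime of the SSL / SSL_CTX. */`.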
@@ -435,6 +447,19 @@ size_t SSL_SESSION_get_master_key(const SSL_SESSION *, unsigned char *, size_t); size_t SSL_get_client_random(const SSL *, unsigned char *, size_t); size_t SSL_get_server_random(const SSL *, unsigned char *, size_t); + +long SSL_CTX_sess_number(SSL_CTX *); +long SSL_CTX_sess_connect(SSL_CTX *); +long SSL_CTX_sess_connect_good(SSL_CTX *); +long SSL_CTX_sess_connect_renegotiate(SSL_CTX *); +long SSL_CTX_sess_accept(SSL_CTX *); +long SSL_CTX_sess_accept_good(SSL_CTX *); +long SSL_CTX_sess_accept_renegotiate(SSL_CTX *); +long SSL_CTX_sess_hits(SSL_CTX *); +long SSL_CTX_sess_cb_hits(SSL_CTX *); +long SSL_CTX_sess_misses(SSL_CTX *); +long SSL_CTX_sess_timeouts(SSL_CTX *); +long SSL_CTX_sess_cache_full(SSL_CTX *); """ CUSTOMIZATIONS = """ @@ -545,6 +570,8 @@ const char* (*SSL_get_servername)(const SSL *, const int) = NULL; void (*SSL_CTX_set_tlsext_servername_callback)( SSL_CTX *, int (*)(const SSL *, int *, void *)) = NULL; +void (*SSL_CTX_set_tlsext_servername_arg)( + SSL_CTX *, void *) = NULL; #endif #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB @@ -734,6 +761,17 @@ static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE = 0; static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE = 1; #endif +/* SSL_CTX_clear_options() and SSL_clear_options() were first added in + * OpenSSL 0.9.8m but do not appear in some 0.9.9-dev versions such the + * 0.9.9 from "May 2008" that NetBSD 5.0 uses. */ +#if OPENSSL_VERSION_NUMBER >= 0x009080dfL && \ + OPENSSL_VERSION_NUMBER != 0x00909000L +static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS = 1; +#else +unsigned long (*SSL_CTX_clear_options)(SSL_CTX *, unsigned long) = NULL; +static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS = 0; +#endif + /* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were removed */ #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) |
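Review bot: In the `#else` branch of the hunk at -734, `SSL_CTX_clear_options` becomes a NULL function pointer, so any call not gated on `Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS` calls through NULL; the same applies to `SSL_CTX_set_tlsext_servername_arg = NULL` in the hunk at -545. The diff shown is limited to `src/_cffi_src`, so I cannot see whether the Python side removes these names when the flag is 0; please confirm. The comment also names `SSL_clear_options()`, which gets neither a declaration nor a stub in these hunks, and it reads "such the" where "such as the" is meant. I would either bind `SSL_clear_options` under the same flag or reword the comment to `/* SSL_CTX_clear_options() was first added in OpenSSL 0.9.8m but does not appear in some 0.9.9-dev versions, such as the 0.9.9 from "May 2008" that NetBSD 5.0 uses. */`.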