authorBrendan McCollam <brendan@mccoll.am>2015-09-07 19:55:09 -0500
committerBrendan McCollam <brendan@mccoll.am>2015-09-07 19:55:09 -0500
commitae454130b0bbdbb60e9d2081eca6d181eb6fa686 (patch)
tree70004a36b926fa4f187bc02d185aab27e4cbc17c /src
parent1b3b3ce19d76ef3d1d492db6d85fd2df52781e2c (diff)
parent786ded65fd2f7a2ef851e9f6f132f5fc5bc962d9 (diff)
Merge branch 'master' into add_name_to_oids
Diffstat (limited to 'src')
-rw-r--r--src/_cffi_src/build_openssl.py19
-rw-r--r--src/_cffi_src/openssl/ssl.py19
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py7
-rw-r--r--src/cryptography/hazmat/bindings/openssl/_conditional.py6
-rw-r--r--src/cryptography/hazmat/bindings/openssl/binding.py6
5 files changed, 46 insertions, 11 deletions
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index 6a5bf2da..defa69d3 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -4,6 +4,7 @@
from __future__ import absolute_import, division, print_function
+import os
import sys
from _cffi_src.utils import build_ffi_for_binding, extra_link_args
@@ -11,15 +12,27 @@ from _cffi_src.utils import build_ffi_for_binding, extra_link_args
def _get_openssl_libraries(platform):
# OpenSSL goes by a different library name on different operating systems.
- if platform != "win32":
+ if platform == "darwin":
+ return _osx_libraries(
+ os.environ.get("CRYPTOGRAPHY_OSX_NO_LINK_FLAGS")
+ )
+ elif platform == "win32":
+ return ["libeay32", "ssleay32", "advapi32",
+ "crypt32", "gdi32", "user32", "ws2_32"]
+ else:
# In some circumstances, the order in which these libs are
# specified on the linker command-line is significant;
# libssl must come before libcrypto
# (http://marc.info/?l=openssl-users&m=135361825921871)
return ["ssl", "crypto"]
+
+
+def _osx_libraries(build_static):
+ # For building statically we don't want to pass the -lssl or -lcrypto flags
+ if build_static == "1":
+ return []
else:
- return ["libeay32", "ssleay32", "advapi32",
- "crypt32", "gdi32", "user32", "ws2_32"]
+ return ["ssl", "crypto"]
_OSX_PRE_INCLUDE = """
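Review bot: `_osx_libraries` receives the raw value of `CRYPTOGRAPHY_OSX_NO_LINK_FLAGS` (a string or `None`) under the name `build_static`, and only the exact string `"1"` selects the static path; any other value, such as `true`, silently falls back to linking `ssl` and `crypto`. Doing the comparison at the call site, `os.environ.get("CRYPTOGRAPHY_OSX_NO_LINK_FLAGS") == "1"`, and testing `if build_static:` in the helper would make the parameter the boolean its name suggests. A docstring on the helper should also say that when it returns an empty list, the OpenSSL that ends up in the extension is decided entirely by the linker flags in the build environment, so whoever produces the build should verify which library was actually linked.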
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 7a7968a1..ccabb872 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -45,6 +45,7 @@ static const long Cryptography_HAS_SSL_OP_NO_TICKET;
static const long Cryptography_HAS_NETBSD_D1_METH;
static const long Cryptography_HAS_NEXTPROTONEG;
static const long Cryptography_HAS_ALPN;
+static const long Cryptography_HAS_SET_CERT_CB;
static const long SSL_FILETYPE_PEM;
static const long SSL_FILETYPE_ASN1;
@@ -204,6 +205,8 @@ Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *);
int SSL_get_error(const SSL *, int);
int SSL_do_handshake(SSL *);
int SSL_shutdown(SSL *);
+int SSL_renegotiate(SSL *);
+int SSL_renegotiate_pending(SSL *);
const char *SSL_get_cipher_list(const SSL *, int);
Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *);
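Review bot: `SSL_renegotiate` and `SSL_renegotiate_pending` are added with no comment on how they are meant to be used together. `SSL_renegotiate` only requests a renegotiation; the handshake itself runs on a later `SSL_do_handshake` or I/O call, and `SSL_renegotiate_pending` reports whether it is still outstanding. A one-line comment ahead of the two declarations would help consumers, for example `/* SSL_renegotiate only schedules a renegotiation; drive it with SSL_do_handshake and poll SSL_renegotiate_pending. */`. Peers often refuse renegotiation, so callers should treat a failure here as an expected outcome rather than an internal error.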
@@ -406,6 +409,12 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *,
void SSL_get0_alpn_selected(const SSL *, const unsigned char **, unsigned *);
long SSL_get_server_tmp_key(SSL *, EVP_PKEY **);
+
+/* SSL_CTX_set_cert_cb is introduced in OpenSSL 1.0.2. To continue to support
+ * earlier versions some special handling of these is necessary.
+ */
+void SSL_CTX_set_cert_cb(SSL_CTX *, int (*)(SSL *, void *), void *);
+void SSL_set_cert_cb(SSL *, int (*)(SSL *, void *), void *);
"""
CUSTOMIZATIONS = """
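Review bot: The comment above the two `*_set_cert_cb` declarations says "some special handling of these is necessary" without saying what a caller has to do. The rest of the commit sets these pointers to `NULL` and lists them under `Cryptography_HAS_SET_CERT_CB` for OpenSSL older than 1.0.2 and for LibreSSL, so the comment should name that flag. Suggested wording: `/* Added in OpenSSL 1.0.2; unavailable on older OpenSSL and on LibreSSL. Check Cryptography_HAS_SET_CERT_CB before use. */`.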
@@ -609,6 +618,16 @@ static const long Cryptography_HAS_ALPN = 0;
static const long Cryptography_HAS_ALPN = 1;
#endif
+/* SSL_CTX_set_cert_cb was added in OpenSSL 1.0.2. */
+#if OPENSSL_VERSION_NUMBER < 0x10002001L || defined(LIBRESSL_VERSION_NUMBER)
+void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL;
+void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL;
+static const long Cryptography_HAS_SET_CERT_CB = 0;
+#else
+static const long Cryptography_HAS_SET_CERT_CB = 1;
+#endif
+
+
#if defined(OPENSSL_NO_COMP) || defined(LIBRESSL_VERSION_NUMBER)
static const long Cryptography_HAS_COMPRESSION = 0;
typedef void COMP_METHOD;
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 8c4abcd6..197bcb8c 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -529,13 +529,6 @@ class Backend(object):
self._binding.init_static_locks()
- # adds all ciphers/digests for EVP
- self._lib.OpenSSL_add_all_algorithms()
- # registers available SSL/TLS ciphers and digests
- self._lib.SSL_library_init()
- # loads error strings for libcrypto and libssl functions
- self._lib.SSL_load_error_strings()
-
self._cipher_registry = {}
self._register_default_ciphers()
self.activate_osrandom_engine()
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index adf00b02..670710b1 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -410,5 +410,9 @@ CONDITIONAL_NAMES = {
],
"Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE": [
"X509_V_FLAG_CHECK_SS_SIGNATURE",
- ]
+ ],
+ "Cryptography_HAS_SET_CERT_CB": [
+ "SSL_CTX_set_cert_cb",
+ "SSL_set_cert_cb",
+ ],
}
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index e18d89c5..50d7f6d5 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -92,6 +92,12 @@ class Binding(object):
if not cls._lib_loaded:
cls.lib = build_conditional_library(lib, CONDITIONAL_NAMES)
cls._lib_loaded = True
+ # initialize the SSL library
+ cls.lib.SSL_library_init()
+ # adds all ciphers/digests for EVP
+ cls.lib.OpenSSL_add_all_algorithms()
+ # loads error strings for libcrypto and libssl functions
+ cls.lib.SSL_load_error_strings()
cls._register_osrandom_engine()
@classmethod
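Review bot: `cls._lib_loaded = True` is set before `SSL_library_init()`, `OpenSSL_add_all_algorithms()` and `SSL_load_error_strings()` run, so a second thread entering this method in that window would see the flag set and could use `cls.lib` before OpenSSL is initialised. The enclosing method starts outside the hunk, so it is not visible whether a lock already serialises it; if none does, the check-then-set on `_lib_loaded` also lets two threads run the init calls concurrently. Moving `cls._lib_loaded = True` to after `cls.lib.SSL_load_error_strings()` closes the first gap, and guarding the block with a class-level lock closes the second.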