Merge pull request #1679 from reaperhulk/libre-support

LibreSSL support

4 files changed, 58 insertions, 12 deletions

diff --git a/src/cryptography/hazmat/bindings/openssl/engine.py b/src/cryptography/hazmat/bindings/openssl/engine.py
index 33c79982..3ebfa6c1 100644
--- a/src/cryptography/hazmat/bindings/openssl/engine.py
+++ b/src/cryptography/hazmat/bindings/openssl/engine.py
@@ -9,6 +9,8 @@ INCLUDES = """
 """
 
 TYPES = """
+static const long Cryptography_HAS_ENGINE_CRYPTODEV;
+
 typedef ... ENGINE;
 typedef ... RSA_METHOD;
 typedef ... DSA_METHOD;
@@ -49,7 +51,6 @@ int ENGINE_init(ENGINE *);
 int ENGINE_finish(ENGINE *);
 void ENGINE_load_openssl(void);
 void ENGINE_load_dynamic(void);
-void ENGINE_load_cryptodev(void);
 void ENGINE_load_builtin_engines(void);
 void ENGINE_cleanup(void);
 ENGINE *ENGINE_get_default_RSA(void);
@@ -148,9 +149,20 @@ void ENGINE_add_conf_module(void);
 """
 
 MACROS = """
+void ENGINE_load_cryptodev(void);
 """
 
 CUSTOMIZATIONS = """
+#if defined(LIBRESSL_VERSION_NUMBER)
+static const long Cryptography_HAS_ENGINE_CRYPTODEV = 0;
+void (*ENGINE_load_cryptodev)(void) = NULL;
+#else
+static const long Cryptography_HAS_ENGINE_CRYPTODEV = 1;
+#endif
 """
 
-CONDITIONAL_NAMES = {}
+CONDITIONAL_NAMES = {
+    "Cryptography_HAS_ENGINE_CRYPTODEV": [
+        "ENGINE_load_cryptodev"
+    ]
+}
diff --git a/src/cryptography/hazmat/bindings/openssl/rand.py b/src/cryptography/hazmat/bindings/openssl/rand.py
index c30af921..6330482c 100644
--- a/src/cryptography/hazmat/bindings/openssl/rand.py
+++ b/src/cryptography/hazmat/bindings/openssl/rand.py
@@ -9,6 +9,7 @@ INCLUDES = """
 """
 
 TYPES = """
+static const long Cryptography_HAS_EGD;
 """
 
 FUNCTIONS = """
@@ -16,9 +17,6 @@ void ERR_load_RAND_strings(void);
 void RAND_seed(const void *, int);
 void RAND_add(const void *, int, double);
 int RAND_status(void);
-int RAND_egd(const char *);
-int RAND_egd_bytes(const char *, int);
-int RAND_query_egd_bytes(const char *, unsigned char *, int);
 const char *RAND_file_name(char *, size_t);
 int RAND_load_file(const char *, long);
 int RAND_write_file(const char *);
@@ -28,9 +26,26 @@ int RAND_pseudo_bytes(unsigned char *, int);
 """
 
 MACROS = """
+int RAND_egd(const char *);
+int RAND_egd_bytes(const char *, int);
+int RAND_query_egd_bytes(const char *, unsigned char *, int);
 """
 
 CUSTOMIZATIONS = """
+#if defined(LIBRESSL_VERSION_NUMBER)
+static const long Cryptography_HAS_EGD = 0;
+int (*RAND_egd)(const char *) = NULL;
+int (*RAND_egd_bytes)(const char *, int) = NULL;
+int (*RAND_query_egd_bytes)(const char *, unsigned char *, int) = NULL;
+#else
+static const long Cryptography_HAS_EGD = 1;
+#endif
 """
 
-CONDITIONAL_NAMES = {}
+CONDITIONAL_NAMES = {
+    "Cryptography_HAS_EGD": [
+        "RAND_egd",
+        "RAND_egd_bytes",
+        "RAND_query_egd_bytes",
+    ]
+}
diff --git a/src/cryptography/hazmat/bindings/openssl/ssl.py b/src/cryptography/hazmat/bindings/openssl/ssl.py
index bf627139..bc4b2e79 100644
--- a/src/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/src/cryptography/hazmat/bindings/openssl/ssl.py
@@ -19,6 +19,7 @@ static const long Cryptography_HAS_SSL3_METHOD;
 static const long Cryptography_HAS_TLSv1_1;
 static const long Cryptography_HAS_TLSv1_2;
 static const long Cryptography_HAS_SECURE_RENEGOTIATION;
+static const long Cryptography_HAS_COMPRESSION;
 
 /* Internally invented symbol to tell us if SNI is supported */
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -189,10 +190,6 @@ int SSL_shutdown(SSL *);
 const char *SSL_get_cipher_list(const SSL *, int);
 Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *);
 
-const COMP_METHOD *SSL_get_current_compression(SSL *);
-const COMP_METHOD *SSL_get_current_expansion(SSL *);
-const char *SSL_COMP_get_name(const COMP_METHOD *);
-
 /*  context */
 void SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *, long);
@@ -232,6 +229,11 @@ size_t SSL_get_peer_finished(const SSL *, void *, size_t);
 """
 
 MACROS = """
+/* not macros, but will be conditionally bound so can't live in functions */
+const COMP_METHOD *SSL_get_current_compression(SSL *);
+const COMP_METHOD *SSL_get_current_expansion(SSL *);
+const char *SSL_COMP_get_name(const COMP_METHOD *);
+
 unsigned long SSL_set_mode(SSL *, unsigned long);
 unsigned long SSL_get_mode(SSL *);
 
@@ -544,6 +546,17 @@ static const long Cryptography_HAS_ALPN = 0;
 #else
 static const long Cryptography_HAS_ALPN = 1;
 #endif
+/* LibreSSL has removed support for compression, and with it the
+ * COMP_METHOD use in ssl.h. This is a hack to make the function types
+ * in this code match those in ssl.h.
+ */
+#ifdef LIBRESSL_VERSION_NUMBER
+static const long Cryptography_HAS_COMPRESSION = 0;
+typedef void COMP_METHOD;
+#else
+static const long Cryptography_HAS_COMPRESSION = 1;
+#endif
+
 """
 
 CONDITIONAL_NAMES = {
@@ -626,5 +639,11 @@ CONDITIONAL_NAMES = {
         "SSL_set_alpn_protos",
         "SSL_CTX_set_alpn_select_cb",
         "SSL_get0_alpn_selected",
+    ],
+
+    "Cryptography_HAS_COMPRESSION": [
+        "SSL_get_current_compression",
+        "SSL_get_current_expansion",
+        "SSL_COMP_get_name",
     ]
 }
diff --git a/src/cryptography/hazmat/bindings/openssl/x509_vfy.py b/src/cryptography/hazmat/bindings/openssl/x509_vfy.py
index 6f05f4d7..1f75b86f 100644
--- a/src/cryptography/hazmat/bindings/openssl/x509_vfy.py
+++ b/src/cryptography/hazmat/bindings/openssl/x509_vfy.py
@@ -191,7 +191,7 @@ int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *);
 
 CUSTOMIZATIONS = """
 /* OpenSSL 1.0.2+ verification error codes */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
 static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 1;
 #else
 static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0;
@@ -207,7 +207,7 @@ static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
 #endif
 
 /* OpenSSL 1.0.2+ verification parameters */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
 static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
 #else
 static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0;