-rw-r--r-- | CHANGELOG.rst | 1 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/engine.py | 16 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/rand.py | 23 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/ssl.py | 27 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/x509_vfy.py | 4 | ||||
-rw-r--r-- | tests/hazmat/backends/test_openssl.py | 9 |
6 files changed, 65 insertions, 15 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 97b0d6c7..85c0f581 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -68,6 +68,7 @@ Changelog
 :mod:`~cryptography.hazmat.primitives.asymmetric.rsa`.
 * Added support for parsing X.509 names. See the :doc:`X.509 documentation</x509>` for more information.
+* Fixed building against LibreSSL, a compile-time substitute for OpenSSL.
 0.7.2 - 2015-01-16
 ~~~~~~~~~~~~~~~~~~
diff --git a/src/cryptography/hazmat/bindings/openssl/engine.py b/src/cryptography/hazmat/bindings/openssl/engine.py
index 33c79982..3ebfa6c1 100644
--- a/src/cryptography/hazmat/bindings/openssl/engine.py
+++ b/src/cryptography/hazmat/bindings/openssl/engine.py
@@ -9,6 +9,8 @@ INCLUDES = """
 """
 TYPES = """
+static const long Cryptography_HAS_ENGINE_CRYPTODEV;
+
 typedef ... ENGINE;
 typedef ... RSA_METHOD;
 typedef ... DSA_METHOD;
@@ -49,7 +51,6 @@ int ENGINE_init(ENGINE *);
 int ENGINE_finish(ENGINE *);
 void ENGINE_load_openssl(void);
 void ENGINE_load_dynamic(void);
-void ENGINE_load_cryptodev(void);
 void ENGINE_load_builtin_engines(void);
 void ENGINE_cleanup(void);
 ENGINE *ENGINE_get_default_RSA(void);
@@ -148,9 +149,20 @@ void ENGINE_add_conf_module(void);
 """
 MACROS = """
+void ENGINE_load_cryptodev(void);
 """
 CUSTOMIZATIONS = """
+#if defined(LIBRESSL_VERSION_NUMBER)
+static const long Cryptography_HAS_ENGINE_CRYPTODEV = 0;
+void (*ENGINE_load_cryptodev)(void) = NULL;
+#else
+static const long Cryptography_HAS_ENGINE_CRYPTODEV = 1;
+#endif
 """
-CONDITIONAL_NAMES = {}
+CONDITIONAL_NAMES = {
+ "Cryptography_HAS_ENGINE_CRYPTODEV": [
+ "ENGINE_load_cryptodev"
+ ] }
diff --git a/src/cryptography/hazmat/bindings/openssl/rand.py b/src/cryptography/hazmat/bindings/openssl/rand.py
index c30af921..6330482c 100644
--- a/src/cryptography/hazmat/bindings/openssl/rand.py
+++ b/src/cryptography/hazmat/bindings/openssl/rand.py
@@ -9,6 +9,7 @@ INCLUDES = """
 """
 TYPES = """
+static const long Cryptography_HAS_EGD;
 """
 FUNCTIONS = """
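Review bot: The move of `ENGINE_load_cryptodev` from FUNCTIONS into MACROS in engine.py's third hunk is unexplained, whereas the equivalent move in ssl.py carries the comment `/* not macros, but will be conditionally bound so can't live in functions */`; the same comment should precede the declaration here and in rand.py's MACROS hunk, otherwise the placement reads as a mistake. The LibreSSL branch of CUSTOMIZATIONS also deserves a one-line comment saying the NULL function pointer exists only so the generated wrapper links, and that `CONDITIONAL_NAMES` strips the name from the Python-side binding when `Cryptography_HAS_ENGINE_CRYPTODEV` is 0; that the NULL pointer is never called depends on callers honouring the flag, which these hunks cannot show. The `#if defined(LIBRESSL_VERSION_NUMBER)` form used here and in rand.py differs from `#ifdef LIBRESSL_VERSION_NUMBER` in ssl.py; one form should be used throughout. A trailing comma after `"ENGINE_load_cryptodev"` would match the list style of rand.py and ssl.py.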
@@ -16,9 +17,6 @@ void ERR_load_RAND_strings(void);
 void RAND_seed(const void *, int);
 void RAND_add(const void *, int, double);
 int RAND_status(void);
-int RAND_egd(const char *);
-int RAND_egd_bytes(const char *, int);
-int RAND_query_egd_bytes(const char *, unsigned char *, int);
 const char *RAND_file_name(char *, size_t);
 int RAND_load_file(const char *, long);
 int RAND_write_file(const char *);
@@ -28,9 +26,26 @@ int RAND_pseudo_bytes(unsigned char *, int);
 """
 MACROS = """
+int RAND_egd(const char *);
+int RAND_egd_bytes(const char *, int);
+int RAND_query_egd_bytes(const char *, unsigned char *, int);
 """
 CUSTOMIZATIONS = """
+#if defined(LIBRESSL_VERSION_NUMBER)
+static const long Cryptography_HAS_EGD = 0;
+int (*RAND_egd)(const char *) = NULL;
+int (*RAND_egd_bytes)(const char *, int) = NULL;
+int (*RAND_query_egd_bytes)(const char *, unsigned char *, int) = NULL;
+#else
+static const long Cryptography_HAS_EGD = 1;
+#endif
 """
-CONDITIONAL_NAMES = {}
+CONDITIONAL_NAMES = {
+ "Cryptography_HAS_EGD": [
+ "RAND_egd",
+ "RAND_egd_bytes",
+ "RAND_query_egd_bytes",
+ ] }
diff --git a/src/cryptography/hazmat/bindings/openssl/ssl.py b/src/cryptography/hazmat/bindings/openssl/ssl.py
index bf627139..bc4b2e79 100644
--- a/src/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/src/cryptography/hazmat/bindings/openssl/ssl.py
@@ -19,6 +19,7 @@ static const long Cryptography_HAS_SSL3_METHOD;
 static const long Cryptography_HAS_TLSv1_1;
 static const long Cryptography_HAS_TLSv1_2;
 static const long Cryptography_HAS_SECURE_RENEGOTIATION;
+static const long Cryptography_HAS_COMPRESSION;
 /* Internally invented symbol to tell us if SNI is supported */
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -189,10 +190,6 @@ int SSL_shutdown(SSL *);
 const char *SSL_get_cipher_list(const SSL *, int);
 Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *);
-const COMP_METHOD *SSL_get_current_compression(SSL *);
-const COMP_METHOD *SSL_get_current_expansion(SSL *);
-const char *SSL_COMP_get_name(const COMP_METHOD *);
-
 /* context */
 void SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *, long);
@@ -232,6 +229,11 @@ size_t SSL_get_peer_finished(const SSL *, void *, size_t);
 """
 MACROS = """
+/* not macros, but will be conditionally bound so can't live in functions */
+const COMP_METHOD *SSL_get_current_compression(SSL *);
+const COMP_METHOD *SSL_get_current_expansion(SSL *);
+const char *SSL_COMP_get_name(const COMP_METHOD *);
+
 unsigned long SSL_set_mode(SSL *, unsigned long);
 unsigned long SSL_get_mode(SSL *);
@@ -544,6 +546,17 @@ static const long Cryptography_HAS_ALPN = 0;
 #else
 static const long Cryptography_HAS_ALPN = 1;
 #endif
+/* LibreSSL has removed support for compression, and with it the
+ * COMP_METHOD use in ssl.h. This is a hack to make the function types
+ * in this code match those in ssl.h.
+ */
+#ifdef LIBRESSL_VERSION_NUMBER
+static const long Cryptography_HAS_COMPRESSION = 0;
+typedef void COMP_METHOD;
+#else
+static const long Cryptography_HAS_COMPRESSION = 1;
+#endif
+
 """
 CONDITIONAL_NAMES = {
@@ -626,5 +639,11 @@ CONDITIONAL_NAMES = {
 "SSL_set_alpn_protos",
 "SSL_CTX_set_alpn_select_cb",
 "SSL_get0_alpn_selected",
+ ],
+
+ "Cryptography_HAS_COMPRESSION": [
+ "SSL_get_current_compression",
+ "SSL_get_current_expansion",
+ "SSL_COMP_get_name",
 ]
 }
diff --git a/src/cryptography/hazmat/bindings/openssl/x509_vfy.py b/src/cryptography/hazmat/bindings/openssl/x509_vfy.py
index 6f05f4d7..1f75b86f 100644
--- a/src/cryptography/hazmat/bindings/openssl/x509_vfy.py
+++ b/src/cryptography/hazmat/bindings/openssl/x509_vfy.py
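Review bot: The hack comment above `typedef void COMP_METHOD;` in ssl.py's fourth hunk explains the type mismatch but not why no NULL function-pointer stubs are defined for `SSL_get_current_compression`, `SSL_get_current_expansion` and `SSL_COMP_get_name`, unlike the LibreSSL branches in engine.py and rand.py; presumably LibreSSL still exports these three functions but declares them with `const void *` in place of `const COMP_METHOD *`, which is exactly what the typedef papers over — confirm against the LibreSSL ssl.h in use and say so in the comment, e.g. `/* LibreSSL still exports these three functions but declares them with const void *, so only the type needs patching, not the symbols. */`. If a later LibreSSL release drops the functions entirely, this block will need the same stub pattern as engine.py, so the comment is also the place to record that assumption. The `#ifdef` here versus `#if defined(...)` in the other two files is a minor style inconsistency.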
@@ -191,7 +191,7 @@ int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *);
 CUSTOMIZATIONS = """
 /* OpenSSL 1.0.2+ verification error codes */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
 static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 1;
 #else
 static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0;
@@ -207,7 +207,7 @@ static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
 #endif
 /* OpenSSL 1.0.2+ verification parameters */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
 static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
 #else
 static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0;
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 21e902f1..2bf66a0c 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -71,10 +71,13 @@ class TestOpenSSL(object):
 Unfortunately, this define does not appear to have a formal content definition, so for now we'll test to see
- if it starts with OpenSSL as that appears to be true
- for every OpenSSL.
+ if it starts with OpenSSL or LibreSSL as that appears
+ to be true for every OpenSSL-alike.
 """
- assert backend.openssl_version_text().startswith("OpenSSL")
+ assert (
+ backend.openssl_version_text().startswith("OpenSSL") or
+ backend.openssl_version_text().startswith("LibreSSL")
+ )
 def test_supports_cipher(self):
 assert backend.cipher_supported(None, None) is False
|
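Review bot: The `&& !defined(LIBRESSL_VERSION_NUMBER)` added to both `#if` lines in x509_vfy.py is left without a reason, and the reason is not obvious from the line itself: the commit is only needed because LibreSSL evidently satisfies the `OPENSSL_VERSION_NUMBER >= 0x10002000L` test while not providing these 1.0.2 verification additions. The existing comment should carry that, e.g. `/* OpenSSL 1.0.2+ verification error codes; LibreSSL passes the version test but does not ship them */`, and the parameters block in the second hunk should get the matching wording. Any other `OPENSSL_VERSION_NUMBER >= 0x10002000L` guard in the bindings — the ALPN one whose `#else` side is visible as context in ssl.py's fourth hunk, for instance — is presumably exposed to the same misfire and is worth checking, since an unguarded one would report a feature flag as 1 for a library that cannot back it. These flags gate the verification-parameter bindings (the hunk header names `X509_VERIFY_PARAM_set1_ip_asc`), so a wrong value here shows up in certificate-validation code paths rather than at build time.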
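Review bot: The new assertion in test_openssl.py calls `backend.openssl_version_text()` twice, and the two-call `or` form is what forced the parenthesised layout; `str.startswith` accepts a tuple, so a single call does the same job: `assert backend.openssl_version_text().startswith(("OpenSSL", "LibreSSL"))`. The updated docstring says "every OpenSSL-alike", which is broader than what the test actually accepts — it would read more accurately as "for OpenSSL and LibreSSL". The enclosing test method's `def` line and the opening of its docstring lie above the hunk.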