diff options
Diffstat (limited to 'cryptography/hazmat/backends')
25 files changed, 663 insertions, 175 deletions
diff --git a/cryptography/hazmat/backends/interfaces.py b/cryptography/hazmat/backends/interfaces.py index 912476bb..9a570968 100644 --- a/cryptography/hazmat/backends/interfaces.py +++ b/cryptography/hazmat/backends/interfaces.py @@ -60,6 +60,13 @@ class HashBackend(six.with_metaclass(abc.ABCMeta)): class HMACBackend(six.with_metaclass(abc.ABCMeta)): @abc.abstractmethod + def hmac_supported(self, algorithm): + """ + Return True if the hash algorithm is supported for HMAC by this + backend. + """ + + @abc.abstractmethod def create_hmac_ctx(self, key, algorithm): """ Create a HashContext for calculating a message authentication code. diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index 719a523c..aeaf316e 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -16,7 +16,24 @@ INCLUDES = """ """ TYPES = """ -typedef ... time_t; +/* + * TODO: This typedef is wrong. + * + * This is due to limitations of cffi. + * See https://bitbucket.org/cffi/cffi/issue/69 + * + * For another possible work-around (not used here because it involves more + * complicated use of the cffi API which falls outside the general pattern used + * by this package), see + * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ + * + * The work-around used here is to just be sure to declare a type that is at + * least as large as the real type. Maciej explains: + * + * <fijal> I think you want to declare your value too large (e.g. long) + * <fijal> that way you'll never pass garbage + */ +typedef intptr_t time_t; typedef int ASN1_BOOLEAN; typedef ... ASN1_INTEGER; @@ -41,7 +58,7 @@ typedef ... ASN1_VALUE; typedef struct { ...; } ASN1_TIME; -typedef const ASN1_ITEM ASN1_ITEM_EXP; +typedef ... ASN1_ITEM_EXP; typedef ... ASN1_UTCTIME; @@ -51,7 +68,7 @@ static const int MBSTRING_UTF8; """ FUNCTIONS = """ -ASN1_OBJECT *ASN1_OBJECT_new(); +ASN1_OBJECT *ASN1_OBJECT_new(void); void ASN1_OBJECT_free(ASN1_OBJECT *); /* ASN1 OBJECT IDENTIFIER */ @@ -59,7 +76,7 @@ ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **, const unsigned char **, long); int i2d_ASN1_OBJECT(ASN1_OBJECT *, unsigned char **); /* ASN1 STRING */ -ASN1_STRING *ASN1_STRING_new(); +ASN1_STRING *ASN1_STRING_new(void); ASN1_STRING *ASN1_STRING_type_new(int); void ASN1_STRING_free(ASN1_STRING *); unsigned char *ASN1_STRING_data(ASN1_STRING *); @@ -68,18 +85,18 @@ int ASN1_STRING_type(ASN1_STRING *); int ASN1_STRING_to_UTF8(unsigned char **, ASN1_STRING *); /* ASN1 OCTET STRING */ -ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(); +ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(void); void ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *); int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *, const unsigned char *, int); /* ASN1 INTEGER */ -ASN1_INTEGER *ASN1_INTEGER_new(); +ASN1_INTEGER *ASN1_INTEGER_new(void); void ASN1_INTEGER_free(ASN1_INTEGER *); int ASN1_INTEGER_set(ASN1_INTEGER *, long); int i2a_ASN1_INTEGER(BIO *, ASN1_INTEGER *); /* ASN1 TIME */ -ASN1_TIME *ASN1_TIME_new(); +ASN1_TIME *ASN1_TIME_new(void); ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *, ASN1_GENERALIZEDTIME **); @@ -92,7 +109,7 @@ void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *); int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *); /* ASN1 ENUMERATED */ -ASN1_ENUMERATED *ASN1_ENUMERATED_new(); +ASN1_ENUMERATED *ASN1_ENUMERATED_new(void); void ASN1_ENUMERATED_free(ASN1_ENUMERATED *); int ASN1_ENUMERATED_set(ASN1_ENUMERATED *, long); @@ -102,7 +119,7 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **, const unsigned char **, long, MACROS = """ ASN1_TIME *M_ASN1_TIME_dup(void *); -ASN1_ITEM *ASN1_ITEM_ptr(ASN1_ITEM *); +const ASN1_ITEM *ASN1_ITEM_ptr(ASN1_ITEM_EXP *); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ @@ -118,7 +135,10 @@ int ASN1_INTEGER_cmp(ASN1_INTEGER *, ASN1_INTEGER *); long ASN1_INTEGER_get(ASN1_INTEGER *); BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *, BIGNUM *); +ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *, ASN1_INTEGER *); """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index bd092bec..6231aadb 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -56,7 +56,22 @@ _OSX_POST_INCLUDE = """ class Backend(object): """ OpenSSL API wrapper. + + Modules listed in the ``_modules`` listed should have the following + attributes: + + * ``INCLUDES``: A string containg C includes. + * ``TYPES``: A string containing C declarations for types. + * ``FUNCTIONS``: A string containing C declarations for functions. + * ``MACROS``: A string containing C declarations for any macros. + * ``CUSTOMIZATIONS``: A string containing arbitrary top-level C code, this + can be used to do things like test for a define and provide an + alternate implementation based on that. + * ``CONDITIONAL_NAMES``: A dict mapping strings of condition names from the + library to a list of names which will not be present without the + condition. """ + _module_prefix = "cryptography.hazmat.backends.openssl." _modules = [ "asn1", "bignum", @@ -70,6 +85,7 @@ class Backend(object): "evp", "hmac", "nid", + "objects", "opensslv", "pem", "pkcs7", @@ -102,7 +118,7 @@ class Backend(object): macros = [] customizations = [] for name in cls._modules: - module_name = "cryptography.hazmat.backends.openssl." + name + module_name = cls._module_prefix + name __import__(module_name) module = sys.modules[module_name] @@ -141,6 +157,14 @@ class Backend(object): libraries=["crypto", "ssl"], ) + for name in cls._modules: + module_name = cls._module_prefix + name + module = sys.modules[module_name] + for condition, names in module.CONDITIONAL_NAMES.items(): + if not getattr(lib, condition): + for name in names: + delattr(lib, name) + cls.ffi = ffi cls.lib = lib cls.lib.OpenSSL_add_all_algorithms() @@ -161,6 +185,9 @@ class Backend(object): digest = self.lib.EVP_get_digestbyname(algorithm.name.encode("ascii")) return digest != self.ffi.NULL + def hmac_supported(self, algorithm): + return self.hash_supported(algorithm) + def create_hash_ctx(self, algorithm): return _HashContext(self, algorithm) @@ -276,6 +303,11 @@ class _CipherContext(object): self._operation = operation self._tag = None + if isinstance(self._cipher, interfaces.BlockCipherAlgorithm): + self._block_size = self._cipher.block_size + else: + self._block_size = 1 + ctx = self._backend.lib.EVP_CIPHER_CTX_new() ctx = self._backend.ffi.gc(ctx, self._backend.lib.EVP_CIPHER_CTX_free) @@ -283,11 +315,19 @@ class _CipherContext(object): try: adapter = registry[type(cipher), type(mode)] except KeyError: - raise UnsupportedAlgorithm + raise UnsupportedAlgorithm( + "cipher {0} in {1} mode is not supported " + "by this backend".format( + cipher.name, mode.name if mode else mode) + ) evp_cipher = adapter(self._backend, cipher, mode) if evp_cipher == self._backend.ffi.NULL: - raise UnsupportedAlgorithm + raise UnsupportedAlgorithm( + "cipher {0} in {1} mode is not supported " + "by this backend".format( + cipher.name, mode.name if mode else mode) + ) if isinstance(mode, interfaces.ModeWithInitializationVector): iv_nonce = mode.initialization_vector @@ -309,16 +349,16 @@ class _CipherContext(object): assert res != 0 if isinstance(mode, GCM): res = self._backend.lib.EVP_CIPHER_CTX_ctrl( - ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_IVLEN, + ctx, self._backend.lib.EVP_CTRL_GCM_SET_IVLEN, len(iv_nonce), self._backend.ffi.NULL ) assert res != 0 if operation == self._DECRYPT: - if not mode.tag: - raise ValueError("Authentication tag must be supplied " - "when decrypting") + if not mode.tag or len(mode.tag) < 4: + raise ValueError("Authentication tag must be provided and " + "be 4 bytes or longer when decrypting") res = self._backend.lib.EVP_CIPHER_CTX_ctrl( - ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG, + ctx, self._backend.lib.EVP_CTRL_GCM_SET_TAG, len(mode.tag), mode.tag ) assert res != 0 @@ -341,7 +381,7 @@ class _CipherContext(object): def update(self, data): buf = self._backend.ffi.new("unsigned char[]", - len(data) + self._cipher.block_size - 1) + len(data) + self._block_size - 1) outlen = self._backend.ffi.new("int *") res = self._backend.lib.EVP_CipherUpdate(self._ctx, buf, outlen, data, len(data)) @@ -349,7 +389,7 @@ class _CipherContext(object): return self._backend.ffi.buffer(buf)[:outlen[0]] def finalize(self): - buf = self._backend.ffi.new("unsigned char[]", self._cipher.block_size) + buf = self._backend.ffi.new("unsigned char[]", self._block_size) outlen = self._backend.ffi.new("int *") res = self._backend.lib.EVP_CipherFinal_ex(self._ctx, buf, outlen) if res == 0: @@ -357,10 +397,10 @@ class _CipherContext(object): if (isinstance(self._mode, GCM) and self._operation == self._ENCRYPT): - block_byte_size = self._cipher.block_size // 8 + block_byte_size = self._block_size // 8 tag_buf = self._backend.ffi.new("unsigned char[]", block_byte_size) res = self._backend.lib.EVP_CIPHER_CTX_ctrl( - self._ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_GET_TAG, + self._ctx, self._backend.lib.EVP_CTRL_GCM_GET_TAG, block_byte_size, tag_buf ) assert res != 0 @@ -395,7 +435,11 @@ class _HashContext(object): self._backend.lib.EVP_MD_CTX_destroy) evp_md = self._backend.lib.EVP_get_digestbyname( algorithm.name.encode("ascii")) - assert evp_md != self._backend.ffi.NULL + if evp_md == self._backend.ffi.NULL: + raise UnsupportedAlgorithm( + "{0} is not a supported hash on this backend".format( + algorithm.name) + ) res = self._backend.lib.EVP_DigestInit_ex(ctx, evp_md, self._backend.ffi.NULL) assert res != 0 @@ -437,7 +481,11 @@ class _HMACContext(object): ctx = self._backend.ffi.gc(ctx, self._backend.lib.HMAC_CTX_cleanup) evp_md = self._backend.lib.EVP_get_digestbyname( algorithm.name.encode('ascii')) - assert evp_md != self._backend.ffi.NULL + if evp_md == self._backend.ffi.NULL: + raise UnsupportedAlgorithm( + "{0} is not a supported hash on this backend".format( + algorithm.name) + ) res = self._backend.lib.Cryptography_HMAC_Init_ex( ctx, key, len(key), evp_md, self._backend.ffi.NULL ) diff --git a/cryptography/hazmat/backends/openssl/bignum.py b/cryptography/hazmat/backends/openssl/bignum.py index 1b0fe5ab..59efd171 100644 --- a/cryptography/hazmat/backends/openssl/bignum.py +++ b/cryptography/hazmat/backends/openssl/bignum.py @@ -17,11 +17,28 @@ INCLUDES = """ TYPES = """ typedef ... BIGNUM; -typedef ... BN_ULONG; +/* + * TODO: This typedef is wrong. + * + * This is due to limitations of cffi. + * See https://bitbucket.org/cffi/cffi/issue/69 + * + * For another possible work-around (not used here because it involves more + * complicated use of the cffi API which falls outside the general pattern used + * by this package), see + * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ + * + * The work-around used here is to just be sure to declare a type that is at + * least as large as the real type. Maciej explains: + * + * <fijal> I think you want to declare your value too large (e.g. long) + * <fijal> that way you'll never pass garbage + */ +typedef uintptr_t BN_ULONG; """ FUNCTIONS = """ -BIGNUM *BN_new(); +BIGNUM *BN_new(void); void BN_free(BIGNUM *); int BN_set_word(BIGNUM *, BN_ULONG); @@ -38,3 +55,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/bio.py b/cryptography/hazmat/backends/openssl/bio.py index c23dd0d8..279ad223 100644 --- a/cryptography/hazmat/backends/openssl/bio.py +++ b/cryptography/hazmat/backends/openssl/bio.py @@ -50,6 +50,49 @@ struct bio_st { ...; }; typedef ... BUF_MEM; + +static const int BIO_TYPE_MEM; +static const int BIO_TYPE_FILE; +static const int BIO_TYPE_FD; +static const int BIO_TYPE_SOCKET; +static const int BIO_TYPE_CONNECT; +static const int BIO_TYPE_ACCEPT; +static const int BIO_TYPE_NULL; +static const int BIO_CLOSE; +static const int BIO_NOCLOSE; +static const int BIO_TYPE_SOURCE_SINK; +static const int BIO_CTRL_RESET; +static const int BIO_CTRL_EOF; +static const int BIO_CTRL_SET; +static const int BIO_CTRL_SET_CLOSE; +static const int BIO_CTRL_FLUSH; +static const int BIO_CTRL_DUP; +static const int BIO_CTRL_GET_CLOSE; +static const int BIO_CTRL_INFO; +static const int BIO_CTRL_GET; +static const int BIO_CTRL_PENDING; +static const int BIO_CTRL_WPENDING; +static const int BIO_C_FILE_SEEK; +static const int BIO_C_FILE_TELL; +static const int BIO_TYPE_NONE; +static const int BIO_TYPE_PROXY_CLIENT; +static const int BIO_TYPE_PROXY_SERVER; +static const int BIO_TYPE_NBIO_TEST; +static const int BIO_TYPE_BER; +static const int BIO_TYPE_BIO; +static const int BIO_TYPE_DESCRIPTOR; +static const int BIO_FLAGS_READ; +static const int BIO_FLAGS_WRITE; +static const int BIO_FLAGS_IO_SPECIAL; +static const int BIO_FLAGS_RWS; +static const int BIO_FLAGS_SHOULD_RETRY; +static const int BIO_TYPE_NULL_FILTER; +static const int BIO_TYPE_SSL; +static const int BIO_TYPE_MD; +static const int BIO_TYPE_BUFFER; +static const int BIO_TYPE_CIPHER; +static const int BIO_TYPE_BASE64; +static const int BIO_TYPE_FILTER; """ FUNCTIONS = """ @@ -63,16 +106,16 @@ BIO *BIO_pop(BIO *); BIO *BIO_next(BIO *); BIO *BIO_find_type(BIO *, int); int BIO_method_type(const BIO *); -BIO_METHOD *BIO_s_mem(); +BIO_METHOD *BIO_s_mem(void); BIO *BIO_new_mem_buf(void *, int); -BIO_METHOD *BIO_s_file(); +BIO_METHOD *BIO_s_file(void); BIO *BIO_new_file(const char *, const char *); BIO *BIO_new_fp(FILE *, int); -BIO_METHOD *BIO_s_fd(); +BIO_METHOD *BIO_s_fd(void); BIO *BIO_new_fd(int, int); -BIO_METHOD *BIO_s_socket(); +BIO_METHOD *BIO_s_socket(void); BIO *BIO_new_socket(int, int); -BIO_METHOD *BIO_s_null(); +BIO_METHOD *BIO_s_null(void); long BIO_ctrl(BIO *, int, long, void *); long BIO_callback_ctrl( BIO *, @@ -87,8 +130,8 @@ int BIO_read(BIO *, void *, int); int BIO_gets(BIO *, char *, int); int BIO_write(BIO *, const void *, int); int BIO_puts(BIO *, const char *); -BIO_METHOD *BIO_f_null(); -BIO_METHOD *BIO_f_buffer(); +BIO_METHOD *BIO_f_null(void); +BIO_METHOD *BIO_f_buffer(void); """ MACROS = """ @@ -100,10 +143,10 @@ long BIO_set_mem_buf(BIO *, BUF_MEM *, int); long BIO_get_mem_ptr(BIO *, BUF_MEM **); long BIO_set_fp(BIO *, FILE *, int); long BIO_get_fp(BIO *, FILE **); -int BIO_read_filename(BIO *, char *); -int BIO_write_filename(BIO *, char *); -int BIO_append_filename(BIO *, char *); -int BIO_rw_filename(BIO *, char *); +long BIO_read_filename(BIO *, char *); +long BIO_write_filename(BIO *, char *); +long BIO_append_filename(BIO *, char *); +long BIO_rw_filename(BIO *, char *); int BIO_should_read(BIO *); int BIO_should_write(BIO *); int BIO_should_io_special(BIO *); @@ -125,49 +168,9 @@ long BIO_set_read_buffer_size(BIO *, long); long BIO_set_write_buffer_size(BIO *, long); long BIO_set_buffer_size(BIO *, long); long BIO_set_buffer_read_data(BIO *, void *, long); -#define BIO_TYPE_MEM ... -#define BIO_TYPE_FILE ... -#define BIO_TYPE_FD ... -#define BIO_TYPE_SOCKET ... -#define BIO_TYPE_CONNECT ... -#define BIO_TYPE_ACCEPT ... -#define BIO_TYPE_NULL ... -#define BIO_CLOSE ... -#define BIO_NOCLOSE ... -#define BIO_TYPE_SOURCE_SINK ... -#define BIO_CTRL_RESET ... -#define BIO_CTRL_EOF ... -#define BIO_CTRL_SET ... -#define BIO_CTRL_SET_CLOSE ... -#define BIO_CTRL_FLUSH ... -#define BIO_CTRL_DUP ... -#define BIO_CTRL_GET_CLOSE ... -#define BIO_CTRL_INFO ... -#define BIO_CTRL_GET ... -#define BIO_CTRL_PENDING ... -#define BIO_CTRL_WPENDING ... -#define BIO_C_FILE_SEEK ... -#define BIO_C_FILE_TELL ... -#define BIO_TYPE_NONE ... -#define BIO_TYPE_PROXY_CLIENT ... -#define BIO_TYPE_PROXY_SERVER ... -#define BIO_TYPE_NBIO_TEST ... -#define BIO_TYPE_BER ... -#define BIO_TYPE_BIO ... -#define BIO_TYPE_DESCRIPTOR ... -#define BIO_FLAGS_READ ... -#define BIO_FLAGS_WRITE ... -#define BIO_FLAGS_IO_SPECIAL ... -#define BIO_FLAGS_RWS ... -#define BIO_FLAGS_SHOULD_RETRY ... -#define BIO_TYPE_NULL_FILTER ... -#define BIO_TYPE_SSL ... -#define BIO_TYPE_MD ... -#define BIO_TYPE_BUFFER ... -#define BIO_TYPE_CIPHER ... -#define BIO_TYPE_BASE64 ... -#define BIO_TYPE_FILTER ... """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/conf.py b/cryptography/hazmat/backends/openssl/conf.py index 4846252c..6d818cf1 100644 --- a/cryptography/hazmat/backends/openssl/conf.py +++ b/cryptography/hazmat/backends/openssl/conf.py @@ -27,3 +27,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/crypto.py b/cryptography/hazmat/backends/openssl/crypto.py index 773d9b14..835be14b 100644 --- a/cryptography/hazmat/backends/openssl/crypto.py +++ b/cryptography/hazmat/backends/openssl/crypto.py @@ -16,25 +16,38 @@ INCLUDES = """ """ TYPES = """ +static const int SSLEAY_VERSION; +static const int SSLEAY_CFLAGS; +static const int SSLEAY_PLATFORM; +static const int SSLEAY_DIR; +static const int SSLEAY_BUILT_ON; +static const int CRYPTO_MEM_CHECK_ON; +static const int CRYPTO_MEM_CHECK_OFF; +static const int CRYPTO_MEM_CHECK_ENABLE; +static const int CRYPTO_MEM_CHECK_DISABLE; """ FUNCTIONS = """ +unsigned long SSLeay(void); +const char *SSLeay_version(int); + void CRYPTO_free(void *); int CRYPTO_mem_ctrl(int); -int CRYPTO_is_mem_check_on(); +int CRYPTO_is_mem_check_on(void); void CRYPTO_mem_leaks(struct bio_st *); -void CRYPTO_cleanup_all_ex_data(); +void CRYPTO_cleanup_all_ex_data(void); + +void OPENSSL_free(void *); """ MACROS = """ void CRYPTO_add(int *, int, int); -void CRYPTO_malloc_init(); -void CRYPTO_malloc_debug_init(); -#define CRYPTO_MEM_CHECK_ON ... -#define CRYPTO_MEM_CHECK_OFF ... -#define CRYPTO_MEM_CHECK_ENABLE ... -#define CRYPTO_MEM_CHECK_DISABLE ... +void CRYPTO_malloc_init(void); +void CRYPTO_malloc_debug_init(void); + """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/dh.py b/cryptography/hazmat/backends/openssl/dh.py index b8fbf368..3c12fbc6 100644 --- a/cryptography/hazmat/backends/openssl/dh.py +++ b/cryptography/hazmat/backends/openssl/dh.py @@ -20,7 +20,7 @@ typedef ... DH; """ FUNCTIONS = """ -DH *DH_new(); +DH *DH_new(void); void DH_free(DH *); """ @@ -29,3 +29,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/dsa.py b/cryptography/hazmat/backends/openssl/dsa.py index e6c369a6..3b77d7ae 100644 --- a/cryptography/hazmat/backends/openssl/dsa.py +++ b/cryptography/hazmat/backends/openssl/dsa.py @@ -31,3 +31,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/engine.py b/cryptography/hazmat/backends/openssl/engine.py index 1f377665..390bfde1 100644 --- a/cryptography/hazmat/backends/openssl/engine.py +++ b/cryptography/hazmat/backends/openssl/engine.py @@ -17,11 +17,36 @@ INCLUDES = """ TYPES = """ typedef ... ENGINE; +typedef ... RSA_METHOD; +typedef ... DSA_METHOD; +typedef ... ECDH_METHOD; +typedef ... ECDSA_METHOD; +typedef ... DH_METHOD; +typedef ... RAND_METHOD; +typedef ... STORE_METHOD; +typedef ... ENGINE_GEN_INT_FUNC_PTR; +typedef ... ENGINE_CTRL_FUNC_PTR; +typedef ... ENGINE_LOAD_KEY_PTR; +typedef ... ENGINE_CIPHERS_PTR; +typedef ... ENGINE_DIGESTS_PTR; +typedef ... ENGINE_CMD_DEFN; +typedef ... UI_METHOD; + +static const unsigned int ENGINE_METHOD_RSA; +static const unsigned int ENGINE_METHOD_DSA; +static const unsigned int ENGINE_METHOD_RAND; +static const unsigned int ENGINE_METHOD_ECDH; +static const unsigned int ENGINE_METHOD_ECDSA; +static const unsigned int ENGINE_METHOD_CIPHERS; +static const unsigned int ENGINE_METHOD_DIGESTS; +static const unsigned int ENGINE_METHOD_STORE; +static const unsigned int ENGINE_METHOD_ALL; +static const unsigned int ENGINE_METHOD_NONE; """ FUNCTIONS = """ -ENGINE *ENGINE_get_first(); -ENGINE *ENGINE_get_last(); +ENGINE *ENGINE_get_first(void); +ENGINE *ENGINE_get_last(void); ENGINE *ENGINE_get_next(ENGINE *); ENGINE *ENGINE_get_prev(ENGINE *); int ENGINE_add(ENGINE *); @@ -29,16 +54,20 @@ int ENGINE_remove(ENGINE *); ENGINE *ENGINE_by_id(const char *); int ENGINE_init(ENGINE *); int ENGINE_finish(ENGINE *); -int ENGINE_free(ENGINE *); -void ENGINE_cleanup(); -void ENGINE_load_dynamic(); -void ENGINE_load_builtin_engines(); -int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int); -int ENGINE_set_default(ENGINE *, unsigned int); -int ENGINE_register_complete(ENGINE *); - +void ENGINE_load_openssl(void); +void ENGINE_load_dynamic(void); +void ENGINE_load_cryptodev(void); +void ENGINE_load_builtin_engines(void); +void ENGINE_cleanup(void); +ENGINE *ENGINE_get_default_RSA(void); +ENGINE *ENGINE_get_default_DSA(void); +ENGINE *ENGINE_get_default_ECDH(void); +ENGINE *ENGINE_get_default_ECDSA(void); +ENGINE *ENGINE_get_default_DH(void); +ENGINE *ENGINE_get_default_RAND(void); +ENGINE *ENGINE_get_cipher_engine(int); +ENGINE *ENGINE_get_digest_engine(int); int ENGINE_set_default_RSA(ENGINE *); -int ENGINE_set_default_string(ENGINE *, const char *); int ENGINE_set_default_DSA(ENGINE *); int ENGINE_set_default_ECDH(ENGINE *); int ENGINE_set_default_ECDSA(ENGINE *); @@ -46,20 +75,89 @@ int ENGINE_set_default_DH(ENGINE *); int ENGINE_set_default_RAND(ENGINE *); int ENGINE_set_default_ciphers(ENGINE *); int ENGINE_set_default_digests(ENGINE *); +int ENGINE_set_default_string(ENGINE *, const char *); +int ENGINE_set_default(ENGINE *, unsigned int); +unsigned int ENGINE_get_table_flags(void); +void ENGINE_set_table_flags(unsigned int); +int ENGINE_register_RSA(ENGINE *); +void ENGINE_unregister_RSA(ENGINE *); +void ENGINE_register_all_RSA(void); +int ENGINE_register_DSA(ENGINE *); +void ENGINE_unregister_DSA(ENGINE *); +void ENGINE_register_all_DSA(void); +int ENGINE_register_ECDH(ENGINE *); +void ENGINE_unregister_ECDH(ENGINE *); +void ENGINE_register_all_ECDH(void); +int ENGINE_register_ECDSA(ENGINE *); +void ENGINE_unregister_ECDSA(ENGINE *); +void ENGINE_register_all_ECDSA(void); +int ENGINE_register_DH(ENGINE *); +void ENGINE_unregister_DH(ENGINE *); +void ENGINE_register_all_DH(void); +int ENGINE_register_RAND(ENGINE *); +void ENGINE_unregister_RAND(ENGINE *); +void ENGINE_register_all_RAND(void); +int ENGINE_register_STORE(ENGINE *); +void ENGINE_unregister_STORE(ENGINE *); +void ENGINE_register_all_STORE(void); +int ENGINE_register_ciphers(ENGINE *); +void ENGINE_unregister_ciphers(ENGINE *); +void ENGINE_register_all_ciphers(void); +int ENGINE_register_digests(ENGINE *); +void ENGINE_unregister_digests(ENGINE *); +void ENGINE_register_all_digests(void); +int ENGINE_register_complete(ENGINE *); +int ENGINE_register_all_complete(void); +int ENGINE_ctrl(ENGINE *, int, long, void *, void (*)(void)); +int ENGINE_cmd_is_executable(ENGINE *, int); +int ENGINE_ctrl_cmd(ENGINE *, const char *, long, void *, void (*)(void), int); +int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int); + +ENGINE *ENGINE_new(void); +int ENGINE_free(ENGINE *); +int ENGINE_up_ref(ENGINE *); +int ENGINE_set_id(ENGINE *, const char *); +int ENGINE_set_name(ENGINE *, const char *); +int ENGINE_set_RSA(ENGINE *, const RSA_METHOD *); +int ENGINE_set_DSA(ENGINE *, const DSA_METHOD *); +int ENGINE_set_ECDH(ENGINE *, const ECDH_METHOD *); +int ENGINE_set_ECDSA(ENGINE *, const ECDSA_METHOD *); +int ENGINE_set_DH(ENGINE *, const DH_METHOD *); +int ENGINE_set_RAND(ENGINE *, const RAND_METHOD *); +int ENGINE_set_STORE(ENGINE *, const STORE_METHOD *); +int ENGINE_set_destroy_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR); +int ENGINE_set_init_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR); +int ENGINE_set_finish_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR); +int ENGINE_set_ctrl_function(ENGINE *, ENGINE_CTRL_FUNC_PTR); +int ENGINE_set_load_privkey_function(ENGINE *, ENGINE_LOAD_KEY_PTR); +int ENGINE_set_load_pubkey_function(ENGINE *, ENGINE_LOAD_KEY_PTR); +int ENGINE_set_ciphers(ENGINE *, ENGINE_CIPHERS_PTR); +int ENGINE_set_digests(ENGINE *, ENGINE_DIGESTS_PTR); +int ENGINE_set_flags(ENGINE *, int); +int ENGINE_set_cmd_defns(ENGINE *, const ENGINE_CMD_DEFN *); +const char *ENGINE_get_id(const ENGINE *); +const char *ENGINE_get_name(const ENGINE *); +const RSA_METHOD *ENGINE_get_RSA(const ENGINE *); +const DSA_METHOD *ENGINE_get_DSA(const ENGINE *); +const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *); +const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *); +const DH_METHOD *ENGINE_get_DH(const ENGINE *); +const RAND_METHOD *ENGINE_get_RAND(const ENGINE *); +const STORE_METHOD *ENGINE_get_STORE(const ENGINE *); + +const EVP_CIPHER *ENGINE_get_cipher(ENGINE *, int); +const EVP_MD *ENGINE_get_digest(ENGINE *, int); +int ENGINE_get_flags(const ENGINE *); +const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *); +EVP_PKEY *ENGINE_load_private_key(ENGINE *, const char *, UI_METHOD *, void *); +EVP_PKEY *ENGINE_load_public_key(ENGINE *, const char *, UI_METHOD *, void *); +void ENGINE_add_conf_module(void); """ MACROS = """ -#define ENGINE_METHOD_RSA ... -#define ENGINE_METHOD_DSA ... -#define ENGINE_METHOD_RAND ... -#define ENGINE_METHOD_ECDH ... -#define ENGINE_METHOD_ECDSA ... -#define ENGINE_METHOD_CIPHERS ... -#define ENGINE_METHOD_DIGESTS ... -#define ENGINE_METHOD_STORE ... -#define ENGINE_METHOD_ALL ... -#define ENGINE_METHOD_NONE ... """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/err.py b/cryptography/hazmat/backends/openssl/err.py index f31c2405..6b2a77b1 100644 --- a/cryptography/hazmat/backends/openssl/err.py +++ b/cryptography/hazmat/backends/openssl/err.py @@ -38,8 +38,8 @@ static const int ASN1_R_BAD_PASSWORD_READ; """ FUNCTIONS = """ -void ERR_load_crypto_strings(); -void ERR_free_strings(); +void ERR_load_crypto_strings(void); +void ERR_free_strings(void); char* ERR_error_string(unsigned long, char *); void ERR_error_string_n(unsigned long, char *, size_t); const char* ERR_lib_error_string(unsigned long); @@ -47,9 +47,9 @@ const char* ERR_func_error_string(unsigned long); const char* ERR_reason_error_string(unsigned long); void ERR_print_errors(BIO *); void ERR_print_errors_fp(FILE *); -unsigned long ERR_get_error(); -unsigned long ERR_peek_error(); -unsigned long ERR_peek_last_error(); +unsigned long ERR_get_error(void); +unsigned long ERR_peek_error(void); +unsigned long ERR_peek_last_error(void); unsigned long ERR_get_error_line(const char **, int *); unsigned long ERR_peek_error_line(const char **, int *); unsigned long ERR_peek_last_error_line(const char **, int *); @@ -61,7 +61,7 @@ unsigned long ERR_peek_last_error_line_data(const char **, int *, const char **, int *); void ERR_put_error(int, int, int, const char *, int); void ERR_add_error_data(int, ...); -int ERR_get_next_error_library(); +int ERR_get_next_error_library(void); """ MACROS = """ @@ -74,3 +74,5 @@ int ERR_FATAL_ERROR(unsigned long); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index 8cb44610..c426e52e 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -24,7 +24,9 @@ typedef struct { ...; } EVP_CIPHER_CTX; typedef ... EVP_MD; -typedef struct env_md_ctx_st EVP_MD_CTX; +typedef struct env_md_ctx_st { + ...; +} EVP_MD_CTX; typedef struct evp_pkey_st { int type; @@ -32,14 +34,15 @@ typedef struct evp_pkey_st { } EVP_PKEY; static const int EVP_PKEY_RSA; static const int EVP_PKEY_DSA; -static const int Cryptography_EVP_CTRL_GCM_SET_IVLEN; -static const int Cryptography_EVP_CTRL_GCM_GET_TAG; -static const int Cryptography_EVP_CTRL_GCM_SET_TAG; +static const int EVP_MAX_MD_SIZE; +static const int EVP_CTRL_GCM_SET_IVLEN; +static const int EVP_CTRL_GCM_GET_TAG; +static const int EVP_CTRL_GCM_SET_TAG; + +static const int Cryptography_HAS_GCM; """ FUNCTIONS = """ -void OpenSSL_add_all_algorithms(); - const EVP_CIPHER *EVP_get_cipherbyname(const char *); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *, const unsigned char *, const unsigned char *); @@ -61,11 +64,11 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *); const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *); int EVP_CIPHER_block_size(const EVP_CIPHER *); void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *); -EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(); +EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *, int); -EVP_MD_CTX *EVP_MD_CTX_create(); +EVP_MD_CTX *EVP_MD_CTX_create(void); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *); int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, ENGINE *); int EVP_DigestUpdate(EVP_MD_CTX *, const void *, size_t); @@ -76,7 +79,7 @@ const EVP_MD *EVP_get_digestbyname(const char *); const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *); int EVP_MD_size(const EVP_MD *); -EVP_PKEY *EVP_PKEY_new(); +EVP_PKEY *EVP_PKEY_new(void); void EVP_PKEY_free(EVP_PKEY *); int EVP_PKEY_type(int); int EVP_PKEY_bits(EVP_PKEY *); @@ -90,9 +93,12 @@ int EVP_VerifyInit(EVP_MD_CTX *, const EVP_MD *); int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t); int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int, EVP_PKEY *); + +const EVP_MD *EVP_md5(void); """ MACROS = """ +void OpenSSL_add_all_algorithms(void); int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); int EVP_PKEY_assign_DSA(EVP_PKEY *, DSA *); int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *); @@ -101,12 +107,19 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); CUSTOMIZATIONS = """ #ifdef EVP_CTRL_GCM_SET_TAG -const int Cryptography_EVP_CTRL_GCM_GET_TAG = EVP_CTRL_GCM_GET_TAG; -const int Cryptography_EVP_CTRL_GCM_SET_TAG = EVP_CTRL_GCM_SET_TAG; -const int Cryptography_EVP_CTRL_GCM_SET_IVLEN = EVP_CTRL_GCM_SET_IVLEN; +const long Cryptography_HAS_GCM = 1; #else -const int Cryptography_EVP_CTRL_GCM_GET_TAG = -1; -const int Cryptography_EVP_CTRL_GCM_SET_TAG = -1; -const int Cryptography_EVP_CTRL_GCM_SET_IVLEN = -1; +const long Cryptography_HAS_GCM = 0; +const long EVP_CTRL_GCM_GET_TAG = -1; +const long EVP_CTRL_GCM_SET_TAG = -1; +const long EVP_CTRL_GCM_SET_IVLEN = -1; #endif """ + +CONDITIONAL_NAMES = { + "Cryptography_HAS_GCM": [ + "EVP_CTRL_GCM_GET_TAG", + "EVP_CTRL_GCM_SET_TAG", + "EVP_CTRL_GCM_SET_IVLEN", + ] +} diff --git a/cryptography/hazmat/backends/openssl/hmac.py b/cryptography/hazmat/backends/openssl/hmac.py index 10e67141..5f9e0945 100644 --- a/cryptography/hazmat/backends/openssl/hmac.py +++ b/cryptography/hazmat/backends/openssl/hmac.py @@ -88,3 +88,5 @@ int Cryptography_HMAC_CTX_copy(HMAC_CTX *dst_ctx, HMAC_CTX *src_ctx) { #endif } """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/nid.py b/cryptography/hazmat/backends/openssl/nid.py index 9816dde4..40aed19f 100644 --- a/cryptography/hazmat/backends/openssl/nid.py +++ b/cryptography/hazmat/backends/openssl/nid.py @@ -37,6 +37,7 @@ static const int NID_ecdsa_with_SHA384; static const int NID_ecdsa_with_SHA512; static const int NID_crl_reason; static const int NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +static const int NID_subject_alt_name; """ FUNCTIONS = """ @@ -47,3 +48,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/objects.py b/cryptography/hazmat/backends/openssl/objects.py new file mode 100644 index 00000000..0abc42d6 --- /dev/null +++ b/cryptography/hazmat/backends/openssl/objects.py @@ -0,0 +1,43 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +INCLUDES = """ +#include <openssl/objects.h> +""" + +TYPES = """ +""" + +FUNCTIONS = """ +ASN1_OBJECT *OBJ_nid2obj(int); +const char *OBJ_nid2ln(int); +const char *OBJ_nid2sn(int); +int OBJ_obj2nid(const ASN1_OBJECT *); +int OBJ_ln2nid(const char *); +int OBJ_sn2nid(const char *); +int OBJ_txt2nid(const char *); +ASN1_OBJECT *OBJ_txt2obj(const char *, int); +int OBJ_obj2txt(char *, int, const ASN1_OBJECT *, int); +int OBJ_cmp(const ASN1_OBJECT *, const ASN1_OBJECT *); +ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *); +int OBJ_create(const char *, const char *, const char *); +void OBJ_cleanup(void); +""" + +MACROS = """ +""" + +CUSTOMIZATIONS = """ +""" + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/opensslv.py b/cryptography/hazmat/backends/openssl/opensslv.py index d463776c..397f4ca2 100644 --- a/cryptography/hazmat/backends/openssl/opensslv.py +++ b/cryptography/hazmat/backends/openssl/opensslv.py @@ -16,7 +16,8 @@ INCLUDES = """ """ TYPES = """ -static char *const OPENSSL_VERSION_TEXT; +static const int OPENSSL_VERSION_NUMBER; +static const char *const OPENSSL_VERSION_TEXT; """ FUNCTIONS = """ @@ -27,3 +28,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/pem.py b/cryptography/hazmat/backends/openssl/pem.py index cef7839f..ee5552c5 100644 --- a/cryptography/hazmat/backends/openssl/pem.py +++ b/cryptography/hazmat/backends/openssl/pem.py @@ -55,3 +55,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/pkcs12.py b/cryptography/hazmat/backends/openssl/pkcs12.py index d91d100f..bd01e756 100644 --- a/cryptography/hazmat/backends/openssl/pkcs12.py +++ b/cryptography/hazmat/backends/openssl/pkcs12.py @@ -28,10 +28,12 @@ int i2d_PKCS12_bio(BIO *, PKCS12 *); MACROS = """ int PKCS12_parse(PKCS12 *, const char *, EVP_PKEY **, X509 **, - struct stack_st_X509 **); + Cryptography_STACK_OF_X509 **); PKCS12 *PKCS12_create(char *, char *, EVP_PKEY *, X509 *, - struct stack_st_X509 *, int, int, int, int, int); + Cryptography_STACK_OF_X509 *, int, int, int, int, int); """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/pkcs7.py b/cryptography/hazmat/backends/openssl/pkcs7.py index 60ea3c52..43f9540b 100644 --- a/cryptography/hazmat/backends/openssl/pkcs7.py +++ b/cryptography/hazmat/backends/openssl/pkcs7.py @@ -35,3 +35,5 @@ int PKCS7_type_is_data(PKCS7 *); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/rand.py b/cryptography/hazmat/backends/openssl/rand.py index 848ee05a..0e645fbc 100644 --- a/cryptography/hazmat/backends/openssl/rand.py +++ b/cryptography/hazmat/backends/openssl/rand.py @@ -19,16 +19,17 @@ TYPES = """ """ FUNCTIONS = """ +void ERR_load_RAND_strings(void); void RAND_seed(const void *, int); void RAND_add(const void *, int, double); -int RAND_status(); +int RAND_status(void); int RAND_egd(const char *); int RAND_egd_bytes(const char *, int); int RAND_query_egd_bytes(const char *, unsigned char *, int); const char *RAND_file_name(char *, size_t); int RAND_load_file(const char *, long); int RAND_write_file(const char *); -void RAND_cleanup(); +void RAND_cleanup(void); int RAND_bytes(unsigned char *, int); int RAND_pseudo_bytes(unsigned char *, int); """ @@ -38,3 +39,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/rsa.py b/cryptography/hazmat/backends/openssl/rsa.py index ad0d37b4..a44ca4a6 100644 --- a/cryptography/hazmat/backends/openssl/rsa.py +++ b/cryptography/hazmat/backends/openssl/rsa.py @@ -33,10 +33,11 @@ static const int RSA_SSLV23_PADDING; static const int RSA_NO_PADDING; static const int RSA_PKCS1_OAEP_PADDING; static const int RSA_X931_PADDING; +static const int RSA_F4; """ FUNCTIONS = """ -RSA *RSA_new(); +RSA *RSA_new(void); void RSA_free(RSA *); int RSA_size(const RSA *); int RSA_generate_key_ex(RSA *, int, BIGNUM *, BN_GENCB *); @@ -50,6 +51,7 @@ int RSA_public_decrypt(int, const unsigned char *, unsigned char *, RSA *, int); int RSA_private_decrypt(int, const unsigned char *, unsigned char *, RSA *, int); +int RSA_print(BIO *, const RSA *, int); """ MACROS = """ @@ -57,3 +59,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 04611309..d0d5ae2d 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -16,6 +16,28 @@ INCLUDES = """ """ TYPES = """ +/* + * Internally invented symbols to tell which versions of SSL/TLS are supported. +*/ +static const int Cryptography_HAS_SSL2; +static const int Cryptography_HAS_TLSv1_1; +static const int Cryptography_HAS_TLSv1_2; + +/* Internally invented symbol to tell us if SNI is supported */ +static const int Cryptography_HAS_TLSEXT_HOSTNAME; + +/* Internally invented symbol to tell us if SSL_MODE_RELEASE_BUFFERS is + * supported + */ +static const int Cryptography_HAS_RELEASE_BUFFERS; + +/* Internally invented symbol to tell us if SSL_OP_NO_COMPRESSION is + * supported + */ +static const int Cryptography_HAS_OP_NO_COMPRESSION; + +static const int Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING; + static const int SSL_FILETYPE_PEM; static const int SSL_FILETYPE_ASN1; static const int SSL_ERROR_NONE; @@ -30,6 +52,9 @@ static const int SSL_RECEIVED_SHUTDOWN; static const int SSL_OP_NO_SSLv2; static const int SSL_OP_NO_SSLv3; static const int SSL_OP_NO_TLSv1; +static const int SSL_OP_NO_TLSv1_1; +static const int SSL_OP_NO_TLSv1_2; +static const int SSL_OP_NO_COMPRESSION; static const int SSL_OP_SINGLE_DH_USE; static const int SSL_OP_EPHEMERAL_RSA; static const int SSL_OP_MICROSOFT_SESS_ID_BUG; @@ -84,6 +109,7 @@ static const int SSL_CB_CONNECT_LOOP; static const int SSL_CB_CONNECT_EXIT; static const int SSL_CB_HANDSHAKE_START; static const int SSL_CB_HANDSHAKE_DONE; +static const int SSL_MODE_RELEASE_BUFFERS; static const int SSL_MODE_ENABLE_PARTIAL_WRITE; static const int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; static const int SSL_MODE_AUTO_RETRY; @@ -115,9 +141,8 @@ static const int TLSEXT_NAMETYPE_host_name; """ FUNCTIONS = """ -void SSL_load_error_strings(); - -int SSL_library_init(); +void SSL_load_error_strings(void); +int SSL_library_init(void); /* SSL */ SSL_CTX *SSL_set_SSL_CTX(SSL *, SSL_CTX *); @@ -126,6 +151,9 @@ int SSL_set_session(SSL *, SSL_SESSION *); int SSL_get_verify_mode(const SSL *); void SSL_set_verify_depth(SSL *, int); int SSL_get_verify_depth(const SSL *); +int (*SSL_get_verify_callback(const SSL *))(int, X509_STORE_CTX *); +void SSL_set_info_callback(SSL *ssl, void (*)(const SSL *, int, int)); +void (*SSL_get_info_callback(const SSL *))(const SSL *, int, int); SSL *SSL_new(SSL_CTX *); void SSL_free(SSL *); int SSL_set_fd(SSL *, int); @@ -138,6 +166,10 @@ int SSL_pending(const SSL *); int SSL_write(SSL *, const void *, int); int SSL_read(SSL *, void *, int); X509 *SSL_get_peer_certificate(const SSL *); + +Cryptography_STACK_OF_X509 *SSL_get_peer_cert_chain(const SSL *); +Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *); + int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); @@ -147,7 +179,11 @@ const char *SSL_get_cipher_list(const SSL *, int); void SSL_CTX_free(SSL_CTX *); long SSL_CTX_set_timeout(SSL_CTX *, long); int SSL_CTX_set_default_verify_paths(SSL_CTX *); +void SSL_CTX_set_verify(SSL_CTX *, int, int (*)(int, X509_STORE_CTX *)); void SSL_CTX_set_verify_depth(SSL_CTX *, int); +int (*SSL_CTX_get_verify_callback(const SSL_CTX *))(int, X509_STORE_CTX *); +void SSL_CTX_set_info_callback(SSL_CTX *, void (*)(const SSL *, int, int)); +void (*SSL_CTX_get_info_callback(SSL_CTX *))(const SSL *, int, int); int SSL_CTX_get_verify_mode(const SSL_CTX *); int SSL_CTX_get_verify_depth(const SSL_CTX *); int SSL_CTX_set_cipher_list(SSL_CTX *, const char *); @@ -163,6 +199,9 @@ void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); int SSL_CTX_add_client_CA(SSL_CTX *, X509 *); +void SSL_CTX_set_client_CA_list(SSL_CTX *, Cryptography_STACK_OF_X509_NAME *); + + /* X509_STORE_CTX */ int X509_STORE_CTX_get_error(X509_STORE_CTX *); void X509_STORE_CTX_set_error(X509_STORE_CTX *, int); @@ -173,7 +212,7 @@ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *); void SSL_SESSION_free(SSL_SESSION *); """ -MACROS = MACROS = """ +MACROS = """ long SSL_set_mode(SSL *, long); long SSL_get_mode(SSL *); @@ -183,7 +222,7 @@ long SSL_get_options(SSL *); int SSL_want_read(const SSL *); int SSL_want_write(const SSL *); -int SSL_total_renegotiations(const SSL *); +long SSL_total_renegotiations(SSL *); long SSL_CTX_set_options(SSL_CTX *, long); long SSL_CTX_get_options(SSL_CTX *); @@ -197,20 +236,153 @@ long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *); /*- These aren't macros these functions are all const X on openssl > 1.0.x -*/ /* methods */ -const SSL_METHOD *SSLv3_method(); -const SSL_METHOD *SSLv3_server_method(); -const SSL_METHOD *SSLv3_client_method(); -const SSL_METHOD *TLSv1_method(); -const SSL_METHOD *TLSv1_server_method(); -const SSL_METHOD *TLSv1_client_method(); -const SSL_METHOD *SSLv23_method(); -const SSL_METHOD *SSLv23_server_method(); -const SSL_METHOD *SSLv23_client_method(); + +/* SSLv2 support is compiled out of some versions of OpenSSL. These will + * get special support when we generate the bindings so that if they are + * available they will be wrapped, but if they are not they won't cause + * problems (like link errors). + */ +const SSL_METHOD *SSLv2_method(void); +const SSL_METHOD *SSLv2_server_method(void); +const SSL_METHOD *SSLv2_client_method(void); + +/* + * TLSv1_1 and TLSv1_2 are recent additions. Only sufficiently new versions of + * OpenSSL support them. + */ +const SSL_METHOD *TLSv1_1_method(void); +const SSL_METHOD *TLSv1_1_server_method(void); +const SSL_METHOD *TLSv1_1_client_method(void); + +const SSL_METHOD *TLSv1_2_method(void); +const SSL_METHOD *TLSv1_2_server_method(void); +const SSL_METHOD *TLSv1_2_client_method(void); + +const SSL_METHOD *SSLv3_method(void); +const SSL_METHOD *SSLv3_server_method(void); +const SSL_METHOD *SSLv3_client_method(void); + +const SSL_METHOD *TLSv1_method(void); +const SSL_METHOD *TLSv1_server_method(void); +const SSL_METHOD *TLSv1_client_method(void); + +const SSL_METHOD *SSLv23_method(void); +const SSL_METHOD *SSLv23_server_method(void); +const SSL_METHOD *SSLv23_client_method(void); /*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/ -SSL_CTX *SSL_CTX_new(const SSL_METHOD *); +SSL_CTX *SSL_CTX_new(SSL_METHOD *); long SSL_CTX_get_timeout(const SSL_CTX *); + +/* SNI APIs were introduced in OpenSSL 1.0.0. To continue to support + * earlier versions some special handling of these is necessary. + */ +const char *SSL_get_servername(const SSL *, const int); +void SSL_set_tlsext_host_name(SSL *, char *); +void SSL_CTX_set_tlsext_servername_callback( + SSL_CTX *, + int (*)(const SSL *, int *, void *)); """ CUSTOMIZATIONS = """ +#ifdef OPENSSL_NO_SSL2 +static const long Cryptography_HAS_SSL2 = 0; +SSL_METHOD* (*SSLv2_method)(void) = NULL; +SSL_METHOD* (*SSLv2_client_method)(void) = NULL; +SSL_METHOD* (*SSLv2_server_method)(void) = NULL; +#else +static const long Cryptography_HAS_SSL2 = 1; +#endif + +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME +static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1; +#else +static const long Cryptography_HAS_TLSEXT_HOSTNAME = 0; +void (*SSL_set_tlsext_host_name)(SSL *, char *) = NULL; +const char* (*SSL_get_servername)(const SSL *, const int) = NULL; +void (*SSL_CTX_set_tlsext_servername_callback)( + SSL_CTX *, + int (*)(const SSL *, int *, void *)) = NULL; +#endif + +#ifdef SSL_MODE_RELEASE_BUFFERS +static const long Cryptography_HAS_RELEASE_BUFFERS = 1; +#else +static const long Cryptography_HAS_RELEASE_BUFFERS = 0; +const long SSL_MODE_RELEASE_BUFFERS = 0; +#endif + +#ifdef SSL_OP_NO_COMPRESSION +static const long Cryptography_HAS_OP_NO_COMPRESSION = 1; +#else +static const long Cryptography_HAS_OP_NO_COMPRESSION = 0; +const long SSL_OP_NO_COMPRESSION = 0; +#endif + +#ifdef SSL_OP_NO_TLSv1_1 +static const long Cryptography_HAS_TLSv1_1 = 1; +#else +static const long Cryptography_HAS_TLSv1_1 = 0; +static const long SSL_OP_NO_TLSv1_1 = 0; +SSL_METHOD* (*TLSv1_1_method)(void) = NULL; +SSL_METHOD* (*TLSv1_1_client_method)(void) = NULL; +SSL_METHOD* (*TLSv1_1_server_method)(void) = NULL; +#endif + +#ifdef SSL_OP_NO_TLSv1_2 +static const long Cryptography_HAS_TLSv1_2 = 1; +#else +static const long Cryptography_HAS_TLSv1_2 = 0; +static const long SSL_OP_NO_TLSv1_2 = 0; +SSL_METHOD* (*TLSv1_2_method)(void) = NULL; +SSL_METHOD* (*TLSv1_2_client_method)(void) = NULL; +SSL_METHOD* (*TLSv1_2_server_method)(void) = NULL; +#endif + +#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING +static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1; +#else +static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 0; +const long SSL_OP_MSIE_SSLV2_RSA_PADDING = 0; +#endif """ + +CONDITIONAL_NAMES = { + "Cryptography_HAS_TLSv1_1": [ + "SSL_OP_NO_TLSv1_1", + "TLSv1_1_method", + "TLSv1_1_server_method", + "TLSv1_1_client_method", + ], + + "Cryptography_HAS_TLSv1_2": [ + "SSL_OP_NO_TLSv1_2", + "TLSv1_2_method", + "TLSv1_2_server_method", + "TLSv1_2_client_method", + ], + + "Cryptography_HAS_SSL2": [ + "SSLv2_method", + "SSLv2_client_method", + "SSLv2_server_method", + ], + + "Cryptography_HAS_TLSEXT_HOSTNAME": [ + "SSL_set_tlsext_host_name", + "SSL_get_servername", + "SSL_CTX_set_tlsext_servername_callback", + ], + + "Cryptography_HAS_RELEASE_BUFFERS": [ + "SSL_MODE_RELEASE_BUFFERS", + ], + + "Cryptography_HAS_OP_NO_COMPRESSION": [ + "SSL_OP_NO_COMPRESSION", + ], + + "Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING": [ + "SSL_OP_MSIE_SSLV2_RSA_PADDING", + ], +} diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index b2ee672e..840254a2 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -13,9 +13,22 @@ INCLUDES = """ #include <openssl/ssl.h> + +/* + * This is part of a work-around for the difficulty cffi has in dealing with + * `STACK_OF(foo)` as the name of a type. We invent a new, simpler name that + * will be an alias for this type and use the alias throughout. This works + * together with another opaque typedef for the same name in the TYPES section. + * Note that the result is an opaque type. + */ +typedef STACK_OF(X509) Cryptography_STACK_OF_X509; +typedef STACK_OF(X509_REVOKED) Cryptography_STACK_OF_X509_REVOKED; """ TYPES = """ +typedef ... Cryptography_STACK_OF_X509; +typedef ... Cryptography_STACK_OF_X509_REVOKED; + typedef struct { ASN1_OBJECT *algorithm; ...; @@ -36,8 +49,6 @@ typedef ... X509_EXTENSIONS; typedef ... X509_REQ; -typedef ... x509_revoked_st; - typedef struct { ASN1_INTEGER *serialNumber; ASN1_TIME *revocationDate; @@ -47,7 +58,7 @@ typedef struct { } X509_REVOKED; typedef struct { - struct x509_revoked_st *revoked; + Cryptography_STACK_OF_X509_REVOKED *revoked; ...; } X509_CRL_INFO; @@ -66,7 +77,7 @@ typedef ... NETSCAPE_SPKI; """ FUNCTIONS = """ -X509 *X509_new(); +X509 *X509_new(void); void X509_free(X509 *); X509 *X509_dup(X509 *); @@ -101,7 +112,7 @@ ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *); void X509_EXTENSION_free(X509_EXTENSION *); int X509_REQ_set_version(X509_REQ *, long); -X509_REQ *X509_REQ_new(); +X509_REQ *X509_REQ_new(void); void X509_REQ_free(X509_REQ *); int X509_REQ_set_pubkey(X509_REQ *, EVP_PKEY *); int X509_REQ_sign(X509_REQ *, EVP_PKEY *, const EVP_MD *); @@ -113,7 +124,7 @@ int X509_REQ_print_ex(BIO *, X509_REQ *, unsigned long, unsigned long); int X509V3_EXT_print(BIO *, X509_EXTENSION *, unsigned long, int); ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *); -X509_REVOKED *X509_REVOKED_new(); +X509_REVOKED *X509_REVOKED_new(void); void X509_REVOKED_free(X509_REVOKED *); int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *); @@ -121,7 +132,7 @@ int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *); int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long); X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **); -X509_CRL *X509_CRL_new(); +X509_CRL *X509_CRL_new(void); void X509_CRL_free(X509_CRL *); int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *); int i2d_X509_CRL_bio(BIO *, X509_CRL *); @@ -134,7 +145,7 @@ int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *); char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *); EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *); int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *, EVP_PKEY *); -NETSCAPE_SPKI *NETSCAPE_SPKI_new(); +NETSCAPE_SPKI *NETSCAPE_SPKI_new(void); void NETSCAPE_SPKI_free(NETSCAPE_SPKI *); /* ASN1 serialization */ @@ -151,7 +162,7 @@ ASN1_INTEGER *X509_get_serialNumber(X509 *); int X509_set_serialNumber(X509 *, ASN1_INTEGER *); /* X509_STORE */ -X509_STORE *X509_STORE_new(); +X509_STORE *X509_STORE_new(void); void X509_STORE_free(X509_STORE *); int X509_STORE_add_cert(X509_STORE *, X509 *); """ @@ -165,26 +176,28 @@ ASN1_TIME *X509_get_notAfter(X509 *); long X509_REQ_get_version(X509_REQ *); X509_NAME *X509_REQ_get_subject_name(X509_REQ *); -struct stack_st_X509 *sk_X509_new_null(); -void sk_X509_free(struct stack_st_X509 *); -int sk_X509_num(struct stack_st_X509 *); -int sk_X509_push(struct stack_st_X509 *, X509 *); -X509 *sk_X509_value(struct stack_st_X509 *, int); +Cryptography_STACK_OF_X509 *sk_X509_new_null(void); +void sk_X509_free(Cryptography_STACK_OF_X509 *); +int sk_X509_num(Cryptography_STACK_OF_X509 *); +int sk_X509_push(Cryptography_STACK_OF_X509 *, X509 *); +X509 *sk_X509_value(Cryptography_STACK_OF_X509 *, int); -X509_EXTENSIONS *sk_X509_EXTENSION_new_null(); +X509_EXTENSIONS *sk_X509_EXTENSION_new_null(void); int sk_X509_EXTENSION_num(X509_EXTENSIONS *); X509_EXTENSION *sk_X509_EXTENSION_value(X509_EXTENSIONS *, int); int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *); -void sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int); +X509_EXTENSION *sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int); void sk_X509_EXTENSION_free(X509_EXTENSIONS *); -int sk_X509_REVOKED_num(struct x509_revoked_st *); -X509_REVOKED *sk_X509_REVOKED_value(struct x509_revoked_st *, int); +int sk_X509_REVOKED_num(Cryptography_STACK_OF_X509_REVOKED *); +X509_REVOKED *sk_X509_REVOKED_value(Cryptography_STACK_OF_X509_REVOKED *, int); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ -int X509_CRL_set_lastUpdate(X509_CRL *, const ASN1_TIME *); -int X509_CRL_set_nextUpdate(X509_CRL *, const ASN1_TIME *); +int X509_CRL_set_lastUpdate(X509_CRL *, ASN1_TIME *); +int X509_CRL_set_nextUpdate(X509_CRL *, ASN1_TIME *); """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/x509name.py b/cryptography/hazmat/backends/openssl/x509name.py index 896f0ae4..bf627d61 100644 --- a/cryptography/hazmat/backends/openssl/x509name.py +++ b/cryptography/hazmat/backends/openssl/x509name.py @@ -13,11 +13,17 @@ INCLUDES = """ #include <openssl/x509.h> + +/* + * See the comment above Cryptography_STACK_OF_X509 in x509.py + */ +typedef STACK_OF(X509_NAME) Cryptography_STACK_OF_X509_NAME; """ TYPES = """ typedef ... X509_NAME; typedef ... X509_NAME_ENTRY; +typedef ... Cryptography_STACK_OF_X509_NAME; """ FUNCTIONS = """ @@ -40,12 +46,14 @@ void X509_NAME_free(X509_NAME *); """ MACROS = """ -struct stack_st_X509_NAME *sk_X509_NAME_new_null(); -int sk_X509_NAME_num(struct stack_st_X509_NAME *); -int sk_X509_NAME_push(struct stack_st_X509_NAME *, X509_NAME *); -X509_NAME *sk_X509_NAME_value(struct stack_st_X509_NAME *, int); -void sk_X509_NAME_free(struct stack_st_X509_NAME *); +Cryptography_STACK_OF_X509_NAME *sk_X509_NAME_new_null(void); +int sk_X509_NAME_num(Cryptography_STACK_OF_X509_NAME *); +int sk_X509_NAME_push(Cryptography_STACK_OF_X509_NAME *, X509_NAME *); +X509_NAME *sk_X509_NAME_value(Cryptography_STACK_OF_X509_NAME *, int); +void sk_X509_NAME_free(Cryptography_STACK_OF_X509_NAME *); """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/x509v3.py b/cryptography/hazmat/backends/openssl/x509v3.py index bc26236c..6d2d2361 100644 --- a/cryptography/hazmat/backends/openssl/x509v3.py +++ b/cryptography/hazmat/backends/openssl/x509v3.py @@ -95,3 +95,5 @@ const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} |