12 files changed, 166 insertions, 10 deletions

diff --git a/src/_cffi_src/build_commoncrypto.py b/src/_cffi_src/build_commoncrypto.py
index 4e69b6d1..09e020a2 100644
--- a/src/_cffi_src/build_commoncrypto.py
+++ b/src/_cffi_src/build_commoncrypto.py
@@ -17,10 +17,12 @@ ffi = build_ffi_for_binding(
         "common_key_derivation",
         "common_cryptor",
         "common_symmetric_key_wrap",
+        "seccertificate",
         "secimport",
         "secitem",
         "seckey",
         "seckeychain",
+        "secpolicy",
         "sectransform",
         "sectrust",
     ],
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index ebbe8865..ba6e17b3 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -37,7 +37,11 @@ def _osx_libraries(build_static):
         return ["ssl", "crypto"]
 
 
-_OSX_PRE_INCLUDE = """
+_PRE_INCLUDE = """
+#include <openssl/e_os2.h>
+#if defined(OPENSSL_SYS_WINDOWS)
+#include <windows.h>
+#endif
 #ifdef __APPLE__
 #include <AvailabilityMacros.h>
 #define __ORIG_DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER \
@@ -47,7 +51,7 @@ _OSX_PRE_INCLUDE = """
 #endif
 """
 
-_OSX_POST_INCLUDE = """
+_POST_INCLUDE = """
 #ifdef __APPLE__
 #undef DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
 #define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER \
@@ -79,6 +83,7 @@ ffi = build_ffi_for_binding(
         "hmac",
         "nid",
         "objects",
+        "ocsp",
         "opensslv",
         "pem",
         "pkcs12",
@@ -92,8 +97,8 @@ ffi = build_ffi_for_binding(
         "pkcs7",
         "callbacks",
     ],
-    pre_include=_OSX_PRE_INCLUDE,
-    post_include=_OSX_POST_INCLUDE,
+    pre_include=_PRE_INCLUDE,
+    post_include=_POST_INCLUDE,
     libraries=_get_openssl_libraries(sys.platform),
     extra_link_args=extra_link_args(compiler_type()),
 )
diff --git a/src/_cffi_src/commoncrypto/cf.py b/src/_cffi_src/commoncrypto/cf.py
index 9d4387e6..02e58d90 100644
--- a/src/_cffi_src/commoncrypto/cf.py
+++ b/src/_cffi_src/commoncrypto/cf.py
@@ -20,6 +20,7 @@ typedef ... *CFDataRef;
 typedef signed long long CFIndex;
 typedef ... *CFStringRef;
 typedef ... *CFArrayRef;
+typedef ... *CFMutableArrayRef;
 typedef ... *CFBooleanRef;
 typedef ... *CFErrorRef;
 typedef ... *CFNumberRef;
@@ -35,6 +36,9 @@ typedef struct {
 typedef struct {
     ...;
 } CFRange;
+typedef struct {
+    ...;
+} CFArrayCallBacks;
 
 typedef UInt32 CFStringEncoding;
 enum {
@@ -65,6 +69,8 @@ typedef int CFNumberType;
 const CFDictionaryKeyCallBacks kCFTypeDictionaryKeyCallBacks;
 const CFDictionaryValueCallBacks kCFTypeDictionaryValueCallBacks;
 
+const CFArrayCallBacks kCFTypeArrayCallBacks;
+
 const CFBooleanRef kCFBooleanTrue;
 const CFBooleanRef kCFBooleanFalse;
 """
@@ -94,6 +100,10 @@ Boolean CFBooleanGetValue(CFBooleanRef);
 CFNumberRef CFNumberCreate(CFAllocatorRef, CFNumberType, const void *);
 void CFRelease(CFTypeRef);
 CFTypeRef CFRetain(CFTypeRef);
+
+CFMutableArrayRef CFArrayCreateMutable(CFAllocatorRef, CFIndex,
+                                       const CFArrayCallBacks *);
+void CFArrayAppendValue(CFMutableArrayRef, const void *);
 """
 
 MACROS = """
diff --git a/src/_cffi_src/commoncrypto/seccertificate.py b/src/_cffi_src/commoncrypto/seccertificate.py
new file mode 100644
index 00000000..2b54b0ee
--- /dev/null
+++ b/src/_cffi_src/commoncrypto/seccertificate.py
@@ -0,0 +1,23 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <Security/SecCertificate.h>
+"""
+
+TYPES = """
+typedef ... *SecCertificateRef;
+"""
+
+FUNCTIONS = """
+SecCertificateRef SecCertificateCreateWithData(CFAllocatorRef, CFDataRef);
+"""
+
+MACROS = """
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/src/_cffi_src/commoncrypto/secpolicy.py b/src/_cffi_src/commoncrypto/secpolicy.py
new file mode 100644
index 00000000..e132cfae
--- /dev/null
+++ b/src/_cffi_src/commoncrypto/secpolicy.py
@@ -0,0 +1,23 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <Security/SecPolicy.h>
+"""
+
+TYPES = """
+typedef ... *SecPolicyRef;
+"""
+
+FUNCTIONS = """
+SecPolicyRef SecPolicyCreateSSL(Boolean, CFStringRef);
+"""
+
+MACROS = """
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/src/_cffi_src/commoncrypto/sectrust.py b/src/_cffi_src/commoncrypto/sectrust.py
index b787afad..842c36c7 100644
--- a/src/_cffi_src/commoncrypto/sectrust.py
+++ b/src/_cffi_src/commoncrypto/sectrust.py
@@ -9,13 +9,30 @@ INCLUDES = """
 """
 
 TYPES = """
+typedef ... *SecTrustRef;
+typedef uint32_t SecTrustResultType;
+
+enum {
+    kSecTrustResultInvalid,
+    kSecTrustResultProceed,
+    kSecTrustResultDeny,
+    kSecTrustResultUnspecified,
+    kSecTrustResultRecoverableTrustFailure,
+    kSecTrustResultFatalTrustFailure,
+    kSecTrustResultOtherError
+};
 """
 
 FUNCTIONS = """
+OSStatus SecTrustEvaluate(SecTrustRef, SecTrustResultType *);
 OSStatus SecTrustCopyAnchorCertificates(CFArrayRef *);
 """
 
 MACROS = """
+/* The first argument changed from CFArrayRef to CFTypeRef in 10.8, so this
+ * has to go here for compatibility.
+ */
+OSStatus SecTrustCreateWithCertificates(CFTypeRef, CFTypeRef, SecTrustRef *);
 """
 
 CUSTOMIZATIONS = """
diff --git a/src/_cffi_src/openssl/bio.py b/src/_cffi_src/openssl/bio.py
index ac866831..6439e63a 100644
--- a/src/_cffi_src/openssl/bio.py
+++ b/src/_cffi_src/openssl/bio.py
@@ -99,7 +99,6 @@ BIO *BIO_pop(BIO *);
 BIO *BIO_next(BIO *);
 BIO *BIO_find_type(BIO *, int);
 BIO_METHOD *BIO_s_mem(void);
-BIO *BIO_new_mem_buf(void *, int);
 BIO_METHOD *BIO_s_file(void);
 BIO *BIO_new_file(const char *, const char *);
 BIO *BIO_new_fp(FILE *, int);
@@ -127,6 +126,8 @@ BIO_METHOD *BIO_f_buffer(void);
 """
 
 MACROS = """
+/* BIO_new_mem_buf became const void * in 1.0.2g */
+BIO *BIO_new_mem_buf(void *, int);
 long BIO_set_fd(BIO *, long, int);
 long BIO_get_fd(BIO *, char *);
 long BIO_set_mem_eof_return(BIO *, int);
diff --git a/src/_cffi_src/openssl/cms.py b/src/_cffi_src/openssl/cms.py
index fef7325c..dbe276e9 100644
--- a/src/_cffi_src/openssl/cms.py
+++ b/src/_cffi_src/openssl/cms.py
@@ -6,11 +6,6 @@ from __future__ import absolute_import, division, print_function
 
 INCLUDES = """
 #if !defined(OPENSSL_NO_CMS) && OPENSSL_VERSION_NUMBER >= 0x0090808fL
-/* The next define should really be in the OpenSSL header, but it is missing.
-   Failing to include this on Windows causes compilation failures. */
-#if defined(OPENSSL_SYS_WINDOWS)
-#include <windows.h>
-#endif
 #include <openssl/cms.h>
 #endif
 """
diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
index 9d97be16..4ba90662 100644
--- a/src/_cffi_src/openssl/err.py
+++ b/src/_cffi_src/openssl/err.py
@@ -226,6 +226,7 @@ static const int PKCS12_F_PKCS12_PBE_CRYPT;
 static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR;
 
 static const int RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
+static const int RSA_R_DATA_TOO_LARGE_FOR_MODULUS;
 static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
 static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
 static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
diff --git a/src/_cffi_src/openssl/ocsp.py b/src/_cffi_src/openssl/ocsp.py
new file mode 100644
index 00000000..5865dba1
--- /dev/null
+++ b/src/_cffi_src/openssl/ocsp.py
@@ -0,0 +1,67 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/ocsp.h>
+"""
+
+TYPES = """
+typedef ... OCSP_REQUEST;
+typedef ... OCSP_ONEREQ;
+typedef ... OCSP_RESPONSE;
+typedef ... OCSP_BASICRESP;
+typedef ... OCSP_SINGLERESP;
+typedef ... OCSP_CERTID;
+"""
+
+FUNCTIONS = """
+int OCSP_response_status(OCSP_RESPONSE *);
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *);
+int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *);
+X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *, int);
+int OCSP_resp_count(OCSP_BASICRESP *);
+OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *, int);
+int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *);
+X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *, int);
+
+int OCSP_single_get0_status(OCSP_SINGLERESP *, int *, ASN1_GENERALIZEDTIME **,
+                            ASN1_GENERALIZEDTIME **, ASN1_GENERALIZEDTIME **);
+
+int OCSP_request_onereq_count(OCSP_REQUEST *);
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *, int);
+int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *);
+X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *, int);
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *);
+
+
+OCSP_BASICRESP *OCSP_BASICRESP_new(void);
+void OCSP_BASICRESP_free(OCSP_BASICRESP *);
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *, OCSP_CERTID *, int,
+                                        int, ASN1_TIME *, ASN1_TIME *,
+                                        ASN1_TIME *);
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *, unsigned char *, int);
+int OCSP_basic_add1_cert(OCSP_BASICRESP *, X509 *);
+int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *, int, void *, int,
+                                unsigned long);
+int OCSP_basic_sign(OCSP_BASICRESP *, X509 *, EVP_PKEY *, const EVP_MD *,
+                    Cryptography_STACK_OF_X509 *, unsigned long);
+OCSP_RESPONSE *OCSP_response_create(int, OCSP_BASICRESP *);
+
+OCSP_REQUEST *OCSP_REQUEST_new(void);
+void OCSP_REQUEST_free(OCSP_REQUEST *);
+int OCSP_request_add1_nonce(OCSP_REQUEST *, unsigned char *, int);
+int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *, int, void *, int, unsigned long);
+"""
+
+MACROS = """
+OCSP_REQUEST *d2i_OCSP_REQUEST_bio(BIO *, OCSP_REQUEST **);
+OCSP_RESPONSE *d2i_OCSP_RESPONSE_bio(BIO *, OCSP_RESPONSE **);
+int i2d_OCSP_REQUEST_bio(BIO *, OCSP_REQUEST *);
+int i2d_OCSP_RESPONSE_bio(BIO *, OCSP_RESPONSE *);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 64e4e2f0..98b396da 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -234,6 +234,8 @@ int SSL_CTX_check_private_key(const SSL_CTX *);
 void SSL_CTX_set_cert_verify_callback(SSL_CTX *,
                                       int (*)(X509_STORE_CTX *,void *),
                                       void *);
+int SSL_CTX_set_session_id_context(SSL_CTX *, const unsigned char *,
+                                   unsigned int);
 
 void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
@@ -260,6 +262,8 @@ int SSL_set_ex_data(SSL *, int, void *);
 int SSL_CTX_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *,
                              CRYPTO_EX_free *);
 int SSL_CTX_set_ex_data(SSL_CTX *, int, void *);
+
+Cryptography_STACK_OF_X509_NAME *SSL_load_client_CA_file(const char *);
 """
 
 MACROS = """
diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py
index 51c8410a..3612f1c2 100644
--- a/src/_cffi_src/openssl/x509v3.py
+++ b/src/_cffi_src/openssl/x509v3.py
@@ -78,6 +78,11 @@ typedef struct {
     Cryptography_STACK_OF_GENERAL_SUBTREE *excludedSubtrees;
 } NAME_CONSTRAINTS;
 
+typedef struct {
+    ASN1_INTEGER *requireExplicitPolicy;
+    ASN1_INTEGER *inhibitPolicyMapping;
+} POLICY_CONSTRAINTS;
+
 
 typedef struct {
     int type;
@@ -200,6 +205,9 @@ int Cryptography_i2d_NAME_CONSTRAINTS(NAME_CONSTRAINTS *, unsigned char **);
 OTHERNAME *OTHERNAME_new(void);
 void OTHERNAME_free(OTHERNAME *);
 
+POLICY_CONSTRAINTS *POLICY_CONSTRAINTS_new(void);
+void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *);
+
 void *X509V3_set_ctx_nodb(X509V3_CTX *);
 
 int i2d_GENERAL_NAMES(GENERAL_NAMES *, unsigned char **);