From ba61c2738e5a79480d135c280316e29080a4a777 Mon Sep 17 00:00:00 2001
From: Scott Sturdivant
Date: Tue, 26 Sep 2017 19:29:55 -0600
Subject: Expose FIPS funcs for OpenSSL. (#3939)
* Expose FIPS funcs for OpenSSL.
* Remove FIPS customization / conditionals. It seems that the FIPS functions are always defined, regardless of if the FIPS module is present.
* Do not include FIPS_selftest_check func.
* Libressl does not have FIPS.
---
 src/_cffi_src/build_openssl.py | 1 +
 src/_cffi_src/openssl/fips.py | 28 ++++++++++++++++++++++
 .../hazmat/bindings/openssl/_conditional.py | 8 +++++++
 3 files changed, 37 insertions(+)
 create mode 100644 src/_cffi_src/openssl/fips.py
(limited to 'src')
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index 86ee5007..7ec235ff 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -76,6 +76,7 @@ ffi = build_ffi_for_binding(
 "engine",
 "err",
 "evp",
+ "fips",
 "hmac",
 "nid",
 "objects",
diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py
new file mode 100644
index 00000000..c92bca49
--- /dev/null
+++ b/src/_cffi_src/openssl/fips.py
@@ -0,0 +1,28 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include
+"""
+
+TYPES = """
+static const long Cryptography_HAS_FIPS;
+"""
+
+FUNCTIONS = """
+int FIPS_mode_set(int);
+int FIPS_mode(void);
+"""
+
+CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_FIPS = 0;
+int (*FIPS_mode_set)(int) = NULL;
+int (*FIPS_mode)(void) = NULL;
+#else
+static const long Cryptography_HAS_FIPS = 1;
+#endif
+"""
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index 8eb67760..866cf4a6 100644
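Review bot: `Cryptography_HAS_FIPS` in the CUSTOMIZATIONS block of fips.py is 1 on every non-LibreSSL build, so it records only that the two symbols are declared, not that a FIPS module is linked or that FIPS mode is active. The commit message says as much ("always defined, regardless of if the FIPS module is present"), but nothing in the file does, and a caller that reads the flag as "FIPS is available" would be wrong. I would add a comment above `CUSTOMIZATIONS` such as `# Cryptography_HAS_FIPS means the symbols exist, not that a FIPS module is present; callers must check the return value of FIPS_mode_set() and confirm with FIPS_mode().` A failed `FIPS_mode_set(1)` presumably also leaves an entry on the OpenSSL error queue that the caller has to clear; that is worth confirming against the supported OpenSSL versions. The `#include` line in INCLUDES shows no header name on this page, most likely lost in rendering, so check it against the repository.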
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -243,6 +243,13 @@ def cryptography_has_evp_pkey_get_set_tls_encodedpoint():
 ]
+def cryptography_has_fips():
+ return [
+ "FIPS_set_mode",
+ "FIPS_mode",
+ ]
+
+
 # This is a mapping of
 # {condition: function-returning-names-dependent-on-that-condition} so we can
 # loop over them and delete unsupported names at runtime. It will be removed
@@ -292,4 +299,5 @@ CONDITIONAL_NAMES = {
 "Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint": (
 cryptography_has_evp_pkey_get_set_tls_encodedpoint
 ),
+ "Cryptography_HAS_FIPS": cryptography_has_fips,
 }
-- cgit v1.2.3
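Review bot: `cryptography_has_fips()` lists `"FIPS_set_mode"`, but the binding added in fips.py declares `FIPS_mode_set`, so the name returned here matches nothing in the library. The comment just below describes these lists as the names deleted at runtime when the condition is false; on LibreSSL, where `Cryptography_HAS_FIPS` is 0 and `FIPS_mode_set` is defined as a NULL function pointer, that pointer would therefore stay exposed, and calling it would most likely crash the process. The entry should read `"FIPS_mode_set",`. A test asserting that every name returned by the functions in `CONDITIONAL_NAMES` is actually declared by the bindings would catch this class of typo.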