Diffstat (limited to 'src')
-rw-r--r--src/cryptography/exceptions.py4
-rw-r--r--src/cryptography/hazmat/backends/commoncrypto/backend.py3
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py53
-rw-r--r--src/cryptography/hazmat/backends/openssl/ciphers.py30
-rw-r--r--src/cryptography/hazmat/backends/openssl/dsa.py2
-rw-r--r--src/cryptography/hazmat/backends/openssl/hashes.py2
-rw-r--r--src/cryptography/hazmat/backends/openssl/hmac.py2
-rw-r--r--src/cryptography/hazmat/bindings/commoncrypto/binding.py3
-rw-r--r--src/cryptography/hazmat/bindings/openssl/binding.py46
-rw-r--r--src/cryptography/utils.py14
10 files changed, 77 insertions, 82 deletions
diff --git a/src/cryptography/exceptions.py b/src/cryptography/exceptions.py
index a4292eb8..29be22be 100644
--- a/src/cryptography/exceptions.py
+++ b/src/cryptography/exceptions.py
@@ -49,7 +49,9 @@ class InvalidSignature(Exception):
class InternalError(Exception):
- pass
+ def __init__(self, msg, err_code):
+ super(InternalError, self).__init__(msg)
+ self.err_code = err_code
class InvalidKey(Exception):
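Review bot: `err_code` is a required positional argument with no default, so any `InternalError(msg)` construction outside this diff would now fail with TypeError, and the name does not describe everything stored in it. In this commit the CommonCrypto backend passes the integer `response`, while `_openssl_assert` in bindings/openssl/binding.py passes the list returned by `_consume_errors`. A docstring on the class stating both shapes would save handlers from guessing, for example `"""err_code is the CommonCrypto status int, or a list of _OpenSSLError tuples on the OpenSSL path."""`.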
diff --git a/src/cryptography/hazmat/backends/commoncrypto/backend.py b/src/cryptography/hazmat/backends/commoncrypto/backend.py
index 091fbb7c..315d67d8 100644
--- a/src/cryptography/hazmat/backends/commoncrypto/backend.py
+++ b/src/cryptography/hazmat/backends/commoncrypto/backend.py
@@ -227,7 +227,8 @@ class Backend(object):
else:
raise InternalError(
"The backend returned an unknown error, consider filing a bug."
- " Code: {0}.".format(response)
+ " Code: {0}.".format(response),
+ response
)
def _release_cipher_ctx(self, ctx):
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index a476b1e9..ac025e95 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -15,9 +15,7 @@ import idna
import six
from cryptography import utils, x509
-from cryptography.exceptions import (
- InternalError, UnsupportedAlgorithm, _Reasons
-)
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
from cryptography.hazmat.backends.interfaces import (
CMACBackend, CipherBackend, DERSerializationBackend, DSABackend,
EllipticCurveBackend, HMACBackend, HashBackend, PBKDF2HMACBackend,
@@ -42,7 +40,7 @@ from cryptography.hazmat.backends.openssl.x509 import (
_Certificate, _CertificateSigningRequest, _DISTPOINT_TYPE_FULLNAME,
_DISTPOINT_TYPE_RELATIVENAME
)
-from cryptography.hazmat.bindings.openssl.binding import Binding
+from cryptography.hazmat.bindings.openssl import binding
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
from cryptography.hazmat.primitives.asymmetric.padding import (
@@ -58,14 +56,6 @@ from cryptography.x509.oid import ExtensionOID
_MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"])
-_OpenSSLError = collections.namedtuple("_OpenSSLError",
- ["code", "lib", "func", "reason"])
-
-
-class UnhandledOpenSSLError(Exception):
- def __init__(self, msg, errors):
- super(UnhandledOpenSSLError, self).__init__(msg)
- self.errors = errors
def _encode_asn1_int(backend, x):
@@ -245,7 +235,7 @@ def _encode_basic_constraints(backend, basic_constraints):
constraints, backend._lib.BASIC_CONSTRAINTS_free
)
constraints.ca = 255 if basic_constraints.ca else 0
- if basic_constraints.ca:
+ if basic_constraints.ca and basic_constraints.path_length is not None:
constraints.pathlen = _encode_asn1_int(
backend, basic_constraints.path_length
)
@@ -524,7 +514,7 @@ class Backend(object):
name = "openssl"
def __init__(self):
- self._binding = Binding()
+ self._binding = binding.Binding()
self._ffi = self._binding.ffi
self._lib = self._binding.lib
@@ -541,14 +531,7 @@ class Backend(object):
self.activate_osrandom_engine()
def openssl_assert(self, ok):
- if not ok:
- errors = self._consume_errors()
- raise UnhandledOpenSSLError(
- "Unknown OpenSSL error. Please file an issue at https://github"
- ".com/pyca/cryptography/issues with information on how to "
- "reproduce this.",
- errors
- )
+ return binding._openssl_assert(self._lib, ok)
def activate_builtin_random(self):
# Obtain a new structural reference.
@@ -753,32 +736,8 @@ class Backend(object):
return self._ffi.buffer(buf)[:]
- def _err_string(self, code):
- err_buf = self._ffi.new("char[]", 256)
- self._lib.ERR_error_string_n(code, err_buf, 256)
- return self._ffi.string(err_buf, 256)[:]
-
def _consume_errors(self):
- errors = []
- while True:
- code = self._lib.ERR_get_error()
- if code == 0:
- break
-
- lib = self._lib.ERR_GET_LIB(code)
- func = self._lib.ERR_GET_FUNC(code)
- reason = self._lib.ERR_GET_REASON(code)
-
- errors.append(_OpenSSLError(code, lib, func, reason))
- return errors
-
- def _unknown_error(self, error):
- return InternalError(
- "Unknown error code {0} from OpenSSL, "
- "you should probably file a bug. {1}.".format(
- error.code, self._err_string(error.code)
- )
- )
+ return binding._consume_errors(self._lib)
def _bn_to_int(self, bn):
assert bn != self._ffi.NULL
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 4c1c7bc9..a80708aa 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -136,23 +136,21 @@ class _CipherContext(object):
if not errors and isinstance(self._mode, modes.GCM):
raise InvalidTag
- assert errors
-
- if errors[0][1:] == (
- self._backend._lib.ERR_LIB_EVP,
- self._backend._lib.EVP_F_EVP_ENCRYPTFINAL_EX,
- self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
- ) or errors[0][1:] == (
- self._backend._lib.ERR_LIB_EVP,
- self._backend._lib.EVP_F_EVP_DECRYPTFINAL_EX,
- self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
- ):
- raise ValueError(
- "The length of the provided data is not a multiple of "
- "the block length."
+ self._backend.openssl_assert(
+ errors[0][1:] == (
+ self._backend._lib.ERR_LIB_EVP,
+ self._backend._lib.EVP_F_EVP_ENCRYPTFINAL_EX,
+ self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
+ ) or errors[0][1:] == (
+ self._backend._lib.ERR_LIB_EVP,
+ self._backend._lib.EVP_F_EVP_DECRYPTFINAL_EX,
+ self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
)
- else:
- raise self._backend._unknown_error(errors[0])
+ )
+ raise ValueError(
+ "The length of the provided data is not a multiple of "
+ "the block length."
+ )
if (isinstance(self._mode, modes.GCM) and
self._operation == self._ENCRYPT):
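Review bot: With `assert errors` removed, `errors[0]` is indexed while building the argument to `openssl_assert`, so an empty list on a non-GCM mode surfaces as IndexError rather than InternalError; a preceding `self._backend.openssl_assert(errors)` would keep that failure typed. Separately, `errors` appears to come from a `_consume_errors()` call above the hunk, so the queue is presumably already drained when the comparison fails, and `_openssl_assert` would then attach an empty list where the removed `_unknown_error` path reported the code and its error string. Raising with the already-collected `errors` would preserve that diagnostic. The enclosing method starts above the hunk and continues below it.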
diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py
index a442bfb7..9b4c1aff 100644
--- a/src/cryptography/hazmat/backends/openssl/dsa.py
+++ b/src/cryptography/hazmat/backends/openssl/dsa.py
@@ -83,7 +83,7 @@ class _DSASignatureContext(object):
0, data_to_sign, len(data_to_sign), sig_buf,
buflen, self._private_key._dsa_cdata)
self._backend.openssl_assert(res == 1)
- assert buflen[0]
+ self._backend.openssl_assert(buflen[0])
return self._backend._ffi.buffer(sig_buf)[:buflen[0]]
diff --git a/src/cryptography/hazmat/backends/openssl/hashes.py b/src/cryptography/hazmat/backends/openssl/hashes.py
index a6b65f22..02ce5f0d 100644
--- a/src/cryptography/hazmat/backends/openssl/hashes.py
+++ b/src/cryptography/hazmat/backends/openssl/hashes.py
@@ -56,7 +56,7 @@ class _HashContext(object):
outlen = self._backend._ffi.new("unsigned int *")
res = self._backend._lib.EVP_DigestFinal_ex(self._ctx, buf, outlen)
self._backend.openssl_assert(res != 0)
- assert outlen[0] == self.algorithm.digest_size
+ self._backend.openssl_assert(outlen[0] == self.algorithm.digest_size)
res = self._backend._lib.EVP_MD_CTX_cleanup(self._ctx)
self._backend.openssl_assert(res == 1)
return self._backend._ffi.buffer(buf)[:outlen[0]]
diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
index 52c691a5..dcf2fbaf 100644
--- a/src/cryptography/hazmat/backends/openssl/hmac.py
+++ b/src/cryptography/hazmat/backends/openssl/hmac.py
@@ -71,7 +71,7 @@ class _HMACContext(object):
self._ctx, buf, outlen
)
self._backend.openssl_assert(res != 0)
- assert outlen[0] == self.algorithm.digest_size
+ self._backend.openssl_assert(outlen[0] == self.algorithm.digest_size)
self._backend._lib.HMAC_CTX_cleanup(self._ctx)
return self._backend._ffi.buffer(buf)[:outlen[0]]
diff --git a/src/cryptography/hazmat/bindings/commoncrypto/binding.py b/src/cryptography/hazmat/bindings/commoncrypto/binding.py
index 1695c041..dfe046b5 100644
--- a/src/cryptography/hazmat/bindings/commoncrypto/binding.py
+++ b/src/cryptography/hazmat/bindings/commoncrypto/binding.py
@@ -13,6 +13,3 @@ class Binding(object):
"""
lib = lib
ffi = ffi
-
- def __init__(self):
- pass
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 50d7f6d5..47b1d6e2 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -4,14 +4,46 @@
from __future__ import absolute_import, division, print_function
+import collections
import os
import threading
import types
+from cryptography.exceptions import InternalError
from cryptography.hazmat.bindings._openssl import ffi, lib
from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
+_OpenSSLError = collections.namedtuple("_OpenSSLError",
+ ["code", "lib", "func", "reason"])
+
+
+def _consume_errors(lib):
+ errors = []
+ while True:
+ code = lib.ERR_get_error()
+ if code == 0:
+ break
+
+ err_lib = lib.ERR_GET_LIB(code)
+ err_func = lib.ERR_GET_FUNC(code)
+ err_reason = lib.ERR_GET_REASON(code)
+
+ errors.append(_OpenSSLError(code, err_lib, err_func, err_reason))
+ return errors
+
+
+def _openssl_assert(lib, ok):
+ if not ok:
+ errors = _consume_errors(lib)
+ raise InternalError(
+ "Unknown OpenSSL error. Please file an issue at https://github.com"
+ "/pyca/cryptography/issues with information on how to reproduce "
+ "this.",
+ errors
+ )
+
+
@ffi.callback("int (*)(unsigned char *, int)", error=-1)
def _osrandom_rand_bytes(buf, size):
signed = ffi.cast("char *", buf)
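Review bot: The `lib` parameter of `_consume_errors` and `_openssl_assert` shadows the module-level `lib` imported from `cryptography.hazmat.bindings._openssl` a few lines above, which makes the two easy to confuse in later edits; a distinct parameter name would avoid that, and the calls visible in this diff all pass it positionally. Both helpers also lack docstrings. It is worth stating that `_consume_errors` empties the OpenSSL error queue, since `ERR_get_error` removes each entry it returns, so a later call, including the one inside `_openssl_assert`, only sees errors queued since the previous drain. `_osrandom_rand_bytes` continues beyond the end of the hunk.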
@@ -64,7 +96,7 @@ class Binding(object):
@classmethod
def _register_osrandom_engine(cls):
- assert cls.lib.ERR_peek_error() == 0
+ _openssl_assert(cls.lib, cls.lib.ERR_peek_error() == 0)
looked_up_engine = cls.lib.ENGINE_by_id(cls._osrandom_engine_id)
if looked_up_engine != ffi.NULL:
raise RuntimeError("osrandom engine already registered")
@@ -72,19 +104,19 @@ class Binding(object):
cls.lib.ERR_clear_error()
engine = cls.lib.ENGINE_new()
- assert engine != cls.ffi.NULL
+ _openssl_assert(cls.lib, engine != cls.ffi.NULL)
try:
result = cls.lib.ENGINE_set_id(engine, cls._osrandom_engine_id)
- assert result == 1
+ _openssl_assert(cls.lib, result == 1)
result = cls.lib.ENGINE_set_name(engine, cls._osrandom_engine_name)
- assert result == 1
+ _openssl_assert(cls.lib, result == 1)
result = cls.lib.ENGINE_set_RAND(engine, cls._osrandom_method)
- assert result == 1
+ _openssl_assert(cls.lib, result == 1)
result = cls.lib.ENGINE_add(engine)
- assert result == 1
+ _openssl_assert(cls.lib, result == 1)
finally:
result = cls.lib.ENGINE_free(engine)
- assert result == 1
+ _openssl_assert(cls.lib, result == 1)
@classmethod
def _ensure_ffi_initialized(cls):
diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
index 237d5968..dac4046d 100644
--- a/src/cryptography/utils.py
+++ b/src/cryptography/utils.py
@@ -58,6 +58,12 @@ class InterfaceNotImplemented(Exception):
pass
+if hasattr(inspect, "signature"):
+ signature = inspect.signature
+else:
+ signature = inspect.getargspec
+
+
def verify_interface(iface, klass):
for method in iface.__abstractmethods__:
if not hasattr(klass, method):
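Review bot: The `signature` alias has no comment explaining the version split, and its two branches return different kinds of object (an `inspect.Signature` versus an ArgSpec tuple), so the `{2!r}` and `{3!r}` text of the InterfaceNotImplemented message in the next hunk differs by interpreter. A comment such as `# inspect.signature is missing on Python 2; getargspec is deprecated on Python 3.` above the `if` would record the reason. Because the name is bound at module level without a leading underscore, it also becomes importable from `cryptography.utils`; `_signature` would keep it private if that is not intended. `verify_interface` continues past the end of the hunk.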
@@ -67,13 +73,13 @@ def verify_interface(iface, klass):
if isinstance(getattr(iface, method), abc.abstractproperty):
# Can't properly verify these yet.
continue
- spec = inspect.getargspec(getattr(iface, method))
- actual = inspect.getargspec(getattr(klass, method))
- if spec != actual:
+ sig = signature(getattr(iface, method))
+ actual = signature(getattr(klass, method))
+ if sig != actual:
raise InterfaceNotImplemented(
"{0}.{1}'s signature differs from the expected. Expected: "
"{2!r}. Received: {3!r}".format(
- klass, method, spec, actual
+ klass, method, sig, actual
)
)