Diffstat (limited to 'src/_cffi_src')
-rw-r--r--src/_cffi_src/build_commoncrypto.py29
-rw-r--r--src/_cffi_src/build_constant_time.py28
-rw-r--r--src/_cffi_src/build_openssl.py109
-rw-r--r--src/_cffi_src/build_padding.py5
-rw-r--r--src/_cffi_src/commoncrypto/__init__.py5
-rw-r--r--src/_cffi_src/commoncrypto/cf.py105
-rw-r--r--src/_cffi_src/commoncrypto/common_cryptor.py101
-rw-r--r--src/_cffi_src/commoncrypto/common_digest.py60
-rw-r--r--src/_cffi_src/commoncrypto/common_hmac.py39
-rw-r--r--src/_cffi_src/commoncrypto/common_key_derivation.py41
-rw-r--r--src/_cffi_src/commoncrypto/common_symmetric_key_wrap.py37
-rw-r--r--src/_cffi_src/commoncrypto/secimport.py88
-rw-r--r--src/_cffi_src/commoncrypto/seckey.py26
-rw-r--r--src/_cffi_src/commoncrypto/seckeychain.py27
-rw-r--r--src/_cffi_src/commoncrypto/sectransform.py70
-rw-r--r--src/_cffi_src/hazmat_src/constant_time.c22
-rw-r--r--src/_cffi_src/hazmat_src/constant_time.h6
-rw-r--r--src/_cffi_src/hazmat_src/padding.c44
-rw-r--r--src/_cffi_src/hazmat_src/padding.h1
-rw-r--r--src/_cffi_src/openssl/aes.py37
-rw-r--r--src/_cffi_src/openssl/asn1.py117
-rw-r--r--src/_cffi_src/openssl/bignum.py68
-rw-r--r--src/_cffi_src/openssl/bio.py156
-rw-r--r--src/_cffi_src/openssl/callbacks.py168
-rw-r--r--src/_cffi_src/openssl/cmac.py31
-rw-r--r--src/_cffi_src/openssl/cms.py152
-rw-r--r--src/_cffi_src/openssl/conf.py7
-rw-r--r--src/_cffi_src/openssl/crypto.py125
-rw-r--r--src/_cffi_src/openssl/cryptography.py71
-rw-r--r--src/_cffi_src/openssl/ct.py111
-rw-r--r--src/_cffi_src/openssl/dh.py240
-rw-r--r--src/_cffi_src/openssl/dsa.py101
-rw-r--r--src/_cffi_src/openssl/ec.py388
-rw-r--r--src/_cffi_src/openssl/ecdh.py40
-rw-r--r--src/_cffi_src/openssl/ecdsa.py85
-rw-r--r--src/_cffi_src/openssl/engine.py163
-rw-r--r--src/_cffi_src/openssl/err.py294
-rw-r--r--src/_cffi_src/openssl/evp.py359
-rw-r--r--src/_cffi_src/openssl/fips.py (renamed from src/_cffi_src/commoncrypto/secitem.py)23
-rw-r--r--src/_cffi_src/openssl/hmac.py77
-rw-r--r--src/_cffi_src/openssl/nid.py260
-rw-r--r--src/_cffi_src/openssl/objects.py15
-rw-r--r--src/_cffi_src/openssl/ocsp.py170
-rw-r--r--src/_cffi_src/openssl/opensslv.py5
-rw-r--r--src/_cffi_src/openssl/osrandom_engine.py24
-rw-r--r--src/_cffi_src/openssl/pem.py27
-rw-r--r--src/_cffi_src/openssl/pkcs12.py5
-rw-r--r--src/_cffi_src/openssl/pkcs7.py33
-rw-r--r--src/_cffi_src/openssl/rand.py36
-rw-r--r--src/_cffi_src/openssl/rsa.py179
-rw-r--r--src/_cffi_src/openssl/src/osrandom_engine.c659
-rw-r--r--src/_cffi_src/openssl/src/osrandom_engine.h114
-rw-r--r--src/_cffi_src/openssl/ssl.py777
-rw-r--r--src/_cffi_src/openssl/x509.py308
-rw-r--r--src/_cffi_src/openssl/x509_vfy.py208
-rw-r--r--src/_cffi_src/openssl/x509name.py52
-rw-r--r--src/_cffi_src/openssl/x509v3.py113
-rw-r--r--src/_cffi_src/utils.py66
58 files changed, 3225 insertions, 3482 deletions
diff --git a/src/_cffi_src/build_commoncrypto.py b/src/_cffi_src/build_commoncrypto.py
deleted file mode 100644
index 1c2692a7..00000000
--- a/src/_cffi_src/build_commoncrypto.py
+++ /dev/null
@@ -1,29 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-from _cffi_src.utils import build_ffi_for_binding
-
-
-ffi = build_ffi_for_binding(
- module_name="_commoncrypto",
- module_prefix="_cffi_src.commoncrypto.",
- modules=[
- "cf",
- "common_digest",
- "common_hmac",
- "common_key_derivation",
- "common_cryptor",
- "common_symmetric_key_wrap",
- "secimport",
- "secitem",
- "seckey",
- "seckeychain",
- "sectransform",
- ],
- extra_link_args=[
- "-framework", "Security", "-framework", "CoreFoundation"
- ],
-)
diff --git a/src/_cffi_src/build_constant_time.py b/src/_cffi_src/build_constant_time.py
deleted file mode 100644
index 6d9a8f54..00000000
--- a/src/_cffi_src/build_constant_time.py
+++ /dev/null
@@ -1,28 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-import os
-import sys
-
-from _cffi_src.utils import build_ffi, extra_link_args
-
-
-with open(os.path.join(
- os.path.dirname(__file__), "hazmat_src/constant_time.h"
-)) as f:
- types = f.read()
-
-with open(os.path.join(
- os.path.dirname(__file__), "hazmat_src/constant_time.c"
-)) as f:
- functions = f.read()
-
-ffi = build_ffi(
- module_name="_constant_time",
- cdef_source=types,
- verify_source=functions,
- extra_link_args=extra_link_args(sys.platform),
-)
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index dac3e4d8..a09d6d8e 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -6,66 +6,83 @@ from __future__ import absolute_import, division, print_function
import os
import sys
+from distutils import dist
+from distutils.ccompiler import get_default_compiler
+from distutils.command.config import config
-from _cffi_src.utils import build_ffi_for_binding, extra_link_args
+from _cffi_src.utils import (
+ build_ffi_for_binding, compiler_type, extra_link_args
+)
def _get_openssl_libraries(platform):
+ if os.environ.get("CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS", None):
+ return []
# OpenSSL goes by a different library name on different operating systems.
- if platform != "win32":
+ if platform == "win32" and compiler_type() == "msvc":
+ windows_link_legacy_openssl = os.environ.get(
+ "CRYPTOGRAPHY_WINDOWS_LINK_LEGACY_OPENSSL", None
+ )
+ if windows_link_legacy_openssl is None:
+ # Link against the 1.1.0 names
+ # CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+ libs = ["libssl", "libcrypto"]
+ else:
+ # Link against the 1.0.2 and lower names
+ libs = ["libeay32", "ssleay32"]
+ return libs + ["advapi32", "crypt32", "gdi32", "user32", "ws2_32"]
+ else:
+ # darwin, linux, mingw all use this path
# In some circumstances, the order in which these libs are
# specified on the linker command-line is significant;
# libssl must come before libcrypto
- # (http://marc.info/?l=openssl-users&m=135361825921871)
- return ["ssl", "crypto"]
- else:
- link_type = os.environ.get("PYCA_WINDOWS_LINK_TYPE", "static")
- return _get_openssl_windows_libraries(link_type)
+ # (https://marc.info/?l=openssl-users&m=135361825921871)
+ # -lpthread required due to usage of pthread an potential
+ # existance of a static part containing e.g. pthread_atfork
+ # (https://github.com/pyca/cryptography/issues/5084)
+ return ["ssl", "crypto", "pthread"]
-def _get_openssl_windows_libraries(link_type):
- if link_type == "dynamic":
- return ["libeay32", "ssleay32", "advapi32"]
- elif link_type == "static" or link_type == "":
- return ["libeay32mt", "ssleay32mt", "advapi32",
- "crypt32", "gdi32", "user32", "ws2_32"]
+def _extra_compile_args(platform):
+ """
+ We set -Wconversion args here so that we only do Wconversion checks on the
+ code we're compiling and not on cffi itself (as passing -Wconversion in
+ CFLAGS would do). We set no error on sign conversion because some
+ function signatures in OpenSSL have changed from long -> unsigned long
+ in the past. Since that isn't a precision issue we don't care.
+ When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 we can
+ revisit this.
+ """
+ # make sure the compiler used supports the flags to be added
+ is_gcc = False
+ if get_default_compiler() == "unix":
+ d = dist.Distribution()
+ cmd = config(d)
+ cmd._check_compiler()
+ is_gcc = ("gcc" in cmd.compiler.compiler[0] or
+ "clang" in cmd.compiler.compiler[0])
+ if is_gcc or not (platform in ["win32", "hp-ux11", "sunos5"] or
+ platform.startswith("aix")):
+ return ["-Wconversion", "-Wno-error=sign-conversion"]
else:
- raise ValueError(
- "PYCA_WINDOWS_LINK_TYPE must be 'static' or 'dynamic'"
- )
-
-
-_OSX_PRE_INCLUDE = """
-#ifdef __APPLE__
-#include <AvailabilityMacros.h>
-#define __ORIG_DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER \
- DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#undef DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#endif
-"""
-
-_OSX_POST_INCLUDE = """
-#ifdef __APPLE__
-#undef DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER \
- __ORIG_DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#endif
-"""
+ return []
ffi = build_ffi_for_binding(
module_name="_openssl",
module_prefix="_cffi_src.openssl.",
modules=[
+ # This goes first so we can define some cryptography-wide symbols.
+ "cryptography",
+
"aes",
"asn1",
"bignum",
"bio",
"cmac",
- "cms",
"conf",
"crypto",
+ "ct",
"dh",
"dsa",
"ec",
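Review bot: The two new environment switches in `_get_openssl_libraries` are tested by different rules: `CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS` is checked for truthiness, so an empty value counts as unset, while `CRYPTOGRAPHY_WINDOWS_LINK_LEGACY_OPENSSL` is compared with `is None`, so `CRYPTOGRAPHY_WINDOWS_LINK_LEGACY_OPENSSL=` (set but empty) silently selects the 1.0.2 library names and links a different OpenSSL than the builder probably intended. One rule for both, `if not os.environ.get("CRYPTOGRAPHY_WINDOWS_LINK_LEGACY_OPENSSL"):` guarding the 1.1.0 branch, removes that surprise. In `_extra_compile_args` the flag named `is_gcc` is also set when the compiler path contains "clang", so a name like `is_gcc_or_clang` or a one-line comment would make the intent clearer; a `cc` wrapper that is really gcc or clang will not match either substring and relies on the platform fallthrough below, which is worth noting in the docstring.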
@@ -74,12 +91,14 @@ ffi = build_ffi_for_binding(
"engine",
"err",
"evp",
+ "fips",
"hmac",
"nid",
"objects",
+ "ocsp",
"opensslv",
+ "osrandom_engine",
"pem",
- "pkcs7",
"pkcs12",
"rand",
"rsa",
@@ -87,10 +106,18 @@ ffi = build_ffi_for_binding(
"x509",
"x509name",
"x509v3",
- "x509_vfy"
+ "x509_vfy",
+ "pkcs7",
+ "callbacks",
],
- pre_include=_OSX_PRE_INCLUDE,
- post_include=_OSX_POST_INCLUDE,
libraries=_get_openssl_libraries(sys.platform),
- extra_link_args=extra_link_args(sys.platform),
+ # These args are passed here so that we only do Wconversion checks on the
+ # code we're compiling and not on cffi itself (as passing -Wconversion in
+ # CFLAGS would do). We set no error on sign convesrion because some
+ # function signatures in OpenSSL have changed from long -> unsigned long
+ # in the past. Since that isn't a precision issue we don't care.
+ # When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 we can
+ # revisit this.
+ extra_compile_args=_extra_compile_args(sys.platform),
+ extra_link_args=extra_link_args(compiler_type()),
)
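Review bot: The seven-line comment above `extra_compile_args=` repeats the docstring of `_extra_compile_args` almost verbatim (and carries the typo "convesrion"), so the two copies will drift apart the next time one is edited. I would keep the rationale in the function docstring and replace the comment here with a single pointer, `# See _extra_compile_args() for why -Wconversion is passed here rather than via CFLAGS.`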
diff --git a/src/_cffi_src/build_padding.py b/src/_cffi_src/build_padding.py
index 5df93d80..4c5096a1 100644
--- a/src/_cffi_src/build_padding.py
+++ b/src/_cffi_src/build_padding.py
@@ -5,9 +5,8 @@
from __future__ import absolute_import, division, print_function
import os
-import sys
-from _cffi_src.utils import build_ffi, extra_link_args
+from _cffi_src.utils import build_ffi, compiler_type, extra_link_args
with open(os.path.join(
@@ -24,5 +23,5 @@ ffi = build_ffi(
module_name="_padding",
cdef_source=types,
verify_source=functions,
- extra_link_args=extra_link_args(sys.platform),
+ extra_link_args=extra_link_args(compiler_type()),
)
diff --git a/src/_cffi_src/commoncrypto/__init__.py b/src/_cffi_src/commoncrypto/__init__.py
deleted file mode 100644
index 4b540884..00000000
--- a/src/_cffi_src/commoncrypto/__init__.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
diff --git a/src/_cffi_src/commoncrypto/cf.py b/src/_cffi_src/commoncrypto/cf.py
deleted file mode 100644
index 77d2d7cc..00000000
--- a/src/_cffi_src/commoncrypto/cf.py
+++ /dev/null
@@ -1,105 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#include <CoreFoundation/CoreFoundation.h>
-"""
-
-TYPES = """
-typedef bool Boolean;
-typedef signed long OSStatus;
-typedef unsigned char UInt8;
-typedef uint32_t UInt32;
-
-typedef const void * CFAllocatorRef;
-const CFAllocatorRef kCFAllocatorDefault;
-typedef ... *CFDataRef;
-typedef signed long long CFIndex;
-typedef ... *CFStringRef;
-typedef ... *CFArrayRef;
-typedef ... *CFBooleanRef;
-typedef ... *CFErrorRef;
-typedef ... *CFNumberRef;
-typedef ... *CFTypeRef;
-typedef ... *CFDictionaryRef;
-typedef ... *CFMutableDictionaryRef;
-typedef struct {
- ...;
-} CFDictionaryKeyCallBacks;
-typedef struct {
- ...;
-} CFDictionaryValueCallBacks;
-typedef struct {
- ...;
-} CFRange;
-
-typedef UInt32 CFStringEncoding;
-enum {
- kCFStringEncodingASCII = 0x0600
-};
-
-enum {
- kCFNumberSInt8Type = 1,
- kCFNumberSInt16Type = 2,
- kCFNumberSInt32Type = 3,
- kCFNumberSInt64Type = 4,
- kCFNumberFloat32Type = 5,
- kCFNumberFloat64Type = 6,
- kCFNumberCharType = 7,
- kCFNumberShortType = 8,
- kCFNumberIntType = 9,
- kCFNumberLongType = 10,
- kCFNumberLongLongType = 11,
- kCFNumberFloatType = 12,
- kCFNumberDoubleType = 13,
- kCFNumberCFIndexType = 14,
- kCFNumberNSIntegerType = 15,
- kCFNumberCGFloatType = 16,
- kCFNumberMaxType = 16
-};
-typedef int CFNumberType;
-
-const CFDictionaryKeyCallBacks kCFTypeDictionaryKeyCallBacks;
-const CFDictionaryValueCallBacks kCFTypeDictionaryValueCallBacks;
-
-const CFBooleanRef kCFBooleanTrue;
-const CFBooleanRef kCFBooleanFalse;
-"""
-
-FUNCTIONS = """
-CFDataRef CFDataCreate(CFAllocatorRef, const UInt8 *, CFIndex);
-CFStringRef CFStringCreateWithCString(CFAllocatorRef, const char *,
- CFStringEncoding);
-CFDictionaryRef CFDictionaryCreate(CFAllocatorRef, const void **,
- const void **, CFIndex,
- const CFDictionaryKeyCallBacks *,
- const CFDictionaryValueCallBacks *);
-CFMutableDictionaryRef CFDictionaryCreateMutable(
- CFAllocatorRef,
- CFIndex,
- const CFDictionaryKeyCallBacks *,
- const CFDictionaryValueCallBacks *
-);
-void CFDictionarySetValue(CFMutableDictionaryRef, const void *, const void *);
-CFIndex CFArrayGetCount(CFArrayRef);
-const void *CFArrayGetValueAtIndex(CFArrayRef, CFIndex);
-CFIndex CFDataGetLength(CFDataRef);
-void CFDataGetBytes(CFDataRef, CFRange, UInt8 *);
-CFRange CFRangeMake(CFIndex, CFIndex);
-void CFShow(CFTypeRef);
-Boolean CFBooleanGetValue(CFBooleanRef);
-CFNumberRef CFNumberCreate(CFAllocatorRef, CFNumberType, const void *);
-void CFRelease(CFTypeRef);
-CFTypeRef CFRetain(CFTypeRef);
-"""
-
-MACROS = """
-"""
-
-CUSTOMIZATIONS = """
-"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/commoncrypto/common_cryptor.py b/src/_cffi_src/commoncrypto/common_cryptor.py
deleted file mode 100644
index fc6eef91..00000000
--- a/src/_cffi_src/commoncrypto/common_cryptor.py
+++ /dev/null
@@ -1,101 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#include <CommonCrypto/CommonCryptor.h>
-"""
-
-TYPES = """
-enum {
- kCCAlgorithmAES128 = 0,
- kCCAlgorithmDES,
- kCCAlgorithm3DES,
- kCCAlgorithmCAST,
- kCCAlgorithmRC4,
- kCCAlgorithmRC2,
- kCCAlgorithmBlowfish
-};
-typedef uint32_t CCAlgorithm;
-enum {
- kCCSuccess = 0,
- kCCParamError = -4300,
- kCCBufferTooSmall = -4301,
- kCCMemoryFailure = -4302,
- kCCAlignmentError = -4303,
- kCCDecodeError = -4304,
- kCCUnimplemented = -4305
-};
-typedef int32_t CCCryptorStatus;
-typedef uint32_t CCOptions;
-enum {
- kCCEncrypt = 0,
- kCCDecrypt,
-};
-typedef uint32_t CCOperation;
-typedef ... *CCCryptorRef;
-
-enum {
- kCCModeOptionCTR_LE = 0x0001,
- kCCModeOptionCTR_BE = 0x0002
-};
-
-typedef uint32_t CCModeOptions;
-
-enum {
- kCCModeECB = 1,
- kCCModeCBC = 2,
- kCCModeCFB = 3,
- kCCModeCTR = 4,
- kCCModeF8 = 5,
- kCCModeLRW = 6,
- kCCModeOFB = 7,
- kCCModeXTS = 8,
- kCCModeRC4 = 9,
- kCCModeCFB8 = 10,
- kCCModeGCM = 11
-};
-typedef uint32_t CCMode;
-enum {
- ccNoPadding = 0,
- ccPKCS7Padding = 1,
-};
-typedef uint32_t CCPadding;
-"""
-
-FUNCTIONS = """
-CCCryptorStatus CCCryptorCreateWithMode(CCOperation, CCMode, CCAlgorithm,
- CCPadding, const void *, const void *,
- size_t, const void *, size_t, int,
- CCModeOptions, CCCryptorRef *);
-CCCryptorStatus CCCryptorCreate(CCOperation, CCAlgorithm, CCOptions,
- const void *, size_t, const void *,
- CCCryptorRef *);
-CCCryptorStatus CCCryptorUpdate(CCCryptorRef, const void *, size_t, void *,
- size_t, size_t *);
-CCCryptorStatus CCCryptorFinal(CCCryptorRef, void *, size_t, size_t *);
-CCCryptorStatus CCCryptorRelease(CCCryptorRef);
-
-CCCryptorStatus CCCryptorGCMAddIV(CCCryptorRef, const void *, size_t);
-CCCryptorStatus CCCryptorGCMAddAAD(CCCryptorRef, const void *, size_t);
-CCCryptorStatus CCCryptorGCMEncrypt(CCCryptorRef, const void *, size_t,
- void *);
-CCCryptorStatus CCCryptorGCMDecrypt(CCCryptorRef, const void *, size_t,
- void *);
-CCCryptorStatus CCCryptorGCMFinal(CCCryptorRef, const void *, size_t *);
-CCCryptorStatus CCCryptorGCMReset(CCCryptorRef);
-"""
-
-MACROS = """
-"""
-
-CUSTOMIZATIONS = """
-/* Not defined in the public header */
-enum {
- kCCModeGCM = 11
-};
-"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/commoncrypto/common_digest.py b/src/_cffi_src/commoncrypto/common_digest.py
deleted file mode 100644
index a76fc508..00000000
--- a/src/_cffi_src/commoncrypto/common_digest.py
+++ /dev/null
@@ -1,60 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#include <CommonCrypto/CommonDigest.h>
-"""
-
-TYPES = """
-typedef uint32_t CC_LONG;
-typedef uint64_t CC_LONG64;
-typedef struct CC_MD5state_st {
- ...;
-} CC_MD5_CTX;
-typedef struct CC_SHA1state_st {
- ...;
-} CC_SHA1_CTX;
-typedef struct CC_SHA256state_st {
- ...;
-} CC_SHA256_CTX;
-typedef struct CC_SHA512state_st {
- ...;
-} CC_SHA512_CTX;
-"""
-
-FUNCTIONS = """
-int CC_MD5_Init(CC_MD5_CTX *);
-int CC_MD5_Update(CC_MD5_CTX *, const void *, CC_LONG);
-int CC_MD5_Final(unsigned char *, CC_MD5_CTX *);
-
-int CC_SHA1_Init(CC_SHA1_CTX *);
-int CC_SHA1_Update(CC_SHA1_CTX *, const void *, CC_LONG);
-int CC_SHA1_Final(unsigned char *, CC_SHA1_CTX *);
-
-int CC_SHA224_Init(CC_SHA256_CTX *);
-int CC_SHA224_Update(CC_SHA256_CTX *, const void *, CC_LONG);
-int CC_SHA224_Final(unsigned char *, CC_SHA256_CTX *);
-
-int CC_SHA256_Init(CC_SHA256_CTX *);
-int CC_SHA256_Update(CC_SHA256_CTX *, const void *, CC_LONG);
-int CC_SHA256_Final(unsigned char *, CC_SHA256_CTX *);
-
-int CC_SHA384_Init(CC_SHA512_CTX *);
-int CC_SHA384_Update(CC_SHA512_CTX *, const void *, CC_LONG);
-int CC_SHA384_Final(unsigned char *, CC_SHA512_CTX *);
-
-int CC_SHA512_Init(CC_SHA512_CTX *);
-int CC_SHA512_Update(CC_SHA512_CTX *, const void *, CC_LONG);
-int CC_SHA512_Final(unsigned char *, CC_SHA512_CTX *);
-"""
-
-MACROS = """
-"""
-
-CUSTOMIZATIONS = """
-"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/commoncrypto/common_hmac.py b/src/_cffi_src/commoncrypto/common_hmac.py
deleted file mode 100644
index fcd0c0f4..00000000
--- a/src/_cffi_src/commoncrypto/common_hmac.py
+++ /dev/null
@@ -1,39 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#include <CommonCrypto/CommonHMAC.h>
-"""
-
-TYPES = """
-typedef struct {
- ...;
-} CCHmacContext;
-enum {
- kCCHmacAlgSHA1,
- kCCHmacAlgMD5,
- kCCHmacAlgSHA256,
- kCCHmacAlgSHA384,
- kCCHmacAlgSHA512,
- kCCHmacAlgSHA224
-};
-typedef uint32_t CCHmacAlgorithm;
-"""
-
-FUNCTIONS = """
-void CCHmacInit(CCHmacContext *, CCHmacAlgorithm, const void *, size_t);
-void CCHmacUpdate(CCHmacContext *, const void *, size_t);
-void CCHmacFinal(CCHmacContext *, void *);
-
-"""
-
-MACROS = """
-"""
-
-CUSTOMIZATIONS = """
-"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/commoncrypto/common_key_derivation.py b/src/_cffi_src/commoncrypto/common_key_derivation.py
deleted file mode 100644
index 19525852..00000000
--- a/src/_cffi_src/commoncrypto/common_key_derivation.py
+++ /dev/null
@@ -1,41 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#include <CommonCrypto/CommonKeyDerivation.h>
-"""
-
-TYPES = """
-enum {
- kCCPBKDF2 = 2,
-};
-typedef uint32_t CCPBKDFAlgorithm;
-enum {
- kCCPRFHmacAlgSHA1 = 1,
- kCCPRFHmacAlgSHA224 = 2,
- kCCPRFHmacAlgSHA256 = 3,
- kCCPRFHmacAlgSHA384 = 4,
- kCCPRFHmacAlgSHA512 = 5,
-};
-typedef uint32_t CCPseudoRandomAlgorithm;
-typedef unsigned int uint;
-"""
-
-FUNCTIONS = """
-int CCKeyDerivationPBKDF(CCPBKDFAlgorithm, const char *, size_t,
- const uint8_t *, size_t, CCPseudoRandomAlgorithm,
- uint, uint8_t *, size_t);
-uint CCCalibratePBKDF(CCPBKDFAlgorithm, size_t, size_t,
- CCPseudoRandomAlgorithm, size_t, uint32_t);
-"""
-
-MACROS = """
-"""
-
-CUSTOMIZATIONS = """
-"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/commoncrypto/common_symmetric_key_wrap.py b/src/_cffi_src/commoncrypto/common_symmetric_key_wrap.py
deleted file mode 100644
index ea9e459d..00000000
--- a/src/_cffi_src/commoncrypto/common_symmetric_key_wrap.py
+++ /dev/null
@@ -1,37 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#include <CommonCrypto/CommonSymmetricKeywrap.h>
-"""
-
-TYPES = """
-enum {
- kCCWRAPAES = 1,
-};
-
-typedef uint32_t CCWrappingAlgorithm;
-"""
-
-FUNCTIONS = """
-int CCSymmetricKeyWrap(CCWrappingAlgorithm, const uint8_t *, const size_t,
- const uint8_t *, size_t, const uint8_t *, size_t,
- uint8_t *, size_t *);
-int CCSymmetricKeyUnwrap(CCWrappingAlgorithm algorithm, const uint8_t *,
- const size_t, const uint8_t *, size_t,
- const uint8_t *, size_t, uint8_t *, size_t *);
-size_t CCSymmetricWrappedSize(CCWrappingAlgorithm, size_t);
-size_t CCSymmetricUnwrappedSize(CCWrappingAlgorithm, size_t);
-
-"""
-
-MACROS = """
-"""
-
-CUSTOMIZATIONS = """
-"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/commoncrypto/secimport.py b/src/_cffi_src/commoncrypto/secimport.py
deleted file mode 100644
index 41a799f9..00000000
--- a/src/_cffi_src/commoncrypto/secimport.py
+++ /dev/null
@@ -1,88 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#include <Security/SecImportExport.h>
-"""
-
-TYPES = """
-typedef ... *SecAccessRef;
-
-CFStringRef kSecImportExportPassphrase;
-CFStringRef kSecImportExportKeychain;
-CFStringRef kSecImportExportAccess;
-
-typedef uint32_t SecExternalItemType;
-enum {
- kSecItemTypeUnknown,
- kSecItemTypePrivateKey,
- kSecItemTypePublicKey,
- kSecItemTypeSessionKey,
- kSecItemTypeCertificate,
- kSecItemTypeAggregate
-};
-
-
-typedef uint32_t SecExternalFormat;
-enum {
- kSecFormatUnknown = 0,
- kSecFormatOpenSSL,
- kSecFormatSSH,
- kSecFormatBSAFE,
- kSecFormatRawKey,
- kSecFormatWrappedPKCS8,
- kSecFormatWrappedOpenSSL,
- kSecFormatWrappedSSH,
- kSecFormatWrappedLSH,
- kSecFormatX509Cert,
- kSecFormatPEMSequence,
- kSecFormatPKCS7,
- kSecFormatPKCS12,
- kSecFormatNetscapeCertSequence,
- kSecFormatSSHv2
-};
-
-typedef uint32_t SecItemImportExportFlags;
-enum {
- kSecKeyImportOnlyOne = 0x00000001,
- kSecKeySecurePassphrase = 0x00000002,
- kSecKeyNoAccessControl = 0x00000004
-};
-typedef uint32_t SecKeyImportExportFlags;
-
-typedef struct {
- /* for import and export */
- uint32_t version;
- SecKeyImportExportFlags flags;
- CFTypeRef passphrase;
- CFStringRef alertTitle;
- CFStringRef alertPrompt;
-
- /* for import only */
- SecAccessRef accessRef;
- CFArrayRef keyUsage;
-
- CFArrayRef keyAttributes;
-} SecItemImportExportKeyParameters;
-"""
-
-FUNCTIONS = """
-OSStatus SecItemImport(CFDataRef, CFStringRef, SecExternalFormat *,
- SecExternalItemType *, SecItemImportExportFlags,
- const SecItemImportExportKeyParameters *,
- SecKeychainRef, CFArrayRef *);
-OSStatus SecPKCS12Import(CFDataRef, CFDictionaryRef, CFArrayRef *);
-OSStatus SecItemExport(CFTypeRef, SecExternalFormat, SecItemImportExportFlags,
- const SecItemImportExportKeyParameters *, CFDataRef *);
-"""
-
-MACROS = """
-"""
-
-CUSTOMIZATIONS = """
-"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/commoncrypto/seckey.py b/src/_cffi_src/commoncrypto/seckey.py
deleted file mode 100644
index 01d42e6a..00000000
--- a/src/_cffi_src/commoncrypto/seckey.py
+++ /dev/null
@@ -1,26 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#include <Security/SecKey.h>
-"""
-
-TYPES = """
-typedef ... *SecKeyRef;
-"""
-
-FUNCTIONS = """
-OSStatus SecKeyGeneratePair(CFDictionaryRef, SecKeyRef *, SecKeyRef *);
-size_t SecKeyGetBlockSize(SecKeyRef);
-"""
-
-MACROS = """
-"""
-
-CUSTOMIZATIONS = """
-"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/commoncrypto/seckeychain.py b/src/_cffi_src/commoncrypto/seckeychain.py
deleted file mode 100644
index 6a2cb4be..00000000
--- a/src/_cffi_src/commoncrypto/seckeychain.py
+++ /dev/null
@@ -1,27 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#include <Security/SecKeychain.h>
-"""
-
-TYPES = """
-typedef ... *SecKeychainRef;
-"""
-
-FUNCTIONS = """
-OSStatus SecKeychainCreate(const char *, UInt32, const void *, Boolean,
- SecAccessRef, SecKeychainRef *);
-OSStatus SecKeychainDelete(SecKeychainRef);
-"""
-
-MACROS = """
-"""
-
-CUSTOMIZATIONS = """
-"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/commoncrypto/sectransform.py b/src/_cffi_src/commoncrypto/sectransform.py
deleted file mode 100644
index bed94953..00000000
--- a/src/_cffi_src/commoncrypto/sectransform.py
+++ /dev/null
@@ -1,70 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#include <Security/SecDigestTransform.h>
-#include <Security/SecSignVerifyTransform.h>
-#include <Security/SecEncryptTransform.h>
-"""
-
-TYPES = """
-typedef ... *SecTransformRef;
-
-CFStringRef kSecImportExportPassphrase;
-CFStringRef kSecImportExportKeychain;
-CFStringRef kSecImportExportAccess;
-
-CFStringRef kSecEncryptionMode;
-CFStringRef kSecEncryptKey;
-CFStringRef kSecIVKey;
-CFStringRef kSecModeCBCKey;
-CFStringRef kSecModeCFBKey;
-CFStringRef kSecModeECBKey;
-CFStringRef kSecModeNoneKey;
-CFStringRef kSecModeOFBKey;
-CFStringRef kSecOAEPEncodingParametersAttributeName;
-CFStringRef kSecPaddingKey;
-CFStringRef kSecPaddingNoneKey;
-CFStringRef kSecPaddingOAEPKey;
-CFStringRef kSecPaddingPKCS1Key;
-CFStringRef kSecPaddingPKCS5Key;
-CFStringRef kSecPaddingPKCS7Key;
-
-const CFStringRef kSecTransformInputAttributeName;
-const CFStringRef kSecTransformOutputAttributeName;
-const CFStringRef kSecTransformDebugAttributeName;
-const CFStringRef kSecTransformTransformName;
-const CFStringRef kSecTransformAbortAttributeName;
-
-CFStringRef kSecInputIsAttributeName;
-CFStringRef kSecInputIsPlainText;
-CFStringRef kSecInputIsDigest;
-CFStringRef kSecInputIsRaw;
-
-const CFStringRef kSecDigestTypeAttribute;
-const CFStringRef kSecDigestLengthAttribute;
-const CFStringRef kSecDigestMD5;
-const CFStringRef kSecDigestSHA1;
-const CFStringRef kSecDigestSHA2;
-"""
-
-FUNCTIONS = """
-Boolean SecTransformSetAttribute(SecTransformRef, CFStringRef, CFTypeRef,
- CFErrorRef *);
-SecTransformRef SecDecryptTransformCreate(SecKeyRef, CFErrorRef *);
-SecTransformRef SecEncryptTransformCreate(SecKeyRef, CFErrorRef *);
-SecTransformRef SecVerifyTransformCreate(SecKeyRef, CFDataRef, CFErrorRef *);
-SecTransformRef SecSignTransformCreate(SecKeyRef, CFErrorRef *) ;
-CFTypeRef SecTransformExecute(SecTransformRef, CFErrorRef *);
-"""
-
-MACROS = """
-"""
-
-CUSTOMIZATIONS = """
-"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/hazmat_src/constant_time.c b/src/_cffi_src/hazmat_src/constant_time.c
deleted file mode 100644
index 0a48fe83..00000000
--- a/src/_cffi_src/hazmat_src/constant_time.c
+++ /dev/null
@@ -1,22 +0,0 @@
-// This file is dual licensed under the terms of the Apache License, Version
-// 2.0, and the BSD License. See the LICENSE file in the root of this
-// repository for complete details.
-
-uint8_t Cryptography_constant_time_bytes_eq(uint8_t *a, size_t len_a,
- uint8_t *b, size_t len_b) {
- size_t i = 0;
- uint8_t mismatch = 0;
- if (len_a != len_b) {
- return 0;
- }
- for (i = 0; i < len_a; i++) {
- mismatch |= a[i] ^ b[i];
- }
-
- /* Make sure any bits set are copied to the lowest bit */
- mismatch |= mismatch >> 4;
- mismatch |= mismatch >> 2;
- mismatch |= mismatch >> 1;
- /* Now check the low bit to see if it's set */
- return (mismatch & 1) == 0;
-}
diff --git a/src/_cffi_src/hazmat_src/constant_time.h b/src/_cffi_src/hazmat_src/constant_time.h
deleted file mode 100644
index 593479f6..00000000
--- a/src/_cffi_src/hazmat_src/constant_time.h
+++ /dev/null
@@ -1,6 +0,0 @@
-// This file is dual licensed under the terms of the Apache License, Version
-// 2.0, and the BSD License. See the LICENSE file in the root of this
-// repository for complete details.
-
-uint8_t Cryptography_constant_time_bytes_eq(uint8_t *, size_t, uint8_t *,
- size_t);
diff --git a/src/_cffi_src/hazmat_src/padding.c b/src/_cffi_src/hazmat_src/padding.c
index 570bad9f..a6e05dee 100644
--- a/src/_cffi_src/hazmat_src/padding.c
+++ b/src/_cffi_src/hazmat_src/padding.c
@@ -4,25 +4,25 @@
/* Returns the value of the input with the most-significant-bit copied to all
of the bits. */
-static uint8_t Cryptography_DUPLICATE_MSB_TO_ALL(uint8_t a) {
- return (1 - (a >> (sizeof(uint8_t) * 8 - 1))) - 1;
+static uint16_t Cryptography_DUPLICATE_MSB_TO_ALL(uint16_t a) {
+ return (1 - (a >> (sizeof(uint16_t) * 8 - 1))) - 1;
}
-/* This returns 0xFF if a < b else 0x00, but does so in a constant time
+/* This returns 0xFFFF if a < b else 0x0000, but does so in a constant time
fashion */
-static uint8_t Cryptography_constant_time_lt(uint8_t a, uint8_t b) {
+static uint16_t Cryptography_constant_time_lt(uint16_t a, uint16_t b) {
a -= b;
return Cryptography_DUPLICATE_MSB_TO_ALL(a);
}
uint8_t Cryptography_check_pkcs7_padding(const uint8_t *data,
- uint8_t block_len) {
- uint8_t i;
- uint8_t pad_size = data[block_len - 1];
- uint8_t mismatch = 0;
+ uint16_t block_len) {
+ uint16_t i;
+ uint16_t pad_size = data[block_len - 1];
+ uint16_t mismatch = 0;
for (i = 0; i < block_len; i++) {
unsigned int mask = Cryptography_constant_time_lt(i, pad_size);
- uint8_t b = data[block_len - 1 - i];
+ uint16_t b = data[block_len - 1 - i];
mismatch |= (mask & (pad_size ^ b));
}
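Review bot: The widening of `Cryptography_constant_time_lt` and `Cryptography_DUPLICATE_MSB_TO_ALL` to `uint16_t` is a real correctness change, not a cosmetic one, and deserves a why-comment: with 8-bit operands `a -= b` wraps when `b > a + 127`, so `pad_size` values in the upper half of the byte range (e.g. `i = 10`, `pad_size = 250`) produced a cleared MSB and a wrong "not less than" answer, whereas with 16-bit operands and 8-bit inputs the difference stays in [-255, 255] and bit 15 is exactly the sign. I would add above `Cryptography_constant_time_lt`: `/* Operands are 16-bit so that a - b for 8-bit inputs never wraps past the sign bit; callers must keep a and b <= 255. */`. The local `mask` on the line after the loop header is still `unsigned int` while every other temporary is now `uint16_t`; `uint16_t mask = Cryptography_constant_time_lt(i, pad_size);` keeps the widths uniform. `Cryptography_check_pkcs7_padding` continues past the end of this hunk.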
@@ -31,6 +31,32 @@ uint8_t Cryptography_check_pkcs7_padding(const uint8_t *data,
mismatch |= Cryptography_constant_time_lt(block_len, pad_size);
/* Make sure any bits set are copied to the lowest bit */
+ mismatch |= mismatch >> 8;
+ mismatch |= mismatch >> 4;
+ mismatch |= mismatch >> 2;
+ mismatch |= mismatch >> 1;
+ /* Now check the low bit to see if it's set */
+ return (mismatch & 1) == 0;
+}
+
+uint8_t Cryptography_check_ansix923_padding(const uint8_t *data,
+ uint16_t block_len) {
+ uint16_t i;
+ uint16_t pad_size = data[block_len - 1];
+ uint16_t mismatch = 0;
+ /* Skip the first one with the pad size */
+ for (i = 1; i < block_len; i++) {
+ unsigned int mask = Cryptography_constant_time_lt(i, pad_size);
+ uint16_t b = data[block_len - 1 - i];
+ mismatch |= (mask & b);
+ }
+
+ /* Check to make sure the pad_size was within the valid range. */
+ mismatch |= ~Cryptography_constant_time_lt(0, pad_size);
+ mismatch |= Cryptography_constant_time_lt(block_len, pad_size);
+
+ /* Make sure any bits set are copied to the lowest bit */
+ mismatch |= mismatch >> 8;
mismatch |= mismatch >> 4;
mismatch |= mismatch >> 2;
mismatch |= mismatch >> 1;
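Review bot: The new `Cryptography_check_ansix923_padding` reads `data[block_len - 1]` unconditionally, so a `block_len` of 0 indexes `data[-1]`; the function has no way to reject that in constant time, so the precondition should be documented at the definition: `/* Caller must pass block_len >= 1 (block_len == 0 reads data[-1]); pad_size is then range-checked in constant time below. */`. As in the PKCS#7 routine, `mask` is declared `unsigned int` while the rest of the arithmetic is `uint16_t`; `uint16_t mask = Cryptography_constant_time_lt(i, pad_size);` avoids the mixed widths. The function's `return` lies outside this hunk.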
diff --git a/src/_cffi_src/hazmat_src/padding.h b/src/_cffi_src/hazmat_src/padding.h
index 4d218b1a..fb023c17 100644
--- a/src/_cffi_src/hazmat_src/padding.h
+++ b/src/_cffi_src/hazmat_src/padding.h
@@ -3,3 +3,4 @@
// repository for complete details.
uint8_t Cryptography_check_pkcs7_padding(const uint8_t *, uint8_t);
+uint8_t Cryptography_check_ansix923_padding(const uint8_t *, uint8_t);
diff --git a/src/_cffi_src/openssl/aes.py b/src/_cffi_src/openssl/aes.py
index 15da9b62..5c9dee6d 100644
--- a/src/_cffi_src/openssl/aes.py
+++ b/src/_cffi_src/openssl/aes.py
@@ -9,53 +9,18 @@ INCLUDES = """
"""
TYPES = """
-static const int Cryptography_HAS_AES_WRAP;
-
-struct aes_key_st {
- ...;
-};
-typedef struct aes_key_st AES_KEY;
+typedef ... AES_KEY;
"""
FUNCTIONS = """
int AES_set_encrypt_key(const unsigned char *, const int, AES_KEY *);
int AES_set_decrypt_key(const unsigned char *, const int, AES_KEY *);
-"""
-MACROS = """
-/* these can be moved back to FUNCTIONS once we drop support for 0.9.8h.
- This should be when we drop RHEL/CentOS 5, which is on 0.9.8e. */
int AES_wrap_key(AES_KEY *, const unsigned char *, unsigned char *,
const unsigned char *, unsigned int);
int AES_unwrap_key(AES_KEY *, const unsigned char *, unsigned char *,
const unsigned char *, unsigned int);
-
-/* The ctr128_encrypt function is only useful in 0.9.8. You should use EVP for
- this in 1.0.0+. It is defined in macros because the function signature
- changed after 0.9.8 */
-void AES_ctr128_encrypt(const unsigned char *, unsigned char *,
- const size_t, const AES_KEY *,
- unsigned char[], unsigned char[], unsigned int *);
-
"""
CUSTOMIZATIONS = """
-/* OpenSSL 0.9.8h+ */
-#if OPENSSL_VERSION_NUMBER >= 0x0090808fL
-static const long Cryptography_HAS_AES_WRAP = 1;
-#else
-static const long Cryptography_HAS_AES_WRAP = 0;
-int (*AES_wrap_key)(AES_KEY *, const unsigned char *, unsigned char *,
- const unsigned char *, unsigned int) = NULL;
-int (*AES_unwrap_key)(AES_KEY *, const unsigned char *, unsigned char *,
- const unsigned char *, unsigned int) = NULL;
-#endif
-
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_AES_WRAP": [
- "AES_wrap_key",
- "AES_unwrap_key",
- ],
-}
diff --git a/src/_cffi_src/openssl/asn1.py b/src/_cffi_src/openssl/asn1.py
index c18708c5..3e148ce0 100644
--- a/src/_cffi_src/openssl/asn1.py
+++ b/src/_cffi_src/openssl/asn1.py
@@ -9,26 +9,8 @@ INCLUDES = """
"""
TYPES = """
-/*
- * TODO: This typedef is wrong.
- *
- * This is due to limitations of cffi.
- * See https://bitbucket.org/cffi/cffi/issue/69
- *
- * For another possible work-around (not used here because it involves more
- * complicated use of the cffi API which falls outside the general pattern used
- * by this package), see
- * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/
- *
- * The work-around used here is to just be sure to declare a type that is at
- * least as large as the real type. Maciej explains:
- *
- * <fijal> I think you want to declare your value too large (e.g. long)
- * <fijal> that way you'll never pass garbage
- */
-typedef intptr_t time_t;
-
-typedef int ASN1_BOOLEAN;
+typedef int... time_t;
+
typedef ... ASN1_INTEGER;
struct asn1_string_st {
@@ -40,121 +22,88 @@ struct asn1_string_st {
typedef struct asn1_string_st ASN1_OCTET_STRING;
typedef struct asn1_string_st ASN1_IA5STRING;
-typedef ... ASN1_BIT_STRING;
+typedef struct asn1_string_st ASN1_BIT_STRING;
+typedef struct asn1_string_st ASN1_TIME;
typedef ... ASN1_OBJECT;
-typedef ... ASN1_STRING;
-typedef ... ASN1_TYPE;
-typedef ... ASN1_GENERALIZEDTIME;
-typedef ... ASN1_ENUMERATED;
-typedef ... ASN1_ITEM;
-typedef ... ASN1_VALUE;
-
+typedef struct asn1_string_st ASN1_STRING;
+typedef struct asn1_string_st ASN1_UTF8STRING;
typedef struct {
+ int type;
...;
-} ASN1_TIME;
-typedef ... ASN1_ITEM_EXP;
-
-typedef ... ASN1_UTCTIME;
+} ASN1_TYPE;
+typedef ... ASN1_GENERALIZEDTIME;
+typedef ... ASN1_ENUMERATED;
+typedef ... ASN1_NULL;
static const int V_ASN1_GENERALIZEDTIME;
-static const int MBSTRING_FLAG;
-static const int MBSTRING_ASC;
-static const int MBSTRING_BMP;
static const int MBSTRING_UTF8;
-static const int MBSTRING_UNIV;
"""
FUNCTIONS = """
-ASN1_OBJECT *ASN1_OBJECT_new(void);
void ASN1_OBJECT_free(ASN1_OBJECT *);
-/* ASN1 OBJECT IDENTIFIER */
-ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **, const unsigned char **, long);
-int i2d_ASN1_OBJECT(ASN1_OBJECT *, unsigned char **);
-
/* ASN1 STRING */
-ASN1_STRING *ASN1_STRING_new(void);
-ASN1_STRING *ASN1_STRING_type_new(int);
-void ASN1_STRING_free(ASN1_STRING *);
unsigned char *ASN1_STRING_data(ASN1_STRING *);
int ASN1_STRING_set(ASN1_STRING *, const void *, int);
-int ASN1_STRING_type(ASN1_STRING *);
-int ASN1_STRING_to_UTF8(unsigned char **, ASN1_STRING *);
/* ASN1 OCTET STRING */
ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(void);
void ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *);
int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *, const unsigned char *, int);
+/* ASN1 IA5STRING */
+ASN1_IA5STRING *ASN1_IA5STRING_new(void);
+
/* ASN1 INTEGER */
-ASN1_INTEGER *ASN1_INTEGER_new(void);
void ASN1_INTEGER_free(ASN1_INTEGER *);
int ASN1_INTEGER_set(ASN1_INTEGER *, long);
-int i2a_ASN1_INTEGER(BIO *, ASN1_INTEGER *);
/* ASN1 TIME */
ASN1_TIME *ASN1_TIME_new(void);
void ASN1_TIME_free(ASN1_TIME *);
-ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *,
- ASN1_GENERALIZEDTIME **);
ASN1_TIME *ASN1_TIME_set(ASN1_TIME *, time_t);
-
-/* ASN1 UTCTIME */
-ASN1_UTCTIME *ASN1_UTCTIME_new(void);
-void ASN1_UTCTIME_free(ASN1_UTCTIME *);
-int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *, time_t);
-ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *, time_t);
+int ASN1_TIME_set_string(ASN1_TIME *, const char *);
/* ASN1 GENERALIZEDTIME */
-int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *, const char *);
+ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *, time_t);
void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *);
/* ASN1 ENUMERATED */
ASN1_ENUMERATED *ASN1_ENUMERATED_new(void);
void ASN1_ENUMERATED_free(ASN1_ENUMERATED *);
int ASN1_ENUMERATED_set(ASN1_ENUMERATED *, long);
-long ASN1_ENUMERATED_get(ASN1_ENUMERATED *);
-ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **, const unsigned char **, long,
- const ASN1_ITEM *);
int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *, int, int);
-"""
+/* These became const ASN1_* in 1.1.0 */
+int ASN1_STRING_type(ASN1_STRING *);
+int ASN1_STRING_to_UTF8(unsigned char **, ASN1_STRING *);
+long ASN1_ENUMERATED_get(ASN1_ENUMERATED *);
+int i2a_ASN1_INTEGER(BIO *, ASN1_INTEGER *);
+
+/* This became const ASN1_TIME in 1.1.0f */
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *,
+ ASN1_GENERALIZEDTIME **);
+
+ASN1_UTF8STRING *ASN1_UTF8STRING_new(void);
+void ASN1_UTF8STRING_free(ASN1_UTF8STRING *);
-MACROS = """
+ASN1_BIT_STRING *ASN1_BIT_STRING_new(void);
void ASN1_BIT_STRING_free(ASN1_BIT_STRING *);
/* This is not a macro, but is const on some versions of OpenSSL */
int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *, int);
-ASN1_TIME *M_ASN1_TIME_dup(void *);
-const ASN1_ITEM *ASN1_ITEM_ptr(ASN1_ITEM_EXP *);
-/* These aren't macros these arguments are all const X on openssl > 1.0.x */
-
-int ASN1_TIME_print(BIO *, ASN1_TIME *);
int ASN1_STRING_length(ASN1_STRING *);
-ASN1_STRING *ASN1_STRING_dup(ASN1_STRING *);
-int ASN1_STRING_cmp(ASN1_STRING *, ASN1_STRING *);
-int ASN1_UTCTIME_print(BIO *, ASN1_UTCTIME *);
-
-ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *);
-int ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *, ASN1_OCTET_STRING *);
-
-ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *);
-int ASN1_INTEGER_cmp(ASN1_INTEGER *, ASN1_INTEGER *);
-long ASN1_INTEGER_get(ASN1_INTEGER *);
+int ASN1_STRING_set_default_mask_asc(char *);
BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *, BIGNUM *);
ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *, ASN1_INTEGER *);
-/* These isn't a macro the arg is const on openssl 1.0.2+ */
-int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *);
-int ASN1_UTCTIME_check(ASN1_UTCTIME *);
+int i2d_ASN1_TYPE(ASN1_TYPE *, unsigned char **);
+ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **, const unsigned char **, long);
-/* Not a macro, const on openssl 1.0 */
-int ASN1_STRING_set_default_mask_asc(char *);
+ASN1_NULL *ASN1_NULL_new(void);
"""
CUSTOMIZATIONS = """
"""
-
-CONDITIONAL_NAMES = {}
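Review bot: The comment explaining why `ASN1_STRING_set_default_mask_asc` is declared with a non-const `char *` was dropped when the declaration moved out of the old MACROS block, so the 1.0-versus-1.1 const difference it recorded is now silent; restoring `/* Not a macro, const on openssl 1.0 */` above the declaration keeps that reasoning next to the code. `ASN1_STRING_length` lost its explanatory comment in the same way, and it appears to belong with the group under `/* These became const ASN1_* in 1.1.0 */`, so moving it there would make the grouping complete. Both are documentation-only; the declarations themselves look fine.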
diff --git a/src/_cffi_src/openssl/bignum.py b/src/_cffi_src/openssl/bignum.py
index d974e04e..75101839 100644
--- a/src/_cffi_src/openssl/bignum.py
+++ b/src/_cffi_src/openssl/bignum.py
@@ -10,30 +10,21 @@ INCLUDES = """
TYPES = """
typedef ... BN_CTX;
+typedef ... BN_MONT_CTX;
typedef ... BIGNUM;
-/*
- * TODO: This typedef is wrong.
- *
- * This is due to limitations of cffi.
- * See https://bitbucket.org/cffi/cffi/issue/69
- *
- * For another possible work-around (not used here because it involves more
- * complicated use of the cffi API which falls outside the general pattern used
- * by this package), see
- * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/
- *
- * The work-around used here is to just be sure to declare a type that is at
- * least as large as the real type. Maciej explains:
- *
- * <fijal> I think you want to declare your value too large (e.g. long)
- * <fijal> that way you'll never pass garbage
- */
-typedef uintptr_t BN_ULONG;
+typedef int... BN_ULONG;
"""
FUNCTIONS = """
+#define BN_FLG_CONSTTIME ...
+
+void BN_set_flags(BIGNUM *, int);
+
BIGNUM *BN_new(void);
void BN_free(BIGNUM *);
+void BN_clear_free(BIGNUM *);
+
+int BN_rand_range(BIGNUM *, const BIGNUM *);
BN_CTX *BN_CTX_new(void);
void BN_CTX_free(BN_CTX *);
@@ -42,17 +33,18 @@ void BN_CTX_start(BN_CTX *);
BIGNUM *BN_CTX_get(BN_CTX *);
void BN_CTX_end(BN_CTX *);
-BIGNUM *BN_copy(BIGNUM *, const BIGNUM *);
+BN_MONT_CTX *BN_MONT_CTX_new(void);
+int BN_MONT_CTX_set(BN_MONT_CTX *, const BIGNUM *, BN_CTX *);
+void BN_MONT_CTX_free(BN_MONT_CTX *);
+
BIGNUM *BN_dup(const BIGNUM *);
int BN_set_word(BIGNUM *, BN_ULONG);
-BN_ULONG BN_get_word(const BIGNUM *);
const BIGNUM *BN_value_one(void);
char *BN_bn2hex(const BIGNUM *);
int BN_hex2bn(BIGNUM **, const char *);
-int BN_dec2bn(BIGNUM **, const char *);
int BN_bn2bin(const BIGNUM *, unsigned char *);
BIGNUM *BN_bin2bn(const unsigned char *, int, BIGNUM *);
@@ -60,11 +52,9 @@ BIGNUM *BN_bin2bn(const unsigned char *, int, BIGNUM *);
int BN_num_bits(const BIGNUM *);
int BN_cmp(const BIGNUM *, const BIGNUM *);
+int BN_is_negative(const BIGNUM *);
int BN_add(BIGNUM *, const BIGNUM *, const BIGNUM *);
int BN_sub(BIGNUM *, const BIGNUM *, const BIGNUM *);
-int BN_mul(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-int BN_sqr(BIGNUM *, const BIGNUM *, BN_CTX *);
-int BN_div(BIGNUM *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
int BN_nnmod(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
int BN_mod_add(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
BN_CTX *);
@@ -72,34 +62,24 @@ int BN_mod_sub(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
BN_CTX *);
int BN_mod_mul(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
BN_CTX *);
-int BN_mod_sqr(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-int BN_exp(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
int BN_mod_exp(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
BN_CTX *);
-int BN_gcd(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+int BN_mod_exp_mont(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
+ BN_CTX *, BN_MONT_CTX *);
+int BN_mod_exp_mont_consttime(BIGNUM *, const BIGNUM *, const BIGNUM *,
+ const BIGNUM *, BN_CTX *, BN_MONT_CTX *);
BIGNUM *BN_mod_inverse(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-int BN_set_bit(BIGNUM *, int);
-int BN_clear_bit(BIGNUM *, int);
-
-int BN_is_bit_set(const BIGNUM *, int);
+int BN_num_bytes(const BIGNUM *);
-int BN_mask_bits(BIGNUM *, int);
-"""
-
-MACROS = """
-int BN_zero(BIGNUM *);
-int BN_one(BIGNUM *);
int BN_mod(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-int BN_lshift(BIGNUM *, const BIGNUM *, int);
-int BN_lshift1(BIGNUM *, BIGNUM *);
-
-int BN_rshift(BIGNUM *, BIGNUM *, int);
-int BN_rshift1(BIGNUM *, BIGNUM *);
+/* The following 3 prime methods are exposed for Tribler. */
+int BN_generate_prime_ex(BIGNUM *, int, int, const BIGNUM *,
+ const BIGNUM *, BN_GENCB *);
+int BN_is_prime_ex(const BIGNUM *, int, BN_CTX *, BN_GENCB *);
+const int BN_prime_checks_for_size(int);
"""
CUSTOMIZATIONS = """
"""
-
-CONDITIONAL_NAMES = {}
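Review bot: `const int BN_prime_checks_for_size(int);` qualifies a by-value return, which has no effect and reads as if it documented something; `int BN_prime_checks_for_size(int);` is the conventional form and matches every other declaration in this file. The three prime declarations also reference `BN_GENCB`, which no TYPES entry in this file declares, so presumably it comes from another module's cdef — a one-line comment naming where would save the next reader a search. Separately, `#define BN_FLG_CONSTTIME ...` in the first hunk of this file sits inside FUNCTIONS while the file's other constants live in TYPES; either form works for cffi, but keeping constants in TYPES matches the rest of the file.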
diff --git a/src/_cffi_src/openssl/bio.py b/src/_cffi_src/openssl/bio.py
index 6cc1bcb2..8f5a3e6a 100644
--- a/src/_cffi_src/openssl/bio.py
+++ b/src/_cffi_src/openssl/bio.py
@@ -9,164 +9,42 @@ INCLUDES = """
"""
TYPES = """
-typedef struct bio_st BIO;
-typedef void bio_info_cb(BIO *, int, const char *, int, long, long);
-struct bio_method_st {
- int type;
- const char *name;
- int (*bwrite)(BIO *, const char *, int);
- int (*bread)(BIO *, char *, int);
- int (*bputs)(BIO *, const char *);
- int (*bgets)(BIO *, char *, int);
- long (*ctrl)(BIO *, int, long, void *);
- int (*create)(BIO *);
- int (*destroy)(BIO *);
- long (*callback_ctrl)(BIO *, int, bio_info_cb *);
- ...;
-};
-typedef struct bio_method_st BIO_METHOD;
-struct bio_st {
- BIO_METHOD *method;
- long (*callback)(struct bio_st *, int, const char *, int, long, long);
- char *cb_arg;
- int init;
- int shutdown;
- int flags;
- int retry_reason;
- int num;
- void *ptr;
- struct bio_st *next_bio;
- struct bio_st *prev_bio;
- int references;
- unsigned long num_read;
- unsigned long num_write;
- ...;
-};
-typedef ... BUF_MEM;
-
-static const int BIO_TYPE_MEM;
-static const int BIO_TYPE_FILE;
-static const int BIO_TYPE_FD;
-static const int BIO_TYPE_SOCKET;
-static const int BIO_TYPE_CONNECT;
-static const int BIO_TYPE_ACCEPT;
-static const int BIO_TYPE_NULL;
-static const int BIO_CLOSE;
-static const int BIO_NOCLOSE;
-static const int BIO_TYPE_SOURCE_SINK;
-static const int BIO_CTRL_RESET;
-static const int BIO_CTRL_EOF;
-static const int BIO_CTRL_SET;
-static const int BIO_CTRL_SET_CLOSE;
-static const int BIO_CTRL_FLUSH;
-static const int BIO_CTRL_DUP;
-static const int BIO_CTRL_GET_CLOSE;
-static const int BIO_CTRL_INFO;
-static const int BIO_CTRL_GET;
-static const int BIO_CTRL_PENDING;
-static const int BIO_CTRL_WPENDING;
-static const int BIO_C_FILE_SEEK;
-static const int BIO_C_FILE_TELL;
-static const int BIO_TYPE_NONE;
-static const int BIO_TYPE_PROXY_CLIENT;
-static const int BIO_TYPE_PROXY_SERVER;
-static const int BIO_TYPE_NBIO_TEST;
-static const int BIO_TYPE_BER;
-static const int BIO_TYPE_BIO;
-static const int BIO_TYPE_DESCRIPTOR;
-static const int BIO_FLAGS_READ;
-static const int BIO_FLAGS_WRITE;
-static const int BIO_FLAGS_IO_SPECIAL;
-static const int BIO_FLAGS_RWS;
-static const int BIO_FLAGS_SHOULD_RETRY;
-static const int BIO_TYPE_NULL_FILTER;
-static const int BIO_TYPE_SSL;
-static const int BIO_TYPE_MD;
-static const int BIO_TYPE_BUFFER;
-static const int BIO_TYPE_CIPHER;
-static const int BIO_TYPE_BASE64;
-static const int BIO_TYPE_FILTER;
+typedef ... BIO;
+typedef ... BIO_METHOD;
"""
FUNCTIONS = """
-BIO *BIO_new(BIO_METHOD *);
-int BIO_set(BIO *, BIO_METHOD *);
int BIO_free(BIO *);
-void BIO_vfree(BIO *);
void BIO_free_all(BIO *);
-BIO *BIO_push(BIO *, BIO *);
-BIO *BIO_pop(BIO *);
-BIO *BIO_next(BIO *);
-BIO *BIO_find_type(BIO *, int);
-BIO_METHOD *BIO_s_mem(void);
-BIO *BIO_new_mem_buf(void *, int);
-BIO_METHOD *BIO_s_file(void);
BIO *BIO_new_file(const char *, const char *);
-BIO *BIO_new_fp(FILE *, int);
-BIO_METHOD *BIO_s_fd(void);
-BIO *BIO_new_fd(int, int);
-BIO_METHOD *BIO_s_socket(void);
-BIO *BIO_new_socket(int, int);
-BIO_METHOD *BIO_s_null(void);
-long BIO_ctrl(BIO *, int, long, void *);
-long BIO_callback_ctrl(
- BIO *,
- int,
- void (*)(struct bio_st *, int, const char *, int, long, long)
-);
-char *BIO_ptr_ctrl(BIO *, int, long);
-long BIO_int_ctrl(BIO *, int, long, int);
+BIO *BIO_new_dgram(int, int);
size_t BIO_ctrl_pending(BIO *);
-size_t BIO_ctrl_wpending(BIO *);
int BIO_read(BIO *, void *, int);
int BIO_gets(BIO *, char *, int);
int BIO_write(BIO *, const void *, int);
-int BIO_puts(BIO *, const char *);
-BIO_METHOD *BIO_f_null(void);
-BIO_METHOD *BIO_f_buffer(void);
-"""
+/* Added in 1.1.0 */
+int BIO_up_ref(BIO *);
-MACROS = """
-long BIO_set_fd(BIO *, long, int);
-long BIO_get_fd(BIO *, char *);
+BIO *BIO_new(BIO_METHOD *);
+BIO_METHOD *BIO_s_mem(void);
+BIO_METHOD *BIO_s_datagram(void);
+BIO *BIO_new_mem_buf(const void *, int);
long BIO_set_mem_eof_return(BIO *, int);
long BIO_get_mem_data(BIO *, char **);
-long BIO_set_mem_buf(BIO *, BUF_MEM *, int);
-long BIO_get_mem_ptr(BIO *, BUF_MEM **);
-long BIO_set_fp(BIO *, FILE *, int);
-long BIO_get_fp(BIO *, FILE **);
-long BIO_read_filename(BIO *, char *);
-long BIO_write_filename(BIO *, char *);
-long BIO_append_filename(BIO *, char *);
-long BIO_rw_filename(BIO *, char *);
int BIO_should_read(BIO *);
int BIO_should_write(BIO *);
int BIO_should_io_special(BIO *);
-int BIO_retry_type(BIO *);
int BIO_should_retry(BIO *);
int BIO_reset(BIO *);
-int BIO_seek(BIO *, int);
-int BIO_tell(BIO *);
-int BIO_flush(BIO *);
-int BIO_eof(BIO *);
-int BIO_set_close(BIO *,long);
-int BIO_get_close(BIO *);
-int BIO_pending(BIO *);
-int BIO_wpending(BIO *);
-int BIO_get_info_callback(BIO *, bio_info_cb **);
-int BIO_set_info_callback(BIO *, bio_info_cb *);
-long BIO_get_buffer_num_lines(BIO *);
-long BIO_set_read_buffer_size(BIO *, long);
-long BIO_set_write_buffer_size(BIO *, long);
-long BIO_set_buffer_size(BIO *, long);
-long BIO_set_buffer_read_data(BIO *, void *, long);
-
-/* The following was a macro in 0.9.8e. Once we drop support for RHEL/CentOS 5
- we should move this back to FUNCTIONS. */
-int BIO_method_type(const BIO *);
+void BIO_set_retry_read(BIO *);
+void BIO_clear_retry_flags(BIO *);
"""
CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL
+int BIO_up_ref(BIO *b) {
+ CRYPTO_add(&b->references, 1, CRYPTO_LOCK_BIO);
+ return 1;
+}
+#endif
"""
-
-CONDITIONAL_NAMES = {}
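Review bot: The pre-1.1.0 `BIO_up_ref` shim in CUSTOMIZATIONS bumps `b->references` with `CRYPTO_add`, which on those releases only serialises through the process-wide locking callback; if no callback has been installed (presumably `Cryptography_setup_ssl_threads` from callbacks.py does this) the increment is an unsynchronised read-modify-write on a refcount, which risks a premature free. That dependency is not stated anywhere near the shim; a comment such as `/* Pre-1.1.0 has no BIO_up_ref; CRYPTO_add is only atomic once the locking callback is installed */` above the function would make it explicit. The `!CRYPTOGRAPHY_IS_LIBRESSL` guard looks deliberate but its reason is not recorded either.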
diff --git a/src/_cffi_src/openssl/callbacks.py b/src/_cffi_src/openssl/callbacks.py
new file mode 100644
index 00000000..8ee01e0e
--- /dev/null
+++ b/src/_cffi_src/openssl/callbacks.py
@@ -0,0 +1,168 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/ssl.h>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/crypto.h>
+
+#ifdef _WIN32
+#define WIN32_LEAN_AND_MEAN
+#include <Windows.h>
+#include <Wincrypt.h>
+#include <Winsock2.h>
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#endif
+"""
+
+TYPES = """
+typedef struct {
+ char *password;
+ int length;
+ int called;
+ int error;
+ int maxsize;
+} CRYPTOGRAPHY_PASSWORD_DATA;
+"""
+
+FUNCTIONS = """
+int Cryptography_setup_ssl_threads(void);
+int Cryptography_pem_password_cb(char *, int, int, void *);
+"""
+
+CUSTOMIZATIONS = """
+/* This code is derived from the locking code found in the Python _ssl module's
+ locking callback for OpenSSL.
+
+ Copyright 2001-2016 Python Software Foundation; All Rights Reserved.
+
+ It has been subsequently modified to use cross platform locking without
+ using CPython APIs by Armin Rigo of the PyPy project.
+*/
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+#ifdef _WIN32
+typedef CRITICAL_SECTION Cryptography_mutex;
+static __inline void cryptography_mutex_init(Cryptography_mutex *mutex) {
+ InitializeCriticalSection(mutex);
+}
+static __inline void cryptography_mutex_lock(Cryptography_mutex *mutex) {
+ EnterCriticalSection(mutex);
+}
+static __inline void cryptography_mutex_unlock(Cryptography_mutex *mutex) {
+ LeaveCriticalSection(mutex);
+}
+#else
+typedef pthread_mutex_t Cryptography_mutex;
+#define ASSERT_STATUS(call) \
+ if ((call) != 0) { \
+ perror("Fatal error in callback initialization: " #call); \
+ abort(); \
+ }
+static inline void cryptography_mutex_init(Cryptography_mutex *mutex) {
+#if !defined(pthread_mutexattr_default)
+# define pthread_mutexattr_default ((pthread_mutexattr_t *)NULL)
+#endif
+ ASSERT_STATUS(pthread_mutex_init(mutex, pthread_mutexattr_default));
+}
+static inline void cryptography_mutex_lock(Cryptography_mutex *mutex) {
+ ASSERT_STATUS(pthread_mutex_lock(mutex));
+}
+static inline void cryptography_mutex_unlock(Cryptography_mutex *mutex) {
+ ASSERT_STATUS(pthread_mutex_unlock(mutex));
+}
+#endif
+
+
+static int _ssl_locks_count = 0;
+static Cryptography_mutex *_ssl_locks = NULL;
+
+static void _ssl_thread_locking_function(int mode, int n, const char *file,
+ int line) {
+ /* this function is needed to perform locking on shared data
+ structures. (Note that OpenSSL uses a number of global data
+ structures that will be implicitly shared whenever multiple
+ threads use OpenSSL.) Multi-threaded applications will
+ crash at random if it is not set.
+
+ locking_function() must be able to handle up to
+ CRYPTO_num_locks() different mutex locks. It sets the n-th
+ lock if mode & CRYPTO_LOCK, and releases it otherwise.
+
+ file and line are the file number of the function setting the
+ lock. They can be useful for debugging.
+ */
+
+ if ((_ssl_locks == NULL) ||
+ (n < 0) || (n >= _ssl_locks_count)) {
+ return;
+ }
+
+ if (mode & CRYPTO_LOCK) {
+ cryptography_mutex_lock(_ssl_locks + n);
+ } else {
+ cryptography_mutex_unlock(_ssl_locks + n);
+ }
+}
+
+static void init_mutexes(void) {
+ int i;
+ for (i = 0; i < _ssl_locks_count; i++) {
+ cryptography_mutex_init(_ssl_locks + i);
+ }
+}
+
+
+int Cryptography_setup_ssl_threads(void) {
+ if (_ssl_locks == NULL) {
+ _ssl_locks_count = CRYPTO_num_locks();
+ _ssl_locks = calloc(_ssl_locks_count, sizeof(Cryptography_mutex));
+ if (_ssl_locks == NULL) {
+ return 0;
+ }
+ init_mutexes();
+ CRYPTO_set_locking_callback(_ssl_thread_locking_function);
+#ifndef _WIN32
+ pthread_atfork(NULL, NULL, &init_mutexes);
+#endif
+ }
+ return 1;
+}
+#else
+int (*Cryptography_setup_ssl_threads)(void) = NULL;
+#endif
+
+typedef struct {
+ char *password;
+ int length;
+ int called;
+ int error;
+ int maxsize;
+} CRYPTOGRAPHY_PASSWORD_DATA;
+
+int Cryptography_pem_password_cb(char *buf, int size,
+ int rwflag, void *userdata) {
+ /* The password cb is only invoked if OpenSSL decides the private
+ key is encrypted. So this path only occurs if it needs a password */
+ CRYPTOGRAPHY_PASSWORD_DATA *st = (CRYPTOGRAPHY_PASSWORD_DATA *)userdata;
+ st->called += 1;
+ st->maxsize = size;
+ if (st->length == 0) {
+ st->error = -1;
+ return 0;
+ } else if (st->length < size) {
+ memcpy(buf, st->password, st->length);
+ return st->length;
+ } else {
+ st->error = -2;
+ return 0;
+ }
+}
+"""
diff --git a/src/_cffi_src/openssl/cmac.py b/src/_cffi_src/openssl/cmac.py
index c01a449f..557abd1c 100644
--- a/src/_cffi_src/openssl/cmac.py
+++ b/src/_cffi_src/openssl/cmac.py
@@ -5,20 +5,16 @@
from __future__ import absolute_import, division, print_function
INCLUDES = """
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#if !defined(OPENSSL_NO_CMAC)
#include <openssl/cmac.h>
#endif
"""
TYPES = """
-static const int Cryptography_HAS_CMAC;
typedef ... CMAC_CTX;
"""
FUNCTIONS = """
-"""
-
-MACROS = """
CMAC_CTX *CMAC_CTX_new(void);
int CMAC_Init(CMAC_CTX *, const void *, size_t, const EVP_CIPHER *, ENGINE *);
int CMAC_Update(CMAC_CTX *, const void *, size_t);
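Review bot: The include is now guarded by `#if !defined(OPENSSL_NO_CMAC)`, but the `Cryptography_HAS_CMAC` flag and the NULL-pointer fallbacks for `CMAC_CTX_new` and friends are removed in the second hunk of this file, so an OpenSSL built with `OPENSSL_NO_CMAC` skips the header while the cdef still declares every CMAC symbol and the build presumably fails with an opaque compiler error rather than a clear unsupported-feature message. Either drop the guard so the missing header fails early and visibly, or keep the conditional include with a comment such as `/* CMAC is required; OPENSSL_NO_CMAC builds are not supported */` so the intent is recorded.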
@@ -28,29 +24,4 @@ void CMAC_CTX_free(CMAC_CTX *);
"""
CUSTOMIZATIONS = """
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
-
-static const long Cryptography_HAS_CMAC = 0;
-typedef void CMAC_CTX;
-CMAC_CTX *(*CMAC_CTX_new)(void) = NULL;
-int (*CMAC_Init)(CMAC_CTX *, const void *, size_t, const EVP_CIPHER *,
- ENGINE *) = NULL;
-int (*CMAC_Update)(CMAC_CTX *, const void *, size_t) = NULL;
-int (*CMAC_Final)(CMAC_CTX *, unsigned char *, size_t *) = NULL;
-int (*CMAC_CTX_copy)(CMAC_CTX *, const CMAC_CTX *) = NULL;
-void (*CMAC_CTX_free)(CMAC_CTX *) = NULL;
-#else
-static const long Cryptography_HAS_CMAC = 1;
-#endif
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_CMAC": [
- "CMAC_CTX_new",
- "CMAC_Init",
- "CMAC_Update",
- "CMAC_Final",
- "CMAC_CTX_copy",
- "CMAC_CTX_free",
- ],
-}
diff --git a/src/_cffi_src/openssl/cms.py b/src/_cffi_src/openssl/cms.py
deleted file mode 100644
index a43df5d9..00000000
--- a/src/_cffi_src/openssl/cms.py
+++ /dev/null
@@ -1,152 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-from __future__ import absolute_import, division, print_function
-
-INCLUDES = """
-#if !defined(OPENSSL_NO_CMS) && OPENSSL_VERSION_NUMBER >= 0x0090808fL
-/* The next define should really be in the OpenSSL header, but it is missing.
- Failing to include this on Windows causes compilation failures. */
-#if defined(OPENSSL_SYS_WINDOWS)
-#include <windows.h>
-#endif
-#include <openssl/cms.h>
-#endif
-"""
-
-TYPES = """
-static const long Cryptography_HAS_CMS;
-
-typedef ... CMS_ContentInfo;
-typedef ... CMS_SignerInfo;
-typedef ... CMS_CertificateChoices;
-typedef ... CMS_RevocationInfoChoice;
-typedef ... CMS_RecipientInfo;
-typedef ... CMS_ReceiptRequest;
-typedef ... CMS_Receipt;
-
-static const int CMS_TEXT;
-static const int CMS_NOCERTS;
-static const int CMS_NO_CONTENT_VERIFY;
-static const int CMS_NO_ATTR_VERIFY;
-static const int CMS_NOSIGS;
-static const int CMS_NOINTERN;
-static const int CMS_NO_SIGNER_CERT_VERIFY;
-static const int CMS_NOVERIFY;
-static const int CMS_DETACHED;
-static const int CMS_BINARY;
-static const int CMS_NOATTR;
-static const int CMS_NOSMIMECAP;
-static const int CMS_NOOLDMIMETYPE;
-static const int CMS_CRLFEOL;
-static const int CMS_STREAM;
-static const int CMS_NOCRL;
-static const int CMS_PARTIAL;
-static const int CMS_REUSE_DIGEST;
-static const int CMS_USE_KEYID;
-static const int CMS_DEBUG_DECRYPT;
-"""
-
-FUNCTIONS = """
-"""
-
-MACROS = """
-BIO *BIO_new_CMS(BIO *, CMS_ContentInfo *);
-int i2d_CMS_bio_stream(BIO *, CMS_ContentInfo *, BIO *, int);
-int PEM_write_bio_CMS_stream(BIO *, CMS_ContentInfo *, BIO *, int);
-int CMS_final(CMS_ContentInfo *, BIO *, BIO *, unsigned int);
-CMS_ContentInfo *CMS_sign(X509 *, EVP_PKEY *, Cryptography_STACK_OF_X509 *,
- BIO *, unsigned int);
-int CMS_verify(CMS_ContentInfo *, Cryptography_STACK_OF_X509 *, X509_STORE *,
- BIO *, BIO *, unsigned int);
-CMS_ContentInfo *CMS_encrypt(Cryptography_STACK_OF_X509 *, BIO *,
- const EVP_CIPHER *, unsigned int);
-int CMS_decrypt(CMS_ContentInfo *, EVP_PKEY *, X509 *, BIO *, BIO *,
- unsigned int);
-CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *, X509 *, EVP_PKEY *,
- const EVP_MD *, unsigned int);
-"""
-
-CUSTOMIZATIONS = """
-#if !defined(OPENSSL_NO_CMS) && OPENSSL_VERSION_NUMBER >= 0x0090808fL
-static const long Cryptography_HAS_CMS = 1;
-#else
-static const long Cryptography_HAS_CMS = 0;
-typedef void CMS_ContentInfo;
-typedef void CMS_SignerInfo;
-typedef void CMS_CertificateChoices;
-typedef void CMS_RevocationInfoChoice;
-typedef void CMS_RecipientInfo;
-typedef void CMS_ReceiptRequest;
-typedef void CMS_Receipt;
-const long CMS_TEXT = 0;
-const long CMS_NOCERTS = 0;
-const long CMS_NO_CONTENT_VERIFY = 0;
-const long CMS_NO_ATTR_VERIFY = 0;
-const long CMS_NOSIGS = 0;
-const long CMS_NOINTERN = 0;
-const long CMS_NO_SIGNER_CERT_VERIFY = 0;
-const long CMS_NOVERIFY = 0;
-const long CMS_DETACHED = 0;
-const long CMS_BINARY = 0;
-const long CMS_NOATTR = 0;
-const long CMS_NOSMIMECAP = 0;
-const long CMS_NOOLDMIMETYPE = 0;
-const long CMS_CRLFEOL = 0;
-const long CMS_STREAM = 0;
-const long CMS_NOCRL = 0;
-const long CMS_PARTIAL = 0;
-const long CMS_REUSE_DIGEST = 0;
-const long CMS_USE_KEYID = 0;
-const long CMS_DEBUG_DECRYPT = 0;
-BIO *(*BIO_new_CMS)(BIO *, CMS_ContentInfo *) = NULL;
-int (*i2d_CMS_bio_stream)(BIO *, CMS_ContentInfo *, BIO *, int) = NULL;
-int (*PEM_write_bio_CMS_stream)(BIO *, CMS_ContentInfo *, BIO *, int) = NULL;
-int (*CMS_final)(CMS_ContentInfo *, BIO *, BIO *, unsigned int) = NULL;
-CMS_ContentInfo *(*CMS_sign)(X509 *, EVP_PKEY *, Cryptography_STACK_OF_X509 *,
- BIO *, unsigned int) = NULL;
-int (*CMS_verify)(CMS_ContentInfo *, Cryptography_STACK_OF_X509 *,
- X509_STORE *, BIO *, BIO *, unsigned int) = NULL;
-CMS_ContentInfo *(*CMS_encrypt)(Cryptography_STACK_OF_X509 *, BIO *,
- const EVP_CIPHER *, unsigned int) = NULL;
-int (*CMS_decrypt)(CMS_ContentInfo *, EVP_PKEY *, X509 *, BIO *, BIO *,
- unsigned int) = NULL;
-CMS_SignerInfo *(*CMS_add1_signer)(CMS_ContentInfo *, X509 *, EVP_PKEY *,
- const EVP_MD *, unsigned int) = NULL;
-#endif
-"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_CMS": [
- "BIO_new_CMS",
- "i2d_CMS_bio_stream",
- "PEM_write_bio_CMS_stream",
- "CMS_final",
- "CMS_sign",
- "CMS_verify",
- "CMS_encrypt",
- "CMS_decrypt",
- "CMS_add1_signer",
- "CMS_TEXT",
- "CMS_NOCERTS",
- "CMS_NO_CONTENT_VERIFY",
- "CMS_NO_ATTR_VERIFY",
- "CMS_NOSIGS",
- "CMS_NOINTERN",
- "CMS_NO_SIGNER_CERT_VERIFY",
- "CMS_NOVERIFY",
- "CMS_DETACHED",
- "CMS_BINARY",
- "CMS_NOATTR",
- "CMS_NOSMIMECAP",
- "CMS_NOOLDMIMETYPE",
- "CMS_CRLFEOL",
- "CMS_STREAM",
- "CMS_NOCRL",
- "CMS_PARTIAL",
- "CMS_REUSE_DIGEST",
- "CMS_USE_KEYID",
- "CMS_DEBUG_DECRYPT",
- ]
-}
diff --git a/src/_cffi_src/openssl/conf.py b/src/_cffi_src/openssl/conf.py
index cab246f0..9db0162a 100644
--- a/src/_cffi_src/openssl/conf.py
+++ b/src/_cffi_src/openssl/conf.py
@@ -9,18 +9,13 @@ INCLUDES = """
"""
TYPES = """
-typedef ... CONF;
"""
FUNCTIONS = """
void OPENSSL_config(const char *);
+/* This is a macro in 1.1.0 */
void OPENSSL_no_config(void);
"""
-MACROS = """
-"""
-
CUSTOMIZATIONS = """
"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/openssl/crypto.py b/src/_cffi_src/openssl/crypto.py
index 641e95a8..d8835442 100644
--- a/src/_cffi_src/openssl/crypto.py
+++ b/src/_cffi_src/openssl/crypto.py
@@ -9,50 +9,125 @@ INCLUDES = """
"""
TYPES = """
-typedef ... CRYPTO_THREADID;
+static const long Cryptography_HAS_LOCKING_CALLBACKS;
+static const long Cryptography_HAS_MEM_FUNCTIONS;
+static const long Cryptography_HAS_OPENSSL_CLEANUP;
static const int SSLEAY_VERSION;
static const int SSLEAY_CFLAGS;
static const int SSLEAY_PLATFORM;
static const int SSLEAY_DIR;
static const int SSLEAY_BUILT_ON;
+static const int OPENSSL_VERSION;
+static const int OPENSSL_CFLAGS;
+static const int OPENSSL_BUILT_ON;
+static const int OPENSSL_PLATFORM;
+static const int OPENSSL_DIR;
static const int CRYPTO_MEM_CHECK_ON;
static const int CRYPTO_MEM_CHECK_OFF;
static const int CRYPTO_MEM_CHECK_ENABLE;
static const int CRYPTO_MEM_CHECK_DISABLE;
-static const int CRYPTO_LOCK;
-static const int CRYPTO_UNLOCK;
-static const int CRYPTO_READ;
-static const int CRYPTO_WRITE;
-static const int CRYPTO_LOCK_SSL;
"""
FUNCTIONS = """
-unsigned long SSLeay(void);
-const char *SSLeay_version(int);
-
-void CRYPTO_free(void *);
int CRYPTO_mem_ctrl(int);
-int CRYPTO_is_mem_check_on(void);
-void CRYPTO_mem_leaks(struct bio_st *);
-void CRYPTO_cleanup_all_ex_data(void);
-int CRYPTO_num_locks(void);
-void CRYPTO_set_locking_callback(void(*)(int, int, const char *, int));
-void CRYPTO_set_id_callback(unsigned long (*)(void));
-unsigned long (*CRYPTO_get_id_callback(void))(void);
+
+void OPENSSL_cleanup(void);
+
+/* as of 1.1.0 OpenSSL does its own locking *angelic chorus*. This function
+ is now a noop macro. We can delete this once we drop 1.0.2 support. */
void (*CRYPTO_get_locking_callback(void))(int, int, const char *, int);
-void CRYPTO_lock(int, int, const char *, int);
+/* SSLeay was removed in 1.1.0 */
+unsigned long SSLeay(void);
+const char *SSLeay_version(int);
+/* these functions were added to replace the SSLeay functions in 1.1.0 */
+unsigned long OpenSSL_version_num(void);
+const char *OpenSSL_version(int);
+
+/* this is a macro in 1.1.0 */
+void *OPENSSL_malloc(size_t);
void OPENSSL_free(void *);
-"""
-MACROS = """
-void CRYPTO_add(int *, int, int);
-void CRYPTO_malloc_init(void);
-void CRYPTO_malloc_debug_init(void);
+
+/* Signature changed significantly in 1.1.0, only expose there for sanity */
+int Cryptography_CRYPTO_set_mem_functions(
+ void *(*)(size_t, const char *, int),
+ void *(*)(void *, size_t, const char *, int),
+ void (*)(void *, const char *, int));
+
+void *Cryptography_malloc_wrapper(size_t, const char *, int);
+void *Cryptography_realloc_wrapper(void *, size_t, const char *, int);
+void Cryptography_free_wrapper(void *, const char *, int);
"""
CUSTOMIZATIONS = """
-"""
+/* In 1.1.0 SSLeay has finally been retired. We bidirectionally define the
+ values so you can use either one. This is so we can use the new function
+ names no matter what OpenSSL we're running on, but users on older pyOpenSSL
+ releases won't see issues if they're running OpenSSL 1.1.0 */
+#if !defined(SSLEAY_VERSION)
+# define SSLeay OpenSSL_version_num
+# define SSLeay_version OpenSSL_version
+# define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
+# define SSLEAY_VERSION OPENSSL_VERSION
+# define SSLEAY_CFLAGS OPENSSL_CFLAGS
+# define SSLEAY_BUILT_ON OPENSSL_BUILT_ON
+# define SSLEAY_PLATFORM OPENSSL_PLATFORM
+# define SSLEAY_DIR OPENSSL_DIR
+#endif
+#if !defined(OPENSSL_VERSION)
+# define OpenSSL_version_num SSLeay
+# define OpenSSL_version SSLeay_version
+# define OPENSSL_VERSION SSLEAY_VERSION
+# define OPENSSL_CFLAGS SSLEAY_CFLAGS
+# define OPENSSL_BUILT_ON SSLEAY_BUILT_ON
+# define OPENSSL_PLATFORM SSLEAY_PLATFORM
+# define OPENSSL_DIR SSLEAY_DIR
+#endif
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+static const long Cryptography_HAS_LOCKING_CALLBACKS = 1;
+#else
+static const long Cryptography_HAS_LOCKING_CALLBACKS = 0;
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+static const long Cryptography_HAS_OPENSSL_CLEANUP = 0;
+
+void (*OPENSSL_cleanup)(void) = NULL;
+
+/* This function has a significantly different signature pre-1.1.0. since it is
+ * for testing only, we don't bother to expose it on older OpenSSLs.
+ */
+static const long Cryptography_HAS_MEM_FUNCTIONS = 0;
+int (*Cryptography_CRYPTO_set_mem_functions)(
+ void *(*)(size_t, const char *, int),
+ void *(*)(void *, size_t, const char *, int),
+ void (*)(void *, const char *, int)) = NULL;
-CONDITIONAL_NAMES = {}
+#else
+static const long Cryptography_HAS_OPENSSL_CLEANUP = 1;
+static const long Cryptography_HAS_MEM_FUNCTIONS = 1;
+
+int Cryptography_CRYPTO_set_mem_functions(
+ void *(*m)(size_t, const char *, int),
+ void *(*r)(void *, size_t, const char *, int),
+ void (*f)(void *, const char *, int)
+) {
+ return CRYPTO_set_mem_functions(m, r, f);
+}
+#endif
+
+void *Cryptography_malloc_wrapper(size_t size, const char *path, int line) {
+ return malloc(size);
+}
+
+void *Cryptography_realloc_wrapper(void *ptr, size_t size, const char *path,
+ int line) {
+ return realloc(ptr, size);
+}
+
+void Cryptography_free_wrapper(void *ptr, const char *path, int line) {
+ free(ptr);
+}
+"""
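Review bot: The three allocator wrappers at the end of CUSTOMIZATIONS forward to malloc/realloc/free with no comment on why `path` and `line` are ignored, and nothing in the hunk shows `<stdlib.h>` being included (the INCLUDES block is outside the hunk), so confirm it is. I'd add above `Cryptography_malloc_wrapper`: `/* path/line are OpenSSL's allocation-site debug arguments; the wrappers ignore them and forward to libc so the test suite can install a known allocator. */`. Also, `Cryptography_CRYPTO_set_mem_functions` passes through the return of `CRYPTO_set_mem_functions`, which as far as I recall is 0 when the allocators can no longer be replaced because memory has already been allocated, so the Python caller must check it rather than assume success; a one-line comment saying so would help. As a style point, the two back-to-back `#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110` blocks (the locking-callback one and the cleanup/mem-functions one) could be a single block.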
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
new file mode 100644
index 00000000..cd583313
--- /dev/null
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -0,0 +1,71 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+/* define our OpenSSL API compatibility level to 1.0.1. Any symbols older than
+ that will raise an error during compilation. We can raise this number again
+ after we drop 1.0.2 support in the distant future. */
+#define OPENSSL_API_COMPAT 0x10001000L
+
+#include <openssl/opensslv.h>
+
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+#define CRYPTOGRAPHY_IS_LIBRESSL 1
+#else
+#define CRYPTOGRAPHY_IS_LIBRESSL 0
+#endif
+
+/*
+ LibreSSL removed e_os2.h from the public headers so we'll only include it
+ if we're using vanilla OpenSSL.
+*/
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+#include <openssl/e_os2.h>
+#endif
+#if defined(_WIN32)
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <Wincrypt.h>
+#include <Winsock2.h>
+#endif
+
+#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I \
+ (OPENSSL_VERSION_NUMBER < 0x1000209f || CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 \
+ (OPENSSL_VERSION_NUMBER < 0x10100000 || CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+ (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
+ (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \
+ (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
+"""
+
+TYPES = """
+static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
+
+static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I;
+static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
+static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
+
+static const int CRYPTOGRAPHY_IS_LIBRESSL;
+"""
+
+FUNCTIONS = """
+"""
+
+CUSTOMIZATIONS = """
+"""
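Review bot: `#define OPENSSL_API_COMPAT 0x10001000L` only takes effect if it precedes every OpenSSL header in the generated translation unit, so this module's INCLUDES must be emitted before every other module's; nothing in the hunk guarantees that ordering and the comment above it does not mention it. I'd extend that comment with `/* NOTE: this must be the first INCLUDES block in the combined build; OPENSSL_API_COMPAT is ignored once any OpenSSL header has been included. */`. Separately, `CRYPTOGRAPHY_OPENSSL_LESS_THAN_110` and `CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J` are defined in INCLUDES but, unlike the other version macros, not declared in TYPES; if that is intentional (C-only gates), a short comment in TYPES saying so would stop the next reader from adding them. Note also that every `LESS_THAN_*` macro is unconditionally true for LibreSSL, which is what the dh.py and dsa.py guards `LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL` rely on.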
diff --git a/src/_cffi_src/openssl/ct.py b/src/_cffi_src/openssl/ct.py
new file mode 100644
index 00000000..71125dd1
--- /dev/null
+++ b/src/_cffi_src/openssl/ct.py
@@ -0,0 +1,111 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+#include <openssl/ct.h>
+
+typedef STACK_OF(SCT) Cryptography_STACK_OF_SCT;
+#endif
+"""
+
+TYPES = """
+static const long Cryptography_HAS_SCT;
+
+typedef enum {
+ SCT_VERSION_NOT_SET,
+ SCT_VERSION_V1
+} sct_version_t;
+
+typedef enum {
+ CT_LOG_ENTRY_TYPE_NOT_SET,
+ CT_LOG_ENTRY_TYPE_X509,
+ CT_LOG_ENTRY_TYPE_PRECERT
+} ct_log_entry_type_t;
+
+typedef enum {
+ SCT_SOURCE_UNKNOWN,
+ SCT_SOURCE_TLS_EXTENSION,
+ SCT_SOURCE_X509V3_EXTENSION,
+ SCT_SOURCE_OCSP_STAPLED_RESPONSE
+} sct_source_t;
+
+typedef ... SCT;
+typedef ... Cryptography_STACK_OF_SCT;
+"""
+
+FUNCTIONS = """
+sct_version_t SCT_get_version(const SCT *);
+
+ct_log_entry_type_t SCT_get_log_entry_type(const SCT *);
+
+size_t SCT_get0_log_id(const SCT *, unsigned char **);
+
+size_t SCT_get0_signature(const SCT *, unsigned char **);
+
+uint64_t SCT_get_timestamp(const SCT *);
+
+int SCT_set_source(SCT *, sct_source_t);
+
+int sk_SCT_num(const Cryptography_STACK_OF_SCT *);
+SCT *sk_SCT_value(const Cryptography_STACK_OF_SCT *, int);
+
+void SCT_LIST_free(Cryptography_STACK_OF_SCT *);
+
+int sk_SCT_push(Cryptography_STACK_OF_SCT *, SCT *);
+Cryptography_STACK_OF_SCT *sk_SCT_new_null(void);
+SCT *SCT_new(void);
+int SCT_set1_log_id(SCT *, unsigned char *, size_t);
+void SCT_set_timestamp(SCT *, uint64_t);
+int SCT_set_version(SCT *, sct_version_t);
+int SCT_set_log_entry_type(SCT *, ct_log_entry_type_t);
+"""
+
+CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+static const long Cryptography_HAS_SCT = 1;
+#else
+static const long Cryptography_HAS_SCT = 0;
+
+typedef enum {
+ SCT_VERSION_NOT_SET,
+ SCT_VERSION_V1
+} sct_version_t;
+typedef enum {
+ CT_LOG_ENTRY_TYPE_NOT_SET,
+ CT_LOG_ENTRY_TYPE_X509,
+ CT_LOG_ENTRY_TYPE_PRECERT
+} ct_log_entry_type_t;
+typedef enum {
+ SCT_SOURCE_UNKNOWN,
+ SCT_SOURCE_TLS_EXTENSION,
+ SCT_SOURCE_X509V3_EXTENSION,
+ SCT_SOURCE_OCSP_STAPLED_RESPONSE
+} sct_source_t;
+typedef void SCT;
+typedef void Cryptography_STACK_OF_SCT;
+
+sct_version_t (*SCT_get_version)(const SCT *) = NULL;
+ct_log_entry_type_t (*SCT_get_log_entry_type)(const SCT *) = NULL;
+size_t (*SCT_get0_log_id)(const SCT *, unsigned char **) = NULL;
+size_t (*SCT_get0_signature)(const SCT *, unsigned char **) = NULL;
+uint64_t (*SCT_get_timestamp)(const SCT *) = NULL;
+
+int (*SCT_set_source)(SCT *, sct_source_t) = NULL;
+
+int (*sk_SCT_num)(const Cryptography_STACK_OF_SCT *) = NULL;
+SCT *(*sk_SCT_value)(const Cryptography_STACK_OF_SCT *, int) = NULL;
+
+void (*SCT_LIST_free)(Cryptography_STACK_OF_SCT *) = NULL;
+int (*sk_SCT_push)(Cryptography_STACK_OF_SCT *, SCT *) = NULL;
+Cryptography_STACK_OF_SCT *(*sk_SCT_new_null)(void) = NULL;
+SCT *(*SCT_new)(void) = NULL;
+int (*SCT_set1_log_id)(SCT *, unsigned char *, size_t) = NULL;
+void (*SCT_set_timestamp)(SCT *, uint64_t) = NULL;
+int (*SCT_set_version)(SCT *, sct_version_t) = NULL;
+int (*SCT_set_log_entry_type)(SCT *, ct_log_entry_type_t) = NULL;
+#endif
+"""
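Review bot: `SCT_get0_log_id` and `SCT_get0_signature` hand back a pointer into the SCT (the `get0` convention, no ownership transfer), so the buffer is only valid while the SCT, and the stack it was taken from via `sk_SCT_value`, remain alive, and the Python side must copy it and never free it; nothing in FUNCTIONS says so. I'd add above them: `/* get0: the returned buffer is owned by the SCT; copy it, never free it. */`. `SCT_get_timestamp`/`SCT_set_timestamp` carry the RFC 6962 timestamp, which is milliseconds since the Unix epoch rather than seconds, and a note there would prevent an off-by-1000 on the Python side. The pre-1.1.0 fallback re-declares the three enums and `typedef void SCT` with NULL function pointers, so consumers must gate on `Cryptography_HAS_SCT` before touching any of these.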
diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py
index b66e7196..0e1df23a 100644
--- a/src/_cffi_src/openssl/dh.py
+++ b/src/_cffi_src/openssl/dh.py
@@ -9,44 +9,230 @@ INCLUDES = """
"""
TYPES = """
-typedef struct dh_st {
- /* Prime number (shared) */
- BIGNUM *p;
- /* Generator of Z_p (shared) */
- BIGNUM *g;
- /* Private DH value x */
- BIGNUM *priv_key;
- /* Public DH value g^x */
- BIGNUM *pub_key;
- /* X9.42/RFC 2631 */
- BIGNUM *q;
- BIGNUM *j;
- ...;
-} DH;
+typedef ... DH;
+
+const long DH_NOT_SUITABLE_GENERATOR;
"""
FUNCTIONS = """
DH *DH_new(void);
void DH_free(DH *);
int DH_size(const DH *);
-DH *DH_generate_parameters(int, int, void (*)(int, int, void *), void *);
-int DH_check(const DH *, int *);
-int DH_check_pub_key(const DH *, const BIGNUM *, int *);
int DH_generate_key(DH *);
int DH_compute_key(unsigned char *, const BIGNUM *, DH *);
-int DH_set_ex_data(DH *, int, void *);
-void *DH_get_ex_data(DH *, int);
-DH *d2i_DHparams(DH **, const unsigned char **, long);
-int i2d_DHparams(const DH *, unsigned char **);
-int DHparams_print_fp(FILE *, const DH *);
-int DHparams_print(BIO *, const DH *);
-"""
+DH *DHparams_dup(DH *);
+
+/* added in 1.1.0 when the DH struct was opaqued */
+void DH_get0_pqg(const DH *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **);
+int DH_set0_pqg(DH *, BIGNUM *, BIGNUM *, BIGNUM *);
+void DH_get0_key(const DH *, const BIGNUM **, const BIGNUM **);
+int DH_set0_key(DH *, BIGNUM *, BIGNUM *);
-MACROS = """
+int Cryptography_DH_check(const DH *, int *);
int DH_generate_parameters_ex(DH *, int, int, BN_GENCB *);
+DH *d2i_DHparams_bio(BIO *, DH **);
+int i2d_DHparams_bio(BIO *, DH *);
+DH *Cryptography_d2i_DHxparams_bio(BIO *bp, DH **x);
+int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x);
"""
CUSTOMIZATIONS = """
-"""
+/* These functions were added in OpenSSL 1.1.0 */
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL
+void DH_get0_pqg(const DH *dh,
+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+{
+ if (p != NULL)
+ *p = dh->p;
+ if (q != NULL)
+ *q = dh->q;
+ if (g != NULL)
+ *g = dh->g;
+}
+
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+
+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
+{
+ if (pub_key != NULL)
+ *pub_key = dh->pub_key;
+ if (priv_key != NULL)
+ *priv_key = dh->priv_key;
+}
+
+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
+{
+ /* If the field pub_key in dh is NULL, the corresponding input
+ * parameters MUST be non-NULL. The priv_key field may
+ * be left NULL.
+ */
+ if (dh->pub_key == NULL && pub_key == NULL)
+ return 0;
+
+ if (pub_key != NULL) {
+ BN_free(dh->pub_key);
+ dh->pub_key = pub_key;
+ }
+ if (priv_key != NULL) {
+ BN_free(dh->priv_key);
+ dh->priv_key = priv_key;
+ }
+
+ return 1;
+}
+#endif
-CONDITIONAL_NAMES = {}
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+#ifndef DH_CHECK_Q_NOT_PRIME
+#define DH_CHECK_Q_NOT_PRIME 0x10
+#endif
+
+#ifndef DH_CHECK_INVALID_Q_VALUE
+#define DH_CHECK_INVALID_Q_VALUE 0x20
+#endif
+
+#ifndef DH_CHECK_INVALID_J_VALUE
+#define DH_CHECK_INVALID_J_VALUE 0x40
+#endif
+
+/* DH_check implementation taken from OpenSSL 1.1.0pre6 */
+
+/*-
+ * Check that p is a safe prime and
+ * if g is 2, 3 or 5, check that it is a suitable generator
+ * where
+ * for 2, p mod 24 == 11
+ * for 3, p mod 12 == 5
+ * for 5, p mod 10 == 3 or 7
+ * should hold.
+ */
+
+int Cryptography_DH_check(const DH *dh, int *ret)
+{
+ int ok = 0, r;
+ BN_CTX *ctx = NULL;
+ BN_ULONG l;
+ BIGNUM *t1 = NULL, *t2 = NULL;
+
+ *ret = 0;
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+ t1 = BN_CTX_get(ctx);
+ if (t1 == NULL)
+ goto err;
+ t2 = BN_CTX_get(ctx);
+ if (t2 == NULL)
+ goto err;
+
+ if (dh->q) {
+ if (BN_cmp(dh->g, BN_value_one()) <= 0)
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ else if (BN_cmp(dh->g, dh->p) >= 0)
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ else {
+ /* Check g^q == 1 mod p */
+ if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))
+ goto err;
+ if (!BN_is_one(t1))
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ }
+ r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
+ if (r < 0)
+ goto err;
+ if (!r)
+ *ret |= DH_CHECK_Q_NOT_PRIME;
+ /* Check p == 1 mod q i.e. q divides p - 1 */
+ if (!BN_div(t1, t2, dh->p, dh->q, ctx))
+ goto err;
+ if (!BN_is_one(t2))
+ *ret |= DH_CHECK_INVALID_Q_VALUE;
+ if (dh->j && BN_cmp(dh->j, t1))
+ *ret |= DH_CHECK_INVALID_J_VALUE;
+
+ } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
+ l = BN_mod_word(dh->p, 24);
+ if (l == (BN_ULONG)-1)
+ goto err;
+ if (l != 11)
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
+ l = BN_mod_word(dh->p, 10);
+ if (l == (BN_ULONG)-1)
+ goto err;
+ if ((l != 3) && (l != 7))
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ } else
+ *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
+
+ r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
+ if (r < 0)
+ goto err;
+ if (!r)
+ *ret |= DH_CHECK_P_NOT_PRIME;
+ else if (!dh->q) {
+ if (!BN_rshift1(t1, dh->p))
+ goto err;
+ r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
+ if (r < 0)
+ goto err;
+ if (!r)
+ *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
+ }
+ ok = 1;
+ err:
+ if (ctx != NULL) {
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ }
+ return (ok);
+}
+#else
+int Cryptography_DH_check(const DH *dh, int *ret) {
+ return DH_check(dh, ret);
+}
+#endif
+
+/* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */
+/* Define our own to simplify support across all versions. */
+#if defined(EVP_PKEY_DHX) && EVP_PKEY_DHX != -1
+DH *Cryptography_d2i_DHxparams_bio(BIO *bp, DH **x) {
+ return ASN1_d2i_bio_of(DH, DH_new, d2i_DHxparams, bp, x);
+}
+int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x) {
+ return ASN1_i2d_bio_of_const(DH, i2d_DHxparams, bp, x);
+}
+#else
+DH *(*Cryptography_d2i_DHxparams_bio)(BIO *bp, DH **x) = NULL;
+int (*Cryptography_i2d_DHxparams_bio)(BIO *bp, DH *x) = NULL;
+#endif
+"""
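Review bot: The block comment above `Cryptography_DH_check` says a generator of 2, 3 or 5 is checked, but the code only handles `DH_GENERATOR_2` and `DH_GENERATOR_5`; a generator of 3 falls into the final `else` and sets `DH_UNABLE_TO_CHECK_GENERATOR`, so the `for 3, p mod 12 == 5` line should be dropped or marked as not implemented (I believe the upstream source it was taken from has the 3 case disabled too). Also, the function ORs `DH_CHECK_Q_NOT_PRIME`, `DH_CHECK_INVALID_Q_VALUE`, `DH_CHECK_INVALID_J_VALUE`, `DH_CHECK_P_NOT_PRIME`, `DH_CHECK_P_NOT_SAFE_PRIME` and `DH_UNABLE_TO_CHECK_GENERATOR` into `*ret`, but TYPES only exports `DH_NOT_SUITABLE_GENERATOR`, so the Python side cannot tell a non-prime p from an unchecked generator; either export the remaining flags or document that only that one bit is consumed. Finally, `DH_set0_pqg` and `DH_set0_key` take ownership of their BIGNUM arguments on success and free the previous values, but on the early `return 0` the caller still owns them; that contract deserves a comment on each, and the same applies to `DSA_set0_pqg`/`DSA_set0_key` in dsa.py.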
diff --git a/src/_cffi_src/openssl/dsa.py b/src/_cffi_src/openssl/dsa.py
index 99a685df..938c18fc 100644
--- a/src/_cffi_src/openssl/dsa.py
+++ b/src/_cffi_src/openssl/dsa.py
@@ -9,48 +9,95 @@ INCLUDES = """
"""
TYPES = """
-typedef struct dsa_st {
- /* Prime number (public) */
- BIGNUM *p;
- /* Subprime (160-bit, q | p-1, public) */
- BIGNUM *q;
- /* Generator of subgroup (public) */
- BIGNUM *g;
- /* Private key x */
- BIGNUM *priv_key;
- /* Public key y = g^x */
- BIGNUM *pub_key;
- ...;
-} DSA;
-typedef struct {
- BIGNUM *r;
- BIGNUM *s;
-} DSA_SIG;
+typedef ... DSA;
"""
FUNCTIONS = """
-DSA *DSA_generate_parameters(int, unsigned char *, int, int *, unsigned long *,
- void (*)(int, int, void *), void *);
int DSA_generate_key(DSA *);
DSA *DSA_new(void);
void DSA_free(DSA *);
-DSA_SIG *DSA_SIG_new(void);
-void DSA_SIG_free(DSA_SIG *);
-int i2d_DSA_SIG(const DSA_SIG *, unsigned char **);
-DSA_SIG *d2i_DSA_SIG(DSA_SIG **, const unsigned char **, long);
+DSA *DSAparams_dup(DSA *);
int DSA_size(const DSA *);
int DSA_sign(int, const unsigned char *, int, unsigned char *, unsigned int *,
DSA *);
int DSA_verify(int, const unsigned char *, int, const unsigned char *, int,
DSA *);
-"""
-MACROS = """
+/* added in 1.1.0 to access the opaque struct */
+void DSA_get0_pqg(const DSA *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **);
+int DSA_set0_pqg(DSA *, BIGNUM *, BIGNUM *, BIGNUM *);
+void DSA_get0_key(const DSA *, const BIGNUM **, const BIGNUM **);
+int DSA_set0_key(DSA *, BIGNUM *, BIGNUM *);
int DSA_generate_parameters_ex(DSA *, int, unsigned char *, int,
int *, unsigned long *, BN_GENCB *);
"""
CUSTOMIZATIONS = """
-"""
+/* These functions were added in OpenSSL 1.1.0 */
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL
+void DSA_get0_pqg(const DSA *d,
+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+{
+ if (p != NULL)
+ *p = d->p;
+ if (q != NULL)
+ *q = d->q;
+ if (g != NULL)
+ *g = d->g;
+}
+int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p, q and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL.
+ */
+ if ((d->p == NULL && p == NULL)
+ || (d->q == NULL && q == NULL)
+ || (d->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(d->p);
+ d->p = p;
+ }
+ if (q != NULL) {
+ BN_free(d->q);
+ d->q = q;
+ }
+ if (g != NULL) {
+ BN_free(d->g);
+ d->g = g;
+ }
-CONDITIONAL_NAMES = {}
+ return 1;
+}
+void DSA_get0_key(const DSA *d,
+ const BIGNUM **pub_key, const BIGNUM **priv_key)
+{
+ if (pub_key != NULL)
+ *pub_key = d->pub_key;
+ if (priv_key != NULL)
+ *priv_key = d->priv_key;
+}
+int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
+{
+ /* If the field pub_key in d is NULL, the corresponding input
+ * parameters MUST be non-NULL. The priv_key field may
+ * be left NULL.
+ */
+ if (d->pub_key == NULL && pub_key == NULL)
+ return 0;
+
+ if (pub_key != NULL) {
+ BN_free(d->pub_key);
+ d->pub_key = pub_key;
+ }
+ if (priv_key != NULL) {
+ BN_free(d->priv_key);
+ d->priv_key = priv_key;
+ }
+
+ return 1;
+}
+#endif
+"""
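Review bot: The guard `#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL` compiles the DSA_get0/set0 backports for vanilla OpenSSL before 1.1.0 only, so on LibreSSL these four accessors must come from LibreSSL's own headers; the hunk does not say which LibreSSL release first ships them, and an older LibreSSL would fail at link time with no hint why. I'd extend the comment at the top of CUSTOMIZATIONS: `/* These functions were added in OpenSSL 1.1.0. LibreSSL is excluded because it ships them itself; this requires LibreSSL >= <minimum LibreSSL version the project supports>. */`. The same guard is used for the DH accessors in dh.py, so one comment there should point here or vice versa.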
diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py
index c5052d36..6432fc22 100644
--- a/src/_cffi_src/openssl/ec.py
+++ b/src/_cffi_src/openssl/ec.py
@@ -5,19 +5,12 @@
from __future__ import absolute_import, division, print_function
INCLUDES = """
-#ifndef OPENSSL_NO_EC
#include <openssl/ec.h>
-#endif
-
#include <openssl/obj_mac.h>
"""
TYPES = """
-static const int Cryptography_HAS_EC;
-static const int Cryptography_HAS_EC_1_0_1;
-static const int Cryptography_HAS_EC_NISTP_64_GCC_128;
static const int Cryptography_HAS_EC2M;
-static const int Cryptography_HAS_EC_1_0_2;
static const int OPENSSL_EC_NAMED_CURVE;
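Review bot: Dropping `#ifndef OPENSSL_NO_EC` around the include, together with the removal of `Cryptography_HAS_EC` and its NULL-stub fallback later in the file, makes EC support a hard build requirement, but nothing in the file says so; an OpenSSL built with `no-ec` would now fail with compiler errors inside the header rather than a clear message. I'd add above the include: `/* EC support is mandatory: OPENSSL_NO_EC builds are not supported. */`, and ideally an `#ifdef OPENSSL_NO_EC` / `#error "EC support is required"` / `#endif` in INCLUDES so the failure names the cause.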
@@ -29,32 +22,18 @@ typedef struct {
int nid;
const char *comment;
} EC_builtin_curve;
-typedef enum { ... } point_conversion_form_t;
+typedef enum {
+ POINT_CONVERSION_COMPRESSED,
+ POINT_CONVERSION_UNCOMPRESSED,
+ ...
+} point_conversion_form_t;
"""
FUNCTIONS = """
-"""
-
-MACROS = """
-EC_GROUP *EC_GROUP_new(const EC_METHOD *);
void EC_GROUP_free(EC_GROUP *);
-void EC_GROUP_clear_free(EC_GROUP *);
-EC_GROUP *EC_GROUP_new_curve_GFp(
- const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-EC_GROUP *EC_GROUP_new_curve_GF2m(
- const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
EC_GROUP *EC_GROUP_new_by_curve_name(int);
-int EC_GROUP_set_curve_GFp(
- EC_GROUP *, const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-int EC_GROUP_get_curve_GFp(
- const EC_GROUP *, BIGNUM *, BIGNUM *, BIGNUM *, BN_CTX *);
-int EC_GROUP_set_curve_GF2m(
- EC_GROUP *, const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-int EC_GROUP_get_curve_GF2m(
- const EC_GROUP *, BIGNUM *, BIGNUM *, BIGNUM *, BN_CTX *);
-
int EC_GROUP_get_degree(const EC_GROUP *);
const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *);
@@ -63,15 +42,10 @@ int EC_GROUP_get_curve_name(const EC_GROUP *);
size_t EC_get_builtin_curves(EC_builtin_curve *, size_t);
+EC_KEY *EC_KEY_new(void);
void EC_KEY_free(EC_KEY *);
-int EC_KEY_get_flags(const EC_KEY *);
-void EC_KEY_set_flags(EC_KEY *, int);
-void EC_KEY_clear_flags(EC_KEY *, int);
EC_KEY *EC_KEY_new_by_curve_name(int);
-EC_KEY *EC_KEY_copy(EC_KEY *, const EC_KEY *);
-EC_KEY *EC_KEY_dup(const EC_KEY *);
-int EC_KEY_up_ref(EC_KEY *);
const EC_GROUP *EC_KEY_get0_group(const EC_KEY *);
int EC_GROUP_get_order(const EC_GROUP *, BIGNUM *, BN_CTX *);
int EC_KEY_set_group(EC_KEY *, const EC_GROUP *);
@@ -79,43 +53,14 @@ const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *);
int EC_KEY_set_private_key(EC_KEY *, const BIGNUM *);
const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *);
int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);
-unsigned int EC_KEY_get_enc_flags(const EC_KEY *);
-void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int);
-point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *);
-void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t);
-void *EC_KEY_get_key_method_data(
- EC_KEY *,
- void *(*)(void *),
- void (*)(void *),
- void (*)(void *)
-);
-void EC_KEY_insert_key_method_data(
- EC_KEY *,
- void *,
- void *(*)(void *),
- void (*)(void *),
- void (*)(void *)
-);
void EC_KEY_set_asn1_flag(EC_KEY *, int);
-int EC_KEY_precompute_mult(EC_KEY *, BN_CTX *);
int EC_KEY_generate_key(EC_KEY *);
-int EC_KEY_check_key(const EC_KEY *);
int EC_KEY_set_public_key_affine_coordinates(EC_KEY *, BIGNUM *, BIGNUM *);
EC_POINT *EC_POINT_new(const EC_GROUP *);
void EC_POINT_free(EC_POINT *);
void EC_POINT_clear_free(EC_POINT *);
-int EC_POINT_copy(EC_POINT *, const EC_POINT *);
EC_POINT *EC_POINT_dup(const EC_POINT *, const EC_GROUP *);
-const EC_METHOD *EC_POINT_method_of(const EC_POINT *);
-
-int EC_POINT_set_to_infinity(const EC_GROUP *, EC_POINT *);
-
-int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *,
- const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-
-int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *,
- const EC_POINT *, BIGNUM *, BIGNUM *, BIGNUM *, BN_CTX *);
int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
const BIGNUM *, const BIGNUM *, BN_CTX *);
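Review bot: With `EC_KEY_check_key` removed, the only public-key validation paths left in this binding are `EC_KEY_set_public_key_affine_coordinates` (which, as far as I recall, runs the check internally) and `EC_POINT_is_on_curve` in a later hunk; `EC_KEY_set_public_key` on the line above accepts any point without validation. If that is deliberate, a comment next to `EC_KEY_set_public_key` such as `/* does not validate the point; load untrusted public keys via EC_KEY_set_public_key_affine_coordinates */` would keep future callers from using it for externally supplied keys.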
@@ -142,18 +87,6 @@ size_t EC_POINT_point2oct(const EC_GROUP *, const EC_POINT *,
int EC_POINT_oct2point(const EC_GROUP *, EC_POINT *,
const unsigned char *, size_t, BN_CTX *);
-BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *,
- point_conversion_form_t form, BIGNUM *, BN_CTX *);
-
-EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *,
- EC_POINT *, BN_CTX *);
-
-char *EC_POINT_point2hex(const EC_GROUP *, const EC_POINT *,
- point_conversion_form_t form, BN_CTX *);
-
-EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *,
- EC_POINT *, BN_CTX *);
-
int EC_POINT_add(const EC_GROUP *, EC_POINT *, const EC_POINT *,
const EC_POINT *, BN_CTX *);
@@ -165,209 +98,20 @@ int EC_POINT_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
int EC_POINT_cmp(
const EC_GROUP *, const EC_POINT *, const EC_POINT *, BN_CTX *);
-int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
-int EC_POINTs_make_affine(const EC_GROUP *, size_t, EC_POINT *[], BN_CTX *);
-
-int EC_POINTs_mul(
- const EC_GROUP *, EC_POINT *, const BIGNUM *,
- size_t, const EC_POINT *[], const BIGNUM *[], BN_CTX *);
-
int EC_POINT_mul(const EC_GROUP *, EC_POINT *, const BIGNUM *,
const EC_POINT *, const BIGNUM *, BN_CTX *);
-int EC_GROUP_precompute_mult(EC_GROUP *, BN_CTX *);
-int EC_GROUP_have_precompute_mult(const EC_GROUP *);
-
-const EC_METHOD *EC_GFp_simple_method();
-const EC_METHOD *EC_GFp_mont_method();
-const EC_METHOD *EC_GFp_nist_method();
-
-const EC_METHOD *EC_GFp_nistp224_method();
-const EC_METHOD *EC_GFp_nistp256_method();
-const EC_METHOD *EC_GFp_nistp521_method();
-
-const EC_METHOD *EC_GF2m_simple_method();
-
int EC_METHOD_get_field_type(const EC_METHOD *);
const char *EC_curve_nid2nist(int);
+
+int EC_GROUP_get_asn1_flag(const EC_GROUP *);
"""
CUSTOMIZATIONS = """
-#ifdef OPENSSL_NO_EC
-static const long Cryptography_HAS_EC = 0;
-
-typedef void EC_KEY;
-typedef void EC_GROUP;
-typedef void EC_POINT;
-typedef void EC_METHOD;
-typedef struct {
- int nid;
- const char *comment;
-} EC_builtin_curve;
-typedef long point_conversion_form_t;
-
-static const int OPENSSL_EC_NAMED_CURVE = 0;
-
-void (*EC_KEY_free)(EC_KEY *) = NULL;
-size_t (*EC_get_builtin_curves)(EC_builtin_curve *, size_t) = NULL;
-EC_KEY *(*EC_KEY_new_by_curve_name)(int) = NULL;
-EC_KEY *(*EC_KEY_copy)(EC_KEY *, const EC_KEY *) = NULL;
-EC_KEY *(*EC_KEY_dup)(const EC_KEY *) = NULL;
-int (*EC_KEY_up_ref)(EC_KEY *) = NULL;
-const EC_GROUP *(*EC_KEY_get0_group)(const EC_KEY *) = NULL;
-int (*EC_GROUP_get_order)(const EC_GROUP *, BIGNUM *, BN_CTX *) = NULL;
-int (*EC_KEY_set_group)(EC_KEY *, const EC_GROUP *) = NULL;
-const BIGNUM *(*EC_KEY_get0_private_key)(const EC_KEY *) = NULL;
-int (*EC_KEY_set_private_key)(EC_KEY *, const BIGNUM *) = NULL;
-const EC_POINT *(*EC_KEY_get0_public_key)(const EC_KEY *) = NULL;
-int (*EC_KEY_set_public_key)(EC_KEY *, const EC_POINT *) = NULL;
-unsigned int (*EC_KEY_get_enc_flags)(const EC_KEY *) = NULL;
-void (*EC_KEY_set_enc_flags)(EC_KEY *eckey, unsigned int) = NULL;
-point_conversion_form_t (*EC_KEY_get_conv_form)(const EC_KEY *) = NULL;
-void (*EC_KEY_set_conv_form)(EC_KEY *, point_conversion_form_t) = NULL;
-void *(*EC_KEY_get_key_method_data)(
- EC_KEY *, void *(*)(void *), void (*)(void *), void (*)(void *)) = NULL;
-void (*EC_KEY_insert_key_method_data)(
- EC_KEY *, void *,
- void *(*)(void *), void (*)(void *), void (*)(void *)) = NULL;
-void (*EC_KEY_set_asn1_flag)(EC_KEY *, int) = NULL;
-int (*EC_KEY_precompute_mult)(EC_KEY *, BN_CTX *) = NULL;
-int (*EC_KEY_generate_key)(EC_KEY *) = NULL;
-int (*EC_KEY_check_key)(const EC_KEY *) = NULL;
-
-EC_GROUP *(*EC_GROUP_new)(const EC_METHOD *);
-void (*EC_GROUP_free)(EC_GROUP *);
-void (*EC_GROUP_clear_free)(EC_GROUP *);
-
-EC_GROUP *(*EC_GROUP_new_curve_GFp)(
- const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-
-EC_GROUP *(*EC_GROUP_new_by_curve_name)(int);
-
-int (*EC_GROUP_set_curve_GFp)(
- EC_GROUP *, const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-
-int (*EC_GROUP_get_curve_GFp)(
- const EC_GROUP *, BIGNUM *, BIGNUM *, BIGNUM *, BN_CTX *);
-
-int (*EC_GROUP_get_degree)(const EC_GROUP *) = NULL;
-
-const EC_METHOD *(*EC_GROUP_method_of)(const EC_GROUP *) = NULL;
-const EC_POINT *(*EC_GROUP_get0_generator)(const EC_GROUP *) = NULL;
-int (*EC_GROUP_get_curve_name)(const EC_GROUP *) = NULL;
-
-EC_POINT *(*EC_POINT_new)(const EC_GROUP *) = NULL;
-void (*EC_POINT_free)(EC_POINT *) = NULL;
-void (*EC_POINT_clear_free)(EC_POINT *) = NULL;
-int (*EC_POINT_copy)(EC_POINT *, const EC_POINT *) = NULL;
-EC_POINT *(*EC_POINT_dup)(const EC_POINT *, const EC_GROUP *) = NULL;
-const EC_METHOD *(*EC_POINT_method_of)(const EC_POINT *) = NULL;
-int (*EC_POINT_set_to_infinity)(const EC_GROUP *, EC_POINT *) = NULL;
-int (*EC_POINT_set_Jprojective_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
- const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *) = NULL;
-
-int (*EC_POINT_get_Jprojective_coordinates_GFp)(const EC_GROUP *,
- const EC_POINT *, BIGNUM *, BIGNUM *, BIGNUM *, BN_CTX *) = NULL;
-
-int (*EC_POINT_set_affine_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
- const BIGNUM *, const BIGNUM *, BN_CTX *) = NULL;
-
-int (*EC_POINT_get_affine_coordinates_GFp)(const EC_GROUP *,
- const EC_POINT *, BIGNUM *, BIGNUM *, BN_CTX *) = NULL;
-
-int (*EC_POINT_set_compressed_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
- const BIGNUM *, int, BN_CTX *) = NULL;
-
-size_t (*EC_POINT_point2oct)(const EC_GROUP *, const EC_POINT *,
- point_conversion_form_t,
- unsigned char *, size_t, BN_CTX *) = NULL;
-
-int (*EC_POINT_oct2point)(const EC_GROUP *, EC_POINT *,
- const unsigned char *, size_t, BN_CTX *) = NULL;
-
-BIGNUM *(*EC_POINT_point2bn)(const EC_GROUP *, const EC_POINT *,
- point_conversion_form_t form, BIGNUM *, BN_CTX *) = NULL;
-
-EC_POINT *(*EC_POINT_bn2point)(const EC_GROUP *, const BIGNUM *,
- EC_POINT *, BN_CTX *) = NULL;
-
-char *(*EC_POINT_point2hex)(const EC_GROUP *, const EC_POINT *,
- point_conversion_form_t form, BN_CTX *) = NULL;
-
-EC_POINT *(*EC_POINT_hex2point)(const EC_GROUP *, const char *,
- EC_POINT *, BN_CTX *) = NULL;
-
-int (*EC_POINT_add)(const EC_GROUP *, EC_POINT *, const EC_POINT *,
- const EC_POINT *, BN_CTX *) = NULL;
-
-int (*EC_POINT_dbl)(const EC_GROUP *, EC_POINT *, const EC_POINT *,
- BN_CTX *) = NULL;
-
-int (*EC_POINT_invert)(const EC_GROUP *, EC_POINT *, BN_CTX *) = NULL;
-int (*EC_POINT_is_at_infinity)(const EC_GROUP *, const EC_POINT *) = NULL;
-
-int (*EC_POINT_is_on_curve)(const EC_GROUP *, const EC_POINT *,
- BN_CTX *) = NULL;
-
-int (*EC_POINT_cmp)(
- const EC_GROUP *, const EC_POINT *, const EC_POINT *, BN_CTX *) = NULL;
-
-int (*EC_POINT_make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *) = NULL;
-
-int (*EC_POINTs_make_affine)(const EC_GROUP *, size_t, EC_POINT *[],
- BN_CTX *) = NULL;
-
-int (*EC_POINTs_mul)(
- const EC_GROUP *, EC_POINT *, const BIGNUM *,
- size_t, const EC_POINT *[], const BIGNUM *[], BN_CTX *) = NULL;
-
-int (*EC_POINT_mul)(const EC_GROUP *, EC_POINT *, const BIGNUM *,
- const EC_POINT *, const BIGNUM *, BN_CTX *) = NULL;
-
-int (*EC_GROUP_precompute_mult)(EC_GROUP *, BN_CTX *) = NULL;
-int (*EC_GROUP_have_precompute_mult)(const EC_GROUP *) = NULL;
-
-const EC_METHOD *(*EC_GFp_simple_method)() = NULL;
-const EC_METHOD *(*EC_GFp_mont_method)() = NULL;
-const EC_METHOD *(*EC_GFp_nist_method)() = NULL;
-
-int (*EC_METHOD_get_field_type)(const EC_METHOD *) = NULL;
-
-#else
-static const long Cryptography_HAS_EC = 1;
-#endif
-
-#if defined(OPENSSL_NO_EC) || OPENSSL_VERSION_NUMBER < 0x1000100f
-static const long Cryptography_HAS_EC_1_0_1 = 0;
-
-int (*EC_KEY_get_flags)(const EC_KEY *) = NULL;
-void (*EC_KEY_set_flags)(EC_KEY *, int) = NULL;
-void (*EC_KEY_clear_flags)(EC_KEY *, int) = NULL;
-
-int (*EC_KEY_set_public_key_affine_coordinates)(
- EC_KEY *, BIGNUM *, BIGNUM *) = NULL;
-#else
-static const long Cryptography_HAS_EC_1_0_1 = 1;
-#endif
-
-
-#if defined(OPENSSL_NO_EC) || OPENSSL_VERSION_NUMBER < 0x1000100f || \
- defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
-static const long Cryptography_HAS_EC_NISTP_64_GCC_128 = 0;
-
-const EC_METHOD *(*EC_GFp_nistp224_method)(void) = NULL;
-const EC_METHOD *(*EC_GFp_nistp256_method)(void) = NULL;
-const EC_METHOD *(*EC_GFp_nistp521_method)(void) = NULL;
-#else
-static const long Cryptography_HAS_EC_NISTP_64_GCC_128 = 1;
-#endif
-
-#if defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_EC2M)
+#if defined(OPENSSL_NO_EC2M)
static const long Cryptography_HAS_EC2M = 0;
-const EC_METHOD *(*EC_GF2m_simple_method)() = NULL;
-
int (*EC_POINT_set_affine_coordinates_GF2m)(const EC_GROUP *, EC_POINT *,
const BIGNUM *, const BIGNUM *, BN_CTX *) = NULL;
@@ -376,121 +120,7 @@ int (*EC_POINT_get_affine_coordinates_GF2m)(const EC_GROUP *,
int (*EC_POINT_set_compressed_coordinates_GF2m)(const EC_GROUP *, EC_POINT *,
const BIGNUM *, int, BN_CTX *) = NULL;
-
-int (*EC_GROUP_set_curve_GF2m)(
- EC_GROUP *, const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
-
-int (*EC_GROUP_get_curve_GF2m)(
- const EC_GROUP *, BIGNUM *, BIGNUM *, BIGNUM *, BN_CTX *);
-
-EC_GROUP *(*EC_GROUP_new_curve_GF2m)(
- const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
#else
static const long Cryptography_HAS_EC2M = 1;
#endif
-
-#if defined(OPENSSL_NO_EC) || OPENSSL_VERSION_NUMBER < 0x1000200f || \
- defined(LIBRESSL_VERSION_NUMBER)
-static const long Cryptography_HAS_EC_1_0_2 = 0;
-const char *(*EC_curve_nid2nist)(int) = NULL;
-#else
-static const long Cryptography_HAS_EC_1_0_2 = 1;
-#endif
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_EC": [
- "OPENSSL_EC_NAMED_CURVE",
- "EC_GROUP_new",
- "EC_GROUP_free",
- "EC_GROUP_clear_free",
- "EC_GROUP_new_curve_GFp",
- "EC_GROUP_new_by_curve_name",
- "EC_GROUP_set_curve_GFp",
- "EC_GROUP_get_curve_GFp",
- "EC_GROUP_method_of",
- "EC_GROUP_get0_generator",
- "EC_GROUP_get_curve_name",
- "EC_GROUP_get_degree",
- "EC_KEY_free",
- "EC_get_builtin_curves",
- "EC_KEY_new_by_curve_name",
- "EC_KEY_copy",
- "EC_KEY_dup",
- "EC_KEY_up_ref",
- "EC_KEY_set_group",
- "EC_KEY_get0_private_key",
- "EC_KEY_set_private_key",
- "EC_KEY_set_public_key",
- "EC_KEY_get_enc_flags",
- "EC_KEY_set_enc_flags",
- "EC_KEY_set_conv_form",
- "EC_KEY_get_key_method_data",
- "EC_KEY_insert_key_method_data",
- "EC_KEY_set_asn1_flag",
- "EC_KEY_precompute_mult",
- "EC_KEY_generate_key",
- "EC_KEY_check_key",
- "EC_POINT_new",
- "EC_POINT_free",
- "EC_POINT_clear_free",
- "EC_POINT_copy",
- "EC_POINT_dup",
- "EC_POINT_method_of",
- "EC_POINT_set_to_infinity",
- "EC_POINT_set_Jprojective_coordinates_GFp",
- "EC_POINT_get_Jprojective_coordinates_GFp",
- "EC_POINT_set_affine_coordinates_GFp",
- "EC_POINT_get_affine_coordinates_GFp",
- "EC_POINT_set_compressed_coordinates_GFp",
- "EC_POINT_point2oct",
- "EC_POINT_oct2point",
- "EC_POINT_point2bn",
- "EC_POINT_bn2point",
- "EC_POINT_point2hex",
- "EC_POINT_hex2point",
- "EC_POINT_add",
- "EC_POINT_dbl",
- "EC_POINT_invert",
- "EC_POINT_is_at_infinity",
- "EC_POINT_is_on_curve",
- "EC_POINT_cmp",
- "EC_POINT_make_affine",
- "EC_POINTs_make_affine",
- "EC_POINTs_mul",
- "EC_POINT_mul",
- "EC_GROUP_precompute_mult",
- "EC_GROUP_have_precompute_mult",
- "EC_GFp_simple_method",
- "EC_GFp_mont_method",
- "EC_GFp_nist_method",
- "EC_METHOD_get_field_type",
- ],
-
- "Cryptography_HAS_EC_1_0_1": [
- "EC_KEY_get_flags",
- "EC_KEY_set_flags",
- "EC_KEY_clear_flags",
- "EC_KEY_set_public_key_affine_coordinates",
- ],
-
- "Cryptography_HAS_EC_NISTP_64_GCC_128": [
- "EC_GFp_nistp224_method",
- "EC_GFp_nistp256_method",
- "EC_GFp_nistp521_method",
- ],
-
- "Cryptography_HAS_EC2M": [
- "EC_GF2m_simple_method",
- "EC_POINT_set_affine_coordinates_GF2m",
- "EC_POINT_get_affine_coordinates_GF2m",
- "EC_POINT_set_compressed_coordinates_GF2m",
- "EC_GROUP_set_curve_GF2m",
- "EC_GROUP_get_curve_GF2m",
- "EC_GROUP_new_curve_GF2m",
- ],
-
- "Cryptography_HAS_EC_1_0_2": [
- "EC_curve_nid2nist",
- ],
-}
diff --git a/src/_cffi_src/openssl/ecdh.py b/src/_cffi_src/openssl/ecdh.py
index 6c7e010c..c73cc9f3 100644
--- a/src/_cffi_src/openssl/ecdh.py
+++ b/src/_cffi_src/openssl/ecdh.py
@@ -5,55 +5,17 @@
from __future__ import absolute_import, division, print_function
INCLUDES = """
-#ifndef OPENSSL_NO_ECDH
#include <openssl/ecdh.h>
-#endif
"""
TYPES = """
-static const int Cryptography_HAS_ECDH;
"""
FUNCTIONS = """
-"""
-
-MACROS = """
int ECDH_compute_key(void *, size_t, const EC_POINT *, EC_KEY *,
void *(*)(const void *, size_t, void *, size_t *));
-
-int ECDH_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *,
- CRYPTO_EX_free *);
-
-int ECDH_set_ex_data(EC_KEY *, int, void *);
-
-void *ECDH_get_ex_data(EC_KEY *, int);
+long SSL_CTX_set_ecdh_auto(SSL_CTX *, int);
"""
CUSTOMIZATIONS = """
-#ifdef OPENSSL_NO_ECDH
-static const long Cryptography_HAS_ECDH = 0;
-
-int (*ECDH_compute_key)(void *, size_t, const EC_POINT *, EC_KEY *,
- void *(*)(const void *, size_t, void *,
- size_t *)) = NULL;
-
-int (*ECDH_get_ex_new_index)(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *,
- CRYPTO_EX_free *) = NULL;
-
-int (*ECDH_set_ex_data)(EC_KEY *, int, void *) = NULL;
-
-void *(*ECDH_get_ex_data)(EC_KEY *, int) = NULL;
-
-#else
-static const long Cryptography_HAS_ECDH = 1;
-#endif
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_ECDH": [
- "ECDH_compute_key",
- "ECDH_get_ex_new_index",
- "ECDH_set_ex_data",
- "ECDH_get_ex_data",
- ],
-}
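Review bot: `long SSL_CTX_set_ecdh_auto(SSL_CTX *, int);` is added to FUNCTIONS with no comment, yet as far as I recall it is a macro rather than a real symbol — on 1.0.2 it expands to an `SSL_CTX_ctrl` call, and from 1.1.0 on it is a no-op that only reports success because automatic curve selection is permanently enabled. That works for API-mode cffi, but a reader of ecdh.py will not guess it; a line such as `/* macro; a no-op on 1.1.0+ where automatic curve selection is always on */` above the declaration would help. It also arguably belongs next to the other `SSL_CTX_*` declarations rather than in the ECDH module.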
diff --git a/src/_cffi_src/openssl/ecdsa.py b/src/_cffi_src/openssl/ecdsa.py
index db21025c..44a778a6 100644
--- a/src/_cffi_src/openssl/ecdsa.py
+++ b/src/_cffi_src/openssl/ecdsa.py
@@ -5,18 +5,13 @@
from __future__ import absolute_import, division, print_function
INCLUDES = """
-#ifndef OPENSSL_NO_ECDSA
#include <openssl/ecdsa.h>
-#endif
"""
TYPES = """
static const int Cryptography_HAS_ECDSA;
-typedef struct {
- BIGNUM *r;
- BIGNUM *s;
-} ECDSA_SIG;
+typedef ... ECDSA_SIG;
typedef ... CRYPTO_EX_new;
typedef ... CRYPTO_EX_dup;
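Review bot: Making `ECDSA_SIG` opaque (`typedef ... ECDSA_SIG;`) removes cffi's ability to read `sig.r`/`sig.s`; any Python code that still does so now needs the 1.1.0 accessors, and neither is declared in this file's FUNCTIONS in the following hunk. If the components are only ever obtained via the `i2d_ECDSA_SIG`/`d2i_ECDSA_SIG` DER round-trip that is fine; otherwise add `void ECDSA_SIG_get0(const ECDSA_SIG *, const BIGNUM **, const BIGNUM **);` and `int ECDSA_SIG_set0(ECDSA_SIG *, BIGNUM *, BIGNUM *);`. The `CRYPTO_EX_new`/`CRYPTO_EX_dup`/`CRYPTO_EX_free` typedefs kept here may also be unused in this file now that the `ECDSA_*_ex_data` functions are gone — worth checking whether another module still relies on them.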
@@ -24,98 +19,20 @@ typedef ... CRYPTO_EX_free;
"""
FUNCTIONS = """
-"""
-
-MACROS = """
ECDSA_SIG *ECDSA_SIG_new();
void ECDSA_SIG_free(ECDSA_SIG *);
int i2d_ECDSA_SIG(const ECDSA_SIG *, unsigned char **);
ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **s, const unsigned char **, long);
ECDSA_SIG *ECDSA_do_sign(const unsigned char *, int, EC_KEY *);
-ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *, int, const BIGNUM *,
- const BIGNUM *, EC_KEY *);
int ECDSA_do_verify(const unsigned char *, int, const ECDSA_SIG *, EC_KEY *);
-int ECDSA_sign_setup(EC_KEY *, BN_CTX *, BIGNUM **, BIGNUM **);
int ECDSA_sign(int, const unsigned char *, int, unsigned char *,
unsigned int *, EC_KEY *);
-int ECDSA_sign_ex(int, const unsigned char *, int dgstlen, unsigned char *,
- unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *);
int ECDSA_verify(int, const unsigned char *, int, const unsigned char *, int,
EC_KEY *);
int ECDSA_size(const EC_KEY *);
-const ECDSA_METHOD *ECDSA_OpenSSL();
-void ECDSA_set_default_method(const ECDSA_METHOD *);
-const ECDSA_METHOD *ECDSA_get_default_method();
-int ECDSA_get_ex_new_index(long, void *, CRYPTO_EX_new *,
- CRYPTO_EX_dup *, CRYPTO_EX_free *);
-int ECDSA_set_method(EC_KEY *, const ECDSA_METHOD *);
-int ECDSA_set_ex_data(EC_KEY *, int, void *);
-void *ECDSA_get_ex_data(EC_KEY *, int);
"""
CUSTOMIZATIONS = """
-#ifdef OPENSSL_NO_ECDSA
-static const long Cryptography_HAS_ECDSA = 0;
-
-typedef struct {
- BIGNUM *r;
- BIGNUM *s;
-} ECDSA_SIG;
-
-ECDSA_SIG* (*ECDSA_SIG_new)() = NULL;
-void (*ECDSA_SIG_free)(ECDSA_SIG *) = NULL;
-int (*i2d_ECDSA_SIG)(const ECDSA_SIG *, unsigned char **) = NULL;
-ECDSA_SIG* (*d2i_ECDSA_SIG)(ECDSA_SIG **s, const unsigned char **,
- long) = NULL;
-ECDSA_SIG* (*ECDSA_do_sign)(const unsigned char *, int, EC_KEY *eckey) = NULL;
-ECDSA_SIG* (*ECDSA_do_sign_ex)(const unsigned char *, int, const BIGNUM *,
- const BIGNUM *, EC_KEY *) = NULL;
-int (*ECDSA_do_verify)(const unsigned char *, int, const ECDSA_SIG *,
- EC_KEY *) = NULL;
-int (*ECDSA_sign_setup)(EC_KEY *, BN_CTX *, BIGNUM **, BIGNUM **) = NULL;
-int (*ECDSA_sign)(int, const unsigned char *, int, unsigned char *,
- unsigned int *, EC_KEY *) = NULL;
-int (*ECDSA_sign_ex)(int, const unsigned char *, int dgstlen, unsigned char *,
- unsigned int *, const BIGNUM *, const BIGNUM *,
- EC_KEY *) = NULL;
-int (*ECDSA_verify)(int, const unsigned char *, int, const unsigned char *,
- int, EC_KEY *) = NULL;
-int (*ECDSA_size)(const EC_KEY *) = NULL;
-
-const ECDSA_METHOD* (*ECDSA_OpenSSL)() = NULL;
-void (*ECDSA_set_default_method)(const ECDSA_METHOD *) = NULL;
-const ECDSA_METHOD* (*ECDSA_get_default_method)() = NULL;
-int (*ECDSA_set_method)(EC_KEY *, const ECDSA_METHOD *) = NULL;
-int (*ECDSA_get_ex_new_index)(long, void *, CRYPTO_EX_new *,
- CRYPTO_EX_dup *, CRYPTO_EX_free *) = NULL;
-int (*ECDSA_set_ex_data)(EC_KEY *, int, void *) = NULL;
-void* (*ECDSA_get_ex_data)(EC_KEY *, int) = NULL;
-#else
static const long Cryptography_HAS_ECDSA = 1;
-#endif
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_ECDSA": [
- "ECDSA_SIG_new",
- "ECDSA_SIG_free",
- "i2d_ECDSA_SIG",
- "d2i_ECDSA_SIG",
- "ECDSA_do_sign",
- "ECDSA_do_sign_ex",
- "ECDSA_do_verify",
- "ECDSA_sign_setup",
- "ECDSA_sign",
- "ECDSA_sign_ex",
- "ECDSA_verify",
- "ECDSA_size",
- "ECDSA_OpenSSL",
- "ECDSA_set_default_method",
- "ECDSA_get_default_method",
- "ECDSA_set_method",
- "ECDSA_get_ex_new_index",
- "ECDSA_set_ex_data",
- "ECDSA_get_ex_data",
- ],
-}
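Review bot: `Cryptography_HAS_ECDSA` is now hard-wired to 1 in CUSTOMIZATIONS while its `static const int` declaration survives in TYPES (previous hunk), so the flag no longer conveys anything; the commit removed the equivalent `Cryptography_HAS_ECDH` from ecdh.py, and `Cryptography_HAS_EC_CODES` in err.py's CUSTOMIZATIONS is left in the same always-1 state. Either drop all of them together with any Python-side checks, or keep them with a one-line comment such as `/* always 1; retained for binding-level compatibility */` so nobody wraps a new #ifdef around them later.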
diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py
index bc5c1906..fa503a26 100644
--- a/src/_cffi_src/openssl/engine.py
+++ b/src/_cffi_src/openssl/engine.py
@@ -9,169 +9,42 @@ INCLUDES = """
"""
TYPES = """
-static const long Cryptography_HAS_ENGINE_CRYPTODEV;
-
-struct rand_meth_st {
- void (*seed)(const void *buf, int num);
- int (*bytes)(unsigned char *buf, int num);
- void (*cleanup)(void);
- void (*add)(const void *buf, int num, double entropy);
- int (*pseudorand)(unsigned char *buf, int num);
- int (*status)(void);
-};
-
typedef ... ENGINE;
-typedef ... RSA_METHOD;
-typedef ... DSA_METHOD;
-typedef ... ECDH_METHOD;
-typedef ... ECDSA_METHOD;
-typedef ... DH_METHOD;
-typedef struct rand_meth_st RAND_METHOD;
-typedef ... STORE_METHOD;
-typedef int(*ENGINE_GEN_INT_FUNC_PTR)(ENGINE*);
-typedef ... *ENGINE_CTRL_FUNC_PTR;
-typedef ... *ENGINE_LOAD_KEY_PTR;
-typedef ... *ENGINE_CIPHERS_PTR;
-typedef ... *ENGINE_DIGESTS_PTR;
-typedef ... ENGINE_CMD_DEFN;
-typedef ... UI_METHOD;
-static const unsigned int ENGINE_METHOD_RSA;
-static const unsigned int ENGINE_METHOD_DSA;
-static const unsigned int ENGINE_METHOD_RAND;
-static const unsigned int ENGINE_METHOD_ECDH;
-static const unsigned int ENGINE_METHOD_ECDSA;
-static const unsigned int ENGINE_METHOD_CIPHERS;
-static const unsigned int ENGINE_METHOD_DIGESTS;
-static const unsigned int ENGINE_METHOD_STORE;
-static const unsigned int ENGINE_METHOD_ALL;
-static const unsigned int ENGINE_METHOD_NONE;
+static const long Cryptography_HAS_ENGINE;
"""
FUNCTIONS = """
-ENGINE *ENGINE_get_first(void);
-ENGINE *ENGINE_get_last(void);
-ENGINE *ENGINE_get_next(ENGINE *);
-ENGINE *ENGINE_get_prev(ENGINE *);
-int ENGINE_add(ENGINE *);
-int ENGINE_remove(ENGINE *);
ENGINE *ENGINE_by_id(const char *);
int ENGINE_init(ENGINE *);
int ENGINE_finish(ENGINE *);
-void ENGINE_load_openssl(void);
-void ENGINE_load_dynamic(void);
-void ENGINE_load_builtin_engines(void);
-void ENGINE_cleanup(void);
-ENGINE *ENGINE_get_default_RSA(void);
-ENGINE *ENGINE_get_default_DSA(void);
-ENGINE *ENGINE_get_default_ECDH(void);
-ENGINE *ENGINE_get_default_ECDSA(void);
-ENGINE *ENGINE_get_default_DH(void);
ENGINE *ENGINE_get_default_RAND(void);
-ENGINE *ENGINE_get_cipher_engine(int);
-ENGINE *ENGINE_get_digest_engine(int);
-int ENGINE_set_default_RSA(ENGINE *);
-int ENGINE_set_default_DSA(ENGINE *);
-int ENGINE_set_default_ECDH(ENGINE *);
-int ENGINE_set_default_ECDSA(ENGINE *);
-int ENGINE_set_default_DH(ENGINE *);
int ENGINE_set_default_RAND(ENGINE *);
-int ENGINE_set_default_ciphers(ENGINE *);
-int ENGINE_set_default_digests(ENGINE *);
-int ENGINE_set_default_string(ENGINE *, const char *);
-int ENGINE_set_default(ENGINE *, unsigned int);
-unsigned int ENGINE_get_table_flags(void);
-void ENGINE_set_table_flags(unsigned int);
-int ENGINE_register_RSA(ENGINE *);
-void ENGINE_unregister_RSA(ENGINE *);
-void ENGINE_register_all_RSA(void);
-int ENGINE_register_DSA(ENGINE *);
-void ENGINE_unregister_DSA(ENGINE *);
-void ENGINE_register_all_DSA(void);
-int ENGINE_register_ECDH(ENGINE *);
-void ENGINE_unregister_ECDH(ENGINE *);
-void ENGINE_register_all_ECDH(void);
-int ENGINE_register_ECDSA(ENGINE *);
-void ENGINE_unregister_ECDSA(ENGINE *);
-void ENGINE_register_all_ECDSA(void);
-int ENGINE_register_DH(ENGINE *);
-void ENGINE_unregister_DH(ENGINE *);
-void ENGINE_register_all_DH(void);
-int ENGINE_register_RAND(ENGINE *);
void ENGINE_unregister_RAND(ENGINE *);
-void ENGINE_register_all_RAND(void);
-int ENGINE_register_STORE(ENGINE *);
-void ENGINE_unregister_STORE(ENGINE *);
-void ENGINE_register_all_STORE(void);
-int ENGINE_register_ciphers(ENGINE *);
-void ENGINE_unregister_ciphers(ENGINE *);
-void ENGINE_register_all_ciphers(void);
-int ENGINE_register_digests(ENGINE *);
-void ENGINE_unregister_digests(ENGINE *);
-void ENGINE_register_all_digests(void);
-int ENGINE_register_complete(ENGINE *);
-int ENGINE_register_all_complete(void);
-int ENGINE_ctrl(ENGINE *, int, long, void *, void (*)(void));
-int ENGINE_cmd_is_executable(ENGINE *, int);
int ENGINE_ctrl_cmd(ENGINE *, const char *, long, void *, void (*)(void), int);
-int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int);
-
-ENGINE *ENGINE_new(void);
int ENGINE_free(ENGINE *);
-int ENGINE_up_ref(ENGINE *);
-int ENGINE_set_id(ENGINE *, const char *);
-int ENGINE_set_name(ENGINE *, const char *);
-int ENGINE_set_RSA(ENGINE *, const RSA_METHOD *);
-int ENGINE_set_DSA(ENGINE *, const DSA_METHOD *);
-int ENGINE_set_ECDH(ENGINE *, const ECDH_METHOD *);
-int ENGINE_set_ECDSA(ENGINE *, const ECDSA_METHOD *);
-int ENGINE_set_DH(ENGINE *, const DH_METHOD *);
-int ENGINE_set_RAND(ENGINE *, const RAND_METHOD *);
-int ENGINE_set_STORE(ENGINE *, const STORE_METHOD *);
-int ENGINE_set_destroy_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR);
-int ENGINE_set_init_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR);
-int ENGINE_set_finish_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR);
-int ENGINE_set_ctrl_function(ENGINE *, ENGINE_CTRL_FUNC_PTR);
-int ENGINE_set_load_privkey_function(ENGINE *, ENGINE_LOAD_KEY_PTR);
-int ENGINE_set_load_pubkey_function(ENGINE *, ENGINE_LOAD_KEY_PTR);
-int ENGINE_set_ciphers(ENGINE *, ENGINE_CIPHERS_PTR);
-int ENGINE_set_digests(ENGINE *, ENGINE_DIGESTS_PTR);
-int ENGINE_set_flags(ENGINE *, int);
-int ENGINE_set_cmd_defns(ENGINE *, const ENGINE_CMD_DEFN *);
-const char *ENGINE_get_id(const ENGINE *);
const char *ENGINE_get_name(const ENGINE *);
-const RSA_METHOD *ENGINE_get_RSA(const ENGINE *);
-const DSA_METHOD *ENGINE_get_DSA(const ENGINE *);
-const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *);
-const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *);
-const DH_METHOD *ENGINE_get_DH(const ENGINE *);
-const RAND_METHOD *ENGINE_get_RAND(const ENGINE *);
-const STORE_METHOD *ENGINE_get_STORE(const ENGINE *);
-const EVP_CIPHER *ENGINE_get_cipher(ENGINE *, int);
-const EVP_MD *ENGINE_get_digest(ENGINE *, int);
-int ENGINE_get_flags(const ENGINE *);
-const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *);
-EVP_PKEY *ENGINE_load_private_key(ENGINE *, const char *, UI_METHOD *, void *);
-EVP_PKEY *ENGINE_load_public_key(ENGINE *, const char *, UI_METHOD *, void *);
-void ENGINE_add_conf_module(void);
-"""
-
-MACROS = """
-void ENGINE_load_cryptodev(void);
"""
CUSTOMIZATIONS = """
-#if defined(LIBRESSL_VERSION_NUMBER)
-static const long Cryptography_HAS_ENGINE_CRYPTODEV = 0;
-void (*ENGINE_load_cryptodev)(void) = NULL;
+#ifdef OPENSSL_NO_ENGINE
+static const long Cryptography_HAS_ENGINE = 0;
+
+ENGINE *(*ENGINE_by_id)(const char *) = NULL;
+int (*ENGINE_init)(ENGINE *) = NULL;
+int (*ENGINE_finish)(ENGINE *) = NULL;
+ENGINE *(*ENGINE_get_default_RAND)(void) = NULL;
+int (*ENGINE_set_default_RAND)(ENGINE *) = NULL;
+void (*ENGINE_unregister_RAND)(ENGINE *) = NULL;
+int (*ENGINE_ctrl_cmd)(ENGINE *, const char *, long, void *,
+ void (*)(void), int) = NULL;
+
+int (*ENGINE_free)(ENGINE *) = NULL;
+const char *(*ENGINE_get_id)(const ENGINE *) = NULL;
+const char *(*ENGINE_get_name)(const ENGINE *) = NULL;
+
#else
-static const long Cryptography_HAS_ENGINE_CRYPTODEV = 1;
+static const long Cryptography_HAS_ENGINE = 1;
#endif
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_ENGINE_CRYPTODEV": [
- "ENGINE_load_cryptodev"
- ]
-}
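Review bot: The `OPENSSL_NO_ENGINE` stub block defines `const char *(*ENGINE_get_id)(const ENGINE *) = NULL;` but the matching `ENGINE_get_id` declaration is removed from FUNCTIONS in this same hunk, so the stub has no cffi declaration backing it (unless it is declared in another module, which I cannot see from here). Either restore `const char *ENGINE_get_id(const ENGINE *);` next to `ENGINE_get_name` or drop the stub; a mismatch in the other direction would be a link error on no-engine builds, so a reminder like `/* keep in sync with FUNCTIONS above */` at the top of the stub block is worth adding.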
diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
index 0ee19c9e..ecdc6e3d 100644
--- a/src/_cffi_src/openssl/err.py
+++ b/src/_cffi_src/openssl/err.py
@@ -9,17 +9,9 @@ INCLUDES = """
"""
TYPES = """
-static const int Cryptography_HAS_REMOVE_THREAD_STATE;
-static const int Cryptography_HAS_098H_ERROR_CODES;
-static const int Cryptography_HAS_098C_CAMELLIA_CODES;
static const int Cryptography_HAS_EC_CODES;
static const int Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR;
-
-struct ERR_string_data_st {
- unsigned long error;
- const char *string;
-};
-typedef struct ERR_string_data_st ERR_STRING_DATA;
+static const int Cryptography_HAS_EVP_R_MEMORY_LIMIT_EXCEEDED;
static const int ERR_LIB_DH;
static const int ERR_LIB_EVP;
@@ -28,55 +20,17 @@ static const int ERR_LIB_PEM;
static const int ERR_LIB_ASN1;
static const int ERR_LIB_RSA;
static const int ERR_LIB_PKCS12;
+static const int ERR_LIB_SSL;
+static const int ERR_LIB_X509;
-static const int ASN1_F_ASN1_ENUMERATED_TO_BN;
-static const int ASN1_F_ASN1_EX_C2I;
-static const int ASN1_F_ASN1_FIND_END;
-static const int ASN1_F_ASN1_GENERALIZEDTIME_SET;
-static const int ASN1_F_ASN1_GENERATE_V3;
-static const int ASN1_F_ASN1_GET_OBJECT;
-static const int ASN1_F_ASN1_ITEM_I2D_FP;
-static const int ASN1_F_ASN1_ITEM_PACK;
-static const int ASN1_F_ASN1_ITEM_SIGN;
-static const int ASN1_F_ASN1_ITEM_UNPACK;
-static const int ASN1_F_ASN1_ITEM_VERIFY;
-static const int ASN1_F_ASN1_MBSTRING_NCOPY;
-static const int ASN1_F_ASN1_TEMPLATE_EX_D2I;
-static const int ASN1_F_ASN1_TEMPLATE_NEW;
-static const int ASN1_F_ASN1_TEMPLATE_NOEXP_D2I;
-static const int ASN1_F_ASN1_TIME_SET;
-static const int ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING;
-static const int ASN1_F_ASN1_TYPE_GET_OCTETSTRING;
-static const int ASN1_F_ASN1_UNPACK_STRING;
-static const int ASN1_F_ASN1_UTCTIME_SET;
-static const int ASN1_F_ASN1_VERIFY;
-static const int ASN1_F_BITSTR_CB;
-static const int ASN1_F_BN_TO_ASN1_ENUMERATED;
-static const int ASN1_F_BN_TO_ASN1_INTEGER;
-static const int ASN1_F_D2I_ASN1_TYPE_BYTES;
-static const int ASN1_F_D2I_ASN1_UINTEGER;
-static const int ASN1_F_D2I_ASN1_UTCTIME;
-static const int ASN1_F_D2I_NETSCAPE_RSA;
-static const int ASN1_F_D2I_NETSCAPE_RSA_2;
-static const int ASN1_F_D2I_PRIVATEKEY;
-static const int ASN1_F_D2I_X509;
-static const int ASN1_F_D2I_X509_CINF;
-static const int ASN1_F_D2I_X509_PKEY;
-static const int ASN1_F_I2D_ASN1_SET;
-static const int ASN1_F_I2D_ASN1_TIME;
-static const int ASN1_F_I2D_DSA_PUBKEY;
-static const int ASN1_F_LONG_C2I;
-static const int ASN1_F_OID_MODULE_INIT;
-static const int ASN1_F_PARSE_TAGGING;
-static const int ASN1_F_PKCS5_PBE_SET;
-static const int ASN1_F_X509_CINF_NEW;
+static const int ERR_R_MALLOC_FAILURE;
+static const int EVP_R_MEMORY_LIMIT_EXCEEDED;
static const int ASN1_R_BOOLEAN_IS_WRONG_LENGTH;
static const int ASN1_R_BUFFER_TOO_SMALL;
static const int ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER;
static const int ASN1_R_DATA_IS_WRONG;
static const int ASN1_R_DECODE_ERROR;
-static const int ASN1_R_DECODING_ERROR;
static const int ASN1_R_DEPTH_EXCEEDED;
static const int ASN1_R_ENCODE_ERROR;
static const int ASN1_R_ERROR_GETTING_TIME;
@@ -88,122 +42,46 @@ static const int ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM;
static const int ASN1_R_UNKNOWN_OBJECT_TYPE;
static const int ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE;
static const int ASN1_R_UNKNOWN_TAG;
-static const int ASN1_R_UNKOWN_FORMAT;
static const int ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE;
-static const int ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM;
static const int ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE;
static const int ASN1_R_UNSUPPORTED_TYPE;
static const int ASN1_R_WRONG_TAG;
-static const int ASN1_R_WRONG_TYPE;
-
-static const int DH_F_COMPUTE_KEY;
+static const int ASN1_R_NO_CONTENT_TYPE;
+static const int ASN1_R_NO_MULTIPART_BODY_FAILURE;
+static const int ASN1_R_NO_MULTIPART_BOUNDARY;
+static const int ASN1_R_HEADER_TOO_LONG;
static const int DH_R_INVALID_PUBKEY;
-static const int EVP_F_AES_INIT_KEY;
-static const int EVP_F_D2I_PKEY;
-static const int EVP_F_DSA_PKEY2PKCS8;
-static const int EVP_F_DSAPKEY2PKCS8;
-static const int EVP_F_ECDSA_PKEY2PKCS8;
-static const int EVP_F_ECKEY_PKEY2PKCS8;
-static const int EVP_F_EVP_CIPHER_CTX_CTRL;
-static const int EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH;
-static const int EVP_F_EVP_CIPHERINIT_EX;
-static const int EVP_F_EVP_DECRYPTFINAL_EX;
-static const int EVP_F_EVP_DIGESTINIT_EX;
static const int EVP_F_EVP_ENCRYPTFINAL_EX;
-static const int EVP_F_EVP_MD_CTX_COPY_EX;
-static const int EVP_F_EVP_OPENINIT;
-static const int EVP_F_EVP_PBE_ALG_ADD;
-static const int EVP_F_EVP_PBE_CIPHERINIT;
-static const int EVP_F_EVP_PKCS82PKEY;
-static const int EVP_F_EVP_PKEY2PKCS8_BROKEN;
-static const int EVP_F_EVP_PKEY_COPY_PARAMETERS;
-static const int EVP_F_EVP_PKEY_DECRYPT;
-static const int EVP_F_EVP_PKEY_ENCRYPT;
-static const int EVP_F_EVP_PKEY_GET1_DH;
-static const int EVP_F_EVP_PKEY_GET1_DSA;
-static const int EVP_F_EVP_PKEY_GET1_ECDSA;
-static const int EVP_F_EVP_PKEY_GET1_EC_KEY;
-static const int EVP_F_EVP_PKEY_GET1_RSA;
-static const int EVP_F_EVP_PKEY_NEW;
-static const int EVP_F_EVP_RIJNDAEL;
-static const int EVP_F_EVP_SIGNFINAL;
-static const int EVP_F_EVP_VERIFYFINAL;
-static const int EVP_F_PKCS5_PBE_KEYIVGEN;
-static const int EVP_F_PKCS5_V2_PBE_KEYIVGEN;
-static const int EVP_F_PKCS8_SET_BROKEN;
-static const int EVP_F_RC2_MAGIC_TO_METH;
-static const int EVP_F_RC5_CTRL;
static const int EVP_R_AES_KEY_SETUP_FAILED;
-static const int EVP_R_ASN1_LIB;
-static const int EVP_R_BAD_BLOCK_LENGTH;
static const int EVP_R_BAD_DECRYPT;
-static const int EVP_R_BAD_KEY_LENGTH;
-static const int EVP_R_BN_DECODE_ERROR;
-static const int EVP_R_BN_PUBKEY_ERROR;
static const int EVP_R_CIPHER_PARAMETER_ERROR;
static const int EVP_R_CTRL_NOT_IMPLEMENTED;
static const int EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED;
static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH;
static const int EVP_R_DECODE_ERROR;
static const int EVP_R_DIFFERENT_KEY_TYPES;
-static const int EVP_R_ENCODE_ERROR;
static const int EVP_R_INITIALIZATION_ERROR;
static const int EVP_R_INPUT_NOT_INITIALIZED;
static const int EVP_R_INVALID_KEY_LENGTH;
-static const int EVP_R_IV_TOO_LARGE;
static const int EVP_R_KEYGEN_FAILURE;
static const int EVP_R_MISSING_PARAMETERS;
static const int EVP_R_NO_CIPHER_SET;
static const int EVP_R_NO_DIGEST_SET;
-static const int EVP_R_NO_DSA_PARAMETERS;
-static const int EVP_R_NO_SIGN_FUNCTION_CONFIGURED;
-static const int EVP_R_NO_VERIFY_FUNCTION_CONFIGURED;
-static const int EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE;
static const int EVP_R_PUBLIC_KEY_NOT_RSA;
static const int EVP_R_UNKNOWN_PBE_ALGORITHM;
-static const int EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS;
static const int EVP_R_UNSUPPORTED_CIPHER;
static const int EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION;
static const int EVP_R_UNSUPPORTED_KEYLENGTH;
static const int EVP_R_UNSUPPORTED_SALT_TYPE;
static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM;
static const int EVP_R_WRONG_FINAL_BLOCK_LENGTH;
-static const int EVP_R_WRONG_PUBLIC_KEY_TYPE;
-
-static const int EC_F_EC_GROUP_NEW_BY_CURVE_NAME;
+static const int EVP_R_CAMELLIA_KEY_SETUP_FAILED;
static const int EC_R_UNKNOWN_GROUP;
-static const int PEM_F_D2I_PKCS8PRIVATEKEY_BIO;
-static const int PEM_F_D2I_PKCS8PRIVATEKEY_FP;
-static const int PEM_F_DO_PK8PKEY;
-static const int PEM_F_DO_PK8PKEY_FP;
-static const int PEM_F_LOAD_IV;
-static const int PEM_F_PEM_ASN1_READ;
-static const int PEM_F_PEM_ASN1_READ_BIO;
-static const int PEM_F_PEM_ASN1_WRITE;
-static const int PEM_F_PEM_ASN1_WRITE_BIO;
-static const int PEM_F_PEM_DEF_CALLBACK;
-static const int PEM_F_PEM_DO_HEADER;
-static const int PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY;
-static const int PEM_F_PEM_GET_EVP_CIPHER_INFO;
-static const int PEM_F_PEM_PK8PKEY;
-static const int PEM_F_PEM_READ;
-static const int PEM_F_PEM_READ_BIO;
-static const int PEM_F_PEM_READ_BIO_PRIVATEKEY;
-static const int PEM_F_PEM_READ_PRIVATEKEY;
-static const int PEM_F_PEM_SEALFINAL;
-static const int PEM_F_PEM_SEALINIT;
-static const int PEM_F_PEM_SIGNFINAL;
-static const int PEM_F_PEM_WRITE;
-static const int PEM_F_PEM_WRITE_BIO;
-static const int PEM_F_PEM_X509_INFO_READ;
-static const int PEM_F_PEM_X509_INFO_READ_BIO;
-static const int PEM_F_PEM_X509_INFO_WRITE_BIO;
-
static const int PEM_R_BAD_BASE64_DECODE;
static const int PEM_R_BAD_DECRYPT;
static const int PEM_R_BAD_END_LINE;
@@ -215,116 +93,79 @@ static const int PEM_R_NOT_DEK_INFO;
static const int PEM_R_NOT_ENCRYPTED;
static const int PEM_R_NOT_PROC_TYPE;
static const int PEM_R_PROBLEMS_GETTING_PASSWORD;
-static const int PEM_R_PUBLIC_KEY_NO_RSA;
static const int PEM_R_READ_KEY;
static const int PEM_R_SHORT_HEADER;
static const int PEM_R_UNSUPPORTED_CIPHER;
static const int PEM_R_UNSUPPORTED_ENCRYPTION;
-static const int PKCS12_F_PKCS12_PBE_CRYPT;
-
static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR;
+static const int RSA_R_BAD_PAD_BYTE_COUNT;
static const int RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
+static const int RSA_R_DATA_TOO_LARGE_FOR_MODULUS;
static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
static const int RSA_R_PKCS_DECODING_ERROR;
+static const int RSA_R_OAEP_DECODING_ERROR;
+
+static const int SSL_TLSEXT_ERR_OK;
+static const int SSL_TLSEXT_ERR_ALERT_WARNING;
+static const int SSL_TLSEXT_ERR_ALERT_FATAL;
+static const int SSL_TLSEXT_ERR_NOACK;
+
+static const int SSL_AD_CLOSE_NOTIFY;
+static const int SSL_AD_UNEXPECTED_MESSAGE;
+static const int SSL_AD_BAD_RECORD_MAC;
+static const int SSL_AD_RECORD_OVERFLOW;
+static const int SSL_AD_DECOMPRESSION_FAILURE;
+static const int SSL_AD_HANDSHAKE_FAILURE;
+static const int SSL_AD_BAD_CERTIFICATE;
+static const int SSL_AD_UNSUPPORTED_CERTIFICATE;
+static const int SSL_AD_CERTIFICATE_REVOKED;
+static const int SSL_AD_CERTIFICATE_EXPIRED;
+static const int SSL_AD_CERTIFICATE_UNKNOWN;
+static const int SSL_AD_ILLEGAL_PARAMETER;
+static const int SSL_AD_UNKNOWN_CA;
+static const int SSL_AD_ACCESS_DENIED;
+static const int SSL_AD_DECODE_ERROR;
+static const int SSL_AD_DECRYPT_ERROR;
+static const int SSL_AD_PROTOCOL_VERSION;
+static const int SSL_AD_INSUFFICIENT_SECURITY;
+static const int SSL_AD_INTERNAL_ERROR;
+static const int SSL_AD_USER_CANCELLED;
+static const int SSL_AD_NO_RENEGOTIATION;
+
+static const int SSL_AD_UNSUPPORTED_EXTENSION;
+static const int SSL_AD_CERTIFICATE_UNOBTAINABLE;
+static const int SSL_AD_UNRECOGNIZED_NAME;
+static const int SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
+static const int SSL_AD_BAD_CERTIFICATE_HASH_VALUE;
+static const int SSL_AD_UNKNOWN_PSK_IDENTITY;
+
+static const int X509_R_CERT_ALREADY_IN_HASH_TABLE;
+static const int X509_R_KEY_VALUES_MISMATCH;
"""
FUNCTIONS = """
-void ERR_load_crypto_strings(void);
-void ERR_load_SSL_strings(void);
-void ERR_free_strings(void);
-char *ERR_error_string(unsigned long, char *);
void ERR_error_string_n(unsigned long, char *, size_t);
const char *ERR_lib_error_string(unsigned long);
const char *ERR_func_error_string(unsigned long);
const char *ERR_reason_error_string(unsigned long);
-void ERR_print_errors(BIO *);
-void ERR_print_errors_fp(FILE *);
unsigned long ERR_get_error(void);
unsigned long ERR_peek_error(void);
unsigned long ERR_peek_last_error(void);
-unsigned long ERR_get_error_line(const char **, int *);
-unsigned long ERR_peek_error_line(const char **, int *);
-unsigned long ERR_peek_last_error_line(const char **, int *);
-unsigned long ERR_get_error_line_data(const char **, int *,
- const char **, int *);
-unsigned long ERR_peek_error_line_data(const char **,
- int *, const char **, int *);
-unsigned long ERR_peek_last_error_line_data(const char **,
- int *, const char **, int *);
+void ERR_clear_error(void);
void ERR_put_error(int, int, int, const char *, int);
-void ERR_add_error_data(int, ...);
-int ERR_get_next_error_library(void);
-"""
-MACROS = """
-unsigned long ERR_PACK(int, int, int);
int ERR_GET_LIB(unsigned long);
int ERR_GET_FUNC(unsigned long);
int ERR_GET_REASON(unsigned long);
-int ERR_FATAL_ERROR(unsigned long);
-/* introduced in 1.0.0 so we have to handle this specially to continue
- * supporting 0.9.8
- */
-void ERR_remove_thread_state(const CRYPTO_THREADID *);
-/* These were added in OpenSSL 0.9.8h. When we drop support for RHEL/CentOS 5
- we should be able to move these back to TYPES. */
-static const int ASN1_F_B64_READ_ASN1;
-static const int ASN1_F_B64_WRITE_ASN1;
-static const int ASN1_F_SMIME_READ_ASN1;
-static const int ASN1_F_SMIME_TEXT;
-static const int ASN1_R_NO_CONTENT_TYPE;
-static const int ASN1_R_NO_MULTIPART_BODY_FAILURE;
-static const int ASN1_R_NO_MULTIPART_BOUNDARY;
-/* These were added in OpenSSL 0.9.8c. */
-static const int EVP_F_CAMELLIA_INIT_KEY;
-static const int EVP_R_CAMELLIA_KEY_SETUP_FAILED;
"""
CUSTOMIZATIONS = """
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-static const long Cryptography_HAS_REMOVE_THREAD_STATE = 1;
-#else
-static const long Cryptography_HAS_REMOVE_THREAD_STATE = 0;
-typedef uint32_t CRYPTO_THREADID;
-void (*ERR_remove_thread_state)(const CRYPTO_THREADID *) = NULL;
-#endif
-
-/* OpenSSL 0.9.8h+ */
-#if OPENSSL_VERSION_NUMBER >= 0x0090808fL
-static const long Cryptography_HAS_098H_ERROR_CODES = 1;
-#else
-static const long Cryptography_HAS_098H_ERROR_CODES = 0;
-static const int ASN1_F_B64_READ_ASN1 = 0;
-static const int ASN1_F_B64_WRITE_ASN1 = 0;
-static const int ASN1_F_SMIME_READ_ASN1 = 0;
-static const int ASN1_F_SMIME_TEXT = 0;
-static const int ASN1_R_NO_CONTENT_TYPE = 0;
-static const int ASN1_R_NO_MULTIPART_BODY_FAILURE = 0;
-static const int ASN1_R_NO_MULTIPART_BOUNDARY = 0;
-#endif
-
-/* OpenSSL 0.9.8c+ */
-#ifdef EVP_F_CAMELLIA_INIT_KEY
-static const long Cryptography_HAS_098C_CAMELLIA_CODES = 1;
-#else
-static const long Cryptography_HAS_098C_CAMELLIA_CODES = 0;
-static const int EVP_F_CAMELLIA_INIT_KEY = 0;
-static const int EVP_R_CAMELLIA_KEY_SETUP_FAILED = 0;
-#endif
-
-// OpenSSL without EC. e.g. RHEL
-#ifndef OPENSSL_NO_EC
static const long Cryptography_HAS_EC_CODES = 1;
-#else
-static const long Cryptography_HAS_EC_CODES = 0;
-static const int EC_R_UNKNOWN_GROUP = 0;
-static const int EC_F_EC_GROUP_NEW_BY_CURVE_NAME = 0;
-#endif
#ifdef RSA_R_PKCS_DECODING_ERROR
static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 1;
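Review bot: The new `SSL_TLSEXT_ERR_*` and `SSL_AD_*` blocks in TYPES are TLS alert descriptions and servername-callback return values, not ERR-library error codes, and they land in err.py without a comment. A one-line header such as `/* TLS alert descriptions (RFC 5246) and SNI callback return values */` would tell a reader why they live here, or they could move next to the `SSL_CTX_*` bindings where they are presumably consumed.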
@@ -332,30 +173,11 @@ static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 1;
static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 0;
static const long RSA_R_PKCS_DECODING_ERROR = 0;
#endif
-"""
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_REMOVE_THREAD_STATE": [
- "ERR_remove_thread_state"
- ],
- "Cryptography_HAS_098H_ERROR_CODES": [
- "ASN1_F_B64_READ_ASN1",
- "ASN1_F_B64_WRITE_ASN1",
- "ASN1_F_SMIME_READ_ASN1",
- "ASN1_F_SMIME_TEXT",
- "ASN1_R_NO_CONTENT_TYPE",
- "ASN1_R_NO_MULTIPART_BODY_FAILURE",
- "ASN1_R_NO_MULTIPART_BOUNDARY",
- ],
- "Cryptography_HAS_098C_CAMELLIA_CODES": [
- "EVP_F_CAMELLIA_INIT_KEY",
- "EVP_R_CAMELLIA_KEY_SETUP_FAILED"
- ],
- "Cryptography_HAS_EC_CODES": [
- "EC_R_UNKNOWN_GROUP",
- "EC_F_EC_GROUP_NEW_BY_CURVE_NAME"
- ],
- "Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": [
- "RSA_R_PKCS_DECODING_ERROR"
- ]
-}
+#ifdef EVP_R_MEMORY_LIMIT_EXCEEDED
+static const long Cryptography_HAS_EVP_R_MEMORY_LIMIT_EXCEEDED = 1;
+#else
+static const long EVP_R_MEMORY_LIMIT_EXCEEDED = 0;
+static const long Cryptography_HAS_EVP_R_MEMORY_LIMIT_EXCEEDED = 0;
+#endif
+"""
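Review bot: In the new fallback branch `EVP_R_MEMORY_LIMIT_EXCEEDED` is defined as `static const long EVP_R_MEMORY_LIMIT_EXCEEDED = 0;` while TYPES declares it `static const int` (earlier hunk); cffi tolerates the width mismatch for a zero constant and the `RSA_R_PKCS_DECODING_ERROR` fallback just above has the same quirk, but `static const int EVP_R_MEMORY_LIMIT_EXCEEDED = 0;` would match the declaration and stop readers wondering whether the difference is intentional. A comment on the guard would also help, e.g. `/* only defined by OpenSSL builds with scrypt support; 0 is never a real reason code */` — the scrypt association is from memory and worth confirming against the OpenSSL headers.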
diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py
index 93aa83de..a0767021 100644
--- a/src/_cffi_src/openssl/evp.py
+++ b/src/_cffi_src/openssl/evp.py
@@ -10,78 +10,69 @@ INCLUDES = """
TYPES = """
typedef ... EVP_CIPHER;
-typedef struct {
- const EVP_CIPHER *cipher;
- ENGINE *engine;
- int encrypt;
- ...;
-} EVP_CIPHER_CTX;
+typedef ... EVP_CIPHER_CTX;
typedef ... EVP_MD;
-typedef struct env_md_ctx_st {
- ...;
-} EVP_MD_CTX;
-
-typedef struct evp_pkey_st {
- int type;
- ...;
-} EVP_PKEY;
+typedef ... EVP_MD_CTX;
+
+typedef ... EVP_PKEY;
typedef ... EVP_PKEY_CTX;
static const int EVP_PKEY_RSA;
static const int EVP_PKEY_DSA;
static const int EVP_PKEY_DH;
+static const int EVP_PKEY_DHX;
static const int EVP_PKEY_EC;
+static const int EVP_PKEY_X25519;
+static const int EVP_PKEY_ED25519;
+static const int EVP_PKEY_X448;
+static const int EVP_PKEY_ED448;
+static const int EVP_PKEY_POLY1305;
static const int EVP_MAX_MD_SIZE;
-static const int EVP_CTRL_GCM_SET_IVLEN;
-static const int EVP_CTRL_GCM_GET_TAG;
-static const int EVP_CTRL_GCM_SET_TAG;
+static const int EVP_CTRL_AEAD_SET_IVLEN;
+static const int EVP_CTRL_AEAD_GET_TAG;
+static const int EVP_CTRL_AEAD_SET_TAG;
-static const int Cryptography_HAS_GCM;
-static const int Cryptography_HAS_PBKDF2_HMAC;
-static const int Cryptography_HAS_PKEY_CTX;
+static const int Cryptography_HAS_SCRYPT;
+static const int Cryptography_HAS_EVP_PKEY_DHX;
+static const int Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint;
+static const int Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY;
+static const long Cryptography_HAS_RAW_KEY;
+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF;
"""
FUNCTIONS = """
const EVP_CIPHER *EVP_get_cipherbyname(const char *);
-int EVP_EncryptInit_ex(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *,
- const unsigned char *, const unsigned char *);
int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *, int);
-int EVP_EncryptUpdate(EVP_CIPHER_CTX *, unsigned char *, int *,
- const unsigned char *, int);
-int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *, unsigned char *, int *);
-int EVP_DecryptInit_ex(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *,
- const unsigned char *, const unsigned char *);
-int EVP_DecryptUpdate(EVP_CIPHER_CTX *, unsigned char *, int *,
- const unsigned char *, int);
-int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *, unsigned char *, int *);
int EVP_CipherInit_ex(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *,
const unsigned char *, const unsigned char *, int);
int EVP_CipherUpdate(EVP_CIPHER_CTX *, unsigned char *, int *,
const unsigned char *, int);
int EVP_CipherFinal_ex(EVP_CIPHER_CTX *, unsigned char *, int *);
int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
-void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *);
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *);
int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *, int);
+const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *);
-EVP_MD_CTX *EVP_MD_CTX_create(void);
int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *);
int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, ENGINE *);
int EVP_DigestUpdate(EVP_MD_CTX *, const void *, size_t);
int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *);
-int EVP_MD_CTX_cleanup(EVP_MD_CTX *);
-void EVP_MD_CTX_destroy(EVP_MD_CTX *);
+int EVP_DigestFinalXOF(EVP_MD_CTX *, unsigned char *, size_t);
const EVP_MD *EVP_get_digestbyname(const char *);
EVP_PKEY *EVP_PKEY_new(void);
void EVP_PKEY_free(EVP_PKEY *);
int EVP_PKEY_type(int);
-int EVP_PKEY_bits(EVP_PKEY *);
int EVP_PKEY_size(EVP_PKEY *);
RSA *EVP_PKEY_get1_RSA(EVP_PKEY *);
DSA *EVP_PKEY_get1_DSA(EVP_PKEY *);
DH *EVP_PKEY_get1_DH(EVP_PKEY *);
+int EVP_PKEY_encrypt(EVP_PKEY_CTX *, unsigned char *, size_t *,
+ const unsigned char *, size_t);
+int EVP_PKEY_decrypt(EVP_PKEY_CTX *, unsigned char *, size_t *,
+ const unsigned char *, size_t);
+
int EVP_SignInit(EVP_MD_CTX *, const EVP_MD *);
int EVP_SignUpdate(EVP_MD_CTX *, const void *, size_t);
int EVP_SignFinal(EVP_MD_CTX *, unsigned char *, unsigned int *, EVP_PKEY *);
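Review bot: `EVP_DigestFinalXOF`, added where `EVP_MD_CTX_cleanup`/`EVP_MD_CTX_destroy` were removed, is the only 1.1.1-only entry in this part of FUNCTIONS without a version comment, while the additions later in the file carry `/* Added in 1.1.1 */`; its CUSTOMIZATIONS fallback is a NULL function pointer on older OpenSSL, so a reader of this section gets no hint that the call must be guarded by `Cryptography_HAS_EVP_DIGESTFINAL_XOF`. Suggest `/* Added in 1.1.1; NULL on older OpenSSL, guard with Cryptography_HAS_EVP_DIGESTFINAL_XOF */` above the declaration. The FUNCTIONS string continues past the end of this hunk.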
@@ -91,49 +82,70 @@ int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t);
int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int,
EVP_PKEY *);
-const EVP_MD *EVP_md5(void);
-const EVP_MD *EVP_sha1(void);
-const EVP_MD *EVP_ripemd160(void);
-const EVP_MD *EVP_sha224(void);
-const EVP_MD *EVP_sha256(void);
-const EVP_MD *EVP_sha384(void);
-const EVP_MD *EVP_sha512(void);
+int EVP_DigestSignInit(EVP_MD_CTX *, EVP_PKEY_CTX **, const EVP_MD *,
+ ENGINE *, EVP_PKEY *);
+int EVP_DigestSignUpdate(EVP_MD_CTX *, const void *, size_t);
+int EVP_DigestSignFinal(EVP_MD_CTX *, unsigned char *, size_t *);
+int EVP_DigestVerifyInit(EVP_MD_CTX *, EVP_PKEY_CTX **, const EVP_MD *,
+ ENGINE *, EVP_PKEY *);
+
int PKCS5_PBKDF2_HMAC_SHA1(const char *, int, const unsigned char *, int, int,
int, unsigned char *);
-int EVP_PKEY_set1_RSA(EVP_PKEY *, struct rsa_st *);
-int EVP_PKEY_set1_DSA(EVP_PKEY *, struct dsa_st *);
-int EVP_PKEY_set1_DH(EVP_PKEY *, DH *);
+EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *);
+EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int, ENGINE *);
+EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *);
+void EVP_PKEY_CTX_free(EVP_PKEY_CTX *);
+int EVP_PKEY_sign_init(EVP_PKEY_CTX *);
+int EVP_PKEY_sign(EVP_PKEY_CTX *, unsigned char *, size_t *,
+ const unsigned char *, size_t);
+int EVP_PKEY_verify_init(EVP_PKEY_CTX *);
+int EVP_PKEY_verify(EVP_PKEY_CTX *, const unsigned char *, size_t,
+ const unsigned char *, size_t);
+int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *);
+int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *);
-int EVP_PKEY_get_attr_count(const EVP_PKEY *);
-int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *, int, int);
-int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *, ASN1_OBJECT *, int);
-X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *, int);
-X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *, int);
-int EVP_PKEY_add1_attr(EVP_PKEY *, X509_ATTRIBUTE *);
-int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *, const ASN1_OBJECT *, int,
- const unsigned char *, int);
-int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *, int, int,
- const unsigned char *, int);
-int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *, const char *, int,
- const unsigned char *, int);
+int EVP_PKEY_set1_RSA(EVP_PKEY *, RSA *);
+int EVP_PKEY_set1_DSA(EVP_PKEY *, DSA *);
+int EVP_PKEY_set1_DH(EVP_PKEY *, DH *);
int EVP_PKEY_cmp(const EVP_PKEY *, const EVP_PKEY *);
-EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *);
-"""
+int EVP_PKEY_keygen_init(EVP_PKEY_CTX *);
+int EVP_PKEY_keygen(EVP_PKEY_CTX *, EVP_PKEY **);
+int EVP_PKEY_derive_init(EVP_PKEY_CTX *);
+int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *, EVP_PKEY *);
+int EVP_PKEY_derive(EVP_PKEY_CTX *, unsigned char *, size_t *);
+int EVP_PKEY_set_type(EVP_PKEY *, int);
+
+int EVP_PKEY_id(const EVP_PKEY *);
+int Cryptography_EVP_PKEY_id(const EVP_PKEY *);
+
+/* in 1.1.0 _create and _destroy were renamed to _new and _free. The following
+ two functions wrap both the old and new functions so we can call them
+ without worrying about what OpenSSL we're running against. */
+EVP_MD_CTX *Cryptography_EVP_MD_CTX_new(void);
+void Cryptography_EVP_MD_CTX_free(EVP_MD_CTX *);
+/* Added in 1.1.1 */
+int EVP_DigestSign(EVP_MD_CTX *, unsigned char *, size_t *,
+ const unsigned char *, size_t);
+int EVP_DigestVerify(EVP_MD_CTX *, const unsigned char *, size_t,
+ const unsigned char *, size_t);
+/* Added in 1.1.0 */
+size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *, unsigned char **);
+int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *, const unsigned char *,
+ size_t);
+
+/* EVP_PKEY * became const in 1.1.0 */
+int EVP_PKEY_bits(EVP_PKEY *);
-MACROS = """
void OpenSSL_add_all_algorithms(void);
int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *);
-int EVP_PKEY_assign_DSA(EVP_PKEY *, DSA *);
-int EVP_PKEY_assign_EC_KEY(EVP_PKEY *, EC_KEY *);
EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *);
int EVP_PKEY_set1_EC_KEY(EVP_PKEY *, EC_KEY *);
-int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *);
int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *);
int PKCS5_PBKDF2_HMAC(const char *, int, const unsigned char *, int, int,
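Review bot: The streaming verify API added next to the sign API looks incomplete: `EVP_DigestVerifyInit` is declared but no `EVP_DigestVerifyFinal` appears in this hunk (`EVP_DigestVerifyUpdate` is a macro alias of `EVP_DigestUpdate` in OpenSSL, but `EVP_DigestVerifyFinal` is a real function), and the one-shot `EVP_DigestVerify` declared further down is a NULL pointer before 1.1.1. Unless it is declared elsewhere in the file, a binding on 1.0.x/1.1.0 can start a streaming verify but never finish it; add `int EVP_DigestVerifyFinal(EVP_MD_CTX *, const unsigned char *, size_t);` next to `EVP_DigestVerifyInit`. The FUNCTIONS string begins in the previous hunk and continues past this one.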
@@ -141,125 +153,126 @@ int PKCS5_PBKDF2_HMAC(const char *, int, const unsigned char *, int, int,
int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *, const EVP_MD *);
-/* These aren't macros, but must be in this section because they're not
- available in 0.9.8. */
-EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *);
-EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int, ENGINE *);
-EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *);
-void EVP_PKEY_CTX_free(EVP_PKEY_CTX *);
-int EVP_PKEY_sign_init(EVP_PKEY_CTX *);
-int EVP_PKEY_sign(EVP_PKEY_CTX *, unsigned char *, size_t *,
- const unsigned char *, size_t);
-int EVP_PKEY_verify_init(EVP_PKEY_CTX *);
-int EVP_PKEY_verify(EVP_PKEY_CTX *, const unsigned char *, size_t,
- const unsigned char *, size_t);
-int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *);
-int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *);
-int EVP_PKEY_id(const EVP_PKEY *);
+int EVP_PBE_scrypt(const char *, size_t, const unsigned char *, size_t,
+ uint64_t, uint64_t, uint64_t, uint64_t, unsigned char *,
+ size_t);
-/* The following were macros in 0.9.8e. Once we drop support for RHEL/CentOS 5
- we should move these back to FUNCTIONS. */
-const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *);
-int EVP_CIPHER_block_size(const EVP_CIPHER *);
-const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *);
-int EVP_MD_size(const EVP_MD *);
-
-/* Must be in macros because EVP_PKEY_CTX is undefined in 0.9.8 */
-int Cryptography_EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
- size_t *outlen, const unsigned char *in,
- size_t inlen);
-int Cryptography_EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
- size_t *outlen, const unsigned char *in,
- size_t inlen);
+EVP_PKEY *EVP_PKEY_new_raw_private_key(int, ENGINE *, const unsigned char *,
+ size_t);
+EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *,
+ size_t);
+int EVP_PKEY_get_raw_private_key(const EVP_PKEY *, unsigned char *, size_t *);
+int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *);
"""
CUSTOMIZATIONS = """
-#ifdef EVP_CTRL_GCM_SET_TAG
-const long Cryptography_HAS_GCM = 1;
+#ifdef EVP_PKEY_DHX
+const long Cryptography_HAS_EVP_PKEY_DHX = 1;
#else
-const long Cryptography_HAS_GCM = 0;
-const long EVP_CTRL_GCM_GET_TAG = -1;
-const long EVP_CTRL_GCM_SET_TAG = -1;
-const long EVP_CTRL_GCM_SET_IVLEN = -1;
+const long Cryptography_HAS_EVP_PKEY_DHX = 0;
+const long EVP_PKEY_DHX = -1;
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-const long Cryptography_HAS_PBKDF2_HMAC = 1;
-const long Cryptography_HAS_PKEY_CTX = 1;
-
-/* OpenSSL 0.9.8 defines EVP_PKEY_encrypt and EVP_PKEY_decrypt functions,
- but they are a completely different signature from the ones in 1.0.0+.
- These wrapper functions allows us to safely declare them on any version and
- conditionally remove them on 0.9.8. */
-int Cryptography_EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
- size_t *outlen, const unsigned char *in,
- size_t inlen) {
- return EVP_PKEY_encrypt(ctx, out, outlen, in, inlen);
+
+int Cryptography_EVP_PKEY_id(const EVP_PKEY *key) {
+ return EVP_PKEY_id(key);
}
-int Cryptography_EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
- size_t *outlen, const unsigned char *in,
- size_t inlen) {
- return EVP_PKEY_decrypt(ctx, out, outlen, in, inlen);
+
+EVP_MD_CTX *Cryptography_EVP_MD_CTX_new(void) {
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ return EVP_MD_CTX_create();
+#else
+ return EVP_MD_CTX_new();
+#endif
}
+void Cryptography_EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ EVP_MD_CTX_destroy(ctx);
#else
-const long Cryptography_HAS_PBKDF2_HMAC = 0;
-int (*PKCS5_PBKDF2_HMAC)(const char *, int, const unsigned char *, int, int,
- const EVP_MD *, int, unsigned char *) = NULL;
-const long Cryptography_HAS_PKEY_CTX = 0;
-typedef void EVP_PKEY_CTX;
-int (*EVP_PKEY_CTX_set_signature_md)(EVP_PKEY_CTX *, const EVP_MD *) = NULL;
-int (*EVP_PKEY_sign_init)(EVP_PKEY_CTX *) = NULL;
-int (*EVP_PKEY_sign)(EVP_PKEY_CTX *, unsigned char *, size_t *,
- const unsigned char *, size_t) = NULL;
-int (*EVP_PKEY_verify_init)(EVP_PKEY_CTX *) = NULL;
-int (*EVP_PKEY_verify)(EVP_PKEY_CTX *, const unsigned char *, size_t,
- const unsigned char *, size_t) = NULL;
-EVP_PKEY_CTX *(*EVP_PKEY_CTX_new)(EVP_PKEY *, ENGINE *) = NULL;
-EVP_PKEY_CTX *(*EVP_PKEY_CTX_new_id)(int, ENGINE *) = NULL;
-EVP_PKEY_CTX *(*EVP_PKEY_CTX_dup)(EVP_PKEY_CTX *) = NULL;
-void (*EVP_PKEY_CTX_free)(EVP_PKEY_CTX *) = NULL;
-int (*EVP_PKEY_encrypt_init)(EVP_PKEY_CTX *) = NULL;
-int (*EVP_PKEY_decrypt_init)(EVP_PKEY_CTX *) = NULL;
-int (*Cryptography_EVP_PKEY_encrypt)(EVP_PKEY_CTX *, unsigned char *, size_t *,
- const unsigned char *, size_t) = NULL;
-int (*Cryptography_EVP_PKEY_decrypt)(EVP_PKEY_CTX *, unsigned char *, size_t *,
- const unsigned char *, size_t) = NULL;
-int (*EVP_PKEY_id)(const EVP_PKEY *) = NULL;
+ EVP_MD_CTX_free(ctx);
#endif
-#ifdef OPENSSL_NO_EC
-int (*EVP_PKEY_assign_EC_KEY)(EVP_PKEY *, EC_KEY *) = NULL;
-EC_KEY *(*EVP_PKEY_get1_EC_KEY)(EVP_PKEY *) = NULL;
-int (*EVP_PKEY_set1_EC_KEY)(EVP_PKEY *, EC_KEY *) = NULL;
+}
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || defined(OPENSSL_NO_SCRYPT)
+static const long Cryptography_HAS_SCRYPT = 0;
+int (*EVP_PBE_scrypt)(const char *, size_t, const unsigned char *, size_t,
+ uint64_t, uint64_t, uint64_t, uint64_t, unsigned char *,
+ size_t) = NULL;
+#else
+static const long Cryptography_HAS_SCRYPT = 1;
#endif
-"""
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_GCM": [
- "EVP_CTRL_GCM_GET_TAG",
- "EVP_CTRL_GCM_SET_TAG",
- "EVP_CTRL_GCM_SET_IVLEN",
- ],
- "Cryptography_HAS_PBKDF2_HMAC": [
- "PKCS5_PBKDF2_HMAC"
- ],
- "Cryptography_HAS_PKEY_CTX": [
- "EVP_PKEY_CTX_new",
- "EVP_PKEY_CTX_new_id",
- "EVP_PKEY_CTX_dup",
- "EVP_PKEY_CTX_free",
- "EVP_PKEY_sign",
- "EVP_PKEY_sign_init",
- "EVP_PKEY_verify",
- "EVP_PKEY_verify_init",
- "Cryptography_EVP_PKEY_encrypt",
- "EVP_PKEY_encrypt_init",
- "Cryptography_EVP_PKEY_decrypt",
- "EVP_PKEY_decrypt_init",
- "EVP_PKEY_CTX_set_signature_md",
- "EVP_PKEY_id",
- ],
- "Cryptography_HAS_EC": [
- "EVP_PKEY_assign_EC_KEY",
- "EVP_PKEY_get1_EC_KEY",
- "EVP_PKEY_set1_EC_KEY",
- ]
-}
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+static const long Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint = 1;
+#else
+static const long Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint = 0;
+size_t (*EVP_PKEY_get1_tls_encodedpoint)(EVP_PKEY *, unsigned char **) = NULL;
+int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
+ size_t) = NULL;
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
+static const long Cryptography_HAS_RAW_KEY = 0;
+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
+int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
+int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
+ const unsigned char *tbs, size_t) = NULL;
+int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
+ const unsigned char *, size_t) = NULL;
+EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,
+ size_t) = NULL;
+EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,
+ size_t) = NULL;
+int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
+ size_t *) = NULL;
+int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
+ size_t *) = NULL;
+#else
+static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
+static const long Cryptography_HAS_RAW_KEY = 1;
+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
+#endif
+
+/* OpenSSL 1.1.0+ does this define for us, but if not present we'll do it */
+#if !defined(EVP_CTRL_AEAD_SET_IVLEN)
+# define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
+#endif
+#if !defined(EVP_CTRL_AEAD_GET_TAG)
+# define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
+#endif
+#if !defined(EVP_CTRL_AEAD_SET_TAG)
+# define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
+#endif
+
+/* This is tied to X25519 support so we reuse the Cryptography_HAS_X25519
+ conditional to remove it. OpenSSL 1.1.0 didn't have this define, but
+ 1.1.1 will when it is released. We can remove this in the distant
+ future when we drop 1.1.0 support. */
+#ifndef EVP_PKEY_X25519
+#define EVP_PKEY_X25519 NID_X25519
+#endif
+
+/* This is tied to X448 support so we reuse the Cryptography_HAS_X448
+ conditional to remove it. OpenSSL 1.1.1 adds this define. We can remove
+ this in the distant future when we drop 1.1.0 support. */
+#ifndef EVP_PKEY_X448
+#define EVP_PKEY_X448 NID_X448
+#endif
+
+/* This is tied to ED25519 support so we reuse the Cryptography_HAS_ED25519
+ conditional to remove it. */
+#ifndef EVP_PKEY_ED25519
+#define EVP_PKEY_ED25519 NID_ED25519
+#endif
+
+/* This is tied to ED448 support so we reuse the Cryptography_HAS_ED448
+ conditional to remove it. */
+#ifndef EVP_PKEY_ED448
+#define EVP_PKEY_ED448 NID_ED448
+#endif
+
+/* This is tied to poly1305 support so we reuse the Cryptography_HAS_POLY1305
+ conditional to remove it. */
+#ifndef EVP_PKEY_POLY1305
+#define EVP_PKEY_POLY1305 NID_poly1305
+#endif
+"""
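Review bot: The `EVP_DigestSign` null-pointer fallback under `CRYPTOGRAPHY_OPENSSL_LESS_THAN_111` names one parameter (`const unsigned char *tbs, size_t`) while every other fallback declaration in this block, and the FUNCTIONS declaration of the same symbol, is unnamed; drop it for consistency: `int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,` / `const unsigned char *, size_t) = NULL;`. The `#ifndef EVP_PKEY_X25519` family of defines resolves the key type to whatever `NID_X25519` (and friends) evaluates to, so on a build without the NID the key type silently takes the NID's substitute value; the comment block above them should state that these defines are only meaningful behind the matching `Cryptography_HAS_*` flag, which it currently implies but does not say.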
diff --git a/src/_cffi_src/commoncrypto/secitem.py b/src/_cffi_src/openssl/fips.py
index dd255430..c92bca49 100644
--- a/src/_cffi_src/commoncrypto/secitem.py
+++ b/src/_cffi_src/openssl/fips.py
@@ -5,25 +5,24 @@
from __future__ import absolute_import, division, print_function
INCLUDES = """
-#include <Security/SecItem.h>
+#include <openssl/crypto.h>
"""
TYPES = """
-const CFTypeRef kSecAttrKeyType;
-const CFTypeRef kSecAttrKeySizeInBits;
-const CFTypeRef kSecAttrIsPermanent;
-const CFTypeRef kSecAttrKeyTypeRSA;
-const CFTypeRef kSecAttrKeyTypeDSA;
-const CFTypeRef kSecUseKeychain;
+static const long Cryptography_HAS_FIPS;
"""
FUNCTIONS = """
-"""
-
-MACROS = """
+int FIPS_mode_set(int);
+int FIPS_mode(void);
"""
CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_FIPS = 0;
+int (*FIPS_mode_set)(int) = NULL;
+int (*FIPS_mode)(void) = NULL;
+#else
+static const long Cryptography_HAS_FIPS = 1;
+#endif
"""
-
-CONDITIONAL_NAMES = {}
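Review bot: `Cryptography_HAS_FIPS = 1` in the non-LibreSSL branch only asserts that the two symbols link, not that a FIPS-validated module is present: on a plain OpenSSL build `FIPS_mode()` reports 0 and `FIPS_mode_set(1)` fails with an error instead of enabling anything, so Python-side code must check the return value of `FIPS_mode_set` and must not read HAS_FIPS as "FIPS is usable". A comment above the `#else` would make that explicit, e.g. `/* Symbols exist on every OpenSSL build; FIPS_mode_set() returns 0 with an error when no FIPS module is loaded, so HAS_FIPS does not mean FIPS is usable. */`. The file header pairs this new file with the deleted `commoncrypto/secitem.py` as a rename; the contents are unrelated, which anyone reading the history later should know.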
diff --git a/src/_cffi_src/openssl/hmac.py b/src/_cffi_src/openssl/hmac.py
index 86bbdfc2..b006e642 100644
--- a/src/_cffi_src/openssl/hmac.py
+++ b/src/_cffi_src/openssl/hmac.py
@@ -9,77 +9,40 @@ INCLUDES = """
"""
TYPES = """
-typedef struct { ...; } HMAC_CTX;
+typedef ... HMAC_CTX;
"""
FUNCTIONS = """
-void HMAC_CTX_init(HMAC_CTX *);
-void HMAC_CTX_cleanup(HMAC_CTX *);
+int HMAC_Init_ex(HMAC_CTX *, const void *, int, const EVP_MD *, ENGINE *);
+int HMAC_Update(HMAC_CTX *, const unsigned char *, size_t);
+int HMAC_Final(HMAC_CTX *, unsigned char *, unsigned int *);
+int HMAC_CTX_copy(HMAC_CTX *, HMAC_CTX *);
-int Cryptography_HMAC_Init_ex(HMAC_CTX *, const void *, int, const EVP_MD *,
- ENGINE *);
-int Cryptography_HMAC_Update(HMAC_CTX *, const unsigned char *, size_t);
-int Cryptography_HMAC_Final(HMAC_CTX *, unsigned char *, unsigned int *);
-int Cryptography_HMAC_CTX_copy(HMAC_CTX *, HMAC_CTX *);
-"""
-
-MACROS = """
+HMAC_CTX *Cryptography_HMAC_CTX_new(void);
+void Cryptography_HMAC_CTX_free(HMAC_CTX *ctx);
"""
CUSTOMIZATIONS = """
-int Cryptography_HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
- const EVP_MD *md, ENGINE *impl) {
-#if OPENSSL_VERSION_NUMBER >= 0x010000000
- return HMAC_Init_ex(ctx, key, key_len, md, impl);
+HMAC_CTX *Cryptography_HMAC_CTX_new(void) {
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+ return HMAC_CTX_new();
#else
- HMAC_Init_ex(ctx, key, key_len, md, impl);
- return 1;
+ /* This uses OPENSSL_zalloc in 1.1.0, which is malloc + memset */
+ HMAC_CTX *ctx = (HMAC_CTX *)OPENSSL_malloc(sizeof(HMAC_CTX));
+ memset(ctx, 0, sizeof(HMAC_CTX));
+ return ctx;
#endif
}
-int Cryptography_HMAC_Update(HMAC_CTX *ctx, const unsigned char *data,
- size_t data_len) {
-#if OPENSSL_VERSION_NUMBER >= 0x010000000
- return HMAC_Update(ctx, data, data_len);
-#else
- HMAC_Update(ctx, data, data_len);
- return 1;
-#endif
-}
-int Cryptography_HMAC_Final(HMAC_CTX *ctx, unsigned char *digest,
- unsigned int *outlen) {
-#if OPENSSL_VERSION_NUMBER >= 0x010000000
- return HMAC_Final(ctx, digest, outlen);
+void Cryptography_HMAC_CTX_free(HMAC_CTX *ctx) {
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+ return HMAC_CTX_free(ctx);
#else
- HMAC_Final(ctx, digest, outlen);
- return 1;
-#endif
-}
-
-int Cryptography_HMAC_CTX_copy(HMAC_CTX *dst_ctx, HMAC_CTX *src_ctx) {
-#if OPENSSL_VERSION_NUMBER >= 0x010000000
- return HMAC_CTX_copy(dst_ctx, src_ctx);
-#else
- HMAC_CTX_init(dst_ctx);
- if (!EVP_MD_CTX_copy_ex(&dst_ctx->i_ctx, &src_ctx->i_ctx)) {
- goto err;
- }
- if (!EVP_MD_CTX_copy_ex(&dst_ctx->o_ctx, &src_ctx->o_ctx)) {
- goto err;
+ if (ctx != NULL) {
+ HMAC_CTX_cleanup(ctx);
+ OPENSSL_free(ctx);
}
- if (!EVP_MD_CTX_copy_ex(&dst_ctx->md_ctx, &src_ctx->md_ctx)) {
- goto err;
- }
- memcpy(dst_ctx->key, src_ctx->key, HMAC_MAX_MD_CBLOCK);
- dst_ctx->key_length = src_ctx->key_length;
- dst_ctx->md = src_ctx->md;
- return 1;
-
- err:
- return 0;
#endif
}
"""
-
-CONDITIONAL_NAMES = {}
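Review bot: In the pre-1.1.0 branch of `Cryptography_HMAC_CTX_new` the result of `OPENSSL_malloc` goes straight into `memset` without a NULL check, so an allocation failure dereferences NULL instead of returning NULL the way `HMAC_CTX_new` does on 1.1.0; insert `if (ctx == NULL) { return NULL; }` between the `OPENSSL_malloc` line and the `memset`. In `Cryptography_HMAC_CTX_free`, `return HMAC_CTX_free(ctx);` returns the value of a void call from a void function, which C does not permit (compilers accept it only as an extension or with a warning); write `HMAC_CTX_free(ctx);`. The `ctx != NULL` guard in the pre-1.1.0 free path is right, since it keeps the wrapper safe to call on the NULL that the fixed `_new` would return.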
diff --git a/src/_cffi_src/openssl/nid.py b/src/_cffi_src/openssl/nid.py
index c2c0552b..cdd4c0db 100644
--- a/src/_cffi_src/openssl/nid.py
+++ b/src/_cffi_src/openssl/nid.py
@@ -9,240 +9,56 @@ INCLUDES = """
"""
TYPES = """
-static const int Cryptography_HAS_ECDSA_SHA2_NIDS;
+static const int Cryptography_HAS_X25519;
+static const int Cryptography_HAS_X448;
+static const int Cryptography_HAS_ED448;
+static const int Cryptography_HAS_ED25519;
+static const int Cryptography_HAS_POLY1305;
static const int NID_undef;
-static const int NID_dsa;
-static const int NID_dsaWithSHA;
-static const int NID_dsaWithSHA1;
-static const int NID_md2;
-static const int NID_md4;
-static const int NID_md5;
-static const int NID_mdc2;
-static const int NID_ripemd160;
-static const int NID_sha;
-static const int NID_sha1;
-static const int NID_sha256;
-static const int NID_sha384;
-static const int NID_sha512;
-static const int NID_sha224;
-static const int NID_sha;
-static const int NID_ecdsa_with_SHA1;
-static const int NID_ecdsa_with_SHA224;
-static const int NID_ecdsa_with_SHA256;
-static const int NID_ecdsa_with_SHA384;
-static const int NID_ecdsa_with_SHA512;
static const int NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-static const int NID_X9_62_c2pnb163v1;
-static const int NID_X9_62_c2pnb163v2;
-static const int NID_X9_62_c2pnb163v3;
-static const int NID_X9_62_c2pnb176v1;
-static const int NID_X9_62_c2tnb191v1;
-static const int NID_X9_62_c2tnb191v2;
-static const int NID_X9_62_c2tnb191v3;
-static const int NID_X9_62_c2onb191v4;
-static const int NID_X9_62_c2onb191v5;
-static const int NID_X9_62_c2pnb208w1;
-static const int NID_X9_62_c2tnb239v1;
-static const int NID_X9_62_c2tnb239v2;
-static const int NID_X9_62_c2tnb239v3;
-static const int NID_X9_62_c2onb239v4;
-static const int NID_X9_62_c2onb239v5;
-static const int NID_X9_62_c2pnb272w1;
-static const int NID_X9_62_c2pnb304w1;
-static const int NID_X9_62_c2tnb359v1;
-static const int NID_X9_62_c2pnb368w1;
-static const int NID_X9_62_c2tnb431r1;
-static const int NID_X9_62_prime192v1;
-static const int NID_X9_62_prime192v2;
-static const int NID_X9_62_prime192v3;
-static const int NID_X9_62_prime239v1;
-static const int NID_X9_62_prime239v2;
-static const int NID_X9_62_prime239v3;
-static const int NID_X9_62_prime256v1;
-static const int NID_secp112r1;
-static const int NID_secp112r2;
-static const int NID_secp128r1;
-static const int NID_secp128r2;
-static const int NID_secp160k1;
-static const int NID_secp160r1;
-static const int NID_secp160r2;
-static const int NID_sect163k1;
-static const int NID_sect163r1;
-static const int NID_sect163r2;
-static const int NID_secp192k1;
-static const int NID_secp224k1;
-static const int NID_secp224r1;
-static const int NID_secp256k1;
-static const int NID_secp384r1;
-static const int NID_secp521r1;
-static const int NID_sect113r1;
-static const int NID_sect113r2;
-static const int NID_sect131r1;
-static const int NID_sect131r2;
-static const int NID_sect193r1;
-static const int NID_sect193r2;
-static const int NID_sect233k1;
-static const int NID_sect233r1;
-static const int NID_sect239k1;
-static const int NID_sect283k1;
-static const int NID_sect283r1;
-static const int NID_sect409k1;
-static const int NID_sect409r1;
-static const int NID_sect571k1;
-static const int NID_sect571r1;
-static const int NID_wap_wsg_idm_ecid_wtls1;
-static const int NID_wap_wsg_idm_ecid_wtls3;
-static const int NID_wap_wsg_idm_ecid_wtls4;
-static const int NID_wap_wsg_idm_ecid_wtls5;
-static const int NID_wap_wsg_idm_ecid_wtls6;
-static const int NID_wap_wsg_idm_ecid_wtls7;
-static const int NID_wap_wsg_idm_ecid_wtls8;
-static const int NID_wap_wsg_idm_ecid_wtls9;
-static const int NID_wap_wsg_idm_ecid_wtls10;
-static const int NID_wap_wsg_idm_ecid_wtls11;
-static const int NID_wap_wsg_idm_ecid_wtls12;
-static const int NID_ipsec3;
-static const int NID_ipsec4;
-static const char *const SN_X9_62_c2pnb163v1;
-static const char *const SN_X9_62_c2pnb163v2;
-static const char *const SN_X9_62_c2pnb163v3;
-static const char *const SN_X9_62_c2pnb176v1;
-static const char *const SN_X9_62_c2tnb191v1;
-static const char *const SN_X9_62_c2tnb191v2;
-static const char *const SN_X9_62_c2tnb191v3;
-static const char *const SN_X9_62_c2onb191v4;
-static const char *const SN_X9_62_c2onb191v5;
-static const char *const SN_X9_62_c2pnb208w1;
-static const char *const SN_X9_62_c2tnb239v1;
-static const char *const SN_X9_62_c2tnb239v2;
-static const char *const SN_X9_62_c2tnb239v3;
-static const char *const SN_X9_62_c2onb239v4;
-static const char *const SN_X9_62_c2onb239v5;
-static const char *const SN_X9_62_c2pnb272w1;
-static const char *const SN_X9_62_c2pnb304w1;
-static const char *const SN_X9_62_c2tnb359v1;
-static const char *const SN_X9_62_c2pnb368w1;
-static const char *const SN_X9_62_c2tnb431r1;
-static const char *const SN_X9_62_prime192v1;
-static const char *const SN_X9_62_prime192v2;
-static const char *const SN_X9_62_prime192v3;
-static const char *const SN_X9_62_prime239v1;
-static const char *const SN_X9_62_prime239v2;
-static const char *const SN_X9_62_prime239v3;
-static const char *const SN_X9_62_prime256v1;
-static const char *const SN_secp112r1;
-static const char *const SN_secp112r2;
-static const char *const SN_secp128r1;
-static const char *const SN_secp128r2;
-static const char *const SN_secp160k1;
-static const char *const SN_secp160r1;
-static const char *const SN_secp160r2;
-static const char *const SN_sect163k1;
-static const char *const SN_sect163r1;
-static const char *const SN_sect163r2;
-static const char *const SN_secp192k1;
-static const char *const SN_secp224k1;
-static const char *const SN_secp224r1;
-static const char *const SN_secp256k1;
-static const char *const SN_secp384r1;
-static const char *const SN_secp521r1;
-static const char *const SN_sect113r1;
-static const char *const SN_sect113r2;
-static const char *const SN_sect131r1;
-static const char *const SN_sect131r2;
-static const char *const SN_sect193r1;
-static const char *const SN_sect193r2;
-static const char *const SN_sect233k1;
-static const char *const SN_sect233r1;
-static const char *const SN_sect239k1;
-static const char *const SN_sect283k1;
-static const char *const SN_sect283r1;
-static const char *const SN_sect409k1;
-static const char *const SN_sect409r1;
-static const char *const SN_sect571k1;
-static const char *const SN_sect571r1;
-static const char *const SN_wap_wsg_idm_ecid_wtls1;
-static const char *const SN_wap_wsg_idm_ecid_wtls3;
-static const char *const SN_wap_wsg_idm_ecid_wtls4;
-static const char *const SN_wap_wsg_idm_ecid_wtls5;
-static const char *const SN_wap_wsg_idm_ecid_wtls6;
-static const char *const SN_wap_wsg_idm_ecid_wtls7;
-static const char *const SN_wap_wsg_idm_ecid_wtls8;
-static const char *const SN_wap_wsg_idm_ecid_wtls9;
-static const char *const SN_wap_wsg_idm_ecid_wtls10;
-static const char *const SN_wap_wsg_idm_ecid_wtls11;
-static const char *const SN_wap_wsg_idm_ecid_wtls12;
-static const char *const SN_ipsec3;
-static const char *const SN_ipsec4;
+static const int NID_X25519;
+static const int NID_X448;
+static const int NID_ED25519;
+static const int NID_ED448;
+static const int NID_poly1305;
-static const int NID_subject_key_identifier;
-static const int NID_authority_key_identifier;
-static const int NID_policy_constraints;
-static const int NID_ext_key_usage;
-static const int NID_info_access;
-static const int NID_key_usage;
static const int NID_subject_alt_name;
-static const int NID_issuer_alt_name;
-static const int NID_basic_constraints;
-static const int NID_issuing_distribution_point;
-static const int NID_certificate_issuer;
-static const int NID_name_constraints;
-static const int NID_crl_distribution_points;
-static const int NID_certificate_policies;
-static const int NID_inhibit_any_policy;
-
-static const int NID_private_key_usage_period;
-static const int NID_crl_number;
static const int NID_crl_reason;
-static const int NID_invalidity_date;
-static const int NID_delta_crl;
-static const int NID_any_policy;
-static const int NID_policy_mappings;
-static const int NID_target_information;
-static const int NID_no_rev_avail;
-
-static const int NID_commonName;
-static const int NID_countryName;
-static const int NID_localityName;
-static const int NID_stateOrProvinceName;
-static const int NID_organizationName;
-static const int NID_organizationalUnitName;
-static const int NID_serialNumber;
-static const int NID_surname;
-static const int NID_givenName;
-static const int NID_title;
-static const int NID_generationQualifier;
-static const int NID_dnQualifier;
-static const int NID_pseudonym;
-static const int NID_domainComponent;
-static const int NID_pkcs9_emailAddress;
"""
FUNCTIONS = """
"""
-MACROS = """
-"""
-
CUSTOMIZATIONS = """
-/* OpenSSL 0.9.8g+ */
-#if OPENSSL_VERSION_NUMBER >= 0x0090807fL
-static const long Cryptography_HAS_ECDSA_SHA2_NIDS = 1;
+#ifndef NID_X25519
+static const long Cryptography_HAS_X25519 = 0;
+static const int NID_X25519 = 0;
#else
-static const long Cryptography_HAS_ECDSA_SHA2_NIDS = 0;
-static const int NID_ecdsa_with_SHA224 = 0;
-static const int NID_ecdsa_with_SHA256 = 0;
-static const int NID_ecdsa_with_SHA384 = 0;
-static const int NID_ecdsa_with_SHA512 = 0;
+static const long Cryptography_HAS_X25519 = 1;
+#endif
+#ifndef NID_ED25519
+static const long Cryptography_HAS_ED25519 = 0;
+static const int NID_ED25519 = 0;
+#else
+static const long Cryptography_HAS_ED25519 = 1;
+#endif
+#ifndef NID_X448
+static const long Cryptography_HAS_X448 = 0;
+static const int NID_X448 = 0;
+#else
+static const long Cryptography_HAS_X448 = 1;
+#endif
+#ifndef NID_ED448
+static const long Cryptography_HAS_ED448 = 0;
+static const int NID_ED448 = 0;
+#else
+static const long Cryptography_HAS_ED448 = 1;
+#endif
+#ifndef NID_poly1305
+static const long Cryptography_HAS_POLY1305 = 0;
+static const int NID_poly1305 = 0;
+#else
+static const long Cryptography_HAS_POLY1305 = 1;
#endif
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_ECDSA_SHA2_NIDS": [
- "NID_ecdsa_with_SHA224",
- "NID_ecdsa_with_SHA256",
- "NID_ecdsa_with_SHA384",
- "NID_ecdsa_with_SHA512",
- ],
-}
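Review bot: The fallback values in the `#ifndef NID_X25519` / `NID_ED25519` / `NID_X448` / `NID_ED448` / `NID_poly1305` branches are all `0`, which is the value of `NID_undef` declared just above in TYPES, so on a build lacking one of these algorithms the substitute NID is indistinguishable from "no type". A key-type comparison such as `EVP_PKEY_id(key) == NID_X25519` made without first checking `Cryptography_HAS_X25519` would then match any untyped key, and evp.py in this same commit maps `EVP_PKEY_X25519` onto this value. evp.py uses `-1` for the absent `EVP_PKEY_DHX`; the same sentinel here (`static const int NID_X25519 = -1;` and likewise for the other four) makes an unguarded comparison harmless, or, if 0 must stay, a comment should say these NIDs equal NID_undef when absent and may only be read behind their `Cryptography_HAS_*` flag.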
diff --git a/src/_cffi_src/openssl/objects.py b/src/_cffi_src/openssl/objects.py
index 9c480b37..265ac75c 100644
--- a/src/_cffi_src/openssl/objects.py
+++ b/src/_cffi_src/openssl/objects.py
@@ -9,6 +9,14 @@ INCLUDES = """
"""
TYPES = """
+typedef struct {
+ int type;
+ int alias;
+ const char *name;
+ const char *data;
+} OBJ_NAME;
+
+static const long OBJ_NAME_TYPE_MD_METH;
"""
FUNCTIONS = """
@@ -24,13 +32,10 @@ int OBJ_obj2txt(char *, int, const ASN1_OBJECT *, int);
int OBJ_cmp(const ASN1_OBJECT *, const ASN1_OBJECT *);
ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *);
int OBJ_create(const char *, const char *, const char *);
+void OBJ_NAME_do_all(int, void (*) (const OBJ_NAME *, void *), void *);
+/* OBJ_cleanup became a macro in 1.1.0 */
void OBJ_cleanup(void);
"""
-MACROS = """
-"""
-
CUSTOMIZATIONS = """
"""
-
-CONDITIONAL_NAMES = {}
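Review bot: `OBJ_NAME_do_all` is added without noting that, as far as I recall OpenSSL's name table, the callback is invoked for alias entries as well as concrete method names (the `alias` field of the `OBJ_NAME` struct declared in the earlier hunk exists for exactly that), so a caller enumerating `OBJ_NAME_TYPE_MD_METH` will see the same digest under several names unless it filters on `alias`. Suggest `/* Callback also sees alias entries; check OBJ_NAME->alias when enumerating. */` above the declaration, in the same style as the `OBJ_cleanup` note below it.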
diff --git a/src/_cffi_src/openssl/ocsp.py b/src/_cffi_src/openssl/ocsp.py
new file mode 100644
index 00000000..829314a3
--- /dev/null
+++ b/src/_cffi_src/openssl/ocsp.py
@@ -0,0 +1,170 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/ocsp.h>
+"""
+
+TYPES = """
+typedef ... OCSP_REQUEST;
+typedef ... OCSP_ONEREQ;
+typedef ... OCSP_RESPONSE;
+typedef ... OCSP_BASICRESP;
+typedef ... OCSP_SINGLERESP;
+typedef ... OCSP_CERTID;
+typedef ... OCSP_RESPDATA;
+static const long OCSP_NOCERTS;
+static const long OCSP_RESPID_KEY;
+"""
+
+FUNCTIONS = """
+int OCSP_response_status(OCSP_RESPONSE *);
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *);
+int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *);
+const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *);
+Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(const OCSP_BASICRESP *);
+const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+ const OCSP_BASICRESP *);
+const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *);
+int OCSP_resp_get0_id(const OCSP_BASICRESP *, const ASN1_OCTET_STRING **,
+ const X509_NAME **);
+const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *);
+const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *);
+X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *, int);
+int OCSP_resp_count(OCSP_BASICRESP *);
+OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *, int);
+int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *);
+X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *, int);
+
+int OCSP_single_get0_status(OCSP_SINGLERESP *, int *, ASN1_GENERALIZEDTIME **,
+ ASN1_GENERALIZEDTIME **, ASN1_GENERALIZEDTIME **);
+
+int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *);
+X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *, int);
+int OCSP_request_onereq_count(OCSP_REQUEST *);
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *, int);
+int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *);
+X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *, int);
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *);
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *, OCSP_CERTID *);
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *, const X509 *, const X509 *);
+void OCSP_CERTID_free(OCSP_CERTID *);
+
+
+OCSP_BASICRESP *OCSP_BASICRESP_new(void);
+void OCSP_BASICRESP_free(OCSP_BASICRESP *);
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *, OCSP_CERTID *, int,
+ int, ASN1_TIME *, ASN1_TIME *,
+ ASN1_TIME *);
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *, unsigned char *, int);
+int OCSP_basic_add1_cert(OCSP_BASICRESP *, X509 *);
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *, X509_EXTENSION *, int);
+int OCSP_basic_sign(OCSP_BASICRESP *, X509 *, EVP_PKEY *, const EVP_MD *,
+ Cryptography_STACK_OF_X509 *, unsigned long);
+OCSP_RESPONSE *OCSP_response_create(int, OCSP_BASICRESP *);
+void OCSP_RESPONSE_free(OCSP_RESPONSE *);
+
+OCSP_REQUEST *OCSP_REQUEST_new(void);
+void OCSP_REQUEST_free(OCSP_REQUEST *);
+int OCSP_request_add1_nonce(OCSP_REQUEST *, unsigned char *, int);
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *, X509_EXTENSION *, int);
+int OCSP_id_get0_info(ASN1_OCTET_STRING **, ASN1_OBJECT **,
+ ASN1_OCTET_STRING **, ASN1_INTEGER **, OCSP_CERTID *);
+OCSP_REQUEST *d2i_OCSP_REQUEST_bio(BIO *, OCSP_REQUEST **);
+OCSP_RESPONSE *d2i_OCSP_RESPONSE_bio(BIO *, OCSP_RESPONSE **);
+int i2d_OCSP_REQUEST_bio(BIO *, OCSP_REQUEST *);
+int i2d_OCSP_RESPONSE_bio(BIO *, OCSP_RESPONSE *);
+int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char **);
+"""
+
+CUSTOMIZATIONS = """
+#if ( \
+ CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && \
+ CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+ )
+/* These structs come from ocsp_lcl.h and are needed to de-opaque the struct
+ for the getters in OpenSSL 1.1.0 through 1.1.0i */
+struct ocsp_responder_id_st {
+ int type;
+ union {
+ X509_NAME *byName;
+ ASN1_OCTET_STRING *byKey;
+ } value;
+};
+struct ocsp_response_data_st {
+ ASN1_INTEGER *version;
+ OCSP_RESPID responderId;
+ ASN1_GENERALIZEDTIME *producedAt;
+ STACK_OF(OCSP_SINGLERESP) *responses;
+ STACK_OF(X509_EXTENSION) *responseExtensions;
+};
+struct ocsp_basic_response_st {
+ OCSP_RESPDATA tbsResponseData;
+ X509_ALGOR signatureAlgorithm;
+ ASN1_BIT_STRING *signature;
+ STACK_OF(X509) *certs;
+};
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */
+const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
+{
+ return single->certId;
+}
+const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(
+ const OCSP_BASICRESP *bs)
+{
+ return bs->certs;
+}
+int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
+ const ASN1_OCTET_STRING **pid,
+ const X509_NAME **pname)
+{
+ const OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+
+ if (rid->type == V_OCSP_RESPID_NAME) {
+ *pname = rid->value.byName;
+ *pid = NULL;
+ } else if (rid->type == V_OCSP_RESPID_KEY) {
+ *pid = rid->value.byKey;
+ *pname = NULL;
+ } else {
+ return 0;
+ }
+ return 1;
+}
+const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+ const OCSP_BASICRESP* bs)
+{
+ return bs->tbsResponseData->producedAt;
+}
+const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
+{
+ return bs->signature;
+}
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J
+const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
+{
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ return bs->signatureAlgorithm;
+#else
+ return &bs->signatureAlgorithm;
+#endif
+}
+
+const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
+{
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ return bs->tbsResponseData;
+#else
+ return &bs->tbsResponseData;
+#endif
+}
+#endif
+"""
diff --git a/src/_cffi_src/openssl/opensslv.py b/src/_cffi_src/openssl/opensslv.py
index e6c5f269..9b0c6893 100644
--- a/src/_cffi_src/openssl/opensslv.py
+++ b/src/_cffi_src/openssl/opensslv.py
@@ -18,10 +18,5 @@ static const char *const OPENSSL_VERSION_TEXT;
FUNCTIONS = """
"""
-MACROS = """
-"""
-
CUSTOMIZATIONS = """
"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/openssl/osrandom_engine.py b/src/_cffi_src/openssl/osrandom_engine.py
new file mode 100644
index 00000000..ed1068ef
--- /dev/null
+++ b/src/_cffi_src/openssl/osrandom_engine.py
@@ -0,0 +1,24 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import os
+
+HERE = os.path.dirname(os.path.abspath(__file__))
+
+with open(os.path.join(HERE, "src/osrandom_engine.h")) as f:
+ INCLUDES = f.read()
+
+TYPES = """
+static const char *const Cryptography_osrandom_engine_name;
+static const char *const Cryptography_osrandom_engine_id;
+"""
+
+FUNCTIONS = """
+int Cryptography_add_osrandom_engine(void);
+"""
+
+with open(os.path.join(HERE, "src/osrandom_engine.c")) as f:
+ CUSTOMIZATIONS = f.read()
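Review bot: Both `open()` calls read the C sources with the locale's default encoding under Python 3, so a non-ASCII byte in either file would make the build depend on the build machine's locale. Since the module still targets Python 2 (the `__future__` import), the portable way to pin this is `io.open(os.path.join(HERE, "src/osrandom_engine.h"), encoding="utf-8")` and the same for the `.c` file, with `import io` alongside `import os`.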
diff --git a/src/_cffi_src/openssl/pem.py b/src/_cffi_src/openssl/pem.py
index 8ec3fefd..09b523d6 100644
--- a/src/_cffi_src/openssl/pem.py
+++ b/src/_cffi_src/openssl/pem.py
@@ -51,10 +51,6 @@ int PEM_write_bio_PKCS7(BIO *, PKCS7 *);
DH *PEM_read_bio_DHparams(BIO *, DH **, pem_password_cb *, void *);
-DSA *PEM_read_bio_DSAPrivateKey(BIO *, DSA **, pem_password_cb *, void *);
-
-RSA *PEM_read_bio_RSAPrivateKey(BIO *, RSA **, pem_password_cb *, void *);
-
int PEM_write_bio_DSAPrivateKey(BIO *, DSA *, const EVP_CIPHER *,
unsigned char *, int,
pem_password_cb *, void *);
@@ -63,36 +59,21 @@ int PEM_write_bio_RSAPrivateKey(BIO *, RSA *, const EVP_CIPHER *,
unsigned char *, int,
pem_password_cb *, void *);
-DSA *PEM_read_bio_DSA_PUBKEY(BIO *, DSA **, pem_password_cb *, void *);
-
RSA *PEM_read_bio_RSAPublicKey(BIO *, RSA **, pem_password_cb *, void *);
-int PEM_write_bio_DSA_PUBKEY(BIO *, DSA *);
-
int PEM_write_bio_RSAPublicKey(BIO *, const RSA *);
EVP_PKEY *PEM_read_bio_PUBKEY(BIO *, EVP_PKEY **, pem_password_cb *, void *);
int PEM_write_bio_PUBKEY(BIO *, EVP_PKEY *);
-"""
-
-MACROS = """
int PEM_write_bio_ECPrivateKey(BIO *, EC_KEY *, const EVP_CIPHER *,
unsigned char *, int, pem_password_cb *,
void *);
+int PEM_write_bio_DHparams(BIO *, DH *);
+int PEM_write_bio_DHxparams(BIO *, DH *);
"""
CUSTOMIZATIONS = """
-// Cryptography_HAS_EC is provided by ec.py so we don't need to define it here
-#ifdef OPENSSL_NO_EC
-int (*PEM_write_bio_ECPrivateKey)(BIO *, EC_KEY *, const EVP_CIPHER *,
- unsigned char *, int, pem_password_cb *,
- void *) = NULL;
+#if !defined(EVP_PKEY_DHX) || EVP_PKEY_DHX == -1
+int (*PEM_write_bio_DHxparams)(BIO *, DH *) = NULL;
#endif
-
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_EC": [
- "PEM_write_bio_ECPrivateKey"
- ]
-}
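Review bot: `PEM_write_bio_DHxparams` is replaced by a NULL function pointer in CUSTOMIZATIONS when `EVP_PKEY_DHX` is undefined or -1, but nothing in this hunk records which `Cryptography_HAS_*` constant a caller must test before using it, so on such a build the call would go through a NULL pointer. If that flag is declared in the TYPES block above this hunk or in evp.py, a comment next to the `#if` should name it, e.g. `/* NULL when <DHX feature flag> is 0; callers must check that flag first */` with the real constant substituted.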
diff --git a/src/_cffi_src/openssl/pkcs12.py b/src/_cffi_src/openssl/pkcs12.py
index fa7564ac..21a8481f 100644
--- a/src/_cffi_src/openssl/pkcs12.py
+++ b/src/_cffi_src/openssl/pkcs12.py
@@ -17,9 +17,6 @@ void PKCS12_free(PKCS12 *);
PKCS12 *d2i_PKCS12_bio(BIO *, PKCS12 **);
int i2d_PKCS12_bio(BIO *, PKCS12 *);
-"""
-
-MACROS = """
int PKCS12_parse(PKCS12 *, const char *, EVP_PKEY **, X509 **,
Cryptography_STACK_OF_X509 **);
PKCS12 *PKCS12_create(char *, char *, EVP_PKEY *, X509 *,
@@ -28,5 +25,3 @@ PKCS12 *PKCS12_create(char *, char *, EVP_PKEY *, X509 *,
CUSTOMIZATIONS = """
"""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/openssl/pkcs7.py b/src/_cffi_src/openssl/pkcs7.py
index df82afef..1bece5b7 100644
--- a/src/_cffi_src/openssl/pkcs7.py
+++ b/src/_cffi_src/openssl/pkcs7.py
@@ -10,7 +10,33 @@ INCLUDES = """
TYPES = """
typedef struct {
+ Cryptography_STACK_OF_X509 *cert;
+ Cryptography_STACK_OF_X509_CRL *crl;
+ ...;
+} PKCS7_SIGNED;
+
+typedef struct {
+ Cryptography_STACK_OF_X509 *cert;
+ Cryptography_STACK_OF_X509_CRL *crl;
+ ...;
+} PKCS7_SIGN_ENVELOPE;
+
+typedef ... PKCS7_DIGEST;
+typedef ... PKCS7_ENCRYPT;
+typedef ... PKCS7_ENVELOPE;
+
+typedef struct {
ASN1_OBJECT *type;
+ union {
+ char *ptr;
+ ASN1_OCTET_STRING *data;
+ PKCS7_SIGNED *sign;
+ PKCS7_ENVELOPE *enveloped;
+ PKCS7_SIGN_ENVELOPE *signed_and_enveloped;
+ PKCS7_DIGEST *digest;
+ PKCS7_ENCRYPT *encrypted;
+ ASN1_TYPE *other;
+ } d;
...;
} PKCS7;
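Review bot: The `d` union added to the `PKCS7` cdef exposes every content pointer at once, but only the member matching the object's `type` holds a valid pointer, and nothing in TYPES says how to pick it; a comment would prevent misuse, e.g. `/* only the member selected by the matching PKCS7_type_is_*() helper is valid; dereferencing another member is unsafe */`. The second hunk of this file adds `PKCS7_type_is_encrypted` and `PKCS7_type_is_digest`, which together with the existing helpers cover every member declared here.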
@@ -44,15 +70,14 @@ Cryptography_STACK_OF_X509 *PKCS7_get0_signers(PKCS7 *,
PKCS7 *PKCS7_encrypt(Cryptography_STACK_OF_X509 *, BIO *,
const EVP_CIPHER *, int);
int PKCS7_decrypt(PKCS7 *, EVP_PKEY *, X509 *, BIO *, int);
-"""
-MACROS = """
+BIO *PKCS7_dataInit(PKCS7 *, BIO *);
+int PKCS7_type_is_encrypted(PKCS7 *);
int PKCS7_type_is_signed(PKCS7 *);
int PKCS7_type_is_enveloped(PKCS7 *);
int PKCS7_type_is_signedAndEnveloped(PKCS7 *);
int PKCS7_type_is_data(PKCS7 *);
+int PKCS7_type_is_digest(PKCS7 *);
"""
CUSTOMIZATIONS = ""
-
-CONDITIONAL_NAMES = {}
diff --git a/src/_cffi_src/openssl/rand.py b/src/_cffi_src/openssl/rand.py
index 6330482c..c0cd6836 100644
--- a/src/_cffi_src/openssl/rand.py
+++ b/src/_cffi_src/openssl/rand.py
@@ -9,43 +9,23 @@ INCLUDES = """
"""
TYPES = """
+typedef ... RAND_METHOD;
+
static const long Cryptography_HAS_EGD;
"""
FUNCTIONS = """
-void ERR_load_RAND_strings(void);
-void RAND_seed(const void *, int);
+int RAND_set_rand_method(const RAND_METHOD *);
void RAND_add(const void *, int, double);
int RAND_status(void);
-const char *RAND_file_name(char *, size_t);
-int RAND_load_file(const char *, long);
-int RAND_write_file(const char *);
-void RAND_cleanup(void);
int RAND_bytes(unsigned char *, int);
-int RAND_pseudo_bytes(unsigned char *, int);
-"""
-
-MACROS = """
-int RAND_egd(const char *);
-int RAND_egd_bytes(const char *, int);
-int RAND_query_egd_bytes(const char *, unsigned char *, int);
+/* ERR_load_RAND_strings started returning an int in 1.1.0. Unfortunately we
+ can't declare a conditional signature like that. Since it always returns
+ 1 we'll just lie about the signature to preserve compatibility for
+ pyOpenSSL (which calls this in its rand.py as of mid-2016) */
+void ERR_load_RAND_strings(void);
"""
CUSTOMIZATIONS = """
-#if defined(LIBRESSL_VERSION_NUMBER)
static const long Cryptography_HAS_EGD = 0;
-int (*RAND_egd)(const char *) = NULL;
-int (*RAND_egd_bytes)(const char *, int) = NULL;
-int (*RAND_query_egd_bytes)(const char *, unsigned char *, int) = NULL;
-#else
-static const long Cryptography_HAS_EGD = 1;
-#endif
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_EGD": [
- "RAND_egd",
- "RAND_egd_bytes",
- "RAND_query_egd_bytes",
- ]
-}
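Review bot: `Cryptography_HAS_EGD` is now hard-wired to 0 in CUSTOMIZATIONS while the `RAND_egd*` declarations and their conditional-names entry are removed, so the constant has no consumer left in this file and its reason for staying is not recorded; presumably it is kept so callers that still test it keep working, and a comment should say so, e.g. `/* EGD support was removed; kept at 0 for callers that still test this flag */`. The added `RAND_set_rand_method` cdef would also benefit from a one-line note that, as far as I can tell, it swaps the RAND method for the whole process rather than for this library alone.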
diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py
index 8bac7895..4b915463 100644
--- a/src/_cffi_src/openssl/rsa.py
+++ b/src/_cffi_src/openssl/rsa.py
@@ -9,28 +9,17 @@ INCLUDES = """
"""
TYPES = """
-typedef struct rsa_st {
- BIGNUM *n;
- BIGNUM *e;
- BIGNUM *d;
- BIGNUM *p;
- BIGNUM *q;
- BIGNUM *dmp1;
- BIGNUM *dmq1;
- BIGNUM *iqmp;
- ...;
-} RSA;
+typedef ... RSA;
typedef ... BN_GENCB;
static const int RSA_PKCS1_PADDING;
-static const int RSA_SSLV23_PADDING;
static const int RSA_NO_PADDING;
static const int RSA_PKCS1_OAEP_PADDING;
-static const int RSA_X931_PADDING;
static const int RSA_PKCS1_PSS_PADDING;
static const int RSA_F4;
static const int Cryptography_HAS_PSS_PADDING;
-static const int Cryptography_HAS_MGF1_MD;
+static const int Cryptography_HAS_RSA_OAEP_MD;
+static const int Cryptography_HAS_RSA_OAEP_LABEL;
"""
FUNCTIONS = """
@@ -41,7 +30,6 @@ int RSA_generate_key_ex(RSA *, int, BIGNUM *, BN_GENCB *);
int RSA_check_key(const RSA *);
RSA *RSAPublicKey_dup(RSA *);
int RSA_blinding_on(RSA *, BN_CTX *);
-void RSA_blinding_off(RSA *);
int RSA_public_encrypt(int, const unsigned char *, unsigned char *,
RSA *, int);
int RSA_private_encrypt(int, const unsigned char *, unsigned char *,
@@ -51,49 +39,146 @@ int RSA_public_decrypt(int, const unsigned char *, unsigned char *,
int RSA_private_decrypt(int, const unsigned char *, unsigned char *,
RSA *, int);
int RSA_print(BIO *, const RSA *, int);
-int RSA_verify_PKCS1_PSS(RSA *, const unsigned char *, const EVP_MD *,
- const unsigned char *, int);
-int RSA_padding_add_PKCS1_PSS(RSA *, unsigned char *, const unsigned char *,
- const EVP_MD *, int);
-int RSA_padding_add_PKCS1_OAEP(unsigned char *, int, const unsigned char *,
- int, const unsigned char *, int);
-int RSA_padding_check_PKCS1_OAEP(unsigned char *, int, const unsigned char *,
- int, int, const unsigned char *, int);
-"""
-MACROS = """
+/* added in 1.1.0 when the RSA struct was opaqued */
+int RSA_set0_key(RSA *, BIGNUM *, BIGNUM *, BIGNUM *);
+int RSA_set0_factors(RSA *, BIGNUM *, BIGNUM *);
+int RSA_set0_crt_params(RSA *, BIGNUM *, BIGNUM *, BIGNUM *);
+void RSA_get0_key(const RSA *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **);
+void RSA_get0_factors(const RSA *, const BIGNUM **, const BIGNUM **);
+void RSA_get0_crt_params(const RSA *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **);
int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *, int);
int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *, int);
int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *, EVP_MD *);
+int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *, unsigned char *, int);
+
+int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *, EVP_MD *);
"""
CUSTOMIZATIONS = """
-#if OPENSSL_VERSION_NUMBER >= 0x10000000
static const long Cryptography_HAS_PSS_PADDING = 1;
+
+#if defined(EVP_PKEY_CTX_set_rsa_oaep_md)
+static const long Cryptography_HAS_RSA_OAEP_MD = 1;
#else
-/* see evp.py for the definition of Cryptography_HAS_PKEY_CTX */
-static const long Cryptography_HAS_PSS_PADDING = 0;
-int (*EVP_PKEY_CTX_set_rsa_padding)(EVP_PKEY_CTX *, int) = NULL;
-int (*EVP_PKEY_CTX_set_rsa_pss_saltlen)(EVP_PKEY_CTX *, int) = NULL;
-static const long RSA_PKCS1_PSS_PADDING = 0;
+static const long Cryptography_HAS_RSA_OAEP_MD = 0;
+int (*EVP_PKEY_CTX_set_rsa_oaep_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x1000100f
-static const long Cryptography_HAS_MGF1_MD = 1;
+
+#if defined(EVP_PKEY_CTX_set0_rsa_oaep_label)
+static const long Cryptography_HAS_RSA_OAEP_LABEL = 1;
#else
-static const long Cryptography_HAS_MGF1_MD = 0;
-int (*EVP_PKEY_CTX_set_rsa_mgf1_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
+static const long Cryptography_HAS_RSA_OAEP_LABEL = 0;
+int (*EVP_PKEY_CTX_set0_rsa_oaep_label)(EVP_PKEY_CTX *, unsigned char *,
+ int) = NULL;
#endif
-"""
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_PKEY_CTX": [
- "EVP_PKEY_CTX_set_rsa_padding",
- "EVP_PKEY_CTX_set_rsa_pss_saltlen",
- ],
- "Cryptography_HAS_PSS_PADDING": [
- "RSA_PKCS1_PSS_PADDING",
- ],
- "Cryptography_HAS_MGF1_MD": [
- "EVP_PKEY_CTX_set_rsa_mgf1_md",
- ],
+/* These functions were added in OpenSSL 1.1.0 */
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL
+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
+{
+ /* If the fields n and e in r are NULL, the corresponding input
+ * parameters MUST be non-NULL for n and e. d may be
+ * left NULL (in case only the public key is used).
+ */
+ if ((r->n == NULL && n == NULL)
+ || (r->e == NULL && e == NULL))
+ return 0;
+
+ if (n != NULL) {
+ BN_free(r->n);
+ r->n = n;
+ }
+ if (e != NULL) {
+ BN_free(r->e);
+ r->e = e;
+ }
+ if (d != NULL) {
+ BN_free(r->d);
+ r->d = d;
+ }
+
+ return 1;
+}
+
+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
+{
+ /* If the fields p and q in r are NULL, the corresponding input
+ * parameters MUST be non-NULL.
+ */
+ if ((r->p == NULL && p == NULL)
+ || (r->q == NULL && q == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(r->p);
+ r->p = p;
+ }
+ if (q != NULL) {
+ BN_free(r->q);
+ r->q = q;
+ }
+
+ return 1;
}
+
+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
+{
+ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
+ * parameters MUST be non-NULL.
+ */
+ if ((r->dmp1 == NULL && dmp1 == NULL)
+ || (r->dmq1 == NULL && dmq1 == NULL)
+ || (r->iqmp == NULL && iqmp == NULL))
+ return 0;
+
+ if (dmp1 != NULL) {
+ BN_free(r->dmp1);
+ r->dmp1 = dmp1;
+ }
+ if (dmq1 != NULL) {
+ BN_free(r->dmq1);
+ r->dmq1 = dmq1;
+ }
+ if (iqmp != NULL) {
+ BN_free(r->iqmp);
+ r->iqmp = iqmp;
+ }
+
+ return 1;
+}
+
+void RSA_get0_key(const RSA *r,
+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+{
+ if (n != NULL)
+ *n = r->n;
+ if (e != NULL)
+ *e = r->e;
+ if (d != NULL)
+ *d = r->d;
+}
+
+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
+{
+ if (p != NULL)
+ *p = r->p;
+ if (q != NULL)
+ *q = r->q;
+}
+
+void RSA_get0_crt_params(const RSA *r,
+ const BIGNUM **dmp1, const BIGNUM **dmq1,
+ const BIGNUM **iqmp)
+{
+ if (dmp1 != NULL)
+ *dmp1 = r->dmp1;
+ if (dmq1 != NULL)
+ *dmq1 = r->dmq1;
+ if (iqmp != NULL)
+ *iqmp = r->iqmp;
+}
+#endif
+"""
diff --git a/src/_cffi_src/openssl/src/osrandom_engine.c b/src/_cffi_src/openssl/src/osrandom_engine.c
new file mode 100644
index 00000000..dc7b1d5e
--- /dev/null
+++ b/src/_cffi_src/openssl/src/osrandom_engine.c
@@ -0,0 +1,659 @@
+/* osurandom engine
+ *
+ * Windows CryptGenRandom()
+ * macOS >= 10.12 getentropy()
+ * OpenBSD 5.6+ getentropy()
+ * other BSD getentropy() if SYS_getentropy is defined
+ * Linux 3.17+ getrandom() with fallback to /dev/urandom
+ * other /dev/urandom with cached fd
+ *
+ * The /dev/urandom, getrandom and getentropy code is derived from Python's
+ * Python/random.c, written by Antoine Pitrou and Victor Stinner.
+ *
+ * Copyright 2001-2016 Python Software Foundation; All Rights Reserved.
+ */
+
+#ifdef __linux__
+#include <poll.h>
+#endif
+
+#ifndef OPENSSL_NO_ENGINE
+/* OpenSSL has ENGINE support so build the engine. */
+static const char *Cryptography_osrandom_engine_id = "osrandom";
+
+/****************************************************************************
+ * Windows
+ */
+#if CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_CRYPTGENRANDOM
+static const char *Cryptography_osrandom_engine_name = "osrandom_engine CryptGenRandom()";
+static HCRYPTPROV hCryptProv = 0;
+
+static int osrandom_init(ENGINE *e) {
+ if (hCryptProv != 0) {
+ return 1;
+ }
+ if (CryptAcquireContext(&hCryptProv, NULL, NULL,
+ PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
+ return 1;
+ } else {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_INIT,
+ CRYPTOGRAPHY_OSRANDOM_R_CRYPTACQUIRECONTEXT,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+}
+
+static int osrandom_rand_bytes(unsigned char *buffer, int size) {
+ if (hCryptProv == 0) {
+ return 0;
+ }
+
+ if (!CryptGenRandom(hCryptProv, (DWORD)size, buffer)) {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
+ CRYPTOGRAPHY_OSRANDOM_R_CRYPTGENRANDOM,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+ return 1;
+}
+
+static int osrandom_finish(ENGINE *e) {
+ if (CryptReleaseContext(hCryptProv, 0)) {
+ hCryptProv = 0;
+ return 1;
+ } else {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_FINISH,
+ CRYPTOGRAPHY_OSRANDOM_R_CRYPTRELEASECONTEXT,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+}
+
+static int osrandom_rand_status(void) {
+ return hCryptProv != 0;
+}
+
+static const char *osurandom_get_implementation(void) {
+ return "CryptGenRandom";
+}
+
+#endif /* CRYPTOGRAPHY_OSRANDOM_ENGINE_CRYPTGENRANDOM */
+
+/****************************************************************************
+ * /dev/urandom helpers for all non-BSD Unix platforms
+ */
+#ifdef CRYPTOGRAPHY_OSRANDOM_NEEDS_DEV_URANDOM
+
+static struct {
+ int fd;
+ dev_t st_dev;
+ ino_t st_ino;
+} urandom_cache = { -1 };
+
+static int open_cloexec(const char *path) {
+ int open_flags = O_RDONLY;
+#ifdef O_CLOEXEC
+ open_flags |= O_CLOEXEC;
+#endif
+
+ int fd = open(path, open_flags);
+ if (fd == -1) {
+ return -1;
+ }
+
+#ifndef O_CLOEXEC
+ int flags = fcntl(fd, F_GETFD);
+ if (flags == -1) {
+ return -1;
+ }
+ if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) {
+ return -1;
+ }
+#endif
+ return fd;
+}
+
+#ifdef __linux__
+/* On Linux, we open("/dev/random") and use poll() to wait until it's readable
+ * before we read from /dev/urandom, this ensures that we don't read from
+ * /dev/urandom before the kernel CSPRNG is initialized. This isn't necessary on
+ * other platforms because they don't have the same _bug_ as Linux does with
+ * /dev/urandom and early boot. */
+static int wait_on_devrandom(void) {
+ struct pollfd pfd = {};
+ int ret = 0;
+ int random_fd = open_cloexec("/dev/random");
+ if (random_fd < 0) {
+ return -1;
+ }
+ pfd.fd = random_fd;
+ pfd.events = POLLIN;
+ pfd.revents = 0;
+ do {
+ ret = poll(&pfd, 1, -1);
+ } while (ret < 0 && (errno == EINTR || errno == EAGAIN));
+ close(random_fd);
+ return ret;
+}
+#endif
+
+/* return -1 on error */
+static int dev_urandom_fd(void) {
+ int fd = -1;
+ struct stat st;
+
+ /* Check that fd still points to the correct device */
+ if (urandom_cache.fd >= 0) {
+ if (fstat(urandom_cache.fd, &st)
+ || st.st_dev != urandom_cache.st_dev
+ || st.st_ino != urandom_cache.st_ino) {
+ /* Somebody replaced our FD. Invalidate our cache but don't
+ * close the fd. */
+ urandom_cache.fd = -1;
+ }
+ }
+ if (urandom_cache.fd < 0) {
+#ifdef __linux__
+ if (wait_on_devrandom() < 0) {
+ goto error;
+ }
+#endif
+
+ fd = open_cloexec("/dev/urandom");
+ if (fd < 0) {
+ goto error;
+ }
+ if (fstat(fd, &st)) {
+ goto error;
+ }
+ /* Another thread initialized the fd */
+ if (urandom_cache.fd >= 0) {
+ close(fd);
+ return urandom_cache.fd;
+ }
+ urandom_cache.st_dev = st.st_dev;
+ urandom_cache.st_ino = st.st_ino;
+ urandom_cache.fd = fd;
+ }
+ return urandom_cache.fd;
+
+ error:
+ if (fd != -1) {
+ close(fd);
+ }
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_FD,
+ CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_OPEN_FAILED,
+ __FILE__, __LINE__
+ );
+ return -1;
+}
+
+static int dev_urandom_read(unsigned char *buffer, int size) {
+ int fd;
+ int n;
+
+ fd = dev_urandom_fd();
+ if (fd < 0) {
+ return 0;
+ }
+
+ while (size > 0) {
+ do {
+ n = (int)read(fd, buffer, (size_t)size);
+ } while (n < 0 && errno == EINTR);
+
+ if (n <= 0) {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_READ,
+ CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_READ_FAILED,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+ buffer += n;
+ size -= n;
+ }
+ return 1;
+}
+
+static void dev_urandom_close(void) {
+ if (urandom_cache.fd >= 0) {
+ int fd;
+ struct stat st;
+
+ if (fstat(urandom_cache.fd, &st)
+ && st.st_dev == urandom_cache.st_dev
+ && st.st_ino == urandom_cache.st_ino) {
+ fd = urandom_cache.fd;
+ urandom_cache.fd = -1;
+ close(fd);
+ }
+ }
+}
+#endif /* CRYPTOGRAPHY_OSRANDOM_NEEDS_DEV_URANDOM */
+
+/****************************************************************************
+ * BSD getentropy
+ */
+#if CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_GETENTROPY
+static const char *Cryptography_osrandom_engine_name = "osrandom_engine getentropy()";
+
+static int getentropy_works = CRYPTOGRAPHY_OSRANDOM_GETENTROPY_NOT_INIT;
+
+static int osrandom_init(ENGINE *e) {
+#if !defined(__APPLE__)
+ getentropy_works = CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS;
+#else
+ if (__builtin_available(macOS 10.12, *)) {
+ getentropy_works = CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS;
+ } else {
+ getentropy_works = CRYPTOGRAPHY_OSRANDOM_GETENTROPY_FALLBACK;
+ int fd = dev_urandom_fd();
+ if (fd < 0) {
+ return 0;
+ }
+ }
+#endif
+ return 1;
+}
+
+static int osrandom_rand_bytes(unsigned char *buffer, int size) {
+ int len;
+ int res;
+
+ switch(getentropy_works) {
+#if defined(__APPLE__)
+ case CRYPTOGRAPHY_OSRANDOM_GETENTROPY_FALLBACK:
+ return dev_urandom_read(buffer, size);
+#endif
+ case CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS:
+ while (size > 0) {
+ /* OpenBSD and macOS restrict maximum buffer size to 256. */
+ len = size > 256 ? 256 : size;
+/* on mac, availability is already checked using `__builtin_available` above */
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunguarded-availability"
+ res = getentropy(buffer, (size_t)len);
+#pragma clang diagnostic pop
+ if (res < 0) {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
+ CRYPTOGRAPHY_OSRANDOM_R_GETENTROPY_FAILED,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+ buffer += len;
+ size -= len;
+ }
+ return 1;
+ }
+ __builtin_unreachable();
+}
+
+static int osrandom_finish(ENGINE *e) {
+ return 1;
+}
+
+static int osrandom_rand_status(void) {
+ return 1;
+}
+
+static const char *osurandom_get_implementation(void) {
+ switch(getentropy_works) {
+ case CRYPTOGRAPHY_OSRANDOM_GETENTROPY_FALLBACK:
+ return "/dev/urandom";
+ case CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS:
+ return "getentropy";
+ }
+ __builtin_unreachable();
+}
+#endif /* CRYPTOGRAPHY_OSRANDOM_ENGINE_GETENTROPY */
+
+/****************************************************************************
+ * Linux getrandom engine with fallback to dev_urandom
+ */
+
+#if CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_GETRANDOM
+static const char *Cryptography_osrandom_engine_name = "osrandom_engine getrandom()";
+
+static int getrandom_works = CRYPTOGRAPHY_OSRANDOM_GETRANDOM_NOT_INIT;
+
+static int osrandom_init(ENGINE *e) {
+ /* We try to detect working getrandom until we succeed. */
+ if (getrandom_works != CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS) {
+ long n;
+ char dest[1];
+ /* if the kernel CSPRNG is not initialized this will block */
+ n = syscall(SYS_getrandom, dest, sizeof(dest), 0);
+ if (n == sizeof(dest)) {
+ getrandom_works = CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS;
+ } else {
+ int e = errno;
+ switch(e) {
+ case ENOSYS:
+ /* Fallback: Kernel does not support the syscall. */
+ getrandom_works = CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK;
+ break;
+ case EPERM:
+ /* Fallback: seccomp prevents syscall */
+ getrandom_works = CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK;
+ break;
+ default:
+ /* EINTR cannot occur for buflen < 256. */
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_INIT,
+ CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED_UNEXPECTED,
+ "errno", e
+ );
+ getrandom_works = CRYPTOGRAPHY_OSRANDOM_GETRANDOM_INIT_FAILED;
+ break;
+ }
+ }
+ }
+
+ /* fallback to dev urandom */
+ if (getrandom_works == CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK) {
+ int fd = dev_urandom_fd();
+ if (fd < 0) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static int osrandom_rand_bytes(unsigned char *buffer, int size) {
+ long n;
+
+ switch(getrandom_works) {
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_INIT_FAILED:
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
+ CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED,
+ __FILE__, __LINE__
+ );
+ return 0;
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_NOT_INIT:
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
+ CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_NOT_INIT,
+ __FILE__, __LINE__
+ );
+ return 0;
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK:
+ return dev_urandom_read(buffer, size);
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS:
+ while (size > 0) {
+ do {
+ n = syscall(SYS_getrandom, buffer, size, 0);
+ } while (n < 0 && errno == EINTR);
+
+ if (n <= 0) {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
+ CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_FAILED,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+ buffer += n;
+ size -= (int)n;
+ }
+ return 1;
+ }
+ __builtin_unreachable();
+}
+
+static int osrandom_finish(ENGINE *e) {
+ dev_urandom_close();
+ return 1;
+}
+
+static int osrandom_rand_status(void) {
+ switch(getrandom_works) {
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_INIT_FAILED:
+ return 0;
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_NOT_INIT:
+ return 0;
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK:
+ return urandom_cache.fd >= 0;
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS:
+ return 1;
+ }
+ __builtin_unreachable();
+}
+
+static const char *osurandom_get_implementation(void) {
+ switch(getrandom_works) {
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_INIT_FAILED:
+ return "<failed>";
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_NOT_INIT:
+ return "<not initialized>";
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK:
+ return "/dev/urandom";
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS:
+ return "getrandom";
+ }
+ __builtin_unreachable();
+}
+#endif /* CRYPTOGRAPHY_OSRANDOM_ENGINE_GETRANDOM */
+
+/****************************************************************************
+ * dev_urandom engine for all remaining platforms
+ */
+
+#if CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_DEV_URANDOM
+static const char *Cryptography_osrandom_engine_name = "osrandom_engine /dev/urandom";
+
+static int osrandom_init(ENGINE *e) {
+ int fd = dev_urandom_fd();
+ if (fd < 0) {
+ return 0;
+ }
+ return 1;
+}
+
+static int osrandom_rand_bytes(unsigned char *buffer, int size) {
+ return dev_urandom_read(buffer, size);
+}
+
+static int osrandom_finish(ENGINE *e) {
+ dev_urandom_close();
+ return 1;
+}
+
+static int osrandom_rand_status(void) {
+ return urandom_cache.fd >= 0;
+}
+
+static const char *osurandom_get_implementation(void) {
+ return "/dev/urandom";
+}
+#endif /* CRYPTOGRAPHY_OSRANDOM_ENGINE_DEV_URANDOM */
+
+/****************************************************************************
+ * ENGINE boiler plate
+ */
+
+/* This replicates the behavior of the OpenSSL FIPS RNG, which returns a
+ -1 in the event that there is an error when calling RAND_pseudo_bytes. */
+static int osrandom_pseudo_rand_bytes(unsigned char *buffer, int size) {
+ int res = osrandom_rand_bytes(buffer, size);
+ if (res == 0) {
+ return -1;
+ } else {
+ return res;
+ }
+}
+
+static RAND_METHOD osrandom_rand = {
+ NULL,
+ osrandom_rand_bytes,
+ NULL,
+ NULL,
+ osrandom_pseudo_rand_bytes,
+ osrandom_rand_status,
+};
+
+static const ENGINE_CMD_DEFN osrandom_cmd_defns[] = {
+ {CRYPTOGRAPHY_OSRANDOM_GET_IMPLEMENTATION,
+ "get_implementation",
+ "Get CPRNG implementation.",
+ ENGINE_CMD_FLAG_NO_INPUT},
+ {0, NULL, NULL, 0}
+};
+
+static int osrandom_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) {
+ const char *name;
+ size_t len;
+
+ switch (cmd) {
+ case CRYPTOGRAPHY_OSRANDOM_GET_IMPLEMENTATION:
+ /* i: buffer size, p: char* buffer */
+ name = osurandom_get_implementation();
+ len = strlen(name);
+ if ((p == NULL) && (i == 0)) {
+ /* return required buffer len */
+ return (int)len;
+ }
+ if ((p == NULL) || i < 0 || ((size_t)i <= len)) {
+ /* no buffer or buffer too small */
+ ENGINEerr(ENGINE_F_ENGINE_CTRL, ENGINE_R_INVALID_ARGUMENT);
+ return 0;
+ }
+ strncpy((char *)p, name, len);
+ return (int)len;
+ default:
+ ENGINEerr(ENGINE_F_ENGINE_CTRL, ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+ return 0;
+ }
+}
+
+/* error reporting */
+#define ERR_FUNC(func) ERR_PACK(0, func, 0)
+#define ERR_REASON(reason) ERR_PACK(0, 0, reason)
+
+static ERR_STRING_DATA CRYPTOGRAPHY_OSRANDOM_lib_name[] = {
+ {0, "osrandom_engine"},
+ {0, NULL}
+};
+
+static ERR_STRING_DATA CRYPTOGRAPHY_OSRANDOM_str_funcs[] = {
+ {ERR_FUNC(CRYPTOGRAPHY_OSRANDOM_F_INIT),
+ "osrandom_init"},
+ {ERR_FUNC(CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES),
+ "osrandom_rand_bytes"},
+ {ERR_FUNC(CRYPTOGRAPHY_OSRANDOM_F_FINISH),
+ "osrandom_finish"},
+ {ERR_FUNC(CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_FD),
+ "dev_urandom_fd"},
+ {ERR_FUNC(CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_READ),
+ "dev_urandom_read"},
+ {0, NULL}
+};
+
+static ERR_STRING_DATA CRYPTOGRAPHY_OSRANDOM_str_reasons[] = {
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_CRYPTACQUIRECONTEXT),
+ "CryptAcquireContext() failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_CRYPTGENRANDOM),
+ "CryptGenRandom() failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_CRYPTRELEASECONTEXT),
+ "CryptReleaseContext() failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_GETENTROPY_FAILED),
+ "getentropy() failed"},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_OPEN_FAILED),
+ "open('/dev/urandom') failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_READ_FAILED),
+ "Reading from /dev/urandom fd failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED),
+ "getrandom() initialization failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED_UNEXPECTED),
+ "getrandom() initialization failed with unexpected errno."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_FAILED),
+ "getrandom() syscall failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_NOT_INIT),
+ "getrandom() engine was not properly initialized."},
+ {0, NULL}
+};
+
+static int Cryptography_OSRandom_lib_error_code = 0;
+
+static void ERR_load_Cryptography_OSRandom_strings(void)
+{
+ if (Cryptography_OSRandom_lib_error_code == 0) {
+ Cryptography_OSRandom_lib_error_code = ERR_get_next_error_library();
+ ERR_load_strings(Cryptography_OSRandom_lib_error_code,
+ CRYPTOGRAPHY_OSRANDOM_lib_name);
+ ERR_load_strings(Cryptography_OSRandom_lib_error_code,
+ CRYPTOGRAPHY_OSRANDOM_str_funcs);
+ ERR_load_strings(Cryptography_OSRandom_lib_error_code,
+ CRYPTOGRAPHY_OSRANDOM_str_reasons);
+ }
+}
+
+static void ERR_Cryptography_OSRandom_error(int function, int reason,
+ char *file, int line)
+{
+ ERR_PUT_error(Cryptography_OSRandom_lib_error_code, function, reason,
+ file, line);
+}
+
+/* Returns 1 if successfully added, 2 if engine has previously been added,
+ and 0 for error. */
+int Cryptography_add_osrandom_engine(void) {
+ ENGINE *e;
+
+ ERR_load_Cryptography_OSRandom_strings();
+
+ e = ENGINE_by_id(Cryptography_osrandom_engine_id);
+ if (e != NULL) {
+ ENGINE_free(e);
+ return 2;
+ } else {
+ ERR_clear_error();
+ }
+
+ e = ENGINE_new();
+ if (e == NULL) {
+ return 0;
+ }
+ if (!ENGINE_set_id(e, Cryptography_osrandom_engine_id) ||
+ !ENGINE_set_name(e, Cryptography_osrandom_engine_name) ||
+ !ENGINE_set_RAND(e, &osrandom_rand) ||
+ !ENGINE_set_init_function(e, osrandom_init) ||
+ !ENGINE_set_finish_function(e, osrandom_finish) ||
+ !ENGINE_set_cmd_defns(e, osrandom_cmd_defns) ||
+ !ENGINE_set_ctrl_function(e, osrandom_ctrl)) {
+ ENGINE_free(e);
+ return 0;
+ }
+ if (!ENGINE_add(e)) {
+ ENGINE_free(e);
+ return 0;
+ }
+ if (!ENGINE_free(e)) {
+ return 0;
+ }
+
+ return 1;
+}
+
+#else
+/* If OpenSSL has no ENGINE support then we don't want
+ * to compile the osrandom engine, but we do need some
+ * placeholders */
+static const char *Cryptography_osrandom_engine_id = "no-engine-support";
+static const char *Cryptography_osrandom_engine_name = "osrandom_engine disabled due to no engine support";
+
+int Cryptography_add_osrandom_engine(void) {
+ return 0;
+}
+
+#endif
diff --git a/src/_cffi_src/openssl/src/osrandom_engine.h b/src/_cffi_src/openssl/src/osrandom_engine.h
new file mode 100644
index 00000000..cf394f22
--- /dev/null
+++ b/src/_cffi_src/openssl/src/osrandom_engine.h
@@ -0,0 +1,114 @@
+#ifndef OPENSSL_NO_ENGINE
+/* OpenSSL has ENGINE support so include all of this. */
+#ifdef _WIN32
+ #include <Wincrypt.h>
+#else
+ #include <fcntl.h>
+ #include <unistd.h>
+ /* for defined(BSD) */
+ #include <sys/param.h>
+
+ #ifdef BSD
+ /* for SYS_getentropy */
+ #include <sys/syscall.h>
+ #endif
+
+ #ifdef __APPLE__
+ #include <sys/random.h>
+ /* To support weak linking we need to declare this as a weak import even if
+ * it's not present in sys/random (e.g. macOS < 10.12). */
+ extern int getentropy(void *buffer, size_t size) __attribute((weak_import));
+ #endif
+
+ #ifdef __linux__
+ /* for SYS_getrandom */
+ #include <sys/syscall.h>
+ #ifndef GRND_NONBLOCK
+ #define GRND_NONBLOCK 0x0001
+ #endif /* GRND_NONBLOCK */
+
+ #ifndef SYS_getrandom
+ /* We only bother to define the constants for platforms where we ship
+ * wheels, since that's the predominant way you get a situation where
+ * you don't have SYS_getrandom at compile time but do have the syscall
+ * at runtime */
+ #if defined __x86_64__
+ #define SYS_getrandom 318
+ #elif defined(__i386__)
+ #define SYS_getrandom 355
+ #endif
+ #endif
+ #endif /* __linux__ */
+#endif /* _WIN32 */
+
+#define CRYPTOGRAPHY_OSRANDOM_ENGINE_CRYPTGENRANDOM 1
+#define CRYPTOGRAPHY_OSRANDOM_ENGINE_GETENTROPY 2
+#define CRYPTOGRAPHY_OSRANDOM_ENGINE_GETRANDOM 3
+#define CRYPTOGRAPHY_OSRANDOM_ENGINE_DEV_URANDOM 4
+
+#ifndef CRYPTOGRAPHY_OSRANDOM_ENGINE
+ #if defined(_WIN32)
+ /* Windows */
+ #define CRYPTOGRAPHY_OSRANDOM_ENGINE CRYPTOGRAPHY_OSRANDOM_ENGINE_CRYPTGENRANDOM
+ #elif defined(BSD) && defined(SYS_getentropy)
+ /* OpenBSD 5.6+ & macOS with SYS_getentropy defined, although < 10.12 will fallback
+ * to urandom */
+ #define CRYPTOGRAPHY_OSRANDOM_ENGINE CRYPTOGRAPHY_OSRANDOM_ENGINE_GETENTROPY
+ #elif defined(__linux__) && defined(SYS_getrandom)
+ /* Linux 3.17+ */
+ #define CRYPTOGRAPHY_OSRANDOM_ENGINE CRYPTOGRAPHY_OSRANDOM_ENGINE_GETRANDOM
+ #else
+ /* Keep this as last entry, fall back to /dev/urandom */
+ #define CRYPTOGRAPHY_OSRANDOM_ENGINE CRYPTOGRAPHY_OSRANDOM_ENGINE_DEV_URANDOM
+ #endif
+#endif /* CRYPTOGRAPHY_OSRANDOM_ENGINE */
+
+/* Fallbacks need /dev/urandom helper functions. */
+#if CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_GETRANDOM || \
+ CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_DEV_URANDOM || \
+ (CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_GETENTROPY && \
+ defined(__APPLE__))
+ #define CRYPTOGRAPHY_OSRANDOM_NEEDS_DEV_URANDOM 1
+#endif
+
+enum {
+ CRYPTOGRAPHY_OSRANDOM_GETRANDOM_INIT_FAILED = -2,
+ CRYPTOGRAPHY_OSRANDOM_GETRANDOM_NOT_INIT,
+ CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK,
+ CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS
+};
+
+enum {
+ CRYPTOGRAPHY_OSRANDOM_GETENTROPY_NOT_INIT,
+ CRYPTOGRAPHY_OSRANDOM_GETENTROPY_FALLBACK,
+ CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS
+};
+
+/* engine ctrl */
+#define CRYPTOGRAPHY_OSRANDOM_GET_IMPLEMENTATION ENGINE_CMD_BASE
+
+/* error reporting */
+static void ERR_load_Cryptography_OSRandom_strings(void);
+static void ERR_Cryptography_OSRandom_error(int function, int reason,
+ char *file, int line);
+
+#define CRYPTOGRAPHY_OSRANDOM_F_INIT 100
+#define CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES 101
+#define CRYPTOGRAPHY_OSRANDOM_F_FINISH 102
+#define CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_FD 300
+#define CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_READ 301
+
+#define CRYPTOGRAPHY_OSRANDOM_R_CRYPTACQUIRECONTEXT 100
+#define CRYPTOGRAPHY_OSRANDOM_R_CRYPTGENRANDOM 101
+#define CRYPTOGRAPHY_OSRANDOM_R_CRYPTRELEASECONTEXT 102
+
+#define CRYPTOGRAPHY_OSRANDOM_R_GETENTROPY_FAILED 200
+
+#define CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_OPEN_FAILED 300
+#define CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_READ_FAILED 301
+
+#define CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED 400
+#define CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED_UNEXPECTED 402
+#define CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_FAILED 403
+#define CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_NOT_INIT 404
+#endif
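Review bot: The header has no include guard and declares `static` prototypes (`ERR_load_Cryptography_OSRandom_strings`, `ERR_Cryptography_OSRandom_error`), which only works because it is textually included into a single translation unit; that assumption deserves a comment at the top, e.g. `/* Included once, directly into osrandom_engine.c; the static prototypes below depend on single-TU inclusion. */`. The hard-coded `SYS_getrandom` numbers cover only x86_64 and i386, so on any other architecture whose libc headers lack the constant the `#elif defined(__linux__) && defined(SYS_getrandom)` branch is skipped and the build quietly selects /dev/urandom; a one-line comment on that branch saying so would spare the next reader a trace through the fallbacks. The reason codes also skip 401 between `CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED` and `CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED_UNEXPECTED`; if the gap is a retired code, a comment should say so.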
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index fa0aefc8..4ba86693 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -11,20 +11,26 @@ typedef STACK_OF(SSL_CIPHER) Cryptography_STACK_OF_SSL_CIPHER;
"""
TYPES = """
-/*
- * Internally invented symbols to tell which versions of SSL/TLS are supported.
-*/
+static const long Cryptography_HAS_SSL_ST;
+static const long Cryptography_HAS_TLS_ST;
static const long Cryptography_HAS_SSL2;
static const long Cryptography_HAS_SSL3_METHOD;
static const long Cryptography_HAS_TLSv1_1;
static const long Cryptography_HAS_TLSv1_2;
+static const long Cryptography_HAS_TLSv1_3;
static const long Cryptography_HAS_SECURE_RENEGOTIATION;
static const long Cryptography_HAS_COMPRESSION;
static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB;
static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP;
static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE;
-static const long Cryptography_HAS_GET_SERVER_TMP_KEY;
static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE;
+static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;
+static const long Cryptography_HAS_DTLS;
+static const long Cryptography_HAS_SIGALGS;
+static const long Cryptography_HAS_PSK;
+static const long Cryptography_HAS_CIPHER_DETAILS;
+static const long Cryptography_HAS_VERIFIED_CHAIN;
+static const long Cryptography_HAS_KEYLOG;
/* Internally invented symbol to tell us if SNI is supported */
static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -38,13 +44,13 @@ static const long Cryptography_HAS_RELEASE_BUFFERS;
* supported
*/
static const long Cryptography_HAS_OP_NO_COMPRESSION;
-
static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING;
static const long Cryptography_HAS_SSL_SET_SSL_CTX;
static const long Cryptography_HAS_SSL_OP_NO_TICKET;
-static const long Cryptography_HAS_NETBSD_D1_METH;
-static const long Cryptography_HAS_NEXTPROTONEG;
static const long Cryptography_HAS_ALPN;
+static const long Cryptography_HAS_NEXTPROTONEG;
+static const long Cryptography_HAS_SET_CERT_CB;
+static const long Cryptography_HAS_CUSTOM_EXT;
static const long SSL_FILETYPE_PEM;
static const long SSL_FILETYPE_ASN1;
@@ -53,6 +59,7 @@ static const long SSL_ERROR_ZERO_RETURN;
static const long SSL_ERROR_WANT_READ;
static const long SSL_ERROR_WANT_WRITE;
static const long SSL_ERROR_WANT_X509_LOOKUP;
+static const long SSL_ERROR_WANT_CONNECT;
static const long SSL_ERROR_SYSCALL;
static const long SSL_ERROR_SSL;
static const long SSL_SENT_SHUTDOWN;
@@ -62,6 +69,9 @@ static const long SSL_OP_NO_SSLv3;
static const long SSL_OP_NO_TLSv1;
static const long SSL_OP_NO_TLSv1_1;
static const long SSL_OP_NO_TLSv1_2;
+static const long SSL_OP_NO_TLSv1_3;
+static const long SSL_OP_NO_DTLSv1;
+static const long SSL_OP_NO_DTLSv1_2;
static const long SSL_OP_NO_COMPRESSION;
static const long SSL_OP_SINGLE_DH_USE;
static const long SSL_OP_EPHEMERAL_RSA;
@@ -92,6 +102,7 @@ static const long SSL_VERIFY_PEER;
static const long SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
static const long SSL_VERIFY_CLIENT_ONCE;
static const long SSL_VERIFY_NONE;
+static const long SSL_VERIFY_POST_HANDSHAKE;
static const long SSL_SESS_CACHE_OFF;
static const long SSL_SESS_CACHE_CLIENT;
static const long SSL_SESS_CACHE_SERVER;
@@ -125,41 +136,32 @@ static const long SSL_MODE_ENABLE_PARTIAL_WRITE;
static const long SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
static const long SSL_MODE_AUTO_RETRY;
static const long SSL3_RANDOM_SIZE;
+static const long TLS_ST_BEFORE;
+static const long TLS_ST_OK;
+
+static const long OPENSSL_NPN_NEGOTIATED;
typedef ... SSL_METHOD;
typedef ... SSL_CTX;
-typedef struct {
- int master_key_length;
- unsigned char master_key[...];
- ...;
-} SSL_SESSION;
-
-typedef struct {
- unsigned char server_random[...];
- unsigned char client_random[...];
- ...;
-} SSL3_STATE;
+typedef ... SSL_SESSION;
-typedef struct {
- int version;
- int type;
- SSL3_STATE *s3;
- SSL_SESSION *session;
- ...;
-} SSL;
+typedef ... SSL;
static const long TLSEXT_NAMETYPE_host_name;
+static const long TLSEXT_STATUSTYPE_ocsp;
typedef ... SSL_CIPHER;
typedef ... Cryptography_STACK_OF_SSL_CIPHER;
typedef ... COMP_METHOD;
+
+typedef struct {
+ const char *name;
+ unsigned long id;
+} SRTP_PROTECTION_PROFILE;
"""
FUNCTIONS = """
-void SSL_load_error_strings(void);
-int SSL_library_init(void);
-
/* SSL */
const char *SSL_state_string_long(const SSL *);
SSL_SESSION *SSL_get1_session(SSL *);
@@ -174,6 +176,10 @@ void (*SSL_get_info_callback(const SSL *))(const SSL *, int, int);
SSL *SSL_new(SSL_CTX *);
void SSL_free(SSL *);
int SSL_set_fd(SSL *, int);
+SSL_CTX *SSL_get_SSL_CTX(const SSL *);
+SSL_CTX *SSL_set_SSL_CTX(SSL *, SSL_CTX *);
+BIO *SSL_get_rbio(const SSL *);
+BIO *SSL_get_wbio(const SSL *);
void SSL_set_bio(SSL *, BIO *, BIO *);
void SSL_set_connect_state(SSL *);
void SSL_set_accept_state(SSL *);
@@ -182,9 +188,15 @@ int SSL_get_shutdown(const SSL *);
int SSL_pending(const SSL *);
int SSL_write(SSL *, const void *, int);
int SSL_read(SSL *, void *, int);
+int SSL_peek(SSL *, void *, int);
+X509 *SSL_get_certificate(const SSL *);
X509 *SSL_get_peer_certificate(const SSL *);
int SSL_get_ex_data_X509_STORE_CTX_idx(void);
+/* Added in 1.0.2 */
+X509_VERIFY_PARAM *SSL_get0_param(SSL *);
+X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *);
+
int SSL_use_certificate(SSL *, X509 *);
int SSL_use_certificate_ASN1(SSL *, const unsigned char *, int);
int SSL_use_certificate_file(SSL *, const char *, int);
@@ -193,12 +205,19 @@ int SSL_use_PrivateKey_ASN1(int, SSL *, const unsigned char *, long);
int SSL_use_PrivateKey_file(SSL *, const char *, int);
int SSL_check_private_key(const SSL *);
+int SSL_get_sigalgs(SSL *, int, int *, int *, int *, unsigned char *,
+ unsigned char *);
+
Cryptography_STACK_OF_X509 *SSL_get_peer_cert_chain(const SSL *);
+Cryptography_STACK_OF_X509 *SSL_get0_verified_chain(const SSL *);
Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *);
int SSL_get_error(const SSL *, int);
+long SSL_get_verify_result(const SSL *ssl);
int SSL_do_handshake(SSL *);
int SSL_shutdown(SSL *);
+int SSL_renegotiate(SSL *);
+int SSL_renegotiate_pending(SSL *);
const char *SSL_get_cipher_list(const SSL *, int);
Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *);
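Review bot: `long SSL_get_verify_result(const SSL *ssl);` names its parameter while every other declaration in this FUNCTIONS cdef leaves parameters unnamed; for consistency it should read `long SSL_get_verify_result(const SSL *);`. A short comment on that line would also help callers, e.g. `/* X509_V_* result of the last peer verification; must be checked by the caller when verification was not made fatal via SSL_VERIFY_PEER. */`, since the binding otherwise gives no hint that the value is only meaningful after a handshake.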
@@ -224,40 +243,116 @@ int SSL_CTX_use_PrivateKey_ASN1(int, SSL_CTX *, const unsigned char *, long);
int SSL_CTX_use_PrivateKey_file(SSL_CTX *, const char *, int);
int SSL_CTX_check_private_key(const SSL_CTX *);
void SSL_CTX_set_cert_verify_callback(SSL_CTX *,
- int (*)(X509_STORE_CTX *,void *),
+ int (*)(X509_STORE_CTX *, void *),
void *);
+void SSL_CTX_set_cookie_generate_cb(SSL_CTX *,
+ int (*)(
+ SSL *,
+ unsigned char *,
+ unsigned int *
+ ));
+long SSL_CTX_get_read_ahead(SSL_CTX *);
+long SSL_CTX_set_read_ahead(SSL_CTX *, long);
+
+int SSL_CTX_use_psk_identity_hint(SSL_CTX *, const char *);
+void SSL_CTX_set_psk_server_callback(SSL_CTX *,
+ unsigned int (*)(
+ SSL *,
+ const char *,
+ unsigned char *,
+ unsigned int
+ ));
+void SSL_CTX_set_psk_client_callback(SSL_CTX *,
+ unsigned int (*)(
+ SSL *,
+ const char *,
+ char *,
+ unsigned int,
+ unsigned char *,
+ unsigned int
+ ));
+
+int SSL_CTX_set_session_id_context(SSL_CTX *, const unsigned char *,
+ unsigned int);
+
void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
int SSL_CTX_add_client_CA(SSL_CTX *, X509 *);
void SSL_CTX_set_client_CA_list(SSL_CTX *, Cryptography_STACK_OF_X509_NAME *);
+void SSL_CTX_set_info_callback(SSL_CTX *, void (*)(const SSL *, int, int));
+void (*SSL_CTX_get_info_callback(SSL_CTX *))(const SSL *, int, int);
+
+void SSL_CTX_set_keylog_callback(SSL_CTX *,
+ void (*)(const SSL *, const char *));
+void (*SSL_CTX_get_keylog_callback(SSL_CTX *))(const SSL *, const char *);
+
+long SSL_CTX_set1_sigalgs_list(SSL_CTX *, const char *);
+
/* SSL_SESSION */
void SSL_SESSION_free(SSL_SESSION *);
/* Information about actually used cipher */
const char *SSL_CIPHER_get_name(const SSL_CIPHER *);
int SSL_CIPHER_get_bits(const SSL_CIPHER *, int *);
-char *SSL_CIPHER_get_version(const SSL_CIPHER *);
+/* the modern signature of this is uint32_t, but older openssl declared it
+ as unsigned long. To make our compiler flags happy we'll declare it as a
+ 64-bit wide value, which should always be safe */
+uint64_t SSL_CIPHER_get_id(const SSL_CIPHER *);
+int SSL_CIPHER_is_aead(const SSL_CIPHER *);
+int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *);
+int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *);
+int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *);
+int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *);
size_t SSL_get_finished(const SSL *, void *, size_t);
size_t SSL_get_peer_finished(const SSL *, void *, size_t);
-"""
+Cryptography_STACK_OF_X509_NAME *SSL_load_client_CA_file(const char *);
+
+const char *SSL_get_servername(const SSL *, const int);
+/* Function signature changed to const char * in 1.1.0 */
+const char *SSL_CIPHER_get_version(const SSL_CIPHER *);
+/* These became macros in 1.1.0 */
+int SSL_library_init(void);
+void SSL_load_error_strings(void);
+
+/* these CRYPTO_EX_DATA functions became macros in 1.1.0 */
+int SSL_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *,
+ CRYPTO_EX_free *);
+int SSL_set_ex_data(SSL *, int, void *);
+int SSL_CTX_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *,
+ CRYPTO_EX_free *);
+int SSL_CTX_set_ex_data(SSL_CTX *, int, void *);
+
+SSL_SESSION *SSL_get_session(const SSL *);
+const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *, unsigned int *);
+long SSL_SESSION_get_time(const SSL_SESSION *);
+long SSL_SESSION_get_timeout(const SSL_SESSION *);
+int SSL_SESSION_has_ticket(const SSL_SESSION *);
+long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *);
+
+/* not a macro, but older OpenSSLs don't pass the args as const */
+char *SSL_CIPHER_description(const SSL_CIPHER *, char *, int);
+int SSL_SESSION_print(BIO *, const SSL_SESSION *);
-MACROS = """
/* not macros, but will be conditionally bound so can't live in functions */
const COMP_METHOD *SSL_get_current_compression(SSL *);
const COMP_METHOD *SSL_get_current_expansion(SSL *);
const char *SSL_COMP_get_name(const COMP_METHOD *);
-int SSL_CTX_set_client_cert_engine(SSL_CTX *, ENGINE *);
unsigned long SSL_set_mode(SSL *, unsigned long);
+unsigned long SSL_clear_mode(SSL *, unsigned long);
unsigned long SSL_get_mode(SSL *);
unsigned long SSL_set_options(SSL *, unsigned long);
unsigned long SSL_get_options(SSL *);
+void SSL_set_app_data(SSL *, char *);
+char * SSL_get_app_data(SSL *);
+void SSL_set_read_ahead(SSL *, int);
+
int SSL_want_read(const SSL *);
int SSL_want_write(const SSL *);
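Review bot: `SSL_CTX_set_keylog_callback` and `SSL_CTX_get_keylog_callback` are bound without any comment, yet the callback is handed TLS session secrets in NSS key-log format; a note such as `/* Debug hook: the callback receives TLS session secrets (SSLKEYLOGFILE format). Only for controlled debugging; never enable it in deployed code. */` would make the sensitivity visible in the cdef. Two style nits in the same hunk: `char * SSL_get_app_data(SSL *);` has a stray space before the function name unlike its neighbours, and the neighbouring `SSL_CIPHER_get_id` comment explains its widened return type while `SSL_CIPHER_get_version`'s signature-change comment two lines below mentions the version but not the reason — "declared `const char *` so the cdef matches 1.1.0; older releases returned `char *`" would round it off.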
@@ -267,8 +362,10 @@ long SSL_get_secure_renegotiation_support(SSL *);
/* Defined as unsigned long because SSL_OP_ALL is greater than signed 32-bit
and Windows defines long as 32-bit. */
unsigned long SSL_CTX_set_options(SSL_CTX *, unsigned long);
+unsigned long SSL_CTX_clear_options(SSL_CTX *, unsigned long);
unsigned long SSL_CTX_get_options(SSL_CTX *);
unsigned long SSL_CTX_set_mode(SSL_CTX *, unsigned long);
+unsigned long SSL_CTX_clear_mode(SSL_CTX *, unsigned long);
unsigned long SSL_CTX_get_mode(SSL_CTX *);
unsigned long SSL_CTX_set_session_cache_mode(SSL_CTX *, unsigned long);
unsigned long SSL_CTX_get_session_cache_mode(SSL_CTX *);
@@ -280,15 +377,6 @@ unsigned long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *);
/* methods */
-/* SSLv2 support is compiled out of some versions of OpenSSL. These will
- * get special support when we generate the bindings so that if they are
- * available they will be wrapped, but if they are not they won't cause
- * problems (like link errors).
- */
-const SSL_METHOD *SSLv2_method(void);
-const SSL_METHOD *SSLv2_server_method(void);
-const SSL_METHOD *SSLv2_client_method(void);
-
/*
* TLSv1_1 and TLSv1_2 are recent additions. Only sufficiently new versions of
* OpenSSL support them.
@@ -313,6 +401,11 @@ const SSL_METHOD *DTLSv1_method(void);
const SSL_METHOD *DTLSv1_server_method(void);
const SSL_METHOD *DTLSv1_client_method(void);
+/* Added in 1.0.2 */
+const SSL_METHOD *DTLS_method(void);
+const SSL_METHOD *DTLS_server_method(void);
+const SSL_METHOD *DTLS_client_method(void);
+
const SSL_METHOD *SSLv23_method(void);
const SSL_METHOD *SSLv23_server_method(void);
const SSL_METHOD *SSLv23_client_method(void);
@@ -325,39 +418,28 @@ const SSL_CIPHER *SSL_get_current_cipher(const SSL *);
const char *SSL_get_version(const SSL *);
int SSL_version(const SSL *);
-/* SNI APIs were introduced in OpenSSL 1.0.0. To continue to support
- * earlier versions some special handling of these is necessary.
- */
-const char *SSL_get_servername(const SSL *, const int);
+void *SSL_CTX_get_ex_data(const SSL_CTX *, int);
+void *SSL_get_ex_data(const SSL *, int);
+
void SSL_set_tlsext_host_name(SSL *, char *);
void SSL_CTX_set_tlsext_servername_callback(
SSL_CTX *,
- int (*)(const SSL *, int *, void *));
+ int (*)(SSL *, int *, void *));
+void SSL_CTX_set_tlsext_servername_arg(
+ SSL_CTX *, void *);
-/* These were added in OpenSSL 0.9.8h, but since version testing in OpenSSL
- is fraught with peril thanks to OS distributions we check some constants
- to determine if they are supported or not */
long SSL_set_tlsext_status_ocsp_resp(SSL *, unsigned char *, int);
long SSL_get_tlsext_status_ocsp_resp(SSL *, const unsigned char **);
long SSL_set_tlsext_status_type(SSL *, long);
long SSL_CTX_set_tlsext_status_cb(SSL_CTX *, int(*)(SSL *, void *));
long SSL_CTX_set_tlsext_status_arg(SSL_CTX *, void *);
-long SSL_session_reused(SSL *);
-
-/* The following were macros in 0.9.8e. Once we drop support for RHEL/CentOS 5
- we should move these back to FUNCTIONS. */
-void SSL_CTX_set_info_callback(SSL_CTX *, void (*)(const SSL *, int, int));
-void (*SSL_CTX_get_info_callback(SSL_CTX *))(const SSL *, int, int);
-/* This function does not exist in 0.9.8e. Once we drop support for
- RHEL/CentOS 5 this can be moved back to FUNCTIONS. */
-SSL_CTX *SSL_set_SSL_CTX(SSL *, SSL_CTX *);
+int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *, const char *);
+int SSL_set_tlsext_use_srtp(SSL *, const char *);
+SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *);
-const SSL_METHOD *Cryptography_SSL_CTX_get_method(const SSL_CTX *);
+long SSL_session_reused(SSL *);
-/* NPN APIs were introduced in OpenSSL 1.0.1. To continue to support earlier
- * versions some special handling of these is necessary.
- */
void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *,
int (*)(SSL *,
const unsigned char **,
@@ -379,7 +461,7 @@ void SSL_get0_next_proto_negotiated(const SSL *,
const unsigned char **, unsigned *);
int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
-SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
+const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
/* ALPN APIs were introduced in OpenSSL 1.0.2. To continue to support earlier
* versions some special handling of these is necessary.
@@ -397,29 +479,172 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *,
void SSL_get0_alpn_selected(const SSL *, const unsigned char **, unsigned *);
long SSL_get_server_tmp_key(SSL *, EVP_PKEY **);
+
+/* SSL_CTX_set_cert_cb is introduced in OpenSSL 1.0.2. To continue to support
+ * earlier versions some special handling of these is necessary.
+ */
+void SSL_CTX_set_cert_cb(SSL_CTX *, int (*)(SSL *, void *), void *);
+void SSL_set_cert_cb(SSL *, int (*)(SSL *, void *), void *);
+
+/* Added in 1.0.2 */
+const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *);
+
+int SSL_SESSION_set1_id_context(SSL_SESSION *, const unsigned char *,
+ unsigned int);
+/* Added in 1.1.0 for the great opaquing of structs */
+size_t SSL_SESSION_get_master_key(const SSL_SESSION *, unsigned char *,
+ size_t);
+size_t SSL_get_client_random(const SSL *, unsigned char *, size_t);
+size_t SSL_get_server_random(const SSL *, unsigned char *, size_t);
+int SSL_export_keying_material(SSL *, unsigned char *, size_t, const char *,
+ size_t, const unsigned char *, size_t, int);
+
+long SSL_CTX_sess_number(SSL_CTX *);
+long SSL_CTX_sess_connect(SSL_CTX *);
+long SSL_CTX_sess_connect_good(SSL_CTX *);
+long SSL_CTX_sess_connect_renegotiate(SSL_CTX *);
+long SSL_CTX_sess_accept(SSL_CTX *);
+long SSL_CTX_sess_accept_good(SSL_CTX *);
+long SSL_CTX_sess_accept_renegotiate(SSL_CTX *);
+long SSL_CTX_sess_hits(SSL_CTX *);
+long SSL_CTX_sess_cb_hits(SSL_CTX *);
+long SSL_CTX_sess_misses(SSL_CTX *);
+long SSL_CTX_sess_timeouts(SSL_CTX *);
+long SSL_CTX_sess_cache_full(SSL_CTX *);
+
+/* DTLS support */
+long Cryptography_DTLSv1_get_timeout(SSL *, time_t *, long *);
+long DTLSv1_handle_timeout(SSL *);
+long DTLS_set_link_mtu(SSL *, long);
+long DTLS_get_link_min_mtu(SSL *);
+
+/* Custom extensions. */
+typedef int (*custom_ext_add_cb)(SSL *, unsigned int,
+ const unsigned char **,
+ size_t *, int *,
+ void *);
+
+typedef void (*custom_ext_free_cb)(SSL *, unsigned int,
+ const unsigned char *,
+ void *);
+
+typedef int (*custom_ext_parse_cb)(SSL *, unsigned int,
+ const unsigned char *,
+ size_t, int *,
+ void *);
+
+int SSL_CTX_add_client_custom_ext(SSL_CTX *, unsigned int,
+ custom_ext_add_cb,
+ custom_ext_free_cb, void *,
+ custom_ext_parse_cb,
+ void *);
+
+int SSL_CTX_add_server_custom_ext(SSL_CTX *, unsigned int,
+ custom_ext_add_cb,
+ custom_ext_free_cb, void *,
+ custom_ext_parse_cb,
+ void *);
+
+int SSL_extension_supported(unsigned int);
+
+int SSL_CTX_set_ciphersuites(SSL_CTX *, const char *);
+int SSL_verify_client_post_handshake(SSL *);
+void SSL_CTX_set_post_handshake_auth(SSL_CTX *, int);
+void SSL_set_post_handshake_auth(SSL *, int);
+
+uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *);
+int SSL_write_early_data(SSL *, const void *, size_t, size_t *);
+int SSL_read_early_data(SSL *, void *, size_t, size_t *);
+int SSL_CTX_set_max_early_data(SSL_CTX *, uint32_t);
"""
CUSTOMIZATIONS = """
-/** Secure renegotiation is supported in OpenSSL >= 0.9.8m
- * But some Linux distributions have back ported some features.
- */
-#ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-static const long Cryptography_HAS_SECURE_RENEGOTIATION = 0;
-long (*SSL_get_secure_renegotiation_support)(SSL *) = NULL;
-const long SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0;
-const long SSL_OP_LEGACY_SERVER_CONNECT = 0;
+#if CRYPTOGRAPHY_IS_LIBRESSL
+const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) {
+ return ctx->method;
+}
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
+Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
#else
-static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1;
+static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
#endif
-#ifdef OPENSSL_NO_SSL2
-static const long Cryptography_HAS_SSL2 = 0;
-SSL_METHOD* (*SSLv2_method)(void) = NULL;
-SSL_METHOD* (*SSLv2_client_method)(void) = NULL;
-SSL_METHOD* (*SSLv2_server_method)(void) = NULL;
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+static const long Cryptography_HAS_KEYLOG = 0;
+void (*SSL_CTX_set_keylog_callback)(SSL_CTX *,
+ void (*) (const SSL *, const char *)
+ ) = NULL;
+void (*(*SSL_CTX_get_keylog_callback)(SSL_CTX *))(
+ const SSL *,
+ const char *
+ ) = NULL;
#else
-static const long Cryptography_HAS_SSL2 = 1;
+static const long Cryptography_HAS_KEYLOG = 1;
+#endif
+
+/* Added in 1.1.0 in the great opaquing, but we need to define it for older
+ OpenSSLs. Such is our burden. */
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL
+/* from ssl/ssl_lib.c */
+size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen)
+{
+ if (outlen == 0)
+ return sizeof(ssl->s3->client_random);
+ if (outlen > sizeof(ssl->s3->client_random))
+ outlen = sizeof(ssl->s3->client_random);
+ memcpy(out, ssl->s3->client_random, outlen);
+ return outlen;
+}
+/* Added in 1.1.0 as well */
+/* from ssl/ssl_lib.c */
+size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)
+{
+ if (outlen == 0)
+ return sizeof(ssl->s3->server_random);
+ if (outlen > sizeof(ssl->s3->server_random))
+ outlen = sizeof(ssl->s3->server_random);
+ memcpy(out, ssl->s3->server_random, outlen);
+ return outlen;
+}
+/* Added in 1.1.0 as well */
+/* from ssl/ssl_lib.c */
+size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
+ unsigned char *out, size_t outlen)
+{
+ if (session->master_key_length < 0) {
+ /* Should never happen */
+ return 0;
+ }
+ if (outlen == 0)
+ return session->master_key_length;
+ if (outlen > (size_t)session->master_key_length)
+ outlen = session->master_key_length;
+ memcpy(out, session->master_key, outlen);
+ return outlen;
+}
+/* from ssl/ssl_sess.c */
+int SSL_SESSION_has_ticket(const SSL_SESSION *s)
+{
+ return (s->tlsext_ticklen > 0) ? 1 : 0;
+}
+/* from ssl/ssl_sess.c */
+unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
+{
+ return s->tlsext_tick_lifetime_hint;
+}
#endif
+static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1;
+
+/* Cryptography now compiles out all SSLv2 bindings. This exists to allow
+ * clients that use it to check for SSLv2 support to keep functioning as
+ * expected.
+ */
+static const long Cryptography_HAS_SSL2 = 0;
+
#ifdef OPENSSL_NO_SSL3_METHOD
static const long Cryptography_HAS_SSL3_METHOD = 0;
SSL_METHOD* (*SSLv3_method)(void) = NULL;
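Review bot: The LESS_THAN_110 polyfill defines `unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)` while the FUNCTIONS cdef added in the earlier `@@ -224,40 +243,116 @@` hunk declares it as `long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *);`; OpenSSL 1.1.0 also returns `unsigned long`, so the cdef should read `unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *);`. The generated wrapper presumably compiles either way through implicit conversion, but the declared type is what Python sees, and the mismatch contradicts the care taken for `SSL_CIPHER_get_id` a few lines above. The `SSL_get_client_random`/`SSL_get_server_random` polyfills dereference `ssl->s3` unconditionally, mirroring ssl_lib.c; a comment noting that they must only be reached with an established SSL object, as the upstream originals assume, would document that precondition for the binding layer.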
@@ -429,308 +654,172 @@ SSL_METHOD* (*SSLv3_server_method)(void) = NULL;
static const long Cryptography_HAS_SSL3_METHOD = 1;
#endif
-#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
-#else
-static const long Cryptography_HAS_TLSEXT_HOSTNAME = 0;
-void (*SSL_set_tlsext_host_name)(SSL *, char *) = NULL;
-const char* (*SSL_get_servername)(const SSL *, const int) = NULL;
-void (*SSL_CTX_set_tlsext_servername_callback)(
- SSL_CTX *,
- int (*)(const SSL *, int *, void *)) = NULL;
-#endif
-
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB = 1;
-#else
-static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB = 0;
-long (*SSL_CTX_set_tlsext_status_cb)(SSL_CTX *, int(*)(SSL *, void *)) = NULL;
-long (*SSL_CTX_set_tlsext_status_arg)(SSL_CTX *, void *) = NULL;
-#endif
-
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP
static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP = 1;
-#else
-static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP = 0;
-long (*SSL_set_tlsext_status_ocsp_resp)(SSL *, unsigned char *, int) = NULL;
-long (*SSL_get_tlsext_status_ocsp_resp)(SSL *, const unsigned char **) = NULL;
-#endif
-
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE
static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE = 1;
-#else
-static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE = 0;
-long (*SSL_set_tlsext_status_type)(SSL *, long) = NULL;
-#endif
-
-#ifdef SSL_MODE_RELEASE_BUFFERS
static const long Cryptography_HAS_RELEASE_BUFFERS = 1;
-#else
-static const long Cryptography_HAS_RELEASE_BUFFERS = 0;
-const long SSL_MODE_RELEASE_BUFFERS = 0;
-#endif
-
-#ifdef SSL_OP_NO_COMPRESSION
static const long Cryptography_HAS_OP_NO_COMPRESSION = 1;
-#else
-static const long Cryptography_HAS_OP_NO_COMPRESSION = 0;
-const long SSL_OP_NO_COMPRESSION = 0;
-#endif
-
-#ifdef SSL_OP_NO_TLSv1_1
static const long Cryptography_HAS_TLSv1_1 = 1;
-#else
-static const long Cryptography_HAS_TLSv1_1 = 0;
-static const long SSL_OP_NO_TLSv1_1 = 0;
-SSL_METHOD* (*TLSv1_1_method)(void) = NULL;
-SSL_METHOD* (*TLSv1_1_client_method)(void) = NULL;
-SSL_METHOD* (*TLSv1_1_server_method)(void) = NULL;
-#endif
-
-#ifdef SSL_OP_NO_TLSv1_2
static const long Cryptography_HAS_TLSv1_2 = 1;
+static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
+static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
+static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
+static const long Cryptography_HAS_NEXTPROTONEG = 1;
+static const long Cryptography_HAS_ALPN = 1;
+
+#if CRYPTOGRAPHY_IS_LIBRESSL
+void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL;
+void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL;
+static const long Cryptography_HAS_SET_CERT_CB = 0;
#else
-static const long Cryptography_HAS_TLSv1_2 = 0;
-static const long SSL_OP_NO_TLSv1_2 = 0;
-SSL_METHOD* (*TLSv1_2_method)(void) = NULL;
-SSL_METHOD* (*TLSv1_2_client_method)(void) = NULL;
-SSL_METHOD* (*TLSv1_2_server_method)(void) = NULL;
+static const long Cryptography_HAS_SET_CERT_CB = 1;
#endif
-#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
-static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
+/* In OpenSSL 1.0.2i+ the handling of COMP_METHOD when OPENSSL_NO_COMP was
+ changed and we no longer need to typedef void */
+#if (defined(OPENSSL_NO_COMP) && CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I) || \
+ CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_COMPRESSION = 0;
+typedef void COMP_METHOD;
#else
-static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 0;
-const long SSL_OP_MSIE_SSLV2_RSA_PADDING = 0;
+static const long Cryptography_HAS_COMPRESSION = 1;
#endif
-#ifdef OPENSSL_NO_EC
-long (*SSL_CTX_set_tmp_ecdh)(SSL_CTX *, EC_KEY *) = NULL;
-#endif
+static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE = 1;
-#ifdef SSL_OP_NO_TICKET
-static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
+static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS = 1;
+
+/* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were
+ removed */
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+static const long Cryptography_HAS_SSL_ST = 1;
#else
-static const long Cryptography_HAS_SSL_OP_NO_TICKET = 0;
-const long SSL_OP_NO_TICKET = 0;
+static const long Cryptography_HAS_SSL_ST = 0;
+static const long SSL_ST_BEFORE = 0;
+static const long SSL_ST_OK = 0;
+static const long SSL_ST_INIT = 0;
+static const long SSL_ST_RENEGOTIATE = 0;
#endif
-
-/* OpenSSL 0.9.8f+ */
-#if OPENSSL_VERSION_NUMBER >= 0x00908070L
-static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+static const long Cryptography_HAS_TLS_ST = 1;
#else
-static const long Cryptography_HAS_SSL_SET_SSL_CTX = 0;
-static const long TLSEXT_NAMETYPE_host_name = 0;
-SSL_CTX *(*SSL_set_SSL_CTX)(SSL *, SSL_CTX *) = NULL;
+static const long Cryptography_HAS_TLS_ST = 0;
+static const long TLS_ST_BEFORE = 0;
+static const long TLS_ST_OK = 0;
#endif
-/* NetBSD shipped without including d1_meth.c. This workaround checks to see
- if the version of NetBSD we're currently running on is old enough to
- have the bug and provides an empty implementation so we can link and
- then remove the function from the ffi object. */
-#ifdef __NetBSD__
-# include <sys/param.h>
-# if (__NetBSD_Version__ < 699003800)
-static const long Cryptography_HAS_NETBSD_D1_METH = 0;
-const SSL_METHOD *DTLSv1_method(void) {
- return NULL;
-}
-# else
-static const long Cryptography_HAS_NETBSD_D1_METH = 1;
-# endif
-#else
-static const long Cryptography_HAS_NETBSD_D1_METH = 1;
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long SSL_OP_NO_DTLSv1 = 0;
+static const long SSL_OP_NO_DTLSv1_2 = 0;
+long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
+long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
#endif
-/* Workaround for #794 caused by cffi const** bug. */
-const SSL_METHOD *Cryptography_SSL_CTX_get_method(const SSL_CTX *ctx) {
- return ctx->method;
+static const long Cryptography_HAS_DTLS = 1;
+/* Wrap DTLSv1_get_timeout to avoid cffi to handle a 'struct timeval'. */
+long Cryptography_DTLSv1_get_timeout(SSL *ssl, time_t *ptv_sec,
+ long *ptv_usec) {
+ struct timeval tv = { 0 };
+ long r = DTLSv1_get_timeout(ssl, &tv);
+
+ if (r == 1) {
+ if (ptv_sec) {
+ *ptv_sec = tv.tv_sec;
+ }
+
+ if (ptv_usec) {
+ *ptv_usec = tv.tv_usec;
+ }
+ }
+
+ return r;
}
-/* Because OPENSSL defines macros that claim lack of support for things, rather
- * than macros that claim support for things, we need to do a version check in
- * addition to a definition check. NPN was added in 1.0.1: for any version
- * before that, there is no compatibility.
- */
-#if defined(OPENSSL_NO_NEXTPROTONEG) || OPENSSL_VERSION_NUMBER < 0x1000100fL
-static const long Cryptography_HAS_NEXTPROTONEG = 0;
-void (*SSL_CTX_set_next_protos_advertised_cb)(SSL_CTX *,
- int (*)(SSL *,
- const unsigned char **,
- unsigned int *,
- void *),
- void *) = NULL;
-void (*SSL_CTX_set_next_proto_select_cb)(SSL_CTX *,
- int (*)(SSL *,
- unsigned char **,
- unsigned char *,
- const unsigned char *,
- unsigned int,
- void *),
- void *) = NULL;
-int (*SSL_select_next_proto)(unsigned char **, unsigned char *,
- const unsigned char *, unsigned int,
- const unsigned char *, unsigned int) = NULL;
-void (*SSL_get0_next_proto_negotiated)(const SSL *,
- const unsigned char **,
- unsigned *) = NULL;
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_SIGALGS = 0;
+const int (*SSL_get_sigalgs)(SSL *, int, int *, int *, int *, unsigned char *,
+ unsigned char *) = NULL;
+const long (*SSL_CTX_set1_sigalgs_list)(SSL_CTX *, const char *) = NULL;
#else
-static const long Cryptography_HAS_NEXTPROTONEG = 1;
+static const long Cryptography_HAS_SIGALGS = 1;
#endif
-/* ALPN was added in OpenSSL 1.0.2. */
-#if OPENSSL_VERSION_NUMBER < 0x10002001L && !defined(LIBRESSL_VERSION_NUMBER)
-int (*SSL_CTX_set_alpn_protos)(SSL_CTX *,
- const unsigned char *,
- unsigned) = NULL;
-int (*SSL_set_alpn_protos)(SSL *, const unsigned char *, unsigned) = NULL;
-void (*SSL_CTX_set_alpn_select_cb)(SSL_CTX *,
- int (*) (SSL *,
- const unsigned char **,
+#if CRYPTOGRAPHY_IS_LIBRESSL || defined(OPENSSL_NO_PSK)
+static const long Cryptography_HAS_PSK = 0;
+int (*SSL_CTX_use_psk_identity_hint)(SSL_CTX *, const char *) = NULL;
+void (*SSL_CTX_set_psk_server_callback)(SSL_CTX *,
+ unsigned int (*)(
+ SSL *,
+ const char *,
unsigned char *,
- const unsigned char *,
+ unsigned int
+ )) = NULL;
+void (*SSL_CTX_set_psk_client_callback)(SSL_CTX *,
+ unsigned int (*)(
+ SSL *,
+ const char *,
+ char *,
unsigned int,
- void *),
- void *) = NULL;
-void (*SSL_get0_alpn_selected)(const SSL *,
- const unsigned char **,
- unsigned *) = NULL;
-static const long Cryptography_HAS_ALPN = 0;
+ unsigned char *,
+ unsigned int
+ )) = NULL;
#else
-static const long Cryptography_HAS_ALPN = 1;
+static const long Cryptography_HAS_PSK = 1;
#endif
-#if defined(OPENSSL_NO_COMP) || defined(LIBRESSL_VERSION_NUMBER)
-static const long Cryptography_HAS_COMPRESSION = 0;
-typedef void COMP_METHOD;
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_CUSTOM_EXT = 1;
#else
-static const long Cryptography_HAS_COMPRESSION = 1;
+static const long Cryptography_HAS_CUSTOM_EXT = 0;
+typedef int (*custom_ext_add_cb)(SSL *, unsigned int,
+ const unsigned char **,
+ size_t *, int *,
+ void *);
+typedef void (*custom_ext_free_cb)(SSL *, unsigned int,
+ const unsigned char *,
+ void *);
+typedef int (*custom_ext_parse_cb)(SSL *, unsigned int,
+ const unsigned char *,
+ size_t, int *,
+ void *);
+int (*SSL_CTX_add_client_custom_ext)(SSL_CTX *, unsigned int,
+ custom_ext_add_cb,
+ custom_ext_free_cb, void *,
+ custom_ext_parse_cb,
+ void *) = NULL;
+int (*SSL_CTX_add_server_custom_ext)(SSL_CTX *, unsigned int,
+ custom_ext_add_cb,
+ custom_ext_free_cb, void *,
+ custom_ext_parse_cb,
+ void *) = NULL;
+int (*SSL_extension_supported)(unsigned int) = NULL;
#endif
-#if defined(SSL_CTRL_GET_SERVER_TMP_KEY)
-static const long Cryptography_HAS_GET_SERVER_TMP_KEY = 1;
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL
+int (*SSL_CIPHER_is_aead)(const SSL_CIPHER *) = NULL;
+int (*SSL_CIPHER_get_cipher_nid)(const SSL_CIPHER *) = NULL;
+int (*SSL_CIPHER_get_digest_nid)(const SSL_CIPHER *) = NULL;
+int (*SSL_CIPHER_get_kx_nid)(const SSL_CIPHER *) = NULL;
+int (*SSL_CIPHER_get_auth_nid)(const SSL_CIPHER *) = NULL;
+static const long Cryptography_HAS_CIPHER_DETAILS = 0;
#else
-static const long Cryptography_HAS_GET_SERVER_TMP_KEY = 0;
-long (*SSL_get_server_tmp_key)(SSL *, EVP_PKEY **) = NULL;
+static const long Cryptography_HAS_CIPHER_DETAILS = 1;
#endif
-/* Added in 0.9.8i */
-#if OPENSSL_VERSION_NUMBER < 0x0090809fL
-int (*SSL_CTX_set_client_cert_engine)(SSL_CTX *, ENGINE *) = NULL;
-static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE = 0;
-# else
-static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE = 1;
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+static const long Cryptography_HAS_TLSv1_3 = 0;
+static const long SSL_OP_NO_TLSv1_3 = 0;
+static const long SSL_VERIFY_POST_HANDSHAKE = 0;
+int (*SSL_CTX_set_ciphersuites)(SSL_CTX *, const char *) = NULL;
+int (*SSL_verify_client_post_handshake)(SSL *) = NULL;
+void (*SSL_CTX_set_post_handshake_auth)(SSL_CTX *, int) = NULL;
+void (*SSL_set_post_handshake_auth)(SSL *, int) = NULL;
+uint32_t (*SSL_SESSION_get_max_early_data)(const SSL_SESSION *) = NULL;
+int (*SSL_write_early_data)(SSL *, const void *, size_t, size_t *) = NULL;
+int (*SSL_read_early_data)(SSL *, void *, size_t, size_t *) = NULL;
+int (*SSL_CTX_set_max_early_data)(SSL_CTX *, uint32_t) = NULL;
+#else
+static const long Cryptography_HAS_TLSv1_3 = 1;
#endif
-
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_TLSv1_1": [
- "SSL_OP_NO_TLSv1_1",
- "TLSv1_1_method",
- "TLSv1_1_server_method",
- "TLSv1_1_client_method",
- ],
-
- "Cryptography_HAS_TLSv1_2": [
- "SSL_OP_NO_TLSv1_2",
- "TLSv1_2_method",
- "TLSv1_2_server_method",
- "TLSv1_2_client_method",
- ],
-
- "Cryptography_HAS_SSL2": [
- "SSLv2_method",
- "SSLv2_client_method",
- "SSLv2_server_method",
- ],
-
- "Cryptography_HAS_SSL3_METHOD": [
- "SSLv3_method",
- "SSLv3_client_method",
- "SSLv3_server_method",
- ],
-
- "Cryptography_HAS_TLSEXT_HOSTNAME": [
- "SSL_set_tlsext_host_name",
- "SSL_get_servername",
- "SSL_CTX_set_tlsext_servername_callback",
- ],
-
- "Cryptography_HAS_TLSEXT_STATUS_REQ_CB": [
- "SSL_CTX_set_tlsext_status_cb",
- "SSL_CTX_set_tlsext_status_arg"
- ],
-
- "Cryptography_HAS_STATUS_REQ_OCSP_RESP": [
- "SSL_set_tlsext_status_ocsp_resp",
- "SSL_get_tlsext_status_ocsp_resp",
- ],
-
- "Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE": [
- "SSL_set_tlsext_status_type",
- ],
-
- "Cryptography_HAS_RELEASE_BUFFERS": [
- "SSL_MODE_RELEASE_BUFFERS",
- ],
-
- "Cryptography_HAS_OP_NO_COMPRESSION": [
- "SSL_OP_NO_COMPRESSION",
- ],
-
- "Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING": [
- "SSL_OP_MSIE_SSLV2_RSA_PADDING",
- ],
-
- "Cryptography_HAS_EC": [
- "SSL_CTX_set_tmp_ecdh",
- ],
-
- "Cryptography_HAS_SSL_OP_NO_TICKET": [
- "SSL_OP_NO_TICKET",
- ],
-
- "Cryptography_HAS_SSL_SET_SSL_CTX": [
- "SSL_set_SSL_CTX",
- "TLSEXT_NAMETYPE_host_name",
- ],
-
- "Cryptography_HAS_NETBSD_D1_METH": [
- "DTLSv1_method",
- ],
-
- "Cryptography_HAS_NEXTPROTONEG": [
- "SSL_CTX_set_next_protos_advertised_cb",
- "SSL_CTX_set_next_proto_select_cb",
- "SSL_select_next_proto",
- "SSL_get0_next_proto_negotiated",
- ],
-
- "Cryptography_HAS_SECURE_RENEGOTIATION": [
- "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION",
- "SSL_OP_LEGACY_SERVER_CONNECT",
- "SSL_get_secure_renegotiation_support",
- ],
-
- "Cryptography_HAS_ALPN": [
- "SSL_CTX_set_alpn_protos",
- "SSL_set_alpn_protos",
- "SSL_CTX_set_alpn_select_cb",
- "SSL_get0_alpn_selected",
- ],
-
- "Cryptography_HAS_COMPRESSION": [
- "SSL_get_current_compression",
- "SSL_get_current_expansion",
- "SSL_COMP_get_name",
- ],
-
- "Cryptography_HAS_GET_SERVER_TMP_KEY": [
- "SSL_get_server_tmp_key",
- ],
-
- "Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE": [
- "SSL_CTX_set_client_cert_engine",
- ],
-}
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 6bd117b0..0135a89a 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -30,86 +30,18 @@ typedef struct {
} X509_ALGOR;
typedef ... X509_ATTRIBUTE;
-
-typedef struct {
- X509_ALGOR *signature;
- ...;
-} X509_CINF;
-
-typedef struct {
- ASN1_OBJECT *object;
- ASN1_BOOLEAN critical;
- ASN1_OCTET_STRING *value;
-} X509_EXTENSION;
-
+typedef ... X509_EXTENSION;
typedef ... X509_EXTENSIONS;
-
-typedef struct {
- X509_ALGOR *sig_alg;
- ...;
-} X509_REQ;
-
-typedef struct {
- ASN1_INTEGER *serialNumber;
- ASN1_TIME *revocationDate;
- X509_EXTENSIONS *extensions;
- int sequence;
- ...;
-} X509_REVOKED;
-
-typedef struct {
- Cryptography_STACK_OF_X509_REVOKED *revoked;
- ...;
-} X509_CRL_INFO;
-
-typedef struct {
- X509_CRL_INFO *crl;
- X509_ALGOR *sig_alg;
- ...;
-} X509_CRL;
-
-typedef struct {
- X509_ALGOR *sig_alg;
- X509_CINF *cert_info;
- ...;
-} X509;
+typedef ... X509_REQ;
+typedef ... X509_REVOKED;
+typedef ... X509_CRL;
+typedef ... X509;
typedef ... NETSCAPE_SPKI;
typedef ... PKCS8_PRIV_KEY_INFO;
-static const int X509_FLAG_COMPAT;
-static const int X509_FLAG_NO_HEADER;
-static const int X509_FLAG_NO_VERSION;
-static const int X509_FLAG_NO_SERIAL;
-static const int X509_FLAG_NO_SIGNAME;
-static const int X509_FLAG_NO_ISSUER;
-static const int X509_FLAG_NO_VALIDITY;
-static const int X509_FLAG_NO_SUBJECT;
-static const int X509_FLAG_NO_PUBKEY;
-static const int X509_FLAG_NO_EXTENSIONS;
-static const int X509_FLAG_NO_SIGDUMP;
-static const int X509_FLAG_NO_AUX;
-static const int X509_FLAG_NO_ATTRIBUTES;
-
-static const int XN_FLAG_SEP_MASK;
-static const int XN_FLAG_COMPAT;
-static const int XN_FLAG_SEP_COMMA_PLUS;
-static const int XN_FLAG_SEP_CPLUS_SPC;
-static const int XN_FLAG_SEP_SPLUS_SPC;
-static const int XN_FLAG_SEP_MULTILINE;
-static const int XN_FLAG_DN_REV;
-static const int XN_FLAG_FN_MASK;
-static const int XN_FLAG_FN_SN;
-static const int XN_FLAG_FN_LN;
-static const int XN_FLAG_FN_OID;
-static const int XN_FLAG_FN_NONE;
-static const int XN_FLAG_SPC_EQ;
-static const int XN_FLAG_DUMP_UNKNOWN_FIELDS;
-static const int XN_FLAG_FN_ALIGN;
-static const int XN_FLAG_RFC2253;
-static const int XN_FLAG_ONELINE;
-static const int XN_FLAG_MULTILINE;
+typedef void (*sk_X509_EXTENSION_freefunc)(X509_EXTENSION *);
"""
FUNCTIONS = """
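Review bot: The `X509_FLAG_*` and `XN_FLAG_*` constants dropped from TYPES at the end of this hunk are not re-declared anywhere in the visible diff, yet the CUSTOMIZATIONS hunk below explicitly keeps `Cryptography_X509_REVOKED_dup` "for pyOpenSSL", so downstream consumers of these bindings are evidently a concern. If the name-printing flags (`XN_FLAG_RFC2253`, `XN_FLAG_ONELINE`, ...) now live in another module, a one-line comment saying so next to the new `sk_X509_EXTENSION_freefunc` typedef would avoid a silent API removal for anyone calling `X509_NAME_print_ex` with them; if they were removed on purpose, that deserves a changelog line. The new typedef itself would also read better with its role stated, e.g. `/* per-element destructor passed to sk_X509_EXTENSION_pop_free */`.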
@@ -117,6 +49,7 @@ X509 *X509_new(void);
void X509_free(X509 *);
X509 *X509_dup(X509 *);
int X509_cmp(const X509 *, const X509 *);
+int X509_up_ref(X509 *);
int X509_print_ex(BIO *, X509 *, unsigned long, unsigned long);
@@ -134,27 +67,15 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *, long);
unsigned long X509_subject_name_hash(X509 *);
-X509_NAME *X509_get_subject_name(X509 *);
int X509_set_subject_name(X509 *, X509_NAME *);
-X509_NAME *X509_get_issuer_name(X509 *);
int X509_set_issuer_name(X509 *, X509_NAME *);
-int X509_get_ext_count(X509 *);
int X509_add_ext(X509 *, X509_EXTENSION *, int);
-X509_EXTENSION *X509_delete_ext(X509 *, int);
X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *);
-X509_EXTENSION *X509_get_ext(X509 *, int);
-int X509_get_ext_by_NID(X509 *, int, int);
-int X509_EXTENSION_get_critical(X509_EXTENSION *);
ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *);
void X509_EXTENSION_free(X509_EXTENSION *);
-X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **,
- ASN1_OBJECT *, int,
- ASN1_OCTET_STRING *);
-
-int i2d_X509(X509 *, unsigned char **);
int X509_REQ_set_version(X509_REQ *, long);
X509_REQ *X509_REQ_new(void);
@@ -163,11 +84,16 @@ int X509_REQ_set_pubkey(X509_REQ *, EVP_PKEY *);
int X509_REQ_set_subject_name(X509_REQ *, X509_NAME *);
int X509_REQ_sign(X509_REQ *, EVP_PKEY *, const EVP_MD *);
int X509_REQ_verify(X509_REQ *, EVP_PKEY *);
-int X509_REQ_digest(const X509_REQ *, const EVP_MD *,
- unsigned char *, unsigned int *);
EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *);
-int X509_REQ_print(BIO *, X509_REQ *);
int X509_REQ_print_ex(BIO *, X509_REQ *, unsigned long, unsigned long);
+int X509_REQ_add_extensions(X509_REQ *, X509_EXTENSIONS *);
+X509_EXTENSIONS *X509_REQ_get_extensions(X509_REQ *);
+X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *, int);
+int X509_REQ_get_attr_by_OBJ(const X509_REQ *, const ASN1_OBJECT *, int);
+void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *, int, int, void *);
+ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *, int);
+int X509_REQ_add1_attr_by_txt(X509_REQ *, const char *, int,
+ const unsigned char *, int);
int X509V3_EXT_print(BIO *, X509_EXTENSION *, unsigned long, int);
ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *);
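Review bot: The added `X509_ATTRIBUTE_get0_data` and `X509_ATTRIBUTE_get0_type` declarations carry no note on ownership, while the surrounding FUNCTIONS block otherwise leans on OpenSSL's get0/get1/add1 naming to convey it. Following that convention, both return pointers owned by the `X509_ATTRIBUTE` that must not be freed, and `X509_REQ_add1_attr_by_txt` copies the bytes it is given, so a short comment such as `/* get0 accessors return pointers owned by the attribute; do not free them */` above the pair would keep a Python-side caller from wrapping them in a gc finalizer. The `void *` last parameter of `X509_ATTRIBUTE_get0_data` is OpenSSL's own signature and is presumably passed as NULL by the bindings; confirming that in the same comment would help.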
@@ -177,18 +103,18 @@ void X509_REVOKED_free(X509_REVOKED *);
int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *);
-int X509_REVOKED_get_ext_count(X509_REVOKED *);
-X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *, int);
int X509_REVOKED_add_ext(X509_REVOKED *, X509_EXTENSION*, int);
int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long);
+X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *, int);
+
+int X509_REVOKED_set_revocationDate(X509_REVOKED *, ASN1_TIME *);
X509_CRL *X509_CRL_new(void);
+X509_CRL *X509_CRL_dup(X509_CRL *);
X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **);
-X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int);
int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *);
int X509_CRL_add_ext(X509_CRL *, X509_EXTENSION *, int);
int X509_CRL_cmp(const X509_CRL *, const X509_CRL *);
-int X509_CRL_get_ext_count(X509_CRL *);
int X509_CRL_print(BIO *, X509_CRL *);
int X509_CRL_set_issuer_name(X509_CRL *, X509_NAME *);
int X509_CRL_set_version(X509_CRL *, long);
@@ -224,43 +150,59 @@ int X509_set_serialNumber(X509 *, ASN1_INTEGER *);
const char *X509_verify_cert_error_string(long);
-const char *X509_get_default_cert_area(void);
const char *X509_get_default_cert_dir(void);
const char *X509_get_default_cert_file(void);
const char *X509_get_default_cert_dir_env(void);
const char *X509_get_default_cert_file_env(void);
-const char *X509_get_default_private_dir(void);
-
-int i2d_RSA_PUBKEY(RSA *, unsigned char **);
-RSA *d2i_RSA_PUBKEY(RSA **, const unsigned char **, long);
-RSA *d2i_RSAPublicKey(RSA **, const unsigned char **, long);
-RSA *d2i_RSAPrivateKey(RSA **, const unsigned char **, long);
-int i2d_DSA_PUBKEY(DSA *, unsigned char **);
-DSA *d2i_DSA_PUBKEY(DSA **, const unsigned char **, long);
-DSA *d2i_DSAPublicKey(DSA **, const unsigned char **, long);
-DSA *d2i_DSAPrivateKey(DSA **, const unsigned char **, long);
-
-RSA *d2i_RSAPrivateKey_bio(BIO *, RSA **);
+
int i2d_RSAPrivateKey_bio(BIO *, RSA *);
RSA *d2i_RSAPublicKey_bio(BIO *, RSA **);
int i2d_RSAPublicKey_bio(BIO *, RSA *);
-RSA *d2i_RSA_PUBKEY_bio(BIO *, RSA **);
-int i2d_RSA_PUBKEY_bio(BIO *, RSA *);
-DSA *d2i_DSA_PUBKEY_bio(BIO *, DSA **);
-int i2d_DSA_PUBKEY_bio(BIO *, DSA *);
-DSA *d2i_DSAPrivateKey_bio(BIO *, DSA **);
int i2d_DSAPrivateKey_bio(BIO *, DSA *);
-PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *,
- PKCS8_PRIV_KEY_INFO **);
-void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *);
-"""
+/* These became const X509 in 1.1.0 */
+int X509_get_ext_count(X509 *);
+X509_EXTENSION *X509_get_ext(X509 *, int);
+X509_NAME *X509_get_subject_name(X509 *);
+X509_NAME *X509_get_issuer_name(X509 *);
+
+/* This became const ASN1_OBJECT * in 1.1.0 */
+X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **,
+ ASN1_OBJECT *, int,
+ ASN1_OCTET_STRING *);
+
+
+/* This became const X509_EXTENSION * in 1.1.0 */
+int X509_EXTENSION_get_critical(X509_EXTENSION *);
+
+/* This became const X509_REVOKED * in 1.1.0 */
+int X509_REVOKED_get_ext_count(X509_REVOKED *);
+X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *, int);
+
+/* This became const X509_CRL * in 1.1.0 */
+X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int);
+int X509_CRL_get_ext_count(X509_CRL *);
+
+int X509_CRL_get0_by_serial(X509_CRL *, X509_REVOKED **, ASN1_INTEGER *);
+
+X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *);
+X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *);
+
+/* new in 1.0.2 */
+int i2d_re_X509_tbs(X509 *, unsigned char **);
+int X509_get_signature_nid(const X509 *);
+
+const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *);
+
+void X509_get0_signature(const ASN1_BIT_STRING **,
+ const X509_ALGOR **, const X509 *);
-MACROS = """
long X509_get_version(X509 *);
ASN1_TIME *X509_get_notBefore(X509 *);
ASN1_TIME *X509_get_notAfter(X509 *);
+ASN1_TIME *X509_getm_notBefore(X509 *);
+ASN1_TIME *X509_getm_notAfter(X509 *);
long X509_REQ_get_version(X509_REQ *);
X509_NAME *X509_REQ_get_subject_name(X509_REQ *);
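Review bot: The `/* new in 1.0.2 */` comment above `i2d_re_X509_tbs` and `X509_get_signature_nid` leaves it ambiguous whether it also covers `X509_get0_tbs_sigalg` and `X509_get0_signature` that follow after a blank line; the CUSTOMIZATIONS hunk in this same file provides `X509_get0_tbs_sigalg` only under `CRYPTOGRAPHY_OPENSSL_LESS_THAN_110`, which suggests it is a 1.1.0 API rather than a 1.0.2 one. Suggest `/* added in 1.1.0; CUSTOMIZATIONS supplies a shim for older OpenSSL */` above `X509_get0_tbs_sigalg`. These two accessors are what a caller needs to check that the TBSCertificate signature algorithm agrees with the outer signatureAlgorithm, so stating the minimum version precisely matters to anyone building that check on top of the bindings. `X509_get0_signature` is also declared here with `const` out-pointers; to my recollection the 1.0.2 prototype takes non-const pointers, which cffi tolerates, but a `/* This became const ... in 1.1.0 */` line like the ones earlier in the hunk would keep the pattern consistent.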
@@ -275,8 +217,10 @@ X509_EXTENSIONS *sk_X509_EXTENSION_new_null(void);
int sk_X509_EXTENSION_num(X509_EXTENSIONS *);
X509_EXTENSION *sk_X509_EXTENSION_value(X509_EXTENSIONS *, int);
int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *);
+int sk_X509_EXTENSION_insert(X509_EXTENSIONS *, X509_EXTENSION *, int);
X509_EXTENSION *sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int);
void sk_X509_EXTENSION_free(X509_EXTENSIONS *);
+void sk_X509_EXTENSION_pop_free(X509_EXTENSIONS *, sk_X509_EXTENSION_freefunc);
int sk_X509_REVOKED_num(Cryptography_STACK_OF_X509_REVOKED *);
X509_REVOKED *sk_X509_REVOKED_value(Cryptography_STACK_OF_X509_REVOKED *, int);
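Review bot: The new `sk_X509_EXTENSION_pop_free` declaration sits next to the existing `sk_X509_EXTENSION_free` with nothing distinguishing them, though their ownership semantics differ: `pop_free` invokes the supplied `sk_X509_EXTENSION_freefunc` on every element before releasing the stack, whereas `free` releases only the stack. A caller that frees elements individually and then uses `pop_free` double-frees. Suggest `/* frees every element with the callback, then the stack; do not pair with per-element X509_EXTENSION_free */` above the new line.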
@@ -287,12 +231,7 @@ int sk_X509_CRL_num(Cryptography_STACK_OF_X509_CRL *);
int sk_X509_CRL_push(Cryptography_STACK_OF_X509_CRL *, X509_CRL *);
X509_CRL *sk_X509_CRL_value(Cryptography_STACK_OF_X509_CRL *, int);
-int i2d_RSAPublicKey(RSA *, unsigned char **);
-int i2d_RSAPrivateKey(RSA *, unsigned char **);
-int i2d_DSAPublicKey(DSA *, unsigned char **);
-int i2d_DSAPrivateKey(DSA *, unsigned char **);
-
-int X509_CRL_get_version(X509_CRL *);
+long X509_CRL_get_version(X509_CRL *);
ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *);
ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *);
X509_NAME *X509_CRL_get_issuer(X509_CRL *);
@@ -303,61 +242,102 @@ int X509_CRL_set_lastUpdate(X509_CRL *, ASN1_TIME *);
int X509_CRL_set_nextUpdate(X509_CRL *, ASN1_TIME *);
int X509_set_notBefore(X509 *, ASN1_TIME *);
int X509_set_notAfter(X509 *, ASN1_TIME *);
+int X509_set1_notBefore(X509 *, ASN1_TIME *);
+int X509_set1_notAfter(X509 *, ASN1_TIME *);
-/* These use STACK_OF(X509_EXTENSION) in 0.9.8e. Once we drop support for
- RHEL/CentOS 5 we should move these back to FUNCTIONS. */
-int X509_REQ_add_extensions(X509_REQ *, X509_EXTENSIONS *);
-X509_EXTENSIONS *X509_REQ_get_extensions(X509_REQ *);
-
-int i2d_EC_PUBKEY(EC_KEY *, unsigned char **);
-EC_KEY *d2i_EC_PUBKEY(EC_KEY **, const unsigned char **, long);
EC_KEY *d2i_EC_PUBKEY_bio(BIO *, EC_KEY **);
int i2d_EC_PUBKEY_bio(BIO *, EC_KEY *);
-EC_KEY *d2i_ECPrivateKey(EC_KEY **, const unsigned char **, long);
EC_KEY *d2i_ECPrivateKey_bio(BIO *, EC_KEY **);
-int i2d_ECPrivateKey(EC_KEY *, unsigned char **);
int i2d_ECPrivateKey_bio(BIO *, EC_KEY *);
-EC_KEY *o2i_ECPublicKey(EC_KEY **, const unsigned char **, long);
-int i2o_ECPublicKey(EC_KEY *, unsigned char **);
-
// declared in safestack
int sk_ASN1_OBJECT_num(Cryptography_STACK_OF_ASN1_OBJECT *);
ASN1_OBJECT *sk_ASN1_OBJECT_value(Cryptography_STACK_OF_ASN1_OBJECT *, int);
void sk_ASN1_OBJECT_free(Cryptography_STACK_OF_ASN1_OBJECT *);
+Cryptography_STACK_OF_ASN1_OBJECT *sk_ASN1_OBJECT_new_null(void);
+int sk_ASN1_OBJECT_push(Cryptography_STACK_OF_ASN1_OBJECT *, ASN1_OBJECT *);
+
+/* these functions were added in 1.1.0 */
+const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *);
+const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *);
+void X509_CRL_get0_signature(const X509_CRL *, const ASN1_BIT_STRING **,
+ const X509_ALGOR **);
+int i2d_re_X509_REQ_tbs(X509_REQ *, unsigned char **);
+int i2d_re_X509_CRL_tbs(X509_CRL *, unsigned char **);
+void X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **,
+ const X509_ALGOR **);
"""
CUSTOMIZATIONS = """
-/* OpenSSL 0.9.8e does not have this definition. */
-#if OPENSSL_VERSION_NUMBER <= 0x0090805fL
-typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
-#endif
-#ifdef OPENSSL_NO_EC
-int (*i2d_EC_PUBKEY)(EC_KEY *, unsigned char **) = NULL;
-EC_KEY *(*d2i_EC_PUBKEY)(EC_KEY **, const unsigned char **, long) = NULL;
-EC_KEY *(*d2i_EC_PUBKEY_bio)(BIO *, EC_KEY **) = NULL;
-int (*i2d_EC_PUBKEY_bio)(BIO *, EC_KEY *) = NULL;
-EC_KEY *(*d2i_ECPrivateKey)(EC_KEY **, const unsigned char **, long) = NULL;
-EC_KEY *(*d2i_ECPrivateKey_bio)(BIO *, EC_KEY **) = NULL;
-int (*i2d_ECPrivateKey)(EC_KEY *, unsigned char **) = NULL;
-int (*i2d_ECPrivateKey_bio)(BIO *, EC_KEY *) = NULL;
-
-EC_KEY *(*o2i_ECPublicKey)(EC_KEY **, const unsigned char **, long) = NULL;
-int (*i2o_ECPublicKey)(EC_KEY *, unsigned char **) = NULL;
+#if CRYPTOGRAPHY_IS_LIBRESSL
+int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
+{
+ /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1
+ but older OpenSSLs don't have the enc ASN1_ENCODING member in the
+ X509 struct. Setting modified to 1 marks the encoding
+ (x->cert_info->enc.enc) as invalid, but since the entire struct isn't
+ present we don't care. */
+ return i2d_X509_CINF(x->cert_info, pp);
+}
#endif
-"""
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_EC": [
- "i2d_EC_PUBKEY",
- "d2i_EC_PUBKEY",
- "d2i_EC_PUBKEY_bio",
- "i2d_EC_PUBKEY_bio",
- "d2i_ECPrivateKey",
- "d2i_ECPrivateKey_bio",
- "i2d_ECPrivateKey",
- "i2d_ECPrivateKey_bio",
- "i2o_ECPublicKey",
- "o2i_ECPublicKey",
- ]
+/* Being kept around for pyOpenSSL */
+X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) {
+ return X509_REVOKED_dup(rev);
}
+/* Added in 1.1.0 but we need it in all versions now due to the great
+ opaquing. */
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
+{
+ req->req_info->enc.modified = 1;
+ return i2d_X509_REQ_INFO(req->req_info, pp);
+}
+int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
+ crl->crl->enc.modified = 1;
+ return i2d_X509_CRL_INFO(crl->crl, pp);
+}
+
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+int X509_up_ref(X509 *x) {
+ return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+}
+
+const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
+{
+ return x->cert_info->signature;
+}
+
+/* from x509/x509_req.c */
+void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
+ const X509_ALGOR **palg)
+{
+ if (psig != NULL)
+ *psig = req->signature;
+ if (palg != NULL)
+ *palg = req->sig_alg;
+}
+void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
+ const X509_ALGOR **palg)
+{
+ if (psig != NULL)
+ *psig = crl->signature;
+ if (palg != NULL)
+ *palg = crl->sig_alg;
+}
+const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *x)
+{
+ return x->revocationDate;
+}
+const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x)
+{
+ return x->serialNumber;
+}
+
+#define X509_set1_notBefore X509_set_notBefore
+#define X509_set1_notAfter X509_set_notAfter
+#define X509_getm_notAfter X509_get_notAfter
+#define X509_getm_notBefore X509_get_notBefore
+#endif
+#endif
+"""
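Review bot: The LibreSSL shim for `i2d_re_X509_tbs` returns `i2d_X509_CINF(x->cert_info, pp)` without invalidating the cached encoding, whereas the two sibling shims added further down, `i2d_re_X509_REQ_tbs` and `i2d_re_X509_CRL_tbs`, both set `enc.modified = 1` before encoding. The comment justifies the omission with "older OpenSSLs" lacking the `enc` member, but the guard is `CRYPTOGRAPHY_IS_LIBRESSL`, so the stated rationale and the actual condition do not match. If LibreSSL's `X509_CINF` does carry the `enc` member, the shim should mirror its siblings with `x->cert_info->enc.modified = 1;` ahead of the return; if it does not, the comment should say that about LibreSSL specifically. The "re" in the name promises a re-encode from the current structure, and returning a stale cached encoding for a modified object is precisely what a caller chose this function to avoid, so it is better settled in code than in a comment.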
diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py
index 23ac8483..d2bc5f4e 100644
--- a/src/_cffi_src/openssl/x509_vfy.py
+++ b/src/_cffi_src/openssl/x509_vfy.py
@@ -15,36 +15,23 @@ INCLUDES = """
* Note that the result is an opaque type.
*/
typedef STACK_OF(ASN1_OBJECT) Cryptography_STACK_OF_ASN1_OBJECT;
+typedef STACK_OF(X509_OBJECT) Cryptography_STACK_OF_X509_OBJECT;
"""
TYPES = """
-static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES;
-static const long Cryptography_HAS_102_VERIFICATION_PARAMS;
-static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST;
-static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN;
-static const long Cryptography_HAS_100_VERIFICATION_ERROR_CODES;
-static const long Cryptography_HAS_100_VERIFICATION_PARAMS;
-static const long Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE;
+static const long Cryptography_HAS_102_VERIFICATION;
+static const long Cryptography_HAS_110_VERIFICATION_PARAMS;
+static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER;
typedef ... Cryptography_STACK_OF_ASN1_OBJECT;
+typedef ... Cryptography_STACK_OF_X509_OBJECT;
+typedef ... X509_OBJECT;
typedef ... X509_STORE;
typedef ... X509_VERIFY_PARAM;
+typedef ... X509_STORE_CTX;
-typedef struct x509_store_ctx_st X509_STORE_CTX;
-struct x509_store_ctx_st {
- X509_STORE *ctx;
- int current_method;
- X509 *cert;
- Cryptography_STACK_OF_X509 *untrusted;
- Cryptography_STACK_OF_X509_CRL *crls;
- X509_VERIFY_PARAM *param;
- void *other_ctx;
- int (*verify)(X509_STORE_CTX *);
- int (*verify_cb)(int, X509_STORE_CTX *);
- int (*get_issuer)(X509 **, X509_STORE_CTX *, X509 *);
- ...;
-};
+typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **, X509_STORE_CTX *, X509 *);
/* While these are defined in the source as ints, they're tagged here
as longs, just in case they ever grow to large, such as what we saw
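Review bot: The new `X509_STORE_CTX_get_issuer_fn` typedef states nothing about its contract, and the same gap applies to `X509_STORE_CTX_get1_issuer` declared in a later hunk of this file. Under OpenSSL's convention the callback returns 1 after storing a new reference to the issuer through its first argument (the `get1` in the default implementation's name: the caller owns it and must `X509_free` it) and 0 when no issuer is found; the error-return value should be confirmed against the library documentation before being written down. Anyone installing a custom lookup via `X509_STORE_set_get_issuer` who gets that refcount wrong leaks or double-frees a certificate inside the verification path, so suggest `/* issuer lookup callback: return 1 and store a new reference (caller frees) in *issuer, 0 if no issuer found */` above the typedef.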
@@ -136,6 +123,16 @@ static const long X509_V_FLAG_SUITEB_128_LOS_ONLY;
static const long X509_V_FLAG_SUITEB_192_LOS;
static const long X509_V_FLAG_SUITEB_128_LOS;
static const long X509_V_FLAG_PARTIAL_CHAIN;
+
+static const long X509_LU_X509;
+static const long X509_LU_CRL;
+
+static const long X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
+static const long X509_CHECK_FLAG_NO_WILDCARDS;
+static const long X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
+static const long X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
+static const long X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
+static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
"""
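Review bot: The six `X509_CHECK_FLAG_*` constants are added without a note on which library versions define them, and the only fallback visible in this file's CUSTOMIZATIONS is for `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` (the rest of that block is outside this view). To my recollection the other five arrived with hostname verification in 1.0.2 and `NEVER_CHECK_SUBJECT` only in 1.1.0, which is consistent with that single fallback; a comment such as `/* hostname verification flags for X509_VERIFY_PARAM_set_hostflags; NEVER_CHECK_SUBJECT is 1.1.0+ and shimmed in CUSTOMIZATIONS */` would record that. Since these flags govern how tightly a peer's certificate name is matched, it is also worth a sentence on which ones the bindings intend callers to set by default.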
FUNCTIONS = """
@@ -151,7 +148,6 @@ int X509_STORE_set_default_paths(X509_STORE *);
int X509_STORE_set_flags(X509_STORE *, unsigned long);
void X509_STORE_free(X509_STORE *);
-
/* X509_STORE_CTX */
X509_STORE_CTX *X509_STORE_CTX_new(void);
void X509_STORE_CTX_cleanup(X509_STORE_CTX *);
@@ -175,6 +171,7 @@ int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *);
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *);
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *, int, void *);
void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *, int);
+int X509_STORE_CTX_get1_issuer(X509 **, X509_STORE_CTX *, X509 *);
/* X509_VERIFY_PARAM */
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
@@ -189,9 +186,11 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *,
Cryptography_STACK_OF_ASN1_OBJECT *);
void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *, int);
int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *);
-"""
+void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *);
+/* this CRYPTO_EX_DATA function became a macro in 1.1.0 */
+int X509_STORE_CTX_get_ex_new_index(long, void *, CRYPTO_EX_new *,
+ CRYPTO_EX_dup *, CRYPTO_EX_free *);
-MACROS = """
/* X509_STORE_CTX */
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *,
Cryptography_STACK_OF_X509_CRL *);
@@ -205,143 +204,74 @@ int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *,
int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *,
size_t);
int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *);
+
+int sk_X509_OBJECT_num(Cryptography_STACK_OF_X509_OBJECT *);
+X509_OBJECT *sk_X509_OBJECT_value(Cryptography_STACK_OF_X509_OBJECT *, int);
+X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *);
+Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *);
+X509 *X509_OBJECT_get0_X509(X509_OBJECT *);
+int X509_OBJECT_get_type(const X509_OBJECT *);
+
+/* added in 1.1.0 */
+X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *);
+X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *);
+void X509_STORE_set_get_issuer(X509_STORE *, X509_STORE_CTX_get_issuer_fn);
"""
CUSTOMIZATIONS = """
-/* OpenSSL 1.0.2+ verification error codes */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 1;
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_102_VERIFICATION = 1;
#else
-static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0;
+static const long Cryptography_HAS_102_VERIFICATION = 0;
static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
-static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
-static const long X509_V_ERR_EMAIL_MISMATCH = 0;
-static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
-#endif
-
-/* OpenSSL 1.0.2+ verification parameters */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
-#else
-static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0;
-/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
- below because it shows up in some earlier 3rd party OpenSSL packages. */
static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
static const long X509_V_FLAG_SUITEB_192_LOS = 0;
static const long X509_V_FLAG_SUITEB_128_LOS = 0;
-
-int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *,
- size_t) = NULL;
-int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *,
- size_t) = NULL;
-int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *,
- size_t) = NULL;
-int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) = NULL;
-void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *,
- unsigned int) = NULL;
#endif
-/* OpenSSL 1.0.2+ or Solaris's backport */
-#ifdef X509_V_FLAG_PARTIAL_CHAIN
-static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 1;
-#else
-static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 0;
-static const long X509_V_FLAG_PARTIAL_CHAIN = 0;
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 0;
+#ifndef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
+static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0;
#endif
-
-/* OpenSSL 1.0.2+, *or* Fedora 20's flavor of OpenSSL 1.0.1e... */
-#ifdef X509_V_FLAG_TRUSTED_FIRST
-static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 1;
#else
-static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 0;
-static const long X509_V_FLAG_TRUSTED_FIRST = 0;
+static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 1;
#endif
-/* OpenSSL 1.0.0+ verification error codes */
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-static const long Cryptography_HAS_100_VERIFICATION_ERROR_CODES = 1;
-#else
-static const long Cryptography_HAS_100_VERIFICATION_ERROR_CODES = 0;
-static const long X509_V_ERR_DIFFERENT_CRL_SCOPE = 0;
-static const long X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE = 0;
-static const long X509_V_ERR_PERMITTED_VIOLATION = 0;
-static const long X509_V_ERR_EXCLUDED_VIOLATION = 0;
-static const long X509_V_ERR_SUBTREE_MINMAX = 0;
-static const long X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE = 0;
-static const long X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = 0;
-static const long X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = 0;
-static const long X509_V_ERR_CRL_PATH_VALIDATION_ERROR = 0;
-#endif
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL
+Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *ctx) {
+ return ctx->objs;
+}
+X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store) {
+ return store->param;
+}
+int X509_OBJECT_get_type(const X509_OBJECT *x) {
+ return x->type;
+}
-/* OpenSSL 1.0.0+ verification parameters */
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-static const long Cryptography_HAS_100_VERIFICATION_PARAMS = 1;
-#else
-static const long Cryptography_HAS_100_VERIFICATION_PARAMS = 0;
-static const long X509_V_FLAG_EXTENDED_CRL_SUPPORT = 0;
-static const long X509_V_FLAG_USE_DELTAS = 0;
+/* from x509/x509_vfy.c */
+X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+{
+ return ctx->cert;
+}
+
+X509 *X509_OBJECT_get0_X509(X509_OBJECT *x) {
+ return x->data.x509;
+}
#endif
-/* OpenSSL 0.9.8recent+ */
-#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
-static const long Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE = 1;
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 0;
+typedef void *X509_STORE_CTX_get_issuer_fn;
+X509_STORE_CTX_get_issuer_fn (*X509_STORE_get_get_issuer)(X509_STORE *) = NULL;
+void (*X509_STORE_set_get_issuer)(X509_STORE *,
+ X509_STORE_CTX_get_issuer_fn) = NULL;
#else
-static const long Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE = 0;
-static const long X509_V_FLAG_CHECK_SS_SIGNATURE = 0;
+static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1;
#endif
"""
-
-CONDITIONAL_NAMES = {
- "Cryptography_HAS_102_VERIFICATION_ERROR_CODES": [
- 'X509_V_ERR_SUITE_B_INVALID_VERSION',
- 'X509_V_ERR_SUITE_B_INVALID_ALGORITHM',
- 'X509_V_ERR_SUITE_B_INVALID_CURVE',
- 'X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM',
- 'X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED',
- 'X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256',
- 'X509_V_ERR_HOSTNAME_MISMATCH',
- 'X509_V_ERR_EMAIL_MISMATCH',
- 'X509_V_ERR_IP_ADDRESS_MISMATCH'
- ],
- "Cryptography_HAS_102_VERIFICATION_PARAMS": [
- "X509_V_FLAG_SUITEB_128_LOS_ONLY",
- "X509_V_FLAG_SUITEB_192_LOS",
- "X509_V_FLAG_SUITEB_128_LOS",
- "X509_VERIFY_PARAM_set1_host",
- "X509_VERIFY_PARAM_set1_email",
- "X509_VERIFY_PARAM_set1_ip",
- "X509_VERIFY_PARAM_set1_ip_asc",
- "X509_VERIFY_PARAM_set_hostflags",
- ],
- "Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST": [
- "X509_V_FLAG_TRUSTED_FIRST",
- ],
- "Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN": [
- "X509_V_FLAG_PARTIAL_CHAIN",
- ],
- "Cryptography_HAS_100_VERIFICATION_ERROR_CODES": [
- 'X509_V_ERR_DIFFERENT_CRL_SCOPE',
- 'X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE',
- 'X509_V_ERR_UNNESTED_RESOURCE',
- 'X509_V_ERR_PERMITTED_VIOLATION',
- 'X509_V_ERR_EXCLUDED_VIOLATION',
- 'X509_V_ERR_SUBTREE_MINMAX',
- 'X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE',
- 'X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX',
- 'X509_V_ERR_UNSUPPORTED_NAME_SYNTAX',
- 'X509_V_ERR_CRL_PATH_VALIDATION_ERROR',
- ],
- "Cryptography_HAS_100_VERIFICATION_PARAMS": [
- "Cryptography_HAS_100_VERIFICATION_PARAMS",
- "X509_V_FLAG_EXTENDED_CRL_SUPPORT",
- "X509_V_FLAG_USE_DELTAS",
- ],
- "Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE": [
- "X509_V_FLAG_CHECK_SS_SIGNATURE",
- ]
-}
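Review bot: The `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` stub at L7729–L7730 makes the flag a silent no-op on OpenSSL < 1.1.0 and LibreSSL: OR-ing it into the hostflags there leaves the subject-CN fallback enabled while the caller believes it is disabled, so callers must gate on `Cryptography_HAS_110_VERIFICATION_PARAMS` (L7728/L7739) rather than on the name being present. A comment next to the stub would make that explicit, e.g. `/* stub only; check Cryptography_HAS_110_VERIFICATION_PARAMS before relying on this flag */`. Separately, the struct-access fallbacks at L7757–L7781 are compiled only when `!CRYPTOGRAPHY_IS_LIBRESSL`, yet the prototypes at L7668–L7676 are unconditional; if any supported LibreSSL release lacks one of them (the "added in 1.1.0" `X509_STORE_CTX_get0_cert` looks most at risk), the module will fail to link, which is worth confirming against the minimum LibreSSL version.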
diff --git a/src/_cffi_src/openssl/x509name.py b/src/_cffi_src/openssl/x509name.py
index be5b3a75..f88c8b06 100644
--- a/src/_cffi_src/openssl/x509name.py
+++ b/src/_cffi_src/openssl/x509name.py
@@ -15,49 +15,73 @@ typedef STACK_OF(X509_NAME_ENTRY) Cryptography_STACK_OF_X509_NAME_ENTRY;
"""
TYPES = """
+typedef ... Cryptography_STACK_OF_X509_NAME_ENTRY;
typedef ... X509_NAME;
typedef ... X509_NAME_ENTRY;
typedef ... Cryptography_STACK_OF_X509_NAME;
-typedef ... Cryptography_STACK_OF_X509_NAME_ENTRY;
"""
FUNCTIONS = """
X509_NAME *X509_NAME_new(void);
void X509_NAME_free(X509_NAME *);
-int X509_NAME_entry_count(X509_NAME *);
-X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *, int);
-ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *);
-ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *);
unsigned long X509_NAME_hash(X509_NAME *);
int i2d_X509_NAME(X509_NAME *, unsigned char **);
int X509_NAME_add_entry_by_txt(X509_NAME *, const char *, int,
const unsigned char *, int, int, int);
-int X509_NAME_add_entry_by_OBJ(X509_NAME *, ASN1_OBJECT *, int,
- unsigned char *, int, int, int);
-int X509_NAME_add_entry_by_NID(X509_NAME *, int, int, unsigned char *,
- int, int, int);
X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *, int);
void X509_NAME_ENTRY_free(X509_NAME_ENTRY *);
int X509_NAME_get_index_by_NID(X509_NAME *, int, int);
int X509_NAME_cmp(const X509_NAME *, const X509_NAME *);
-char *X509_NAME_oneline(X509_NAME *, char *, int);
X509_NAME *X509_NAME_dup(X509_NAME *);
-"""
+int Cryptography_X509_NAME_ENTRY_set(X509_NAME_ENTRY *);
+/* These became const X509_NAME * in 1.1.0 */
+int X509_NAME_entry_count(X509_NAME *);
+X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *, int);
+char *X509_NAME_oneline(X509_NAME *, char *, int);
+int X509_NAME_print_ex(BIO *, X509_NAME *, int, unsigned long);
+
+/* These became const X509_NAME_ENTRY * in 1.1.0 */
+ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *);
+ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *);
+int X509_NAME_add_entry(X509_NAME *, X509_NAME_ENTRY *, int, int);
+
+/* this became const unsigned char * in 1.1.0 */
+int X509_NAME_add_entry_by_NID(X509_NAME *, int, int, unsigned char *,
+ int, int, int);
+
+/* These became const ASN1_OBJECT * in 1.1.0 */
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **,
+ ASN1_OBJECT *, int,
+ const unsigned char *, int);
+int X509_NAME_add_entry_by_OBJ(X509_NAME *, ASN1_OBJECT *, int,
+ unsigned char *, int, int, int);
-MACROS = """
Cryptography_STACK_OF_X509_NAME *sk_X509_NAME_new_null(void);
int sk_X509_NAME_num(Cryptography_STACK_OF_X509_NAME *);
int sk_X509_NAME_push(Cryptography_STACK_OF_X509_NAME *, X509_NAME *);
X509_NAME *sk_X509_NAME_value(Cryptography_STACK_OF_X509_NAME *, int);
void sk_X509_NAME_free(Cryptography_STACK_OF_X509_NAME *);
int sk_X509_NAME_ENTRY_num(Cryptography_STACK_OF_X509_NAME_ENTRY *);
+Cryptography_STACK_OF_X509_NAME_ENTRY *sk_X509_NAME_ENTRY_new_null(void);
+int sk_X509_NAME_ENTRY_push(Cryptography_STACK_OF_X509_NAME_ENTRY *,
+ X509_NAME_ENTRY *);
X509_NAME_ENTRY *sk_X509_NAME_ENTRY_value(
Cryptography_STACK_OF_X509_NAME_ENTRY *, int);
+Cryptography_STACK_OF_X509_NAME_ENTRY *sk_X509_NAME_ENTRY_dup(
+ Cryptography_STACK_OF_X509_NAME_ENTRY *
+);
"""
CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+int Cryptography_X509_NAME_ENTRY_set(X509_NAME_ENTRY *ne) {
+ return X509_NAME_ENTRY_set(ne);
+}
+#else
+int Cryptography_X509_NAME_ENTRY_set(X509_NAME_ENTRY *ne) {
+ return ne->set;
+}
+#endif
"""
-
-CONDITIONAL_NAMES = {}
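Review bot: `sk_X509_NAME_ENTRY_dup` at L7917–L7919 copies only the stack of pointers, so the `X509_NAME_ENTRY` objects remain shared with the source stack, and this hunk declares no `sk_X509_NAME_ENTRY_free` to release the copy; unless it is declared elsewhere, a duplicated stack cannot be freed from the binding. Releasing it with anything that frees the entries would be a double free against the original name. A comment on the declaration would help callers: `/* shallow copy: entries are shared with the source stack; release with sk_X509_NAME_ENTRY_free, never a pop_free */`, plus `void sk_X509_NAME_ENTRY_free(Cryptography_STACK_OF_X509_NAME_ENTRY *);` if it is not already available.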
diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py
index 166fa59d..59681206 100644
--- a/src/_cffi_src/openssl/x509v3.py
+++ b/src/_cffi_src/openssl/x509v3.py
@@ -14,11 +14,8 @@ INCLUDES = """
* together with another opaque typedef for the same name in the TYPES section.
* Note that the result is an opaque type.
*/
-#if OPENSSL_VERSION_NUMBER >= 0x10000000
typedef LHASH_OF(CONF_VALUE) Cryptography_LHASH_OF_CONF_VALUE;
-#else
-typedef LHASH Cryptography_LHASH_OF_CONF_VALUE;
-#endif
+
typedef STACK_OF(ACCESS_DESCRIPTION) Cryptography_STACK_OF_ACCESS_DESCRIPTION;
typedef STACK_OF(DIST_POINT) Cryptography_STACK_OF_DIST_POINT;
typedef STACK_OF(POLICYQUALINFO) Cryptography_STACK_OF_POLICYQUALINFO;
@@ -33,6 +30,8 @@ typedef ... Cryptography_STACK_OF_POLICYQUALINFO;
typedef ... Cryptography_STACK_OF_POLICYINFO;
typedef ... Cryptography_STACK_OF_ASN1_INTEGER;
typedef ... Cryptography_STACK_OF_GENERAL_SUBTREE;
+typedef ... EXTENDED_KEY_USAGE;
+typedef ... CONF;
typedef struct {
X509 *issuer_cert;
@@ -42,12 +41,6 @@ typedef struct {
typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char **, long);
-typedef struct {
- ASN1_ITEM_EXP *it;
- X509V3_EXT_D2I d2i;
- ...;
-} X509V3_EXT_METHOD;
-
static const int GEN_OTHERNAME;
static const int GEN_EMAIL;
static const int GEN_X400;
@@ -59,7 +52,8 @@ static const int GEN_IPADD;
static const int GEN_RID;
typedef struct {
- ...;
+ ASN1_OBJECT *type_id;
+ ASN1_TYPE *value;
} OTHERNAME;
typedef struct {
@@ -76,6 +70,11 @@ typedef struct {
Cryptography_STACK_OF_GENERAL_SUBTREE *excludedSubtrees;
} NAME_CONSTRAINTS;
+typedef struct {
+ ASN1_INTEGER *requireExplicitPolicy;
+ ASN1_INTEGER *inhibitPolicyMapping;
+} POLICY_CONSTRAINTS;
+
typedef struct {
int type;
@@ -143,6 +142,15 @@ typedef struct {
} DIST_POINT;
typedef struct {
+ DIST_POINT_NAME *distpoint;
+ int onlyuser;
+ int onlyCA;
+ ASN1_BIT_STRING *onlysomereasons;
+ int indirectCRL;
+ int onlyattr;
+} ISSUING_DIST_POINT;
+
+typedef struct {
ASN1_STRING *organization;
Cryptography_STACK_OF_ASN1_INTEGER *noticenos;
} NOTICEREF;
@@ -165,35 +173,55 @@ typedef struct {
ASN1_OBJECT *policyid;
Cryptography_STACK_OF_POLICYQUALINFO *qualifiers;
} POLICYINFO;
+
+typedef void (*sk_GENERAL_NAME_freefunc)(GENERAL_NAME *);
+typedef void (*sk_DIST_POINT_freefunc)(DIST_POINT *);
+typedef void (*sk_POLICYINFO_freefunc)(POLICYINFO *);
+typedef void (*sk_ACCESS_DESCRIPTION_freefunc)(ACCESS_DESCRIPTION *);
"""
FUNCTIONS = """
int X509V3_EXT_add_alias(int, int);
void X509V3_set_ctx(X509V3_CTX *, X509 *, X509 *, X509_REQ *, X509_CRL *, int);
-X509_EXTENSION *X509V3_EXT_nconf(CONF *, X509V3_CTX *, char *, char *);
int GENERAL_NAME_print(BIO *, GENERAL_NAME *);
+GENERAL_NAMES *GENERAL_NAMES_new(void);
void GENERAL_NAMES_free(GENERAL_NAMES *);
void *X509V3_EXT_d2i(X509_EXTENSION *);
-"""
-
-MACROS = """
+int X509_check_ca(X509 *);
+/* X509 became a const arg in 1.1.0 */
+void *X509_get_ext_d2i(X509 *, int, int *, int *);
+/* The last two char * args became const char * in 1.1.0 */
+X509_EXTENSION *X509V3_EXT_nconf(CONF *, X509V3_CTX *, char *, char *);
/* This is a macro defined by a call to DECLARE_ASN1_FUNCTIONS in the
x509v3.h header. */
-int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *, unsigned char **);
BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void);
void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *);
/* This is a macro defined by a call to DECLARE_ASN1_FUNCTIONS in the
x509v3.h header. */
+AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
void AUTHORITY_KEYID_free(AUTHORITY_KEYID *);
NAME_CONSTRAINTS *NAME_CONSTRAINTS_new(void);
void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *);
+OTHERNAME *OTHERNAME_new(void);
+void OTHERNAME_free(OTHERNAME *);
+
+POLICY_CONSTRAINTS *POLICY_CONSTRAINTS_new(void);
+void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *);
+
void *X509V3_set_ctx_nodb(X509V3_CTX *);
+
+int i2d_GENERAL_NAMES(GENERAL_NAMES *, unsigned char **);
+GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **, const unsigned char **,
+ long);
+
int sk_GENERAL_NAME_num(struct stack_st_GENERAL_NAME *);
int sk_GENERAL_NAME_push(struct stack_st_GENERAL_NAME *, GENERAL_NAME *);
GENERAL_NAME *sk_GENERAL_NAME_value(struct stack_st_GENERAL_NAME *, int);
+void sk_GENERAL_NAME_pop_free(struct stack_st_GENERAL_NAME *,
+ sk_GENERAL_NAME_freefunc);
Cryptography_STACK_OF_ACCESS_DESCRIPTION *sk_ACCESS_DESCRIPTION_new_null(void);
int sk_ACCESS_DESCRIPTION_num(Cryptography_STACK_OF_ACCESS_DESCRIPTION *);
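Review bot: The comment on `X509_get_ext_d2i` at L8025–L8026 records only the const change, but the important contract for a function that decodes extensions from (presumably untrusted) certificates is that a NULL return is ambiguous between "extension absent" and "extension present but malformed", and only the `int *crit` out-parameter distinguishes them. Per the OpenSSL documentation a negative `*crit` means not found (or, with a NULL idx, found more than once), while a non-negative `*crit` alongside a NULL return means a decode failure that callers should treat as an error rather than as absence. Suggest extending the comment: `/* NULL return is ambiguous: inspect *crit (negative = absent/duplicate, otherwise decode error) */`.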
@@ -201,29 +229,56 @@ ACCESS_DESCRIPTION *sk_ACCESS_DESCRIPTION_value(
Cryptography_STACK_OF_ACCESS_DESCRIPTION *, int
);
void sk_ACCESS_DESCRIPTION_free(Cryptography_STACK_OF_ACCESS_DESCRIPTION *);
+void sk_ACCESS_DESCRIPTION_pop_free(Cryptography_STACK_OF_ACCESS_DESCRIPTION *,
+ sk_ACCESS_DESCRIPTION_freefunc);
int sk_ACCESS_DESCRIPTION_push(Cryptography_STACK_OF_ACCESS_DESCRIPTION *,
ACCESS_DESCRIPTION *);
+ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void);
+void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *);
+
X509_EXTENSION *X509V3_EXT_conf_nid(Cryptography_LHASH_OF_CONF_VALUE *,
X509V3_CTX *, int, char *);
-/* These aren't macros these functions are all const X on openssl > 1.0.x */
-const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *);
-const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int);
-
+Cryptography_STACK_OF_DIST_POINT *sk_DIST_POINT_new_null(void);
void sk_DIST_POINT_free(Cryptography_STACK_OF_DIST_POINT *);
int sk_DIST_POINT_num(Cryptography_STACK_OF_DIST_POINT *);
DIST_POINT *sk_DIST_POINT_value(Cryptography_STACK_OF_DIST_POINT *, int);
+int sk_DIST_POINT_push(Cryptography_STACK_OF_DIST_POINT *, DIST_POINT *);
+void sk_DIST_POINT_pop_free(Cryptography_STACK_OF_DIST_POINT *,
+ sk_DIST_POINT_freefunc);
+void CRL_DIST_POINTS_free(Cryptography_STACK_OF_DIST_POINT *);
void sk_POLICYINFO_free(Cryptography_STACK_OF_POLICYINFO *);
int sk_POLICYINFO_num(Cryptography_STACK_OF_POLICYINFO *);
POLICYINFO *sk_POLICYINFO_value(Cryptography_STACK_OF_POLICYINFO *, int);
+int sk_POLICYINFO_push(Cryptography_STACK_OF_POLICYINFO *, POLICYINFO *);
+Cryptography_STACK_OF_POLICYINFO *sk_POLICYINFO_new_null(void);
+void sk_POLICYINFO_pop_free(Cryptography_STACK_OF_POLICYINFO *,
+ sk_POLICYINFO_freefunc);
+void CERTIFICATEPOLICIES_free(Cryptography_STACK_OF_POLICYINFO *);
+
+POLICYINFO *POLICYINFO_new(void);
+void POLICYINFO_free(POLICYINFO *);
+
+POLICYQUALINFO *POLICYQUALINFO_new(void);
+void POLICYQUALINFO_free(POLICYQUALINFO *);
+
+NOTICEREF *NOTICEREF_new(void);
+void NOTICEREF_free(NOTICEREF *);
+
+USERNOTICE *USERNOTICE_new(void);
+void USERNOTICE_free(USERNOTICE *);
void sk_POLICYQUALINFO_free(Cryptography_STACK_OF_POLICYQUALINFO *);
int sk_POLICYQUALINFO_num(Cryptography_STACK_OF_POLICYQUALINFO *);
POLICYQUALINFO *sk_POLICYQUALINFO_value(Cryptography_STACK_OF_POLICYQUALINFO *,
int);
+int sk_POLICYQUALINFO_push(Cryptography_STACK_OF_POLICYQUALINFO *,
+ POLICYQUALINFO *);
+Cryptography_STACK_OF_POLICYQUALINFO *sk_POLICYQUALINFO_new_null(void);
+Cryptography_STACK_OF_GENERAL_SUBTREE *sk_GENERAL_SUBTREE_new_null(void);
void sk_GENERAL_SUBTREE_free(Cryptography_STACK_OF_GENERAL_SUBTREE *);
int sk_GENERAL_SUBTREE_num(Cryptography_STACK_OF_GENERAL_SUBTREE *);
GENERAL_SUBTREE *sk_GENERAL_SUBTREE_value(
@@ -232,14 +287,28 @@ GENERAL_SUBTREE *sk_GENERAL_SUBTREE_value(
int sk_GENERAL_SUBTREE_push(Cryptography_STACK_OF_GENERAL_SUBTREE *,
GENERAL_SUBTREE *);
+GENERAL_SUBTREE *GENERAL_SUBTREE_new(void);
+
void sk_ASN1_INTEGER_free(Cryptography_STACK_OF_ASN1_INTEGER *);
int sk_ASN1_INTEGER_num(Cryptography_STACK_OF_ASN1_INTEGER *);
ASN1_INTEGER *sk_ASN1_INTEGER_value(Cryptography_STACK_OF_ASN1_INTEGER *, int);
+int sk_ASN1_INTEGER_push(Cryptography_STACK_OF_ASN1_INTEGER *, ASN1_INTEGER *);
+Cryptography_STACK_OF_ASN1_INTEGER *sk_ASN1_INTEGER_new_null(void);
X509_EXTENSION *X509V3_EXT_i2d(int, int, void *);
+
+DIST_POINT *DIST_POINT_new(void);
+void DIST_POINT_free(DIST_POINT *);
+
+DIST_POINT_NAME *DIST_POINT_NAME_new(void);
+void DIST_POINT_NAME_free(DIST_POINT_NAME *);
+
+GENERAL_NAME *GENERAL_NAME_new(void);
+void GENERAL_NAME_free(GENERAL_NAME *);
+
+ISSUING_DIST_POINT *ISSUING_DIST_POINT_new(void);
+void ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *);
"""
CUSTOMIZATIONS = """
"""
-
-CONDITIONAL_NAMES = {}
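Review bot: `GENERAL_SUBTREE_new` at L8118 is added without a matching `GENERAL_SUBTREE_free`, unlike every other type in this hunk (DIST_POINT, DIST_POINT_NAME, GENERAL_NAME, ISSUING_DIST_POINT each get a new/free pair). With only `sk_GENERAL_SUBTREE_free` at L8112, a subtree that is allocated but never pushed, or whose push fails, cannot be released and leaks, and a stack freed with `sk_GENERAL_SUBTREE_free` leaks its elements. Suggest adding `void GENERAL_SUBTREE_free(GENERAL_SUBTREE *);` and, mirroring the other stacks, a `typedef void (*sk_GENERAL_SUBTREE_freefunc)(GENERAL_SUBTREE *);` with `void sk_GENERAL_SUBTREE_pop_free(Cryptography_STACK_OF_GENERAL_SUBTREE *, sk_GENERAL_SUBTREE_freefunc);`.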
diff --git a/src/_cffi_src/utils.py b/src/_cffi_src/utils.py
index 65f9f120..eecd6ea1 100644
--- a/src/_cffi_src/utils.py
+++ b/src/_cffi_src/utils.py
@@ -4,61 +4,53 @@
from __future__ import absolute_import, division, print_function
+import os
import sys
+from distutils.ccompiler import new_compiler
+from distutils.dist import Distribution
from cffi import FFI
-def build_ffi_for_binding(module_name, module_prefix, modules, pre_include="",
- post_include="", libraries=[], extra_compile_args=[],
- extra_link_args=[]):
+# Load the cryptography __about__ to get the current package version
+base_src = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+about = {}
+with open(os.path.join(base_src, "cryptography", "__about__.py")) as f:
+ exec(f.read(), about)
+
+
+def build_ffi_for_binding(module_name, module_prefix, modules, libraries=[],
+ extra_compile_args=[], extra_link_args=[]):
"""
Modules listed in ``modules`` should have the following attributes:
* ``INCLUDES``: A string containing C includes.
* ``TYPES``: A string containing C declarations for types.
- * ``FUNCTIONS``: A string containing C declarations for functions.
- * ``MACROS``: A string containing C declarations for any macros.
+ * ``FUNCTIONS``: A string containing C declarations for functions & macros.
* ``CUSTOMIZATIONS``: A string containing arbitrary top-level C code, this
can be used to do things like test for a define and provide an
alternate implementation based on that.
- * ``CONDITIONAL_NAMES``: A dict mapping strings of condition names from the
- library to a list of names which will not be present without the
- condition.
"""
types = []
includes = []
functions = []
- macros = []
customizations = []
for name in modules:
__import__(module_prefix + name)
module = sys.modules[module_prefix + name]
types.append(module.TYPES)
- macros.append(module.MACROS)
functions.append(module.FUNCTIONS)
includes.append(module.INCLUDES)
customizations.append(module.CUSTOMIZATIONS)
- # We include functions here so that if we got any of their definitions
- # wrong, the underlying C compiler will explode. In C you are allowed
- # to re-declare a function if it has the same signature. That is:
- # int foo(int);
- # int foo(int);
- # is legal, but the following will fail to compile:
- # int foo(int);
- # int foo(short);
verify_source = "\n".join(
- [pre_include] +
includes +
- [post_include] +
- functions +
customizations
)
ffi = build_ffi(
module_name,
- cdef_source="\n".join(types + functions + macros),
+ cdef_source="\n".join(types + functions),
verify_source=verify_source,
libraries=libraries,
extra_compile_args=extra_compile_args,
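Review bot: Dropping `functions` from `verify_source` at L8205 together with the comment at L8193–L8200 removes the compile-time prototype check that comment described, and the reason is not recorded anywhere; presumably the modules now keep pre-1.1.0 non-const prototypes (as their own "became const in 1.1.0" comments say) that would conflict with newer headers. A one-line comment where the join is built would preserve that: `# FUNCTIONS are intentionally not redeclared here: several prototypes keep their pre-1.1.0 (non-const) form and would conflict with newer headers.`. The `exec` at L8160–L8161 runs `__about__.py` at import time of this helper, so the version is fixed when the build module is imported; it is the project's own file, but the `open()` has no explicit encoding, which is fine only while that file stays ASCII.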
@@ -71,6 +63,11 @@ def build_ffi_for_binding(module_name, module_prefix, modules, pre_include="",
def build_ffi(module_name, cdef_source, verify_source, libraries=[],
extra_compile_args=[], extra_link_args=[]):
ffi = FFI()
+ # Always add the CRYPTOGRAPHY_PACKAGE_VERSION to the shared object
+ cdef_source += "\nstatic const char *const CRYPTOGRAPHY_PACKAGE_VERSION;"
+ verify_source += '\n#define CRYPTOGRAPHY_PACKAGE_VERSION "{}"'.format(
+ about["__version__"]
+ )
ffi.cdef(cdef_source)
ffi.set_source(
module_name,
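Review bot: The version string is interpolated into a C string literal at L8221–L8223 with no escaping, so a `__version__` containing `"` or `\` would yield a malformed or different `#define` rather than a clear build error. The value comes from the project's own `__about__.py`, so this is a robustness point, not an injection risk, but a guard costs two lines: `if '"' in about["__version__"] or "\\" in about["__version__"]:` followed by `raise ValueError("__version__ must not contain quotes or backslashes")`. build_ffi's body continues outside the hunk.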
@@ -82,10 +79,23 @@ def build_ffi(module_name, cdef_source, verify_source, libraries=[],
return ffi
-def extra_link_args(platform):
- if platform != "win32":
- return []
+def extra_link_args(compiler_type):
+ if compiler_type == 'msvc':
+ # Enable NX and ASLR for Windows builds on MSVC. These are enabled by
+ # default on Python 3.3+ but not on 2.x.
+ return ['/NXCOMPAT', '/DYNAMICBASE']
else:
- # Enable NX and ASLR for Windows builds. These are enabled by default
- # on Python 3.3+ but not on 2.x.
- return ["/NXCOMPAT", "/DYNAMICBASE"]
+ return []
+
+
+def compiler_type():
+ """
+ Gets the compiler type from distutils. On Windows with MSVC it will be
+ "msvc". On macOS and linux it is "unix".
+ """
+ dist = Distribution()
+ dist.parse_config_files()
+ cmd = dist.get_command_obj('build')
+ cmd.ensure_finalized()
+ compiler = new_compiler(compiler=cmd.compiler)
+ return compiler.compiler_type
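Review bot: `extra_link_args` now applies `/NXCOMPAT` and `/DYNAMICBASE` only when `compiler_type == 'msvc'` (L8233–L8236), so a Windows build with a non-MSVC toolchain such as mingw gets no DEP/ASLR hardening; the old `platform == "win32"` branch would have passed MSVC-only flags to that linker anyway, so this is probably deliberate, but if mingw builds are supported the GNU ld equivalents are `-Wl,--nxcompat,--dynamicbase`. The parameter name `compiler_type` also shadows the module-level `compiler_type()` function defined at L8244 inside `extra_link_args`, which is harmless here but easy to misread. The docstring at L8245–L8248 could note that `dist.parse_config_files()` means a `[build] compiler=` setting in setup.cfg determines the result, not only the host platform.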