From 10a81a93b5b9a77a3022eaf4e24d28fa6e3fca0e Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Tue, 25 Aug 2015 20:57:35 +0200
Subject: add set_cert_cb
---
 src/_cffi_src/openssl/ssl.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'src')
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 7a7968a1..798fcb16 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -45,6 +45,7 @@ static const long Cryptography_HAS_SSL_OP_NO_TICKET;
 static const long Cryptography_HAS_NETBSD_D1_METH;
 static const long Cryptography_HAS_NEXTPROTONEG;
 static const long Cryptography_HAS_ALPN;
+static const long Cryptography_HAS_SET_CERT_CB;
 
 static const long SSL_FILETYPE_PEM;
 static const long SSL_FILETYPE_ASN1;
@@ -406,6 +407,12 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *,
 void SSL_get0_alpn_selected(const SSL *, const unsigned char **, unsigned *);
 
 long SSL_get_server_tmp_key(SSL *, EVP_PKEY **);
+
+/* SSL_CTX_set_cert_cb is introduced in OpenSSL 1.0.2. To continue to support
+ * earlier versions some special handling of these is necessary.
+ */
+void SSL_CTX_set_cert_cb(SSL_CTX *, int (*)(SSL *, void *), void *);
+void SSL_set_cert_cb(SSL *, int (*)(SSL *, void *), void *);
 """
 
 CUSTOMIZATIONS = """
@@ -609,6 +616,16 @@ static const long Cryptography_HAS_ALPN = 0;
 static const long Cryptography_HAS_ALPN = 1;
 #endif
 
+/* SSL_CTX_set_cert_cb was added in OpenSSL 1.0.2. */
+#if OPENSSL_VERSION_NUMBER < 0x10002001L || defined(LIBRESSL_VERSION_NUMBER)
+void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL;
+void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL;
+static const long Cryptography_HAS_SET_CERT_CB = 0;
+#else
+static const long Cryptography_HAS_SET_CERT_CB = 1;
+#endif
+
+
 #if defined(OPENSSL_NO_COMP) || defined(LIBRESSL_VERSION_NUMBER)
 static const long Cryptography_HAS_COMPRESSION = 0;
 typedef void COMP_METHOD;
-- 
cgit v1.2.3
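Review bot: The comment above the new `SSL_CTX_set_cert_cb`/`SSL_set_cert_cb` declarations says only that "some special handling of these is necessary", so a reader of the declaration cannot tell that on pre-1.0.2 OpenSSL and on LibreSSL the CUSTOMIZATIONS hunk of this same commit defines both symbols as NULL function pointers and sets `Cryptography_HAS_SET_CERT_CB` to 0. Suggest stating that where the functions are declared, e.g. `/* Added in OpenSSL 1.0.2. On older OpenSSL and on LibreSSL the CUSTOMIZATIONS define these as NULL and Cryptography_HAS_SET_CERT_CB is 0, so callers must check that flag before use. */`. The guard `OPENSSL_VERSION_NUMBER < 0x10002001L` appears to correspond to 1.0.2-beta1 rather than the 1.0.2 release that both comments name; if the beta cut-off is intentional, a word in the comment would avoid the mismatch. The declarations sit inside the module's C-declaration string literals, which begin and end outside these hunks.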
From 21569bf71e32ece2f5dc0dfc40373b7b95ea3167 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 25 Aug 2015 14:46:52 -0500 Subject: add conditional removal for SET_CERT_CB --- src/cryptography/hazmat/bindings/openssl/_conditional.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index adf00b02..670710b1 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -410,5 +410,9 @@ CONDITIONAL_NAMES = { ], "Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE": [ "X509_V_FLAG_CHECK_SS_SIGNATURE", - ] + ], + "Cryptography_HAS_SET_CERT_CB": [ + "SSL_CTX_set_cert_cb", + "SSL_set_cert_cb", + ], } -- cgit v1.2.3 From aad39497b8fd352dff4342d41d3eb69b0225dc10 Mon Sep 17 00:00:00 2001 From: Terry Chia Date: Fri, 28 Aug 2015 23:15:47 +0800 Subject: Add SSL_renegotiate binding. --- src/_cffi_src/openssl/ssl.py | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 798fcb16..f14aaba7 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -205,6 +205,7 @@ Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *); int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); +int SSL_renegotiate(SSL *); const char *SSL_get_cipher_list(const SSL *, int); Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *); -- cgit v1.2.3 From c6a73cb16f00889b53d368359059141d75a26be0 Mon Sep 17 00:00:00 2001 From: kjav Date: Fri, 28 Aug 2015 16:44:16 +0100 Subject: Added bindings for SSL_renegotiate_ --- src/_cffi_src/openssl/ssl.py | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index f14aaba7..a5423552 100644 
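Review bot: `int SSL_renegotiate(SSL *);` is added with no comment, and unlike `SSL_do_handshake` two lines above it does not perform a handshake itself: it only schedules a renegotiation that the next `SSL_do_handshake` (or I/O call) carries out, which is easy to misread from the Python side. Suggest `/* Schedules a renegotiation; the handshake itself is driven by the next SSL_do_handshake/SSL_read/SSL_write. */` above the declaration. Since renegotiation has a history of protocol-level problems, it is also worth noting for callers that the peer's support for secure renegotiation (RFC 5746) should be confirmed before relying on it. The declaration block is a C string literal that begins and ends outside the hunk.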
--- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -206,6 +206,8 @@ int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); int SSL_renegotiate(SSL *); +int SSL_renegotiate_abbreviated(SSL *); +int SSL_renegotiate_pending(SSL *); const char *SSL_get_cipher_list(const SSL *, int); Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *); -- cgit v1.2.3 From 729abcf1d552fd215aad864152d227d11580e0c7 Mon Sep 17 00:00:00 2001 From: kjav Date: Fri, 28 Aug 2015 16:54:22 +0100 Subject: Removed SSL_renegotiate_abbreviated binding As this is not supported in OpenSSL < 1.01 --- src/_cffi_src/openssl/ssl.py | 1 - 1 file changed, 1 deletion(-) (limited to 'src') diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index a5423552..ccabb872 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -206,7 +206,6 @@ int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); int SSL_renegotiate(SSL *); -int SSL_renegotiate_abbreviated(SSL *); int SSL_renegotiate_pending(SSL *); const char *SSL_get_cipher_list(const SSL *, int); Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *); -- cgit v1.2.3 From 1055431497ded70c1ef766ea7e543e6c4bc4f0da Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 29 Aug 2015 15:47:53 -0500 Subject: add support for static linking of the openssl backend on OS X --- src/_cffi_src/build_openssl.py | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 6a5bf2da..bd8cf73e 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -4,6 +4,7 @@ from __future__ import absolute_import, division, print_function +import os import sys from _cffi_src.utils import build_ffi_for_binding, extra_link_args 
@@ -11,15 +12,27 @@ from _cffi_src.utils import build_ffi_for_binding, extra_link_args def _get_openssl_libraries(platform): # OpenSSL goes by a different library name on different operating systems. - if platform != "win32": + if platform == "darwin": + return _osx_libraries( + os.environ.get("CRYPTOGRAPHY_BUILD_STATIC", None) + ) + elif platform == "win32": + return ["libeay32", "ssleay32", "advapi32", + "crypt32", "gdi32", "user32", "ws2_32"] + else: # In some circumstances, the order in which these libs are # specified on the linker command-line is significant; # libssl must come before libcrypto # (http://marc.info/?l=openssl-users&m=135361825921871) return ["ssl", "crypto"] + + +def _osx_libraries(build_static): + # For building statically we don't want to pass the -lssl or -lcrypto flags + if build_static == "1": + return [] else: - return ["libeay32", "ssleay32", "advapi32", - "crypt32", "gdi32", "user32", "ws2_32"] + return ["ssl", "crypto"] _OSX_PRE_INCLUDE = """ -- cgit v1.2.3 From 89656cd08cf0369677b298f30ba754cb62e5009b Mon Sep 17 00:00:00 2001 
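Review bot: In the new `_osx_libraries` the `else:` after an unconditional `return []` is unnecessary; a guard clause reads better: `if build_static == "1":` / `    return []` / `return ["ssl", "crypto"]`. The comment also does not say how the OpenSSL objects reach the linker when the list is empty — presumably through link flags supplied by the build environment, which this hunk does not show — so a sentence such as `# CRYPTOGRAPHY_BUILD_STATIC=1 means the caller supplies the OpenSSL link inputs itself, so emit no -lssl/-lcrypto` would help the next reader. Note that only the exact string "1" enables the behaviour; any other value silently falls through to the dynamic default. `_get_openssl_libraries` and `_osx_libraries` both end inside the hunk; the module continues past it.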
From: Paul Kehrer Date: Sat, 29 Aug 2015 18:18:53 -0500 Subject: Resolve an unusual test bug related to initializing the bindings To make calls against the "SSL" parts of OpenSSL you need to call SSL_library_init. There are multiple ways this can be called: * If you're using the same OpenSSL in cryptography as you are in your Python then Python will call it for you. * If you import the openssl backend. These tests need SSL_library_init to be called. When run in our CI SSL_library_init is called because during the parametrization step the OpenSSL backend is imported (thus triggering it). However, you can also run tests directly via py.test and without this change py.test tests/hazmat/bindings/test_openssl.py would crash if you had cryptography linked against a different OpenSSL than your Python used. --- src/cryptography/hazmat/backends/openssl/backend.py | 7 ------- src/cryptography/hazmat/bindings/openssl/binding.py | 6 ++++++ 2 files changed, 6 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 8c4abcd6..197bcb8c 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -529,13 +529,6 @@ class Backend(object): self._binding.init_static_locks() - # adds all ciphers/digests for EVP - self._lib.OpenSSL_add_all_algorithms() - # registers available SSL/TLS ciphers and digests - self._lib.SSL_library_init() - # loads error strings for libcrypto and libssl functions - self._lib.SSL_load_error_strings() - self._cipher_registry = {} self._register_default_ciphers() self.activate_osrandom_engine() diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index e18d89c5..50d7f6d5 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py 
@@ -92,6 +92,12 @@ class Binding(object): if not cls._lib_loaded: cls.lib = build_conditional_library(lib, CONDITIONAL_NAMES) cls._lib_loaded = True + # initialize the SSL library + cls.lib.SSL_library_init() + # adds all ciphers/digests for EVP + cls.lib.OpenSSL_add_all_algorithms() + # loads error strings for libcrypto and libssl functions + cls.lib.SSL_load_error_strings() cls._register_osrandom_engine() @classmethod -- cgit v1.2.3 From 7539dcb6e424e27f6bb270571b9410bd6ad36aac Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 29 Aug 2015 21:00:54 -0500 Subject: no need for None --- src/_cffi_src/build_openssl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index bd8cf73e..49d7464c 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -14,7 +14,7 @@ def _get_openssl_libraries(platform): # OpenSSL goes by a different library name on different operating systems. if platform == "darwin": return _osx_libraries( - os.environ.get("CRYPTOGRAPHY_BUILD_STATIC", None) + os.environ.get("CRYPTOGRAPHY_BUILD_STATIC") ) elif platform == "win32": return ["libeay32", "ssleay32", "advapi32", -- cgit v1.2.3 From 7402cf1c676ffb7ba48d6e90227bb4b1397af12d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 31 Aug 2015 12:34:30 -0500 Subject: rename env var to CRYPTOGRAPHY_OSX_NO_LINK_FLAGS --- src/_cffi_src/build_openssl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 49d7464c..defa69d3 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py 
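Review bot: The comment `# initialize the SSL library` above `cls.lib.SSL_library_init()` restates the call, while the reason these three calls moved here from the backend — given in the commit message but not in the code — is that the bindings can be used (e.g. by the tests) without a Backend ever being constructed, and Python's own `ssl` module only initialises the OpenSSL it is linked against, which may differ from ours. Suggest replacing it with `# Initialise OpenSSL here rather than in Backend.__init__: the bindings are usable without a Backend, and Python only initialises the OpenSSL it was itself linked against, which may not be ours.` As far as I know these initialisation functions are not thread-safe in OpenSSL 1.0.x, so placing them under `if not cls._lib_loaded:` only works if that check is serialised; the enclosing method begins outside the hunk, so I cannot see whether a lock is held.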
@@ -14,7 +14,7 @@ def _get_openssl_libraries(platform): # OpenSSL goes by a different library name on different operating systems. if platform == "darwin": return _osx_libraries( - os.environ.get("CRYPTOGRAPHY_BUILD_STATIC") + os.environ.get("CRYPTOGRAPHY_OSX_NO_LINK_FLAGS") ) elif platform == "win32": return ["libeay32", "ssleay32", "advapi32", -- cgit v1.2.3
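Review bot: Renaming the variable to `CRYPTOGRAPHY_OSX_NO_LINK_FLAGS` leaves the callee `_osx_libraries(build_static)` and its `# For building statically` comment, introduced two commits earlier and not part of this hunk, describing the old meaning. Renaming the parameter to `no_link_flags` and rewording the comment to `# CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1: the caller supplies the OpenSSL link inputs itself, so do not emit -lssl/-lcrypto` keeps the two in step. `_get_openssl_libraries` continues outside the hunk.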