diff --git a/Jenkinsfile b/Jenkinsfile
index ca49527caa1a..5b748b428a49 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -63,6 +63,11 @@ def configs = [
 imageName: 'pyca/cryptography-runner-jessie-libressl:2.6.4',
 toxenvs: ['py27'],
 ],
+ [
+ label: 'docker',
+ imageName: 'pyca/cryptography-runner-jessie-libressl:2.7.2',
+ toxenvs: ['py27'],
+ ],
 [
 label: 'docker',
 imageName: 'pyca/cryptography-runner-ubuntu-xenial',
diff --git a/src/_cffi_src/openssl/crypto.py b/src/_cffi_src/openssl/crypto.py
index dfff21bb766d..f78e60e0f6bf 100644
--- a/src/_cffi_src/openssl/crypto.py
+++ b/src/_cffi_src/openssl/crypto.py
@@ -92,7 +92,7 @@
 # define OPENSSL_PLATFORM SSLEAY_PLATFORM
 # define OPENSSL_DIR SSLEAY_DIR
 #endif
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
 static const long Cryptography_HAS_LOCKING_CALLBACKS = 1;
 #else
 static const long Cryptography_HAS_LOCKING_CALLBACKS = 0;
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index 4f9378d338b8..adabc3ce6f0d 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
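Review bot: The `|| CRYPTOGRAPHY_IS_LIBRESSL` term added to the Cryptography_HAS_LOCKING_CALLBACKS guard in crypto.py has no version bound and no comment, so the flag stays 1 for every LibreSSL release, present and future, even though this commit makes the version macros LibreSSL-aware. The flag name suggests it decides whether locking callbacks are registered, which is a thread-safety decision, so the reason should sit next to the guard, for example `/* LibreSSL keeps the pre-1.1.0 locking API; revisit when it changes */` (wording for the author to confirm). The same unbounded LibreSSL override recurs in the ct.py, ssl.py, x509.py and x509_vfy.py hunks. The enclosing string literal starts and ends outside this hunk.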
@@ -28,27 +28,51 @@
 #include
 #endif
+#if CRYPTOGRAPHY_IS_LIBRESSL
 #define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ (LIBRESSL_VERSION_NUMBER >= 0x20700000)
 #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
+ (LIBRESSL_VERSION_NUMBER >= 0x20700000)
 #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ (LIBRESSL_VERSION_NUMBER >= 0x20700000)
 #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+ (LIBRESSL_VERSION_NUMBER >= 0x20700000)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \
- (OPENSSL_VERSION_NUMBER < 0x10002000 || CRYPTOGRAPHY_IS_LIBRESSL)
+ (LIBRESSL_VERSION_NUMBER < 0x20700000)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I \
- (OPENSSL_VERSION_NUMBER < 0x1000209f || CRYPTOGRAPHY_IS_LIBRESSL)
+ (LIBRESSL_VERSION_NUMBER < 0x20700000)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 \
- (OPENSSL_VERSION_NUMBER < 0x10100000 || CRYPTOGRAPHY_IS_LIBRESSL)
+ (LIBRESSL_VERSION_NUMBER < 0x20700000)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE4 \
- (OPENSSL_VERSION_NUMBER < 0x10100004 || CRYPTOGRAPHY_IS_LIBRESSL)
+ (LIBRESSL_VERSION_NUMBER < 0x20700000)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 \
- (OPENSSL_VERSION_NUMBER < 0x10100005 || CRYPTOGRAPHY_IS_LIBRESSL)
+ (LIBRESSL_VERSION_NUMBER < 0x20700000)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE6 \
- (OPENSSL_VERSION_NUMBER < 0x10100006 || CRYPTOGRAPHY_IS_LIBRESSL)
+ (LIBRESSL_VERSION_NUMBER < 0x20700000)
+#else
+#define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10002000)
+#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x100020cf)
+#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10100000)
+#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x1010006f)
+
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \ + (OPENSSL_VERSION_NUMBER < 0x10002000) +#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I \ + (OPENSSL_VERSION_NUMBER < 0x1000209f) +#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 \ + (OPENSSL_VERSION_NUMBER < 0x10100000) +#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE4 \ + (OPENSSL_VERSION_NUMBER < 0x10100004) +#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 \ + (OPENSSL_VERSION_NUMBER < 0x10100005) +#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE6 \ + (OPENSSL_VERSION_NUMBER < 0x10100006) +#endif """ TYPES = """ diff --git a/src/_cffi_src/openssl/ct.py b/src/_cffi_src/openssl/ct.py index 21018d7e4957..d918855709e9 100644 --- a/src/_cffi_src/openssl/ct.py +++ b/src/_cffi_src/openssl/ct.py @@ -5,7 +5,7 @@ from __future__ import absolute_import, division, print_function INCLUDES = """ -#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER +#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !CRYPTOGRAPHY_IS_LIBRESSL #include typedef STACK_OF(SCT) Cryptography_STACK_OF_SCT; @@ -55,7 +55,7 @@ """ CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER +#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !CRYPTOGRAPHY_IS_LIBRESSL static const long Cryptography_HAS_SCT = 1; #else static const long Cryptography_HAS_SCT = 0; diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index d9b11259dbcf..abbc8daf788e 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -671,7 +671,7 @@ /* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were removed */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 +#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL static const long Cryptography_HAS_SSL_ST = 1; #else static const long Cryptography_HAS_SSL_ST = 0; 
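Review bot: In the LibreSSL branch of cryptography.py all ten macros compare against the same `0x20700000`, so names such as `CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER` or `CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I` no longer describe what they test. Per the removed lines, every `LESS_THAN_*` macro used to be true and every `*_OR_GREATER` macro false on any LibreSSL; now each flips at 2.7.0, which changes the meaning of every `#if` in the bindings that this commit does not touch. A guard that was missed will either fail to build or quietly select the OpenSSL 1.1.0 code path, so the branch should state its contract, e.g. `/* LibreSSL >= 2.7.0 is treated as providing the OpenSSL 1.1.0 API; guards where that is false must also test CRYPTOGRAPHY_IS_LIBRESSL. */`. Defining the cutoff once and deriving the ten macros from it would also avoid ten copies of the literal.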
@@ -680,7 +680,7 @@ static const long SSL_ST_INIT = 0; static const long SSL_ST_RENEGOTIATE = 0; #endif -#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER +#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !CRYPTOGRAPHY_IS_LIBRESSL static const long Cryptography_HAS_TLS_ST = 1; #else static const long Cryptography_HAS_TLS_ST = 0; diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 2b845118d0a3..955f9304546a 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -360,7 +360,7 @@ /* Added in 1.0.2 but we need it in all versions now due to the great opaquing. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 +#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || CRYPTOGRAPHY_IS_LIBRESSL /* from x509/x_x509.c */ int i2d_re_X509_tbs(X509 *x, unsigned char **pp) { @@ -406,15 +406,6 @@ if (palg != NULL) *palg = req->sig_alg; } -int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) -{ - req->req_info->enc.modified = 1; - return i2d_X509_REQ_INFO(req->req_info, pp); -} -int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) { - crl->crl->enc.modified = 1; - return i2d_X509_CRL_INFO(crl->crl, pp); -} void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg) @@ -433,4 +424,17 @@ return x->serialNumber; } #endif + +#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL +int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) { + crl->crl->enc.modified = 1; + return i2d_X509_CRL_INFO(crl->crl, pp); +} + +int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) +{ + req->req_info->enc.modified = 1; + return i2d_X509_REQ_INFO(req->req_info, pp); +} +#endif """ diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py index 58069eb1f6b1..612d8b9b20e9 100644 --- a/src/_cffi_src/openssl/x509_vfy.py +++ b/src/_cffi_src/openssl/x509_vfy.py 
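Review bot: The relocated `i2d_re_X509_CRL_tbs` and `i2d_re_X509_REQ_tbs` in x509.py write `crl->crl->enc.modified` and `req->req_info->enc.modified` directly, and the new guard compiles them for every LibreSSL version. That relies on LibreSSL keeping these structs non-opaque and never exporting functions with the same names, and neither assumption is recorded. These helpers produce the to-be-signed bytes that callers presumably feed into signature checks, so a short comment above the block would help, e.g. `/* Fallback for libraries without i2d_re_X509_{CRL,REQ}_tbs: mark the cached encoding as modified so the TBS bytes are re-encoded. */`. The two definitions also differ in brace placement (`{` on the signature line for the CRL variant, on its own line for the REQ variant), which is worth unifying while the code is being moved.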
@@ -257,6 +257,20 @@
 unsigned int) = NULL;
 #endif
+#if CRYPTOGRAPHY_OPENSSL_102_OR_GREATER && CRYPTOGRAPHY_IS_LIBRESSL
+static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
+/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
+ below because it shows up in some earlier 3rd party OpenSSL packages. */
+static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
+static const long X509_V_FLAG_SUITEB_192_LOS = 0;
+static const long X509_V_FLAG_SUITEB_128_LOS = 0;
+#endif
+
 /* OpenSSL 1.0.2+ or Solaris's backport */
 #ifdef X509_V_FLAG_PARTIAL_CHAIN
 static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 1;
@@ -297,7 +311,7 @@
 }
 #endif
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
 static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 0;
 typedef void *X509_STORE_CTX_get_issuer_fn;
 X509_STORE_CTX_get_issuer_fn (*X509_STORE_get_get_issuer)(X509_STORE *) = NULL;
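Review bot: The placeholder block added to x509_vfy.py defines the six `X509_V_ERR_SUITE_B_*` codes as 0, which is the value of `X509_V_OK`, and the three `X509_V_FLAG_SUITEB_*` flags as 0, which is a no-op when OR-ed into verification flags. If these names are exported to Python on LibreSSL 2.7+ (the export condition is outside this hunk), a caller that requests Suite B checking gets no enforcement and no error, and a verify result compared against one of the error constants matches success. The block should say so, e.g. `/* LibreSSL has no Suite B support: placeholders only, 0 == X509_V_OK, do not expose as usable values */`. Whichever Cryptography_HAS_* flag controls these names should also report 0 on LibreSSL.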