LibreSSL support

CHANGELOG.rst

@@ -68,6 +68,7 @@ Changelog
   :mod:`~cryptography.hazmat.primitives.asymmetric.rsa`.
 * Added support for parsing X.509 names. See the
   :doc:`X.509 documentation</x509>` for more information.
+* Fixed building against LibreSSL, a compile-time substitute for OpenSSL.
 
 0.7.2 - 2015-01-16
 ~~~~~~~~~~~~~~~~~~

src/cryptography/hazmat/bindings/openssl/engine.py

@@ -9,6 +9,8 @@
 """
 
 TYPES = """
+static const long Cryptography_HAS_ENGINE_CRYPTODEV;
+
 typedef ... ENGINE;
 typedef ... RSA_METHOD;
 typedef ... DSA_METHOD;
@@ -49,7 +51,6 @@
 int ENGINE_finish(ENGINE *);
 void ENGINE_load_openssl(void);
 void ENGINE_load_dynamic(void);
-void ENGINE_load_cryptodev(void);
 void ENGINE_load_builtin_engines(void);
 void ENGINE_cleanup(void);
 ENGINE *ENGINE_get_default_RSA(void);
@@ -148,9 +149,20 @@
 """
 
 MACROS = """
+void ENGINE_load_cryptodev(void);
 """
 
 CUSTOMIZATIONS = """
+#if defined(LIBRESSL_VERSION_NUMBER)
+static const long Cryptography_HAS_ENGINE_CRYPTODEV = 0;
+void (*ENGINE_load_cryptodev)(void) = NULL;
+#else
+static const long Cryptography_HAS_ENGINE_CRYPTODEV = 1;
+#endif
 """
 
-CONDITIONAL_NAMES = {}
+CONDITIONAL_NAMES = {
+    "Cryptography_HAS_ENGINE_CRYPTODEV": [
+        "ENGINE_load_cryptodev"
+    ]
+}

src/cryptography/hazmat/bindings/openssl/rand.py

@@ -9,16 +9,14 @@
 """
 
 TYPES = """
+static const long Cryptography_HAS_EGD;
 """
 
 FUNCTIONS = """
 void ERR_load_RAND_strings(void);
 void RAND_seed(const void *, int);
 void RAND_add(const void *, int, double);
 int RAND_status(void);
-int RAND_egd(const char *);
-int RAND_egd_bytes(const char *, int);
-int RAND_query_egd_bytes(const char *, unsigned char *, int);
 const char *RAND_file_name(char *, size_t);
 int RAND_load_file(const char *, long);
 int RAND_write_file(const char *);
@@ -28,9 +26,26 @@
 """
 
 MACROS = """
+int RAND_egd(const char *);
+int RAND_egd_bytes(const char *, int);
+int RAND_query_egd_bytes(const char *, unsigned char *, int);
 """
 
 CUSTOMIZATIONS = """
+#if defined(LIBRESSL_VERSION_NUMBER)
+static const long Cryptography_HAS_EGD = 0;
+int (*RAND_egd)(const char *) = NULL;
+int (*RAND_egd_bytes)(const char *, int) = NULL;
+int (*RAND_query_egd_bytes)(const char *, unsigned char *, int) = NULL;
+#else
+static const long Cryptography_HAS_EGD = 1;
+#endif
 """
 
-CONDITIONAL_NAMES = {}
+CONDITIONAL_NAMES = {
+    "Cryptography_HAS_EGD": [
+        "RAND_egd",
+        "RAND_egd_bytes",
+        "RAND_query_egd_bytes",
+    ]
+}

src/cryptography/hazmat/bindings/openssl/ssl.py

@@ -19,6 +19,7 @@
 static const long Cryptography_HAS_TLSv1_1;
 static const long Cryptography_HAS_TLSv1_2;
 static const long Cryptography_HAS_SECURE_RENEGOTIATION;
+static const long Cryptography_HAS_COMPRESSION;
 
 /* Internally invented symbol to tell us if SNI is supported */
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -189,10 +190,6 @@
 const char *SSL_get_cipher_list(const SSL *, int);
 Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *);
 
-const COMP_METHOD *SSL_get_current_compression(SSL *);
-const COMP_METHOD *SSL_get_current_expansion(SSL *);
-const char *SSL_COMP_get_name(const COMP_METHOD *);
-
 /*  context */
 void SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *, long);
@@ -232,6 +229,11 @@
 """
 
 MACROS = """
+/* not macros, but will be conditionally bound so can't live in functions */
+const COMP_METHOD *SSL_get_current_compression(SSL *);
+const COMP_METHOD *SSL_get_current_expansion(SSL *);
+const char *SSL_COMP_get_name(const COMP_METHOD *);
+
 unsigned long SSL_set_mode(SSL *, unsigned long);
 unsigned long SSL_get_mode(SSL *);
 
@@ -544,6 +546,17 @@
 #else
 static const long Cryptography_HAS_ALPN = 1;
 #endif
+/* LibreSSL has removed support for compression, and with it the
+ * COMP_METHOD use in ssl.h. This is a hack to make the function types
+ * in this code match those in ssl.h.
+ */
+#ifdef LIBRESSL_VERSION_NUMBER
+static const long Cryptography_HAS_COMPRESSION = 0;
+typedef void COMP_METHOD;
+#else
+static const long Cryptography_HAS_COMPRESSION = 1;
+#endif
+
 """
 
 CONDITIONAL_NAMES = {
@@ -626,5 +639,11 @@
         "SSL_set_alpn_protos",
         "SSL_CTX_set_alpn_select_cb",
         "SSL_get0_alpn_selected",
+    ],
+
+    "Cryptography_HAS_COMPRESSION": [
+        "SSL_get_current_compression",
+        "SSL_get_current_expansion",
+        "SSL_COMP_get_name",
     ]
 }

src/cryptography/hazmat/bindings/openssl/x509_vfy.py

@@ -191,7 +191,7 @@
 
 CUSTOMIZATIONS = """
 /* OpenSSL 1.0.2+ verification error codes */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
 static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 1;
 #else
 static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0;
@@ -207,7 +207,7 @@
 #endif
 
 /* OpenSSL 1.0.2+ verification parameters */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
 static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
 #else
 static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0;

tests/hazmat/backends/test_openssl.py

@@ -71,10 +71,13 @@ def test_openssl_version_text(self):
 
         Unfortunately, this define does not appear to have a
         formal content definition, so for now we'll test to see
-        if it starts with OpenSSL as that appears to be true
-        for every OpenSSL.
+        if it starts with OpenSSL or LibreSSL as that appears
+        to be true for every OpenSSL-alike.
         """
-        assert backend.openssl_version_text().startswith("OpenSSL")
+        assert (
+            backend.openssl_version_text().startswith("OpenSSL") or
+            backend.openssl_version_text().startswith("LibreSSL")
+        )
 
     def test_supports_cipher(self):
         assert backend.cipher_supported(None, None) is False