update to python3.7

lib/python3.7/site-packages/cryptography/hazmat/bindings/__init__.py

@@ -0,0 +1,5 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function

lib/python3.7/site-packages/cryptography/hazmat/bindings/openssl/__init__.py

@@ -0,0 +1,5 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function

lib/python3.7/site-packages/cryptography/hazmat/bindings/openssl/_conditional.py

@@ -0,0 +1,366 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+
+def cryptography_has_ec2m():
+    return [
+        "EC_POINT_set_affine_coordinates_GF2m",
+        "EC_POINT_get_affine_coordinates_GF2m",
+        "EC_POINT_set_compressed_coordinates_GF2m",
+    ]
+
+
+def cryptography_has_ec_1_0_2():
+    return [
+        "EC_curve_nid2nist",
+    ]
+
+
+def cryptography_has_set_ecdh_auto():
+    return [
+        "SSL_CTX_set_ecdh_auto",
+    ]
+
+
+def cryptography_has_rsa_r_pkcs_decoding_error():
+    return [
+        "RSA_R_PKCS_DECODING_ERROR"
+    ]
+
+
+def cryptography_has_rsa_oaep_md():
+    return [
+        "EVP_PKEY_CTX_set_rsa_oaep_md",
+    ]
+
+
+def cryptography_has_rsa_oaep_label():
+    return [
+        "EVP_PKEY_CTX_set0_rsa_oaep_label",
+    ]
+
+
+def cryptography_has_ssl3_method():
+    return [
+        "SSLv3_method",
+        "SSLv3_client_method",
+        "SSLv3_server_method",
+    ]
+
+
+def cryptography_has_alpn():
+    return [
+        "SSL_CTX_set_alpn_protos",
+        "SSL_set_alpn_protos",
+        "SSL_CTX_set_alpn_select_cb",
+        "SSL_get0_alpn_selected",
+    ]
+
+
+def cryptography_has_compression():
+    return [
+        "SSL_get_current_compression",
+        "SSL_get_current_expansion",
+        "SSL_COMP_get_name",
+    ]
+
+
+def cryptography_has_get_server_tmp_key():
+    return [
+        "SSL_get_server_tmp_key",
+    ]
+
+
+def cryptography_has_102_verification_error_codes():
+    return [
+        'X509_V_ERR_SUITE_B_INVALID_VERSION',
+        'X509_V_ERR_SUITE_B_INVALID_ALGORITHM',
+        'X509_V_ERR_SUITE_B_INVALID_CURVE',
+        'X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM',
+        'X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED',
+        'X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256',
+        'X509_V_ERR_HOSTNAME_MISMATCH',
+        'X509_V_ERR_EMAIL_MISMATCH',
+        'X509_V_ERR_IP_ADDRESS_MISMATCH'
+    ]
+
+
+def cryptography_has_102_verification_params():
+    return [
+        "X509_V_FLAG_SUITEB_128_LOS_ONLY",
+        "X509_V_FLAG_SUITEB_192_LOS",
+        "X509_V_FLAG_SUITEB_128_LOS",
+        "X509_VERIFY_PARAM_set1_host",
+        "X509_VERIFY_PARAM_set1_email",
+        "X509_VERIFY_PARAM_set1_ip",
+        "X509_VERIFY_PARAM_set1_ip_asc",
+        "X509_VERIFY_PARAM_set_hostflags",
+        "SSL_get0_param",
+        "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT",
+        "X509_CHECK_FLAG_NO_WILDCARDS",
+        "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS",
+        "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS",
+        "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS"
+    ]
+
+
+def cryptography_has_110_verification_params():
+    return [
+        "X509_CHECK_FLAG_NEVER_CHECK_SUBJECT"
+    ]
+
+
+def cryptography_has_x509_v_flag_trusted_first():
+    return [
+        "X509_V_FLAG_TRUSTED_FIRST",
+    ]
+
+
+def cryptography_has_x509_v_flag_partial_chain():
+    return [
+        "X509_V_FLAG_PARTIAL_CHAIN",
+    ]
+
+
+def cryptography_has_set_cert_cb():
+    return [
+        "SSL_CTX_set_cert_cb",
+        "SSL_set_cert_cb",
+    ]
+
+
+def cryptography_has_ssl_st():
+    return [
+        "SSL_ST_BEFORE",
+        "SSL_ST_OK",
+        "SSL_ST_INIT",
+        "SSL_ST_RENEGOTIATE",
+    ]
+
+
+def cryptography_has_tls_st():
+    return [
+        "TLS_ST_BEFORE",
+        "TLS_ST_OK",
+    ]
+
+
+def cryptography_has_locking_callbacks():
+    return [
+        "CRYPTO_LOCK",
+        "CRYPTO_UNLOCK",
+        "CRYPTO_READ",
+        "CRYPTO_LOCK_SSL",
+        "CRYPTO_lock",
+        "Cryptography_setup_ssl_threads",
+    ]
+
+
+def cryptography_has_scrypt():
+    return [
+        "EVP_PBE_scrypt",
+    ]
+
+
+def cryptography_has_generic_dtls_method():
+    return [
+        "DTLS_method",
+        "DTLS_server_method",
+        "DTLS_client_method",
+        "SSL_OP_NO_DTLSv1",
+        "SSL_OP_NO_DTLSv1_2",
+        "DTLS_set_link_mtu",
+        "DTLS_get_link_min_mtu",
+    ]
+
+
+def cryptography_has_evp_pkey_dhx():
+    return [
+        "EVP_PKEY_DHX",
+    ]
+
+
+def cryptography_has_mem_functions():
+    return [
+        "Cryptography_CRYPTO_set_mem_functions",
+    ]
+
+
+def cryptography_has_sct():
+    return [
+        "SCT_get_version",
+        "SCT_get_log_entry_type",
+        "SCT_get0_log_id",
+        "SCT_get0_signature",
+        "SCT_get_timestamp",
+        "SCT_set_source",
+        "sk_SCT_num",
+        "sk_SCT_value",
+        "SCT_LIST_free",
+        "sk_SCT_push",
+        "sk_SCT_new_null",
+        "SCT_new",
+        "SCT_set1_log_id",
+        "SCT_set_timestamp",
+        "SCT_set_version",
+        "SCT_set_log_entry_type",
+    ]
+
+
+def cryptography_has_x509_store_ctx_get_issuer():
+    return [
+        "X509_STORE_get_get_issuer",
+        "X509_STORE_set_get_issuer",
+    ]
+
+
+def cryptography_has_x25519():
+    return [
+        "EVP_PKEY_X25519",
+        "NID_X25519",
+    ]
+
+
+def cryptography_has_ed25519():
+    return [
+        "NID_ED25519",
+    ]
+
+
+def cryptography_has_oneshot_evp_digest_sign_verify():
+    return [
+        "EVP_DigestSign",
+        "EVP_DigestVerify",
+    ]
+
+
+def cryptography_has_evp_pkey_get_set_tls_encodedpoint():
+    return [
+        "EVP_PKEY_get1_tls_encodedpoint",
+        "EVP_PKEY_set1_tls_encodedpoint",
+    ]
+
+
+def cryptography_has_fips():
+    return [
+        "FIPS_set_mode",
+        "FIPS_mode",
+    ]
+
+
+def cryptography_has_ssl_sigalgs():
+    return [
+        "SSL_CTX_set1_sigalgs_list",
+        "SSL_get_sigalgs",
+    ]
+
+
+def cryptography_has_psk():
+    return [
+        "SSL_CTX_use_psk_identity_hint",
+        "SSL_CTX_set_psk_server_callback",
+        "SSL_CTX_set_psk_client_callback",
+    ]
+
+
+def cryptography_has_custom_ext():
+    return [
+        "SSL_CTX_add_client_custom_ext",
+        "SSL_CTX_add_server_custom_ext",
+        "SSL_extension_supported",
+    ]
+
+
+def cryptography_has_openssl_cleanup():
+    return [
+        "OPENSSL_cleanup",
+    ]
+
+
+def cryptography_has_cipher_details():
+    return [
+        "SSL_CIPHER_is_aead",
+        "SSL_CIPHER_get_cipher_nid",
+        "SSL_CIPHER_get_digest_nid",
+        "SSL_CIPHER_get_kx_nid",
+        "SSL_CIPHER_get_auth_nid",
+    ]
+
+
+def cryptography_has_tlsv13():
+    return [
+        "SSL_OP_NO_TLSv1_3",
+        "SSL_VERIFY_POST_HANDSHAKE",
+        "SSL_CTX_set_ciphersuites",
+        "SSL_verify_client_post_handshake",
+        "SSL_CTX_set_post_handshake_auth",
+        "SSL_set_post_handshake_auth",
+    ]
+
+
+# This is a mapping of
+# {condition: function-returning-names-dependent-on-that-condition} so we can
+# loop over them and delete unsupported names at runtime. It will be removed
+# when cffi supports #if in cdef. We use functions instead of just a dict of
+# lists so we can use coverage to measure which are used.
+CONDITIONAL_NAMES = {
+    "Cryptography_HAS_EC2M": cryptography_has_ec2m,
+    "Cryptography_HAS_EC_1_0_2": cryptography_has_ec_1_0_2,
+    "Cryptography_HAS_SET_ECDH_AUTO": cryptography_has_set_ecdh_auto,
+    "Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": (
+        cryptography_has_rsa_r_pkcs_decoding_error
+    ),
+    "Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md,
+    "Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label,
+    "Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method,
+    "Cryptography_HAS_ALPN": cryptography_has_alpn,
+    "Cryptography_HAS_COMPRESSION": cryptography_has_compression,
+    "Cryptography_HAS_GET_SERVER_TMP_KEY": cryptography_has_get_server_tmp_key,
+    "Cryptography_HAS_102_VERIFICATION_ERROR_CODES": (
+        cryptography_has_102_verification_error_codes
+    ),
+    "Cryptography_HAS_102_VERIFICATION_PARAMS": (
+        cryptography_has_102_verification_params
+    ),
+    "Cryptography_HAS_110_VERIFICATION_PARAMS": (
+        cryptography_has_110_verification_params
+    ),
+    "Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST": (
+        cryptography_has_x509_v_flag_trusted_first
+    ),
+    "Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN": (
+        cryptography_has_x509_v_flag_partial_chain
+    ),
+    "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb,
+    "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st,
+    "Cryptography_HAS_TLS_ST": cryptography_has_tls_st,
+    "Cryptography_HAS_LOCKING_CALLBACKS": cryptography_has_locking_callbacks,
+    "Cryptography_HAS_SCRYPT": cryptography_has_scrypt,
+    "Cryptography_HAS_GENERIC_DTLS_METHOD": (
+        cryptography_has_generic_dtls_method
+    ),
+    "Cryptography_HAS_EVP_PKEY_DHX": cryptography_has_evp_pkey_dhx,
+    "Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions,
+    "Cryptography_HAS_SCT": cryptography_has_sct,
+    "Cryptography_HAS_X509_STORE_CTX_GET_ISSUER": (
+        cryptography_has_x509_store_ctx_get_issuer
+    ),
+    "Cryptography_HAS_X25519": cryptography_has_x25519,
+    "Cryptography_HAS_ED25519": cryptography_has_ed25519,
+    "Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY": (
+        cryptography_has_oneshot_evp_digest_sign_verify
+    ),
+    "Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint": (
+        cryptography_has_evp_pkey_get_set_tls_encodedpoint
+    ),
+    "Cryptography_HAS_FIPS": cryptography_has_fips,
+    "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs,
+    "Cryptography_HAS_PSK": cryptography_has_psk,
+    "Cryptography_HAS_CUSTOM_EXT": cryptography_has_custom_ext,
+    "Cryptography_HAS_OPENSSL_CLEANUP": cryptography_has_openssl_cleanup,
+    "Cryptography_HAS_CIPHER_DETAILS": cryptography_has_cipher_details,
+    "Cryptography_HAS_TLSv1_3": cryptography_has_tlsv13,
+}

lib/python3.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py

@@ -0,0 +1,174 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import collections
+import threading
+import types
+import warnings
+
+from cryptography import utils
+from cryptography.exceptions import InternalError
+from cryptography.hazmat.bindings._openssl import ffi, lib
+from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
+
+_OpenSSLErrorWithText = collections.namedtuple(
+    "_OpenSSLErrorWithText", ["code", "lib", "func", "reason", "reason_text"]
+)
+
+
+class _OpenSSLError(object):
+    def __init__(self, code, lib, func, reason):
+        self._code = code
+        self._lib = lib
+        self._func = func
+        self._reason = reason
+
+    def _lib_reason_match(self, lib, reason):
+        return lib == self.lib and reason == self.reason
+
+    code = utils.read_only_property("_code")
+    lib = utils.read_only_property("_lib")
+    func = utils.read_only_property("_func")
+    reason = utils.read_only_property("_reason")
+
+
+def _consume_errors(lib):
+    errors = []
+    while True:
+        code = lib.ERR_get_error()
+        if code == 0:
+            break
+
+        err_lib = lib.ERR_GET_LIB(code)
+        err_func = lib.ERR_GET_FUNC(code)
+        err_reason = lib.ERR_GET_REASON(code)
+
+        errors.append(_OpenSSLError(code, err_lib, err_func, err_reason))
+
+    return errors
+
+
+def _openssl_assert(lib, ok):
+    if not ok:
+        errors = _consume_errors(lib)
+        errors_with_text = []
+        for err in errors:
+            buf = ffi.new("char[]", 256)
+            lib.ERR_error_string_n(err.code, buf, len(buf))
+            err_text_reason = ffi.string(buf)
+
+            errors_with_text.append(
+                _OpenSSLErrorWithText(
+                    err.code, err.lib, err.func, err.reason, err_text_reason
+                )
+            )
+
+        raise InternalError(
+            "Unknown OpenSSL error. This error is commonly encountered when "
+            "another library is not cleaning up the OpenSSL error stack. If "
+            "you are using cryptography with another library that uses "
+            "OpenSSL try disabling it before reporting a bug. Otherwise "
+            "please file an issue at https://github.com/pyca/cryptography/"
+            "issues with information on how to reproduce "
+            "this. ({0!r})".format(errors_with_text),
+            errors_with_text
+        )
+
+
+def build_conditional_library(lib, conditional_names):
+    conditional_lib = types.ModuleType("lib")
+    conditional_lib._original_lib = lib
+    excluded_names = set()
+    for condition, names_cb in conditional_names.items():
+        if not getattr(lib, condition):
+            excluded_names.update(names_cb())
+
+    for attr in dir(lib):
+        if attr not in excluded_names:
+            setattr(conditional_lib, attr, getattr(lib, attr))
+
+    return conditional_lib
+
+
+class Binding(object):
+    """
+    OpenSSL API wrapper.
+    """
+    lib = None
+    ffi = ffi
+    _lib_loaded = False
+    _init_lock = threading.Lock()
+    _lock_init_lock = threading.Lock()
+
+    def __init__(self):
+        self._ensure_ffi_initialized()
+
+    @classmethod
+    def _register_osrandom_engine(cls):
+        # Clear any errors extant in the queue before we start. In many
+        # scenarios other things may be interacting with OpenSSL in the same
+        # process space and it has proven untenable to assume that they will
+        # reliably clear the error queue. Once we clear it here we will
+        # error on any subsequent unexpected item in the stack.
+        cls.lib.ERR_clear_error()
+        cls._osrandom_engine_id = cls.lib.Cryptography_osrandom_engine_id
+        cls._osrandom_engine_name = cls.lib.Cryptography_osrandom_engine_name
+        result = cls.lib.Cryptography_add_osrandom_engine()
+        _openssl_assert(cls.lib, result in (1, 2))
+
+    @classmethod
+    def _ensure_ffi_initialized(cls):
+        with cls._init_lock:
+            if not cls._lib_loaded:
+                cls.lib = build_conditional_library(lib, CONDITIONAL_NAMES)
+                cls._lib_loaded = True
+                # initialize the SSL library
+                cls.lib.SSL_library_init()
+                # adds all ciphers/digests for EVP
+                cls.lib.OpenSSL_add_all_algorithms()
+                # loads error strings for libcrypto and libssl functions
+                cls.lib.SSL_load_error_strings()
+                cls._register_osrandom_engine()
+
+    @classmethod
+    def init_static_locks(cls):
+        with cls._lock_init_lock:
+            cls._ensure_ffi_initialized()
+            # Use Python's implementation if available, importing _ssl triggers
+            # the setup for this.
+            __import__("_ssl")
+
+            if (not cls.lib.Cryptography_HAS_LOCKING_CALLBACKS or
+                    cls.lib.CRYPTO_get_locking_callback() != cls.ffi.NULL):
+                return
+
+            # If nothing else has setup a locking callback already, we set up
+            # our own
+            res = lib.Cryptography_setup_ssl_threads()
+            _openssl_assert(cls.lib, res == 1)
+
+
+def _verify_openssl_version(lib):
+    if (
+        lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
+        not lib.CRYPTOGRAPHY_IS_LIBRESSL
+    ):
+        warnings.warn(
+            "OpenSSL version 1.0.1 is no longer supported by the OpenSSL "
+            "project, please upgrade. A future version of cryptography will "
+            "drop support for it.",
+            utils.CryptographyDeprecationWarning
+        )
+
+
+# OpenSSL is not thread safe until the locks are initialized. We call this
+# method in module scope so that it executes with the import lock. On
+# Pythons < 3.4 this import lock is a global lock, which can prevent a race
+# condition registering the OpenSSL locks. On Python 3.4+ the import lock
+# is per module so this approach will not work.
+Binding.init_static_locks()
+
+_verify_openssl_version(Binding.lib)