From fc8c29dd00c6e18be331a10ac90c0ccc55f07f81 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 10 Jul 2020 21:13:46 -0400 Subject: [PATCH 1/7] Attempt to build against BoringSSL in CI --- .github/workflows/build_openssl.sh | 17 +++++++++++++++++ .github/workflows/ci.yml | 3 +++ tox.ini | 5 +++++ 3 files changed, 25 insertions(+) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index 440cdcecc69f..6b5ee79960de 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh @@ -43,4 +43,21 @@ elif [[ "${TYPE}" == "libressl" ]]; then shlib_sed make -j"$(nproc)" install popd +elif [[ "${TYPE}" == "boringssl" ]]; then + git clone https://boringssl.googlesource.com/boringssl + pushd boringssl + git checkout "${VERSION}" + mkdir build + pushd build + cmake .. -DCMAKE_POSITION_INDEPENDENT_CODE=ON + make -j"$(nproc)" + mkdir -p "${OSSL_PATH}/lib/" + mkdir -p "${OSSL_PATH}/include/" + mkdir -p "${OSSL_PATH}/bin/" + cp -r ../src/include/openssl "${OSSL_PATH}/include/" + cp libssl.a "${OSSL_PATH}/lib/" + cp libcrypto.a "${OSSL_PATH}/lib/" + cp bssl "${OSSL_PATH}/bin/openssl" + popd + popd fi diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 07139624e146..7e112ed9ff4b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,6 +41,8 @@ jobs: - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.3.5"}} - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.4.1"}} - {VERSION: "3.10", TOXENV: "py310"} + # Latest commit on the main-with-bazel branch, as of October 11, 2021 + - {VERSION: "3.10", TOXENV: "backend-import", OPENSSL: {TYPE: "boringssl", VERSION: "1285d5305ad69ceb519de76cd74e743aed1efd89"}} RUST: - stable name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.TOXARGS }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}" @@ -113,6 +115,7 @@ jobs: env: TOXENV: ${{ matrix.PYTHON.TOXENV }} CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} + - uses: ./.github/actions/upload-coverage with: name: "tox -e ${{ matrix.PYTHON.TOXENV }} ${{ env.OSSL_INFO }}" diff --git a/tox.ini b/tox.ini index bba8d7d7891e..9fde3290a136 100644 --- a/tox.ini +++ b/tox.ini @@ -23,6 +23,11 @@ commands = pip list pytest -n auto --capture=no --strict-markers --durations=10 {posargs} tests/ +[testenv:backend-import] +basepython = python3 +commands: + coverage run -m cryptography.hazmat.backends.openssl.backend + [testenv:docs] extras = docs From 7d99a7a1341cf805b2394f292f977968ad31a0b4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 11 Oct 2021 20:28:43 -0400 Subject: [PATCH 2/7] Check for BoringSSL in the SSL bindings --- src/_cffi_src/openssl/ssl.py | 22 +++++++++++++++++++ .../hazmat/bindings/openssl/_conditional.py | 10 +++++++++ 2 files changed, 32 insertions(+) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index f4408b0cca60..9caa2a07f5f8 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -25,6 +25,7 @@ static const long Cryptography_HAS_KEYLOG; static const long Cryptography_HAS_GET_PROTO_VERSION; static const long Cryptography_HAS_TLSEXT_HOSTNAME; +static const long Cryptography_HAS_SSL_COOKIE; /* Internally invented symbol to tell us if SSL_MODE_RELEASE_BUFFERS is * supported @@ -726,4 +727,25 @@ #else static const long Cryptography_HAS_GET_PROTO_VERSION = 1; #endif + +#if CRYPTOGRAPHY_IS_BORINGSSL +static const long Cryptography_HAS_SSL_COOKIE = 0; + +static const long SSL_OP_COOKIE_EXCHANGE = 0; +int (*DTLSv1_listen)(SSL *, BIO_ADDR *) = NULL; +void (*SSL_CTX_set_cookie_generate_cb)(SSL_CTX *, + int (*)( + SSL *, + unsigned char *, + unsigned int * + )) = NULL; +void (*SSL_CTX_set_cookie_verify_cb)(SSL_CTX *, + int (*)( + SSL *, + const unsigned char *, + unsigned int + )) = NULL; +#else +static const long Cryptography_HAS_SSL_COOKIE = 1; +#endif """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 4e43f15d2fef..3f847aad382b 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -259,6 +259,15 @@ def cryptography_has_300_fips(): ] +def cryptography_has_ssl_cookie(): + return [ + "SSL_OP_COOKIE_EXCHANGE", + "DTLSv1_listen", + "SSL_CTX_set_cookie_generate_cb", + "SSL_CTX_set_cookie_verify_cb", + ] + + # This is a mapping of # {condition: function-returning-names-dependent-on-that-condition} so we can # loop over them and delete unsupported names at runtime. It will be removed @@ -311,4 +320,5 @@ def cryptography_has_300_fips(): ), "Cryptography_HAS_DTLS_GET_DATA_MTU": cryptography_has_dtls_get_data_mtu, "Cryptography_HAS_300_FIPS": cryptography_has_300_fips, + "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, } From 6c3b3676ce678a632416b07e93f3ce3974d1ce60 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Oct 2021 13:58:35 -0400 Subject: [PATCH 3/7] Check for BoringSSL in the err bindings --- src/_cffi_src/openssl/err.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py index c11e5c4828bc..a913d9493f4d 100644 --- a/src/_cffi_src/openssl/err.py +++ b/src/_cffi_src/openssl/err.py @@ -54,4 +54,13 @@ #if !CRYPTOGRAPHY_OPENSSL_111D_OR_GREATER || CRYPTOGRAPHY_IS_BORINGSSL static const int EVP_R_XTS_DUPLICATED_KEYS = 0; #endif + +#if CRYPTOGRAPHY_IS_BORINGSSL +static const int ERR_LIB_PKCS12 = 0; +static const int EVP_F_EVP_ENCRYPTFINAL_EX = 0; +static const int EVP_R_BAD_DECRYPT = 0; +static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH = 0; +static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM = 0; +static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR = 0; +#endif """ From 13d46c80b89a18c9683b20dc818283a44913572c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Oct 2021 14:04:43 -0400 Subject: [PATCH 4/7] Check for BoringSSL in the pkcs7 bindings --- src/_cffi_src/openssl/pkcs7.py | 22 ++++++++++++++++++- .../hazmat/bindings/openssl/_conditional.py | 12 ++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/src/_cffi_src/openssl/pkcs7.py b/src/_cffi_src/openssl/pkcs7.py index b58b293a5c0c..c802facf81ae 100644 --- a/src/_cffi_src/openssl/pkcs7.py +++ b/src/_cffi_src/openssl/pkcs7.py @@ -8,6 +8,8 @@ """ TYPES = """ +static const long Cryptography_HAS_PKCS7_FUNCS; + typedef struct { Cryptography_STACK_OF_X509 *cert; Cryptography_STACK_OF_X509_CRL *crl; @@ -80,4 +82,22 @@ int PKCS7_type_is_data(PKCS7 *); """ -CUSTOMIZATIONS = "" +CUSTOMIZATIONS = """ +#if CRYPTOGRAPHY_IS_BORINGSSL +static const long Cryptography_HAS_PKCS7_FUNCS = 0; + +int (*SMIME_write_PKCS7)(BIO *, PKCS7 *, BIO *, int) = NULL; +int (*PEM_write_bio_PKCS7_stream)(BIO *, PKCS7 *, BIO *, int) = NULL; +PKCS7_SIGNER_INFO *(*PKCS7_sign_add_signer)(PKCS7 *, X509 *, EVP_PKEY *, + const EVP_MD *, int) = NULL; +int (*PKCS7_final)(PKCS7 *, BIO *, int); +int (*PKCS7_verify)(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *, + BIO *, int) = NULL; +PKCS7 *(*SMIME_read_PKCS7)(BIO *, BIO **) = NULL; +Cryptography_STACK_OF_X509 *(*PKCS7_get0_signers)(PKCS7 *, + Cryptography_STACK_OF_X509 *, + int) = NULL; +#else +static const long Cryptography_HAS_PKCS7_FUNCS = 1; +#endif +""" diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 3f847aad382b..6776f4994a81 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -268,6 +268,17 @@ def cryptography_has_ssl_cookie(): ] +def cryptography_has_pkcs7_funcs(): + return [ + "SMIME_write_PKCS7", + "PEM_write_bio_PKCS7_stream", + "PKCS7_sign_add_signer", + "PKCS7_final", + "PKCS7_verify", + "SMIME_read_PKCS7", + "PKCS7_get0_signers", + ] + # This is a mapping of # {condition: function-returning-names-dependent-on-that-condition} so we can # loop over them and delete unsupported names at runtime. It will be removed @@ -321,4 +332,5 @@ def cryptography_has_ssl_cookie(): "Cryptography_HAS_DTLS_GET_DATA_MTU": cryptography_has_dtls_get_data_mtu, "Cryptography_HAS_300_FIPS": cryptography_has_300_fips, "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, + "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, } From b68f0dcb80adc9e88c338da71fd074fc37d09f24 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Oct 2021 14:12:13 -0400 Subject: [PATCH 5/7] Check for BoringSSL in the bignum bindings --- src/_cffi_src/openssl/bignum.py | 11 +++++++++++ .../hazmat/bindings/openssl/_conditional.py | 10 ++++++++++ 2 files changed, 21 insertions(+) diff --git a/src/_cffi_src/openssl/bignum.py b/src/_cffi_src/openssl/bignum.py index fdfd835e3d18..d724dee74721 100644 --- a/src/_cffi_src/openssl/bignum.py +++ b/src/_cffi_src/openssl/bignum.py @@ -8,6 +8,8 @@ """ TYPES = """ +static const long Cryptography_HAS_BN_FLAGS; + typedef ... BN_CTX; typedef ... BN_MONT_CTX; typedef ... BIGNUM; @@ -81,4 +83,13 @@ """ CUSTOMIZATIONS = """ +#if CRYPTOGRAPHY_IS_BORINGSSL +static const long Cryptography_HAS_BN_FLAGS = 0; + +static const int BN_FLG_CONSTTIME = 0; +void (*BN_set_flags)(BIGNUM *, int) = NULL; +int (*BN_prime_checks_for_size)(int) = NULL; +#else +static const long Cryptography_HAS_BN_FLAGS = 1; +#endif """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 6776f4994a81..cbdb1ae8182b 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -279,6 +279,15 @@ def cryptography_has_pkcs7_funcs(): "PKCS7_get0_signers", ] + +def cryptography_has_bn_flags(): + return [ + "BN_FLG_CONSTTIME", + "BN_set_flags", + "BN_prime_checks_for_size", + ] + + # This is a mapping of # {condition: function-returning-names-dependent-on-that-condition} so we can # loop over them and delete unsupported names at runtime. It will be removed @@ -333,4 +342,5 @@ def cryptography_has_pkcs7_funcs(): "Cryptography_HAS_300_FIPS": cryptography_has_300_fips, "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, + "Cryptography_HAS_BN_FLAGS": cryptography_has_bn_flags, } From 1f9979044970226332ba4537d388bc9c6fc91bda Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Oct 2021 14:44:31 -0400 Subject: [PATCH 6/7] Check for BoringSSL in the EVP bindings --- src/_cffi_src/openssl/evp.py | 8 ++++++++ src/cryptography/hazmat/bindings/openssl/_conditional.py | 7 +++++++ 2 files changed, 15 insertions(+) diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 425c817d35c4..ad7a0e71abcb 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -37,6 +37,7 @@ static const long Cryptography_HAS_RAW_KEY; static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF; static const long Cryptography_HAS_300_FIPS; +static const long Cryptography_HAS_EVP_PKEY_DH; """ FUNCTIONS = """ @@ -280,4 +281,11 @@ int (*EVP_default_properties_is_fips_enabled)(OSSL_LIB_CTX *) = NULL; int (*EVP_default_properties_enable_fips)(OSSL_LIB_CTX *, int) = NULL; #endif + +#if CRYPTOGRAPHY_IS_BORINGSSL +static const long Cryptography_HAS_EVP_PKEY_DH = 0; +int (*EVP_PKEY_set1_DH)(EVP_PKEY *, DH *) = NULL; +#else +static const long Cryptography_HAS_EVP_PKEY_DH = 1; +#endif """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index cbdb1ae8182b..98a3d836a904 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -288,6 +288,12 @@ def cryptography_has_bn_flags(): ] +def cryptography_has_evp_pkey_dh(): + return [ + "EVP_PKEY_set1_DH", + ] + + # This is a mapping of # {condition: function-returning-names-dependent-on-that-condition} so we can # loop over them and delete unsupported names at runtime. It will be removed @@ -343,4 +349,5 @@ def cryptography_has_bn_flags(): "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, "Cryptography_HAS_BN_FLAGS": cryptography_has_bn_flags, + "Cryptography_HAS_EVP_PKEY_DH": cryptography_has_evp_pkey_dh, } From 417606fe0fe3f28e61d1ab675cbea0d30d57f398 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Oct 2021 14:51:00 -0400 Subject: [PATCH 7/7] Check for BoringSSL in the X.509 verify bindings --- src/_cffi_src/openssl/x509_vfy.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py index 2487c999de9c..6a52c2de980a 100644 --- a/src/_cffi_src/openssl/x509_vfy.py +++ b/src/_cffi_src/openssl/x509_vfy.py @@ -242,4 +242,8 @@ #else static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1; #endif + +#if CRYPTOGRAPHY_IS_BORINGSSL +static const long X509_V_FLAG_NO_CHECK_TIME = 0; +#endif """