Begin building with BoringSSL in our CI, no tests yet

.github/workflows/build_openssl.sh

@@ -43,4 +43,21 @@ elif [[ "${TYPE}" == "libressl" ]]; then
   shlib_sed
   make -j"$(nproc)" install
   popd
+elif [[ "${TYPE}" == "boringssl" ]]; then
+  git clone https://boringssl.googlesource.com/boringssl
+  pushd boringssl
+  git checkout "${VERSION}"
+  mkdir build
+  pushd build
+  cmake .. -DCMAKE_POSITION_INDEPENDENT_CODE=ON
+  make -j"$(nproc)"
+  mkdir -p "${OSSL_PATH}/lib/"
+  mkdir -p "${OSSL_PATH}/include/"
+  mkdir -p "${OSSL_PATH}/bin/"
+  cp -r ../src/include/openssl "${OSSL_PATH}/include/"
+  cp libssl.a "${OSSL_PATH}/lib/"
+  cp libcrypto.a "${OSSL_PATH}/lib/"
+  cp bssl "${OSSL_PATH}/bin/openssl"
+  popd
+  popd
 fi

.github/workflows/ci.yml

@@ -41,6 +41,8 @@ jobs:
           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.3.5"}}
           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.4.1"}}
           - {VERSION: "3.10", TOXENV: "py310"}
+          # Latest commit on the main-with-bazel branch, as of October 11, 2021
+          - {VERSION: "3.10", TOXENV: "backend-import", OPENSSL: {TYPE: "boringssl", VERSION: "1285d5305ad69ceb519de76cd74e743aed1efd89"}}
         RUST:
           - stable
     name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.TOXARGS }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}"
@@ -113,6 +115,7 @@ jobs:
         env:
           TOXENV: ${{ matrix.PYTHON.TOXENV }}
           CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
+
       - uses: ./.github/actions/upload-coverage
         with:
           name: "tox -e ${{ matrix.PYTHON.TOXENV }} ${{ env.OSSL_INFO }}"

src/_cffi_src/openssl/bignum.py

@@ -8,6 +8,8 @@
 """
 
 TYPES = """
+static const long Cryptography_HAS_BN_FLAGS;
+
 typedef ... BN_CTX;
 typedef ... BN_MONT_CTX;
 typedef ... BIGNUM;
@@ -81,4 +83,13 @@
 """
 
 CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_IS_BORINGSSL
+static const long Cryptography_HAS_BN_FLAGS = 0;
+
+static const int BN_FLG_CONSTTIME = 0;
+void (*BN_set_flags)(BIGNUM *, int) = NULL;
+int (*BN_prime_checks_for_size)(int) = NULL;
+#else
+static const long Cryptography_HAS_BN_FLAGS = 1;
+#endif
 """

src/_cffi_src/openssl/err.py

@@ -54,4 +54,13 @@
 #if !CRYPTOGRAPHY_OPENSSL_111D_OR_GREATER || CRYPTOGRAPHY_IS_BORINGSSL
 static const int EVP_R_XTS_DUPLICATED_KEYS = 0;
 #endif
+
+#if CRYPTOGRAPHY_IS_BORINGSSL
+static const int ERR_LIB_PKCS12 = 0;
+static const int EVP_F_EVP_ENCRYPTFINAL_EX = 0;
+static const int EVP_R_BAD_DECRYPT = 0;
+static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH = 0;
+static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM = 0;
+static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR = 0;
+#endif
 """

src/_cffi_src/openssl/evp.py

@@ -37,6 +37,7 @@
 static const long Cryptography_HAS_RAW_KEY;
 static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF;
 static const long Cryptography_HAS_300_FIPS;
+static const long Cryptography_HAS_EVP_PKEY_DH;
 """
 
 FUNCTIONS = """
@@ -280,4 +281,11 @@
 int (*EVP_default_properties_is_fips_enabled)(OSSL_LIB_CTX *) = NULL;
 int (*EVP_default_properties_enable_fips)(OSSL_LIB_CTX *, int) = NULL;
 #endif
+
+#if CRYPTOGRAPHY_IS_BORINGSSL
+static const long Cryptography_HAS_EVP_PKEY_DH = 0;
+int (*EVP_PKEY_set1_DH)(EVP_PKEY *, DH *) = NULL;
+#else
+static const long Cryptography_HAS_EVP_PKEY_DH = 1;
+#endif
 """

src/_cffi_src/openssl/pkcs7.py

@@ -8,6 +8,8 @@
 """
 
 TYPES = """
+static const long Cryptography_HAS_PKCS7_FUNCS;
+
 typedef struct {
     Cryptography_STACK_OF_X509 *cert;
     Cryptography_STACK_OF_X509_CRL *crl;
@@ -80,4 +82,22 @@
 int PKCS7_type_is_data(PKCS7 *);
 """
 
-CUSTOMIZATIONS = ""
+CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_IS_BORINGSSL
+static const long Cryptography_HAS_PKCS7_FUNCS = 0;
+
+int (*SMIME_write_PKCS7)(BIO *, PKCS7 *, BIO *, int) = NULL;
+int (*PEM_write_bio_PKCS7_stream)(BIO *, PKCS7 *, BIO *, int) = NULL;
+PKCS7_SIGNER_INFO *(*PKCS7_sign_add_signer)(PKCS7 *, X509 *, EVP_PKEY *,
+                                            const EVP_MD *, int) = NULL;
+int (*PKCS7_final)(PKCS7 *, BIO *, int);
+int (*PKCS7_verify)(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *,
+                    BIO *, int) = NULL;
+PKCS7 *(*SMIME_read_PKCS7)(BIO *, BIO **) = NULL;
+Cryptography_STACK_OF_X509 *(*PKCS7_get0_signers)(PKCS7 *,
+                                                  Cryptography_STACK_OF_X509 *,
+                                                  int) = NULL;
+#else
+static const long Cryptography_HAS_PKCS7_FUNCS = 1;
+#endif
+"""

src/_cffi_src/openssl/ssl.py

@@ -25,6 +25,7 @@
 static const long Cryptography_HAS_KEYLOG;
 static const long Cryptography_HAS_GET_PROTO_VERSION;
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
+static const long Cryptography_HAS_SSL_COOKIE;
 
 /* Internally invented symbol to tell us if SSL_MODE_RELEASE_BUFFERS is
  * supported
@@ -726,4 +727,25 @@
 #else
 static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
 #endif
+
+#if CRYPTOGRAPHY_IS_BORINGSSL
+static const long Cryptography_HAS_SSL_COOKIE = 0;
+
+static const long SSL_OP_COOKIE_EXCHANGE = 0;
+int (*DTLSv1_listen)(SSL *, BIO_ADDR *) = NULL;
+void (*SSL_CTX_set_cookie_generate_cb)(SSL_CTX *,
+                                       int (*)(
+                                           SSL *,
+                                           unsigned char *,
+                                           unsigned int *
+                                       )) = NULL;
+void (*SSL_CTX_set_cookie_verify_cb)(SSL_CTX *,
+                                       int (*)(
+                                           SSL *,
+                                           const unsigned char *,
+                                           unsigned int
+                                       )) = NULL;
+#else
+static const long Cryptography_HAS_SSL_COOKIE = 1;
+#endif
 """

src/_cffi_src/openssl/x509_vfy.py

@@ -242,4 +242,8 @@
 #else
 static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1;
 #endif
+
+#if CRYPTOGRAPHY_IS_BORINGSSL
+static const long X509_V_FLAG_NO_CHECK_TIME = 0;
+#endif
 """

src/cryptography/hazmat/bindings/openssl/_conditional.py

@@ -259,6 +259,41 @@ def cryptography_has_300_fips():
     ]
 
 
+def cryptography_has_ssl_cookie():
+    return [
+        "SSL_OP_COOKIE_EXCHANGE",
+        "DTLSv1_listen",
+        "SSL_CTX_set_cookie_generate_cb",
+        "SSL_CTX_set_cookie_verify_cb",
+    ]
+
+
+def cryptography_has_pkcs7_funcs():
+    return [
+        "SMIME_write_PKCS7",
+        "PEM_write_bio_PKCS7_stream",
+        "PKCS7_sign_add_signer",
+        "PKCS7_final",
+        "PKCS7_verify",
+        "SMIME_read_PKCS7",
+        "PKCS7_get0_signers",
+    ]
+
+
+def cryptography_has_bn_flags():
+    return [
+        "BN_FLG_CONSTTIME",
+        "BN_set_flags",
+        "BN_prime_checks_for_size",
+    ]
+
+
+def cryptography_has_evp_pkey_dh():
+    return [
+        "EVP_PKEY_set1_DH",
+    ]
+
+
 # This is a mapping of
 # {condition: function-returning-names-dependent-on-that-condition} so we can
 # loop over them and delete unsupported names at runtime. It will be removed
@@ -311,4 +346,8 @@ def cryptography_has_300_fips():
     ),
     "Cryptography_HAS_DTLS_GET_DATA_MTU": cryptography_has_dtls_get_data_mtu,
     "Cryptography_HAS_300_FIPS": cryptography_has_300_fips,
+    "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie,
+    "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs,
+    "Cryptography_HAS_BN_FLAGS": cryptography_has_bn_flags,
+    "Cryptography_HAS_EVP_PKEY_DH": cryptography_has_evp_pkey_dh,
 }

tox.ini

@@ -23,6 +23,11 @@ commands =
     pip list
     pytest -n auto --capture=no --strict-markers --durations=10 {posargs} tests/
 
+[testenv:backend-import]
+basepython = python3
+commands:
+    coverage run -m cryptography.hazmat.backends.openssl.backend
+
 [testenv:docs]
 extras =
     docs