From 9731d8a4bb7ee2cc8554eaf133bb85498a4c7d80 Mon Sep 17 00:00:00 2001
From: maxim-yurchuk <maxim-yurchuk@yandex-team.com>
Date: Wed, 9 Oct 2024 12:29:46 +0300
Subject: publishFullContrib: true for ydb
<HIDDEN_URL>
commit_hash:c82a80ac4594723cebf2c7387dec9c60217f603e
---
.../python/cryptography/py3/_cffi_src/__init__.py | 0
.../cryptography/py3/_cffi_src/build_openssl.py | 121 ++++
.../cryptography/py3/_cffi_src/build_padding.py | 27 +
.../py3/_cffi_src/hazmat_src/padding.c | 65 ++
.../py3/_cffi_src/hazmat_src/padding.h | 6 +
.../cryptography/py3/_cffi_src/openssl/__init__.py | 5 +
.../cryptography/py3/_cffi_src/openssl/aes.py | 23 +
.../cryptography/py3/_cffi_src/openssl/asn1.py | 108 ++++
.../cryptography/py3/_cffi_src/openssl/bignum.py | 85 +++
.../cryptography/py3/_cffi_src/openssl/bio.py | 44 ++
.../py3/_cffi_src/openssl/callbacks.py | 52 ++
.../cryptography/py3/_cffi_src/openssl/cmac.py | 27 +
.../cryptography/py3/_cffi_src/openssl/conf.py | 21 +
.../cryptography/py3/_cffi_src/openssl/crypto.py | 117 ++++
.../py3/_cffi_src/openssl/cryptography.py | 69 ++
.../cryptography/py3/_cffi_src/openssl/ct.py | 118 ++++
.../cryptography/py3/_cffi_src/openssl/dh.py | 166 +++++
.../cryptography/py3/_cffi_src/openssl/dsa.py | 37 ++
.../cryptography/py3/_cffi_src/openssl/ec.py | 126 ++++
.../cryptography/py3/_cffi_src/openssl/ecdh.py | 21 +
.../cryptography/py3/_cffi_src/openssl/ecdsa.py | 29 +
.../cryptography/py3/_cffi_src/openssl/engine.py | 65 ++
.../cryptography/py3/_cffi_src/openssl/err.py | 49 ++
.../cryptography/py3/_cffi_src/openssl/evp.py | 272 ++++++++
.../cryptography/py3/_cffi_src/openssl/fips.py | 28 +
.../cryptography/py3/_cffi_src/openssl/hmac.py | 26 +
.../cryptography/py3/_cffi_src/openssl/nid.py | 52 ++
.../cryptography/py3/_cffi_src/openssl/objects.py | 33 +
.../cryptography/py3/_cffi_src/openssl/ocsp.py | 166 +++++
.../cryptography/py3/_cffi_src/openssl/opensslv.py | 22 +
.../py3/_cffi_src/openssl/osrandom_engine.py | 24 +
.../cryptography/py3/_cffi_src/openssl/pem.py | 75 +++
.../cryptography/py3/_cffi_src/openssl/pkcs12.py | 27 +
.../cryptography/py3/_cffi_src/openssl/pkcs7.py | 79 +++
.../cryptography/py3/_cffi_src/openssl/rand.py | 28 +
.../cryptography/py3/_cffi_src/openssl/rsa.py | 61 ++
.../py3/_cffi_src/openssl/src/osrandom_engine.c | 660 +++++++++++++++++++
.../py3/_cffi_src/openssl/src/osrandom_engine.h | 118 ++++
.../cryptography/py3/_cffi_src/openssl/ssl.py | 705 +++++++++++++++++++++
.../cryptography/py3/_cffi_src/openssl/x509.py | 302 +++++++++
.../cryptography/py3/_cffi_src/openssl/x509_vfy.py | 255 ++++++++
.../cryptography/py3/_cffi_src/openssl/x509name.py | 78 +++
.../cryptography/py3/_cffi_src/openssl/x509v3.py | 314 +++++++++
contrib/python/cryptography/py3/_cffi_src/utils.py | 110 ++++
44 files changed, 4816 insertions(+)
create mode 100644 contrib/python/cryptography/py3/_cffi_src/__init__.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/build_openssl.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/build_padding.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/hazmat_src/padding.c
create mode 100644 contrib/python/cryptography/py3/_cffi_src/hazmat_src/padding.h
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/__init__.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/aes.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/asn1.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/bignum.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/bio.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/callbacks.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/cmac.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/conf.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/crypto.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/cryptography.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/ct.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/dh.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/dsa.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/ec.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/ecdh.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/ecdsa.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/engine.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/err.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/evp.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/fips.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/hmac.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/nid.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/objects.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/ocsp.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/opensslv.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/osrandom_engine.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/pem.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/pkcs12.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/pkcs7.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/rand.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/rsa.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/src/osrandom_engine.c
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/src/osrandom_engine.h
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/ssl.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/x509.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/x509_vfy.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/x509name.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/openssl/x509v3.py
create mode 100644 contrib/python/cryptography/py3/_cffi_src/utils.py
(limited to 'contrib/python/cryptography/py3')
diff --git a/contrib/python/cryptography/py3/_cffi_src/__init__.py b/contrib/python/cryptography/py3/_cffi_src/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/contrib/python/cryptography/py3/_cffi_src/build_openssl.py b/contrib/python/cryptography/py3/_cffi_src/build_openssl.py
new file mode 100644
index 0000000000..4380c33969
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/build_openssl.py
@@ -0,0 +1,121 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import os
+import sys
+from distutils import dist
+from distutils.ccompiler import get_default_compiler
+from distutils.command.config import config
+
+from _cffi_src.utils import (
+ build_ffi_for_binding,
+ compiler_type,
+ extra_link_args,
+)
+
+
+def _get_openssl_libraries(platform):
+ if os.environ.get("CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS", None):
+ return []
+ # OpenSSL goes by a different library name on different operating systems.
+ if platform == "win32" and compiler_type() == "msvc":
+ return [
+ "libssl",
+ "libcrypto",
+ "advapi32",
+ "crypt32",
+ "gdi32",
+ "user32",
+ "ws2_32",
+ ]
+ else:
+ # darwin, linux, mingw all use this path
+ # In some circumstances, the order in which these libs are
+ # specified on the linker command-line is significant;
+ # libssl must come before libcrypto
+ # (https://marc.info/?l=openssl-users&m=135361825921871)
+ # -lpthread required due to usage of pthread an potential
+ # existance of a static part containing e.g. pthread_atfork
+ # (https://github.com/pyca/cryptography/issues/5084)
+ if sys.platform == "zos":
+ return ["ssl", "crypto"]
+ else:
+ return ["ssl", "crypto", "pthread"]
+
+
+def _extra_compile_args(platform):
+ """
+ We set -Wconversion args here so that we only do Wconversion checks on the
+ code we're compiling and not on cffi itself (as passing -Wconversion in
+ CFLAGS would do). We set no error on sign conversion because some
+ function signatures in LibreSSL differ from OpenSSL have changed on long
+ vs. unsigned long in the past. Since that isn't a precision issue we don't
+ care.
+ """
+ # make sure the compiler used supports the flags to be added
+ is_gcc = False
+ if get_default_compiler() == "unix":
+ d = dist.Distribution()
+ cmd = config(d)
+ cmd._check_compiler()
+ is_gcc = (
+ "gcc" in cmd.compiler.compiler[0]
+ or "clang" in cmd.compiler.compiler[0]
+ )
+ if is_gcc or not (
+ platform in ["win32", "hp-ux11", "sunos5"]
+ or platform.startswith("aix")
+ ):
+ return ["-Wconversion", "-Wno-error=sign-conversion"]
+ else:
+ return []
+
+
+ffi = build_ffi_for_binding(
+ module_name="_openssl",
+ module_prefix="_cffi_src.openssl.",
+ modules=[
+ # This goes first so we can define some cryptography-wide symbols.
+ "cryptography",
+ "aes",
+ "asn1",
+ "bignum",
+ "bio",
+ "cmac",
+ "conf",
+ "crypto",
+ "ct",
+ "dh",
+ "dsa",
+ "ec",
+ "ecdh",
+ "ecdsa",
+ "engine",
+ "err",
+ "evp",
+ "fips",
+ "hmac",
+ "nid",
+ "objects",
+ "ocsp",
+ "opensslv",
+ "osrandom_engine",
+ "pem",
+ "pkcs12",
+ "rand",
+ "rsa",
+ "ssl",
+ "x509",
+ "x509name",
+ "x509v3",
+ "x509_vfy",
+ "pkcs7",
+ "callbacks",
+ ],
+ libraries=_get_openssl_libraries(sys.platform),
+ extra_compile_args=_extra_compile_args(sys.platform),
+ extra_link_args=extra_link_args(compiler_type()),
+)
diff --git a/contrib/python/cryptography/py3/_cffi_src/build_padding.py b/contrib/python/cryptography/py3/_cffi_src/build_padding.py
new file mode 100644
index 0000000000..207f4a658e
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/build_padding.py
@@ -0,0 +1,27 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import os
+
+from _cffi_src.utils import build_ffi, compiler_type, extra_link_args
+
+
+with open(
+ os.path.join(os.path.dirname(__file__), "hazmat_src/padding.h")
+) as f:
+ types = f.read()
+
+with open(
+ os.path.join(os.path.dirname(__file__), "hazmat_src/padding.c")
+) as f:
+ functions = f.read()
+
+ffi = build_ffi(
+ module_name="_padding",
+ cdef_source=types,
+ verify_source=functions,
+ extra_link_args=extra_link_args(compiler_type()),
+)
diff --git a/contrib/python/cryptography/py3/_cffi_src/hazmat_src/padding.c b/contrib/python/cryptography/py3/_cffi_src/hazmat_src/padding.c
new file mode 100644
index 0000000000..a6e05dee1e
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/hazmat_src/padding.c
@@ -0,0 +1,65 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this
+// repository for complete details.
+
+/* Returns the value of the input with the most-significant-bit copied to all
+ of the bits. */
+static uint16_t Cryptography_DUPLICATE_MSB_TO_ALL(uint16_t a) {
+ return (1 - (a >> (sizeof(uint16_t) * 8 - 1))) - 1;
+}
+
+/* This returns 0xFFFF if a < b else 0x0000, but does so in a constant time
+ fashion */
+static uint16_t Cryptography_constant_time_lt(uint16_t a, uint16_t b) {
+ a -= b;
+ return Cryptography_DUPLICATE_MSB_TO_ALL(a);
+}
+
+uint8_t Cryptography_check_pkcs7_padding(const uint8_t *data,
+ uint16_t block_len) {
+ uint16_t i;
+ uint16_t pad_size = data[block_len - 1];
+ uint16_t mismatch = 0;
+ for (i = 0; i < block_len; i++) {
+ unsigned int mask = Cryptography_constant_time_lt(i, pad_size);
+ uint16_t b = data[block_len - 1 - i];
+ mismatch |= (mask & (pad_size ^ b));
+ }
+
+ /* Check to make sure the pad_size was within the valid range. */
+ mismatch |= ~Cryptography_constant_time_lt(0, pad_size);
+ mismatch |= Cryptography_constant_time_lt(block_len, pad_size);
+
+ /* Make sure any bits set are copied to the lowest bit */
+ mismatch |= mismatch >> 8;
+ mismatch |= mismatch >> 4;
+ mismatch |= mismatch >> 2;
+ mismatch |= mismatch >> 1;
+ /* Now check the low bit to see if it's set */
+ return (mismatch & 1) == 0;
+}
+
+uint8_t Cryptography_check_ansix923_padding(const uint8_t *data,
+ uint16_t block_len) {
+ uint16_t i;
+ uint16_t pad_size = data[block_len - 1];
+ uint16_t mismatch = 0;
+ /* Skip the first one with the pad size */
+ for (i = 1; i < block_len; i++) {
+ unsigned int mask = Cryptography_constant_time_lt(i, pad_size);
+ uint16_t b = data[block_len - 1 - i];
+ mismatch |= (mask & b);
+ }
+
+ /* Check to make sure the pad_size was within the valid range. */
+ mismatch |= ~Cryptography_constant_time_lt(0, pad_size);
+ mismatch |= Cryptography_constant_time_lt(block_len, pad_size);
+
+ /* Make sure any bits set are copied to the lowest bit */
+ mismatch |= mismatch >> 8;
+ mismatch |= mismatch >> 4;
+ mismatch |= mismatch >> 2;
+ mismatch |= mismatch >> 1;
+ /* Now check the low bit to see if it's set */
+ return (mismatch & 1) == 0;
+}
diff --git a/contrib/python/cryptography/py3/_cffi_src/hazmat_src/padding.h b/contrib/python/cryptography/py3/_cffi_src/hazmat_src/padding.h
new file mode 100644
index 0000000000..fb023c1711
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/hazmat_src/padding.h
@@ -0,0 +1,6 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this
+// repository for complete details.
+
+uint8_t Cryptography_check_pkcs7_padding(const uint8_t *, uint8_t);
+uint8_t Cryptography_check_ansix923_padding(const uint8_t *, uint8_t);
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/__init__.py b/contrib/python/cryptography/py3/_cffi_src/openssl/__init__.py
new file mode 100644
index 0000000000..4b540884df
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/__init__.py
@@ -0,0 +1,5 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/aes.py b/contrib/python/cryptography/py3/_cffi_src/openssl/aes.py
new file mode 100644
index 0000000000..25ef3ec0e3
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/aes.py
@@ -0,0 +1,23 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/aes.h>
+"""
+
+TYPES = """
+typedef ... AES_KEY;
+"""
+
+FUNCTIONS = """
+int AES_wrap_key(AES_KEY *, const unsigned char *, unsigned char *,
+ const unsigned char *, unsigned int);
+int AES_unwrap_key(AES_KEY *, const unsigned char *, unsigned char *,
+ const unsigned char *, unsigned int);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/asn1.py b/contrib/python/cryptography/py3/_cffi_src/openssl/asn1.py
new file mode 100644
index 0000000000..da55b670e0
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/asn1.py
@@ -0,0 +1,108 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/asn1.h>
+"""
+
+TYPES = """
+typedef int... time_t;
+
+typedef ... ASN1_INTEGER;
+
+struct asn1_string_st {
+ int length;
+ int type;
+ unsigned char *data;
+ long flags;
+};
+
+typedef struct asn1_string_st ASN1_OCTET_STRING;
+typedef struct asn1_string_st ASN1_IA5STRING;
+typedef struct asn1_string_st ASN1_BIT_STRING;
+typedef struct asn1_string_st ASN1_TIME;
+typedef ... ASN1_OBJECT;
+typedef struct asn1_string_st ASN1_STRING;
+typedef struct asn1_string_st ASN1_UTF8STRING;
+typedef struct {
+ int type;
+ ...;
+} ASN1_TYPE;
+typedef ... ASN1_GENERALIZEDTIME;
+typedef ... ASN1_ENUMERATED;
+typedef ... ASN1_NULL;
+
+static const int V_ASN1_GENERALIZEDTIME;
+
+static const int MBSTRING_UTF8;
+"""
+
+FUNCTIONS = """
+void ASN1_OBJECT_free(ASN1_OBJECT *);
+
+/* ASN1 STRING */
+unsigned char *ASN1_STRING_data(ASN1_STRING *);
+int ASN1_STRING_set(ASN1_STRING *, const void *, int);
+
+/* ASN1 OCTET STRING */
+ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(void);
+void ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *);
+int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *, const unsigned char *, int);
+
+/* ASN1 IA5STRING */
+ASN1_IA5STRING *ASN1_IA5STRING_new(void);
+
+/* ASN1 INTEGER */
+void ASN1_INTEGER_free(ASN1_INTEGER *);
+int ASN1_INTEGER_set(ASN1_INTEGER *, long);
+
+/* ASN1 TIME */
+ASN1_TIME *ASN1_TIME_new(void);
+void ASN1_TIME_free(ASN1_TIME *);
+int ASN1_TIME_set_string(ASN1_TIME *, const char *);
+
+/* ASN1 GENERALIZEDTIME */
+ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *, time_t);
+void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *);
+
+/* ASN1 ENUMERATED */
+ASN1_ENUMERATED *ASN1_ENUMERATED_new(void);
+void ASN1_ENUMERATED_free(ASN1_ENUMERATED *);
+int ASN1_ENUMERATED_set(ASN1_ENUMERATED *, long);
+
+int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *, int, int);
+/* These became const ASN1_* in 1.1.0 */
+int ASN1_STRING_type(ASN1_STRING *);
+int ASN1_STRING_to_UTF8(unsigned char **, ASN1_STRING *);
+long ASN1_ENUMERATED_get(ASN1_ENUMERATED *);
+int i2a_ASN1_INTEGER(BIO *, ASN1_INTEGER *);
+
+/* This became const ASN1_TIME in 1.1.0f */
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *,
+ ASN1_GENERALIZEDTIME **);
+
+ASN1_UTF8STRING *ASN1_UTF8STRING_new(void);
+void ASN1_UTF8STRING_free(ASN1_UTF8STRING *);
+
+ASN1_BIT_STRING *ASN1_BIT_STRING_new(void);
+void ASN1_BIT_STRING_free(ASN1_BIT_STRING *);
+/* This is not a macro, but is const on some versions of OpenSSL */
+int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *, int);
+
+int ASN1_STRING_length(ASN1_STRING *);
+int ASN1_STRING_set_default_mask_asc(char *);
+
+BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *, BIGNUM *);
+ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *, ASN1_INTEGER *);
+
+int i2d_ASN1_TYPE(ASN1_TYPE *, unsigned char **);
+ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **, const unsigned char **, long);
+
+ASN1_NULL *ASN1_NULL_new(void);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/bignum.py b/contrib/python/cryptography/py3/_cffi_src/openssl/bignum.py
new file mode 100644
index 0000000000..751018391d
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/bignum.py
@@ -0,0 +1,85 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/bn.h>
+"""
+
+TYPES = """
+typedef ... BN_CTX;
+typedef ... BN_MONT_CTX;
+typedef ... BIGNUM;
+typedef int... BN_ULONG;
+"""
+
+FUNCTIONS = """
+#define BN_FLG_CONSTTIME ...
+
+void BN_set_flags(BIGNUM *, int);
+
+BIGNUM *BN_new(void);
+void BN_free(BIGNUM *);
+void BN_clear_free(BIGNUM *);
+
+int BN_rand_range(BIGNUM *, const BIGNUM *);
+
+BN_CTX *BN_CTX_new(void);
+void BN_CTX_free(BN_CTX *);
+
+void BN_CTX_start(BN_CTX *);
+BIGNUM *BN_CTX_get(BN_CTX *);
+void BN_CTX_end(BN_CTX *);
+
+BN_MONT_CTX *BN_MONT_CTX_new(void);
+int BN_MONT_CTX_set(BN_MONT_CTX *, const BIGNUM *, BN_CTX *);
+void BN_MONT_CTX_free(BN_MONT_CTX *);
+
+BIGNUM *BN_dup(const BIGNUM *);
+
+int BN_set_word(BIGNUM *, BN_ULONG);
+
+const BIGNUM *BN_value_one(void);
+
+char *BN_bn2hex(const BIGNUM *);
+int BN_hex2bn(BIGNUM **, const char *);
+
+int BN_bn2bin(const BIGNUM *, unsigned char *);
+BIGNUM *BN_bin2bn(const unsigned char *, int, BIGNUM *);
+
+int BN_num_bits(const BIGNUM *);
+
+int BN_cmp(const BIGNUM *, const BIGNUM *);
+int BN_is_negative(const BIGNUM *);
+int BN_add(BIGNUM *, const BIGNUM *, const BIGNUM *);
+int BN_sub(BIGNUM *, const BIGNUM *, const BIGNUM *);
+int BN_nnmod(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+int BN_mod_add(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
+ BN_CTX *);
+int BN_mod_sub(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
+ BN_CTX *);
+int BN_mod_mul(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
+ BN_CTX *);
+int BN_mod_exp(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
+ BN_CTX *);
+int BN_mod_exp_mont(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
+ BN_CTX *, BN_MONT_CTX *);
+int BN_mod_exp_mont_consttime(BIGNUM *, const BIGNUM *, const BIGNUM *,
+ const BIGNUM *, BN_CTX *, BN_MONT_CTX *);
+BIGNUM *BN_mod_inverse(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+
+int BN_num_bytes(const BIGNUM *);
+
+int BN_mod(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+
+/* The following 3 prime methods are exposed for Tribler. */
+int BN_generate_prime_ex(BIGNUM *, int, int, const BIGNUM *,
+ const BIGNUM *, BN_GENCB *);
+int BN_is_prime_ex(const BIGNUM *, int, BN_CTX *, BN_GENCB *);
+const int BN_prime_checks_for_size(int);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/bio.py b/contrib/python/cryptography/py3/_cffi_src/openssl/bio.py
new file mode 100644
index 0000000000..52d57c6228
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/bio.py
@@ -0,0 +1,44 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/bio.h>
+"""
+
+TYPES = """
+typedef ... BIO;
+typedef ... BIO_METHOD;
+"""
+
+FUNCTIONS = """
+int BIO_free(BIO *);
+void BIO_free_all(BIO *);
+BIO *BIO_new_file(const char *, const char *);
+BIO *BIO_new_dgram(int, int);
+size_t BIO_ctrl_pending(BIO *);
+int BIO_read(BIO *, void *, int);
+int BIO_gets(BIO *, char *, int);
+int BIO_write(BIO *, const void *, int);
+/* Added in 1.1.0 */
+int BIO_up_ref(BIO *);
+
+BIO *BIO_new(BIO_METHOD *);
+BIO_METHOD *BIO_s_mem(void);
+BIO_METHOD *BIO_s_datagram(void);
+BIO *BIO_new_mem_buf(const void *, int);
+long BIO_set_mem_eof_return(BIO *, int);
+long BIO_get_mem_data(BIO *, char **);
+int BIO_should_read(BIO *);
+int BIO_should_write(BIO *);
+int BIO_should_io_special(BIO *);
+int BIO_should_retry(BIO *);
+int BIO_reset(BIO *);
+void BIO_set_retry_read(BIO *);
+void BIO_clear_retry_flags(BIO *);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/callbacks.py b/contrib/python/cryptography/py3/_cffi_src/openssl/callbacks.py
new file mode 100644
index 0000000000..19301b973a
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/callbacks.py
@@ -0,0 +1,52 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <string.h>
+"""
+
+TYPES = """
+typedef struct {
+ char *password;
+ int length;
+ int called;
+ int error;
+ int maxsize;
+} CRYPTOGRAPHY_PASSWORD_DATA;
+"""
+
+FUNCTIONS = """
+int Cryptography_pem_password_cb(char *, int, int, void *);
+"""
+
+CUSTOMIZATIONS = """
+typedef struct {
+ char *password;
+ int length;
+ int called;
+ int error;
+ int maxsize;
+} CRYPTOGRAPHY_PASSWORD_DATA;
+
+int Cryptography_pem_password_cb(char *buf, int size,
+ int rwflag, void *userdata) {
+ /* The password cb is only invoked if OpenSSL decides the private
+ key is encrypted. So this path only occurs if it needs a password */
+ CRYPTOGRAPHY_PASSWORD_DATA *st = (CRYPTOGRAPHY_PASSWORD_DATA *)userdata;
+ st->called += 1;
+ st->maxsize = size;
+ if (st->length == 0) {
+ st->error = -1;
+ return 0;
+ } else if (st->length < size) {
+ memcpy(buf, st->password, st->length);
+ return st->length;
+ } else {
+ st->error = -2;
+ return 0;
+ }
+}
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/cmac.py b/contrib/python/cryptography/py3/_cffi_src/openssl/cmac.py
new file mode 100644
index 0000000000..557abd1ca8
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/cmac.py
@@ -0,0 +1,27 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#if !defined(OPENSSL_NO_CMAC)
+#include <openssl/cmac.h>
+#endif
+"""
+
+TYPES = """
+typedef ... CMAC_CTX;
+"""
+
+FUNCTIONS = """
+CMAC_CTX *CMAC_CTX_new(void);
+int CMAC_Init(CMAC_CTX *, const void *, size_t, const EVP_CIPHER *, ENGINE *);
+int CMAC_Update(CMAC_CTX *, const void *, size_t);
+int CMAC_Final(CMAC_CTX *, unsigned char *, size_t *);
+int CMAC_CTX_copy(CMAC_CTX *, const CMAC_CTX *);
+void CMAC_CTX_free(CMAC_CTX *);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/conf.py b/contrib/python/cryptography/py3/_cffi_src/openssl/conf.py
new file mode 100644
index 0000000000..9db0162a63
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/conf.py
@@ -0,0 +1,21 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/conf.h>
+"""
+
+TYPES = """
+"""
+
+FUNCTIONS = """
+void OPENSSL_config(const char *);
+/* This is a macro in 1.1.0 */
+void OPENSSL_no_config(void);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/crypto.py b/contrib/python/cryptography/py3/_cffi_src/openssl/crypto.py
new file mode 100644
index 0000000000..6064a4eeea
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/crypto.py
@@ -0,0 +1,117 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/crypto.h>
+"""
+
+TYPES = """
+static const long Cryptography_HAS_MEM_FUNCTIONS;
+static const long Cryptography_HAS_OPENSSL_CLEANUP;
+
+static const int SSLEAY_VERSION;
+static const int SSLEAY_CFLAGS;
+static const int SSLEAY_PLATFORM;
+static const int SSLEAY_DIR;
+static const int SSLEAY_BUILT_ON;
+static const int OPENSSL_VERSION;
+static const int OPENSSL_CFLAGS;
+static const int OPENSSL_BUILT_ON;
+static const int OPENSSL_PLATFORM;
+static const int OPENSSL_DIR;
+"""
+
+FUNCTIONS = """
+void OPENSSL_cleanup(void);
+
+/* SSLeay was removed in 1.1.0 */
+unsigned long SSLeay(void);
+const char *SSLeay_version(int);
+/* these functions were added to replace the SSLeay functions in 1.1.0 */
+unsigned long OpenSSL_version_num(void);
+const char *OpenSSL_version(int);
+
+/* this is a macro in 1.1.0 */
+void *OPENSSL_malloc(size_t);
+void OPENSSL_free(void *);
+
+
+/* Signature changed significantly in 1.1.0, only expose there for sanity */
+int Cryptography_CRYPTO_set_mem_functions(
+ void *(*)(size_t, const char *, int),
+ void *(*)(void *, size_t, const char *, int),
+ void (*)(void *, const char *, int));
+
+void *Cryptography_malloc_wrapper(size_t, const char *, int);
+void *Cryptography_realloc_wrapper(void *, size_t, const char *, int);
+void Cryptography_free_wrapper(void *, const char *, int);
+"""
+
+CUSTOMIZATIONS = """
+/* In 1.1.0 SSLeay has finally been retired. We bidirectionally define the
+ values so you can use either one. This is so we can use the new function
+ names no matter what OpenSSL we're running on, but users on older pyOpenSSL
+ releases won't see issues if they're running OpenSSL 1.1.0 */
+#if !defined(SSLEAY_VERSION)
+# define SSLeay OpenSSL_version_num
+# define SSLeay_version OpenSSL_version
+# define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
+# define SSLEAY_VERSION OPENSSL_VERSION
+# define SSLEAY_CFLAGS OPENSSL_CFLAGS
+# define SSLEAY_BUILT_ON OPENSSL_BUILT_ON
+# define SSLEAY_PLATFORM OPENSSL_PLATFORM
+# define SSLEAY_DIR OPENSSL_DIR
+#endif
+#if !defined(OPENSSL_VERSION)
+# define OpenSSL_version_num SSLeay
+# define OpenSSL_version SSLeay_version
+# define OPENSSL_VERSION SSLEAY_VERSION
+# define OPENSSL_CFLAGS SSLEAY_CFLAGS
+# define OPENSSL_BUILT_ON SSLEAY_BUILT_ON
+# define OPENSSL_PLATFORM SSLEAY_PLATFORM
+# define OPENSSL_DIR SSLEAY_DIR
+#endif
+
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_OPENSSL_CLEANUP = 0;
+
+void (*OPENSSL_cleanup)(void) = NULL;
+
+/* This function has a significantly different signature pre-1.1.0. since it is
+ * for testing only, we don't bother to expose it on older OpenSSLs.
+ */
+static const long Cryptography_HAS_MEM_FUNCTIONS = 0;
+int (*Cryptography_CRYPTO_set_mem_functions)(
+ void *(*)(size_t, const char *, int),
+ void *(*)(void *, size_t, const char *, int),
+ void (*)(void *, const char *, int)) = NULL;
+
+#else
+static const long Cryptography_HAS_OPENSSL_CLEANUP = 1;
+static const long Cryptography_HAS_MEM_FUNCTIONS = 1;
+
+int Cryptography_CRYPTO_set_mem_functions(
+ void *(*m)(size_t, const char *, int),
+ void *(*r)(void *, size_t, const char *, int),
+ void (*f)(void *, const char *, int)
+) {
+ return CRYPTO_set_mem_functions(m, r, f);
+}
+#endif
+
+void *Cryptography_malloc_wrapper(size_t size, const char *path, int line) {
+ return malloc(size);
+}
+
+void *Cryptography_realloc_wrapper(void *ptr, size_t size, const char *path,
+ int line) {
+ return realloc(ptr, size);
+}
+
+void Cryptography_free_wrapper(void *ptr, const char *path, int line) {
+ free(ptr);
+}
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/cryptography.py b/contrib/python/cryptography/py3/_cffi_src/openssl/cryptography.py
new file mode 100644
index 0000000000..f24bee5a4f
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/cryptography.py
@@ -0,0 +1,69 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+/* define our OpenSSL API compatibility level to 1.0.1. Any symbols older than
+ that will raise an error during compilation. We can raise this number again
+ after we drop 1.0.2 support in the distant future. */
+#define OPENSSL_API_COMPAT 0x10001000L
+
+#include <openssl/opensslv.h>
+
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+#define CRYPTOGRAPHY_IS_LIBRESSL 1
+#else
+#define CRYPTOGRAPHY_IS_LIBRESSL 0
+#endif
+
+/*
+ LibreSSL removed e_os2.h from the public headers so we'll only include it
+ if we're using vanilla OpenSSL.
+*/
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+#include <openssl/e_os2.h>
+#endif
+#if defined(_WIN32)
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <Wincrypt.h>
+#include <Winsock2.h>
+#endif
+
+#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+ (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
+ (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \
+ (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
+ (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)
+#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \
+ !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)
+#define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1
+#else
+#define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 0
+#endif
+"""
+
+TYPES = """
+static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
+
+static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
+static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
+static const int CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE;
+
+static const int CRYPTOGRAPHY_IS_LIBRESSL;
+"""
+
+FUNCTIONS = """
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/ct.py b/contrib/python/cryptography/py3/_cffi_src/openssl/ct.py
new file mode 100644
index 0000000000..5f0670635f
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/ct.py
@@ -0,0 +1,118 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#if CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER && !defined(OPENSSL_NO_CT)
+#include <openssl/ct.h>
+
+typedef STACK_OF(SCT) Cryptography_STACK_OF_SCT;
+#endif
+"""
+
+TYPES = """
+static const long Cryptography_HAS_SCT;
+
+typedef enum {
+ SCT_VERSION_NOT_SET,
+ SCT_VERSION_V1
+} sct_version_t;
+
+typedef enum {
+ CT_LOG_ENTRY_TYPE_NOT_SET,
+ CT_LOG_ENTRY_TYPE_X509,
+ CT_LOG_ENTRY_TYPE_PRECERT
+} ct_log_entry_type_t;
+
+typedef enum {
+ SCT_SOURCE_UNKNOWN,
+ SCT_SOURCE_TLS_EXTENSION,
+ SCT_SOURCE_X509V3_EXTENSION,
+ SCT_SOURCE_OCSP_STAPLED_RESPONSE
+} sct_source_t;
+
+typedef ... SCT;
+typedef ... Cryptography_STACK_OF_SCT;
+"""
+
+FUNCTIONS = """
+sct_version_t SCT_get_version(const SCT *);
+
+ct_log_entry_type_t SCT_get_log_entry_type(const SCT *);
+
+size_t SCT_get0_log_id(const SCT *, unsigned char **);
+
+size_t SCT_get0_signature(const SCT *, unsigned char **);
+
+uint64_t SCT_get_timestamp(const SCT *);
+
+int SCT_set_source(SCT *, sct_source_t);
+
+Cryptography_STACK_OF_SCT *sk_SCT_new_null(void);
+void sk_SCT_free(Cryptography_STACK_OF_SCT *);
+int sk_SCT_num(const Cryptography_STACK_OF_SCT *);
+SCT *sk_SCT_value(const Cryptography_STACK_OF_SCT *, int);
+int sk_SCT_push(Cryptography_STACK_OF_SCT *, SCT *);
+
+void SCT_LIST_free(Cryptography_STACK_OF_SCT *);
+
+SCT *SCT_new(void);
+int SCT_set1_log_id(SCT *, unsigned char *, size_t);
+void SCT_set_timestamp(SCT *, uint64_t);
+int SCT_set_version(SCT *, sct_version_t);
+int SCT_set_log_entry_type(SCT *, ct_log_entry_type_t);
+"""
+
+CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER && !defined(OPENSSL_NO_CT)
+static const long Cryptography_HAS_SCT = 1;
+#else
+static const long Cryptography_HAS_SCT = 0;
+
+typedef enum {
+ SCT_VERSION_NOT_SET,
+ SCT_VERSION_V1
+} sct_version_t;
+typedef enum {
+ CT_LOG_ENTRY_TYPE_NOT_SET,
+ CT_LOG_ENTRY_TYPE_X509,
+ CT_LOG_ENTRY_TYPE_PRECERT
+} ct_log_entry_type_t;
+typedef enum {
+ SCT_SOURCE_UNKNOWN,
+ SCT_SOURCE_TLS_EXTENSION,
+ SCT_SOURCE_X509V3_EXTENSION,
+ SCT_SOURCE_OCSP_STAPLED_RESPONSE
+} sct_source_t;
+
+/* OpenSSL compiled with `no-ct` still defines the `SCT` struct. */
+#if !defined(OPENSSL_NO_CT)
+typedef void SCT;
+#endif
+
+typedef void Cryptography_STACK_OF_SCT;
+
+sct_version_t (*SCT_get_version)(const SCT *) = NULL;
+ct_log_entry_type_t (*SCT_get_log_entry_type)(const SCT *) = NULL;
+size_t (*SCT_get0_log_id)(const SCT *, unsigned char **) = NULL;
+size_t (*SCT_get0_signature)(const SCT *, unsigned char **) = NULL;
+uint64_t (*SCT_get_timestamp)(const SCT *) = NULL;
+
+int (*SCT_set_source)(SCT *, sct_source_t) = NULL;
+
+Cryptography_STACK_OF_SCT *(*sk_SCT_new_null)(void) = NULL;
+void (*sk_SCT_free)(Cryptography_STACK_OF_SCT *) = NULL;
+int (*sk_SCT_num)(const Cryptography_STACK_OF_SCT *) = NULL;
+SCT *(*sk_SCT_value)(const Cryptography_STACK_OF_SCT *, int) = NULL;
+int (*sk_SCT_push)(Cryptography_STACK_OF_SCT *, SCT *) = NULL;
+
+void (*SCT_LIST_free)(Cryptography_STACK_OF_SCT *) = NULL;
+SCT *(*SCT_new)(void) = NULL;
+int (*SCT_set1_log_id)(SCT *, unsigned char *, size_t) = NULL;
+void (*SCT_set_timestamp)(SCT *, uint64_t) = NULL;
+int (*SCT_set_version)(SCT *, sct_version_t) = NULL;
+int (*SCT_set_log_entry_type)(SCT *, ct_log_entry_type_t) = NULL;
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/dh.py b/contrib/python/cryptography/py3/_cffi_src/openssl/dh.py
new file mode 100644
index 0000000000..947a5a8ee0
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/dh.py
@@ -0,0 +1,166 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/dh.h>
+"""
+
+TYPES = """
+typedef ... DH;
+
+const long DH_NOT_SUITABLE_GENERATOR;
+"""
+
+FUNCTIONS = """
+DH *DH_new(void);
+void DH_free(DH *);
+int DH_size(const DH *);
+int DH_generate_key(DH *);
+int DH_compute_key(unsigned char *, const BIGNUM *, DH *);
+DH *DHparams_dup(DH *);
+
+/* added in 1.1.0 when the DH struct was opaqued */
+void DH_get0_pqg(const DH *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **);
+int DH_set0_pqg(DH *, BIGNUM *, BIGNUM *, BIGNUM *);
+void DH_get0_key(const DH *, const BIGNUM **, const BIGNUM **);
+int DH_set0_key(DH *, BIGNUM *, BIGNUM *);
+
+int Cryptography_DH_check(const DH *, int *);
+int DH_generate_parameters_ex(DH *, int, int, BN_GENCB *);
+DH *d2i_DHparams_bio(BIO *, DH **);
+int i2d_DHparams_bio(BIO *, DH *);
+DH *Cryptography_d2i_DHxparams_bio(BIO *bp, DH **x);
+int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x);
+"""
+
+CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_IS_LIBRESSL
+#ifndef DH_CHECK_Q_NOT_PRIME
+#define DH_CHECK_Q_NOT_PRIME 0x10
+#endif
+
+#ifndef DH_CHECK_INVALID_Q_VALUE
+#define DH_CHECK_INVALID_Q_VALUE 0x20
+#endif
+
+#ifndef DH_CHECK_INVALID_J_VALUE
+#define DH_CHECK_INVALID_J_VALUE 0x40
+#endif
+
+/* DH_check implementation taken from OpenSSL 1.1.0pre6 */
+
+/*-
+ * Check that p is a safe prime and
+ * if g is 2, 3 or 5, check that it is a suitable generator
+ * where
+ * for 2, p mod 24 == 11
+ * for 3, p mod 12 == 5
+ * for 5, p mod 10 == 3 or 7
+ * should hold.
+ */
+
+int Cryptography_DH_check(const DH *dh, int *ret)
+{
+ int ok = 0, r;
+ BN_CTX *ctx = NULL;
+ BN_ULONG l;
+ BIGNUM *t1 = NULL, *t2 = NULL;
+
+ *ret = 0;
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+ t1 = BN_CTX_get(ctx);
+ if (t1 == NULL)
+ goto err;
+ t2 = BN_CTX_get(ctx);
+ if (t2 == NULL)
+ goto err;
+
+ if (dh->q) {
+ if (BN_cmp(dh->g, BN_value_one()) <= 0)
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ else if (BN_cmp(dh->g, dh->p) >= 0)
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ else {
+ /* Check g^q == 1 mod p */
+ if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))
+ goto err;
+ if (!BN_is_one(t1))
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ }
+ r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
+ if (r < 0)
+ goto err;
+ if (!r)
+ *ret |= DH_CHECK_Q_NOT_PRIME;
+ /* Check p == 1 mod q i.e. q divides p - 1 */
+ if (!BN_div(t1, t2, dh->p, dh->q, ctx))
+ goto err;
+ if (!BN_is_one(t2))
+ *ret |= DH_CHECK_INVALID_Q_VALUE;
+ if (dh->j && BN_cmp(dh->j, t1))
+ *ret |= DH_CHECK_INVALID_J_VALUE;
+
+ } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
+ l = BN_mod_word(dh->p, 24);
+ if (l == (BN_ULONG)-1)
+ goto err;
+ if (l != 11)
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
+ l = BN_mod_word(dh->p, 10);
+ if (l == (BN_ULONG)-1)
+ goto err;
+ if ((l != 3) && (l != 7))
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ } else
+ *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
+
+ r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
+ if (r < 0)
+ goto err;
+ if (!r)
+ *ret |= DH_CHECK_P_NOT_PRIME;
+ else if (!dh->q) {
+ if (!BN_rshift1(t1, dh->p))
+ goto err;
+ r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
+ if (r < 0)
+ goto err;
+ if (!r)
+ *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
+ }
+ ok = 1;
+ err:
+ if (ctx != NULL) {
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ }
+ return (ok);
+}
+#else
+int Cryptography_DH_check(const DH *dh, int *ret) {
+ return DH_check(dh, ret);
+}
+#endif
+
+/* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */
+/* Define our own to simplify support across all versions. */
+#if defined(EVP_PKEY_DHX) && EVP_PKEY_DHX != -1
+DH *Cryptography_d2i_DHxparams_bio(BIO *bp, DH **x) {
+ return ASN1_d2i_bio_of(DH, DH_new, d2i_DHxparams, bp, x);
+}
+int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x) {
+ return ASN1_i2d_bio_of_const(DH, i2d_DHxparams, bp, x);
+}
+#else
+DH *(*Cryptography_d2i_DHxparams_bio)(BIO *bp, DH **x) = NULL;
+int (*Cryptography_i2d_DHxparams_bio)(BIO *bp, DH *x) = NULL;
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/dsa.py b/contrib/python/cryptography/py3/_cffi_src/openssl/dsa.py
new file mode 100644
index 0000000000..3a290067bc
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/dsa.py
@@ -0,0 +1,37 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/dsa.h>
+"""
+
+TYPES = """
+typedef ... DSA;
+"""
+
+FUNCTIONS = """
+int DSA_generate_key(DSA *);
+DSA *DSA_new(void);
+void DSA_free(DSA *);
+DSA *DSAparams_dup(DSA *);
+int DSA_size(const DSA *);
+int DSA_sign(int, const unsigned char *, int, unsigned char *, unsigned int *,
+ DSA *);
+int DSA_verify(int, const unsigned char *, int, const unsigned char *, int,
+ DSA *);
+
+/* added in 1.1.0 to access the opaque struct */
+void DSA_get0_pqg(const DSA *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **);
+int DSA_set0_pqg(DSA *, BIGNUM *, BIGNUM *, BIGNUM *);
+void DSA_get0_key(const DSA *, const BIGNUM **, const BIGNUM **);
+int DSA_set0_key(DSA *, BIGNUM *, BIGNUM *);
+int DSA_generate_parameters_ex(DSA *, int, unsigned char *, int,
+ int *, unsigned long *, BN_GENCB *);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/ec.py b/contrib/python/cryptography/py3/_cffi_src/openssl/ec.py
new file mode 100644
index 0000000000..6432fc22e9
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/ec.py
@@ -0,0 +1,126 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/ec.h>
+#include <openssl/obj_mac.h>
+"""
+
+TYPES = """
+static const int Cryptography_HAS_EC2M;
+
+static const int OPENSSL_EC_NAMED_CURVE;
+
+typedef ... EC_KEY;
+typedef ... EC_GROUP;
+typedef ... EC_POINT;
+typedef ... EC_METHOD;
+typedef struct {
+ int nid;
+ const char *comment;
+} EC_builtin_curve;
+typedef enum {
+ POINT_CONVERSION_COMPRESSED,
+ POINT_CONVERSION_UNCOMPRESSED,
+ ...
+} point_conversion_form_t;
+"""
+
+FUNCTIONS = """
+void EC_GROUP_free(EC_GROUP *);
+
+EC_GROUP *EC_GROUP_new_by_curve_name(int);
+
+int EC_GROUP_get_degree(const EC_GROUP *);
+
+const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *);
+const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *);
+int EC_GROUP_get_curve_name(const EC_GROUP *);
+
+size_t EC_get_builtin_curves(EC_builtin_curve *, size_t);
+
+EC_KEY *EC_KEY_new(void);
+void EC_KEY_free(EC_KEY *);
+
+EC_KEY *EC_KEY_new_by_curve_name(int);
+const EC_GROUP *EC_KEY_get0_group(const EC_KEY *);
+int EC_GROUP_get_order(const EC_GROUP *, BIGNUM *, BN_CTX *);
+int EC_KEY_set_group(EC_KEY *, const EC_GROUP *);
+const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *);
+int EC_KEY_set_private_key(EC_KEY *, const BIGNUM *);
+const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *);
+int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);
+void EC_KEY_set_asn1_flag(EC_KEY *, int);
+int EC_KEY_generate_key(EC_KEY *);
+int EC_KEY_set_public_key_affine_coordinates(EC_KEY *, BIGNUM *, BIGNUM *);
+
+EC_POINT *EC_POINT_new(const EC_GROUP *);
+void EC_POINT_free(EC_POINT *);
+void EC_POINT_clear_free(EC_POINT *);
+EC_POINT *EC_POINT_dup(const EC_POINT *, const EC_GROUP *);
+
+int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+ const BIGNUM *, const BIGNUM *, BN_CTX *);
+
+int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *,
+ const EC_POINT *, BIGNUM *, BIGNUM *, BN_CTX *);
+
+int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+ const BIGNUM *, int, BN_CTX *);
+
+int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *, EC_POINT *,
+ const BIGNUM *, const BIGNUM *, BN_CTX *);
+
+int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *,
+ const EC_POINT *, BIGNUM *, BIGNUM *, BN_CTX *);
+
+int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *, EC_POINT *,
+ const BIGNUM *, int, BN_CTX *);
+
+size_t EC_POINT_point2oct(const EC_GROUP *, const EC_POINT *,
+ point_conversion_form_t,
+ unsigned char *, size_t, BN_CTX *);
+
+int EC_POINT_oct2point(const EC_GROUP *, EC_POINT *,
+ const unsigned char *, size_t, BN_CTX *);
+
+int EC_POINT_add(const EC_GROUP *, EC_POINT *, const EC_POINT *,
+ const EC_POINT *, BN_CTX *);
+
+int EC_POINT_dbl(const EC_GROUP *, EC_POINT *, const EC_POINT *, BN_CTX *);
+int EC_POINT_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int EC_POINT_is_at_infinity(const EC_GROUP *, const EC_POINT *);
+int EC_POINT_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+
+int EC_POINT_cmp(
+ const EC_GROUP *, const EC_POINT *, const EC_POINT *, BN_CTX *);
+
+int EC_POINT_mul(const EC_GROUP *, EC_POINT *, const BIGNUM *,
+ const EC_POINT *, const BIGNUM *, BN_CTX *);
+
+int EC_METHOD_get_field_type(const EC_METHOD *);
+
+const char *EC_curve_nid2nist(int);
+
+int EC_GROUP_get_asn1_flag(const EC_GROUP *);
+"""
+
+CUSTOMIZATIONS = """
+#if defined(OPENSSL_NO_EC2M)
+static const long Cryptography_HAS_EC2M = 0;
+
+int (*EC_POINT_set_affine_coordinates_GF2m)(const EC_GROUP *, EC_POINT *,
+ const BIGNUM *, const BIGNUM *, BN_CTX *) = NULL;
+
+int (*EC_POINT_get_affine_coordinates_GF2m)(const EC_GROUP *,
+ const EC_POINT *, BIGNUM *, BIGNUM *, BN_CTX *) = NULL;
+
+int (*EC_POINT_set_compressed_coordinates_GF2m)(const EC_GROUP *, EC_POINT *,
+ const BIGNUM *, int, BN_CTX *) = NULL;
+#else
+static const long Cryptography_HAS_EC2M = 1;
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/ecdh.py b/contrib/python/cryptography/py3/_cffi_src/openssl/ecdh.py
new file mode 100644
index 0000000000..c73cc9f36f
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/ecdh.py
@@ -0,0 +1,21 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/ecdh.h>
+"""
+
+TYPES = """
+"""
+
+FUNCTIONS = """
+int ECDH_compute_key(void *, size_t, const EC_POINT *, EC_KEY *,
+ void *(*)(const void *, size_t, void *, size_t *));
+long SSL_CTX_set_ecdh_auto(SSL_CTX *, int);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/ecdsa.py b/contrib/python/cryptography/py3/_cffi_src/openssl/ecdsa.py
new file mode 100644
index 0000000000..3134e24b61
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/ecdsa.py
@@ -0,0 +1,29 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/ecdsa.h>
+"""
+
+TYPES = """
+typedef ... ECDSA_SIG;
+
+typedef ... CRYPTO_EX_new;
+typedef ... CRYPTO_EX_dup;
+typedef ... CRYPTO_EX_free;
+"""
+
+FUNCTIONS = """
+int ECDSA_sign(int, const unsigned char *, int, unsigned char *,
+ unsigned int *, EC_KEY *);
+int ECDSA_verify(int, const unsigned char *, int, const unsigned char *, int,
+ EC_KEY *);
+int ECDSA_size(const EC_KEY *);
+
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/engine.py b/contrib/python/cryptography/py3/_cffi_src/openssl/engine.py
new file mode 100644
index 0000000000..24cdd42a83
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/engine.py
@@ -0,0 +1,65 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/engine.h>
+"""
+
+TYPES = """
+typedef ... ENGINE;
+typedef ... UI_METHOD;
+
+static const long Cryptography_HAS_ENGINE;
+"""
+
+FUNCTIONS = """
+ENGINE *ENGINE_by_id(const char *);
+int ENGINE_init(ENGINE *);
+int ENGINE_finish(ENGINE *);
+ENGINE *ENGINE_get_default_RAND(void);
+int ENGINE_set_default_RAND(ENGINE *);
+void ENGINE_unregister_RAND(ENGINE *);
+int ENGINE_ctrl_cmd(ENGINE *, const char *, long, void *, void (*)(void), int);
+int ENGINE_free(ENGINE *);
+const char *ENGINE_get_name(const ENGINE *);
+
+// These bindings are unused by cryptography or pyOpenSSL but are present
+// for advanced users who need them.
+int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int);
+void ENGINE_load_builtin_engines(void);
+EVP_PKEY *ENGINE_load_private_key(ENGINE *, const char *, UI_METHOD *, void *);
+EVP_PKEY *ENGINE_load_public_key(ENGINE *, const char *, UI_METHOD *, void *);
+"""
+
+CUSTOMIZATIONS = """
+#ifdef OPENSSL_NO_ENGINE
+static const long Cryptography_HAS_ENGINE = 0;
+
+ENGINE *(*ENGINE_by_id)(const char *) = NULL;
+int (*ENGINE_init)(ENGINE *) = NULL;
+int (*ENGINE_finish)(ENGINE *) = NULL;
+ENGINE *(*ENGINE_get_default_RAND)(void) = NULL;
+int (*ENGINE_set_default_RAND)(ENGINE *) = NULL;
+void (*ENGINE_unregister_RAND)(ENGINE *) = NULL;
+int (*ENGINE_ctrl_cmd)(ENGINE *, const char *, long, void *,
+ void (*)(void), int) = NULL;
+
+int (*ENGINE_free)(ENGINE *) = NULL;
+const char *(*ENGINE_get_id)(const ENGINE *) = NULL;
+const char *(*ENGINE_get_name)(const ENGINE *) = NULL;
+
+int (*ENGINE_ctrl_cmd_string)(ENGINE *, const char *, const char *,
+ int) = NULL;
+void (*ENGINE_load_builtin_engines)(void) = NULL;
+EVP_PKEY *(*ENGINE_load_private_key)(ENGINE *, const char *, UI_METHOD *,
+ void *) = NULL;
+EVP_PKEY *(*ENGINE_load_public_key)(ENGINE *, const char *,
+ UI_METHOD *, void *) = NULL;
+
+#else
+static const long Cryptography_HAS_ENGINE = 1;
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/err.py b/contrib/python/cryptography/py3/_cffi_src/openssl/err.py
new file mode 100644
index 0000000000..0dd7414674
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/err.py
@@ -0,0 +1,49 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/err.h>
+"""
+
+TYPES = """
+static const int EVP_F_EVP_ENCRYPTFINAL_EX;
+static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH;
+static const int EVP_R_BAD_DECRYPT;
+static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM;
+static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR;
+static const int PEM_R_UNSUPPORTED_ENCRYPTION;
+static const int EVP_R_UNKNOWN_PBE_ALGORITHM;
+
+static const int ERR_LIB_EVP;
+static const int ERR_LIB_PEM;
+static const int ERR_LIB_ASN1;
+static const int ERR_LIB_PKCS12;
+
+static const int SSL_TLSEXT_ERR_OK;
+static const int SSL_TLSEXT_ERR_ALERT_FATAL;
+static const int SSL_TLSEXT_ERR_NOACK;
+
+static const int X509_R_CERT_ALREADY_IN_HASH_TABLE;
+"""
+
+FUNCTIONS = """
+void ERR_error_string_n(unsigned long, char *, size_t);
+const char *ERR_lib_error_string(unsigned long);
+const char *ERR_func_error_string(unsigned long);
+const char *ERR_reason_error_string(unsigned long);
+unsigned long ERR_get_error(void);
+unsigned long ERR_peek_error(void);
+void ERR_clear_error(void);
+void ERR_put_error(int, int, int, const char *, int);
+
+int ERR_GET_LIB(unsigned long);
+int ERR_GET_FUNC(unsigned long);
+int ERR_GET_REASON(unsigned long);
+
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/evp.py b/contrib/python/cryptography/py3/_cffi_src/openssl/evp.py
new file mode 100644
index 0000000000..ab7cfeb395
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/evp.py
@@ -0,0 +1,272 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/evp.h>
+"""
+
+TYPES = """
+typedef ... EVP_CIPHER;
+typedef ... EVP_CIPHER_CTX;
+typedef ... EVP_MD;
+typedef ... EVP_MD_CTX;
+
+typedef ... EVP_PKEY;
+typedef ... EVP_PKEY_CTX;
+static const int EVP_PKEY_RSA;
+static const int EVP_PKEY_DSA;
+static const int EVP_PKEY_DH;
+static const int EVP_PKEY_DHX;
+static const int EVP_PKEY_EC;
+static const int EVP_PKEY_X25519;
+static const int EVP_PKEY_ED25519;
+static const int EVP_PKEY_X448;
+static const int EVP_PKEY_ED448;
+static const int EVP_PKEY_POLY1305;
+static const int EVP_MAX_MD_SIZE;
+static const int EVP_CTRL_AEAD_SET_IVLEN;
+static const int EVP_CTRL_AEAD_GET_TAG;
+static const int EVP_CTRL_AEAD_SET_TAG;
+
+static const int Cryptography_HAS_SCRYPT;
+static const int Cryptography_HAS_EVP_PKEY_DHX;
+static const int Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint;
+static const int Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY;
+static const long Cryptography_HAS_RAW_KEY;
+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF;
+"""
+
+FUNCTIONS = """
+const EVP_CIPHER *EVP_get_cipherbyname(const char *);
+int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *, int);
+int EVP_CipherInit_ex(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *,
+ const unsigned char *, const unsigned char *, int);
+int EVP_CipherUpdate(EVP_CIPHER_CTX *, unsigned char *, int *,
+ const unsigned char *, int);
+int EVP_CipherFinal_ex(EVP_CIPHER_CTX *, unsigned char *, int *);
+int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
+EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
+void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *);
+int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *, int);
+const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *);
+
+int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *);
+int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, ENGINE *);
+int EVP_DigestUpdate(EVP_MD_CTX *, const void *, size_t);
+int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *);
+int EVP_DigestFinalXOF(EVP_MD_CTX *, unsigned char *, size_t);
+const EVP_MD *EVP_get_digestbyname(const char *);
+
+EVP_PKEY *EVP_PKEY_new(void);
+void EVP_PKEY_free(EVP_PKEY *);
+int EVP_PKEY_type(int);
+int EVP_PKEY_size(EVP_PKEY *);
+RSA *EVP_PKEY_get1_RSA(EVP_PKEY *);
+DSA *EVP_PKEY_get1_DSA(EVP_PKEY *);
+DH *EVP_PKEY_get1_DH(EVP_PKEY *);
+
+int EVP_PKEY_encrypt(EVP_PKEY_CTX *, unsigned char *, size_t *,
+ const unsigned char *, size_t);
+int EVP_PKEY_decrypt(EVP_PKEY_CTX *, unsigned char *, size_t *,
+ const unsigned char *, size_t);
+
+int EVP_SignInit(EVP_MD_CTX *, const EVP_MD *);
+int EVP_SignUpdate(EVP_MD_CTX *, const void *, size_t);
+int EVP_SignFinal(EVP_MD_CTX *, unsigned char *, unsigned int *, EVP_PKEY *);
+
+int EVP_VerifyInit(EVP_MD_CTX *, const EVP_MD *);
+int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t);
+int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int,
+ EVP_PKEY *);
+
+int EVP_DigestSignInit(EVP_MD_CTX *, EVP_PKEY_CTX **, const EVP_MD *,
+ ENGINE *, EVP_PKEY *);
+int EVP_DigestSignUpdate(EVP_MD_CTX *, const void *, size_t);
+int EVP_DigestSignFinal(EVP_MD_CTX *, unsigned char *, size_t *);
+int EVP_DigestVerifyInit(EVP_MD_CTX *, EVP_PKEY_CTX **, const EVP_MD *,
+ ENGINE *, EVP_PKEY *);
+
+
+
+EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *);
+EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int, ENGINE *);
+EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *);
+void EVP_PKEY_CTX_free(EVP_PKEY_CTX *);
+int EVP_PKEY_sign_init(EVP_PKEY_CTX *);
+int EVP_PKEY_sign(EVP_PKEY_CTX *, unsigned char *, size_t *,
+ const unsigned char *, size_t);
+int EVP_PKEY_verify_init(EVP_PKEY_CTX *);
+int EVP_PKEY_verify(EVP_PKEY_CTX *, const unsigned char *, size_t,
+ const unsigned char *, size_t);
+int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *);
+int EVP_PKEY_verify_recover(EVP_PKEY_CTX *, unsigned char *,
+ size_t *, const unsigned char *, size_t);
+int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *);
+int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *);
+
+int EVP_PKEY_set1_RSA(EVP_PKEY *, RSA *);
+int EVP_PKEY_set1_DSA(EVP_PKEY *, DSA *);
+int EVP_PKEY_set1_DH(EVP_PKEY *, DH *);
+
+int EVP_PKEY_cmp(const EVP_PKEY *, const EVP_PKEY *);
+
+int EVP_PKEY_keygen_init(EVP_PKEY_CTX *);
+int EVP_PKEY_keygen(EVP_PKEY_CTX *, EVP_PKEY **);
+int EVP_PKEY_derive_init(EVP_PKEY_CTX *);
+int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *, EVP_PKEY *);
+int EVP_PKEY_derive(EVP_PKEY_CTX *, unsigned char *, size_t *);
+int EVP_PKEY_set_type(EVP_PKEY *, int);
+
+int EVP_PKEY_id(const EVP_PKEY *);
+int Cryptography_EVP_PKEY_id(const EVP_PKEY *);
+
+EVP_MD_CTX *EVP_MD_CTX_new(void);
+void EVP_MD_CTX_free(EVP_MD_CTX *);
+/* Backwards compat aliases for pyOpenSSL */
+EVP_MD_CTX *Cryptography_EVP_MD_CTX_new(void);
+void Cryptography_EVP_MD_CTX_free(EVP_MD_CTX *);
+
+/* Added in 1.1.1 */
+int EVP_DigestSign(EVP_MD_CTX *, unsigned char *, size_t *,
+ const unsigned char *, size_t);
+int EVP_DigestVerify(EVP_MD_CTX *, const unsigned char *, size_t,
+ const unsigned char *, size_t);
+/* Added in 1.1.0 */
+size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *, unsigned char **);
+int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *, const unsigned char *,
+ size_t);
+
+/* EVP_PKEY * became const in 1.1.0 */
+int EVP_PKEY_bits(EVP_PKEY *);
+
+void OpenSSL_add_all_algorithms(void);
+int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *);
+
+EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *);
+int EVP_PKEY_set1_EC_KEY(EVP_PKEY *, EC_KEY *);
+
+int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *);
+
+int PKCS5_PBKDF2_HMAC(const char *, int, const unsigned char *, int, int,
+ const EVP_MD *, int, unsigned char *);
+
+int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *, const EVP_MD *);
+
+int EVP_PBE_scrypt(const char *, size_t, const unsigned char *, size_t,
+ uint64_t, uint64_t, uint64_t, uint64_t, unsigned char *,
+ size_t);
+
+EVP_PKEY *EVP_PKEY_new_raw_private_key(int, ENGINE *, const unsigned char *,
+ size_t);
+EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *,
+ size_t);
+int EVP_PKEY_get_raw_private_key(const EVP_PKEY *, unsigned char *, size_t *);
+int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *);
+"""
+
+CUSTOMIZATIONS = """
+#ifdef EVP_PKEY_DHX
+const long Cryptography_HAS_EVP_PKEY_DHX = 1;
+#else
+const long Cryptography_HAS_EVP_PKEY_DHX = 0;
+const long EVP_PKEY_DHX = -1;
+#endif
+
+int Cryptography_EVP_PKEY_id(const EVP_PKEY *key) {
+ return EVP_PKEY_id(key);
+}
+EVP_MD_CTX *Cryptography_EVP_MD_CTX_new(void) {
+ return EVP_MD_CTX_new();
+}
+void Cryptography_EVP_MD_CTX_free(EVP_MD_CTX *md) {
+ EVP_MD_CTX_free(md);
+}
+
+#if CRYPTOGRAPHY_IS_LIBRESSL || defined(OPENSSL_NO_SCRYPT)
+static const long Cryptography_HAS_SCRYPT = 0;
+int (*EVP_PBE_scrypt)(const char *, size_t, const unsigned char *, size_t,
+ uint64_t, uint64_t, uint64_t, uint64_t, unsigned char *,
+ size_t) = NULL;
+#else
+static const long Cryptography_HAS_SCRYPT = 1;
+#endif
+
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint = 1;
+#else
+static const long Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint = 0;
+size_t (*EVP_PKEY_get1_tls_encodedpoint)(EVP_PKEY *, unsigned char **) = NULL;
+int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
+ size_t) = NULL;
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
+static const long Cryptography_HAS_RAW_KEY = 0;
+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
+int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
+int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
+ const unsigned char *tbs, size_t) = NULL;
+int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
+ const unsigned char *, size_t) = NULL;
+EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,
+ size_t) = NULL;
+EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,
+ size_t) = NULL;
+int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
+ size_t *) = NULL;
+int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
+ size_t *) = NULL;
+#else
+static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
+static const long Cryptography_HAS_RAW_KEY = 1;
+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
+#endif
+
+/* OpenSSL 1.1.0+ does this define for us, but if not present we'll do it */
+#if !defined(EVP_CTRL_AEAD_SET_IVLEN)
+# define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
+#endif
+#if !defined(EVP_CTRL_AEAD_GET_TAG)
+# define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
+#endif
+#if !defined(EVP_CTRL_AEAD_SET_TAG)
+# define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
+#endif
+
+/* This is tied to X25519 support so we reuse the Cryptography_HAS_X25519
+ conditional to remove it. OpenSSL 1.1.0 didn't have this define, but
+ 1.1.1 will when it is released. We can remove this in the distant
+ future when we drop 1.1.0 support. */
+#ifndef EVP_PKEY_X25519
+#define EVP_PKEY_X25519 NID_X25519
+#endif
+
+/* This is tied to X448 support so we reuse the Cryptography_HAS_X448
+ conditional to remove it. OpenSSL 1.1.1 adds this define. We can remove
+ this in the distant future when we drop 1.1.0 support. */
+#ifndef EVP_PKEY_X448
+#define EVP_PKEY_X448 NID_X448
+#endif
+
+/* This is tied to ED25519 support so we reuse the Cryptography_HAS_ED25519
+ conditional to remove it. */
+#ifndef EVP_PKEY_ED25519
+#define EVP_PKEY_ED25519 NID_ED25519
+#endif
+
+/* This is tied to ED448 support so we reuse the Cryptography_HAS_ED448
+ conditional to remove it. */
+#ifndef EVP_PKEY_ED448
+#define EVP_PKEY_ED448 NID_ED448
+#endif
+
+/* This is tied to poly1305 support so we reuse the Cryptography_HAS_POLY1305
+ conditional to remove it. */
+#ifndef EVP_PKEY_POLY1305
+#define EVP_PKEY_POLY1305 NID_poly1305
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/fips.py b/contrib/python/cryptography/py3/_cffi_src/openssl/fips.py
new file mode 100644
index 0000000000..c92bca494b
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/fips.py
@@ -0,0 +1,28 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/crypto.h>
+"""
+
+TYPES = """
+static const long Cryptography_HAS_FIPS;
+"""
+
+FUNCTIONS = """
+int FIPS_mode_set(int);
+int FIPS_mode(void);
+"""
+
+CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_FIPS = 0;
+int (*FIPS_mode_set)(int) = NULL;
+int (*FIPS_mode)(void) = NULL;
+#else
+static const long Cryptography_HAS_FIPS = 1;
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/hmac.py b/contrib/python/cryptography/py3/_cffi_src/openssl/hmac.py
new file mode 100644
index 0000000000..2e0e33ffe3
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/hmac.py
@@ -0,0 +1,26 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/hmac.h>
+"""
+
+TYPES = """
+typedef ... HMAC_CTX;
+"""
+
+FUNCTIONS = """
+int HMAC_Init_ex(HMAC_CTX *, const void *, int, const EVP_MD *, ENGINE *);
+int HMAC_Update(HMAC_CTX *, const unsigned char *, size_t);
+int HMAC_Final(HMAC_CTX *, unsigned char *, unsigned int *);
+int HMAC_CTX_copy(HMAC_CTX *, HMAC_CTX *);
+
+HMAC_CTX *HMAC_CTX_new(void);
+void HMAC_CTX_free(HMAC_CTX *ctx);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/nid.py b/contrib/python/cryptography/py3/_cffi_src/openssl/nid.py
new file mode 100644
index 0000000000..9ef88cdbbd
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/nid.py
@@ -0,0 +1,52 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/obj_mac.h>
+"""
+
+TYPES = """
+static const int Cryptography_HAS_ED448;
+static const int Cryptography_HAS_ED25519;
+static const int Cryptography_HAS_POLY1305;
+
+static const int NID_undef;
+static const int NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+static const int NID_X25519;
+static const int NID_X448;
+static const int NID_ED25519;
+static const int NID_ED448;
+static const int NID_poly1305;
+
+static const int NID_subject_alt_name;
+static const int NID_crl_reason;
+
+static const int NID_pkcs7_signed;
+"""
+
+FUNCTIONS = """
+"""
+
+CUSTOMIZATIONS = """
+#ifndef NID_ED25519
+static const long Cryptography_HAS_ED25519 = 0;
+static const int NID_ED25519 = 0;
+#else
+static const long Cryptography_HAS_ED25519 = 1;
+#endif
+#ifndef NID_ED448
+static const long Cryptography_HAS_ED448 = 0;
+static const int NID_ED448 = 0;
+#else
+static const long Cryptography_HAS_ED448 = 1;
+#endif
+#ifndef NID_poly1305
+static const long Cryptography_HAS_POLY1305 = 0;
+static const int NID_poly1305 = 0;
+#else
+static const long Cryptography_HAS_POLY1305 = 1;
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/objects.py b/contrib/python/cryptography/py3/_cffi_src/openssl/objects.py
new file mode 100644
index 0000000000..236903d986
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/objects.py
@@ -0,0 +1,33 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/objects.h>
+"""
+
+TYPES = """
+typedef struct {
+ int type;
+ int alias;
+ const char *name;
+ const char *data;
+} OBJ_NAME;
+
+static const long OBJ_NAME_TYPE_MD_METH;
+"""
+
+FUNCTIONS = """
+const char *OBJ_nid2ln(int);
+const char *OBJ_nid2sn(int);
+int OBJ_obj2nid(const ASN1_OBJECT *);
+int OBJ_sn2nid(const char *);
+int OBJ_txt2nid(const char *);
+ASN1_OBJECT *OBJ_txt2obj(const char *, int);
+int OBJ_obj2txt(char *, int, const ASN1_OBJECT *, int);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/ocsp.py b/contrib/python/cryptography/py3/_cffi_src/openssl/ocsp.py
new file mode 100644
index 0000000000..c3d034c2c4
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/ocsp.py
@@ -0,0 +1,166 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/ocsp.h>
+"""
+
+TYPES = """
+typedef ... OCSP_REQUEST;
+typedef ... OCSP_ONEREQ;
+typedef ... OCSP_RESPONSE;
+typedef ... OCSP_BASICRESP;
+typedef ... OCSP_SINGLERESP;
+typedef ... OCSP_CERTID;
+typedef ... OCSP_RESPDATA;
+static const long OCSP_NOCERTS;
+static const long OCSP_RESPID_KEY;
+"""
+
+FUNCTIONS = """
+int OCSP_response_status(OCSP_RESPONSE *);
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *);
+int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *);
+const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *);
+Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(const OCSP_BASICRESP *);
+const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+ const OCSP_BASICRESP *);
+const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *);
+int OCSP_resp_get0_id(const OCSP_BASICRESP *, const ASN1_OCTET_STRING **,
+ const X509_NAME **);
+const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *);
+const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *);
+X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *, int);
+int OCSP_resp_count(OCSP_BASICRESP *);
+OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *, int);
+int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *);
+X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *, int);
+
+int OCSP_single_get0_status(OCSP_SINGLERESP *, int *, ASN1_GENERALIZEDTIME **,
+ ASN1_GENERALIZEDTIME **, ASN1_GENERALIZEDTIME **);
+
+int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *);
+X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *, int);
+int OCSP_request_onereq_count(OCSP_REQUEST *);
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *, int);
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *);
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *, OCSP_CERTID *);
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *, const X509 *, const X509 *);
+void OCSP_CERTID_free(OCSP_CERTID *);
+
+
+OCSP_BASICRESP *OCSP_BASICRESP_new(void);
+void OCSP_BASICRESP_free(OCSP_BASICRESP *);
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *, OCSP_CERTID *, int,
+ int, ASN1_TIME *, ASN1_TIME *,
+ ASN1_TIME *);
+int OCSP_basic_add1_cert(OCSP_BASICRESP *, X509 *);
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *, X509_EXTENSION *, int);
+int OCSP_basic_sign(OCSP_BASICRESP *, X509 *, EVP_PKEY *, const EVP_MD *,
+ Cryptography_STACK_OF_X509 *, unsigned long);
+OCSP_RESPONSE *OCSP_response_create(int, OCSP_BASICRESP *);
+void OCSP_RESPONSE_free(OCSP_RESPONSE *);
+
+OCSP_REQUEST *OCSP_REQUEST_new(void);
+void OCSP_REQUEST_free(OCSP_REQUEST *);
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *, X509_EXTENSION *, int);
+int OCSP_id_get0_info(ASN1_OCTET_STRING **, ASN1_OBJECT **,
+ ASN1_OCTET_STRING **, ASN1_INTEGER **, OCSP_CERTID *);
+OCSP_REQUEST *d2i_OCSP_REQUEST_bio(BIO *, OCSP_REQUEST **);
+OCSP_RESPONSE *d2i_OCSP_RESPONSE_bio(BIO *, OCSP_RESPONSE **);
+int i2d_OCSP_REQUEST_bio(BIO *, OCSP_REQUEST *);
+int i2d_OCSP_RESPONSE_bio(BIO *, OCSP_RESPONSE *);
+int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char **);
+"""
+
+CUSTOMIZATIONS = """
+#if ( \
+ !CRYPTOGRAPHY_IS_LIBRESSL && \
+ CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+ )
+/* These structs come from ocsp_lcl.h and are needed to de-opaque the struct
+ for the getters in OpenSSL 1.1.0 through 1.1.0i */
+struct ocsp_responder_id_st {
+ int type;
+ union {
+ X509_NAME *byName;
+ ASN1_OCTET_STRING *byKey;
+ } value;
+};
+struct ocsp_response_data_st {
+ ASN1_INTEGER *version;
+ OCSP_RESPID responderId;
+ ASN1_GENERALIZEDTIME *producedAt;
+ STACK_OF(OCSP_SINGLERESP) *responses;
+ STACK_OF(X509_EXTENSION) *responseExtensions;
+};
+struct ocsp_basic_response_st {
+ OCSP_RESPDATA tbsResponseData;
+ X509_ALGOR signatureAlgorithm;
+ ASN1_BIT_STRING *signature;
+ STACK_OF(X509) *certs;
+};
+#endif
+
+#if CRYPTOGRAPHY_IS_LIBRESSL
+/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */
+const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
+{
+ return single->certId;
+}
+const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(
+ const OCSP_BASICRESP *bs)
+{
+ return bs->certs;
+}
+int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
+ const ASN1_OCTET_STRING **pid,
+ const X509_NAME **pname)
+{
+ const OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+
+ if (rid->type == V_OCSP_RESPID_NAME) {
+ *pname = rid->value.byName;
+ *pid = NULL;
+ } else if (rid->type == V_OCSP_RESPID_KEY) {
+ *pid = rid->value.byKey;
+ *pname = NULL;
+ } else {
+ return 0;
+ }
+ return 1;
+}
+const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+ const OCSP_BASICRESP* bs)
+{
+ return bs->tbsResponseData->producedAt;
+}
+const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
+{
+ return bs->signature;
+}
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J
+const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
+{
+#if CRYPTOGRAPHY_IS_LIBRESSL
+ return bs->signatureAlgorithm;
+#else
+ return &bs->signatureAlgorithm;
+#endif
+}
+
+const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
+{
+#if CRYPTOGRAPHY_IS_LIBRESSL
+ return bs->tbsResponseData;
+#else
+ return &bs->tbsResponseData;
+#endif
+}
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/opensslv.py b/contrib/python/cryptography/py3/_cffi_src/openssl/opensslv.py
new file mode 100644
index 0000000000..9b0c689338
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/opensslv.py
@@ -0,0 +1,22 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/opensslv.h>
+"""
+
+TYPES = """
+/* Note that these will be resolved when cryptography is compiled and are NOT
+ guaranteed to be the version that it actually loads. */
+static const int OPENSSL_VERSION_NUMBER;
+static const char *const OPENSSL_VERSION_TEXT;
+"""
+
+FUNCTIONS = """
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/osrandom_engine.py b/contrib/python/cryptography/py3/_cffi_src/openssl/osrandom_engine.py
new file mode 100644
index 0000000000..ed1068ef8a
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/osrandom_engine.py
@@ -0,0 +1,24 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import os
+
+HERE = os.path.dirname(os.path.abspath(__file__))
+
+with open(os.path.join(HERE, "src/osrandom_engine.h")) as f:
+ INCLUDES = f.read()
+
+TYPES = """
+static const char *const Cryptography_osrandom_engine_name;
+static const char *const Cryptography_osrandom_engine_id;
+"""
+
+FUNCTIONS = """
+int Cryptography_add_osrandom_engine(void);
+"""
+
+with open(os.path.join(HERE, "src/osrandom_engine.c")) as f:
+ CUSTOMIZATIONS = f.read()
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/pem.py b/contrib/python/cryptography/py3/_cffi_src/openssl/pem.py
new file mode 100644
index 0000000000..3f279c4fff
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/pem.py
@@ -0,0 +1,75 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/pem.h>
+"""
+
+TYPES = """
+typedef int pem_password_cb(char *buf, int size, int rwflag, void *userdata);
+"""
+
+FUNCTIONS = """
+X509 *PEM_read_bio_X509(BIO *, X509 **, pem_password_cb *, void *);
+int PEM_write_bio_X509(BIO *, X509 *);
+
+int PEM_write_bio_PrivateKey(BIO *, EVP_PKEY *, const EVP_CIPHER *,
+ unsigned char *, int, pem_password_cb *, void *);
+
+EVP_PKEY *PEM_read_bio_PrivateKey(BIO *, EVP_PKEY **, pem_password_cb *,
+ void *);
+
+int PEM_write_bio_PKCS8PrivateKey(BIO *, EVP_PKEY *, const EVP_CIPHER *,
+ char *, int, pem_password_cb *, void *);
+
+int i2d_PKCS8PrivateKey_bio(BIO *, EVP_PKEY *, const EVP_CIPHER *,
+ char *, int, pem_password_cb *, void *);
+
+int i2d_PKCS7_bio(BIO *, PKCS7 *);
+PKCS7 *d2i_PKCS7_bio(BIO *, PKCS7 **);
+
+EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *, EVP_PKEY **, pem_password_cb *,
+ void *);
+
+int PEM_write_bio_X509_REQ(BIO *, X509_REQ *);
+
+X509_REQ *PEM_read_bio_X509_REQ(BIO *, X509_REQ **, pem_password_cb *, void *);
+
+X509_CRL *PEM_read_bio_X509_CRL(BIO *, X509_CRL **, pem_password_cb *, void *);
+
+int PEM_write_bio_X509_CRL(BIO *, X509_CRL *);
+
+PKCS7 *PEM_read_bio_PKCS7(BIO *, PKCS7 **, pem_password_cb *, void *);
+int PEM_write_bio_PKCS7(BIO *, PKCS7 *);
+
+DH *PEM_read_bio_DHparams(BIO *, DH **, pem_password_cb *, void *);
+
+int PEM_write_bio_DSAPrivateKey(BIO *, DSA *, const EVP_CIPHER *,
+ unsigned char *, int,
+ pem_password_cb *, void *);
+
+int PEM_write_bio_RSAPrivateKey(BIO *, RSA *, const EVP_CIPHER *,
+ unsigned char *, int,
+ pem_password_cb *, void *);
+
+RSA *PEM_read_bio_RSAPublicKey(BIO *, RSA **, pem_password_cb *, void *);
+
+int PEM_write_bio_RSAPublicKey(BIO *, const RSA *);
+
+EVP_PKEY *PEM_read_bio_PUBKEY(BIO *, EVP_PKEY **, pem_password_cb *, void *);
+int PEM_write_bio_PUBKEY(BIO *, EVP_PKEY *);
+int PEM_write_bio_ECPrivateKey(BIO *, EC_KEY *, const EVP_CIPHER *,
+ unsigned char *, int, pem_password_cb *,
+ void *);
+int PEM_write_bio_DHparams(BIO *, DH *);
+int PEM_write_bio_DHxparams(BIO *, DH *);
+"""
+
+CUSTOMIZATIONS = """
+#if !defined(EVP_PKEY_DHX) || EVP_PKEY_DHX == -1
+int (*PEM_write_bio_DHxparams)(BIO *, DH *) = NULL;
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/pkcs12.py b/contrib/python/cryptography/py3/_cffi_src/openssl/pkcs12.py
new file mode 100644
index 0000000000..21a8481faa
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/pkcs12.py
@@ -0,0 +1,27 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/pkcs12.h>
+"""
+
+TYPES = """
+typedef ... PKCS12;
+"""
+
+FUNCTIONS = """
+void PKCS12_free(PKCS12 *);
+
+PKCS12 *d2i_PKCS12_bio(BIO *, PKCS12 **);
+int i2d_PKCS12_bio(BIO *, PKCS12 *);
+int PKCS12_parse(PKCS12 *, const char *, EVP_PKEY **, X509 **,
+ Cryptography_STACK_OF_X509 **);
+PKCS12 *PKCS12_create(char *, char *, EVP_PKEY *, X509 *,
+ Cryptography_STACK_OF_X509 *, int, int, int, int, int);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/pkcs7.py b/contrib/python/cryptography/py3/_cffi_src/openssl/pkcs7.py
new file mode 100644
index 0000000000..c22263dfe6
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/pkcs7.py
@@ -0,0 +1,79 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/pkcs7.h>
+"""
+
+TYPES = """
+typedef struct {
+ Cryptography_STACK_OF_X509 *cert;
+ Cryptography_STACK_OF_X509_CRL *crl;
+ ...;
+} PKCS7_SIGNED;
+
+typedef struct {
+ Cryptography_STACK_OF_X509 *cert;
+ Cryptography_STACK_OF_X509_CRL *crl;
+ ...;
+} PKCS7_SIGN_ENVELOPE;
+
+typedef ... PKCS7_DIGEST;
+typedef ... PKCS7_ENCRYPT;
+typedef ... PKCS7_ENVELOPE;
+typedef ... PKCS7_SIGNER_INFO;
+
+typedef struct {
+ ASN1_OBJECT *type;
+ union {
+ char *ptr;
+ ASN1_OCTET_STRING *data;
+ PKCS7_SIGNED *sign;
+ PKCS7_ENVELOPE *enveloped;
+ PKCS7_SIGN_ENVELOPE *signed_and_enveloped;
+ PKCS7_DIGEST *digest;
+ PKCS7_ENCRYPT *encrypted;
+ ASN1_TYPE *other;
+ } d;
+ ...;
+} PKCS7;
+
+static const int PKCS7_BINARY;
+static const int PKCS7_DETACHED;
+static const int PKCS7_NOATTR;
+static const int PKCS7_NOCERTS;
+static const int PKCS7_NOCHAIN;
+static const int PKCS7_NOINTERN;
+static const int PKCS7_NOSIGS;
+static const int PKCS7_NOSMIMECAP;
+static const int PKCS7_NOVERIFY;
+static const int PKCS7_STREAM;
+static const int PKCS7_TEXT;
+static const int PKCS7_PARTIAL;
+"""
+
+FUNCTIONS = """
+void PKCS7_free(PKCS7 *);
+PKCS7 *PKCS7_sign(X509 *, EVP_PKEY *, Cryptography_STACK_OF_X509 *,
+ BIO *, int);
+int SMIME_write_PKCS7(BIO *, PKCS7 *, BIO *, int);
+int PEM_write_bio_PKCS7_stream(BIO *, PKCS7 *, BIO *, int);
+PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *, X509 *, EVP_PKEY *,
+ const EVP_MD *, int);
+int PKCS7_final(PKCS7 *, BIO *, int);
+/* Included verify due to external consumer, see
+ https://github.com/pyca/cryptography/issues/5433 */
+int PKCS7_verify(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *,
+ BIO *, int);
+PKCS7 *SMIME_read_PKCS7(BIO *, BIO **);
+
+int PKCS7_type_is_signed(PKCS7 *);
+int PKCS7_type_is_enveloped(PKCS7 *);
+int PKCS7_type_is_signedAndEnveloped(PKCS7 *);
+int PKCS7_type_is_data(PKCS7 *);
+"""
+
+CUSTOMIZATIONS = ""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/rand.py b/contrib/python/cryptography/py3/_cffi_src/openssl/rand.py
new file mode 100644
index 0000000000..1bc2ec0bc3
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/rand.py
@@ -0,0 +1,28 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/rand.h>
+"""
+
+TYPES = """
+typedef ... RAND_METHOD;
+"""
+
+FUNCTIONS = """
+int RAND_set_rand_method(const RAND_METHOD *);
+void RAND_add(const void *, int, double);
+int RAND_status(void);
+int RAND_bytes(unsigned char *, int);
+/* ERR_load_RAND_strings started returning an int in 1.1.0. Unfortunately we
+ can't declare a conditional signature like that. Since it always returns
+ 1 we'll just lie about the signature to preserve compatibility for
+ pyOpenSSL (which calls this in its rand.py as of mid-2016) */
+void ERR_load_RAND_strings(void);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/rsa.py b/contrib/python/cryptography/py3/_cffi_src/openssl/rsa.py
new file mode 100644
index 0000000000..92b8fa4600
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/rsa.py
@@ -0,0 +1,61 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/rsa.h>
+"""
+
+TYPES = """
+typedef ... RSA;
+typedef ... BN_GENCB;
+static const int RSA_PKCS1_PADDING;
+static const int RSA_NO_PADDING;
+static const int RSA_PKCS1_OAEP_PADDING;
+static const int RSA_PKCS1_PSS_PADDING;
+static const int RSA_F4;
+
+static const int Cryptography_HAS_RSA_OAEP_MD;
+static const int Cryptography_HAS_RSA_OAEP_LABEL;
+"""
+
+FUNCTIONS = """
+RSA *RSA_new(void);
+void RSA_free(RSA *);
+int RSA_generate_key_ex(RSA *, int, BIGNUM *, BN_GENCB *);
+int RSA_check_key(const RSA *);
+RSA *RSAPublicKey_dup(RSA *);
+int RSA_blinding_on(RSA *, BN_CTX *);
+int RSA_print(BIO *, const RSA *, int);
+
+/* added in 1.1.0 when the RSA struct was opaqued */
+int RSA_set0_key(RSA *, BIGNUM *, BIGNUM *, BIGNUM *);
+int RSA_set0_factors(RSA *, BIGNUM *, BIGNUM *);
+int RSA_set0_crt_params(RSA *, BIGNUM *, BIGNUM *, BIGNUM *);
+void RSA_get0_key(const RSA *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **);
+void RSA_get0_factors(const RSA *, const BIGNUM **, const BIGNUM **);
+void RSA_get0_crt_params(const RSA *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **);
+int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *, int);
+int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *, int);
+int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *, EVP_MD *);
+int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *, unsigned char *, int);
+
+int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *, EVP_MD *);
+"""
+
+CUSTOMIZATIONS = """
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_RSA_OAEP_MD = 1;
+static const long Cryptography_HAS_RSA_OAEP_LABEL = 1;
+#else
+static const long Cryptography_HAS_RSA_OAEP_MD = 0;
+static const long Cryptography_HAS_RSA_OAEP_LABEL = 0;
+int (*EVP_PKEY_CTX_set_rsa_oaep_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
+int (*EVP_PKEY_CTX_set0_rsa_oaep_label)(EVP_PKEY_CTX *, unsigned char *,
+ int) = NULL;
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/src/osrandom_engine.c b/contrib/python/cryptography/py3/_cffi_src/openssl/src/osrandom_engine.c
new file mode 100644
index 0000000000..a84857b86d
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/src/osrandom_engine.c
@@ -0,0 +1,660 @@
+/* osurandom engine
+ *
+ * Windows CryptGenRandom()
+ * macOS >= 10.12 getentropy()
+ * OpenBSD 5.6+ getentropy()
+ * other BSD getentropy() if SYS_getentropy is defined
+ * Linux 3.17+ getrandom() with fallback to /dev/urandom
+ * other /dev/urandom with cached fd
+ *
+ * The /dev/urandom, getrandom and getentropy code is derived from Python's
+ * Python/random.c, written by Antoine Pitrou and Victor Stinner.
+ *
+ * Copyright 2001-2016 Python Software Foundation; All Rights Reserved.
+ */
+
+#ifdef __linux__
+#include <poll.h>
+#endif
+
+#if CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE
+/* OpenSSL has ENGINE support and is older than 1.1.1d (the first version that
+ * properly implements fork safety in its RNG) so build the engine. */
+static const char *Cryptography_osrandom_engine_id = "osrandom";
+
+/****************************************************************************
+ * Windows
+ */
+#if CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_CRYPTGENRANDOM
+static const char *Cryptography_osrandom_engine_name = "osrandom_engine CryptGenRandom()";
+static HCRYPTPROV hCryptProv = 0;
+
+static int osrandom_init(ENGINE *e) {
+ if (hCryptProv != 0) {
+ return 1;
+ }
+ if (CryptAcquireContext(&hCryptProv, NULL, NULL,
+ PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
+ return 1;
+ } else {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_INIT,
+ CRYPTOGRAPHY_OSRANDOM_R_CRYPTACQUIRECONTEXT,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+}
+
+static int osrandom_rand_bytes(unsigned char *buffer, int size) {
+ if (hCryptProv == 0) {
+ return 0;
+ }
+
+ if (!CryptGenRandom(hCryptProv, (DWORD)size, buffer)) {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
+ CRYPTOGRAPHY_OSRANDOM_R_CRYPTGENRANDOM,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+ return 1;
+}
+
+static int osrandom_finish(ENGINE *e) {
+ if (CryptReleaseContext(hCryptProv, 0)) {
+ hCryptProv = 0;
+ return 1;
+ } else {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_FINISH,
+ CRYPTOGRAPHY_OSRANDOM_R_CRYPTRELEASECONTEXT,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+}
+
+static int osrandom_rand_status(void) {
+ return hCryptProv != 0;
+}
+
+static const char *osurandom_get_implementation(void) {
+ return "CryptGenRandom";
+}
+
+#endif /* CRYPTOGRAPHY_OSRANDOM_ENGINE_CRYPTGENRANDOM */
+
+/****************************************************************************
+ * /dev/urandom helpers for all non-BSD Unix platforms
+ */
+#ifdef CRYPTOGRAPHY_OSRANDOM_NEEDS_DEV_URANDOM
+
+static struct {
+ int fd;
+ dev_t st_dev;
+ ino_t st_ino;
+} urandom_cache = { -1 };
+
+static int open_cloexec(const char *path) {
+ int open_flags = O_RDONLY;
+#ifdef O_CLOEXEC
+ open_flags |= O_CLOEXEC;
+#endif
+
+ int fd = open(path, open_flags);
+ if (fd == -1) {
+ return -1;
+ }
+
+#ifndef O_CLOEXEC
+ int flags = fcntl(fd, F_GETFD);
+ if (flags == -1) {
+ return -1;
+ }
+ if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) {
+ return -1;
+ }
+#endif
+ return fd;
+}
+
+#ifdef __linux__
+/* On Linux, we open("/dev/random") and use poll() to wait until it's readable
+ * before we read from /dev/urandom, this ensures that we don't read from
+ * /dev/urandom before the kernel CSPRNG is initialized. This isn't necessary on
+ * other platforms because they don't have the same _bug_ as Linux does with
+ * /dev/urandom and early boot. */
+static int wait_on_devrandom(void) {
+ struct pollfd pfd = {};
+ int ret = 0;
+ int random_fd = open_cloexec("/dev/random");
+ if (random_fd < 0) {
+ return -1;
+ }
+ pfd.fd = random_fd;
+ pfd.events = POLLIN;
+ pfd.revents = 0;
+ do {
+ ret = poll(&pfd, 1, -1);
+ } while (ret < 0 && (errno == EINTR || errno == EAGAIN));
+ close(random_fd);
+ return ret;
+}
+#endif
+
+/* return -1 on error */
+static int dev_urandom_fd(void) {
+ int fd = -1;
+ struct stat st;
+
+ /* Check that fd still points to the correct device */
+ if (urandom_cache.fd >= 0) {
+ if (fstat(urandom_cache.fd, &st)
+ || st.st_dev != urandom_cache.st_dev
+ || st.st_ino != urandom_cache.st_ino) {
+ /* Somebody replaced our FD. Invalidate our cache but don't
+ * close the fd. */
+ urandom_cache.fd = -1;
+ }
+ }
+ if (urandom_cache.fd < 0) {
+#ifdef __linux__
+ if (wait_on_devrandom() < 0) {
+ goto error;
+ }
+#endif
+
+ fd = open_cloexec("/dev/urandom");
+ if (fd < 0) {
+ goto error;
+ }
+ if (fstat(fd, &st)) {
+ goto error;
+ }
+ /* Another thread initialized the fd */
+ if (urandom_cache.fd >= 0) {
+ close(fd);
+ return urandom_cache.fd;
+ }
+ urandom_cache.st_dev = st.st_dev;
+ urandom_cache.st_ino = st.st_ino;
+ urandom_cache.fd = fd;
+ }
+ return urandom_cache.fd;
+
+ error:
+ if (fd != -1) {
+ close(fd);
+ }
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_FD,
+ CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_OPEN_FAILED,
+ __FILE__, __LINE__
+ );
+ return -1;
+}
+
+static int dev_urandom_read(unsigned char *buffer, int size) {
+ int fd;
+ int n;
+
+ fd = dev_urandom_fd();
+ if (fd < 0) {
+ return 0;
+ }
+
+ while (size > 0) {
+ do {
+ n = (int)read(fd, buffer, (size_t)size);
+ } while (n < 0 && errno == EINTR);
+
+ if (n <= 0) {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_READ,
+ CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_READ_FAILED,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+ buffer += n;
+ size -= n;
+ }
+ return 1;
+}
+
+static void dev_urandom_close(void) {
+ if (urandom_cache.fd >= 0) {
+ int fd;
+ struct stat st;
+
+ if (fstat(urandom_cache.fd, &st)
+ && st.st_dev == urandom_cache.st_dev
+ && st.st_ino == urandom_cache.st_ino) {
+ fd = urandom_cache.fd;
+ urandom_cache.fd = -1;
+ close(fd);
+ }
+ }
+}
+#endif /* CRYPTOGRAPHY_OSRANDOM_NEEDS_DEV_URANDOM */
+
+/****************************************************************************
+ * BSD getentropy
+ */
+#if CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_GETENTROPY
+static const char *Cryptography_osrandom_engine_name = "osrandom_engine getentropy()";
+
+static int getentropy_works = CRYPTOGRAPHY_OSRANDOM_GETENTROPY_NOT_INIT;
+
+static int osrandom_init(ENGINE *e) {
+#if !defined(__APPLE__)
+ getentropy_works = CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS;
+#else
+ if (__builtin_available(macOS 10.12, *)) {
+ getentropy_works = CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS;
+ } else {
+ getentropy_works = CRYPTOGRAPHY_OSRANDOM_GETENTROPY_FALLBACK;
+ int fd = dev_urandom_fd();
+ if (fd < 0) {
+ return 0;
+ }
+ }
+#endif
+ return 1;
+}
+
+static int osrandom_rand_bytes(unsigned char *buffer, int size) {
+ int len;
+ int res;
+
+ switch(getentropy_works) {
+#if defined(__APPLE__)
+ case CRYPTOGRAPHY_OSRANDOM_GETENTROPY_FALLBACK:
+ return dev_urandom_read(buffer, size);
+#endif
+ case CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS:
+ while (size > 0) {
+ /* OpenBSD and macOS restrict maximum buffer size to 256. */
+ len = size > 256 ? 256 : size;
+/* on mac, availability is already checked using `__builtin_available` above */
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunguarded-availability"
+ res = getentropy(buffer, (size_t)len);
+#pragma clang diagnostic pop
+ if (res < 0) {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
+ CRYPTOGRAPHY_OSRANDOM_R_GETENTROPY_FAILED,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+ buffer += len;
+ size -= len;
+ }
+ return 1;
+ }
+ __builtin_unreachable();
+}
+
+static int osrandom_finish(ENGINE *e) {
+ return 1;
+}
+
+static int osrandom_rand_status(void) {
+ return 1;
+}
+
+static const char *osurandom_get_implementation(void) {
+ switch(getentropy_works) {
+ case CRYPTOGRAPHY_OSRANDOM_GETENTROPY_FALLBACK:
+ return "/dev/urandom";
+ case CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS:
+ return "getentropy";
+ }
+ __builtin_unreachable();
+}
+#endif /* CRYPTOGRAPHY_OSRANDOM_ENGINE_GETENTROPY */
+
+/****************************************************************************
+ * Linux getrandom engine with fallback to dev_urandom
+ */
+
+#if CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_GETRANDOM
+static const char *Cryptography_osrandom_engine_name = "osrandom_engine getrandom()";
+
+static int getrandom_works = CRYPTOGRAPHY_OSRANDOM_GETRANDOM_NOT_INIT;
+
+static int osrandom_init(ENGINE *e) {
+ /* We try to detect working getrandom until we succeed. */
+ if (getrandom_works != CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS) {
+ long n;
+ char dest[1];
+ /* if the kernel CSPRNG is not initialized this will block */
+ n = syscall(SYS_getrandom, dest, sizeof(dest), 0);
+ if (n == sizeof(dest)) {
+ getrandom_works = CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS;
+ } else {
+ int e = errno;
+ switch(e) {
+ case ENOSYS:
+ /* Fallback: Kernel does not support the syscall. */
+ getrandom_works = CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK;
+ break;
+ case EPERM:
+ /* Fallback: seccomp prevents syscall */
+ getrandom_works = CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK;
+ break;
+ default:
+ /* EINTR cannot occur for buflen < 256. */
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_INIT,
+ CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED_UNEXPECTED,
+ "errno", e
+ );
+ getrandom_works = CRYPTOGRAPHY_OSRANDOM_GETRANDOM_INIT_FAILED;
+ break;
+ }
+ }
+ }
+
+ /* fallback to dev urandom */
+ if (getrandom_works == CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK) {
+ int fd = dev_urandom_fd();
+ if (fd < 0) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static int osrandom_rand_bytes(unsigned char *buffer, int size) {
+ long n;
+
+ switch(getrandom_works) {
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_INIT_FAILED:
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
+ CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED,
+ __FILE__, __LINE__
+ );
+ return 0;
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_NOT_INIT:
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
+ CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_NOT_INIT,
+ __FILE__, __LINE__
+ );
+ return 0;
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK:
+ return dev_urandom_read(buffer, size);
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS:
+ while (size > 0) {
+ do {
+ n = syscall(SYS_getrandom, buffer, size, 0);
+ } while (n < 0 && errno == EINTR);
+
+ if (n <= 0) {
+ ERR_Cryptography_OSRandom_error(
+ CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
+ CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_FAILED,
+ __FILE__, __LINE__
+ );
+ return 0;
+ }
+ buffer += n;
+ size -= (int)n;
+ }
+ return 1;
+ }
+ __builtin_unreachable();
+}
+
+static int osrandom_finish(ENGINE *e) {
+ dev_urandom_close();
+ return 1;
+}
+
+static int osrandom_rand_status(void) {
+ switch(getrandom_works) {
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_INIT_FAILED:
+ return 0;
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_NOT_INIT:
+ return 0;
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK:
+ return urandom_cache.fd >= 0;
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS:
+ return 1;
+ }
+ __builtin_unreachable();
+}
+
+static const char *osurandom_get_implementation(void) {
+ switch(getrandom_works) {
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_INIT_FAILED:
+ return "<failed>";
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_NOT_INIT:
+ return "<not initialized>";
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK:
+ return "/dev/urandom";
+ case CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS:
+ return "getrandom";
+ }
+ __builtin_unreachable();
+}
+#endif /* CRYPTOGRAPHY_OSRANDOM_ENGINE_GETRANDOM */
+
+/****************************************************************************
+ * dev_urandom engine for all remaining platforms
+ */
+
+#if CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_DEV_URANDOM
+static const char *Cryptography_osrandom_engine_name = "osrandom_engine /dev/urandom";
+
+static int osrandom_init(ENGINE *e) {
+ int fd = dev_urandom_fd();
+ if (fd < 0) {
+ return 0;
+ }
+ return 1;
+}
+
+static int osrandom_rand_bytes(unsigned char *buffer, int size) {
+ return dev_urandom_read(buffer, size);
+}
+
+static int osrandom_finish(ENGINE *e) {
+ dev_urandom_close();
+ return 1;
+}
+
+static int osrandom_rand_status(void) {
+ return urandom_cache.fd >= 0;
+}
+
+static const char *osurandom_get_implementation(void) {
+ return "/dev/urandom";
+}
+#endif /* CRYPTOGRAPHY_OSRANDOM_ENGINE_DEV_URANDOM */
+
+/****************************************************************************
+ * ENGINE boiler plate
+ */
+
+/* This replicates the behavior of the OpenSSL FIPS RNG, which returns a
+ -1 in the event that there is an error when calling RAND_pseudo_bytes. */
+static int osrandom_pseudo_rand_bytes(unsigned char *buffer, int size) {
+ int res = osrandom_rand_bytes(buffer, size);
+ if (res == 0) {
+ return -1;
+ } else {
+ return res;
+ }
+}
+
+static RAND_METHOD osrandom_rand = {
+ NULL,
+ osrandom_rand_bytes,
+ NULL,
+ NULL,
+ osrandom_pseudo_rand_bytes,
+ osrandom_rand_status,
+};
+
+static const ENGINE_CMD_DEFN osrandom_cmd_defns[] = {
+ {CRYPTOGRAPHY_OSRANDOM_GET_IMPLEMENTATION,
+ "get_implementation",
+ "Get CPRNG implementation.",
+ ENGINE_CMD_FLAG_NO_INPUT},
+ {0, NULL, NULL, 0}
+};
+
+static int osrandom_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) {
+ const char *name;
+ size_t len;
+
+ switch (cmd) {
+ case CRYPTOGRAPHY_OSRANDOM_GET_IMPLEMENTATION:
+ /* i: buffer size, p: char* buffer */
+ name = osurandom_get_implementation();
+ len = strlen(name);
+ if ((p == NULL) && (i == 0)) {
+ /* return required buffer len */
+ return (int)len;
+ }
+ if ((p == NULL) || i < 0 || ((size_t)i <= len)) {
+ /* no buffer or buffer too small */
+ ENGINEerr(ENGINE_F_ENGINE_CTRL, ENGINE_R_INVALID_ARGUMENT);
+ return 0;
+ }
+ strcpy((char *)p, name);
+ return (int)len;
+ default:
+ ENGINEerr(ENGINE_F_ENGINE_CTRL, ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+ return 0;
+ }
+}
+
+/* error reporting */
+#define ERR_FUNC(func) ERR_PACK(0, func, 0)
+#define ERR_REASON(reason) ERR_PACK(0, 0, reason)
+
+static ERR_STRING_DATA CRYPTOGRAPHY_OSRANDOM_lib_name[] = {
+ {0, "osrandom_engine"},
+ {0, NULL}
+};
+
+static ERR_STRING_DATA CRYPTOGRAPHY_OSRANDOM_str_funcs[] = {
+ {ERR_FUNC(CRYPTOGRAPHY_OSRANDOM_F_INIT),
+ "osrandom_init"},
+ {ERR_FUNC(CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES),
+ "osrandom_rand_bytes"},
+ {ERR_FUNC(CRYPTOGRAPHY_OSRANDOM_F_FINISH),
+ "osrandom_finish"},
+ {ERR_FUNC(CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_FD),
+ "dev_urandom_fd"},
+ {ERR_FUNC(CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_READ),
+ "dev_urandom_read"},
+ {0, NULL}
+};
+
+static ERR_STRING_DATA CRYPTOGRAPHY_OSRANDOM_str_reasons[] = {
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_CRYPTACQUIRECONTEXT),
+ "CryptAcquireContext() failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_CRYPTGENRANDOM),
+ "CryptGenRandom() failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_CRYPTRELEASECONTEXT),
+ "CryptReleaseContext() failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_GETENTROPY_FAILED),
+ "getentropy() failed"},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_OPEN_FAILED),
+ "open('/dev/urandom') failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_READ_FAILED),
+ "Reading from /dev/urandom fd failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED),
+ "getrandom() initialization failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED_UNEXPECTED),
+ "getrandom() initialization failed with unexpected errno."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_FAILED),
+ "getrandom() syscall failed."},
+ {ERR_REASON(CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_NOT_INIT),
+ "getrandom() engine was not properly initialized."},
+ {0, NULL}
+};
+
+static int Cryptography_OSRandom_lib_error_code = 0;
+
+static void ERR_load_Cryptography_OSRandom_strings(void)
+{
+ if (Cryptography_OSRandom_lib_error_code == 0) {
+ Cryptography_OSRandom_lib_error_code = ERR_get_next_error_library();
+ ERR_load_strings(Cryptography_OSRandom_lib_error_code,
+ CRYPTOGRAPHY_OSRANDOM_lib_name);
+ ERR_load_strings(Cryptography_OSRandom_lib_error_code,
+ CRYPTOGRAPHY_OSRANDOM_str_funcs);
+ ERR_load_strings(Cryptography_OSRandom_lib_error_code,
+ CRYPTOGRAPHY_OSRANDOM_str_reasons);
+ }
+}
+
+static void ERR_Cryptography_OSRandom_error(int function, int reason,
+ char *file, int line)
+{
+ ERR_PUT_error(Cryptography_OSRandom_lib_error_code, function, reason,
+ file, line);
+}
+
+/* Returns 1 if successfully added, 2 if engine has previously been added,
+ and 0 for error. */
+int Cryptography_add_osrandom_engine(void) {
+ ENGINE *e;
+
+ ERR_load_Cryptography_OSRandom_strings();
+
+ e = ENGINE_by_id(Cryptography_osrandom_engine_id);
+ if (e != NULL) {
+ ENGINE_free(e);
+ return 2;
+ } else {
+ ERR_clear_error();
+ }
+
+ e = ENGINE_new();
+ if (e == NULL) {
+ return 0;
+ }
+ if (!ENGINE_set_id(e, Cryptography_osrandom_engine_id) ||
+ !ENGINE_set_name(e, Cryptography_osrandom_engine_name) ||
+ !ENGINE_set_RAND(e, &osrandom_rand) ||
+ !ENGINE_set_init_function(e, osrandom_init) ||
+ !ENGINE_set_finish_function(e, osrandom_finish) ||
+ !ENGINE_set_cmd_defns(e, osrandom_cmd_defns) ||
+ !ENGINE_set_ctrl_function(e, osrandom_ctrl)) {
+ ENGINE_free(e);
+ return 0;
+ }
+ if (!ENGINE_add(e)) {
+ ENGINE_free(e);
+ return 0;
+ }
+ if (!ENGINE_free(e)) {
+ return 0;
+ }
+
+ return 1;
+}
+
+#else
+/* If OpenSSL has no ENGINE support then we don't want
+ * to compile the osrandom engine, but we do need some
+ * placeholders */
+static const char *Cryptography_osrandom_engine_id = "no-engine-support";
+static const char *Cryptography_osrandom_engine_name = "osrandom_engine disabled";
+
+int Cryptography_add_osrandom_engine(void) {
+ return 0;
+}
+
+#endif
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/src/osrandom_engine.h b/contrib/python/cryptography/py3/_cffi_src/openssl/src/osrandom_engine.h
new file mode 100644
index 0000000000..93d918b88b
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/src/osrandom_engine.h
@@ -0,0 +1,118 @@
+#ifndef OPENSSL_NO_ENGINE
+/* OpenSSL has ENGINE support so include all of this. */
+#ifdef _WIN32
+ #include <Wincrypt.h>
+#else
+ #include <fcntl.h>
+ #include <unistd.h>
+ /* for defined(BSD) */
+ #ifndef __MVS__
+ #include <sys/param.h>
+ #endif
+
+ #ifdef BSD
+ /* for SYS_getentropy */
+ #include <sys/syscall.h>
+ #endif
+
+ #ifdef __APPLE__
+ #include <sys/random.h>
+ /* To support weak linking we need to declare this as a weak import even if
+ * it's not present in sys/random (e.g. macOS < 10.12). */
+ extern int getentropy(void *buffer, size_t size) __attribute((weak_import));
+ #endif
+
+ #ifdef __linux__
+ /* for SYS_getrandom */
+ #include <sys/syscall.h>
+ #ifndef GRND_NONBLOCK
+ #define GRND_NONBLOCK 0x0001
+ #endif /* GRND_NONBLOCK */
+
+ #ifndef SYS_getrandom
+ /* We only bother to define the constants for platforms where we ship
+ * wheels, since that's the predominant way you get a situation where
+ * you don't have SYS_getrandom at compile time but do have the syscall
+ * at runtime */
+ #if defined(__x86_64__)
+ #define SYS_getrandom 318
+ #elif defined(__i386__)
+ #define SYS_getrandom 355
+ #elif defined(__aarch64__)
+ #define SYS_getrandom 278
+ #endif
+ #endif
+ #endif /* __linux__ */
+#endif /* _WIN32 */
+
+#define CRYPTOGRAPHY_OSRANDOM_ENGINE_CRYPTGENRANDOM 1
+#define CRYPTOGRAPHY_OSRANDOM_ENGINE_GETENTROPY 2
+#define CRYPTOGRAPHY_OSRANDOM_ENGINE_GETRANDOM 3
+#define CRYPTOGRAPHY_OSRANDOM_ENGINE_DEV_URANDOM 4
+
+#ifndef CRYPTOGRAPHY_OSRANDOM_ENGINE
+ #if defined(_WIN32)
+ /* Windows */
+ #define CRYPTOGRAPHY_OSRANDOM_ENGINE CRYPTOGRAPHY_OSRANDOM_ENGINE_CRYPTGENRANDOM
+ #elif defined(BSD) && defined(SYS_getentropy)
+ /* OpenBSD 5.6+ & macOS with SYS_getentropy defined, although < 10.12 will fallback
+ * to urandom */
+ #define CRYPTOGRAPHY_OSRANDOM_ENGINE CRYPTOGRAPHY_OSRANDOM_ENGINE_GETENTROPY
+ #elif defined(__linux__) && defined(SYS_getrandom)
+ /* Linux 3.17+ */
+ #define CRYPTOGRAPHY_OSRANDOM_ENGINE CRYPTOGRAPHY_OSRANDOM_ENGINE_GETRANDOM
+ #else
+ /* Keep this as last entry, fall back to /dev/urandom */
+ #define CRYPTOGRAPHY_OSRANDOM_ENGINE CRYPTOGRAPHY_OSRANDOM_ENGINE_DEV_URANDOM
+ #endif
+#endif /* CRYPTOGRAPHY_OSRANDOM_ENGINE */
+
+/* Fallbacks need /dev/urandom helper functions. */
+#if CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_GETRANDOM || \
+ CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_DEV_URANDOM || \
+ (CRYPTOGRAPHY_OSRANDOM_ENGINE == CRYPTOGRAPHY_OSRANDOM_ENGINE_GETENTROPY && \
+ defined(__APPLE__))
+ #define CRYPTOGRAPHY_OSRANDOM_NEEDS_DEV_URANDOM 1
+#endif
+
+enum {
+ CRYPTOGRAPHY_OSRANDOM_GETRANDOM_INIT_FAILED = -2,
+ CRYPTOGRAPHY_OSRANDOM_GETRANDOM_NOT_INIT,
+ CRYPTOGRAPHY_OSRANDOM_GETRANDOM_FALLBACK,
+ CRYPTOGRAPHY_OSRANDOM_GETRANDOM_WORKS
+};
+
+enum {
+ CRYPTOGRAPHY_OSRANDOM_GETENTROPY_NOT_INIT,
+ CRYPTOGRAPHY_OSRANDOM_GETENTROPY_FALLBACK,
+ CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS
+};
+
+/* engine ctrl */
+#define CRYPTOGRAPHY_OSRANDOM_GET_IMPLEMENTATION ENGINE_CMD_BASE
+
+/* error reporting */
+static void ERR_load_Cryptography_OSRandom_strings(void);
+static void ERR_Cryptography_OSRandom_error(int function, int reason,
+ char *file, int line);
+
+#define CRYPTOGRAPHY_OSRANDOM_F_INIT 100
+#define CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES 101
+#define CRYPTOGRAPHY_OSRANDOM_F_FINISH 102
+#define CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_FD 300
+#define CRYPTOGRAPHY_OSRANDOM_F_DEV_URANDOM_READ 301
+
+#define CRYPTOGRAPHY_OSRANDOM_R_CRYPTACQUIRECONTEXT 100
+#define CRYPTOGRAPHY_OSRANDOM_R_CRYPTGENRANDOM 101
+#define CRYPTOGRAPHY_OSRANDOM_R_CRYPTRELEASECONTEXT 102
+
+#define CRYPTOGRAPHY_OSRANDOM_R_GETENTROPY_FAILED 200
+
+#define CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_OPEN_FAILED 300
+#define CRYPTOGRAPHY_OSRANDOM_R_DEV_URANDOM_READ_FAILED 301
+
+#define CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED 400
+#define CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_INIT_FAILED_UNEXPECTED 402
+#define CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_FAILED 403
+#define CRYPTOGRAPHY_OSRANDOM_R_GETRANDOM_NOT_INIT 404
+#endif
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/ssl.py b/contrib/python/cryptography/py3/_cffi_src/openssl/ssl.py
new file mode 100644
index 0000000000..9400f115fb
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/ssl.py
@@ -0,0 +1,705 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/ssl.h>
+
+typedef STACK_OF(SSL_CIPHER) Cryptography_STACK_OF_SSL_CIPHER;
+"""
+
+TYPES = """
+static const long Cryptography_HAS_SSL_ST;
+static const long Cryptography_HAS_TLS_ST;
+static const long Cryptography_HAS_SSL3_METHOD;
+static const long Cryptography_HAS_TLSv1_1;
+static const long Cryptography_HAS_TLSv1_2;
+static const long Cryptography_HAS_TLSv1_3;
+static const long Cryptography_HAS_SECURE_RENEGOTIATION;
+static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;
+static const long Cryptography_HAS_DTLS;
+static const long Cryptography_HAS_SIGALGS;
+static const long Cryptography_HAS_PSK;
+static const long Cryptography_HAS_VERIFIED_CHAIN;
+static const long Cryptography_HAS_KEYLOG;
+static const long Cryptography_HAS_GET_PROTO_VERSION;
+static const long Cryptography_HAS_TLSEXT_HOSTNAME;
+
+/* Internally invented symbol to tell us if SSL_MODE_RELEASE_BUFFERS is
+ * supported
+ */
+static const long Cryptography_HAS_RELEASE_BUFFERS;
+
+/* Internally invented symbol to tell us if SSL_OP_NO_COMPRESSION is
+ * supported
+ */
+static const long Cryptography_HAS_OP_NO_COMPRESSION;
+static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING;
+static const long Cryptography_HAS_SSL_SET_SSL_CTX;
+static const long Cryptography_HAS_SSL_OP_NO_TICKET;
+static const long Cryptography_HAS_ALPN;
+static const long Cryptography_HAS_NEXTPROTONEG;
+static const long Cryptography_HAS_SET_CERT_CB;
+static const long Cryptography_HAS_CUSTOM_EXT;
+static const long Cryptography_HAS_SRTP;
+
+static const long SSL_FILETYPE_PEM;
+static const long SSL_FILETYPE_ASN1;
+static const long SSL_ERROR_NONE;
+static const long SSL_ERROR_ZERO_RETURN;
+static const long SSL_ERROR_WANT_READ;
+static const long SSL_ERROR_WANT_WRITE;
+static const long SSL_ERROR_WANT_X509_LOOKUP;
+static const long SSL_ERROR_WANT_CONNECT;
+static const long SSL_ERROR_SYSCALL;
+static const long SSL_ERROR_SSL;
+static const long SSL_SENT_SHUTDOWN;
+static const long SSL_RECEIVED_SHUTDOWN;
+static const long SSL_OP_NO_SSLv2;
+static const long SSL_OP_NO_SSLv3;
+static const long SSL_OP_NO_TLSv1;
+static const long SSL_OP_NO_TLSv1_1;
+static const long SSL_OP_NO_TLSv1_2;
+static const long SSL_OP_NO_TLSv1_3;
+static const long SSL_OP_NO_DTLSv1;
+static const long SSL_OP_NO_DTLSv1_2;
+static const long SSL_OP_NO_COMPRESSION;
+static const long SSL_OP_SINGLE_DH_USE;
+static const long SSL_OP_EPHEMERAL_RSA;
+static const long SSL_OP_MICROSOFT_SESS_ID_BUG;
+static const long SSL_OP_NETSCAPE_CHALLENGE_BUG;
+static const long SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
+static const long SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG;
+static const long SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER;
+static const long SSL_OP_MSIE_SSLV2_RSA_PADDING;
+static const long SSL_OP_SSLEAY_080_CLIENT_DH_BUG;
+static const long SSL_OP_TLS_D5_BUG;
+static const long SSL_OP_TLS_BLOCK_PADDING_BUG;
+static const long SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+static const long SSL_OP_CIPHER_SERVER_PREFERENCE;
+static const long SSL_OP_TLS_ROLLBACK_BUG;
+static const long SSL_OP_PKCS1_CHECK_1;
+static const long SSL_OP_PKCS1_CHECK_2;
+static const long SSL_OP_NETSCAPE_CA_DN_BUG;
+static const long SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG;
+static const long SSL_OP_NO_QUERY_MTU;
+static const long SSL_OP_COOKIE_EXCHANGE;
+static const long SSL_OP_NO_TICKET;
+static const long SSL_OP_ALL;
+static const long SSL_OP_SINGLE_ECDH_USE;
+static const long SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+static const long SSL_OP_LEGACY_SERVER_CONNECT;
+static const long SSL_VERIFY_PEER;
+static const long SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+static const long SSL_VERIFY_CLIENT_ONCE;
+static const long SSL_VERIFY_NONE;
+static const long SSL_VERIFY_POST_HANDSHAKE;
+static const long SSL_SESS_CACHE_OFF;
+static const long SSL_SESS_CACHE_CLIENT;
+static const long SSL_SESS_CACHE_SERVER;
+static const long SSL_SESS_CACHE_BOTH;
+static const long SSL_SESS_CACHE_NO_AUTO_CLEAR;
+static const long SSL_SESS_CACHE_NO_INTERNAL_LOOKUP;
+static const long SSL_SESS_CACHE_NO_INTERNAL_STORE;
+static const long SSL_SESS_CACHE_NO_INTERNAL;
+static const long SSL_ST_CONNECT;
+static const long SSL_ST_ACCEPT;
+static const long SSL_ST_MASK;
+static const long SSL_ST_INIT;
+static const long SSL_ST_BEFORE;
+static const long SSL_ST_OK;
+static const long SSL_ST_RENEGOTIATE;
+static const long SSL_CB_LOOP;
+static const long SSL_CB_EXIT;
+static const long SSL_CB_READ;
+static const long SSL_CB_WRITE;
+static const long SSL_CB_ALERT;
+static const long SSL_CB_READ_ALERT;
+static const long SSL_CB_WRITE_ALERT;
+static const long SSL_CB_ACCEPT_LOOP;
+static const long SSL_CB_ACCEPT_EXIT;
+static const long SSL_CB_CONNECT_LOOP;
+static const long SSL_CB_CONNECT_EXIT;
+static const long SSL_CB_HANDSHAKE_START;
+static const long SSL_CB_HANDSHAKE_DONE;
+static const long SSL_MODE_RELEASE_BUFFERS;
+static const long SSL_MODE_ENABLE_PARTIAL_WRITE;
+static const long SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
+static const long SSL_MODE_AUTO_RETRY;
+static const long SSL3_RANDOM_SIZE;
+static const long TLS_ST_BEFORE;
+static const long TLS_ST_OK;
+
+typedef ... SSL_METHOD;
+typedef ... SSL_CTX;
+
+typedef ... SSL_SESSION;
+
+typedef ... SSL;
+
+static const long TLSEXT_NAMETYPE_host_name;
+static const long TLSEXT_STATUSTYPE_ocsp;
+
+typedef ... SSL_CIPHER;
+typedef ... Cryptography_STACK_OF_SSL_CIPHER;
+
+typedef struct {
+ const char *name;
+ unsigned long id;
+} SRTP_PROTECTION_PROFILE;
+"""
+
+FUNCTIONS = """
+/* SSL */
+const char *SSL_state_string_long(const SSL *);
+SSL_SESSION *SSL_get1_session(SSL *);
+int SSL_set_session(SSL *, SSL_SESSION *);
+SSL *SSL_new(SSL_CTX *);
+void SSL_free(SSL *);
+int SSL_set_fd(SSL *, int);
+SSL_CTX *SSL_set_SSL_CTX(SSL *, SSL_CTX *);
+void SSL_set_bio(SSL *, BIO *, BIO *);
+void SSL_set_connect_state(SSL *);
+void SSL_set_accept_state(SSL *);
+void SSL_set_shutdown(SSL *, int);
+int SSL_get_shutdown(const SSL *);
+int SSL_pending(const SSL *);
+int SSL_write(SSL *, const void *, int);
+int SSL_read(SSL *, void *, int);
+int SSL_peek(SSL *, void *, int);
+X509 *SSL_get_certificate(const SSL *);
+X509 *SSL_get_peer_certificate(const SSL *);
+int SSL_get_ex_data_X509_STORE_CTX_idx(void);
+
+/* Added in 1.0.2 */
+X509_VERIFY_PARAM *SSL_get0_param(SSL *);
+X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *);
+
+int SSL_get_sigalgs(SSL *, int, int *, int *, int *, unsigned char *,
+ unsigned char *);
+
+Cryptography_STACK_OF_X509 *SSL_get_peer_cert_chain(const SSL *);
+Cryptography_STACK_OF_X509 *SSL_get0_verified_chain(const SSL *);
+Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *);
+
+int SSL_get_error(const SSL *, int);
+long SSL_get_verify_result(const SSL *ssl);
+int SSL_do_handshake(SSL *);
+int SSL_shutdown(SSL *);
+int SSL_renegotiate(SSL *);
+int SSL_renegotiate_pending(SSL *);
+const char *SSL_get_cipher_list(const SSL *, int);
+
+/* context */
+void SSL_CTX_free(SSL_CTX *);
+long SSL_CTX_set_timeout(SSL_CTX *, long);
+int SSL_CTX_set_default_verify_paths(SSL_CTX *);
+void SSL_CTX_set_verify(SSL_CTX *, int, int (*)(int, X509_STORE_CTX *));
+void SSL_CTX_set_verify_depth(SSL_CTX *, int);
+int SSL_CTX_get_verify_mode(const SSL_CTX *);
+int SSL_CTX_get_verify_depth(const SSL_CTX *);
+int SSL_CTX_set_cipher_list(SSL_CTX *, const char *);
+int SSL_CTX_load_verify_locations(SSL_CTX *, const char *, const char *);
+void SSL_CTX_set_default_passwd_cb(SSL_CTX *, pem_password_cb *);
+void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *, void *);
+int SSL_CTX_use_certificate(SSL_CTX *, X509 *);
+int SSL_CTX_use_certificate_file(SSL_CTX *, const char *, int);
+int SSL_CTX_use_certificate_chain_file(SSL_CTX *, const char *);
+int SSL_CTX_use_PrivateKey(SSL_CTX *, EVP_PKEY *);
+int SSL_CTX_use_PrivateKey_file(SSL_CTX *, const char *, int);
+int SSL_CTX_check_private_key(const SSL_CTX *);
+void SSL_CTX_set_cert_verify_callback(SSL_CTX *,
+ int (*)(X509_STORE_CTX *, void *),
+ void *);
+
+void SSL_CTX_set_cookie_generate_cb(SSL_CTX *,
+ int (*)(
+ SSL *,
+ unsigned char *,
+ unsigned int *
+ ));
+long SSL_CTX_get_read_ahead(SSL_CTX *);
+long SSL_CTX_set_read_ahead(SSL_CTX *, long);
+
+int SSL_CTX_use_psk_identity_hint(SSL_CTX *, const char *);
+void SSL_CTX_set_psk_server_callback(SSL_CTX *,
+ unsigned int (*)(
+ SSL *,
+ const char *,
+ unsigned char *,
+ unsigned int
+ ));
+void SSL_CTX_set_psk_client_callback(SSL_CTX *,
+ unsigned int (*)(
+ SSL *,
+ const char *,
+ char *,
+ unsigned int,
+ unsigned char *,
+ unsigned int
+ ));
+
+int SSL_CTX_set_session_id_context(SSL_CTX *, const unsigned char *,
+ unsigned int);
+
+void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
+int SSL_CTX_add_client_CA(SSL_CTX *, X509 *);
+
+void SSL_CTX_set_client_CA_list(SSL_CTX *, Cryptography_STACK_OF_X509_NAME *);
+
+void SSL_CTX_set_info_callback(SSL_CTX *, void (*)(const SSL *, int, int));
+void (*SSL_CTX_get_info_callback(SSL_CTX *))(const SSL *, int, int);
+
+void SSL_CTX_set_keylog_callback(SSL_CTX *,
+ void (*)(const SSL *, const char *));
+void (*SSL_CTX_get_keylog_callback(SSL_CTX *))(const SSL *, const char *);
+
+long SSL_CTX_set1_sigalgs_list(SSL_CTX *, const char *);
+
+/* SSL_SESSION */
+void SSL_SESSION_free(SSL_SESSION *);
+
+/* Information about actually used cipher */
+const char *SSL_CIPHER_get_name(const SSL_CIPHER *);
+int SSL_CIPHER_get_bits(const SSL_CIPHER *, int *);
+/* the modern signature of this is uint32_t, but older openssl declared it
+ as unsigned long. To make our compiler flags happy we'll declare it as a
+ 64-bit wide value, which should always be safe */
+uint64_t SSL_CIPHER_get_id(const SSL_CIPHER *);
+int SSL_CIPHER_is_aead(const SSL_CIPHER *);
+int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *);
+int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *);
+int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *);
+int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *);
+
+size_t SSL_get_finished(const SSL *, void *, size_t);
+size_t SSL_get_peer_finished(const SSL *, void *, size_t);
+Cryptography_STACK_OF_X509_NAME *SSL_load_client_CA_file(const char *);
+
+const char *SSL_get_servername(const SSL *, const int);
+/* Function signature changed to const char * in 1.1.0 */
+const char *SSL_CIPHER_get_version(const SSL_CIPHER *);
+/* These became macros in 1.1.0 */
+int SSL_library_init(void);
+void SSL_load_error_strings(void);
+
+/* these CRYPTO_EX_DATA functions became macros in 1.1.0 */
+int SSL_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *,
+ CRYPTO_EX_free *);
+int SSL_set_ex_data(SSL *, int, void *);
+int SSL_CTX_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *,
+ CRYPTO_EX_free *);
+int SSL_CTX_set_ex_data(SSL_CTX *, int, void *);
+
+SSL_SESSION *SSL_get_session(const SSL *);
+const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *, unsigned int *);
+long SSL_SESSION_get_time(const SSL_SESSION *);
+long SSL_SESSION_get_timeout(const SSL_SESSION *);
+int SSL_SESSION_has_ticket(const SSL_SESSION *);
+long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *);
+
+unsigned long SSL_set_mode(SSL *, unsigned long);
+unsigned long SSL_clear_mode(SSL *, unsigned long);
+unsigned long SSL_get_mode(SSL *);
+
+unsigned long SSL_set_options(SSL *, unsigned long);
+unsigned long SSL_get_options(SSL *);
+
+int SSL_want_read(const SSL *);
+int SSL_want_write(const SSL *);
+
+long SSL_total_renegotiations(SSL *);
+long SSL_get_secure_renegotiation_support(SSL *);
+
+long SSL_CTX_set_min_proto_version(SSL_CTX *, int);
+long SSL_CTX_set_max_proto_version(SSL_CTX *, int);
+long SSL_set_min_proto_version(SSL *, int);
+long SSL_set_max_proto_version(SSL *, int);
+
+long SSL_CTX_get_min_proto_version(SSL_CTX *);
+long SSL_CTX_get_max_proto_version(SSL_CTX *);
+long SSL_get_min_proto_version(SSL *);
+long SSL_get_max_proto_version(SSL *);
+
+/* Defined as unsigned long because SSL_OP_ALL is greater than signed 32-bit
+ and Windows defines long as 32-bit. */
+unsigned long SSL_CTX_set_options(SSL_CTX *, unsigned long);
+unsigned long SSL_CTX_clear_options(SSL_CTX *, unsigned long);
+unsigned long SSL_CTX_get_options(SSL_CTX *);
+unsigned long SSL_CTX_set_mode(SSL_CTX *, unsigned long);
+unsigned long SSL_CTX_clear_mode(SSL_CTX *, unsigned long);
+unsigned long SSL_CTX_get_mode(SSL_CTX *);
+unsigned long SSL_CTX_set_session_cache_mode(SSL_CTX *, unsigned long);
+unsigned long SSL_CTX_get_session_cache_mode(SSL_CTX *);
+unsigned long SSL_CTX_set_tmp_dh(SSL_CTX *, DH *);
+unsigned long SSL_CTX_set_tmp_ecdh(SSL_CTX *, EC_KEY *);
+unsigned long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *);
+
+/*- These aren't macros these functions are all const X on openssl > 1.0.x -*/
+
+/* methods */
+
+const SSL_METHOD *TLSv1_1_method(void);
+const SSL_METHOD *TLSv1_1_server_method(void);
+const SSL_METHOD *TLSv1_1_client_method(void);
+
+const SSL_METHOD *TLSv1_2_method(void);
+const SSL_METHOD *TLSv1_2_server_method(void);
+const SSL_METHOD *TLSv1_2_client_method(void);
+
+const SSL_METHOD *SSLv3_method(void);
+const SSL_METHOD *SSLv3_server_method(void);
+const SSL_METHOD *SSLv3_client_method(void);
+
+const SSL_METHOD *TLSv1_method(void);
+const SSL_METHOD *TLSv1_server_method(void);
+const SSL_METHOD *TLSv1_client_method(void);
+
+const SSL_METHOD *DTLSv1_method(void);
+const SSL_METHOD *DTLSv1_server_method(void);
+const SSL_METHOD *DTLSv1_client_method(void);
+
+/* Added in 1.0.2 */
+const SSL_METHOD *DTLS_method(void);
+const SSL_METHOD *DTLS_server_method(void);
+const SSL_METHOD *DTLS_client_method(void);
+
+const SSL_METHOD *SSLv23_method(void);
+const SSL_METHOD *SSLv23_server_method(void);
+const SSL_METHOD *SSLv23_client_method(void);
+
+const SSL_METHOD *TLS_method(void);
+const SSL_METHOD *TLS_server_method(void);
+const SSL_METHOD *TLS_client_method(void);
+
+/*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/
+SSL_CTX *SSL_CTX_new(SSL_METHOD *);
+long SSL_CTX_get_timeout(const SSL_CTX *);
+
+const SSL_CIPHER *SSL_get_current_cipher(const SSL *);
+const char *SSL_get_version(const SSL *);
+int SSL_version(const SSL *);
+
+void *SSL_CTX_get_ex_data(const SSL_CTX *, int);
+void *SSL_get_ex_data(const SSL *, int);
+
+void SSL_set_tlsext_host_name(SSL *, char *);
+void SSL_CTX_set_tlsext_servername_callback(
+ SSL_CTX *,
+ int (*)(SSL *, int *, void *));
+void SSL_CTX_set_tlsext_servername_arg(
+ SSL_CTX *, void *);
+
+long SSL_set_tlsext_status_ocsp_resp(SSL *, unsigned char *, int);
+long SSL_get_tlsext_status_ocsp_resp(SSL *, const unsigned char **);
+long SSL_set_tlsext_status_type(SSL *, long);
+long SSL_CTX_set_tlsext_status_cb(SSL_CTX *, int(*)(SSL *, void *));
+long SSL_CTX_set_tlsext_status_arg(SSL_CTX *, void *);
+
+int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *, const char *);
+int SSL_set_tlsext_use_srtp(SSL *, const char *);
+SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *);
+
+long SSL_session_reused(SSL *);
+
+int SSL_select_next_proto(unsigned char **, unsigned char *,
+ const unsigned char *, unsigned int,
+ const unsigned char *, unsigned int);
+
+int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
+const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
+
+/* ALPN APIs were introduced in OpenSSL 1.0.2. To continue to support earlier
+ * versions some special handling of these is necessary.
+ */
+int SSL_CTX_set_alpn_protos(SSL_CTX *, const unsigned char *, unsigned);
+int SSL_set_alpn_protos(SSL *, const unsigned char *, unsigned);
+void SSL_CTX_set_alpn_select_cb(SSL_CTX *,
+ int (*) (SSL *,
+ const unsigned char **,
+ unsigned char *,
+ const unsigned char *,
+ unsigned int,
+ void *),
+ void *);
+void SSL_get0_alpn_selected(const SSL *, const unsigned char **, unsigned *);
+
+long SSL_get_server_tmp_key(SSL *, EVP_PKEY **);
+
+/* SSL_CTX_set_cert_cb is introduced in OpenSSL 1.0.2. To continue to support
+ * earlier versions some special handling of these is necessary.
+ */
+void SSL_CTX_set_cert_cb(SSL_CTX *, int (*)(SSL *, void *), void *);
+void SSL_set_cert_cb(SSL *, int (*)(SSL *, void *), void *);
+
+int SSL_SESSION_set1_id_context(SSL_SESSION *, const unsigned char *,
+ unsigned int);
+/* Added in 1.1.0 for the great opaquing of structs */
+size_t SSL_SESSION_get_master_key(const SSL_SESSION *, unsigned char *,
+ size_t);
+size_t SSL_get_client_random(const SSL *, unsigned char *, size_t);
+size_t SSL_get_server_random(const SSL *, unsigned char *, size_t);
+int SSL_export_keying_material(SSL *, unsigned char *, size_t, const char *,
+ size_t, const unsigned char *, size_t, int);
+
+long SSL_CTX_sess_number(SSL_CTX *);
+long SSL_CTX_sess_connect(SSL_CTX *);
+long SSL_CTX_sess_connect_good(SSL_CTX *);
+long SSL_CTX_sess_connect_renegotiate(SSL_CTX *);
+long SSL_CTX_sess_accept(SSL_CTX *);
+long SSL_CTX_sess_accept_good(SSL_CTX *);
+long SSL_CTX_sess_accept_renegotiate(SSL_CTX *);
+long SSL_CTX_sess_hits(SSL_CTX *);
+long SSL_CTX_sess_cb_hits(SSL_CTX *);
+long SSL_CTX_sess_misses(SSL_CTX *);
+long SSL_CTX_sess_timeouts(SSL_CTX *);
+long SSL_CTX_sess_cache_full(SSL_CTX *);
+
+/* DTLS support */
+long Cryptography_DTLSv1_get_timeout(SSL *, time_t *, long *);
+long DTLSv1_handle_timeout(SSL *);
+long DTLS_set_link_mtu(SSL *, long);
+long DTLS_get_link_min_mtu(SSL *);
+
+/* Custom extensions. */
+typedef int (*custom_ext_add_cb)(SSL *, unsigned int,
+ const unsigned char **,
+ size_t *, int *,
+ void *);
+
+typedef void (*custom_ext_free_cb)(SSL *, unsigned int,
+ const unsigned char *,
+ void *);
+
+typedef int (*custom_ext_parse_cb)(SSL *, unsigned int,
+ const unsigned char *,
+ size_t, int *,
+ void *);
+
+int SSL_CTX_add_client_custom_ext(SSL_CTX *, unsigned int,
+ custom_ext_add_cb,
+ custom_ext_free_cb, void *,
+ custom_ext_parse_cb,
+ void *);
+
+int SSL_CTX_add_server_custom_ext(SSL_CTX *, unsigned int,
+ custom_ext_add_cb,
+ custom_ext_free_cb, void *,
+ custom_ext_parse_cb,
+ void *);
+
+int SSL_extension_supported(unsigned int);
+
+int SSL_CTX_set_ciphersuites(SSL_CTX *, const char *);
+int SSL_verify_client_post_handshake(SSL *);
+void SSL_CTX_set_post_handshake_auth(SSL_CTX *, int);
+void SSL_set_post_handshake_auth(SSL *, int);
+
+uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *);
+int SSL_write_early_data(SSL *, const void *, size_t, size_t *);
+int SSL_read_early_data(SSL *, void *, size_t, size_t *);
+int SSL_CTX_set_max_early_data(SSL_CTX *, uint32_t);
+"""
+
+CUSTOMIZATIONS = """
+// This symbol is being preserved because removing it will break users with
+// pyOpenSSL < 19.1 and pip < 20.x. We need to leave this in place until those
+// users have upgraded. PersistentlyDeprecated2020
+static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
+
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
+Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
+#else
+static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+static const long Cryptography_HAS_KEYLOG = 0;
+void (*SSL_CTX_set_keylog_callback)(SSL_CTX *,
+ void (*) (const SSL *, const char *)
+ ) = NULL;
+void (*(*SSL_CTX_get_keylog_callback)(SSL_CTX *))(
+ const SSL *,
+ const char *
+ ) = NULL;
+#else
+static const long Cryptography_HAS_KEYLOG = 1;
+#endif
+
+static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1;
+
+#ifdef OPENSSL_NO_SSL3_METHOD
+static const long Cryptography_HAS_SSL3_METHOD = 0;
+SSL_METHOD* (*SSLv3_method)(void) = NULL;
+SSL_METHOD* (*SSLv3_client_method)(void) = NULL;
+SSL_METHOD* (*SSLv3_server_method)(void) = NULL;
+#else
+static const long Cryptography_HAS_SSL3_METHOD = 1;
+#endif
+
+static const long Cryptography_HAS_RELEASE_BUFFERS = 1;
+static const long Cryptography_HAS_OP_NO_COMPRESSION = 1;
+static const long Cryptography_HAS_TLSv1_1 = 1;
+static const long Cryptography_HAS_TLSv1_2 = 1;
+static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
+static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
+static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
+static const long Cryptography_HAS_NEXTPROTONEG = 0;
+static const long Cryptography_HAS_ALPN = 1;
+
+#if CRYPTOGRAPHY_IS_LIBRESSL
+void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL;
+void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL;
+static const long Cryptography_HAS_SET_CERT_CB = 0;
+#else
+static const long Cryptography_HAS_SET_CERT_CB = 1;
+#endif
+
+static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS = 1;
+
+/* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were
+ removed */
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_SSL_ST = 1;
+#else
+static const long Cryptography_HAS_SSL_ST = 0;
+static const long SSL_ST_BEFORE = 0;
+static const long SSL_ST_OK = 0;
+static const long SSL_ST_INIT = 0;
+static const long SSL_ST_RENEGOTIATE = 0;
+#endif
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_TLS_ST = 1;
+#else
+static const long Cryptography_HAS_TLS_ST = 0;
+static const long TLS_ST_BEFORE = 0;
+static const long TLS_ST_OK = 0;
+#endif
+
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long SSL_OP_NO_DTLSv1 = 0;
+static const long SSL_OP_NO_DTLSv1_2 = 0;
+long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
+long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
+#endif
+
+static const long Cryptography_HAS_DTLS = 1;
+/* Wrap DTLSv1_get_timeout to avoid cffi to handle a 'struct timeval'. */
+long Cryptography_DTLSv1_get_timeout(SSL *ssl, time_t *ptv_sec,
+ long *ptv_usec) {
+ struct timeval tv = { 0 };
+ long r = DTLSv1_get_timeout(ssl, &tv);
+
+ if (r == 1) {
+ if (ptv_sec) {
+ *ptv_sec = tv.tv_sec;
+ }
+
+ if (ptv_usec) {
+ *ptv_usec = tv.tv_usec;
+ }
+ }
+
+ return r;
+}
+
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_SIGALGS = 0;
+const int (*SSL_get_sigalgs)(SSL *, int, int *, int *, int *, unsigned char *,
+ unsigned char *) = NULL;
+const long (*SSL_CTX_set1_sigalgs_list)(SSL_CTX *, const char *) = NULL;
+#else
+static const long Cryptography_HAS_SIGALGS = 1;
+#endif
+
+#if CRYPTOGRAPHY_IS_LIBRESSL || defined(OPENSSL_NO_PSK)
+static const long Cryptography_HAS_PSK = 0;
+int (*SSL_CTX_use_psk_identity_hint)(SSL_CTX *, const char *) = NULL;
+void (*SSL_CTX_set_psk_server_callback)(SSL_CTX *,
+ unsigned int (*)(
+ SSL *,
+ const char *,
+ unsigned char *,
+ unsigned int
+ )) = NULL;
+void (*SSL_CTX_set_psk_client_callback)(SSL_CTX *,
+ unsigned int (*)(
+ SSL *,
+ const char *,
+ char *,
+ unsigned int,
+ unsigned char *,
+ unsigned int
+ )) = NULL;
+#else
+static const long Cryptography_HAS_PSK = 1;
+#endif
+
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_CUSTOM_EXT = 1;
+#else
+static const long Cryptography_HAS_CUSTOM_EXT = 0;
+typedef int (*custom_ext_add_cb)(SSL *, unsigned int,
+ const unsigned char **,
+ size_t *, int *,
+ void *);
+typedef void (*custom_ext_free_cb)(SSL *, unsigned int,
+ const unsigned char *,
+ void *);
+typedef int (*custom_ext_parse_cb)(SSL *, unsigned int,
+ const unsigned char *,
+ size_t, int *,
+ void *);
+int (*SSL_CTX_add_client_custom_ext)(SSL_CTX *, unsigned int,
+ custom_ext_add_cb,
+ custom_ext_free_cb, void *,
+ custom_ext_parse_cb,
+ void *) = NULL;
+int (*SSL_CTX_add_server_custom_ext)(SSL_CTX *, unsigned int,
+ custom_ext_add_cb,
+ custom_ext_free_cb, void *,
+ custom_ext_parse_cb,
+ void *) = NULL;
+int (*SSL_extension_supported)(unsigned int) = NULL;
+#endif
+
+#ifndef OPENSSL_NO_SRTP
+static const long Cryptography_HAS_SRTP = 1;
+#else
+static const long Cryptography_HAS_SRTP = 0;
+int (*SSL_CTX_set_tlsext_use_srtp)(SSL_CTX *, const char *) = NULL;
+int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL;
+SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+static const long Cryptography_HAS_TLSv1_3 = 0;
+static const long SSL_OP_NO_TLSv1_3 = 0;
+static const long SSL_VERIFY_POST_HANDSHAKE = 0;
+int (*SSL_CTX_set_ciphersuites)(SSL_CTX *, const char *) = NULL;
+int (*SSL_verify_client_post_handshake)(SSL *) = NULL;
+void (*SSL_CTX_set_post_handshake_auth)(SSL_CTX *, int) = NULL;
+void (*SSL_set_post_handshake_auth)(SSL *, int) = NULL;
+uint32_t (*SSL_SESSION_get_max_early_data)(const SSL_SESSION *) = NULL;
+int (*SSL_write_early_data)(SSL *, const void *, size_t, size_t *) = NULL;
+int (*SSL_read_early_data)(SSL *, void *, size_t, size_t *) = NULL;
+int (*SSL_CTX_set_max_early_data)(SSL_CTX *, uint32_t) = NULL;
+#else
+static const long Cryptography_HAS_TLSv1_3 = 1;
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_GET_PROTO_VERSION = 0;
+
+long (*SSL_CTX_get_min_proto_version)(SSL_CTX *) = NULL;
+long (*SSL_CTX_get_max_proto_version)(SSL_CTX *) = NULL;
+long (*SSL_get_min_proto_version)(SSL *) = NULL;
+long (*SSL_get_max_proto_version)(SSL *) = NULL;
+#else
+static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/x509.py b/contrib/python/cryptography/py3/_cffi_src/openssl/x509.py
new file mode 100644
index 0000000000..24946ea48d
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/x509.py
@@ -0,0 +1,302 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/ssl.h>
+
+/*
+ * This is part of a work-around for the difficulty cffi has in dealing with
+ * `STACK_OF(foo)` as the name of a type. We invent a new, simpler name that
+ * will be an alias for this type and use the alias throughout. This works
+ * together with another opaque typedef for the same name in the TYPES section.
+ * Note that the result is an opaque type.
+ */
+typedef STACK_OF(X509) Cryptography_STACK_OF_X509;
+typedef STACK_OF(X509_CRL) Cryptography_STACK_OF_X509_CRL;
+typedef STACK_OF(X509_REVOKED) Cryptography_STACK_OF_X509_REVOKED;
+"""
+
+TYPES = """
+typedef ... Cryptography_STACK_OF_X509;
+typedef ... Cryptography_STACK_OF_X509_CRL;
+typedef ... Cryptography_STACK_OF_X509_REVOKED;
+
+typedef struct {
+ ASN1_OBJECT *algorithm;
+ ...;
+} X509_ALGOR;
+
+typedef ... X509_ATTRIBUTE;
+typedef ... X509_EXTENSION;
+typedef ... X509_EXTENSIONS;
+typedef ... X509_REQ;
+typedef ... X509_REVOKED;
+typedef ... X509_CRL;
+typedef ... X509;
+
+typedef ... NETSCAPE_SPKI;
+
+typedef ... PKCS8_PRIV_KEY_INFO;
+
+typedef void (*sk_X509_EXTENSION_freefunc)(X509_EXTENSION *);
+"""
+
+FUNCTIONS = """
+X509 *X509_new(void);
+void X509_free(X509 *);
+X509 *X509_dup(X509 *);
+int X509_cmp(const X509 *, const X509 *);
+int X509_up_ref(X509 *);
+
+int X509_print_ex(BIO *, X509 *, unsigned long, unsigned long);
+
+int X509_set_version(X509 *, long);
+
+EVP_PKEY *X509_get_pubkey(X509 *);
+int X509_set_pubkey(X509 *, EVP_PKEY *);
+
+unsigned char *X509_alias_get0(X509 *, int *);
+int X509_sign(X509 *, EVP_PKEY *, const EVP_MD *);
+
+int X509_digest(const X509 *, const EVP_MD *, unsigned char *, unsigned int *);
+
+ASN1_TIME *X509_gmtime_adj(ASN1_TIME *, long);
+
+unsigned long X509_subject_name_hash(X509 *);
+
+int X509_set_subject_name(X509 *, X509_NAME *);
+
+int X509_set_issuer_name(X509 *, X509_NAME *);
+
+int X509_add_ext(X509 *, X509_EXTENSION *, int);
+X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *);
+
+ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *);
+void X509_EXTENSION_free(X509_EXTENSION *);
+
+int X509_REQ_set_version(X509_REQ *, long);
+X509_REQ *X509_REQ_new(void);
+void X509_REQ_free(X509_REQ *);
+int X509_REQ_set_pubkey(X509_REQ *, EVP_PKEY *);
+int X509_REQ_set_subject_name(X509_REQ *, X509_NAME *);
+int X509_REQ_sign(X509_REQ *, EVP_PKEY *, const EVP_MD *);
+int X509_REQ_verify(X509_REQ *, EVP_PKEY *);
+EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *);
+int X509_REQ_print_ex(BIO *, X509_REQ *, unsigned long, unsigned long);
+int X509_REQ_add_extensions(X509_REQ *, X509_EXTENSIONS *);
+X509_EXTENSIONS *X509_REQ_get_extensions(X509_REQ *);
+X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *, int);
+int X509_REQ_get_attr_by_OBJ(const X509_REQ *, const ASN1_OBJECT *, int);
+void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *, int, int, void *);
+ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *, int);
+int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *);
+int X509_REQ_add1_attr_by_OBJ(X509_REQ *, const ASN1_OBJECT *,
+ int, const unsigned char *, int);
+
+int X509V3_EXT_print(BIO *, X509_EXTENSION *, unsigned long, int);
+ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *);
+
+X509_REVOKED *X509_REVOKED_new(void);
+void X509_REVOKED_free(X509_REVOKED *);
+
+int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *);
+
+int X509_REVOKED_add_ext(X509_REVOKED *, X509_EXTENSION*, int);
+int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long);
+X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *, int);
+
+int X509_REVOKED_set_revocationDate(X509_REVOKED *, ASN1_TIME *);
+
+X509_CRL *X509_CRL_new(void);
+X509_CRL *X509_CRL_dup(X509_CRL *);
+X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **);
+int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *);
+int X509_CRL_add_ext(X509_CRL *, X509_EXTENSION *, int);
+int X509_CRL_cmp(const X509_CRL *, const X509_CRL *);
+int X509_CRL_print(BIO *, X509_CRL *);
+int X509_CRL_set_issuer_name(X509_CRL *, X509_NAME *);
+int X509_CRL_set_version(X509_CRL *, long);
+int X509_CRL_sign(X509_CRL *, EVP_PKEY *, const EVP_MD *);
+int X509_CRL_sort(X509_CRL *);
+int X509_CRL_verify(X509_CRL *, EVP_PKEY *);
+int i2d_X509_CRL_bio(BIO *, X509_CRL *);
+void X509_CRL_free(X509_CRL *);
+
+int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *, EVP_PKEY *);
+int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *);
+char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *);
+NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *, int);
+EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *);
+int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *, EVP_PKEY *);
+NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
+void NETSCAPE_SPKI_free(NETSCAPE_SPKI *);
+
+/* ASN1 serialization */
+int i2d_X509_bio(BIO *, X509 *);
+X509 *d2i_X509_bio(BIO *, X509 **);
+
+int i2d_X509_REQ_bio(BIO *, X509_REQ *);
+X509_REQ *d2i_X509_REQ_bio(BIO *, X509_REQ **);
+
+int i2d_PrivateKey_bio(BIO *, EVP_PKEY *);
+EVP_PKEY *d2i_PrivateKey_bio(BIO *, EVP_PKEY **);
+int i2d_PUBKEY_bio(BIO *, EVP_PKEY *);
+EVP_PKEY *d2i_PUBKEY_bio(BIO *, EVP_PKEY **);
+
+ASN1_INTEGER *X509_get_serialNumber(X509 *);
+int X509_set_serialNumber(X509 *, ASN1_INTEGER *);
+
+const char *X509_verify_cert_error_string(long);
+
+const char *X509_get_default_cert_dir(void);
+const char *X509_get_default_cert_file(void);
+const char *X509_get_default_cert_dir_env(void);
+const char *X509_get_default_cert_file_env(void);
+
+int i2d_RSAPrivateKey_bio(BIO *, RSA *);
+RSA *d2i_RSAPublicKey_bio(BIO *, RSA **);
+int i2d_RSAPublicKey_bio(BIO *, RSA *);
+int i2d_DSAPrivateKey_bio(BIO *, DSA *);
+
+/* These became const X509 in 1.1.0 */
+int X509_get_ext_count(X509 *);
+X509_EXTENSION *X509_get_ext(X509 *, int);
+X509_NAME *X509_get_subject_name(X509 *);
+X509_NAME *X509_get_issuer_name(X509 *);
+
+/* This became const ASN1_OBJECT * in 1.1.0 */
+X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **,
+ ASN1_OBJECT *, int,
+ ASN1_OCTET_STRING *);
+
+
+/* This became const X509_EXTENSION * in 1.1.0 */
+int X509_EXTENSION_get_critical(X509_EXTENSION *);
+
+/* This became const X509_REVOKED * in 1.1.0 */
+int X509_REVOKED_get_ext_count(X509_REVOKED *);
+X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *, int);
+
+/* This became const X509_CRL * in 1.1.0 */
+X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int);
+int X509_CRL_get_ext_count(X509_CRL *);
+
+int X509_CRL_get0_by_serial(X509_CRL *, X509_REVOKED **, ASN1_INTEGER *);
+
+X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *);
+X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *);
+
+/* new in 1.0.2 */
+int i2d_re_X509_tbs(X509 *, unsigned char **);
+int X509_get_signature_nid(const X509 *);
+
+const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *);
+
+void X509_get0_signature(const ASN1_BIT_STRING **,
+ const X509_ALGOR **, const X509 *);
+
+long X509_get_version(X509 *);
+
+ASN1_TIME *X509_get_notBefore(X509 *);
+ASN1_TIME *X509_get_notAfter(X509 *);
+ASN1_TIME *X509_getm_notBefore(X509 *);
+ASN1_TIME *X509_getm_notAfter(X509 *);
+
+long X509_REQ_get_version(X509_REQ *);
+X509_NAME *X509_REQ_get_subject_name(X509_REQ *);
+
+Cryptography_STACK_OF_X509 *sk_X509_new_null(void);
+void sk_X509_free(Cryptography_STACK_OF_X509 *);
+int sk_X509_num(Cryptography_STACK_OF_X509 *);
+int sk_X509_push(Cryptography_STACK_OF_X509 *, X509 *);
+X509 *sk_X509_value(Cryptography_STACK_OF_X509 *, int);
+
+X509_EXTENSIONS *sk_X509_EXTENSION_new_null(void);
+int sk_X509_EXTENSION_num(X509_EXTENSIONS *);
+X509_EXTENSION *sk_X509_EXTENSION_value(X509_EXTENSIONS *, int);
+int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *);
+int sk_X509_EXTENSION_insert(X509_EXTENSIONS *, X509_EXTENSION *, int);
+X509_EXTENSION *sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int);
+void sk_X509_EXTENSION_free(X509_EXTENSIONS *);
+void sk_X509_EXTENSION_pop_free(X509_EXTENSIONS *, sk_X509_EXTENSION_freefunc);
+
+int sk_X509_REVOKED_num(Cryptography_STACK_OF_X509_REVOKED *);
+X509_REVOKED *sk_X509_REVOKED_value(Cryptography_STACK_OF_X509_REVOKED *, int);
+
+Cryptography_STACK_OF_X509_CRL *sk_X509_CRL_new_null(void);
+void sk_X509_CRL_free(Cryptography_STACK_OF_X509_CRL *);
+int sk_X509_CRL_num(Cryptography_STACK_OF_X509_CRL *);
+int sk_X509_CRL_push(Cryptography_STACK_OF_X509_CRL *, X509_CRL *);
+X509_CRL *sk_X509_CRL_value(Cryptography_STACK_OF_X509_CRL *, int);
+
+long X509_CRL_get_version(X509_CRL *);
+ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *);
+ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *);
+X509_NAME *X509_CRL_get_issuer(X509_CRL *);
+Cryptography_STACK_OF_X509_REVOKED *X509_CRL_get_REVOKED(X509_CRL *);
+
+/* These aren't macros these arguments are all const X on openssl > 1.0.x */
+int X509_CRL_set_lastUpdate(X509_CRL *, ASN1_TIME *);
+int X509_CRL_set_nextUpdate(X509_CRL *, ASN1_TIME *);
+int X509_set_notBefore(X509 *, ASN1_TIME *);
+int X509_set_notAfter(X509 *, ASN1_TIME *);
+int X509_set1_notBefore(X509 *, ASN1_TIME *);
+int X509_set1_notAfter(X509 *, ASN1_TIME *);
+
+EC_KEY *d2i_EC_PUBKEY_bio(BIO *, EC_KEY **);
+int i2d_EC_PUBKEY_bio(BIO *, EC_KEY *);
+EC_KEY *d2i_ECPrivateKey_bio(BIO *, EC_KEY **);
+int i2d_ECPrivateKey_bio(BIO *, EC_KEY *);
+
+// declared in safestack
+int sk_ASN1_OBJECT_num(Cryptography_STACK_OF_ASN1_OBJECT *);
+ASN1_OBJECT *sk_ASN1_OBJECT_value(Cryptography_STACK_OF_ASN1_OBJECT *, int);
+void sk_ASN1_OBJECT_free(Cryptography_STACK_OF_ASN1_OBJECT *);
+Cryptography_STACK_OF_ASN1_OBJECT *sk_ASN1_OBJECT_new_null(void);
+int sk_ASN1_OBJECT_push(Cryptography_STACK_OF_ASN1_OBJECT *, ASN1_OBJECT *);
+
+/* these functions were added in 1.1.0 */
+const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *);
+const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *);
+void X509_CRL_get0_signature(const X509_CRL *, const ASN1_BIT_STRING **,
+ const X509_ALGOR **);
+int i2d_re_X509_REQ_tbs(X509_REQ *, unsigned char **);
+int i2d_re_X509_CRL_tbs(X509_CRL *, unsigned char **);
+void X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **,
+ const X509_ALGOR **);
+"""
+
+CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_IS_LIBRESSL
+int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
+{
+ /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1
+ but older OpenSSLs don't have the enc ASN1_ENCODING member in the
+ X509 struct. Setting modified to 1 marks the encoding
+ (x->cert_info->enc.enc) as invalid, but since the entire struct isn't
+ present we don't care. */
+ return i2d_X509_CINF(x->cert_info, pp);
+}
+#endif
+
+/* Being kept around for pyOpenSSL */
+X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) {
+ return X509_REVOKED_dup(rev);
+}
+/* Added in 1.1.0 but we need it in all versions now due to the great
+ opaquing. */
+#if CRYPTOGRAPHY_IS_LIBRESSL
+int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
+{
+ req->req_info->enc.modified = 1;
+ return i2d_X509_REQ_INFO(req->req_info, pp);
+}
+int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
+ crl->crl->enc.modified = 1;
+ return i2d_X509_CRL_INFO(crl->crl, pp);
+}
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/x509_vfy.py b/contrib/python/cryptography/py3/_cffi_src/openssl/x509_vfy.py
new file mode 100644
index 0000000000..ba3d3dbb14
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/x509_vfy.py
@@ -0,0 +1,255 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/x509_vfy.h>
+
+/*
+ * This is part of a work-around for the difficulty cffi has in dealing with
+ * `STACK_OF(foo)` as the name of a type. We invent a new, simpler name that
+ * will be an alias for this type and use the alias throughout. This works
+ * together with another opaque typedef for the same name in the TYPES section.
+ * Note that the result is an opaque type.
+ */
+typedef STACK_OF(ASN1_OBJECT) Cryptography_STACK_OF_ASN1_OBJECT;
+typedef STACK_OF(X509_OBJECT) Cryptography_STACK_OF_X509_OBJECT;
+"""
+
+TYPES = """
+static const long Cryptography_HAS_102_VERIFICATION;
+static const long Cryptography_HAS_110_VERIFICATION_PARAMS;
+static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER;
+
+typedef ... Cryptography_STACK_OF_ASN1_OBJECT;
+typedef ... Cryptography_STACK_OF_X509_OBJECT;
+
+typedef ... X509_OBJECT;
+typedef ... X509_STORE;
+typedef ... X509_VERIFY_PARAM;
+typedef ... X509_STORE_CTX;
+
+typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **, X509_STORE_CTX *, X509 *);
+
+/* While these are defined in the source as ints, they're tagged here
+ as longs, just in case they ever grow to large, such as what we saw
+ with OP_ALL. */
+
+/* Verification error codes */
+static const int X509_V_OK;
+static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
+static const int X509_V_ERR_UNABLE_TO_GET_CRL;
+static const int X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE;
+static const int X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE;
+static const int X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+static const int X509_V_ERR_CERT_SIGNATURE_FAILURE;
+static const int X509_V_ERR_CRL_SIGNATURE_FAILURE;
+static const int X509_V_ERR_CERT_NOT_YET_VALID;
+static const int X509_V_ERR_CERT_HAS_EXPIRED;
+static const int X509_V_ERR_CRL_NOT_YET_VALID;
+static const int X509_V_ERR_CRL_HAS_EXPIRED;
+static const int X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
+static const int X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+static const int X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+static const int X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+static const int X509_V_ERR_OUT_OF_MEM;
+static const int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+static const int X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+static const int X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
+static const int X509_V_ERR_CERT_CHAIN_TOO_LONG;
+static const int X509_V_ERR_CERT_REVOKED;
+static const int X509_V_ERR_INVALID_CA;
+static const int X509_V_ERR_PATH_LENGTH_EXCEEDED;
+static const int X509_V_ERR_INVALID_PURPOSE;
+static const int X509_V_ERR_CERT_UNTRUSTED;
+static const int X509_V_ERR_CERT_REJECTED;
+static const int X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
+static const int X509_V_ERR_AKID_SKID_MISMATCH;
+static const int X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+static const int X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+static const int X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
+static const int X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
+static const int X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
+static const int X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
+static const int X509_V_ERR_INVALID_NON_CA;
+static const int X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+static const int X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+static const int X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+static const int X509_V_ERR_INVALID_EXTENSION;
+static const int X509_V_ERR_INVALID_POLICY_EXTENSION;
+static const int X509_V_ERR_NO_EXPLICIT_POLICY;
+static const int X509_V_ERR_DIFFERENT_CRL_SCOPE;
+static const int X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE;
+static const int X509_V_ERR_UNNESTED_RESOURCE;
+static const int X509_V_ERR_PERMITTED_VIOLATION;
+static const int X509_V_ERR_EXCLUDED_VIOLATION;
+static const int X509_V_ERR_SUBTREE_MINMAX;
+static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
+static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX;
+static const int X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+static const int X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
+static const int X509_V_ERR_SUITE_B_INVALID_VERSION;
+static const int X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
+static const int X509_V_ERR_SUITE_B_INVALID_CURVE;
+static const int X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
+static const int X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
+static const int X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
+static const int X509_V_ERR_HOSTNAME_MISMATCH;
+static const int X509_V_ERR_EMAIL_MISMATCH;
+static const int X509_V_ERR_IP_ADDRESS_MISMATCH;
+static const int X509_V_ERR_APPLICATION_VERIFICATION;
+
+/* Verification parameters */
+static const long X509_V_FLAG_CB_ISSUER_CHECK;
+static const long X509_V_FLAG_USE_CHECK_TIME;
+static const long X509_V_FLAG_CRL_CHECK;
+static const long X509_V_FLAG_CRL_CHECK_ALL;
+static const long X509_V_FLAG_IGNORE_CRITICAL;
+static const long X509_V_FLAG_X509_STRICT;
+static const long X509_V_FLAG_ALLOW_PROXY_CERTS;
+static const long X509_V_FLAG_POLICY_CHECK;
+static const long X509_V_FLAG_EXPLICIT_POLICY;
+static const long X509_V_FLAG_INHIBIT_ANY;
+static const long X509_V_FLAG_INHIBIT_MAP;
+static const long X509_V_FLAG_NOTIFY_POLICY;
+static const long X509_V_FLAG_EXTENDED_CRL_SUPPORT;
+static const long X509_V_FLAG_USE_DELTAS;
+static const long X509_V_FLAG_CHECK_SS_SIGNATURE;
+static const long X509_V_FLAG_TRUSTED_FIRST;
+static const long X509_V_FLAG_SUITEB_128_LOS_ONLY;
+static const long X509_V_FLAG_SUITEB_192_LOS;
+static const long X509_V_FLAG_SUITEB_128_LOS;
+static const long X509_V_FLAG_PARTIAL_CHAIN;
+
+static const long X509_LU_X509;
+static const long X509_LU_CRL;
+
+static const long X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
+static const long X509_CHECK_FLAG_NO_WILDCARDS;
+static const long X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
+static const long X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
+static const long X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
+static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
+"""
+
+FUNCTIONS = """
+int X509_verify_cert(X509_STORE_CTX *);
+
+/* X509_STORE */
+X509_STORE *X509_STORE_new(void);
+int X509_STORE_add_cert(X509_STORE *, X509 *);
+int X509_STORE_add_crl(X509_STORE *, X509_CRL *);
+int X509_STORE_load_locations(X509_STORE *, const char *, const char *);
+int X509_STORE_set1_param(X509_STORE *, X509_VERIFY_PARAM *);
+int X509_STORE_set_default_paths(X509_STORE *);
+int X509_STORE_set_flags(X509_STORE *, unsigned long);
+void X509_STORE_free(X509_STORE *);
+
+/* X509_STORE_CTX */
+X509_STORE_CTX *X509_STORE_CTX_new(void);
+void X509_STORE_CTX_cleanup(X509_STORE_CTX *);
+void X509_STORE_CTX_free(X509_STORE_CTX *);
+int X509_STORE_CTX_init(X509_STORE_CTX *, X509_STORE *, X509 *,
+ Cryptography_STACK_OF_X509 *);
+void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *,
+ Cryptography_STACK_OF_X509 *);
+void X509_STORE_CTX_set_cert(X509_STORE_CTX *, X509 *);
+void X509_STORE_CTX_set_chain(X509_STORE_CTX *,Cryptography_STACK_OF_X509 *);
+X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *);
+void X509_STORE_CTX_set0_param(X509_STORE_CTX *, X509_VERIFY_PARAM *);
+int X509_STORE_CTX_set_default(X509_STORE_CTX *, const char *);
+void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *,
+ int (*)(int, X509_STORE_CTX *));
+Cryptography_STACK_OF_X509 *X509_STORE_CTX_get_chain(X509_STORE_CTX *);
+Cryptography_STACK_OF_X509 *X509_STORE_CTX_get1_chain(X509_STORE_CTX *);
+int X509_STORE_CTX_get_error(X509_STORE_CTX *);
+void X509_STORE_CTX_set_error(X509_STORE_CTX *, int);
+int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *);
+X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *);
+int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *, int, void *);
+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *, int);
+int X509_STORE_CTX_get1_issuer(X509 **, X509_STORE_CTX *, X509 *);
+
+/* X509_VERIFY_PARAM */
+X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
+int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *, unsigned long);
+int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *, unsigned long);
+unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *);
+int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *, int);
+int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *, int);
+void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *, time_t);
+int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *, ASN1_OBJECT *);
+int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *,
+ Cryptography_STACK_OF_ASN1_OBJECT *);
+void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *, int);
+int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *);
+void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *);
+/* this CRYPTO_EX_DATA function became a macro in 1.1.0 */
+int X509_STORE_CTX_get_ex_new_index(long, void *, CRYPTO_EX_new *,
+ CRYPTO_EX_dup *, CRYPTO_EX_free *);
+
+/* X509_STORE_CTX */
+void X509_STORE_CTX_set0_crls(X509_STORE_CTX *,
+ Cryptography_STACK_OF_X509_CRL *);
+
+/* X509_VERIFY_PARAM */
+int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const char *,
+ size_t);
+void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int);
+int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *,
+ size_t);
+int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *,
+ size_t);
+int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *);
+
+int sk_X509_OBJECT_num(Cryptography_STACK_OF_X509_OBJECT *);
+X509_OBJECT *sk_X509_OBJECT_value(Cryptography_STACK_OF_X509_OBJECT *, int);
+X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *);
+Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *);
+X509 *X509_OBJECT_get0_X509(X509_OBJECT *);
+int X509_OBJECT_get_type(const X509_OBJECT *);
+
+/* added in 1.1.0 */
+X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *);
+X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *);
+void X509_STORE_set_get_issuer(X509_STORE *, X509_STORE_CTX_get_issuer_fn);
+"""
+
+CUSTOMIZATIONS = """
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_102_VERIFICATION = 1;
+#else
+static const long Cryptography_HAS_102_VERIFICATION = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
+static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
+static const long X509_V_FLAG_SUITEB_192_LOS = 0;
+static const long X509_V_FLAG_SUITEB_128_LOS = 0;
+#endif
+
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 0;
+#ifndef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
+static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0;
+#endif
+#else
+static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 1;
+#endif
+
+#if CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 0;
+typedef void *X509_STORE_CTX_get_issuer_fn;
+X509_STORE_CTX_get_issuer_fn (*X509_STORE_get_get_issuer)(X509_STORE *) = NULL;
+void (*X509_STORE_set_get_issuer)(X509_STORE *,
+ X509_STORE_CTX_get_issuer_fn) = NULL;
+#else
+static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1;
+#endif
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/x509name.py b/contrib/python/cryptography/py3/_cffi_src/openssl/x509name.py
new file mode 100644
index 0000000000..1fbe26aa74
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/x509name.py
@@ -0,0 +1,78 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/x509.h>
+
+/*
+ * See the comment above Cryptography_STACK_OF_X509 in x509.py
+ */
+typedef STACK_OF(X509_NAME) Cryptography_STACK_OF_X509_NAME;
+typedef STACK_OF(X509_NAME_ENTRY) Cryptography_STACK_OF_X509_NAME_ENTRY;
+"""
+
+TYPES = """
+typedef ... Cryptography_STACK_OF_X509_NAME_ENTRY;
+typedef ... X509_NAME;
+typedef ... X509_NAME_ENTRY;
+typedef ... Cryptography_STACK_OF_X509_NAME;
+"""
+
+FUNCTIONS = """
+X509_NAME *X509_NAME_new(void);
+void X509_NAME_free(X509_NAME *);
+
+unsigned long X509_NAME_hash(X509_NAME *);
+
+int i2d_X509_NAME(X509_NAME *, unsigned char **);
+int X509_NAME_add_entry_by_txt(X509_NAME *, const char *, int,
+ const unsigned char *, int, int, int);
+X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *, int);
+void X509_NAME_ENTRY_free(X509_NAME_ENTRY *);
+int X509_NAME_get_index_by_NID(X509_NAME *, int, int);
+int X509_NAME_cmp(const X509_NAME *, const X509_NAME *);
+X509_NAME *X509_NAME_dup(X509_NAME *);
+int X509_NAME_ENTRY_set(X509_NAME_ENTRY *);
+/* These became const X509_NAME * in 1.1.0 */
+int X509_NAME_entry_count(X509_NAME *);
+X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *, int);
+char *X509_NAME_oneline(X509_NAME *, char *, int);
+int X509_NAME_print_ex(BIO *, X509_NAME *, int, unsigned long);
+
+/* These became const X509_NAME_ENTRY * in 1.1.0 */
+ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *);
+ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *);
+int X509_NAME_add_entry(X509_NAME *, X509_NAME_ENTRY *, int, int);
+
+/* this became const unsigned char * in 1.1.0 */
+int X509_NAME_add_entry_by_NID(X509_NAME *, int, int, unsigned char *,
+ int, int, int);
+
+/* These became const ASN1_OBJECT * in 1.1.0 */
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **,
+ ASN1_OBJECT *, int,
+ const unsigned char *, int);
+int X509_NAME_add_entry_by_OBJ(X509_NAME *, ASN1_OBJECT *, int,
+ unsigned char *, int, int, int);
+
+Cryptography_STACK_OF_X509_NAME *sk_X509_NAME_new_null(void);
+int sk_X509_NAME_num(Cryptography_STACK_OF_X509_NAME *);
+int sk_X509_NAME_push(Cryptography_STACK_OF_X509_NAME *, X509_NAME *);
+X509_NAME *sk_X509_NAME_value(Cryptography_STACK_OF_X509_NAME *, int);
+void sk_X509_NAME_free(Cryptography_STACK_OF_X509_NAME *);
+int sk_X509_NAME_ENTRY_num(Cryptography_STACK_OF_X509_NAME_ENTRY *);
+Cryptography_STACK_OF_X509_NAME_ENTRY *sk_X509_NAME_ENTRY_new_null(void);
+int sk_X509_NAME_ENTRY_push(Cryptography_STACK_OF_X509_NAME_ENTRY *,
+ X509_NAME_ENTRY *);
+X509_NAME_ENTRY *sk_X509_NAME_ENTRY_value(
+ Cryptography_STACK_OF_X509_NAME_ENTRY *, int);
+Cryptography_STACK_OF_X509_NAME_ENTRY *sk_X509_NAME_ENTRY_dup(
+ Cryptography_STACK_OF_X509_NAME_ENTRY *
+);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/openssl/x509v3.py b/contrib/python/cryptography/py3/_cffi_src/openssl/x509v3.py
new file mode 100644
index 0000000000..5968120652
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/openssl/x509v3.py
@@ -0,0 +1,314 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/x509v3.h>
+
+/*
+ * This is part of a work-around for the difficulty cffi has in dealing with
+ * `LHASH_OF(foo)` as the name of a type. We invent a new, simpler name that
+ * will be an alias for this type and use the alias throughout. This works
+ * together with another opaque typedef for the same name in the TYPES section.
+ * Note that the result is an opaque type.
+ */
+typedef LHASH_OF(CONF_VALUE) Cryptography_LHASH_OF_CONF_VALUE;
+
+typedef STACK_OF(ACCESS_DESCRIPTION) Cryptography_STACK_OF_ACCESS_DESCRIPTION;
+typedef STACK_OF(DIST_POINT) Cryptography_STACK_OF_DIST_POINT;
+typedef STACK_OF(POLICYQUALINFO) Cryptography_STACK_OF_POLICYQUALINFO;
+typedef STACK_OF(POLICYINFO) Cryptography_STACK_OF_POLICYINFO;
+typedef STACK_OF(ASN1_INTEGER) Cryptography_STACK_OF_ASN1_INTEGER;
+typedef STACK_OF(GENERAL_SUBTREE) Cryptography_STACK_OF_GENERAL_SUBTREE;
+"""
+
+TYPES = """
+typedef ... Cryptography_STACK_OF_ACCESS_DESCRIPTION;
+typedef ... Cryptography_STACK_OF_POLICYQUALINFO;
+typedef ... Cryptography_STACK_OF_POLICYINFO;
+typedef ... Cryptography_STACK_OF_ASN1_INTEGER;
+typedef ... Cryptography_STACK_OF_GENERAL_SUBTREE;
+typedef ... EXTENDED_KEY_USAGE;
+typedef ... CONF;
+
+typedef struct {
+ X509 *issuer_cert;
+ X509 *subject_cert;
+ ...;
+} X509V3_CTX;
+
+typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char **, long);
+
+static const int GEN_OTHERNAME;
+static const int GEN_EMAIL;
+static const int GEN_X400;
+static const int GEN_DNS;
+static const int GEN_URI;
+static const int GEN_DIRNAME;
+static const int GEN_EDIPARTY;
+static const int GEN_IPADD;
+static const int GEN_RID;
+
+typedef struct {
+ ASN1_OBJECT *type_id;
+ ASN1_TYPE *value;
+} OTHERNAME;
+
+typedef struct {
+ ...;
+} EDIPARTYNAME;
+
+typedef struct {
+ int ca;
+ ASN1_INTEGER *pathlen;
+} BASIC_CONSTRAINTS;
+
+typedef struct {
+ Cryptography_STACK_OF_GENERAL_SUBTREE *permittedSubtrees;
+ Cryptography_STACK_OF_GENERAL_SUBTREE *excludedSubtrees;
+} NAME_CONSTRAINTS;
+
+typedef struct {
+ ASN1_INTEGER *requireExplicitPolicy;
+ ASN1_INTEGER *inhibitPolicyMapping;
+} POLICY_CONSTRAINTS;
+
+
+typedef struct {
+ int type;
+ union {
+ char *ptr;
+ OTHERNAME *otherName; /* otherName */
+ ASN1_IA5STRING *rfc822Name;
+ ASN1_IA5STRING *dNSName;
+ ASN1_TYPE *x400Address;
+ X509_NAME *directoryName;
+ EDIPARTYNAME *ediPartyName;
+ ASN1_IA5STRING *uniformResourceIdentifier;
+ ASN1_OCTET_STRING *iPAddress;
+ ASN1_OBJECT *registeredID;
+
+ /* Old names */
+ ASN1_OCTET_STRING *ip; /* iPAddress */
+ X509_NAME *dirn; /* dirn */
+ ASN1_IA5STRING *ia5; /* rfc822Name, dNSName, */
+ /* uniformResourceIdentifier */
+ ASN1_OBJECT *rid; /* registeredID */
+ ASN1_TYPE *other; /* x400Address */
+ } d;
+ ...;
+} GENERAL_NAME;
+
+typedef struct {
+ GENERAL_NAME *base;
+ ASN1_INTEGER *minimum;
+ ASN1_INTEGER *maximum;
+} GENERAL_SUBTREE;
+
+typedef struct stack_st_GENERAL_NAME GENERAL_NAMES;
+
+typedef struct {
+ ASN1_OCTET_STRING *keyid;
+ GENERAL_NAMES *issuer;
+ ASN1_INTEGER *serial;
+} AUTHORITY_KEYID;
+
+typedef struct {
+ ASN1_OBJECT *method;
+ GENERAL_NAME *location;
+} ACCESS_DESCRIPTION;
+
+typedef ... Cryptography_LHASH_OF_CONF_VALUE;
+
+
+typedef ... Cryptography_STACK_OF_DIST_POINT;
+
+typedef struct {
+ int type;
+ union {
+ GENERAL_NAMES *fullname;
+ Cryptography_STACK_OF_X509_NAME_ENTRY *relativename;
+ } name;
+ ...;
+} DIST_POINT_NAME;
+
+typedef struct {
+ DIST_POINT_NAME *distpoint;
+ ASN1_BIT_STRING *reasons;
+ GENERAL_NAMES *CRLissuer;
+ ...;
+} DIST_POINT;
+
+typedef struct {
+ DIST_POINT_NAME *distpoint;
+ int onlyuser;
+ int onlyCA;
+ ASN1_BIT_STRING *onlysomereasons;
+ int indirectCRL;
+ int onlyattr;
+} ISSUING_DIST_POINT;
+
+typedef struct {
+ ASN1_STRING *organization;
+ Cryptography_STACK_OF_ASN1_INTEGER *noticenos;
+} NOTICEREF;
+
+typedef struct {
+ NOTICEREF *noticeref;
+ ASN1_STRING *exptext;
+} USERNOTICE;
+
+typedef struct {
+ ASN1_OBJECT *pqualid;
+ union {
+ ASN1_IA5STRING *cpsuri;
+ USERNOTICE *usernotice;
+ ASN1_TYPE *other;
+ } d;
+} POLICYQUALINFO;
+
+typedef struct {
+ ASN1_OBJECT *policyid;
+ Cryptography_STACK_OF_POLICYQUALINFO *qualifiers;
+} POLICYINFO;
+
+typedef void (*sk_GENERAL_NAME_freefunc)(GENERAL_NAME *);
+typedef void (*sk_DIST_POINT_freefunc)(DIST_POINT *);
+typedef void (*sk_POLICYINFO_freefunc)(POLICYINFO *);
+typedef void (*sk_ACCESS_DESCRIPTION_freefunc)(ACCESS_DESCRIPTION *);
+"""
+
+
+FUNCTIONS = """
+int X509V3_EXT_add_alias(int, int);
+void X509V3_set_ctx(X509V3_CTX *, X509 *, X509 *, X509_REQ *, X509_CRL *, int);
+int GENERAL_NAME_print(BIO *, GENERAL_NAME *);
+GENERAL_NAMES *GENERAL_NAMES_new(void);
+void GENERAL_NAMES_free(GENERAL_NAMES *);
+void *X509V3_EXT_d2i(X509_EXTENSION *);
+int X509_check_ca(X509 *);
+/* X509 became a const arg in 1.1.0 */
+void *X509_get_ext_d2i(X509 *, int, int *, int *);
+/* The last two char * args became const char * in 1.1.0 */
+X509_EXTENSION *X509V3_EXT_nconf(CONF *, X509V3_CTX *, char *, char *);
+/* This is a macro defined by a call to DECLARE_ASN1_FUNCTIONS in the
+ x509v3.h header. */
+BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void);
+void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *);
+/* This is a macro defined by a call to DECLARE_ASN1_FUNCTIONS in the
+ x509v3.h header. */
+AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
+void AUTHORITY_KEYID_free(AUTHORITY_KEYID *);
+
+NAME_CONSTRAINTS *NAME_CONSTRAINTS_new(void);
+void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *);
+
+OTHERNAME *OTHERNAME_new(void);
+void OTHERNAME_free(OTHERNAME *);
+
+POLICY_CONSTRAINTS *POLICY_CONSTRAINTS_new(void);
+void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *);
+
+void *X509V3_set_ctx_nodb(X509V3_CTX *);
+
+int i2d_GENERAL_NAMES(GENERAL_NAMES *, unsigned char **);
+GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **, const unsigned char **,
+ long);
+
+int sk_GENERAL_NAME_num(struct stack_st_GENERAL_NAME *);
+int sk_GENERAL_NAME_push(struct stack_st_GENERAL_NAME *, GENERAL_NAME *);
+GENERAL_NAME *sk_GENERAL_NAME_value(struct stack_st_GENERAL_NAME *, int);
+void sk_GENERAL_NAME_pop_free(struct stack_st_GENERAL_NAME *,
+ sk_GENERAL_NAME_freefunc);
+
+Cryptography_STACK_OF_ACCESS_DESCRIPTION *sk_ACCESS_DESCRIPTION_new_null(void);
+int sk_ACCESS_DESCRIPTION_num(Cryptography_STACK_OF_ACCESS_DESCRIPTION *);
+ACCESS_DESCRIPTION *sk_ACCESS_DESCRIPTION_value(
+ Cryptography_STACK_OF_ACCESS_DESCRIPTION *, int
+);
+void sk_ACCESS_DESCRIPTION_free(Cryptography_STACK_OF_ACCESS_DESCRIPTION *);
+void sk_ACCESS_DESCRIPTION_pop_free(Cryptography_STACK_OF_ACCESS_DESCRIPTION *,
+ sk_ACCESS_DESCRIPTION_freefunc);
+int sk_ACCESS_DESCRIPTION_push(Cryptography_STACK_OF_ACCESS_DESCRIPTION *,
+ ACCESS_DESCRIPTION *);
+
+ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void);
+void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *);
+
+X509_EXTENSION *X509V3_EXT_conf_nid(Cryptography_LHASH_OF_CONF_VALUE *,
+ X509V3_CTX *, int, char *);
+
+Cryptography_STACK_OF_DIST_POINT *sk_DIST_POINT_new_null(void);
+void sk_DIST_POINT_free(Cryptography_STACK_OF_DIST_POINT *);
+int sk_DIST_POINT_num(Cryptography_STACK_OF_DIST_POINT *);
+DIST_POINT *sk_DIST_POINT_value(Cryptography_STACK_OF_DIST_POINT *, int);
+int sk_DIST_POINT_push(Cryptography_STACK_OF_DIST_POINT *, DIST_POINT *);
+void sk_DIST_POINT_pop_free(Cryptography_STACK_OF_DIST_POINT *,
+ sk_DIST_POINT_freefunc);
+void CRL_DIST_POINTS_free(Cryptography_STACK_OF_DIST_POINT *);
+
+void sk_POLICYINFO_free(Cryptography_STACK_OF_POLICYINFO *);
+int sk_POLICYINFO_num(Cryptography_STACK_OF_POLICYINFO *);
+POLICYINFO *sk_POLICYINFO_value(Cryptography_STACK_OF_POLICYINFO *, int);
+int sk_POLICYINFO_push(Cryptography_STACK_OF_POLICYINFO *, POLICYINFO *);
+Cryptography_STACK_OF_POLICYINFO *sk_POLICYINFO_new_null(void);
+void sk_POLICYINFO_pop_free(Cryptography_STACK_OF_POLICYINFO *,
+ sk_POLICYINFO_freefunc);
+void CERTIFICATEPOLICIES_free(Cryptography_STACK_OF_POLICYINFO *);
+
+POLICYINFO *POLICYINFO_new(void);
+void POLICYINFO_free(POLICYINFO *);
+
+POLICYQUALINFO *POLICYQUALINFO_new(void);
+void POLICYQUALINFO_free(POLICYQUALINFO *);
+
+NOTICEREF *NOTICEREF_new(void);
+void NOTICEREF_free(NOTICEREF *);
+
+USERNOTICE *USERNOTICE_new(void);
+void USERNOTICE_free(USERNOTICE *);
+
+void sk_POLICYQUALINFO_free(Cryptography_STACK_OF_POLICYQUALINFO *);
+int sk_POLICYQUALINFO_num(Cryptography_STACK_OF_POLICYQUALINFO *);
+POLICYQUALINFO *sk_POLICYQUALINFO_value(Cryptography_STACK_OF_POLICYQUALINFO *,
+ int);
+int sk_POLICYQUALINFO_push(Cryptography_STACK_OF_POLICYQUALINFO *,
+ POLICYQUALINFO *);
+Cryptography_STACK_OF_POLICYQUALINFO *sk_POLICYQUALINFO_new_null(void);
+
+Cryptography_STACK_OF_GENERAL_SUBTREE *sk_GENERAL_SUBTREE_new_null(void);
+void sk_GENERAL_SUBTREE_free(Cryptography_STACK_OF_GENERAL_SUBTREE *);
+int sk_GENERAL_SUBTREE_num(Cryptography_STACK_OF_GENERAL_SUBTREE *);
+GENERAL_SUBTREE *sk_GENERAL_SUBTREE_value(
+ Cryptography_STACK_OF_GENERAL_SUBTREE *, int
+);
+int sk_GENERAL_SUBTREE_push(Cryptography_STACK_OF_GENERAL_SUBTREE *,
+ GENERAL_SUBTREE *);
+
+GENERAL_SUBTREE *GENERAL_SUBTREE_new(void);
+
+void sk_ASN1_INTEGER_free(Cryptography_STACK_OF_ASN1_INTEGER *);
+int sk_ASN1_INTEGER_num(Cryptography_STACK_OF_ASN1_INTEGER *);
+ASN1_INTEGER *sk_ASN1_INTEGER_value(Cryptography_STACK_OF_ASN1_INTEGER *, int);
+int sk_ASN1_INTEGER_push(Cryptography_STACK_OF_ASN1_INTEGER *, ASN1_INTEGER *);
+Cryptography_STACK_OF_ASN1_INTEGER *sk_ASN1_INTEGER_new_null(void);
+
+X509_EXTENSION *X509V3_EXT_i2d(int, int, void *);
+
+DIST_POINT *DIST_POINT_new(void);
+void DIST_POINT_free(DIST_POINT *);
+
+DIST_POINT_NAME *DIST_POINT_NAME_new(void);
+void DIST_POINT_NAME_free(DIST_POINT_NAME *);
+
+GENERAL_NAME *GENERAL_NAME_new(void);
+void GENERAL_NAME_free(GENERAL_NAME *);
+
+ISSUING_DIST_POINT *ISSUING_DIST_POINT_new(void);
+void ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *);
+"""
+
+CUSTOMIZATIONS = """
+"""
diff --git a/contrib/python/cryptography/py3/_cffi_src/utils.py b/contrib/python/cryptography/py3/_cffi_src/utils.py
new file mode 100644
index 0000000000..56745a3e5b
--- /dev/null
+++ b/contrib/python/cryptography/py3/_cffi_src/utils.py
@@ -0,0 +1,110 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import os
+import sys
+from distutils.ccompiler import new_compiler
+from distutils.dist import Distribution
+
+from cffi import FFI
+
+
+# Load the cryptography __about__ to get the current package version
+base_src = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+about = {}
+with open(os.path.join(base_src, "cryptography", "__about__.py")) as f:
+ exec (f.read(), about)
+
+
+def build_ffi_for_binding(
+ module_name,
+ module_prefix,
+ modules,
+ libraries=[],
+ extra_compile_args=[],
+ extra_link_args=[],
+):
+ """
+ Modules listed in ``modules`` should have the following attributes:
+
+ * ``INCLUDES``: A string containing C includes.
+ * ``TYPES``: A string containing C declarations for types.
+ * ``FUNCTIONS``: A string containing C declarations for functions & macros.
+ * ``CUSTOMIZATIONS``: A string containing arbitrary top-level C code, this
+ can be used to do things like test for a define and provide an
+ alternate implementation based on that.
+ """
+ types = []
+ includes = []
+ functions = []
+ customizations = []
+ for name in modules:
+ __import__(module_prefix + name)
+ module = sys.modules[module_prefix + name]
+
+ types.append(module.TYPES)
+ functions.append(module.FUNCTIONS)
+ includes.append(module.INCLUDES)
+ customizations.append(module.CUSTOMIZATIONS)
+
+ verify_source = "\n".join(includes + customizations)
+ ffi = build_ffi(
+ module_name,
+ cdef_source="\n".join(types + functions),
+ verify_source=verify_source,
+ libraries=libraries,
+ extra_compile_args=extra_compile_args,
+ extra_link_args=extra_link_args,
+ )
+
+ return ffi
+
+
+def build_ffi(
+ module_name,
+ cdef_source,
+ verify_source,
+ libraries=[],
+ extra_compile_args=[],
+ extra_link_args=[],
+):
+ ffi = FFI()
+ # Always add the CRYPTOGRAPHY_PACKAGE_VERSION to the shared object
+ cdef_source += "\nstatic const char *const CRYPTOGRAPHY_PACKAGE_VERSION;"
+ verify_source += '\n#define CRYPTOGRAPHY_PACKAGE_VERSION "{}"'.format(
+ about["__version__"]
+ )
+ ffi.cdef(cdef_source)
+ ffi.set_source(
+ module_name,
+ verify_source,
+ libraries=libraries,
+ extra_compile_args=extra_compile_args,
+ extra_link_args=extra_link_args,
+ )
+ return ffi
+
+
+def extra_link_args(compiler_type):
+ if compiler_type == "msvc":
+ # Enable NX and ASLR for Windows builds on MSVC. These are enabled by
+ # default on Python 3.3+ but not on 2.x.
+ return ["/NXCOMPAT", "/DYNAMICBASE"]
+ else:
+ return []
+
+
+def compiler_type():
+ """
+ Gets the compiler type from distutils. On Windows with MSVC it will be
+ "msvc". On macOS and linux it is "unix".
+ """
+ dist = Distribution()
+ dist.parse_config_files()
+ cmd = dist.get_command_obj("build")
+ cmd.ensure_finalized()
+ compiler = new_compiler(compiler=cmd.compiler)
+ return compiler.compiler_type
--
cgit v1.2.3