Add flags to error on compile with incompatible pointer type  (#4455)

* try something a bit different.

* newer compiler plz

* permute

* fix some warnings

* fix getters on OpenSSL < 1.1.0

* this is getting involved

* given our compiler flags we can't have SSL_CTX_set_cookie_verify_cb
diff --git a/.travis.yml b/.travis.yml
index a85a8b6..a34c50e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -47,12 +47,18 @@
           env: TOXENV=py37 OPENSSL=1.1.1-pre9
           dist: xenial
           sudo: true
-        - python: 3.6
-          env: TOXENV=py36 LIBRESSL=2.4.5
-        - python: 3.6
-          env: TOXENV=py36 LIBRESSL=2.6.5
-        - python: 3.6
-          env: TOXENV=py36 LIBRESSL=2.7.4
+        - python: 3.7
+          env: TOXENV=py37 LIBRESSL=2.4.5
+          dist: xenial
+          sudo: true
+        - python: 3.7
+          env: TOXENV=py37 LIBRESSL=2.6.5
+          dist: xenial
+          sudo: true
+        - python: 3.7
+          env: TOXENV=py37 LIBRESSL=2.7.4
+          dist: xenial
+          sudo: true
         - python: 3.6
           env: TOXENV=docs OPENSSL=1.1.0i
           addons:
diff --git a/.travis/run.sh b/.travis/run.sh
index 352c252..5e0e56d 100755
--- a/.travis/run.sh
+++ b/.travis/run.sh
@@ -7,12 +7,14 @@
 fi
 if [ -n "${LIBRESSL}" ]; then
     OPENSSL=$LIBRESSL
+    export CFLAGS="-Werror -Wno-error=deprecated-declarations -Wno-error=discarded-qualifiers -Wno-error=unused-function"
 fi
+
 if [ -n "${OPENSSL}" ]; then
     OPENSSL_DIR="ossl-2/${OPENSSL}"
 
     export PATH="$HOME/$OPENSSL_DIR/bin:$PATH"
-    export CFLAGS="-I$HOME/$OPENSSL_DIR/include"
+    export CFLAGS="${CFLAGS} -I$HOME/$OPENSSL_DIR/include"
     # rpath on linux will cause it to use an absolute path so we don't need to
     # do LD_LIBRARY_PATH
     export LDFLAGS="-L$HOME/$OPENSSL_DIR/lib -Wl,-rpath=$HOME/$OPENSSL_DIR/lib"
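Review bot: The `-Werror` flag set is exported only inside the `LIBRESSL` branch, so the Travis jobs that set only `OPENSSL` still build the bindings with warnings non-fatal, and a pointer-type mismatch in an OpenSSL-only `#if` path would not fail the build there. If that is intentional, a comment above the export should say so and give the reason for each `-Wno-error=` exception, e.g. `# -Werror only on LibreSSL jobs; OpenSSL jobs are covered by <where>`. Separately, `CFLAGS="${CFLAGS} -I..."` now inherits whatever `CFLAGS` the CI environment already carries, where the old line overwrote it.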
diff --git a/Jenkinsfile b/Jenkinsfile
index f89728f..8bb15d6 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -210,7 +210,7 @@
                                 cd cryptography
                                 CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1 \
                                     LDFLAGS="/usr/local/opt/openssl\\@1.1/lib/libcrypto.a /usr/local/opt/openssl\\@1.1/lib/libssl.a" \
-                                    CFLAGS="-I/usr/local/opt/openssl\\@1.1/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types -Wno-error=unused-function -Wno-error=unused-command-line-argument -mmacosx-version-min=10.9" \
+                                    CFLAGS="-I/usr/local/opt/openssl\\@1.1/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -Wno-error=unused-command-line-argument -mmacosx-version-min=10.9" \
                                     tox -r --  --color=yes --wycheproof-root=../wycheproof
                                 virtualenv .venv
                                 source .venv/bin/activate
diff --git a/src/_cffi_src/openssl/ocsp.py b/src/_cffi_src/openssl/ocsp.py
index dbe0367..db8597a 100644
--- a/src/_cffi_src/openssl/ocsp.py
+++ b/src/_cffi_src/openssl/ocsp.py
@@ -149,12 +149,20 @@
     CRYPTOGRAPHY_OPENSSL_BETWEEN_111_and_111PRE9
 const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
 {
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+    return bs->signatureAlgorithm;
+#else
     return &bs->signatureAlgorithm;
+#endif
 }
 
 const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
 {
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+    return bs->tbsResponseData;
+#else
     return &bs->tbsResponseData;
+#endif
 }
 #endif
 """
diff --git a/src/_cffi_src/openssl/src/osrandom_engine.c b/src/_cffi_src/openssl/src/osrandom_engine.c
index 4fcd34f..947c79a 100644
--- a/src/_cffi_src/openssl/src/osrandom_engine.c
+++ b/src/_cffi_src/openssl/src/osrandom_engine.c
@@ -149,7 +149,7 @@
 
 static int dev_urandom_read(unsigned char *buffer, int size) {
     int fd;
-    ssize_t n;
+    int n;
 
     fd = dev_urandom_fd();
     if (fd < 0) {
@@ -158,7 +158,7 @@
 
     while (size > 0) {
         do {
-            n = read(fd, buffer, (size_t)size);
+            n = (int)read(fd, buffer, (size_t)size);
         } while (n < 0 && errno == EINTR);
 
         if (n <= 0) {
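Review bot: The `(int)` cast on `read()` narrows `ssize_t` without recording why it cannot truncate, and the same applies to `size -= (int)n;` in the last hunk of this file, where the declaration of `n` is outside the hunk. Here the request length is `(size_t)size` with `size` a positive `int`, so a successful return fits in `int` and `-1` survives the cast. Since this is the engine's entropy path, the invariant deserves a comment next to the cast, e.g. `/* read() returns at most size (a positive int) or -1, so the cast cannot truncate */`. The body of `dev_urandom_read` continues outside the hunk.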
@@ -219,7 +219,7 @@
 }
 
 static int osrandom_rand_bytes(unsigned char *buffer, int size) {
-    size_t len;
+    int len;
     int res;
 
     switch(getentropy_works) {
@@ -230,8 +230,8 @@
     case CRYPTOGRAPHY_OSRANDOM_GETENTROPY_WORKS:
         while (size > 0) {
             /* OpenBSD and macOS restrict maximum buffer size to 256. */
-            len = size > 256 ? 256 : (size_t)size;
-            res = getentropy(buffer, len);
+            len = size > 256 ? 256 : size;
+            res = getentropy(buffer, (size_t)len);
             if (res < 0) {
                 ERR_Cryptography_OSRandom_error(
                     CRYPTOGRAPHY_OSRANDOM_F_RAND_BYTES,
@@ -362,7 +362,7 @@
                 return 0;
             }
             buffer += n;
-            size -= n;
+            size -= (int)n;
         }
         return 1;
     }
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 2aa5d01..2e32b8f 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -238,12 +238,6 @@
                                         unsigned char *,
                                         unsigned int *
                                     ));
-void SSL_CTX_set_cookie_verify_cb(SSL_CTX *,
-                                  int (*)(
-                                      SSL *,
-                                      const unsigned char *,
-                                      unsigned int
-                                  ));
 long SSL_CTX_get_read_ahead(SSL_CTX *);
 long SSL_CTX_set_read_ahead(SSL_CTX *, long);
 
@@ -285,7 +279,10 @@
 /* Information about actually used cipher */
 const char *SSL_CIPHER_get_name(const SSL_CIPHER *);
 int SSL_CIPHER_get_bits(const SSL_CIPHER *, int *);
-uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *);
+/* the modern signature of this is uint32_t, but older openssl declared it
+   as unsigned long. To make our compiler flags happy we'll declare it as a
+   64-bit wide value, which should always be safe */
+uint64_t SSL_CIPHER_get_id(const SSL_CIPHER *);
 int SSL_CIPHER_is_aead(const SSL_CIPHER *);
 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *);
 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *);
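Review bot: The new comment on `SSL_CIPHER_get_id` says the 64-bit declaration "should always be safe" without saying what makes it safe. If the reasoning is that the generated wrapper calls through the library header's own prototype and the result is then widened by an ordinary integer conversion, the comment should state that, e.g. `/* the call uses the header's prototype, so the uint32_t / unsigned long result is widened, never reinterpreted */`. I cannot confirm from this hunk how the binding is generated, so treat that wording as a suggestion to verify.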
@@ -700,10 +697,10 @@
 const SSL_METHOD *(*DTLS_method)(void) = NULL;
 const SSL_METHOD *(*DTLS_server_method)(void) = NULL;
 const SSL_METHOD *(*DTLS_client_method)(void) = NULL;
-static const long SSL_OP_NO_DTLSv1 = NULL;
-static const long SSL_OP_NO_DTLSv1_2 = NULL;
-long *(*DTLS_set_link_mtu)(SSL *, long) = NULL;
-long *(*DTLS_get_link_min_mtu)(SSL *) = NULL;
+static const long SSL_OP_NO_DTLSv1 = 0;
+static const long SSL_OP_NO_DTLSv1_2 = 0;
+long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
+long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
 #else
 static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1;
 #endif
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 3f2ac90..748c6c8 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -260,8 +260,8 @@
 
 const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *);
 
-/* in 1.1.0 becomes const ASN1_BIT_STRING, const X509_ALGOR */
-void X509_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509 *);
+void X509_get0_signature(const ASN1_BIT_STRING **,
+                         const X509_ALGOR **, const X509 *);
 
 long X509_get_version(X509 *);
 
@@ -347,8 +347,8 @@
    opaquing. */
 #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER
 /* from x509/x_x509.c version 1.0.2 */
-void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
-                         const X509 *x)
+void X509_get0_signature(const ASN1_BIT_STRING **psig,
+                         const X509_ALGOR **palg, const X509 *x)
 {
     if (psig)
         *psig = x->signature;
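Review bot: The provenance comment `/* from x509/x_x509.c version 1.0.2 */` above this shim no longer matches the code, because the out-parameters are now `const`-qualified and differ from what was copied. Suggest `/* adapted from x509/x_x509.c version 1.0.2; out-params made const to match the 1.1.0 prototype */`. The declaration hunk earlier in this file also drops the comment that recorded the pre-1.1.0 non-const signature, so nothing in the file now says the cdef deliberately differs from older headers; a one-line replacement there would keep that visible. The function body continues outside the hunk.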