saltbundlepy-cryptography/fix-build-with-old-ssl.patch


--- a/src/_cffi_src/openssl/bio.py
+++ b/src/_cffi_src/openssl/bio.py
@@ -41,4 +41,7 @@
"""
CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+int (*BIO_up_ref)(BIO *) = NULL;
+#endif
"""
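Review bot: `BIO_up_ref` is exposed as a NULL function pointer with no `Cryptography_HAS_*` constant beside it, so nothing in this hunk lets the Python layer tell a real binding from a stub, and calling the stub dereferences NULL. The same pattern is used in the crypto.py, dh.py, dsa.py, evp.py, hmac.py, rsa.py, ssl.py and x509name.py hunks; nid.py, by contrast, pairs each fallback with a flag. If these names are not already stripped elsewhere (not visible in this patch), add a flag per group, e.g. `static const long Cryptography_HAS_BIO_UP_REF = 0;` (suggested name), and gate the names on it. This matters most for the ssl.py stubs `SSL_CTX_set_min_proto_version` and `SSL_set_min_proto_version`, where a caller enforcing a minimum TLS version would crash instead of being told to fall back.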
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -36,6 +36,8 @@
#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
(OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 \
+ (OPENSSL_VERSION_NUMBER < 0x10100000 || CRYPTOGRAPHY_IS_LIBRESSL)
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
(OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
@@ -44,6 +46,10 @@
(OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
(OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)
+
+#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+
#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \
!defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)
#define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1
--- a/src/_cffi_src/openssl/crypto.py
+++ b/src/_cffi_src/openssl/crypto.py
@@ -51,6 +51,10 @@
"""
CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+void (*OPENSSL_cleanup)(void) = NULL;
+#endif
+
/* In 1.1.0 SSLeay has finally been retired. We bidirectionally define the
values so you can use either one. This is so we can use the new function
names no matter what OpenSSL we're running on, but users on older pyOpenSSL
--- a/src/_cffi_src/openssl/dh.py
+++ b/src/_cffi_src/openssl/dh.py
@@ -38,6 +38,15 @@
"""
CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+/* added in 1.1.0 when the DH struct was opaqued */
+void (*DH_get0_pqg)(const DH *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **) = NULL;
+int (*DH_set0_pqg)(DH *, BIGNUM *, BIGNUM *, BIGNUM *) = NULL;
+void (*DH_get0_key)(const DH *, const BIGNUM **, const BIGNUM **) = NULL;
+int (*DH_set0_key)(DH *, BIGNUM *, BIGNUM *) = NULL;
+#endif
+
#if CRYPTOGRAPHY_IS_LIBRESSL
#ifndef DH_CHECK_Q_NOT_PRIME
#define DH_CHECK_Q_NOT_PRIME 0x10
--- a/src/_cffi_src/openssl/dsa.py
+++ b/src/_cffi_src/openssl/dsa.py
@@ -34,4 +34,11 @@
"""
CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+void (*DSA_get0_pqg)(const DSA *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **) = NULL;
+int (*DSA_set0_pqg)(DSA *, BIGNUM *, BIGNUM *, BIGNUM *) = NULL;
+void (*DSA_get0_key)(const DSA *, const BIGNUM **, const BIGNUM **);
+int (*DSA_set0_key)(DSA *, BIGNUM *, BIGNUM *) = NULL;
+#endif
"""
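Review bot: `DSA_get0_key` is the only stub in this block declared without `= NULL`. At file scope it is still zero-initialised, but as a tentative definition it behaves differently from its siblings if another definition of the name appears, and it reads like an oversight. Write it as `void (*DSA_get0_key)(const DSA *, const BIGNUM **, const BIGNUM **) = NULL;`.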
--- a/src/_cffi_src/openssl/evp.py
+++ b/src/_cffi_src/openssl/evp.py
@@ -134,6 +134,7 @@
const unsigned char *, size_t);
int EVP_DigestVerify(EVP_MD_CTX *, const unsigned char *, size_t,
const unsigned char *, size_t);
+
/* Added in 1.1.0 */
size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *, unsigned char **);
int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *, const unsigned char *,
@@ -179,12 +180,32 @@
return EVP_PKEY_id(key);
}
EVP_MD_CTX *Cryptography_EVP_MD_CTX_new(void) {
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ return EVP_MD_CTX_create();
+#else
return EVP_MD_CTX_new();
+#endif
}
+
void Cryptography_EVP_MD_CTX_free(EVP_MD_CTX *md) {
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ EVP_MD_CTX_destroy(md);
+#else
EVP_MD_CTX_free(md);
+#endif
}
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+EVP_MD_CTX *(*EVP_MD_CTX_new)(void) = NULL;
+void (*EVP_MD_CTX_free)(EVP_MD_CTX *) = NULL;
+int (*EVP_PBE_scrypt)(const char *, size_t, const unsigned char *, size_t,
+ uint64_t, uint64_t, uint64_t, uint64_t, unsigned char *,
+ size_t) = NULL;
+size_t (*EVP_PKEY_get1_tls_encodedpoint)(EVP_PKEY *, unsigned char **) = NULL;
+int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
+ size_t) = NULL;
+#endif
+
#if CRYPTOGRAPHY_IS_LIBRESSL || defined(OPENSSL_NO_SCRYPT)
static const long Cryptography_HAS_SCRYPT = 0;
int (*EVP_PBE_scrypt)(const char *, size_t, const unsigned char *, size_t,
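Review bot: `EVP_PBE_scrypt` now has two definitions when building against LibreSSL: the added `= NULL` pointer under `CRYPTOGRAPHY_OPENSSL_LESS_THAN_110`, which the cryptography.py hunk defines as true for LibreSSL, and the existing one under `#if CRYPTOGRAPHY_IS_LIBRESSL || defined(OPENSSL_NO_SCRYPT)` in the trailing context. On OpenSSL 1.0.x that second guard looks false unless the headers define `OPENSSL_NO_SCRYPT`, so the branch outside this hunk presumably still reports scrypt as available while the pointer is NULL. Dropping the added `EVP_PBE_scrypt` stub and widening the existing guard to `#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || defined(OPENSSL_NO_SCRYPT)` would cover both cases with one definition and keep `Cryptography_HAS_SCRYPT` accurate. The scrypt block continues past the end of the hunk.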
--- a/src/_cffi_src/openssl/hmac.py
+++ b/src/_cffi_src/openssl/hmac.py
@@ -23,4 +23,8 @@
"""
CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+HMAC_CTX *(*HMAC_CTX_new)(void) = NULL;
+void (*HMAC_CTX_free)(HMAC_CTX *ctx) = NULL;
+#endif
"""
--- a/src/_cffi_src/openssl/nid.py
+++ b/src/_cffi_src/openssl/nid.py
@@ -31,12 +31,24 @@
"""
CUSTOMIZATIONS = """
+#ifndef NID_X25519
+static const long Cryptography_HAS_X25519 = 0;
+static const int NID_X25519 = 0;
+#else
+static const long Cryptography_HAS_X25519 = 1;
+#endif
#ifndef NID_ED25519
static const long Cryptography_HAS_ED25519 = 0;
static const int NID_ED25519 = 0;
#else
static const long Cryptography_HAS_ED25519 = 1;
#endif
+#ifndef NID_X448
+static const long Cryptography_HAS_X448 = 0;
+static const int NID_X448 = 0;
+#else
+static const long Cryptography_HAS_X448 = 1;
+#endif
#ifndef NID_ED448
static const long Cryptography_HAS_ED448 = 0;
static const int NID_ED448 = 0;
--- a/src/_cffi_src/openssl/ocsp.py
+++ b/src/_cffi_src/openssl/ocsp.py
@@ -78,7 +78,7 @@
CUSTOMIZATIONS = """
#if ( \
- !CRYPTOGRAPHY_IS_LIBRESSL && \
+ CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && \
CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
)
/* These structs come from ocsp_lcl.h and are needed to de-opaque the struct
@@ -105,7 +105,7 @@
};
#endif
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */
const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
{
@@ -147,7 +147,7 @@
#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J
const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
{
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
return bs->signatureAlgorithm;
#else
return &bs->signatureAlgorithm;
@@ -156,7 +156,7 @@
const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
{
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
return bs->tbsResponseData;
#else
return &bs->tbsResponseData;
--- a/src/_cffi_src/openssl/rsa.py
+++ b/src/_cffi_src/openssl/rsa.py
@@ -58,4 +58,20 @@
int (*EVP_PKEY_CTX_set0_rsa_oaep_label)(EVP_PKEY_CTX *, unsigned char *,
int) = NULL;
#endif
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+int (*RSA_set0_key)(RSA *, BIGNUM *, BIGNUM *, BIGNUM *) = NULL;
+int (*RSA_set0_factors)(RSA *, BIGNUM *, BIGNUM *) = NULL;
+int (*RSA_set0_crt_params)(RSA *, BIGNUM *, BIGNUM *, BIGNUM *) = NULL;
+void (*RSA_get0_key)(const RSA *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **) = NULL;
+void (*RSA_get0_factors)(const RSA *, const BIGNUM **, const BIGNUM **) = NULL;
+void (*RSA_get0_crt_params)(const RSA *, const BIGNUM **, const BIGNUM **,
+ const BIGNUM **) = NULL;
+int (*EVP_PKEY_CTX_set_rsa_padding)(EVP_PKEY_CTX *, int) = NULL;
+int (*EVP_PKEY_CTX_set_rsa_pss_saltlen)(EVP_PKEY_CTX *, int) = NULL;
+int (*EVP_PKEY_CTX_set_rsa_mgf1_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
+int (*EVP_PKEY_CTX_set0_rsa_oaep_label)(EVP_PKEY_CTX *, unsigned char *, int) = NULL;
+
+//int (*EVP_PKEY_CTX_set_rsa_oaep_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
+#endif
"""
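Review bot: `EVP_PKEY_CTX_set0_rsa_oaep_label` is defined a second time in the added block, directly below an existing definition of the same pointer in the leading context lines. The guard of that earlier block is outside the hunk; if it can be true together with `CRYPTOGRAPHY_OPENSSL_LESS_THAN_110` (which includes LibreSSL), the two initialised definitions will not compile. The commented-out `EVP_PKEY_CTX_set_rsa_oaep_md` line should be removed, or replaced by a comment such as `/* EVP_PKEY_CTX_set_rsa_oaep_md is handled by <existing block> */` saying why it is left out.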
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -510,7 +510,7 @@
// users have upgraded. PersistentlyDeprecated2020
static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
#else
@@ -563,7 +563,7 @@
/* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were
removed */
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
static const long Cryptography_HAS_SSL_ST = 1;
#else
static const long Cryptography_HAS_SSL_ST = 0;
@@ -572,7 +572,7 @@
static const long SSL_ST_INIT = 0;
static const long SSL_ST_RENEGOTIATE = 0;
#endif
-#if !CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
static const long Cryptography_HAS_TLS_ST = 1;
#else
static const long Cryptography_HAS_TLS_ST = 0;
@@ -702,4 +702,28 @@
#else
static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
#endif
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+const SSL_METHOD *(*TLS_method)(void) = NULL;
+const SSL_METHOD *(*TLS_server_method)(void) = NULL;
+const SSL_METHOD *(*TLS_client_method)(void) = NULL;
+
+int (*SSL_CIPHER_is_aead)(const SSL_CIPHER *) = NULL;
+int (*SSL_CIPHER_get_cipher_nid)(const SSL_CIPHER *) = NULL;
+int (*SSL_CIPHER_get_digest_nid)(const SSL_CIPHER *) = NULL;
+int (*SSL_CIPHER_get_kx_nid)(const SSL_CIPHER *) = NULL;
+int (*SSL_CIPHER_get_auth_nid)(const SSL_CIPHER *) = NULL;
+
+long (*SSL_CTX_set_min_proto_version)(SSL_CTX *, int) = NULL;
+long (*SSL_CTX_set_max_proto_version)(SSL_CTX *, int) = NULL;
+long (*SSL_set_min_proto_version)(SSL *, int) = NULL;
+long (*SSL_set_max_proto_version)(SSL *, int) = NULL;
+
+int (*SSL_SESSION_has_ticket)(const SSL_SESSION *) = NULL;
+long (*SSL_SESSION_get_ticket_lifetime_hint)(const SSL_SESSION *) = NULL;
+
+size_t (*SSL_SESSION_get_master_key)(const SSL_SESSION *, unsigned char *,
+ size_t) = NULL;
+size_t (*SSL_get_client_random)(const SSL *, unsigned char *, size_t) = NULL;
+size_t (*SSL_get_server_random)(const SSL *, unsigned char *, size_t) = NULL;
+#endif
"""
--- a/src/_cffi_src/openssl/x509name.py
+++ b/src/_cffi_src/openssl/x509name.py
@@ -75,4 +75,7 @@
"""
CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+int (*X509_NAME_ENTRY_set)(X509_NAME_ENTRY *) = NULL;
+#endif
"""
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -288,7 +288,7 @@
}
/* Added in 1.1.0 but we need it in all versions now due to the great
opaquing. */
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
{
req->req_info->enc.modified = 1;
@@ -298,5 +298,45 @@
crl->crl->enc.modified = 1;
return i2d_X509_CRL_INFO(crl->crl, pp);
}
+
+int X509_up_ref(X509 *x) {
+ return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+}
+
+const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
+{
+ return x->cert_info->signature;
+}
+
+/* from x509/x509_req.c */
+void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
+ const X509_ALGOR **palg)
+{
+ if (psig != NULL)
+ *psig = req->signature;
+ if (palg != NULL)
+ *palg = req->sig_alg;
+}
+void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
+ const X509_ALGOR **palg)
+{
+ if (psig != NULL)
+ *psig = crl->signature;
+ if (palg != NULL)
+ *palg = crl->sig_alg;
+}
+const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *x)
+{
+ return x->revocationDate;
+}
+const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x)
+{
+ return x->serialNumber;
+}
+
+#define X509_set1_notBefore X509_set_notBefore
+#define X509_set1_notAfter X509_set_notAfter
+#define X509_getm_notAfter X509_get_notAfter
+#define X509_getm_notBefore X509_get_notBefore
#endif
"""
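Review bot: `X509_up_ref` returns the value of `CRYPTO_add`, i.e. the new reference count, whereas the 1.1.0 function it stands in for returns 1 on success and 0 on failure. A caller that checks `== 1` would treat a successful increment on an already-shared certificate as an error. Normalising the result with `return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509) > 1 ? 1 : 0;` keeps the shim's contract the same as the real API. The enclosing `#if` starts in the previous hunk.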
--- a/src/_cffi_src/openssl/x509_vfy.py
+++ b/src/_cffi_src/openssl/x509_vfy.py
@@ -234,7 +234,7 @@
static const long X509_V_FLAG_SUITEB_128_LOS = 0;
#endif
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 0;
#ifndef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0;
@@ -243,7 +243,30 @@
static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 1;
#endif
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER
+Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *ctx) {
+ return ctx->objs;
+}
+X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store) {
+ return store->param;
+}
+int X509_OBJECT_get_type(const X509_OBJECT *x) {
+ return x->type;
+}
+
+/* from x509/x509_vfy.c */
+X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+{
+ return ctx->cert;
+}
+
+X509 *X509_OBJECT_get0_X509(X509_OBJECT *x) {
+ return x->data.x509;
+}
+#endif
+
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 0;
typedef void *X509_STORE_CTX_get_issuer_fn;
X509_STORE_CTX_get_issuer_fn (*X509_STORE_get_get_issuer)(X509_STORE *) = NULL;
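Review bot: `CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER` in the new guard is not defined by any hunk of this patch, and an undefined identifier in `#if` evaluates to 0 without a diagnostic. If the macro is also absent from the unpatched cryptography.py, `!CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER` is always true and the accessor shims (`X509_STORE_get0_objects`, `X509_OBJECT_get_type` and the rest) are compiled for every LibreSSL version, including ones that may already provide them. Either define the macro next to the other version macros or guard with one the file is known to define. The `#if` block that follows the shims continues outside the hunk.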