Added TLS bindings for the new OpenSSL min/max protocol version APIs
fixes pyca#5379
closes pyca#5483
alex committed Dec 1, 2020
1 parent 6d858c8 commit 12da376
Showing 2 changed files with 36 additions and 4 deletions.
30 changes: 26 additions & 4 deletions src/_cffi_src/openssl/ssl.py
Expand Up @@ -24,6 +24,7 @@
static const long Cryptography_HAS_PSK;
static const long Cryptography_HAS_VERIFIED_CHAIN;
static const long Cryptography_HAS_KEYLOG;
static const long Cryptography_HAS_GET_PROTO_VERSION;
/* Internally invented symbol to tell us if SSL_MODE_RELEASE_BUFFERS is
* supported
Expand Down Expand Up @@ -312,6 +313,16 @@
long SSL_total_renegotiations(SSL *);
long SSL_get_secure_renegotiation_support(SSL *);
long SSL_CTX_set_min_proto_version(SSL_CTX *, int);
long SSL_CTX_set_max_proto_version(SSL_CTX *, int);
long SSL_set_min_proto_version(SSL *, int);
long SSL_set_max_proto_version(SSL *, int);
long SSL_CTX_get_min_proto_version(SSL_CTX *);
long SSL_CTX_get_max_proto_version(SSL_CTX *);
long SSL_get_min_proto_version(SSL *);
long SSL_get_max_proto_version(SSL *);
/* Defined as unsigned long because SSL_OP_ALL is greater than signed 32-bit
and Windows defines long as 32-bit. */
unsigned long SSL_CTX_set_options(SSL_CTX *, unsigned long);
Expand All @@ -330,10 +341,6 @@
/* methods */
/*
* TLSv1_1 and TLSv1_2 are recent additions. Only sufficiently new versions of
* OpenSSL support them.
*/
const SSL_METHOD *TLSv1_1_method(void);
const SSL_METHOD *TLSv1_1_server_method(void);
const SSL_METHOD *TLSv1_1_client_method(void);
Expand Down Expand Up @@ -363,6 +370,10 @@
const SSL_METHOD *SSLv23_server_method(void);
const SSL_METHOD *SSLv23_client_method(void);
const SSL_METHOD *TLS_method(void);
const SSL_METHOD *TLS_server_method(void);
const SSL_METHOD *TLS_client_method(void);
/*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/
SSL_CTX *SSL_CTX_new(SSL_METHOD *);
long SSL_CTX_get_timeout(const SSL_CTX *);
Expand Down Expand Up @@ -674,4 +685,15 @@
#else
static const long Cryptography_HAS_TLSv1_3 = 1;
#endif
#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL
static const long Cryptography_HAS_GET_PROTO_VERSION = 0;
long (*SSL_CTX_get_min_proto_version)(SSL_CTX *) = NULL;
long (*SSL_CTX_get_max_proto_version)(SSL_CTX *) = NULL;
long (*SSL_get_min_proto_version)(SSL *) = NULL;
long (*SSL_get_max_proto_version)(SSL *) = NULL;
#else
static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
#endif
"""
10 changes: 10 additions & 0 deletions src/cryptography/hazmat/bindings/openssl/_conditional.py
Expand Up @@ -262,6 +262,15 @@ def cryptography_has_srtp():
]


def cryptography_has_get_proto_version():
return [
"SSL_CTX_get_min_proto_version",
"SSL_CTX_get_max_proto_version",
"SSL_get_min_proto_version",
"SSL_get_max_proto_version",
]


# This is a mapping of
# {condition: function-returning-names-dependent-on-that-condition} so we can
# loop over them and delete unsupported names at runtime. It will be removed
Expand Down Expand Up @@ -309,4 +318,5 @@ def cryptography_has_srtp():
"Cryptography_HAS_ENGINE": cryptography_has_engine,
"Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
"Cryptography_HAS_SRTP": cryptography_has_srtp,
"Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
}
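Review bot: `cryptography_has_get_proto_version` must list exactly the symbols that the `Cryptography_HAS_GET_PROTO_VERSION` fallback in `_cffi_src/openssl/ssl.py` defines as NULL function pointers, otherwise a NULL pointer remains reachable on the binding object instead of being deleted at import time, and nothing here ties the two lists together. A comment on the function such as `# Keep in sync with the Cryptography_HAS_GET_PROTO_VERSION fallback in _cffi_src/openssl/ssl.py` would make the coupling visible to whoever adds the next symbol. The mapping dictionary that the second hunk extends begins outside the section.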
