Setters and Getters for SSL/CTX Protocols

From pyca#5379 : Added bindings for SSL / CTX interfaces to SET min and max protocol versions (added in OpenSSL 1.1.0). Added bindings for SSL / CTX interfaces to GET min and max protocol versions (added in OpenSSL 1.1.1). Added conditional build variables to allow compilation on systems not offering these interfaces via the compiled library.

Merge branch 'Min_Proto_Bindings' of github.com:th3b0x/cryptography into th3b0x-TLS_method-patch

.github/workflows/ci.yml

@@ -17,8 +17,7 @@ jobs:
         PYTHON:
           - {VERSION: "2.7", TOXENV: "py27", EXTRA_CFLAGS: ""}
           - {VERSION: "3.5", TOXENV: "py35", EXTRA_CFLAGS: ""}
-          - {VERSION: "3.8", TOXENV: "py38", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"}
-          - {VERSION: "3.9.0-rc.1", TOXENV: "py39"}
+          - {VERSION: "3.9", TOXENV: "py39", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"}
     name: "Python ${{ matrix.PYTHON.VERSION }} on macOS"
     steps:
       - uses: actions/checkout@master
@@ -63,8 +62,8 @@ jobs:
           - {VERSION: "3.5", TOXENV: "py35", MSVC_VERSION: "2019", CL_FLAGS: ""}
           - {VERSION: "3.6", TOXENV: "py36", MSVC_VERSION: "2019", CL_FLAGS: ""}
           - {VERSION: "3.7", TOXENV: "py37", MSVC_VERSION: "2019", CL_FLAGS: ""}
-          - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019", CL_FLAGS: "/D USE_OSRANDOM_RNG_FOR_TESTING"}
-          - {VERSION: "3.9.0-rc.1", TOXENV: "py39", MSVC_VERSION: "2019", CL_FLAGS: ""}
+          - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019", CL_FLAGS: ""}
+          - {VERSION: "3.9", TOXENV: "py39", MSVC_VERSION: "2019", CL_FLAGS: "/D USE_OSRANDOM_RNG_FOR_TESTING"}
     name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
     steps:
       - uses: actions/checkout@master

.travis.yml

@@ -54,7 +54,7 @@ matrix:
         - python: 3.8
           env: TOXENV=py38 LIBRESSL=3.1.4
         - python: 3.8
-          env: TOXENV=py38 LIBRESSL=3.2.1
+          env: TOXENV=py38 LIBRESSL=3.2.2
 
         - python: 2.7
           services: docker

.travis/downstream.d/twisted.sh

@@ -5,7 +5,7 @@ case "${1}" in
         git clone --depth=1 https://github.com/twisted/twisted
         cd twisted
         git rev-parse HEAD
-        pip install ".[tls,conch,http2]"
+        pip install ".[all_non_platform]"
         ;;
     run)
         cd twisted

src/_cffi_src/openssl/ssl.py

@@ -29,6 +29,8 @@
 static const long Cryptography_HAS_CIPHER_DETAILS;
 static const long Cryptography_HAS_VERIFIED_CHAIN;
 static const long Cryptography_HAS_KEYLOG;
+static const long Cryptography_HAS_PROTOCOL_SETTERS;
+static const long Cryptography_HAS_PROTOCOL_GETTERS;
 
 /* Internally invented symbol to tell us if SNI is supported */
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -198,6 +200,14 @@
 int SSL_renegotiate_pending(SSL *);
 const char *SSL_get_cipher_list(const SSL *, int);
 
+/* Added in 1.1.0 */
+int SSL_set_min_proto_version(SSL *ssl, int version);
+int SSL_set_max_proto_version(SSL *ssl, int version);
+
+/* Added in 1.1.1 */
+int SSL_get_min_proto_version(SSL *ssl);
+int SSL_get_max_proto_version(SSL *ssl);
+
 /*  context */
 void SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *, long);
@@ -265,6 +275,14 @@
 
 long SSL_CTX_set1_sigalgs_list(SSL_CTX *, const char *);
 
+/* Added in 1.1.0 */
+int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
+int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
+
+/* Added in 1.1.1 */
+int SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
+int SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
+
 /*  SSL_SESSION */
 void SSL_SESSION_free(SSL_SESSION *);
 
@@ -766,4 +784,27 @@
 #define TLS_client_method SSLv23_client_method
 #define TLS_server_method SSLv23_server_method
 #endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL
+int (*SSL_CTX_set_min_proto_version)(SSL_CTX *ctx, int version) = NULL;
+int (*SSL_CTX_set_max_proto_version)(SSL_CTX *ctx, int version) = NULL;
+int (*SSL_set_min_proto_version)(SSL *ssl, int version) = NULL;
+int (*SSL_set_max_proto_version)(SSL *ssl, int version) = NULL;
+int (*SSL_CTX_get_min_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_CTX_get_max_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_get_min_proto_version)(SSL *ssl) = NULL;
+int (*SSL_get_max_proto_version)(SSL *ssl) = NULL;
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 0;
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 0;
+#elif CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL
+int (*SSL_CTX_get_min_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_CTX_get_max_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_get_min_proto_version)(SSL *ssl) = NULL;
+int (*SSL_get_max_proto_version)(SSL *ssl) = NULL;
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 1;
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 0;
+#else
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 1;
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 1;
+#endif
 """

src/cryptography/hazmat/bindings/openssl/_conditional.py

@@ -291,6 +291,24 @@ def cryptography_has_srtp():
     ]
 
 
+def cryptography_has_protocol_setters():
+    return [
+        "SSL_CTX_set_min_proto_version",
+        "SSL_CTX_set_max_proto_version",
+        "SSL_set_min_proto_version",
+        "SSL_set_max_proto_version",
+    ]
+
+
+def cryptography_has_protocol_getters():
+    return [
+        "SSL_CTX_get_min_proto_version",
+        "SSL_CTX_get_max_proto_version",
+        "SSL_get_min_proto_version",
+        "SSL_get_max_proto_version",
+    ]
+
+
 # This is a mapping of
 # {condition: function-returning-names-dependent-on-that-condition} so we can
 # loop over them and delete unsupported names at runtime. It will be removed
@@ -342,4 +360,6 @@ def cryptography_has_srtp():
     "Cryptography_HAS_ENGINE": cryptography_has_engine,
     "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
     "Cryptography_HAS_SRTP": cryptography_has_srtp,
+    "Cryptography_HAS_PROTOCOL_SETTERS": cryptography_has_protocol_setters,
+    "Cryptography_HAS_PROTOCOL_GETTERS": cryptography_has_protocol_getters,
 }