From e74895bffc5590639132a49d9905ef6bff1b0125 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor 
Date: Wed, 7 Oct 2020 09:26:05 -0400 
Subject: [PATCH 1/4] Update CI for 3.9 release (#5480) 
---
 .github/workflows/ci.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml 
index 0450c1a813ab..717504a61229 100644 
--- a/.github/workflows/ci.yml 
+++ b/.github/workflows/ci.yml 
@@ -17,8 +17,7 @@ jobs:
 PYTHON:
 - {VERSION: "2.7", TOXENV: "py27", EXTRA_CFLAGS: ""}
 - {VERSION: "3.5", TOXENV: "py35", EXTRA_CFLAGS: ""} 
- - {VERSION: "3.8", TOXENV: "py38", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"} 
- - {VERSION: "3.9.0-rc.1", TOXENV: "py39"} 
+ - {VERSION: "3.9", TOXENV: "py39", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"}
 name: "Python ${{ matrix.PYTHON.VERSION }} on macOS"
 steps:
 - uses: actions/checkout@master 
@@ -63,8 +62,8 @@ jobs:
 - {VERSION: "3.5", TOXENV: "py35", MSVC_VERSION: "2019", CL_FLAGS: ""}
 - {VERSION: "3.6", TOXENV: "py36", MSVC_VERSION: "2019", CL_FLAGS: ""}
 - {VERSION: "3.7", TOXENV: "py37", MSVC_VERSION: "2019", CL_FLAGS: ""} 
- - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019", CL_FLAGS: "/D USE_OSRANDOM_RNG_FOR_TESTING"} 
- - {VERSION: "3.9.0-rc.1", TOXENV: "py39", MSVC_VERSION: "2019", CL_FLAGS: ""} 
+ - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019", CL_FLAGS: ""} 
+ - {VERSION: "3.9", TOXENV: "py39", MSVC_VERSION: "2019", CL_FLAGS: "/D USE_OSRANDOM_RNG_FOR_TESTING"}
 name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
 steps:
 - uses: actions/checkout@master 
From 27026d37ffde697f76f84c8eb716ff2b8b983110 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor 
Date: Sat, 17 Oct 2020 19:49:36 -0400 
Subject: [PATCH 2/4] fixed twisted tests (#5489) 
---
 .travis/downstream.d/twisted.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.travis/downstream.d/twisted.sh b/.travis/downstream.d/twisted.sh 
index 3d45413bbe21..522e763ec3b7 100755 
--- a/.travis/downstream.d/twisted.sh 
+++ b/.travis/downstream.d/twisted.sh 
@@ -5,7 +5,7 @@ case "${1}" in
 git clone --depth=1 https://github.com/twisted/twisted
 cd twisted
 git rev-parse HEAD 
- pip install ".[tls,conch,http2]" 
+ pip install ".[all_non_platform]"
 ;;
 run)
 cd twisted 
From ca622468f7665ddda00b7358d0ba0652beba7a89 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor 
Date: Mon, 19 Oct 2020 10:28:09 -0400 
Subject: [PATCH 3/4] bumped to latest libressl (#5491) 
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.travis.yml b/.travis.yml 
index 51cb8841f43f..29349ed87109 100644 
--- a/.travis.yml 
+++ b/.travis.yml 
@@ -54,7 +54,7 @@ matrix:
 - python: 3.8
 env: TOXENV=py38 LIBRESSL=3.1.4
 - python: 3.8 
- env: TOXENV=py38 LIBRESSL=3.2.1 
+ env: TOXENV=py38 LIBRESSL=3.2.2
 - python: 2.7
 services: docker 
From 50c398cc7b139731df66d731f1d2ed68b7beb21c Mon Sep 17 00:00:00 2001 
From: David Blevins 
Date: Sat, 24 Oct 2020 10:26:50 -0400 
Subject: [PATCH 4/4] Setters and Getters for SSL/CTX Protocols 
From #5379 : Added bindings for SSL / CTX interfaces to SET min and max protocol versions (added in OpenSSL 1.1.0). Added bindings for SSL / CTX interfaces to GET min and max protocol versions (added in OpenSSL 1.1.1). Added conditional build variables to allow compilation on systems not offering these interfaces via the compiled library. 
---
 src/_cffi_src/openssl/ssl.py | 41 +++++++++++++++++++
 .../hazmat/bindings/openssl/_conditional.py | 20 +++++++++
 2 files changed, 61 insertions(+) 
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py 
index c38e309a1835..a82fda77e2e5 100644 
--- a/src/_cffi_src/openssl/ssl.py 
+++ b/src/_cffi_src/openssl/ssl.py 
@@ -29,6 +29,8 @@
 static const long Cryptography_HAS_CIPHER_DETAILS;
 static const long Cryptography_HAS_VERIFIED_CHAIN;
 static const long Cryptography_HAS_KEYLOG; 
+static const long Cryptography_HAS_PROTOCOL_SETTERS; 
+static const long Cryptography_HAS_PROTOCOL_GETTERS;
 /* Internally invented symbol to tell us if SNI is supported */
 static const long Cryptography_HAS_TLSEXT_HOSTNAME; 
@@ -198,6 +200,14 @@
 int SSL_renegotiate_pending(SSL *);
 const char *SSL_get_cipher_list(const SSL *, int); 
+/* Added in 1.1.0 */ 
+int SSL_set_min_proto_version(SSL *ssl, int version); 
+int SSL_set_max_proto_version(SSL *ssl, int version); 
+ 
+/* Added in 1.1.1 */ 
+int SSL_get_min_proto_version(SSL *ssl); 
+int SSL_get_max_proto_version(SSL *ssl); 
+
 /* context */
 void SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *, long); 
@@ -265,6 +275,14 @@
 long SSL_CTX_set1_sigalgs_list(SSL_CTX *, const char *); 
+/* Added in 1.1.0 */ 
+int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); 
+int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version); 
+ 
+/* Added in 1.1.1 */ 
+int SSL_CTX_get_min_proto_version(SSL_CTX *ctx); 
+int SSL_CTX_get_max_proto_version(SSL_CTX *ctx); 
+
 /* SSL_SESSION */
 void SSL_SESSION_free(SSL_SESSION *); 
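Review bot: The eight new prototypes in the second and third hunks name their parameters (`int SSL_set_min_proto_version(SSL *ssl, int version);`) while every neighbouring declaration in this block leaves them unnamed (`long SSL_CTX_set_timeout(SSL_CTX *, long);`, `void SSL_CTX_free(SSL_CTX *);`), so for consistency they should read `int SSL_set_min_proto_version(SSL *, int);` and likewise for the other seven. The `/* Added in 1.1.0 */` and `/* Added in 1.1.1 */` markers are useful, but nothing at the declaration site says what a caller gets on an older library; a comment on the first prototype such as `/* NULL function pointers on libraries that lack them; check Cryptography_HAS_PROTOCOL_SETTERS / _GETTERS before use */` would point a reader at the fallback block near the end of this file. The declaration list these lines sit in starts and ends outside the hunk.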
@@ -755,4 +773,27 @@
 #else
 static const long Cryptography_HAS_TLSv1_3 = 1;
 #endif 
+ 
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL 
+int (*SSL_CTX_set_min_proto_version)(SSL_CTX *ctx, int version) = NULL; 
+int (*SSL_CTX_set_max_proto_version)(SSL_CTX *ctx, int version) = NULL; 
+int (*SSL_set_min_proto_version)(SSL *ssl, int version) = NULL; 
+int (*SSL_set_max_proto_version)(SSL *ssl, int version) = NULL; 
+int (*SSL_CTX_get_min_proto_version)(SSL_CTX *ctx) = NULL; 
+int (*SSL_CTX_get_max_proto_version)(SSL_CTX *ctx) = NULL; 
+int (*SSL_get_min_proto_version)(SSL *ssl) = NULL; 
+int (*SSL_get_max_proto_version)(SSL *ssl) = NULL; 
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 0; 
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 0; 
+#elif CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL 
+int (*SSL_CTX_get_min_proto_version)(SSL_CTX *ctx) = NULL; 
+int (*SSL_CTX_get_max_proto_version)(SSL_CTX *ctx) = NULL; 
+int (*SSL_get_min_proto_version)(SSL *ssl) = NULL; 
+int (*SSL_get_max_proto_version)(SSL *ssl) = NULL; 
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 1; 
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 0; 
+#else 
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 1; 
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 1; 
+#endif
 """ 
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py 
index cdc18eab6848..3d3035092a84 100644 
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py 
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py 
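Review bot: Both fallback branches carry `!CRYPTOGRAPHY_IS_LIBRESSL`, so every LibreSSL build falls into the `#else` branch and declares `Cryptography_HAS_PROTOCOL_SETTERS` and `Cryptography_HAS_PROTOCOL_GETTERS` as 1, which means all eight real `*_proto_version` symbols must be present in whatever LibreSSL the project links against or the extension will presumably fail to compile or link. Nothing in this hunk shows which LibreSSL releases provide the getters as well as the setters (the series only exercises 3.1.4 and 3.2.2 in .travis.yml), so that should be confirmed against the oldest LibreSSL the project supports, or given its own guard in the style of the `CRYPTOGRAPHY_OPENSSL_LESS_THAN_*` macros. The NULL function-pointer stubs are only safe because callers are expected to consult the `Cryptography_HAS_PROTOCOL_*` flags first and `_conditional.py` deletes the names at runtime; a comment on the `#if` line such as `/* Setters appeared in OpenSSL 1.1.0, getters in 1.1.1; LibreSSL is assumed to ship both. Stubs are NULL and must only be reached behind the HAS_ flags. */` would record that contract next to the code instead of only in the commit message. The enclosing string and the `Cryptography_HAS_TLSv1_3` block just above begin outside the hunk.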
@@ -291,6 +291,24 @@ def cryptography_has_srtp():
 ] 
+def cryptography_has_protocol_setters(): 
+ return [ 
+ "SSL_CTX_set_min_proto_version", 
+ "SSL_CTX_set_max_proto_version", 
+ "SSL_set_min_proto_version", 
+ "SSL_set_max_proto_version", 
+ ] 
+ 
+ 
+def cryptography_has_protocol_getters(): 
+ return [ 
+ "SSL_CTX_get_min_proto_version", 
+ "SSL_CTX_get_max_proto_version", 
+ "SSL_get_min_proto_version", 
+ "SSL_get_max_proto_version", 
+ ] 
+ 
+
 # This is a mapping of
 # {condition: function-returning-names-dependent-on-that-condition} so we can
 # loop over them and delete unsupported names at runtime. It will be removed 
@@ -342,4 +360,6 @@ def cryptography_has_srtp():
 "Cryptography_HAS_ENGINE": cryptography_has_engine,
 "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
 "Cryptography_HAS_SRTP": cryptography_has_srtp, 
+ "Cryptography_HAS_PROTOCOL_SETTERS": cryptography_has_protocol_setters, 
+ "Cryptography_HAS_PROTOCOL_GETTERS": cryptography_has_protocol_getters,
 }
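Review bot: The two new name lists have no comment tying them to the stubs they must mirror: `cryptography_has_protocol_setters` has to list exactly the symbols stubbed to NULL under `CRYPTOGRAPHY_OPENSSL_LESS_THAN_110` in src/_cffi_src/openssl/ssl.py, and `cryptography_has_protocol_getters` exactly those stubbed under `CRYPTOGRAPHY_OPENSSL_LESS_THAN_111`, since a name that drifts between the two files would leave a NULL stub reachable from Python instead of being deleted at runtime as the mapping comment below describes. A one-line comment above each function, e.g. `# Must match the NULL stubs for this flag in src/_cffi_src/openssl/ssl.py.`, makes that coupling explicit to whoever edits either file next. The function whose closing `]` opens the first hunk, `cryptography_has_srtp`, starts outside it.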