From 07b81328def0e779214aaa9737a14a21926f497b Mon Sep 17 00:00:00 2001 From: David Blevins Date: Tue, 6 Oct 2020 15:26:51 -0400 Subject: [PATCH 1/6] Added TLS_method TLS_client_method and TLS_server_method hooks into the bindings with support for LibreSSL and OpenSSL Updated tests to cover new interfaces --- src/_cffi_src/openssl/ssl.py | 16 +++++ .../hazmat/bindings/openssl/_conditional.py | 13 ++++ tests/hazmat/backends/test_openssl.py | 16 ++++- tests/hazmat/bindings/test_openssl.py | 67 +++++++++++++++++++ 4 files changed, 111 insertions(+), 1 deletion(-) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index c38e309a1835..e68037201623 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -18,6 +18,7 @@ static const long Cryptography_HAS_TLSv1_1; static const long Cryptography_HAS_TLSv1_2; static const long Cryptography_HAS_TLSv1_3; +static const long Cryptography_HAS_TLS_METHOD; static const long Cryptography_HAS_SECURE_RENEGOTIATION; static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB; static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP; @@ -362,6 +363,11 @@ const SSL_METHOD *DTLSv1_server_method(void); const SSL_METHOD *DTLSv1_client_method(void); +/* Added in 1.1.0 */ +const SSL_METHOD *TLS_method(void); +const SSL_METHOD *TLS_client_method(void); +const SSL_METHOD *TLS_server_method(void); + /* Added in 1.0.2 */ const SSL_METHOD *DTLS_method(void); const SSL_METHOD *DTLS_server_method(void); @@ -501,6 +507,7 @@ """ CUSTOMIZATIONS = """ + #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 static const long Cryptography_HAS_VERIFIED_CHAIN = 0; Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL; @@ -755,4 +762,13 @@ #else static const long Cryptography_HAS_TLSv1_3 = 1; #endif + +#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL +static const long Cryptography_HAS_TLS_METHOD = 0; +const SSL_METHOD* (*TLS_method)(void) = NULL; +const SSL_METHOD* (*TLS_client_method)(void) = NULL; +const SSL_METHOD* (*TLS_server_method)(void) = NULL; +#else +static const long Cryptography_HAS_TLS_METHOD = 1; +#endif """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 9cf489acde06..e7e467e45269 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -270,6 +270,10 @@ def cryptography_has_engine(): "ENGINE_free", "ENGINE_get_name", "Cryptography_add_osrandom_engine", + "ENGINE_ctrl_cmd_string", + "ENGINE_load_builtin_engines", + "ENGINE_load_private_key", + "ENGINE_load_public_key", ] @@ -287,6 +291,14 @@ def cryptography_has_srtp(): ] +def cryptography_has_tls_method(): + return [ + "TLS_method", + "TLS_client_method", + "TLS_server_method", + ] + + # This is a mapping of # {condition: function-returning-names-dependent-on-that-condition} so we can # loop over them and delete unsupported names at runtime. It will be removed @@ -338,4 +350,5 @@ def cryptography_has_srtp(): "Cryptography_HAS_ENGINE": cryptography_has_engine, "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, "Cryptography_HAS_SRTP": cryptography_has_srtp, + "Cryptography_HAS_TLS_METHOD": cryptography_has_tls_method, } diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index acec247df4a9..12101edf62f4 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -91,7 +91,11 @@ def test_nonexistent_cipher(self, mode): type(mode), lambda backend, cipher, mode: backend._ffi.NULL, ) - cipher = Cipher(DummyCipherAlgorithm(), mode, backend=b,) + cipher = Cipher( + DummyCipherAlgorithm(), + mode, + backend=b, + ) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): cipher.encryptor() @@ -119,6 +123,16 @@ def test_ssl_ciphers_registered(self): assert ctx != backend._ffi.NULL backend._lib.SSL_CTX_free(ctx) + @pytest.mark.skipif( + backend._lib.Cryptography_HAS_TLS_METHOD == 0, + reason="Requires Library with TLS_method", + ) + def test_tls_ciphers_registered(self): + meth = backend._lib.TLS_method() + ctx = backend._lib.SSL_CTX_new(meth) + assert ctx != backend._ffi.NULL + backend._lib.SSL_CTX_free(ctx) + def test_evp_ciphers_registered(self): cipher = backend._lib.EVP_get_cipherbyname(b"aes-256-cbc") assert cipher != backend._ffi.NULL diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index a4f6ac015695..4dad99c0697f 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -4,6 +4,8 @@ from __future__ import absolute_import, division, print_function +import pretend + import pytest from cryptography.exceptions import InternalError @@ -11,6 +13,7 @@ Binding, _consume_errors, _openssl_assert, + _verify_openssl_version, _verify_package_version, ) @@ -82,6 +85,61 @@ def test_ssl_mode(self): assert resp == expected_options assert b.lib.SSL_get_mode(ssl) == expected_options + @pytest.mark.skipif( + Binding.lib.Cryptography_HAS_TLS_METHOD == 0, + reason="TLS_method requires OpenSSL >= 1.1.0", + ) + def test_tls_ctx_options(self): + # Test that we're properly handling 32-bit unsigned on all platforms. + b = Binding() + assert b.lib.SSL_OP_ALL > 0 + ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) + assert ctx != b.ffi.NULL + ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) + current_options = b.lib.SSL_CTX_get_options(ctx) + resp = b.lib.SSL_CTX_set_options(ctx, b.lib.SSL_OP_ALL) + expected_options = current_options | b.lib.SSL_OP_ALL + assert resp == expected_options + assert b.lib.SSL_CTX_get_options(ctx) == expected_options + + @pytest.mark.skipif( + Binding.lib.Cryptography_HAS_TLS_METHOD == 0, + reason="TLS_method requires OpenSSL >= 1.1.0", + ) + def test_tls_options(self): + # Test that we're properly handling 32-bit unsigned on all platforms. + b = Binding() + assert b.lib.SSL_OP_ALL > 0 + ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) + assert ctx != b.ffi.NULL + ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) + ssl = b.lib.SSL_new(ctx) + ssl = b.ffi.gc(ssl, b.lib.SSL_free) + current_options = b.lib.SSL_get_options(ssl) + resp = b.lib.SSL_set_options(ssl, b.lib.SSL_OP_ALL) + expected_options = current_options | b.lib.SSL_OP_ALL + assert resp == expected_options + assert b.lib.SSL_get_options(ssl) == expected_options + + @pytest.mark.skipif( + Binding.lib.Cryptography_HAS_TLS_METHOD == 0, + reason="TLS_method requires OpenSSL >= 1.1.0", + ) + def test_tls_mode(self): + # Test that we're properly handling 32-bit unsigned on all platforms. + b = Binding() + assert b.lib.SSL_OP_ALL > 0 + ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) + assert ctx != b.ffi.NULL + ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) + ssl = b.lib.SSL_new(ctx) + ssl = b.ffi.gc(ssl, b.lib.SSL_free) + current_options = b.lib.SSL_get_mode(ssl) + resp = b.lib.SSL_set_mode(ssl, b.lib.SSL_OP_ALL) + expected_options = current_options | b.lib.SSL_OP_ALL + assert resp == expected_options + assert b.lib.SSL_get_mode(ssl) == expected_options + def test_conditional_removal(self): b = Binding() @@ -125,3 +183,12 @@ def test_check_startup_errors_are_allowed(self): def test_version_mismatch(self): with pytest.raises(ImportError): _verify_package_version("nottherightversion") + + def test_verify_openssl_version(self, monkeypatch): + monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_102", raising=False) + lib = pretend.stub( + CRYPTOGRAPHY_OPENSSL_LESS_THAN_110=True, + CRYPTOGRAPHY_IS_LIBRESSL=False, + ) + with pytest.raises(RuntimeError): + _verify_openssl_version(lib) From a5f30c8b88f95cb6694c58cdce583b975d2933ab Mon Sep 17 00:00:00 2001 From: David Blevins Date: Wed, 7 Oct 2020 09:18:15 -0400 Subject: [PATCH 2/6] Removed redundant tests for TLS_method bindings LibreSSL is a derivative of OpenSSL. OpenSSL maps SSLv23_method to TLS_method, thus behavior will always be identical between both sets of methods given the tests initially provided and the constants currently available. --- tests/hazmat/bindings/test_openssl.py | 55 --------------------------- 1 file changed, 55 deletions(-) diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 4dad99c0697f..ecee34091dc7 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -85,61 +85,6 @@ def test_ssl_mode(self): assert resp == expected_options assert b.lib.SSL_get_mode(ssl) == expected_options - @pytest.mark.skipif( - Binding.lib.Cryptography_HAS_TLS_METHOD == 0, - reason="TLS_method requires OpenSSL >= 1.1.0", - ) - def test_tls_ctx_options(self): - # Test that we're properly handling 32-bit unsigned on all platforms. - b = Binding() - assert b.lib.SSL_OP_ALL > 0 - ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) - assert ctx != b.ffi.NULL - ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) - current_options = b.lib.SSL_CTX_get_options(ctx) - resp = b.lib.SSL_CTX_set_options(ctx, b.lib.SSL_OP_ALL) - expected_options = current_options | b.lib.SSL_OP_ALL - assert resp == expected_options - assert b.lib.SSL_CTX_get_options(ctx) == expected_options - - @pytest.mark.skipif( - Binding.lib.Cryptography_HAS_TLS_METHOD == 0, - reason="TLS_method requires OpenSSL >= 1.1.0", - ) - def test_tls_options(self): - # Test that we're properly handling 32-bit unsigned on all platforms. - b = Binding() - assert b.lib.SSL_OP_ALL > 0 - ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) - assert ctx != b.ffi.NULL - ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) - ssl = b.lib.SSL_new(ctx) - ssl = b.ffi.gc(ssl, b.lib.SSL_free) - current_options = b.lib.SSL_get_options(ssl) - resp = b.lib.SSL_set_options(ssl, b.lib.SSL_OP_ALL) - expected_options = current_options | b.lib.SSL_OP_ALL - assert resp == expected_options - assert b.lib.SSL_get_options(ssl) == expected_options - - @pytest.mark.skipif( - Binding.lib.Cryptography_HAS_TLS_METHOD == 0, - reason="TLS_method requires OpenSSL >= 1.1.0", - ) - def test_tls_mode(self): - # Test that we're properly handling 32-bit unsigned on all platforms. - b = Binding() - assert b.lib.SSL_OP_ALL > 0 - ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) - assert ctx != b.ffi.NULL - ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) - ssl = b.lib.SSL_new(ctx) - ssl = b.ffi.gc(ssl, b.lib.SSL_free) - current_options = b.lib.SSL_get_mode(ssl) - resp = b.lib.SSL_set_mode(ssl, b.lib.SSL_OP_ALL) - expected_options = current_options | b.lib.SSL_OP_ALL - assert resp == expected_options - assert b.lib.SSL_get_mode(ssl) == expected_options - def test_conditional_removal(self): b = Binding() From f9b9e05e8aa0e632b0fbf096f64c556bb2fddf47 Mon Sep 17 00:00:00 2001 From: David Blevins Date: Wed, 7 Oct 2020 11:33:36 -0400 Subject: [PATCH 3/6] Updated binding to backport TLS_method --- src/_cffi_src/openssl/ssl.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index e68037201623..fe9a5e4d0ce5 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -765,9 +765,9 @@ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL static const long Cryptography_HAS_TLS_METHOD = 0; -const SSL_METHOD* (*TLS_method)(void) = NULL; -const SSL_METHOD* (*TLS_client_method)(void) = NULL; -const SSL_METHOD* (*TLS_server_method)(void) = NULL; +const SSL_METHOD* (*TLS_method)(void) = SSLv23_method; +const SSL_METHOD* (*TLS_client_method)(void) = SSLv23_client_method; +const SSL_METHOD* (*TLS_server_method)(void) = SSLv23_server_method; #else static const long Cryptography_HAS_TLS_METHOD = 1; #endif From 1814d4fae0f01ea28b9221b2c94c0eabbffca113 Mon Sep 17 00:00:00 2001 From: David Blevins Date: Wed, 7 Oct 2020 17:29:13 -0400 Subject: [PATCH 4/6] Code Review: simplify binding (per reaperhulk) Simplified binding statement for TLS_method inclusion Removed Conditional Library build hooks Updated tests to discard use of Cryptography_HAS_TLS_METHOD --- src/_cffi_src/openssl/ssl.py | 10 +++------- .../hazmat/bindings/openssl/_conditional.py | 9 --------- tests/hazmat/backends/test_openssl.py | 4 ---- 3 files changed, 3 insertions(+), 20 deletions(-) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index fe9a5e4d0ce5..53da6a33b554 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -18,7 +18,6 @@ static const long Cryptography_HAS_TLSv1_1; static const long Cryptography_HAS_TLSv1_2; static const long Cryptography_HAS_TLSv1_3; -static const long Cryptography_HAS_TLS_METHOD; static const long Cryptography_HAS_SECURE_RENEGOTIATION; static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB; static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP; @@ -764,11 +763,8 @@ #endif #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL -static const long Cryptography_HAS_TLS_METHOD = 0; -const SSL_METHOD* (*TLS_method)(void) = SSLv23_method; -const SSL_METHOD* (*TLS_client_method)(void) = SSLv23_client_method; -const SSL_METHOD* (*TLS_server_method)(void) = SSLv23_server_method; -#else -static const long Cryptography_HAS_TLS_METHOD = 1; +#define TLS_method SSLv23_method +#define TLS_client_method SSLv23_client_method +#define TLS_server_method SSLv23_server_method #endif """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index e7e467e45269..cdc18eab6848 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -291,14 +291,6 @@ def cryptography_has_srtp(): ] -def cryptography_has_tls_method(): - return [ - "TLS_method", - "TLS_client_method", - "TLS_server_method", - ] - - # This is a mapping of # {condition: function-returning-names-dependent-on-that-condition} so we can # loop over them and delete unsupported names at runtime. It will be removed @@ -350,5 +342,4 @@ def cryptography_has_tls_method(): "Cryptography_HAS_ENGINE": cryptography_has_engine, "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, "Cryptography_HAS_SRTP": cryptography_has_srtp, - "Cryptography_HAS_TLS_METHOD": cryptography_has_tls_method, } diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 12101edf62f4..e79f2c9fb6f4 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -123,10 +123,6 @@ def test_ssl_ciphers_registered(self): assert ctx != backend._ffi.NULL backend._lib.SSL_CTX_free(ctx) - @pytest.mark.skipif( - backend._lib.Cryptography_HAS_TLS_METHOD == 0, - reason="Requires Library with TLS_method", - ) def test_tls_ciphers_registered(self): meth = backend._lib.TLS_method() ctx = backend._lib.SSL_CTX_new(meth) From f1a5433ebcccf65843aadd7e21ab7a01fc81d431 Mon Sep 17 00:00:00 2001 From: David Blevins Date: Sat, 10 Oct 2020 06:26:47 -0400 Subject: [PATCH 5/6] Removed extraneous newline --- src/_cffi_src/openssl/ssl.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 53da6a33b554..a82dbfc88fd9 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -506,7 +506,6 @@ """ CUSTOMIZATIONS = """ - #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 static const long Cryptography_HAS_VERIFIED_CHAIN = 0; Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL; From 50c398cc7b139731df66d731f1d2ed68b7beb21c Mon Sep 17 00:00:00 2001 From: David Blevins Date: Sat, 24 Oct 2020 10:26:50 -0400 Subject: [PATCH 6/6] Setters and Getters for SSL/CTX Protocols From #5379 : Added bindings for SSL / CTX interfaces to SET min and max protocol versions (added in OpenSSL 1.1.0). Added bindings for SSL / CTX interfaces to GET min and max protocol versions (added in OpenSSL 1.1.1). Added conditional build variables to allow compilation on systems not offering these interfaces via the compiled library. --- src/_cffi_src/openssl/ssl.py | 41 +++++++++++++++++++ .../hazmat/bindings/openssl/_conditional.py | 20 +++++++++ 2 files changed, 61 insertions(+) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index c38e309a1835..a82fda77e2e5 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -29,6 +29,8 @@ static const long Cryptography_HAS_CIPHER_DETAILS; static const long Cryptography_HAS_VERIFIED_CHAIN; static const long Cryptography_HAS_KEYLOG; +static const long Cryptography_HAS_PROTOCOL_SETTERS; +static const long Cryptography_HAS_PROTOCOL_GETTERS; /* Internally invented symbol to tell us if SNI is supported */ static const long Cryptography_HAS_TLSEXT_HOSTNAME; @@ -198,6 +200,14 @@ int SSL_renegotiate_pending(SSL *); const char *SSL_get_cipher_list(const SSL *, int); +/* Added in 1.1.0 */ +int SSL_set_min_proto_version(SSL *ssl, int version); +int SSL_set_max_proto_version(SSL *ssl, int version); + +/* Added in 1.1.1 */ +int SSL_get_min_proto_version(SSL *ssl); +int SSL_get_max_proto_version(SSL *ssl); + /* context */ void SSL_CTX_free(SSL_CTX *); long SSL_CTX_set_timeout(SSL_CTX *, long); @@ -265,6 +275,14 @@ long SSL_CTX_set1_sigalgs_list(SSL_CTX *, const char *); +/* Added in 1.1.0 */ +int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); +int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version); + +/* Added in 1.1.1 */ +int SSL_CTX_get_min_proto_version(SSL_CTX *ctx); +int SSL_CTX_get_max_proto_version(SSL_CTX *ctx); + /* SSL_SESSION */ void SSL_SESSION_free(SSL_SESSION *); @@ -755,4 +773,27 @@ #else static const long Cryptography_HAS_TLSv1_3 = 1; #endif + +#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL +int (*SSL_CTX_set_min_proto_version)(SSL_CTX *ctx, int version) = NULL; +int (*SSL_CTX_set_max_proto_version)(SSL_CTX *ctx, int version) = NULL; +int (*SSL_set_min_proto_version)(SSL *ssl, int version) = NULL; +int (*SSL_set_max_proto_version)(SSL *ssl, int version) = NULL; +int (*SSL_CTX_get_min_proto_version)(SSL_CTX *ctx) = NULL; +int (*SSL_CTX_get_max_proto_version)(SSL_CTX *ctx) = NULL; +int (*SSL_get_min_proto_version)(SSL *ssl) = NULL; +int (*SSL_get_max_proto_version)(SSL *ssl) = NULL; +static const long Cryptography_HAS_PROTOCOL_SETTERS = 0; +static const long Cryptography_HAS_PROTOCOL_GETTERS = 0; +#elif CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL +int (*SSL_CTX_get_min_proto_version)(SSL_CTX *ctx) = NULL; +int (*SSL_CTX_get_max_proto_version)(SSL_CTX *ctx) = NULL; +int (*SSL_get_min_proto_version)(SSL *ssl) = NULL; +int (*SSL_get_max_proto_version)(SSL *ssl) = NULL; +static const long Cryptography_HAS_PROTOCOL_SETTERS = 1; +static const long Cryptography_HAS_PROTOCOL_GETTERS = 0; +#else +static const long Cryptography_HAS_PROTOCOL_SETTERS = 1; +static const long Cryptography_HAS_PROTOCOL_GETTERS = 1; +#endif """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index cdc18eab6848..3d3035092a84 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -291,6 +291,24 @@ def cryptography_has_srtp(): ] +def cryptography_has_protocol_setters(): + return [ + "SSL_CTX_set_min_proto_version", + "SSL_CTX_set_max_proto_version", + "SSL_set_min_proto_version", + "SSL_set_max_proto_version", + ] + + +def cryptography_has_protocol_getters(): + return [ + "SSL_CTX_get_min_proto_version", + "SSL_CTX_get_max_proto_version", + "SSL_get_min_proto_version", + "SSL_get_max_proto_version", + ] + + # This is a mapping of # {condition: function-returning-names-dependent-on-that-condition} so we can # loop over them and delete unsupported names at runtime. It will be removed @@ -342,4 +360,6 @@ def cryptography_has_srtp(): "Cryptography_HAS_ENGINE": cryptography_has_engine, "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, "Cryptography_HAS_SRTP": cryptography_has_srtp, + "Cryptography_HAS_PROTOCOL_SETTERS": cryptography_has_protocol_setters, + "Cryptography_HAS_PROTOCOL_GETTERS": cryptography_has_protocol_getters, }