Setters and Getters for SSL/CTX Protocols

From pyca#5379 : Added bindings for SSL session and context interfaces to SET min and max protocol versions (added in OpenSSL 1.1.0). Added bindings for SSL session and context interfaces to GET min and max protocol versions (added in OpenSSL 1.1.1). Added conditional build variables to allow compilation on systems not offering these interfaces via the compiled library.

src/_cffi_src/openssl/ssl.py

@@ -29,6 +29,8 @@
 static const long Cryptography_HAS_CIPHER_DETAILS;
 static const long Cryptography_HAS_VERIFIED_CHAIN;
 static const long Cryptography_HAS_KEYLOG;
+static const long Cryptography_HAS_PROTOCOL_SETTERS;
+static const long Cryptography_HAS_PROTOCOL_GETTERS;
 
 /* Internally invented symbol to tell us if SNI is supported */
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -198,6 +200,14 @@
 int SSL_renegotiate_pending(SSL *);
 const char *SSL_get_cipher_list(const SSL *, int);
 
+/* Added in 1.1.0 */
+int SSL_set_min_proto_version(SSL *ssl, int version);
+int SSL_set_max_proto_version(SSL *ssl, int version);
+
+/* Added in 1.1.1 */
+int SSL_get_min_proto_version(SSL *ssl);
+int SSL_get_max_proto_version(SSL *ssl);
+
 /*  context */
 void SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *, long);
@@ -265,6 +275,14 @@
 
 long SSL_CTX_set1_sigalgs_list(SSL_CTX *, const char *);
 
+/* Added in 1.1.0 */
+int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
+int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
+
+/* Added in 1.1.1 */
+int SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
+int SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
+
 /*  SSL_SESSION */
 void SSL_SESSION_free(SSL_SESSION *);
 
@@ -755,4 +773,27 @@
 #else
 static const long Cryptography_HAS_TLSv1_3 = 1;
 #endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL
+int (*SSL_CTX_set_min_proto_version)(SSL_CTX *ctx, int version) = NULL;
+int (*SSL_CTX_set_max_proto_version)(SSL_CTX *ctx, int version) = NULL;
+int (*SSL_set_min_proto_version)(SSL *ssl, int version) = NULL;
+int (*SSL_set_max_proto_version)(SSL *ssl, int version) = NULL;
+int (*SSL_CTX_get_min_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_CTX_get_max_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_get_min_proto_version)(SSL *ssl) = NULL;
+int (*SSL_get_max_proto_version)(SSL *ssl) = NULL;
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 0;
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 0;
+#elif CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL
+int (*SSL_CTX_get_min_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_CTX_get_max_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_get_min_proto_version)(SSL *ssl) = NULL;
+int (*SSL_get_max_proto_version)(SSL *ssl) = NULL;
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 1;
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 0;
+#else
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 1;
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 1;
+#endif
 """

src/cryptography/hazmat/bindings/openssl/_conditional.py

@@ -291,6 +291,24 @@ def cryptography_has_srtp():
     ]
 
 
+def cryptography_has_protocol_setters():
+    return [
+        "SSL_CTX_set_min_proto_version",
+        "SSL_CTX_set_max_proto_version",
+        "SSL_set_min_proto_version",
+        "SSL_set_max_proto_version",
+    ]
+
+
+def cryptography_has_protocol_getters():
+    return [
+        "SSL_CTX_get_min_proto_version",
+        "SSL_CTX_get_max_proto_version",
+        "SSL_get_min_proto_version",
+        "SSL_get_max_proto_version",
+    ]
+
+
 # This is a mapping of
 # {condition: function-returning-names-dependent-on-that-condition} so we can
 # loop over them and delete unsupported names at runtime. It will be removed
@@ -342,4 +360,6 @@ def cryptography_has_srtp():
     "Cryptography_HAS_ENGINE": cryptography_has_engine,
     "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
     "Cryptography_HAS_SRTP": cryptography_has_srtp,
+    "Cryptography_HAS_PROTOCOL_SETTERS": cryptography_has_protocol_setters,
+    "Cryptography_HAS_PROTOCOL_GETTERS": cryptography_has_protocol_getters,
 }