diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index c38e309a1835f..a82fda77e2e5f 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -29,6 +29,8 @@
 static const long Cryptography_HAS_CIPHER_DETAILS;
 static const long Cryptography_HAS_VERIFIED_CHAIN;
 static const long Cryptography_HAS_KEYLOG;
+static const long Cryptography_HAS_PROTOCOL_SETTERS;
+static const long Cryptography_HAS_PROTOCOL_GETTERS;
 /* Internally invented symbol to tell us if SNI is supported */
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -198,6 +200,14 @@
 int SSL_renegotiate_pending(SSL *);
 const char *SSL_get_cipher_list(const SSL *, int);
+/* Added in 1.1.0 */
+int SSL_set_min_proto_version(SSL *ssl, int version);
+int SSL_set_max_proto_version(SSL *ssl, int version);
+
+/* Added in 1.1.1 */
+int SSL_get_min_proto_version(SSL *ssl);
+int SSL_get_max_proto_version(SSL *ssl);
+
 /* context */
 void SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *, long);
@@ -265,6 +275,14 @@
 long SSL_CTX_set1_sigalgs_list(SSL_CTX *, const char *);
+/* Added in 1.1.0 */
+int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
+int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
+
+/* Added in 1.1.1 */
+int SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
+int SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
+
 /* SSL_SESSION */
 void SSL_SESSION_free(SSL_SESSION *);
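Review bot: The new setter declarations in the `@@ -198` hunk (`SSL_set_min_proto_version`, `SSL_set_max_proto_version`) and the `SSL_CTX_*` pair in the `@@ -265` hunk carry no word on their return contract. These calls return 1 on success and 0 on failure, so a caller that ignores the result can believe a protocol floor is enforced when it is not. I would extend the comment above each setter pair to `/* Added in 1.1.0. Returns 1 on success, 0 on failure; version 0 means the lowest/highest version the library supports. */`. The getters return the configured version, with 0 meaning no explicit bound, which is worth a word next to `/* Added in 1.1.1 */` as well.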
@@ -755,4 +773,27 @@
 #else
 static const long Cryptography_HAS_TLSv1_3 = 1;
 #endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL
+int (*SSL_CTX_set_min_proto_version)(SSL_CTX *ctx, int version) = NULL;
+int (*SSL_CTX_set_max_proto_version)(SSL_CTX *ctx, int version) = NULL;
+int (*SSL_set_min_proto_version)(SSL *ssl, int version) = NULL;
+int (*SSL_set_max_proto_version)(SSL *ssl, int version) = NULL;
+int (*SSL_CTX_get_min_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_CTX_get_max_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_get_min_proto_version)(SSL *ssl) = NULL;
+int (*SSL_get_max_proto_version)(SSL *ssl) = NULL;
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 0;
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 0;
+#elif CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL
+int (*SSL_CTX_get_min_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_CTX_get_max_proto_version)(SSL_CTX *ctx) = NULL;
+int (*SSL_get_min_proto_version)(SSL *ssl) = NULL;
+int (*SSL_get_max_proto_version)(SSL *ssl) = NULL;
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 1;
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 0;
+#else
+static const long Cryptography_HAS_PROTOCOL_SETTERS = 1;
+static const long Cryptography_HAS_PROTOCOL_GETTERS = 1;
+#endif
 """
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index cdc18eab68480..3d3035092a84f 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
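Review bot: Both conditions in the `#if`/`#elif` chain added at the end of ssl.py exclude LibreSSL with `!CRYPTOGRAPHY_IS_LIBRESSL`, so every LibreSSL build takes the `#else` branch and reports `Cryptography_HAS_PROTOCOL_SETTERS = 1` and `Cryptography_HAS_PROTOCOL_GETTERS = 1`. If a supported LibreSSL release lacks any of the eight functions, the build would presumably fail rather than fall back to a flag of 0; this hunk does not show which LibreSSL versions are supported, so that needs confirming. A comment on the `#else` branch would record the assumption, e.g. `/* LibreSSL always lands here: all eight functions must exist in the oldest supported release */`. Separately, the four getter `= NULL` definitions are repeated in the first two branches; gating setters and getters in two independent `#if` blocks would remove the duplication.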
@@ -291,6 +291,24 @@ def cryptography_has_srtp():
 ]
+def cryptography_has_protocol_setters():
+ return [
+ "SSL_CTX_set_min_proto_version",
+ "SSL_CTX_set_max_proto_version",
+ "SSL_set_min_proto_version",
+ "SSL_set_max_proto_version",
+ ]
+
+
+def cryptography_has_protocol_getters():
+ return [
+ "SSL_CTX_get_min_proto_version",
+ "SSL_CTX_get_max_proto_version",
+ "SSL_get_min_proto_version",
+ "SSL_get_max_proto_version",
+ ]
+
+
 # This is a mapping of
 # {condition: function-returning-names-dependent-on-that-condition} so we can
 # loop over them and delete unsupported names at runtime. It will be removed
@@ -342,4 +360,6 @@ def cryptography_has_srtp():
 "Cryptography_HAS_ENGINE": cryptography_has_engine,
 "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
 "Cryptography_HAS_SRTP": cryptography_has_srtp,
+ "Cryptography_HAS_PROTOCOL_SETTERS": cryptography_has_protocol_setters,
+ "Cryptography_HAS_PROTOCOL_GETTERS": cryptography_has_protocol_getters,
 }
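Review bot: `cryptography_has_protocol_setters` and `cryptography_has_protocol_getters` in the `@@ -291` hunk have no docstring saying which builds trigger them. The consequence matters to callers: per the comment below them, unsupported names are deleted at runtime, so code that sets a minimum TLS version through these functions has to check the flag and fall back (for example to the `SSL_OP_NO_*` options) rather than skip the call and leave older protocol versions enabled. I would add one-line docstrings, `"""Names removed when OpenSSL is older than 1.1.0."""` on the setters and `"""Names removed when OpenSSL is older than 1.1.1."""` on the getters, matching the conditions in ssl.py. The eight strings do match the NULL function pointers defined there.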