From ea34c1a9821545b99b6864af211dead662e75dfc Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sat, 3 Nov 2018 19:48:29 +0800
Subject: add various new TLS bindings (#4555)

* add SSL_OP_NO_TLSv1_3
* compiling now
* bind SSL_CTX_set_ciphersuites as well
* add some more
---
 src/_cffi_src/openssl/ssl.py | 19 +++++++++++++++++++
 .../hazmat/bindings/openssl/_conditional.py | 12 ++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index f9481af1..e1880712 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -17,6 +17,7 @@ static const long Cryptography_HAS_SSL2;
 static const long Cryptography_HAS_SSL3_METHOD;
 static const long Cryptography_HAS_TLSv1_1;
 static const long Cryptography_HAS_TLSv1_2;
+static const long Cryptography_HAS_TLSv1_3;
 static const long Cryptography_HAS_SECURE_RENEGOTIATION;
 static const long Cryptography_HAS_COMPRESSION;
 static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB;
@@ -68,6 +69,7 @@ static const long SSL_OP_NO_SSLv3;
 static const long SSL_OP_NO_TLSv1;
 static const long SSL_OP_NO_TLSv1_1;
 static const long SSL_OP_NO_TLSv1_2;
+static const long SSL_OP_NO_TLSv1_3;
 static const long SSL_OP_NO_DTLSv1;
 static const long SSL_OP_NO_DTLSv1_2;
 static const long SSL_OP_NO_COMPRESSION;
@@ -100,6 +102,7 @@ static const long SSL_VERIFY_PEER;
 static const long SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 static const long SSL_VERIFY_CLIENT_ONCE;
 static const long SSL_VERIFY_NONE;
+static const long SSL_VERIFY_POST_HANDSHAKE;
 static const long SSL_SESS_CACHE_OFF;
 static const long SSL_SESS_CACHE_CLIENT;
 static const long SSL_SESS_CACHE_SERVER;
@@ -529,6 +532,11 @@ int SSL_CTX_add_server_custom_ext(SSL_CTX *, unsigned int, void *); int SSL_extension_supported(unsigned int); + +int SSL_CTX_set_ciphersuites(SSL_CTX *, const char *); +int SSL_verify_client_post_handshake(SSL *); +void SSL_CTX_set_post_handshake_auth(SSL_CTX *, int); +void SSL_set_post_handshake_auth(SSL *, int); """ CUSTOMIZATIONS = """ @@ -815,4 +823,15 @@ static const long Cryptography_HAS_CIPHER_DETAILS = 0; static const long Cryptography_HAS_CIPHER_DETAILS = 1; #endif +#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 +static const long Cryptography_HAS_TLSv1_3 = 0; +static const long SSL_OP_NO_TLSv1_3 = 0; +static const long SSL_VERIFY_POST_HANDSHAKE = 0; +int (*SSL_CTX_set_ciphersuites)(SSL_CTX *, const char *) = NULL; +int (*SSL_verify_client_post_handshake)(SSL *) = NULL; +void (*SSL_CTX_set_post_handshake_auth)(SSL_CTX *, int) = NULL; +void (*SSL_set_post_handshake_auth)(SSL *, int) = NULL; +#else +static const long Cryptography_HAS_TLSv1_3 = 1; +#endif """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 78b9b279..219f163e 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -290,6 +290,17 @@ def cryptography_has_cipher_details(): ] +def cryptography_has_tlsv13(): + return [ + "SSL_OP_NO_TLSv1_3", + "SSL_VERIFY_POST_HANDSHAKE", + "SSL_CTX_set_ciphersuites", + "SSL_verify_client_post_handshake", + "SSL_CTX_set_post_handshake_auth", + "SSL_set_post_handshake_auth", + ] + + # This is a mapping of # {condition: function-returning-names-dependent-on-that-condition} so we can # loop over them and delete unsupported names at runtime. It will be removed 
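Review bot: The new `SSL_CTX_set_ciphersuites` declaration carries no note that, per OpenSSL's 1.1.1 documentation, it configures only the TLS 1.3 suite list and is independent of `SSL_CTX_set_cipher_list`, so a consumer who restricts the cipher list alone has not restricted the TLS 1.3 suites; its `int` return (0 when OpenSSL rejects the string) is also worth stating, since the binding layer does not check it. I'd add a C comment above the declaration: `/* TLS 1.3 suites only; independent of SSL_CTX_set_cipher_list. Returns 0 on failure - callers must check. */`. The same applies to `SSL_verify_client_post_handshake`, which OpenSSL documents as failing unless the peer enabled post-handshake auth, so its result needs checking on the server side too. The cdef string these declarations sit in begins before the hunk.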
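Review bot: The fallback block gates on `CRYPTOGRAPHY_OPENSSL_LESS_THAN_111` alone, and whether that macro also covers LibreSSL is not visible in this diff; if it does not, LibreSSL builds lacking `SSL_CTX_set_ciphersuites` and the post-handshake-auth functions would fail at link time, so the macro's definition in the shared header is worth confirming before merging. The placeholder values (`0` for the constants, `NULL` for the four function pointers) are only safe because the names are stripped from the binding at runtime, and nothing in the block says so. A one-line comment at the top of the `#if` would make that dependency explicit: `/* Placeholders so the cdef compiles; stripped at runtime via Cryptography_HAS_TLSv1_3 / cryptography_has_tlsv13. */`. The CUSTOMIZATIONS string this block lives in begins before the hunk.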
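Review bot: `cryptography_has_tlsv13()` is the only thing that keeps the `NULL` function pointers from the pre-1.1.1 `#if` block in ssl.py from being reachable from Python, and nothing in the hunk records that the two lists must stay in step. A name dropped from this list, or a placeholder added in ssl.py without a matching entry here, would leave a `NULL` pointer callable through cffi on older OpenSSL, which crashes the process rather than raising. I'd add a comment above the `return`: `# Must match the placeholder names in ssl.py's CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 block; any name missing here stays bound to NULL/0 on older OpenSSL.` This is consistent with the runtime-deletion scheme the module comment just below the hunk describes.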
@@ -351,4 +362,5 @@ CONDITIONAL_NAMES = { "Cryptography_HAS_CUSTOM_EXT": cryptography_has_custom_ext, "Cryptography_HAS_OPENSSL_CLEANUP": cryptography_has_openssl_cleanup, "Cryptography_HAS_CIPHER_DETAILS": cryptography_has_cipher_details, + "Cryptography_HAS_TLSv1_3": cryptography_has_tlsv13, } -- cgit v1.2.3