diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index ff960f5775ad..f3511e454c98 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -24,6 +24,7 @@
 static const long Cryptography_HAS_PSK;
 static const long Cryptography_HAS_VERIFIED_CHAIN;
 static const long Cryptography_HAS_KEYLOG;
+static const long Cryptography_HAS_GET_PROTO_VERSION;
 /* Internally invented symbol to tell us if SSL_MODE_RELEASE_BUFFERS is
 * supported
@@ -312,6 +313,16 @@
 long SSL_total_renegotiations(SSL *);
 long SSL_get_secure_renegotiation_support(SSL *);
+long SSL_CTX_set_min_proto_version(SSL_CTX *, int);
+long SSL_CTX_set_max_proto_version(SSL_CTX *, int);
+long SSL_set_min_proto_version(SSL *, int);
+long SSL_set_max_proto_version(SSL *, int);
+
+long SSL_CTX_get_min_proto_version(SSL_CTX *);
+long SSL_CTX_get_max_proto_version(SSL_CTX *);
+long SSL_get_min_proto_version(SSL *);
+long SSL_get_max_proto_version(SSL *);
+
 /* Defined as unsigned long because SSL_OP_ALL is greater than signed 32-bit and Windows defines long as 32-bit. */
 unsigned long SSL_CTX_set_options(SSL_CTX *, unsigned long);
@@ -330,10 +341,6 @@
 /* methods */
-/*
- * TLSv1_1 and TLSv1_2 are recent additions. Only sufficiently new versions of
- * OpenSSL support them.
- */
 const SSL_METHOD *TLSv1_1_method(void);
 const SSL_METHOD *TLSv1_1_server_method(void);
 const SSL_METHOD *TLSv1_1_client_method(void);
@@ -363,6 +370,10 @@
 const SSL_METHOD *SSLv23_server_method(void);
 const SSL_METHOD *SSLv23_client_method(void);
+const SSL_METHOD *TLS_method(void);
+const SSL_METHOD *TLS_server_method(void);
+const SSL_METHOD *TLS_client_method(void);
+
 /*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/
 SSL_CTX *SSL_CTX_new(SSL_METHOD *);
 long SSL_CTX_get_timeout(const SSL_CTX *);
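Review bot: In the `@@ -312,6 +313,16 @@` hunk the four `*_set_{min,max}_proto_version` declarations are added without a guard, while only the getters are tied to `Cryptography_HAS_GET_PROTO_VERSION`; if any supported OpenSSL build predates 1.1.0 the setters need the same conditional treatment, which cannot be determined from this diff. The block also has no comment on the return convention, and that matters for a security control: the setters return 1 on success and 0 on failure, so a caller that ignores the result may keep a lower protocol floor than it asked for, and the getters return 0 when no explicit bound is configured rather than signalling an error. I would add above the block `/* set_*: 1 on success, 0 on failure (check it). get_*: 0 means no explicit bound. */`.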
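Review bot: The `TLS_method` group added in the `@@ -363,6 +370,10 @@` hunk has no comment telling binding users how it relates to the fixed-version and `SSLv23_*` methods declared around it. A short comment such as `/* Version-flexible methods; bound the negotiated range with SSL_CTX_set_min_proto_version / SSL_CTX_set_max_proto_version. */` would steer callers towards an explicit version floor rather than a pinned `TLSv1_x_method`. These three are also declared without a guard, so confirm that every supported OpenSSL and LibreSSL release exports them.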
@@ -674,4 +685,15 @@
 #else
 static const long Cryptography_HAS_TLSv1_3 = 1;
 #endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_GET_PROTO_VERSION = 0;
+
+long (*SSL_CTX_get_min_proto_version)(SSL_CTX *) = NULL;
+long (*SSL_CTX_get_max_proto_version)(SSL_CTX *) = NULL;
+long (*SSL_get_min_proto_version)(SSL *) = NULL;
+long (*SSL_get_max_proto_version)(SSL *) = NULL;
+#else
+static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
+#endif
 """
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index d990999cd1b9..ca50fed13414 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -262,6 +262,15 @@ def cryptography_has_srtp():
 ]
+def cryptography_has_get_proto_version():
+ return [
+ "SSL_CTX_get_min_proto_version",
+ "SSL_CTX_get_max_proto_version",
+ "SSL_get_min_proto_version",
+ "SSL_get_max_proto_version",
+ ]
+
+
 # This is a mapping of
 # {condition: function-returning-names-dependent-on-that-condition} so we can
 # loop over them and delete unsupported names at runtime. It will be removed
@@ -309,4 +318,5 @@ def cryptography_has_srtp():
 "Cryptography_HAS_ENGINE": cryptography_has_engine,
 "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
 "Cryptography_HAS_SRTP": cryptography_has_srtp,
+ "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
 }
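Review bot: The condition `CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL` in the `@@ -674,4 +685,15 @@` hunk reports the getters as present on every LibreSSL build, and nothing in this hunk shows that the oldest supported LibreSSL exports all four. If one does not, the build would presumably fail rather than fall back to `Cryptography_HAS_GET_PROTO_VERSION = 0`. Where the flag is 0 the four names are NULL function pointers that the `_conditional.py` mapping removes at runtime, so callers have to test the flag before reading the configured protocol floor. I would record both facts in a comment above the `#if`, e.g. `/* Getters: OpenSSL >= 1.1.1; LibreSSL assumed to export them in all supported releases. */`.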