From b5cfa8d98d6ecf63861e1feba47654cddfce1f4d Mon Sep 17 00:00:00 2001
From: PhiBo
Date: Sun, 4 May 2014 13:50:25 +0200
Subject: Add support for SSL_get_ciphers()
---
 cryptography/hazmat/bindings/openssl/ssl.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/cryptography/hazmat/bindings/openssl/ssl.py b/cryptography/hazmat/bindings/openssl/ssl.py
index 0b15411c..d473e2db 100644
--- a/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/cryptography/hazmat/bindings/openssl/ssl.py
@@ -15,6 +15,8 @@ from __future__ import absolute_import, division, print_function
 INCLUDES = """
 #include
+
+typedef STACK_OF(SSL_CIPHER) Cryptography_STACK_OF_SSL_CIPHER;
 """
 TYPES = """
@@ -153,6 +155,7 @@ typedef struct {
 static const long TLSEXT_NAMETYPE_host_name;
 typedef ... SSL_CIPHER;
+typedef ... Cryptography_STACK_OF_SSL_CIPHER;
 """
 FUNCTIONS = """
@@ -190,6 +193,7 @@ int SSL_get_error(const SSL *, int);
 int SSL_do_handshake(SSL *);
 int SSL_shutdown(SSL *);
 const char *SSL_get_cipher_list(const SSL *, int);
+Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *ssl);
 /* context */
 void SSL_CTX_free(SSL_CTX *);
@@ -351,6 +355,9 @@ int SSL_select_next_proto(unsigned char **, unsigned char *,
 const unsigned char *, unsigned int);
 void SSL_get0_next_proto_negotiated(const SSL *,
 const unsigned char **, unsigned *);
+
+int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
+SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int i);
 """
 CUSTOMIZATIONS = """
--
cgit v1.2.3
From 8772e58ef2a43406db1f30cf319629f0fefcf69b Mon Sep 17 00:00:00 2001
From: PhiBo
Date: Sun, 4 May 2014 14:00:48 +0200
Subject: Add macro to get secure renegotiation support
---
 cryptography/hazmat/bindings/openssl/ssl.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/cryptography/hazmat/bindings/openssl/ssl.py b/cryptography/hazmat/bindings/openssl/ssl.py
index d473e2db..45cfb539 100644
--- a/cryptography/hazmat/bindings/openssl/ssl.py
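Review bot: The new `SSL_get_ciphers` / `sk_SSL_CIPHER_value` declarations in the last hunk give the Python side no hint about ownership or failure values, and those are the two things a caller of this binding gets wrong first. As I read the OpenSSL API (please confirm for the versions you target), the stack returned by `SSL_get_ciphers` belongs to the SSL object and must never be handed to `sk_SSL_CIPHER_free`, `sk_SSL_CIPHER_num` returns -1 for a NULL stack, and `sk_SSL_CIPHER_value` returns NULL for an out-of-range index. I'd put that above the two `sk_SSL_CIPHER_*` lines: `/* SSL_get_ciphers() returns a stack owned by the SSL object: do not free it, and check sk_SSL_CIPHER_value() for NULL. */`. `sk_SSL_CIPHER_num` and `sk_SSL_CIPHER_value` are preprocessor macros in OpenSSL rather than exported symbols, so declaring them here only works because cffi's verify-mode wrapper calls them from generated C; a short comment saying so would save the next person from looking for the symbols in libssl.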
+++ b/cryptography/hazmat/bindings/openssl/ssl.py
@@ -86,6 +86,7 @@ static const long SSL_OP_COOKIE_EXCHANGE;
 static const long SSL_OP_NO_TICKET;
 static const long SSL_OP_ALL;
 static const long SSL_OP_SINGLE_ECDH_USE;
+static const long SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
 static const long SSL_VERIFY_PEER;
 static const long SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 static const long SSL_VERIFY_CLIENT_ONCE;
@@ -252,6 +253,7 @@ int SSL_want_read(const SSL *);
 int SSL_want_write(const SSL *);
 long SSL_total_renegotiations(SSL *);
+long SSL_get_secure_renegotiation_support(SSL *ssl);
 /* Defined as unsigned long because SSL_OP_ALL is greater than signed 32-bit and Windows defines long as 32-bit. */
--
cgit v1.2.3
From 31956ca61833965b9e85ee4a30742462d5e127ab Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Tue, 6 May 2014 08:23:56 -0500
Subject: style fixes and conditional binding for SSL_OP_ALLOW_UNSAFE_RENEGOTIATION
---
 cryptography/hazmat/bindings/openssl/ssl.py | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/cryptography/hazmat/bindings/openssl/ssl.py b/cryptography/hazmat/bindings/openssl/ssl.py
index 45cfb539..eaacbc1a 100644
--- a/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/cryptography/hazmat/bindings/openssl/ssl.py
@@ -26,6 +26,7 @@ TYPES = """
 static const long Cryptography_HAS_SSL2;
 static const long Cryptography_HAS_TLSv1_1;
 static const long Cryptography_HAS_TLSv1_2;
+static const long Cryptography_HAS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
 /* Internally invented symbol to tell us if SNI is supported */
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -194,7 +195,7 @@ int SSL_get_error(const SSL *, int);
 int SSL_do_handshake(SSL *);
 int SSL_shutdown(SSL *);
 const char *SSL_get_cipher_list(const SSL *, int);
-Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *ssl);
+Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *);
 /* context */
 void SSL_CTX_free(SSL_CTX *);
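Review bot: `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` is added to the `SSL_OP_*` block without a comment, and unlike its neighbours it weakens the connection rather than restricting it: setting it lets OpenSSL renegotiate with peers that do not implement RFC 5746, which is the prefix-injection scenario (CVE-2009-3555) that secure renegotiation was introduced to close. Since this constants block is what users of the binding will read, I'd add above the new line: `/* Permits renegotiation with peers lacking RFC 5746 support (re-opens CVE-2009-3555); only for known-unpatched peers. */`. The same goes for `SSL_get_secure_renegotiation_support` in the second hunk — a comment noting that it reports whether the peer negotiated the renegotiation-indication extension, and that callers should check it before permitting renegotiation at all, would make the pair self-explanatory.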
@@ -253,7 +254,7 @@ int SSL_want_read(const SSL *);
 int SSL_want_write(const SSL *);
 long SSL_total_renegotiations(SSL *);
-long SSL_get_secure_renegotiation_support(SSL *ssl);
+long SSL_get_secure_renegotiation_support(SSL *);
 /* Defined as unsigned long because SSL_OP_ALL is greater than signed 32-bit and Windows defines long as 32-bit. */
@@ -359,10 +360,16 @@ void SSL_get0_next_proto_negotiated(const SSL *,
 const unsigned char **, unsigned *);
 int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
-SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int i);
+SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
 """
 CUSTOMIZATIONS = """
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+static const long Cryptography_HAS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 1;
+#else
+static const long SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0;
+static const long Cryptography_HAS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0;
+#endif
 #ifdef OPENSSL_NO_SSL2
 static const long Cryptography_HAS_SSL2 = 0;
 SSL_METHOD* (*SSLv2_method)(void) = NULL;
@@ -560,5 +567,9 @@ CONDITIONAL_NAMES = {
 "SSL_CTX_set_next_proto_select_cb",
 "SSL_select_next_proto",
 "SSL_get0_next_proto_negotiated",
- ]
+ ],
+
+ "Cryptography_HAS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION": [
+ "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION",
+ ],
 }
--
cgit v1.2.3
From 5ce82d6c58d09a54b8b8faf547a5cf5fb2390f91 Mon Sep 17 00:00:00 2001
From: PhiBo
Date: Tue, 6 May 2014 22:35:53 +0200
Subject: Conditional binding for secure renegotiation
---
 cryptography/hazmat/bindings/openssl/ssl.py | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/cryptography/hazmat/bindings/openssl/ssl.py b/cryptography/hazmat/bindings/openssl/ssl.py
index eaacbc1a..1a2a69e9 100644
--- a/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/cryptography/hazmat/bindings/openssl/ssl.py
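Review bot: In the CUSTOMIZATIONS hunk the `#else` branch defines `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` as 0 and nothing says why, so a reader can take that for "the option is a harmless no-op on older OpenSSL" when, judging by the CONDITIONAL_NAMES entry added in the last hunk, the value exists only so the cffi verify step compiles and the name is then withheld from `lib` whenever `Cryptography_HAS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` is 0. A comment on the `#else` line would prevent that misreading: `/* Placeholder so the cffi build succeeds; CONDITIONAL_NAMES removes this name when the HAS flag is 0. */`.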
@@ -26,7 +26,7 @@ TYPES = """
 static const long Cryptography_HAS_SSL2;
 static const long Cryptography_HAS_TLSv1_1;
 static const long Cryptography_HAS_TLSv1_2;
-static const long Cryptography_HAS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+static const long Cryptography_HAS_SECURE_RENEGOTIATION;
 /* Internally invented symbol to tell us if SNI is supported */
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -364,11 +364,14 @@ SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
 """
 CUSTOMIZATIONS = """
-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-static const long Cryptography_HAS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 1;
+/* Secure renegotiation is supported in OpenSSL >= 0.9.8m */
+#if OPENSSL_VERSION_NUMBER < 0x009080dfL
+static const long Cryptography_HAS_SECURE_RENEGOTIATION = 0;
+long SSL_get_secure_renegotiation_support(SSL *) = 0;
+static const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0;
+static const SSL_OP_LEGACY_SERVER_CONNECT = 0;
 #else
-static const long SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0;
-static const long Cryptography_HAS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0;
+static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1;
 #endif
 #ifdef OPENSSL_NO_SSL2
 static const long Cryptography_HAS_SSL2 = 0;
@@ -569,7 +572,9 @@ CONDITIONAL_NAMES = {
 "SSL_get0_next_proto_negotiated",
 ],
- "Cryptography_HAS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION": [
+ "Cryptography_HAS_SECURE_RENEGOTIATION": [
 "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION",
+ "SSL_OP_LEGACY_SERVER_CONNECT",
+ "SSL_get_secure_renegotiation_support",
 ],
 }
--
cgit v1.2.3
From b6f6cdecfc7b82d15a766a13f0d5ca6c5893c82d Mon Sep 17 00:00:00 2001
From: PhiBo
Date: Wed, 7 May 2014 00:48:43 +0200
Subject: Fix to build without secure renegotiation support
---
 cryptography/hazmat/bindings/openssl/ssl.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/cryptography/hazmat/bindings/openssl/ssl.py b/cryptography/hazmat/bindings/openssl/ssl.py
index 1a2a69e9..d4671a5c 100644
--- a/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/cryptography/hazmat/bindings/openssl/ssl.py
@@ -364,12 +364,14 @@ SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
 """
 CUSTOMIZATIONS = """
-/* Secure renegotiation is supported in OpenSSL >= 0.9.8m */
-#if OPENSSL_VERSION_NUMBER < 0x009080dfL
+/** Secure renegotiation is supported in OpenSSL >= 0.9.8m
+ * But some Linux distributions have back ported some features.
+ */
+#ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
 static const long Cryptography_HAS_SECURE_RENEGOTIATION = 0;
-long SSL_get_secure_renegotiation_support(SSL *) = 0;
-static const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0;
-static const SSL_OP_LEGACY_SERVER_CONNECT = 0;
+long (*SSL_get_secure_renegotiation_support)(SSL *) = NULL;
+const long SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0;
+const long SSL_OP_LEGACY_SERVER_CONNECT = 0;
 #else
 static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1;
 #endif
--
cgit v1.2.3
From 5d2053701af93db5c3a0eadf39c46bcde4287b18 Mon Sep 17 00:00:00 2001
From: PhiBo
Date: Wed, 7 May 2014 01:39:12 +0200
Subject: Add missing type SSL_OP_LEGACY_SERVER_CONNECT
---
 cryptography/hazmat/bindings/openssl/ssl.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/cryptography/hazmat/bindings/openssl/ssl.py b/cryptography/hazmat/bindings/openssl/ssl.py
index d4671a5c..cd8fa1cf 100644
--- a/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/cryptography/hazmat/bindings/openssl/ssl.py
@@ -88,6 +88,7 @@ static const long SSL_OP_NO_TICKET;
 static const long SSL_OP_ALL;
 static const long SSL_OP_SINGLE_ECDH_USE;
 static const long SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+static const long SSL_OP_LEGACY_SERVER_CONNECT;
 static const long SSL_VERIFY_PEER;
 static const long SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 static const long SSL_VERIFY_CLIENT_ONCE;
--
cgit v1.2.3
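Review bot: The `#ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` guard now stands in for three symbols — that option, `SSL_OP_LEGACY_SERVER_CONNECT`, and `SSL_get_secure_renegotiation_support` — while the comment directly above it says distributions back-port pieces of this feature; a back-port that defines the option but not the `SSL_CTRL_GET_RI_SUPPORT` control code that the `SSL_get_secure_renegotiation_support` macro expands to would still fail the cffi build, and this guard would not catch it. I can't confirm such a partial back-port exists on a supported platform, but if the comment's concern is real the guard should test everything it stands in for: `#if !defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) || !defined(SSL_OP_LEGACY_SERVER_CONNECT) || !defined(SSL_CTRL_GET_RI_SUPPORT)`. On style, the `/** ... */` opener is out of step with the plain `/* ... */` comments used elsewhere in this file (`/* context */`, `/* Internally invented symbol ... */`), and the wording would be clearer as `/* Secure renegotiation arrived in OpenSSL 0.9.8m, but some distributions back-port it to older releases, so test for the feature macro rather than the version number. */`.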
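Review bot: `SSL_OP_LEGACY_SERVER_CONNECT` lands directly under `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` with nothing to distinguish them, and they are not interchangeable: per the OpenSSL `SSL_CTX_set_options` documentation as I recall it (please verify), `SSL_OP_LEGACY_SERVER_CONNECT` covers OpenSSL acting as a client toward servers that do not advertise RFC 5746 support and is set by default in the OpenSSL releases of this era, whereas `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` additionally lets an OpenSSL server renegotiate with unpatched clients, which is the CVE-2009-3555 attack surface. A comment above the new line would make the difference visible where users will look for it: `/* Client side: allow connecting to servers without RFC 5746 support (OpenSSL default). Does not enable the server-side unpatched-client case covered by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION. */`. Whether the library should ever clear that default on behalf of callers is a question for the higher-level API rather than this hunk.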