1# This file is dual licensed under the terms of the Apache License, Version 2# 2.0, and the BSD License. See the LICENSE file in the root of this repository 3# for complete details. 4 5from __future__ import absolute_import, division, print_function 6 7INCLUDES = """ 8#include <openssl/ssl.h> 9 10typedef STACK_OF(SSL_CIPHER) Cryptography_STACK_OF_SSL_CIPHER; 11""" 12 13TYPES = """ 14static const long Cryptography_HAS_SSL_ST; 15static const long Cryptography_HAS_TLS_ST; 16static const long Cryptography_HAS_SSL2; 17static const long Cryptography_HAS_SSL3_METHOD; 18static const long Cryptography_HAS_TLSv1_1; 19static const long Cryptography_HAS_TLSv1_2; 20static const long Cryptography_HAS_TLSv1_3; 21static const long Cryptography_HAS_SECURE_RENEGOTIATION; 22static const long Cryptography_HAS_COMPRESSION; 23static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB; 24static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP; 25static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE; 26static const long Cryptography_HAS_GET_SERVER_TMP_KEY; 27static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE; 28static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS; 29static const long Cryptography_HAS_DTLS; 30static const long Cryptography_HAS_GENERIC_DTLS_METHOD; 31static const long Cryptography_HAS_SIGALGS; 32static const long Cryptography_HAS_PSK; 33static const long Cryptography_HAS_CIPHER_DETAILS; 34 35/* Internally invented symbol to tell us if SNI is supported */ 36static const long Cryptography_HAS_TLSEXT_HOSTNAME; 37 38/* Internally invented symbol to tell us if SSL_MODE_RELEASE_BUFFERS is 39 * supported 40 */ 41static const long Cryptography_HAS_RELEASE_BUFFERS; 42 43/* Internally invented symbol to tell us if SSL_OP_NO_COMPRESSION is 44 * supported 45 */ 46static const long Cryptography_HAS_OP_NO_COMPRESSION; 47static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING; 48static const long Cryptography_HAS_SSL_SET_SSL_CTX; 49static const long Cryptography_HAS_SSL_OP_NO_TICKET; 50static const long Cryptography_HAS_ALPN; 51static const long Cryptography_HAS_NEXTPROTONEG; 52static const long Cryptography_HAS_SET_CERT_CB; 53static const long Cryptography_HAS_CUSTOM_EXT; 54 55static const long SSL_FILETYPE_PEM; 56static const long SSL_FILETYPE_ASN1; 57static const long SSL_ERROR_NONE; 58static const long SSL_ERROR_ZERO_RETURN; 59static const long SSL_ERROR_WANT_READ; 60static const long SSL_ERROR_WANT_WRITE; 61static const long SSL_ERROR_WANT_X509_LOOKUP; 62static const long SSL_ERROR_WANT_CONNECT; 63static const long SSL_ERROR_SYSCALL; 64static const long SSL_ERROR_SSL; 65static const long SSL_SENT_SHUTDOWN; 66static const long SSL_RECEIVED_SHUTDOWN; 67static const long SSL_OP_NO_SSLv2; 68static const long SSL_OP_NO_SSLv3; 69static const long SSL_OP_NO_TLSv1; 70static const long SSL_OP_NO_TLSv1_1; 71static const long SSL_OP_NO_TLSv1_2; 72static const long SSL_OP_NO_TLSv1_3; 73static const long SSL_OP_NO_DTLSv1; 74static const long SSL_OP_NO_DTLSv1_2; 75static const long SSL_OP_NO_COMPRESSION; 76static const long SSL_OP_SINGLE_DH_USE; 77static const long SSL_OP_EPHEMERAL_RSA; 78static const long SSL_OP_MICROSOFT_SESS_ID_BUG; 79static const long SSL_OP_NETSCAPE_CHALLENGE_BUG; 80static const long SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; 81static const long SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG; 82static const long SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER; 83static const long SSL_OP_MSIE_SSLV2_RSA_PADDING; 84static const long SSL_OP_SSLEAY_080_CLIENT_DH_BUG; 85static const long SSL_OP_TLS_D5_BUG; 86static const long SSL_OP_TLS_BLOCK_PADDING_BUG; 87static const long SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; 88static const long SSL_OP_CIPHER_SERVER_PREFERENCE; 89static const long SSL_OP_TLS_ROLLBACK_BUG; 90static const long SSL_OP_PKCS1_CHECK_1; 91static const long SSL_OP_PKCS1_CHECK_2; 92static const long SSL_OP_NETSCAPE_CA_DN_BUG; 93static const long SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG; 94static const long SSL_OP_NO_QUERY_MTU; 95static const long SSL_OP_COOKIE_EXCHANGE; 96static const long SSL_OP_NO_TICKET; 97static const long SSL_OP_ALL; 98static const long SSL_OP_SINGLE_ECDH_USE; 99static const long SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; 100static const long SSL_OP_LEGACY_SERVER_CONNECT; 101static const long SSL_VERIFY_PEER; 102static const long SSL_VERIFY_FAIL_IF_NO_PEER_CERT; 103static const long SSL_VERIFY_CLIENT_ONCE; 104static const long SSL_VERIFY_NONE; 105static const long SSL_VERIFY_POST_HANDSHAKE; 106static const long SSL_SESS_CACHE_OFF; 107static const long SSL_SESS_CACHE_CLIENT; 108static const long SSL_SESS_CACHE_SERVER; 109static const long SSL_SESS_CACHE_BOTH; 110static const long SSL_SESS_CACHE_NO_AUTO_CLEAR; 111static const long SSL_SESS_CACHE_NO_INTERNAL_LOOKUP; 112static const long SSL_SESS_CACHE_NO_INTERNAL_STORE; 113static const long SSL_SESS_CACHE_NO_INTERNAL; 114static const long SSL_ST_CONNECT; 115static const long SSL_ST_ACCEPT; 116static const long SSL_ST_MASK; 117static const long SSL_ST_INIT; 118static const long SSL_ST_BEFORE; 119static const long SSL_ST_OK; 120static const long SSL_ST_RENEGOTIATE; 121static const long SSL_CB_LOOP; 122static const long SSL_CB_EXIT; 123static const long SSL_CB_READ; 124static const long SSL_CB_WRITE; 125static const long SSL_CB_ALERT; 126static const long SSL_CB_READ_ALERT; 127static const long SSL_CB_WRITE_ALERT; 128static const long SSL_CB_ACCEPT_LOOP; 129static const long SSL_CB_ACCEPT_EXIT; 130static const long SSL_CB_CONNECT_LOOP; 131static const long SSL_CB_CONNECT_EXIT; 132static const long SSL_CB_HANDSHAKE_START; 133static const long SSL_CB_HANDSHAKE_DONE; 134static const long SSL_MODE_RELEASE_BUFFERS; 135static const long SSL_MODE_ENABLE_PARTIAL_WRITE; 136static const long SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; 137static const long SSL_MODE_AUTO_RETRY; 138static const long SSL3_RANDOM_SIZE; 139static const long TLS_ST_BEFORE; 140static const long TLS_ST_OK; 141 142static const long OPENSSL_NPN_NEGOTIATED; 143 144typedef ... SSL_METHOD; 145typedef ... SSL_CTX; 146 147typedef ... SSL_SESSION; 148 149typedef ... SSL; 150 151static const long TLSEXT_NAMETYPE_host_name; 152static const long TLSEXT_STATUSTYPE_ocsp; 153 154typedef ... SSL_CIPHER; 155typedef ... Cryptography_STACK_OF_SSL_CIPHER; 156typedef ... COMP_METHOD; 157 158typedef struct { 159 const char *name; 160 unsigned long id; 161} SRTP_PROTECTION_PROFILE; 162""" 163 164FUNCTIONS = """ 165/* SSL */ 166const char *SSL_state_string_long(const SSL *); 167SSL_SESSION *SSL_get1_session(SSL *); 168int SSL_set_session(SSL *, SSL_SESSION *); 169int SSL_get_verify_mode(const SSL *); 170void SSL_set_verify(SSL *, int, int (*)(int, X509_STORE_CTX *)); 171void SSL_set_verify_depth(SSL *, int); 172int SSL_get_verify_depth(const SSL *); 173int (*SSL_get_verify_callback(const SSL *))(int, X509_STORE_CTX *); 174void SSL_set_info_callback(SSL *ssl, void (*)(const SSL *, int, int)); 175void (*SSL_get_info_callback(const SSL *))(const SSL *, int, int); 176SSL *SSL_new(SSL_CTX *); 177void SSL_free(SSL *); 178int SSL_set_fd(SSL *, int); 179SSL_CTX *SSL_get_SSL_CTX(const SSL *); 180SSL_CTX *SSL_set_SSL_CTX(SSL *, SSL_CTX *); 181BIO *SSL_get_rbio(const SSL *); 182BIO *SSL_get_wbio(const SSL *); 183void SSL_set_bio(SSL *, BIO *, BIO *); 184void SSL_set_connect_state(SSL *); 185void SSL_set_accept_state(SSL *); 186void SSL_set_shutdown(SSL *, int); 187int SSL_get_shutdown(const SSL *); 188int SSL_pending(const SSL *); 189int SSL_write(SSL *, const void *, int); 190int SSL_read(SSL *, void *, int); 191int SSL_peek(SSL *, void *, int); 192X509 *SSL_get_certificate(const SSL *); 193X509 *SSL_get_peer_certificate(const SSL *); 194int SSL_get_ex_data_X509_STORE_CTX_idx(void); 195 196/* Added in 1.0.2 */ 197X509_VERIFY_PARAM *SSL_get0_param(SSL *); 198 199int SSL_use_certificate(SSL *, X509 *); 200int SSL_use_certificate_ASN1(SSL *, const unsigned char *, int); 201int SSL_use_certificate_file(SSL *, const char *, int); 202int SSL_use_PrivateKey(SSL *, EVP_PKEY *); 203int SSL_use_PrivateKey_ASN1(int, SSL *, const unsigned char *, long); 204int SSL_use_PrivateKey_file(SSL *, const char *, int); 205int SSL_check_private_key(const SSL *); 206 207int SSL_get_sigalgs(SSL *, int, int *, int *, int *, unsigned char *, 208 unsigned char *); 209 210Cryptography_STACK_OF_X509 *SSL_get_peer_cert_chain(const SSL *); 211Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *); 212 213int SSL_get_error(const SSL *, int); 214int SSL_do_handshake(SSL *); 215int SSL_shutdown(SSL *); 216int SSL_renegotiate(SSL *); 217int SSL_renegotiate_pending(SSL *); 218const char *SSL_get_cipher_list(const SSL *, int); 219Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *); 220 221/* context */ 222void SSL_CTX_free(SSL_CTX *); 223long SSL_CTX_set_timeout(SSL_CTX *, long); 224int SSL_CTX_set_default_verify_paths(SSL_CTX *); 225void SSL_CTX_set_verify(SSL_CTX *, int, int (*)(int, X509_STORE_CTX *)); 226void SSL_CTX_set_verify_depth(SSL_CTX *, int); 227int (*SSL_CTX_get_verify_callback(const SSL_CTX *))(int, X509_STORE_CTX *); 228int SSL_CTX_get_verify_mode(const SSL_CTX *); 229int SSL_CTX_get_verify_depth(const SSL_CTX *); 230int SSL_CTX_set_cipher_list(SSL_CTX *, const char *); 231int SSL_CTX_load_verify_locations(SSL_CTX *, const char *, const char *); 232void SSL_CTX_set_default_passwd_cb(SSL_CTX *, pem_password_cb *); 233void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *, void *); 234int SSL_CTX_use_certificate(SSL_CTX *, X509 *); 235int SSL_CTX_use_certificate_ASN1(SSL_CTX *, int, const unsigned char *); 236int SSL_CTX_use_certificate_file(SSL_CTX *, const char *, int); 237int SSL_CTX_use_certificate_chain_file(SSL_CTX *, const char *); 238int SSL_CTX_use_PrivateKey(SSL_CTX *, EVP_PKEY *); 239int SSL_CTX_use_PrivateKey_ASN1(int, SSL_CTX *, const unsigned char *, long); 240int SSL_CTX_use_PrivateKey_file(SSL_CTX *, const char *, int); 241int SSL_CTX_check_private_key(const SSL_CTX *); 242void SSL_CTX_set_cert_verify_callback(SSL_CTX *, 243 int (*)(X509_STORE_CTX *, void *), 244 void *); 245 246void SSL_CTX_set_cookie_generate_cb(SSL_CTX *, 247 int (*)( 248 SSL *, 249 unsigned char *, 250 unsigned int * 251 )); 252long SSL_CTX_get_read_ahead(SSL_CTX *); 253long SSL_CTX_set_read_ahead(SSL_CTX *, long); 254 255int SSL_CTX_use_psk_identity_hint(SSL_CTX *, const char *); 256void SSL_CTX_set_psk_server_callback(SSL_CTX *, 257 unsigned int (*)( 258 SSL *, 259 const char *, 260 unsigned char *, 261 unsigned int 262 )); 263void SSL_CTX_set_psk_client_callback(SSL_CTX *, 264 unsigned int (*)( 265 SSL *, 266 const char *, 267 char *, 268 unsigned int, 269 unsigned char *, 270 unsigned int 271 )); 272 273int SSL_CTX_set_session_id_context(SSL_CTX *, const unsigned char *, 274 unsigned int); 275 276void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); 277X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); 278int SSL_CTX_add_client_CA(SSL_CTX *, X509 *); 279 280void SSL_CTX_set_client_CA_list(SSL_CTX *, Cryptography_STACK_OF_X509_NAME *); 281 282void SSL_CTX_set_info_callback(SSL_CTX *, void (*)(const SSL *, int, int)); 283void (*SSL_CTX_get_info_callback(SSL_CTX *))(const SSL *, int, int); 284 285long SSL_CTX_set1_sigalgs_list(SSL_CTX *, const char *); 286 287/* SSL_SESSION */ 288void SSL_SESSION_free(SSL_SESSION *); 289 290/* Information about actually used cipher */ 291const char *SSL_CIPHER_get_name(const SSL_CIPHER *); 292int SSL_CIPHER_get_bits(const SSL_CIPHER *, int *); 293/* the modern signature of this is uint32_t, but older openssl declared it 294 as unsigned long. To make our compiler flags happy we'll declare it as a 295 64-bit wide value, which should always be safe */ 296uint64_t SSL_CIPHER_get_id(const SSL_CIPHER *); 297int SSL_CIPHER_is_aead(const SSL_CIPHER *); 298int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *); 299int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *); 300int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *); 301int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *); 302 303size_t SSL_get_finished(const SSL *, void *, size_t); 304size_t SSL_get_peer_finished(const SSL *, void *, size_t); 305Cryptography_STACK_OF_X509_NAME *SSL_load_client_CA_file(const char *); 306 307const char *SSL_get_servername(const SSL *, const int); 308/* Function signature changed to const char * in 1.1.0 */ 309const char *SSL_CIPHER_get_version(const SSL_CIPHER *); 310/* These became macros in 1.1.0 */ 311int SSL_library_init(void); 312void SSL_load_error_strings(void); 313 314/* these CRYPTO_EX_DATA functions became macros in 1.1.0 */ 315int SSL_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *, 316 CRYPTO_EX_free *); 317int SSL_set_ex_data(SSL *, int, void *); 318int SSL_CTX_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *, 319 CRYPTO_EX_free *); 320int SSL_CTX_set_ex_data(SSL_CTX *, int, void *); 321 322SSL_SESSION *SSL_get_session(const SSL *); 323const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *, unsigned int *); 324long SSL_SESSION_get_time(const SSL_SESSION *); 325long SSL_SESSION_get_timeout(const SSL_SESSION *); 326int SSL_SESSION_has_ticket(const SSL_SESSION *); 327long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *); 328 329/* not a macro, but older OpenSSLs don't pass the args as const */ 330char *SSL_CIPHER_description(const SSL_CIPHER *, char *, int); 331int SSL_SESSION_print(BIO *, const SSL_SESSION *); 332 333/* not macros, but will be conditionally bound so can't live in functions */ 334const COMP_METHOD *SSL_get_current_compression(SSL *); 335const COMP_METHOD *SSL_get_current_expansion(SSL *); 336const char *SSL_COMP_get_name(const COMP_METHOD *); 337int SSL_CTX_set_client_cert_engine(SSL_CTX *, ENGINE *); 338 339unsigned long SSL_set_mode(SSL *, unsigned long); 340unsigned long SSL_get_mode(SSL *); 341 342unsigned long SSL_set_options(SSL *, unsigned long); 343unsigned long SSL_get_options(SSL *); 344 345void SSL_set_app_data(SSL *, char *); 346char * SSL_get_app_data(SSL *); 347void SSL_set_read_ahead(SSL *, int); 348 349int SSL_want_read(const SSL *); 350int SSL_want_write(const SSL *); 351 352long SSL_total_renegotiations(SSL *); 353long SSL_get_secure_renegotiation_support(SSL *); 354 355/* Defined as unsigned long because SSL_OP_ALL is greater than signed 32-bit 356 and Windows defines long as 32-bit. */ 357unsigned long SSL_CTX_set_options(SSL_CTX *, unsigned long); 358unsigned long SSL_CTX_clear_options(SSL_CTX *, unsigned long); 359unsigned long SSL_CTX_get_options(SSL_CTX *); 360unsigned long SSL_CTX_set_mode(SSL_CTX *, unsigned long); 361unsigned long SSL_CTX_get_mode(SSL_CTX *); 362unsigned long SSL_CTX_set_session_cache_mode(SSL_CTX *, unsigned long); 363unsigned long SSL_CTX_get_session_cache_mode(SSL_CTX *); 364unsigned long SSL_CTX_set_tmp_dh(SSL_CTX *, DH *); 365unsigned long SSL_CTX_set_tmp_ecdh(SSL_CTX *, EC_KEY *); 366unsigned long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *); 367 368/*- These aren't macros these functions are all const X on openssl > 1.0.x -*/ 369 370/* methods */ 371 372/* 373 * TLSv1_1 and TLSv1_2 are recent additions. Only sufficiently new versions of 374 * OpenSSL support them. 375 */ 376const SSL_METHOD *TLSv1_1_method(void); 377const SSL_METHOD *TLSv1_1_server_method(void); 378const SSL_METHOD *TLSv1_1_client_method(void); 379 380const SSL_METHOD *TLSv1_2_method(void); 381const SSL_METHOD *TLSv1_2_server_method(void); 382const SSL_METHOD *TLSv1_2_client_method(void); 383 384const SSL_METHOD *SSLv3_method(void); 385const SSL_METHOD *SSLv3_server_method(void); 386const SSL_METHOD *SSLv3_client_method(void); 387 388const SSL_METHOD *TLSv1_method(void); 389const SSL_METHOD *TLSv1_server_method(void); 390const SSL_METHOD *TLSv1_client_method(void); 391 392const SSL_METHOD *DTLSv1_method(void); 393const SSL_METHOD *DTLSv1_server_method(void); 394const SSL_METHOD *DTLSv1_client_method(void); 395 396/* Added in 1.0.2 */ 397const SSL_METHOD *DTLS_method(void); 398const SSL_METHOD *DTLS_server_method(void); 399const SSL_METHOD *DTLS_client_method(void); 400 401const SSL_METHOD *SSLv23_method(void); 402const SSL_METHOD *SSLv23_server_method(void); 403const SSL_METHOD *SSLv23_client_method(void); 404 405/*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/ 406SSL_CTX *SSL_CTX_new(SSL_METHOD *); 407long SSL_CTX_get_timeout(const SSL_CTX *); 408 409const SSL_CIPHER *SSL_get_current_cipher(const SSL *); 410const char *SSL_get_version(const SSL *); 411int SSL_version(const SSL *); 412 413void *SSL_CTX_get_ex_data(const SSL_CTX *, int); 414void *SSL_get_ex_data(const SSL *, int); 415 416void SSL_set_tlsext_host_name(SSL *, char *); 417void SSL_CTX_set_tlsext_servername_callback( 418 SSL_CTX *, 419 int (*)(SSL *, int *, void *)); 420void SSL_CTX_set_tlsext_servername_arg( 421 SSL_CTX *, void *); 422 423long SSL_set_tlsext_status_ocsp_resp(SSL *, unsigned char *, int); 424long SSL_get_tlsext_status_ocsp_resp(SSL *, const unsigned char **); 425long SSL_set_tlsext_status_type(SSL *, long); 426long SSL_CTX_set_tlsext_status_cb(SSL_CTX *, int(*)(SSL *, void *)); 427long SSL_CTX_set_tlsext_status_arg(SSL_CTX *, void *); 428 429int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *, const char *); 430int SSL_set_tlsext_use_srtp(SSL *, const char *); 431SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *); 432 433long SSL_session_reused(SSL *); 434 435void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *, 436 int (*)(SSL *, 437 const unsigned char **, 438 unsigned int *, 439 void *), 440 void *); 441void SSL_CTX_set_next_proto_select_cb(SSL_CTX *, 442 int (*)(SSL *, 443 unsigned char **, 444 unsigned char *, 445 const unsigned char *, 446 unsigned int, 447 void *), 448 void *); 449int SSL_select_next_proto(unsigned char **, unsigned char *, 450 const unsigned char *, unsigned int, 451 const unsigned char *, unsigned int); 452void SSL_get0_next_proto_negotiated(const SSL *, 453 const unsigned char **, unsigned *); 454 455int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *); 456const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int); 457 458/* ALPN APIs were introduced in OpenSSL 1.0.2. To continue to support earlier 459 * versions some special handling of these is necessary. 460 */ 461int SSL_CTX_set_alpn_protos(SSL_CTX *, const unsigned char *, unsigned); 462int SSL_set_alpn_protos(SSL *, const unsigned char *, unsigned); 463void SSL_CTX_set_alpn_select_cb(SSL_CTX *, 464 int (*) (SSL *, 465 const unsigned char **, 466 unsigned char *, 467 const unsigned char *, 468 unsigned int, 469 void *), 470 void *); 471void SSL_get0_alpn_selected(const SSL *, const unsigned char **, unsigned *); 472 473long SSL_get_server_tmp_key(SSL *, EVP_PKEY **); 474 475/* SSL_CTX_set_cert_cb is introduced in OpenSSL 1.0.2. To continue to support 476 * earlier versions some special handling of these is necessary. 477 */ 478void SSL_CTX_set_cert_cb(SSL_CTX *, int (*)(SSL *, void *), void *); 479void SSL_set_cert_cb(SSL *, int (*)(SSL *, void *), void *); 480 481/* Added in 1.0.2 */ 482const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *); 483 484int SSL_SESSION_set1_id_context(SSL_SESSION *, const unsigned char *, 485 unsigned int); 486/* Added in 1.1.0 for the great opaquing of structs */ 487size_t SSL_SESSION_get_master_key(const SSL_SESSION *, unsigned char *, 488 size_t); 489size_t SSL_get_client_random(const SSL *, unsigned char *, size_t); 490size_t SSL_get_server_random(const SSL *, unsigned char *, size_t); 491int SSL_export_keying_material(SSL *, unsigned char *, size_t, const char *, 492 size_t, const unsigned char *, size_t, int); 493 494long SSL_CTX_sess_number(SSL_CTX *); 495long SSL_CTX_sess_connect(SSL_CTX *); 496long SSL_CTX_sess_connect_good(SSL_CTX *); 497long SSL_CTX_sess_connect_renegotiate(SSL_CTX *); 498long SSL_CTX_sess_accept(SSL_CTX *); 499long SSL_CTX_sess_accept_good(SSL_CTX *); 500long SSL_CTX_sess_accept_renegotiate(SSL_CTX *); 501long SSL_CTX_sess_hits(SSL_CTX *); 502long SSL_CTX_sess_cb_hits(SSL_CTX *); 503long SSL_CTX_sess_misses(SSL_CTX *); 504long SSL_CTX_sess_timeouts(SSL_CTX *); 505long SSL_CTX_sess_cache_full(SSL_CTX *); 506 507/* DTLS support */ 508long Cryptography_DTLSv1_get_timeout(SSL *, time_t *, long *); 509long DTLSv1_handle_timeout(SSL *); 510long DTLS_set_link_mtu(SSL *, long); 511long DTLS_get_link_min_mtu(SSL *); 512 513/* Custom extensions. */ 514typedef int (*custom_ext_add_cb)(SSL *, unsigned int, 515 const unsigned char **, 516 size_t *, int *, 517 void *); 518 519typedef void (*custom_ext_free_cb)(SSL *, unsigned int, 520 const unsigned char *, 521 void *); 522 523typedef int (*custom_ext_parse_cb)(SSL *, unsigned int, 524 const unsigned char *, 525 size_t, int *, 526 void *); 527 528int SSL_CTX_add_client_custom_ext(SSL_CTX *, unsigned int, 529 custom_ext_add_cb, 530 custom_ext_free_cb, void *, 531 custom_ext_parse_cb, 532 void *); 533 534int SSL_CTX_add_server_custom_ext(SSL_CTX *, unsigned int, 535 custom_ext_add_cb, 536 custom_ext_free_cb, void *, 537 custom_ext_parse_cb, 538 void *); 539 540int SSL_extension_supported(unsigned int); 541 542int SSL_CTX_set_ciphersuites(SSL_CTX *, const char *); 543int SSL_verify_client_post_handshake(SSL *); 544void SSL_CTX_set_post_handshake_auth(SSL_CTX *, int); 545void SSL_set_post_handshake_auth(SSL *, int); 546 547uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *); 548int SSL_write_early_data(SSL *, const void *, size_t, size_t *); 549int SSL_read_early_data(SSL *, void *, size_t, size_t *); 550int SSL_CTX_set_max_early_data(SSL_CTX *, uint32_t); 551""" 552 553CUSTOMIZATIONS = """ 554/* Added in 1.0.2 but we need it in all versions now due to the great 555 opaquing. */ 556#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 557/* from ssl/ssl_lib.c */ 558const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) { 559 return ctx->method; 560} 561#endif 562 563/* Added in 1.1.0 in the great opaquing, but we need to define it for older 564 OpenSSLs. Such is our burden. */ 565#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER 566/* from ssl/ssl_lib.c */ 567size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen) 568{ 569 if (outlen == 0) 570 return sizeof(ssl->s3->client_random); 571 if (outlen > sizeof(ssl->s3->client_random)) 572 outlen = sizeof(ssl->s3->client_random); 573 memcpy(out, ssl->s3->client_random, outlen); 574 return outlen; 575} 576/* Added in 1.1.0 as well */ 577/* from ssl/ssl_lib.c */ 578size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen) 579{ 580 if (outlen == 0) 581 return sizeof(ssl->s3->server_random); 582 if (outlen > sizeof(ssl->s3->server_random)) 583 outlen = sizeof(ssl->s3->server_random); 584 memcpy(out, ssl->s3->server_random, outlen); 585 return outlen; 586} 587/* Added in 1.1.0 as well */ 588/* from ssl/ssl_lib.c */ 589size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, 590 unsigned char *out, size_t outlen) 591{ 592 if (session->master_key_length < 0) { 593 /* Should never happen */ 594 return 0; 595 } 596 if (outlen == 0) 597 return session->master_key_length; 598 if (outlen > (size_t)session->master_key_length) 599 outlen = session->master_key_length; 600 memcpy(out, session->master_key, outlen); 601 return outlen; 602} 603/* from ssl/ssl_sess.c */ 604int SSL_SESSION_has_ticket(const SSL_SESSION *s) 605{ 606 return (s->tlsext_ticklen > 0) ? 1 : 0; 607} 608/* from ssl/ssl_sess.c */ 609unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s) 610{ 611 return s->tlsext_tick_lifetime_hint; 612} 613#endif 614 615static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1; 616 617/* Cryptography now compiles out all SSLv2 bindings. This exists to allow 618 * clients that use it to check for SSLv2 support to keep functioning as 619 * expected. 620 */ 621static const long Cryptography_HAS_SSL2 = 0; 622 623#ifdef OPENSSL_NO_SSL3_METHOD 624static const long Cryptography_HAS_SSL3_METHOD = 0; 625SSL_METHOD* (*SSLv3_method)(void) = NULL; 626SSL_METHOD* (*SSLv3_client_method)(void) = NULL; 627SSL_METHOD* (*SSLv3_server_method)(void) = NULL; 628#else 629static const long Cryptography_HAS_SSL3_METHOD = 1; 630#endif 631 632static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1; 633static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB = 1; 634static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP = 1; 635static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE = 1; 636static const long Cryptography_HAS_RELEASE_BUFFERS = 1; 637static const long Cryptography_HAS_OP_NO_COMPRESSION = 1; 638static const long Cryptography_HAS_TLSv1_1 = 1; 639static const long Cryptography_HAS_TLSv1_2 = 1; 640static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1; 641static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1; 642static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1; 643static const long Cryptography_HAS_NEXTPROTONEG = 1; 644 645/* SSL_get0_param was added in OpenSSL 1.0.2. */ 646#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER 647X509_VERIFY_PARAM *(*SSL_get0_param)(SSL *) = NULL; 648#else 649#endif 650 651/* ALPN was added in OpenSSL 1.0.2. */ 652#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_IS_LIBRESSL 653int (*SSL_CTX_set_alpn_protos)(SSL_CTX *, 654 const unsigned char *, 655 unsigned) = NULL; 656int (*SSL_set_alpn_protos)(SSL *, const unsigned char *, unsigned) = NULL; 657void (*SSL_CTX_set_alpn_select_cb)(SSL_CTX *, 658 int (*) (SSL *, 659 const unsigned char **, 660 unsigned char *, 661 const unsigned char *, 662 unsigned int, 663 void *), 664 void *) = NULL; 665void (*SSL_get0_alpn_selected)(const SSL *, 666 const unsigned char **, 667 unsigned *) = NULL; 668static const long Cryptography_HAS_ALPN = 0; 669#else 670static const long Cryptography_HAS_ALPN = 1; 671#endif 672 673/* SSL_CTX_set_cert_cb was added in OpenSSL 1.0.2. */ 674#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 675void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL; 676void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL; 677static const long Cryptography_HAS_SET_CERT_CB = 0; 678#else 679static const long Cryptography_HAS_SET_CERT_CB = 1; 680#endif 681 682 683/* In OpenSSL 1.0.2i+ the handling of COMP_METHOD when OPENSSL_NO_COMP was 684 changed and we no longer need to typedef void */ 685#if (defined(OPENSSL_NO_COMP) && CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I) || \ 686 CRYPTOGRAPHY_IS_LIBRESSL 687static const long Cryptography_HAS_COMPRESSION = 0; 688typedef void COMP_METHOD; 689#else 690static const long Cryptography_HAS_COMPRESSION = 1; 691#endif 692 693#if defined(SSL_CTRL_GET_SERVER_TMP_KEY) 694static const long Cryptography_HAS_GET_SERVER_TMP_KEY = 1; 695#else 696static const long Cryptography_HAS_GET_SERVER_TMP_KEY = 0; 697long (*SSL_get_server_tmp_key)(SSL *, EVP_PKEY **) = NULL; 698#endif 699 700static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE = 1; 701 702static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS = 1; 703 704/* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were 705 removed */ 706#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 707static const long Cryptography_HAS_SSL_ST = 1; 708#else 709static const long Cryptography_HAS_SSL_ST = 0; 710static const long SSL_ST_BEFORE = 0; 711static const long SSL_ST_OK = 0; 712static const long SSL_ST_INIT = 0; 713static const long SSL_ST_RENEGOTIATE = 0; 714#endif 715#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER 716static const long Cryptography_HAS_TLS_ST = 1; 717#else 718static const long Cryptography_HAS_TLS_ST = 0; 719static const long TLS_ST_BEFORE = 0; 720static const long TLS_ST_OK = 0; 721#endif 722 723#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 724static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0; 725const SSL_METHOD *(*DTLS_method)(void) = NULL; 726const SSL_METHOD *(*DTLS_server_method)(void) = NULL; 727const SSL_METHOD *(*DTLS_client_method)(void) = NULL; 728static const long SSL_OP_NO_DTLSv1 = 0; 729static const long SSL_OP_NO_DTLSv1_2 = 0; 730long (*DTLS_set_link_mtu)(SSL *, long) = NULL; 731long (*DTLS_get_link_min_mtu)(SSL *) = NULL; 732#else 733static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1; 734#endif 735 736static const long Cryptography_HAS_DTLS = 1; 737/* Wrap DTLSv1_get_timeout to avoid cffi to handle a 'struct timeval'. */ 738long Cryptography_DTLSv1_get_timeout(SSL *ssl, time_t *ptv_sec, 739 long *ptv_usec) { 740 struct timeval tv = { 0 }; 741 long r = DTLSv1_get_timeout(ssl, &tv); 742 743 if (r == 1) { 744 if (ptv_sec) { 745 *ptv_sec = tv.tv_sec; 746 } 747 748 if (ptv_usec) { 749 *ptv_usec = tv.tv_usec; 750 } 751 } 752 753 return r; 754} 755 756#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 757static const long Cryptography_HAS_SIGALGS = 0; 758const int (*SSL_get_sigalgs)(SSL *, int, int *, int *, int *, unsigned char *, 759 unsigned char *) = NULL; 760const long (*SSL_CTX_set1_sigalgs_list)(SSL_CTX *, const char *) = NULL; 761#else 762static const long Cryptography_HAS_SIGALGS = 1; 763#endif 764 765#if CRYPTOGRAPHY_IS_LIBRESSL || defined(OPENSSL_NO_PSK) 766static const long Cryptography_HAS_PSK = 0; 767int (*SSL_CTX_use_psk_identity_hint)(SSL_CTX *, const char *) = NULL; 768void (*SSL_CTX_set_psk_server_callback)(SSL_CTX *, 769 unsigned int (*)( 770 SSL *, 771 const char *, 772 unsigned char *, 773 unsigned int 774 )) = NULL; 775void (*SSL_CTX_set_psk_client_callback)(SSL_CTX *, 776 unsigned int (*)( 777 SSL *, 778 const char *, 779 char *, 780 unsigned int, 781 unsigned char *, 782 unsigned int 783 )) = NULL; 784#else 785static const long Cryptography_HAS_PSK = 1; 786#endif 787 788/* 789 * Custom extensions were added in 1.0.2. 1.1.1 is adding a more general 790 * SSL_CTX_add_custom_ext function, but we're not binding that yet. 791 */ 792#if CRYPTOGRAPHY_OPENSSL_102_OR_GREATER 793static const long Cryptography_HAS_CUSTOM_EXT = 1; 794#else 795static const long Cryptography_HAS_CUSTOM_EXT = 0; 796 797typedef int (*custom_ext_add_cb)(SSL *, unsigned int, 798 const unsigned char **, 799 size_t *, int *, 800 void *); 801 802typedef void (*custom_ext_free_cb)(SSL *, unsigned int, 803 const unsigned char *, 804 void *); 805 806typedef int (*custom_ext_parse_cb)(SSL *, unsigned int, 807 const unsigned char *, 808 size_t, int *, 809 void *); 810 811int (*SSL_CTX_add_client_custom_ext)(SSL_CTX *, unsigned int, 812 custom_ext_add_cb, 813 custom_ext_free_cb, void *, 814 custom_ext_parse_cb, 815 void *) = NULL; 816 817int (*SSL_CTX_add_server_custom_ext)(SSL_CTX *, unsigned int, 818 custom_ext_add_cb, 819 custom_ext_free_cb, void *, 820 custom_ext_parse_cb, 821 void *) = NULL; 822 823int (*SSL_extension_supported)(unsigned int) = NULL; 824#endif 825 826#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER 827int (*SSL_CIPHER_is_aead)(const SSL_CIPHER *) = NULL; 828int (*SSL_CIPHER_get_cipher_nid)(const SSL_CIPHER *) = NULL; 829int (*SSL_CIPHER_get_digest_nid)(const SSL_CIPHER *) = NULL; 830int (*SSL_CIPHER_get_kx_nid)(const SSL_CIPHER *) = NULL; 831int (*SSL_CIPHER_get_auth_nid)(const SSL_CIPHER *) = NULL; 832static const long Cryptography_HAS_CIPHER_DETAILS = 0; 833#else 834static const long Cryptography_HAS_CIPHER_DETAILS = 1; 835#endif 836 837#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 838static const long Cryptography_HAS_TLSv1_3 = 0; 839static const long SSL_OP_NO_TLSv1_3 = 0; 840static const long SSL_VERIFY_POST_HANDSHAKE = 0; 841int (*SSL_CTX_set_ciphersuites)(SSL_CTX *, const char *) = NULL; 842int (*SSL_verify_client_post_handshake)(SSL *) = NULL; 843void (*SSL_CTX_set_post_handshake_auth)(SSL_CTX *, int) = NULL; 844void (*SSL_set_post_handshake_auth)(SSL *, int) = NULL; 845uint32_t (*SSL_SESSION_get_max_early_data)(const SSL_SESSION *) = NULL; 846int (*SSL_write_early_data)(SSL *, const void *, size_t, size_t *) = NULL; 847int (*SSL_read_early_data)(SSL *, void *, size_t, size_t *) = NULL; 848int (*SSL_CTX_set_max_early_data)(SSL_CTX *, uint32_t) = NULL; 849#else 850static const long Cryptography_HAS_TLSv1_3 = 1; 851#endif 852""" 853