Skip to content

Expose a few more OpenSSL functions that are useful for DTLS support #6138

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
alex merged 9 commits into from
Jun 30, 2021
Merged

Expose a few more OpenSSL functions that are useful for DTLS support #6138

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
585605d
Expose a few more OpenSSL functions that are useful for DTLS support
njsmith Jun 26, 2021
c7f3d4d
Move BIO_ADDR gunk to proper place
njsmith Jun 26, 2021
60fd092
const correct
njsmith Jun 27, 2021
8278a69
Throw more #ifdefs at the wall and see if they stick
njsmith Jun 27, 2021
e919764
njsmith used "think about what he's doing"
njsmith Jun 28, 2021
1028b7d
LibreSSL is not my favorite library
njsmith Jun 28, 2021
ad45530
Attempt to hide my new undefined symbols
njsmith Jun 28, 2021
ae8ed2d
deflake
njsmith Jun 30, 2021
1a31c42
Give up on trying to check function pointers for NULLness
njsmith Jun 30, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions src/_cffi_src/openssl/bio.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
TYPES = """
typedef ... BIO;
typedef ... BIO_METHOD;
typedef ... BIO_ADDR;
"""

FUNCTIONS = """
Expand Down Expand Up @@ -37,7 +38,23 @@
int BIO_reset(BIO *);
void BIO_set_retry_read(BIO *);
void BIO_clear_retry_flags(BIO *);

BIO_ADDR *BIO_ADDR_new(void);
void BIO_ADDR_free(BIO_ADDR *);
"""

CUSTOMIZATIONS = """
#if CRYPTOGRAPHY_IS_LIBRESSL
#include <sys/socket.h>
#include <stdlib.h>
typedef struct sockaddr BIO_ADDR;

BIO_ADDR *BIO_ADDR_new(void) {
return malloc(sizeof(struct sockaddr_storage));
}

void BIO_ADDR_free(BIO_ADDR *ptr) {
free(ptr);
}
#endif
"""
28 changes: 28 additions & 0 deletions src/_cffi_src/openssl/ssl.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
* supported
*/
static const long Cryptography_HAS_OP_NO_COMPRESSION;
static const long Cryptography_HAS_OP_NO_RENEGOTIATION;
static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING;
static const long Cryptography_HAS_SSL_SET_SSL_CTX;
static const long Cryptography_HAS_SSL_OP_NO_TICKET;
Expand All @@ -43,6 +44,7 @@
static const long Cryptography_HAS_SET_CERT_CB;
static const long Cryptography_HAS_CUSTOM_EXT;
static const long Cryptography_HAS_SRTP;
static const long Cryptography_HAS_DTLS_GET_DATA_MTU;

static const long SSL_FILETYPE_PEM;
static const long SSL_FILETYPE_ASN1;
Expand All @@ -64,6 +66,7 @@
static const long SSL_OP_NO_TLSv1_3;
static const long SSL_OP_NO_DTLSv1;
static const long SSL_OP_NO_DTLSv1_2;
static const long SSL_OP_NO_RENEGOTIATION;
static const long SSL_OP_NO_COMPRESSION;
static const long SSL_OP_SINGLE_DH_USE;
static const long SSL_OP_EPHEMERAL_RSA;
Expand Down Expand Up @@ -225,6 +228,13 @@
unsigned char *,
unsigned int *
));
void SSL_CTX_set_cookie_verify_cb(SSL_CTX *,
int (*)(
SSL *,
const unsigned char *,
unsigned int
));

long SSL_CTX_get_read_ahead(SSL_CTX *);
long SSL_CTX_set_read_ahead(SSL_CTX *, long);

Expand Down Expand Up @@ -468,6 +478,10 @@
long DTLSv1_handle_timeout(SSL *);
long DTLS_set_link_mtu(SSL *, long);
long DTLS_get_link_min_mtu(SSL *);
long SSL_set_mtu(SSL *, long);
int DTLSv1_listen(SSL *, BIO_ADDR *);
size_t DTLS_get_data_mtu(SSL *);


/* Custom extensions. */
typedef int (*custom_ext_add_cb)(SSL *, unsigned int,
Expand Down Expand Up @@ -556,6 +570,13 @@
static const long Cryptography_HAS_NEXTPROTONEG = 0;
static const long Cryptography_HAS_ALPN = 1;

#ifdef SSL_OP_NO_RENEGOTIATION
static const long Cryptography_HAS_OP_NO_RENEGOTIATION = 1;
#else
static const long Cryptography_HAS_OP_NO_RENEGOTIATION = 0;
Comment thread
njsmith marked this conversation as resolved.
static const long SSL_OP_NO_RENEGOTIATION = 0;
#endif

#if CRYPTOGRAPHY_IS_LIBRESSL
void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL;
void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL;
Expand Down Expand Up @@ -594,6 +615,13 @@
long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
#endif

#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
static const long Cryptography_HAS_DTLS_GET_DATA_MTU = 0;
size_t (*DTLS_get_data_mtu)(SSL *) = NULL;
Copy link
Copy Markdown
Member

@reaperhulk reaperhulk Jun 28, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Take a look in _conditional.py to see what we do when a symbol isn't actually available.

Copy link
Copy Markdown
Contributor Author

@njsmith njsmith Jun 28, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like currently, _conditional.py doesn't actually remove any conditionally-available functions (e.g. DTLS_get_link_min_mtu, visible just above my new code in the diff, doesn't appear there). So I made my best guess at how it should work for DTLS_get_data_mtu -- take a look.

Copy link
Copy Markdown
Member

@reaperhulk reaperhulk Jun 28, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ha, I would argue that is a bug (we don't want callables that are null func ptrs!). Looks like that's a thing we need to separately fix for the DTLS bindings though...

#else
static const long Cryptography_HAS_DTLS_GET_DATA_MTU = 1;
#endif

static const long Cryptography_HAS_DTLS = 1;
/* Wrap DTLSv1_get_timeout to avoid cffi to handle a 'struct timeval'. */
long Cryptography_DTLSv1_get_timeout(SSL *ssl, time_t *ptv_sec,
Expand Down
16 changes: 16 additions & 0 deletions src/cryptography/hazmat/bindings/openssl/_conditional.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,6 +244,18 @@ def cryptography_has_providers():
]


def cryptography_has_op_no_renegotiation():
return [
"SSL_OP_NO_RENEGOTIATION",
]


def cryptography_has_dtls_get_data_mtu():
return [
"DTLS_get_data_mtu",
]


# This is a mapping of
# {condition: function-returning-names-dependent-on-that-condition} so we can
# loop over them and delete unsupported names at runtime. It will be removed
Expand Down Expand Up @@ -291,4 +303,8 @@ def cryptography_has_providers():
"Cryptography_HAS_SRTP": cryptography_has_srtp,
"Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
"Cryptography_HAS_PROVIDERS": cryptography_has_providers,
"Cryptography_HAS_OP_NO_RENEGOTIATION": (
cryptography_has_op_no_renegotiation
),
"Cryptography_HAS_DTLS_GET_DATA_MTU": cryptography_has_dtls_get_data_mtu,
}