bpo-41195: Add getter for Openssl security level (GH-21282)

Add an accessor under SSLContext.security_level as a wrapper around
SSL_CTX_get_security_level, see:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html


------
This is my first time contributing, so please pull me up on all the things I missed or did incorrectly.

Automerge-Triggered-By: @tiran
This commit is contained in:
matthewhughes934 2020-07-17 09:59:15 +01:00 committed by GitHub
parent 38d3864efe
commit 8e836bb21c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 44 additions and 0 deletions

View File

@ -2032,6 +2032,16 @@ to speed up repeated connections from the same clients.
.. versionadded:: 3.7
.. attribute:: SSLContext.security_level
An integer representing the `security level
<https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html>`_
for the context. This attribute is read-only.
.. availability:: OpenSSL 1.1.0 or newer
.. versionadded:: 3.10
.. attribute:: SSLContext.verify_flags
The flags for certificate verification operations. You can set flags like

View File

@ -1270,6 +1270,25 @@ class ContextTests(unittest.TestCase):
ctx.maximum_version = ssl.TLSVersion.TLSv1
@unittest.skipUnless(
hasattr(ssl.SSLContext, 'security_level'),
"requires OpenSSL >= 1.1.0"
)
def test_security_level(self):
ctx = ssl.SSLContext()
# The default security callback allows for levels between 0-5
# with OpenSSL defaulting to 1, however some vendors override the
# default value (e.g. Debian defaults to 2)
security_level_range = {
0,
1, # OpenSSL default
2, # Debian
3,
4,
5,
}
self.assertIn(ctx.security_level, security_level_range)
@unittest.skipUnless(have_verify_flags(),
"verify_flags need OpenSSL > 0.9.8")
def test_verify_flags(self):

View File

@ -0,0 +1,2 @@
Add read-only ssl.SSLContext.security_level attribute to retrieve the
context's security level.

View File

@ -3746,6 +3746,15 @@ PyDoc_STRVAR(PySSLContext_num_tickets_doc,
"Control the number of TLSv1.3 session tickets");
#endif /* OpenSSL 1.1.1 */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
static PyObject *
get_security_level(PySSLContext *self, void *c)
{
return PyLong_FromLong(SSL_CTX_get_security_level(self->ctx));
}
PyDoc_STRVAR(PySSLContext_security_level_doc, "The current security level");
#endif /* OpenSSL 1.1.0 */
static PyObject *
get_options(PySSLContext *self, void *c)
{
@ -4793,6 +4802,10 @@ static PyGetSetDef context_getsetlist[] = {
(setter) set_verify_flags, NULL},
{"verify_mode", (getter) get_verify_mode,
(setter) set_verify_mode, NULL},
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
{"security_level", (getter) get_security_level,
NULL, PySSLContext_security_level_doc},
#endif
{NULL}, /* sentinel */
};