Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump. ok beck@
libressl · May 6, 2017 · 56f1072 · 56f1072
1 parent fe3a6f1
commit 56f1072
Show file tree

Hide file tree

Showing 6 changed files with 115 additions and 5 deletions.
diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list
@@ -97,6 +97,8 @@ SSL_CTX_set_default_verify_paths
 SSL_CTX_set_ex_data
 SSL_CTX_set_generate_session_id
 SSL_CTX_set_info_callback
+SSL_CTX_set_min_proto_version
+SSL_CTX_set_max_proto_version
 SSL_CTX_set_msg_callback
 SSL_CTX_set_next_proto_select_cb
 SSL_CTX_set_next_protos_advertised_cb
@@ -229,6 +231,8 @@ SSL_set_ex_data
 SSL_set_fd
 SSL_set_generate_session_id
 SSL_set_info_callback
+SSL_set_min_proto_version
+SSL_set_max_proto_version
 SSL_set_msg_callback
 SSL_set_purpose
 SSL_set_quiet_shutdown

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.140 2017/04/10 17:27:33 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.141 2017/05/06 20:37:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2141,6 +2141,16 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 		ret = ssl_ctrl_get_server_tmp_key(s, parg);
 		break;
 
+	case SSL_CTRL_SET_MIN_PROTO_VERSION:
+		if (larg < 0 || larg > UINT16_MAX)
+			return (0);
+		return SSL_set_min_proto_version(s, larg);
+
+	case SSL_CTRL_SET_MAX_PROTO_VERSION:
+		if (larg < 0 || larg > UINT16_MAX)
+			return (0);
+		return SSL_set_max_proto_version(s, larg);
+
 	default:
 		break;
 	}
@@ -2323,6 +2333,16 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 	case SSL_CTRL_SET_GROUPS_LIST:
 		return SSL_CTX_set1_groups_list(ctx, parg);
 
+	case SSL_CTRL_SET_MIN_PROTO_VERSION:
+		if (larg < 0 || larg > UINT16_MAX)
+			return (0);
+		return SSL_CTX_set_min_proto_version(ctx, larg);
+
+	case SSL_CTRL_SET_MAX_PROTO_VERSION:
+		if (larg < 0 || larg > UINT16_MAX)
+			return (0);
+		return SSL_CTX_set_max_proto_version(ctx, larg);
+
 	default:
 		return (0);
 	}

diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.127 2017/02/05 15:06:05 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.128 2017/05/06 20:37:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1129,6 +1129,9 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 
 #define SSL_CTRL_SET_DH_AUTO			118
 
+#define SSL_CTRL_SET_MIN_PROTO_VERSION			123
+#define SSL_CTRL_SET_MAX_PROTO_VERSION			124
+
 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
 #define DTLSv1_handle_timeout(ssl) \
@@ -1177,6 +1180,12 @@ int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);
 int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len);
 int SSL_set1_groups_list(SSL *ssl, const char *groups);
 
+int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
+int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);
+
+int SSL_set_min_proto_version(SSL *ssl, uint16_t version);
+int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
+
 #ifndef LIBRESSL_INTERNAL
 #define SSL_CTRL_SET_CURVES			SSL_CTRL_SET_GROUPS
 #define SSL_CTRL_SET_CURVES_LIST		SSL_CTRL_SET_GROUPS_LIST

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.158 2017/02/28 14:08:49 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.159 2017/05/06 20:37:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2969,6 +2969,33 @@ SSL_cache_hit(SSL *s)
 	return (s->internal->hit);
 }
 
+int
+SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
+{
+	return ssl_version_set_min(ctx->method, version,
+	    ctx->internal->max_version, &ctx->internal->min_version);
+}
+
+int
+SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
+{
+	return ssl_version_set_max(ctx->method, version,
+	    ctx->internal->min_version, &ctx->internal->max_version);
+}
+
+int
+SSL_set_min_proto_version(SSL *ssl, uint16_t version)
+{
+	return ssl_version_set_min(ssl->method, version,
+	    ssl->internal->max_version, &ssl->internal->min_version);
+}
+
+int
+SSL_set_max_proto_version(SSL *ssl, uint16_t version)
+{
+	return ssl_version_set_max(ssl->method, version,
+	    ssl->internal->min_version, &ssl->internal->max_version);
+}
 
 static int
 ssl_cipher_id_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)

diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.178 2017/03/10 16:03:27 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.179 2017/05/06 20:37:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1061,6 +1061,10 @@ const char *ssl_version_string(int ver);
 int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
+int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
+    uint16_t *out_ver);
+int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
+    uint16_t *out_ver);
 uint16_t ssl_max_server_version(SSL *s);
 
 const SSL_METHOD *dtls1_get_client_method(int ver);

diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.2 2017/05/06 16:18:36 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.3 2017/05/06 20:37:25 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -34,6 +34,52 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
 	return 1;
 }
 
+int
+ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
+    uint16_t *out_ver)
+{
+	uint16_t min_version, max_version;
+
+	if (ver == 0) {
+		*out_ver = meth->internal->min_version;
+		return 1;
+	}
+
+	min_version = ver;
+	max_version = max_ver;
+
+	if (!ssl_clamp_version_range(&min_version, &max_version,
+	    meth->internal->min_version, meth->internal->max_version))
+		return 0;
+
+	*out_ver = min_version;
+
+	return 1;
+}
+
+int
+ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
+    uint16_t *out_ver)
+{
+	uint16_t min_version, max_version;
+
+	if (ver == 0) {
+		*out_ver = meth->internal->max_version;
+		return 1;
+	}
+
+	min_version = min_ver;
+	max_version = ver;
+
+	if (!ssl_clamp_version_range(&min_version, &max_version,
+	    meth->internal->min_version, meth->internal->max_version))
+		return 0;
+
+	*out_ver = max_version;
+
+	return 1;
+}
+
 int
 ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 {