Pull out (and largely rewrite) the code that determines the enabled

protocol version range. This also fixes a bug whereby if all protocols were disabled, the client would still use TLSv1.2 in the client hello, only to have if fail with unsupported version when it received and processed the server hello. ok doug@
author: jsing <> 2016-12-30 16:57:01 +0000
committer: jsing <> 2016-12-30 16:57:01 +0000
commit: ed12fcbf0ab8940c5f2d9d2ed9499e25301988f9 (patch)
tree: a2ed01d37e8c52df3aee7ab1f67260b369a6be4e /src/lib/libssl/ssl_lib.c
parent: d2c1aaa79508ee1ef726e81f750ddee7f8427547 (diff)
download: openbsd-ed12fcbf0ab8940c5f2d9d2ed9499e25301988f9.tar.gz
openbsd-ed12fcbf0ab8940c5f2d9d2ed9499e25301988f9.tar.bz2
openbsd-ed12fcbf0ab8940c5f2d9d2ed9499e25301988f9.zip
1 files changed, 43 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 5d93a3bc13..11f46161a9 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.122 2016/12/04 14:32:30 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.123 2016/12/30 16:57:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2484,6 +2484,48 @@ SSL_get_version(const SSL *s)
        return ssl_version_string(s->version);
 }
+int
+ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+{
+        uint16_t min_version, max_version;
+        /*
+         * The enabled versions have to be a contiguous range, which means we
+         * cannot enable and disable single versions at our whim, even though
+         * this is what the OpenSSL flags allow. The historical way this has
+         * been handled is by making a flag mean that all higher versions
+         * are disabled, if any version lower than the flag is enabled.
+         */
+        min_version = 0;
+        max_version = TLS1_2_VERSION;
+        if ((s->options & SSL_OP_NO_TLSv1) == 0)
+                min_version = TLS1_VERSION;
+        else if ((s->options & SSL_OP_NO_TLSv1_1) == 0)
+                min_version = TLS1_1_VERSION;
+        else if ((s->options & SSL_OP_NO_TLSv1_2) == 0)
+                min_version = TLS1_2_VERSION;
+        if ((s->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
+                max_version = TLS1_1_VERSION;
+        if ((s->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
+                max_version = TLS1_VERSION;
+        if ((s->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
+                max_version = 0;
+        /* Everything has been disabled... */
+        if (min_version == 0 || max_version == 0)
+                return -1;
+        if (min_ver != NULL)
+                *min_ver = min_version;
+        if (max_ver != NULL)
+                *max_ver = max_version;
+        return 0;
+}
 uint16_t
 ssl_max_server_version(SSL *s)
 {
author	jsing <>	2016-12-30 16:57:01 +0000
committer	jsing <>	2016-12-30 16:57:01 +0000
commit	ed12fcbf0ab8940c5f2d9d2ed9499e25301988f9 (patch)
tree	a2ed01d37e8c52df3aee7ab1f67260b369a6be4e /src/lib/libssl/ssl_lib.c
parent	d2c1aaa79508ee1ef726e81f750ddee7f8427547 (diff)
download	openbsd-ed12fcbf0ab8940c5f2d9d2ed9499e25301988f9.tar.gz openbsd-ed12fcbf0ab8940c5f2d9d2ed9499e25301988f9.tar.bz2 openbsd-ed12fcbf0ab8940c5f2d9d2ed9499e25301988f9.zip

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 5d93a3bc13..11f46161a9 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.122 2016/12/04 14:32:30 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.123 2016/12/30 16:57:01 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2484,6 +2484,48 @@ SSL_get_version(const SSL *s)
2484	return ssl_version_string(s->version);	2484	return ssl_version_string(s->version);
2485	}	2485	}
2486		2486
		2487	int
		2488	ssl_enabled_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)
		2489	{
		2490	uint16_t min_version, max_version;
		2491
		2492	/*
		2493	* The enabled versions have to be a contiguous range, which means we
		2494	* cannot enable and disable single versions at our whim, even though
		2495	* this is what the OpenSSL flags allow. The historical way this has
		2496	* been handled is by making a flag mean that all higher versions
		2497	* are disabled, if any version lower than the flag is enabled.
		2498	*/
		2499
		2500	min_version = 0;
		2501	max_version = TLS1_2_VERSION;
		2502
		2503	if ((s->options & SSL_OP_NO_TLSv1) == 0)
		2504	min_version = TLS1_VERSION;
		2505	else if ((s->options & SSL_OP_NO_TLSv1_1) == 0)
		2506	min_version = TLS1_1_VERSION;
		2507	else if ((s->options & SSL_OP_NO_TLSv1_2) == 0)
		2508	min_version = TLS1_2_VERSION;
		2509
		2510	if ((s->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
		2511	max_version = TLS1_1_VERSION;
		2512	if ((s->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
		2513	max_version = TLS1_VERSION;
		2514	if ((s->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
		2515	max_version = 0;
		2516
		2517	/* Everything has been disabled... */
		2518	if (min_version == 0 \|\| max_version == 0)
		2519	return -1;
		2520
		2521	if (min_ver != NULL)
		2522	*min_ver = min_version;
		2523	if (max_ver != NULL)
		2524	*max_ver = max_version;
		2525
		2526	return 0;
		2527	}
		2528
2487	uint16_t	2529	uint16_t
2488	ssl_max_server_version(SSL *s)	2530	ssl_max_server_version(SSL *s)
2489	{	2531	{