1 files changed, 43 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 5d93a3bc13..11f46161a9 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.122 2016/12/04 14:32:30 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.123 2016/12/30 16:57:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2484,6 +2484,48 @@ SSL_get_version(const SSL *s)
        return ssl_version_string(s->version);
 }
+int
+ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+{
+        uint16_t min_version, max_version;
+        /*
+         * The enabled versions have to be a contiguous range, which means we
+         * cannot enable and disable single versions at our whim, even though
+         * this is what the OpenSSL flags allow. The historical way this has
+         * been handled is by making a flag mean that all higher versions
+         * are disabled, if any version lower than the flag is enabled.
+         */
+        min_version = 0;
+        max_version = TLS1_2_VERSION;
+        if ((s->options & SSL_OP_NO_TLSv1) == 0)
+                min_version = TLS1_VERSION;
+        else if ((s->options & SSL_OP_NO_TLSv1_1) == 0)
+                min_version = TLS1_1_VERSION;
+        else if ((s->options & SSL_OP_NO_TLSv1_2) == 0)
+                min_version = TLS1_2_VERSION;
+        if ((s->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
+                max_version = TLS1_1_VERSION;
+        if ((s->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
+                max_version = TLS1_VERSION;
+        if ((s->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
+                max_version = 0;
+        /* Everything has been disabled... */
+        if (min_version == 0 || max_version == 0)
+                return -1;
+        if (min_ver != NULL)
+                *min_ver = min_version;
+        if (max_ver != NULL)
+                *max_ver = max_version;
+        return 0;
+}
 uint16_t
 ssl_max_server_version(SSL *s)
 {

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 5d93a3bc13..11f46161a9 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.122 2016/12/04 14:32:30 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.123 2016/12/30 16:57:01 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2484,6 +2484,48 @@ SSL_get_version(const SSL *s)
2484	return ssl_version_string(s->version);	2484	return ssl_version_string(s->version);
2485	}	2485	}
2486		2486
		2487	int
		2488	ssl_enabled_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)
		2489	{
		2490	uint16_t min_version, max_version;
		2491
		2492	/*
		2493	* The enabled versions have to be a contiguous range, which means we
		2494	* cannot enable and disable single versions at our whim, even though
		2495	* this is what the OpenSSL flags allow. The historical way this has
		2496	* been handled is by making a flag mean that all higher versions
		2497	* are disabled, if any version lower than the flag is enabled.
		2498	*/
		2499
		2500	min_version = 0;
		2501	max_version = TLS1_2_VERSION;
		2502
		2503	if ((s->options & SSL_OP_NO_TLSv1) == 0)
		2504	min_version = TLS1_VERSION;
		2505	else if ((s->options & SSL_OP_NO_TLSv1_1) == 0)
		2506	min_version = TLS1_1_VERSION;
		2507	else if ((s->options & SSL_OP_NO_TLSv1_2) == 0)
		2508	min_version = TLS1_2_VERSION;
		2509
		2510	if ((s->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
		2511	max_version = TLS1_1_VERSION;
		2512	if ((s->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
		2513	max_version = TLS1_VERSION;
		2514	if ((s->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
		2515	max_version = 0;
		2516
		2517	/* Everything has been disabled... */
		2518	if (min_version == 0 \|\| max_version == 0)
		2519	return -1;
		2520
		2521	if (min_ver != NULL)
		2522	*min_ver = min_version;
		2523	if (max_ver != NULL)
		2524	*max_ver = max_version;
		2525
		2526	return 0;
		2527	}
		2528
2487	uint16_t	2529	uint16_t
2488	ssl_max_server_version(SSL *s)	2530	ssl_max_server_version(SSL *s)
2489	{	2531	{