6 files changed, 115 insertions, 5 deletions
diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list
index 042f553959..e147ff873d 100644
--- a/src/lib/libssl/Symbols.list
+++ b/src/lib/libssl/Symbols.list
@@ -97,6 +97,8 @@ SSL_CTX_set_default_verify_paths
 SSL_CTX_set_ex_data
 SSL_CTX_set_generate_session_id
 SSL_CTX_set_info_callback
+SSL_CTX_set_min_proto_version
+SSL_CTX_set_max_proto_version
 SSL_CTX_set_msg_callback
 SSL_CTX_set_next_proto_select_cb
 SSL_CTX_set_next_protos_advertised_cb
@@ -229,6 +231,8 @@ SSL_set_ex_data
 SSL_set_fd
 SSL_set_generate_session_id
 SSL_set_info_callback
+SSL_set_min_proto_version
+SSL_set_max_proto_version
 SSL_set_msg_callback
 SSL_set_purpose
 SSL_set_quiet_shutdown
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index d4142e743f..0f05b8f2fe 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.140 2017/04/10 17:27:33 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.141 2017/05/06 20:37:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2141,6 +2141,16 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                ret = ssl_ctrl_get_server_tmp_key(s, parg);
                break;
+        case SSL_CTRL_SET_MIN_PROTO_VERSION:
+                if (larg < 0 || larg > UINT16_MAX)
+                        return (0);
+                return SSL_set_min_proto_version(s, larg);
+        case SSL_CTRL_SET_MAX_PROTO_VERSION:
+                if (larg < 0 || larg > UINT16_MAX)
+                        return (0);
+                return SSL_set_max_proto_version(s, larg);
        default:
                break;
        }
@@ -2323,6 +2333,16 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
        case SSL_CTRL_SET_GROUPS_LIST:
                return SSL_CTX_set1_groups_list(ctx, parg);
+        case SSL_CTRL_SET_MIN_PROTO_VERSION:
+                if (larg < 0 || larg > UINT16_MAX)
+                        return (0);
+                return SSL_CTX_set_min_proto_version(ctx, larg);
+        case SSL_CTRL_SET_MAX_PROTO_VERSION:
+                if (larg < 0 || larg > UINT16_MAX)
+                        return (0);
+                return SSL_CTX_set_max_proto_version(ctx, larg);
        default:
                return (0);
        }
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 0789b914b7..05d0660c49 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.127 2017/02/05 15:06:05 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.128 2017/05/06 20:37:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1129,6 +1129,9 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 #define SSL_CTRL_SET_DH_AUTO                    118
+#define SSL_CTRL_SET_MIN_PROTO_VERSION                  123
+#define SSL_CTRL_SET_MAX_PROTO_VERSION                  124
 #define DTLSv1_get_timeout(ssl, arg) \
        SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
 #define DTLSv1_handle_timeout(ssl) \
@@ -1177,6 +1180,12 @@ int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);
 int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len);
 int SSL_set1_groups_list(SSL *ssl, const char *groups);
+int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
+int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);
+int SSL_set_min_proto_version(SSL *ssl, uint16_t version);
+int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
 #ifndef LIBRESSL_INTERNAL
 #define SSL_CTRL_SET_CURVES                     SSL_CTRL_SET_GROUPS
 #define SSL_CTRL_SET_CURVES_LIST                SSL_CTRL_SET_GROUPS_LIST
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 3f458d8b10..c49b79df0b 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.158 2017/02/28 14:08:49 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.159 2017/05/06 20:37:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2969,6 +2969,33 @@ SSL_cache_hit(SSL *s)
        return (s->internal->hit);
 }
+int
+SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
+{
+        return ssl_version_set_min(ctx->method, version,
+            ctx->internal->max_version, &ctx->internal->min_version);
+}
+int
+SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
+{
+        return ssl_version_set_max(ctx->method, version,
+            ctx->internal->min_version, &ctx->internal->max_version);
+}
+int
+SSL_set_min_proto_version(SSL *ssl, uint16_t version)
+{
+        return ssl_version_set_min(ssl->method, version,
+            ssl->internal->max_version, &ssl->internal->min_version);
+}
+int
+SSL_set_max_proto_version(SSL *ssl, uint16_t version)
+{
+        return ssl_version_set_max(ssl->method, version,
+            ssl->internal->min_version, &ssl->internal->max_version);
+}
 static int
 ssl_cipher_id_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index b68b680106..b52b03149a 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.178 2017/03/10 16:03:27 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.179 2017/05/06 20:37:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1061,6 +1061,10 @@ const char *ssl_version_string(int ver);
 int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
+int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
+    uint16_t *out_ver);
+int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
+    uint16_t *out_ver);
 uint16_t ssl_max_server_version(SSL *s);
 const SSL_METHOD *dtls1_get_client_method(int ver);
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 6e17cdac6c..240a2498aa 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.2 2017/05/06 16:18:36 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.3 2017/05/06 20:37:25 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -35,6 +35,52 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
 }
 int
+ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
+    uint16_t *out_ver)
+{
+        uint16_t min_version, max_version;
+        if (ver == 0) {
+                *out_ver = meth->internal->min_version;
+                return 1;
+        }
+        min_version = ver;
+        max_version = max_ver;
+        if (!ssl_clamp_version_range(&min_version, &max_version,
+            meth->internal->min_version, meth->internal->max_version))
+                return 0;
+        *out_ver = min_version;
+        
+        return 1;
+}
+int
+ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
+    uint16_t *out_ver)
+{
+        uint16_t min_version, max_version;
+        if (ver == 0) {
+                *out_ver = meth->internal->max_version;
+                return 1;
+        }
+        min_version = min_ver;
+        max_version = ver;
+        if (!ssl_clamp_version_range(&min_version, &max_version,
+            meth->internal->min_version, meth->internal->max_version))
+                return 0;
+        *out_ver = max_version;
+        
+        return 1;
+}
+int
 ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 {
        uint16_t min_version, max_version;

diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list index 042f553959..e147ff873d 100644 --- a/src/lib/libssl/Symbols.list +++ b/src/lib/libssl/Symbols.list
@@ -97,6 +97,8 @@ SSL_CTX_set_default_verify_paths
97	SSL_CTX_set_ex_data	97	SSL_CTX_set_ex_data
98	SSL_CTX_set_generate_session_id	98	SSL_CTX_set_generate_session_id
99	SSL_CTX_set_info_callback	99	SSL_CTX_set_info_callback
		100	SSL_CTX_set_min_proto_version
		101	SSL_CTX_set_max_proto_version
100	SSL_CTX_set_msg_callback	102	SSL_CTX_set_msg_callback
101	SSL_CTX_set_next_proto_select_cb	103	SSL_CTX_set_next_proto_select_cb
102	SSL_CTX_set_next_protos_advertised_cb	104	SSL_CTX_set_next_protos_advertised_cb
@@ -229,6 +231,8 @@ SSL_set_ex_data
229	SSL_set_fd	231	SSL_set_fd
230	SSL_set_generate_session_id	232	SSL_set_generate_session_id
231	SSL_set_info_callback	233	SSL_set_info_callback
		234	SSL_set_min_proto_version
		235	SSL_set_max_proto_version
232	SSL_set_msg_callback	236	SSL_set_msg_callback
233	SSL_set_purpose	237	SSL_set_purpose
234	SSL_set_quiet_shutdown	238	SSL_set_quiet_shutdown


diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index d4142e743f..0f05b8f2fe 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.140 2017/04/10 17:27:33 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.141 2017/05/06 20:37:24 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2141,6 +2141,16 @@ ssl3_ctrl(SSL s, int cmd, long larg, void parg)
2141	ret = ssl_ctrl_get_server_tmp_key(s, parg);	2141	ret = ssl_ctrl_get_server_tmp_key(s, parg);
2142	break;	2142	break;
2143		2143
		2144	case SSL_CTRL_SET_MIN_PROTO_VERSION:
		2145	if (larg < 0 \|\| larg > UINT16_MAX)
		2146	return (0);
		2147	return SSL_set_min_proto_version(s, larg);
		2148
		2149	case SSL_CTRL_SET_MAX_PROTO_VERSION:
		2150	if (larg < 0 \|\| larg > UINT16_MAX)
		2151	return (0);
		2152	return SSL_set_max_proto_version(s, larg);
		2153
2144	default:	2154	default:
2145	break;	2155	break;
2146	}	2156	}
@@ -2323,6 +2333,16 @@ ssl3_ctx_ctrl(SSL_CTX ctx, int cmd, long larg, void parg)
2323	case SSL_CTRL_SET_GROUPS_LIST:	2333	case SSL_CTRL_SET_GROUPS_LIST:
2324	return SSL_CTX_set1_groups_list(ctx, parg);	2334	return SSL_CTX_set1_groups_list(ctx, parg);
2325		2335
		2336	case SSL_CTRL_SET_MIN_PROTO_VERSION:
		2337	if (larg < 0 \|\| larg > UINT16_MAX)
		2338	return (0);
		2339	return SSL_CTX_set_min_proto_version(ctx, larg);
		2340
		2341	case SSL_CTRL_SET_MAX_PROTO_VERSION:
		2342	if (larg < 0 \|\| larg > UINT16_MAX)
		2343	return (0);
		2344	return SSL_CTX_set_max_proto_version(ctx, larg);
		2345
2326	default:	2346	default:
2327	return (0);	2347	return (0);
2328	}	2348	}


diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 0789b914b7..05d0660c49 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl.h,v 1.127 2017/02/05 15:06:05 jsing Exp $ */	1	/* $OpenBSD: ssl.h,v 1.128 2017/05/06 20:37:25 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1129,6 +1129,9 @@ int PEM_write_SSL_SESSION(FILE fp, SSL_SESSION x);
1129		1129
1130	#define SSL_CTRL_SET_DH_AUTO 118	1130	#define SSL_CTRL_SET_DH_AUTO 118
1131		1131
		1132	#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
		1133	#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
		1134
1132	#define DTLSv1_get_timeout(ssl, arg) \	1135	#define DTLSv1_get_timeout(ssl, arg) \
1133	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)	1136	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
1134	#define DTLSv1_handle_timeout(ssl) \	1137	#define DTLSv1_handle_timeout(ssl) \
@@ -1177,6 +1180,12 @@ int SSL_CTX_set1_groups_list(SSL_CTX ctx, const char groups);
1177	int SSL_set1_groups(SSL ssl, const int groups, size_t groups_len);	1180	int SSL_set1_groups(SSL ssl, const int groups, size_t groups_len);
1178	int SSL_set1_groups_list(SSL ssl, const char groups);	1181	int SSL_set1_groups_list(SSL ssl, const char groups);
1179		1182
		1183	int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
		1184	int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);
		1185
		1186	int SSL_set_min_proto_version(SSL *ssl, uint16_t version);
		1187	int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
		1188
1180	#ifndef LIBRESSL_INTERNAL	1189	#ifndef LIBRESSL_INTERNAL
1181	#define SSL_CTRL_SET_CURVES SSL_CTRL_SET_GROUPS	1190	#define SSL_CTRL_SET_CURVES SSL_CTRL_SET_GROUPS
1182	#define SSL_CTRL_SET_CURVES_LIST SSL_CTRL_SET_GROUPS_LIST	1191	#define SSL_CTRL_SET_CURVES_LIST SSL_CTRL_SET_GROUPS_LIST


diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 3f458d8b10..c49b79df0b 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.158 2017/02/28 14:08:49 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.159 2017/05/06 20:37:25 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2969,6 +2969,33 @@ SSL_cache_hit(SSL *s)
2969	return (s->internal->hit);	2969	return (s->internal->hit);
2970	}	2970	}
2971		2971
		2972	int
		2973	SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
		2974	{
		2975	return ssl_version_set_min(ctx->method, version,
		2976	ctx->internal->max_version, &ctx->internal->min_version);
		2977	}
		2978
		2979	int
		2980	SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
		2981	{
		2982	return ssl_version_set_max(ctx->method, version,
		2983	ctx->internal->min_version, &ctx->internal->max_version);
		2984	}
		2985
		2986	int
		2987	SSL_set_min_proto_version(SSL *ssl, uint16_t version)
		2988	{
		2989	return ssl_version_set_min(ssl->method, version,
		2990	ssl->internal->max_version, &ssl->internal->min_version);
		2991	}
		2992
		2993	int
		2994	SSL_set_max_proto_version(SSL *ssl, uint16_t version)
		2995	{
		2996	return ssl_version_set_max(ssl->method, version,
		2997	ssl->internal->min_version, &ssl->internal->max_version);
		2998	}
2972		2999
2973	static int	3000	static int
2974	ssl_cipher_id_cmp_BSEARCH_CMP_FN(const void a_, const void b_)	3001	ssl_cipher_id_cmp_BSEARCH_CMP_FN(const void a_, const void b_)


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index b68b680106..b52b03149a 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.178 2017/03/10 16:03:27 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.179 2017/05/06 20:37:25 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1061,6 +1061,10 @@ const char *ssl_version_string(int ver);
1061	int ssl_enabled_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver);	1061	int ssl_enabled_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver);
1062	int ssl_supported_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver);	1062	int ssl_supported_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver);
1063	int ssl_max_shared_version(SSL s, uint16_t peer_ver, uint16_t max_ver);	1063	int ssl_max_shared_version(SSL s, uint16_t peer_ver, uint16_t max_ver);
		1064	int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
		1065	uint16_t *out_ver);
		1066	int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
		1067	uint16_t *out_ver);
1064	uint16_t ssl_max_server_version(SSL *s);	1068	uint16_t ssl_max_server_version(SSL *s);
1065		1069
1066	const SSL_METHOD *dtls1_get_client_method(int ver);	1070	const SSL_METHOD *dtls1_get_client_method(int ver);


diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c index 6e17cdac6c..240a2498aa 100644 --- a/src/lib/libssl/ssl_versions.c +++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_versions.c,v 1.2 2017/05/06 16:18:36 jsing Exp $ */	1	/* $OpenBSD: ssl_versions.c,v 1.3 2017/05/06 20:37:25 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -35,6 +35,52 @@ ssl_clamp_version_range(uint16_t min_ver, uint16_t max_ver,
35	}	35	}
36		36
37	int	37	int
		38	ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
		39	uint16_t *out_ver)
		40	{
		41	uint16_t min_version, max_version;
		42
		43	if (ver == 0) {
		44	*out_ver = meth->internal->min_version;
		45	return 1;
		46	}
		47
		48	min_version = ver;
		49	max_version = max_ver;
		50
		51	if (!ssl_clamp_version_range(&min_version, &max_version,
		52	meth->internal->min_version, meth->internal->max_version))
		53	return 0;
		54
		55	*out_ver = min_version;
		56
		57	return 1;
		58	}
		59
		60	int
		61	ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
		62	uint16_t *out_ver)
		63	{
		64	uint16_t min_version, max_version;
		65
		66	if (ver == 0) {
		67	*out_ver = meth->internal->max_version;
		68	return 1;
		69	}
		70
		71	min_version = min_ver;
		72	max_version = ver;
		73
		74	if (!ssl_clamp_version_range(&min_version, &max_version,
		75	meth->internal->min_version, meth->internal->max_version))
		76	return 0;
		77
		78	*out_ver = max_version;
		79
		80	return 1;
		81	}
		82
		83	int
38	ssl_enabled_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)	84	ssl_enabled_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)
39	{	85	{
40	uint16_t min_version, max_version;	86	uint16_t min_version, max_version;