From 792684dc457d44526f35586cb1671d67604bf5b1 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 6 May 2017 20:37:25 +0000
Subject: Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@
---
 src/lib/libssl/Symbols.list   |  4 ++++
 src/lib/libssl/s3_lib.c       | 22 +++++++++++++++++++-
 src/lib/libssl/ssl.h          | 11 +++++++++-
 src/lib/libssl/ssl_lib.c      | 29 +++++++++++++++++++++++++-
 src/lib/libssl/ssl_locl.h     |  6 +++++-
 src/lib/libssl/ssl_versions.c | 48 ++++++++++++++++++++++++++++++++++++++++++-
 6 files changed, 115 insertions(+), 5 deletions(-)
(limited to 'src/lib')

diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list
index 042f553959..e147ff873d 100644
--- a/src/lib/libssl/Symbols.list
+++ b/src/lib/libssl/Symbols.list
@@ -97,6 +97,8 @@ SSL_CTX_set_default_verify_paths
 SSL_CTX_set_ex_data
 SSL_CTX_set_generate_session_id
 SSL_CTX_set_info_callback
+SSL_CTX_set_min_proto_version
+SSL_CTX_set_max_proto_version
 SSL_CTX_set_msg_callback
 SSL_CTX_set_next_proto_select_cb
 SSL_CTX_set_next_protos_advertised_cb
@@ -229,6 +231,8 @@ SSL_set_ex_data
 SSL_set_fd
 SSL_set_generate_session_id
 SSL_set_info_callback
+SSL_set_min_proto_version
+SSL_set_max_proto_version
 SSL_set_msg_callback
 SSL_set_purpose
 SSL_set_quiet_shutdown
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index d4142e743f..0f05b8f2fe 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.140 2017/04/10 17:27:33 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.141 2017/05/06 20:37:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2141,6 +2141,16 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 		ret = ssl_ctrl_get_server_tmp_key(s, parg);
 		break;
 
+	case SSL_CTRL_SET_MIN_PROTO_VERSION:
+		if (larg < 0 || larg > UINT16_MAX)
+			return (0);
+		return SSL_set_min_proto_version(s, larg);
+
+	case SSL_CTRL_SET_MAX_PROTO_VERSION:
+		if (larg < 0 || larg > UINT16_MAX)
+			return (0);
+		return SSL_set_max_proto_version(s, larg);
+
 	default:
 		break;
 	}
@@ -2323,6 +2333,16 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 	case SSL_CTRL_SET_GROUPS_LIST:
 		return SSL_CTX_set1_groups_list(ctx, parg);
 
+	case SSL_CTRL_SET_MIN_PROTO_VERSION:
+		if (larg < 0 || larg > UINT16_MAX)
+			return (0);
+		return SSL_CTX_set_min_proto_version(ctx, larg);
+
+	case SSL_CTRL_SET_MAX_PROTO_VERSION:
+		if (larg < 0 || larg > UINT16_MAX)
+			return (0);
+		return SSL_CTX_set_max_proto_version(ctx, larg);
+
 	default:
 		return (0);
 	}
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 0789b914b7..05d0660c49 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.127 2017/02/05 15:06:05 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.128 2017/05/06 20:37:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1129,6 +1129,9 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 
 #define SSL_CTRL_SET_DH_AUTO			118
 
+#define SSL_CTRL_SET_MIN_PROTO_VERSION		123
+#define SSL_CTRL_SET_MAX_PROTO_VERSION		124
+
 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
 #define DTLSv1_handle_timeout(ssl) \
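Review bot: The `larg < 0 || larg > UINT16_MAX` guard in the new SSL_CTRL_SET_MIN_PROTO_VERSION case is what makes the implicit long-to-uint16_t narrowing in `SSL_set_min_proto_version(s, larg)` safe, but nothing in the code says so, and the same four-line pattern is repeated in the SSL_CTRL_SET_MAX_PROTO_VERSION case and twice more in the ssl3_ctx_ctrl hunk that follows. A one-line comment above each check, `/* Reject out-of-range values before larg is narrowed to uint16_t. */`, or a small static helper that performs the bound check once and is called from all four cases, would keep the copies from drifting apart. Both ssl3_ctrl and ssl3_ctx_ctrl start and end outside their hunks.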
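Review bot: The two new ctrl numbers jump from `SSL_CTRL_SET_DH_AUTO 118` to 123 and 124 with nothing explaining the gap, so a later addition could plausibly reuse 119–122 or renumber these. They match the values OpenSSL assigned to SSL_CTRL_SET_MIN_PROTO_VERSION and SSL_CTRL_SET_MAX_PROTO_VERSION, which is what keeps code that calls SSL_ctrl() with those constants portable between the two libraries. A comment above the pair, `/* Values match OpenSSL's ctrl numbers so SSL_ctrl() callers stay compatible. */`, would record that intent in the header.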
@@ -1177,6 +1180,12 @@ int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);
 int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len);
 int SSL_set1_groups_list(SSL *ssl, const char *groups);
 
+int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
+int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);
+
+int SSL_set_min_proto_version(SSL *ssl, uint16_t version);
+int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
+
 #ifndef LIBRESSL_INTERNAL
 #define SSL_CTRL_SET_CURVES SSL_CTRL_SET_GROUPS
 #define SSL_CTRL_SET_CURVES_LIST SSL_CTRL_SET_GROUPS_LIST
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 3f458d8b10..c49b79df0b 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.158 2017/02/28 14:08:49 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.159 2017/05/06 20:37:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2969,6 +2969,33 @@ SSL_cache_hit(SSL *s)
 	return (s->internal->hit);
 }
 
+int
+SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
+{
+	return ssl_version_set_min(ctx->method, version,
+	    ctx->internal->max_version, &ctx->internal->min_version);
+}
+
+int
+SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
+{
+	return ssl_version_set_max(ctx->method, version,
+	    ctx->internal->min_version, &ctx->internal->max_version);
+}
+
+int
+SSL_set_min_proto_version(SSL *ssl, uint16_t version)
+{
+	return ssl_version_set_min(ssl->method, version,
+	    ssl->internal->max_version, &ssl->internal->min_version);
+}
+
+int
+SSL_set_max_proto_version(SSL *ssl, uint16_t version)
+{
+	return ssl_version_set_max(ssl->method, version,
+	    ssl->internal->min_version, &ssl->internal->max_version);
+}
 
 static int
 ssl_cipher_id_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index b68b680106..b52b03149a 100644
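Review bot: Each new setter in the ssl_lib.c hunk validates the requested version against the currently configured opposite bound (`ctx->internal->max_version` for the min setter, `ctx->internal->min_version` for the max setter), so the outcome depends on call order: if ssl_clamp_version_range rejects min > max (its body is outside this diff), raising the minimum above the current maximum fails until the maximum has been raised first. Neither that nor the `version == 0` case, which the ssl_versions.c hunk treats as "restore the method default", is visible to callers from the prototypes added in the ssl.h hunk on this same line. A short comment above those prototypes, e.g. `/* 0 selects the method default; a new bound must not cross the currently configured opposite bound. */`, would document the contract where users read it.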
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.178 2017/03/10 16:03:27 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.179 2017/05/06 20:37:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1061,6 +1061,10 @@ const char *ssl_version_string(int ver);
 int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
+int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
+    uint16_t *out_ver);
+int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
+    uint16_t *out_ver);
 uint16_t ssl_max_server_version(SSL *s);
 
 const SSL_METHOD *dtls1_get_client_method(int ver);
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 6e17cdac6c..240a2498aa 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.2 2017/05/06 16:18:36 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.3 2017/05/06 20:37:25 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing
  *
@@ -34,6 +34,52 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
 	return 1;
 }
 
+int
+ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
+    uint16_t *out_ver)
+{
+	uint16_t min_version, max_version;
+
+	if (ver == 0) {
+		*out_ver = meth->internal->min_version;
+		return 1;
+	}
+
+	min_version = ver;
+	max_version = max_ver;
+
+	if (!ssl_clamp_version_range(&min_version, &max_version,
+	    meth->internal->min_version, meth->internal->max_version))
+		return 0;
+
+	*out_ver = min_version;
+
+	return 1;
+}
+
+int
+ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
+    uint16_t *out_ver)
+{
+	uint16_t min_version, max_version;
+
+	if (ver == 0) {
+		*out_ver = meth->internal->max_version;
+		return 1;
+	}
+
+	min_version = min_ver;
+	max_version = ver;
+
+	if (!ssl_clamp_version_range(&min_version, &max_version,
+	    meth->internal->min_version, meth->internal->max_version))
+		return 0;
+
+	*out_ver = max_version;
+
+	return 1;
+}
+
 int
 ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 {
-- 
cgit v1.2.3-55-g6feb
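Review bot: Both new functions return 0 from the `!ssl_clamp_version_range(...)` branch without queueing an error, so an application that checks the return value and then reads the error queue learns nothing about why the version was rejected; and because `*out_ver` is only written on the success paths, a failed call silently leaves the previous bound in force. Neither behaviour is written down. A comment above ssl_version_set_min such as `/* ver == 0 selects the method default; on failure *out_ver is left untouched and no error is queued. */` (mirrored on ssl_version_set_max) would fix the documentation gap, and pushing a reason code at the failing `return 0` would improve diagnostics if a suitable one exists in this tree. ssl_clamp_version_range, whose result both functions depend on, starts before this hunk.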