authorjsing <jsing@openbsd.org>2016-12-30 16:57:01 +0000
committerjsing <jsing@openbsd.org>2016-12-30 16:57:01 +0000
commit1ca47b806a1f2374765aa53a3e8a298869646148 (patch)
treed363f088d071b66cbb35eea4c93b83ad28d30860 /lib/libssl/ssl_lib.c
parentPlace ASN_ITEM_{ptr,rptr,ref} and DECLARE_ASN1_ITEM under #ifndef (diff)
Pull out (and largely rewrite) the code that determines the enabled
protocol version range. This also fixes a bug whereby, if all protocols were disabled, the client would still use TLSv1.2 in the client hello, only to have it fail with an unsupported version error when it received and processed the server hello. ok doug@
Diffstat (limited to 'lib/libssl/ssl_lib.c')
-rw-r--r--lib/libssl/ssl_lib.c44
1 files changed, 43 insertions, 1 deletions
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 5d93a3bc13a..11f46161a9b 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.122 2016/12/04 14:32:30 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.123 2016/12/30 16:57:01 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2484,6 +2484,48 @@ SSL_get_version(const SSL *s)
return ssl_version_string(s->version);
}
+int
+ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+{
+ uint16_t min_version, max_version;
+
+ /*
+ * The enabled versions have to be a contiguous range, which means we
+ * cannot enable and disable single versions at our whim, even though
+ * this is what the OpenSSL flags allow. The historical way this has
+ * been handled is by making a flag mean that all higher versions
+ * are disabled, if any version lower than the flag is enabled.
+ */
+
+ min_version = 0;
+ max_version = TLS1_2_VERSION;
+
+ if ((s->options & SSL_OP_NO_TLSv1) == 0)
+ min_version = TLS1_VERSION;
+ else if ((s->options & SSL_OP_NO_TLSv1_1) == 0)
+ min_version = TLS1_1_VERSION;
+ else if ((s->options & SSL_OP_NO_TLSv1_2) == 0)
+ min_version = TLS1_2_VERSION;
+
+ if ((s->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
+ max_version = TLS1_1_VERSION;
+ if ((s->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
+ max_version = TLS1_VERSION;
+ if ((s->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
+ max_version = 0;
+
+ /* Everything has been disabled... */
+ if (min_version == 0 || max_version == 0)
+ return -1;
+
+ if (min_ver != NULL)
+ *min_ver = min_version;
+ if (max_ver != NULL)
+ *max_ver = max_version;
+
+ return 0;
+}
+
uint16_t
ssl_max_server_version(SSL *s)
{