diff options
| -rw-r--r-- | lib/libssl/Symbols.list | 4 | ||||
| -rw-r--r-- | lib/libssl/man/SSL_CTX_set_min_proto_version.3 | 62 | ||||
| -rw-r--r-- | lib/libssl/s3_lib.c | 14 | ||||
| -rw-r--r-- | lib/libssl/shlib_version | 2 | ||||
| -rw-r--r-- | lib/libssl/ssl.h | 12 | ||||
| -rw-r--r-- | lib/libssl/ssl_lib.c | 25 | ||||
| -rw-r--r-- | regress/lib/libssl/unit/ssl_versions.c | 26 |
7 files changed, 117 insertions, 28 deletions
diff --git a/lib/libssl/Symbols.list b/lib/libssl/Symbols.list index eb00c8d25ad..a8ae29ccca5 100644 --- a/lib/libssl/Symbols.list +++ b/lib/libssl/Symbols.list @@ -65,6 +65,8 @@ SSL_CTX_get_client_cert_cb SSL_CTX_get_ex_data SSL_CTX_get_ex_new_index SSL_CTX_get_info_callback +SSL_CTX_get_min_proto_version +SSL_CTX_get_max_proto_version SSL_CTX_get_quiet_shutdown SSL_CTX_get_timeout SSL_CTX_get_verify_callback @@ -188,6 +190,8 @@ SSL_get_ex_new_index SSL_get_fd SSL_get_finished SSL_get_info_callback +SSL_get_min_proto_version +SSL_get_max_proto_version SSL_get_peer_cert_chain SSL_get_peer_certificate SSL_get_peer_finished diff --git a/lib/libssl/man/SSL_CTX_set_min_proto_version.3 b/lib/libssl/man/SSL_CTX_set_min_proto_version.3 index ff057cadac4..38ac9fc4219 100644 --- a/lib/libssl/man/SSL_CTX_set_min_proto_version.3 +++ b/lib/libssl/man/SSL_CTX_set_min_proto_version.3 @@ -1,8 +1,9 @@ -.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.1 2017/08/19 23:45:10 schwarze Exp $ -.\" OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 +.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.2 2018/03/15 12:27:01 jca Exp $ +.\" full merge up to: OpenSSL 3edabd3c Sep 14 09:28:39 2017 +0200 .\" -.\" This file was written by Kurt Roeckx <kurt@roeckx.be>. -.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. +.\" This file was written by Kurt Roeckx <kurt@roeckx.be> and +.\" Christian Heimes <christian@python.org>. +.\" Copyright (c) 2015, 2017 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,15 +49,19 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 19 2017 $ +.Dd $Mdocdate: March 15 2018 $ .Dt SSL_CTX_SET_MIN_PROTO_VERSION 3 .Os .Sh NAME .Nm SSL_CTX_set_min_proto_version , .Nm SSL_CTX_set_max_proto_version , +.Nm SSL_CTX_get_min_proto_version , +.Nm SSL_CTX_get_max_proto_version , .Nm SSL_set_min_proto_version , -.Nm SSL_set_max_proto_version -.Nd set minimum and maximum supported protocol version +.Nm SSL_set_max_proto_version , +.Nm SSL_get_min_proto_version , +.Nm SSL_get_max_proto_version +.Nd get and set minimum and maximum supported protocol version .Sh SYNOPSIS .In openssl/ssl.h .Ft int @@ -70,6 +75,14 @@ .Fa "uint16_t version" .Fc .Ft int +.Fo SSL_CTX_get_min_proto_version +.Fa "SSL_CTX *ctx" +.Fc +.Ft int +.Fo SSL_CTX_get_max_proto_version +.Fa "SSL_CTX *ctx" +.Fc +.Ft int .Fo SSL_set_min_proto_version .Fa "SSL *ssl" .Fa "uint16_t version" @@ -79,8 +92,16 @@ .Fa "SSL *ssl" .Fa "uint16_t version" .Fc +.Ft int +.Fo SSL_get_min_proto_version +.Fa "SSL *ssl" +.Fc +.Ft int +.Fo SSL_get_max_proto_version +.Fa "SSL *ssl" +.Fc .Sh DESCRIPTION -These functions set the minimum and maximum supported protocol +These functions get or set the minimum and maximum supported protocol versions for .Fa ctx or @@ -102,13 +123,32 @@ and for TLS and .Sy DTLS1_VERSION for DTLS. +.Pp +In other implementations, these functions may be implemented as macros. .Sh RETURN VALUES -These functions return 1 on success or 0 on failure. +The setter functions return 1 on success or 0 on failure. +.Pp +The getter functions return the configured version or 0 if +.Fa ctx +or +.Fa ssl +has been configured to automatically use the lowest or highest +version supported by the library. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_CTX_new 3 , .Xr SSL_CTX_set_options 3 .Sh HISTORY -These functions first appeared in OpenSSL 1.1.0 -and have been available since +The setter functions first appeared in BoringSSL in December 2014, +with shorter names without the +.Sy proto_ +part. +Two years later, OpenSSL included them in their 1.1.0 release, +gratuitiously changing the names; Google shrugged and adopted +the longer names one month later. +They have been available since .Ox 6.2 . +.Pp +The getter functions first appeared in OpenSSL 1.1.1 +and have been available since +.Ox 6.3 . diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 8f75cf94983..52e0c524102 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.164 2018/02/17 15:08:21 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.165 2018/03/15 12:27:00 jca Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1984,6 +1984,12 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_SERVER_TMP_KEY: return ssl_ctrl_get_server_tmp_key(s, parg); + case SSL_CTRL_GET_MIN_PROTO_VERSION: + return SSL_get_min_proto_version(s); + + case SSL_CTRL_GET_MAX_PROTO_VERSION: + return SSL_get_max_proto_version(s); + case SSL_CTRL_SET_MIN_PROTO_VERSION: if (larg < 0 || larg > UINT16_MAX) return 0; @@ -2243,6 +2249,12 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_GROUPS_LIST: return SSL_CTX_set1_groups_list(ctx, parg); + case SSL_CTRL_GET_MIN_PROTO_VERSION: + return SSL_CTX_get_min_proto_version(ctx); + + case SSL_CTRL_GET_MAX_PROTO_VERSION: + return SSL_CTX_get_max_proto_version(ctx); + case SSL_CTRL_SET_MIN_PROTO_VERSION: if (larg < 0 || larg > UINT16_MAX) return 0; diff --git a/lib/libssl/shlib_version b/lib/libssl/shlib_version index 5c09c51c65d..c41c26c0f7b 100644 --- a/lib/libssl/shlib_version +++ b/lib/libssl/shlib_version @@ -1,3 +1,3 @@ # Don't forget to give libtls the same type of bump! major=44 -minor=8 +minor=9 diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index e6556fd136c..5f9d248cedb 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.146 2018/03/03 19:58:29 jca Exp $ */ +/* $OpenBSD: ssl.h,v 1.147 2018/03/15 12:27:01 jca Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1125,6 +1125,8 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_CTRL_SET_MIN_PROTO_VERSION 123 #define SSL_CTRL_SET_MAX_PROTO_VERSION 124 +#define SSL_CTRL_GET_MIN_PROTO_VERSION 130 +#define SSL_CTRL_GET_MAX_PROTO_VERSION 131 #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) @@ -1174,9 +1176,13 @@ int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups); int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len); int SSL_set1_groups_list(SSL *ssl, const char *groups); +int SSL_CTX_get_min_proto_version(SSL_CTX *ctx); +int SSL_CTX_get_max_proto_version(SSL_CTX *ctx); int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version); int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version); +int SSL_get_min_proto_version(SSL *ssl); +int SSL_get_max_proto_version(SSL *ssl); int SSL_set_min_proto_version(SSL *ssl, uint16_t version); int SSL_set_max_proto_version(SSL *ssl, uint16_t version); @@ -1209,8 +1215,12 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version); #define SSL_CTX_set1_groups_list SSL_CTX_set1_groups_list #define SSL_set1_groups SSL_set1_groups #define SSL_set1_groups_list SSL_set1_groups_list +#define SSL_CTX_get_min_proto_version SSL_CTX_get_min_proto_version +#define SSL_CTX_get_max_proto_version SSL_CTX_get_max_proto_version #define SSL_CTX_set_min_proto_version SSL_CTX_set_min_proto_version #define SSL_CTX_set_max_proto_version SSL_CTX_set_max_proto_version +#define SSL_get_min_proto_version SSL_get_min_proto_version +#define SSL_get_max_proto_version SSL_get_max_proto_version #define SSL_set_min_proto_version SSL_set_min_proto_version #define SSL_set_max_proto_version SSL_set_max_proto_version #endif diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 80a2bd7bfc3..067f0edde45 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.179 2018/02/22 17:30:25 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.180 2018/03/15 12:27:01 jca Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -3024,6 +3024,12 @@ SSL_cache_hit(SSL *s) } int +SSL_CTX_get_min_proto_version(SSL_CTX *ctx) +{ + return ctx->internal->min_version; +} + +int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_min(ctx->method, version, @@ -3031,6 +3037,12 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) } int +SSL_CTX_get_max_proto_version(SSL_CTX *ctx) +{ + return ctx->internal->max_version; +} + +int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_max(ctx->method, version, @@ -3038,11 +3050,22 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) } int +SSL_get_min_proto_version(SSL *ssl) +{ + return ssl->internal->min_version; +} + +int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { return ssl_version_set_min(ssl->method, version, ssl->internal->max_version, &ssl->internal->min_version); } +int +SSL_get_max_proto_version(SSL *ssl) +{ + return ssl->internal->max_version; +} int SSL_set_max_proto_version(SSL *ssl, uint16_t version) diff --git a/regress/lib/libssl/unit/ssl_versions.c b/regress/lib/libssl/unit/ssl_versions.c index c12f115c19a..d84a7106d58 100644 --- a/regress/lib/libssl/unit/ssl_versions.c +++ b/regress/lib/libssl/unit/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.4 2017/05/06 20:39:03 jsing Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.5 2018/03/15 12:27:01 jca Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> * @@ -620,16 +620,16 @@ test_ssl_min_max_version(void) goto next; } - if (ssl_ctx->internal->min_version != mmvt->want_minver) { + if (SSL_CTX_get_min_proto_version(ssl_ctx) != mmvt->want_minver) { fprintf(stderr, "FAIL: test %zu - got SSL_CTX min " "version 0x%x, want 0x%x\n", i, - ssl_ctx->internal->min_version, mmvt->want_minver); + SSL_CTX_get_min_proto_version(ssl_ctx), mmvt->want_minver); goto next; } - if (ssl_ctx->internal->max_version != mmvt->want_maxver) { + if (SSL_CTX_get_max_proto_version(ssl_ctx) != mmvt->want_maxver) { fprintf(stderr, "FAIL: test %zu - got SSL_CTX max " "version 0x%x, want 0x%x\n", i, - ssl_ctx->internal->max_version, mmvt->want_maxver); + SSL_CTX_get_max_proto_version(ssl_ctx), mmvt->want_maxver); goto next; } @@ -638,16 +638,16 @@ test_ssl_min_max_version(void) return 1; } - if (ssl->internal->min_version != mmvt->want_minver) { + if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) { fprintf(stderr, "FAIL: test %zu - initial SSL min " "version 0x%x, want 0x%x\n", i, - ssl_ctx->internal->min_version, mmvt->want_minver); + SSL_get_min_proto_version(ssl), mmvt->want_minver); goto next; } - if (ssl->internal->max_version != mmvt->want_maxver) { + if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { fprintf(stderr, "FAIL: test %zu - initial SSL max " "version 0x%x, want 0x%x\n", i, - ssl_ctx->internal->max_version, mmvt->want_maxver); + SSL_get_max_proto_version(ssl), mmvt->want_maxver); goto next; } @@ -679,16 +679,16 @@ test_ssl_min_max_version(void) goto next; } - if (ssl->internal->min_version != mmvt->want_minver) { + if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) { fprintf(stderr, "FAIL: test %zu - got SSL min " "version 0x%x, want 0x%x\n", i, - ssl_ctx->internal->min_version, mmvt->want_minver); + SSL_get_min_proto_version(ssl), mmvt->want_minver); goto next; } - if (ssl->internal->max_version != mmvt->want_maxver) { + if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { fprintf(stderr, "FAIL: test %zu - got SSL max " "version 0x%x, want 0x%x\n", i, - ssl->internal->max_version, mmvt->want_maxver); + SSL_get_max_proto_version(ssl), mmvt->want_maxver); goto next; } |