[Openvpn-devel,2.4] Add SSL_CTX_get_max_proto_version() not in openssl 1.0

Message ID 1516468294-32635-1-git-send-email-selva.nair@gmail.com
State Accepted
Headers show
Series
  • [Openvpn-devel,2.4] Add SSL_CTX_get_max_proto_version() not in openssl 1.0
Related show

Commit Message

Selva Nair Jan. 20, 2018, 5:11 p.m.
From: Selva Nair <selva.nair@gmail.com>

- No change in functionality. This is used in a subsequent
  patch for extending TLS1.2 support with cryptoapicert

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
This is for 2.4
Same as the patch merged into master except for the ifdefs
needed for 0.9.8

 src/openvpn/openssl_compat.h | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

Comments

Gert Doering Jan. 25, 2018, 8:35 a.m. | #1
ACK.  Same code as in master (+ifdef), compile-tested with 1.0.1 and 0.9.8

Your patch has been applied to the release/2.4 branch.

commit 51ab66a52b9b12402495274bc7070d0b9a2ebde6
Author: Selva Nair
Date:   Sat Jan 20 12:11:34 2018 -0500

     Add SSL_CTX_get_max_proto_version() not in openssl 1.0

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <1516468294-32635-1-git-send-email-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16304.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

Patch

diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 9f1e92a..4b338d2 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -670,6 +670,33 @@  SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
 }
 #endif /* SSL_CTX_get_min_proto_version */
 
+#ifndef SSL_CTX_get_max_proto_version
+/** Return the max SSL protocol version currently enabled in the context.
+ *  If no valid version >= TLS1.0 is found, return 0. */
+static inline int
+SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
+{
+    long sslopt = SSL_CTX_get_options(ctx);
+#ifdef SSL_OP_NO_TLSv1_2
+    if (!(sslopt & SSL_OP_NO_TLSv1_2))
+    {
+	return TLS1_2_VERSION;
+    }
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+    if (!(sslopt & SSL_OP_NO_TLSv1_1))
+    {
+	return TLS1_1_VERSION;
+    }
+#endif
+    if (!(sslopt & SSL_OP_NO_TLSv1))
+    {
+	return TLS1_VERSION;
+    }
+    return 0;
+}
+#endif /* SSL_CTX_get_max_proto_version */
+
 #ifndef SSL_CTX_set_min_proto_version
 /** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */
 static inline int