- {
- static const ssl_flag_tbl ssl_protocol_list[] =
- {
- SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
- SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
- SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
- SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
- SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
- SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
- };
- if (!(cctx->flags & SSL_CONF_FLAG_FILE))
- return -2;
- cctx->tbl = ssl_protocol_list;
- cctx->ntbl = sizeof(ssl_protocol_list)/sizeof(ssl_flag_tbl);
- return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
- }
+{
+ static const ssl_flag_tbl ssl_protocol_list[] = {
+ SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
+ SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
+ SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
+ SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
+ SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
+ SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2),
+ SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3),
+ SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1),
+ SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2)
+ };
+ cctx->tbl = ssl_protocol_list;
+ cctx->ntbl = OSSL_NELEM(ssl_protocol_list);
+ return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
+}
+
+/*
+ * protocol_from_string - converts a protocol version string to a number
+ *
+ * Returns -1 on failure or the version on success
+ */
+static int protocol_from_string(const char *value)
+{
+ struct protocol_versions {
+ const char *name;
+ int version;
+ };
+ static const struct protocol_versions versions[] = {
+ {"None", 0},
+ {"SSLv3", SSL3_VERSION},
+ {"TLSv1", TLS1_VERSION},
+ {"TLSv1.1", TLS1_1_VERSION},
+ {"TLSv1.2", TLS1_2_VERSION},
+ {"TLSv1.3", TLS1_3_VERSION},
+ {"DTLSv1", DTLS1_VERSION},
+ {"DTLSv1.2", DTLS1_2_VERSION}
+ };
+ size_t i;
+ size_t n = OSSL_NELEM(versions);
+
+ for (i = 0; i < n; i++)
+ if (strcmp(versions[i].name, value) == 0)
+ return versions[i].version;
+ return -1;
+}
+
+static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound)
+{
+ int method_version;
+ int new_version;
+
+ if (cctx->ctx != NULL)
+ method_version = cctx->ctx->method->version;
+ else if (cctx->ssl != NULL)
+ method_version = cctx->ssl->ctx->method->version;
+ else
+ return 0;
+ if ((new_version = protocol_from_string(value)) < 0)
+ return 0;
+ return ssl_set_version_bound(method_version, new_version, bound);
+}
+
+/*
+ * cmd_MinProtocol - Set min protocol version
+ * @cctx: config structure to save settings in
+ * @value: The min protocol version in string form
+ *
+ * Returns 1 on success and 0 on failure.
+ */
+static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value)
+{
+ return min_max_proto(cctx, value, cctx->min_version);
+}
+
+/*
+ * cmd_MaxProtocol - Set max protocol version
+ * @cctx: config structure to save settings in
+ * @value: The max protocol version in string form
+ *
+ * Returns 1 on success and 0 on failure.
+ */
+static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value)
+{
+ return min_max_proto(cctx, value, cctx->max_version);
+}