Add |SSL_get_min_proto_version| and |SSL_get_max_proto_version|
This makes it possible to fetch the min and max versions configured
directly on SSL objects (as opposed to SSL_CTX ones).
This is useful when configuring supported TLS versions on a per-connection
basis.
Change-Id: Ibccc92c5f7668e9a7be5a01d6f84089608382407
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38104
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 8cd03be..f12cacc 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -644,10 +644,10 @@
uint16_t version);
// SSL_CTX_get_min_proto_version returns the minimum protocol version for |ctx|
-OPENSSL_EXPORT uint16_t SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
+OPENSSL_EXPORT uint16_t SSL_CTX_get_min_proto_version(const SSL_CTX *ctx);
// SSL_CTX_get_max_proto_version returns the maximum protocol version for |ctx|
-OPENSSL_EXPORT uint16_t SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
+OPENSSL_EXPORT uint16_t SSL_CTX_get_max_proto_version(const SSL_CTX *ctx);
// SSL_set_min_proto_version sets the minimum protocol version for |ssl| to
// |version|. If |version| is zero, the default minimum version is used. It
@@ -659,6 +659,14 @@
// returns one on success and zero if |version| is invalid.
OPENSSL_EXPORT int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
+// SSL_get_min_proto_version returns the minimum protocol version for |ssl|. If
+// the connection's configuration has been shed, 0 is returned.
+OPENSSL_EXPORT uint16_t SSL_get_min_proto_version(const SSL *ssl);
+
+// SSL_get_max_proto_version returns the maximum protocol version for |ssl|. If
+// the connection's configuration has been shed, 0 is returned.
+OPENSSL_EXPORT uint16_t SSL_get_max_proto_version(const SSL *ssl);
+
// SSL_version returns the TLS or DTLS protocol version used by |ssl|, which is
// one of the |*_VERSION| values. (E.g. |TLS1_2_VERSION|.) Before the version
// is negotiated, the result is undefined.
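Review bot: The comment on the new `SSL_get_min_proto_version` and `SSL_get_max_proto_version` declarations leaves a return value of 0 ambiguous: the implementation in the ssl_versions.cc hunk returns `ssl->config->conf_min_version` as stored, and `SSL_set_min_proto_version` is documented just above as treating zero as "use the default", so a caller that gets 0 cannot tell whether the configuration was shed or no explicit bound was ever set (assuming the `set_*_version` helpers store zero unchanged, which this diff does not show). Suggest making that explicit, e.g. `// SSL_get_min_proto_version returns the minimum protocol version configured on |ssl|, or zero if no explicit minimum was set or the connection's configuration has been shed.` and the analogous wording for the maximum. It is also worth saying that this is the configured bound rather than the negotiated version, since `SSL_version` directly below is the accessor for the latter; code that audits a connection's policy floor should treat 0 from these getters as "not pinned", not as a concrete version.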
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
index df5ffd2..e63a189 100644
--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
@@ -335,11 +335,11 @@
return set_max_version(ctx->method, &ctx->conf_max_version, version);
}
-uint16_t SSL_CTX_get_min_proto_version(SSL_CTX *ctx) {
+uint16_t SSL_CTX_get_min_proto_version(const SSL_CTX *ctx) {
return ctx->conf_min_version;
}
-uint16_t SSL_CTX_get_max_proto_version(SSL_CTX *ctx) {
+uint16_t SSL_CTX_get_max_proto_version(const SSL_CTX *ctx) {
return ctx->conf_max_version;
}
@@ -357,6 +357,20 @@
return set_max_version(ssl->method, &ssl->config->conf_max_version, version);
}
+uint16_t SSL_get_min_proto_version(const SSL *ssl) {
+ if (!ssl->config) {
+ return 0;
+ }
+ return ssl->config->conf_min_version;
+}
+
+uint16_t SSL_get_max_proto_version(const SSL *ssl) {
+ if (!ssl->config) {
+ return 0;
+ }
+ return ssl->config->conf_max_version;
+}
+
int SSL_version(const SSL *ssl) {
return wire_version_to_api(ssl_version(ssl));
}