From 2a664981b208ba64a4208ae9df8715a491339d41 Mon Sep 17 00:00:00 2001
From: Oleg Jukovec <oleg.jukovec@tarantool.org>
Date: Fri, 15 Apr 2022 12:54:14 +0300
Subject: [PATCH] Add Ctx.SetMinProtoVersion and Ctx.SetMaxProtoVersion
 wrappers - Ctx.SetMinProtoVersion wraps SSL_CTX_set_min_proto_version -
 Ctx.SetMaxProtoVersion wraps SSL_CTX_set_max_proto_version

---
 ctx.go | 26 ++++++++++++++++++++++++++
 shim.c |  8 ++++++++
 shim.h |  2 ++
 3 files changed, 36 insertions(+)

diff --git a/ctx.go b/ctx.go
index 651d4c2..28d1655 100644
--- a/ctx.go
+++ b/ctx.go
@@ -362,6 +362,32 @@ func (c *Ctx) LoadVerifyLocations(ca_file string, ca_path string) error {
 	return nil
 }
 
+type Version int
+
+const (
+	SSL3_VERSION Version = C.SSL3_VERSION
+	TLS1_VERSION Version = C.TLS1_VERSION
+	TLS1_1_VERSION Version = C.TLS1_1_VERSION
+	TLS1_2_VERSION Version = C.TLS1_2_VERSION
+	TLS1_3_VERSION Version = C.TLS1_3_VERSION
+	DTLS1_VERSION Version = C.DTLS1_VERSION
+	DTLS1_2_VERSION Version = C.DTLS1_2_VERSION
+)
+
+// SetMinProtoVersion sets the minimum supported protocol version for the Ctx.
+// http://www.openssl.org/docs/ssl/SSL_CTX_set_min_proto_version.html
+func (c *Ctx) SetMinProtoVersion(version Version) bool {
+	return C.X_SSL_CTX_set_min_proto_version(
+		c.ctx, C.int(version)) == 1
+}
+
+// SetMaxProtoVersion sets the maximum supported protocol version for the Ctx.
+// http://www.openssl.org/docs/ssl/SSL_CTX_set_max_proto_version.html
+func (c *Ctx) SetMaxProtoVersion(version Version) bool {
+	return C.X_SSL_CTX_set_max_proto_version(
+		c.ctx, C.int(version)) == 1
+}
+
 type Options int
 
 const (
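Review bot: SetMinProtoVersion and SetMaxProtoVersion report failure only as a `bool`, whereas LoadVerifyLocations (named in the hunk header) returns `error`. A caller that discards the result has no sign that the requested floor was rejected, and the Ctx presumably keeps its earlier version range, so older protocol versions can stay enabled. If the signature must stay, say so in the doc comment, e.g. `// It returns false if OpenSSL rejected the version; callers must check the result before using the Ctx.` The exported `Version` type and its constants also have no doc comments. A short comment should note that the DTLS values apply only to DTLS contexts, that `SSL3_VERSION` is kept for completeness rather than as a recommended minimum, and that OpenSSL treats a value of 0 as "lowest/highest version the library supports".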
diff --git a/shim.c b/shim.c
index 360aa2b..b27a574 100644
--- a/shim.c
+++ b/shim.c
@@ -475,6 +475,14 @@ int X_SSL_CTX_new_index() {
 	return SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
 }
 
+int X_SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version) {
+	return SSL_CTX_set_min_proto_version(ctx, version);
+}
+
+int X_SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version) {
+	return SSL_CTX_set_max_proto_version(ctx, version);
+}
+
 long X_SSL_CTX_set_options(SSL_CTX* ctx, long options) {
 	return SSL_CTX_set_options(ctx, options);
 }
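Review bot: The two new wrappers call SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version with no version guard, and those calls exist only from OpenSSL 1.1.0 onward (`TLS1_3_VERSION`, used on the Go side, only from 1.1.1). Whether this shim is still built against older OpenSSL is not visible from the hunk. If it is, the build breaks rather than degrading. In that case, wrap each body in `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` with an `#else` branch that does `return 0;`, so the Go wrappers report failure instead of the package failing to compile.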
diff --git a/shim.h b/shim.h
index c63a959..94fe8c6 100644
--- a/shim.h
+++ b/shim.h
@@ -67,6 +67,8 @@ extern int X_SSL_verify_cb(int ok, X509_STORE_CTX* store);
 
 /* SSL_CTX methods */
 extern int X_SSL_CTX_new_index();
+extern int X_SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
+extern int X_SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
 extern long X_SSL_CTX_set_options(SSL_CTX* ctx, long options);
 extern long X_SSL_CTX_clear_options(SSL_CTX* ctx, long options);
 extern long X_SSL_CTX_get_options(SSL_CTX* ctx);