Impl SSL_client_hello_get0_legacy_version

justsmth · justsmth · commit 0ebf371a5244 · 2025-07-22T09:35:11.000-04:00
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
@@ -1172,6 +1172,15 @@ OPENSSL_EXPORT void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_
 // SSL_client_hello_isv2 always returns zero as SSLv2 is not supported.
 OPENSSL_EXPORT int SSL_client_hello_isv2(SSL *s);
 
+
+// SSL_client_hello_get0_legacy_version provides the value of the
+// "legacy_version" field in the client hello.
+//
+// This function can only be called from within a client hello callback (see
+// |SSL_CTX_set_client_hello_cb|) or during server certificate selection (see
+// |SSL_CTX_set_select_certificate_cb|).
+OPENSSL_EXPORT unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
+
 // SSL_client_hello_get0_ext searches the extensions in the ClientHello for an
 // extension of the given type. If found, it sets |*out| to point to the
 // extension contents (not including the type and length bytes) and |*outlen|
diff --git a/ssl/ssl_client_hello_test.cc b/ssl/ssl_client_hello_test.cc
@@ -369,6 +369,9 @@ int callback_SSL_client_hello_get1_extensions_present_impl(
   EXPECT_GT(extensions_len, 0u);
   EXPECT_NE(nullptr, extensions);
 
+  unsigned legacy_version = SSL_client_hello_get0_legacy_version(ssl);
+  EXPECT_NE(legacy_version, 0u);
+
   // Verify a few common extensions are present
   bool found_supported_groups = false;
   bool found_session_ticket = false;
@@ -482,6 +485,9 @@ TEST(SSLClientHelloTest, GetExtensionOrder) {
           return SSL_CLIENT_HELLO_ERROR;
         }
 
+        unsigned legacy_version = SSL_client_hello_get0_legacy_version(ssl);
+        EXPECT_NE(legacy_version, 0u);
+
         // Call with a buffer that is too small and confirm it fails.
         size_t too_small_num_extensions = num_extensions - 1;
         uint16_t* too_small_exts =
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
@@ -3167,6 +3167,20 @@ int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts, size_t *num_ext
   return 1;
 }
 
+unsigned int SSL_client_hello_get0_legacy_version(SSL *s) {
+  GUARD_PTR(s);
+  GUARD_PTR(s->s3);
+  SSL_HANDSHAKE *hs = s->s3->hs.get();
+  GUARD_PTR(hs);
+
+  SSLMessage msg_unused;
+  SSL_CLIENT_HELLO client_hello;
+  if (!hs->GetClientHello(&msg_unused, &client_hello)) {
+    return 0;
+  }
+  return client_hello.version;
+}
+
 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx,
                                  void (*cb)(const SSL *ssl, const char *line)) {
   ctx->keylog_callback = cb;
