diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2020-05-31 18:03:33 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2020-05-31 18:03:33 +0000 |
| commit | 0eb071acf272e8e8840b65af156d7671728bbcdf (patch) | |
| tree | 892f13119aafe11d8496c900385d007461e6111f | |
| parent | 75f132c4c92ce94e9d554ea6b85c1db11bc189c1 (diff) | |
Replace ssl_max_server_version() with ssl_downgrade_max_version()
Replace the only occurrence of ssl_max_server_version() with a call
to ssl_downgrade_max_version() and remove ssl_max_server_version().
ok beck@ tb@
| -rw-r--r-- | lib/libssl/ssl_ciphers.c | 7 | ||||
| -rw-r--r-- | lib/libssl/ssl_locl.h | 3 | ||||
| -rw-r--r-- | lib/libssl/ssl_versions.c | 26 |
3 files changed, 6 insertions, 30 deletions
diff --git a/lib/libssl/ssl_ciphers.c b/lib/libssl/ssl_ciphers.c index 3abed60b5b7..3a1fb14d5c9 100644 --- a/lib/libssl/ssl_ciphers.c +++ b/lib/libssl/ssl_ciphers.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciphers.c,v 1.3 2019/05/15 09:13:16 bcook Exp $ */ +/* $OpenBSD: ssl_ciphers.c,v 1.4 2020/05/31 18:03:32 jsing Exp $ */ /* * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org> * Copyright (c) 2015-2018 Joel Sing <jsing@openbsd.org> @@ -133,8 +133,9 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) * Fail if the current version is an unexpected * downgrade. */ - max_version = ssl_max_server_version(s); - if (max_version == 0 || s->version < max_version) { + if (!ssl_downgrade_max_version(s, &max_version)) + goto err; + if (s->version < max_version) { SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INAPPROPRIATE_FALLBACK); diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 03c2c227edc..bfc3c1ad9b5 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.278 2020/05/31 16:36:35 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.279 2020/05/31 18:03:32 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1094,7 +1094,6 @@ int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, uint16_t *out_ver); int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, uint16_t *out_ver); -uint16_t ssl_max_server_version(SSL *s); int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver); int ssl_cipher_is_permitted(const SSL_CIPHER *cipher, uint16_t min_ver, uint16_t max_ver); diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c index 03eb41582ac..b21fa7198c6 100644 --- a/lib/libssl/ssl_versions.c +++ b/lib/libssl/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.5 2020/05/31 16:36:35 jsing Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.6 2020/05/31 18:03:32 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> * @@ -200,30 +200,6 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) return 1; } -uint16_t -ssl_max_server_version(SSL *s) -{ - uint16_t max_version, min_version = 0; - - if (SSL_IS_DTLS(s)) - return (DTLS1_VERSION); - - if (!ssl_enabled_version_range(s, &min_version, &max_version)) - return 0; - - /* - * Limit to the versions supported by this method. The SSL method - * will be changed during version negotiation, as such we want to - * use the SSL method from the context. - */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->ctx->method->internal->min_version, - s->ctx->method->internal->max_version)) - return 0; - - return (max_version); -} - int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver) { |