authorjsing <jsing@openbsd.org>2021-03-11 17:14:46 +0000
committerjsing <jsing@openbsd.org>2021-03-11 17:14:46 +0000
commit1927d7790dff19472852783a67316f330febbddb (patch)
tree6259fed46a2f2eac2f4109f1042e2eac48975bed /lib/libssl/ssl_ciphers.c
parentThere is no need to try to attach IPv6 to an interface when the (diff)
Remove ssl_downgrade_max_version().
Now that we store our maximum TLS version at the start of the handshake, we can check against that directly. ok inoguchi@ tb@
Diffstat (limited to 'lib/libssl/ssl_ciphers.c')
-rw-r--r--lib/libssl/ssl_ciphers.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/libssl/ssl_ciphers.c b/lib/libssl/ssl_ciphers.c
index 85c60b1abb0..4e4a0d93a4a 100644
--- a/lib/libssl/ssl_ciphers.c
+++ b/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciphers.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
+/* $OpenBSD: ssl_ciphers.c,v 1.11 2021/03/11 17:14:46 jsing Exp $ */
/*
* Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
* Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -93,7 +93,7 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
{
STACK_OF(SSL_CIPHER) *ciphers = NULL;
const SSL_CIPHER *cipher;
- uint16_t cipher_value, max_version;
+ uint16_t cipher_value;
unsigned long cipher_id;
S3I(s)->send_connection_binding = 0;
@@ -134,9 +134,8 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
* Fail if the current version is an unexpected
* downgrade.
*/
- if (!ssl_downgrade_max_version(s, &max_version))
- goto err;
- if (s->version < max_version) {
+ if (S3I(s)->hs.negotiated_tls_version <
+ S3I(s)->hs.our_max_tls_version) {
SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
ssl3_send_alert(s, SSL3_AL_FATAL,
SSL_AD_INAPPROPRIATE_FALLBACK);
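Review bot: The rewritten downgrade check has no failure path of its own: the removed `ssl_downgrade_max_version()` call could `goto err`, whereas the new comparison of `S3I(s)->hs.negotiated_tls_version` against `S3I(s)->hs.our_max_tls_version` simply evaluates false if `our_max_tls_version` were still zero, so the inappropriate-fallback alert would be skipped silently. The commit message says the maximum is stored at the start of the handshake, but that assignment is not visible in this diff, so the comment above the check should state the invariant, e.g. `hs.our_max_tls_version is set before the ClientHello is parsed; a zero value here would disable the fallback check.` A defensive `if (S3I(s)->hs.our_max_tls_version == 0) goto err;` ahead of the comparison would preserve the previous fail-closed behaviour. The body of ssl_bytes_to_cipher_list starts and ends outside this hunk.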