diff options
| author |   jsing <jsing@openbsd.org> | 2021-02-25 17:06:05 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2021-02-25 17:06:05 +0000 |
| commit | 970acf874db22f09b7e42996a54559867b6102e2 (patch) | |
| tree | 34405a224570d4c15c3de6932b4dfeaaadbcaccd /lib/libssl/ssl_ciphers.c | |
| parent | Rename depth to num_untrusted so it identifies what it actually represents. (diff) | |
| download | wireguard-openbsd-970acf874db22f09b7e42996a54559867b6102e2.tar.xz wireguard-openbsd-970acf874db22f09b7e42996a54559867b6102e2.zip | |
Only use TLS versions internally (rather than both TLS and DTLS versions).
DTLS protocol version numbers are the 1's compliment of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.
Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).
ok tb@
Diffstat (limited to 'lib/libssl/ssl_ciphers.c')
| -rw-r--r-- | lib/libssl/ssl_ciphers.c | 25 |
1 files changed, 7 insertions, 18 deletions
diff --git a/lib/libssl/ssl_ciphers.c b/lib/libssl/ssl_ciphers.c index 399e274ad4d..85c60b1abb0 100644 --- a/lib/libssl/ssl_ciphers.c +++ b/lib/libssl/ssl_ciphers.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */ +/* $OpenBSD: ssl_ciphers.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */ /* * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org> * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org> @@ -36,28 +36,17 @@ ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher) } int -ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver, +ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver, uint16_t max_ver) { - /* XXX: We only support DTLSv1 which is effectively TLSv1.1 */ - if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION) - min_ver = max_ver = TLS1_1_VERSION; - switch(cipher->algorithm_ssl) { case SSL_SSLV3: - if (min_ver <= TLS1_2_VERSION) - return 1; - break; + return (min_ver <= TLS1_2_VERSION); case SSL_TLSV1_2: - if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver) - return 1; - break; + return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver); case SSL_TLSV1_3: - if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver) - return 1; - break; + return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver); } - return 0; } @@ -72,13 +61,13 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb) if (ciphers == NULL) return 0; - if (!ssl_supported_version_range(s, &min_vers, &max_vers)) + if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers)) return 0; for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) return 0; - if (!ssl_cipher_allowed_in_version_range(cipher, min_vers, + if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, max_vers)) continue; if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher))) |