diff options
| author |   jsing <jsing@openbsd.org> | 2017-01-26 06:01:44 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2017-01-26 06:01:44 +0000 |
| commit | 2b939dc48d7587254ac1d3d0fa6dcbe481def472 (patch) | |
| tree | 8a3c76655f25b20d7609649ee87326a42d07a22e /lib/libssl/ssl_lib.c | |
| parent | Rename s3_{both,clnt,pkt_srvr}.c to have an ssl_ prefix since they are no (diff) | |
| download | wireguard-openbsd-2b939dc48d7587254ac1d3d0fa6dcbe481def472.tar.xz wireguard-openbsd-2b939dc48d7587254ac1d3d0fa6dcbe481def472.zip | |
Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.
ok beck@
Diffstat (limited to 'lib/libssl/ssl_lib.c')
| -rw-r--r-- | lib/libssl/ssl_lib.c | 157 |
1 files changed, 1 insertions, 156 deletions
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 649b238bd99..6f31d6dcdf7 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.151 2017/01/26 00:42:44 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.152 2017/01/26 06:01:44 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2492,161 +2492,6 @@ SSL_get_version(const SSL *s) return ssl_version_string(s->version); } -static int -ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, - uint16_t clamp_min, uint16_t clamp_max) -{ - if (clamp_min > clamp_max || *min_ver > *max_ver) - return 0; - if (clamp_max < *min_ver || clamp_min > *max_ver) - return 0; - - if (*min_ver < clamp_min) - *min_ver = clamp_min; - if (*max_ver > clamp_max) - *max_ver = clamp_max; - - return 1; -} - -int -ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) -{ - uint16_t min_version, max_version; - - /* - * The enabled versions have to be a contiguous range, which means we - * cannot enable and disable single versions at our whim, even though - * this is what the OpenSSL flags allow. The historical way this has - * been handled is by making a flag mean that all higher versions - * are disabled, if any version lower than the flag is enabled. - */ - - min_version = 0; - max_version = TLS1_2_VERSION; - - if ((s->internal->options & SSL_OP_NO_TLSv1) == 0) - min_version = TLS1_VERSION; - else if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0) - min_version = TLS1_1_VERSION; - else if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0) - min_version = TLS1_2_VERSION; - - if ((s->internal->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) - max_version = TLS1_1_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) - max_version = TLS1_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) - max_version = 0; - - /* Everything has been disabled... */ - if (min_version == 0 || max_version == 0) - return 0; - - /* Limit to configured version range. */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->internal->min_version, s->internal->max_version)) - return 0; - - if (min_ver != NULL) - *min_ver = min_version; - if (max_ver != NULL) - *max_ver = max_version; - - return 1; -} - -int -ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) -{ - uint16_t min_version, max_version; - - /* DTLS cannot currently be disabled... */ - if (SSL_IS_DTLS(s)) { - min_version = max_version = DTLS1_VERSION; - goto done; - } - - if (!ssl_enabled_version_range(s, &min_version, &max_version)) - return 0; - - /* Limit to the versions supported by this method. */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->method->internal->min_version, - s->method->internal->max_version)) - return 0; - - done: - if (min_ver != NULL) - *min_ver = min_version; - if (max_ver != NULL) - *max_ver = max_version; - - return 1; -} - -int -ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) -{ - uint16_t min_version, max_version, shared_version; - - *max_ver = 0; - - if (SSL_IS_DTLS(s)) { - if (peer_ver >= DTLS1_VERSION) { - *max_ver = DTLS1_VERSION; - return 1; - } - return 0; - } - - if (peer_ver >= TLS1_2_VERSION) - shared_version = TLS1_2_VERSION; - else if (peer_ver >= TLS1_1_VERSION) - shared_version = TLS1_1_VERSION; - else if (peer_ver >= TLS1_VERSION) - shared_version = TLS1_VERSION; - else - return 0; - - if (!ssl_supported_version_range(s, &min_version, &max_version)) - return 0; - - if (shared_version < min_version) - return 0; - - if (shared_version > max_version) - shared_version = max_version; - - *max_ver = shared_version; - - return 1; -} - -uint16_t -ssl_max_server_version(SSL *s) -{ - uint16_t max_version, min_version = 0; - - if (SSL_IS_DTLS(s)) - return (DTLS1_VERSION); - - if (!ssl_enabled_version_range(s, &min_version, &max_version)) - return 0; - - /* - * Limit to the versions supported by this method. The SSL method - * will be changed during version negotiation, as such we want to - * use the SSL method from the context. - */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->ctx->method->internal->min_version, - s->ctx->method->internal->max_version)) - return 0; - - return (max_version); -} - SSL * SSL_dup(SSL *s) { |