Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's compliment of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@

1 files changed, 4 insertions, 3 deletions

diff --git a/lib/libssl/ssl_packet.c b/lib/libssl/ssl_packet.c
index fc1c3c07de7..b383fe83e9b 100644
--- a/lib/libssl/ssl_packet.c
+++ b/lib/libssl/ssl_packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_packet.c,v 1.9 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_packet.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -247,12 +247,13 @@ ssl_server_legacy_first_packet(SSL *s)
 		return 1;
 
 	/* Only continue if this is not a version locked method. */
-	if (s->method->internal->min_version == s->method->internal->max_version)
+	if (s->method->internal->min_tls_version ==
+	    s->method->internal->max_tls_version)
 		return 1;
 
 	if (ssl_is_sslv2_client_hello(&header) == 1) {
 		/* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */
-		if (ssl_enabled_version_range(s, &min_version, NULL) != 1) {
+		if (ssl_enabled_tls_version_range(s, &min_version, NULL) != 1) {
 			SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
 			return -1;
 		}