authorjsing <jsing@openbsd.org>2021-02-22 15:59:10 +0000
committerjsing <jsing@openbsd.org>2021-02-22 15:59:10 +0000
commit305a92761f80bc0040aafade534448940c1f2885 (patch)
tree2fa2c9bbfe93653329d6959044048c4deeffaf52 /lib/libssl/ssl_versions.c
parentWhen cutting of the head of an overlapping fragment during pf (diff)
Factor out/change some of the legacy client version handling code.
This consolidates the version handling code and will make upcoming changes easier. ok tb@
Diffstat (limited to 'lib/libssl/ssl_versions.c')
-rw-r--r--lib/libssl/ssl_versions.c29
1 files changed, 28 insertions, 1 deletions
diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c
index 1ee5ed312cf..3c4801971e0 100644
--- a/lib/libssl/ssl_versions.c
+++ b/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.11 2021/02/20 09:43:29 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.12 2021/02/22 15:59:10 jsing Exp $ */
/*
* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
*
@@ -163,6 +163,17 @@ ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
}
int
+ssl_max_supported_version(SSL *s, uint16_t *max_ver)
+{
+ *max_ver = 0;
+
+ if (!ssl_supported_version_range(s, NULL, max_ver))
+ return 0;
+
+ return 1;
+}
+
+int
ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
{
uint16_t min_version, max_version, shared_version;
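Review bot: ssl_max_supported_version() passes NULL as min_ver to ssl_supported_version_range(), whose body is outside this hunk, so the new function is only safe if that callee skips a NULL out-pointer. That should be confirmed and recorded next to the call. The function also has no header comment stating its contract: `*max_ver` is zeroed before the call and the result is normalised to 1 or 0, so a caller that ignores the return value would carry on with version 0. I would add `/* Returns 1 on success; on failure returns 0 and *max_ver must not be used. */` above the definition.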
@@ -235,6 +246,22 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
}
int
+ssl_check_version_from_server(SSL *s, uint16_t server_version)
+{
+ uint16_t min_version, max_version;
+
+ /* Ensure that the version selected by the server is valid. */
+
+ if (SSL_is_dtls(s))
+ return (server_version == DTLS1_VERSION);
+
+ if (!ssl_supported_version_range(s, &min_version, &max_version))
+ return 0;
+
+ return (server_version >= min_version && server_version <= max_version);
+}
+
+int
ssl_legacy_stack_version(SSL *s, uint16_t version)
{
if (SSL_is_dtls(s))
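Review bot: In ssl_check_version_from_server() the DTLS branch accepts exactly DTLS1_VERSION and returns before ssl_supported_version_range() is consulted, so any configured minimum or maximum is not applied to a DTLS peer on this path. The existing comment does not say whether that is intentional. The `>=`/`<=` comparison below it is only correct for TLS, because DTLS wire versions decrease numerically as the protocol version increases; if another DTLS version is added later, the range check cannot simply be reused. I would extend the comment to something like `/* DTLS: only 1.0 is accepted; DTLS versions sort in reverse, so the range check below is TLS-only. */`. The check also only confirms that the server's choice lies inside the local range, so any downgrade detection presumably lives outside this hunk.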