Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's compliment of human readable TLS version numbers, which means that newer versions decrease in value and there is no direct mapping between TLS protocol version numbers and DTLS protocol version numbers. Rather than having to deal with this internally, only use TLS versions internally and map between DTLS and TLS protocol versions when necessary. Rename functions and variables to use 'tls_version' when they contain a TLS version (and never a DTLS version). ok tb@
author: jsing <> 2021-02-25 17:06:05 +0000
committer: jsing <> 2021-02-25 17:06:05 +0000
commit: 72c7f20e4fbcb3386178960b8f88ab2fbc042567 (patch)
tree: 5a334628a895bbe67688cd0dbadfdc68524f02de /src/lib/libssl/ssl_ciphers.c
parent: aed0a5deca305a997de3f6234733204b383f094f (diff)
download: openbsd-72c7f20e4fbcb3386178960b8f88ab2fbc042567.tar.gz
openbsd-72c7f20e4fbcb3386178960b8f88ab2fbc042567.tar.bz2
openbsd-72c7f20e4fbcb3386178960b8f88ab2fbc042567.zip
1 files changed, 7 insertions, 18 deletions
diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 399e274ad4..85c60b1abb 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */
+/*      $OpenBSD: ssl_ciphers.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
 /*
 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -36,28 +36,17 @@ ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
 }
 int
-ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
+ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
    uint16_t max_ver)
 {
-        /* XXX: We only support DTLSv1 which is effectively TLSv1.1 */
-        if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION)
-                min_ver = max_ver = TLS1_1_VERSION;
        switch(cipher->algorithm_ssl) {
        case SSL_SSLV3:
-                if (min_ver <= TLS1_2_VERSION)
+                return (min_ver <= TLS1_2_VERSION);
-                        return 1;
-                break;
        case SSL_TLSV1_2:
-                if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver)
+                return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
-                        return 1;
-                break;
        case SSL_TLSV1_3:
-                if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver)
+                return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
-                        return 1;
-                break;
        }
        return 0;
 }
@@ -72,13 +61,13 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
        if (ciphers == NULL)
                return 0;
-        if (!ssl_supported_version_range(s, &min_vers, &max_vers))
+        if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
                return 0;
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
                if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
                        return 0;
-                if (!ssl_cipher_allowed_in_version_range(cipher, min_vers,
+                if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
                    max_vers))
                        continue;
                if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
author	jsing <>	2021-02-25 17:06:05 +0000
committer	jsing <>	2021-02-25 17:06:05 +0000
commit	72c7f20e4fbcb3386178960b8f88ab2fbc042567 (patch)
tree	5a334628a895bbe67688cd0dbadfdc68524f02de /src/lib/libssl/ssl_ciphers.c
parent	aed0a5deca305a997de3f6234733204b383f094f (diff)
download	openbsd-72c7f20e4fbcb3386178960b8f88ab2fbc042567.tar.gz openbsd-72c7f20e4fbcb3386178960b8f88ab2fbc042567.tar.bz2 openbsd-72c7f20e4fbcb3386178960b8f88ab2fbc042567.zip