This commit was manufactured by cvs2git to create tag 'tb_20210818'.tb_20210818

author: cvs2svn <admin@example.com> 2021-08-18 16:06:57 +0000
committer: cvs2svn <admin@example.com> 2021-08-18 16:06:57 +0000
commit: d56c8fa8260d226f98b26f017b45b9c2b135f38d (patch)
tree: 348178b41617813cc93787187984a734ef8379ca /src/lib/libssl/ssl_versions.c
parent: 18b9c1bcab7c37d8c5bd05b8e0d14d0c59d96650 (diff)
download: openbsd-tb_20210818.tar.gz
openbsd-tb_20210818.tar.bz2
openbsd-tb_20210818.zip
1 files changed, 0 insertions, 349 deletions
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
deleted file mode 100644
index c633b58c25..0000000000
--- a/src/lib/libssl/ssl_versions.c
+++ /dev/null
@@ -1,349 +0,0 @@
-/* $OpenBSD: ssl_versions.c,v 1.20 2021/07/01 17:53:39 jsing Exp $ */
-/*
- * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include "ssl_locl.h"
-static uint16_t
-ssl_dtls_to_tls_version(uint16_t dtls_ver)
-{
-        if (dtls_ver == DTLS1_VERSION)
-                return TLS1_1_VERSION;
-        if (dtls_ver == DTLS1_2_VERSION)
-                return TLS1_2_VERSION;
-        return 0;
-}
-static uint16_t
-ssl_tls_to_dtls_version(uint16_t tls_ver)
-{
-        if (tls_ver == TLS1_1_VERSION)
-                return DTLS1_VERSION;
-        if (tls_ver == TLS1_2_VERSION)
-                return DTLS1_2_VERSION;
-        return 0;
-}
-static int
-ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
-    uint16_t clamp_min, uint16_t clamp_max)
-{
-        if (clamp_min > clamp_max || *min_ver > *max_ver)
-                return 0;
-        if (clamp_max < *min_ver || clamp_min > *max_ver)
-                return 0;
-        if (*min_ver < clamp_min)
-                *min_ver = clamp_min;
-        if (*max_ver > clamp_max)
-                *max_ver = clamp_max;
-        return 1;
-}
-int
-ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
-    uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
-{
-        uint16_t min_proto, min_version, max_version;
-        if (proto_ver == 0) {
-                *out_tls_ver = meth->min_tls_version;
-                *out_proto_ver = 0;
-                return 1;
-        }
-        min_version = proto_ver;
-        max_version = max_tls_ver;
-        if (meth->dtls) {
-                if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
-                        return 0;
-        }
-        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            meth->min_tls_version, meth->max_tls_version))
-                return 0;
-        min_proto = min_version;
-        if (meth->dtls) {
-                if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0)
-                        return 0;
-        }
-        *out_tls_ver = min_version;
-        *out_proto_ver = min_proto;
-        return 1;
-}
-int
-ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
-    uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
-{
-        uint16_t max_proto, min_version, max_version;
-        if (proto_ver == 0) {
-                *out_tls_ver = meth->max_tls_version;
-                *out_proto_ver = 0;
-                return 1;
-        }
-        min_version = min_tls_ver;
-        max_version = proto_ver;
-        if (meth->dtls) {
-                if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
-                        return 0;
-        }
-        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            meth->min_tls_version, meth->max_tls_version))
-                return 0;
-        max_proto = max_version;
-        if (meth->dtls) {
-                if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0)
-                        return 0;
-        }
-        *out_tls_ver = max_version;
-        *out_proto_ver = max_proto;
-        return 1;
-}
-int
-ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
-{
-        uint16_t min_version, max_version;
-        unsigned long options;
-        /*
-         * The enabled versions have to be a contiguous range, which means we
-         * cannot enable and disable single versions at our whim, even though
-         * this is what the OpenSSL flags allow. The historical way this has
-         * been handled is by making a flag mean that all higher versions
-         * are disabled, if any version lower than the flag is enabled.
-         */
-        min_version = 0;
-        max_version = TLS1_3_VERSION;
-        options = s->internal->options;
-        if (SSL_is_dtls(s)) {
-                options = 0;
-                if (s->internal->options & SSL_OP_NO_DTLSv1)
-                        options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
-                if (s->internal->options & SSL_OP_NO_DTLSv1_2)
-                        options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
-        }
-        if ((options & SSL_OP_NO_TLSv1) == 0)
-                min_version = TLS1_VERSION;
-        else if ((options & SSL_OP_NO_TLSv1_1) == 0)
-                min_version = TLS1_1_VERSION;
-        else if ((options & SSL_OP_NO_TLSv1_2) == 0)
-                min_version = TLS1_2_VERSION;
-        else if ((options & SSL_OP_NO_TLSv1_3) == 0)
-                min_version = TLS1_3_VERSION;
-        if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
-                max_version = TLS1_2_VERSION;
-        if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
-                max_version = TLS1_1_VERSION;
-        if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
-                max_version = TLS1_VERSION;
-        if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
-                max_version = 0;
-        /* Everything has been disabled... */
-        if (min_version == 0 || max_version == 0)
-                return 0;
-        /* Limit to configured version range. */
-        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            s->internal->min_tls_version, s->internal->max_tls_version))
-                return 0;
-        if (min_ver != NULL)
-                *min_ver = min_version;
-        if (max_ver != NULL)
-                *max_ver = max_version;
-        return 1;
-}
-int
-ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
-{
-        uint16_t min_version, max_version;
-        if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
-                return 0;
-        /* Limit to the versions supported by this method. */
-        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            s->method->min_tls_version, s->method->max_tls_version))
-                return 0;
-        if (min_ver != NULL)
-                *min_ver = min_version;
-        if (max_ver != NULL)
-                *max_ver = max_version;
-        return 1;
-}
-uint16_t
-ssl_tls_version(uint16_t version)
-{
-        if (version == TLS1_VERSION || version == TLS1_1_VERSION ||
-            version == TLS1_2_VERSION || version == TLS1_3_VERSION)
-                return version;
-        if (version == DTLS1_VERSION)
-                return TLS1_1_VERSION;
-        if (version == DTLS1_2_VERSION)
-                return TLS1_2_VERSION;
-        return 0;
-}
-uint16_t
-ssl_effective_tls_version(SSL *s)
-{
-        if (S3I(s)->hs.negotiated_tls_version > 0)
-                return S3I(s)->hs.negotiated_tls_version;
-        return S3I(s)->hs.our_max_tls_version;
-}
-int
-ssl_max_supported_version(SSL *s, uint16_t *max_ver)
-{
-        uint16_t max_version;
-        *max_ver = 0;
-        if (!ssl_supported_tls_version_range(s, NULL, &max_version))
-                return 0;
-        if (SSL_is_dtls(s)) {
-                if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
-                        return 0;
-        }
-        *max_ver = max_version;
-        return 1;
-}
-int
-ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
-{
-        uint16_t min_version, max_version, peer_tls_version, shared_version;
-        *max_ver = 0;
-        peer_tls_version = peer_ver;
-        if (SSL_is_dtls(s)) {
-                if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR)
-                        return 0;
-                /*
-                 * Convert the peer version to a TLS version - DTLS versions are
-                 * the 1's complement of TLS version numbers (but not the actual
-                 * protocol version numbers, that would be too sensible). Not to
-                 * mention that DTLSv1.0 is really equivalent to DTLSv1.1.
-                 */
-                peer_tls_version = ssl_dtls_to_tls_version(peer_ver);
-                /*
-                 * This may be a version that we do not know about, if it is
-                 * newer than DTLS1_2_VERSION (yes, less than is correct due
-                 * to the "clever" versioning scheme), use TLS1_2_VERSION.
-                 */
-                if (peer_tls_version == 0) {
-                        if (peer_ver < DTLS1_2_VERSION)
-                                peer_tls_version = TLS1_2_VERSION;
-                }
-        }
-        if (peer_tls_version >= TLS1_3_VERSION)
-                shared_version = TLS1_3_VERSION;
-        else if (peer_tls_version >= TLS1_2_VERSION)
-                shared_version = TLS1_2_VERSION;
-        else if (peer_tls_version >= TLS1_1_VERSION)
-                shared_version = TLS1_1_VERSION;
-        else if (peer_tls_version >= TLS1_VERSION)
-                shared_version = TLS1_VERSION;
-        else
-                return 0;
-        if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
-                return 0;
-        if (shared_version < min_version)
-                return 0;
-        if (shared_version > max_version)
-                shared_version = max_version;
-        if (SSL_is_dtls(s)) {
-                /*
-                 * The resulting shared version will by definition be something
-                 * that we know about. Switch back from TLS to DTLS.
-                 */
-                shared_version = ssl_tls_to_dtls_version(shared_version);
-                if (shared_version == 0)
-                        return 0;
-        }
-        *max_ver = shared_version;
-        return 1;
-}
-int
-ssl_check_version_from_server(SSL *s, uint16_t server_version)
-{
-        uint16_t min_tls_version, max_tls_version, server_tls_version;
-        /* Ensure that the version selected by the server is valid. */
-        server_tls_version = server_version;
-        if (SSL_is_dtls(s)) {
-                server_tls_version = ssl_dtls_to_tls_version(server_version);
-                if (server_tls_version == 0)
-                        return 0;
-        }
-        if (!ssl_supported_tls_version_range(s, &min_tls_version,
-            &max_tls_version))
-                return 0;
-        return (server_tls_version >= min_tls_version &&
-            server_tls_version <= max_tls_version);
-}
-int
-ssl_legacy_stack_version(SSL *s, uint16_t version)
-{
-        if (SSL_is_dtls(s))
-                return version == DTLS1_VERSION || version == DTLS1_2_VERSION;
-        return version == TLS1_VERSION || version == TLS1_1_VERSION ||
-            version == TLS1_2_VERSION;
-}
author	cvs2svn <admin@example.com>	2021-08-18 16:06:57 +0000
committer	cvs2svn <admin@example.com>	2021-08-18 16:06:57 +0000
commit	d56c8fa8260d226f98b26f017b45b9c2b135f38d (patch)
tree	348178b41617813cc93787187984a734ef8379ca /src/lib/libssl/ssl_versions.c
parent	18b9c1bcab7c37d8c5bd05b8e0d14d0c59d96650 (diff)
download	openbsd-tb_20210818.tar.gz openbsd-tb_20210818.tar.bz2 openbsd-tb_20210818.zip

diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c deleted file mode 100644 index c633b58c25..0000000000 --- a/src/lib/libssl/ssl_versions.c +++ /dev/null
@@ -1,349 +0,0 @@
1	/* $OpenBSD: ssl_versions.c,v 1.20 2021/07/01 17:53:39 jsing Exp $ */
2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	*
5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	#include "ssl_locl.h"
19
20	static uint16_t
21	ssl_dtls_to_tls_version(uint16_t dtls_ver)
22	{
23	if (dtls_ver == DTLS1_VERSION)
24	return TLS1_1_VERSION;
25	if (dtls_ver == DTLS1_2_VERSION)
26	return TLS1_2_VERSION;
27	return 0;
28	}
29
30	static uint16_t
31	ssl_tls_to_dtls_version(uint16_t tls_ver)
32	{
33	if (tls_ver == TLS1_1_VERSION)
34	return DTLS1_VERSION;
35	if (tls_ver == TLS1_2_VERSION)
36	return DTLS1_2_VERSION;
37	return 0;
38	}
39
40	static int
41	ssl_clamp_tls_version_range(uint16_t min_ver, uint16_t max_ver,
42	uint16_t clamp_min, uint16_t clamp_max)
43	{
44	if (clamp_min > clamp_max \|\| min_ver > max_ver)
45	return 0;
46	if (clamp_max < min_ver \|\| clamp_min > max_ver)
47	return 0;
48
49	if (*min_ver < clamp_min)
50	*min_ver = clamp_min;
51	if (*max_ver > clamp_max)
52	*max_ver = clamp_max;
53
54	return 1;
55	}
56
57	int
58	ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
59	uint16_t max_tls_ver, uint16_t out_tls_ver, uint16_t out_proto_ver)
60	{
61	uint16_t min_proto, min_version, max_version;
62
63	if (proto_ver == 0) {
64	*out_tls_ver = meth->min_tls_version;
65	*out_proto_ver = 0;
66	return 1;
67	}
68
69	min_version = proto_ver;
70	max_version = max_tls_ver;
71
72	if (meth->dtls) {
73	if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
74	return 0;
75	}
76
77	if (!ssl_clamp_tls_version_range(&min_version, &max_version,
78	meth->min_tls_version, meth->max_tls_version))
79	return 0;
80
81	min_proto = min_version;
82	if (meth->dtls) {
83	if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0)
84	return 0;
85	}
86	*out_tls_ver = min_version;
87	*out_proto_ver = min_proto;
88
89	return 1;
90	}
91
92	int
93	ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
94	uint16_t min_tls_ver, uint16_t out_tls_ver, uint16_t out_proto_ver)
95	{
96	uint16_t max_proto, min_version, max_version;
97
98	if (proto_ver == 0) {
99	*out_tls_ver = meth->max_tls_version;
100	*out_proto_ver = 0;
101	return 1;
102	}
103
104	min_version = min_tls_ver;
105	max_version = proto_ver;
106
107	if (meth->dtls) {
108	if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
109	return 0;
110	}
111
112	if (!ssl_clamp_tls_version_range(&min_version, &max_version,
113	meth->min_tls_version, meth->max_tls_version))
114	return 0;
115
116	max_proto = max_version;
117	if (meth->dtls) {
118	if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0)
119	return 0;
120	}
121	*out_tls_ver = max_version;
122	*out_proto_ver = max_proto;
123
124	return 1;
125	}
126
127	int
128	ssl_enabled_tls_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)
129	{
130	uint16_t min_version, max_version;
131	unsigned long options;
132
133	/*
134	* The enabled versions have to be a contiguous range, which means we
135	* cannot enable and disable single versions at our whim, even though
136	* this is what the OpenSSL flags allow. The historical way this has
137	* been handled is by making a flag mean that all higher versions
138	* are disabled, if any version lower than the flag is enabled.
139	*/
140
141	min_version = 0;
142	max_version = TLS1_3_VERSION;
143	options = s->internal->options;
144
145	if (SSL_is_dtls(s)) {
146	options = 0;
147	if (s->internal->options & SSL_OP_NO_DTLSv1)
148	options \|= SSL_OP_NO_TLSv1 \| SSL_OP_NO_TLSv1_1;
149	if (s->internal->options & SSL_OP_NO_DTLSv1_2)
150	options \|= SSL_OP_NO_TLSv1 \| SSL_OP_NO_TLSv1_2;
151	}
152
153	if ((options & SSL_OP_NO_TLSv1) == 0)
154	min_version = TLS1_VERSION;
155	else if ((options & SSL_OP_NO_TLSv1_1) == 0)
156	min_version = TLS1_1_VERSION;
157	else if ((options & SSL_OP_NO_TLSv1_2) == 0)
158	min_version = TLS1_2_VERSION;
159	else if ((options & SSL_OP_NO_TLSv1_3) == 0)
160	min_version = TLS1_3_VERSION;
161
162	if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
163	max_version = TLS1_2_VERSION;
164	if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
165	max_version = TLS1_1_VERSION;
166	if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
167	max_version = TLS1_VERSION;
168	if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
169	max_version = 0;
170
171	/* Everything has been disabled... */
172	if (min_version == 0 \|\| max_version == 0)
173	return 0;
174
175	/* Limit to configured version range. */
176	if (!ssl_clamp_tls_version_range(&min_version, &max_version,
177	s->internal->min_tls_version, s->internal->max_tls_version))
178	return 0;
179
180	if (min_ver != NULL)
181	*min_ver = min_version;
182	if (max_ver != NULL)
183	*max_ver = max_version;
184
185	return 1;
186	}
187
188	int
189	ssl_supported_tls_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)
190	{
191	uint16_t min_version, max_version;
192
193	if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
194	return 0;
195
196	/* Limit to the versions supported by this method. */
197	if (!ssl_clamp_tls_version_range(&min_version, &max_version,
198	s->method->min_tls_version, s->method->max_tls_version))
199	return 0;
200
201	if (min_ver != NULL)
202	*min_ver = min_version;
203	if (max_ver != NULL)
204	*max_ver = max_version;
205
206	return 1;
207	}
208
209	uint16_t
210	ssl_tls_version(uint16_t version)
211	{
212	if (version == TLS1_VERSION \|\| version == TLS1_1_VERSION \|\|
213	version == TLS1_2_VERSION \|\| version == TLS1_3_VERSION)
214	return version;
215
216	if (version == DTLS1_VERSION)
217	return TLS1_1_VERSION;
218	if (version == DTLS1_2_VERSION)
219	return TLS1_2_VERSION;
220
221	return 0;
222	}
223
224	uint16_t
225	ssl_effective_tls_version(SSL *s)
226	{
227	if (S3I(s)->hs.negotiated_tls_version > 0)
228	return S3I(s)->hs.negotiated_tls_version;
229
230	return S3I(s)->hs.our_max_tls_version;
231	}
232
233	int
234	ssl_max_supported_version(SSL s, uint16_t max_ver)
235	{
236	uint16_t max_version;
237
238	*max_ver = 0;
239
240	if (!ssl_supported_tls_version_range(s, NULL, &max_version))
241	return 0;
242
243	if (SSL_is_dtls(s)) {
244	if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
245	return 0;
246	}
247
248	*max_ver = max_version;
249
250	return 1;
251	}
252
253	int
254	ssl_max_shared_version(SSL s, uint16_t peer_ver, uint16_t max_ver)
255	{
256	uint16_t min_version, max_version, peer_tls_version, shared_version;
257
258	*max_ver = 0;
259	peer_tls_version = peer_ver;
260
261	if (SSL_is_dtls(s)) {
262	if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR)
263	return 0;
264
265	/*
266	* Convert the peer version to a TLS version - DTLS versions are
267	* the 1's complement of TLS version numbers (but not the actual
268	* protocol version numbers, that would be too sensible). Not to
269	* mention that DTLSv1.0 is really equivalent to DTLSv1.1.
270	*/
271	peer_tls_version = ssl_dtls_to_tls_version(peer_ver);
272
273	/*
274	* This may be a version that we do not know about, if it is
275	* newer than DTLS1_2_VERSION (yes, less than is correct due
276	* to the "clever" versioning scheme), use TLS1_2_VERSION.
277	*/
278	if (peer_tls_version == 0) {
279	if (peer_ver < DTLS1_2_VERSION)
280	peer_tls_version = TLS1_2_VERSION;
281	}
282	}
283
284	if (peer_tls_version >= TLS1_3_VERSION)
285	shared_version = TLS1_3_VERSION;
286	else if (peer_tls_version >= TLS1_2_VERSION)
287	shared_version = TLS1_2_VERSION;
288	else if (peer_tls_version >= TLS1_1_VERSION)
289	shared_version = TLS1_1_VERSION;
290	else if (peer_tls_version >= TLS1_VERSION)
291	shared_version = TLS1_VERSION;
292	else
293	return 0;
294
295	if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
296	return 0;
297
298	if (shared_version < min_version)
299	return 0;
300
301	if (shared_version > max_version)
302	shared_version = max_version;
303
304	if (SSL_is_dtls(s)) {
305	/*
306	* The resulting shared version will by definition be something
307	* that we know about. Switch back from TLS to DTLS.
308	*/
309	shared_version = ssl_tls_to_dtls_version(shared_version);
310	if (shared_version == 0)
311	return 0;
312	}
313
314	*max_ver = shared_version;
315
316	return 1;
317	}
318
319	int
320	ssl_check_version_from_server(SSL *s, uint16_t server_version)
321	{
322	uint16_t min_tls_version, max_tls_version, server_tls_version;
323
324	/* Ensure that the version selected by the server is valid. */
325
326	server_tls_version = server_version;
327	if (SSL_is_dtls(s)) {
328	server_tls_version = ssl_dtls_to_tls_version(server_version);
329	if (server_tls_version == 0)
330	return 0;
331	}
332
333	if (!ssl_supported_tls_version_range(s, &min_tls_version,
334	&max_tls_version))
335	return 0;
336
337	return (server_tls_version >= min_tls_version &&
338	server_tls_version <= max_tls_version);
339	}
340
341	int
342	ssl_legacy_stack_version(SSL *s, uint16_t version)
343	{
344	if (SSL_is_dtls(s))
345	return version == DTLS1_VERSION \|\| version == DTLS1_2_VERSION;
346
347	return version == TLS1_VERSION \|\| version == TLS1_1_VERSION \|\|
348	version == TLS1_2_VERSION;
349	}