Replace ssl_max_server_version() with ssl_downgrade_max_version()

Replace the only occurrence of ssl_max_server_version() with a call
to ssl_downgrade_max_version() and remove ssl_max_server_version().

ok beck@ tb@

3 files changed, 6 insertions, 30 deletions

diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 3abed60b5b..3a1fb14d5c 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_ciphers.c,v 1.3 2019/05/15 09:13:16 bcook Exp $ */
+/*      $OpenBSD: ssl_ciphers.c,v 1.4 2020/05/31 18:03:32 jsing Exp $ */
 /*
  * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
  * Copyright (c) 2015-2018 Joel Sing <jsing@openbsd.org>
@@ -133,8 +133,9 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
                          * Fail if the current version is an unexpected
                          * downgrade.
                          */
-                        max_version = ssl_max_server_version(s);
-                        if (max_version == 0 || s->version < max_version) {
+                        if (!ssl_downgrade_max_version(s, &max_version))
+                                goto err;
+                        if (s->version < max_version) {
                                 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
                                 ssl3_send_alert(s, SSL3_AL_FATAL,
                                         SSL_AD_INAPPROPRIATE_FALLBACK);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 03c2c227ed..bfc3c1ad9b 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.278 2020/05/31 16:36:35 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.279 2020/05/31 18:03:32 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1094,7 +1094,6 @@ int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
     uint16_t *out_ver);
 int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
     uint16_t *out_ver);
-uint16_t ssl_max_server_version(SSL *s);
 int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
 int ssl_cipher_is_permitted(const SSL_CIPHER *cipher, uint16_t min_ver,
     uint16_t max_ver);
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 03eb41582a..b21fa7198c 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.5 2020/05/31 16:36:35 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.6 2020/05/31 18:03:32 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -200,30 +200,6 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
         return 1;
 }
 
-uint16_t
-ssl_max_server_version(SSL *s)
-{
-        uint16_t max_version, min_version = 0;
-
-        if (SSL_IS_DTLS(s))
-                return (DTLS1_VERSION);
-
-        if (!ssl_enabled_version_range(s, &min_version, &max_version))
-                return 0;
-
-        /*
-         * Limit to the versions supported by this method. The SSL method
-         * will be changed during version negotiation, as such we want to
-         * use the SSL method from the context.
-         */
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            s->ctx->method->internal->min_version,
-            s->ctx->method->internal->max_version))
-                return 0;
-
-        return (max_version);
-}
-
 int
 ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
 {