Diffstat (limited to 'src/lib/libssl/ssl_ciphers.c')
-rw-r--r-- | src/lib/libssl/ssl_ciphers.c | 25 |
1 files changed, 7 insertions, 18 deletions
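--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */
+/* $OpenBSD: ssl_ciphers.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
 /*
 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -36,28 +36,17 @@ ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
 }
 
 int
-ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
+ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
 uint16_t max_ver)
 {
-/* XXX: We only support DTLSv1 which is effectively TLSv1.1 */
-if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION)
-min_ver = max_ver = TLS1_1_VERSION;
-
 switch(cipher->algorithm_ssl) {
 case SSL_SSLV3:
-if (min_ver <= TLS1_2_VERSION)
-return 1;
-break;
+return (min_ver <= TLS1_2_VERSION);
 case SSL_TLSV1_2:
-if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver)
-return 1;
-break;
+return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
 case SSL_TLSV1_3:
-if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver)
-return 1;
-break;
+return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
 }
-
 return 0;
 }
 
@@ -72,13 +61,13 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
 if (ciphers == NULL)
 return 0;
 
-if (!ssl_supported_version_range(s, &min_vers, &max_vers))
+if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
 return 0;
 
 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
 return 0;
-if (!ssl_cipher_allowed_in_version_range(cipher, min_vers,
+if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
 max_vers))
 continue;
 if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))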
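Review bot: The rewritten switch in ssl_cipher_allowed_in_tls_version_range (hunk -36,28 +36,17) has no `default:` label, so an algorithm_ssl value other than SSL_SSLV3, SSL_TLSV1_2 or SSL_TLSV1_3 falls out of the switch to the trailing `return 0`; that deny-by-default result is the safe one, but with the DTLS comment gone nothing in the body says it is intentional. Making it explicit as the last case, `default: return 0;`, keeps the policy visible to the next person who adds a protocol bit. With the DTLS1_VERSION mapping removed, the function now assumes both arguments are already TLS version numbers; a one-line comment above the switch such as `/* min_ver and max_ver are TLS versions; DTLS callers map to TLS first */` would record that contract, which is presumably upheld by ssl_supported_tls_version_range in the caller but cannot be confirmed from this diff. The SSL_SSLV3 case also tests only min_ver while the other two test both bounds; a short comment on that line explaining why max_ver is irrelevant there would make the asymmetry read as deliberate rather than as a dropped condition.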