1 files changed, 1 insertions, 156 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 649b238bd9..6f31d6dcdf 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.151 2017/01/26 00:42:44 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.152 2017/01/26 06:01:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2492,161 +2492,6 @@ SSL_get_version(const SSL *s)
        return ssl_version_string(s->version);
 }
-static int
-ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
-    uint16_t clamp_min, uint16_t clamp_max)
-{
-        if (clamp_min > clamp_max || *min_ver > *max_ver)
-                return 0;
-        if (clamp_max < *min_ver || clamp_min > *max_ver)
-                return 0;
-        if (*min_ver < clamp_min)
-                *min_ver = clamp_min;
-        if (*max_ver > clamp_max)
-                *max_ver = clamp_max;
-        return 1;
-}
-int
-ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
-{
-        uint16_t min_version, max_version;
-        /*
-         * The enabled versions have to be a contiguous range, which means we
-         * cannot enable and disable single versions at our whim, even though
-         * this is what the OpenSSL flags allow. The historical way this has
-         * been handled is by making a flag mean that all higher versions
-         * are disabled, if any version lower than the flag is enabled.
-         */
-        min_version = 0;
-        max_version = TLS1_2_VERSION;
-        if ((s->internal->options & SSL_OP_NO_TLSv1) == 0)
-                min_version = TLS1_VERSION;
-        else if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0)
-                min_version = TLS1_1_VERSION;
-        else if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0)
-                min_version = TLS1_2_VERSION;
-        if ((s->internal->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
-                max_version = TLS1_1_VERSION;
-        if ((s->internal->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
-                max_version = TLS1_VERSION;
-        if ((s->internal->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
-                max_version = 0;
-        /* Everything has been disabled... */
-        if (min_version == 0 || max_version == 0)
-                return 0;
-        /* Limit to configured version range. */
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            s->internal->min_version, s->internal->max_version))
-                return 0;
-        if (min_ver != NULL)
-                *min_ver = min_version;
-        if (max_ver != NULL)
-                *max_ver = max_version;
-        return 1;
-}
-int
-ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
-{
-        uint16_t min_version, max_version;
-        /* DTLS cannot currently be disabled... */
-        if (SSL_IS_DTLS(s)) {
-                min_version = max_version = DTLS1_VERSION;
-                goto done;
-        }
-        if (!ssl_enabled_version_range(s, &min_version, &max_version))
-                return 0;
-        /* Limit to the versions supported by this method. */
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            s->method->internal->min_version,
-            s->method->internal->max_version))
-                return 0;
- done:
-        if (min_ver != NULL)
-                *min_ver = min_version;
-        if (max_ver != NULL)
-                *max_ver = max_version;
-        return 1;
-}
-int
-ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
-{
-        uint16_t min_version, max_version, shared_version;
-        *max_ver = 0;
-        if (SSL_IS_DTLS(s)) {
-                if (peer_ver >= DTLS1_VERSION) {
-                        *max_ver = DTLS1_VERSION;
-                        return 1;
-                }
-                return 0;
-        }
-        if (peer_ver >= TLS1_2_VERSION)
-                shared_version = TLS1_2_VERSION;
-        else if (peer_ver >= TLS1_1_VERSION)
-                shared_version = TLS1_1_VERSION;
-        else if (peer_ver >= TLS1_VERSION)
-                shared_version = TLS1_VERSION;
-        else
-                return 0;
-        if (!ssl_supported_version_range(s, &min_version, &max_version))
-                return 0;
-        if (shared_version < min_version)
-                return 0;
-        if (shared_version > max_version)
-                shared_version = max_version;
-        *max_ver = shared_version;
-        return 1;
-}
-uint16_t
-ssl_max_server_version(SSL *s)
-{
-        uint16_t max_version, min_version = 0;
-        if (SSL_IS_DTLS(s))
-                return (DTLS1_VERSION);
-        if (!ssl_enabled_version_range(s, &min_version, &max_version))
-                return 0;
-        /*
-         * Limit to the versions supported by this method. The SSL method
-         * will be changed during version negotiation, as such we want to
-         * use the SSL method from the context.
-         */
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            s->ctx->method->internal->min_version,
-            s->ctx->method->internal->max_version))
-                return 0;
-        return (max_version);
-}
 SSL *
 SSL_dup(SSL *s)
 {

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 649b238bd9..6f31d6dcdf 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.151 2017/01/26 00:42:44 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.152 2017/01/26 06:01:44 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2492,161 +2492,6 @@ SSL_get_version(const SSL *s)
2492	return ssl_version_string(s->version);	2492	return ssl_version_string(s->version);
2493	}	2493	}
2494		2494
2495	static int
2496	ssl_clamp_version_range(uint16_t min_ver, uint16_t max_ver,
2497	uint16_t clamp_min, uint16_t clamp_max)
2498	{
2499	if (clamp_min > clamp_max \|\| min_ver > max_ver)
2500	return 0;
2501	if (clamp_max < min_ver \|\| clamp_min > max_ver)
2502	return 0;
2503
2504	if (*min_ver < clamp_min)
2505	*min_ver = clamp_min;
2506	if (*max_ver > clamp_max)
2507	*max_ver = clamp_max;
2508
2509	return 1;
2510	}
2511
2512	int
2513	ssl_enabled_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)
2514	{
2515	uint16_t min_version, max_version;
2516
2517	/*
2518	* The enabled versions have to be a contiguous range, which means we
2519	* cannot enable and disable single versions at our whim, even though
2520	* this is what the OpenSSL flags allow. The historical way this has
2521	* been handled is by making a flag mean that all higher versions
2522	* are disabled, if any version lower than the flag is enabled.
2523	*/
2524
2525	min_version = 0;
2526	max_version = TLS1_2_VERSION;
2527
2528	if ((s->internal->options & SSL_OP_NO_TLSv1) == 0)
2529	min_version = TLS1_VERSION;
2530	else if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0)
2531	min_version = TLS1_1_VERSION;
2532	else if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0)
2533	min_version = TLS1_2_VERSION;
2534
2535	if ((s->internal->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
2536	max_version = TLS1_1_VERSION;
2537	if ((s->internal->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
2538	max_version = TLS1_VERSION;
2539	if ((s->internal->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
2540	max_version = 0;
2541
2542	/* Everything has been disabled... */
2543	if (min_version == 0 \|\| max_version == 0)
2544	return 0;
2545
2546	/* Limit to configured version range. */
2547	if (!ssl_clamp_version_range(&min_version, &max_version,
2548	s->internal->min_version, s->internal->max_version))
2549	return 0;
2550
2551	if (min_ver != NULL)
2552	*min_ver = min_version;
2553	if (max_ver != NULL)
2554	*max_ver = max_version;
2555
2556	return 1;
2557	}
2558
2559	int
2560	ssl_supported_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)
2561	{
2562	uint16_t min_version, max_version;
2563
2564	/* DTLS cannot currently be disabled... */
2565	if (SSL_IS_DTLS(s)) {
2566	min_version = max_version = DTLS1_VERSION;
2567	goto done;
2568	}
2569
2570	if (!ssl_enabled_version_range(s, &min_version, &max_version))
2571	return 0;
2572
2573	/* Limit to the versions supported by this method. */
2574	if (!ssl_clamp_version_range(&min_version, &max_version,
2575	s->method->internal->min_version,
2576	s->method->internal->max_version))
2577	return 0;
2578
2579	done:
2580	if (min_ver != NULL)
2581	*min_ver = min_version;
2582	if (max_ver != NULL)
2583	*max_ver = max_version;
2584
2585	return 1;
2586	}
2587
2588	int
2589	ssl_max_shared_version(SSL s, uint16_t peer_ver, uint16_t max_ver)
2590	{
2591	uint16_t min_version, max_version, shared_version;
2592
2593	*max_ver = 0;
2594
2595	if (SSL_IS_DTLS(s)) {
2596	if (peer_ver >= DTLS1_VERSION) {
2597	*max_ver = DTLS1_VERSION;
2598	return 1;
2599	}
2600	return 0;
2601	}
2602
2603	if (peer_ver >= TLS1_2_VERSION)
2604	shared_version = TLS1_2_VERSION;
2605	else if (peer_ver >= TLS1_1_VERSION)
2606	shared_version = TLS1_1_VERSION;
2607	else if (peer_ver >= TLS1_VERSION)
2608	shared_version = TLS1_VERSION;
2609	else
2610	return 0;
2611
2612	if (!ssl_supported_version_range(s, &min_version, &max_version))
2613	return 0;
2614
2615	if (shared_version < min_version)
2616	return 0;
2617
2618	if (shared_version > max_version)
2619	shared_version = max_version;
2620
2621	*max_ver = shared_version;
2622
2623	return 1;
2624	}
2625
2626	uint16_t
2627	ssl_max_server_version(SSL *s)
2628	{
2629	uint16_t max_version, min_version = 0;
2630
2631	if (SSL_IS_DTLS(s))
2632	return (DTLS1_VERSION);
2633
2634	if (!ssl_enabled_version_range(s, &min_version, &max_version))
2635	return 0;
2636
2637	/*
2638	* Limit to the versions supported by this method. The SSL method
2639	* will be changed during version negotiation, as such we want to
2640	* use the SSL method from the context.
2641	*/
2642	if (!ssl_clamp_version_range(&min_version, &max_version,
2643	s->ctx->method->internal->min_version,
2644	s->ctx->method->internal->max_version))
2645	return 0;
2646
2647	return (max_version);
2648	}
2649
2650	SSL *	2495	SSL *
2651	SSL_dup(SSL *s)	2496	SSL_dup(SSL *s)
2652	{	2497	{