1 files changed, 0 insertions, 373 deletions
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
deleted file mode 100644
index 8273546062..0000000000
--- a/src/lib/libssl/ssl_versions.c
+++ /dev/null
@@ -1,373 +0,0 @@
-/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
-/*
- * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include "ssl_local.h"
-static uint16_t
-ssl_dtls_to_tls_version(uint16_t dtls_ver)
-{
-        if (dtls_ver == DTLS1_VERSION)
-                return TLS1_1_VERSION;
-        if (dtls_ver == DTLS1_2_VERSION)
-                return TLS1_2_VERSION;
-        return 0;
-}
-static uint16_t
-ssl_tls_to_dtls_version(uint16_t tls_ver)
-{
-        if (tls_ver == TLS1_1_VERSION)
-                return DTLS1_VERSION;
-        if (tls_ver == TLS1_2_VERSION)
-                return DTLS1_2_VERSION;
-        return 0;
-}
-static int
-ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
-    uint16_t clamp_min, uint16_t clamp_max)
-{
-        if (clamp_min > clamp_max || *min_ver > *max_ver)
-                return 0;
-        if (clamp_max < *min_ver || clamp_min > *max_ver)
-                return 0;
-        if (*min_ver < clamp_min)
-                *min_ver = clamp_min;
-        if (*max_ver > clamp_max)
-                *max_ver = clamp_max;
-        return 1;
-}
-int
-ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
-    uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
-{
-        uint16_t min_proto, min_version, max_version;
-        if (proto_ver == 0) {
-                *out_tls_ver = meth->min_tls_version;
-                *out_proto_ver = 0;
-                return 1;
-        }
-        min_version = proto_ver;
-        max_version = max_tls_ver;
-        if (meth->dtls) {
-                if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
-                        return 0;
-        }
-        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            meth->min_tls_version, meth->max_tls_version))
-                return 0;
-        min_proto = min_version;
-        if (meth->dtls) {
-                if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0)
-                        return 0;
-        }
-        *out_tls_ver = min_version;
-        *out_proto_ver = min_proto;
-        return 1;
-}
-int
-ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
-    uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
-{
-        uint16_t max_proto, min_version, max_version;
-        if (proto_ver == 0) {
-                *out_tls_ver = meth->max_tls_version;
-                *out_proto_ver = 0;
-                return 1;
-        }
-        min_version = min_tls_ver;
-        max_version = proto_ver;
-        if (meth->dtls) {
-                if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
-                        return 0;
-        }
-        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            meth->min_tls_version, meth->max_tls_version))
-                return 0;
-        max_proto = max_version;
-        if (meth->dtls) {
-                if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0)
-                        return 0;
-        }
-        *out_tls_ver = max_version;
-        *out_proto_ver = max_proto;
-        return 1;
-}
-int
-ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
-{
-        uint16_t min_version, max_version;
-        unsigned long options;
-        /*
-         * The enabled versions have to be a contiguous range, which means we
-         * cannot enable and disable single versions at our whim, even though
-         * this is what the OpenSSL flags allow. The historical way this has
-         * been handled is by making a flag mean that all higher versions
-         * are disabled, if any version lower than the flag is enabled.
-         */
-        min_version = 0;
-        max_version = TLS1_3_VERSION;
-        options = s->options;
-        if (SSL_is_dtls(s)) {
-                options = 0;
-                if (s->options & SSL_OP_NO_DTLSv1)
-                        options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
-                if (s->options & SSL_OP_NO_DTLSv1_2)
-                        options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
-        }
-        if ((options & SSL_OP_NO_TLSv1_2) == 0)
-                min_version = TLS1_2_VERSION;
-        else if ((options & SSL_OP_NO_TLSv1_3) == 0)
-                min_version = TLS1_3_VERSION;
-        if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
-                max_version = TLS1_2_VERSION;
-        if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
-                max_version = 0;
-        /* Everything has been disabled... */
-        if (min_version == 0 || max_version == 0)
-                return 0;
-        /* Limit to configured version range. */
-        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            s->min_tls_version, s->max_tls_version))
-                return 0;
-        /* QUIC requires a minimum of TLSv1.3. */
-        if (SSL_is_quic(s)) {
-                if (max_version < TLS1_3_VERSION)
-                        return 0;
-                if (min_version < TLS1_3_VERSION)
-                        min_version = TLS1_3_VERSION;
-        }
-        if (min_ver != NULL)
-                *min_ver = min_version;
-        if (max_ver != NULL)
-                *max_ver = max_version;
-        return 1;
-}
-int
-ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
-{
-        uint16_t min_version, max_version;
-        if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
-                return 0;
-        /* Limit to the versions supported by this method. */
-        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
-            s->method->min_tls_version, s->method->max_tls_version))
-                return 0;
-        if (min_ver != NULL)
-                *min_ver = min_version;
-        if (max_ver != NULL)
-                *max_ver = max_version;
-        return 1;
-}
-uint16_t
-ssl_tls_version(uint16_t version)
-{
-        if (version == TLS1_VERSION || version == TLS1_1_VERSION ||
-            version == TLS1_2_VERSION || version == TLS1_3_VERSION)
-                return version;
-        if (version == DTLS1_VERSION)
-                return TLS1_1_VERSION;
-        if (version == DTLS1_2_VERSION)
-                return TLS1_2_VERSION;
-        return 0;
-}
-uint16_t
-ssl_effective_tls_version(SSL *s)
-{
-        if (s->s3->hs.negotiated_tls_version > 0)
-                return s->s3->hs.negotiated_tls_version;
-        return s->s3->hs.our_max_tls_version;
-}
-int
-ssl_max_supported_version(SSL *s, uint16_t *max_ver)
-{
-        uint16_t max_version;
-        *max_ver = 0;
-        if (!ssl_supported_tls_version_range(s, NULL, &max_version))
-                return 0;
-        if (SSL_is_dtls(s)) {
-                if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
-                        return 0;
-        }
-        *max_ver = max_version;
-        return 1;
-}
-int
-ssl_max_legacy_version(SSL *s, uint16_t *max_ver)
-{
-        uint16_t max_version;
-        if ((max_version = s->s3->hs.our_max_tls_version) > TLS1_2_VERSION)
-                max_version = TLS1_2_VERSION;
-        if (SSL_is_dtls(s)) {
-                if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
-                        return 0;
-        }
-        *max_ver = max_version;
-        return 1;
-}
-int
-ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
-{
-        uint16_t min_version, max_version, peer_tls_version, shared_version;
-        *max_ver = 0;
-        peer_tls_version = peer_ver;
-        if (SSL_is_dtls(s)) {
-                if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR)
-                        return 0;
-                /*
-                 * Convert the peer version to a TLS version - DTLS versions are
-                 * the 1's complement of TLS version numbers (but not the actual
-                 * protocol version numbers, that would be too sensible). Not to
-                 * mention that DTLSv1.0 is really equivalent to DTLSv1.1.
-                 */
-                peer_tls_version = ssl_dtls_to_tls_version(peer_ver);
-                /*
-                 * This may be a version that we do not know about, if it is
-                 * newer than DTLS1_2_VERSION (yes, less than is correct due
-                 * to the "clever" versioning scheme), use TLS1_2_VERSION.
-                 */
-                if (peer_tls_version == 0) {
-                        if (peer_ver < DTLS1_2_VERSION)
-                                peer_tls_version = TLS1_2_VERSION;
-                }
-        }
-        if (peer_tls_version >= TLS1_3_VERSION)
-                shared_version = TLS1_3_VERSION;
-        else if (peer_tls_version >= TLS1_2_VERSION)
-                shared_version = TLS1_2_VERSION;
-        else if (peer_tls_version >= TLS1_1_VERSION)
-                shared_version = TLS1_1_VERSION;
-        else if (peer_tls_version >= TLS1_VERSION)
-                shared_version = TLS1_VERSION;
-        else
-                return 0;
-        if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
-                return 0;
-        if (shared_version < min_version)
-                return 0;
-        if (shared_version > max_version)
-                shared_version = max_version;
-        if (SSL_is_dtls(s)) {
-                /*
-                 * The resulting shared version will by definition be something
-                 * that we know about. Switch back from TLS to DTLS.
-                 */
-                shared_version = ssl_tls_to_dtls_version(shared_version);
-                if (shared_version == 0)
-                        return 0;
-        }
-        if (!ssl_security_version(s, shared_version))
-                return 0;
-        *max_ver = shared_version;
-        return 1;
-}
-int
-ssl_check_version_from_server(SSL *s, uint16_t server_version)
-{
-        uint16_t min_tls_version, max_tls_version, server_tls_version;
-        /* Ensure that the version selected by the server is valid. */
-        server_tls_version = server_version;
-        if (SSL_is_dtls(s)) {
-                server_tls_version = ssl_dtls_to_tls_version(server_version);
-                if (server_tls_version == 0)
-                        return 0;
-        }
-        if (!ssl_supported_tls_version_range(s, &min_tls_version,
-            &max_tls_version))
-                return 0;
-        if (server_tls_version < min_tls_version ||
-            server_tls_version > max_tls_version)
-                return 0;
-        return ssl_security_version(s, server_tls_version);
-}
-int
-ssl_legacy_stack_version(SSL *s, uint16_t version)
-{
-        if (SSL_is_dtls(s))
-                return version == DTLS1_VERSION || version == DTLS1_2_VERSION;
-        return version == TLS1_VERSION || version == TLS1_1_VERSION ||
-            version == TLS1_2_VERSION;
-}

diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c deleted file mode 100644 index 8273546062..0000000000 --- a/src/lib/libssl/ssl_versions.c +++ /dev/null
@@ -1,373 +0,0 @@
1	/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	*
5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	#include "ssl_local.h"
19
20	static uint16_t
21	ssl_dtls_to_tls_version(uint16_t dtls_ver)
22	{
23	if (dtls_ver == DTLS1_VERSION)
24	return TLS1_1_VERSION;
25	if (dtls_ver == DTLS1_2_VERSION)
26	return TLS1_2_VERSION;
27	return 0;
28	}
29
30	static uint16_t
31	ssl_tls_to_dtls_version(uint16_t tls_ver)
32	{
33	if (tls_ver == TLS1_1_VERSION)
34	return DTLS1_VERSION;
35	if (tls_ver == TLS1_2_VERSION)
36	return DTLS1_2_VERSION;
37	return 0;
38	}
39
40	static int
41	ssl_clamp_tls_version_range(uint16_t min_ver, uint16_t max_ver,
42	uint16_t clamp_min, uint16_t clamp_max)
43	{
44	if (clamp_min > clamp_max \|\| min_ver > max_ver)
45	return 0;
46	if (clamp_max < min_ver \|\| clamp_min > max_ver)
47	return 0;
48
49	if (*min_ver < clamp_min)
50	*min_ver = clamp_min;
51	if (*max_ver > clamp_max)
52	*max_ver = clamp_max;
53
54	return 1;
55	}
56
57	int
58	ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
59	uint16_t max_tls_ver, uint16_t out_tls_ver, uint16_t out_proto_ver)
60	{
61	uint16_t min_proto, min_version, max_version;
62
63	if (proto_ver == 0) {
64	*out_tls_ver = meth->min_tls_version;
65	*out_proto_ver = 0;
66	return 1;
67	}
68
69	min_version = proto_ver;
70	max_version = max_tls_ver;
71
72	if (meth->dtls) {
73	if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
74	return 0;
75	}
76
77	if (!ssl_clamp_tls_version_range(&min_version, &max_version,
78	meth->min_tls_version, meth->max_tls_version))
79	return 0;
80
81	min_proto = min_version;
82	if (meth->dtls) {
83	if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0)
84	return 0;
85	}
86	*out_tls_ver = min_version;
87	*out_proto_ver = min_proto;
88
89	return 1;
90	}
91
92	int
93	ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
94	uint16_t min_tls_ver, uint16_t out_tls_ver, uint16_t out_proto_ver)
95	{
96	uint16_t max_proto, min_version, max_version;
97
98	if (proto_ver == 0) {
99	*out_tls_ver = meth->max_tls_version;
100	*out_proto_ver = 0;
101	return 1;
102	}
103
104	min_version = min_tls_ver;
105	max_version = proto_ver;
106
107	if (meth->dtls) {
108	if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
109	return 0;
110	}
111
112	if (!ssl_clamp_tls_version_range(&min_version, &max_version,
113	meth->min_tls_version, meth->max_tls_version))
114	return 0;
115
116	max_proto = max_version;
117	if (meth->dtls) {
118	if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0)
119	return 0;
120	}
121	*out_tls_ver = max_version;
122	*out_proto_ver = max_proto;
123
124	return 1;
125	}
126
127	int
128	ssl_enabled_tls_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)
129	{
130	uint16_t min_version, max_version;
131	unsigned long options;
132
133	/*
134	* The enabled versions have to be a contiguous range, which means we
135	* cannot enable and disable single versions at our whim, even though
136	* this is what the OpenSSL flags allow. The historical way this has
137	* been handled is by making a flag mean that all higher versions
138	* are disabled, if any version lower than the flag is enabled.
139	*/
140
141	min_version = 0;
142	max_version = TLS1_3_VERSION;
143	options = s->options;
144
145	if (SSL_is_dtls(s)) {
146	options = 0;
147	if (s->options & SSL_OP_NO_DTLSv1)
148	options \|= SSL_OP_NO_TLSv1 \| SSL_OP_NO_TLSv1_1;
149	if (s->options & SSL_OP_NO_DTLSv1_2)
150	options \|= SSL_OP_NO_TLSv1 \| SSL_OP_NO_TLSv1_2;
151	}
152
153	if ((options & SSL_OP_NO_TLSv1_2) == 0)
154	min_version = TLS1_2_VERSION;
155	else if ((options & SSL_OP_NO_TLSv1_3) == 0)
156	min_version = TLS1_3_VERSION;
157
158	if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
159	max_version = TLS1_2_VERSION;
160	if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
161	max_version = 0;
162
163	/* Everything has been disabled... */
164	if (min_version == 0 \|\| max_version == 0)
165	return 0;
166
167	/* Limit to configured version range. */
168	if (!ssl_clamp_tls_version_range(&min_version, &max_version,
169	s->min_tls_version, s->max_tls_version))
170	return 0;
171
172	/* QUIC requires a minimum of TLSv1.3. */
173	if (SSL_is_quic(s)) {
174	if (max_version < TLS1_3_VERSION)
175	return 0;
176	if (min_version < TLS1_3_VERSION)
177	min_version = TLS1_3_VERSION;
178	}
179
180	if (min_ver != NULL)
181	*min_ver = min_version;
182	if (max_ver != NULL)
183	*max_ver = max_version;
184
185	return 1;
186	}
187
188	int
189	ssl_supported_tls_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)
190	{
191	uint16_t min_version, max_version;
192
193	if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
194	return 0;
195
196	/* Limit to the versions supported by this method. */
197	if (!ssl_clamp_tls_version_range(&min_version, &max_version,
198	s->method->min_tls_version, s->method->max_tls_version))
199	return 0;
200
201	if (min_ver != NULL)
202	*min_ver = min_version;
203	if (max_ver != NULL)
204	*max_ver = max_version;
205
206	return 1;
207	}
208
209	uint16_t
210	ssl_tls_version(uint16_t version)
211	{
212	if (version == TLS1_VERSION \|\| version == TLS1_1_VERSION \|\|
213	version == TLS1_2_VERSION \|\| version == TLS1_3_VERSION)
214	return version;
215
216	if (version == DTLS1_VERSION)
217	return TLS1_1_VERSION;
218	if (version == DTLS1_2_VERSION)
219	return TLS1_2_VERSION;
220
221	return 0;
222	}
223
224	uint16_t
225	ssl_effective_tls_version(SSL *s)
226	{
227	if (s->s3->hs.negotiated_tls_version > 0)
228	return s->s3->hs.negotiated_tls_version;
229
230	return s->s3->hs.our_max_tls_version;
231	}
232
233	int
234	ssl_max_supported_version(SSL s, uint16_t max_ver)
235	{
236	uint16_t max_version;
237
238	*max_ver = 0;
239
240	if (!ssl_supported_tls_version_range(s, NULL, &max_version))
241	return 0;
242
243	if (SSL_is_dtls(s)) {
244	if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
245	return 0;
246	}
247
248	*max_ver = max_version;
249
250	return 1;
251	}
252
253	int
254	ssl_max_legacy_version(SSL s, uint16_t max_ver)
255	{
256	uint16_t max_version;
257
258	if ((max_version = s->s3->hs.our_max_tls_version) > TLS1_2_VERSION)
259	max_version = TLS1_2_VERSION;
260
261	if (SSL_is_dtls(s)) {
262	if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
263	return 0;
264	}
265
266	*max_ver = max_version;
267
268	return 1;
269	}
270
271	int
272	ssl_max_shared_version(SSL s, uint16_t peer_ver, uint16_t max_ver)
273	{
274	uint16_t min_version, max_version, peer_tls_version, shared_version;
275
276	*max_ver = 0;
277	peer_tls_version = peer_ver;
278
279	if (SSL_is_dtls(s)) {
280	if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR)
281	return 0;
282
283	/*
284	* Convert the peer version to a TLS version - DTLS versions are
285	* the 1's complement of TLS version numbers (but not the actual
286	* protocol version numbers, that would be too sensible). Not to
287	* mention that DTLSv1.0 is really equivalent to DTLSv1.1.
288	*/
289	peer_tls_version = ssl_dtls_to_tls_version(peer_ver);
290
291	/*
292	* This may be a version that we do not know about, if it is
293	* newer than DTLS1_2_VERSION (yes, less than is correct due
294	* to the "clever" versioning scheme), use TLS1_2_VERSION.
295	*/
296	if (peer_tls_version == 0) {
297	if (peer_ver < DTLS1_2_VERSION)
298	peer_tls_version = TLS1_2_VERSION;
299	}
300	}
301
302	if (peer_tls_version >= TLS1_3_VERSION)
303	shared_version = TLS1_3_VERSION;
304	else if (peer_tls_version >= TLS1_2_VERSION)
305	shared_version = TLS1_2_VERSION;
306	else if (peer_tls_version >= TLS1_1_VERSION)
307	shared_version = TLS1_1_VERSION;
308	else if (peer_tls_version >= TLS1_VERSION)
309	shared_version = TLS1_VERSION;
310	else
311	return 0;
312
313	if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
314	return 0;
315
316	if (shared_version < min_version)
317	return 0;
318
319	if (shared_version > max_version)
320	shared_version = max_version;
321
322	if (SSL_is_dtls(s)) {
323	/*
324	* The resulting shared version will by definition be something
325	* that we know about. Switch back from TLS to DTLS.
326	*/
327	shared_version = ssl_tls_to_dtls_version(shared_version);
328	if (shared_version == 0)
329	return 0;
330	}
331
332	if (!ssl_security_version(s, shared_version))
333	return 0;
334
335	*max_ver = shared_version;
336
337	return 1;
338	}
339
340	int
341	ssl_check_version_from_server(SSL *s, uint16_t server_version)
342	{
343	uint16_t min_tls_version, max_tls_version, server_tls_version;
344
345	/* Ensure that the version selected by the server is valid. */
346
347	server_tls_version = server_version;
348	if (SSL_is_dtls(s)) {
349	server_tls_version = ssl_dtls_to_tls_version(server_version);
350	if (server_tls_version == 0)
351	return 0;
352	}
353
354	if (!ssl_supported_tls_version_range(s, &min_tls_version,
355	&max_tls_version))
356	return 0;
357
358	if (server_tls_version < min_tls_version \|\|
359	server_tls_version > max_tls_version)
360	return 0;
361
362	return ssl_security_version(s, server_tls_version);
363	}
364
365	int
366	ssl_legacy_stack_version(SSL *s, uint16_t version)
367	{
368	if (SSL_is_dtls(s))
369	return version == DTLS1_VERSION \|\| version == DTLS1_2_VERSION;
370
371	return version == TLS1_VERSION \|\| version == TLS1_1_VERSION \|\|
372	version == TLS1_2_VERSION;
373	}