From 95d91de56d07efcd6dd35c2b3815d31608c9ba7f Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 31 May 2020 18:03:32 +0000
Subject: Replace ssl_max_server_version() with ssl_downgrade_max_version()

Replace the only occurrence of ssl_max_server_version() with a call
to ssl_downgrade_max_version() and remove ssl_max_server_version().

ok beck@ tb@
---
 src/lib/libssl/ssl_ciphers.c  |  7 ++++---
 src/lib/libssl/ssl_locl.h     |  3 +--
 src/lib/libssl/ssl_versions.c | 26 +-------------------------
 3 files changed, 6 insertions(+), 30 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 3abed60b5b..3a1fb14d5c 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl_ciphers.c,v 1.3 2019/05/15 09:13:16 bcook Exp $ */
+/*	$OpenBSD: ssl_ciphers.c,v 1.4 2020/05/31 18:03:32 jsing Exp $ */
 /*
  * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
  * Copyright (c) 2015-2018 Joel Sing <jsing@openbsd.org>
@@ -133,8 +133,9 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
 			 * Fail if the current version is an unexpected
 			 * downgrade.
 			 */
-			max_version = ssl_max_server_version(s);
-			if (max_version == 0 || s->version < max_version) {
+			if (!ssl_downgrade_max_version(s, &max_version))
+				goto err;
+			if (s->version < max_version) {
 				SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
 				ssl3_send_alert(s, SSL3_AL_FATAL,
 					SSL_AD_INAPPROPRIATE_FALLBACK);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 03c2c227ed..bfc3c1ad9b 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.278 2020/05/31 16:36:35 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.279 2020/05/31 18:03:32 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1094,7 +1094,6 @@ int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
     uint16_t *out_ver);
 int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
     uint16_t *out_ver);
-uint16_t ssl_max_server_version(SSL *s);
 int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
 int ssl_cipher_is_permitted(const SSL_CIPHER *cipher, uint16_t min_ver,
     uint16_t max_ver);
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 03eb41582a..b21fa7198c 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.5 2020/05/31 16:36:35 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.6 2020/05/31 18:03:32 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -200,30 +200,6 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
 	return 1;
 }
 
-uint16_t
-ssl_max_server_version(SSL *s)
-{
-	uint16_t max_version, min_version = 0;
-
-	if (SSL_IS_DTLS(s))
-		return (DTLS1_VERSION);
-
-	if (!ssl_enabled_version_range(s, &min_version, &max_version))
-		return 0;
-
-	/*
-	 * Limit to the versions supported by this method. The SSL method
-	 * will be changed during version negotiation, as such we want to
-	 * use the SSL method from the context.
-	 */
-	if (!ssl_clamp_version_range(&min_version, &max_version,
-	    s->ctx->method->internal->min_version,
-	    s->ctx->method->internal->max_version))
-		return 0;
-
-	return (max_version);
-}
-
 int
 ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
 {
-- 
cgit v1.2.3-55-g6feb