Commit 5c587fb6 authored by Kurt Roeckx's avatar Kurt Roeckx

Use (D)TLS_MAX_VERSION_INTERNAL internally



Use 0 if we don't want to set a minimum or maximum version

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
GH: #7260
parent 91c54730
+1 −1
@@ -192,7 +192,7 @@ int dtls1_clear(SSL *s)
        return 0;

    if (s->method->version == DTLS_ANY_VERSION)
        s->version = DTLS_MAX_VERSION;
        s->version = DTLS_MAX_VERSION_INTERNAL;
#ifndef OPENSSL_NO_DTLS1_METHOD
    else if (s->options & SSL_OP_CISCO_ANYCONNECT)
        s->client_version = s->version = DTLS1_BAD_VER;
+3 −0
@@ -131,6 +131,9 @@
                           (c)[1]=(unsigned char)(((l)>> 8)&0xff), \
                           (c)[2]=(unsigned char)(((l)    )&0xff)),(c)+=3)

# define TLS_MAX_VERSION_INTERNAL TLS1_3_VERSION
# define DTLS_MAX_VERSION_INTERNAL DTLS1_2_VERSION

/*
 * DTLS version numbers are strange because they're inverted. Except for
 * DTLS1_BAD_VER, which should be considered "lower" than the rest.
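Review bot: The new `TLS_MAX_VERSION_INTERNAL` and `DTLS_MAX_VERSION_INTERNAL` macros are defined without a comment, so nothing states why they exist beside the public `TLS_MAX_VERSION`/`DTLS_MAX_VERSION` or what depends on them. Elsewhere in this commit the `#error` guards compare them against a fixed version and the range checks in ssl_set_version_bound reject anything above them, so whoever raises these values needs to know the guarded code must be updated at the same time. I would add above the two defines: `/* Highest protocol versions this build implements; internal checks use these instead of the public (D)TLS_MAX_VERSION. */`. The DTLS comment that follows the defines continues outside the hunk.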
+1 −1
@@ -163,7 +163,7 @@ static int ossl_statem_client13_read_transition(SSL *s, int mt)
            return 1;
        }
        if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
#if DTLS_MAX_VERSION != DTLS1_2_VERSION
#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
# error TODO(DTLS1.3): Restore digest for PHA before adding message.
#endif
            if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) {
+5 −5
@@ -1417,7 +1417,7 @@ typedef struct {
    const SSL_METHOD *(*smeth) (void);
} version_info;

#if TLS_MAX_VERSION != TLS1_3_VERSION
#if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
#endif

@@ -1451,7 +1451,7 @@ static const version_info tls_version_table[] = {
    {0, NULL, NULL},
};

#if DTLS_MAX_VERSION != DTLS1_2_VERSION
#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
#endif

@@ -1684,12 +1684,12 @@ int ssl_set_version_bound(int method_version, int version, int *bound)
        return 0;

    case TLS_ANY_VERSION:
        if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
        if (version < SSL3_VERSION || version > TLS_MAX_VERSION_INTERNAL)
            return 0;
        break;

    case DTLS_ANY_VERSION:
        if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) ||
        if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION_INTERNAL) ||
            DTLS_VERSION_LT(version, DTLS1_BAD_VER))
            return 0;
        break;
@@ -1735,7 +1735,7 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
     * With version-flexible methods we have an initial state with:
     *
     *   s->method->version == (D)TLS_ANY_VERSION,
     *   s->version == (D)TLS_MAX_VERSION.
     *   s->version == (D)TLS_MAX_VERSION_INTERNAL.
     *
     * So we detect version-flexible methods via the method version, not the
     * handle version.
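Review bot: The range checks in the `TLS_ANY_VERSION` and `DTLS_ANY_VERSION` cases of ssl_set_version_bound have no comment saying that the upper limit is the highest version this build implements rather than the public header constant. That matters to callers: a value above the limit makes the function return 0, and a caller that ignores the result presumably keeps whatever bound was configured before (the write to `*bound` is outside the hunk, so this is inferred). I would add before the switch cases: `/* Upper limit is what this build implements; 0 means no bound is set. */`, with the second half taken from the commit description and worth confirming against the part of the function not shown. The function body starts and ends outside the hunk.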
+1 −1
@@ -121,7 +121,7 @@ int tls1_clear(SSL *s)
        return 0;

    if (s->method->version == TLS_ANY_VERSION)
        s->version = TLS_MAX_VERSION;
        s->version = TLS_MAX_VERSION_INTERNAL;
    else
        s->version = s->method->version;
