diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h
index df4c0dc357e..d5c218e50d7 100644
--- a/lib/libssl/ssl_local.h
+++ b/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.39 2026/05/31 14:34:44 jsing Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.40 2026/06/04 12:05:57 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1177,15 +1177,17 @@ int ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
 uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
 int ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
 uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
-int ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
-int ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
+int ssl_enabled_tls_version_range(const SSL *s, uint16_t *min_ver,
+ uint16_t *max_ver);
+int ssl_supported_tls_version_range(const SSL *s, uint16_t *min_ver,
+ uint16_t *max_ver);
 uint16_t ssl_tls_version(uint16_t version);
-uint16_t ssl_effective_tls_version(SSL *s);
-int ssl_max_supported_version(SSL *s, uint16_t *max_ver);
-int ssl_max_legacy_version(SSL *s, uint16_t *max_ver);
-int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
-int ssl_check_version_from_server(SSL *s, uint16_t server_version);
-int ssl_legacy_stack_version(SSL *s, uint16_t version);
+uint16_t ssl_effective_tls_version(const SSL *s);
+int ssl_max_supported_version(const SSL *s, uint16_t *max_ver);
+int ssl_max_legacy_version(const SSL *s, uint16_t *max_ver);
+int ssl_max_shared_version(const SSL *s, uint16_t peer_ver, uint16_t *max_ver);
+int ssl_check_version_from_server(const SSL *s, uint16_t server_version);
+int ssl_legacy_stack_version(const SSL *s, uint16_t version);
 int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
 int ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher,
 uint16_t min_ver, uint16_t max_ver);
diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c
index 82735460622..edd077b1663 100644
--- a/lib/libssl/ssl_versions.c
+++ b/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.28 2026/06/04 12:05:57 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing
 *
@@ -125,7 +125,7 @@ ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
 }
 
 int
-ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+ssl_enabled_tls_version_range(const SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 {
 uint16_t min_version, max_version;
 unsigned long options;
@@ -186,7 +186,8 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 }
 
 int
-ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+ssl_supported_tls_version_range(const SSL *s, uint16_t *min_ver,
+ uint16_t *max_ver)
 {
 uint16_t min_version, max_version;
 
@@ -222,7 +223,7 @@ ssl_tls_version(uint16_t version)
 }
 
 uint16_t
-ssl_effective_tls_version(SSL *s)
+ssl_effective_tls_version(const SSL *s)
 {
 if (s->s3->hs.negotiated_tls_version > 0)
 return s->s3->hs.negotiated_tls_version;
@@ -231,7 +232,7 @@ ssl_effective_tls_version(SSL *s)
 }
 
 int
-ssl_max_supported_version(SSL *s, uint16_t *max_ver)
+ssl_max_supported_version(const SSL *s, uint16_t *max_ver)
 {
 uint16_t max_version;
 
@@ -251,7 +252,7 @@ ssl_max_supported_version(SSL *s, uint16_t *max_ver)
 }
 
 int
-ssl_max_legacy_version(SSL *s, uint16_t *max_ver)
+ssl_max_legacy_version(const SSL *s, uint16_t *max_ver)
 {
 uint16_t max_version;
 
@@ -269,7 +270,7 @@ ssl_max_legacy_version(SSL *s, uint16_t *max_ver)
 }
 
 int
-ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
+ssl_max_shared_version(const SSL *s, uint16_t peer_ver, uint16_t *max_ver)
 {
 uint16_t min_version, max_version, peer_tls_version, shared_version;
 
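Review bot: The new definition line of ssl_enabled_tls_version_range in the `@@ -125,7 +125,7 @@` hunk is 81 characters wide as shown, whereas this same commit wraps the matching line of ssl_supported_tls_version_range in the next hunk and both prototypes in ssl_local.h. Wrap it the same way so the two definitions stay consistent: `ssl_enabled_tls_version_range(const SSL *s, uint16_t *min_ver,` followed by the continuation line `    uint16_t *max_ver)`. The function body continues outside the hunk.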
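Review bot: The `const SSL *s` on ssl_effective_tls_version (hunk `@@ -222,7 +223,7 @@`) is shallow: the body reads `s->s3->hs.negotiated_tls_version`, and because that state is reached through a pointer member it stays writable through `s`, unless `s3` is itself declared pointer-to-const, which this diff does not show. The same applies to the other version helpers const-qualified in this commit, so the new signatures alone do not let the compiler enforce that version selection leaves negotiation state untouched. I would say so above the function, e.g. `/* const covers *s only; state behind s->s3 is still writable. */`. The function body continues outside the hunk.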
@@ -338,7 +339,7 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
 }
 
 int
-ssl_check_version_from_server(SSL *s, uint16_t server_version)
+ssl_check_version_from_server(const SSL *s, uint16_t server_version)
 {
 uint16_t min_tls_version, max_tls_version, server_tls_version;
 
@@ -363,7 +364,7 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version)
 }
 
 int
-ssl_legacy_stack_version(SSL *s, uint16_t version)
+ssl_legacy_stack_version(const SSL *s, uint16_t version)
 {
 if (SSL_is_dtls(s))
 return version == DTLS1_VERSION || version == DTLS1_2_VERSION;