Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does.  Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@

7 files changed, 117 insertions, 28 deletions

diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list
index eb00c8d25a..a8ae29ccca 100644
--- a/src/lib/libssl/Symbols.list
+++ b/src/lib/libssl/Symbols.list
@@ -65,6 +65,8 @@ SSL_CTX_get_client_cert_cb
 SSL_CTX_get_ex_data
 SSL_CTX_get_ex_new_index
 SSL_CTX_get_info_callback
+SSL_CTX_get_min_proto_version
+SSL_CTX_get_max_proto_version
 SSL_CTX_get_quiet_shutdown
 SSL_CTX_get_timeout
 SSL_CTX_get_verify_callback
@@ -188,6 +190,8 @@ SSL_get_ex_new_index
 SSL_get_fd
 SSL_get_finished
 SSL_get_info_callback
+SSL_get_min_proto_version
+SSL_get_max_proto_version
 SSL_get_peer_cert_chain
 SSL_get_peer_certificate
 SSL_get_peer_finished
diff --git a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
index ff057cadac..38ac9fc421 100644
--- a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
+++ b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
@@ -1,8 +1,9 @@
-.\"     $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.1 2017/08/19 23:45:10 schwarze Exp $
-.\"     OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.2 2018/03/15 12:27:01 jca Exp $
+.\" full merge up to: OpenSSL 3edabd3c Sep 14 09:28:39 2017 +0200
 .\"
-.\" This file was written by Kurt Roeckx <kurt@roeckx.be>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+.\" This file was written by Kurt Roeckx <kurt@roeckx.be> and
+.\" Christian Heimes <christian@python.org>.
+.\" Copyright (c) 2015, 2017 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -48,15 +49,19 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2017 $
+.Dd $Mdocdate: March 15 2018 $
 .Dt SSL_CTX_SET_MIN_PROTO_VERSION 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_min_proto_version ,
 .Nm SSL_CTX_set_max_proto_version ,
+.Nm SSL_CTX_get_min_proto_version ,
+.Nm SSL_CTX_get_max_proto_version ,
 .Nm SSL_set_min_proto_version ,
-.Nm SSL_set_max_proto_version
-.Nd set minimum and maximum supported protocol version
+.Nm SSL_set_max_proto_version ,
+.Nm SSL_get_min_proto_version ,
+.Nm SSL_get_max_proto_version
+.Nd get and set minimum and maximum supported protocol version
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft int
@@ -70,6 +75,14 @@
 .Fa "uint16_t version"
 .Fc
 .Ft int
+.Fo SSL_CTX_get_min_proto_version
+.Fa "SSL_CTX *ctx"
+.Fc
+.Ft int
+.Fo SSL_CTX_get_max_proto_version
+.Fa "SSL_CTX *ctx"
+.Fc
+.Ft int
 .Fo SSL_set_min_proto_version
 .Fa "SSL *ssl"
 .Fa "uint16_t version"
@@ -79,8 +92,16 @@
 .Fa "SSL *ssl"
 .Fa "uint16_t version"
 .Fc
+.Ft int
+.Fo SSL_get_min_proto_version
+.Fa "SSL *ssl"
+.Fc
+.Ft int
+.Fo SSL_get_max_proto_version
+.Fa "SSL *ssl"
+.Fc
 .Sh DESCRIPTION
-These functions set the minimum and maximum supported protocol
+These functions get or set the minimum and maximum supported protocol
 versions for
 .Fa ctx
 or
@@ -102,13 +123,32 @@ and
 for TLS and
 .Sy DTLS1_VERSION
 for DTLS.
+.Pp
+In other implementations, these functions may be implemented as macros.
 .Sh RETURN VALUES
-These functions return 1 on success or 0 on failure.
+The setter functions return 1 on success or 0 on failure.
+.Pp
+The getter functions return the configured version or 0 if
+.Fa ctx
+or
+.Fa ssl
+has been configured to automatically use the lowest or highest
+version supported by the library.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_CTX_new 3 ,
 .Xr SSL_CTX_set_options 3
 .Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0
-and have been available since
+The setter functions first appeared in BoringSSL in December 2014,
+with shorter names without the
+.Sy proto_
+part.
+Two years later, OpenSSL included them in their 1.1.0 release,
+gratuitiously changing the names; Google shrugged and adopted
+the longer names one month later.
+They have been available since
 .Ox 6.2 .
+.Pp
+The getter functions first appeared in OpenSSL 1.1.1
+and have been available since
+.Ox 6.3 .
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 8f75cf9498..52e0c52410 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.164 2018/02/17 15:08:21 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.165 2018/03/15 12:27:00 jca Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1984,6 +1984,12 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
         case SSL_CTRL_GET_SERVER_TMP_KEY:
                 return ssl_ctrl_get_server_tmp_key(s, parg);
 
+        case SSL_CTRL_GET_MIN_PROTO_VERSION:
+                return SSL_get_min_proto_version(s);
+
+        case SSL_CTRL_GET_MAX_PROTO_VERSION:
+                return SSL_get_max_proto_version(s);
+
         case SSL_CTRL_SET_MIN_PROTO_VERSION:
                 if (larg < 0 || larg > UINT16_MAX)
                         return 0;
@@ -2243,6 +2249,12 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
         case SSL_CTRL_SET_GROUPS_LIST:
                 return SSL_CTX_set1_groups_list(ctx, parg);
 
+        case SSL_CTRL_GET_MIN_PROTO_VERSION:
+                return SSL_CTX_get_min_proto_version(ctx);
+
+        case SSL_CTRL_GET_MAX_PROTO_VERSION:
+                return SSL_CTX_get_max_proto_version(ctx);
+
         case SSL_CTRL_SET_MIN_PROTO_VERSION:
                 if (larg < 0 || larg > UINT16_MAX)
                         return 0;
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index 5c09c51c65..c41c26c0f7 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libtls the same type of bump!
 major=44
-minor=8
+minor=9
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e6556fd136..5f9d248ced 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.146 2018/03/03 19:58:29 jca Exp $ */
+/* $OpenBSD: ssl.h,v 1.147 2018/03/15 12:27:01 jca Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1125,6 +1125,8 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 
 #define SSL_CTRL_SET_MIN_PROTO_VERSION                  123
 #define SSL_CTRL_SET_MAX_PROTO_VERSION                  124
+#define SSL_CTRL_GET_MIN_PROTO_VERSION                  130
+#define SSL_CTRL_GET_MAX_PROTO_VERSION                  131
 
 #define DTLSv1_get_timeout(ssl, arg) \
         SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1174,9 +1176,13 @@ int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);
 int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len);
 int SSL_set1_groups_list(SSL *ssl, const char *groups);
 
+int SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
+int SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);
 
+int SSL_get_min_proto_version(SSL *ssl);
+int SSL_get_max_proto_version(SSL *ssl);
 int SSL_set_min_proto_version(SSL *ssl, uint16_t version);
 int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
 
@@ -1209,8 +1215,12 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
 #define SSL_CTX_set1_groups_list        SSL_CTX_set1_groups_list
 #define SSL_set1_groups                 SSL_set1_groups
 #define SSL_set1_groups_list            SSL_set1_groups_list
+#define SSL_CTX_get_min_proto_version   SSL_CTX_get_min_proto_version
+#define SSL_CTX_get_max_proto_version   SSL_CTX_get_max_proto_version
 #define SSL_CTX_set_min_proto_version   SSL_CTX_set_min_proto_version
 #define SSL_CTX_set_max_proto_version   SSL_CTX_set_max_proto_version
+#define SSL_get_min_proto_version       SSL_get_min_proto_version
+#define SSL_get_max_proto_version       SSL_get_max_proto_version
 #define SSL_set_min_proto_version       SSL_set_min_proto_version
 #define SSL_set_max_proto_version       SSL_set_max_proto_version
 #endif
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 80a2bd7bfc..067f0edde4 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.179 2018/02/22 17:30:25 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.180 2018/03/15 12:27:01 jca Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -3024,6 +3024,12 @@ SSL_cache_hit(SSL *s)
 }
 
 int
+SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
+{
+        return ctx->internal->min_version;
+}
+
+int
 SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
 {
         return ssl_version_set_min(ctx->method, version,
@@ -3031,6 +3037,12 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
 }
 
 int
+SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
+{
+        return ctx->internal->max_version;
+}
+
+int
 SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
 {
         return ssl_version_set_max(ctx->method, version,
@@ -3038,11 +3050,22 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
 }
 
 int
+SSL_get_min_proto_version(SSL *ssl)
+{
+        return ssl->internal->min_version;
+}
+
+int
 SSL_set_min_proto_version(SSL *ssl, uint16_t version)
 {
         return ssl_version_set_min(ssl->method, version,
             ssl->internal->max_version, &ssl->internal->min_version);
 }
+int
+SSL_get_max_proto_version(SSL *ssl)
+{
+        return ssl->internal->max_version;
+}
 
 int
 SSL_set_max_proto_version(SSL *ssl, uint16_t version)
diff --git a/src/regress/lib/libssl/unit/ssl_versions.c b/src/regress/lib/libssl/unit/ssl_versions.c
index c12f115c19..d84a7106d5 100644
--- a/src/regress/lib/libssl/unit/ssl_versions.c
+++ b/src/regress/lib/libssl/unit/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.4 2017/05/06 20:39:03 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.5 2018/03/15 12:27:01 jca Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -620,16 +620,16 @@ test_ssl_min_max_version(void)
                         goto next;
                 }
 
-                if (ssl_ctx->internal->min_version != mmvt->want_minver) {
+                if (SSL_CTX_get_min_proto_version(ssl_ctx) != mmvt->want_minver) {
                         fprintf(stderr, "FAIL: test %zu - got SSL_CTX min "
                             "version 0x%x, want 0x%x\n", i,
-                            ssl_ctx->internal->min_version, mmvt->want_minver);
+                            SSL_CTX_get_min_proto_version(ssl_ctx), mmvt->want_minver);
                         goto next;
                 }
-                if (ssl_ctx->internal->max_version != mmvt->want_maxver) {
+                if (SSL_CTX_get_max_proto_version(ssl_ctx) != mmvt->want_maxver) {
                         fprintf(stderr, "FAIL: test %zu - got SSL_CTX max "
                             "version 0x%x, want 0x%x\n", i,
-                            ssl_ctx->internal->max_version, mmvt->want_maxver);
+                            SSL_CTX_get_max_proto_version(ssl_ctx), mmvt->want_maxver);
                         goto next;
                 }
 
@@ -638,16 +638,16 @@ test_ssl_min_max_version(void)
                         return 1;
                 }
 
-                if (ssl->internal->min_version != mmvt->want_minver) {
+                if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) {
                         fprintf(stderr, "FAIL: test %zu - initial SSL min "
                             "version 0x%x, want 0x%x\n", i,
-                            ssl_ctx->internal->min_version, mmvt->want_minver);
+                            SSL_get_min_proto_version(ssl), mmvt->want_minver);
                         goto next;
                 }
-                if (ssl->internal->max_version != mmvt->want_maxver) {
+                if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) {
                         fprintf(stderr, "FAIL: test %zu - initial SSL max "
                             "version 0x%x, want 0x%x\n", i,
-                            ssl_ctx->internal->max_version, mmvt->want_maxver);
+                            SSL_get_max_proto_version(ssl), mmvt->want_maxver);
                         goto next;
                 }
 
@@ -679,16 +679,16 @@ test_ssl_min_max_version(void)
                         goto next;
                 }
 
-                if (ssl->internal->min_version != mmvt->want_minver) {
+                if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) {
                         fprintf(stderr, "FAIL: test %zu - got SSL min "
                             "version 0x%x, want 0x%x\n", i,
-                            ssl_ctx->internal->min_version, mmvt->want_minver);
+                            SSL_get_min_proto_version(ssl), mmvt->want_minver);
                         goto next;
                 }
-                if (ssl->internal->max_version != mmvt->want_maxver) {
+                if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) {
                         fprintf(stderr, "FAIL: test %zu - got SSL max "
                             "version 0x%x, want 0x%x\n", i,
-                            ssl->internal->max_version, mmvt->want_maxver);
+                            SSL_get_max_proto_version(ssl), mmvt->want_maxver);
                         goto next;
                 }