Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's compliment of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@

9 files changed, 132 insertions, 128 deletions

diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 399e274ad4..85c60b1abb 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */
+/*      $OpenBSD: ssl_ciphers.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
  * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -36,28 +36,17 @@ ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
 }
 
 int
-ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
+ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
     uint16_t max_ver)
 {
-        /* XXX: We only support DTLSv1 which is effectively TLSv1.1 */
-        if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION)
-                min_ver = max_ver = TLS1_1_VERSION;
-
         switch(cipher->algorithm_ssl) {
         case SSL_SSLV3:
-                if (min_ver <= TLS1_2_VERSION)
-                        return 1;
-                break;
+                return (min_ver <= TLS1_2_VERSION);
         case SSL_TLSV1_2:
-                if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver)
-                        return 1;
-                break;
+                return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
         case SSL_TLSV1_3:
-                if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver)
-                        return 1;
-                break;
+                return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
         }
-
         return 0;
 }
 
@@ -72,13 +61,13 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
         if (ciphers == NULL)
                 return 0;
 
-        if (!ssl_supported_version_range(s, &min_vers, &max_vers))
+        if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
                 return 0;
 
         for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
                 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
                         return 0;
-                if (!ssl_cipher_allowed_in_version_range(cipher, min_vers,
+                if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
                     max_vers))
                         continue;
                 if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 33aca33c92..57d0f4b779 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.248 2021/02/20 14:14:16 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.249 2021/02/25 17:06:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -254,8 +254,8 @@ SSL_new(SSL_CTX *ctx)
         if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL)
                 goto err;
 
-        s->internal->min_version = ctx->internal->min_version;
-        s->internal->max_version = ctx->internal->max_version;
+        s->internal->min_tls_version = ctx->internal->min_tls_version;
+        s->internal->max_tls_version = ctx->internal->max_tls_version;
         s->internal->min_proto_version = ctx->internal->min_proto_version;
         s->internal->max_proto_version = ctx->internal->max_proto_version;
 
@@ -1336,7 +1336,7 @@ SSL_get1_supported_ciphers(SSL *s)
 
         if (s == NULL)
                 return NULL;
-        if (!ssl_supported_version_range(s, &min_vers, &max_vers))
+        if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
                 return NULL;
         if ((ciphers = SSL_get_ciphers(s)) == NULL)
                 return NULL;
@@ -1346,7 +1346,7 @@ SSL_get1_supported_ciphers(SSL *s)
         for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
                 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
                         goto err;
-                if (!ssl_cipher_allowed_in_version_range(cipher, min_vers,
+                if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
                     max_vers))
                         continue;
                 if (!sk_SSL_CIPHER_push(supported_ciphers, cipher))
@@ -1829,8 +1829,8 @@ SSL_CTX_new(const SSL_METHOD *meth)
         }
 
         ret->method = meth;
-        ret->internal->min_version = meth->internal->min_version;
-        ret->internal->max_version = meth->internal->max_version;
+        ret->internal->min_tls_version = meth->internal->min_tls_version;
+        ret->internal->max_tls_version = meth->internal->max_tls_version;
         ret->internal->min_proto_version = 0;
         ret->internal->max_proto_version = 0;
         ret->internal->mode = SSL_MODE_AUTO_RETRY;
@@ -3027,7 +3027,7 @@ int
 SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
 {
         return ssl_version_set_min(ctx->method, version,
-            ctx->internal->max_version, &ctx->internal->min_version,
+            ctx->internal->max_tls_version, &ctx->internal->min_tls_version,
             &ctx->internal->min_proto_version);
 }
 
@@ -3041,7 +3041,7 @@ int
 SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
 {
         return ssl_version_set_max(ctx->method, version,
-            ctx->internal->min_version, &ctx->internal->max_version,
+            ctx->internal->min_tls_version, &ctx->internal->max_tls_version,
             &ctx->internal->max_proto_version);
 }
 
@@ -3055,7 +3055,7 @@ int
 SSL_set_min_proto_version(SSL *ssl, uint16_t version)
 {
         return ssl_version_set_min(ssl->method, version,
-            ssl->internal->max_version, &ssl->internal->min_version,
+            ssl->internal->max_tls_version, &ssl->internal->min_tls_version,
             &ssl->internal->min_proto_version);
 }
 int
@@ -3068,7 +3068,7 @@ int
 SSL_set_max_proto_version(SSL *ssl, uint16_t version)
 {
         return ssl_version_set_max(ssl->method, version,
-            ssl->internal->min_version, &ssl->internal->max_version,
+            ssl->internal->min_tls_version, &ssl->internal->max_tls_version,
             &ssl->internal->max_proto_version);
 }
 
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 3a4d318987..7ed3094c3e 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.322 2021/02/22 15:59:10 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.323 2021/02/25 17:06:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -362,8 +362,8 @@ typedef struct ssl_method_internal_st {
         int server;
         int version;
 
-        uint16_t min_version;
-        uint16_t max_version;
+        uint16_t min_tls_version;
+        uint16_t max_tls_version;
 
         int (*ssl_new)(SSL *s);
         void (*ssl_clear)(SSL *s);
@@ -517,8 +517,8 @@ int tls12_record_layer_seal_record(struct tls12_record_layer *rl,
     CBB *out);
 
 typedef struct ssl_ctx_internal_st {
-        uint16_t min_version;
-        uint16_t max_version;
+        uint16_t min_tls_version;
+        uint16_t max_tls_version;
 
         /*
          * These may be zero to imply minimum or maximum version supported by
@@ -686,8 +686,8 @@ typedef struct ssl_ctx_internal_st {
 typedef struct ssl_internal_st {
         struct tls13_ctx *tls13;
 
-        uint16_t min_version;
-        uint16_t max_version;
+        uint16_t min_tls_version;
+        uint16_t max_tls_version;
 
         /*
          * These may be zero to imply minimum or maximum version supported by
@@ -1121,19 +1121,19 @@ struct ssl_aead_ctx_st {
 extern const SSL_CIPHER ssl3_ciphers[];
 
 const char *ssl_version_string(int ver);
-int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
-int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
-int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
-    uint16_t *out_ver, uint16_t *out_proto_ver);
-int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
-    uint16_t *out_ver, uint16_t *out_proto_ver);
+int ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
+    uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
+int ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
+    uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
+int ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
+int ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
 int ssl_max_supported_version(SSL *s, uint16_t *max_ver);
 int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
 int ssl_check_version_from_server(SSL *s, uint16_t server_version);
 int ssl_legacy_stack_version(SSL *s, uint16_t version);
 int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
-int ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher,
+int ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher,
     uint16_t min_ver, uint16_t max_ver);
 
 const SSL_METHOD *tls_legacy_method(void);
diff --git a/src/lib/libssl/ssl_methods.c b/src/lib/libssl/ssl_methods.c
index ae532ba16d..084f533f5e 100644
--- a/src/lib/libssl/ssl_methods.c
+++ b/src/lib/libssl/ssl_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_methods.c,v 1.22 2021/02/20 08:33:17 jsing Exp $ */
+/* $OpenBSD: ssl_methods.c,v 1.23 2021/02/25 17:06:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,8 +64,8 @@ static const SSL_METHOD_INTERNAL DTLS_method_internal_data = {
         .dtls = 1,
         .server = 1,
         .version = DTLS1_2_VERSION,
-        .min_version = DTLS1_VERSION,
-        .max_version = DTLS1_2_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -93,8 +93,8 @@ static const SSL_METHOD_INTERNAL DTLS_client_method_internal_data = {
         .dtls = 1,
         .server = 0,
         .version = DTLS1_2_VERSION,
-        .min_version = DTLS1_VERSION,
-        .max_version = DTLS1_2_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -123,8 +123,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = {
         .dtls = 1,
         .server = 1,
         .version = DTLS1_VERSION,
-        .min_version = DTLS1_VERSION,
-        .max_version = DTLS1_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_1_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -152,8 +152,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = {
         .dtls = 1,
         .server = 0,
         .version = DTLS1_VERSION,
-        .min_version = DTLS1_VERSION,
-        .max_version = DTLS1_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_1_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -181,8 +181,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_2_method_internal_data = {
         .dtls = 1,
         .server = 1,
         .version = DTLS1_2_VERSION,
-        .min_version = DTLS1_2_VERSION,
-        .max_version = DTLS1_2_VERSION,
+        .min_tls_version = TLS1_2_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -210,8 +210,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_2_client_method_internal_data = {
         .dtls = 1,
         .server = 0,
         .version = DTLS1_2_VERSION,
-        .min_version = DTLS1_2_VERSION,
-        .max_version = DTLS1_2_VERSION,
+        .min_tls_version = TLS1_2_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -306,8 +306,8 @@ static const SSL_METHOD_INTERNAL TLS_method_internal_data = {
         .dtls = 0,
         .server = 1,
         .version = TLS1_3_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_3_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_3_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -336,8 +336,8 @@ static const SSL_METHOD_INTERNAL TLS_legacy_method_internal_data = {
         .dtls = 0,
         .server = 1,
         .version = TLS1_2_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_2_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -366,8 +366,8 @@ static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = {
         .dtls = 0,
         .server = 0,
         .version = TLS1_3_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_3_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_3_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -397,8 +397,8 @@ static const SSL_METHOD_INTERNAL TLS_legacy_client_method_internal_data = {
         .dtls = 0,
         .server = 0,
         .version = TLS1_2_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_2_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -427,8 +427,8 @@ static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = {
         .dtls = 0,
         .server = 1,
         .version = TLS1_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -456,8 +456,8 @@ static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = {
         .dtls = 0,
         .server = 0,
         .version = TLS1_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -485,8 +485,8 @@ static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = {
         .dtls = 0,
         .server = 1,
         .version = TLS1_1_VERSION,
-        .min_version = TLS1_1_VERSION,
-        .max_version = TLS1_1_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_1_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -514,8 +514,8 @@ static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = {
         .dtls = 0,
         .server = 0,
         .version = TLS1_1_VERSION,
-        .min_version = TLS1_1_VERSION,
-        .max_version = TLS1_1_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_1_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -543,8 +543,8 @@ static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = {
         .dtls = 0,
         .server = 1,
         .version = TLS1_2_VERSION,
-        .min_version = TLS1_2_VERSION,
-        .max_version = TLS1_2_VERSION,
+        .min_tls_version = TLS1_2_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -572,8 +572,8 @@ static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = {
         .dtls = 0,
         .server = 0,
         .version = TLS1_2_VERSION,
-        .min_version = TLS1_2_VERSION,
-        .max_version = TLS1_2_VERSION,
+        .min_tls_version = TLS1_2_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
index fc1c3c07de..b383fe83e9 100644
--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_packet.c,v 1.9 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_packet.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -247,12 +247,13 @@ ssl_server_legacy_first_packet(SSL *s)
                 return 1;
 
         /* Only continue if this is not a version locked method. */
-        if (s->method->internal->min_version == s->method->internal->max_version)
+        if (s->method->internal->min_tls_version ==
+            s->method->internal->max_tls_version)
                 return 1;
 
         if (ssl_is_sslv2_client_hello(&header) == 1) {
                 /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */
-                if (ssl_enabled_version_range(s, &min_version, NULL) != 1) {
+                if (ssl_enabled_tls_version_range(s, &min_version, NULL) != 1) {
                         SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                         return -1;
                 }
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 3c4801971e..a216de6e81 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.12 2021/02/22 15:59:10 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.13 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -18,7 +18,7 @@
 #include "ssl_locl.h"
 
 static int
-ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
+ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
     uint16_t clamp_min, uint16_t clamp_max)
 {
         if (clamp_min > clamp_max || *min_ver > *max_ver)
@@ -35,55 +35,71 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
 }
 
 int
-ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
-    uint16_t *out_ver, uint16_t *out_proto_ver)
+ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
+    uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
 {
         uint16_t min_version, max_version;
 
-        if (ver == 0) {
-                *out_ver = meth->internal->min_version;
+        if (proto_ver == 0) {
+                *out_tls_ver = meth->internal->min_tls_version;
                 *out_proto_ver = 0;
                 return 1;
         }
+        if (meth->internal->dtls) {
+                if (proto_ver != DTLS1_VERSION)
+                        return 0;
+                *out_tls_ver = TLS1_1_VERSION;
+                *out_proto_ver = proto_ver;
+                return 1;
+        }
 
-        min_version = ver;
-        max_version = max_ver;
+        min_version = proto_ver;
+        max_version = max_tls_ver;
 
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            meth->internal->min_version, meth->internal->max_version))
+        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+            meth->internal->min_tls_version, meth->internal->max_tls_version))
                 return 0;
 
-        *out_ver = *out_proto_ver = min_version;
+        *out_tls_ver = min_version;
+        *out_proto_ver = min_version;
 
         return 1;
 }
 
 int
-ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
-    uint16_t *out_ver, uint16_t *out_proto_ver)
+ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
+    uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
 {
         uint16_t min_version, max_version;
 
-        if (ver == 0) {
-                *out_ver = meth->internal->max_version;
+        if (proto_ver == 0) {
+                *out_tls_ver = meth->internal->max_tls_version;
                 *out_proto_ver = 0;
                 return 1;
         }
+        if (meth->internal->dtls) {
+                if (proto_ver != DTLS1_VERSION)
+                        return 0;
+                *out_tls_ver = TLS1_1_VERSION;
+                *out_proto_ver = proto_ver;
+                return 1;
+        }
 
-        min_version = min_ver;
-        max_version = ver;
+        min_version = min_tls_ver;
+        max_version = proto_ver;
 
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            meth->internal->min_version, meth->internal->max_version))
+        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+            meth->internal->min_tls_version, meth->internal->max_tls_version))
                 return 0;
 
-        *out_ver = *out_proto_ver = max_version;
+        *out_tls_ver = max_version;
+        *out_proto_ver = max_version;
 
         return 1;
 }
 
 int
-ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 {
         uint16_t min_version, max_version;
 
@@ -121,8 +137,8 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
                 return 0;
 
         /* Limit to configured version range. */
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            s->internal->min_version, s->internal->max_version))
+        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+            s->internal->min_tls_version, s->internal->max_tls_version))
                 return 0;
 
         if (min_ver != NULL)
@@ -134,26 +150,19 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 }
 
 int
-ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 {
         uint16_t min_version, max_version;
 
-        /* DTLS cannot currently be disabled... */
-        if (SSL_is_dtls(s)) {
-                min_version = max_version = DTLS1_VERSION;
-                goto done;
-        }
-
-        if (!ssl_enabled_version_range(s, &min_version, &max_version))
+        if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
                 return 0;
 
         /* Limit to the versions supported by this method. */
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            s->method->internal->min_version,
-            s->method->internal->max_version))
+        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+            s->method->internal->min_tls_version,
+            s->method->internal->max_tls_version))
                 return 0;
 
- done:
         if (min_ver != NULL)
                 *min_ver = min_version;
         if (max_ver != NULL)
@@ -167,7 +176,12 @@ ssl_max_supported_version(SSL *s, uint16_t *max_ver)
 {
         *max_ver = 0;
 
-        if (!ssl_supported_version_range(s, NULL, max_ver))
+        if (SSL_is_dtls(s)) {
+                *max_ver = DTLS1_VERSION;
+                return 1;
+        }
+
+        if (!ssl_supported_tls_version_range(s, NULL, max_ver))
                 return 0;
 
         return 1;
@@ -199,7 +213,7 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
         else
                 return 0;
 
-        if (!ssl_supported_version_range(s, &min_version, &max_version))
+        if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
                 return 0;
 
         if (shared_version < min_version)
@@ -232,12 +246,12 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
                 return 1;
         }
 
-        if (!ssl_enabled_version_range(s, &min_version, &max_version))
+        if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
                 return 0;
 
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            s->ctx->method->internal->min_version,
-            s->ctx->method->internal->max_version))
+        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+            s->ctx->method->internal->min_tls_version,
+            s->ctx->method->internal->max_tls_version))
                 return 0;
 
         *max_ver = max_version;
@@ -255,7 +269,7 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version)
         if (SSL_is_dtls(s))
                 return (server_version == DTLS1_VERSION);
 
-        if (!ssl_supported_version_range(s, &min_version, &max_version))
+        if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
                 return 0;
 
         return (server_version >= min_version && server_version <= max_version);
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index fbb84dcc87..a7c3bf2c00 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.72 2021/02/22 16:15:49 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.73 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -31,7 +31,7 @@ tls13_client_init(struct tls13_ctx *ctx)
         size_t groups_len;
         SSL *s = ctx->ssl;
 
-        if (!ssl_supported_version_range(s, &ctx->hs->min_version,
+        if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version,
             &ctx->hs->max_version)) {
                 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                 return 0;
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index bacd11b950..f611aa061d 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.21 2021/01/07 16:26:31 tb Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.22 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -359,7 +359,7 @@ tls13_use_legacy_client(struct tls13_ctx *ctx)
                 return 0;
 
         s->internal->handshake_func = s->method->internal->ssl_connect;
-        s->client_version = s->version = s->method->internal->max_version;
+        s->client_version = s->version = s->method->internal->max_tls_version;
 
         S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
 
@@ -375,7 +375,7 @@ tls13_use_legacy_server(struct tls13_ctx *ctx)
                 return 0;
 
         s->internal->handshake_func = s->method->internal->ssl_accept;
-        s->client_version = s->version = s->method->internal->max_version;
+        s->client_version = s->version = s->method->internal->max_tls_version;
         s->server = 1;
 
         S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 0b079c1d83..715066fb59 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.69 2021/01/09 10:41:48 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.70 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -29,7 +29,7 @@ tls13_server_init(struct tls13_ctx *ctx)
 {
         SSL *s = ctx->ssl;
 
-        if (!ssl_supported_version_range(s, &ctx->hs->min_version,
+        if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version,
             &ctx->hs->max_version)) {
                 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                 return 0;