Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@

1 files changed, 17 insertions, 9 deletions

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index f802875274..6a182f2e3b 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.246 2021/02/20 08:30:52 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.247 2021/02/20 09:43:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -256,6 +256,8 @@ SSL_new(SSL_CTX *ctx)
 
         s->internal->min_version = ctx->internal->min_version;
         s->internal->max_version = ctx->internal->max_version;
+        s->internal->min_proto_version = ctx->internal->min_proto_version;
+        s->internal->max_proto_version = ctx->internal->max_proto_version;
 
         s->internal->options = ctx->internal->options;
         s->internal->mode = ctx->internal->mode;
@@ -1829,6 +1831,8 @@ SSL_CTX_new(const SSL_METHOD *meth)
         ret->method = meth;
         ret->internal->min_version = meth->internal->min_version;
         ret->internal->max_version = meth->internal->max_version;
+        ret->internal->min_proto_version = 0;
+        ret->internal->max_proto_version = 0;
         ret->internal->mode = SSL_MODE_AUTO_RETRY;
 
         ret->cert_store = NULL;
@@ -3016,52 +3020,56 @@ SSL_cache_hit(SSL *s)
 int
 SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
 {
-        return ctx->internal->min_version;
+        return ctx->internal->min_proto_version;
 }
 
 int
 SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
 {
         return ssl_version_set_min(ctx->method, version,
-            ctx->internal->max_version, &ctx->internal->min_version);
+            ctx->internal->max_version, &ctx->internal->min_version,
+            &ctx->internal->min_proto_version);
 }
 
 int
 SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
 {
-        return ctx->internal->max_version;
+        return ctx->internal->max_proto_version;
 }
 
 int
 SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
 {
         return ssl_version_set_max(ctx->method, version,
-            ctx->internal->min_version, &ctx->internal->max_version);
+            ctx->internal->min_version, &ctx->internal->max_version,
+            &ctx->internal->max_proto_version);
 }
 
 int
 SSL_get_min_proto_version(SSL *ssl)
 {
-        return ssl->internal->min_version;
+        return ssl->internal->min_proto_version;
 }
 
 int
 SSL_set_min_proto_version(SSL *ssl, uint16_t version)
 {
         return ssl_version_set_min(ssl->method, version,
-            ssl->internal->max_version, &ssl->internal->min_version);
+            ssl->internal->max_version, &ssl->internal->min_version,
+            &ssl->internal->min_proto_version);
 }
 int
 SSL_get_max_proto_version(SSL *ssl)
 {
-        return ssl->internal->max_version;
+        return ssl->internal->max_proto_version;
 }
 
 int
 SSL_set_max_proto_version(SSL *ssl, uint16_t version)
 {
         return ssl_version_set_max(ssl->method, version,
-            ssl->internal->min_version, &ssl->internal->max_version);
+            ssl->internal->min_version, &ssl->internal->max_version,
+            &ssl->internal->max_proto_version);
 }
 
 static int