Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@

3 files changed, 41 insertions, 17 deletions

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index f802875274..6a182f2e3b 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.246 2021/02/20 08:30:52 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.247 2021/02/20 09:43:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -256,6 +256,8 @@ SSL_new(SSL_CTX *ctx)
 
         s->internal->min_version = ctx->internal->min_version;
         s->internal->max_version = ctx->internal->max_version;
+        s->internal->min_proto_version = ctx->internal->min_proto_version;
+        s->internal->max_proto_version = ctx->internal->max_proto_version;
 
         s->internal->options = ctx->internal->options;
         s->internal->mode = ctx->internal->mode;
@@ -1829,6 +1831,8 @@ SSL_CTX_new(const SSL_METHOD *meth)
         ret->method = meth;
         ret->internal->min_version = meth->internal->min_version;
         ret->internal->max_version = meth->internal->max_version;
+        ret->internal->min_proto_version = 0;
+        ret->internal->max_proto_version = 0;
         ret->internal->mode = SSL_MODE_AUTO_RETRY;
 
         ret->cert_store = NULL;
@@ -3016,52 +3020,56 @@ SSL_cache_hit(SSL *s)
 int
 SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
 {
-        return ctx->internal->min_version;
+        return ctx->internal->min_proto_version;
 }
 
 int
 SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
 {
         return ssl_version_set_min(ctx->method, version,
-            ctx->internal->max_version, &ctx->internal->min_version);
+            ctx->internal->max_version, &ctx->internal->min_version,
+            &ctx->internal->min_proto_version);
 }
 
 int
 SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
 {
-        return ctx->internal->max_version;
+        return ctx->internal->max_proto_version;
 }
 
 int
 SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
 {
         return ssl_version_set_max(ctx->method, version,
-            ctx->internal->min_version, &ctx->internal->max_version);
+            ctx->internal->min_version, &ctx->internal->max_version,
+            &ctx->internal->max_proto_version);
 }
 
 int
 SSL_get_min_proto_version(SSL *ssl)
 {
-        return ssl->internal->min_version;
+        return ssl->internal->min_proto_version;
 }
 
 int
 SSL_set_min_proto_version(SSL *ssl, uint16_t version)
 {
         return ssl_version_set_min(ssl->method, version,
-            ssl->internal->max_version, &ssl->internal->min_version);
+            ssl->internal->max_version, &ssl->internal->min_version,
+            &ssl->internal->min_proto_version);
 }
 int
 SSL_get_max_proto_version(SSL *ssl)
 {
-        return ssl->internal->max_version;
+        return ssl->internal->max_proto_version;
 }
 
 int
 SSL_set_max_proto_version(SSL *ssl, uint16_t version)
 {
         return ssl_version_set_max(ssl->method, version,
-            ssl->internal->min_version, &ssl->internal->max_version);
+            ssl->internal->min_version, &ssl->internal->max_version,
+            &ssl->internal->max_proto_version);
 }
 
 static int
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index edb8223fe2..fc61ffee4f 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.320 2021/02/07 15:26:32 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.321 2021/02/20 09:43:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -520,6 +520,13 @@ typedef struct ssl_ctx_internal_st {
         uint16_t min_version;
         uint16_t max_version;
 
+        /*
+         * These may be zero to imply minimum or maximum version supported by
+         * the method.
+         */
+        uint16_t min_proto_version;
+        uint16_t max_proto_version;
+
         unsigned long options;
         unsigned long mode;
 
@@ -682,6 +689,13 @@ typedef struct ssl_internal_st {
         uint16_t min_version;
         uint16_t max_version;
 
+        /*
+         * These may be zero to imply minimum or maximum version supported by
+         * the method.
+         */
+        uint16_t min_proto_version;
+        uint16_t max_proto_version;
+
         unsigned long options; /* protocol behaviour */
         unsigned long mode; /* API behaviour */
 
@@ -1111,9 +1125,9 @@ int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
 int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
-    uint16_t *out_ver);
+    uint16_t *out_ver, uint16_t *out_proto_ver);
 int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
-    uint16_t *out_ver);
+    uint16_t *out_ver, uint16_t *out_proto_ver);
 int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
 int ssl_legacy_stack_version(SSL *s, uint16_t version);
 int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 2245ae15b5..1ee5ed312c 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.10 2021/02/20 08:30:52 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.11 2021/02/20 09:43:29 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -36,12 +36,13 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
 
 int
 ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
-    uint16_t *out_ver)
+    uint16_t *out_ver, uint16_t *out_proto_ver)
 {
         uint16_t min_version, max_version;
 
         if (ver == 0) {
                 *out_ver = meth->internal->min_version;
+                *out_proto_ver = 0;
                 return 1;
         }
 
@@ -52,19 +53,20 @@ ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
             meth->internal->min_version, meth->internal->max_version))
                 return 0;
 
-        *out_ver = min_version;
+        *out_ver = *out_proto_ver = min_version;
 
         return 1;
 }
 
 int
 ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
-    uint16_t *out_ver)
+    uint16_t *out_ver, uint16_t *out_proto_ver)
 {
         uint16_t min_version, max_version;
 
         if (ver == 0) {
                 *out_ver = meth->internal->max_version;
+                *out_proto_ver = 0;
                 return 1;
         }
 
@@ -75,7 +77,7 @@ ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
             meth->internal->min_version, meth->internal->max_version))
                 return 0;
 
-        *out_ver = max_version;
+        *out_ver = *out_proto_ver = max_version;
 
         return 1;
 }