commit e34bcc91c07c0bf65ecc53a814d51f5246007150
author David Benjamin <davidben@google.com> Wed Sep 21 16:53:09 2016 -0400
committer CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Wed Sep 21 21:41:49 2016 +0000
tree 267d2b289a5d347ab906a417b9175cec7fd6f1c5
parent c8b6b4fe4afbcd31b61007b1288de380c7f51b4c

Support default versions with set_{min,max}_proto_version.

Upstream makes 0 mean "min/max supported version". Match that behavior,
although call it "default" instead. It shouldn't get you TLS 1.3 until
we're ready to turn it on everywhere.

BUG=90

Change-Id: I9f122fceb701b7d4de2ff70afbc1ffdf370cb97e
Reviewed-on: https://boringssl-review.googlesource.com/11181
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/ssl_lib.c

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8232532..6ec7d25 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -305,17 +305,12 @@
     ret->options |= SSL_OP_NO_TICKET;
   }
 
-  ret->min_version = ret->method->min_version;
-  ret->max_version = ret->method->max_version;
-
   /* Lock the SSL_CTX to the specified version, for compatibility with legacy
    * uses of SSL_METHOD. */
-  if (method->version != 0) {
-    SSL_CTX_set_max_proto_version(ret, method->version);
-    SSL_CTX_set_min_proto_version(ret, method->version);
-  } else if (!method->method->is_dtls) {
-    /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */
-    SSL_CTX_set_max_proto_version(ret, TLS1_2_VERSION);
+  if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
+      !SSL_CTX_set_min_proto_version(ret, method->version)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    goto err2;
   }
 
   return ret;
@@ -949,20 +944,44 @@
   return SSL_ERROR_SYSCALL;
 }
 
+static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
+                           uint16_t version) {
+  if (version == 0) {
+    *out = method->min_version;
+    return 1;
+  }
+
+  return method->version_from_wire(out, version);
+}
+
+static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
+                           uint16_t version) {
+  if (version == 0) {
+    *out = method->max_version;
+    /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */
+    if (*out > TLS1_2_VERSION) {
+      *out = TLS1_2_VERSION;
+    }
+    return 1;
+  }
+
+  return method->version_from_wire(out, version);
+}
+
 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
-  return ctx->method->version_from_wire(&ctx->min_version, version);
+  return set_min_version(ctx->method, &ctx->min_version, version);
 }
 
 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
-  return ctx->method->version_from_wire(&ctx->max_version, version);
+  return set_max_version(ctx->method, &ctx->max_version, version);
 }
 
 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
-  return ssl->method->version_from_wire(&ssl->min_version, version);
+  return set_min_version(ssl->method, &ssl->min_version, version);
 }
 
 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
-  return ssl->method->version_from_wire(&ssl->max_version, version);
+  return set_max_version(ssl->method, &ssl->max_version, version);
 }
 
 uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {