Support get versions with get_{min,max}_proto_version for context
When building node against BoringSSL, `SSL_CTX_get_min_proto_version` and
`SSL_CTX_get_max_proto_version` are used. OpenSSL exposes those getters; this
change adds the same two functions to BoringSSL.
For this to work right in DTLS, we switch conf_{min,max}_version to store wire
versions, rather than our internal normalized versions.
Change-Id: I282ed224806c41f69e6f166ca97c6cc05ff51f17
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35404
Reviewed-by: Nitish Sakhawalkar <nitsakh@gmail.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
index e6dbc8d..e25fce6 100644
--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
@@ -134,12 +134,12 @@
static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
uint16_t version) {
if (!api_version_to_wire(&version, version) ||
- !ssl_method_supports_version(method, version) ||
- !ssl_protocol_version_from_wire(out, version)) {
+ !ssl_method_supports_version(method, version)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
return false;
}
+ *out = version;
return true;
}
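Review bot: `*out` now receives the wire version (for DTLS a value such as `DTLS1_VERSION`) rather than the normalized protocol version, and nothing at the assignment on the `*out = version;` line says so; the next reader of `conf_{min,max}_version` will assume the old meaning. Storing `version` directly is correct because the earlier `api_version_to_wire(&version, version)` call has already rewritten it in place and `ssl_method_supports_version` has validated it, but the contract deserves a comment, e.g. `// Store the wire version, not the normalized one, so the configured value can be handed back to callers unchanged; code that compares versions must first normalize with ssl_protocol_version_from_wire.`. Without it, a later change that compares `conf_min_version` against `TLS1_3_VERSION`-style constants would silently be wrong for DTLS.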
@@ -147,8 +147,7 @@
uint16_t version) {
// Zero is interpreted as the default minimum version.
if (version == 0) {
- // TLS 1.0 does not exist in DTLS.
- *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
+ *out = method->is_dtls ? DTLS1_VERSION : TLS1_VERSION;
return true;
}
@@ -159,7 +158,7 @@
uint16_t version) {
// Zero is interpreted as the default maximum version.
if (version == 0) {
- *out = TLS1_2_VERSION;
+ *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
return true;
}
@@ -188,8 +187,14 @@
}
}
- uint16_t min_version = hs->config->conf_min_version;
- uint16_t max_version = hs->config->conf_max_version;
+ uint16_t min_version, max_version;
+ if (!ssl_protocol_version_from_wire(&min_version,
+ hs->config->conf_min_version) ||
+ !ssl_protocol_version_from_wire(&max_version,
+ hs->config->conf_max_version)) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
// QUIC requires TLS 1.3.
if (hs->ssl->quic_method && min_version < TLS1_3_VERSION) {
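Review bot: The failure of `ssl_protocol_version_from_wire` on `conf_{min,max}_version` is reported as `ERR_R_INTERNAL_ERROR`, which is only the right classification because every writer of those fields goes through `set_version_bound` (or the resolved defaults); that invariant should be stated where it is relied on, e.g. `// conf_{min,max}_version hold wire versions already validated by set_version_bound, so a conversion failure here is a bug, not bad input.`. Making it explicit guards against a future direct assignment turning this into a reachable error path that callers would misread as a configuration problem. The subsequent `min_version < TLS1_3_VERSION` check for QUIC then correctly operates on normalized values. The enclosing function starts and ends outside this hunk, so its remaining uses of these values are not visible here.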
@@ -344,6 +349,14 @@
return set_max_version(ctx->method, &ctx->conf_max_version, version);
}
+uint16_t SSL_CTX_get_min_proto_version(SSL_CTX *ctx) {
+ return ctx->conf_min_version;
+}
+
+uint16_t SSL_CTX_get_max_proto_version(SSL_CTX *ctx) {
+ return ctx->conf_max_version;
+}
+
int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
if (!ssl->config) {
return 0;
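Review bot: The two new getters return `conf_{min,max}_version` verbatim, which after this change is a wire version and, because `set_min_version`/`set_max_version` resolve an argument of 0 to a concrete default, is presumably never 0 (assuming `SSL_CTX_new` initializes the fields through those same setters); that differs from OpenSSL, where the getters report 0 for an unset bound, so the public declaration should document both points, and the header change is not part of this diff. Suggested header comment: `// SSL_CTX_get_min_proto_version returns the minimum protocol version configured on |ctx| as a wire version (e.g. |DTLS1_VERSION| for DTLS). A bound configured as zero is reported as the resolved default, not as zero.`, with the matching text for the max getter. If the corresponding `SSL_get_{min,max}_proto_version` getters are added for parity with OpenSSL, they need the same `if (!ssl->config) { return 0; }` guard that `SSL_set_min_proto_version` applies just below, since the setter evidently treats a NULL `ssl->config` as possible.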