From 3581bda29878442998cf111eefbb9058cf96ee8a Mon Sep 17 00:00:00 2001
From: Jay Satiro
Date: Tue, 18 Sep 2018 16:35:36 -0400
Subject: [PATCH] vtls: fix ssl version "or later" behavior change for many backends

- Treat CURL_SSLVERSION_MAX_NONE the same as CURL_SSLVERSION_MAX_DEFAULT.

Prior to this change NONE would mean use the minimum version also as the maximum.

This is a follow-up to 6015cef which changed the behavior of setting the SSL version so that the requested version would only be the minimum and not the maximum. It appears it was properly implemented in OpenSSL but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.

Co-authored-by: Daniel Gustafsson

Closes #xxxx
Closes #xxxx
---
 lib/vtls/darwinssl.c | 2 --
 lib/vtls/gskit.c | 2 --
 lib/vtls/gtls.c | 4 +---
 lib/vtls/mbedtls.c | 3 ---
 lib/vtls/nss.c | 2 --
 lib/vtls/polarssl.c | 3 ---
 lib/vtls/schannel.c | 2 --
 7 files changed, 1 insertion(+), 17 deletions(-)

diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 3eee53a02d3122..e8116b8a11838b 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1304,8 +1304,6 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
 
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version << 16;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = max_supported_version_by_os;
 break;
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index a0b49601f7d3ba..d6be159ab9e910 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -766,8 +766,6 @@ set_ssl_version_min_max(unsigned int *protoflags, struct connectdata *conn)
 long i = ssl_version;
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = CURL_SSLVERSION_TLSv1_2;
 break;
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 207b0fd1bd959e..93f5ed1db5beac 100644
--- a/lib/vtls/gtls.c
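Review bot: The now-empty `case CURL_SSLVERSION_MAX_NONE:` falls into `case CURL_SSLVERSION_MAX_DEFAULT:` with nothing saying the merge is intentional, so the next reader of this switch sees a label that looks like it lost its body and may restore the old `ssl_version << 16` cap that this commit is removing. A one-line comment on the label would pin the contract: `case CURL_SSLVERSION_MAX_NONE: /* no upper bound requested: same as MAX_DEFAULT */`. The same applies to the identical switches in the gskit.c, gtls.c (first hunk), mbedtls.c, polarssl.c and schannel.c hunks. set_ssl_version_min_max continues outside the hunk in each file.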
+++ b/lib/vtls/gtls.c
@@ -390,8 +390,6 @@ set_ssl_version_min_max(int *list, size_t list_size, struct connectdata *conn)
 
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version << 16;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;
@@ -435,7 +433,7 @@ set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn)
 return CURLE_SSL_CONNECT_ERROR;
 }
 if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) {
- ssl_version_max = ssl_version << 16;
+ ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
 }
 switch(ssl_version | ssl_version_max) {
 case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index d7759dc849a42a..c5ed8872ef238b 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -205,14 +205,11 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
 case CURL_SSLVERSION_DEFAULT:
 case CURL_SSLVERSION_TLSv1:
 ssl_version = CURL_SSLVERSION_TLSv1_0;
- ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;
 }
 
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version << 16;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 4eb6a779211b9b..d85b212f7f5a06 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1714,8 +1714,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 failf(data, "unsupported min version passed via CURLOPT_SSLVERSION");
 return result;
 }
- if(max == CURL_SSLVERSION_MAX_NONE)
- sslver->max = sslver->min;
 }
 
 switch(max) {
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 604cb4c862935e..27af0ccf3e2e49 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
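Review bot: `ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;` is then OR-ed into `switch(ssl_version | ssl_version_max)`, and the only label visible in the hunk is `CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0`; whether every minimum version has a matching `| CURL_SSLVERSION_MAX_DEFAULT` label is outside the hunk, and a missing one would route a NONE request to whatever fallback that switch has instead of to the "or later" priority string. Worth confirming against the rest of the switch before merging. The first gtls.c hunk handles NONE by case fallthrough while this one rewrites the value before the switch; a short comment on the new line, `/* NONE is treated as DEFAULT so the combined case labels below cover it */`, would make the link explicit. The switch and the enclosing function continue past the hunk.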
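Review bot: Dropping `ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;` from the DEFAULT/TLSv1 case means an explicit maximum supplied by the caller is no longer overridden when the minimum is the default, which matches the "minimum only" semantics in the commit message, but nothing in the hunk checks that an explicit maximum is not below the resulting TLSv1_0 minimum. If no range check exists earlier (the option setter is not visible here), a reversed min/max pair would be handed to the library; a guard after the second switch comparing the maximum against `ssl_version << 16`, the same encoding the removed NONE branch relied on, e.g. `if(ssl_version_max < (ssl_version << 16)) return CURLE_SSL_CONNECT_ERROR;`, would reject it explicitly. The polarssl.c hunk is the same change and has the same gap. set_ssl_version_min_max continues beyond the hunk.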
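Review bot: With `if(max == CURL_SSLVERSION_MAX_NONE) sslver->max = sslver->min;` gone, the `switch(max)` that follows is the only place left that can act on CURL_SSLVERSION_MAX_NONE, and its labels are outside the hunk; if it has no NONE label (or no default that mirrors MAX_DEFAULT), `sslver->max` silently keeps whatever value it held when the function was entered, which may or may not be what this commit intends. Please confirm the switch pairs NONE with DEFAULT, and consider a comment above it, `/* MAX_NONE is handled like MAX_DEFAULT below */`, so the intent survives the next edit. nss_init_sslver starts and ends outside the hunk.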
@@ -185,14 +185,11 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
 case CURL_SSLVERSION_DEFAULT:
 case CURL_SSLVERSION_TLSv1:
 ssl_version = CURL_SSLVERSION_TLSv1_0;
- ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;
 }
 
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version << 16;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index f3ed98d59a644c..e4426924bca493 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -180,8 +180,6 @@ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct connectdata *conn)
 
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version << 16;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;