github.com/mono/boringssl.git
author: David Benjamin <davidben@google.com>, 2016-09-20 02:57:37 +0300
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>, 2016-09-21 22:51:45 +0300
commit: 2dc0204603f777597e2f97662e42887d1af5013f
tree: 51be5e0d7c4e766c6a5d08bccaa7c961338d0c15 /tool/server.cc
parent: c027999c28db2f448ea5795798080f6a5aaa01d6
Don't return invalid versions in version_from_wire.
This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions being opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way.

This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs.

This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers.

BUG=90

Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da
Reviewed-on: https://boringssl-review.googlesource.com/11122
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Diffstat (limited to 'tool/server.cc')
-rw-r--r-- tool/server.cc 8
1 files changed, 6 insertions, 2 deletions
diff --git a/tool/server.cc b/tool/server.cc
index e0aeb134..b4a4eb13 100644
--- a/tool/server.cc
+++ b/tool/server.cc
@@ -133,7 +133,9 @@ bool Server(const std::vector<std::string> &args) {
args_map["-max-version"].c_str());
return false;
}
- SSL_CTX_set_max_version(ctx, version);
+ if (!SSL_CTX_set_max_version(ctx, version)) {
+ return false;
+ }
}
if (args_map.count("-min-version") != 0) {
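Review bot: the new failure branch at `if (!SSL_CTX_set_max_version(ctx, version))` returns false without saying why, while the branch just above it passes `args_map["-max-version"].c_str()` to what looks like a diagnostic before its own `return false`. Now that the setter can reject a value, an operator whose -max-version string parsed but was refused gets a bare failure with no hint which flag caused it. Consider printing a message to stderr here that names the flag and the rejected value, so a misconfigured version ceiling on a test server is easy to tell apart from other startup errors.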
@@ -143,7 +145,9 @@ bool Server(const std::vector<std::string> &args) {
args_map["-min-version"].c_str());
return false;
}
- SSL_CTX_set_min_version(ctx, version);
+ if (!SSL_CTX_set_min_version(ctx, version)) {
+ return false;
+ }
}
if (args_map.count("-ocsp-response") != 0 &&
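Review bot: once `SSL_CTX_set_min_version(ctx, version)` succeeds, nothing in the visible lines compares the minimum against the -max-version value applied in the previous block, so it is unclear from this diff whether an inverted range (minimum above maximum) is caught at startup or only surfaces as handshake failures. If the setters do not reject that case, a check after both flags are processed would make the tool fail early. The new `return false` is also silent in the same way as the max-version branch; a stderr message naming -min-version would keep the two paths consistent with the parse-failure branch above.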