authorViktor Dukhovni <openssl-users@dukhovni.org>2016-01-18 13:10:21 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-01-19 09:57:15 -0500
commit6b01bed206156dbcb1ab150f618c8b24c01fb0d0 (patch)
tree667ea072f731ab8904a121f5b57adb01e40df4af /test/ssltest.c
parent6ada465fb258ae2c29668c59f3ec9b69dc38f8b3 (diff)
Support disabling any or all TLS or DTLS versions
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just TLS 1.2. In the future they might want to disable TLS 1.2 and enable just TLS 1.3, ... This commit makes it possible to disable any or all of the TLS or DTLS protocols. It also considerably simplifies the SSL/TLS tests, by auto-generating the min/max version tests based on the set of supported protocols (425 explicitly written out tests got replaced by two loops that generate all 425 tests if all protocols are enabled, fewer otherwise). Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'test/ssltest.c')
-rw-r--r--test/ssltest.c70
1 files changed, 49 insertions, 21 deletions
diff --git a/test/ssltest.c b/test/ssltest.c
index d6b6618..cccab51 100644
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -776,15 +776,21 @@ static void sv_usage(void)
fprintf(stderr, " -srpuser user - SRP username to use\n");
fprintf(stderr, " -srppass arg - password for 'user'\n");
#endif
-#ifndef OPENSSL_NO_SSL3_METHOD
+#ifndef OPENSSL_NO_SSL3
fprintf(stderr, " -ssl3 - use SSLv3\n");
#endif
+#ifndef OPENSSL_NO_TLS1
fprintf(stderr, " -tls1 - use TLSv1\n");
+#endif
#ifndef OPENSSL_NO_DTLS
fprintf(stderr, " -dtls - use DTLS\n");
+#ifndef OPENSSL_NO_DTLS1
fprintf(stderr, " -dtls1 - use DTLSv1\n");
+#endif
+#ifndef OPENSSL_NO_DTLS1_2
fprintf(stderr, " -dtls12 - use DTLSv1.2\n");
#endif
+#endif
fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
fprintf(stderr, " -CAfile arg - PEM format file of CA's\n");
fprintf(stderr, " -cert arg - Server certificate file\n");
@@ -1046,7 +1052,7 @@ int main(int argc, char *argv[])
#ifdef OPENSSL_FIPS
int fips_mode = 0;
#endif
- int no_protocol = 0;
+ int no_protocol;
SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL;
STACK_OF(OPENSSL_STRING) *conf_args = NULL;
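Review bot: Dropping the initializer on `int no_protocol;` makes its definedness depend on the `#ifdef`-spliced if/else chain later in main() always reaching its trailing `no_protocol = 0;`, which is true today but easy to break when a further `#if` branch is added to that chain. Keeping `int no_protocol = 0;` costs nothing, lets the later chain assign only the `= 1` cases, and keeps the variable well-defined on every path the preprocessor can produce. main() starts and ends outside this hunk.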
@@ -1173,24 +1179,12 @@ int main(int argc, char *argv[])
else if (strcmp(*argv, "-tls1") == 0) {
tls1 = 1;
} else if (strcmp(*argv, "-ssl3") == 0) {
-#ifdef OPENSSL_NO_SSL3_METHOD
- no_protocol = 1;
-#endif
ssl3 = 1;
} else if (strcmp(*argv, "-dtls1") == 0) {
-#ifdef OPENSSL_NO_DTLS
- no_protocol = 1;
-#endif
dtls1 = 1;
} else if (strcmp(*argv, "-dtls12") == 0) {
-#ifdef OPENSSL_NO_DTLS
- no_protocol = 1;
-#endif
dtls12 = 1;
} else if (strcmp(*argv, "-dtls") == 0) {
-#ifdef OPENSSL_NO_DTLS
- no_protocol = 1;
-#endif
dtls = 1;
} else if (strncmp(*argv, "-num", 4) == 0) {
if (--argc < 1)
@@ -1365,6 +1359,28 @@ int main(int argc, char *argv[])
EXIT(1);
}
+#ifdef OPENSSL_NO_SSL3
+ if (ssl3)
+ no_protocol = 1;
+ else
+#endif
+#ifdef OPENSSL_NO_TLS1
+ if (tls1)
+ no_protocol = 1;
+ else
+#endif
+#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1)
+ if (dtls1)
+ no_protocol = 1;
+ else
+#endif
+#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1_2)
+ if (dtls12)
+ no_protocol = 1;
+ else
+#endif
+ no_protocol = 0;
+
/*
* Testing was requested for a compiled-out protocol (e.g. SSLv3).
* Ideally, we would error out, but the generic test wrapper can't know
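Review bot: The new chain has no branch for the plain `-dtls` option, so a build with OPENSSL_NO_DTLS defined no longer sets `no_protocol` for it, whereas the removed `#ifdef OPENSSL_NO_DTLS` block in the `-dtls` parser case did. In the method-selection hunk further down, the `if (dtls) meth = DTLS_method();` arm is inside `#ifndef OPENSSL_NO_DTLS`, so on such a build a `-dtls` run silently falls through to `TLS_method()` and the test presumably passes as a TLS test rather than being reported as a compiled-out protocol. Adding a `dtls` arm before the final `else` restores the old behaviour; the dangling-else chain threaded through `#ifdef` has no braces, so the arm must keep the same `if/else` shape to stay in the chain. main() starts and ends outside this hunk.
```c
#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1_2)
    if (dtls12)
        no_protocol = 1;
    else
#endif
#ifdef OPENSSL_NO_DTLS
    if (dtls)
        no_protocol = 1;
    else
#endif
    no_protocol = 0;
```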
@@ -1444,23 +1460,31 @@ int main(int argc, char *argv[])
* (Otherwise we exit early.) However the compiler doesn't know this, so
* we ifdef.
*/
-#ifndef OPENSSL_NO_SSL3
- if (ssl3)
- meth = SSLv3_method();
- else
-#endif
#ifndef OPENSSL_NO_DTLS
+#ifndef OPENSSL_NO_DTLS1
if (dtls1)
meth = DTLSv1_method();
- else if (dtls12)
+ else
+#endif
+#ifndef OPENSSL_NO_DTLS1_2
+ if (dtls12)
meth = DTLSv1_2_method();
- else if (dtls)
+ else
+#endif
+ if (dtls)
meth = DTLS_method();
else
#endif
+#ifndef OPENSSL_NO_SSL3
+ if (ssl3)
+ meth = SSLv3_method();
+ else
+#endif
+#ifndef OPENSSL_NO_TLS1
if (tls1)
meth = TLSv1_method();
else
+#endif
meth = TLS_method();
c_ctx = SSL_CTX_new(meth);
@@ -3163,9 +3187,11 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity,
static int do_test_cipherlist(void)
{
+#if !defined(OPENSSL_NO_SSL3) || !defined(OPENSSL_NO_TLS1)
int i = 0;
const SSL_METHOD *meth;
const SSL_CIPHER *ci, *tci = NULL;
+#endif
#ifndef OPENSSL_NO_SSL3
meth = SSLv3_method();
@@ -3180,6 +3206,7 @@ static int do_test_cipherlist(void)
tci = ci;
}
#endif
+#ifndef OPENSSL_NO_TLS1
meth = TLSv1_method();
tci = NULL;
while ((ci = meth->get_cipher(i++)) != NULL) {
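Review bot: The TLSv1 loop starts from whatever value `i` has when the SSLv3 loop finishes; `tci` is reset on the line above but `i` is not, and the declaration `int i = 0;` is the only assignment visible in these hunks. If `get_cipher(i)` indexes the same table for both methods, the TLSv1 ordering check runs zero iterations and always passes, which this change does not cause but is worth fixing while the section is being guarded. Suggested: add `i = 0;` next to `tci = NULL;` at the top of the TLSv1 section, hedged on whether the SSLv3 loop body outside this hunk resets it. do_test_cipherlist() starts before this hunk.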
@@ -3191,6 +3218,7 @@ static int do_test_cipherlist(void)
}
tci = ci;
}
+#endif
return 1;
}