diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-18 13:10:21 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-19 09:57:15 -0500 |
commit | 6b01bed206156dbcb1ab150f618c8b24c01fb0d0 (patch) | |
tree | 667ea072f731ab8904a121f5b57adb01e40df4af /test/ssltest.c | |
parent | 6ada465fb258ae2c29668c59f3ec9b69dc38f8b3 (diff) | |
download | openssl-6b01bed206156dbcb1ab150f618c8b24c01fb0d0.zip openssl-6b01bed206156dbcb1ab150f618c8b24c01fb0d0.tar.gz openssl-6b01bed206156dbcb1ab150f618c8b24c01fb0d0.tar.bz2 |
Support disabling any or all TLS or DTLS versions
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2. In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...
This commit makes it possible to disable any or all of the TLS or
DTLS protocols. It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'test/ssltest.c')
-rw-r--r-- | test/ssltest.c | 70 |
1 files changed, 49 insertions, 21 deletions
diff --git a/test/ssltest.c b/test/ssltest.c index d6b6618..cccab51 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -776,15 +776,21 @@ static void sv_usage(void) fprintf(stderr, " -srpuser user - SRP username to use\n"); fprintf(stderr, " -srppass arg - password for 'user'\n"); #endif -#ifndef OPENSSL_NO_SSL3_METHOD +#ifndef OPENSSL_NO_SSL3 fprintf(stderr, " -ssl3 - use SSLv3\n"); #endif +#ifndef OPENSSL_NO_TLS1 fprintf(stderr, " -tls1 - use TLSv1\n"); +#endif #ifndef OPENSSL_NO_DTLS fprintf(stderr, " -dtls - use DTLS\n"); +#ifndef OPENSSL_NO_DTLS1 fprintf(stderr, " -dtls1 - use DTLSv1\n"); +#endif +#ifndef OPENSSL_NO_DTLS1_2 fprintf(stderr, " -dtls12 - use DTLSv1.2\n"); #endif +#endif fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); fprintf(stderr, " -CAfile arg - PEM format file of CA's\n"); fprintf(stderr, " -cert arg - Server certificate file\n"); @@ -1046,7 +1052,7 @@ int main(int argc, char *argv[]) #ifdef OPENSSL_FIPS int fips_mode = 0; #endif - int no_protocol = 0; + int no_protocol; SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL; STACK_OF(OPENSSL_STRING) *conf_args = NULL; @@ -1173,24 +1179,12 @@ int main(int argc, char *argv[]) else if (strcmp(*argv, "-tls1") == 0) { tls1 = 1; } else if (strcmp(*argv, "-ssl3") == 0) { -#ifdef OPENSSL_NO_SSL3_METHOD - no_protocol = 1; -#endif ssl3 = 1; } else if (strcmp(*argv, "-dtls1") == 0) { -#ifdef OPENSSL_NO_DTLS - no_protocol = 1; -#endif dtls1 = 1; } else if (strcmp(*argv, "-dtls12") == 0) { -#ifdef OPENSSL_NO_DTLS - no_protocol = 1; -#endif dtls12 = 1; } else if (strcmp(*argv, "-dtls") == 0) { -#ifdef OPENSSL_NO_DTLS - no_protocol = 1; -#endif dtls = 1; } else if (strncmp(*argv, "-num", 4) == 0) { if (--argc < 1) @@ -1365,6 +1359,28 @@ int main(int argc, char *argv[]) EXIT(1); } +#ifdef OPENSSL_NO_SSL3 + if (ssl3) + no_protocol = 1; + else +#endif +#ifdef OPENSSL_NO_TLS1 + if (tls1) + no_protocol = 1; + else +#endif +#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1) + if (dtls1) + no_protocol = 1; + else +#endif +#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1_2) + if (dtls12) + no_protocol = 1; + else +#endif + no_protocol = 0; + /* * Testing was requested for a compiled-out protocol (e.g. SSLv3). * Ideally, we would error out, but the generic test wrapper can't know @@ -1444,23 +1460,31 @@ int main(int argc, char *argv[]) * (Otherwise we exit early.) However the compiler doesn't know this, so * we ifdef. */ -#ifndef OPENSSL_NO_SSL3 - if (ssl3) - meth = SSLv3_method(); - else -#endif #ifndef OPENSSL_NO_DTLS +#ifndef OPENSSL_NO_DTLS1 if (dtls1) meth = DTLSv1_method(); - else if (dtls12) + else +#endif +#ifndef OPENSSL_NO_DTLS1_2 + if (dtls12) meth = DTLSv1_2_method(); - else if (dtls) + else +#endif + if (dtls) meth = DTLS_method(); else #endif +#ifndef OPENSSL_NO_SSL3 + if (ssl3) + meth = SSLv3_method(); + else +#endif +#ifndef OPENSSL_NO_TLS1 if (tls1) meth = TLSv1_method(); else +#endif meth = TLS_method(); c_ctx = SSL_CTX_new(meth); @@ -3163,9 +3187,11 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, static int do_test_cipherlist(void) { +#if !defined(OPENSSL_NO_SSL3) || !defined(OPENSSL_NO_TLS1) int i = 0; const SSL_METHOD *meth; const SSL_CIPHER *ci, *tci = NULL; +#endif #ifndef OPENSSL_NO_SSL3 meth = SSLv3_method(); @@ -3180,6 +3206,7 @@ static int do_test_cipherlist(void) tci = ci; } #endif +#ifndef OPENSSL_NO_TLS1 meth = TLSv1_method(); tci = NULL; while ((ci = meth->get_cipher(i++)) != NULL) { @@ -3191,6 +3218,7 @@ static int do_test_cipherlist(void) } tci = ci; } +#endif return 1; } |