Have all test programs using that function specify those versions.
Additionally, have the remaining test programs that use SSL_CTX_new
directly specify at least the maximum protocol version.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5662)
}
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
&serverctx, &clientctx, argv[1], argv[2])) {
printf("Failed to create SSL_CTX pair\n");
goto end;
int main(int argc, char *argv[])
{
- SSL_CTX *ctx;
- SSL *con;
+ SSL_CTX *ctx = NULL;
+ SSL *con = NULL;
BIO *rbio;
BIO *wbio;
BIO *err;
for (; currtest < TOTAL_NUM_TESTS; currtest++) {
testresult = 0;
ctx = SSL_CTX_new(TLS_method());
+ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION))
+ goto end;
con = SSL_new(ctx);
rbio = BIO_new(BIO_s_mem());
printf("Starting Test %d\n", testidx);
- if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(),
+ DTLS1_VERSION, DTLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'
};
- if (!create_ssl_ctx_pair(SSLv23_method(), SSLv23_method(), &sctx, &cctx,
+ if (!create_ssl_ctx_pair(SSLv23_method(), SSLv23_method(),
+ SSL3_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
cert, privkey)) {
printf("Failed to create SSL_CTX pair\n");
goto err;
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new(DTLS_server_method());
+ TEST_check(SSL_CTX_set_max_proto_version(server_ctx, DTLS_MAX_VERSION));
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
server2_ctx = SSL_CTX_new(DTLS_server_method());
TEST_check(server2_ctx != NULL);
}
client_ctx = SSL_CTX_new(DTLS_client_method());
+ TEST_check(SSL_CTX_set_max_proto_version(client_ctx, DTLS_MAX_VERSION));
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new(DTLS_server_method());
+ TEST_check(SSL_CTX_set_max_proto_version(resume_server_ctx,
+ DTLS_MAX_VERSION));
resume_client_ctx = SSL_CTX_new(DTLS_client_method());
+ TEST_check(SSL_CTX_set_max_proto_version(resume_client_ctx,
+ DTLS_MAX_VERSION));
TEST_check(resume_server_ctx != NULL);
TEST_check(resume_client_ctx != NULL);
}
#endif
if (test_ctx->method == SSL_TEST_METHOD_TLS) {
server_ctx = SSL_CTX_new(TLS_server_method());
+ TEST_check(SSL_CTX_set_max_proto_version(server_ctx, TLS_MAX_VERSION));
/* SNI on resumption isn't supported/tested yet. */
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
TEST_check(server2_ctx != NULL);
}
client_ctx = SSL_CTX_new(TLS_client_method());
+ TEST_check(SSL_CTX_set_max_proto_version(client_ctx, TLS_MAX_VERSION));
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new(TLS_server_method());
+ TEST_check(SSL_CTX_set_max_proto_version(resume_server_ctx,
+ TLS_MAX_VERSION));
resume_client_ctx = SSL_CTX_new(TLS_client_method());
+ TEST_check(SSL_CTX_set_max_proto_version(resume_client_ctx,
+ TLS_MAX_VERSION));
TEST_check(resume_server_ctx != NULL);
TEST_check(resume_client_ctx != NULL);
}
#define NUM_EXTRA_CERTS 40
static int execute_test_large_message(const SSL_METHOD *smeth,
- const SSL_METHOD *cmeth, int read_ahead)
+ const SSL_METHOD *cmeth,
+ int min_version, int max_version,
+ int read_ahead)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
goto end;
}
- if (!create_ssl_ctx_pair(smeth, cmeth, &sctx,
+ if (!create_ssl_ctx_pair(smeth, cmeth, min_version, max_version, &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
goto end;
static int test_large_message_tls(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
0);
}
static int test_large_message_tls_read_ahead(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
1);
}
* read_ahead is set.
*/
return execute_test_large_message(DTLS_server_method(),
- DTLS_client_method(), 0);
+ DTLS_client_method(),
+ DTLS1_VERSION, DTLS_MAX_VERSION,
+ 0);
}
#endif
OCSP_RESPID *id = NULL;
BIO *certbio = NULL;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
SSL_SESSION *sess1 = NULL, *sess2 = NULL;
int testresult = 0;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
curr = testctx ? &testsigalgs[idx]
: &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
clntaddcb = clntparsecb = srvaddcb = srvparsecb = 0;
snicb = 0;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
goto end;
}
if (tst == 1
- && !create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2, NULL,
+ && !create_ssl_ctx_pair(TLS_server_method(), NULL,
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx2, NULL,
cert, privkey)) {
printf("Unable to create SSL_CTX pair (2)\n");
goto end;
printf("Starting Test %d, %s\n", testidx, cipher_list[testidx]);
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
} else if (tls1) {
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
+ } else {
+ min_version = SSL3_VERSION;
+ max_version = TLS_MAX_VERSION;
}
#endif
#ifndef OPENSSL_NO_DTLS
- if (dtls || dtls1 || dtls12)
+ if (dtls || dtls1 || dtls12) {
meth = DTLS_method();
- if (dtls1) {
- min_version = DTLS1_VERSION;
- max_version = DTLS1_VERSION;
- } else if (dtls12) {
- min_version = DTLS1_2_VERSION;
- max_version = DTLS1_2_VERSION;
+ if (dtls1) {
+ min_version = DTLS1_VERSION;
+ max_version = DTLS1_VERSION;
+ } else if (dtls12) {
+ min_version = DTLS1_2_VERSION;
+ max_version = DTLS1_2_VERSION;
+ } else {
+ min_version = DTLS_MIN_VERSION;
+ max_version = DTLS_MAX_VERSION;
+ }
}
#endif
SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET);
}
- if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
+ if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0) {
+ printf("Unable to set client min protocol version (0x%X)\n",
+ min_version);
goto end;
- if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
+ }
+ if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0) {
+ printf("Unable to set client max protocol version (0x%X)\n",
+ max_version);
goto end;
- if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0)
+ }
+ if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0) {
+ printf("Unable to set server min protocol version (0x%X)\n",
+ min_version);
goto end;
- if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0)
+ }
+ if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0) {
+ printf("Unable to set server max protocol version (0x%X)\n",
+ max_version);
goto end;
+ }
if (cipher != NULL) {
if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
}
int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+ int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
char *privkeyfile)
{
goto err;
}
+ if (min_proto_version > 0
+ && !SSL_CTX_set_min_proto_version(serverctx, min_proto_version)) {
+ printf("Unable to set server min protocol versions\n");
+ goto err;
+ }
+ if (max_proto_version > 0
+ && !SSL_CTX_set_max_proto_version(serverctx, max_proto_version)) {
+ printf("Unable to set server max protocol versions\n");
+ goto err;
+ }
+
+ if (clientctx != NULL) {
+ if (min_proto_version > 0
+ && !SSL_CTX_set_max_proto_version(clientctx, max_proto_version)) {
+ printf("Unable to set client max protocol versions\n");
+ goto err;
+ }
+ if (max_proto_version > 0
+ && !SSL_CTX_set_min_proto_version(clientctx, min_proto_version)) {
+ printf("Unable to set client min protocol versions\n");
+ goto err;
+ }
+ }
+
if (SSL_CTX_use_certificate_file(serverctx, certfile,
SSL_FILETYPE_PEM) <= 0) {
printf("Failed to load server certificate\n");
# include <openssl/ssl.h>
int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+ int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
char *privkeyfile);
int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
projects / oweals / openssl.git / commitdiff