diff options
| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-18 13:10:21 -0500 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-19 09:57:15 -0500 |
| commit | 6b01bed206156dbcb1ab150f618c8b24c01fb0d0 (patch) | |
| tree | 667ea072f731ab8904a121f5b57adb01e40df4af | |
| parent | 6ada465fb258ae2c29668c59f3ec9b69dc38f8b3 (diff) | |
Support disabling any or all TLS or DTLS versions
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2. In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...
This commit makes it possible to disable any or all of the TLS or
DTLS protocols. It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).
Reviewed-by: Richard Levitte <levitte@openssl.org>
| -rwxr-xr-x | Configure | 120 | ||||
| -rw-r--r-- | apps/ciphers.c | 18 | ||||
| -rw-r--r-- | apps/openssl.c | 21 | ||||
| -rw-r--r-- | apps/s_client.c | 45 | ||||
| -rw-r--r-- | apps/s_server.c | 71 | ||||
| -rw-r--r-- | ssl/methods.c | 61 | ||||
| -rw-r--r-- | ssl/statem/statem_lib.c | 22 | ||||
| -rw-r--r-- | test/recipes/80-test_ssl.t | 616 | ||||
| -rw-r--r-- | test/ssltest.c | 70 |
9 files changed, 451 insertions, 593 deletions
@@ -820,6 +820,10 @@ my $default_ranlib; my $perl; my $fips=0; +# Known TLS and DTLS protocols +my @tls = qw(ssl3 tls1 tls1_1 tls1_2); +my @dtls = qw(dtls1 dtls1_2); + # Explicitelly known options that are possible to disable. They can # be regexps, and will be used like this: /^no-${option}$/ # For developers: keep it sorted alphabetically @@ -847,6 +851,8 @@ my @disablables = ( "dynamic[-_]engine", "ec", "ec2m", + "ecdh", + "ecdsa", "ec_nistp_64_gcc_128", "engine", "err", # Really??? @@ -887,20 +893,22 @@ my @disablables = ( "srtp", "sse2", "ssl", - "ssl3", - "ssl3-method", "ssl-trace", "static-engine", "stdio", "store", "threads", "tls", - "tls1", "unit-test", "whirlpool", "zlib", "zlib-dynamic", ); +foreach my $proto ((@tls, @dtls)) + { + push(@disablables, $proto); + push(@disablables, "$proto-method"); + } # All of the following is disabled by default (RC5 was enabled before 0.9.8): @@ -1000,19 +1008,35 @@ PROCESS_ARGS: { if (!($disabled{$1} eq "experimental")) { - if ($1 eq "ssl") + foreach my $proto ((@tls, @dtls)) { - $disabled{"ssl3"} = "option(ssl)"; + if ($1 eq "$proto-method") + { + $disabled{"$proto"} = "option($proto-method)"; + last; + } } - elsif ($1 eq "tls") + if ($1 eq "dtls") { - $disabled{"tls1"} = "option(tls)" + foreach my $proto (@dtls) + { + $disabled{$proto} = "option(dtls)"; + } } - elsif ($1 eq "ssl3-method") + elsif ($1 eq "ssl") { - $disabled{"ssl3-method"} = "option(ssl)"; + # Last one of its kind $disabled{"ssl3"} = "option(ssl)"; } + elsif ($1 eq "tls") + { + # XXX: Tests will fail if all SSL/TLS + # protocols are disabled. + foreach my $proto (@tls) + { + $disabled{$proto} = "option(tls)"; + } + } else { $disabled{$1} = "option"; @@ -1216,19 +1240,89 @@ if (defined($disabled{"ec"})) $disabled{"ecdh"} = "forced"; } -# SSL 3.0 and TLS requires MD5 and SHA and either RSA or DSA+DH +# SSL 3.0 requires MD5 and SHA and either RSA or DSA+DH if (defined($disabled{"md5"}) || defined($disabled{"sha"}) || (defined($disabled{"rsa"}) - && (defined($disabled{"dsa"}) || defined($disabled{"dh"})))) + && (defined($disabled{"dsa"}) || defined($disabled{"dh"})))) { $disabled{"ssl3"} = "forced"; + $disabled{"ssl"} = "forced"; + } + +# (D)TLS 1.0 and TLS 1.1 require MD5 and SHA and either RSA or DSA+DH +# or ECDSA + ECDH. (XXX: We don't support PSK-only builds). +# +if (defined($disabled{"md5"}) || defined($disabled{"sha"}) + || (defined($disabled{"rsa"}) + && (defined($disabled{"dsa"}) || defined($disabled{"dh"})) + && (defined($disabled{"ecdsa"}) || defined($disabled{"ecdh"})))) + { $disabled{"tls1"} = "forced"; + $disabled{"dtls1"} = "forced"; + $disabled{"tls1_1"} = "forced"; + } + +# (D)TLS 1.2 requires either RSA or DSA+DH or ECDSA + ECDH +# So if all are missing, we can't do either TLS or DTLS. +# (XXX: We don't support PSK-only builds). +# +if (defined($disabled{"rsa"}) + && (defined($disabled{"dsa"}) || defined($disabled{"dh"})) + && (defined($disabled{"ecdsa"}) || defined($disabled{"ecdh"}))) + { + $disabled{"tls"} = "forced"; + $disabled{"dtls"} = "forced"; + foreach my $proto ((@tls, @dtls)) + { + $disabled{"$proto"} = "forced"; + } + } + + +# Avoid protocol support holes. Also disable all versions below N, if version +# N is disabled while N+1 is enabled. +# +my $prev_disabled = 1; +my $force_disable = 0; +foreach my $proto (reverse(@tls)) + { + if ($force_disable) + { + $disabled{$proto} = 1; + } + elsif (! defined($disabled{$proto})) + { + $prev_disabled = 0; + } + elsif (! $prev_disabled) + { + $force_disable = 1; + } + } +my $prev_disabled = 1; +my $force_disable = 0; +foreach my $proto (reverse(@dtls)) + { + if ($force_disable) + { + $disabled{$proto} = 1; + } + elsif (! defined($disabled{$proto})) + { + $prev_disabled = 0; + } + elsif (! $prev_disabled) + { + $force_disable = 1; + } } if (defined($disabled{"dgram"})) { - $disabled{"dtls"} = "forced"; - } + $disabled{"dtls"} = "forced"; + $disabled{"dtls1"} = "forced"; + $disabled{"dtls1_2"} = "forced"; + } if (defined($disabled{"ec"}) || defined($disabled{"dsa"}) || defined($disabled{"dh"}) || defined($disabled{"stdio"})) diff --git a/apps/ciphers.c b/apps/ciphers.c index 086ad43657..3e1ed951a2 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -78,15 +78,21 @@ OPTIONS ciphers_options[] = { {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"}, {"V", OPT_UPPER_V, '-', "Even more verbose"}, {"s", OPT_S, '-', "Only supported ciphers"}, +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "SSL3 mode"}, +#endif +#ifndef OPENSSL_NO_TLS1 {"tls1", OPT_TLS1, '-', "TLS1 mode"}, +#endif +#ifndef OPENSSL_NO_TLS1_1 {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"}, +#endif +#ifndef OPENSSL_NO_TLS1_2 {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"}, +#endif #ifndef OPENSSL_NO_SSL_TRACE {"stdname", OPT_STDNAME, '-', "Show standard cipher names"}, #endif -#ifndef OPENSSL_NO_SSL3 - {"ssl3", OPT_SSL3, '-', "SSL3 mode"}, -#endif #ifndef OPENSSL_NO_PSK {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"}, #endif @@ -153,13 +159,19 @@ int ciphers_main(int argc, char **argv) #endif break; case OPT_TLS1: +#ifndef OPENSSL_NO_TLS1 meth = TLSv1_client_method(); +#endif break; case OPT_TLS1_1: +#ifndef OPENSSL_NO_TLS1_1 meth = TLSv1_1_client_method(); +#endif break; case OPT_TLS1_2: +#ifndef OPENSSL_NO_TLS1_2 meth = TLSv1_2_client_method(); +#endif break; case OPT_PSK: #ifndef OPENSSL_NO_PSK diff --git a/apps/openssl.c b/apps/openssl.c index 4f2ba8cd19..37f71a94d6 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -754,6 +754,12 @@ static void list_disabled(void) #if defined(OPENSSL_NO_DTLS) BIO_puts(bio_out, "DTLS\n"); #endif +#if defined(OPENSSL_NO_DTLS1) + BIO_puts(bio_out, "DTLS1\n"); +#endif +#if defined(OPENSSL_NO_DTLS1_2) + BIO_puts(bio_out, "DTLS1_2\n"); +#endif #ifdef OPENSSL_NO_EC BIO_puts(bio_out, "EC\n"); #endif @@ -835,9 +841,24 @@ static void list_disabled(void) #ifdef OPENSSL_NO_SRTP BIO_puts(bio_out, "SRTP\n"); #endif +#ifdef OPENSSL_NO_SSL + BIO_puts(bio_out, "SSL\n"); +#endif #ifdef OPENSSL_NO_SSL3 BIO_puts(bio_out, "SSL3\n"); #endif +#if defined(OPENSSL_NO_TLS) + BIO_puts(bio_out, "TLS\n"); +#endif +#ifdef OPENSSL_NO_TLS1 + BIO_puts(bio_out, "TLS1\n"); +#endif +#ifdef OPENSSL_NO_TLS1_1 + BIO_puts(bio_out, "TLS1_1\n"); +#endif +#ifdef OPENSSL_NO_TLS1_2 + BIO_puts(bio_out, "TLS1_2\n"); +#endif #ifdef OPENSSL_NO_WHIRLPOOL BIO_puts(bio_out, "WHIRLPOOL\n"); #endif diff --git a/apps/s_client.c b/apps/s_client.c index 6d6ad6910c..4dea7c460a 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -675,9 +675,6 @@ OPTIONS s_client_options[] = { {"quiet", OPT_QUIET, '-', "No s_client output"}, {"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"}, {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Don't ignore input eof"}, - {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"}, - {"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"}, - {"tls1", OPT_TLS1, '-', "Just use TLSv1"}, {"starttls", OPT_STARTTLS, 's', "Use the appropriate STARTTLS command before starting TLS"}, {"xmpphost", OPT_XMPPHOST, 's', @@ -727,13 +724,26 @@ OPTIONS s_client_options[] = { #ifndef OPENSSL_NO_SSL3 {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, #endif +#ifndef OPENSSL_NO_TLS1 + {"tls1", OPT_TLS1, '-', "Just use TLSv1"}, +#endif +#ifndef OPENSSL_NO_TLS1_1 + {"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"}, +#endif +#ifndef OPENSSL_NO_TLS1_2 + {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"}, +#endif #ifndef OPENSSL_NO_DTLS {"dtls", OPT_DTLS, '-'}, - {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"}, - {"dtls1_2", OPT_DTLS1_2, '-'}, {"timeout", OPT_TIMEOUT, '-'}, {"mtu", OPT_MTU, 'p', "Set the link layer MTU"}, #endif +#ifndef OPENSSL_NO_DTLS1 + {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"}, +#endif +#ifndef OPENSSL_NO_DTLS1_2 + {"dtls1_2", OPT_DTLS1_2, '-'}, +#endif #ifndef OPENSSL_NO_SSL_TRACE {"trace", OPT_TRACE, '-'}, #endif @@ -1108,41 +1118,48 @@ int s_client_main(int argc, char **argv) #endif break; case OPT_TLS1_2: +#ifndef OPENSSL_NO_TLS1_2 meth = TLSv1_2_client_method(); +#endif break; case OPT_TLS1_1: +#ifndef OPENSSL_NO_TLS1_1 meth = TLSv1_1_client_method(); +#endif break; case OPT_TLS1: +#ifndef OPENSSL_NO_TLS1 meth = TLSv1_client_method(); +#endif break; -#ifndef OPENSSL_NO_DTLS case OPT_DTLS: +#ifndef OPENSSL_NO_DTLS meth = DTLS_client_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_DTLS1: +#ifndef OPENSSL_NO_DTLS1 meth = DTLSv1_client_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_DTLS1_2: +#ifndef OPENSSL_NO_DTLS1_2 meth = DTLSv1_2_client_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_TIMEOUT: +#ifndef OPENSSL_NO_DTLS enable_timeouts = 1; +#endif break; case OPT_MTU: +#ifndef OPENSSL_NO_DTLS socket_mtu = atol(opt_arg()); - break; -#else - case OPT_DTLS: - case OPT_DTLS1: - case OPT_DTLS1_2: - case OPT_TIMEOUT: - case OPT_MTU: - break; #endif + break; case OPT_FALLBACKSCSV: fallback_scsv = 1; break; diff --git a/apps/s_server.c b/apps/s_server.c index 81ee3853bb..93f608319b 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -863,9 +863,6 @@ OPTIONS s_server_options[] = { "Do not load certificates from the default certificates directory"}, {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"}, {"quiet", OPT_QUIET, '-', "No server output"}, - {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"}, - {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"}, - {"tls1", OPT_TLS1, '-', "Just talk TLSv1"}, {"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-', "Disable caching and tickets if ephemeral (EC)DH is used"}, {"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"}, @@ -937,16 +934,29 @@ OPTIONS s_server_options[] = { #ifndef OPENSSL_NO_SSL3 {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"}, #endif +#ifndef OPENSSL_NO_TLS1 + {"tls1", OPT_TLS1, '-', "Just talk TLSv1"}, +#endif +#ifndef OPENSSL_NO_TLS1_1 + {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"}, +#endif +#ifndef OPENSSL_NO_TLS1_2 + {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"}, +#endif #ifndef OPENSSL_NO_DTLS {"dtls", OPT_DTLS, '-'}, - {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"}, - {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"}, {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"}, {"mtu", OPT_MTU, 'p', "Set link layer MTU"}, {"chain", OPT_CHAIN, '-', "Read a certificate chain"}, {"listen", OPT_LISTEN, '-', "Listen for a DTLS ClientHello with a cookie and then connect"}, #endif +#ifndef OPENSSL_NO_DTLS1 + {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"}, +#endif +#ifndef OPENSSL_NO_DTLS1_2 + {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"}, +#endif #ifndef OPENSSL_NO_DH {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"}, #endif @@ -1039,19 +1049,6 @@ int s_server_main(int argc, char *argv[]) prog = opt_init(argc, argv, s_server_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { -#ifdef OPENSSL_NO_PSK - case OPT_PSK_HINT: - case OPT_PSK: -#endif -#ifdef OPENSSL_NO_DTLS - case OPT_DTLS: - case OPT_DTLS1: - case OPT_DTLS1_2: - case OPT_TIMEOUT: - case OPT_MTU: - case OPT_CHAIN: - case OPT_LISTEN: -#endif case OPT_EOF: case OPT_ERR: opthelp: @@ -1299,33 +1296,33 @@ int s_server_main(int argc, char *argv[]) case OPT_NO_RESUME_EPHEMERAL: no_resume_ephemeral = 1; break; -#ifndef OPENSSL_NO_PSK case OPT_PSK_HINT: +#ifndef OPENSSL_NO_PSK psk_identity_hint = opt_arg(); +#endif break; case OPT_PSK: +#ifndef OPENSSL_NO_PSK for (p = psk_key = opt_arg(); *p; p++) { if (isxdigit(*p)) continue; BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); goto end; } - break; #endif -#ifndef OPENSSL_NO_SRP + break; case OPT_SRPVFILE: +#ifndef OPENSSL_NO_SRP srp_verifier_file = opt_arg(); meth = TLSv1_server_method(); +#endif break; case OPT_SRPUSERSEED: +#ifndef OPENSSL_NO_SRP srpuserseed = opt_arg(); meth = TLSv1_server_method(); - break; -#else - case OPT_SRPVFILE: - case OPT_SRPUSERSEED: - break; #endif + break; case OPT_REV: rev = 1; break; @@ -1347,40 +1344,58 @@ int s_server_main(int argc, char *argv[]) #endif break; case OPT_TLS1_2: +#ifndef OPENSSL_NO_TLS1_2 meth = TLSv1_2_server_method(); +#endif break; case OPT_TLS1_1: +#ifndef OPENSSL_NO_TLS1_1 meth = TLSv1_1_server_method(); +#endif break; case OPT_TLS1: +#ifndef OPENSSL_NO_TLS1 meth = TLSv1_server_method(); +#endif break; -#ifndef OPENSSL_NO_DTLS case OPT_DTLS: +#ifndef OPENSSL_NO_DTLS meth = DTLS_server_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_DTLS1: +#ifndef OPENSSL_NO_DTLS1 meth = DTLSv1_server_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_DTLS1_2: +#ifndef OPENSSL_NO_DTLS1_2 meth = DTLSv1_2_server_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_TIMEOUT: +#ifndef OPENSSL_NO_DTLS enable_timeouts = 1; +#endif break; case OPT_MTU: +#ifndef OPENSSL_NO_DTLS socket_mtu = atol(opt_arg()); +#endif break; case OPT_CHAIN: +#ifndef OPENSSL_NO_DTLS cert_chain = 1; +#endif break; case OPT_LISTEN: +#ifndef OPENSSL_NO_DTLS dtlslisten = 1; - break; #endif + break; case OPT_ID_PREFIX: session_id_prefix = opt_arg(); break; diff --git a/ssl/methods.c b/ssl/methods.c index 7a8bb11b77..c0698abd73 100644 --- a/ssl/methods.c +++ b/ssl/methods.c @@ -121,12 +121,18 @@ static const SSL_METHOD *tls1_get_method(int ver) { if (ver == TLS_ANY_VERSION) return TLS_method(); +#ifndef OPENSSL_NO_TLS1_2 if (ver == TLS1_2_VERSION) return TLSv1_2_method(); +#endif +#ifndef OPENSSL_NO_TLS1_1 if (ver == TLS1_1_VERSION) return TLSv1_1_method(); +#endif +#ifndef OPENSSL_NO_TLS1 if (ver == TLS1_VERSION) return TLSv1_method(); +#endif #ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return (SSLv3_method()); @@ -140,20 +146,26 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0, ossl_statem_accept, ossl_statem_connect, tls1_get_method, TLSv1_2_enc_data) +#ifndef OPENSSL_NO_TLS1_2_METHOD IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2, TLSv1_2_method, ossl_statem_accept, ossl_statem_connect, tls1_get_method, TLSv1_2_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_1_METHOD IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1, TLSv1_1_method, ossl_statem_accept, ossl_statem_connect, tls1_get_method, TLSv1_1_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_METHOD IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1, TLSv1_method, ossl_statem_accept, ossl_statem_connect, tls1_get_method, TLSv1_enc_data) +#endif #ifndef OPENSSL_NO_SSL3_METHOD IMPLEMENT_ssl3_meth_func(SSLv3_method, ossl_statem_accept, ossl_statem_connect, @@ -169,12 +181,18 @@ static const SSL_METHOD *tls1_get_server_method(int ver) { if (ver == TLS_ANY_VERSION) return TLS_server_method(); +#ifndef OPENSSL_NO_TLS1_2 if (ver == TLS1_2_VERSION) return TLSv1_2_server_method(); +#endif +#ifndef OPENSSL_NO_TLS1_1 if (ver == TLS1_1_VERSION) return TLSv1_1_server_method(); +#endif +#ifndef OPENSSL_NO_TLS1 if (ver == TLS1_VERSION) return TLSv1_server_method(); +#endif #ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return (SSLv3_server_method()); @@ -188,23 +206,29 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0, ssl_undefined_function, tls1_get_server_method, TLSv1_2_enc_data) +#ifndef OPENSSL_NO_TLS1_2_METHOD IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2, TLSv1_2_server_method, ossl_statem_accept, ssl_undefined_function, tls1_get_server_method, TLSv1_2_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_1_METHOD IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1, TLSv1_1_server_method, ossl_statem_accept, ssl_undefined_function, tls1_get_server_method, TLSv1_1_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_METHOD IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1, TLSv1_server_method, ossl_statem_accept, ssl_undefined_function, tls1_get_server_method, TLSv1_enc_data) +#endif #ifndef OPENSSL_NO_SSL3_METHOD IMPLEMENT_ssl3_meth_func(SSLv3_server_method, @@ -221,12 +245,18 @@ static const SSL_METHOD *tls1_get_client_method(int ver) { if (ver == TLS_ANY_VERSION) return TLS_client_method(); +#ifndef OPENSSL_NO_TLS1_2 if (ver == TLS1_2_VERSION) return TLSv1_2_client_method(); +#endif +#ifndef OPENSSL_NO_TLS1_1 if (ver == TLS1_1_VERSION) return TLSv1_1_client_method(); +#endif +#ifndef OPENSSL_NO_TLS1 if (ver == TLS1_VERSION) return TLSv1_client_method(); +#endif #ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return (SSLv3_client_method()); @@ -240,23 +270,29 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0, ossl_statem_connect, tls1_get_client_method, TLSv1_2_enc_data) +#ifndef OPENSSL_NO_TLS1_2_METHOD IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2, TLSv1_2_client_method, ssl_undefined_function, ossl_statem_connect, tls1_get_client_method, TLSv1_2_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_1_METHOD IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1, TLSv1_1_client_method, ssl_undefined_function, ossl_statem_connect, tls1_get_client_method, TLSv1_1_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_METHOD IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1, TLSv1_client_method, ssl_undefined_function, ossl_statem_connect, tls1_get_client_method, TLSv1_enc_data) +#endif #ifndef OPENSSL_NO_SSL3_METHOD IMPLEMENT_ssl3_meth_func(SSLv3_client_method, @@ -272,25 +308,33 @@ static const SSL_METHOD *dtls1_get_method(int ver) { if (ver == DTLS_ANY_VERSION) return DTLS_method(); +#ifndef OPENSSL_NO_DTLS1 else if (ver == DTLS1_VERSION) return DTLSv1_method(); +#endif +#ifndef OPENSSL_NO_DTLS1_2 else if (ver == DTLS1_2_VERSION) return DTLSv1_2_method(); +#endif else return NULL; } +#ifndef OPENSSL_NO_DTLS1_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1, DTLSv1_method, ossl_statem_accept, ossl_statem_connect, dtls1_get_method, DTLSv1_enc_data) +#endif +#ifndef OPENSSL_NO_DTLS1_2_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, DTLSv1_2_method, ossl_statem_accept, ossl_statem_connect, dtls1_get_method, DTLSv1_2_enc_data) +#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_method, @@ -298,7 +342,6 @@ IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, ossl_statem_connect, dtls1_get_method, DTLSv1_2_enc_data) - /* * DTLS server methods */ @@ -307,25 +350,33 @@ static const SSL_METHOD *dtls1_get_server_method(int ver) { if (ver == DTLS_ANY_VERSION) return DTLS_server_method(); +#ifndef OPENSSL_NO_DTLS1 else if (ver == DTLS1_VERSION) return DTLSv1_server_method(); +#endif +#ifndef OPENSSL_NO_DTLS1_2 else if (ver == DTLS1_2_VERSION) return DTLSv1_2_server_method(); +#endif else return NULL; } +#ifndef OPENSSL_NO_DTLS1_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1, DTLSv1_server_method, ossl_statem_accept, ssl_undefined_function, dtls1_get_server_method, DTLSv1_enc_data) +#endif +#ifndef OPENSSL_NO_DTLS1_2_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, DTLSv1_2_server_method, ossl_statem_accept, ssl_undefined_function, dtls1_get_server_method, DTLSv1_2_enc_data) +#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_server_method, @@ -342,25 +393,33 @@ static const SSL_METHOD *dtls1_get_client_method(int ver) { if (ver == DTLS_ANY_VERSION) return DTLS_client_method(); +#ifndef OPENSSL_NO_DTLS1 else if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) return DTLSv1_client_method(); +#endif +#ifndef OPENSSL_NO_DTLS1_2 else if (ver == DTLS1_2_VERSION) return DTLSv1_2_client_method(); +#endif else return NULL; } +#ifndef OPENSSL_NO_DTLS1_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1, DTLSv1_client_method, ssl_undefined_function, ossl_statem_connect, dtls1_get_client_method, DTLSv1_enc_data) +#endif +#ifndef OPENSSL_NO_DTLS1_2_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, DTLSv1_2_client_method, ssl_undefined_function, ossl_statem_connect, dtls1_get_client_method, DTLSv1_2_enc_data) +#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_client_method, diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 7142128fd7..984df19b58 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -727,11 +727,25 @@ typedef struct { #endif static const version_info tls_version_table[] = { +#ifndef OPENSSL_NO_TLS1_2 { TLS1_2_VERSION, TLSv1_2_client_method, TLSv1_2_server_method }, +#else + { TLS1_2_VERSION, NULL, NULL }, +#endif +#ifndef OPENSSL_NO_TLS1_1 { TLS1_1_VERSION, TLSv1_1_client_method, TLSv1_1_server_method }, +#else + { TLS1_1_VERSION, NULL, NULL }, +#endif +#ifndef OPENSSL_NO_TLS1 { TLS1_VERSION, TLSv1_client_method, TLSv1_server_method }, +#else + { TLS1_VERSION, NULL, NULL }, +#endif #ifndef OPENSSL_NO_SSL3 { SSL3_VERSION, SSLv3_client_method, SSLv3_server_method }, +#else + { SSL3_VERSION, NULL, NULL }, #endif { 0, NULL, NULL }, }; @@ -741,8 +755,16 @@ static const version_info tls_version_table[] = { #endif static const version_info dtls_version_table[] = { +#ifndef OPENSSL_NO_DTLS1_2 { DTLS1_2_VERSION, DTLSv1_2_client_method, DTLSv1_2_server_method }, +#else + { DTLS1_2_VERSION, NULL, NULL }, +#endif +#ifndef OPENSSL_NO_DTLS1 { DTLS1_VERSION, DTLSv1_client_method, DTLSv1_server_method }, +#else + { DTLS1_VERSION, NULL, NULL }, +#endif { 0, NULL, NULL }, }; diff --git a/test/recipes/80-test_ssl.t b/test/recipes/80-test_ssl.t index 0f96b5b5ff..84cdf6ce04 100644 --- a/test/recipes/80-test_ssl.t +++ b/test/recipes/80-test_ssl.t @@ -11,8 +11,12 @@ use OpenSSL::Test::Utils; setup("test_ssl"); -my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk, $no_ssl3, $no_dtls) = - disabled qw/rsa dsa dh ec srp psk ssl3 dtls/; +my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk, + $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, + $no_dtls, $no_dtls1, $no_dtls1_2) = + disabled qw/rsa dsa dh ec srp psk + ssl3 tls1 tls1_1 tls1_2 + dtls dtls1 dtls1_2/; my $digest = "-sha1"; my @reqcmd = ("openssl", "req"); @@ -55,7 +59,7 @@ my $P2intermediate="tmp_intP2.ss"; plan tests => 1 # For testss + 1 # For ssltest -test_cipherlist - + 9 # For the first testssl + + 10 # For the first testssl + 16 # For the first testsslproxy + 16 # For the second testsslproxy ; @@ -316,7 +320,7 @@ sub testssl { } - # plan tests => 9; + # plan tests => 10; subtest 'standard SSL tests' => sub { ###################################################################### @@ -407,7 +411,9 @@ sub testssl { push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss"; } - my @protocols = ("TLSv1.2", "SSLv3"); + my @protocols = (); + push(@protocols, "TLSv1.2") unless $no_tls1_2; + push(@protocols, "SSLv3") unless $no_ssl3; my $protocolciphersuitcount = 0; my %ciphersuites = map { my @c = @@ -568,514 +574,98 @@ sub testssl { } }; - subtest 'Version min/max tests' => sub { - - plan tests => 425; - - SKIP : { - skip "ssl3 disabled", 76 if $no_ssl3; - - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "ssl3"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "ssl3"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "ssl3"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-client"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-should_negotiate", "ssl3"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-should_negotiate", "fail-client"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "ssl3"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "ssl3"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "ssl3"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); - - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"]))); - ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"]))); - ok(run |