diff options
| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-18 19:10:21 +0100 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-19 15:57:15 +0100 |
| commit | 6b01bed206156dbcb1ab150f618c8b24c01fb0d0 (patch) | |
| tree | 667ea072f731ab8904a121f5b57adb01e40df4af /ssl/methods.c | |
| parent | Add documentation for EVP_PKEY_TLS1_PRF (diff) | |
| download | openssl-6b01bed206156dbcb1ab150f618c8b24c01fb0d0.tar.xz openssl-6b01bed206156dbcb1ab150f618c8b24c01fb0d0.zip | |
Support disabling any or all TLS or DTLS versions
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2. In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...
This commit makes it possible to disable any or all of the TLS or
DTLS protocols. It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'ssl/methods.c')
| -rw-r--r-- | ssl/methods.c | 61 |
1 files changed, 60 insertions, 1 deletions
diff --git a/ssl/methods.c b/ssl/methods.c index 7a8bb11b77..c0698abd73 100644 --- a/ssl/methods.c +++ b/ssl/methods.c @@ -121,12 +121,18 @@ static const SSL_METHOD *tls1_get_method(int ver) { if (ver == TLS_ANY_VERSION) return TLS_method(); +#ifndef OPENSSL_NO_TLS1_2 if (ver == TLS1_2_VERSION) return TLSv1_2_method(); +#endif +#ifndef OPENSSL_NO_TLS1_1 if (ver == TLS1_1_VERSION) return TLSv1_1_method(); +#endif +#ifndef OPENSSL_NO_TLS1 if (ver == TLS1_VERSION) return TLSv1_method(); +#endif #ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return (SSLv3_method()); @@ -140,20 +146,26 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0, ossl_statem_accept, ossl_statem_connect, tls1_get_method, TLSv1_2_enc_data) +#ifndef OPENSSL_NO_TLS1_2_METHOD IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2, TLSv1_2_method, ossl_statem_accept, ossl_statem_connect, tls1_get_method, TLSv1_2_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_1_METHOD IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1, TLSv1_1_method, ossl_statem_accept, ossl_statem_connect, tls1_get_method, TLSv1_1_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_METHOD IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1, TLSv1_method, ossl_statem_accept, ossl_statem_connect, tls1_get_method, TLSv1_enc_data) +#endif #ifndef OPENSSL_NO_SSL3_METHOD IMPLEMENT_ssl3_meth_func(SSLv3_method, ossl_statem_accept, ossl_statem_connect, @@ -169,12 +181,18 @@ static const SSL_METHOD *tls1_get_server_method(int ver) { if (ver == TLS_ANY_VERSION) return TLS_server_method(); +#ifndef OPENSSL_NO_TLS1_2 if (ver == TLS1_2_VERSION) return TLSv1_2_server_method(); +#endif +#ifndef OPENSSL_NO_TLS1_1 if (ver == TLS1_1_VERSION) return TLSv1_1_server_method(); +#endif +#ifndef OPENSSL_NO_TLS1 if (ver == TLS1_VERSION) return TLSv1_server_method(); +#endif #ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return (SSLv3_server_method()); @@ -188,23 +206,29 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0, ssl_undefined_function, tls1_get_server_method, TLSv1_2_enc_data) +#ifndef OPENSSL_NO_TLS1_2_METHOD IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2, TLSv1_2_server_method, ossl_statem_accept, ssl_undefined_function, tls1_get_server_method, TLSv1_2_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_1_METHOD IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1, TLSv1_1_server_method, ossl_statem_accept, ssl_undefined_function, tls1_get_server_method, TLSv1_1_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_METHOD IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1, TLSv1_server_method, ossl_statem_accept, ssl_undefined_function, tls1_get_server_method, TLSv1_enc_data) +#endif #ifndef OPENSSL_NO_SSL3_METHOD IMPLEMENT_ssl3_meth_func(SSLv3_server_method, @@ -221,12 +245,18 @@ static const SSL_METHOD *tls1_get_client_method(int ver) { if (ver == TLS_ANY_VERSION) return TLS_client_method(); +#ifndef OPENSSL_NO_TLS1_2 if (ver == TLS1_2_VERSION) return TLSv1_2_client_method(); +#endif +#ifndef OPENSSL_NO_TLS1_1 if (ver == TLS1_1_VERSION) return TLSv1_1_client_method(); +#endif +#ifndef OPENSSL_NO_TLS1 if (ver == TLS1_VERSION) return TLSv1_client_method(); +#endif #ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return (SSLv3_client_method()); @@ -240,23 +270,29 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0, ossl_statem_connect, tls1_get_client_method, TLSv1_2_enc_data) +#ifndef OPENSSL_NO_TLS1_2_METHOD IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2, TLSv1_2_client_method, ssl_undefined_function, ossl_statem_connect, tls1_get_client_method, TLSv1_2_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_1_METHOD IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1, TLSv1_1_client_method, ssl_undefined_function, ossl_statem_connect, tls1_get_client_method, TLSv1_1_enc_data) +#endif +#ifndef OPENSSL_NO_TLS1_METHOD IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1, TLSv1_client_method, ssl_undefined_function, ossl_statem_connect, tls1_get_client_method, TLSv1_enc_data) +#endif #ifndef OPENSSL_NO_SSL3_METHOD IMPLEMENT_ssl3_meth_func(SSLv3_client_method, @@ -272,25 +308,33 @@ static const SSL_METHOD *dtls1_get_method(int ver) { if (ver == DTLS_ANY_VERSION) return DTLS_method(); +#ifndef OPENSSL_NO_DTLS1 else if (ver == DTLS1_VERSION) return DTLSv1_method(); +#endif +#ifndef OPENSSL_NO_DTLS1_2 else if (ver == DTLS1_2_VERSION) return DTLSv1_2_method(); +#endif else return NULL; } +#ifndef OPENSSL_NO_DTLS1_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1, DTLSv1_method, ossl_statem_accept, ossl_statem_connect, dtls1_get_method, DTLSv1_enc_data) +#endif +#ifndef OPENSSL_NO_DTLS1_2_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, DTLSv1_2_method, ossl_statem_accept, ossl_statem_connect, dtls1_get_method, DTLSv1_2_enc_data) +#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_method, @@ -298,7 +342,6 @@ IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, ossl_statem_connect, dtls1_get_method, DTLSv1_2_enc_data) - /* * DTLS server methods */ @@ -307,25 +350,33 @@ static const SSL_METHOD *dtls1_get_server_method(int ver) { if (ver == DTLS_ANY_VERSION) return DTLS_server_method(); +#ifndef OPENSSL_NO_DTLS1 else if (ver == DTLS1_VERSION) return DTLSv1_server_method(); +#endif +#ifndef OPENSSL_NO_DTLS1_2 else if (ver == DTLS1_2_VERSION) return DTLSv1_2_server_method(); +#endif else return NULL; } +#ifndef OPENSSL_NO_DTLS1_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1, DTLSv1_server_method, ossl_statem_accept, ssl_undefined_function, dtls1_get_server_method, DTLSv1_enc_data) +#endif +#ifndef OPENSSL_NO_DTLS1_2_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, DTLSv1_2_server_method, ossl_statem_accept, ssl_undefined_function, dtls1_get_server_method, DTLSv1_2_enc_data) +#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_server_method, @@ -342,25 +393,33 @@ static const SSL_METHOD *dtls1_get_client_method(int ver) { if (ver == DTLS_ANY_VERSION) return DTLS_client_method(); +#ifndef OPENSSL_NO_DTLS1 else if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) return DTLSv1_client_method(); +#endif +#ifndef OPENSSL_NO_DTLS1_2 else if (ver == DTLS1_2_VERSION) return DTLSv1_2_client_method(); +#endif else return NULL; } +#ifndef OPENSSL_NO_DTLS1_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1, DTLSv1_client_method, ssl_undefined_function, ossl_statem_connect, dtls1_get_client_method, DTLSv1_enc_data) +#endif +#ifndef OPENSSL_NO_DTLS1_2_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, DTLSv1_2_client_method, ssl_undefined_function, ossl_statem_connect, dtls1_get_client_method, DTLSv1_2_enc_data) +#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_client_method, |