Support disabling any or all TLS or DTLS versions
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2. In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, and so on.
This commit makes it possible to disable any or all of the TLS or
DTLS protocols. It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).
Reviewed-by: Richard Levitte <levitte@openssl.org>
diff --git a/ssl/methods.c b/ssl/methods.c
index 7a8bb11..c0698ab 100644
--- a/ssl/methods.c
+++ b/ssl/methods.c
@@ -121,12 +121,18 @@
{
if (ver == TLS_ANY_VERSION)
return TLS_method();
+#ifndef OPENSSL_NO_TLS1_2
if (ver == TLS1_2_VERSION)
return TLSv1_2_method();
+#endif
+#ifndef OPENSSL_NO_TLS1_1
if (ver == TLS1_1_VERSION)
return TLSv1_1_method();
+#endif
+#ifndef OPENSSL_NO_TLS1
if (ver == TLS1_VERSION)
return TLSv1_method();
+#endif
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return (SSLv3_method());
@@ -140,20 +146,26 @@
ossl_statem_accept,
ossl_statem_connect, tls1_get_method, TLSv1_2_enc_data)
+#ifndef OPENSSL_NO_TLS1_2_METHOD
IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
TLSv1_2_method,
ossl_statem_accept,
ossl_statem_connect, tls1_get_method, TLSv1_2_enc_data)
+#endif
+#ifndef OPENSSL_NO_TLS1_1_METHOD
IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
TLSv1_1_method,
ossl_statem_accept,
ossl_statem_connect, tls1_get_method, TLSv1_1_enc_data)
+#endif
+#ifndef OPENSSL_NO_TLS1_METHOD
IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
TLSv1_method,
ossl_statem_accept,
ossl_statem_connect, tls1_get_method, TLSv1_enc_data)
+#endif
#ifndef OPENSSL_NO_SSL3_METHOD
IMPLEMENT_ssl3_meth_func(SSLv3_method, ossl_statem_accept, ossl_statem_connect,
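Review bot: Nothing in the file explains the difference between `OPENSSL_NO_TLS1_2` (used on the dispatch above) and `OPENSSL_NO_TLS1_2_METHOD` (used here on the definitions), and someone preparing a minimal build has to guess which macro actually removes the protocol from negotiation and which only removes the fixed-version `SSL_METHOD` object. A short comment before the first guarded definition would settle that, e.g. `/* OPENSSL_NO_TLS1_x_METHOD removes only the fixed-version method object; keep it in step with OPENSSL_NO_TLS1_x, which gates the call sites above */`, adjusted to what Configure really enforces, which is not visible from here. The TLS_ANY_VERSION `TLS_method` implementation starts above this hunk and carries no guard, which is presumably intended but is worth stating in the same comment.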
@@ -169,12 +181,18 @@
{
if (ver == TLS_ANY_VERSION)
return TLS_server_method();
+#ifndef OPENSSL_NO_TLS1_2
if (ver == TLS1_2_VERSION)
return TLSv1_2_server_method();
+#endif
+#ifndef OPENSSL_NO_TLS1_1
if (ver == TLS1_1_VERSION)
return TLSv1_1_server_method();
+#endif
+#ifndef OPENSSL_NO_TLS1
if (ver == TLS1_VERSION)
return TLSv1_server_method();
+#endif
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return (SSLv3_server_method());
@@ -188,23 +206,29 @@
ssl_undefined_function,
tls1_get_server_method, TLSv1_2_enc_data)
+#ifndef OPENSSL_NO_TLS1_2_METHOD
IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
TLSv1_2_server_method,
ossl_statem_accept,
ssl_undefined_function,
tls1_get_server_method, TLSv1_2_enc_data)
+#endif
+#ifndef OPENSSL_NO_TLS1_1_METHOD
IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
TLSv1_1_server_method,
ossl_statem_accept,
ssl_undefined_function,
tls1_get_server_method, TLSv1_1_enc_data)
+#endif
+#ifndef OPENSSL_NO_TLS1_METHOD
IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
TLSv1_server_method,
ossl_statem_accept,
ssl_undefined_function,
tls1_get_server_method, TLSv1_enc_data)
+#endif
#ifndef OPENSSL_NO_SSL3_METHOD
IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
@@ -221,12 +245,18 @@
{
if (ver == TLS_ANY_VERSION)
return TLS_client_method();
+#ifndef OPENSSL_NO_TLS1_2
if (ver == TLS1_2_VERSION)
return TLSv1_2_client_method();
+#endif
+#ifndef OPENSSL_NO_TLS1_1
if (ver == TLS1_1_VERSION)
return TLSv1_1_client_method();
+#endif
+#ifndef OPENSSL_NO_TLS1
if (ver == TLS1_VERSION)
return TLSv1_client_method();
+#endif
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return (SSLv3_client_method());
@@ -240,23 +270,29 @@
ossl_statem_connect,
tls1_get_client_method, TLSv1_2_enc_data)
+#ifndef OPENSSL_NO_TLS1_2_METHOD
IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
TLSv1_2_client_method,
ssl_undefined_function,
ossl_statem_connect,
tls1_get_client_method, TLSv1_2_enc_data)
+#endif
+#ifndef OPENSSL_NO_TLS1_1_METHOD
IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
TLSv1_1_client_method,
ssl_undefined_function,
ossl_statem_connect,
tls1_get_client_method, TLSv1_1_enc_data)
+#endif
+#ifndef OPENSSL_NO_TLS1_METHOD
IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
TLSv1_client_method,
ssl_undefined_function,
ossl_statem_connect,
tls1_get_client_method, TLSv1_enc_data)
+#endif
#ifndef OPENSSL_NO_SSL3_METHOD
IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
@@ -272,25 +308,33 @@
{
if (ver == DTLS_ANY_VERSION)
return DTLS_method();
+#ifndef OPENSSL_NO_DTLS1
else if (ver == DTLS1_VERSION)
return DTLSv1_method();
+#endif
+#ifndef OPENSSL_NO_DTLS1_2
else if (ver == DTLS1_2_VERSION)
return DTLSv1_2_method();
+#endif
else
return NULL;
}
+#ifndef OPENSSL_NO_DTLS1_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
DTLSv1_method,
ossl_statem_accept,
ossl_statem_connect,
dtls1_get_method, DTLSv1_enc_data)
+#endif
+#ifndef OPENSSL_NO_DTLS1_2_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
DTLSv1_2_method,
ossl_statem_accept,
ossl_statem_connect,
dtls1_get_method, DTLSv1_2_enc_data)
+#endif
IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
DTLS_method,
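Review bot: dtls1_get_method now returns NULL for `DTLS1_VERSION` or `DTLS1_2_VERSION` when that protocol is compiled out, yet the DTLS_ANY_VERSION `DTLS_method` implementation that begins on the last two lines of this hunk is built unconditionally with `DTLSv1_2_enc_data`. If a build disables both DTLS 1.0 and DTLS 1.2 without disabling DTLS as a whole, `DTLS_method()` would still be offered with no version left to negotiate; either guard that implementation as well or confirm that Configure rejects the combination. Every caller of this dispatcher must now treat NULL as "version not built", so a one-line comment on the fallback, `/* NULL: this DTLS version was compiled out */`, would make the contract explicit. The DTLS_ANY_VERSION implementation continues past the end of the hunk.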
@@ -298,7 +342,6 @@
ossl_statem_connect,
dtls1_get_method, DTLSv1_2_enc_data)
-
/*
* DTLS server methods
*/
@@ -307,25 +350,33 @@
{
if (ver == DTLS_ANY_VERSION)
return DTLS_server_method();
+#ifndef OPENSSL_NO_DTLS1
else if (ver == DTLS1_VERSION)
return DTLSv1_server_method();
+#endif
+#ifndef OPENSSL_NO_DTLS1_2
else if (ver == DTLS1_2_VERSION)
return DTLSv1_2_server_method();
+#endif
else
return NULL;
}
+#ifndef OPENSSL_NO_DTLS1_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
DTLSv1_server_method,
ossl_statem_accept,
ssl_undefined_function,
dtls1_get_server_method, DTLSv1_enc_data)
+#endif
+#ifndef OPENSSL_NO_DTLS1_2_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
DTLSv1_2_server_method,
ossl_statem_accept,
ssl_undefined_function,
dtls1_get_server_method, DTLSv1_2_enc_data)
+#endif
IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
DTLS_server_method,
@@ -342,25 +393,33 @@
{
if (ver == DTLS_ANY_VERSION)
return DTLS_client_method();
+#ifndef OPENSSL_NO_DTLS1
else if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
return DTLSv1_client_method();
+#endif
+#ifndef OPENSSL_NO_DTLS1_2
else if (ver == DTLS1_2_VERSION)
return DTLSv1_2_client_method();
+#endif
else
return NULL;
}
+#ifndef OPENSSL_NO_DTLS1_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
DTLSv1_client_method,
ssl_undefined_function,
ossl_statem_connect,
dtls1_get_client_method, DTLSv1_enc_data)
+#endif
+#ifndef OPENSSL_NO_DTLS1_2_METHOD
IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
DTLSv1_2_client_method,
ssl_undefined_function,
ossl_statem_connect,
dtls1_get_client_method, DTLSv1_2_enc_data)
+#endif
IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
DTLS_client_method,
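Review bot: Placing `ver == DTLS1_BAD_VER` inside the `#ifndef OPENSSL_NO_DTLS1` guard means disabling DTLS 1.0 also removes the client's acceptance of the non-standard bad-version variant; that coupling looks right since both map to `DTLSv1_client_method`, but it is the only spot in the file where one macro silently covers two version numbers, and it deserves a comment such as `/* DTLS1_BAD_VER is served by the DTLS 1.0 method, so it is compiled out with it */`. The DTLS_ANY_VERSION client implementation starting on the last two lines continues past the hunk.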