From f612673049b93387eb7f93c207aca821496da861 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 Mar 2023 12:02:33 +0100
Subject: [PATCH] Extend the min/max protocol testing

Add more test cases and ensure we test DTLS and QUIC too

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20830)
---
 test/ssl_ctx_test.c | 78 +++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 71 insertions(+), 7 deletions(-)

diff --git a/test/ssl_ctx_test.c b/test/ssl_ctx_test.c
index e461d72595..ea7aadc2f6 100644
--- a/test/ssl_ctx_test.c
+++ b/test/ssl_ctx_test.c
@@ -11,6 +11,7 @@
 #include <openssl/ssl.h>
 
 typedef struct {
+    int proto;
     int min_version;
     int max_version;
     int min_ok;
@@ -19,13 +20,54 @@ typedef struct {
     int expected_max;
 } version_test;
 
+#define PROTO_TLS  0
+#define PROTO_DTLS 1
+#define PROTO_QUIC 2
+
+/*
+ * If a version is valid for *any* protocol then setting the min/max protocol is
+ * expected to return success, even if that version is not valid for *this*
+ * protocol. However it only has an effect if it is valid for *this* protocol -
+ * otherwise it is ignored.
+ */
 static const version_test version_testdata[] = {
-    /* min           max             ok    expected min    expected max */
-    {0,              0,              1, 1, 0,              0},
-    {TLS1_VERSION,   TLS1_2_VERSION, 1, 1, TLS1_VERSION,   TLS1_2_VERSION},
-    {TLS1_2_VERSION, TLS1_2_VERSION, 1, 1, TLS1_2_VERSION, TLS1_2_VERSION},
-    {TLS1_2_VERSION, TLS1_1_VERSION, 1, 1, TLS1_2_VERSION, TLS1_1_VERSION},
-    {7,              42,             0, 0, 0,              0},
+    /* proto     min                     max                     ok    expected min        expected max */
+    {PROTO_TLS,  0,                      0,                      1, 1, 0,                  0},
+    {PROTO_TLS,  SSL3_VERSION,           TLS1_3_VERSION,         1, 1, SSL3_VERSION,       TLS1_3_VERSION},
+    {PROTO_TLS,  TLS1_VERSION,           TLS1_3_VERSION,         1, 1, TLS1_VERSION,       TLS1_3_VERSION},
+    {PROTO_TLS,  TLS1_VERSION,           TLS1_2_VERSION,         1, 1, TLS1_VERSION,       TLS1_2_VERSION},
+    {PROTO_TLS,  TLS1_2_VERSION,         TLS1_2_VERSION,         1, 1, TLS1_2_VERSION,     TLS1_2_VERSION},
+    {PROTO_TLS,  TLS1_2_VERSION,         TLS1_1_VERSION,         1, 1, TLS1_2_VERSION,     TLS1_1_VERSION},
+    {PROTO_TLS,  SSL3_VERSION - 1,       TLS1_3_VERSION,         0, 1, 0,                  TLS1_3_VERSION},
+    {PROTO_TLS,  SSL3_VERSION,           TLS1_3_VERSION + 1,     1, 0, SSL3_VERSION,       0},
+#ifndef OPENSSL_NO_DTLS
+    {PROTO_TLS,  DTLS1_VERSION,          DTLS1_2_VERSION,        1, 1, 0,                  0},
+#endif
+    {PROTO_TLS,  OSSL_QUIC1_VERSION,     OSSL_QUIC1_VERSION,     0, 0, 0,                  0},
+    {PROTO_TLS,  7,                      42,                     0, 0, 0,                  0},
+    {PROTO_DTLS, 0,                      0,                      1, 1, 0,                  0},
+    {PROTO_DTLS, DTLS1_VERSION,          DTLS1_2_VERSION,        1, 1, DTLS1_VERSION,      DTLS1_2_VERSION},
+#ifndef OPENSSL_NO_DTLS1_2
+    {PROTO_DTLS, DTLS1_2_VERSION,        DTLS1_2_VERSION,        1, 1, DTLS1_2_VERSION,    DTLS1_2_VERSION},
+#endif
+#ifndef OPENSSL_NO_DTLS1
+    {PROTO_DTLS, DTLS1_VERSION,          DTLS1_VERSION,          1, 1, DTLS1_VERSION,      DTLS1_VERSION},
+#endif
+#if !defined(OPENSSL_NO_DTLS1) && !defined(OPENSSL_NO_DTLS1_2)
+    {PROTO_DTLS, DTLS1_2_VERSION,        DTLS1_VERSION,          1, 1, DTLS1_2_VERSION,    DTLS1_VERSION},
+#endif
+    {PROTO_DTLS, DTLS1_VERSION + 1,      DTLS1_2_VERSION,        0, 1, 0,                  DTLS1_2_VERSION},
+    {PROTO_DTLS, DTLS1_VERSION,          DTLS1_2_VERSION - 1,    1, 0, DTLS1_VERSION,      0},
+    {PROTO_DTLS, TLS1_VERSION,           TLS1_3_VERSION,         1, 1, 0,                  0},
+    {PROTO_DTLS, OSSL_QUIC1_VERSION,     OSSL_QUIC1_VERSION,     0, 0, 0,                  0},
+    /* These functions never have an effect when called on a QUIC object */
+    {PROTO_QUIC, 0,                      0,                      1, 1, 0,                  0},
+    {PROTO_QUIC, OSSL_QUIC1_VERSION,     OSSL_QUIC1_VERSION,     0, 0, 0,                  0},
+    {PROTO_QUIC, OSSL_QUIC1_VERSION,     OSSL_QUIC1_VERSION + 1, 0, 0, 0,                  0},
+    {PROTO_QUIC, TLS1_VERSION,           TLS1_3_VERSION,         1, 1, 0,                  0},
+#ifndef OPENSSL_NO_DTLS
+    {PROTO_QUIC, DTLS1_VERSION,          DTLS1_2_VERSION,        1, 1, 0,                  0},
+#endif
 };
 
 static int test_set_min_max_version(int idx_tst)
@@ -34,8 +76,30 @@ static int test_set_min_max_version(int idx_tst)
     SSL *ssl = NULL;
     int testresult = 0;
     version_test t = version_testdata[idx_tst];
+    const SSL_METHOD *meth = NULL;
 
-    ctx = SSL_CTX_new(TLS_server_method());
+    switch (t.proto) {
+    case PROTO_TLS:
+        meth = TLS_client_method();
+        break;
+
+#ifndef OPENSSL_NO_DTLS
+    case PROTO_DTLS:
+        meth = DTLS_client_method();
+        break;
+#endif
+
+#ifndef OPENSSL_NO_QUIC
+    case PROTO_QUIC:
+        meth = OSSL_QUIC_client_method();
+        break;
+#endif
+    }
+
+    if (meth == NULL)
+        return TEST_skip("Protocol not supported");
+
+    ctx = SSL_CTX_new(meth);
     if (ctx == NULL)
         goto end;