[glib-networking/rufferson/openssl/tests/other: 6/7] Add ability to cap OpenSSL TLS version



commit 096fe19b82f8751d89f0667ae11018239b4f2a5e
Author: Ruslan N. Marchenko <me ruff mobi>
Date:   Sun Jul 5 14:17:10 2020 +0200

    Add ability to cap OpenSSL TLS version

 tls/openssl/gtlsclientconnection-openssl.c | 19 ++++++++++++++++++-
 tls/openssl/gtlsserverconnection-openssl.c | 19 ++++++++++++++++++-
 tls/tests/meson.build                      |  8 ++++++--
 3 files changed, 42 insertions(+), 4 deletions(-)
---
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index 83210dd..55772bc 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -299,7 +299,7 @@ static gboolean
 set_cipher_list (GTlsClientConnectionOpenssl  *client,
                  GError                      **error)
 {
-  const gchar *cipher_list;
+  const gchar *cipher_list, *proto;
 
   cipher_list = g_getenv ("G_TLS_OPENSSL_CIPHER_LIST");
   if (!cipher_list)
@@ -313,6 +313,23 @@ set_cipher_list (GTlsClientConnectionOpenssl  *client,
       return FALSE;
     }
 
+  proto = g_getenv ("G_TLS_OPENSSL_MAX_PROTO");
+  if (proto)
+    {
+      gint64 version = g_ascii_strtoll (proto, NULL, 0);
+
+      if (version > 0 && version < G_MAXINT64)
+        {
+          if (!SSL_CTX_set_max_proto_version (client->ssl_ctx, (int)version))
+            {
+              g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                           _("Could not set MAX protocol to %ld: %s"),
+                           version, ERR_error_string (ERR_get_error (), NULL));
+              return FALSE;
+            }
+        }
+    }
+
   return TRUE;
 }
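Review bot: The `g_set_error` call formats the `gint64` `version` with `%ld`, which only matches on LP64 targets; on 32-bit and Windows (LLP64) builds `gint64` is `long long` and the mismatch is undefined behaviour (GLib's portable spelling is `_("Could not set MAX protocol to %" G_GINT64_FORMAT ": %s")`). The range check `version > 0 && version < G_MAXINT64` also admits values above `G_MAXINT` that the `(int)` cast then truncates, and passing `NULL` as the end pointer to `g_ascii_strtoll` means a mistyped value ("0x303x", "tls1.2") is either silently ignored or partially parsed, so a test run intended to be capped at TLS 1.2 could negotiate TLS 1.3 without any signal. I would validate the whole string, bound it to `G_MAXINT`, and fail loudly on a malformed value, as below; a short comment such as `/* Test hook: caps the version negotiated by this context; the value is an OpenSSL TLS*_VERSION code, e.g. 0x0303 for TLS 1.2. */` would also help readers who meet the variable in meson.build. The same code is duplicated in the `set_cipher_list` hunk of tls/openssl/gtlsserverconnection-openssl.c and needs the identical fix; the enclosing function starts outside this hunk.
```c
  proto = g_getenv ("G_TLS_OPENSSL_MAX_PROTO");
  if (proto)
    {
      gchar *end = NULL;
      gint64 version = g_ascii_strtoll (proto, &end, 0);

      /* Only accept a fully parsed value that fits the int OpenSSL expects. */
      if (end == proto || *end != '\0' || version <= 0 || version > G_MAXINT)
        {
          g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
                       _("Invalid G_TLS_OPENSSL_MAX_PROTO value: %s"), proto);
          return FALSE;
        }

      if (!SSL_CTX_set_max_proto_version (client->ssl_ctx, (int) version))
        {
          g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
                       _("Could not set MAX protocol to %" G_GINT64_FORMAT ": %s"),
                       version, ERR_error_string (ERR_get_error (), NULL));
          return FALSE;
        }
    }
```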
 
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index 279d9a5..dda1146 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -335,7 +335,7 @@ static gboolean
 set_cipher_list (GTlsServerConnectionOpenssl  *server,
                  GError                      **error)
 {
-  const gchar *cipher_list;
+  const gchar *cipher_list, *proto;
 
   cipher_list = g_getenv ("G_TLS_OPENSSL_CIPHER_LIST");
   if (!cipher_list)
@@ -349,6 +349,23 @@ set_cipher_list (GTlsServerConnectionOpenssl  *server,
       return FALSE;
     }
 
+  proto = g_getenv ("G_TLS_OPENSSL_MAX_PROTO");
+  if (proto)
+    {
+      gint64 version = g_ascii_strtoll (proto, NULL, 0);
+
+      if (version > 0 && version < G_MAXINT64)
+        {
+          if (!SSL_CTX_set_max_proto_version (server->ssl_ctx, (int)version))
+            {
+              g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                           _("Could not set MAX protocol to %ld: %s"),
+                           version, ERR_error_string (ERR_get_error (), NULL));
+              return FALSE;
+            }
+        }
+    }
+
   return TRUE;
 }
 
diff --git a/tls/tests/meson.build b/tls/tests/meson.build
index 4a172b6..9d3f87d 100644
--- a/tls/tests/meson.build
+++ b/tls/tests/meson.build
@@ -82,9 +82,13 @@ foreach backend: backends
 
     test(program_name, exe, env: test_envs)
 
-    if backend == 'gnutls' and program[0] == 'connection' or program[0] == 'dtls-connection'
+    if program[0] == 'connection' or program[0] == 'dtls-connection'
       # Run the tests again, this time with TLS 1.3 disabled so we can test TLS 1.2.
-      test(program_name + '-tls1.2', exe, env: test_envs + 
['G_TLS_GNUTLS_PRIORITY=NORMAL:%COMPAT:!VERS-TLS1.3'])
+      if backend == 'gnutls'
+        test(program_name + '-tls1.2', exe, env: test_envs + 
['G_TLS_GNUTLS_PRIORITY=NORMAL:%COMPAT:!VERS-TLS1.3'])
+      elif backend == 'openssl'
+        test(program_name + '-tls1.2', exe, env: test_envs + ['G_TLS_OPENSSL_MAX_PROTO=0x0303'])
+      endif
     endif
   endforeach
 endforeach
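Review bot: The new `openssl` branch passes `G_TLS_OPENSSL_MAX_PROTO=0x0303` for the `dtls-connection` program as well as `connection`, but 0x0303 is OpenSSL's TLS1_2_VERSION code; if the OpenSSL backend builds that test on a DTLS method, OpenSSL rejects a TLS version code as a bound (the DTLS 1.2 code is 0xFEFD), so the DTLS "-tls1.2" run would presumably fail at context setup rather than exercise DTLS 1.2 — worth confirming against the backend before relying on that test. The bare constant also deserves a comment next to the `elif backend == 'openssl'` line, e.g. `# 0x0303 is OpenSSL's TLS1_2_VERSION; caps negotiation at TLS 1.2`, since readers of the tests cannot see the C side that interprets it. The restructured condition also fixes the old `and`/`or` precedence so the 1.2 re-run is now limited to those two programs for every backend, which is the intended behaviour but is not mentioned in the commit message.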

