Cover DTLS 1.3 in the TLS fuzzers

Also restore 1.0 and 1.1 coverage. We need to explicitly configure the minimum and maximum supported, since the default may be narrower. Bug: 42290594 Change-Id: I690bd7b98401bfd48ea819053152d21120c5922f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/73888 Commit-Queue: David Benjamin <[email protected]> Reviewed-by: Nick Harper <[email protected]>
google · Dec 6, 2024 · 9559c45 · 9559c45
1 parent 4c647a5
commit 9559c45
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/ssl/test/fuzzer.h b/ssl/test/fuzzer.h
@@ -414,7 +414,12 @@ class TLSFuzzer {
     SSL_CTX_enable_ocsp_stapling(ctx_.get());
 
     // Enable versions and ciphers that are off by default.
-    if (!SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL:3DES")) {
+    uint16_t min_version = protocol_ == kDTLS ? DTLS1_VERSION : TLS1_VERSION;
+    uint16_t max_version =
+        protocol_ == kDTLS ? DTLS1_3_VERSION : TLS1_3_VERSION;
+    if (!SSL_CTX_set_min_proto_version(ctx_.get(), min_version) ||
+        !SSL_CTX_set_max_proto_version(ctx_.get(), max_version) ||
+        !SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL:3DES")) {
       return false;
     }