1 /* $OpenBSD: ssl_versions.c,v 1.14 2021/03/17 17:43:31 jsing Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <openssl/ssl.h> 19 20 #include "ssl_locl.h" 21 22 struct version_range_test { 23 const long options; 24 const uint16_t minver; 25 const uint16_t maxver; 26 const uint16_t want_minver; 27 const uint16_t want_maxver; 28 }; 29 30 static struct version_range_test version_range_tests[] = { 31 { 32 .options = 0, 33 .minver = TLS1_VERSION, 34 .maxver = TLS1_3_VERSION, 35 .want_minver = TLS1_VERSION, 36 .want_maxver = TLS1_3_VERSION, 37 }, 38 { 39 .options = 0, 40 .minver = TLS1_VERSION, 41 .maxver = TLS1_2_VERSION, 42 .want_minver = TLS1_VERSION, 43 .want_maxver = TLS1_2_VERSION, 44 }, 45 { 46 .options = SSL_OP_NO_TLSv1, 47 .minver = TLS1_VERSION, 48 .maxver = TLS1_2_VERSION, 49 .want_minver = TLS1_1_VERSION, 50 .want_maxver = TLS1_2_VERSION, 51 }, 52 { 53 .options = SSL_OP_NO_TLSv1_3, 54 .minver = TLS1_VERSION, 55 .maxver = TLS1_3_VERSION, 56 .want_minver = TLS1_VERSION, 57 .want_maxver = TLS1_2_VERSION, 58 }, 59 { 60 .options = SSL_OP_NO_TLSv1_2, 61 .minver = TLS1_VERSION, 62 .maxver = TLS1_2_VERSION, 63 .want_minver = TLS1_VERSION, 64 .want_maxver = TLS1_1_VERSION, 65 }, 66 { 67 .options = SSL_OP_NO_TLSv1_1, 68 .minver = TLS1_VERSION, 69 .maxver = TLS1_2_VERSION, 70 .want_minver = TLS1_VERSION, 71 .want_maxver = TLS1_VERSION, 72 }, 73 { 74 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 75 .minver = TLS1_VERSION, 76 .maxver = TLS1_2_VERSION, 77 .want_minver = TLS1_2_VERSION, 78 .want_maxver = TLS1_2_VERSION, 79 }, 80 { 81 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 82 .minver = TLS1_VERSION, 83 .maxver = TLS1_2_VERSION, 84 .want_minver = TLS1_VERSION, 85 .want_maxver = TLS1_VERSION, 86 }, 87 { 88 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2, 89 .minver = TLS1_VERSION, 90 .maxver = TLS1_2_VERSION, 91 .want_minver = TLS1_1_VERSION, 92 .want_maxver = TLS1_1_VERSION, 93 }, 94 { 95 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 96 SSL_OP_NO_TLSv1_2, 97 .minver = TLS1_VERSION, 98 .maxver = TLS1_2_VERSION, 99 .want_minver = 0, 100 .want_maxver = 0, 101 }, 102 { 103 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 104 SSL_OP_NO_TLSv1_2, 105 .minver = TLS1_VERSION, 106 .maxver = TLS1_3_VERSION, 107 .want_minver = TLS1_3_VERSION, 108 .want_maxver = TLS1_3_VERSION, 109 }, 110 { 111 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 112 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3, 113 .minver = TLS1_VERSION, 114 .maxver = TLS1_3_VERSION, 115 .want_minver = 0, 116 .want_maxver = 0, 117 }, 118 { 119 .options = 0, 120 .minver = TLS1_VERSION, 121 .maxver = TLS1_2_VERSION, 122 .want_minver = TLS1_VERSION, 123 .want_maxver = TLS1_2_VERSION, 124 }, 125 { 126 .options = 0, 127 .minver = TLS1_1_VERSION, 128 .maxver = TLS1_2_VERSION, 129 .want_minver = TLS1_1_VERSION, 130 .want_maxver = TLS1_2_VERSION, 131 }, 132 { 133 .options = 0, 134 .minver = TLS1_2_VERSION, 135 .maxver = TLS1_2_VERSION, 136 .want_minver = TLS1_2_VERSION, 137 .want_maxver = TLS1_2_VERSION, 138 }, 139 { 140 .options = 0, 141 .minver = TLS1_VERSION, 142 .maxver = TLS1_3_VERSION, 143 .want_minver = TLS1_VERSION, 144 .want_maxver = TLS1_3_VERSION, 145 }, 146 { 147 .options = 0, 148 .minver = TLS1_1_VERSION, 149 .maxver = TLS1_3_VERSION, 150 .want_minver = TLS1_1_VERSION, 151 .want_maxver = TLS1_3_VERSION, 152 }, 153 { 154 .options = 0, 155 .minver = TLS1_2_VERSION, 156 .maxver = TLS1_3_VERSION, 157 .want_minver = TLS1_2_VERSION, 158 .want_maxver = TLS1_3_VERSION, 159 }, 160 { 161 .options = 0, 162 .minver = TLS1_3_VERSION, 163 .maxver = TLS1_3_VERSION, 164 .want_minver = TLS1_3_VERSION, 165 .want_maxver = TLS1_3_VERSION, 166 }, 167 { 168 .options = 0, 169 .minver = TLS1_VERSION, 170 .maxver = TLS1_1_VERSION, 171 .want_minver = TLS1_VERSION, 172 .want_maxver = TLS1_1_VERSION, 173 }, 174 { 175 .options = 0, 176 .minver = TLS1_VERSION, 177 .maxver = TLS1_VERSION, 178 .want_minver = TLS1_VERSION, 179 .want_maxver = TLS1_VERSION, 180 }, 181 }; 182 183 #define N_VERSION_RANGE_TESTS \ 184 (sizeof(version_range_tests) / sizeof(*version_range_tests)) 185 186 static int 187 test_ssl_enabled_version_range(void) 188 { 189 struct version_range_test *vrt; 190 uint16_t minver, maxver; 191 SSL_CTX *ssl_ctx = NULL; 192 SSL *ssl = NULL; 193 int failed = 1; 194 size_t i; 195 196 fprintf(stderr, "INFO: starting enabled version range tests...\n"); 197 198 if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) { 199 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 200 goto failure; 201 } 202 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 203 fprintf(stderr, "SSL_new() returned NULL\n"); 204 goto failure; 205 } 206 207 failed = 0; 208 209 for (i = 0; i < N_VERSION_RANGE_TESTS; i++) { 210 vrt = &version_range_tests[i]; 211 212 SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 213 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); 214 SSL_set_options(ssl, vrt->options); 215 216 minver = maxver = 0xffff; 217 ssl->internal->min_tls_version = vrt->minver; 218 ssl->internal->max_tls_version = vrt->maxver; 219 220 if (ssl_enabled_tls_version_range(ssl, &minver, &maxver) != 1) { 221 if (vrt->want_minver != 0 || vrt->want_maxver != 0) { 222 fprintf(stderr, "FAIL: test %zu - failed but " 223 "wanted non-zero versions\n", i); 224 failed++; 225 } 226 continue; 227 } 228 if (minver != vrt->want_minver) { 229 fprintf(stderr, "FAIL: test %zu - got minver %x, " 230 "want %x\n", i, minver, vrt->want_minver); 231 failed++; 232 } 233 if (maxver != vrt->want_maxver) { 234 fprintf(stderr, "FAIL: test %zu - got maxver %x, " 235 "want %x\n", i, maxver, vrt->want_maxver); 236 failed++; 237 } 238 } 239 240 failure: 241 SSL_CTX_free(ssl_ctx); 242 SSL_free(ssl); 243 244 return (failed); 245 } 246 247 struct shared_version_test { 248 const SSL_METHOD *(*ssl_method)(void); 249 const long options; 250 const uint16_t minver; 251 const uint16_t maxver; 252 const uint16_t peerver; 253 const uint16_t want_maxver; 254 }; 255 256 static struct shared_version_test shared_version_tests[] = { 257 { 258 .ssl_method = TLS_method, 259 .options = 0, 260 .minver = TLS1_VERSION, 261 .maxver = TLS1_2_VERSION, 262 .peerver = SSL2_VERSION, 263 .want_maxver = 0, 264 }, 265 { 266 .ssl_method = TLS_method, 267 .options = 0, 268 .minver = TLS1_VERSION, 269 .maxver = TLS1_2_VERSION, 270 .peerver = SSL3_VERSION, 271 .want_maxver = 0, 272 }, 273 { 274 .ssl_method = TLS_method, 275 .options = 0, 276 .minver = TLS1_VERSION, 277 .maxver = TLS1_2_VERSION, 278 .peerver = TLS1_VERSION, 279 .want_maxver = TLS1_VERSION, 280 }, 281 { 282 .ssl_method = TLS_method, 283 .options = 0, 284 .minver = TLS1_VERSION, 285 .maxver = TLS1_2_VERSION, 286 .peerver = TLS1_1_VERSION, 287 .want_maxver = TLS1_1_VERSION, 288 }, 289 { 290 .ssl_method = TLS_method, 291 .options = 0, 292 .minver = TLS1_VERSION, 293 .maxver = TLS1_2_VERSION, 294 .peerver = TLS1_2_VERSION, 295 .want_maxver = TLS1_2_VERSION, 296 }, 297 { 298 .ssl_method = TLS_method, 299 .options = 0, 300 .minver = TLS1_VERSION, 301 .maxver = TLS1_2_VERSION, 302 .peerver = TLS1_3_VERSION, 303 .want_maxver = TLS1_2_VERSION, 304 }, 305 { 306 .ssl_method = TLS_method, 307 .options = 0, 308 .minver = TLS1_VERSION, 309 .maxver = TLS1_2_VERSION, 310 .peerver = 0x7f12, 311 .want_maxver = TLS1_2_VERSION, 312 }, 313 { 314 .ssl_method = TLS_method, 315 .options = SSL_OP_NO_TLSv1_2, 316 .minver = TLS1_VERSION, 317 .maxver = TLS1_2_VERSION, 318 .peerver = TLS1_2_VERSION, 319 .want_maxver = TLS1_1_VERSION, 320 }, 321 { 322 .ssl_method = TLS_method, 323 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 324 .minver = TLS1_VERSION, 325 .maxver = TLS1_2_VERSION, 326 .peerver = TLS1_2_VERSION, 327 .want_maxver = TLS1_VERSION, 328 }, 329 { 330 .ssl_method = TLS_method, 331 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 332 .minver = TLS1_VERSION, 333 .maxver = TLS1_2_VERSION, 334 .peerver = TLS1_2_VERSION, 335 .want_maxver = 0, 336 }, 337 { 338 .ssl_method = TLS_method, 339 .options = SSL_OP_NO_TLSv1, 340 .minver = TLS1_VERSION, 341 .maxver = TLS1_2_VERSION, 342 .peerver = TLS1_1_VERSION, 343 .want_maxver = TLS1_1_VERSION, 344 }, 345 { 346 .ssl_method = TLS_method, 347 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 348 .minver = TLS1_VERSION, 349 .maxver = TLS1_2_VERSION, 350 .peerver = TLS1_1_VERSION, 351 .want_maxver = 0, 352 }, 353 { 354 .ssl_method = TLS_method, 355 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 356 .minver = TLS1_VERSION, 357 .maxver = TLS1_2_VERSION, 358 .peerver = TLS1_1_VERSION, 359 .want_maxver = TLS1_VERSION, 360 }, 361 { 362 .ssl_method = TLS_method, 363 .options = SSL_OP_NO_TLSv1, 364 .minver = TLS1_VERSION, 365 .maxver = TLS1_2_VERSION, 366 .peerver = TLS1_VERSION, 367 .want_maxver = 0, 368 }, 369 { 370 .ssl_method = TLS_method, 371 .options = 0, 372 .minver = TLS1_VERSION, 373 .maxver = TLS1_1_VERSION, 374 .peerver = TLS1_2_VERSION, 375 .want_maxver = TLS1_1_VERSION, 376 }, 377 { 378 .ssl_method = TLS_method, 379 .options = 0, 380 .minver = TLS1_VERSION, 381 .maxver = TLS1_VERSION, 382 .peerver = TLS1_2_VERSION, 383 .want_maxver = TLS1_VERSION, 384 }, 385 { 386 .ssl_method = TLSv1_method, 387 .options = 0, 388 .minver = TLS1_VERSION, 389 .maxver = TLS1_2_VERSION, 390 .peerver = TLS1_VERSION, 391 .want_maxver = TLS1_VERSION, 392 }, 393 { 394 .ssl_method = TLSv1_method, 395 .options = 0, 396 .minver = TLS1_1_VERSION, 397 .maxver = TLS1_2_VERSION, 398 .peerver = TLS1_VERSION, 399 .want_maxver = 0, 400 }, 401 { 402 .ssl_method = TLSv1_1_method, 403 .options = 0, 404 .minver = TLS1_VERSION, 405 .maxver = TLS1_2_VERSION, 406 .peerver = TLS1_1_VERSION, 407 .want_maxver = TLS1_1_VERSION, 408 }, 409 { 410 .ssl_method = DTLS_method, 411 .options = 0, 412 .minver = TLS1_1_VERSION, 413 .maxver = TLS1_2_VERSION, 414 .peerver = DTLS1_VERSION, 415 .want_maxver = DTLS1_VERSION, 416 }, 417 { 418 .ssl_method = DTLS_method, 419 .options = 0, 420 .minver = TLS1_1_VERSION, 421 .maxver = TLS1_2_VERSION, 422 .peerver = DTLS1_2_VERSION, 423 .want_maxver = DTLS1_2_VERSION, 424 }, 425 { 426 .ssl_method = DTLS_method, 427 .options = 0, 428 .minver = TLS1_1_VERSION, 429 .maxver = TLS1_2_VERSION, 430 .peerver = 0xfefc, /* DTLSv1.3, probably. */ 431 .want_maxver = DTLS1_2_VERSION, 432 }, 433 { 434 .ssl_method = DTLSv1_method, 435 .options = 0, 436 .minver = TLS1_1_VERSION, 437 .maxver = TLS1_1_VERSION, 438 .peerver = DTLS1_2_VERSION, 439 .want_maxver = DTLS1_VERSION, 440 }, 441 { 442 .ssl_method = DTLSv1_2_method, 443 .options = 0, 444 .minver = TLS1_2_VERSION, 445 .maxver = TLS1_2_VERSION, 446 .peerver = DTLS1_2_VERSION, 447 .want_maxver = DTLS1_2_VERSION, 448 }, 449 { 450 .ssl_method = DTLSv1_method, 451 .options = 0, 452 .minver = TLS1_1_VERSION, 453 .maxver = TLS1_1_VERSION, 454 .peerver = TLS1_2_VERSION, 455 .want_maxver = 0, 456 }, 457 { 458 .ssl_method = DTLS_method, 459 .options = SSL_OP_NO_DTLSv1, 460 .minver = TLS1_1_VERSION, 461 .maxver = TLS1_2_VERSION, 462 .peerver = DTLS1_VERSION, 463 .want_maxver = 0, 464 }, 465 { 466 .ssl_method = DTLS_method, 467 .options = SSL_OP_NO_DTLSv1_2, 468 .minver = TLS1_1_VERSION, 469 .maxver = TLS1_2_VERSION, 470 .peerver = DTLS1_2_VERSION, 471 .want_maxver = DTLS1_VERSION, 472 }, 473 }; 474 475 #define N_SHARED_VERSION_TESTS \ 476 (sizeof(shared_version_tests) / sizeof(*shared_version_tests)) 477 478 static int 479 test_ssl_max_shared_version(void) 480 { 481 struct shared_version_test *svt; 482 SSL_CTX *ssl_ctx = NULL; 483 SSL *ssl = NULL; 484 uint16_t maxver; 485 int failed = 0; 486 size_t i; 487 488 failed = 0; 489 490 fprintf(stderr, "INFO: starting max shared version tests...\n"); 491 492 for (i = 0; i < N_SHARED_VERSION_TESTS; i++) { 493 svt = &shared_version_tests[i]; 494 495 if ((ssl_ctx = SSL_CTX_new(svt->ssl_method())) == NULL) { 496 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 497 return 1; 498 } 499 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 500 fprintf(stderr, "SSL_new() returned NULL\n"); 501 return 1; 502 } 503 504 SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 505 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); 506 SSL_set_options(ssl, svt->options); 507 508 maxver = 0; 509 ssl->internal->min_tls_version = svt->minver; 510 ssl->internal->max_tls_version = svt->maxver; 511 512 if (!ssl_max_shared_version(ssl, svt->peerver, &maxver)) { 513 if (svt->want_maxver != 0) { 514 fprintf(stderr, "FAIL: test %zu - failed but " 515 "wanted non-zero shared version (peer %x)\n", 516 i, svt->peerver); 517 failed++; 518 } 519 continue; 520 } 521 if (maxver != svt->want_maxver) { 522 fprintf(stderr, "FAIL: test %zu - got shared " 523 "version %x, want %x\n", i, maxver, 524 svt->want_maxver); 525 failed++; 526 } 527 528 SSL_CTX_free(ssl_ctx); 529 SSL_free(ssl); 530 } 531 532 return (failed); 533 } 534 535 struct min_max_version_test { 536 const SSL_METHOD *(*ssl_method)(void); 537 const uint16_t minver; 538 const uint16_t maxver; 539 const uint16_t want_minver; 540 const uint16_t want_maxver; 541 const int want_min_fail; 542 const int want_max_fail; 543 }; 544 545 static struct min_max_version_test min_max_version_tests[] = { 546 { 547 .ssl_method = TLS_method, 548 .minver = 0, 549 .maxver = 0, 550 .want_minver = 0, 551 .want_maxver = 0, 552 }, 553 { 554 .ssl_method = TLS_method, 555 .minver = TLS1_VERSION, 556 .maxver = 0, 557 .want_minver = TLS1_VERSION, 558 .want_maxver = 0, 559 }, 560 { 561 .ssl_method = TLS_method, 562 .minver = 0, 563 .maxver = TLS1_2_VERSION, 564 .want_minver = 0, 565 .want_maxver = TLS1_2_VERSION, 566 }, 567 { 568 .ssl_method = TLS_method, 569 .minver = 0, 570 .maxver = TLS1_3_VERSION, 571 .want_minver = 0, 572 .want_maxver = TLS1_3_VERSION, 573 }, 574 { 575 .ssl_method = TLS_method, 576 .minver = TLS1_VERSION, 577 .maxver = TLS1_2_VERSION, 578 .want_minver = TLS1_VERSION, 579 .want_maxver = TLS1_2_VERSION, 580 }, 581 { 582 .ssl_method = TLS_method, 583 .minver = TLS1_1_VERSION, 584 .maxver = 0, 585 .want_minver = TLS1_1_VERSION, 586 .want_maxver = 0, 587 }, 588 { 589 .ssl_method = TLS_method, 590 .minver = TLS1_2_VERSION, 591 .maxver = 0, 592 .want_minver = TLS1_2_VERSION, 593 .want_maxver = 0, 594 }, 595 { 596 .ssl_method = TLS_method, 597 .minver = 0x0300, 598 .maxver = 0, 599 .want_minver = TLS1_VERSION, 600 .want_maxver = 0, 601 }, 602 { 603 .ssl_method = TLS_method, 604 .minver = 0x0305, 605 .maxver = 0, 606 .want_min_fail = 1, 607 }, 608 { 609 .ssl_method = TLS_method, 610 .minver = 0, 611 .maxver = 0x0305, 612 .want_minver = 0, 613 .want_maxver = TLS1_3_VERSION, 614 }, 615 { 616 .ssl_method = TLS_method, 617 .minver = 0, 618 .maxver = TLS1_1_VERSION, 619 .want_minver = 0, 620 .want_maxver = TLS1_1_VERSION, 621 }, 622 { 623 .ssl_method = TLS_method, 624 .minver = 0, 625 .maxver = TLS1_VERSION, 626 .want_minver = 0, 627 .want_maxver = TLS1_VERSION, 628 }, 629 { 630 .ssl_method = TLS_method, 631 .minver = 0, 632 .maxver = 0x0300, 633 .want_max_fail = 1, 634 }, 635 { 636 .ssl_method = TLS_method, 637 .minver = TLS1_2_VERSION, 638 .maxver = TLS1_1_VERSION, 639 .want_minver = TLS1_2_VERSION, 640 .want_maxver = 0, 641 .want_max_fail = 1, 642 }, 643 { 644 .ssl_method = TLSv1_1_method, 645 .minver = 0, 646 .maxver = 0, 647 .want_minver = 0, 648 .want_maxver = 0, 649 }, 650 { 651 .ssl_method = TLSv1_1_method, 652 .minver = TLS1_VERSION, 653 .maxver = TLS1_2_VERSION, 654 .want_minver = TLS1_1_VERSION, 655 .want_maxver = TLS1_1_VERSION, 656 }, 657 { 658 .ssl_method = TLSv1_1_method, 659 .minver = TLS1_2_VERSION, 660 .maxver = 0, 661 .want_minver = 0, 662 .want_maxver = 0, 663 .want_min_fail = 1, 664 }, 665 { 666 .ssl_method = TLSv1_1_method, 667 .minver = 0, 668 .maxver = TLS1_VERSION, 669 .want_minver = 0, 670 .want_maxver = 0, 671 .want_max_fail = 1, 672 }, 673 { 674 .ssl_method = DTLS_method, 675 .minver = 0, 676 .maxver = 0, 677 .want_minver = 0, 678 .want_maxver = 0, 679 }, 680 { 681 .ssl_method = DTLS_method, 682 .minver = 0, 683 .maxver = DTLS1_VERSION, 684 .want_minver = 0, 685 .want_maxver = DTLS1_VERSION, 686 }, 687 { 688 .ssl_method = DTLS_method, 689 .minver = DTLS1_VERSION, 690 .maxver = 0, 691 .want_minver = DTLS1_VERSION, 692 .want_maxver = 0, 693 }, 694 { 695 .ssl_method = DTLS_method, 696 .minver = DTLS1_VERSION, 697 .maxver = DTLS1_2_VERSION, 698 .want_minver = DTLS1_VERSION, 699 .want_maxver = DTLS1_2_VERSION, 700 }, 701 { 702 .ssl_method = DTLSv1_method, 703 .minver = 0, 704 .maxver = 0, 705 .want_minver = 0, 706 .want_maxver = 0, 707 }, 708 { 709 .ssl_method = DTLSv1_method, 710 .minver = DTLS1_VERSION, 711 .maxver = 0, 712 .want_minver = DTLS1_VERSION, 713 .want_maxver = 0, 714 }, 715 { 716 .ssl_method = DTLSv1_method, 717 .minver = 0, 718 .maxver = DTLS1_VERSION, 719 .want_minver = 0, 720 .want_maxver = DTLS1_VERSION, 721 }, 722 { 723 .ssl_method = DTLSv1_method, 724 .minver = 0, 725 .maxver = DTLS1_2_VERSION, 726 .want_minver = 0, 727 .want_maxver = DTLS1_VERSION, 728 }, 729 { 730 .ssl_method = DTLSv1_method, 731 .minver = TLS1_VERSION, 732 .maxver = TLS1_2_VERSION, 733 .want_minver = 0, 734 .want_maxver = 0, 735 .want_min_fail = 1, 736 .want_max_fail = 1, 737 }, 738 }; 739 740 #define N_MIN_MAX_VERSION_TESTS \ 741 (sizeof(min_max_version_tests) / sizeof(*min_max_version_tests)) 742 743 static int 744 test_ssl_min_max_version(void) 745 { 746 struct min_max_version_test *mmvt; 747 SSL_CTX *ssl_ctx = NULL; 748 SSL *ssl = NULL; 749 int failed = 0; 750 size_t i; 751 752 failed = 0; 753 754 fprintf(stderr, "INFO: starting min max version tests...\n"); 755 756 for (i = 0; i < N_MIN_MAX_VERSION_TESTS; i++) { 757 mmvt = &min_max_version_tests[i]; 758 759 if ((ssl_ctx = SSL_CTX_new(mmvt->ssl_method())) == NULL) { 760 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 761 return 1; 762 } 763 764 if (!SSL_CTX_set_min_proto_version(ssl_ctx, mmvt->minver)) { 765 if (!mmvt->want_min_fail) { 766 fprintf(stderr, "FAIL: test %zu - failed to set " 767 "SSL_CTX min version\n", i); 768 failed++; 769 } 770 goto next; 771 } 772 if (!SSL_CTX_set_max_proto_version(ssl_ctx, mmvt->maxver)) { 773 if (!mmvt->want_max_fail) { 774 fprintf(stderr, "FAIL: test %zu - failed to set " 775 "SSL_CTX min version\n", i); 776 failed++; 777 } 778 goto next; 779 } 780 781 if (mmvt->want_min_fail) { 782 fprintf(stderr, "FAIL: test %zu - successfully set " 783 "SSL_CTX min version, should have failed\n", i); 784 failed++; 785 goto next; 786 } 787 if (mmvt->want_max_fail) { 788 fprintf(stderr, "FAIL: test %zu - successfully set " 789 "SSL_CTX max version, should have failed\n", i); 790 failed++; 791 goto next; 792 } 793 794 if (SSL_CTX_get_min_proto_version(ssl_ctx) != mmvt->want_minver) { 795 fprintf(stderr, "FAIL: test %zu - got SSL_CTX min " 796 "version 0x%x, want 0x%x\n", i, 797 SSL_CTX_get_min_proto_version(ssl_ctx), mmvt->want_minver); 798 failed++; 799 goto next; 800 } 801 if (SSL_CTX_get_max_proto_version(ssl_ctx) != mmvt->want_maxver) { 802 fprintf(stderr, "FAIL: test %zu - got SSL_CTX max " 803 "version 0x%x, want 0x%x\n", i, 804 SSL_CTX_get_max_proto_version(ssl_ctx), mmvt->want_maxver); 805 failed++; 806 goto next; 807 } 808 809 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 810 fprintf(stderr, "SSL_new() returned NULL\n"); 811 return 1; 812 } 813 814 if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) { 815 fprintf(stderr, "FAIL: test %zu - initial SSL min " 816 "version 0x%x, want 0x%x\n", i, 817 SSL_get_min_proto_version(ssl), mmvt->want_minver); 818 failed++; 819 goto next; 820 } 821 if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { 822 fprintf(stderr, "FAIL: test %zu - initial SSL max " 823 "version 0x%x, want 0x%x\n", i, 824 SSL_get_max_proto_version(ssl), mmvt->want_maxver); 825 failed++; 826 goto next; 827 } 828 829 if (!SSL_set_min_proto_version(ssl, mmvt->minver)) { 830 if (mmvt->want_min_fail) { 831 fprintf(stderr, "FAIL: test %zu - failed to set " 832 "SSL min version\n", i); 833 failed++; 834 } 835 goto next; 836 } 837 if (!SSL_set_max_proto_version(ssl, mmvt->maxver)) { 838 if (mmvt->want_max_fail) { 839 fprintf(stderr, "FAIL: test %zu - failed to set " 840 "SSL min version\n", i); 841 failed++; 842 } 843 goto next; 844 } 845 846 if (mmvt->want_min_fail) { 847 fprintf(stderr, "FAIL: test %zu - successfully set SSL " 848 "min version, should have failed\n", i); 849 failed++; 850 goto next; 851 } 852 if (mmvt->want_max_fail) { 853 fprintf(stderr, "FAIL: test %zu - successfully set SSL " 854 "max version, should have failed\n", i); 855 failed++; 856 goto next; 857 } 858 859 if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) { 860 fprintf(stderr, "FAIL: test %zu - got SSL min " 861 "version 0x%x, want 0x%x\n", i, 862 SSL_get_min_proto_version(ssl), mmvt->want_minver); 863 failed++; 864 goto next; 865 } 866 if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { 867 fprintf(stderr, "FAIL: test %zu - got SSL max " 868 "version 0x%x, want 0x%x\n", i, 869 SSL_get_max_proto_version(ssl), mmvt->want_maxver); 870 failed++; 871 goto next; 872 } 873 874 next: 875 SSL_CTX_free(ssl_ctx); 876 SSL_free(ssl); 877 878 ssl_ctx = NULL; 879 ssl = NULL; 880 } 881 882 return (failed); 883 } 884 885 int 886 main(int argc, char **argv) 887 { 888 int failed = 0; 889 890 SSL_library_init(); 891 892 /* XXX - Test ssl_supported_version_range() */ 893 894 failed |= test_ssl_enabled_version_range(); 895 failed |= test_ssl_max_shared_version(); 896 failed |= test_ssl_min_max_version(); 897 898 if (failed == 0) 899 printf("PASS %s\n", __FILE__); 900 901 return (failed); 902 } 903