1 /* $OpenBSD: ssl_versions.c,v 1.19 2022/11/26 16:08:57 tb Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <openssl/ssl.h> 19 20 #include "ssl_local.h" 21 22 struct version_range_test { 23 const long options; 24 const uint16_t minver; 25 const uint16_t maxver; 26 const uint16_t want_minver; 27 const uint16_t want_maxver; 28 }; 29 30 static struct version_range_test version_range_tests[] = { 31 { 32 .options = 0, 33 .minver = TLS1_VERSION, 34 .maxver = TLS1_3_VERSION, 35 .want_minver = TLS1_VERSION, 36 .want_maxver = TLS1_3_VERSION, 37 }, 38 { 39 .options = 0, 40 .minver = TLS1_VERSION, 41 .maxver = TLS1_2_VERSION, 42 .want_minver = TLS1_VERSION, 43 .want_maxver = TLS1_2_VERSION, 44 }, 45 { 46 .options = SSL_OP_NO_TLSv1, 47 .minver = TLS1_VERSION, 48 .maxver = TLS1_2_VERSION, 49 .want_minver = TLS1_1_VERSION, 50 .want_maxver = TLS1_2_VERSION, 51 }, 52 { 53 .options = SSL_OP_NO_TLSv1_3, 54 .minver = TLS1_VERSION, 55 .maxver = TLS1_3_VERSION, 56 .want_minver = TLS1_VERSION, 57 .want_maxver = TLS1_2_VERSION, 58 }, 59 { 60 .options = SSL_OP_NO_TLSv1_2, 61 .minver = TLS1_VERSION, 62 .maxver = TLS1_2_VERSION, 63 .want_minver = TLS1_VERSION, 64 .want_maxver = TLS1_1_VERSION, 65 }, 66 { 67 .options = SSL_OP_NO_TLSv1_1, 68 .minver = TLS1_VERSION, 69 .maxver = TLS1_2_VERSION, 70 .want_minver = TLS1_VERSION, 71 .want_maxver = TLS1_VERSION, 72 }, 73 { 74 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 75 .minver = TLS1_VERSION, 76 .maxver = TLS1_2_VERSION, 77 .want_minver = TLS1_2_VERSION, 78 .want_maxver = TLS1_2_VERSION, 79 }, 80 { 81 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 82 .minver = TLS1_VERSION, 83 .maxver = TLS1_2_VERSION, 84 .want_minver = TLS1_VERSION, 85 .want_maxver = TLS1_VERSION, 86 }, 87 { 88 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2, 89 .minver = TLS1_VERSION, 90 .maxver = TLS1_2_VERSION, 91 .want_minver = TLS1_1_VERSION, 92 .want_maxver = TLS1_1_VERSION, 93 }, 94 { 95 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 96 SSL_OP_NO_TLSv1_2, 97 .minver = TLS1_VERSION, 98 .maxver = TLS1_2_VERSION, 99 .want_minver = 0, 100 .want_maxver = 0, 101 }, 102 { 103 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 104 SSL_OP_NO_TLSv1_2, 105 .minver = TLS1_VERSION, 106 .maxver = TLS1_3_VERSION, 107 .want_minver = TLS1_3_VERSION, 108 .want_maxver = TLS1_3_VERSION, 109 }, 110 { 111 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 112 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3, 113 .minver = TLS1_VERSION, 114 .maxver = TLS1_3_VERSION, 115 .want_minver = 0, 116 .want_maxver = 0, 117 }, 118 { 119 .options = 0, 120 .minver = TLS1_VERSION, 121 .maxver = TLS1_2_VERSION, 122 .want_minver = TLS1_VERSION, 123 .want_maxver = TLS1_2_VERSION, 124 }, 125 { 126 .options = 0, 127 .minver = TLS1_1_VERSION, 128 .maxver = TLS1_2_VERSION, 129 .want_minver = TLS1_1_VERSION, 130 .want_maxver = TLS1_2_VERSION, 131 }, 132 { 133 .options = 0, 134 .minver = TLS1_2_VERSION, 135 .maxver = TLS1_2_VERSION, 136 .want_minver = TLS1_2_VERSION, 137 .want_maxver = TLS1_2_VERSION, 138 }, 139 { 140 .options = 0, 141 .minver = TLS1_VERSION, 142 .maxver = TLS1_3_VERSION, 143 .want_minver = TLS1_VERSION, 144 .want_maxver = TLS1_3_VERSION, 145 }, 146 { 147 .options = 0, 148 .minver = TLS1_1_VERSION, 149 .maxver = TLS1_3_VERSION, 150 .want_minver = TLS1_1_VERSION, 151 .want_maxver = TLS1_3_VERSION, 152 }, 153 { 154 .options = 0, 155 .minver = TLS1_2_VERSION, 156 .maxver = TLS1_3_VERSION, 157 .want_minver = TLS1_2_VERSION, 158 .want_maxver = TLS1_3_VERSION, 159 }, 160 { 161 .options = 0, 162 .minver = TLS1_3_VERSION, 163 .maxver = TLS1_3_VERSION, 164 .want_minver = TLS1_3_VERSION, 165 .want_maxver = TLS1_3_VERSION, 166 }, 167 { 168 .options = 0, 169 .minver = TLS1_VERSION, 170 .maxver = TLS1_1_VERSION, 171 .want_minver = TLS1_VERSION, 172 .want_maxver = TLS1_1_VERSION, 173 }, 174 { 175 .options = 0, 176 .minver = TLS1_VERSION, 177 .maxver = TLS1_VERSION, 178 .want_minver = TLS1_VERSION, 179 .want_maxver = TLS1_VERSION, 180 }, 181 }; 182 183 #define N_VERSION_RANGE_TESTS \ 184 (sizeof(version_range_tests) / sizeof(*version_range_tests)) 185 186 static int 187 test_ssl_enabled_version_range(void) 188 { 189 struct version_range_test *vrt; 190 uint16_t minver, maxver; 191 SSL_CTX *ssl_ctx = NULL; 192 SSL *ssl = NULL; 193 int failed = 1; 194 size_t i; 195 196 fprintf(stderr, "INFO: starting enabled version range tests...\n"); 197 198 if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) { 199 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 200 goto failure; 201 } 202 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 203 fprintf(stderr, "SSL_new() returned NULL\n"); 204 goto failure; 205 } 206 207 failed = 0; 208 209 for (i = 0; i < N_VERSION_RANGE_TESTS; i++) { 210 vrt = &version_range_tests[i]; 211 212 SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 213 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); 214 SSL_set_options(ssl, vrt->options); 215 216 minver = maxver = 0xffff; 217 ssl->min_tls_version = vrt->minver; 218 ssl->max_tls_version = vrt->maxver; 219 220 if (ssl_enabled_tls_version_range(ssl, &minver, &maxver) != 1) { 221 if (vrt->want_minver != 0 || vrt->want_maxver != 0) { 222 fprintf(stderr, "FAIL: test %zu - failed but " 223 "wanted non-zero versions\n", i); 224 failed++; 225 } 226 continue; 227 } 228 if (minver != vrt->want_minver) { 229 fprintf(stderr, "FAIL: test %zu - got minver %x, " 230 "want %x\n", i, minver, vrt->want_minver); 231 failed++; 232 } 233 if (maxver != vrt->want_maxver) { 234 fprintf(stderr, "FAIL: test %zu - got maxver %x, " 235 "want %x\n", i, maxver, vrt->want_maxver); 236 failed++; 237 } 238 } 239 240 failure: 241 SSL_CTX_free(ssl_ctx); 242 SSL_free(ssl); 243 244 return (failed); 245 } 246 247 struct shared_version_test { 248 const SSL_METHOD *(*ssl_method)(void); 249 const long options; 250 const uint16_t minver; 251 const uint16_t maxver; 252 const uint16_t peerver; 253 const uint16_t want_maxver; 254 }; 255 256 static struct shared_version_test shared_version_tests[] = { 257 { 258 .ssl_method = TLS_method, 259 .options = 0, 260 .minver = TLS1_VERSION, 261 .maxver = TLS1_2_VERSION, 262 .peerver = SSL2_VERSION, 263 .want_maxver = 0, 264 }, 265 { 266 .ssl_method = TLS_method, 267 .options = 0, 268 .minver = TLS1_VERSION, 269 .maxver = TLS1_2_VERSION, 270 .peerver = SSL3_VERSION, 271 .want_maxver = 0, 272 }, 273 { 274 .ssl_method = TLS_method, 275 .options = 0, 276 .minver = TLS1_VERSION, 277 .maxver = TLS1_2_VERSION, 278 .peerver = TLS1_VERSION, 279 .want_maxver = TLS1_VERSION, 280 }, 281 { 282 .ssl_method = TLS_method, 283 .options = 0, 284 .minver = TLS1_VERSION, 285 .maxver = TLS1_2_VERSION, 286 .peerver = TLS1_1_VERSION, 287 .want_maxver = TLS1_1_VERSION, 288 }, 289 { 290 .ssl_method = TLS_method, 291 .options = 0, 292 .minver = TLS1_VERSION, 293 .maxver = TLS1_2_VERSION, 294 .peerver = TLS1_2_VERSION, 295 .want_maxver = TLS1_2_VERSION, 296 }, 297 { 298 .ssl_method = TLS_method, 299 .options = 0, 300 .minver = TLS1_VERSION, 301 .maxver = TLS1_2_VERSION, 302 .peerver = TLS1_3_VERSION, 303 .want_maxver = TLS1_2_VERSION, 304 }, 305 { 306 .ssl_method = TLS_method, 307 .options = 0, 308 .minver = TLS1_VERSION, 309 .maxver = TLS1_2_VERSION, 310 .peerver = 0x7f12, 311 .want_maxver = TLS1_2_VERSION, 312 }, 313 { 314 .ssl_method = TLS_method, 315 .options = SSL_OP_NO_TLSv1_2, 316 .minver = TLS1_VERSION, 317 .maxver = TLS1_2_VERSION, 318 .peerver = TLS1_2_VERSION, 319 .want_maxver = TLS1_1_VERSION, 320 }, 321 { 322 .ssl_method = TLS_method, 323 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 324 .minver = TLS1_VERSION, 325 .maxver = TLS1_2_VERSION, 326 .peerver = TLS1_2_VERSION, 327 .want_maxver = TLS1_VERSION, 328 }, 329 { 330 .ssl_method = TLS_method, 331 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 332 .minver = TLS1_VERSION, 333 .maxver = TLS1_2_VERSION, 334 .peerver = TLS1_2_VERSION, 335 .want_maxver = 0, 336 }, 337 { 338 .ssl_method = TLS_method, 339 .options = SSL_OP_NO_TLSv1, 340 .minver = TLS1_VERSION, 341 .maxver = TLS1_2_VERSION, 342 .peerver = TLS1_1_VERSION, 343 .want_maxver = TLS1_1_VERSION, 344 }, 345 { 346 .ssl_method = TLS_method, 347 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 348 .minver = TLS1_VERSION, 349 .maxver = TLS1_2_VERSION, 350 .peerver = TLS1_1_VERSION, 351 .want_maxver = 0, 352 }, 353 { 354 .ssl_method = TLS_method, 355 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 356 .minver = TLS1_VERSION, 357 .maxver = TLS1_2_VERSION, 358 .peerver = TLS1_1_VERSION, 359 .want_maxver = TLS1_VERSION, 360 }, 361 { 362 .ssl_method = TLS_method, 363 .options = SSL_OP_NO_TLSv1, 364 .minver = TLS1_VERSION, 365 .maxver = TLS1_2_VERSION, 366 .peerver = TLS1_VERSION, 367 .want_maxver = 0, 368 }, 369 { 370 .ssl_method = TLS_method, 371 .options = 0, 372 .minver = TLS1_VERSION, 373 .maxver = TLS1_1_VERSION, 374 .peerver = TLS1_2_VERSION, 375 .want_maxver = TLS1_1_VERSION, 376 }, 377 { 378 .ssl_method = TLS_method, 379 .options = 0, 380 .minver = TLS1_VERSION, 381 .maxver = TLS1_VERSION, 382 .peerver = TLS1_2_VERSION, 383 .want_maxver = TLS1_VERSION, 384 }, 385 { 386 .ssl_method = TLSv1_method, 387 .options = 0, 388 .minver = TLS1_VERSION, 389 .maxver = TLS1_2_VERSION, 390 .peerver = TLS1_VERSION, 391 .want_maxver = TLS1_VERSION, 392 }, 393 { 394 .ssl_method = TLSv1_method, 395 .options = 0, 396 .minver = TLS1_1_VERSION, 397 .maxver = TLS1_2_VERSION, 398 .peerver = TLS1_VERSION, 399 .want_maxver = 0, 400 }, 401 { 402 .ssl_method = TLSv1_1_method, 403 .options = 0, 404 .minver = TLS1_VERSION, 405 .maxver = TLS1_2_VERSION, 406 .peerver = TLS1_1_VERSION, 407 .want_maxver = TLS1_1_VERSION, 408 }, 409 { 410 .ssl_method = DTLS_method, 411 .options = 0, 412 .minver = TLS1_1_VERSION, 413 .maxver = TLS1_2_VERSION, 414 .peerver = DTLS1_VERSION, 415 .want_maxver = DTLS1_VERSION, 416 }, 417 { 418 .ssl_method = DTLS_method, 419 .options = 0, 420 .minver = TLS1_1_VERSION, 421 .maxver = TLS1_2_VERSION, 422 .peerver = DTLS1_2_VERSION, 423 .want_maxver = DTLS1_2_VERSION, 424 }, 425 { 426 .ssl_method = DTLS_method, 427 .options = 0, 428 .minver = TLS1_1_VERSION, 429 .maxver = TLS1_2_VERSION, 430 .peerver = 0xfefc, /* DTLSv1.3, probably. */ 431 .want_maxver = DTLS1_2_VERSION, 432 }, 433 { 434 .ssl_method = DTLSv1_method, 435 .options = 0, 436 .minver = TLS1_1_VERSION, 437 .maxver = TLS1_1_VERSION, 438 .peerver = DTLS1_2_VERSION, 439 .want_maxver = DTLS1_VERSION, 440 }, 441 { 442 .ssl_method = DTLSv1_2_method, 443 .options = 0, 444 .minver = TLS1_2_VERSION, 445 .maxver = TLS1_2_VERSION, 446 .peerver = DTLS1_2_VERSION, 447 .want_maxver = DTLS1_2_VERSION, 448 }, 449 { 450 .ssl_method = DTLSv1_method, 451 .options = 0, 452 .minver = TLS1_1_VERSION, 453 .maxver = TLS1_1_VERSION, 454 .peerver = TLS1_2_VERSION, 455 .want_maxver = 0, 456 }, 457 { 458 .ssl_method = DTLS_method, 459 .options = SSL_OP_NO_DTLSv1, 460 .minver = TLS1_1_VERSION, 461 .maxver = TLS1_2_VERSION, 462 .peerver = DTLS1_VERSION, 463 .want_maxver = 0, 464 }, 465 { 466 .ssl_method = DTLS_method, 467 .options = SSL_OP_NO_DTLSv1, 468 .minver = TLS1_1_VERSION, 469 .maxver = TLS1_2_VERSION, 470 .peerver = DTLS1_2_VERSION, 471 .want_maxver = DTLS1_2_VERSION, 472 }, 473 { 474 .ssl_method = DTLS_method, 475 .options = SSL_OP_NO_DTLSv1_2, 476 .minver = TLS1_1_VERSION, 477 .maxver = TLS1_2_VERSION, 478 .peerver = DTLS1_2_VERSION, 479 .want_maxver = DTLS1_VERSION, 480 }, 481 }; 482 483 #define N_SHARED_VERSION_TESTS \ 484 (sizeof(shared_version_tests) / sizeof(*shared_version_tests)) 485 486 static int 487 test_ssl_max_shared_version(void) 488 { 489 struct shared_version_test *svt; 490 SSL_CTX *ssl_ctx = NULL; 491 SSL *ssl = NULL; 492 uint16_t maxver; 493 int failed = 0; 494 size_t i; 495 496 failed = 0; 497 498 fprintf(stderr, "INFO: starting max shared version tests...\n"); 499 500 for (i = 0; i < N_SHARED_VERSION_TESTS; i++) { 501 svt = &shared_version_tests[i]; 502 503 if ((ssl_ctx = SSL_CTX_new(svt->ssl_method())) == NULL) { 504 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 505 failed++; 506 goto err; 507 } 508 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 509 fprintf(stderr, "SSL_new() returned NULL\n"); 510 failed++; 511 goto err; 512 } 513 514 SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 515 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); 516 SSL_set_options(ssl, svt->options); 517 518 maxver = 0; 519 ssl->min_tls_version = svt->minver; 520 ssl->max_tls_version = svt->maxver; 521 522 if (!ssl_max_shared_version(ssl, svt->peerver, &maxver)) { 523 if (svt->want_maxver != 0) { 524 fprintf(stderr, "FAIL: test %zu - failed but " 525 "wanted non-zero shared version (peer %x)\n", 526 i, svt->peerver); 527 failed++; 528 } 529 SSL_CTX_free(ssl_ctx); 530 SSL_free(ssl); 531 ssl_ctx = NULL; 532 ssl = NULL; 533 continue; 534 } 535 if (maxver != svt->want_maxver) { 536 fprintf(stderr, "FAIL: test %zu - got shared " 537 "version %x, want %x\n", i, maxver, 538 svt->want_maxver); 539 failed++; 540 } 541 542 SSL_CTX_free(ssl_ctx); 543 SSL_free(ssl); 544 ssl_ctx = NULL; 545 ssl = NULL; 546 } 547 548 err: 549 SSL_CTX_free(ssl_ctx); 550 SSL_free(ssl); 551 552 return (failed); 553 } 554 555 struct min_max_version_test { 556 const SSL_METHOD *(*ssl_method)(void); 557 const uint16_t minver; 558 const uint16_t maxver; 559 const uint16_t want_minver; 560 const uint16_t want_maxver; 561 const int want_min_fail; 562 const int want_max_fail; 563 }; 564 565 static struct min_max_version_test min_max_version_tests[] = { 566 { 567 .ssl_method = TLS_method, 568 .minver = 0, 569 .maxver = 0, 570 .want_minver = 0, 571 .want_maxver = 0, 572 }, 573 { 574 .ssl_method = TLS_method, 575 .minver = TLS1_VERSION, 576 .maxver = 0, 577 .want_minver = TLS1_VERSION, 578 .want_maxver = 0, 579 }, 580 { 581 .ssl_method = TLS_method, 582 .minver = 0, 583 .maxver = TLS1_2_VERSION, 584 .want_minver = 0, 585 .want_maxver = TLS1_2_VERSION, 586 }, 587 { 588 .ssl_method = TLS_method, 589 .minver = 0, 590 .maxver = TLS1_3_VERSION, 591 .want_minver = 0, 592 .want_maxver = TLS1_3_VERSION, 593 }, 594 { 595 .ssl_method = TLS_method, 596 .minver = TLS1_VERSION, 597 .maxver = TLS1_2_VERSION, 598 .want_minver = TLS1_VERSION, 599 .want_maxver = TLS1_2_VERSION, 600 }, 601 { 602 .ssl_method = TLS_method, 603 .minver = TLS1_1_VERSION, 604 .maxver = 0, 605 .want_minver = TLS1_1_VERSION, 606 .want_maxver = 0, 607 }, 608 { 609 .ssl_method = TLS_method, 610 .minver = TLS1_2_VERSION, 611 .maxver = 0, 612 .want_minver = TLS1_2_VERSION, 613 .want_maxver = 0, 614 }, 615 { 616 .ssl_method = TLS_method, 617 .minver = 0x0300, 618 .maxver = 0, 619 .want_minver = TLS1_VERSION, 620 .want_maxver = 0, 621 }, 622 { 623 .ssl_method = TLS_method, 624 .minver = 0x0305, 625 .maxver = 0, 626 .want_min_fail = 1, 627 }, 628 { 629 .ssl_method = TLS_method, 630 .minver = 0, 631 .maxver = 0x0305, 632 .want_minver = 0, 633 .want_maxver = TLS1_3_VERSION, 634 }, 635 { 636 .ssl_method = TLS_method, 637 .minver = 0, 638 .maxver = TLS1_1_VERSION, 639 .want_minver = 0, 640 .want_maxver = TLS1_1_VERSION, 641 }, 642 { 643 .ssl_method = TLS_method, 644 .minver = 0, 645 .maxver = TLS1_VERSION, 646 .want_minver = 0, 647 .want_maxver = TLS1_VERSION, 648 }, 649 { 650 .ssl_method = TLS_method, 651 .minver = 0, 652 .maxver = 0x0300, 653 .want_max_fail = 1, 654 }, 655 { 656 .ssl_method = TLS_method, 657 .minver = TLS1_2_VERSION, 658 .maxver = TLS1_1_VERSION, 659 .want_minver = TLS1_2_VERSION, 660 .want_maxver = 0, 661 .want_max_fail = 1, 662 }, 663 { 664 .ssl_method = TLSv1_1_method, 665 .minver = 0, 666 .maxver = 0, 667 .want_minver = 0, 668 .want_maxver = 0, 669 }, 670 { 671 .ssl_method = TLSv1_1_method, 672 .minver = TLS1_VERSION, 673 .maxver = TLS1_2_VERSION, 674 .want_minver = TLS1_1_VERSION, 675 .want_maxver = TLS1_1_VERSION, 676 }, 677 { 678 .ssl_method = TLSv1_1_method, 679 .minver = TLS1_2_VERSION, 680 .maxver = 0, 681 .want_minver = 0, 682 .want_maxver = 0, 683 .want_min_fail = 1, 684 }, 685 { 686 .ssl_method = TLSv1_1_method, 687 .minver = 0, 688 .maxver = TLS1_VERSION, 689 .want_minver = 0, 690 .want_maxver = 0, 691 .want_max_fail = 1, 692 }, 693 { 694 .ssl_method = DTLS_method, 695 .minver = 0, 696 .maxver = 0, 697 .want_minver = 0, 698 .want_maxver = 0, 699 }, 700 { 701 .ssl_method = DTLS_method, 702 .minver = 0, 703 .maxver = DTLS1_VERSION, 704 .want_minver = 0, 705 .want_maxver = DTLS1_VERSION, 706 }, 707 { 708 .ssl_method = DTLS_method, 709 .minver = DTLS1_VERSION, 710 .maxver = 0, 711 .want_minver = DTLS1_VERSION, 712 .want_maxver = 0, 713 }, 714 { 715 .ssl_method = DTLS_method, 716 .minver = DTLS1_VERSION, 717 .maxver = DTLS1_2_VERSION, 718 .want_minver = DTLS1_VERSION, 719 .want_maxver = DTLS1_2_VERSION, 720 }, 721 { 722 .ssl_method = DTLSv1_method, 723 .minver = 0, 724 .maxver = 0, 725 .want_minver = 0, 726 .want_maxver = 0, 727 }, 728 { 729 .ssl_method = DTLSv1_method, 730 .minver = DTLS1_VERSION, 731 .maxver = 0, 732 .want_minver = DTLS1_VERSION, 733 .want_maxver = 0, 734 }, 735 { 736 .ssl_method = DTLSv1_method, 737 .minver = 0, 738 .maxver = DTLS1_VERSION, 739 .want_minver = 0, 740 .want_maxver = DTLS1_VERSION, 741 }, 742 { 743 .ssl_method = DTLSv1_method, 744 .minver = 0, 745 .maxver = DTLS1_2_VERSION, 746 .want_minver = 0, 747 .want_maxver = DTLS1_VERSION, 748 }, 749 { 750 .ssl_method = DTLSv1_method, 751 .minver = TLS1_VERSION, 752 .maxver = TLS1_2_VERSION, 753 .want_minver = 0, 754 .want_maxver = 0, 755 .want_min_fail = 1, 756 .want_max_fail = 1, 757 }, 758 }; 759 760 #define N_MIN_MAX_VERSION_TESTS \ 761 (sizeof(min_max_version_tests) / sizeof(*min_max_version_tests)) 762 763 static int 764 test_ssl_min_max_version(void) 765 { 766 struct min_max_version_test *mmvt; 767 SSL_CTX *ssl_ctx = NULL; 768 SSL *ssl = NULL; 769 int failed = 0; 770 size_t i; 771 772 failed = 0; 773 774 fprintf(stderr, "INFO: starting min max version tests...\n"); 775 776 for (i = 0; i < N_MIN_MAX_VERSION_TESTS; i++) { 777 mmvt = &min_max_version_tests[i]; 778 779 if ((ssl_ctx = SSL_CTX_new(mmvt->ssl_method())) == NULL) { 780 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 781 return 1; 782 } 783 784 if (!SSL_CTX_set_min_proto_version(ssl_ctx, mmvt->minver)) { 785 if (!mmvt->want_min_fail) { 786 fprintf(stderr, "FAIL: test %zu - failed to set " 787 "SSL_CTX min version\n", i); 788 failed++; 789 } 790 goto next; 791 } 792 if (!SSL_CTX_set_max_proto_version(ssl_ctx, mmvt->maxver)) { 793 if (!mmvt->want_max_fail) { 794 fprintf(stderr, "FAIL: test %zu - failed to set " 795 "SSL_CTX min version\n", i); 796 failed++; 797 } 798 goto next; 799 } 800 801 if (mmvt->want_min_fail) { 802 fprintf(stderr, "FAIL: test %zu - successfully set " 803 "SSL_CTX min version, should have failed\n", i); 804 failed++; 805 goto next; 806 } 807 if (mmvt->want_max_fail) { 808 fprintf(stderr, "FAIL: test %zu - successfully set " 809 "SSL_CTX max version, should have failed\n", i); 810 failed++; 811 goto next; 812 } 813 814 if (SSL_CTX_get_min_proto_version(ssl_ctx) != mmvt->want_minver) { 815 fprintf(stderr, "FAIL: test %zu - got SSL_CTX min " 816 "version 0x%x, want 0x%x\n", i, 817 SSL_CTX_get_min_proto_version(ssl_ctx), mmvt->want_minver); 818 failed++; 819 goto next; 820 } 821 if (SSL_CTX_get_max_proto_version(ssl_ctx) != mmvt->want_maxver) { 822 fprintf(stderr, "FAIL: test %zu - got SSL_CTX max " 823 "version 0x%x, want 0x%x\n", i, 824 SSL_CTX_get_max_proto_version(ssl_ctx), mmvt->want_maxver); 825 failed++; 826 goto next; 827 } 828 829 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 830 fprintf(stderr, "SSL_new() returned NULL\n"); 831 return 1; 832 } 833 834 if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) { 835 fprintf(stderr, "FAIL: test %zu - initial SSL min " 836 "version 0x%x, want 0x%x\n", i, 837 SSL_get_min_proto_version(ssl), mmvt->want_minver); 838 failed++; 839 goto next; 840 } 841 if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { 842 fprintf(stderr, "FAIL: test %zu - initial SSL max " 843 "version 0x%x, want 0x%x\n", i, 844 SSL_get_max_proto_version(ssl), mmvt->want_maxver); 845 failed++; 846 goto next; 847 } 848 849 if (!SSL_set_min_proto_version(ssl, mmvt->minver)) { 850 if (mmvt->want_min_fail) { 851 fprintf(stderr, "FAIL: test %zu - failed to set " 852 "SSL min version\n", i); 853 failed++; 854 } 855 goto next; 856 } 857 if (!SSL_set_max_proto_version(ssl, mmvt->maxver)) { 858 if (mmvt->want_max_fail) { 859 fprintf(stderr, "FAIL: test %zu - failed to set " 860 "SSL min version\n", i); 861 failed++; 862 } 863 goto next; 864 } 865 866 if (mmvt->want_min_fail) { 867 fprintf(stderr, "FAIL: test %zu - successfully set SSL " 868 "min version, should have failed\n", i); 869 failed++; 870 goto next; 871 } 872 if (mmvt->want_max_fail) { 873 fprintf(stderr, "FAIL: test %zu - successfully set SSL " 874 "max version, should have failed\n", i); 875 failed++; 876 goto next; 877 } 878 879 if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) { 880 fprintf(stderr, "FAIL: test %zu - got SSL min " 881 "version 0x%x, want 0x%x\n", i, 882 SSL_get_min_proto_version(ssl), mmvt->want_minver); 883 failed++; 884 goto next; 885 } 886 if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { 887 fprintf(stderr, "FAIL: test %zu - got SSL max " 888 "version 0x%x, want 0x%x\n", i, 889 SSL_get_max_proto_version(ssl), mmvt->want_maxver); 890 failed++; 891 goto next; 892 } 893 894 next: 895 SSL_CTX_free(ssl_ctx); 896 SSL_free(ssl); 897 898 ssl_ctx = NULL; 899 ssl = NULL; 900 } 901 902 return (failed); 903 } 904 905 int 906 main(int argc, char **argv) 907 { 908 int failed = 0; 909 910 SSL_library_init(); 911 912 /* XXX - Test ssl_supported_version_range() */ 913 914 failed |= test_ssl_enabled_version_range(); 915 failed |= test_ssl_max_shared_version(); 916 failed |= test_ssl_min_max_version(); 917 918 if (failed == 0) 919 printf("PASS %s\n", __FILE__); 920 921 return (failed); 922 } 923