1 /* $OpenBSD: ssl_versions.c,v 1.15 2021/06/27 16:54:55 jsing Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <openssl/ssl.h> 19 20 #include "ssl_locl.h" 21 22 struct version_range_test { 23 const long options; 24 const uint16_t minver; 25 const uint16_t maxver; 26 const uint16_t want_minver; 27 const uint16_t want_maxver; 28 }; 29 30 static struct version_range_test version_range_tests[] = { 31 { 32 .options = 0, 33 .minver = TLS1_VERSION, 34 .maxver = TLS1_3_VERSION, 35 .want_minver = TLS1_VERSION, 36 .want_maxver = TLS1_3_VERSION, 37 }, 38 { 39 .options = 0, 40 .minver = TLS1_VERSION, 41 .maxver = TLS1_2_VERSION, 42 .want_minver = TLS1_VERSION, 43 .want_maxver = TLS1_2_VERSION, 44 }, 45 { 46 .options = SSL_OP_NO_TLSv1, 47 .minver = TLS1_VERSION, 48 .maxver = TLS1_2_VERSION, 49 .want_minver = TLS1_1_VERSION, 50 .want_maxver = TLS1_2_VERSION, 51 }, 52 { 53 .options = SSL_OP_NO_TLSv1_3, 54 .minver = TLS1_VERSION, 55 .maxver = TLS1_3_VERSION, 56 .want_minver = TLS1_VERSION, 57 .want_maxver = TLS1_2_VERSION, 58 }, 59 { 60 .options = SSL_OP_NO_TLSv1_2, 61 .minver = TLS1_VERSION, 62 .maxver = TLS1_2_VERSION, 63 .want_minver = TLS1_VERSION, 64 .want_maxver = TLS1_1_VERSION, 65 }, 66 { 67 .options = SSL_OP_NO_TLSv1_1, 68 .minver = TLS1_VERSION, 69 .maxver = TLS1_2_VERSION, 70 .want_minver = TLS1_VERSION, 71 .want_maxver = TLS1_VERSION, 72 }, 73 { 74 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 75 .minver = TLS1_VERSION, 76 .maxver = TLS1_2_VERSION, 77 .want_minver = TLS1_2_VERSION, 78 .want_maxver = TLS1_2_VERSION, 79 }, 80 { 81 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 82 .minver = TLS1_VERSION, 83 .maxver = TLS1_2_VERSION, 84 .want_minver = TLS1_VERSION, 85 .want_maxver = TLS1_VERSION, 86 }, 87 { 88 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2, 89 .minver = TLS1_VERSION, 90 .maxver = TLS1_2_VERSION, 91 .want_minver = TLS1_1_VERSION, 92 .want_maxver = TLS1_1_VERSION, 93 }, 94 { 95 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 96 SSL_OP_NO_TLSv1_2, 97 .minver = TLS1_VERSION, 98 .maxver = TLS1_2_VERSION, 99 .want_minver = 0, 100 .want_maxver = 0, 101 }, 102 { 103 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 104 SSL_OP_NO_TLSv1_2, 105 .minver = TLS1_VERSION, 106 .maxver = TLS1_3_VERSION, 107 .want_minver = TLS1_3_VERSION, 108 .want_maxver = TLS1_3_VERSION, 109 }, 110 { 111 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 112 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3, 113 .minver = TLS1_VERSION, 114 .maxver = TLS1_3_VERSION, 115 .want_minver = 0, 116 .want_maxver = 0, 117 }, 118 { 119 .options = 0, 120 .minver = TLS1_VERSION, 121 .maxver = TLS1_2_VERSION, 122 .want_minver = TLS1_VERSION, 123 .want_maxver = TLS1_2_VERSION, 124 }, 125 { 126 .options = 0, 127 .minver = TLS1_1_VERSION, 128 .maxver = TLS1_2_VERSION, 129 .want_minver = TLS1_1_VERSION, 130 .want_maxver = TLS1_2_VERSION, 131 }, 132 { 133 .options = 0, 134 .minver = TLS1_2_VERSION, 135 .maxver = TLS1_2_VERSION, 136 .want_minver = TLS1_2_VERSION, 137 .want_maxver = TLS1_2_VERSION, 138 }, 139 { 140 .options = 0, 141 .minver = TLS1_VERSION, 142 .maxver = TLS1_3_VERSION, 143 .want_minver = TLS1_VERSION, 144 .want_maxver = TLS1_3_VERSION, 145 }, 146 { 147 .options = 0, 148 .minver = TLS1_1_VERSION, 149 .maxver = TLS1_3_VERSION, 150 .want_minver = TLS1_1_VERSION, 151 .want_maxver = TLS1_3_VERSION, 152 }, 153 { 154 .options = 0, 155 .minver = TLS1_2_VERSION, 156 .maxver = TLS1_3_VERSION, 157 .want_minver = TLS1_2_VERSION, 158 .want_maxver = TLS1_3_VERSION, 159 }, 160 { 161 .options = 0, 162 .minver = TLS1_3_VERSION, 163 .maxver = TLS1_3_VERSION, 164 .want_minver = TLS1_3_VERSION, 165 .want_maxver = TLS1_3_VERSION, 166 }, 167 { 168 .options = 0, 169 .minver = TLS1_VERSION, 170 .maxver = TLS1_1_VERSION, 171 .want_minver = TLS1_VERSION, 172 .want_maxver = TLS1_1_VERSION, 173 }, 174 { 175 .options = 0, 176 .minver = TLS1_VERSION, 177 .maxver = TLS1_VERSION, 178 .want_minver = TLS1_VERSION, 179 .want_maxver = TLS1_VERSION, 180 }, 181 }; 182 183 #define N_VERSION_RANGE_TESTS \ 184 (sizeof(version_range_tests) / sizeof(*version_range_tests)) 185 186 static int 187 test_ssl_enabled_version_range(void) 188 { 189 struct version_range_test *vrt; 190 uint16_t minver, maxver; 191 SSL_CTX *ssl_ctx = NULL; 192 SSL *ssl = NULL; 193 int failed = 1; 194 size_t i; 195 196 fprintf(stderr, "INFO: starting enabled version range tests...\n"); 197 198 if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) { 199 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 200 goto failure; 201 } 202 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 203 fprintf(stderr, "SSL_new() returned NULL\n"); 204 goto failure; 205 } 206 207 failed = 0; 208 209 for (i = 0; i < N_VERSION_RANGE_TESTS; i++) { 210 vrt = &version_range_tests[i]; 211 212 SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 213 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); 214 SSL_set_options(ssl, vrt->options); 215 216 minver = maxver = 0xffff; 217 ssl->internal->min_tls_version = vrt->minver; 218 ssl->internal->max_tls_version = vrt->maxver; 219 220 if (ssl_enabled_tls_version_range(ssl, &minver, &maxver) != 1) { 221 if (vrt->want_minver != 0 || vrt->want_maxver != 0) { 222 fprintf(stderr, "FAIL: test %zu - failed but " 223 "wanted non-zero versions\n", i); 224 failed++; 225 } 226 continue; 227 } 228 if (minver != vrt->want_minver) { 229 fprintf(stderr, "FAIL: test %zu - got minver %x, " 230 "want %x\n", i, minver, vrt->want_minver); 231 failed++; 232 } 233 if (maxver != vrt->want_maxver) { 234 fprintf(stderr, "FAIL: test %zu - got maxver %x, " 235 "want %x\n", i, maxver, vrt->want_maxver); 236 failed++; 237 } 238 } 239 240 failure: 241 SSL_CTX_free(ssl_ctx); 242 SSL_free(ssl); 243 244 return (failed); 245 } 246 247 struct shared_version_test { 248 const SSL_METHOD *(*ssl_method)(void); 249 const long options; 250 const uint16_t minver; 251 const uint16_t maxver; 252 const uint16_t peerver; 253 const uint16_t want_maxver; 254 }; 255 256 static struct shared_version_test shared_version_tests[] = { 257 { 258 .ssl_method = TLS_method, 259 .options = 0, 260 .minver = TLS1_VERSION, 261 .maxver = TLS1_2_VERSION, 262 .peerver = SSL2_VERSION, 263 .want_maxver = 0, 264 }, 265 { 266 .ssl_method = TLS_method, 267 .options = 0, 268 .minver = TLS1_VERSION, 269 .maxver = TLS1_2_VERSION, 270 .peerver = SSL3_VERSION, 271 .want_maxver = 0, 272 }, 273 { 274 .ssl_method = TLS_method, 275 .options = 0, 276 .minver = TLS1_VERSION, 277 .maxver = TLS1_2_VERSION, 278 .peerver = TLS1_VERSION, 279 .want_maxver = TLS1_VERSION, 280 }, 281 { 282 .ssl_method = TLS_method, 283 .options = 0, 284 .minver = TLS1_VERSION, 285 .maxver = TLS1_2_VERSION, 286 .peerver = TLS1_1_VERSION, 287 .want_maxver = TLS1_1_VERSION, 288 }, 289 { 290 .ssl_method = TLS_method, 291 .options = 0, 292 .minver = TLS1_VERSION, 293 .maxver = TLS1_2_VERSION, 294 .peerver = TLS1_2_VERSION, 295 .want_maxver = TLS1_2_VERSION, 296 }, 297 { 298 .ssl_method = TLS_method, 299 .options = 0, 300 .minver = TLS1_VERSION, 301 .maxver = TLS1_2_VERSION, 302 .peerver = TLS1_3_VERSION, 303 .want_maxver = TLS1_2_VERSION, 304 }, 305 { 306 .ssl_method = TLS_method, 307 .options = 0, 308 .minver = TLS1_VERSION, 309 .maxver = TLS1_2_VERSION, 310 .peerver = 0x7f12, 311 .want_maxver = TLS1_2_VERSION, 312 }, 313 { 314 .ssl_method = TLS_method, 315 .options = SSL_OP_NO_TLSv1_2, 316 .minver = TLS1_VERSION, 317 .maxver = TLS1_2_VERSION, 318 .peerver = TLS1_2_VERSION, 319 .want_maxver = TLS1_1_VERSION, 320 }, 321 { 322 .ssl_method = TLS_method, 323 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 324 .minver = TLS1_VERSION, 325 .maxver = TLS1_2_VERSION, 326 .peerver = TLS1_2_VERSION, 327 .want_maxver = TLS1_VERSION, 328 }, 329 { 330 .ssl_method = TLS_method, 331 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 332 .minver = TLS1_VERSION, 333 .maxver = TLS1_2_VERSION, 334 .peerver = TLS1_2_VERSION, 335 .want_maxver = 0, 336 }, 337 { 338 .ssl_method = TLS_method, 339 .options = SSL_OP_NO_TLSv1, 340 .minver = TLS1_VERSION, 341 .maxver = TLS1_2_VERSION, 342 .peerver = TLS1_1_VERSION, 343 .want_maxver = TLS1_1_VERSION, 344 }, 345 { 346 .ssl_method = TLS_method, 347 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 348 .minver = TLS1_VERSION, 349 .maxver = TLS1_2_VERSION, 350 .peerver = TLS1_1_VERSION, 351 .want_maxver = 0, 352 }, 353 { 354 .ssl_method = TLS_method, 355 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 356 .minver = TLS1_VERSION, 357 .maxver = TLS1_2_VERSION, 358 .peerver = TLS1_1_VERSION, 359 .want_maxver = TLS1_VERSION, 360 }, 361 { 362 .ssl_method = TLS_method, 363 .options = SSL_OP_NO_TLSv1, 364 .minver = TLS1_VERSION, 365 .maxver = TLS1_2_VERSION, 366 .peerver = TLS1_VERSION, 367 .want_maxver = 0, 368 }, 369 { 370 .ssl_method = TLS_method, 371 .options = 0, 372 .minver = TLS1_VERSION, 373 .maxver = TLS1_1_VERSION, 374 .peerver = TLS1_2_VERSION, 375 .want_maxver = TLS1_1_VERSION, 376 }, 377 { 378 .ssl_method = TLS_method, 379 .options = 0, 380 .minver = TLS1_VERSION, 381 .maxver = TLS1_VERSION, 382 .peerver = TLS1_2_VERSION, 383 .want_maxver = TLS1_VERSION, 384 }, 385 { 386 .ssl_method = TLSv1_method, 387 .options = 0, 388 .minver = TLS1_VERSION, 389 .maxver = TLS1_2_VERSION, 390 .peerver = TLS1_VERSION, 391 .want_maxver = TLS1_VERSION, 392 }, 393 { 394 .ssl_method = TLSv1_method, 395 .options = 0, 396 .minver = TLS1_1_VERSION, 397 .maxver = TLS1_2_VERSION, 398 .peerver = TLS1_VERSION, 399 .want_maxver = 0, 400 }, 401 { 402 .ssl_method = TLSv1_1_method, 403 .options = 0, 404 .minver = TLS1_VERSION, 405 .maxver = TLS1_2_VERSION, 406 .peerver = TLS1_1_VERSION, 407 .want_maxver = TLS1_1_VERSION, 408 }, 409 { 410 .ssl_method = DTLS_method, 411 .options = 0, 412 .minver = TLS1_1_VERSION, 413 .maxver = TLS1_2_VERSION, 414 .peerver = DTLS1_VERSION, 415 .want_maxver = DTLS1_VERSION, 416 }, 417 { 418 .ssl_method = DTLS_method, 419 .options = 0, 420 .minver = TLS1_1_VERSION, 421 .maxver = TLS1_2_VERSION, 422 .peerver = DTLS1_2_VERSION, 423 .want_maxver = DTLS1_2_VERSION, 424 }, 425 { 426 .ssl_method = DTLS_method, 427 .options = 0, 428 .minver = TLS1_1_VERSION, 429 .maxver = TLS1_2_VERSION, 430 .peerver = 0xfefc, /* DTLSv1.3, probably. */ 431 .want_maxver = DTLS1_2_VERSION, 432 }, 433 { 434 .ssl_method = DTLSv1_method, 435 .options = 0, 436 .minver = TLS1_1_VERSION, 437 .maxver = TLS1_1_VERSION, 438 .peerver = DTLS1_2_VERSION, 439 .want_maxver = DTLS1_VERSION, 440 }, 441 { 442 .ssl_method = DTLSv1_2_method, 443 .options = 0, 444 .minver = TLS1_2_VERSION, 445 .maxver = TLS1_2_VERSION, 446 .peerver = DTLS1_2_VERSION, 447 .want_maxver = DTLS1_2_VERSION, 448 }, 449 { 450 .ssl_method = DTLSv1_method, 451 .options = 0, 452 .minver = TLS1_1_VERSION, 453 .maxver = TLS1_1_VERSION, 454 .peerver = TLS1_2_VERSION, 455 .want_maxver = 0, 456 }, 457 { 458 .ssl_method = DTLS_method, 459 .options = SSL_OP_NO_DTLSv1, 460 .minver = TLS1_1_VERSION, 461 .maxver = TLS1_2_VERSION, 462 .peerver = DTLS1_VERSION, 463 .want_maxver = 0, 464 }, 465 { 466 .ssl_method = DTLS_method, 467 .options = SSL_OP_NO_DTLSv1, 468 .minver = TLS1_1_VERSION, 469 .maxver = TLS1_2_VERSION, 470 .peerver = DTLS1_2_VERSION, 471 .want_maxver = DTLS1_2_VERSION, 472 }, 473 { 474 .ssl_method = DTLS_method, 475 .options = SSL_OP_NO_DTLSv1_2, 476 .minver = TLS1_1_VERSION, 477 .maxver = TLS1_2_VERSION, 478 .peerver = DTLS1_2_VERSION, 479 .want_maxver = DTLS1_VERSION, 480 }, 481 }; 482 483 #define N_SHARED_VERSION_TESTS \ 484 (sizeof(shared_version_tests) / sizeof(*shared_version_tests)) 485 486 static int 487 test_ssl_max_shared_version(void) 488 { 489 struct shared_version_test *svt; 490 SSL_CTX *ssl_ctx = NULL; 491 SSL *ssl = NULL; 492 uint16_t maxver; 493 int failed = 0; 494 size_t i; 495 496 failed = 0; 497 498 fprintf(stderr, "INFO: starting max shared version tests...\n"); 499 500 for (i = 0; i < N_SHARED_VERSION_TESTS; i++) { 501 svt = &shared_version_tests[i]; 502 503 if ((ssl_ctx = SSL_CTX_new(svt->ssl_method())) == NULL) { 504 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 505 return 1; 506 } 507 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 508 fprintf(stderr, "SSL_new() returned NULL\n"); 509 return 1; 510 } 511 512 SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 513 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); 514 SSL_set_options(ssl, svt->options); 515 516 maxver = 0; 517 ssl->internal->min_tls_version = svt->minver; 518 ssl->internal->max_tls_version = svt->maxver; 519 520 if (!ssl_max_shared_version(ssl, svt->peerver, &maxver)) { 521 if (svt->want_maxver != 0) { 522 fprintf(stderr, "FAIL: test %zu - failed but " 523 "wanted non-zero shared version (peer %x)\n", 524 i, svt->peerver); 525 failed++; 526 } 527 continue; 528 } 529 if (maxver != svt->want_maxver) { 530 fprintf(stderr, "FAIL: test %zu - got shared " 531 "version %x, want %x\n", i, maxver, 532 svt->want_maxver); 533 failed++; 534 } 535 536 SSL_CTX_free(ssl_ctx); 537 SSL_free(ssl); 538 } 539 540 return (failed); 541 } 542 543 struct min_max_version_test { 544 const SSL_METHOD *(*ssl_method)(void); 545 const uint16_t minver; 546 const uint16_t maxver; 547 const uint16_t want_minver; 548 const uint16_t want_maxver; 549 const int want_min_fail; 550 const int want_max_fail; 551 }; 552 553 static struct min_max_version_test min_max_version_tests[] = { 554 { 555 .ssl_method = TLS_method, 556 .minver = 0, 557 .maxver = 0, 558 .want_minver = 0, 559 .want_maxver = 0, 560 }, 561 { 562 .ssl_method = TLS_method, 563 .minver = TLS1_VERSION, 564 .maxver = 0, 565 .want_minver = TLS1_VERSION, 566 .want_maxver = 0, 567 }, 568 { 569 .ssl_method = TLS_method, 570 .minver = 0, 571 .maxver = TLS1_2_VERSION, 572 .want_minver = 0, 573 .want_maxver = TLS1_2_VERSION, 574 }, 575 { 576 .ssl_method = TLS_method, 577 .minver = 0, 578 .maxver = TLS1_3_VERSION, 579 .want_minver = 0, 580 .want_maxver = TLS1_3_VERSION, 581 }, 582 { 583 .ssl_method = TLS_method, 584 .minver = TLS1_VERSION, 585 .maxver = TLS1_2_VERSION, 586 .want_minver = TLS1_VERSION, 587 .want_maxver = TLS1_2_VERSION, 588 }, 589 { 590 .ssl_method = TLS_method, 591 .minver = TLS1_1_VERSION, 592 .maxver = 0, 593 .want_minver = TLS1_1_VERSION, 594 .want_maxver = 0, 595 }, 596 { 597 .ssl_method = TLS_method, 598 .minver = TLS1_2_VERSION, 599 .maxver = 0, 600 .want_minver = TLS1_2_VERSION, 601 .want_maxver = 0, 602 }, 603 { 604 .ssl_method = TLS_method, 605 .minver = 0x0300, 606 .maxver = 0, 607 .want_minver = TLS1_VERSION, 608 .want_maxver = 0, 609 }, 610 { 611 .ssl_method = TLS_method, 612 .minver = 0x0305, 613 .maxver = 0, 614 .want_min_fail = 1, 615 }, 616 { 617 .ssl_method = TLS_method, 618 .minver = 0, 619 .maxver = 0x0305, 620 .want_minver = 0, 621 .want_maxver = TLS1_3_VERSION, 622 }, 623 { 624 .ssl_method = TLS_method, 625 .minver = 0, 626 .maxver = TLS1_1_VERSION, 627 .want_minver = 0, 628 .want_maxver = TLS1_1_VERSION, 629 }, 630 { 631 .ssl_method = TLS_method, 632 .minver = 0, 633 .maxver = TLS1_VERSION, 634 .want_minver = 0, 635 .want_maxver = TLS1_VERSION, 636 }, 637 { 638 .ssl_method = TLS_method, 639 .minver = 0, 640 .maxver = 0x0300, 641 .want_max_fail = 1, 642 }, 643 { 644 .ssl_method = TLS_method, 645 .minver = TLS1_2_VERSION, 646 .maxver = TLS1_1_VERSION, 647 .want_minver = TLS1_2_VERSION, 648 .want_maxver = 0, 649 .want_max_fail = 1, 650 }, 651 { 652 .ssl_method = TLSv1_1_method, 653 .minver = 0, 654 .maxver = 0, 655 .want_minver = 0, 656 .want_maxver = 0, 657 }, 658 { 659 .ssl_method = TLSv1_1_method, 660 .minver = TLS1_VERSION, 661 .maxver = TLS1_2_VERSION, 662 .want_minver = TLS1_1_VERSION, 663 .want_maxver = TLS1_1_VERSION, 664 }, 665 { 666 .ssl_method = TLSv1_1_method, 667 .minver = TLS1_2_VERSION, 668 .maxver = 0, 669 .want_minver = 0, 670 .want_maxver = 0, 671 .want_min_fail = 1, 672 }, 673 { 674 .ssl_method = TLSv1_1_method, 675 .minver = 0, 676 .maxver = TLS1_VERSION, 677 .want_minver = 0, 678 .want_maxver = 0, 679 .want_max_fail = 1, 680 }, 681 { 682 .ssl_method = DTLS_method, 683 .minver = 0, 684 .maxver = 0, 685 .want_minver = 0, 686 .want_maxver = 0, 687 }, 688 { 689 .ssl_method = DTLS_method, 690 .minver = 0, 691 .maxver = DTLS1_VERSION, 692 .want_minver = 0, 693 .want_maxver = DTLS1_VERSION, 694 }, 695 { 696 .ssl_method = DTLS_method, 697 .minver = DTLS1_VERSION, 698 .maxver = 0, 699 .want_minver = DTLS1_VERSION, 700 .want_maxver = 0, 701 }, 702 { 703 .ssl_method = DTLS_method, 704 .minver = DTLS1_VERSION, 705 .maxver = DTLS1_2_VERSION, 706 .want_minver = DTLS1_VERSION, 707 .want_maxver = DTLS1_2_VERSION, 708 }, 709 { 710 .ssl_method = DTLSv1_method, 711 .minver = 0, 712 .maxver = 0, 713 .want_minver = 0, 714 .want_maxver = 0, 715 }, 716 { 717 .ssl_method = DTLSv1_method, 718 .minver = DTLS1_VERSION, 719 .maxver = 0, 720 .want_minver = DTLS1_VERSION, 721 .want_maxver = 0, 722 }, 723 { 724 .ssl_method = DTLSv1_method, 725 .minver = 0, 726 .maxver = DTLS1_VERSION, 727 .want_minver = 0, 728 .want_maxver = DTLS1_VERSION, 729 }, 730 { 731 .ssl_method = DTLSv1_method, 732 .minver = 0, 733 .maxver = DTLS1_2_VERSION, 734 .want_minver = 0, 735 .want_maxver = DTLS1_VERSION, 736 }, 737 { 738 .ssl_method = DTLSv1_method, 739 .minver = TLS1_VERSION, 740 .maxver = TLS1_2_VERSION, 741 .want_minver = 0, 742 .want_maxver = 0, 743 .want_min_fail = 1, 744 .want_max_fail = 1, 745 }, 746 }; 747 748 #define N_MIN_MAX_VERSION_TESTS \ 749 (sizeof(min_max_version_tests) / sizeof(*min_max_version_tests)) 750 751 static int 752 test_ssl_min_max_version(void) 753 { 754 struct min_max_version_test *mmvt; 755 SSL_CTX *ssl_ctx = NULL; 756 SSL *ssl = NULL; 757 int failed = 0; 758 size_t i; 759 760 failed = 0; 761 762 fprintf(stderr, "INFO: starting min max version tests...\n"); 763 764 for (i = 0; i < N_MIN_MAX_VERSION_TESTS; i++) { 765 mmvt = &min_max_version_tests[i]; 766 767 if ((ssl_ctx = SSL_CTX_new(mmvt->ssl_method())) == NULL) { 768 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 769 return 1; 770 } 771 772 if (!SSL_CTX_set_min_proto_version(ssl_ctx, mmvt->minver)) { 773 if (!mmvt->want_min_fail) { 774 fprintf(stderr, "FAIL: test %zu - failed to set " 775 "SSL_CTX min version\n", i); 776 failed++; 777 } 778 goto next; 779 } 780 if (!SSL_CTX_set_max_proto_version(ssl_ctx, mmvt->maxver)) { 781 if (!mmvt->want_max_fail) { 782 fprintf(stderr, "FAIL: test %zu - failed to set " 783 "SSL_CTX min version\n", i); 784 failed++; 785 } 786 goto next; 787 } 788 789 if (mmvt->want_min_fail) { 790 fprintf(stderr, "FAIL: test %zu - successfully set " 791 "SSL_CTX min version, should have failed\n", i); 792 failed++; 793 goto next; 794 } 795 if (mmvt->want_max_fail) { 796 fprintf(stderr, "FAIL: test %zu - successfully set " 797 "SSL_CTX max version, should have failed\n", i); 798 failed++; 799 goto next; 800 } 801 802 if (SSL_CTX_get_min_proto_version(ssl_ctx) != mmvt->want_minver) { 803 fprintf(stderr, "FAIL: test %zu - got SSL_CTX min " 804 "version 0x%x, want 0x%x\n", i, 805 SSL_CTX_get_min_proto_version(ssl_ctx), mmvt->want_minver); 806 failed++; 807 goto next; 808 } 809 if (SSL_CTX_get_max_proto_version(ssl_ctx) != mmvt->want_maxver) { 810 fprintf(stderr, "FAIL: test %zu - got SSL_CTX max " 811 "version 0x%x, want 0x%x\n", i, 812 SSL_CTX_get_max_proto_version(ssl_ctx), mmvt->want_maxver); 813 failed++; 814 goto next; 815 } 816 817 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 818 fprintf(stderr, "SSL_new() returned NULL\n"); 819 return 1; 820 } 821 822 if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) { 823 fprintf(stderr, "FAIL: test %zu - initial SSL min " 824 "version 0x%x, want 0x%x\n", i, 825 SSL_get_min_proto_version(ssl), mmvt->want_minver); 826 failed++; 827 goto next; 828 } 829 if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { 830 fprintf(stderr, "FAIL: test %zu - initial SSL max " 831 "version 0x%x, want 0x%x\n", i, 832 SSL_get_max_proto_version(ssl), mmvt->want_maxver); 833 failed++; 834 goto next; 835 } 836 837 if (!SSL_set_min_proto_version(ssl, mmvt->minver)) { 838 if (mmvt->want_min_fail) { 839 fprintf(stderr, "FAIL: test %zu - failed to set " 840 "SSL min version\n", i); 841 failed++; 842 } 843 goto next; 844 } 845 if (!SSL_set_max_proto_version(ssl, mmvt->maxver)) { 846 if (mmvt->want_max_fail) { 847 fprintf(stderr, "FAIL: test %zu - failed to set " 848 "SSL min version\n", i); 849 failed++; 850 } 851 goto next; 852 } 853 854 if (mmvt->want_min_fail) { 855 fprintf(stderr, "FAIL: test %zu - successfully set SSL " 856 "min version, should have failed\n", i); 857 failed++; 858 goto next; 859 } 860 if (mmvt->want_max_fail) { 861 fprintf(stderr, "FAIL: test %zu - successfully set SSL " 862 "max version, should have failed\n", i); 863 failed++; 864 goto next; 865 } 866 867 if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) { 868 fprintf(stderr, "FAIL: test %zu - got SSL min " 869 "version 0x%x, want 0x%x\n", i, 870 SSL_get_min_proto_version(ssl), mmvt->want_minver); 871 failed++; 872 goto next; 873 } 874 if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { 875 fprintf(stderr, "FAIL: test %zu - got SSL max " 876 "version 0x%x, want 0x%x\n", i, 877 SSL_get_max_proto_version(ssl), mmvt->want_maxver); 878 failed++; 879 goto next; 880 } 881 882 next: 883 SSL_CTX_free(ssl_ctx); 884 SSL_free(ssl); 885 886 ssl_ctx = NULL; 887 ssl = NULL; 888 } 889 890 return (failed); 891 } 892 893 int 894 main(int argc, char **argv) 895 { 896 int failed = 0; 897 898 SSL_library_init(); 899 900 /* XXX - Test ssl_supported_version_range() */ 901 902 failed |= test_ssl_enabled_version_range(); 903 failed |= test_ssl_max_shared_version(); 904 failed |= test_ssl_min_max_version(); 905 906 if (failed == 0) 907 printf("PASS %s\n", __FILE__); 908 909 return (failed); 910 } 911