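/* $OpenBSD: ssl_versions.c,v 1.16 2021/12/29 23:04:12 tb Exp $ */
/*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Regression tests for libssl protocol version selection:
 *
 *   - the enabled TLS version range derived from a configured min/max and
 *     the SSL_OP_NO_* options (ssl_enabled_tls_version_range()),
 *   - the highest version shared with a peer (ssl_max_shared_version()),
 *   - the public SSL_CTX/SSL min/max protocol version setters and getters.
 *
 * Each suite is table driven: an entry holds the inputs and the expected
 * outcome, the driver prints "FAIL: test <index> ..." for every mismatch and
 * returns the number of failing entries (non-zero means failure).
 */

#include <stdint.h>
#include <stdio.h>

#include <openssl/ssl.h>

#include "ssl_locl.h"

/*
 * Input and expected output for ssl_enabled_tls_version_range().
 * want_minver == want_maxver == 0 means the call is expected to fail
 * (every version in the configured range is disabled by options).
 */
struct version_range_test {
	const long options;		/* SSL_OP_NO_* bits to set */
	const uint16_t minver;		/* configured minimum TLS version */
	const uint16_t maxver;		/* configured maximum TLS version */
	const uint16_t want_minver;	/* expected enabled minimum */
	const uint16_t want_maxver;	/* expected enabled maximum */
};

static const struct version_range_test version_range_tests[] = {
	/* No options: the enabled range is the configured range. */
	{
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_3_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_3_VERSION,
	},
	{
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_2_VERSION,
	},
	/* Disabling a version at either end of the range narrows it. */
	{
		.options = SSL_OP_NO_TLSv1,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_1_VERSION,
		.want_maxver = TLS1_2_VERSION,
	},
	{
		.options = SSL_OP_NO_TLSv1_3,
		.minver = TLS1_VERSION,
		.maxver = TLS1_3_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_2_VERSION,
	},
	{
		.options = SSL_OP_NO_TLSv1_2,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_1_VERSION,
	},
	/*
	 * Disabling a version in the middle leaves a hole; the enabled
	 * range collapses to the contiguous run starting at the minimum.
	 */
	{
		.options = SSL_OP_NO_TLSv1_1,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_VERSION,
	},
	{
		.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_2_VERSION,
		.want_maxver = TLS1_2_VERSION,
	},
	{
		.options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_VERSION,
	},
	{
		.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_1_VERSION,
		.want_maxver = TLS1_1_VERSION,
	},
	/* Everything in range disabled: the call must fail. */
	{
		.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
		    SSL_OP_NO_TLSv1_2,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = 0,
		.want_maxver = 0,
	},
	{
		.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
		    SSL_OP_NO_TLSv1_2,
		.minver = TLS1_VERSION,
		.maxver = TLS1_3_VERSION,
		.want_minver = TLS1_3_VERSION,
		.want_maxver = TLS1_3_VERSION,
	},
	{
		.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
		    SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3,
		.minver = TLS1_VERSION,
		.maxver = TLS1_3_VERSION,
		.want_minver = 0,
		.want_maxver = 0,
	},
	/* Configured ranges of every width without options. */
	{
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_2_VERSION,
	},
	{
		.options = 0,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_1_VERSION,
		.want_maxver = TLS1_2_VERSION,
	},
	{
		.options = 0,
		.minver = TLS1_2_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_2_VERSION,
		.want_maxver = TLS1_2_VERSION,
	},
	{
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_3_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_3_VERSION,
	},
	{
		.options = 0,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_3_VERSION,
		.want_minver = TLS1_1_VERSION,
		.want_maxver = TLS1_3_VERSION,
	},
	{
		.options = 0,
		.minver = TLS1_2_VERSION,
		.maxver = TLS1_3_VERSION,
		.want_minver = TLS1_2_VERSION,
		.want_maxver = TLS1_3_VERSION,
	},
	{
		.options = 0,
		.minver = TLS1_3_VERSION,
		.maxver = TLS1_3_VERSION,
		.want_minver = TLS1_3_VERSION,
		.want_maxver = TLS1_3_VERSION,
	},
	{
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_1_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_1_VERSION,
	},
	{
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_VERSION,
	},
};

#define N_VERSION_RANGE_TESTS \
	(sizeof(version_range_tests) / sizeof(*version_range_tests))

/*
 * Run the version_range_tests table against ssl_enabled_tls_version_range().
 *
 * A single SSL is reused for all entries; the configured range is written
 * into ssl->internal directly rather than through the public setters, which
 * keeps this suite independent of the setters (tested separately below).
 *
 * Returns the number of failing entries, or 1 if the SSL_CTX/SSL could not
 * be created.
 */
static int
test_ssl_enabled_version_range(void)
{
	const struct version_range_test *vrt;
	uint16_t minver, maxver;
	SSL_CTX *ssl_ctx = NULL;
	SSL *ssl = NULL;
	int failed = 1;
	size_t i;

	fprintf(stderr, "INFO: starting enabled version range tests...\n");

	if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) {
		fprintf(stderr, "SSL_CTX_new() returned NULL\n");
		goto failure;
	}
	if ((ssl = SSL_new(ssl_ctx)) == NULL) {
		fprintf(stderr, "SSL_new() returned NULL\n");
		goto failure;
	}

	failed = 0;

	for (i = 0; i < N_VERSION_RANGE_TESTS; i++) {
		vrt = &version_range_tests[i];

		/*
		 * Options accumulate on the SSL, so drop every SSL_OP_NO_*
		 * bit left behind by the previous entry before applying
		 * this entry's options.
		 */
		SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
		    SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
		SSL_set_options(ssl, vrt->options);

		/* Sentinel value: catches outputs left unwritten on success. */
		minver = maxver = 0xffff;
		ssl->internal->min_tls_version = vrt->minver;
		ssl->internal->max_tls_version = vrt->maxver;

		if (ssl_enabled_tls_version_range(ssl, &minver, &maxver) != 1) {
			/* Failure is only correct when no version is wanted. */
			if (vrt->want_minver != 0 || vrt->want_maxver != 0) {
				fprintf(stderr, "FAIL: test %zu - failed but "
				    "wanted non-zero versions\n", i);
				failed++;
			}
			continue;
		}
		if (minver != vrt->want_minver) {
			fprintf(stderr, "FAIL: test %zu - got minver %x, "
			    "want %x\n", i, minver, vrt->want_minver);
			failed++;
		}
		if (maxver != vrt->want_maxver) {
			fprintf(stderr, "FAIL: test %zu - got maxver %x, "
			    "want %x\n", i, maxver, vrt->want_maxver);
			failed++;
		}
	}

 failure:
	SSL_free(ssl);
	SSL_CTX_free(ssl_ctx);

	return (failed);
}

/*
 * Input and expected output for ssl_max_shared_version().
 * peerver is the version offered by the peer; want_maxver == 0 means no
 * version is shared and the call is expected to fail.
 */
struct shared_version_test {
	const SSL_METHOD *(*ssl_method)(void);	/* method for the SSL_CTX */
	const long options;			/* SSL_OP_NO_* bits to set */
	const uint16_t minver;			/* configured minimum version */
	const uint16_t maxver;			/* configured maximum version */
	const uint16_t peerver;			/* version offered by the peer */
	const uint16_t want_maxver;		/* expected shared version */
};

static const struct shared_version_test shared_version_tests[] = {
	/* Legacy versions below the supported floor are never shared. */
	{
		.ssl_method = TLS_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = SSL2_VERSION,
		.want_maxver = 0,
	},
	{
		.ssl_method = TLS_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = SSL3_VERSION,
		.want_maxver = 0,
	},
	/* A peer version inside our range is shared as-is. */
	{
		.ssl_method = TLS_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_VERSION,
		.want_maxver = TLS1_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_1_VERSION,
		.want_maxver = TLS1_1_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_2_VERSION,
		.want_maxver = TLS1_2_VERSION,
	},
	/* A peer version above our maximum is capped at our maximum. */
	{
		.ssl_method = TLS_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_3_VERSION,
		.want_maxver = TLS1_2_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = 0x7f12,	/* TLS 1.3 draft version number. */
		.want_maxver = TLS1_2_VERSION,
	},
	/* Versions disabled via options are skipped when sharing. */
	{
		.ssl_method = TLS_method,
		.options = SSL_OP_NO_TLSv1_2,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_2_VERSION,
		.want_maxver = TLS1_1_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_2_VERSION,
		.want_maxver = TLS1_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_2_VERSION,
		.want_maxver = 0,
	},
	{
		.ssl_method = TLS_method,
		.options = SSL_OP_NO_TLSv1,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_1_VERSION,
		.want_maxver = TLS1_1_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_1_VERSION,
		.want_maxver = 0,
	},
	{
		.ssl_method = TLS_method,
		.options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_1_VERSION,
		.want_maxver = TLS1_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.options = SSL_OP_NO_TLSv1,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_VERSION,
		.want_maxver = 0,
	},
	/* The configured maximum caps the shared version. */
	{
		.ssl_method = TLS_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_1_VERSION,
		.peerver = TLS1_2_VERSION,
		.want_maxver = TLS1_1_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_VERSION,
		.peerver = TLS1_2_VERSION,
		.want_maxver = TLS1_VERSION,
	},
	/* Version-specific methods only ever share their own version. */
	{
		.ssl_method = TLSv1_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_VERSION,
		.want_maxver = TLS1_VERSION,
	},
	{
		.ssl_method = TLSv1_method,
		.options = 0,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_VERSION,
		.want_maxver = 0,
	},
	{
		.ssl_method = TLSv1_1_method,
		.options = 0,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = TLS1_1_VERSION,
		.want_maxver = TLS1_1_VERSION,
	},
	/*
	 * DTLS: the configured range is expressed in TLS versions, the
	 * peer and shared versions in DTLS versions.
	 */
	{
		.ssl_method = DTLS_method,
		.options = 0,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = DTLS1_VERSION,
		.want_maxver = DTLS1_VERSION,
	},
	{
		.ssl_method = DTLS_method,
		.options = 0,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = DTLS1_2_VERSION,
		.want_maxver = DTLS1_2_VERSION,
	},
	{
		.ssl_method = DTLS_method,
		.options = 0,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = 0xfefc, /* DTLSv1.3, probably. */
		.want_maxver = DTLS1_2_VERSION,
	},
	{
		.ssl_method = DTLSv1_method,
		.options = 0,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_1_VERSION,
		.peerver = DTLS1_2_VERSION,
		.want_maxver = DTLS1_VERSION,
	},
	{
		.ssl_method = DTLSv1_2_method,
		.options = 0,
		.minver = TLS1_2_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = DTLS1_2_VERSION,
		.want_maxver = DTLS1_2_VERSION,
	},
	/* A TLS version offered to a DTLS method is not shared. */
	{
		.ssl_method = DTLSv1_method,
		.options = 0,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_1_VERSION,
		.peerver = TLS1_2_VERSION,
		.want_maxver = 0,
	},
	{
		.ssl_method = DTLS_method,
		.options = SSL_OP_NO_DTLSv1,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = DTLS1_VERSION,
		.want_maxver = 0,
	},
	{
		.ssl_method = DTLS_method,
		.options = SSL_OP_NO_DTLSv1,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = DTLS1_2_VERSION,
		.want_maxver = DTLS1_2_VERSION,
	},
	{
		.ssl_method = DTLS_method,
		.options = SSL_OP_NO_DTLSv1_2,
		.minver = TLS1_1_VERSION,
		.maxver = TLS1_2_VERSION,
		.peerver = DTLS1_2_VERSION,
		.want_maxver = DTLS1_VERSION,
	},
};

#define N_SHARED_VERSION_TESTS \
	(sizeof(shared_version_tests) / sizeof(*shared_version_tests))

/*
 * Run the shared_version_tests table against ssl_max_shared_version().
 *
 * Each entry gets a fresh SSL_CTX/SSL, since the method varies per entry.
 * The objects are released on every path through the loop; the previous
 * version of this driver skipped the release when ssl_max_shared_version()
 * failed, leaking one SSL_CTX and SSL per such entry.
 *
 * Returns the number of failing entries (plus one if object creation
 * failed, which aborts the suite).
 */
static int
test_ssl_max_shared_version(void)
{
	const struct shared_version_test *svt;
	SSL_CTX *ssl_ctx = NULL;
	SSL *ssl = NULL;
	uint16_t maxver;
	int failed = 0;
	size_t i;

	fprintf(stderr, "INFO: starting max shared version tests...\n");

	for (i = 0; i < N_SHARED_VERSION_TESTS; i++) {
		svt = &shared_version_tests[i];

		if ((ssl_ctx = SSL_CTX_new(svt->ssl_method())) == NULL) {
			fprintf(stderr, "SSL_CTX_new() returned NULL\n");
			failed++;
			goto err;
		}
		if ((ssl = SSL_new(ssl_ctx)) == NULL) {
			fprintf(stderr, "SSL_new() returned NULL\n");
			failed++;
			goto err;
		}

		/* Start from a clean option set, then apply this entry's. */
		SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
		    SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
		SSL_set_options(ssl, svt->options);

		maxver = 0;
		ssl->internal->min_tls_version = svt->minver;
		ssl->internal->max_tls_version = svt->maxver;

		if (!ssl_max_shared_version(ssl, svt->peerver, &maxver)) {
			/* Failure is only correct when nothing is shared. */
			if (svt->want_maxver != 0) {
				fprintf(stderr, "FAIL: test %zu - failed but "
				    "wanted non-zero shared version (peer %x)\n",
				    i, svt->peerver);
				failed++;
			}
		} else if (maxver != svt->want_maxver) {
			fprintf(stderr, "FAIL: test %zu - got shared "
			    "version %x, want %x\n", i, maxver,
			    svt->want_maxver);
			failed++;
		}

		/* Reached on every path, so nothing leaks per entry. */
		SSL_free(ssl);
		SSL_CTX_free(ssl_ctx);
		ssl_ctx = NULL;
		ssl = NULL;
	}

 err:
	SSL_free(ssl);
	SSL_CTX_free(ssl_ctx);

	return (failed);
}

/*
 * Input and expected output for the min/max protocol version setters.
 *
 * minver/maxver are passed to SSL_CTX_set_{min,max}_proto_version() and
 * then SSL_set_{min,max}_proto_version(); 0 means "no limit".  want_*_fail
 * non-zero means the corresponding setter is expected to reject the value;
 * want_minver/want_maxver are what the getters must report otherwise.
 */
struct min_max_version_test {
	const SSL_METHOD *(*ssl_method)(void);	/* method for the SSL_CTX */
	const uint16_t minver;			/* value given to set_min */
	const uint16_t maxver;			/* value given to set_max */
	const uint16_t want_minver;		/* expected get_min result */
	const uint16_t want_maxver;		/* expected get_max result */
	const int want_min_fail;		/* set_min expected to fail */
	const int want_max_fail;		/* set_max expected to fail */
};

static const struct min_max_version_test min_max_version_tests[] = {
	{
		.ssl_method = TLS_method,
		.minver = 0,
		.maxver = 0,
		.want_minver = 0,
		.want_maxver = 0,
	},
	{
		.ssl_method = TLS_method,
		.minver = TLS1_VERSION,
		.maxver = 0,
		.want_minver = TLS1_VERSION,
		.want_maxver = 0,
	},
	{
		.ssl_method = TLS_method,
		.minver = 0,
		.maxver = TLS1_2_VERSION,
		.want_minver = 0,
		.want_maxver = TLS1_2_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.minver = 0,
		.maxver = TLS1_3_VERSION,
		.want_minver = 0,
		.want_maxver = TLS1_3_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_VERSION,
		.want_maxver = TLS1_2_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.minver = TLS1_1_VERSION,
		.maxver = 0,
		.want_minver = TLS1_1_VERSION,
		.want_maxver = 0,
	},
	{
		.ssl_method = TLS_method,
		.minver = TLS1_2_VERSION,
		.maxver = 0,
		.want_minver = TLS1_2_VERSION,
		.want_maxver = 0,
	},
	/* A minimum below the supported floor (SSL 3.0) is raised to it. */
	{
		.ssl_method = TLS_method,
		.minver = 0x0300,
		.maxver = 0,
		.want_minver = TLS1_VERSION,
		.want_maxver = 0,
	},
	/* A minimum above the supported ceiling is rejected... */
	{
		.ssl_method = TLS_method,
		.minver = 0x0305,
		.maxver = 0,
		.want_min_fail = 1,
	},
	/* ...while a maximum above it is lowered to the ceiling. */
	{
		.ssl_method = TLS_method,
		.minver = 0,
		.maxver = 0x0305,
		.want_minver = 0,
		.want_maxver = TLS1_3_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.minver = 0,
		.maxver = TLS1_1_VERSION,
		.want_minver = 0,
		.want_maxver = TLS1_1_VERSION,
	},
	{
		.ssl_method = TLS_method,
		.minver = 0,
		.maxver = TLS1_VERSION,
		.want_minver = 0,
		.want_maxver = TLS1_VERSION,
	},
	/* A maximum below the supported floor is rejected. */
	{
		.ssl_method = TLS_method,
		.minver = 0,
		.maxver = 0x0300,
		.want_max_fail = 1,
	},
	/* A maximum below the already-set minimum is rejected. */
	{
		.ssl_method = TLS_method,
		.minver = TLS1_2_VERSION,
		.maxver = TLS1_1_VERSION,
		.want_minver = TLS1_2_VERSION,
		.want_maxver = 0,
		.want_max_fail = 1,
	},
	/* Version-specific methods clamp to, or reject outside, their version. */
	{
		.ssl_method = TLSv1_1_method,
		.minver = 0,
		.maxver = 0,
		.want_minver = 0,
		.want_maxver = 0,
	},
	{
		.ssl_method = TLSv1_1_method,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = TLS1_1_VERSION,
		.want_maxver = TLS1_1_VERSION,
	},
	{
		.ssl_method = TLSv1_1_method,
		.minver = TLS1_2_VERSION,
		.maxver = 0,
		.want_minver = 0,
		.want_maxver = 0,
		.want_min_fail = 1,
	},
	{
		.ssl_method = TLSv1_1_method,
		.minver = 0,
		.maxver = TLS1_VERSION,
		.want_minver = 0,
		.want_maxver = 0,
		.want_max_fail = 1,
	},
	/* DTLS methods take DTLS version numbers. */
	{
		.ssl_method = DTLS_method,
		.minver = 0,
		.maxver = 0,
		.want_minver = 0,
		.want_maxver = 0,
	},
	{
		.ssl_method = DTLS_method,
		.minver = 0,
		.maxver = DTLS1_VERSION,
		.want_minver = 0,
		.want_maxver = DTLS1_VERSION,
	},
	{
		.ssl_method = DTLS_method,
		.minver = DTLS1_VERSION,
		.maxver = 0,
		.want_minver = DTLS1_VERSION,
		.want_maxver = 0,
	},
	{
		.ssl_method = DTLS_method,
		.minver = DTLS1_VERSION,
		.maxver = DTLS1_2_VERSION,
		.want_minver = DTLS1_VERSION,
		.want_maxver = DTLS1_2_VERSION,
	},
	{
		.ssl_method = DTLSv1_method,
		.minver = 0,
		.maxver = 0,
		.want_minver = 0,
		.want_maxver = 0,
	},
	{
		.ssl_method = DTLSv1_method,
		.minver = DTLS1_VERSION,
		.maxver = 0,
		.want_minver = DTLS1_VERSION,
		.want_maxver = 0,
	},
	{
		.ssl_method = DTLSv1_method,
		.minver = 0,
		.maxver = DTLS1_VERSION,
		.want_minver = 0,
		.want_maxver = DTLS1_VERSION,
	},
	{
		.ssl_method = DTLSv1_method,
		.minver = 0,
		.maxver = DTLS1_2_VERSION,
		.want_minver = 0,
		.want_maxver = DTLS1_VERSION,
	},
	/* TLS version numbers are rejected by a DTLS method. */
	{
		.ssl_method = DTLSv1_method,
		.minver = TLS1_VERSION,
		.maxver = TLS1_2_VERSION,
		.want_minver = 0,
		.want_maxver = 0,
		.want_min_fail = 1,
		.want_max_fail = 1,
	},
};

#define N_MIN_MAX_VERSION_TESTS \
	(sizeof(min_max_version_tests) / sizeof(*min_max_version_tests))

/*
 * Run the min_max_version_tests table against the public setters/getters.
 *
 * For each entry: set min then max on a fresh SSL_CTX and check the getters,
 * then create an SSL from it, check the SSL inherited the same values, and
 * repeat the set/get sequence on the SSL.  Any step that fails (expected or
 * not) ends the entry and moves on to the next one.
 *
 * Corrections relative to the previous version of this driver: the
 * "failed to set" messages for the max setters named the min setter, the
 * SSL-level "failed to set" branches tested want_*_fail with the opposite
 * sense to the SSL_CTX-level ones (so an unexpected SSL setter failure was
 * never reported), and the SSL_CTX leaked when SSL_new() failed.
 *
 * Returns the number of failing entries, or 1 if object creation failed.
 */
static int
test_ssl_min_max_version(void)
{
	const struct min_max_version_test *mmvt;
	SSL_CTX *ssl_ctx = NULL;
	SSL *ssl = NULL;
	int failed = 0;
	size_t i;

	fprintf(stderr, "INFO: starting min max version tests...\n");

	for (i = 0; i < N_MIN_MAX_VERSION_TESTS; i++) {
		mmvt = &min_max_version_tests[i];

		if ((ssl_ctx = SSL_CTX_new(mmvt->ssl_method())) == NULL) {
			fprintf(stderr, "SSL_CTX_new() returned NULL\n");
			return 1;
		}

		/* SSL_CTX level: set, then verify expected failures. */
		if (!SSL_CTX_set_min_proto_version(ssl_ctx, mmvt->minver)) {
			if (!mmvt->want_min_fail) {
				fprintf(stderr, "FAIL: test %zu - failed to set "
				    "SSL_CTX min version\n", i);
				failed++;
			}
			goto next;
		}
		if (!SSL_CTX_set_max_proto_version(ssl_ctx, mmvt->maxver)) {
			if (!mmvt->want_max_fail) {
				fprintf(stderr, "FAIL: test %zu - failed to set "
				    "SSL_CTX max version\n", i);
				failed++;
			}
			goto next;
		}

		if (mmvt->want_min_fail) {
			fprintf(stderr, "FAIL: test %zu - successfully set "
			    "SSL_CTX min version, should have failed\n", i);
			failed++;
			goto next;
		}
		if (mmvt->want_max_fail) {
			fprintf(stderr, "FAIL: test %zu - successfully set "
			    "SSL_CTX max version, should have failed\n", i);
			failed++;
			goto next;
		}

		if (SSL_CTX_get_min_proto_version(ssl_ctx) != mmvt->want_minver) {
			fprintf(stderr, "FAIL: test %zu - got SSL_CTX min "
			    "version 0x%x, want 0x%x\n", i,
			    SSL_CTX_get_min_proto_version(ssl_ctx), mmvt->want_minver);
			failed++;
			goto next;
		}
		if (SSL_CTX_get_max_proto_version(ssl_ctx) != mmvt->want_maxver) {
			fprintf(stderr, "FAIL: test %zu - got SSL_CTX max "
			    "version 0x%x, want 0x%x\n", i,
			    SSL_CTX_get_max_proto_version(ssl_ctx), mmvt->want_maxver);
			failed++;
			goto next;
		}

		if ((ssl = SSL_new(ssl_ctx)) == NULL) {
			fprintf(stderr, "SSL_new() returned NULL\n");
			SSL_CTX_free(ssl_ctx);
			return 1;
		}

		/* A new SSL must inherit the SSL_CTX's range. */
		if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) {
			fprintf(stderr, "FAIL: test %zu - initial SSL min "
			    "version 0x%x, want 0x%x\n", i,
			    SSL_get_min_proto_version(ssl), mmvt->want_minver);
			failed++;
			goto next;
		}
		if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) {
			fprintf(stderr, "FAIL: test %zu - initial SSL max "
			    "version 0x%x, want 0x%x\n", i,
			    SSL_get_max_proto_version(ssl), mmvt->want_maxver);
			failed++;
			goto next;
		}

		/*
		 * SSL level: same sequence as for the SSL_CTX.  Entries with
		 * want_*_fail set never reach this point (the SSL_CTX setter
		 * already failed or was reported above), so a setter failure
		 * here is only acceptable if the table says so.
		 */
		if (!SSL_set_min_proto_version(ssl, mmvt->minver)) {
			if (!mmvt->want_min_fail) {
				fprintf(stderr, "FAIL: test %zu - failed to set "
				    "SSL min version\n", i);
				failed++;
			}
			goto next;
		}
		if (!SSL_set_max_proto_version(ssl, mmvt->maxver)) {
			if (!mmvt->want_max_fail) {
				fprintf(stderr, "FAIL: test %zu - failed to set "
				    "SSL max version\n", i);
				failed++;
			}
			goto next;
		}

		if (mmvt->want_min_fail) {
			fprintf(stderr, "FAIL: test %zu - successfully set SSL "
			    "min version, should have failed\n", i);
			failed++;
			goto next;
		}
		if (mmvt->want_max_fail) {
			fprintf(stderr, "FAIL: test %zu - successfully set SSL "
			    "max version, should have failed\n", i);
			failed++;
			goto next;
		}

		if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) {
			fprintf(stderr, "FAIL: test %zu - got SSL min "
			    "version 0x%x, want 0x%x\n", i,
			    SSL_get_min_proto_version(ssl), mmvt->want_minver);
			failed++;
			goto next;
		}
		if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) {
			fprintf(stderr, "FAIL: test %zu - got SSL max "
			    "version 0x%x, want 0x%x\n", i,
			    SSL_get_max_proto_version(ssl), mmvt->want_maxver);
			failed++;
			goto next;
		}

 next:
		/* Per-entry cleanup; ssl may still be NULL here. */
		SSL_free(ssl);
		SSL_CTX_free(ssl_ctx);

		ssl_ctx = NULL;
		ssl = NULL;
	}

	return (failed);
}

/*
 * Run all suites.  The failure counts are OR'ed together, so the exit
 * status is non-zero whenever any suite reported a failure.
 */
int
main(int argc, char **argv)
{
	int failed = 0;

	SSL_library_init();

	/* XXX - Test ssl_supported_version_range() */

	failed |= test_ssl_enabled_version_range();
	failed |= test_ssl_max_shared_version();
	failed |= test_ssl_min_max_version();

	if (failed == 0)
		printf("PASS %s\n", __FILE__);

	return (failed);
}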