1 /* $OpenBSD: ssl_versions.c,v 1.7 2019/04/04 15:47:15 jsing Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <openssl/ssl.h> 19 20 #include "ssl_locl.h" 21 22 struct version_range_test { 23 const long options; 24 const uint16_t minver; 25 const uint16_t maxver; 26 const uint16_t want_minver; 27 const uint16_t want_maxver; 28 }; 29 30 static struct version_range_test version_range_tests[] = { 31 { 32 .options = 0, 33 .minver = TLS1_VERSION, 34 .maxver = TLS1_3_VERSION, 35 .want_minver = TLS1_VERSION, 36 .want_maxver = TLS1_3_VERSION, 37 }, 38 { 39 .options = 0, 40 .minver = TLS1_VERSION, 41 .maxver = TLS1_2_VERSION, 42 .want_minver = TLS1_VERSION, 43 .want_maxver = TLS1_2_VERSION, 44 }, 45 { 46 .options = SSL_OP_NO_TLSv1, 47 .minver = TLS1_VERSION, 48 .maxver = TLS1_2_VERSION, 49 .want_minver = TLS1_1_VERSION, 50 .want_maxver = TLS1_2_VERSION, 51 }, 52 { 53 .options = SSL_OP_NO_TLSv1_3, 54 .minver = TLS1_VERSION, 55 .maxver = TLS1_3_VERSION, 56 .want_minver = TLS1_VERSION, 57 .want_maxver = TLS1_2_VERSION, 58 }, 59 { 60 .options = SSL_OP_NO_TLSv1_2, 61 .minver = TLS1_VERSION, 62 .maxver = TLS1_2_VERSION, 63 .want_minver = TLS1_VERSION, 64 .want_maxver = TLS1_1_VERSION, 65 }, 66 { 67 .options = SSL_OP_NO_TLSv1_1, 68 .minver = TLS1_VERSION, 69 .maxver = TLS1_2_VERSION, 70 .want_minver = TLS1_VERSION, 71 .want_maxver = TLS1_VERSION, 72 }, 73 { 74 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 75 .minver = TLS1_VERSION, 76 .maxver = TLS1_2_VERSION, 77 .want_minver = TLS1_2_VERSION, 78 .want_maxver = TLS1_2_VERSION, 79 }, 80 { 81 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 82 .minver = TLS1_VERSION, 83 .maxver = TLS1_2_VERSION, 84 .want_minver = TLS1_VERSION, 85 .want_maxver = TLS1_VERSION, 86 }, 87 { 88 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2, 89 .minver = TLS1_VERSION, 90 .maxver = TLS1_2_VERSION, 91 .want_minver = TLS1_1_VERSION, 92 .want_maxver = TLS1_1_VERSION, 93 }, 94 { 95 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 96 SSL_OP_NO_TLSv1_2, 97 .minver = TLS1_VERSION, 98 .maxver = TLS1_2_VERSION, 99 .want_minver = 0, 100 .want_maxver = 0, 101 }, 102 { 103 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 104 SSL_OP_NO_TLSv1_2, 105 .minver = TLS1_VERSION, 106 .maxver = TLS1_3_VERSION, 107 .want_minver = TLS1_3_VERSION, 108 .want_maxver = TLS1_3_VERSION, 109 }, 110 { 111 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 112 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3, 113 .minver = TLS1_VERSION, 114 .maxver = TLS1_3_VERSION, 115 .want_minver = 0, 116 .want_maxver = 0, 117 }, 118 { 119 .options = 0, 120 .minver = TLS1_VERSION, 121 .maxver = TLS1_2_VERSION, 122 .want_minver = TLS1_VERSION, 123 .want_maxver = TLS1_2_VERSION, 124 }, 125 { 126 .options = 0, 127 .minver = TLS1_1_VERSION, 128 .maxver = TLS1_2_VERSION, 129 .want_minver = TLS1_1_VERSION, 130 .want_maxver = TLS1_2_VERSION, 131 }, 132 { 133 .options = 0, 134 .minver = TLS1_2_VERSION, 135 .maxver = TLS1_2_VERSION, 136 .want_minver = TLS1_2_VERSION, 137 .want_maxver = TLS1_2_VERSION, 138 }, 139 { 140 .options = 0, 141 .minver = TLS1_VERSION, 142 .maxver = TLS1_3_VERSION, 143 .want_minver = TLS1_VERSION, 144 .want_maxver = TLS1_3_VERSION, 145 }, 146 { 147 .options = 0, 148 .minver = TLS1_1_VERSION, 149 .maxver = TLS1_3_VERSION, 150 .want_minver = TLS1_1_VERSION, 151 .want_maxver = TLS1_3_VERSION, 152 }, 153 { 154 .options = 0, 155 .minver = TLS1_2_VERSION, 156 .maxver = TLS1_3_VERSION, 157 .want_minver = TLS1_2_VERSION, 158 .want_maxver = TLS1_3_VERSION, 159 }, 160 { 161 .options = 0, 162 .minver = TLS1_3_VERSION, 163 .maxver = TLS1_3_VERSION, 164 .want_minver = TLS1_3_VERSION, 165 .want_maxver = TLS1_3_VERSION, 166 }, 167 { 168 .options = 0, 169 .minver = TLS1_VERSION, 170 .maxver = TLS1_1_VERSION, 171 .want_minver = TLS1_VERSION, 172 .want_maxver = TLS1_1_VERSION, 173 }, 174 { 175 .options = 0, 176 .minver = TLS1_VERSION, 177 .maxver = TLS1_VERSION, 178 .want_minver = TLS1_VERSION, 179 .want_maxver = TLS1_VERSION, 180 }, 181 }; 182 183 #define N_VERSION_RANGE_TESTS \ 184 (sizeof(version_range_tests) / sizeof(*version_range_tests)) 185 186 static int 187 test_ssl_enabled_version_range(void) 188 { 189 struct version_range_test *vrt; 190 uint16_t minver, maxver; 191 SSL_CTX *ssl_ctx = NULL; 192 SSL *ssl = NULL; 193 int failed = 1; 194 size_t i; 195 196 if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) { 197 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 198 goto failure; 199 } 200 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 201 fprintf(stderr, "SSL_new() returned NULL\n"); 202 goto failure; 203 } 204 205 failed = 0; 206 207 for (i = 0; i < N_VERSION_RANGE_TESTS; i++) { 208 vrt = &version_range_tests[i]; 209 210 SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 211 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); 212 SSL_set_options(ssl, vrt->options); 213 214 minver = maxver = 0xffff; 215 ssl->internal->min_version = vrt->minver; 216 ssl->internal->max_version = vrt->maxver; 217 218 if (ssl_enabled_version_range(ssl, &minver, &maxver) != 1) { 219 if (vrt->want_minver != 0 || vrt->want_maxver != 0) { 220 fprintf(stderr, "FAIL: test %zu - failed but " 221 "wanted non-zero versions\n", i); 222 failed++; 223 } 224 continue; 225 } 226 if (minver != vrt->want_minver) { 227 fprintf(stderr, "FAIL: test %zu - got minver %x, " 228 "want %x\n", i, minver, vrt->want_minver); 229 failed++; 230 } 231 if (maxver != vrt->want_maxver) { 232 fprintf(stderr, "FAIL: test %zu - got maxver %x, " 233 "want %x\n", i, maxver, vrt->want_maxver); 234 failed++; 235 } 236 } 237 238 failure: 239 SSL_CTX_free(ssl_ctx); 240 SSL_free(ssl); 241 242 return (failed); 243 } 244 245 struct shared_version_test { 246 const SSL_METHOD *(*ssl_method)(void); 247 const long options; 248 const uint16_t minver; 249 const uint16_t maxver; 250 const uint16_t peerver; 251 const uint16_t want_maxver; 252 }; 253 254 static struct shared_version_test shared_version_tests[] = { 255 { 256 .ssl_method = TLS_method, 257 .options = 0, 258 .minver = TLS1_VERSION, 259 .maxver = TLS1_2_VERSION, 260 .peerver = SSL2_VERSION, 261 .want_maxver = 0, 262 }, 263 { 264 .ssl_method = TLS_method, 265 .options = 0, 266 .minver = TLS1_VERSION, 267 .maxver = TLS1_2_VERSION, 268 .peerver = SSL3_VERSION, 269 .want_maxver = 0, 270 }, 271 { 272 .ssl_method = TLS_method, 273 .options = 0, 274 .minver = TLS1_VERSION, 275 .maxver = TLS1_2_VERSION, 276 .peerver = TLS1_VERSION, 277 .want_maxver = TLS1_VERSION, 278 }, 279 { 280 .ssl_method = TLS_method, 281 .options = 0, 282 .minver = TLS1_VERSION, 283 .maxver = TLS1_2_VERSION, 284 .peerver = TLS1_1_VERSION, 285 .want_maxver = TLS1_1_VERSION, 286 }, 287 { 288 .ssl_method = TLS_method, 289 .options = 0, 290 .minver = TLS1_VERSION, 291 .maxver = TLS1_2_VERSION, 292 .peerver = TLS1_2_VERSION, 293 .want_maxver = TLS1_2_VERSION, 294 }, 295 { 296 .ssl_method = TLS_method, 297 .options = 0, 298 .minver = TLS1_VERSION, 299 .maxver = TLS1_2_VERSION, 300 .peerver = TLS1_3_VERSION, 301 .want_maxver = TLS1_2_VERSION, 302 }, 303 { 304 .ssl_method = TLS_method, 305 .options = 0, 306 .minver = TLS1_VERSION, 307 .maxver = TLS1_2_VERSION, 308 .peerver = 0x7f12, 309 .want_maxver = TLS1_2_VERSION, 310 }, 311 { 312 .ssl_method = TLS_method, 313 .options = SSL_OP_NO_TLSv1_2, 314 .minver = TLS1_VERSION, 315 .maxver = TLS1_2_VERSION, 316 .peerver = TLS1_2_VERSION, 317 .want_maxver = TLS1_1_VERSION, 318 }, 319 { 320 .ssl_method = TLS_method, 321 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 322 .minver = TLS1_VERSION, 323 .maxver = TLS1_2_VERSION, 324 .peerver = TLS1_2_VERSION, 325 .want_maxver = TLS1_VERSION, 326 }, 327 { 328 .ssl_method = TLS_method, 329 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 330 .minver = TLS1_VERSION, 331 .maxver = TLS1_2_VERSION, 332 .peerver = TLS1_2_VERSION, 333 .want_maxver = 0, 334 }, 335 { 336 .ssl_method = TLS_method, 337 .options = SSL_OP_NO_TLSv1, 338 .minver = TLS1_VERSION, 339 .maxver = TLS1_2_VERSION, 340 .peerver = TLS1_1_VERSION, 341 .want_maxver = TLS1_1_VERSION, 342 }, 343 { 344 .ssl_method = TLS_method, 345 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 346 .minver = TLS1_VERSION, 347 .maxver = TLS1_2_VERSION, 348 .peerver = TLS1_1_VERSION, 349 .want_maxver = 0, 350 }, 351 { 352 .ssl_method = TLS_method, 353 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 354 .minver = TLS1_VERSION, 355 .maxver = TLS1_2_VERSION, 356 .peerver = TLS1_1_VERSION, 357 .want_maxver = TLS1_VERSION, 358 }, 359 { 360 .ssl_method = TLS_method, 361 .options = SSL_OP_NO_TLSv1, 362 .minver = TLS1_VERSION, 363 .maxver = TLS1_2_VERSION, 364 .peerver = TLS1_VERSION, 365 .want_maxver = 0, 366 }, 367 { 368 .ssl_method = TLS_method, 369 .options = 0, 370 .minver = TLS1_VERSION, 371 .maxver = TLS1_1_VERSION, 372 .peerver = TLS1_2_VERSION, 373 .want_maxver = TLS1_1_VERSION, 374 }, 375 { 376 .ssl_method = TLS_method, 377 .options = 0, 378 .minver = TLS1_VERSION, 379 .maxver = TLS1_VERSION, 380 .peerver = TLS1_2_VERSION, 381 .want_maxver = TLS1_VERSION, 382 }, 383 { 384 .ssl_method = TLSv1_method, 385 .options = 0, 386 .minver = TLS1_VERSION, 387 .maxver = TLS1_2_VERSION, 388 .peerver = TLS1_VERSION, 389 .want_maxver = TLS1_VERSION, 390 }, 391 { 392 .ssl_method = TLSv1_method, 393 .options = 0, 394 .minver = TLS1_1_VERSION, 395 .maxver = TLS1_2_VERSION, 396 .peerver = TLS1_VERSION, 397 .want_maxver = 0, 398 }, 399 { 400 .ssl_method = TLSv1_1_method, 401 .options = 0, 402 .minver = TLS1_VERSION, 403 .maxver = TLS1_2_VERSION, 404 .peerver = TLS1_1_VERSION, 405 .want_maxver = TLS1_1_VERSION, 406 }, 407 { 408 .ssl_method = DTLSv1_method, 409 .options = 0, 410 .minver = TLS1_VERSION, 411 .maxver = TLS1_2_VERSION, 412 .peerver = DTLS1_VERSION, 413 .want_maxver = DTLS1_VERSION, 414 }, 415 { 416 .ssl_method = DTLSv1_method, 417 .options = 0, 418 .minver = TLS1_VERSION, 419 .maxver = TLS1_2_VERSION, 420 .peerver = TLS1_2_VERSION, 421 .want_maxver = 0, 422 }, 423 }; 424 425 #define N_SHARED_VERSION_TESTS \ 426 (sizeof(shared_version_tests) / sizeof(*shared_version_tests)) 427 428 static int 429 test_ssl_max_shared_version(void) 430 { 431 struct shared_version_test *svt; 432 SSL_CTX *ssl_ctx = NULL; 433 SSL *ssl = NULL; 434 uint16_t maxver; 435 int failed = 0; 436 size_t i; 437 438 failed = 0; 439 440 for (i = 0; i < N_SHARED_VERSION_TESTS; i++) { 441 svt = &shared_version_tests[i]; 442 443 if ((ssl_ctx = SSL_CTX_new(svt->ssl_method())) == NULL) { 444 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 445 return 1; 446 } 447 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 448 fprintf(stderr, "SSL_new() returned NULL\n"); 449 return 1; 450 } 451 452 SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | 453 SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); 454 SSL_set_options(ssl, svt->options); 455 456 maxver = 0; 457 ssl->internal->min_version = svt->minver; 458 ssl->internal->max_version = svt->maxver; 459 460 if (ssl_max_shared_version(ssl, svt->peerver, &maxver) != 1) { 461 if (svt->want_maxver != 0) { 462 fprintf(stderr, "FAIL: test %zu - failed but " 463 "wanted non-zero shared version\n", i); 464 failed++; 465 } 466 continue; 467 } 468 if (maxver != svt->want_maxver) { 469 fprintf(stderr, "FAIL: test %zu - got shared " 470 "version %x, want %x\n", i, maxver, 471 svt->want_maxver); 472 failed++; 473 } 474 475 SSL_CTX_free(ssl_ctx); 476 SSL_free(ssl); 477 } 478 479 return (failed); 480 } 481 482 struct min_max_version_test { 483 const SSL_METHOD *(*ssl_method)(void); 484 const uint16_t minver; 485 const uint16_t maxver; 486 const uint16_t want_minver; 487 const uint16_t want_maxver; 488 }; 489 490 static struct min_max_version_test min_max_version_tests[] = { 491 { 492 .ssl_method = TLS_method, 493 .minver = 0, 494 .maxver = 0, 495 .want_minver = TLS1_VERSION, 496 .want_maxver = TLS1_2_VERSION, 497 }, 498 { 499 .ssl_method = TLS_method, 500 .minver = TLS1_VERSION, 501 .maxver = 0, 502 .want_minver = TLS1_VERSION, 503 .want_maxver = TLS1_2_VERSION, 504 }, 505 { 506 .ssl_method = TLS_method, 507 .minver = 0, 508 .maxver = TLS1_2_VERSION, 509 .want_minver = TLS1_VERSION, 510 .want_maxver = TLS1_2_VERSION, 511 }, 512 { 513 .ssl_method = TLS_method, 514 .minver = 0, 515 .maxver = TLS1_3_VERSION, 516 .want_minver = TLS1_VERSION, 517 .want_maxver = TLS1_2_VERSION, 518 }, 519 { 520 .ssl_method = TLS_method, 521 .minver = TLS1_VERSION, 522 .maxver = TLS1_2_VERSION, 523 .want_minver = TLS1_VERSION, 524 .want_maxver = TLS1_2_VERSION, 525 }, 526 { 527 .ssl_method = TLS_method, 528 .minver = TLS1_1_VERSION, 529 .maxver = 0, 530 .want_minver = TLS1_1_VERSION, 531 .want_maxver = TLS1_2_VERSION, 532 }, 533 { 534 .ssl_method = TLS_method, 535 .minver = TLS1_2_VERSION, 536 .maxver = 0, 537 .want_minver = TLS1_2_VERSION, 538 .want_maxver = TLS1_2_VERSION, 539 }, 540 { 541 .ssl_method = TLS_method, 542 .minver = 0x0300, 543 .maxver = 0, 544 .want_minver = TLS1_VERSION, 545 .want_maxver = TLS1_2_VERSION, 546 }, 547 { 548 .ssl_method = TLS_method, 549 .minver = 0x0305, 550 .maxver = 0, 551 .want_minver = 0, 552 .want_maxver = 0, 553 }, 554 { 555 .ssl_method = TLS_method, 556 .minver = 0, 557 .maxver = 0x0305, 558 .want_minver = TLS1_VERSION, 559 .want_maxver = TLS1_2_VERSION, 560 }, 561 { 562 .ssl_method = TLS_method, 563 .minver = 0, 564 .maxver = TLS1_1_VERSION, 565 .want_minver = TLS1_VERSION, 566 .want_maxver = TLS1_1_VERSION, 567 }, 568 { 569 .ssl_method = TLS_method, 570 .minver = 0, 571 .maxver = TLS1_VERSION, 572 .want_minver = TLS1_VERSION, 573 .want_maxver = TLS1_VERSION, 574 }, 575 { 576 .ssl_method = TLS_method, 577 .minver = 0, 578 .maxver = 0x0300, 579 .want_minver = 0, 580 .want_maxver = 0, 581 }, 582 { 583 .ssl_method = TLS_method, 584 .minver = TLS1_2_VERSION, 585 .maxver = TLS1_1_VERSION, 586 .want_minver = TLS1_2_VERSION, 587 .want_maxver = 0, 588 }, 589 { 590 .ssl_method = TLSv1_1_method, 591 .minver = 0, 592 .maxver = 0, 593 .want_minver = TLS1_1_VERSION, 594 .want_maxver = TLS1_1_VERSION, 595 }, 596 { 597 .ssl_method = TLSv1_1_method, 598 .minver = TLS1_VERSION, 599 .maxver = TLS1_2_VERSION, 600 .want_minver = TLS1_1_VERSION, 601 .want_maxver = TLS1_1_VERSION, 602 }, 603 { 604 .ssl_method = TLSv1_1_method, 605 .minver = TLS1_2_VERSION, 606 .maxver = 0, 607 .want_minver = 0, 608 .want_maxver = 0, 609 }, 610 { 611 .ssl_method = TLSv1_1_method, 612 .minver = 0, 613 .maxver = TLS1_VERSION, 614 .want_minver = 0, 615 .want_maxver = 0, 616 }, 617 { 618 .ssl_method = DTLSv1_method, 619 .minver = 0, 620 .maxver = 0, 621 .want_minver = DTLS1_VERSION, 622 .want_maxver = DTLS1_VERSION, 623 }, 624 { 625 .ssl_method = DTLSv1_method, 626 .minver = DTLS1_VERSION, 627 .maxver = 0, 628 .want_minver = DTLS1_VERSION, 629 .want_maxver = DTLS1_VERSION, 630 }, 631 { 632 .ssl_method = DTLSv1_method, 633 .minver = 0, 634 .maxver = DTLS1_VERSION, 635 .want_minver = DTLS1_VERSION, 636 .want_maxver = DTLS1_VERSION, 637 }, 638 { 639 .ssl_method = DTLSv1_method, 640 .minver = TLS1_VERSION, 641 .maxver = TLS1_2_VERSION, 642 .want_minver = 0, 643 .want_maxver = 0, 644 }, 645 }; 646 647 #define N_MIN_MAX_VERSION_TESTS \ 648 (sizeof(min_max_version_tests) / sizeof(*min_max_version_tests)) 649 650 static int 651 test_ssl_min_max_version(void) 652 { 653 struct min_max_version_test *mmvt; 654 SSL_CTX *ssl_ctx = NULL; 655 SSL *ssl = NULL; 656 int failed = 0; 657 size_t i; 658 659 failed = 0; 660 661 for (i = 0; i < N_MIN_MAX_VERSION_TESTS; i++) { 662 mmvt = &min_max_version_tests[i]; 663 664 if ((ssl_ctx = SSL_CTX_new(mmvt->ssl_method())) == NULL) { 665 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 666 return 1; 667 } 668 669 if (SSL_CTX_set_min_proto_version(ssl_ctx, mmvt->minver) != 1) { 670 if (mmvt->want_minver != 0) { 671 fprintf(stderr, "FAIL: test %zu - failed to set " 672 "SSL_CTX min version\n", i); 673 failed++; 674 } 675 goto next; 676 } 677 if (SSL_CTX_set_max_proto_version(ssl_ctx, mmvt->maxver) != 1) { 678 if (mmvt->want_maxver != 0) { 679 fprintf(stderr, "FAIL: test %zu - failed to set " 680 "SSL_CTX min version\n", i); 681 failed++; 682 } 683 goto next; 684 } 685 686 if (mmvt->want_minver == 0) { 687 fprintf(stderr, "FAIL: test %zu - successfully set " 688 "SSL_CTX min version, should have failed\n", i); 689 goto next; 690 } 691 if (mmvt->want_maxver == 0) { 692 fprintf(stderr, "FAIL: test %zu - successfully set " 693 "SSL_CTX max version, should have failed\n", i); 694 goto next; 695 } 696 697 if (SSL_CTX_get_min_proto_version(ssl_ctx) != mmvt->want_minver) { 698 fprintf(stderr, "FAIL: test %zu - got SSL_CTX min " 699 "version 0x%x, want 0x%x\n", i, 700 SSL_CTX_get_min_proto_version(ssl_ctx), mmvt->want_minver); 701 goto next; 702 } 703 if (SSL_CTX_get_max_proto_version(ssl_ctx) != mmvt->want_maxver) { 704 fprintf(stderr, "FAIL: test %zu - got SSL_CTX max " 705 "version 0x%x, want 0x%x\n", i, 706 SSL_CTX_get_max_proto_version(ssl_ctx), mmvt->want_maxver); 707 goto next; 708 } 709 710 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 711 fprintf(stderr, "SSL_new() returned NULL\n"); 712 return 1; 713 } 714 715 if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) { 716 fprintf(stderr, "FAIL: test %zu - initial SSL min " 717 "version 0x%x, want 0x%x\n", i, 718 SSL_get_min_proto_version(ssl), mmvt->want_minver); 719 goto next; 720 } 721 if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { 722 fprintf(stderr, "FAIL: test %zu - initial SSL max " 723 "version 0x%x, want 0x%x\n", i, 724 SSL_get_max_proto_version(ssl), mmvt->want_maxver); 725 goto next; 726 } 727 728 if (SSL_set_min_proto_version(ssl, mmvt->minver) != 1) { 729 if (mmvt->want_minver != 0) { 730 fprintf(stderr, "FAIL: test %zu - failed to set " 731 "SSL min version\n", i); 732 failed++; 733 } 734 goto next; 735 } 736 if (SSL_set_max_proto_version(ssl, mmvt->maxver) != 1) { 737 if (mmvt->want_maxver != 0) { 738 fprintf(stderr, "FAIL: test %zu - failed to set " 739 "SSL min version\n", i); 740 failed++; 741 } 742 goto next; 743 } 744 745 if (mmvt->want_minver == 0) { 746 fprintf(stderr, "FAIL: test %zu - successfully set SSL " 747 "min version, should have failed\n", i); 748 goto next; 749 } 750 if (mmvt->want_maxver == 0) { 751 fprintf(stderr, "FAIL: test %zu - successfully set SSL " 752 "max version, should have failed\n", i); 753 goto next; 754 } 755 756 if (SSL_get_min_proto_version(ssl) != mmvt->want_minver) { 757 fprintf(stderr, "FAIL: test %zu - got SSL min " 758 "version 0x%x, want 0x%x\n", i, 759 SSL_get_min_proto_version(ssl), mmvt->want_minver); 760 goto next; 761 } 762 if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { 763 fprintf(stderr, "FAIL: test %zu - got SSL max " 764 "version 0x%x, want 0x%x\n", i, 765 SSL_get_max_proto_version(ssl), mmvt->want_maxver); 766 goto next; 767 } 768 769 next: 770 SSL_CTX_free(ssl_ctx); 771 SSL_free(ssl); 772 773 ssl_ctx = NULL; 774 ssl = NULL; 775 } 776 777 return (failed); 778 } 779 780 int 781 main(int argc, char **argv) 782 { 783 int failed = 0; 784 785 SSL_library_init(); 786 787 /* XXX - Test ssl_supported_version_range() */ 788 789 failed |= test_ssl_enabled_version_range(); 790 failed |= test_ssl_max_shared_version(); 791 failed |= test_ssl_min_max_version(); 792 793 if (failed == 0) 794 printf("PASS %s\n", __FILE__); 795 796 return (failed); 797 } 798