2 files changed, 146 insertions, 1 deletions
diff --git a/src/regress/lib/libssl/unit/Makefile b/src/regress/lib/libssl/unit/Makefile
index 1873be6923..48ae396327 100644
--- a/src/regress/lib/libssl/unit/Makefile
+++ b/src/regress/lib/libssl/unit/Makefile
@@ -1,6 +1,7 @@
-#       $OpenBSD: Makefile,v 1.6 2016/11/04 17:51:54 guenther Exp $
+#       $OpenBSD: Makefile,v 1.7 2016/12/30 16:58:12 jsing Exp $
 TEST_CASES+= cipher_list
+TEST_CASES+= ssl_versions
 TEST_CASES+= tls_ext_alpn
 REGRESS_TARGETS= all_tests
diff --git a/src/regress/lib/libssl/unit/ssl_versions.c b/src/regress/lib/libssl/unit/ssl_versions.c
new file mode 100644
index 0000000000..32f7b3eea2
--- /dev/null
+++ b/src/regress/lib/libssl/unit/ssl_versions.c
@@ -0,0 +1,144 @@
+/* $OpenBSD: ssl_versions.c,v 1.1 2016/12/30 16:58:12 jsing Exp $ */
+/*
+ * Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <openssl/ssl.h>
+int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
+struct version_range_test {
+        const long options;
+        const uint16_t minver;
+        const uint16_t maxver;
+};
+static struct version_range_test version_range_tests[] = {
+        {
+                .options = 0,
+                .minver = TLS1_VERSION,
+                .maxver = TLS1_2_VERSION,
+        },
+        {
+                .options = SSL_OP_NO_TLSv1,
+                .minver = TLS1_1_VERSION,
+                .maxver = TLS1_2_VERSION,
+        },
+        {
+                .options = SSL_OP_NO_TLSv1_2,
+                .minver = TLS1_VERSION,
+                .maxver = TLS1_1_VERSION,
+        },
+        {
+                .options = SSL_OP_NO_TLSv1_1,
+                .minver = TLS1_VERSION,
+                .maxver = TLS1_VERSION,
+        },
+        {
+                .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
+                .minver = TLS1_2_VERSION,
+                .maxver = TLS1_2_VERSION,
+        },
+        {
+                .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
+                .minver = TLS1_VERSION,
+                .maxver = TLS1_VERSION,
+        },
+        {
+                .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2,
+                .minver = TLS1_1_VERSION,
+                .maxver = TLS1_1_VERSION,
+        },
+        {
+                .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
+                .minver = 0,
+                .maxver = 0,
+        },
+};
+#define N_VERSION_RANGE_TESTS \
+    (sizeof(version_range_tests) / sizeof(*version_range_tests))
+static int
+test_ssl_enabled_version_range(void)
+{
+        struct version_range_test *vrt;
+        uint16_t minver, maxver;
+        SSL_CTX *ssl_ctx = NULL;
+        SSL *ssl = NULL;
+        int failed = 1;
+        size_t i;
+        if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) { 
+                fprintf(stderr, "SSL_CTX_new() returned NULL\n");
+                goto failure;
+        }
+        if ((ssl = SSL_new(ssl_ctx)) == NULL) {
+                fprintf(stderr, "SSL_new() returned NULL\n");
+                goto failure;
+        }
+        failed = 0;
+        for (i = 0; i < N_VERSION_RANGE_TESTS; i++) {
+                vrt = &version_range_tests[i];
+                SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
+                    SSL_OP_NO_TLSv1_2);
+                SSL_set_options(ssl, vrt->options);
+                minver = maxver = 0xffff;
+                if (ssl_enabled_version_range(ssl, &minver, &maxver) == -1) {
+                        if (vrt->minver != 0 || vrt->maxver != 0) {
+                                fprintf(stderr, "FAIL: test %zu - failed but "
+                                    "wanted non-zero versions\n", i);
+                                failed++;
+                        }
+                        continue;
+                }
+                if (minver != vrt->minver) {
+                        fprintf(stderr, "FAIL: test %zu - got minver %x, "
+                            "want %x\n", i, minver, vrt->minver);
+                        failed++;
+                }
+                if (maxver != vrt->maxver) {
+                        fprintf(stderr, "FAIL: test %zu - got maxver %x, "
+                            "want %x\n", i, maxver, vrt->maxver);
+                        failed++;
+                }
+        }
+ failure:
+        SSL_CTX_free(ssl_ctx);
+        SSL_free(ssl);
+        return (failed);
+}
+int
+main(int argc, char **argv)
+{
+        int failed = 0;
+        SSL_library_init();
+        failed |= test_ssl_enabled_version_range();
+        if (failed == 0)
+                printf("PASS %s\n", __FILE__);
+        return (failed);
+}

diff --git a/src/regress/lib/libssl/unit/Makefile b/src/regress/lib/libssl/unit/Makefile index 1873be6923..48ae396327 100644 --- a/src/regress/lib/libssl/unit/Makefile +++ b/src/regress/lib/libssl/unit/Makefile
@@ -1,6 +1,7 @@
1	# $OpenBSD: Makefile,v 1.6 2016/11/04 17:51:54 guenther Exp $	1	# $OpenBSD: Makefile,v 1.7 2016/12/30 16:58:12 jsing Exp $
2		2
3	TEST_CASES+= cipher_list	3	TEST_CASES+= cipher_list
		4	TEST_CASES+= ssl_versions
4	TEST_CASES+= tls_ext_alpn	5	TEST_CASES+= tls_ext_alpn
5		6
6	REGRESS_TARGETS= all_tests	7	REGRESS_TARGETS= all_tests


diff --git a/src/regress/lib/libssl/unit/ssl_versions.c b/src/regress/lib/libssl/unit/ssl_versions.c new file mode 100644 index 0000000000..32f7b3eea2 --- /dev/null +++ b/src/regress/lib/libssl/unit/ssl_versions.c
@@ -0,0 +1,144 @@
		1	/* $OpenBSD: ssl_versions.c,v 1.1 2016/12/30 16:58:12 jsing Exp $ */
		2	/*
		3	* Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
		4	*
		5	* Permission to use, copy, modify, and distribute this software for any
		6	* purpose with or without fee is hereby granted, provided that the above
		7	* copyright notice and this permission notice appear in all copies.
		8	*
		9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		16	*/
		17
		18	#include <openssl/ssl.h>
		19
		20	int ssl_enabled_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver);
		21
		22	struct version_range_test {
		23	const long options;
		24	const uint16_t minver;
		25	const uint16_t maxver;
		26	};
		27
		28	static struct version_range_test version_range_tests[] = {
		29	{
		30	.options = 0,
		31	.minver = TLS1_VERSION,
		32	.maxver = TLS1_2_VERSION,
		33	},
		34	{
		35	.options = SSL_OP_NO_TLSv1,
		36	.minver = TLS1_1_VERSION,
		37	.maxver = TLS1_2_VERSION,
		38	},
		39	{
		40	.options = SSL_OP_NO_TLSv1_2,
		41	.minver = TLS1_VERSION,
		42	.maxver = TLS1_1_VERSION,
		43	},
		44	{
		45	.options = SSL_OP_NO_TLSv1_1,
		46	.minver = TLS1_VERSION,
		47	.maxver = TLS1_VERSION,
		48	},
		49	{
		50	.options = SSL_OP_NO_TLSv1 \| SSL_OP_NO_TLSv1_1,
		51	.minver = TLS1_2_VERSION,
		52	.maxver = TLS1_2_VERSION,
		53	},
		54	{
		55	.options = SSL_OP_NO_TLSv1_1 \| SSL_OP_NO_TLSv1_2,
		56	.minver = TLS1_VERSION,
		57	.maxver = TLS1_VERSION,
		58	},
		59	{
		60	.options = SSL_OP_NO_TLSv1 \| SSL_OP_NO_TLSv1_2,
		61	.minver = TLS1_1_VERSION,
		62	.maxver = TLS1_1_VERSION,
		63	},
		64	{
		65	.options = SSL_OP_NO_TLSv1 \| SSL_OP_NO_TLSv1_1 \| SSL_OP_NO_TLSv1_2,
		66	.minver = 0,
		67	.maxver = 0,
		68	},
		69	};
		70
		71	#define N_VERSION_RANGE_TESTS \
		72	(sizeof(version_range_tests) / sizeof(*version_range_tests))
		73
		74	static int
		75	test_ssl_enabled_version_range(void)
		76	{
		77	struct version_range_test *vrt;
		78	uint16_t minver, maxver;
		79	SSL_CTX *ssl_ctx = NULL;
		80	SSL *ssl = NULL;
		81	int failed = 1;
		82	size_t i;
		83
		84	if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) {
		85	fprintf(stderr, "SSL_CTX_new() returned NULL\n");
		86	goto failure;
		87	}
		88	if ((ssl = SSL_new(ssl_ctx)) == NULL) {
		89	fprintf(stderr, "SSL_new() returned NULL\n");
		90	goto failure;
		91	}
		92
		93	failed = 0;
		94
		95	for (i = 0; i < N_VERSION_RANGE_TESTS; i++) {
		96	vrt = &version_range_tests[i];
		97
		98	SSL_clear_options(ssl, SSL_OP_NO_TLSv1 \| SSL_OP_NO_TLSv1_1 \|
		99	SSL_OP_NO_TLSv1_2);
		100	SSL_set_options(ssl, vrt->options);
		101
		102	minver = maxver = 0xffff;
		103
		104	if (ssl_enabled_version_range(ssl, &minver, &maxver) == -1) {
		105	if (vrt->minver != 0 \|\| vrt->maxver != 0) {
		106	fprintf(stderr, "FAIL: test %zu - failed but "
		107	"wanted non-zero versions\n", i);
		108	failed++;
		109	}
		110	continue;
		111	}
		112	if (minver != vrt->minver) {
		113	fprintf(stderr, "FAIL: test %zu - got minver %x, "
		114	"want %x\n", i, minver, vrt->minver);
		115	failed++;
		116	}
		117	if (maxver != vrt->maxver) {
		118	fprintf(stderr, "FAIL: test %zu - got maxver %x, "
		119	"want %x\n", i, maxver, vrt->maxver);
		120	failed++;
		121	}
		122	}
		123
		124	failure:
		125	SSL_CTX_free(ssl_ctx);
		126	SSL_free(ssl);
		127
		128	return (failed);
		129	}
		130
		131	int
		132	main(int argc, char **argv)
		133	{
		134	int failed = 0;
		135
		136	SSL_library_init();
		137
		138	failed \|= test_ssl_enabled_version_range();
		139
		140	if (failed == 0)
		141	printf("PASS %s\n", __FILE__);
		142
		143	return (failed);
		144	}