From 1aa07a55f7c4b5aa54a98dad9ca25ef5ca7cb37a Mon Sep 17 00:00:00 2001 From: jsing <> Date: Fri, 30 Dec 2016 16:58:12 +0000 Subject: Add regress coverage for enabled protocol version range. --- src/regress/lib/libssl/unit/Makefile | 3 +- src/regress/lib/libssl/unit/ssl_versions.c | 144 +++++++++++++++++++++++++++++ 2 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 src/regress/lib/libssl/unit/ssl_versions.c diff --git a/src/regress/lib/libssl/unit/Makefile b/src/regress/lib/libssl/unit/Makefile index 1873be6923..48ae396327 100644 --- a/src/regress/lib/libssl/unit/Makefile +++ b/src/regress/lib/libssl/unit/Makefile @@ -1,6 +1,7 @@ -# $OpenBSD: Makefile,v 1.6 2016/11/04 17:51:54 guenther Exp $ +# $OpenBSD: Makefile,v 1.7 2016/12/30 16:58:12 jsing Exp $ TEST_CASES+= cipher_list +TEST_CASES+= ssl_versions TEST_CASES+= tls_ext_alpn REGRESS_TARGETS= all_tests diff --git a/src/regress/lib/libssl/unit/ssl_versions.c b/src/regress/lib/libssl/unit/ssl_versions.c new file mode 100644 index 0000000000..32f7b3eea2 --- /dev/null +++ b/src/regress/lib/libssl/unit/ssl_versions.c @@ -0,0 +1,144 @@ +/* $OpenBSD: ssl_versions.c,v 1.1 2016/12/30 16:58:12 jsing Exp $ */ +/* + * Copyright (c) 2016 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); + +struct version_range_test { + const long options; + const uint16_t minver; + const uint16_t maxver; +}; + +static struct version_range_test version_range_tests[] = { + { + .options = 0, + .minver = TLS1_VERSION, + .maxver = TLS1_2_VERSION, + }, + { + .options = SSL_OP_NO_TLSv1, + .minver = TLS1_1_VERSION, + .maxver = TLS1_2_VERSION, + }, + { + .options = SSL_OP_NO_TLSv1_2, + .minver = TLS1_VERSION, + .maxver = TLS1_1_VERSION, + }, + { + .options = SSL_OP_NO_TLSv1_1, + .minver = TLS1_VERSION, + .maxver = TLS1_VERSION, + }, + { + .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, + .minver = TLS1_2_VERSION, + .maxver = TLS1_2_VERSION, + }, + { + .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, + .minver = TLS1_VERSION, + .maxver = TLS1_VERSION, + }, + { + .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2, + .minver = TLS1_1_VERSION, + .maxver = TLS1_1_VERSION, + }, + { + .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, + .minver = 0, + .maxver = 0, + }, +}; + +#define N_VERSION_RANGE_TESTS \ + (sizeof(version_range_tests) / sizeof(*version_range_tests)) + +static int +test_ssl_enabled_version_range(void) +{ + struct version_range_test *vrt; + uint16_t minver, maxver; + SSL_CTX *ssl_ctx = NULL; + SSL *ssl = NULL; + int failed = 1; + size_t i; + + if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) { + fprintf(stderr, "SSL_CTX_new() returned NULL\n"); + goto failure; + } + if ((ssl = SSL_new(ssl_ctx)) == NULL) { + fprintf(stderr, "SSL_new() returned NULL\n"); + goto failure; + } + + failed = 0; + + for (i = 0; i < N_VERSION_RANGE_TESTS; i++) { + vrt = &version_range_tests[i]; + + SSL_clear_options(ssl, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | + SSL_OP_NO_TLSv1_2); + SSL_set_options(ssl, vrt->options); + + minver = maxver = 0xffff; + + if (ssl_enabled_version_range(ssl, &minver, &maxver) == -1) { + if (vrt->minver != 0 || vrt->maxver != 0) { + fprintf(stderr, "FAIL: test %zu - failed but " + "wanted non-zero versions\n", i); + failed++; + } + continue; + } + if (minver != vrt->minver) { + fprintf(stderr, "FAIL: test %zu - got minver %x, " + "want %x\n", i, minver, vrt->minver); + failed++; + } + if (maxver != vrt->maxver) { + fprintf(stderr, "FAIL: test %zu - got maxver %x, " + "want %x\n", i, maxver, vrt->maxver); + failed++; + } + } + + failure: + SSL_CTX_free(ssl_ctx); + SSL_free(ssl); + + return (failed); +} + +int +main(int argc, char **argv) +{ + int failed = 0; + + SSL_library_init(); + + failed |= test_ssl_enabled_version_range(); + + if (failed == 0) + printf("PASS %s\n", __FILE__); + + return (failed); +} -- cgit v1.2.3-55-g6feb