From 7d7f6834e542e53f604b46a72d57fad773d4b2bc Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 19 Mar 2018 09:08:06 +0100 Subject: Enhance ssltestlib's create_ssl_ctx_pair to take min and max proto version Have all test programs using that function specify those versions. Additionally, have the remaining test programs that use SSL_CTX_new directly specify at least the maximum protocol version. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/5663)
---
 test/asynciotest.c | 3 +-
 test/clienthellotest.c | 2 ++
 test/dtlstest.c | 5 +--
 test/fatalerrtest.c | 5 +--
 test/recordlentest.c | 1 +
 test/ssl_test.c | 27 ++++++++++++++
 test/sslapitest.c | 95 +++++++++++++++++++++++++++-----------------------
 test/sslbuffertest.c | 1 +
 test/sslcorrupttest.c | 6 ++--
 test/ssltest_old.c | 21 +++++++----
 test/ssltestlib.c | 17 +++++++++
 test/ssltestlib.h | 1 +
 test/tls13ccstest.c | 1 +
 13 files changed, 127 insertions(+), 58 deletions(-)
diff --git a/test/asynciotest.c b/test/asynciotest.c
index 179fe2620d..8d15fcb84d 100644
--- a/test/asynciotest.c
+++ b/test/asynciotest.c
@@ -299,7 +299,8 @@ static int test_asyncio(int test)
 char buf[sizeof(testdata)];
 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- &serverctx, &clientctx, cert, privkey)))
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &serverctx, &clientctx, cert, privkey)))
 goto end;
 /*
diff --git a/test/clienthellotest.c b/test/clienthellotest.c
index 5eded83bda..10e3b1b1b1 100644
--- a/test/clienthellotest.c
+++ b/test/clienthellotest.c
@@ -78,6 +78,8 @@ static int test_client_hello(int currtest)
 ctx = SSL_CTX_new(TLS_method());
 if (!TEST_ptr(ctx))
 goto end;
+ if (!TEST_true(SSL_CTX_set_max_proto_version(ctx, TLS_MAX_VERSION)))
+ goto end;
 switch(currtest) {
 case TEST_SET_SESSION_TICK_DATA_VER_NEG:
diff --git a/test/dtlstest.c b/test/dtlstest.c
index 7e511f7d6f..f4f9924a86 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -61,8 +61,9 @@ static int test_dtls_unprocessed(int testidx)
 timer_cb_count = 0;
 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
- DTLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ DTLS_client_method(),
+ DTLS1_VERSION, DTLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 return 0;
 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA")))
diff --git a/test/fatalerrtest.c b/test/fatalerrtest.c
index 85b11c84aa..d3a23e5f3d 100644
--- a/test/fatalerrtest.c
+++ b/test/fatalerrtest.c
@@ -28,8 +28,9 @@ static int test_fatalerr(void)
 0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'
 };
- if (!TEST_true(create_ssl_ctx_pair(TLS_method(), TLS_method(), &sctx, &cctx,
- cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_method(), TLS_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 goto err;
 /*
diff --git a/test/recordlentest.c b/test/recordlentest.c
index 824c09fc34..17e5499db7 100644
--- a/test/recordlentest.c
+++ b/test/recordlentest.c
@@ -103,6 +103,7 @@ static int test_record_overflow(int idx)
 ERR_clear_error();
 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
 &sctx, &cctx, cert, privkey)))
 goto end;
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 778c330313..ddb338bb67 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -406,15 +406,27 @@ static int test_handshake(int idx)
 #ifndef OPENSSL_NO_DTLS
 if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
 server_ctx = SSL_CTX_new(DTLS_server_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx,
+ DTLS_MAX_VERSION)))
+ goto err;
 if (test_ctx->extra.server.servername_callback != SSL_TEST_SERVERNAME_CB_NONE) {
 if (!TEST_ptr(server2_ctx = SSL_CTX_new(DTLS_server_method())))
 goto err;
 }
 client_ctx = SSL_CTX_new(DTLS_client_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx,
+ DTLS_MAX_VERSION)))
+ goto err;
 if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
 resume_server_ctx = SSL_CTX_new(DTLS_server_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
+ DTLS_MAX_VERSION)))
+ goto err;
 resume_client_ctx = SSL_CTX_new(DTLS_client_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
+ DTLS_MAX_VERSION)))
+ goto err;
 if (!TEST_ptr(resume_server_ctx) || !TEST_ptr(resume_client_ctx))
 goto err;
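Review bot: The new `SSL_CTX_set_max_proto_version(resume_server_ctx, ...)` and `(resume_client_ctx, ...)` calls run before the existing `TEST_ptr(resume_server_ctx) || TEST_ptr(resume_client_ctx)` check, and `server_ctx`/`client_ctx` are used straight after `SSL_CTX_new` with no pointer check visible in this hunk, so an allocation failure now surfaces as a failed version setter rather than as the missing-context diagnostic (whether the setter tolerates a NULL ctx is not visible here). Folding each pair into one guarded statement, e.g. `if (!TEST_ptr(resume_server_ctx = SSL_CTX_new(DTLS_server_method())) || !TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, DTLS_MAX_VERSION))) goto err;`, keeps the first reported failure meaningful; the same ordering applies to the TLS branch in the next hunk (`@@ -423,17 +435,32 @@`). This DTLS branch also leaves `server2_ctx` at the library default while the TLS branch bounds it with `TLS_MAX_VERSION`, which looks like an oversight rather than a deliberate difference. test_handshake starts before and continues after the hunk, so the `err:` cleanup is not visible.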
@@ -423,17 +435,32 @@ static int test_handshake(int idx)
 #endif
 if (test_ctx->method == SSL_TEST_METHOD_TLS) {
 server_ctx = SSL_CTX_new(TLS_server_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
 /* SNI on resumption isn't supported/tested yet. */
 if (test_ctx->extra.server.servername_callback != SSL_TEST_SERVERNAME_CB_NONE) {
 if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
 goto err;
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
 }
 client_ctx = SSL_CTX_new(TLS_client_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
 if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
 resume_server_ctx = SSL_CTX_new(TLS_server_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
 resume_client_ctx = SSL_CTX_new(TLS_client_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
 if (!TEST_ptr(resume_server_ctx) || !TEST_ptr(resume_client_ctx))
 goto err;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index a0da25f246..3dcf735325 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -272,6 +272,7 @@ static int test_keylog(void)
 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
 &sctx, &cctx, cert, privkey)))
 return 0;
@@ -349,9 +350,9 @@ static int test_keylog_no_master_key(void)
 server_log_buffer_index = 0;
 error_writing_log = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 return 0;
 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
@@ -452,9 +453,9 @@ static int test_client_hello_cb(void)
 SSL *clientssl = NULL, *serverssl = NULL;
 int testctr = 0, testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 goto end;
 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
@@ -490,7 +491,9 @@ end:
 #endif
 static int execute_test_large_message(const SSL_METHOD *smeth,
- const SSL_METHOD *cmeth, int read_ahead)
+ const SSL_METHOD *cmeth,
+ int min_version, int max_version,
+ int read_ahead)
 {
 SSL_CTX *cctx = NULL, *sctx = NULL;
 SSL *clientssl = NULL, *serverssl = NULL;
@@ -508,8 +511,8 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
 if (!TEST_ptr(chaincert))
 goto end;
- if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
+ &sctx, &cctx, cert, privkey)))
 goto end;
 if (read_ahead) {
@@ -566,12 +569,14 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
 static int test_large_message_tls(void)
 {
 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
 0);
 }
 static int test_large_message_tls_read_ahead(void)
 {
 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
 1);
 }
@@ -583,7 +588,9 @@ static int test_large_message_dtls(void)
 * read_ahead is set. */
 return execute_test_large_message(DTLS_server_method(),
- DTLS_client_method(), 0);
+ DTLS_client_method(),
+ DTLS1_VERSION, DTLS_MAX_VERSION,
+ 0);
 }
 #endif
@@ -642,8 +649,9 @@ static int test_tlsext_status_type(void)
 OCSP_RESPID *id = NULL;
 BIO *certbio = NULL;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey))
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey))
 return 0;
 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
@@ -806,9 +814,9 @@ static int execute_test_session(int maxprot, int use_int_cache,
 new_called = remove_called = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 return 0;
 /*
@@ -1341,9 +1349,9 @@ static int test_set_sigalgs(int idx)
 curr = testctx ? &testsigalgs[idx] : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 return 0;
 /*
@@ -1558,9 +1566,9 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl, SSL **serverssl, SSL_SESSION **sess, int idx)
 {
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), sctx,
- cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ sctx, cctx, cert, privkey))
 || !TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH))
 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
@@ -2440,9 +2448,9 @@ static int test_ciphersuite_change(void)
 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
 /* Create a session based on SHA-256 */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey))
 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256"))
 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
@@ -2573,9 +2581,9 @@ static int test_tls13_psk(int idx)
 };
 int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 goto end;
 /*
@@ -2808,9 +2816,9 @@ static int test_stateless(void)
 SSL *serverssl = NULL, *clientssl = NULL;
 int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 goto end;
 /* The arrival of CCS messages can confuse the test */
@@ -3032,14 +3040,15 @@ static int test_custom_exts(int tst)
 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
 snicb = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 goto end;
 if (tst == 2
- && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
- NULL, cert, privkey)))
+ && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx2, NULL, cert, privkey)))
 goto end;
@@ -3308,9 +3317,9 @@ static int test_export_key_mat(int tst)
 if (tst == 3) return 1;
 #endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 goto end;
 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
@@ -3488,9 +3497,9 @@ static int test_ssl_clear(int idx)
 #endif
 /* Create an initial connection */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey))
 || (idx == 1 && !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)))
@@ -3644,8 +3653,8 @@ static int test_pha_key_update(void)
 SSL *clientssl = NULL, *serverssl = NULL;
 int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(),
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
 &sctx, &cctx, cert, privkey)))
 return 0;
diff --git a/test/sslbuffertest.c b/test/sslbuffertest.c
index a1c3c6a6a3..7616eea2d5 100644
--- a/test/sslbuffertest.c
+++ b/test/sslbuffertest.c
@@ -166,6 +166,7 @@ int setup_tests(void)
 return 0;
 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
 &serverctx, &clientctx, cert, pkey)) {
 TEST_error("Failed to create SSL_CTX pair\n");
 return 0;
diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c
index 192310036a..b06ce8128d 100644
--- a/test/sslcorrupttest.c
+++ b/test/sslcorrupttest.c
@@ -193,9 +193,9 @@ static int test_ssl_corrupt(int testidx)
 TEST_info("Starting #%d, %s", testidx, cipher_list[testidx]);
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
 return 0;
 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher_list[testidx])))
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 7d31d368c7..0661a42bbd 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -1330,17 +1330,24 @@ int main(int argc, char *argv[])
 } else if (tls1_2) {
 min_version = TLS1_2_VERSION;
 max_version = TLS1_2_VERSION;
+ } else {
+ min_version = SSL3_VERSION;
+ max_version = TLS_MAX_VERSION;
 }
 #endif
 #ifndef OPENSSL_NO_DTLS
- if (dtls || dtls1 || dtls12)
+ if (dtls || dtls1 || dtls12) {
 meth = DTLS_method();
- if (dtls1) {
- min_version = DTLS1_VERSION;
- max_version = DTLS1_VERSION;
- } else if (dtls12) {
- min_version = DTLS1_2_VERSION;
- max_version = DTLS1_2_VERSION;
+ if (dtls1) {
+ min_version = DTLS1_VERSION;
+ max_version = DTLS1_VERSION;
+ } else if (dtls12) {
+ min_version = DTLS1_2_VERSION;
+ max_version = DTLS1_2_VERSION;
+ } else {
+ min_version = DTLS_MIN_VERSION;
+ max_version = DTLS_MAX_VERSION;
+ }
 }
 #endif
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
index 4473c670d7..f7dc65f734 100644
--- a/test/ssltestlib.c
+++ b/test/ssltestlib.c
@@ -511,6 +511,7 @@ static int mempacket_test_puts(BIO *bio, const char *str)
 }
 int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+ int min_proto_version, int max_proto_version,
 SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, char *privkeyfile)
 {
@@ -521,6 +522,22 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
 || (cctx != NULL && !TEST_ptr(clientctx = SSL_CTX_new(cm))))
 goto err;
+ if ((min_proto_version > 0
+ && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
+ min_proto_version)))
+ || (max_proto_version > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
+ max_proto_version))))
+ goto err;
+ if (clientctx != NULL
+ && ((min_proto_version > 0
+ && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
+ min_proto_version)))
+ || (max_proto_version > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
+ max_proto_version)))))
+ goto err;
+
 if (!TEST_int_eq(SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM), 1)
 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(serverctx, privkeyfile,
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
index 385833bad8..9d1ceb0718 100644
--- a/test/ssltestlib.h
+++ b/test/ssltestlib.h
@@ -13,6 +13,7 @@
 # include
 int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+ int min_proto_version, int max_proto_version,
 SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, char *privkeyfile);
 int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c
index afea0ea58d..41e4896fa9 100644
--- a/test/tls13ccstest.c
+++ b/test/tls13ccstest.c
@@ -255,6 +255,7 @@ static int test_tls13ccs(int tst)
 chsessidlen = 0;
 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
 &sctx, &cctx, cert, privkey))
 || !TEST_true(SSL_CTX_set_max_early_data(sctx, SSL3_RT_MAX_PLAIN_LENGTH))
-- cgit v1.2.3
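Review bot: The second version-bound block is guarded by `clientctx != NULL` but both setter calls inside it still target `serverctx`, so the client context never receives the requested bounds and the server has the same bounds applied twice; the two calls should read `SSL_CTX_set_min_proto_version(clientctx, min_proto_version)` and `SSL_CTX_set_max_proto_version(clientctx, max_proto_version)`. As written, every caller updated in this commit that passes `TLS1_VERSION, TLS_MAX_VERSION` (or the DTLS equivalents) constrains only the server side while the client keeps the library defaults, so the version negotiation these tests exercise is not the one the new arguments describe. The `> 0` guards also make a zero bound a silent "leave the default", which is a sensible contract but is stated nowhere in the hunk. The remainder of create_ssl_ctx_pair, including its `err:` path, lies outside the hunk.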
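Review bot: The new `min_proto_version` and `max_proto_version` parameters are undocumented at the declaration, and the implementation in ssltestlib.c only calls the setters when a value is `> 0`, so callers cannot tell from the header that 0 is the way to leave the library default in place. A comment above the prototype along the lines of `/* min_proto_version / max_proto_version: protocol bounds for the created contexts; 0 leaves the library default */` would make the contract visible without reading the implementation.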