1296273Sjkim/* Written by Matt Caswell for the OpenSSL Project */ 2296273Sjkim/* ==================================================================== 3296273Sjkim * Copyright (c) 2016 The OpenSSL Project. All rights reserved. 4296273Sjkim * 5296273Sjkim * Redistribution and use in source and binary forms, with or without 6296273Sjkim * modification, are permitted provided that the following conditions 7296273Sjkim * are met: 8296273Sjkim * 9296273Sjkim * 1. Redistributions of source code must retain the above copyright 10296273Sjkim * notice, this list of conditions and the following disclaimer. 11296273Sjkim * 12296273Sjkim * 2. Redistributions in binary form must reproduce the above copyright 13296273Sjkim * notice, this list of conditions and the following disclaimer in 14296273Sjkim * the documentation and/or other materials provided with the 15296273Sjkim * distribution. 16296273Sjkim * 17296273Sjkim * 3. All advertising materials mentioning features or use of this 18296273Sjkim * software must display the following acknowledgment: 19296273Sjkim * "This product includes software developed by the OpenSSL Project 20296273Sjkim * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21296273Sjkim * 22296273Sjkim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23296273Sjkim * endorse or promote products derived from this software without 24296273Sjkim * prior written permission. For written permission, please contact 25296273Sjkim * openssl-core@openssl.org. 26296273Sjkim * 27296273Sjkim * 5. Products derived from this software may not be called "OpenSSL" 28296273Sjkim * nor may "OpenSSL" appear in their names without prior written 29296273Sjkim * permission of the OpenSSL Project. 30296273Sjkim * 31296273Sjkim * 6. 
Redistributions of any form whatsoever must retain the following 32296273Sjkim * acknowledgment: 33296273Sjkim * "This product includes software developed by the OpenSSL Project 34296273Sjkim * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35296273Sjkim * 36296273Sjkim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37296273Sjkim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38296273Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39296273Sjkim * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40296273Sjkim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41296273Sjkim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42296273Sjkim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43296273Sjkim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44296273Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45296273Sjkim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46296273Sjkim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47296273Sjkim * OF THE POSSIBILITY OF SUCH DAMAGE. 48296273Sjkim * ==================================================================== 49296273Sjkim * 50296273Sjkim * This product includes cryptographic software written by Eric Young 51296273Sjkim * (eay@cryptsoft.com). This product includes software written by Tim 52296273Sjkim * Hudson (tjh@cryptsoft.com). 
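*/

#include <stdio.h>
#include <stdlib.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/*
 * Regression test for the SSL_CONF "Protocol" command and SSLv2.
 *
 * SSLv2 is an obsolete, insecure protocol. This test checks that it is
 * disabled by default on both an SSL_CTX and an SSL, and that the
 * configuration commands "Protocol" = ALL / SSLv2 / -SSLv2 never turn it
 * back on while SSL_OP_NO_SSLv2 is set. Only an explicit
 * SSL_CTX_clear_options()/SSL_clear_options() call may lift the
 * prohibition; after that the configuration commands take effect again
 * and "-SSLv2" disables the protocol once more.
 */

#define TOTAL_NUM_TESTS 2
#define TEST_SSL_CTX 0          /* test 0 configures the SSL_CTX, test 1 the SSL */

#define SSLV2ON 1
#define SSLV2OFF 0

SSL_CONF_CTX *confctx;
SSL_CTX *ctx;
SSL *ssl;

/*
 * Report whether the SSLv2 state of the object under test matches |sslv2|.
 *
 * test    TEST_SSL_CTX to inspect |ctx|, anything else to inspect |ssl|.
 * sslv2   SSLV2OFF if SSLv2 is expected to be disabled; any other value
 *         means it is expected to be enabled.
 * Returns 1 when the SSL_OP_NO_SSLv2 option agrees with the expectation,
 * 0 otherwise.
 */
static int checksslv2(int test, int sslv2)
{
    long options;               /* SSL_*_get_options() return long; don't truncate */
    int enabled;

    if (test == TEST_SSL_CTX)
        options = SSL_CTX_get_options(ctx);
    else
        options = SSL_get_options(ssl);

    enabled = (options & SSL_OP_NO_SSLv2) == 0;
    return enabled == (sslv2 != SSLV2OFF);
}

/*
 * Run one SSL_CONF "Protocol" command with |value| against |confctx|,
 * finish the configuration and verify the resulting SSLv2 state.
 *
 * err      BIO that receives failure diagnostics.
 * test     passed through to checksslv2() to select the SSL_CTX or SSL.
 * sslv2    expected SSLv2 state after the command (SSLV2ON/SSLV2OFF).
 * failmsg  message printed when the state check fails.
 * Returns 1 on success, 0 if the command was rejected or the check failed.
 */
static int apply_and_check(BIO *err, int test, const char *value, int sslv2,
                           const char *failmsg)
{
    /* "Protocol" takes a value, so SSL_CONF_cmd() reports 2 on success */
    if (SSL_CONF_cmd(confctx, "Protocol", value) != 2
        || !SSL_CONF_CTX_finish(confctx)) {
        BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
        return 0;
    }
    if (!checksslv2(test, sslv2)) {
        BIO_printf(err, "%s", failmsg);
        return 0;
    }
    return 1;
}

/*
 * Entry point. Exits with EXIT_SUCCESS when every check passes, otherwise
 * prints the failing test number plus the OpenSSL error queue and exits
 * with EXIT_FAILURE. Memory-leak checking is enabled for the whole run.
 */
int main(int argc, char *argv[])
{
    BIO *err = NULL;
    int testresult = 0;
    int currtest = 0;

    (void)argc;
    (void)argv;

    SSL_library_init();
    SSL_load_error_strings();

    err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
    if (err == NULL) {
        /* Nothing to report through; bail out before touching any BIO */
        fprintf(stderr, "SSLv2 CONF Test: cannot create diagnostic BIO\n");
        goto end;
    }

    CRYPTO_malloc_debug_init();
    CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

    confctx = SSL_CONF_CTX_new();
    ctx = SSL_CTX_new(SSLv23_method());
    /*
     * The SSL is created up front, before test 0 clears SSL_OP_NO_SSLv2 on
     * the ctx, so that test 1 still starts from the default (SSLv2 off)
     * state. Every object is checked here: the loop below dereferences
     * |ssl| via SSL_get_options(), which the original check did not cover.
     */
    ssl = (ctx == NULL) ? NULL : SSL_new(ctx);
    if (confctx == NULL || ctx == NULL || ssl == NULL) {
        BIO_printf(err, "SSLv2 CONF Test: object creation FAIL\n");
        goto end;
    }

    SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
                                    | SSL_CONF_FLAG_CLIENT
                                    | SSL_CONF_FLAG_SERVER);

    /*
     * For each test point the SSL_CONF_CTX at the SSL_CTX or the SSL and
     * see whether SSLv2 is enabled as expected after various
     * SSL_CONF_cmd("Protocol", ...) calls.
     */
    for (currtest = 0; currtest < TOTAL_NUM_TESTS; currtest++) {
        BIO_printf(err, "SSLv2 CONF Test number %d\n", currtest);
        if (currtest == TEST_SSL_CTX)
            SSL_CONF_CTX_set_ssl_ctx(confctx, ctx);
        else
            SSL_CONF_CTX_set_ssl(confctx, ssl);

        /* SSLv2 should be off by default */
        if (!checksslv2(currtest, SSLV2OFF)) {
            BIO_printf(err, "SSLv2 CONF Test: Off by default test FAIL\n");
            goto end;
        }

        /*
         * While SSL_OP_NO_SSLv2 is set, no "Protocol" value - not even an
         * explicit request for SSLv2 - may enable the protocol.
         */
        if (!apply_and_check(err, currtest, "ALL", SSLV2OFF,
                             "SSLv2 CONF Test: Off after config #1 FAIL\n")
            || !apply_and_check(err, currtest, "SSLv2", SSLV2OFF,
                                "SSLv2 CONF Test: Off after config #2 FAIL\n")
            || !apply_and_check(err, currtest, "-SSLv2", SSLV2OFF,
                                "SSLv2 CONF Test: Off after config #3 FAIL\n"))
            goto end;

        /* Only an explicit API call may lift the SSLv2 prohibition */
        if (currtest == TEST_SSL_CTX)
            SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
        else
            SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

        if (!checksslv2(currtest, SSLV2ON)) {
            BIO_printf(err, "SSLv2 CONF Test: On after clear FAIL\n");
            goto end;
        }

        /*
         * Option cleared: config that selects SSLv2 now takes effect, and
         * "-SSLv2" must still be able to switch it off again.
         */
        if (!apply_and_check(err, currtest, "ALL", SSLV2ON,
                             "SSLv2 CONF Test: On after config #1 FAIL\n")
            || !apply_and_check(err, currtest, "SSLv2", SSLV2ON,
                                "SSLv2 CONF Test: On after config #2 FAIL\n")
            || !apply_and_check(err, currtest, "-SSLv2", SSLV2OFF,
                                "SSLv2 CONF Test: Off after config #4 FAIL\n"))
            goto end;
    }

    testresult = 1;

 end:
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    SSL_CONF_CTX_free(confctx);

    if (!testresult) {
        printf("SSLv2 CONF test: FAILED (Test %d)\n", currtest);
        if (err != NULL)
            ERR_print_errors(err);
    } else {
        printf("SSLv2 CONF test: PASSED\n");
    }

    ERR_free_strings();
    ERR_remove_thread_state(NULL);
    EVP_cleanup();
    CRYPTO_cleanup_all_ex_data();
    if (err != NULL) {
        CRYPTO_mem_leaks(err);
        BIO_free(err);
    }

    return testresult ? EXIT_SUCCESS : EXIT_FAILURE;
}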