5a22cf96 | 1 | /* |
019e47ce | 2 | * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the OpenSSL licenses, (the "License"); | |
5 | * you may not use this file except in compliance with the License. | |
6 | * You may obtain a copy of the License at | |
7 | * https://www.openssl.org/source/license.html | |
8 | * or in the file LICENSE in the source distribution. | |
9 | */ | |
10 | ||
11 | #include <stdio.h> | |
019e47ce | 12 | #include <string.h> |
13 | |
14 | #include <openssl/opensslconf.h> | |
15 | #include <openssl/err.h> | |
16 | #include <openssl/e_os2.h> | |
17 | #include <openssl/ssl.h> | |
18 | #include <openssl/ssl3.h> | |
19 | #include <openssl/tls1.h> | |
20 | ||
176db6dc | 21 | #include "internal/nelem.h" |
22 | #include "testutil.h" |
23 | ||
/*
 * Per-test-case state: one server and one client SSL_CTX, allocated by
 * set_up() and released by tear_down().
 */
typedef struct cipherlist_test_fixture {
    const char *test_case_name;     /* name of the running case, set by set_up() */
    SSL_CTX *server;                /* freed by tear_down() */
    SSL_CTX *client;                /* freed by tear_down() */
} CIPHERLIST_TEST_FIXTURE;
29 | ||
30 | ||
/*
 * Release a fixture produced by set_up(): both SSL_CTX objects and the
 * fixture allocation itself.  A NULL fixture is accepted and ignored.
 * After this call the fixture pointer must not be used again.
 */
static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture)
{
    if (fixture == NULL)
        return;

    SSL_CTX_free(fixture->server);
    fixture->server = NULL;
    SSL_CTX_free(fixture->client);
    fixture->client = NULL;
    OPENSSL_free(fixture);
}
40 | ||
/*
 * Allocate a fixture holding a fresh TLS server and TLS client SSL_CTX.
 * On any failure everything allocated so far is released and NULL is
 * returned.  The caller owns the result and must pass it to tear_down().
 */
static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name)
{
    CIPHERLIST_TEST_FIXTURE *fixture = OPENSSL_zalloc(sizeof(*fixture));

    if (!TEST_ptr(fixture))
        return NULL;
    fixture->test_case_name = test_case_name;

    fixture->server = SSL_CTX_new(TLS_server_method());
    if (!TEST_ptr(fixture->server))
        goto err;
    fixture->client = SSL_CTX_new(TLS_client_method());
    if (!TEST_ptr(fixture->client))
        goto err;
    return fixture;

 err:
    tear_down(fixture);
    return NULL;
}
55 | ||
56 | /* | |
57 | * All ciphers in the DEFAULT cipherlist meet the default security level. | |
58 | * However, default supported ciphers exclude SRP and PSK ciphersuites | |
59 | * for which no callbacks have been set up. | |
60 | * | |
61 | * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled, | |
62 | * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA | |
63 | * are currently broken and should be considered mission impossible in libssl. | |
64 | */ | |
/*
 * Expected contents of SSL_get1_supported_ciphers() for a context using the
 * DEFAULT cipherlist, in order: test_default_cipherlist() compares position
 * i of the returned stack against element i of this table, so both the set
 * and the ordering are pinned by this test.  Entries are compiled out
 * together with the algorithm or protocol version that would provide them.
 */
static const uint32_t default_ciphers_in_order[] = {
#ifndef OPENSSL_NO_TLS1_2
# ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
# endif
# ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
# endif

# if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305
#  ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
    TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
#  endif
#  ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
#  endif
# endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */

# ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
# endif
# ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
# endif
# ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
    TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
# endif
# ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
# endif
# ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
    TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
# endif
# ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
# endif
#endif /* !OPENSSL_NO_TLS1_2 */

#ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
#endif
#ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
#endif
#ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
#endif
#ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
#endif

#ifndef OPENSSL_NO_TLS1_2
    TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
    TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
#endif
#ifndef OPENSSL_NO_TLS1_3
    TLS1_3_CK_AES_256_GCM_SHA384,
    TLS1_3_CK_CHACHA20_POLY1305_SHA256,
    TLS1_3_CK_AES_128_GCM_SHA256,
#endif
#ifndef OPENSSL_NO_TLS1_2
    TLS1_CK_RSA_WITH_AES_256_SHA256,
    TLS1_CK_RSA_WITH_AES_128_SHA256,
#endif
    TLS1_CK_RSA_WITH_AES_256_SHA,
    TLS1_CK_RSA_WITH_AES_128_SHA,
};
139 | ||
/*
 * Check that an SSL object created from ctx reports exactly the ciphers in
 * default_ciphers_in_order[], in that order.
 *
 * Returns 1 on success; 0 if ctx is NULL, on allocation failure, if the
 * number of supported ciphers differs, or on the first cipher mismatch
 * (reported with its position).
 */
static int test_default_cipherlist(SSL_CTX *ctx)
{
    STACK_OF(SSL_CIPHER) *supported = NULL;
    SSL *ssl = NULL;
    int ok = 0;
    int idx;
    const int num_expected = OSSL_NELEM(default_ciphers_in_order);
    int num_supported;

    if (ctx == NULL)
        return 0;

    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl))
        goto done;
    supported = SSL_get1_supported_ciphers(ssl);
    if (!TEST_ptr(supported))
        goto done;

    /* Lengths must agree before indexing the expected table below is safe. */
    num_supported = sk_SSL_CIPHER_num(supported);
    if (!TEST_int_eq(num_supported, num_expected))
        goto done;

    for (idx = 0; idx < num_supported; idx++) {
        const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(supported, idx);
        uint32_t actual_id = SSL_CIPHER_get_id(cipher);

        if (!TEST_int_eq(actual_id, default_ciphers_in_order[idx])) {
            TEST_info("Wrong cipher at position %d", idx);
            goto done;
        }
    }
    ok = 1;

 done:
    sk_SSL_CIPHER_free(supported);
    SSL_free(ssl);
    return ok;
}
175 | ||
/*
 * Run the default-cipherlist check on both contexts of a fixture.
 * Returns 1 only when the fixture exists and both the server and the client
 * context pass; the client is not checked if the server already failed.
 */
static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture)
{
    if (fixture == NULL)
        return 0;
    if (!test_default_cipherlist(fixture->server))
        return 0;
    return test_default_cipherlist(fixture->client);
}
182 | ||
/*
 * Thin wrappers over the generic fixture macros (presumably from testutil.h,
 * their expansion is not visible here).  As used by the test functions
 * below, SETUP_CIPHERLIST_TEST_FIXTURE() introduces a local `fixture`
 * (NULL when set_up() failed) and EXECUTE_CIPHERLIST_TEST() leaves the
 * outcome in a local `result`, tearing the fixture down itself.
 */
#define SETUP_CIPHERLIST_TEST_FIXTURE() \
    SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)

#define EXECUTE_CIPHERLIST_TEST() \
    EXECUTE_TEST(execute_test, tear_down)
188 | ||
/*
 * Cipherlist check with no cipher list configured at all: whatever
 * SSL_CTX_new() sets up must already match default_ciphers_in_order[].
 * `fixture` and `result` are introduced by the fixture macros.
 */
static int test_default_cipherlist_implicit(void)
{
    SETUP_CIPHERLIST_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    EXECUTE_CIPHERLIST_TEST();   /* also tears the fixture down */
    return result;
}
197 | ||
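/*
 * Cipherlist check after selecting "DEFAULT" explicitly on both contexts,
 * which must produce the same list as the implicit default.
 * `fixture` and `result` are introduced by the fixture macros.
 */
static int test_default_cipherlist_explicit(void)
{
    SETUP_CIPHERLIST_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT"))
            || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT"))) {
        /*
         * tear_down() frees the fixture, so we must return here rather than
         * fall through into EXECUTE_CIPHERLIST_TEST(), which would run the
         * test on, and tear down, the already freed fixture.
         */
        tear_down(fixture);
        return 0;
    }
    EXECUTE_CIPHERLIST_TEST();   /* also tears the fixture down */
    return result;
}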
209 | ||
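/*
 * Test-runner entry point: registers the two cipherlist test cases.
 * Declared with a proper (void) prototype, matching the test functions
 * above, instead of the obsolescent empty parameter list.
 * Returns 1 to indicate successful registration.
 */
int setup_tests(void)
{
    ADD_TEST(test_default_cipherlist_implicit);
    ADD_TEST(test_default_cipherlist_explicit);
    return 1;
}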