projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| 5a22cf96 EK |
1 | /* |
| 2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
| 3 | * | |
| 4 | * Licensed under the OpenSSL licenses, (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * https://www.openssl.org/source/license.html | |
| 8 | * or in the file LICENSE in the source distribution. | |
| 9 | */ | |
| 10 | ||
| 11 | #include <stdio.h> | |
| 12 | ||
| 13 | #include <openssl/opensslconf.h> | |
| 14 | #include <openssl/err.h> | |
| 15 | #include <openssl/e_os2.h> | |
| 16 | #include <openssl/ssl.h> | |
| 17 | #include <openssl/ssl3.h> | |
| 18 | #include <openssl/tls1.h> | |
| 19 | ||
| 20 | #include "e_os.h" | |
| e364c3b2 | 21 | #include "test_main.h" |
| 5a22cf96 EK |
22 | #include "testutil.h" |
| 23 | ||
| 24 | typedef struct cipherlist_test_fixture { | |
| 25 | const char *test_case_name; | |
| 26 | SSL_CTX *server; | |
| 27 | SSL_CTX *client; | |
| 28 | } CIPHERLIST_TEST_FIXTURE; | |
| 29 | ||
| 30 | ||
| 31 | static CIPHERLIST_TEST_FIXTURE set_up(const char *const test_case_name) | |
| 32 | { | |
| 33 | CIPHERLIST_TEST_FIXTURE fixture; | |
| 34 | fixture.test_case_name = test_case_name; | |
| 35 | fixture.server = SSL_CTX_new(TLS_server_method()); | |
| 36 | fixture.client = SSL_CTX_new(TLS_client_method()); | |
| 37 | OPENSSL_assert(fixture.client != NULL && fixture.server != NULL); | |
| 38 | return fixture; | |
| 39 | } | |
| 40 | ||
| 41 | /* | |
| 42 | * All ciphers in the DEFAULT cipherlist meet the default security level. | |
| 43 | * However, default supported ciphers exclude SRP and PSK ciphersuites | |
| 44 | * for which no callbacks have been set up. | |
| 45 | * | |
| 46 | * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled, | |
| 47 | * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA | |
| 48 | * are currently broken and should be considered mission impossible in libssl. | |
| 49 | */ | |
| 50 | static const uint32_t default_ciphers_in_order[] = { | |
| 51 | #ifndef OPENSSL_NO_TLS1_2 | |
| 52 | # ifndef OPENSSL_NO_EC | |
| 53 | TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | |
| 54 | TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | |
| 55 | # endif | |
| 56 | # ifndef OPENSSL_NO_DH | |
| 57 | TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, | |
| 58 | # endif | |
| 59 | ||
| 60 | # if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305 | |
| 61 | # ifndef OPENSSL_NO_EC | |
| 62 | TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |
| 63 | TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |
| 64 | # endif | |
| 65 | # ifndef OPENSSL_NO_DH | |
| 66 | TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305, | |
| 67 | # endif | |
| 68 | # endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ | |
| 69 | ||
| 70 | # ifndef OPENSSL_NO_EC | |
| 71 | TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |
| 72 | TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |
| 73 | # endif | |
| 74 | # ifndef OPENSSL_NO_DH | |
| 75 | TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, | |
| 76 | # endif | |
| 77 | # ifndef OPENSSL_NO_EC | |
| 78 | TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, | |
| 79 | TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, | |
| 80 | # endif | |
| 81 | # ifndef OPENSSL_NO_DH | |
| 82 | TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, | |
| 83 | # endif | |
| 84 | # ifndef OPENSSL_NO_EC | |
| 85 | TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, | |
| 86 | TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, | |
| 87 | # endif | |
| 88 | # ifndef OPENSSL_NO_DH | |
| 89 | TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, | |
| 90 | # endif | |
| 91 | #endif /* !OPENSSL_NO_TLS1_2 */ | |
| 92 | ||
| 93 | #ifndef OPENSSL_NO_EC | |
| 94 | TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | |
| 95 | TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, | |
| 96 | #endif | |
| 97 | #ifndef OPENSSL_NO_DH | |
| 98 | TLS1_CK_DHE_RSA_WITH_AES_256_SHA, | |
| 99 | #endif | |
| 100 | #ifndef OPENSSL_NO_EC | |
| 101 | TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, | |
| 102 | TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, | |
| 103 | #endif | |
| 104 | #ifndef OPENSSL_NO_DH | |
| 105 | TLS1_CK_DHE_RSA_WITH_AES_128_SHA, | |
| 106 | #endif | |
| 107 | ||
| 5a22cf96 EK |
108 | #ifndef OPENSSL_NO_TLS1_2 |
| 109 | TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, | |
| 110 | TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, | |
| 582a17d6 MC |
111 | #endif |
| 112 | #ifndef OPENSSL_NO_TLS1_3 | |
| 113 | TLS1_3_CK_AES_128_GCM_SHA256, | |
| 114 | #endif | |
| 115 | #ifndef OPENSSL_NO_TLS1_2 | |
| 5a22cf96 EK |
116 | TLS1_CK_RSA_WITH_AES_256_SHA256, |
| 117 | TLS1_CK_RSA_WITH_AES_128_SHA256, | |
| 118 | #endif | |
| 5a22cf96 EK |
119 | TLS1_CK_RSA_WITH_AES_256_SHA, |
| 120 | TLS1_CK_RSA_WITH_AES_128_SHA, | |
| 5a22cf96 EK |
121 | }; |
| 122 | ||
| 123 | static int test_default_cipherlist(SSL_CTX *ctx) | |
| 124 | { | |
| 125 | STACK_OF(SSL_CIPHER) *ciphers; | |
| 126 | SSL *ssl; | |
| 127 | int i, ret = 0, num_expected_ciphers, num_ciphers; | |
| 128 | uint32_t expected_cipher_id, cipher_id; | |
| 129 | ||
| 130 | ssl = SSL_new(ctx); | |
| 131 | OPENSSL_assert(ssl != NULL); | |
| 132 | ||
| 133 | ciphers = SSL_get1_supported_ciphers(ssl); | |
| 134 | OPENSSL_assert(ciphers != NULL); | |
| 135 | num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order); | |
| 136 | num_ciphers = sk_SSL_CIPHER_num(ciphers); | |
| 137 | if (num_ciphers != num_expected_ciphers) { | |
| 138 | fprintf(stderr, "Expected %d supported ciphers, got %d.\n", | |
| 139 | num_expected_ciphers, num_ciphers); | |
| 140 | goto err; | |
| 141 | } | |
| 142 | ||
| 143 | for (i = 0; i < num_ciphers; i++) { | |
| 144 | expected_cipher_id = default_ciphers_in_order[i]; | |
| 145 | cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i)); | |
| 146 | if (cipher_id != expected_cipher_id) { | |
| 147 | fprintf(stderr, "Wrong cipher at position %d: expected %x, " | |
| 148 | "got %x\n", i, expected_cipher_id, cipher_id); | |
| 149 | goto err; | |
| 150 | } | |
| 151 | } | |
| 152 | ||
| 153 | ret = 1; | |
| 154 | ||
| 155 | err: | |
| 156 | sk_SSL_CIPHER_free(ciphers); | |
| 157 | SSL_free(ssl); | |
| 158 | return ret; | |
| 159 | } | |
| 160 | ||
| 161 | static int execute_test(CIPHERLIST_TEST_FIXTURE fixture) | |
| 162 | { | |
| 163 | return test_default_cipherlist(fixture.server) | |
| 164 | && test_default_cipherlist(fixture.client); | |
| 165 | } | |
| 166 | ||
| 167 | static void tear_down(CIPHERLIST_TEST_FIXTURE fixture) | |
| 168 | { | |
| 169 | SSL_CTX_free(fixture.server); | |
| 170 | SSL_CTX_free(fixture.client); | |
| 5a22cf96 EK |
171 | } |
| 172 | ||
| 173 | #define SETUP_CIPHERLIST_TEST_FIXTURE() \ | |
| 174 | SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up) | |
| 175 | ||
| 176 | #define EXECUTE_CIPHERLIST_TEST() \ | |
| 177 | EXECUTE_TEST(execute_test, tear_down) | |
| 178 | ||
| 179 | static int test_default_cipherlist_implicit() | |
| 180 | { | |
| 181 | SETUP_CIPHERLIST_TEST_FIXTURE(); | |
| 182 | EXECUTE_CIPHERLIST_TEST(); | |
| 183 | } | |
| 184 | ||
| 185 | static int test_default_cipherlist_explicit() | |
| 186 | { | |
| 187 | SETUP_CIPHERLIST_TEST_FIXTURE(); | |
| 188 | OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.server, "DEFAULT")); | |
| 189 | OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.client, "DEFAULT")); | |
| 190 | EXECUTE_CIPHERLIST_TEST(); | |
| 191 | } | |
| 192 | ||
| e364c3b2 | 193 | void register_tests() |
| 5a22cf96 | 194 | { |
| 5a22cf96 EK |
195 | ADD_TEST(test_default_cipherlist_implicit); |
| 196 | ADD_TEST(test_default_cipherlist_explicit); | |
| 5a22cf96 | 197 | } |