]>
Commit | Line | Data |
---|---|---|
5a22cf96 EK |
1 | /* |
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL licenses, (the "License"); | |
5 | * you may not use this file except in compliance with the License. | |
6 | * You may obtain a copy of the License at | |
7 | * https://www.openssl.org/source/license.html | |
8 | * or in the file LICENSE in the source distribution. | |
9 | */ | |
10 | ||
11 | #include <stdio.h> | |
12 | ||
13 | #include <openssl/opensslconf.h> | |
14 | #include <openssl/err.h> | |
15 | #include <openssl/e_os2.h> | |
16 | #include <openssl/ssl.h> | |
17 | #include <openssl/ssl3.h> | |
18 | #include <openssl/tls1.h> | |
19 | ||
20 | #include "e_os.h" | |
e364c3b2 | 21 | #include "test_main.h" |
5a22cf96 EK |
22 | #include "testutil.h" |
23 | ||
24 | typedef struct cipherlist_test_fixture { | |
25 | const char *test_case_name; | |
26 | SSL_CTX *server; | |
27 | SSL_CTX *client; | |
28 | } CIPHERLIST_TEST_FIXTURE; | |
29 | ||
30 | ||
31 | static CIPHERLIST_TEST_FIXTURE set_up(const char *const test_case_name) | |
32 | { | |
33 | CIPHERLIST_TEST_FIXTURE fixture; | |
34 | fixture.test_case_name = test_case_name; | |
35 | fixture.server = SSL_CTX_new(TLS_server_method()); | |
36 | fixture.client = SSL_CTX_new(TLS_client_method()); | |
37 | OPENSSL_assert(fixture.client != NULL && fixture.server != NULL); | |
38 | return fixture; | |
39 | } | |
40 | ||
41 | /* | |
42 | * All ciphers in the DEFAULT cipherlist meet the default security level. | |
43 | * However, default supported ciphers exclude SRP and PSK ciphersuites | |
44 | * for which no callbacks have been set up. | |
45 | * | |
46 | * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled, | |
47 | * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA | |
48 | * are currently broken and should be considered mission impossible in libssl. | |
49 | */ | |
50 | static const uint32_t default_ciphers_in_order[] = { | |
51 | #ifndef OPENSSL_NO_TLS1_2 | |
52 | # ifndef OPENSSL_NO_EC | |
53 | TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | |
54 | TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | |
55 | # endif | |
56 | # ifndef OPENSSL_NO_DH | |
57 | TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, | |
58 | # endif | |
59 | ||
60 | # if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305 | |
61 | # ifndef OPENSSL_NO_EC | |
62 | TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |
63 | TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |
64 | # endif | |
65 | # ifndef OPENSSL_NO_DH | |
66 | TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305, | |
67 | # endif | |
68 | # endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ | |
69 | ||
70 | # ifndef OPENSSL_NO_EC | |
71 | TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |
72 | TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |
73 | # endif | |
74 | # ifndef OPENSSL_NO_DH | |
75 | TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, | |
76 | # endif | |
77 | # ifndef OPENSSL_NO_EC | |
78 | TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, | |
79 | TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, | |
80 | # endif | |
81 | # ifndef OPENSSL_NO_DH | |
82 | TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, | |
83 | # endif | |
84 | # ifndef OPENSSL_NO_EC | |
85 | TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, | |
86 | TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, | |
87 | # endif | |
88 | # ifndef OPENSSL_NO_DH | |
89 | TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, | |
90 | # endif | |
91 | #endif /* !OPENSSL_NO_TLS1_2 */ | |
92 | ||
93 | #ifndef OPENSSL_NO_EC | |
94 | TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | |
95 | TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, | |
96 | #endif | |
97 | #ifndef OPENSSL_NO_DH | |
98 | TLS1_CK_DHE_RSA_WITH_AES_256_SHA, | |
99 | #endif | |
100 | #ifndef OPENSSL_NO_EC | |
101 | TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, | |
102 | TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, | |
103 | #endif | |
104 | #ifndef OPENSSL_NO_DH | |
105 | TLS1_CK_DHE_RSA_WITH_AES_128_SHA, | |
106 | #endif | |
107 | ||
5a22cf96 EK |
108 | #ifndef OPENSSL_NO_TLS1_2 |
109 | TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, | |
110 | TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, | |
582a17d6 MC |
111 | #endif |
112 | #ifndef OPENSSL_NO_TLS1_3 | |
113 | TLS1_3_CK_AES_128_GCM_SHA256, | |
114 | #endif | |
115 | #ifndef OPENSSL_NO_TLS1_2 | |
5a22cf96 EK |
116 | TLS1_CK_RSA_WITH_AES_256_SHA256, |
117 | TLS1_CK_RSA_WITH_AES_128_SHA256, | |
118 | #endif | |
5a22cf96 EK |
119 | TLS1_CK_RSA_WITH_AES_256_SHA, |
120 | TLS1_CK_RSA_WITH_AES_128_SHA, | |
5a22cf96 EK |
121 | }; |
122 | ||
123 | static int test_default_cipherlist(SSL_CTX *ctx) | |
124 | { | |
125 | STACK_OF(SSL_CIPHER) *ciphers; | |
126 | SSL *ssl; | |
127 | int i, ret = 0, num_expected_ciphers, num_ciphers; | |
128 | uint32_t expected_cipher_id, cipher_id; | |
129 | ||
130 | ssl = SSL_new(ctx); | |
131 | OPENSSL_assert(ssl != NULL); | |
132 | ||
133 | ciphers = SSL_get1_supported_ciphers(ssl); | |
134 | OPENSSL_assert(ciphers != NULL); | |
135 | num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order); | |
136 | num_ciphers = sk_SSL_CIPHER_num(ciphers); | |
137 | if (num_ciphers != num_expected_ciphers) { | |
138 | fprintf(stderr, "Expected %d supported ciphers, got %d.\n", | |
139 | num_expected_ciphers, num_ciphers); | |
140 | goto err; | |
141 | } | |
142 | ||
143 | for (i = 0; i < num_ciphers; i++) { | |
144 | expected_cipher_id = default_ciphers_in_order[i]; | |
145 | cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i)); | |
146 | if (cipher_id != expected_cipher_id) { | |
147 | fprintf(stderr, "Wrong cipher at position %d: expected %x, " | |
148 | "got %x\n", i, expected_cipher_id, cipher_id); | |
149 | goto err; | |
150 | } | |
151 | } | |
152 | ||
153 | ret = 1; | |
154 | ||
155 | err: | |
156 | sk_SSL_CIPHER_free(ciphers); | |
157 | SSL_free(ssl); | |
158 | return ret; | |
159 | } | |
160 | ||
161 | static int execute_test(CIPHERLIST_TEST_FIXTURE fixture) | |
162 | { | |
163 | return test_default_cipherlist(fixture.server) | |
164 | && test_default_cipherlist(fixture.client); | |
165 | } | |
166 | ||
167 | static void tear_down(CIPHERLIST_TEST_FIXTURE fixture) | |
168 | { | |
169 | SSL_CTX_free(fixture.server); | |
170 | SSL_CTX_free(fixture.client); | |
5a22cf96 EK |
171 | } |
172 | ||
173 | #define SETUP_CIPHERLIST_TEST_FIXTURE() \ | |
174 | SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up) | |
175 | ||
176 | #define EXECUTE_CIPHERLIST_TEST() \ | |
177 | EXECUTE_TEST(execute_test, tear_down) | |
178 | ||
179 | static int test_default_cipherlist_implicit() | |
180 | { | |
181 | SETUP_CIPHERLIST_TEST_FIXTURE(); | |
182 | EXECUTE_CIPHERLIST_TEST(); | |
183 | } | |
184 | ||
185 | static int test_default_cipherlist_explicit() | |
186 | { | |
187 | SETUP_CIPHERLIST_TEST_FIXTURE(); | |
188 | OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.server, "DEFAULT")); | |
189 | OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.client, "DEFAULT")); | |
190 | EXECUTE_CIPHERLIST_TEST(); | |
191 | } | |
192 | ||
e364c3b2 | 193 | void register_tests() |
5a22cf96 | 194 | { |
5a22cf96 EK |
195 | ADD_TEST(test_default_cipherlist_implicit); |
196 | ADD_TEST(test_default_cipherlist_explicit); | |
5a22cf96 | 197 | } |