]>
Commit | Line | Data |
---|---|---|
5a22cf96 EK |
1 | /* |
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL licenses, (the "License"); | |
5 | * you may not use this file except in compliance with the License. | |
6 | * You may obtain a copy of the License at | |
7 | * https://www.openssl.org/source/license.html | |
8 | * or in the file LICENSE in the source distribution. | |
9 | */ | |
10 | ||
11 | #include <stdio.h> | |
12 | ||
13 | #include <openssl/opensslconf.h> | |
14 | #include <openssl/err.h> | |
15 | #include <openssl/e_os2.h> | |
16 | #include <openssl/ssl.h> | |
17 | #include <openssl/ssl3.h> | |
18 | #include <openssl/tls1.h> | |
19 | ||
20 | #include "e_os.h" | |
e364c3b2 | 21 | #include "test_main.h" |
5a22cf96 EK |
22 | #include "testutil.h" |
23 | ||
24 | typedef struct cipherlist_test_fixture { | |
25 | const char *test_case_name; | |
26 | SSL_CTX *server; | |
27 | SSL_CTX *client; | |
28 | } CIPHERLIST_TEST_FIXTURE; | |
29 | ||
30 | ||
31 | static CIPHERLIST_TEST_FIXTURE set_up(const char *const test_case_name) | |
32 | { | |
33 | CIPHERLIST_TEST_FIXTURE fixture; | |
34 | fixture.test_case_name = test_case_name; | |
35 | fixture.server = SSL_CTX_new(TLS_server_method()); | |
36 | fixture.client = SSL_CTX_new(TLS_client_method()); | |
37 | OPENSSL_assert(fixture.client != NULL && fixture.server != NULL); | |
38 | return fixture; | |
39 | } | |
40 | ||
41 | /* | |
42 | * All ciphers in the DEFAULT cipherlist meet the default security level. | |
43 | * However, default supported ciphers exclude SRP and PSK ciphersuites | |
44 | * for which no callbacks have been set up. | |
45 | * | |
46 | * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled, | |
47 | * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA | |
48 | * are currently broken and should be considered mission impossible in libssl. | |
49 | */ | |
50 | static const uint32_t default_ciphers_in_order[] = { | |
51 | #ifndef OPENSSL_NO_TLS1_2 | |
52 | # ifndef OPENSSL_NO_EC | |
53 | TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | |
54 | TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | |
55 | # endif | |
56 | # ifndef OPENSSL_NO_DH | |
57 | TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, | |
58 | # endif | |
59 | ||
60 | # if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305 | |
61 | # ifndef OPENSSL_NO_EC | |
62 | TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |
63 | TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |
64 | # endif | |
65 | # ifndef OPENSSL_NO_DH | |
66 | TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305, | |
67 | # endif | |
68 | # endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ | |
69 | ||
70 | # ifndef OPENSSL_NO_EC | |
71 | TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |
72 | TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |
73 | # endif | |
74 | # ifndef OPENSSL_NO_DH | |
75 | TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, | |
76 | # endif | |
77 | # ifndef OPENSSL_NO_EC | |
78 | TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, | |
79 | TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, | |
80 | # endif | |
81 | # ifndef OPENSSL_NO_DH | |
82 | TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, | |
83 | # endif | |
84 | # ifndef OPENSSL_NO_EC | |
85 | TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, | |
86 | TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, | |
87 | # endif | |
88 | # ifndef OPENSSL_NO_DH | |
89 | TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, | |
90 | # endif | |
91 | #endif /* !OPENSSL_NO_TLS1_2 */ | |
92 | ||
93 | #ifndef OPENSSL_NO_EC | |
94 | TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | |
95 | TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, | |
96 | #endif | |
97 | #ifndef OPENSSL_NO_DH | |
98 | TLS1_CK_DHE_RSA_WITH_AES_256_SHA, | |
99 | #endif | |
100 | #ifndef OPENSSL_NO_EC | |
101 | TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, | |
102 | TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, | |
103 | #endif | |
104 | #ifndef OPENSSL_NO_DH | |
105 | TLS1_CK_DHE_RSA_WITH_AES_128_SHA, | |
106 | #endif | |
107 | ||
5a22cf96 EK |
108 | #ifndef OPENSSL_NO_TLS1_2 |
109 | TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, | |
110 | TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, | |
582a17d6 MC |
111 | #endif |
112 | #ifndef OPENSSL_NO_TLS1_3 | |
1bbede20 DSH |
113 | TLS1_3_CK_AES_256_GCM_SHA384, |
114 | TLS1_3_CK_CHACHA20_POLY1305_SHA256, | |
582a17d6 MC |
115 | TLS1_3_CK_AES_128_GCM_SHA256, |
116 | #endif | |
117 | #ifndef OPENSSL_NO_TLS1_2 | |
5a22cf96 EK |
118 | TLS1_CK_RSA_WITH_AES_256_SHA256, |
119 | TLS1_CK_RSA_WITH_AES_128_SHA256, | |
120 | #endif | |
5a22cf96 EK |
121 | TLS1_CK_RSA_WITH_AES_256_SHA, |
122 | TLS1_CK_RSA_WITH_AES_128_SHA, | |
5a22cf96 EK |
123 | }; |
124 | ||
125 | static int test_default_cipherlist(SSL_CTX *ctx) | |
126 | { | |
127 | STACK_OF(SSL_CIPHER) *ciphers; | |
128 | SSL *ssl; | |
129 | int i, ret = 0, num_expected_ciphers, num_ciphers; | |
130 | uint32_t expected_cipher_id, cipher_id; | |
131 | ||
132 | ssl = SSL_new(ctx); | |
133 | OPENSSL_assert(ssl != NULL); | |
134 | ||
135 | ciphers = SSL_get1_supported_ciphers(ssl); | |
136 | OPENSSL_assert(ciphers != NULL); | |
137 | num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order); | |
138 | num_ciphers = sk_SSL_CIPHER_num(ciphers); | |
2fae041d | 139 | if (!TEST_int_eq(num_ciphers, num_expected_ciphers)) |
5a22cf96 | 140 | goto err; |
5a22cf96 EK |
141 | |
142 | for (i = 0; i < num_ciphers; i++) { | |
143 | expected_cipher_id = default_ciphers_in_order[i]; | |
144 | cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i)); | |
2fae041d P |
145 | if (!TEST_int_eq(cipher_id, expected_cipher_id)) { |
146 | TEST_info("Wrong cipher at position %d", i); | |
5a22cf96 EK |
147 | goto err; |
148 | } | |
149 | } | |
150 | ||
151 | ret = 1; | |
152 | ||
153 | err: | |
154 | sk_SSL_CIPHER_free(ciphers); | |
155 | SSL_free(ssl); | |
156 | return ret; | |
157 | } | |
158 | ||
159 | static int execute_test(CIPHERLIST_TEST_FIXTURE fixture) | |
160 | { | |
161 | return test_default_cipherlist(fixture.server) | |
162 | && test_default_cipherlist(fixture.client); | |
163 | } | |
164 | ||
165 | static void tear_down(CIPHERLIST_TEST_FIXTURE fixture) | |
166 | { | |
167 | SSL_CTX_free(fixture.server); | |
168 | SSL_CTX_free(fixture.client); | |
5a22cf96 EK |
169 | } |
170 | ||
171 | #define SETUP_CIPHERLIST_TEST_FIXTURE() \ | |
172 | SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up) | |
173 | ||
174 | #define EXECUTE_CIPHERLIST_TEST() \ | |
175 | EXECUTE_TEST(execute_test, tear_down) | |
176 | ||
177 | static int test_default_cipherlist_implicit() | |
178 | { | |
179 | SETUP_CIPHERLIST_TEST_FIXTURE(); | |
180 | EXECUTE_CIPHERLIST_TEST(); | |
181 | } | |
182 | ||
183 | static int test_default_cipherlist_explicit() | |
184 | { | |
185 | SETUP_CIPHERLIST_TEST_FIXTURE(); | |
186 | OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.server, "DEFAULT")); | |
187 | OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.client, "DEFAULT")); | |
188 | EXECUTE_CIPHERLIST_TEST(); | |
189 | } | |
190 | ||
e364c3b2 | 191 | void register_tests() |
5a22cf96 | 192 | { |
5a22cf96 EK |
193 | ADD_TEST(test_default_cipherlist_implicit); |
194 | ADD_TEST(test_default_cipherlist_explicit); | |
5a22cf96 | 195 | } |