5a22cf96 | 1 | /* |
6738bf14 | 2 | * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the OpenSSL licenses, (the "License"); | |
5 | * you may not use this file except in compliance with the License. | |
6 | * You may obtain a copy of the License at | |
7 | * https://www.openssl.org/source/license.html | |
8 | * or in the file LICENSE in the source distribution. | |
9 | */ | |
10 | ||
11 | #include <stdio.h> | |
019e47ce | 12 | #include <string.h> |
13 | |
14 | #include <openssl/opensslconf.h> | |
15 | #include <openssl/err.h> | |
16 | #include <openssl/e_os2.h> | |
17 | #include <openssl/ssl.h> | |
18 | #include <openssl/ssl3.h> | |
19 | #include <openssl/tls1.h> | |
20 | ||
176db6dc | 21 | #include "internal/nelem.h" |
22 | #include "testutil.h" |
23 | ||
/*
 * Per-test state: one server and one client SSL_CTX whose supported cipher
 * lists are compared against default_ciphers_in_order. Created by set_up()
 * and released, together with both contexts, by tear_down().
 */
typedef struct cipherlist_test_fixture {
    const char *test_case_name; /* not owned; set_up() stores the caller's pointer */
    SSL_CTX *server;            /* from SSL_CTX_new(TLS_server_method()) */
    SSL_CTX *client;            /* from SSL_CTX_new(TLS_client_method()) */
} CIPHERLIST_TEST_FIXTURE;
29 | ||
30 | ||
/*
 * Release a fixture produced by set_up(): both SSL_CTX objects and then the
 * fixture allocation itself. A NULL fixture is accepted and ignored, so the
 * function is safe to call from partially-failed setup paths.
 */
static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture)
{
    if (fixture == NULL)
        return;

    SSL_CTX_free(fixture->server);
    fixture->server = NULL;
    SSL_CTX_free(fixture->client);
    fixture->client = NULL;

    OPENSSL_free(fixture);
}
40 | ||
/*
 * Allocate a fixture holding a fresh server and client SSL_CTX.
 *
 * Returns the fixture, or NULL if the allocation or either SSL_CTX_new()
 * fails; each failure is reported through TEST_ptr and anything already
 * allocated is released via tear_down() before returning.
 */
static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name)
{
    CIPHERLIST_TEST_FIXTURE *fixture = OPENSSL_zalloc(sizeof(*fixture));

    if (!TEST_ptr(fixture))
        return NULL;
    fixture->test_case_name = test_case_name;

    fixture->server = SSL_CTX_new(TLS_server_method());
    if (!TEST_ptr(fixture->server))
        goto err;
    /* The client context is only attempted once the server one succeeded. */
    fixture->client = SSL_CTX_new(TLS_client_method());
    if (!TEST_ptr(fixture->client))
        goto err;

    return fixture;

 err:
    tear_down(fixture);
    return NULL;
}
55 | ||
/*
 * All ciphers in the DEFAULT cipherlist meet the default security level.
 * However, the default supported ciphers exclude the SRP and PSK ciphersuites,
 * for which no callbacks have been set up.
 *
 * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
 * and suites using individually disabled algorithms. However, NO_RSA, NO_AES
 * and NO_SHA are currently broken and should be considered mission impossible
 * in libssl.
 *
 * The array is compared positionally against what SSL_get1_supported_ciphers()
 * returns, so both its contents and its order matter; the preprocessor
 * conditionals must mirror the build options that remove suites from that
 * list.
 */
static const uint32_t default_ciphers_in_order[] = {
#ifndef OPENSSL_NO_TLS1_2
    /* TLSv1.2 AEAD suites with forward secrecy come first. */
# ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
# endif
# ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
# endif

# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
#  ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
    TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
#  endif
#  ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
#  endif
# endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */

# ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
# endif
# ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
# endif
    /* TLSv1.2 CBC suites with SHA-2 MACs, still forward secret. */
# ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
    TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
# endif
# ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
# endif
# ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
    TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
# endif
# ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
# endif
#endif /* !OPENSSL_NO_TLS1_2 */

#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
    /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
# ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
# endif
#ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
# endif
# ifndef OPENSSL_NO_EC
    TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
# endif
# ifndef OPENSSL_NO_DH
    TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
# endif
#endif /* !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) */

    /* Non-forward-secret RSA key transport suites follow. */
#ifndef OPENSSL_NO_TLS1_2
    TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
    TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
#endif
    /*
     * The TLSv1.3 suites are reported here, between the RSA GCM and RSA
     * SHA-2 CBC suites, and are not subject to the EC/DH build options.
     */
#ifndef OPENSSL_NO_TLS1_3
    TLS1_3_CK_AES_256_GCM_SHA384,
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
    TLS1_3_CK_CHACHA20_POLY1305_SHA256,
# endif
    TLS1_3_CK_AES_128_GCM_SHA256,
#endif
#ifndef OPENSSL_NO_TLS1_2
    TLS1_CK_RSA_WITH_AES_256_SHA256,
    TLS1_CK_RSA_WITH_AES_128_SHA256,
#endif
#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
    /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
    TLS1_CK_RSA_WITH_AES_256_SHA,
    TLS1_CK_RSA_WITH_AES_128_SHA,
#endif
};
147 | ||
/*
 * Verify that the ciphers a fresh SSL object built on ctx reports as
 * supported are exactly default_ciphers_in_order: same count, same order.
 *
 * Returns 1 when the lists match, 0 on a NULL ctx, an allocation failure,
 * a count mismatch or the first cipher found out of place (reported via
 * TEST_info with its position).
 */
static int test_default_cipherlist(SSL_CTX *ctx)
{
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
    SSL *ssl = NULL;
    int ret = 0, i, num_ciphers, num_expected_ciphers;
    uint32_t cipher_id, expected_cipher_id;

    if (ctx == NULL)
        return 0;

    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl))
        goto err;
    ciphers = SSL_get1_supported_ciphers(ssl);
    if (!TEST_ptr(ciphers))
        goto err;

    /* A count mismatch makes the positional comparison below meaningless. */
    num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
    num_ciphers = sk_SSL_CIPHER_num(ciphers);
    if (!TEST_int_eq(num_ciphers, num_expected_ciphers))
        goto err;

    for (i = 0; i < num_ciphers; i++) {
        const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);

        cipher_id = SSL_CIPHER_get_id(cipher);
        expected_cipher_id = default_ciphers_in_order[i];
        if (TEST_int_eq(cipher_id, expected_cipher_id))
            continue;
        TEST_info("Wrong cipher at position %d", i);
        goto err;
    }

    ret = 1;

 err:
    /* Both free functions accept NULL, so the early exits land here too. */
    sk_SSL_CIPHER_free(ciphers);
    SSL_free(ssl);
    return ret;
}
183 | ||
/*
 * Run the cipherlist check on both contexts of the fixture.
 * Returns 1 only if the server and the client context both pass;
 * a NULL fixture counts as failure.
 */
static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture)
{
    if (fixture == NULL)
        return 0;
    if (!test_default_cipherlist(fixture->server))
        return 0;
    return test_default_cipherlist(fixture->client);
}
190 | ||
/*
 * Bind the generic testutil.h fixture macros to this file's fixture type and
 * its set_up()/tear_down() pair. The test functions below use `fixture` and
 * `result` without declaring them, so SETUP_TEST_FIXTURE presumably declares
 * both -- see testutil.h for the exact expansion.
 */
#define SETUP_CIPHERLIST_TEST_FIXTURE() \
    SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)

/* Runs execute_test() on the fixture and hands it to tear_down() afterwards. */
#define EXECUTE_CIPHERLIST_TEST() \
    EXECUTE_TEST(execute_test, tear_down)
196 | ||
/*
 * Check the supported cipher order of freshly created contexts, i.e. with
 * the DEFAULT cipherlist applied implicitly and no cipher string set.
 * `fixture` and `result` come from SETUP_CIPHERLIST_TEST_FIXTURE().
 */
static int test_default_cipherlist_implicit(void)
{
    SETUP_CIPHERLIST_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    EXECUTE_CIPHERLIST_TEST();
    return result;
}
205 | ||
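/*
 * Same check as test_default_cipherlist_implicit(), but after explicitly
 * selecting "DEFAULT" on both contexts; the supported list must come out
 * identical. `fixture` and `result` come from SETUP_CIPHERLIST_TEST_FIXTURE().
 */
static int test_default_cipherlist_explicit(void)
{
    SETUP_CIPHERLIST_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT"))
        || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT"))) {
        /*
         * Stop here: tear_down() frees the fixture, so falling through into
         * EXECUTE_CIPHERLIST_TEST() would dereference it after free and
         * then free it a second time.
         */
        tear_down(fixture);
        return 0;
    }
    EXECUTE_CIPHERLIST_TEST();
    return result;
}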
217 | ||
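/*
 * Test-suite entry point called by the testutil harness: registers the two
 * cipherlist tests. Returns 1 on success.
 * Declared with (void) rather than an empty, non-prototype parameter list.
 */
int setup_tests(void)
{
    ADD_TEST(test_default_cipherlist_implicit);
    ADD_TEST(test_default_cipherlist_explicit);
    return 1;
}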