test/cipherlist_test.c

   1 /*
   2  * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL licenses, (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  * https://www.openssl.org/source/license.html
   8  * or in the file LICENSE in the source distribution.
   9  */
  10
  11 #include <stdio.h>
  12
  13 #include <openssl/opensslconf.h>
  14 #include <openssl/err.h>
  15 #include <openssl/e_os2.h>
  16 #include <openssl/ssl.h>
  17 #include <openssl/ssl3.h>
  18 #include <openssl/tls1.h>
  19
  20 #include "e_os.h"
  21 #include "test_main.h"
  22 #include "testutil.h"
  23
  24 typedef struct cipherlist_test_fixture {
  25     const char *test_case_name;
  26     SSL_CTX *server;
  27     SSL_CTX *client;
  28 } CIPHERLIST_TEST_FIXTURE;
  29
  30
  31 static CIPHERLIST_TEST_FIXTURE set_up(const char *const test_case_name)
  32 {
  33     CIPHERLIST_TEST_FIXTURE fixture;
  34     fixture.test_case_name = test_case_name;
  35     fixture.server = SSL_CTX_new(TLS_server_method());
  36     fixture.client = SSL_CTX_new(TLS_client_method());
  37     OPENSSL_assert(fixture.client != NULL && fixture.server != NULL);
  38     return fixture;
  39 }
  40
  41 /*
  42  * All ciphers in the DEFAULT cipherlist meet the default security level.
  43  * However, default supported ciphers exclude SRP and PSK ciphersuites
  44  * for which no callbacks have been set up.
  45  *
  46  * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
  47  * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
  48  * are currently broken and should be considered mission impossible in libssl.
  49  */
  50 static const uint32_t default_ciphers_in_order[] = {
  51 #ifndef OPENSSL_NO_TLS1_2
  52 # ifndef OPENSSL_NO_EC
  53     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  54     TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  55 # endif
  56 # ifndef OPENSSL_NO_DH
  57     TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
  58 # endif
  59
  60 # if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305
  61 #  ifndef OPENSSL_NO_EC
  62     TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  63     TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  64 #  endif
  65 #  ifndef OPENSSL_NO_DH
  66     TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
  67 #  endif
  68 # endif  /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
  69
  70 # ifndef OPENSSL_NO_EC
  71     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  72     TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  73 # endif
  74 # ifndef OPENSSL_NO_DH
  75     TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
  76 # endif
  77 # ifndef OPENSSL_NO_EC
  78     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
  79     TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
  80 # endif
  81 # ifndef OPENSSL_NO_DH
  82     TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
  83 # endif
  84 # ifndef OPENSSL_NO_EC
  85     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
  86     TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
  87 # endif
  88 # ifndef OPENSSL_NO_DH
  89     TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
  90 # endif
  91 #endif  /* !OPENSSL_NO_TLS1_2 */
  92
  93 #ifndef OPENSSL_NO_EC
  94     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  95     TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  96 #endif
  97 #ifndef OPENSSL_NO_DH
  98     TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
  99 #endif
 100 #ifndef OPENSSL_NO_EC
 101     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 102     TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 103 #endif
 104 #ifndef OPENSSL_NO_DH
 105     TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
 106 #endif
 107
 108 #ifndef OPENSSL_NO_TLS1_2
 109     TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
 110     TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
 111 #endif
 112 #ifndef OPENSSL_NO_TLS1_3
 113     TLS1_3_CK_AES_128_GCM_SHA256,
 114 #endif
 115 #ifndef OPENSSL_NO_TLS1_2
 116     TLS1_CK_RSA_WITH_AES_256_SHA256,
 117     TLS1_CK_RSA_WITH_AES_128_SHA256,
 118 #endif
 119     TLS1_CK_RSA_WITH_AES_256_SHA,
 120     TLS1_CK_RSA_WITH_AES_128_SHA,
 121 };
 122
 123 static int test_default_cipherlist(SSL_CTX *ctx)
 124 {
 125     STACK_OF(SSL_CIPHER) *ciphers;
 126     SSL *ssl;
 127     int i, ret = 0, num_expected_ciphers, num_ciphers;
 128     uint32_t expected_cipher_id, cipher_id;
 129
 130     ssl = SSL_new(ctx);
 131     OPENSSL_assert(ssl != NULL);
 132
 133     ciphers = SSL_get1_supported_ciphers(ssl);
 134     OPENSSL_assert(ciphers != NULL);
 135     num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
 136     num_ciphers = sk_SSL_CIPHER_num(ciphers);
 137     if (num_ciphers != num_expected_ciphers) {
 138         fprintf(stderr, "Expected %d supported ciphers, got %d.\n",
 139                 num_expected_ciphers, num_ciphers);
 140         goto err;
 141     }
 142
 143     for (i = 0; i < num_ciphers; i++) {
 144         expected_cipher_id = default_ciphers_in_order[i];
 145         cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i));
 146         if (cipher_id != expected_cipher_id) {
 147             fprintf(stderr, "Wrong cipher at position %d: expected %x, "
 148                     "got %x\n", i, expected_cipher_id, cipher_id);
 149             goto err;
 150         }
 151     }
 152
 153     ret = 1;
 154
 155  err:
 156     sk_SSL_CIPHER_free(ciphers);
 157     SSL_free(ssl);
 158     return ret;
 159 }
 160
 161 static int execute_test(CIPHERLIST_TEST_FIXTURE fixture)
 162 {
 163     return test_default_cipherlist(fixture.server)
 164         && test_default_cipherlist(fixture.client);
 165 }
 166
 167 static void tear_down(CIPHERLIST_TEST_FIXTURE fixture)
 168 {
 169     SSL_CTX_free(fixture.server);
 170     SSL_CTX_free(fixture.client);
 171 }
 172
 173 #define SETUP_CIPHERLIST_TEST_FIXTURE() \
 174     SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)
 175
 176 #define EXECUTE_CIPHERLIST_TEST() \
 177     EXECUTE_TEST(execute_test, tear_down)
 178
 179 static int test_default_cipherlist_implicit()
 180 {
 181     SETUP_CIPHERLIST_TEST_FIXTURE();
 182     EXECUTE_CIPHERLIST_TEST();
 183 }
 184
 185 static int test_default_cipherlist_explicit()
 186 {
 187     SETUP_CIPHERLIST_TEST_FIXTURE();
 188     OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.server, "DEFAULT"));
 189     OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.client, "DEFAULT"));
 190     EXECUTE_CIPHERLIST_TEST();
 191 }
 192
 193 void register_tests()
 194 {
 195     ADD_TEST(test_default_cipherlist_implicit);
 196     ADD_TEST(test_default_cipherlist_explicit);
 197 }