2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL licenses, (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 * https://www.openssl.org/source/license.html
8 * or in the file LICENSE in the source distribution.
13 #include <openssl/opensslconf.h>
14 #include <openssl/err.h>
15 #include <openssl/e_os2.h>
16 #include <openssl/ssl.h>
17 #include <openssl/ssl3.h>
18 #include <openssl/tls1.h>
23 typedef struct cipherlist_test_fixture
{
24 const char *test_case_name
;
27 } CIPHERLIST_TEST_FIXTURE
;
30 static CIPHERLIST_TEST_FIXTURE
set_up(const char *const test_case_name
)
32 CIPHERLIST_TEST_FIXTURE fixture
;
33 fixture
.test_case_name
= test_case_name
;
34 fixture
.server
= SSL_CTX_new(TLS_server_method());
35 fixture
.client
= SSL_CTX_new(TLS_client_method());
36 OPENSSL_assert(fixture
.client
!= NULL
&& fixture
.server
!= NULL
);
41 * All ciphers in the DEFAULT cipherlist meet the default security level.
42 * However, default supported ciphers exclude SRP and PSK ciphersuites
43 * for which no callbacks have been set up.
45 * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
46 * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
47 * are currently broken and should be considered mission impossible in libssl.
49 static const uint32_t default_ciphers_in_order
[] = {
50 #ifndef OPENSSL_NO_TLS1_2
51 # ifndef OPENSSL_NO_EC
52 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
,
53 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384
,
55 # ifndef OPENSSL_NO_DH
56 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384
,
59 # if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305
60 # ifndef OPENSSL_NO_EC
61 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
,
62 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305
,
64 # ifndef OPENSSL_NO_DH
65 TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305
,
67 # endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
69 # ifndef OPENSSL_NO_EC
70 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
,
71 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256
,
73 # ifndef OPENSSL_NO_DH
74 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256
,
76 # ifndef OPENSSL_NO_EC
77 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384
,
78 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384
,
80 # ifndef OPENSSL_NO_DH
81 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256
,
83 # ifndef OPENSSL_NO_EC
84 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256
,
85 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256
,
87 # ifndef OPENSSL_NO_DH
88 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256
,
90 #endif /* !OPENSSL_NO_TLS1_2 */
93 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
,
94 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
,
97 TLS1_CK_DHE_RSA_WITH_AES_256_SHA
,
100 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
,
101 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
,
103 #ifndef OPENSSL_NO_DH
104 TLS1_CK_DHE_RSA_WITH_AES_128_SHA
,
107 #ifndef OPENSSL_NO_TLS1_2
108 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384
,
109 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256
,
110 TLS1_CK_RSA_WITH_AES_256_SHA256
,
111 TLS1_CK_RSA_WITH_AES_128_SHA256
,
114 TLS1_CK_RSA_WITH_AES_256_SHA
,
115 TLS1_CK_RSA_WITH_AES_128_SHA
,
118 static int test_default_cipherlist(SSL_CTX
*ctx
)
120 STACK_OF(SSL_CIPHER
) *ciphers
;
122 int i
, ret
= 0, num_expected_ciphers
, num_ciphers
;
123 uint32_t expected_cipher_id
, cipher_id
;
126 OPENSSL_assert(ssl
!= NULL
);
128 ciphers
= SSL_get1_supported_ciphers(ssl
);
129 OPENSSL_assert(ciphers
!= NULL
);
130 num_expected_ciphers
= OSSL_NELEM(default_ciphers_in_order
);
131 num_ciphers
= sk_SSL_CIPHER_num(ciphers
);
132 if (num_ciphers
!= num_expected_ciphers
) {
133 fprintf(stderr
, "Expected %d supported ciphers, got %d.\n",
134 num_expected_ciphers
, num_ciphers
);
138 for (i
= 0; i
< num_ciphers
; i
++) {
139 expected_cipher_id
= default_ciphers_in_order
[i
];
140 cipher_id
= SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers
, i
));
141 if (cipher_id
!= expected_cipher_id
) {
142 fprintf(stderr
, "Wrong cipher at position %d: expected %x, "
143 "got %x\n", i
, expected_cipher_id
, cipher_id
);
151 sk_SSL_CIPHER_free(ciphers
);
156 static int execute_test(CIPHERLIST_TEST_FIXTURE fixture
)
158 return test_default_cipherlist(fixture
.server
)
159 && test_default_cipherlist(fixture
.client
);
162 static void tear_down(CIPHERLIST_TEST_FIXTURE fixture
)
164 SSL_CTX_free(fixture
.server
);
165 SSL_CTX_free(fixture
.client
);
166 ERR_print_errors_fp(stderr
);
169 #define SETUP_CIPHERLIST_TEST_FIXTURE() \
170 SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)
172 #define EXECUTE_CIPHERLIST_TEST() \
173 EXECUTE_TEST(execute_test, tear_down)
175 static int test_default_cipherlist_implicit()
177 SETUP_CIPHERLIST_TEST_FIXTURE();
178 EXECUTE_CIPHERLIST_TEST();
181 static int test_default_cipherlist_explicit()
183 SETUP_CIPHERLIST_TEST_FIXTURE();
184 OPENSSL_assert(SSL_CTX_set_cipher_list(fixture
.server
, "DEFAULT"));
185 OPENSSL_assert(SSL_CTX_set_cipher_list(fixture
.client
, "DEFAULT"));
186 EXECUTE_CIPHERLIST_TEST();
189 int main(int argc
, char **argv
)
193 ADD_TEST(test_default_cipherlist_implicit
);
194 ADD_TEST(test_default_cipherlist_explicit
);
196 result
= run_tests(argv
[0]);