]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/cipherlist_test.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove getenv(OPENSSL_FIPS) in openssl command
[thirdparty/openssl.git] / test / cipherlist_test.c
CommitLineData
5a22cf96 1/*
454afd98 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
5a22cf96 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License");
5a22cf96
EK		 5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 * https://www.openssl.org/source/license.html
8 * or in the file LICENSE in the source distribution.
9 */
10
11#include <stdio.h>
019e47ce 12#include <string.h>
5a22cf96
EK		 13
14#include <openssl/opensslconf.h>
15#include <openssl/err.h>
16#include <openssl/e_os2.h>
17#include <openssl/ssl.h>
18#include <openssl/ssl3.h>
19#include <openssl/tls1.h>
20
176db6dc 21#include "internal/nelem.h"
5a22cf96
EK		 22#include "testutil.h"
23
852c2ed2
RS		 24DEFINE_STACK_OF_CONST(SSL_CIPHER)
25
5a22cf96
EK		 26typedef struct cipherlist_test_fixture {
27 const char *test_case_name;
28 SSL_CTX *server;
29 SSL_CTX *client;
30} CIPHERLIST_TEST_FIXTURE;
31
32
019e47ce 33static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture)
5a22cf96 34{
019e47ce
P		 35 if (fixture != NULL) {
36 SSL_CTX_free(fixture->server);
37 SSL_CTX_free(fixture->client);
38 fixture->server = fixture->client = NULL;
2326bba0 39 OPENSSL_free(fixture);
019e47ce
P		 40 }
41}
42
43static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name)
44{
2326bba0 45 CIPHERLIST_TEST_FIXTURE *fixture;
019e47ce 46
2326bba0
P		 47 if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
48 return NULL;
49 fixture->test_case_name = test_case_name;
50 if (!TEST_ptr(fixture->server = SSL_CTX_new(TLS_server_method()))
51 || !TEST_ptr(fixture->client = SSL_CTX_new(TLS_client_method()))) {
52 tear_down(fixture);
019e47ce
P		 53 return NULL;
54 }
2326bba0 55 return fixture;
5a22cf96
EK		 56}
57
58/*
59 * All ciphers in the DEFAULT cipherlist meet the default security level.
60 * However, default supported ciphers exclude SRP and PSK ciphersuites
61 * for which no callbacks have been set up.
62 *
63 * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
64 * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
65 * are currently broken and should be considered mission impossible in libssl.
66 */
67static const uint32_t default_ciphers_in_order[] = {
f865b081
MC		 68#ifndef OPENSSL_NO_TLS1_3
69 TLS1_3_CK_AES_256_GCM_SHA384,
70# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
71 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
72# endif
73 TLS1_3_CK_AES_128_GCM_SHA256,
74#endif
5a22cf96
EK		 75#ifndef OPENSSL_NO_TLS1_2
76# ifndef OPENSSL_NO_EC
77 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
78 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
79# endif
80# ifndef OPENSSL_NO_DH
81 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
82# endif
83
71cff963 84# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5a22cf96
EK		 85# ifndef OPENSSL_NO_EC
86 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
87 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
88# endif
89# ifndef OPENSSL_NO_DH
90 TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
91# endif
92# endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
93
94# ifndef OPENSSL_NO_EC
95 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
96 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
97# endif
98# ifndef OPENSSL_NO_DH
99 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
100# endif
101# ifndef OPENSSL_NO_EC
102 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
103 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
104# endif
105# ifndef OPENSSL_NO_DH
106 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
107# endif
108# ifndef OPENSSL_NO_EC
109 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
110 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
111# endif
112# ifndef OPENSSL_NO_DH
113 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
114# endif
115#endif /* !OPENSSL_NO_TLS1_2 */
116
c423ecaa
MC		 117#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
118 /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
119# ifndef OPENSSL_NO_EC
5a22cf96
EK		 120 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
121 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
c423ecaa
MC		 122# endif
123 #ifndef OPENSSL_NO_DH
5a22cf96 124 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
c423ecaa
MC		 125# endif
126# ifndef OPENSSL_NO_EC
5a22cf96
EK		 127 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
128 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
c423ecaa
MC		 129# endif
130# ifndef OPENSSL_NO_DH
5a22cf96 131 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
c423ecaa
MC		 132# endif
133#endif /* !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) */
5a22cf96 134
5a22cf96
EK		 135#ifndef OPENSSL_NO_TLS1_2
136 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
137 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
582a17d6 138#endif
582a17d6 139#ifndef OPENSSL_NO_TLS1_2
5a22cf96
EK		 140 TLS1_CK_RSA_WITH_AES_256_SHA256,
141 TLS1_CK_RSA_WITH_AES_128_SHA256,
142#endif
c423ecaa
MC		 143#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
144 /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
5a22cf96
EK		 145 TLS1_CK_RSA_WITH_AES_256_SHA,
146 TLS1_CK_RSA_WITH_AES_128_SHA,
c423ecaa 147#endif
5a22cf96
EK		 148};
149
150static int test_default_cipherlist(SSL_CTX *ctx)
151{
019e47ce
P		 152 STACK_OF(SSL_CIPHER) *ciphers = NULL;
153 SSL *ssl = NULL;
5a22cf96
EK		 154 int i, ret = 0, num_expected_ciphers, num_ciphers;
155 uint32_t expected_cipher_id, cipher_id;
156
019e47ce
P		 157 if (ctx == NULL)
158 return 0;
159
160 if (!TEST_ptr(ssl = SSL_new(ctx))
161 || !TEST_ptr(ciphers = SSL_get1_supported_ciphers(ssl)))
162 goto err;
5a22cf96 163
5a22cf96
EK		 164 num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
165 num_ciphers = sk_SSL_CIPHER_num(ciphers);
2fae041d 166 if (!TEST_int_eq(num_ciphers, num_expected_ciphers))
5a22cf96 167 goto err;
5a22cf96
EK		 168
169 for (i = 0; i < num_ciphers; i++) {
170 expected_cipher_id = default_ciphers_in_order[i];
171 cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i));
2fae041d
P		 172 if (!TEST_int_eq(cipher_id, expected_cipher_id)) {
173 TEST_info("Wrong cipher at position %d", i);
5a22cf96
EK		 174 goto err;
175 }
176 }
177
178 ret = 1;
179
180 err:
181 sk_SSL_CIPHER_free(ciphers);
182 SSL_free(ssl);
183 return ret;
184}
185
019e47ce 186static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture)
5a22cf96 187{
019e47ce
P		 188 return fixture != NULL
189 && test_default_cipherlist(fixture->server)
190 && test_default_cipherlist(fixture->client);
5a22cf96
EK		 191}
192
193#define SETUP_CIPHERLIST_TEST_FIXTURE() \
99801878 194 SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)
5a22cf96
EK		 195
196#define EXECUTE_CIPHERLIST_TEST() \
197 EXECUTE_TEST(execute_test, tear_down)
198
31a80694 199static int test_default_cipherlist_implicit(void)
5a22cf96
EK		 200{
201 SETUP_CIPHERLIST_TEST_FIXTURE();
99801878
P		 202 if (fixture == NULL)
203 return 0;
5a22cf96 204 EXECUTE_CIPHERLIST_TEST();
99801878 205 return result;
5a22cf96
EK		 206}
207
31a80694 208static int test_default_cipherlist_explicit(void)
5a22cf96
EK		 209{
210 SETUP_CIPHERLIST_TEST_FIXTURE();
019e47ce
P		 211 if (fixture == NULL)
212 return 0;
213 if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT"))
214 || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT")))
215 tear_down(fixture);
5a22cf96 216 EXECUTE_CIPHERLIST_TEST();
99801878 217 return result;
5a22cf96
EK		 218}
219
3c83c5ba
SR		 220/* SSL_CTX_set_cipher_list() should fail if it clears all TLSv1.2 ciphers. */
221static int test_default_cipherlist_clear(void)
222{
223 SETUP_CIPHERLIST_TEST_FIXTURE();
224 SSL *s = NULL;
225
226 if (fixture == NULL)
227 return 0;
228
229 if (!TEST_int_eq(SSL_CTX_set_cipher_list(fixture->server, "no-such"), 0))
230 goto end;
231
232 if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_CIPHER_MATCH))
233 goto end;
234
235 s = SSL_new(fixture->client);
236
237 if (!TEST_ptr(s))
238 goto end;
239
240 if (!TEST_int_eq(SSL_set_cipher_list(s, "no-such"), 0))
241 goto end;
242
243 if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
244 SSL_R_NO_CIPHER_MATCH))
245 goto end;
246
247 result = 1;
248end:
249 SSL_free(s);
250 tear_down(fixture);
251 return result;
252}
253
3cb7c5cf 254int setup_tests(void)
5a22cf96 255{
5a22cf96
EK		 256 ADD_TEST(test_default_cipherlist_implicit);
257 ADD_TEST(test_default_cipherlist_explicit);
3c83c5ba 258 ADD_TEST(test_default_cipherlist_clear);
ad887416 259 return 1;
5a22cf96 260}
A mirror of the official openssl repository