]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/cipherlist_test.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update copyright year
[thirdparty/openssl.git] / test / cipherlist_test.c
CommitLineData
5a22cf96 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
5a22cf96
EK		 3 *
4 * Licensed under the OpenSSL licenses, (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 * https://www.openssl.org/source/license.html
8 * or in the file LICENSE in the source distribution.
9 */
10
11#include <stdio.h>
019e47ce 12#include <string.h>
5a22cf96
EK		 13
14#include <openssl/opensslconf.h>
15#include <openssl/err.h>
16#include <openssl/e_os2.h>
17#include <openssl/ssl.h>
18#include <openssl/ssl3.h>
19#include <openssl/tls1.h>
20
176db6dc 21#include "internal/nelem.h"
5a22cf96
EK		 22#include "testutil.h"
23
24typedef struct cipherlist_test_fixture {
25 const char *test_case_name;
26 SSL_CTX *server;
27 SSL_CTX *client;
28} CIPHERLIST_TEST_FIXTURE;
29
30
019e47ce 31static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture)
5a22cf96 32{
019e47ce
P		 33 if (fixture != NULL) {
34 SSL_CTX_free(fixture->server);
35 SSL_CTX_free(fixture->client);
36 fixture->server = fixture->client = NULL;
2326bba0 37 OPENSSL_free(fixture);
019e47ce
P		 38 }
39}
40
41static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name)
42{
2326bba0 43 CIPHERLIST_TEST_FIXTURE *fixture;
019e47ce 44
2326bba0
P		 45 if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
46 return NULL;
47 fixture->test_case_name = test_case_name;
48 if (!TEST_ptr(fixture->server = SSL_CTX_new(TLS_server_method()))
49 || !TEST_ptr(fixture->client = SSL_CTX_new(TLS_client_method()))) {
50 tear_down(fixture);
019e47ce
P		 51 return NULL;
52 }
2326bba0 53 return fixture;
5a22cf96
EK		 54}
55
56/*
57 * All ciphers in the DEFAULT cipherlist meet the default security level.
58 * However, default supported ciphers exclude SRP and PSK ciphersuites
59 * for which no callbacks have been set up.
60 *
61 * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
62 * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
63 * are currently broken and should be considered mission impossible in libssl.
64 */
65static const uint32_t default_ciphers_in_order[] = {
66#ifndef OPENSSL_NO_TLS1_2
67# ifndef OPENSSL_NO_EC
68 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
69 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
70# endif
71# ifndef OPENSSL_NO_DH
72 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
73# endif
74
71cff963 75# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5a22cf96
EK		 76# ifndef OPENSSL_NO_EC
77 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
78 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
79# endif
80# ifndef OPENSSL_NO_DH
81 TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
82# endif
83# endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
84
85# ifndef OPENSSL_NO_EC
86 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
87 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
88# endif
89# ifndef OPENSSL_NO_DH
90 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
91# endif
92# ifndef OPENSSL_NO_EC
93 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
94 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
95# endif
96# ifndef OPENSSL_NO_DH
97 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
98# endif
99# ifndef OPENSSL_NO_EC
100 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
101 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
102# endif
103# ifndef OPENSSL_NO_DH
104 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
105# endif
106#endif /* !OPENSSL_NO_TLS1_2 */
107
c423ecaa
MC		 108#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
109 /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
110# ifndef OPENSSL_NO_EC
5a22cf96
EK		 111 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
112 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
c423ecaa
MC		 113# endif
114 #ifndef OPENSSL_NO_DH
5a22cf96 115 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
c423ecaa
MC		 116# endif
117# ifndef OPENSSL_NO_EC
5a22cf96
EK		 118 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
119 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
c423ecaa
MC		 120# endif
121# ifndef OPENSSL_NO_DH
5a22cf96 122 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
c423ecaa
MC		 123# endif
124#endif /* !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) */
5a22cf96 125
5a22cf96
EK		 126#ifndef OPENSSL_NO_TLS1_2
127 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
128 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
582a17d6
MC		 129#endif
130#ifndef OPENSSL_NO_TLS1_3
1bbede20 131 TLS1_3_CK_AES_256_GCM_SHA384,
71cff963 132# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
1bbede20 133 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
71cff963 134# endif
582a17d6
MC		 135 TLS1_3_CK_AES_128_GCM_SHA256,
136#endif
137#ifndef OPENSSL_NO_TLS1_2
5a22cf96
EK		 138 TLS1_CK_RSA_WITH_AES_256_SHA256,
139 TLS1_CK_RSA_WITH_AES_128_SHA256,
140#endif
c423ecaa
MC		 141#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
142 /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
5a22cf96
EK		 143 TLS1_CK_RSA_WITH_AES_256_SHA,
144 TLS1_CK_RSA_WITH_AES_128_SHA,
c423ecaa 145#endif
5a22cf96
EK		 146};
147
148static int test_default_cipherlist(SSL_CTX *ctx)
149{
019e47ce
P		 150 STACK_OF(SSL_CIPHER) *ciphers = NULL;
151 SSL *ssl = NULL;
5a22cf96
EK		 152 int i, ret = 0, num_expected_ciphers, num_ciphers;
153 uint32_t expected_cipher_id, cipher_id;
154
019e47ce
P		 155 if (ctx == NULL)
156 return 0;
157
158 if (!TEST_ptr(ssl = SSL_new(ctx))
159 || !TEST_ptr(ciphers = SSL_get1_supported_ciphers(ssl)))
160 goto err;
5a22cf96 161
5a22cf96
EK		 162 num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
163 num_ciphers = sk_SSL_CIPHER_num(ciphers);
2fae041d 164 if (!TEST_int_eq(num_ciphers, num_expected_ciphers))
5a22cf96 165 goto err;
5a22cf96
EK		 166
167 for (i = 0; i < num_ciphers; i++) {
168 expected_cipher_id = default_ciphers_in_order[i];
169 cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i));
2fae041d
P		 170 if (!TEST_int_eq(cipher_id, expected_cipher_id)) {
171 TEST_info("Wrong cipher at position %d", i);
5a22cf96
EK		 172 goto err;
173 }
174 }
175
176 ret = 1;
177
178 err:
179 sk_SSL_CIPHER_free(ciphers);
180 SSL_free(ssl);
181 return ret;
182}
183
019e47ce 184static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture)
5a22cf96 185{
019e47ce
P		 186 return fixture != NULL
187 && test_default_cipherlist(fixture->server)
188 && test_default_cipherlist(fixture->client);
5a22cf96
EK		 189}
190
191#define SETUP_CIPHERLIST_TEST_FIXTURE() \
99801878 192 SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)
5a22cf96
EK		 193
194#define EXECUTE_CIPHERLIST_TEST() \
195 EXECUTE_TEST(execute_test, tear_down)
196
31a80694 197static int test_default_cipherlist_implicit(void)
5a22cf96
EK		 198{
199 SETUP_CIPHERLIST_TEST_FIXTURE();
99801878
P		 200 if (fixture == NULL)
201 return 0;
5a22cf96 202 EXECUTE_CIPHERLIST_TEST();
99801878 203 return result;
5a22cf96
EK		 204}
205
31a80694 206static int test_default_cipherlist_explicit(void)
5a22cf96
EK		 207{
208 SETUP_CIPHERLIST_TEST_FIXTURE();
019e47ce
P		 209 if (fixture == NULL)
210 return 0;
211 if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT"))
212 || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT")))
213 tear_down(fixture);
5a22cf96 214 EXECUTE_CIPHERLIST_TEST();
99801878 215 return result;
5a22cf96
EK		 216}
217
ad887416 218int setup_tests()
5a22cf96 219{
5a22cf96
EK		 220 ADD_TEST(test_default_cipherlist_implicit);
221 ADD_TEST(test_default_cipherlist_explicit);
ad887416 222 return 1;
5a22cf96 223}
A mirror of the official openssl repository