cipherlist_test.c 7.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260
  1. /*
  2. * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License");
  5. * you may not use this file except in compliance with the License.
  6. * You may obtain a copy of the License at
  7. * https://www.openssl.org/source/license.html
  8. * or in the file LICENSE in the source distribution.
  9. */
  10. #include <stdio.h>
  11. #include <string.h>
  12. #include <openssl/opensslconf.h>
  13. #include <openssl/err.h>
  14. #include <openssl/e_os2.h>
  15. #include <openssl/ssl.h>
  16. #include <openssl/ssl3.h>
  17. #include <openssl/tls1.h>
  18. #include "internal/nelem.h"
  19. #include "testutil.h"
  20. DEFINE_STACK_OF_CONST(SSL_CIPHER)
  21. typedef struct cipherlist_test_fixture {
  22. const char *test_case_name;
  23. SSL_CTX *server;
  24. SSL_CTX *client;
  25. } CIPHERLIST_TEST_FIXTURE;
  26. static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture)
  27. {
  28. if (fixture != NULL) {
  29. SSL_CTX_free(fixture->server);
  30. SSL_CTX_free(fixture->client);
  31. fixture->server = fixture->client = NULL;
  32. OPENSSL_free(fixture);
  33. }
  34. }
  35. static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name)
  36. {
  37. CIPHERLIST_TEST_FIXTURE *fixture;
  38. if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
  39. return NULL;
  40. fixture->test_case_name = test_case_name;
  41. if (!TEST_ptr(fixture->server = SSL_CTX_new(TLS_server_method()))
  42. || !TEST_ptr(fixture->client = SSL_CTX_new(TLS_client_method()))) {
  43. tear_down(fixture);
  44. return NULL;
  45. }
  46. return fixture;
  47. }
  48. /*
  49. * All ciphers in the DEFAULT cipherlist meet the default security level.
  50. * However, default supported ciphers exclude SRP and PSK ciphersuites
  51. * for which no callbacks have been set up.
  52. *
  53. * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
  54. * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
  55. * are currently broken and should be considered mission impossible in libssl.
  56. */
  57. static const uint32_t default_ciphers_in_order[] = {
  58. #ifndef OPENSSL_NO_TLS1_3
  59. TLS1_3_CK_AES_256_GCM_SHA384,
  60. # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  61. TLS1_3_CK_CHACHA20_POLY1305_SHA256,
  62. # endif
  63. TLS1_3_CK_AES_128_GCM_SHA256,
  64. #endif
  65. #ifndef OPENSSL_NO_TLS1_2
  66. # ifndef OPENSSL_NO_EC
  67. TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  68. TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  69. # endif
  70. # ifndef OPENSSL_NO_DH
  71. TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
  72. # endif
  73. # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  74. # ifndef OPENSSL_NO_EC
  75. TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  76. TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  77. # endif
  78. # ifndef OPENSSL_NO_DH
  79. TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
  80. # endif
  81. # endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
  82. # ifndef OPENSSL_NO_EC
  83. TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  84. TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  85. # endif
  86. # ifndef OPENSSL_NO_DH
  87. TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
  88. # endif
  89. # ifndef OPENSSL_NO_EC
  90. TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
  91. TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
  92. # endif
  93. # ifndef OPENSSL_NO_DH
  94. TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
  95. # endif
  96. # ifndef OPENSSL_NO_EC
  97. TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
  98. TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
  99. # endif
  100. # ifndef OPENSSL_NO_DH
  101. TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
  102. # endif
  103. #endif /* !OPENSSL_NO_TLS1_2 */
  104. #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
  105. /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
  106. # ifndef OPENSSL_NO_EC
  107. TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  108. TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  109. # endif
  110. #ifndef OPENSSL_NO_DH
  111. TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
  112. # endif
  113. # ifndef OPENSSL_NO_EC
  114. TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  115. TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  116. # endif
  117. # ifndef OPENSSL_NO_DH
  118. TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
  119. # endif
  120. #endif /* !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) */
  121. #ifndef OPENSSL_NO_TLS1_2
  122. TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
  123. TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
  124. #endif
  125. #ifndef OPENSSL_NO_TLS1_2
  126. TLS1_CK_RSA_WITH_AES_256_SHA256,
  127. TLS1_CK_RSA_WITH_AES_128_SHA256,
  128. #endif
  129. #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
  130. /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
  131. TLS1_CK_RSA_WITH_AES_256_SHA,
  132. TLS1_CK_RSA_WITH_AES_128_SHA,
  133. #endif
  134. };
  135. static int test_default_cipherlist(SSL_CTX *ctx)
  136. {
  137. STACK_OF(SSL_CIPHER) *ciphers = NULL;
  138. SSL *ssl = NULL;
  139. int i, ret = 0, num_expected_ciphers, num_ciphers;
  140. uint32_t expected_cipher_id, cipher_id;
  141. if (ctx == NULL)
  142. return 0;
  143. if (!TEST_ptr(ssl = SSL_new(ctx))
  144. || !TEST_ptr(ciphers = SSL_get1_supported_ciphers(ssl)))
  145. goto err;
  146. num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
  147. num_ciphers = sk_SSL_CIPHER_num(ciphers);
  148. if (!TEST_int_eq(num_ciphers, num_expected_ciphers))
  149. goto err;
  150. for (i = 0; i < num_ciphers; i++) {
  151. expected_cipher_id = default_ciphers_in_order[i];
  152. cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i));
  153. if (!TEST_int_eq(cipher_id, expected_cipher_id)) {
  154. TEST_info("Wrong cipher at position %d", i);
  155. goto err;
  156. }
  157. }
  158. ret = 1;
  159. err:
  160. sk_SSL_CIPHER_free(ciphers);
  161. SSL_free(ssl);
  162. return ret;
  163. }
  164. static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture)
  165. {
  166. return fixture != NULL
  167. && test_default_cipherlist(fixture->server)
  168. && test_default_cipherlist(fixture->client);
  169. }
  170. #define SETUP_CIPHERLIST_TEST_FIXTURE() \
  171. SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)
  172. #define EXECUTE_CIPHERLIST_TEST() \
  173. EXECUTE_TEST(execute_test, tear_down)
  174. static int test_default_cipherlist_implicit(void)
  175. {
  176. SETUP_CIPHERLIST_TEST_FIXTURE();
  177. if (fixture == NULL)
  178. return 0;
  179. EXECUTE_CIPHERLIST_TEST();
  180. return result;
  181. }
  182. static int test_default_cipherlist_explicit(void)
  183. {
  184. SETUP_CIPHERLIST_TEST_FIXTURE();
  185. if (fixture == NULL)
  186. return 0;
  187. if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT"))
  188. || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT")))
  189. tear_down(fixture);
  190. EXECUTE_CIPHERLIST_TEST();
  191. return result;
  192. }
  193. /* SSL_CTX_set_cipher_list() should fail if it clears all TLSv1.2 ciphers. */
  194. static int test_default_cipherlist_clear(void)
  195. {
  196. SETUP_CIPHERLIST_TEST_FIXTURE();
  197. SSL *s = NULL;
  198. if (fixture == NULL)
  199. return 0;
  200. if (!TEST_int_eq(SSL_CTX_set_cipher_list(fixture->server, "no-such"), 0))
  201. goto end;
  202. if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_CIPHER_MATCH))
  203. goto end;
  204. s = SSL_new(fixture->client);
  205. if (!TEST_ptr(s))
  206. goto end;
  207. if (!TEST_int_eq(SSL_set_cipher_list(s, "no-such"), 0))
  208. goto end;
  209. if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
  210. SSL_R_NO_CIPHER_MATCH))
  211. goto end;
  212. result = 1;
  213. end:
  214. SSL_free(s);
  215. tear_down(fixture);
  216. return result;
  217. }
  218. int setup_tests(void)
  219. {
  220. ADD_TEST(test_default_cipherlist_implicit);
  221. ADD_TEST(test_default_cipherlist_explicit);
  222. ADD_TEST(test_default_cipherlist_clear);
  223. return 1;
  224. }