cipherlist_test.c 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269
  1. /*
  2. * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License");
  5. * you may not use this file except in compliance with the License.
  6. * You may obtain a copy of the License at
  7. * https://www.openssl.org/source/license.html
  8. * or in the file LICENSE in the source distribution.
  9. */
  10. #include <stdio.h>
  11. #include <string.h>
  12. #include <openssl/opensslconf.h>
  13. #include <openssl/err.h>
  14. #include <openssl/e_os2.h>
  15. #include <openssl/ssl.h>
  16. #include <openssl/ssl3.h>
  17. #include <openssl/tls1.h>
  18. #include "internal/nelem.h"
  19. #include "testutil.h"
  20. typedef struct cipherlist_test_fixture {
  21. const char *test_case_name;
  22. SSL_CTX *server;
  23. SSL_CTX *client;
  24. } CIPHERLIST_TEST_FIXTURE;
  25. static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture)
  26. {
  27. if (fixture != NULL) {
  28. SSL_CTX_free(fixture->server);
  29. SSL_CTX_free(fixture->client);
  30. fixture->server = fixture->client = NULL;
  31. OPENSSL_free(fixture);
  32. }
  33. }
  34. static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name)
  35. {
  36. CIPHERLIST_TEST_FIXTURE *fixture;
  37. if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
  38. return NULL;
  39. fixture->test_case_name = test_case_name;
  40. if (!TEST_ptr(fixture->server = SSL_CTX_new(TLS_server_method()))
  41. || !TEST_ptr(fixture->client = SSL_CTX_new(TLS_client_method()))) {
  42. tear_down(fixture);
  43. return NULL;
  44. }
  45. return fixture;
  46. }
  47. /*
  48. * All ciphers in the DEFAULT cipherlist meet the default security level.
  49. * However, default supported ciphers exclude SRP and PSK ciphersuites
  50. * for which no callbacks have been set up.
  51. *
  52. * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
  53. * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
  54. * are currently broken and should be considered mission impossible in libssl.
  55. */
  56. static const uint32_t default_ciphers_in_order[] = {
  57. #ifndef OPENSSL_NO_TLS1_3
  58. TLS1_3_CK_AES_256_GCM_SHA384,
  59. # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  60. TLS1_3_CK_CHACHA20_POLY1305_SHA256,
  61. # endif
  62. TLS1_3_CK_AES_128_GCM_SHA256,
  63. #endif
  64. #ifndef OPENSSL_NO_TLS1_2
  65. # ifndef OPENSSL_NO_EC
  66. TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  67. TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  68. # endif
  69. # ifndef OPENSSL_NO_DH
  70. TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
  71. # endif
  72. # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  73. # ifndef OPENSSL_NO_EC
  74. TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  75. TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  76. # endif
  77. # ifndef OPENSSL_NO_DH
  78. TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
  79. # endif
  80. # endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
  81. # ifndef OPENSSL_NO_EC
  82. TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  83. TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  84. # endif
  85. # ifndef OPENSSL_NO_DH
  86. TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
  87. # endif
  88. # ifndef OPENSSL_NO_EC
  89. TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
  90. TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
  91. # endif
  92. # ifndef OPENSSL_NO_DH
  93. TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
  94. # endif
  95. # ifndef OPENSSL_NO_EC
  96. TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
  97. TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
  98. # endif
  99. # ifndef OPENSSL_NO_DH
  100. TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
  101. # endif
  102. #endif /* !OPENSSL_NO_TLS1_2 */
  103. #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
  104. /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
  105. # ifndef OPENSSL_NO_EC
  106. TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  107. TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  108. # endif
  109. #ifndef OPENSSL_NO_DH
  110. TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
  111. # endif
  112. # ifndef OPENSSL_NO_EC
  113. TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  114. TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  115. # endif
  116. # ifndef OPENSSL_NO_DH
  117. TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
  118. # endif
  119. #endif /* !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) */
  120. #ifndef OPENSSL_NO_TLS1_2
  121. TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
  122. TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
  123. #endif
  124. #ifndef OPENSSL_NO_TLS1_2
  125. TLS1_CK_RSA_WITH_AES_256_SHA256,
  126. TLS1_CK_RSA_WITH_AES_128_SHA256,
  127. #endif
  128. #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
  129. /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
  130. TLS1_CK_RSA_WITH_AES_256_SHA,
  131. TLS1_CK_RSA_WITH_AES_128_SHA,
  132. #endif
  133. };
  134. static int test_default_cipherlist(SSL_CTX *ctx)
  135. {
  136. STACK_OF(SSL_CIPHER) *ciphers = NULL;
  137. SSL *ssl = NULL;
  138. int i, ret = 0, num_expected_ciphers, num_ciphers;
  139. uint32_t expected_cipher_id, cipher_id;
  140. if (ctx == NULL)
  141. return 0;
  142. if (!TEST_ptr(ssl = SSL_new(ctx))
  143. || !TEST_ptr(ciphers = SSL_get1_supported_ciphers(ssl)))
  144. goto err;
  145. num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
  146. num_ciphers = sk_SSL_CIPHER_num(ciphers);
  147. if (!TEST_int_eq(num_ciphers, num_expected_ciphers))
  148. goto err;
  149. for (i = 0; i < num_ciphers; i++) {
  150. expected_cipher_id = default_ciphers_in_order[i];
  151. cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i));
  152. if (!TEST_int_eq(cipher_id, expected_cipher_id)) {
  153. TEST_info("Wrong cipher at position %d", i);
  154. goto err;
  155. }
  156. }
  157. ret = 1;
  158. err:
  159. sk_SSL_CIPHER_free(ciphers);
  160. SSL_free(ssl);
  161. return ret;
  162. }
  163. static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture)
  164. {
  165. return fixture != NULL
  166. && test_default_cipherlist(fixture->server)
  167. && test_default_cipherlist(fixture->client);
  168. }
  169. #define SETUP_CIPHERLIST_TEST_FIXTURE() \
  170. SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)
  171. #define EXECUTE_CIPHERLIST_TEST() \
  172. EXECUTE_TEST(execute_test, tear_down)
  173. static int test_default_cipherlist_implicit(void)
  174. {
  175. SETUP_CIPHERLIST_TEST_FIXTURE();
  176. EXECUTE_CIPHERLIST_TEST();
  177. return result;
  178. }
  179. static int test_default_cipherlist_explicit(void)
  180. {
  181. SETUP_CIPHERLIST_TEST_FIXTURE();
  182. if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT"))
  183. || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT"))) {
  184. tear_down(fixture);
  185. fixture = NULL;
  186. }
  187. EXECUTE_CIPHERLIST_TEST();
  188. return result;
  189. }
  190. /* SSL_CTX_set_cipher_list() should fail if it clears all TLSv1.2 ciphers. */
  191. static int test_default_cipherlist_clear(void)
  192. {
  193. SSL *s = NULL;
  194. SETUP_CIPHERLIST_TEST_FIXTURE();
  195. if (!TEST_int_eq(SSL_CTX_set_cipher_list(fixture->server, "no-such"), 0))
  196. goto end;
  197. if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_CIPHER_MATCH))
  198. goto end;
  199. s = SSL_new(fixture->client);
  200. if (!TEST_ptr(s))
  201. goto end;
  202. if (!TEST_int_eq(SSL_set_cipher_list(s, "no-such"), 0))
  203. goto end;
  204. if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
  205. SSL_R_NO_CIPHER_MATCH))
  206. goto end;
  207. result = 1;
  208. end:
  209. SSL_free(s);
  210. tear_down(fixture);
  211. return result;
  212. }
  213. /* SSL_CTX_set_cipher_list matching with cipher standard name */
  214. static int test_stdname_cipherlist(void)
  215. {
  216. SETUP_CIPHERLIST_TEST_FIXTURE();
  217. if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, TLS1_RFC_RSA_WITH_AES_128_SHA))
  218. || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, TLS1_RFC_RSA_WITH_AES_128_SHA))) {
  219. goto end;
  220. }
  221. result = 1;
  222. end:
  223. tear_down(fixture);
  224. fixture = NULL;
  225. return result;
  226. }
  227. int setup_tests(void)
  228. {
  229. ADD_TEST(test_default_cipherlist_implicit);
  230. ADD_TEST(test_default_cipherlist_explicit);
  231. ADD_TEST(test_default_cipherlist_clear);
  232. ADD_TEST(test_stdname_cipherlist);
  233. return 1;
  234. }