cipherlist_test.c revision 1.1.1.1
1 /* 2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * https://www.openssl.org/source/license.html 8 * or in the file LICENSE in the source distribution. 9 */ 10 11 #include <stdio.h> 12 #include <string.h> 13 14 #include <openssl/opensslconf.h> 15 #include <openssl/err.h> 16 #include <openssl/e_os2.h> 17 #include <openssl/ssl.h> 18 #include <openssl/ssl3.h> 19 #include <openssl/tls1.h> 20 21 #include "internal/nelem.h" 22 #include "testutil.h" 23 24 typedef struct cipherlist_test_fixture { 25 const char *test_case_name; 26 SSL_CTX *server; 27 SSL_CTX *client; 28 } CIPHERLIST_TEST_FIXTURE; 29 30 31 static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture) 32 { 33 if (fixture != NULL) { 34 SSL_CTX_free(fixture->server); 35 SSL_CTX_free(fixture->client); 36 fixture->server = fixture->client = NULL; 37 OPENSSL_free(fixture); 38 } 39 } 40 41 static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name) 42 { 43 CIPHERLIST_TEST_FIXTURE *fixture; 44 45 if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) 46 return NULL; 47 fixture->test_case_name = test_case_name; 48 if (!TEST_ptr(fixture->server = SSL_CTX_new(TLS_server_method())) 49 || !TEST_ptr(fixture->client = SSL_CTX_new(TLS_client_method()))) { 50 tear_down(fixture); 51 return NULL; 52 } 53 return fixture; 54 } 55 56 /* 57 * All ciphers in the DEFAULT cipherlist meet the default security level. 58 * However, default supported ciphers exclude SRP and PSK ciphersuites 59 * for which no callbacks have been set up. 60 * 61 * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled, 62 * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA 63 * are currently broken and should be considered mission impossible in libssl. 64 */ 65 static const uint32_t default_ciphers_in_order[] = { 66 #ifndef OPENSSL_NO_TLS1_3 67 TLS1_3_CK_AES_256_GCM_SHA384, 68 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 69 TLS1_3_CK_CHACHA20_POLY1305_SHA256, 70 # endif 71 TLS1_3_CK_AES_128_GCM_SHA256, 72 #endif 73 #ifndef OPENSSL_NO_TLS1_2 74 # ifndef OPENSSL_NO_EC 75 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 76 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 77 # endif 78 # ifndef OPENSSL_NO_DH 79 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 80 # endif 81 82 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 83 # ifndef OPENSSL_NO_EC 84 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 85 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305, 86 # endif 87 # ifndef OPENSSL_NO_DH 88 TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305, 89 # endif 90 # endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ 91 92 # ifndef OPENSSL_NO_EC 93 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 94 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 95 # endif 96 # ifndef OPENSSL_NO_DH 97 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 98 # endif 99 # ifndef OPENSSL_NO_EC 100 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 101 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 102 # endif 103 # ifndef OPENSSL_NO_DH 104 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 105 # endif 106 # ifndef OPENSSL_NO_EC 107 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 108 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 109 # endif 110 # ifndef OPENSSL_NO_DH 111 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 112 # endif 113 #endif /* !OPENSSL_NO_TLS1_2 */ 114 115 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) 116 /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */ 117 # ifndef OPENSSL_NO_EC 118 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 119 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 120 # endif 121 #ifndef OPENSSL_NO_DH 122 TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 123 # endif 124 # ifndef OPENSSL_NO_EC 125 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 126 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 127 # endif 128 # ifndef OPENSSL_NO_DH 129 TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 130 # endif 131 #endif /* !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) */ 132 133 #ifndef OPENSSL_NO_TLS1_2 134 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 135 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 136 #endif 137 #ifndef OPENSSL_NO_TLS1_2 138 TLS1_CK_RSA_WITH_AES_256_SHA256, 139 TLS1_CK_RSA_WITH_AES_128_SHA256, 140 #endif 141 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) 142 /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */ 143 TLS1_CK_RSA_WITH_AES_256_SHA, 144 TLS1_CK_RSA_WITH_AES_128_SHA, 145 #endif 146 }; 147 148 static int test_default_cipherlist(SSL_CTX *ctx) 149 { 150 STACK_OF(SSL_CIPHER) *ciphers = NULL; 151 SSL *ssl = NULL; 152 int i, ret = 0, num_expected_ciphers, num_ciphers; 153 uint32_t expected_cipher_id, cipher_id; 154 155 if (ctx == NULL) 156 return 0; 157 158 if (!TEST_ptr(ssl = SSL_new(ctx)) 159 || !TEST_ptr(ciphers = SSL_get1_supported_ciphers(ssl))) 160 goto err; 161 162 num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order); 163 num_ciphers = sk_SSL_CIPHER_num(ciphers); 164 if (!TEST_int_eq(num_ciphers, num_expected_ciphers)) 165 goto err; 166 167 for (i = 0; i < num_ciphers; i++) { 168 expected_cipher_id = default_ciphers_in_order[i]; 169 cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i)); 170 if (!TEST_int_eq(cipher_id, expected_cipher_id)) { 171 TEST_info("Wrong cipher at position %d", i); 172 goto err; 173 } 174 } 175 176 ret = 1; 177 178 err: 179 sk_SSL_CIPHER_free(ciphers); 180 SSL_free(ssl); 181 return ret; 182 } 183 184 static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture) 185 { 186 return fixture != NULL 187 && test_default_cipherlist(fixture->server) 188 && test_default_cipherlist(fixture->client); 189 } 190 191 #define SETUP_CIPHERLIST_TEST_FIXTURE() \ 192 SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up) 193 194 #define EXECUTE_CIPHERLIST_TEST() \ 195 EXECUTE_TEST(execute_test, tear_down) 196 197 static int test_default_cipherlist_implicit(void) 198 { 199 SETUP_CIPHERLIST_TEST_FIXTURE(); 200 EXECUTE_CIPHERLIST_TEST(); 201 return result; 202 } 203 204 static int test_default_cipherlist_explicit(void) 205 { 206 SETUP_CIPHERLIST_TEST_FIXTURE(); 207 if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT")) 208 || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT"))) { 209 tear_down(fixture); 210 fixture = NULL; 211 } 212 EXECUTE_CIPHERLIST_TEST(); 213 return result; 214 } 215 216 /* SSL_CTX_set_cipher_list() should fail if it clears all TLSv1.2 ciphers. */ 217 static int test_default_cipherlist_clear(void) 218 { 219 SSL *s = NULL; 220 SETUP_CIPHERLIST_TEST_FIXTURE(); 221 222 if (!TEST_int_eq(SSL_CTX_set_cipher_list(fixture->server, "no-such"), 0)) 223 goto end; 224 225 if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_CIPHER_MATCH)) 226 goto end; 227 228 s = SSL_new(fixture->client); 229 230 if (!TEST_ptr(s)) 231 goto end; 232 233 if (!TEST_int_eq(SSL_set_cipher_list(s, "no-such"), 0)) 234 goto end; 235 236 if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), 237 SSL_R_NO_CIPHER_MATCH)) 238 goto end; 239 240 result = 1; 241 end: 242 SSL_free(s); 243 tear_down(fixture); 244 return result; 245 } 246 247 /* SSL_CTX_set_cipher_list matching with cipher standard name */ 248 static int test_stdname_cipherlist(void) 249 { 250 SETUP_CIPHERLIST_TEST_FIXTURE(); 251 if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, TLS1_RFC_RSA_WITH_AES_128_SHA)) 252 || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, TLS1_RFC_RSA_WITH_AES_128_SHA))) { 253 goto end; 254 } 255 result = 1; 256 end: 257 tear_down(fixture); 258 fixture = NULL; 259 return result; 260 } 261 262 int setup_tests(void) 263 { 264 ADD_TEST(test_default_cipherlist_implicit); 265 ADD_TEST(test_default_cipherlist_explicit); 266 ADD_TEST(test_default_cipherlist_clear); 267 ADD_TEST(test_stdname_cipherlist); 268 return 1; 269 } 270
Indexes created Sun Mar 01 05:31:48 UTC 2026