test/cipherlist_test.c

   1 /*
   2  * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL licenses, (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  * https://www.openssl.org/source/license.html
   8  * or in the file LICENSE in the source distribution.
   9  */
  10
  11 #include <stdio.h>
  12
  13 #include <openssl/opensslconf.h>
  14 #include <openssl/err.h>
  15 #include <openssl/e_os2.h>
  16 #include <openssl/ssl.h>
  17 #include <openssl/ssl3.h>
  18 #include <openssl/tls1.h>
  19
  20 #include "e_os.h"
  21 #include "testutil.h"
  22
  23 typedef struct cipherlist_test_fixture {
  24     const char *test_case_name;
  25     SSL_CTX *server;
  26     SSL_CTX *client;
  27 } CIPHERLIST_TEST_FIXTURE;
  28
  29
  30 static CIPHERLIST_TEST_FIXTURE set_up(const char *const test_case_name)
  31 {
  32     CIPHERLIST_TEST_FIXTURE fixture;
  33     fixture.test_case_name = test_case_name;
  34     fixture.server = SSL_CTX_new(TLS_server_method());
  35     fixture.client = SSL_CTX_new(TLS_client_method());
  36     OPENSSL_assert(fixture.client != NULL && fixture.server != NULL);
  37     return fixture;
  38 }
  39
  40 /*
  41  * All ciphers in the DEFAULT cipherlist meet the default security level.
  42  * However, default supported ciphers exclude SRP and PSK ciphersuites
  43  * for which no callbacks have been set up.
  44  *
  45  * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
  46  * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
  47  * are currently broken and should be considered mission impossible in libssl.
  48  */
  49 static const uint32_t default_ciphers_in_order[] = {
  50 #ifndef OPENSSL_NO_TLS1_2
  51 # ifndef OPENSSL_NO_EC
  52     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  53     TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  54 # endif
  55 # ifndef OPENSSL_NO_DH
  56     TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
  57 # endif
  58
  59 # if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305
  60 #  ifndef OPENSSL_NO_EC
  61     TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  62     TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  63 #  endif
  64 #  ifndef OPENSSL_NO_DH
  65     TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
  66 #  endif
  67 # endif  /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
  68
  69 # ifndef OPENSSL_NO_EC
  70     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  71     TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  72 # endif
  73 # ifndef OPENSSL_NO_DH
  74     TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
  75 # endif
  76 # ifndef OPENSSL_NO_EC
  77     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
  78     TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
  79 # endif
  80 # ifndef OPENSSL_NO_DH
  81     TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
  82 # endif
  83 # ifndef OPENSSL_NO_EC
  84     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
  85     TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
  86 # endif
  87 # ifndef OPENSSL_NO_DH
  88     TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
  89 # endif
  90 #endif  /* !OPENSSL_NO_TLS1_2 */
  91
  92 #ifndef OPENSSL_NO_EC
  93     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  94     TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  95 #endif
  96 #ifndef OPENSSL_NO_DH
  97     TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
  98 #endif
  99 #ifndef OPENSSL_NO_EC
 100     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 101     TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 102 #endif
 103 #ifndef OPENSSL_NO_DH
 104     TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
 105 #endif
 106
 107 #ifndef OPENSSL_NO_DES
 108 # ifndef OPENSSL_NO_EC
 109     TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
 110     TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
 111 # endif
 112 # ifndef OPENSSL_NO_DH
 113     SSL3_CK_DHE_RSA_DES_192_CBC3_SHA,
 114 # endif
 115 #endif  /* !OPENSSL_NO_DES */
 116
 117 #ifndef OPENSSL_NO_TLS1_2
 118     TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
 119     TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
 120     TLS1_CK_RSA_WITH_AES_256_SHA256,
 121     TLS1_CK_RSA_WITH_AES_128_SHA256,
 122 #endif
 123
 124     TLS1_CK_RSA_WITH_AES_256_SHA,
 125     TLS1_CK_RSA_WITH_AES_128_SHA,
 126 #ifndef OPENSSL_NO_DES
 127     SSL3_CK_RSA_DES_192_CBC3_SHA,
 128 #endif
 129 };
 130
 131 static int test_default_cipherlist(SSL_CTX *ctx)
 132 {
 133     STACK_OF(SSL_CIPHER) *ciphers;
 134     SSL *ssl;
 135     int i, ret = 0, num_expected_ciphers, num_ciphers;
 136     uint32_t expected_cipher_id, cipher_id;
 137
 138     ssl = SSL_new(ctx);
 139     OPENSSL_assert(ssl != NULL);
 140
 141     ciphers = SSL_get1_supported_ciphers(ssl);
 142     OPENSSL_assert(ciphers != NULL);
 143     num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
 144     num_ciphers = sk_SSL_CIPHER_num(ciphers);
 145     if (num_ciphers != num_expected_ciphers) {
 146         fprintf(stderr, "Expected %d supported ciphers, got %d.\n",
 147                 num_expected_ciphers, num_ciphers);
 148         goto err;
 149     }
 150
 151     for (i = 0; i < num_ciphers; i++) {
 152         expected_cipher_id = default_ciphers_in_order[i];
 153         cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i));
 154         if (cipher_id != expected_cipher_id) {
 155             fprintf(stderr, "Wrong cipher at position %d: expected %x, "
 156                     "got %x\n", i, expected_cipher_id, cipher_id);
 157             goto err;
 158         }
 159     }
 160
 161     ret = 1;
 162
 163  err:
 164     sk_SSL_CIPHER_free(ciphers);
 165     SSL_free(ssl);
 166     return ret;
 167 }
 168
 169 static int execute_test(CIPHERLIST_TEST_FIXTURE fixture)
 170 {
 171     return test_default_cipherlist(fixture.server)
 172         && test_default_cipherlist(fixture.client);
 173 }
 174
 175 static void tear_down(CIPHERLIST_TEST_FIXTURE fixture)
 176 {
 177     SSL_CTX_free(fixture.server);
 178     SSL_CTX_free(fixture.client);
 179     ERR_print_errors_fp(stderr);
 180 }
 181
 182 #define SETUP_CIPHERLIST_TEST_FIXTURE() \
 183     SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)
 184
 185 #define EXECUTE_CIPHERLIST_TEST() \
 186     EXECUTE_TEST(execute_test, tear_down)
 187
 188 static int test_default_cipherlist_implicit()
 189 {
 190     SETUP_CIPHERLIST_TEST_FIXTURE();
 191     EXECUTE_CIPHERLIST_TEST();
 192 }
 193
 194 static int test_default_cipherlist_explicit()
 195 {
 196     SETUP_CIPHERLIST_TEST_FIXTURE();
 197     OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.server, "DEFAULT"));
 198     OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.client, "DEFAULT"));
 199     EXECUTE_CIPHERLIST_TEST();
 200 }
 201
 202 int main(int argc, char **argv)
 203 {
 204     int result = 0;
 205
 206     ADD_TEST(test_default_cipherlist_implicit);
 207     ADD_TEST(test_default_cipherlist_explicit);
 208
 209     result = run_tests(argv[0]);
 210
 211     return result;
 212 }