c193976540b3cc3a3c1f8927a3bfb8dbbd9a2ccf
[openssl.git] / test / cipherlist_test.c
1 /*
2  * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL licenses, (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  * https://www.openssl.org/source/license.html
8  * or in the file LICENSE in the source distribution.
9  */
10
11 #include <stdio.h>
12 #include <string.h>
13
14 #include <openssl/opensslconf.h>
15 #include <openssl/err.h>
16 #include <openssl/e_os2.h>
17 #include <openssl/ssl.h>
18 #include <openssl/ssl3.h>
19 #include <openssl/tls1.h>
20
21 #include "e_os.h"
22 #include "testutil.h"
23
24 typedef struct cipherlist_test_fixture {
25     const char *test_case_name;
26     SSL_CTX *server;
27     SSL_CTX *client;
28 } CIPHERLIST_TEST_FIXTURE;
29
30
31 static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture)
32 {
33     if (fixture != NULL) {
34         SSL_CTX_free(fixture->server);
35         SSL_CTX_free(fixture->client);
36         fixture->server = fixture->client = NULL;
37     }
38 }
39
40 static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name)
41 {
42     static CIPHERLIST_TEST_FIXTURE fixture;
43
44     memset(&fixture, 0, sizeof(fixture));
45     fixture.test_case_name = test_case_name;
46     if (!TEST_ptr(fixture.server = SSL_CTX_new(TLS_server_method()))
47             || !TEST_ptr(fixture.client = SSL_CTX_new(TLS_client_method()))) {
48         tear_down(&fixture);
49         return NULL;
50     }
51     return &fixture;
52 }
53
54 /*
55  * All ciphers in the DEFAULT cipherlist meet the default security level.
56  * However, default supported ciphers exclude SRP and PSK ciphersuites
57  * for which no callbacks have been set up.
58  *
59  * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
60  * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
61  * are currently broken and should be considered mission impossible in libssl.
62  */
63 static const uint32_t default_ciphers_in_order[] = {
64 #ifndef OPENSSL_NO_TLS1_2
65 # ifndef OPENSSL_NO_EC
66     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
67     TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
68 # endif
69 # ifndef OPENSSL_NO_DH
70     TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
71 # endif
72
73 # if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305
74 #  ifndef OPENSSL_NO_EC
75     TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
76     TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
77 #  endif
78 #  ifndef OPENSSL_NO_DH
79     TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
80 #  endif
81 # endif  /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
82
83 # ifndef OPENSSL_NO_EC
84     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
85     TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
86 # endif
87 # ifndef OPENSSL_NO_DH
88     TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
89 # endif
90 # ifndef OPENSSL_NO_EC
91     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
92     TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
93 # endif
94 # ifndef OPENSSL_NO_DH
95     TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
96 # endif
97 # ifndef OPENSSL_NO_EC
98     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
99     TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
100 # endif
101 # ifndef OPENSSL_NO_DH
102     TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
103 # endif
104 #endif  /* !OPENSSL_NO_TLS1_2 */
105
106 #ifndef OPENSSL_NO_EC
107     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
108     TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
109 #endif
110 #ifndef OPENSSL_NO_DH
111     TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
112 #endif
113 #ifndef OPENSSL_NO_EC
114     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
115     TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
116 #endif
117 #ifndef OPENSSL_NO_DH
118     TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
119 #endif
120
121 #ifndef OPENSSL_NO_TLS1_2
122     TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
123     TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
124 #endif
125 #ifndef OPENSSL_NO_TLS1_3
126     TLS1_3_CK_AES_256_GCM_SHA384,
127     TLS1_3_CK_CHACHA20_POLY1305_SHA256,
128     TLS1_3_CK_AES_128_GCM_SHA256,
129 #endif
130 #ifndef OPENSSL_NO_TLS1_2
131     TLS1_CK_RSA_WITH_AES_256_SHA256,
132     TLS1_CK_RSA_WITH_AES_128_SHA256,
133 #endif
134     TLS1_CK_RSA_WITH_AES_256_SHA,
135     TLS1_CK_RSA_WITH_AES_128_SHA,
136 };
137
138 static int test_default_cipherlist(SSL_CTX *ctx)
139 {
140     STACK_OF(SSL_CIPHER) *ciphers = NULL;
141     SSL *ssl = NULL;
142     int i, ret = 0, num_expected_ciphers, num_ciphers;
143     uint32_t expected_cipher_id, cipher_id;
144
145     if (ctx == NULL)
146         return 0;
147
148     if (!TEST_ptr(ssl = SSL_new(ctx))
149             || !TEST_ptr(ciphers = SSL_get1_supported_ciphers(ssl)))
150         goto err;
151
152     num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
153     num_ciphers = sk_SSL_CIPHER_num(ciphers);
154     if (!TEST_int_eq(num_ciphers, num_expected_ciphers))
155         goto err;
156
157     for (i = 0; i < num_ciphers; i++) {
158         expected_cipher_id = default_ciphers_in_order[i];
159         cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i));
160         if (!TEST_int_eq(cipher_id, expected_cipher_id)) {
161             TEST_info("Wrong cipher at position %d", i);
162             goto err;
163         }
164     }
165
166     ret = 1;
167
168  err:
169     sk_SSL_CIPHER_free(ciphers);
170     SSL_free(ssl);
171     return ret;
172 }
173
174 static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture)
175 {
176     return fixture != NULL
177         && test_default_cipherlist(fixture->server)
178         && test_default_cipherlist(fixture->client);
179 }
180
181 #define SETUP_CIPHERLIST_TEST_FIXTURE() \
182     SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE *, set_up)
183
184 #define EXECUTE_CIPHERLIST_TEST() \
185     EXECUTE_TEST(execute_test, tear_down)
186
187 static int test_default_cipherlist_implicit()
188 {
189     SETUP_CIPHERLIST_TEST_FIXTURE();
190     EXECUTE_CIPHERLIST_TEST();
191 }
192
193 static int test_default_cipherlist_explicit()
194 {
195     SETUP_CIPHERLIST_TEST_FIXTURE();
196     if (fixture == NULL)
197         return 0;
198     if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT"))
199             || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT")))
200         tear_down(fixture);
201     EXECUTE_CIPHERLIST_TEST();
202 }
203
204 int setup_tests()
205 {
206     ADD_TEST(test_default_cipherlist_implicit);
207     ADD_TEST(test_default_cipherlist_explicit);
208     return 1;
209 }