| cipherlist_test.c (1.1.1.2) | cipherlist_test.c (1.1.1.1) |
|---|---|
| 1/* | 1/* |
| 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. | 2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. |
| 3 * 4 * Licensed under the OpenSSL licenses, (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * https://www.openssl.org/source/license.html 8 * or in the file LICENSE in the source distribution. 9 */ 10 11#include <stdio.h> | 3 * 4 * Licensed under the OpenSSL licenses, (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * https://www.openssl.org/source/license.html 8 * or in the file LICENSE in the source distribution. 9 */ 10 11#include <stdio.h> |
| 12#include <string.h> | |
| 13 14#include <openssl/opensslconf.h> 15#include <openssl/err.h> 16#include <openssl/e_os2.h> 17#include <openssl/ssl.h> 18#include <openssl/ssl3.h> 19#include <openssl/tls1.h> 20 | 12 13#include <openssl/opensslconf.h> 14#include <openssl/err.h> 15#include <openssl/e_os2.h> 16#include <openssl/ssl.h> 17#include <openssl/ssl3.h> 18#include <openssl/tls1.h> 19 |
| 21#include "internal/nelem.h" | 20#include "e_os.h" |
| 22#include "testutil.h" 23 24typedef struct cipherlist_test_fixture { 25 const char *test_case_name; 26 SSL_CTX *server; 27 SSL_CTX *client; 28} CIPHERLIST_TEST_FIXTURE; 29 30 | 21#include "testutil.h" 22 23typedef struct cipherlist_test_fixture { 24 const char *test_case_name; 25 SSL_CTX *server; 26 SSL_CTX *client; 27} CIPHERLIST_TEST_FIXTURE; 28 29 |
| 31static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture) | 30static CIPHERLIST_TEST_FIXTURE set_up(const char *const test_case_name) |
| 32{ | 31{ |
| 33 if (fixture != NULL) { 34 SSL_CTX_free(fixture->server); 35 SSL_CTX_free(fixture->client); 36 fixture->server = fixture->client = NULL; 37 OPENSSL_free(fixture); 38 } 39} 40 41static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name) 42{ 43 CIPHERLIST_TEST_FIXTURE *fixture; 44 45 if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) 46 return NULL; 47 fixture->test_case_name = test_case_name; 48 if (!TEST_ptr(fixture->server = SSL_CTX_new(TLS_server_method())) 49 || !TEST_ptr(fixture->client = SSL_CTX_new(TLS_client_method()))) { 50 tear_down(fixture); 51 return NULL; 52 } | 32 CIPHERLIST_TEST_FIXTURE fixture; 33 fixture.test_case_name = test_case_name; 34 fixture.server = SSL_CTX_new(TLS_server_method()); 35 fixture.client = SSL_CTX_new(TLS_client_method()); 36 OPENSSL_assert(fixture.client != NULL && fixture.server != NULL); |
| 53 return fixture; 54} 55 56/* 57 * All ciphers in the DEFAULT cipherlist meet the default security level. 58 * However, default supported ciphers exclude SRP and PSK ciphersuites 59 * for which no callbacks have been set up. 60 * 61 * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled, 62 * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA 63 * are currently broken and should be considered mission impossible in libssl. 64 */ 65static const uint32_t default_ciphers_in_order[] = { | 37 return fixture; 38} 39 40/* 41 * All ciphers in the DEFAULT cipherlist meet the default security level. 42 * However, default supported ciphers exclude SRP and PSK ciphersuites 43 * for which no callbacks have been set up. 44 * 45 * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled, 46 * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA 47 * are currently broken and should be considered mission impossible in libssl. 48 */ 49static const uint32_t default_ciphers_in_order[] = { |
| 66#ifndef OPENSSL_NO_TLS1_3 67 TLS1_3_CK_AES_256_GCM_SHA384, 68# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 69 TLS1_3_CK_CHACHA20_POLY1305_SHA256, 70# endif 71 TLS1_3_CK_AES_128_GCM_SHA256, 72#endif | |
| 73#ifndef OPENSSL_NO_TLS1_2 74# ifndef OPENSSL_NO_EC 75 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 76 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 77# endif 78# ifndef OPENSSL_NO_DH 79 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 80# endif 81 | 50#ifndef OPENSSL_NO_TLS1_2 51# ifndef OPENSSL_NO_EC 52 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 53 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 54# endif 55# ifndef OPENSSL_NO_DH 56 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 57# endif 58 |
| 82# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) | 59# if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305 |
| 83# ifndef OPENSSL_NO_EC 84 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 85 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305, 86# endif 87# ifndef OPENSSL_NO_DH 88 TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305, 89# endif 90# endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ --- 16 unchanged lines hidden (view full) --- 107 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 108 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 109# endif 110# ifndef OPENSSL_NO_DH 111 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 112# endif 113#endif /* !OPENSSL_NO_TLS1_2 */ 114 | 60# ifndef OPENSSL_NO_EC 61 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 62 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305, 63# endif 64# ifndef OPENSSL_NO_DH 65 TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305, 66# endif 67# endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ --- 16 unchanged lines hidden (view full) --- 84 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 85 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 86# endif 87# ifndef OPENSSL_NO_DH 88 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 89# endif 90#endif /* !OPENSSL_NO_TLS1_2 */ 91 |
| 115#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) 116 /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */ 117# ifndef OPENSSL_NO_EC | 92#ifndef OPENSSL_NO_EC |
| 118 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 119 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, | 93 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 94 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, |
| 120# endif 121 #ifndef OPENSSL_NO_DH | 95#endif 96#ifndef OPENSSL_NO_DH |
| 122 TLS1_CK_DHE_RSA_WITH_AES_256_SHA, | 97 TLS1_CK_DHE_RSA_WITH_AES_256_SHA, |
| 123# endif 124# ifndef OPENSSL_NO_EC | 98#endif 99#ifndef OPENSSL_NO_EC |
| 125 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 126 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, | 100 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 101 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
| 127# endif 128# ifndef OPENSSL_NO_DH | 102#endif 103#ifndef OPENSSL_NO_DH |
| 129 TLS1_CK_DHE_RSA_WITH_AES_128_SHA, | 104 TLS1_CK_DHE_RSA_WITH_AES_128_SHA, |
| 130# endif 131#endif /* !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) */ | 105#endif |
| 132 133#ifndef OPENSSL_NO_TLS1_2 134 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 135 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, | 106 107#ifndef OPENSSL_NO_TLS1_2 108 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 109 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, |
| 136#endif 137#ifndef OPENSSL_NO_TLS1_2 | |
| 138 TLS1_CK_RSA_WITH_AES_256_SHA256, 139 TLS1_CK_RSA_WITH_AES_128_SHA256, 140#endif | 110 TLS1_CK_RSA_WITH_AES_256_SHA256, 111 TLS1_CK_RSA_WITH_AES_128_SHA256, 112#endif |
| 141#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) 142 /* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */ | 113 |
| 143 TLS1_CK_RSA_WITH_AES_256_SHA, 144 TLS1_CK_RSA_WITH_AES_128_SHA, | 114 TLS1_CK_RSA_WITH_AES_256_SHA, 115 TLS1_CK_RSA_WITH_AES_128_SHA, |
| 145#endif | |
| 146}; 147 148static int test_default_cipherlist(SSL_CTX *ctx) 149{ | 116}; 117 118static int test_default_cipherlist(SSL_CTX *ctx) 119{ |
| 150 STACK_OF(SSL_CIPHER) *ciphers = NULL; 151 SSL *ssl = NULL; | 120 STACK_OF(SSL_CIPHER) *ciphers; 121 SSL *ssl; |
| 152 int i, ret = 0, num_expected_ciphers, num_ciphers; 153 uint32_t expected_cipher_id, cipher_id; 154 | 122 int i, ret = 0, num_expected_ciphers, num_ciphers; 123 uint32_t expected_cipher_id, cipher_id; 124 |
| 155 if (ctx == NULL) 156 return 0; | 125 ssl = SSL_new(ctx); 126 OPENSSL_assert(ssl != NULL); |
| 157 | 127 |
| 158 if (!TEST_ptr(ssl = SSL_new(ctx)) 159 || !TEST_ptr(ciphers = SSL_get1_supported_ciphers(ssl))) 160 goto err; 161 | 128 ciphers = SSL_get1_supported_ciphers(ssl); 129 OPENSSL_assert(ciphers != NULL); |
| 162 num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order); 163 num_ciphers = sk_SSL_CIPHER_num(ciphers); | 130 num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order); 131 num_ciphers = sk_SSL_CIPHER_num(ciphers); |
| 164 if (!TEST_int_eq(num_ciphers, num_expected_ciphers)) | 132 if (num_ciphers != num_expected_ciphers) { 133 fprintf(stderr, "Expected %d supported ciphers, got %d.\n", 134 num_expected_ciphers, num_ciphers); |
| 165 goto err; | 135 goto err; |
| 136 } |
|
| 166 167 for (i = 0; i < num_ciphers; i++) { 168 expected_cipher_id = default_ciphers_in_order[i]; 169 cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i)); | 137 138 for (i = 0; i < num_ciphers; i++) { 139 expected_cipher_id = default_ciphers_in_order[i]; 140 cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i)); |
| 170 if (!TEST_int_eq(cipher_id, expected_cipher_id)) { 171 TEST_info("Wrong cipher at position %d", i); | 141 if (cipher_id != expected_cipher_id) { 142 fprintf(stderr, "Wrong cipher at position %d: expected %x, " 143 "got %x\n", i, expected_cipher_id, cipher_id); |
| 172 goto err; 173 } 174 } 175 176 ret = 1; 177 178 err: 179 sk_SSL_CIPHER_free(ciphers); 180 SSL_free(ssl); 181 return ret; 182} 183 | 144 goto err; 145 } 146 } 147 148 ret = 1; 149 150 err: 151 sk_SSL_CIPHER_free(ciphers); 152 SSL_free(ssl); 153 return ret; 154} 155 |
| 184static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture) | 156static int execute_test(CIPHERLIST_TEST_FIXTURE fixture) |
| 185{ | 157{ |
| 186 return fixture != NULL 187 && test_default_cipherlist(fixture->server) 188 && test_default_cipherlist(fixture->client); | 158 return test_default_cipherlist(fixture.server) 159 && test_default_cipherlist(fixture.client); |
| 189} 190 | 160} 161 |
| 162static void tear_down(CIPHERLIST_TEST_FIXTURE fixture) 163{ 164 SSL_CTX_free(fixture.server); 165 SSL_CTX_free(fixture.client); 166 ERR_print_errors_fp(stderr); 167} 168 |
|
| 191#define SETUP_CIPHERLIST_TEST_FIXTURE() \ 192 SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up) 193 194#define EXECUTE_CIPHERLIST_TEST() \ 195 EXECUTE_TEST(execute_test, tear_down) 196 | 169#define SETUP_CIPHERLIST_TEST_FIXTURE() \ 170 SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up) 171 172#define EXECUTE_CIPHERLIST_TEST() \ 173 EXECUTE_TEST(execute_test, tear_down) 174 |
| 197static int test_default_cipherlist_implicit(void) | 175static int test_default_cipherlist_implicit() |
| 198{ 199 SETUP_CIPHERLIST_TEST_FIXTURE(); | 176{ 177 SETUP_CIPHERLIST_TEST_FIXTURE(); |
| 200 if (fixture == NULL) 201 return 0; | |
| 202 EXECUTE_CIPHERLIST_TEST(); | 178 EXECUTE_CIPHERLIST_TEST(); |
| 203 return result; | |
| 204} 205 | 179} 180 |
| 206static int test_default_cipherlist_explicit(void) | 181static int test_default_cipherlist_explicit() |
| 207{ 208 SETUP_CIPHERLIST_TEST_FIXTURE(); | 182{ 183 SETUP_CIPHERLIST_TEST_FIXTURE(); |
| 209 if (fixture == NULL) 210 return 0; 211 if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT")) 212 || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT"))) 213 tear_down(fixture); | 184 OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.server, "DEFAULT")); 185 OPENSSL_assert(SSL_CTX_set_cipher_list(fixture.client, "DEFAULT")); |
| 214 EXECUTE_CIPHERLIST_TEST(); | 186 EXECUTE_CIPHERLIST_TEST(); |
| 215 return result; | |
| 216} 217 | 187} 188 |
| 218int setup_tests(void) | 189int main(int argc, char **argv) |
| 219{ | 190{ |
| 191 int result = 0; 192 |
|
| 220 ADD_TEST(test_default_cipherlist_implicit); 221 ADD_TEST(test_default_cipherlist_explicit); | 193 ADD_TEST(test_default_cipherlist_implicit); 194 ADD_TEST(test_default_cipherlist_explicit); |
| 222 return 1; | 195 196 result = run_tests(argv[0]); 197 198 return result; |
| 223} | 199} |