Context Navigation

cipherlist_test.c

Last change on this file was 104078, checked in by vboxsync, 2 months ago
openssl-3.1.5: Applied and adjusted our OpenSSL changes to 3.1.4. bugref:10638
File size: 7.0 KB

Line
1	/*
2	* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License");
5	* you may not use this file except in compliance with the License.
6	* You may obtain a copy of the License at
7	* https://www.openssl.org/source/license.html
8	* or in the file LICENSE in the source distribution.
9	*/
10
11	#include <stdio.h>
12	#include <string.h>
13
14	#include <openssl/opensslconf.h>
15	#include <openssl/err.h>
16	#include <openssl/e_os2.h>
17	#include <openssl/ssl.h>
18	#include <openssl/ssl3.h>
19	#include <openssl/tls1.h>
20
21	#include "internal/nelem.h"
22	#include "testutil.h"
23
24	typedef struct cipherlist_test_fixture {
25	const char *test_case_name;
26	SSL_CTX *server;
27	SSL_CTX *client;
28	} CIPHERLIST_TEST_FIXTURE;
29
30
31	static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture)
32	{
33	if (fixture != NULL) {
34	SSL_CTX_free(fixture->server);
35	SSL_CTX_free(fixture->client);
36	fixture->server = fixture->client = NULL;
37	OPENSSL_free(fixture);
38	}
39	}
40
41	static CIPHERLIST_TEST_FIXTURE set_up(const char const test_case_name)
42	{
43	CIPHERLIST_TEST_FIXTURE *fixture;
44
45	if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
46	return NULL;
47	fixture->test_case_name = test_case_name;
48	if (!TEST_ptr(fixture->server = SSL_CTX_new(TLS_server_method()))
49	\|\| !TEST_ptr(fixture->client = SSL_CTX_new(TLS_client_method()))) {
50	tear_down(fixture);
51	return NULL;
52	}
53	return fixture;
54	}
55
56	/*
57	* All ciphers in the DEFAULT cipherlist meet the default security level.
58	* However, default supported ciphers exclude SRP and PSK ciphersuites
59	* for which no callbacks have been set up.
60	*
61	* Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
62	* and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
63	* are currently broken and should be considered mission impossible in libssl.
64	*/
65	static const uint32_t default_ciphers_in_order[] = {
66	#ifndef OPENSSL_NO_TLS1_3
67	TLS1_3_CK_AES_256_GCM_SHA384,
68	# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
69	TLS1_3_CK_CHACHA20_POLY1305_SHA256,
70	# endif
71	TLS1_3_CK_AES_128_GCM_SHA256,
72	#endif
73	#ifndef OPENSSL_NO_TLS1_2
74	# ifndef OPENSSL_NO_EC
75	TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
76	TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
77	# endif
78	# ifndef OPENSSL_NO_DH
79	TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
80	# endif
81
82	# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
83	# ifndef OPENSSL_NO_EC
84	TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
85	TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
86	# endif
87	# ifndef OPENSSL_NO_DH
88	TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
89	# endif
90	# endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
91
92	# ifndef OPENSSL_NO_EC
93	TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
94	TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
95	# endif
96	# ifndef OPENSSL_NO_DH
97	TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
98	# endif
99	# ifndef OPENSSL_NO_EC
100	TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
101	TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
102	# endif
103	# ifndef OPENSSL_NO_DH
104	TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
105	# endif
106	# ifndef OPENSSL_NO_EC
107	TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
108	TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
109	# endif
110	# ifndef OPENSSL_NO_DH
111	TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
112	# endif
113	#endif /* !OPENSSL_NO_TLS1_2 */
114
115	#if !defined(OPENSSL_NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_3)
116	/* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
117	# ifndef OPENSSL_NO_EC
118	TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
119	TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
120	# endif
121	#ifndef OPENSSL_NO_DH
122	TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
123	# endif
124	# ifndef OPENSSL_NO_EC
125	TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
126	TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
127	# endif
128	# ifndef OPENSSL_NO_DH
129	TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
130	# endif
131	#endif /* !defined(OPENSSL_NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_3) */
132
133	#ifndef OPENSSL_NO_TLS1_2
134	TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
135	TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
136	#endif
137	#ifndef OPENSSL_NO_TLS1_2
138	TLS1_CK_RSA_WITH_AES_256_SHA256,
139	TLS1_CK_RSA_WITH_AES_128_SHA256,
140	#endif
141	#if !defined(OPENSSL_NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_3)
142	/* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
143	TLS1_CK_RSA_WITH_AES_256_SHA,
144	TLS1_CK_RSA_WITH_AES_128_SHA,
145	#endif
146	};
147
148	static int test_default_cipherlist(SSL_CTX *ctx)
149	{
150	STACK_OF(SSL_CIPHER) *ciphers = NULL;
151	SSL *ssl = NULL;
152	int i, ret = 0, num_expected_ciphers, num_ciphers;
153	uint32_t expected_cipher_id, cipher_id;
154
155	if (ctx == NULL)
156	return 0;
157
158	if (!TEST_ptr(ssl = SSL_new(ctx))
159	\|\| !TEST_ptr(ciphers = SSL_get1_supported_ciphers(ssl)))
160	goto err;
161
162	num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
163	num_ciphers = sk_SSL_CIPHER_num(ciphers);
164	if (!TEST_int_eq(num_ciphers, num_expected_ciphers))
165	goto err;
166
167	for (i = 0; i < num_ciphers; i++) {
168	expected_cipher_id = default_ciphers_in_order[i];
169	cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i));
170	if (!TEST_int_eq(cipher_id, expected_cipher_id)) {
171	TEST_info("Wrong cipher at position %d", i);
172	goto err;
173	}
174	}
175
176	ret = 1;
177
178	err:
179	sk_SSL_CIPHER_free(ciphers);
180	SSL_free(ssl);
181	return ret;
182	}
183
184	static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture)
185	{
186	return fixture != NULL
187	&& test_default_cipherlist(fixture->server)
188	&& test_default_cipherlist(fixture->client);
189	}
190
191	#define SETUP_CIPHERLIST_TEST_FIXTURE() \
192	SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)
193
194	#define EXECUTE_CIPHERLIST_TEST() \
195	EXECUTE_TEST(execute_test, tear_down)
196
197	static int test_default_cipherlist_implicit(void)
198	{
199	SETUP_CIPHERLIST_TEST_FIXTURE();
200	EXECUTE_CIPHERLIST_TEST();
201	return result;
202	}
203
204	static int test_default_cipherlist_explicit(void)
205	{
206	SETUP_CIPHERLIST_TEST_FIXTURE();
207	if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT"))
208	\|\| !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT"))) {
209	tear_down(fixture);
210	fixture = NULL;
211	}
212	EXECUTE_CIPHERLIST_TEST();
213	return result;
214	}
215
216	/* SSL_CTX_set_cipher_list() should fail if it clears all TLSv1.2 ciphers. */
217	static int test_default_cipherlist_clear(void)
218	{
219	SSL *s = NULL;
220	SETUP_CIPHERLIST_TEST_FIXTURE();
221
222	if (!TEST_int_eq(SSL_CTX_set_cipher_list(fixture->server, "no-such"), 0))
223	goto end;
224
225	if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_CIPHER_MATCH))
226	goto end;
227
228	s = SSL_new(fixture->client);
229
230	if (!TEST_ptr(s))
231	goto end;
232
233	if (!TEST_int_eq(SSL_set_cipher_list(s, "no-such"), 0))
234	goto end;
235
236	if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
237	SSL_R_NO_CIPHER_MATCH))
238	goto end;
239
240	result = 1;
241	end:
242	SSL_free(s);
243	tear_down(fixture);
244	return result;
245	}
246
247	int setup_tests(void)
248	{
249	ADD_TEST(test_default_cipherlist_implicit);
250	ADD_TEST(test_default_cipherlist_explicit);
251	ADD_TEST(test_default_cipherlist_clear);
252	return 1;
253	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: vbox/trunk/src/libs/openssl-3.1.5/test/cipherlist_test.c

Download in other formats: