2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL licenses, (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 * https://www.openssl.org/source/license.html
8 * or in the file LICENSE in the source distribution.
13 #include <openssl/opensslconf.h>
14 #include <openssl/err.h>
15 #include <openssl/e_os2.h>
16 #include <openssl/ssl.h>
17 #include <openssl/ssl3.h>
18 #include <openssl/tls1.h>
23 typedef struct cipherlist_test_fixture {
24 const char *test_case_name;
27 } CIPHERLIST_TEST_FIXTURE;
30 static CIPHERLIST_TEST_FIXTURE set_up(const char *const test_case_name)
32 CIPHERLIST_TEST_FIXTURE fixture;
33 fixture.test_case_name = test_case_name;
34 fixture.server = SSL_CTX_new(TLS_server_method());
35 fixture.client = SSL_CTX_new(TLS_client_method());
36 TEST_check(fixture.client != NULL && fixture.server != NULL);
41 * All ciphers in the DEFAULT cipherlist meet the default security level.
42 * However, default supported ciphers exclude SRP and PSK ciphersuites
43 * for which no callbacks have been set up.
45 * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
46 * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
47 * are currently broken and should be considered mission impossible in libssl.
49 static const uint32_t default_ciphers_in_order[] = {
50 #ifndef OPENSSL_NO_TLS1_2
51 # ifndef OPENSSL_NO_EC
52 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
53 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
55 # ifndef OPENSSL_NO_DH
56 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
59 # if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305
60 # ifndef OPENSSL_NO_EC
61 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
62 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
64 # ifndef OPENSSL_NO_DH
65 TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
67 # endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
69 # ifndef OPENSSL_NO_EC
70 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
71 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
73 # ifndef OPENSSL_NO_DH
74 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
76 # ifndef OPENSSL_NO_EC
77 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
78 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
80 # ifndef OPENSSL_NO_DH
81 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
83 # ifndef OPENSSL_NO_EC
84 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
85 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
87 # ifndef OPENSSL_NO_DH
88 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
90 #endif /* !OPENSSL_NO_TLS1_2 */
93 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
94 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
97 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
100 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
101 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
103 #ifndef OPENSSL_NO_DH
104 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
107 #ifndef OPENSSL_NO_TLS1_2
108 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
109 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
111 #ifndef OPENSSL_NO_TLS1_3
112 TLS1_3_CK_AES_256_GCM_SHA384,
113 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
114 TLS1_3_CK_AES_128_GCM_SHA256,
116 #ifndef OPENSSL_NO_TLS1_2
117 TLS1_CK_RSA_WITH_AES_256_SHA256,
118 TLS1_CK_RSA_WITH_AES_128_SHA256,
120 TLS1_CK_RSA_WITH_AES_256_SHA,
121 TLS1_CK_RSA_WITH_AES_128_SHA,
124 static int test_default_cipherlist(SSL_CTX *ctx)
126 STACK_OF(SSL_CIPHER) *ciphers;
128 int i, ret = 0, num_expected_ciphers, num_ciphers;
129 uint32_t expected_cipher_id, cipher_id;
132 TEST_check(ssl != NULL);
134 ciphers = SSL_get1_supported_ciphers(ssl);
135 TEST_check(ciphers != NULL);
136 num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
137 num_ciphers = sk_SSL_CIPHER_num(ciphers);
138 if (!TEST_int_eq(num_ciphers, num_expected_ciphers))
141 for (i = 0; i < num_ciphers; i++) {
142 expected_cipher_id = default_ciphers_in_order[i];
143 cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i));
144 if (!TEST_int_eq(cipher_id, expected_cipher_id)) {
145 TEST_info("Wrong cipher at position %d", i);
153 sk_SSL_CIPHER_free(ciphers);
158 static int execute_test(CIPHERLIST_TEST_FIXTURE fixture)
160 return test_default_cipherlist(fixture.server)
161 && test_default_cipherlist(fixture.client);
164 static void tear_down(CIPHERLIST_TEST_FIXTURE fixture)
166 SSL_CTX_free(fixture.server);
167 SSL_CTX_free(fixture.client);
170 #define SETUP_CIPHERLIST_TEST_FIXTURE() \
171 SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE, set_up)
173 #define EXECUTE_CIPHERLIST_TEST() \
174 EXECUTE_TEST(execute_test, tear_down)
176 static int test_default_cipherlist_implicit()
178 SETUP_CIPHERLIST_TEST_FIXTURE();
179 EXECUTE_CIPHERLIST_TEST();
182 static int test_default_cipherlist_explicit()
184 SETUP_CIPHERLIST_TEST_FIXTURE();
185 TEST_check(SSL_CTX_set_cipher_list(fixture.server, "DEFAULT"));
186 TEST_check(SSL_CTX_set_cipher_list(fixture.client, "DEFAULT"));
187 EXECUTE_CIPHERLIST_TEST();
190 void register_tests()
192 ADD_TEST(test_default_cipherlist_implicit);
193 ADD_TEST(test_default_cipherlist_explicit);