2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL licenses, (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 * https://www.openssl.org/source/license.html
8 * or in the file LICENSE in the source distribution.
14 #include <openssl/opensslconf.h>
15 #include <openssl/err.h>
16 #include <openssl/e_os2.h>
17 #include <openssl/ssl.h>
18 #include <openssl/ssl3.h>
19 #include <openssl/tls1.h>
24 typedef struct cipherlist_test_fixture {
25 const char *test_case_name;
28 } CIPHERLIST_TEST_FIXTURE;
31 static void tear_down(CIPHERLIST_TEST_FIXTURE *fixture)
33 if (fixture != NULL) {
34 SSL_CTX_free(fixture->server);
35 SSL_CTX_free(fixture->client);
36 fixture->server = fixture->client = NULL;
40 static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name)
42 static CIPHERLIST_TEST_FIXTURE fixture;
44 memset(&fixture, 0, sizeof(fixture));
45 fixture.test_case_name = test_case_name;
46 if (!TEST_ptr(fixture.server = SSL_CTX_new(TLS_server_method()))
47 || !TEST_ptr(fixture.client = SSL_CTX_new(TLS_client_method()))) {
55 * All ciphers in the DEFAULT cipherlist meet the default security level.
56 * However, default supported ciphers exclude SRP and PSK ciphersuites
57 * for which no callbacks have been set up.
59 * Supported ciphers also exclude TLSv1.2 ciphers if TLSv1.2 is disabled,
60 * and individual disabled algorithms. However, NO_RSA, NO_AES and NO_SHA
61 * are currently broken and should be considered mission impossible in libssl.
63 static const uint32_t default_ciphers_in_order[] = {
64 #ifndef OPENSSL_NO_TLS1_2
65 # ifndef OPENSSL_NO_EC
66 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
67 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
69 # ifndef OPENSSL_NO_DH
70 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
73 # if !defined OPENSSL_NO_CHACHA && !defined OPENSSL_NO_POLY1305
74 # ifndef OPENSSL_NO_EC
75 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
76 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
78 # ifndef OPENSSL_NO_DH
79 TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
81 # endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
83 # ifndef OPENSSL_NO_EC
84 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
85 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
87 # ifndef OPENSSL_NO_DH
88 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
90 # ifndef OPENSSL_NO_EC
91 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
92 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
94 # ifndef OPENSSL_NO_DH
95 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
97 # ifndef OPENSSL_NO_EC
98 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
99 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
101 # ifndef OPENSSL_NO_DH
102 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
104 #endif /* !OPENSSL_NO_TLS1_2 */
106 #ifndef OPENSSL_NO_EC
107 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
108 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
110 #ifndef OPENSSL_NO_DH
111 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
113 #ifndef OPENSSL_NO_EC
114 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
115 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
117 #ifndef OPENSSL_NO_DH
118 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
121 #ifndef OPENSSL_NO_TLS1_2
122 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
123 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
125 #ifndef OPENSSL_NO_TLS1_3
126 TLS1_3_CK_AES_256_GCM_SHA384,
127 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
128 TLS1_3_CK_AES_128_GCM_SHA256,
130 #ifndef OPENSSL_NO_TLS1_2
131 TLS1_CK_RSA_WITH_AES_256_SHA256,
132 TLS1_CK_RSA_WITH_AES_128_SHA256,
134 TLS1_CK_RSA_WITH_AES_256_SHA,
135 TLS1_CK_RSA_WITH_AES_128_SHA,
138 static int test_default_cipherlist(SSL_CTX *ctx)
140 STACK_OF(SSL_CIPHER) *ciphers = NULL;
142 int i, ret = 0, num_expected_ciphers, num_ciphers;
143 uint32_t expected_cipher_id, cipher_id;
148 if (!TEST_ptr(ssl = SSL_new(ctx))
149 || !TEST_ptr(ciphers = SSL_get1_supported_ciphers(ssl)))
152 num_expected_ciphers = OSSL_NELEM(default_ciphers_in_order);
153 num_ciphers = sk_SSL_CIPHER_num(ciphers);
154 if (!TEST_int_eq(num_ciphers, num_expected_ciphers))
157 for (i = 0; i < num_ciphers; i++) {
158 expected_cipher_id = default_ciphers_in_order[i];
159 cipher_id = SSL_CIPHER_get_id(sk_SSL_CIPHER_value(ciphers, i));
160 if (!TEST_int_eq(cipher_id, expected_cipher_id)) {
161 TEST_info("Wrong cipher at position %d", i);
169 sk_SSL_CIPHER_free(ciphers);
174 static int execute_test(CIPHERLIST_TEST_FIXTURE *fixture)
176 return fixture != NULL
177 && test_default_cipherlist(fixture->server)
178 && test_default_cipherlist(fixture->client);
181 #define SETUP_CIPHERLIST_TEST_FIXTURE() \
182 SETUP_TEST_FIXTURE(CIPHERLIST_TEST_FIXTURE *, set_up)
184 #define EXECUTE_CIPHERLIST_TEST() \
185 EXECUTE_TEST(execute_test, tear_down)
187 static int test_default_cipherlist_implicit()
189 SETUP_CIPHERLIST_TEST_FIXTURE();
190 EXECUTE_CIPHERLIST_TEST();
193 static int test_default_cipherlist_explicit()
195 SETUP_CIPHERLIST_TEST_FIXTURE();
198 if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, "DEFAULT"))
199 || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, "DEFAULT")))
201 EXECUTE_CIPHERLIST_TEST();
204 void register_tests()
206 ADD_TEST(test_default_cipherlist_implicit);
207 ADD_TEST(test_default_cipherlist_explicit);