Use ChaCha only if prioritized by clnt

IFF the client has ChaCha first, and server cipher priority is used,
and the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option is used,
then reprioritize ChaCha above everything else. This way, A matching
ChaCha cipher will be selected if there is a match. If no ChaCha ciphers
match, then the other ciphers are used.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4436)

9 files changed, 424 insertions, 1 deletions

diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 188ec9ed96..78eaa012e2 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -39,6 +39,7 @@ void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result)
     OPENSSL_free(result->server_alpn_negotiated);
     sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free);
     sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free);
+    OPENSSL_free(result->cipher);
     OPENSSL_free(result);
 }
 
@@ -1324,6 +1325,7 @@ static HANDSHAKE_RESULT *do_handshake_internal(
     EVP_PKEY *tmp_key;
     const STACK_OF(X509_NAME) *names;
     time_t start;
+    const char* cipher;
 
     if (ret == NULL)
         return NULL;
@@ -1543,6 +1545,9 @@ static HANDSHAKE_RESULT *do_handshake_internal(
     ret->client_resumed = SSL_session_reused(client.ssl);
     ret->server_resumed = SSL_session_reused(server.ssl);
 
+    cipher = SSL_CIPHER_get_name(SSL_get_current_cipher(client.ssl));
+    ret->cipher = dup_str((const unsigned char*)cipher, strlen(cipher));
+
     if (session_out != NULL)
         *session_out = SSL_get1_session(client.ssl);
 
diff --git a/test/handshake_helper.h b/test/handshake_helper.h
index 96c670e387..9dcbeb78f7 100644
--- a/test/handshake_helper.h
+++ b/test/handshake_helper.h
@@ -64,6 +64,7 @@ typedef struct handshake_result {
     STACK_OF(X509_NAME) *client_ca_names;
     /* Session id status */
     ssl_session_id_t session_id;
+    char *cipher;
 } HANDSHAKE_RESULT;
 
 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 42bf4625d3..3b1447b9f2 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -28,7 +28,7 @@ map { s/\^// } @conf_files if $^O eq "VMS";
 
 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 24;  # = scalar @conf_srcs
+plan tests => 25;  # = scalar @conf_srcs
 
 # Some test results depend on the configuration of enabled protocols. We only
 # verify generated sources in the default configuration.
diff --git a/test/ssl-tests/25-cipher.conf b/test/ssl-tests/25-cipher.conf
new file mode 100644
index 0000000000..101ee7c517
--- /dev/null
+++ b/test/ssl-tests/25-cipher.conf
@@ -0,0 +1,244 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 9
+
+test-0 = 0-cipher-server-1
+test-1 = 1-cipher-server-2
+test-2 = 2-cipher-server-client-list
+test-3 = 3-cipher-server-pref-1
+test-4 = 4-cipher-server-pref-2
+test-5 = 5-cipher-server-pref-client-list
+test-6 = 6-cipher-server-pref-not-mobile
+test-7 = 7-cipher-server-pref-mobile
+test-8 = 8-cipher-server-pref-mobile2
+# ===========================================================
+
+[0-cipher-server-1]
+ssl_conf = 0-cipher-server-1-ssl
+
+[0-cipher-server-1-ssl]
+server = 0-cipher-server-1-server
+client = 0-cipher-server-1-client
+
+[0-cipher-server-1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-cipher-server-1-client]
+CipherString = ECDHE-RSA-AES256-SHA384
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedCipher = ECDHE-RSA-AES256-SHA384
+
+
+# ===========================================================
+
+[1-cipher-server-2]
+ssl_conf = 1-cipher-server-2-ssl
+
+[1-cipher-server-2-ssl]
+server = 1-cipher-server-2-server
+client = 1-cipher-server-2-client
+
+[1-cipher-server-2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-cipher-server-2-client]
+CipherString = ECDHE-RSA-AES128-SHA256
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedCipher = ECDHE-RSA-AES128-SHA256
+
+
+# ===========================================================
+
+[2-cipher-server-client-list]
+ssl_conf = 2-cipher-server-client-list-ssl
+
+[2-cipher-server-client-list-ssl]
+server = 2-cipher-server-client-list-server
+client = 2-cipher-server-client-list-client
+
+[2-cipher-server-client-list-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[2-cipher-server-client-list-client]
+CipherString = ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedCipher = ECDHE-RSA-AES128-SHA256
+
+
+# ===========================================================
+
+[3-cipher-server-pref-1]
+ssl_conf = 3-cipher-server-pref-1-ssl
+
+[3-cipher-server-pref-1-ssl]
+server = 3-cipher-server-pref-1-server
+client = 3-cipher-server-pref-1-client
+
+[3-cipher-server-pref-1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+MaxProtocol = TLSv1.2
+Options = ServerPreference
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-cipher-server-pref-1-client]
+CipherString = ECDHE-RSA-AES256-SHA384
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedCipher = ECDHE-RSA-AES256-SHA384
+
+
+# ===========================================================
+
+[4-cipher-server-pref-2]
+ssl_conf = 4-cipher-server-pref-2-ssl
+
+[4-cipher-server-pref-2-ssl]
+server = 4-cipher-server-pref-2-server
+client = 4-cipher-server-pref-2-client
+
+[4-cipher-server-pref-2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+MaxProtocol = TLSv1.2
+Options = ServerPreference
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[4-cipher-server-pref-2-client]
+CipherString = ECDHE-RSA-AES128-SHA256
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-4]
+ExpectedCipher = ECDHE-RSA-AES128-SHA256
+
+
+# ===========================================================
+
+[5-cipher-server-pref-client-list]
+ssl_conf = 5-cipher-server-pref-client-list-ssl
+
+[5-cipher-server-pref-client-list-ssl]
+server = 5-cipher-server-pref-client-list-server
+client = 5-cipher-server-pref-client-list-client
+
+[5-cipher-server-pref-client-list-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+MaxProtocol = TLSv1.2
+Options = ServerPreference
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[5-cipher-server-pref-client-list-client]
+CipherString = ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
+ExpectedCipher = ECDHE-RSA-AES256-SHA384
+
+
+# ===========================================================
+
+[6-cipher-server-pref-not-mobile]
+ssl_conf = 6-cipher-server-pref-not-mobile-ssl
+
+[6-cipher-server-pref-not-mobile-ssl]
+server = 6-cipher-server-pref-not-mobile-server
+client = 6-cipher-server-pref-not-mobile-client
+
+[6-cipher-server-pref-not-mobile-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305
+MaxProtocol = TLSv1.2
+Options = ServerPreference
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[6-cipher-server-pref-not-mobile-client]
+CipherString = ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-6]
+ExpectedCipher = ECDHE-RSA-AES256-SHA384
+
+
+# ===========================================================
+
+[7-cipher-server-pref-mobile]
+ssl_conf = 7-cipher-server-pref-mobile-ssl
+
+[7-cipher-server-pref-mobile-ssl]
+server = 7-cipher-server-pref-mobile-server
+client = 7-cipher-server-pref-mobile-client
+
+[7-cipher-server-pref-mobile-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305
+MaxProtocol = TLSv1.2
+Options = ServerPreference,PrioritizeChaCha
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[7-cipher-server-pref-mobile-client]
+CipherString = ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-7]
+ExpectedCipher = ECDHE-RSA-CHACHA20-POLY1305
+
+
+# ===========================================================
+
+[8-cipher-server-pref-mobile2]
+ssl_conf = 8-cipher-server-pref-mobile2-ssl
+
+[8-cipher-server-pref-mobile2-ssl]
+server = 8-cipher-server-pref-mobile2-server
+client = 8-cipher-server-pref-mobile2-client
+
+[8-cipher-server-pref-mobile2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305
+MaxProtocol = TLSv1.2
+Options = ServerPreference,PrioritizeChaCha
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-cipher-server-pref-mobile2-client]
+CipherString = ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CHACHA20-POLY1305
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-8]
+ExpectedCipher = ECDHE-RSA-AES256-SHA384
+
+
diff --git a/test/ssl-tests/25-cipher.conf.in b/test/ssl-tests/25-cipher.conf.in
new file mode 100644
index 0000000000..c4b0b0509a
--- /dev/null
+++ b/test/ssl-tests/25-cipher.conf.in
@@ -0,0 +1,151 @@
+# -*- mode: perl; -*-
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## Test version negotiation
+
+use strict;
+use warnings;
+
+package ssltests;
+
+
+our @tests = (
+    {
+        name => "cipher-server-1",
+        server => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256",
+	},
+        client => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384"
+        },
+        test => {
+            "ExpectedCipher" => "ECDHE-RSA-AES256-SHA384",
+        },
+    },
+    {
+        name => "cipher-server-2",
+        server => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256",
+	},
+        client => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES128-SHA256"
+        },
+        test => {
+            "ExpectedCipher" => "ECDHE-RSA-AES128-SHA256",
+        },
+    },
+    {
+        name => "cipher-server-client-list",
+        server => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256",
+	},
+        client => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384",
+        },
+        test => {
+            "ExpectedCipher" => "ECDHE-RSA-AES128-SHA256",
+        },
+    },
+    {
+        name => "cipher-server-pref-1",
+        server => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256",
+	    "Options" => "ServerPreference",
+	},
+        client => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384"
+        },
+        test => {
+            "ExpectedCipher" => "ECDHE-RSA-AES256-SHA384",
+        },
+    },
+    {
+        name => "cipher-server-pref-2",
+        server => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256",
+	    "Options" => "ServerPreference",
+	},
+        client => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES128-SHA256"
+        },
+        test => {
+            "ExpectedCipher" => "ECDHE-RSA-AES128-SHA256",
+        },
+    },
+    {
+        name => "cipher-server-pref-client-list",
+        server => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256",
+	    "Options" => "ServerPreference",
+	},
+        client => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384",
+        },
+        test => {
+            "ExpectedCipher" => "ECDHE-RSA-AES256-SHA384",
+        },
+    },
+    {
+        name => "cipher-server-pref-not-mobile",
+        server => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305",
+	    "Options" => "ServerPreference",
+	},
+        client => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384",
+        },
+        test => {
+            "ExpectedCipher" => "ECDHE-RSA-AES256-SHA384",
+        },
+    },
+    {
+        name => "cipher-server-pref-mobile",
+        server => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305",
+	    "Options" => "ServerPreference,PrioritizeChaCha",
+	},
+        client => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384",
+        },
+        test => {
+            "ExpectedCipher" => "ECDHE-RSA-CHACHA20-POLY1305",
+        },
+    },
+    {
+        name => "cipher-server-pref-mobile2",
+        server => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305",
+	    "Options" => "ServerPreference,PrioritizeChaCha",
+	},
+        client => {
+	    "MaxProtocol" => "TLSv1.2",
+	    "CipherString" => "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CHACHA20-POLY1305",
+        },
+        test => {
+            "ExpectedCipher" => "ECDHE-RSA-AES256-SHA384",
+        },
+    },
+);
diff --git a/test/ssl_test.c b/test/ssl_test.c
index dcdd867f43..a21a0f773b 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -318,6 +318,18 @@ static int check_client_ca_names(HANDSHAKE_RESULT *result,
                           result->client_ca_names);
 }
 
+static int check_cipher(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+{
+    if (test_ctx->expected_cipher == NULL)
+        return 1;
+    if (!TEST_ptr(result->cipher))
+        return 0;
+    if (!TEST_str_eq(test_ctx->expected_cipher,
+                     result->cipher))
+        return 0;
+    return 1;
+}
+
 /*
  * This could be further simplified by constructing an expected
  * HANDSHAKE_RESULT, and implementing comparison methods for
@@ -338,6 +350,7 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
 #ifndef OPENSSL_NO_NEXTPROTONEG
         ret &= check_npn(result, test_ctx);
 #endif
+        ret &= check_cipher(result, test_ctx);
         ret &= check_alpn(result, test_ctx);
         ret &= check_resumption(result, test_ctx);
         ret &= check_tmp_key(result, test_ctx);
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index 62417ac2c1..71445c5e24 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -615,6 +615,10 @@ __owur static int parse_expected_client_ca_names(SSL_TEST_CTX *test_ctx,
     return parse_expected_ca_names(&test_ctx->expected_client_ca_names, value);
 }
 
+/* ExpectedCipher */
+
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, expected_cipher)
+
 /* Known test options and their corresponding parse methods. */
 
 /* Top-level options. */
@@ -650,6 +654,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
     { "ExpectedClientSignType", &parse_expected_client_sign_type },
     { "ExpectedClientCANames", &parse_expected_client_ca_names },
     { "UseSCTP", &parse_test_use_sctp },
+    { "ExpectedCipher", &parse_test_expected_cipher },
 };
 
 /* Nested client options. */
@@ -728,6 +733,7 @@ void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx)
     OPENSSL_free(ctx->expected_alpn_protocol);
     sk_X509_NAME_pop_free(ctx->expected_server_ca_names, X509_NAME_free);
     sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free);
+    OPENSSL_free(ctx->expected_cipher);
     OPENSSL_free(ctx);
 }
 
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index cec6b77f73..2d7b0c207f 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -210,6 +210,7 @@ typedef struct {
     int use_sctp;
     /* Whether to expect a session id from the server */
     ssl_session_id_t session_id_expected;
+    char *expected_cipher;
 } SSL_TEST_CTX;
 
 const char *ssl_test_result_name(ssl_test_result_t result);
diff --git a/test/ssl_test_ctx_test.c b/test/ssl_test_ctx_test.c
index d064511df2..70ebb2a0bd 100644
--- a/test/ssl_test_ctx_test.c
+++ b/test/ssl_test_ctx_test.c
@@ -93,6 +93,8 @@ static int testctx_eq(SSL_TEST_CTX *ctx, SSL_TEST_CTX *ctx2)
                             ctx2->expected_npn_protocol)
             || !TEST_str_eq(ctx->expected_alpn_protocol,
                             ctx2->expected_alpn_protocol)
+            || !TEST_str_eq(ctx->expected_cipher,
+                            ctx2->expected_cipher)
             || !TEST_int_eq(ctx->resumption_expected,
                             ctx2->resumption_expected)
             || !TEST_int_eq(ctx->session_id_expected,