Implement supporting IANA cipher names in tls-cipher and unit tests
Signed-off-by: Arne Schwabe <arne@openvpn.net>
parent
6e463ca1f4
commit
941104cf49
@ -50,6 +50,7 @@
|
||||
#include <openvpn/ssl/sslapi.hpp>
|
||||
#include <openvpn/ssl/ssllog.hpp>
|
||||
#include <openvpn/ssl/verify_x509_name.hpp>
|
||||
#include <openvpn/ssl/iana_ciphers.hpp>
|
||||
|
||||
#include <openvpn/mbedtls/pki/x509cert.hpp>
|
||||
#include <openvpn/mbedtls/pki/x509certinfo.hpp>
|
||||
@ -976,6 +977,15 @@ namespace openvpn {
|
||||
int i=0;
|
||||
while(std::getline(cipher_list_ss, ciphersuite, ':'))
|
||||
{
|
||||
const tls_cipher_name_pair* pair = tls_get_cipher_name_pair(ciphersuite);
|
||||
|
||||
if (pair && pair->iana_name != ciphersuite)
|
||||
{
|
||||
OPENVPN_LOG_SSL("mbed TLS -- Deprecated cipher suite name '"
|
||||
<< pair->openssl_name << "' please use IANA name ' "
|
||||
<< pair->iana_name << "'");
|
||||
}
|
||||
|
||||
auto cipher_id = mbedtls_ssl_get_ciphersuite_id(ciphersuite.c_str());
|
||||
if (cipher_id != 0)
|
||||
{
|
||||
|
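Review bot: The new lookup in the cipher loop only produces a log line; `mbedtls_ssl_get_ciphersuite_id(ciphersuite.c_str())` is still called with the name exactly as configured, so an entry written with its OpenSSL name is reported as "deprecated" but is not translated to the IANA name before the mbed TLS lookup. Passing the translated name, `auto cipher_id = mbedtls_ssl_get_ciphersuite_id(pair ? pair->iana_name : ciphersuite.c_str());`, would make the configured restriction mean the same thing on both backends. What happens to an entry whose id is 0 is decided below the hunk, so whether such an entry is dropped silently cannot be seen from here. The message literal `"' please use IANA name ' "` also puts a stray space inside the quotes around the IANA name.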
@ -60,6 +60,7 @@
|
||||
#include <openvpn/ssl/sslapi.hpp>
|
||||
#include <openvpn/ssl/ssllog.hpp>
|
||||
#include <openvpn/ssl/sni_handler.hpp>
|
||||
#include <openvpn/ssl/iana_ciphers.hpp>
|
||||
#include <openvpn/openssl/util/error.hpp>
|
||||
#include <openvpn/openssl/pki/extpki.hpp>
|
||||
#include <openvpn/openssl/pki/x509.hpp>
|
||||
@ -574,7 +575,7 @@ namespace openvpn {
|
||||
TLSVersion::Type tls_version_min{TLSVersion::UNDEF}; // minimum TLS version that we will negotiate
|
||||
TLSCertProfile::Type tls_cert_profile{TLSCertProfile::UNDEF};
|
||||
std::string tls_cipher_list;
|
||||
std::string tls_ciphersuite_list
|
||||
std::string tls_ciphersuite_list;
|
||||
X509Track::ConfigSet x509_track_config;
|
||||
bool local_cert_enabled = true;
|
||||
bool client_session_tickets = false;
|
||||
@ -988,9 +989,45 @@ namespace openvpn {
|
||||
#endif
|
||||
};
|
||||
|
||||
private:
|
||||
/////// start of main class implementation
|
||||
static std::string translate_cipher_list(std::string cipherlist)
|
||||
{
|
||||
// OpenVPN 2.x accepts IANA ciphers instead in the cipher list, we need
|
||||
// to do the same
|
||||
|
||||
std::stringstream cipher_list_ss(cipherlist);
|
||||
std::string ciphersuite;
|
||||
|
||||
std::stringstream result;
|
||||
|
||||
|
||||
while(std::getline(cipher_list_ss, ciphersuite, ':'))
|
||||
{
|
||||
const tls_cipher_name_pair* pair = tls_get_cipher_name_pair(ciphersuite);
|
||||
|
||||
if (!result.str().empty())
|
||||
result << ":";
|
||||
|
||||
if (pair)
|
||||
{
|
||||
if (pair->iana_name != ciphersuite)
|
||||
{
|
||||
OPENVPN_LOG_SSL("OpenSSLContext: Deprecated cipher suite name '"
|
||||
<< pair->openssl_name << "' please use IANA name ' "
|
||||
<< pair->iana_name << "'");
|
||||
}
|
||||
result << pair->openssl_name;
|
||||
}
|
||||
else
|
||||
{
|
||||
result << ciphersuite;
|
||||
}
|
||||
}
|
||||
|
||||
return result.str();
|
||||
}
|
||||
|
||||
private:
|
||||
OpenSSLContext(Config* config_arg)
|
||||
: config(config_arg)
|
||||
{
|
||||
@ -1125,9 +1162,13 @@ namespace openvpn {
|
||||
/* Disable SSLv2 cipher suites*/
|
||||
":!SSLv2";
|
||||
|
||||
if (!config->tls_cipher_list.empty())
|
||||
std::string translated_cipherlist;
|
||||
|
||||
if (!config->tls_cipher_list.empty())
|
||||
{
|
||||
tls_cipher_list = config->tls_cipher_list.c_str();
|
||||
translated_cipherlist = translate_cipher_list(config->tls_cipher_list);
|
||||
|
||||
tls_cipher_list = translated_cipherlist.c_str();
|
||||
}
|
||||
|
||||
if (!SSL_CTX_set_cipher_list(ctx, tls_cipher_list))
|
||||
|
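Review bot: `translate_cipher_list` splits on `:` only and looks each token up by exact match, so an entry that carries an OpenSSL rule operator (the `!` form this same file uses in `":!SSLv2"`) is never translated when it is written with an IANA name. As far as I know OpenSSL skips rule names it does not recognise rather than failing, which would mean an exclusion such as `!TLS-RSA-WITH-RC4-128-SHA` is accepted by `SSL_CTX_set_cipher_list` without excluding anything. The loop should split a leading `!`, `-` or `+` off the token before the lookup and put it back in front of the translated name, as sketched below. Separately, `result.str().empty()` copies the accumulated string on every iteration and drops the separator after an empty leading token; a `bool first` flag avoids both.

```cpp
while (std::getline(cipher_list_ss, ciphersuite, ':'))
{
    // Keep a leading OpenSSL rule operator out of the table lookup so that
    // exclusions written with IANA names are translated as well.
    std::string rule_op;
    if (!ciphersuite.empty() && std::string("!-+").find(ciphersuite[0]) != std::string::npos)
    {
        rule_op = ciphersuite.substr(0, 1);
        ciphersuite.erase(0, 1);
    }
    const tls_cipher_name_pair* pair = tls_get_cipher_name_pair(ciphersuite);
    // … unchanged: separator handling and deprecation log …
    result << rule_op << (pair ? pair->openssl_name : ciphersuite.c_str());
}
```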
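--- a/openvpn/ssl/iana_ciphers.hpp
+++ b/openvpn/ssl/iana_ciphers.hpp
@@ -0,0 +1,174 @@
+// OpenVPN -- An application to securely tunnel IP networks
+// over a single port, with support for SSL/TLS-based
+// session authentication and key exchange,
+// packet encryption, packet authentication, and
+// packet compression.
+//
+// Copyright (C) 2020 OpenVPN Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License Version 3
+// as published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program in the COPYING file.
+// If not, see <http://www.gnu.org/licenses/>.
+
+#pragma once
+
+namespace openvpn {
+
+struct tls_cipher_name_pair
+{
+const char* openssl_name;
+const char* iana_name;
+};
+
+/**
+* SSL/TLS Cipher suite name translation table
+*/
+static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
+{"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
+{"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
+{"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
+{"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
+{"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
+{"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
+{"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
+{"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
+{"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
+{"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
+{"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
+{"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
+{"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
+{"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
+{"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
+{"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
+{"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
+{"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
+{"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
+{"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
+{"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
+{"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
+{"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
+{"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
+{"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
+{"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
+{"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
+{"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
+{"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
+{"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
+{"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
+{"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
+{"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
+{"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
+{"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
+{"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
+{"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
+{"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
+{"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
+{"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
+{"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
+{"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
+{"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
+{"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
+{"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
+{"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
+{"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
+{"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
+{"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
+{"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
+{"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
+{"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
+{"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
+{"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
+{"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
+{"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
+{"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
+{"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
+{"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
+{"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
+{"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
+{"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
+{"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
+{"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
+{"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
+{"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
+{"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
+{"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
+{"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
+{"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
+{"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
+{"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
+{"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
+{"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
+{"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
+{"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
+{"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
+{"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
+{"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
+{"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
+{"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
+{"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
+{"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
+{"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
+{"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
+{"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
+{"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
+{"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
+{"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
+{"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
+{"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
+{"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
+{"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
+{"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
+{"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
+{"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
+{"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
+{"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
+{"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
+{"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
+{"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
+{"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
+{"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
+{"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
+{"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
+{"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
+{"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
+{"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
+{"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
+{"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
+{"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
+{"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
+{"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
+{"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
+{"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
+{"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
+{"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
+{"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
+{"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
+{"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
+{"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
+{"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
+{"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
+{"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"}
+};
+
+inline const tls_cipher_name_pair*
+tls_get_cipher_name_pair(const std::string& ciphername)
+{
+for (auto& pair: tls_cipher_name_translation_table)
+{
+if (pair.iana_name == ciphername || pair.openssl_name == ciphername)
+return &pair;
+}
+
+/* No entry found, return NULL */
+return NULL;
+}
+}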
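Review bot: The header uses `std::string` in `tls_get_cipher_name_pair` but includes nothing after `#pragma once`, so it compiles only when an earlier include happens to provide `<string>`; add `#include <string>` there. The table also carries names for NULL, EXPORT, RC4, single-DES and anonymous-DH suites, and nothing in the file says that a hit in the table is purely a naming fact. A comment on the table such as `// Name mapping only: an entry here does not mean the suite is enabled or acceptable` would keep later callers from reading the lookup as an allow-list. `return NULL;` would be better written as `return nullptr;` in a C++ header.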
@ -19,23 +19,8 @@ else ()
|
||||
message("lzo not found, skipping lzo compression tests")
|
||||
endif ()
|
||||
|
||||
if (${USE_MBEDTLS})
|
||||
set(TESTS_CRYPTO
|
||||
test_mbedtls_x509certinfo.cpp
|
||||
)
|
||||
else ()
|
||||
set(TESTS_CRYPTO
|
||||
test_openssl_x509certinfo.cpp
|
||||
)
|
||||
endif ()
|
||||
|
||||
set(SOURCES
|
||||
core_tests.cpp
|
||||
test_route_emulation.cpp
|
||||
test_log.cpp
|
||||
test_comp.cpp
|
||||
test_b64.cpp
|
||||
test_verify_x509_name.cpp
|
||||
|
||||
${TESTS_CRYPTO}
|
||||
)
|
||||
|
||||
@ -55,7 +40,26 @@ set(CORE_TEST_DEFINES
|
||||
-DUNITTEST_SOURCE_DIR=\"${CMAKE_CURRENT_SOURCE_DIR}/\"
|
||||
)
|
||||
|
||||
add_executable(coreUnitTests ${SOURCES})
|
||||
add_executable(coreUnitTests
|
||||
core_tests.cpp
|
||||
test_route_emulation.cpp
|
||||
test_log.cpp
|
||||
test_comp.cpp
|
||||
test_b64.cpp
|
||||
test_verify_x509_name.cpp
|
||||
test_ssl.cpp
|
||||
)
|
||||
|
||||
if (${USE_MBEDTLS})
|
||||
target_sources(coreUnitTests PRIVATE
|
||||
test_mbedtls_x509certinfo.cpp
|
||||
)
|
||||
else ()
|
||||
target_sources(coreUnitTests PRIVATE
|
||||
test_openssl_x509certinfo.cpp
|
||||
)
|
||||
endif ()
|
||||
|
||||
|
||||
add_core_dependencies(coreUnitTests)
|
||||
target_link_libraries(coreUnitTests ${GTEST_LIB} ${EXTRA_LIBS})
|
||||
|
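--- a/test/unittests/test_ssl.cpp
+++ b/test/unittests/test_ssl.cpp
@@ -0,0 +1,80 @@
+// OpenVPN -- An application to securely tunnel IP networks
+// over a single port, with support for SSL/TLS-based
+// session authentication and key exchange,
+// packet encryption, packet authentication, and
+// packet compression.
+//
+// Copyright (C) 2012-2019 OpenVPN Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License Version 3
+// as published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program in the COPYING file.
+
+#include "test_common.h"
+
+
+using namespace openvpn;
+
+#include <openvpn/ssl/sslchoose.hpp>
+#include <openvpn/ssl/sslapi.hpp>
+
+TEST(ssl, sslciphersuites)
+{
+SSLFactoryAPI::Ptr sslfact;
+SSLLib::SSLAPI::Config::Ptr sslcfg(new SSLLib::SSLAPI::Config);
+sslcfg->set_local_cert_enabled(false);
+sslcfg->set_flags(SSLConst::NO_VERIFY_PEER);
+
+sslcfg->set_tls_ciphersuite_list("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256");
+
+sslfact = sslcfg->new_factory();
+
+
+sslcfg->set_tls_ciphersuite_list("TLS_CHACHA2000");
+#if defined(USE_MBEDTLS) || OPENSSL_VERSION_NUMBER < 0x10100000L
+/* Ignored on non TLS 1.3 implementations */
+sslfact = sslcfg->new_factory();
+#else
+/* This is invalid and should throw an exception */
+EXPECT_THROW(sslcfg->new_factory(), SSLFactoryAPI::ssl_context_error);
+#endif
+}
+
+TEST(ssl, sslciphers)
+{
+bool previousLogOutput = testLog->isStdoutEnabled();
+testLog->setPrintOutput(false);
+SSLFactoryAPI::Ptr sslfact;
+SSLLib::SSLAPI::Config::Ptr sslcfg(new SSLLib::SSLAPI::Config);
+sslcfg->set_local_cert_enabled(false);
+sslcfg->set_flags(SSLConst::NO_VERIFY_PEER);
+
+/* This list mixes IANA and OpenSSL ciphers to see if ciphers are translated for mbed TLS and for OpenSSL */
+sslcfg->set_tls_cipher_list("TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:AES256-SHA");
+
+sslfact = sslcfg->new_factory();
+
+testLog->setPrintOutput(previousLogOutput);
+}
+
+#if defined(USE_OPENSSL)
+TEST(ssl, translate_ciphers_openssl)
+{
+bool previousLogOutput = testLog->isStdoutEnabled();
+testLog->setPrintOutput(false);
+EXPECT_EQ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA",
+OpenSSLContext::translate_cipher_list("TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:AES256-SHA"));
+EXPECT_EQ("DEFAULT", OpenSSLContext::translate_cipher_list("DEFAULT"));
+EXPECT_EQ("NONSENSE:AES256-SHA", OpenSSLContext::translate_cipher_list("NONSENSE:AES256-SHA"));
+
+testLog->setPrintOutput(previousLogOutput);
+}
+#endif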
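Review bot: `TEST(ssl, sslciphers)` passes as long as `new_factory()` does not throw, so it cannot tell a list entry that was translated from one the backend skipped, and its own comment says it is meant to check translation on both mbed TLS and OpenSSL. `translate_ciphers_openssl` is the only test that asserts on the translated string, and it has no entry with a rule prefix; a case such as `EXPECT_EQ("!RC4-SHA", OpenSSLContext::translate_cipher_list("!TLS-RSA-WITH-RC4-128-SHA"));` would pin how exclusions written with IANA names are handled. Both tests restore the log setting on their last line, which is skipped if anything above throws; a small scope guard would keep a failure here from muting output in later tests.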