mirror/openvpn3
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 12:12:15 +02:00
Code
1a5e4a7558
openvpn3/test/unittests/test_ssl.cpp
Frank Lichtenheld 6715afd4c7 test_ssl: fix ssl.enablelegacyProvider 
Since we didn't have any regular builds against
OpenSSL 3.0 so far we didn't notice that it was
broken by commit 291e675748
(Move SSL context from OpenSSL Context to OpenSSL Config)

Since context is now part of config, we need to use
separate configs.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2022-04-07 12:14:23 +02:00

143 lines
4.7 KiB
C++
Raw Blame History

// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2019 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
#include "test_common.h"
using namespace openvpn;
#include <openvpn/ssl/sslchoose.hpp>
#include <openvpn/ssl/sslapi.hpp>
TEST(ssl, sslciphersuites)
{
SSLFactoryAPI::Ptr sslfact;
SSLLib::SSLAPI::Config::Ptr sslcfg(new SSLLib::SSLAPI::Config);
sslcfg->set_local_cert_enabled(false);
sslcfg->set_flags(SSLConst::NO_VERIFY_PEER);
sslcfg->set_tls_ciphersuite_list("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256");
sslfact = sslcfg->new_factory();
sslcfg->set_tls_ciphersuite_list("TLS_CHACHA2000");
#if defined(USE_MBEDTLS) || OPENSSL_VERSION_NUMBER < 0x10100000L
/* Ignored on non TLS 1.3 implementations */
sslfact = sslcfg->new_factory();
#else
/* This is invalid and should throw an exception */
EXPECT_THROW(sslcfg->new_factory(), SSLFactoryAPI::ssl_context_error);
#endif
}
TEST(ssl, sslciphers)
{
RandomAPI::Ptr rng(new FakeSecureRand);
bool previousLogOutput = testLog->isStdoutEnabled();
testLog->setPrintOutput(false);
SSLFactoryAPI::Ptr sslfact;
SSLLib::SSLAPI::Config::Ptr sslcfg(new SSLLib::SSLAPI::Config);
sslcfg->set_local_cert_enabled(false);
sslcfg->set_flags(SSLConst::NO_VERIFY_PEER);
sslcfg->set_rng(rng);
/* This list mixes IANA and OpenSSL ciphers to see if ciphers are translated for mbed TLS and for OpenSSL */
sslcfg->set_tls_cipher_list("TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:AES256-SHA");
sslfact = sslcfg->new_factory();
sslfact->ssl();
testLog->setPrintOutput(previousLogOutput);
}
TEST(ssl, tls_groups)
{
RandomAPI::Ptr rng(new FakeSecureRand);
SSLFactoryAPI::Ptr sslfact;
SSLLib::SSLAPI::Config::Ptr sslcfg(new SSLLib::SSLAPI::Config);
sslcfg->set_local_cert_enabled(false);
sslcfg->set_flags(SSLConst::NO_VERIFY_PEER);
sslcfg->set_rng(rng);
sslcfg->set_tls_groups("secp521r1:secp384r1");
/* Should not throw an error */
auto f = sslcfg->new_factory();
f->ssl();
sslcfg->set_tls_groups("secp521r1:secp384r1:greenhell");
testLog->startCollecting();
f = sslcfg->new_factory();
f->ssl();
#ifdef USE_OPENSSL
EXPECT_EQ("OpenSSL -- warning ignoring unknown group 'greenhell' in tls-groups\n",testLog->stopCollecting());
#else
EXPECT_EQ("mbed TLS -- warning ignoring unknown group 'greenhell' in tls-groups\n", testLog->stopCollecting());
#endif
}
#if defined(USE_OPENSSL)
TEST(ssl, translate_ciphers_openssl)
{
bool previousLogOutput = testLog->isStdoutEnabled();
testLog->setPrintOutput(false);
EXPECT_EQ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA",
OpenSSLContext::translate_cipher_list("TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:AES256-SHA"));
EXPECT_EQ("DEFAULT", OpenSSLContext::translate_cipher_list("DEFAULT"));
EXPECT_EQ("NONSENSE:AES256-SHA", OpenSSLContext::translate_cipher_list("NONSENSE:AES256-SHA"));
testLog->setPrintOutput(previousLogOutput);
}
#endif
#if defined(USE_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000L
TEST(ssl, enablelegacyProvider)
{
RandomAPI::Ptr rng(new FakeSecureRand);
SSLLib::SSLAPI::Config::Ptr sslcfg(new SSLLib::SSLAPI::Config);
sslcfg->set_local_cert_enabled(false);
sslcfg->set_flags(SSLConst::NO_VERIFY_PEER);
sslcfg->set_rng(rng);
auto f_nolegacy = sslcfg->new_factory();
EXPECT_EQ(SSLLib::CryptoAPI::CipherContext::is_supported(f_nolegacy->libctx(), openvpn::CryptoAlgs::BF_CBC), false);
SSLLib::SSLAPI::Config::Ptr sslcfg_legacy(new SSLLib::SSLAPI::Config);
sslcfg_legacy->set_local_cert_enabled(false);
sslcfg_legacy->set_flags(SSLConst::NO_VERIFY_PEER);
sslcfg_legacy->set_rng(rng);
sslcfg_legacy->enable_legacy_algorithms(true);
/* Should not throw an error */
auto f_legacy = sslcfg_legacy->new_factory();
EXPECT_EQ(SSLLib::CryptoAPI::CipherContext::is_supported(f_legacy->libctx(), openvpn::CryptoAlgs::BF_CBC), true);
}
#endif
View Git Blame Copy Permalink