
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2019 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
#include "test_common.h"
using namespace openvpn;
#include <openvpn/ssl/sslchoose.hpp>
#include <openvpn/ssl/sslapi.hpp>
TEST(ssl, sslciphersuites)
{
    // Exercises parsing of the TLS 1.3 ciphersuite list (tls-ciphersuites).
    // Peer verification is switched off and no local certificate is set
    // because only context creation is under test here, not a handshake.
    SSLFactoryAPI::Ptr factory;
    SSLLib::SSLAPI::Config::Ptr cfg(new SSLLib::SSLAPI::Config);
    cfg->set_local_cert_enabled(false);
    cfg->set_flags(SSLConst::NO_VERIFY_PEER);

    // Two well-known TLS 1.3 suites: must be accepted by every backend.
    cfg->set_tls_ciphersuite_list("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256");
    factory = cfg->new_factory();

    // A name that no backend knows.
    cfg->set_tls_ciphersuite_list("TLS_CHACHA2000");
#if defined(USE_MBEDTLS) || OPENSSL_VERSION_NUMBER < 0x10100000L
    /* Backends without TLS 1.3 ignore the ciphersuite list, so this still succeeds */
    factory = cfg->new_factory();
#else
    /* A TLS 1.3 capable OpenSSL rejects the unknown suite when the context is built */
    EXPECT_THROW(cfg->new_factory(), SSLFactoryAPI::ssl_context_error);
#endif
}
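TEST(ssl, sslciphers)
{
    // Checks that a tls-cipher list mixing IANA names and OpenSSL names is
    // accepted by whichever backend the build uses (OpenSSL or mbed TLS),
    // i.e. that the names are translated before they reach the library.
    //
    // The test logger's stdout setting is restored on every exit path. The
    // previous code restored it with a plain statement at the end, so a
    // throwing new_factory() or ssl() left logging disabled for all tests
    // that ran afterwards.
    struct LogOutputGuard
    {
        const bool previous;
        LogOutputGuard() : previous(testLog->isStdoutEnabled())
        {
            testLog->setPrintOutput(false);
        }
        ~LogOutputGuard()
        {
            testLog->setPrintOutput(previous);
        }
    };

    RandomAPI::Ptr rng(new FakeSecureRand);
    LogOutputGuard logGuard;

    SSLFactoryAPI::Ptr sslfact;
    SSLLib::SSLAPI::Config::Ptr sslcfg(new SSLLib::SSLAPI::Config);
    // No local certificate and no peer verification: only context and
    // session construction are under test, not a handshake.
    sslcfg->set_local_cert_enabled(false);
    sslcfg->set_flags(SSLConst::NO_VERIFY_PEER);
    sslcfg->set_rng(rng);
    /* This list mixes IANA and OpenSSL ciphers to see if ciphers are translated for mbed TLS and for OpenSSL */
    sslcfg->set_tls_cipher_list("TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:AES256-SHA");
    sslfact = sslcfg->new_factory();
    // The session object is discarded; what matters is that creating it
    // with the translated cipher list does not throw.
    sslfact->ssl();
}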
TEST(ssl, tls_groups)
{
    // Exercises parsing of the tls-groups list: known groups are accepted,
    // an unknown group is skipped with a backend-specific warning.
#ifdef USE_OPENSSL
    const char *const expectedWarning = "OpenSSL -- warning ignoring unknown group 'greenhell' in tls-groups\n";
#else
    const char *const expectedWarning = "mbed TLS -- warning ignoring unknown group 'greenhell' in tls-groups\n";
#endif

    RandomAPI::Ptr rng(new FakeSecureRand);
    SSLLib::SSLAPI::Config::Ptr cfg(new SSLLib::SSLAPI::Config);
    cfg->set_local_cert_enabled(false);
    cfg->set_flags(SSLConst::NO_VERIFY_PEER);
    cfg->set_rng(rng);

    /* Every name is known: factory and session creation must not throw */
    cfg->set_tls_groups("secp521r1:secp384r1");
    auto factory = cfg->new_factory();
    factory->ssl();

    /* One unknown name: creation still succeeds, but a warning is logged */
    cfg->set_tls_groups("secp521r1:secp384r1:greenhell");
    testLog->startCollecting();
    factory = cfg->new_factory();
    factory->ssl();
    EXPECT_EQ(expectedWarning, testLog->stopCollecting());
}
#if defined(USE_OPENSSL)
TEST(ssl, translate_ciphers_openssl)
{
    // Table of tls-cipher inputs and the OpenSSL-style list they must be
    // translated to. IANA names are mapped; names OpenSSL already understands
    // ("DEFAULT", "AES256-SHA") and unknown names ("NONSENSE") pass through.
    struct Case
    {
        const char *input;
        const char *expected;
    };
    const Case cases[] = {
        {"TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:AES256-SHA",
         "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA"},
        {"DEFAULT", "DEFAULT"},
        {"NONSENSE:AES256-SHA", "NONSENSE:AES256-SHA"},
    };

    // Silence the logger while translating; the previous setting is put back below.
    const bool stdoutWasEnabled = testLog->isStdoutEnabled();
    testLog->setPrintOutput(false);
    for (const auto &c : cases)
        EXPECT_EQ(c.expected, OpenSSLContext::translate_cipher_list(c.input));
    testLog->setPrintOutput(stdoutWasEnabled);
}
#endif