Diffstat (limited to 'test/test_cipher.py')
-rw-r--r--test/test_cipher.py254
1 files changed, 169 insertions, 85 deletions
diff --git a/test/test_cipher.py b/test/test_cipher.py
index 55989bd..a91f411 100644
--- a/test/test_cipher.py
+++ b/test/test_cipher.py
@@ -10,9 +10,50 @@ WITH_ECC=47
cwd = os.getcwd()
srcdir = os.path.dirname(cwd)
exe = "%s/test_cipher" % srcdir
+openssl = "/usr/bin/openssl"
ciphernum = 0
+CIPHERS_NOT_IN_NSS = ['ECDH-RSA-AES128-SHA256',
+ 'ECDH-ECDSA-AES128-GCM-SHA256',
+ 'ECDH-ECDSA-AES128-SHA256',
+ 'ECDH-RSA-AES128-GCM-SHA256',
+ 'EXP-DES-CBC-SHA',
+]
+
+def assert_equal_openssl(nss_ciphers, ossl_ciphers):
+ (nss, err, rc) = run([exe, "--o", nss_ciphers])
+ assert rc == 0
+ (ossl, err, rc) = run([openssl, "ciphers", ossl_ciphers])
+ assert rc == 0
+
+ nss_list = nss.strip().split(':')
+ nss_list.sort()
+
+ ossl_list = ossl.strip().split(':')
+ ossl_list = list(set(ossl_list))
+ ossl_list.sort()
+
+ # NSS doesn't support the SHA-384 ciphers, remove them from the OpenSSL
+ # output.
+ t = list()
+ for o in ossl_list:
+ if 'SHA384' in o:
+ continue
+ if o in CIPHERS_NOT_IN_NSS:
+ continue
+ t.append(o)
+ ossl_list = t
+
+ if len(nss_list) > len(ossl_list):
+ diff = set(nss_list) - set(ossl_list)
+ elif len(ossl_list) > len(nss_list):
+ diff = set(ossl_list) - set(nss_list)
+ else:
+ diff = ''
+
+ assert nss_list == ossl_list, '%r != %r. Difference %r' % (':'.join(nss_list), ':'.join(ossl_list), diff)
+
class test_ciphers(object):
@classmethod
def setUpClass(cls):
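Review bot: In `assert_equal_openssl` the `diff` shown in the failure message is empty whenever the two lists have the same length but different members, which is the case where a reader most needs it; `diff = set(nss_list) ^ set(ossl_list)` would replace the three-way length comparison and always report the mismatched names. The expected value comes from whatever binary sits at the hard-coded `openssl = "/usr/bin/openssl"`, so the result depends on the installed OpenSSL version and build options; a comment naming the OpenSSL release from which the `CIPHERS_NOT_IN_NSS` and `SHA384` exclusions were derived would help when a newer OpenSSL adds suites. Because both lists are sorted before comparison, the helper checks which suites are selected, not the order in which they are listed.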
@@ -20,131 +61,172 @@ class test_ciphers(object):
assert rc == 0
cls.ciphernum = int(out)
+ def test_RSA(self):
+ assert_equal_openssl("RSA", "RSA:-SSLv2:-SEED:-IDEA")
+
+ def test_kRSA(self):
+ assert_equal_openssl("kRSA", "kRSA:-SSLv2:-SEED:-IDEA")
+
+ def test_aRSA(self):
+ assert_equal_openssl("aRSA", "aRSA:-SSLv2:-SEED:-IDEA:-DH")
+
+ def test_EDH(self):
+ # No DH ciphers supported yet
+ (out, err, rc) = run([exe, "EDH"])
+ assert rc == 1
+
def test_RC4(self):
- (out, err, rc) = run([exe, "RC4"])
- assert rc == 0
- if self.ciphernum < WITH_ECC:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc4_56_sha')
- else:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc4_56_sha, ecdh_ecdsa_rc4_128_sha, ecdhe_ecdsa_rc4_128_sha, ecdh_rsa_128_sha, ecdhe_rsa_rc4_128_sha, ecdh_anon_rc4_128sha')
+ assert_equal_openssl("RC4", "RC4:-KRB5:-PSK:-ADH")
+
+ def test_RC2(self):
+ assert_equal_openssl("RC2", "RC2:-SSLv2:-KRB5")
def test_AES(self):
- (out, err, rc) = run([exe, "AES"])
- assert rc == 0
- if self.ciphernum < WITH_ECC:
- assert_equal(out, 'rsa_aes_128_sha, rsa_aes_256_sha, aes_128_sha_256, aes_256_sha_256, rsa_aes_128_gcm_sha_256')
- else:
- assert_equal(out, 'rsa_aes_128_sha, rsa_aes_256_sha, aes_128_sha_256, aes_256_sha_256, rsa_aes_128_gcm_sha_256, ecdh_ecdsa_rc4_128_sha, ecdh_ecdsa_3des_sha, ecdh_ecdsa_aes_128_sha, ecdh_ecdsa_aes_256_sha, ecdhe_ecdsa_rc4_128_sha, ecdhe_ecdsa_3des_sha, ecdhe_ecdsa_aes_128_sha, ecdhe_ecdsa_aes_256_sha, ecdh_rsa_128_sha, ecdh_rsa_3des_sha, ecdh_rsa_aes_128_sha, ecdh_rsa_aes_256_sha, ecdhe_rsa_aes_128_sha, ecdhe_rsa_aes_256_sha, ecdh_anon_aes_128_sha, ecdh_anon_aes_256_sha, ecdhe_ecdsa_aes_128_sha_256, ecdhe_rsa_aes_128_sha_256, ecdhe_ecdsa_aes_128_gcm_sha_256, ecdhe_rsa_aes_128_gcm_sha_256')
+ assert_equal_openssl("AES", "AES:-PSK:-ADH:-DSS:-DH")
+ def test_AESGCM(self):
+ assert_equal_openssl("AESGCM", "AESGCM:-PSK:-ADH:-DSS:-DH")
+
+ def test_AES128(self):
+ assert_equal_openssl("AES128", "AES128:-PSK:-ADH:-DSS:-DH")
+
+ def test_AES256(self):
+ assert_equal_openssl("AES256", "AES256:-PSK:-ADH:-DSS:-DH")
+
+ def test_CAMELLIA(self):
+ assert_equal_openssl("CAMELLIA", "CAMELLIA:-DH")
+
+ def test_CAMELLIA128(self):
+ assert_equal_openssl("CAMELLIA128", "CAMELLIA128:-DH")
+
+ def test_CAMELLIA256(self):
+ assert_equal_openssl("CAMELLIA256", "CAMELLIA256:-DH")
+
+ def test_3DES(self):
+ assert_equal_openssl("3DES", "3DES:-SSLv2:-PSK:-KRB5:-DH")
+
+ def test_DES(self):
+ assert_equal_openssl("DES", "DES:-SSLv2:-KRB5:-DH")
def test_ALL(self):
- (out, err, rc) = run([exe, "ALL"])
- assert rc == 0
- if self.ciphernum < WITH_ECC:
- 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, aes_128_sha_256, aes_256_sha_256, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, rsa_aes_128_gcm_sha_256'
- else:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, aes_128_sha_256, aes_256_sha_256, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, rsa_aes_128_gcm_sha_256, fips_3des_sha, fips_des_sha, ecdh_ecdsa_rc4_128_sha, ecdh_ecdsa_3des_sha, ecdh_ecdsa_aes_128_sha, ecdh_ecdsa_aes_256_sha, ecdhe_ecdsa_rc4_128_sha, ecdhe_ecdsa_3des_sha, ecdhe_ecdsa_aes_128_sha, ecdhe_ecdsa_aes_256_sha, ecdh_rsa_128_sha, ecdh_rsa_3des_sha, ecdh_rsa_aes_128_sha, ecdh_rsa_aes_256_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdhe_rsa_aes_128_sha, ecdhe_rsa_aes_256_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha, ecdh_anon_aes_128_sha, ecdh_anon_aes_256_sha, ecdhe_ecdsa_aes_128_sha_256, ecdhe_rsa_aes_128_sha_256, ecdhe_ecdsa_aes_128_gcm_sha_256, ecdhe_rsa_aes_128_gcm_sha_256')
+ assert_equal_openssl("ALL", "ALL:-SSLv2:-KRB5:-ADH:-DH:-DSS:-PSK:-SEED:-IDEA")
def test_ALL_no_AES(self):
- (out, err, rc) = run([exe, "ALL:-AES"])
- assert rc == 0
- if self.ciphernum < WITH_ECC:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha')
- else:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha')
+ assert_equal_openssl("ALL:-AES", "ALL:-AES:-SSLv2:-KRB5:-ADH:-DH:-DSS:-PSK:-SEED:-IDEA")
+
+ def test_COMPLEMENTOFALL(self):
+ assert_equal_openssl("COMPLEMENTOFALL", "COMPLEMENTOFALL")
+
+ # skipping DEFAULT as we use the NSS defaults
+ # skipping COMPLEMENTOFDEFAULT as these are all ADH ciphers
def test_SSLv3(self):
- (out, err, rc) = run([exe, "SSLv3"])
- assert rc == 0
- if self.ciphernum < WITH_ECC:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha')
- else:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha, ecdh_ecdsa_rc4_128_sha, ecdh_ecdsa_3des_sha, ecdh_ecdsa_aes_128_sha, ecdh_ecdsa_aes_256_sha, ecdhe_ecdsa_rc4_128_sha, ecdhe_ecdsa_3des_sha, ecdhe_ecdsa_aes_128_sha, ecdhe_ecdsa_aes_256_sha, ecdh_rsa_128_sha, ecdh_rsa_3des_sha, ecdh_rsa_aes_128_sha, ecdh_rsa_aes_256_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdhe_rsa_aes_128_sha, ecdhe_rsa_aes_256_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha, ecdh_anon_aes_128_sha, ecdh_anon_aes_256_sha')
+ assert_equal_openssl("SSLv3", "SSLv3:-KRB5:-PSK:-ADH:-EDH:-SEED:-IDEA")
def test_SSLv3_equals_TLSv1(self):
- (out, err, rc) = run([exe, "SSLv3"])
- (out2, err2, rc2) = run([exe, "TLSv1"])
+ (nss, err, rc) = run([exe, "--o", "SSLv3"])
+ (nss2, err, rc2) = run([exe, "--o", "TLSv1"])
assert rc == 0
assert rc2 == 0
- assert_equal(out, out2)
+ assert_equal(nss, nss2)
def test_TLSv12(self):
- if self.ciphernum < WITH_ECC:
- raise nose.SkipTest('ECC disabled')
- (out, err, rc) = run([exe, "TLSv12"])
- assert rc == 0
- assert_equal(out, 'aes_128_sha_256, aes_256_sha_256, rsa_aes_128_gcm_sha_256, ecdhe_ecdsa_aes_128_sha_256, ecdhe_rsa_aes_128_sha_256, ecdhe_ecdsa_aes_128_gcm_sha_256, ecdhe_rsa_aes_128_gcm_sha_256')
+ assert_equal_openssl("TLSv1.2", "TLSv1.2:TLSv1.2:-ADH:-DH:-DSS")
def test_NULL(self):
- (out, err, rc) = run([exe, "NULL"])
- assert rc == 0
- if self.ciphernum < WITH_ECC:
- assert_equal(out, 'rsa_null_md5, rsa_null_sha, null_sha_256')
- else:
- assert_equal(out, 'rsa_null_md5, rsa_null_sha, null_sha_256, ecdh_ecdsa_null_sha, ecdhe_ecdsa_null_sha, ecdh_rsa_null_sha, ecdhe_rsa_null, ecdh_anon_null_sha')
+ assert_equal_openssl("NULL", "NULL")
def test_nss_rsa_rc4_128(self):
+ # Test NSS cipher parsing
(out, err, rc) = run([exe, "+rsa_rc4_128_md5,+rsa_rc4_128_sha"])
assert rc == 0
assert_equal(out, 'rsa_rc4_128_md5, rsa_rc4_128_sha')
- def test_openssl_cipher(self):
- (out, err, rc) = run([exe, "DES-CBC3-SHA"])
- assert rc == 0
- assert_equal(out, 'rsa_3des_sha')
+ def test_EXP(self):
+ assert_equal_openssl("EXP", "EXP:-SSLv2:-DH:-KRB5")
- def test_openssl_cipherlist(self):
- (out, err, rc) = run([exe, "DES-CBC3-SHA:RC4-SHA"])
- assert rc == 0
- assert_equal(out, 'rsa_rc4_128_sha, rsa_3des_sha')
+ def test_EXPORT(self):
+ assert_equal_openssl("EXPORT", "EXPORT:-SSLv2:-DH:-KRB5")
- def test_EXP(self):
- (out, err, rc) = run([exe, "EXP"])
- assert rc == 0
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc2_40_md5, rsa_des_56_sha, rsa_rc4_56_sha')
+ def test_EXPORT40(self):
+ assert_equal_openssl("EXPORT40", "EXPORT40:-SSLv2:-ADH:-DH:-KRB5")
def test_MD5(self):
- (out, err, rc) = run([exe, "MD5"])
- assert rc == 0
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc2_40_md5')
+ assert_equal_openssl("MD5", "MD5:-SSLv2:-DH:-KRB5")
def test_SHA(self):
- (out, err, rc) = run([exe, "SHA"])
- assert rc == 0
- if self.ciphernum < WITH_ECC:
- assert_equal(out, 'rsa_rc4_128_sha, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha')
- else:
- assert_equal(out, 'rsa_rc4_128_sha, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha, ecdh_ecdsa_rc4_128_sha, ecdh_ecdsa_3des_sha, ecdh_ecdsa_aes_128_sha, ecdh_ecdsa_aes_256_sha, ecdhe_ecdsa_rc4_128_sha, ecdhe_ecdsa_3des_sha, ecdhe_ecdsa_aes_128_sha, ecdhe_ecdsa_aes_256_sha, ecdh_rsa_128_sha, ecdh_rsa_3des_sha, ecdh_rsa_aes_128_sha, ecdh_rsa_aes_256_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdhe_rsa_aes_128_sha, ecdhe_rsa_aes_256_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha, ecdh_anon_aes_128_sha, ecdh_anon_aes_256_sha')
+ assert_equal_openssl("SHA", "SHA:-SSLv2:-DH:-KRB5:-PSK:-IDEA:-SEED")
+
+ def test_HIGH(self):
+ assert_equal_openssl("HIGH", "HIGH:-SSLv2:-DH:-ADH:-KRB5:-PSK")
+
+ def test_MEDIUM(self):
+ assert_equal_openssl("MEDIUM", "MEDIUM:-SSLv2:-ADH:-KRB5:-PSK:-SEED:-IDEA")
+
+ def test_LOW(self):
+ assert_equal_openssl("LOW", "LOW:-SSLv2:-DH:-ADH:-KRB5")
def test_SHA256(self):
- (out, err, rc) = run([exe, "SHA256"])
- assert rc == 0
- if self.ciphernum < WITH_ECC:
- assert_equal(out, 'aes_128_sha_256, aes_256_sha_256')
- else:
- assert_equal(out, 'aes_128_sha_256, aes_256_sha_256, ecdhe_ecdsa_aes_128_sha_256, ecdhe_rsa_aes_128_sha_256')
+ assert_equal_openssl("SHA256", "SHA256:-ADH:-DSS:-DH")
def test_SHA_MD5_minus_AES(self):
- (out, err, rc) = run([exe, "SHA:MD5:-AES"])
- assert rc == 0
- if self.ciphernum < WITH_ECC:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha')
- else:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha')
+ assert_equal_openssl("SHA:MD5:-AES", "SHA:MD5:-AES:-SSLv2:-DH:-DSS:-KRB5:-SEED:-PSK:-IDEA")
- def test_SHA_MD5_not_AES_HIGH(self):
- (out, err, rc) = run([exe, "!AES:SHA:MD5"])
- assert rc == 0
- if self.ciphernum < WITH_ECC:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha')
- else:
- assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha')
+ def test_SHA_MD5_not_AES(self):
+ assert_equal_openssl("!AES:SHA:MD5", "!AES:SHA:MD5:-SSLv2:-DH:-KRB5:-DSS:-SEED:-PSK:-IDEA")
+
+ def test_aECDH(self):
+ assert_equal_openssl("aECDH", "aECDH")
+
+ def test_kECDHe(self):
+ assert_equal_openssl("kECDHe", "kECDHe")
+
+ def test_kECDHr(self):
+ assert_equal_openssl("kECDHr", "kECDHr")
+
+ def test_kEECDH(self):
+ assert_equal_openssl("kEECDH", "kEECDH")
+
+ def test_ECDH(self):
+ assert_equal_openssl("ECDH", "ECDH")
+
+ def test_AES_no_ECDH(self):
+ assert_equal_openssl("AES:-ECDH", "AES:-ECDH:-ADH:-PSK:-DH")
+ assert_equal_openssl("AES+RSA", "AES+RSA")
+
+ def test_logical_and_3DES_RSA(self):
+ assert_equal_openssl("3DES+RSA", "3DES+RSA:-SSLv2")
+
+ def test_logical_and_RSA_RC4(self):
+ assert_equal_openssl("RSA+RC4", "RSA+RC4:-SSLv2")
+
+ def test_logical_and_ECDH_SHA(self):
+ assert_equal_openssl("ECDH+SHA", "ECDH+SHA")
+
+ def test_logical_and_RSA_RC4_no_SHA(self):
+ assert_equal_openssl("RSA+RC4:!SHA", "RSA+RC4:-SSLv2:!SHA")
+
+ def test_additive_RSA_RC4(self):
+ assert_equal_openssl("RSA:+RC4", "RSA:+RC4:-SSLv2:-SEED:-IDEA")
+
+ def test_negative_plus_RSA_MD5(self):
+ assert_equal_openssl("-RC2:RSA+MD5", "-RC2:RSA+MD5:-SSLv2")
def test_nss_subtraction(self):
(out, err, rc) = run([exe, "+rsa_rc4_128_md5,+rsa_rc4_128_sha,-rsa_rc4_128_md5"])
assert rc == 0
assert_equal(out, 'rsa_rc4_128_sha')
+ def test_openssl_cipher(self):
+ (out, err, rc) = run([exe, "DES-CBC3-SHA"])
+ assert rc == 0
+ assert_equal(out, 'rsa_3des_sha')
+
+ def test_openssl_cipherlist(self):
+ (out, err, rc) = run([exe, "DES-CBC3-SHA:RC4-SHA"])
+ assert rc == 0
+ assert_equal(out, 'rsa_rc4_128_sha, rsa_3des_sha')
+
# As long as at least one is valid, things are ok
def test_nss_unknown(self):
(out, err, rc) = run([exe, "+rsa_rc4_128_md5,+unknown"])
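Review bot: The new `test_aECDH`, `test_kECDHe`, `test_kECDHr`, `test_kEECDH`, `test_ECDH` and `test_logical_and_ECDH_SHA` no longer branch on `self.ciphernum < WITH_ECC`, so on an NSS build without ECC they would presumably fail because the OpenSSL side still lists the ECDH suites; the same likely applies to aliases such as `ALL`, `AES` and `SHA`. The removed `test_TLSv12` handled this with `if self.ciphernum < WITH_ECC: raise nose.SkipTest('ECC disabled')`, and the ECDH-only tests could keep that guard. In `test_TLSv12` the OpenSSL string `"TLSv1.2:TLSv1.2:-ADH:-DH:-DSS"` repeats `TLSv1.2`; it is harmless because the helper de-duplicates the OpenSSL list, but it reads like a typo. `test_AES_no_ECDH` also checks `AES+RSA`, which its name does not cover and which would sit better in its own test. The class starts before this hunk and `test_nss_unknown` continues past it.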
@@ -156,7 +238,9 @@ class test_ciphers(object):
assert rc == 0
assert_equal(out, 'aes_128_sha_256')
+ def test_openssl_single_cipher(self):
+ assert_equal_openssl("RC4-SHA", "RC4-SHA")
+
def test_invalid_format(self):
(out, err, rc) = run([exe, "none"])
assert rc == 1
- assert_equal(err, 'nss_engine_cipher.c:291, invalid cipher string none. Format is +cipher1,-cipher2...Unable to parse cipher list')
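Review bot: `test_invalid_format` now asserts only `rc == 1`, so any failure that exits with status 1 passes, not just rejection of the malformed cipher string. The removed assertion was brittle because it pinned `nss_engine_cipher.c:291`, but a substring check such as `assert 'invalid cipher string' in err` would keep the test tied to the parser's error path, assuming the binary still prints that message after this commit. The method may continue past the end of the hunk.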