Diffstat (limited to 'test/test_cipher.py')
-rw-r--r-- | test/test_cipher.py | 254 |
1 files changed, 169 insertions, 85 deletions
diff --git a/test/test_cipher.py b/test/test_cipher.py index 55989bd..a91f411 100644 --- a/test/test_cipher.py +++ b/test/test_cipher.py @@ -10,9 +10,50 @@ WITH_ECC=47 cwd = os.getcwd() srcdir = os.path.dirname(cwd) exe = "%s/test_cipher" % srcdir +openssl = "/usr/bin/openssl" ciphernum = 0 +CIPHERS_NOT_IN_NSS = ['ECDH-RSA-AES128-SHA256', + 'ECDH-ECDSA-AES128-GCM-SHA256', + 'ECDH-ECDSA-AES128-SHA256', + 'ECDH-RSA-AES128-GCM-SHA256', + 'EXP-DES-CBC-SHA', +] + +def assert_equal_openssl(nss_ciphers, ossl_ciphers): + (nss, err, rc) = run([exe, "--o", nss_ciphers]) + assert rc == 0 + (ossl, err, rc) = run([openssl, "ciphers", ossl_ciphers]) + assert rc == 0 + + nss_list = nss.strip().split(':') + nss_list.sort() + + ossl_list = ossl.strip().split(':') + ossl_list = list(set(ossl_list)) + ossl_list.sort() + + # NSS doesn't support the SHA-384 ciphers, remove them from the OpenSSL + # output. + t = list() + for o in ossl_list: + if 'SHA384' in o: + continue + if o in CIPHERS_NOT_IN_NSS: + continue + t.append(o) + ossl_list = t + + if len(nss_list) > len(ossl_list): + diff = set(nss_list) - set(ossl_list) + elif len(ossl_list) > len(nss_list): + diff = set(ossl_list) - set(nss_list) + else: + diff = '' + + assert nss_list == ossl_list, '%r != %r. Difference %r' % (':'.join(nss_list), ':'.join(ossl_list), diff) + class test_ciphers(object): @classmethod def setUpClass(cls): 
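Review bot: The `diff` shown in assert_equal_openssl's failure message is computed only when the two lists differ in length; when they have the same length but different members it is `''`, which is the case where the reporter most needs it. Replacing the if/elif/else with `diff = set(nss_list) ^ set(ossl_list)` covers all three cases in one line. The `list(set(...))` dedup is applied only to the OpenSSL side, so a duplicated name in the NSS output would still fail with a misleading message; applying the same dedup to `nss_list` keeps both sides comparable. `openssl` is a hard-coded `/usr/bin/openssl` whose cipher table changes between releases, so the expected set is effectively "whatever the host OpenSSL prints" minus the hand-maintained `SHA384` and `CIPHERS_NOT_IN_NSS` exclusions — a comment above `CIPHERS_NOT_IN_NSS` recording the OpenSSL version those exclusions were derived against would tell the next maintainer when the list needs revisiting.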
@@ -20,131 +61,172 @@ class test_ciphers(object): assert rc == 0 cls.ciphernum = int(out) + def test_RSA(self): + assert_equal_openssl("RSA", "RSA:-SSLv2:-SEED:-IDEA") + + def test_kRSA(self): + assert_equal_openssl("kRSA", "kRSA:-SSLv2:-SEED:-IDEA") + + def test_aRSA(self): + assert_equal_openssl("aRSA", "aRSA:-SSLv2:-SEED:-IDEA:-DH") + + def test_EDH(self): + # No DH ciphers supported yet + (out, err, rc) = run([exe, "EDH"]) + assert rc == 1 + def test_RC4(self): - (out, err, rc) = run([exe, "RC4"]) - assert rc == 0 - if self.ciphernum < WITH_ECC: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc4_56_sha') - else: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc4_56_sha, ecdh_ecdsa_rc4_128_sha, ecdhe_ecdsa_rc4_128_sha, ecdh_rsa_128_sha, ecdhe_rsa_rc4_128_sha, ecdh_anon_rc4_128sha') + assert_equal_openssl("RC4", "RC4:-KRB5:-PSK:-ADH") + + def test_RC2(self): + assert_equal_openssl("RC2", "RC2:-SSLv2:-KRB5") def test_AES(self): - (out, err, rc) = run([exe, "AES"]) - assert rc == 0 - if self.ciphernum < WITH_ECC: - assert_equal(out, 'rsa_aes_128_sha, rsa_aes_256_sha, aes_128_sha_256, aes_256_sha_256, rsa_aes_128_gcm_sha_256') - else: - assert_equal(out, 'rsa_aes_128_sha, rsa_aes_256_sha, aes_128_sha_256, aes_256_sha_256, rsa_aes_128_gcm_sha_256, ecdh_ecdsa_rc4_128_sha, ecdh_ecdsa_3des_sha, ecdh_ecdsa_aes_128_sha, ecdh_ecdsa_aes_256_sha, ecdhe_ecdsa_rc4_128_sha, ecdhe_ecdsa_3des_sha, ecdhe_ecdsa_aes_128_sha, ecdhe_ecdsa_aes_256_sha, ecdh_rsa_128_sha, ecdh_rsa_3des_sha, ecdh_rsa_aes_128_sha, ecdh_rsa_aes_256_sha, ecdhe_rsa_aes_128_sha, ecdhe_rsa_aes_256_sha, ecdh_anon_aes_128_sha, ecdh_anon_aes_256_sha, ecdhe_ecdsa_aes_128_sha_256, ecdhe_rsa_aes_128_sha_256, ecdhe_ecdsa_aes_128_gcm_sha_256, ecdhe_rsa_aes_128_gcm_sha_256') + assert_equal_openssl("AES", "AES:-PSK:-ADH:-DSS:-DH") + def test_AESGCM(self): + assert_equal_openssl("AESGCM", "AESGCM:-PSK:-ADH:-DSS:-DH") + + def test_AES128(self): + 
assert_equal_openssl("AES128", "AES128:-PSK:-ADH:-DSS:-DH") + + def test_AES256(self): + assert_equal_openssl("AES256", "AES256:-PSK:-ADH:-DSS:-DH") + + def test_CAMELLIA(self): + assert_equal_openssl("CAMELLIA", "CAMELLIA:-DH") + + def test_CAMELLIA128(self): + assert_equal_openssl("CAMELLIA128", "CAMELLIA128:-DH") + + def test_CAMELLIA256(self): + assert_equal_openssl("CAMELLIA256", "CAMELLIA256:-DH") + + def test_3DES(self): + assert_equal_openssl("3DES", "3DES:-SSLv2:-PSK:-KRB5:-DH") + + def test_DES(self): + assert_equal_openssl("DES", "DES:-SSLv2:-KRB5:-DH") def test_ALL(self): - (out, err, rc) = run([exe, "ALL"]) - assert rc == 0 - if self.ciphernum < WITH_ECC: - 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, aes_128_sha_256, aes_256_sha_256, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, rsa_aes_128_gcm_sha_256' - else: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, aes_128_sha_256, aes_256_sha_256, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, rsa_aes_128_gcm_sha_256, fips_3des_sha, fips_des_sha, ecdh_ecdsa_rc4_128_sha, ecdh_ecdsa_3des_sha, ecdh_ecdsa_aes_128_sha, ecdh_ecdsa_aes_256_sha, ecdhe_ecdsa_rc4_128_sha, ecdhe_ecdsa_3des_sha, ecdhe_ecdsa_aes_128_sha, ecdhe_ecdsa_aes_256_sha, ecdh_rsa_128_sha, ecdh_rsa_3des_sha, ecdh_rsa_aes_128_sha, ecdh_rsa_aes_256_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdhe_rsa_aes_128_sha, ecdhe_rsa_aes_256_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha, ecdh_anon_aes_128_sha, ecdh_anon_aes_256_sha, ecdhe_ecdsa_aes_128_sha_256, ecdhe_rsa_aes_128_sha_256, ecdhe_ecdsa_aes_128_gcm_sha_256, ecdhe_rsa_aes_128_gcm_sha_256') + assert_equal_openssl("ALL", "ALL:-SSLv2:-KRB5:-ADH:-DH:-DSS:-PSK:-SEED:-IDEA") def test_ALL_no_AES(self): - (out, err, rc) = run([exe, "ALL:-AES"]) - assert rc == 0 - if self.ciphernum < 
WITH_ECC: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha') - else: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha') + assert_equal_openssl("ALL:-AES", "ALL:-AES:-SSLv2:-KRB5:-ADH:-DH:-DSS:-PSK:-SEED:-IDEA") + + def test_COMPLEMENTOFALL(self): + assert_equal_openssl("COMPLEMENTOFALL", "COMPLEMENTOFALL") + + # skipping DEFAULT as we use the NSS defaults + # skipping COMPLEMENTOFDEFAULT as these are all ADH ciphers def test_SSLv3(self): - (out, err, rc) = run([exe, "SSLv3"]) - assert rc == 0 - if self.ciphernum < WITH_ECC: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha') - else: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha, ecdh_ecdsa_rc4_128_sha, ecdh_ecdsa_3des_sha, ecdh_ecdsa_aes_128_sha, ecdh_ecdsa_aes_256_sha, ecdhe_ecdsa_rc4_128_sha, ecdhe_ecdsa_3des_sha, ecdhe_ecdsa_aes_128_sha, ecdhe_ecdsa_aes_256_sha, ecdh_rsa_128_sha, ecdh_rsa_3des_sha, ecdh_rsa_aes_128_sha, ecdh_rsa_aes_256_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdhe_rsa_aes_128_sha, ecdhe_rsa_aes_256_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha, ecdh_anon_aes_128_sha, ecdh_anon_aes_256_sha') + assert_equal_openssl("SSLv3", "SSLv3:-KRB5:-PSK:-ADH:-EDH:-SEED:-IDEA") def test_SSLv3_equals_TLSv1(self): - (out, err, 
rc) = run([exe, "SSLv3"]) - (out2, err2, rc2) = run([exe, "TLSv1"]) + (nss, err, rc) = run([exe, "--o", "SSLv3"]) + (nss2, err, rc2) = run([exe, "--o", "TLSv1"]) assert rc == 0 assert rc2 == 0 - assert_equal(out, out2) + assert_equal(nss, nss2) def test_TLSv12(self): - if self.ciphernum < WITH_ECC: - raise nose.SkipTest('ECC disabled') - (out, err, rc) = run([exe, "TLSv12"]) - assert rc == 0 - assert_equal(out, 'aes_128_sha_256, aes_256_sha_256, rsa_aes_128_gcm_sha_256, ecdhe_ecdsa_aes_128_sha_256, ecdhe_rsa_aes_128_sha_256, ecdhe_ecdsa_aes_128_gcm_sha_256, ecdhe_rsa_aes_128_gcm_sha_256') + assert_equal_openssl("TLSv1.2", "TLSv1.2:TLSv1.2:-ADH:-DH:-DSS") def test_NULL(self): - (out, err, rc) = run([exe, "NULL"]) - assert rc == 0 - if self.ciphernum < WITH_ECC: - assert_equal(out, 'rsa_null_md5, rsa_null_sha, null_sha_256') - else: - assert_equal(out, 'rsa_null_md5, rsa_null_sha, null_sha_256, ecdh_ecdsa_null_sha, ecdhe_ecdsa_null_sha, ecdh_rsa_null_sha, ecdhe_rsa_null, ecdh_anon_null_sha') + assert_equal_openssl("NULL", "NULL") def test_nss_rsa_rc4_128(self): + # Test NSS cipher parsing (out, err, rc) = run([exe, "+rsa_rc4_128_md5,+rsa_rc4_128_sha"]) assert rc == 0 assert_equal(out, 'rsa_rc4_128_md5, rsa_rc4_128_sha') - def test_openssl_cipher(self): - (out, err, rc) = run([exe, "DES-CBC3-SHA"]) - assert rc == 0 - assert_equal(out, 'rsa_3des_sha') + def test_EXP(self): + assert_equal_openssl("EXP", "EXP:-SSLv2:-DH:-KRB5") - def test_openssl_cipherlist(self): - (out, err, rc) = run([exe, "DES-CBC3-SHA:RC4-SHA"]) - assert rc == 0 - assert_equal(out, 'rsa_rc4_128_sha, rsa_3des_sha') + def test_EXPORT(self): + assert_equal_openssl("EXPORT", "EXPORT:-SSLv2:-DH:-KRB5") - def test_EXP(self): - (out, err, rc) = run([exe, "EXP"]) - assert rc == 0 - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc2_40_md5, rsa_des_56_sha, rsa_rc4_56_sha') + def test_EXPORT40(self): + assert_equal_openssl("EXPORT40", "EXPORT40:-SSLv2:-ADH:-DH:-KRB5") def test_MD5(self): - (out, err, rc) = run([exe, 
"MD5"]) - assert rc == 0 - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc2_40_md5') + assert_equal_openssl("MD5", "MD5:-SSLv2:-DH:-KRB5") def test_SHA(self): - (out, err, rc) = run([exe, "SHA"]) - assert rc == 0 - if self.ciphernum < WITH_ECC: - assert_equal(out, 'rsa_rc4_128_sha, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha') - else: - assert_equal(out, 'rsa_rc4_128_sha, rsa_des_sha, rsa_3des_sha, rsa_aes_128_sha, rsa_aes_256_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha, ecdh_ecdsa_rc4_128_sha, ecdh_ecdsa_3des_sha, ecdh_ecdsa_aes_128_sha, ecdh_ecdsa_aes_256_sha, ecdhe_ecdsa_rc4_128_sha, ecdhe_ecdsa_3des_sha, ecdhe_ecdsa_aes_128_sha, ecdhe_ecdsa_aes_256_sha, ecdh_rsa_128_sha, ecdh_rsa_3des_sha, ecdh_rsa_aes_128_sha, ecdh_rsa_aes_256_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdhe_rsa_aes_128_sha, ecdhe_rsa_aes_256_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha, ecdh_anon_aes_128_sha, ecdh_anon_aes_256_sha') + assert_equal_openssl("SHA", "SHA:-SSLv2:-DH:-KRB5:-PSK:-IDEA:-SEED") + + def test_HIGH(self): + assert_equal_openssl("HIGH", "HIGH:-SSLv2:-DH:-ADH:-KRB5:-PSK") + + def test_MEDIUM(self): + assert_equal_openssl("MEDIUM", "MEDIUM:-SSLv2:-ADH:-KRB5:-PSK:-SEED:-IDEA") + + def test_LOW(self): + assert_equal_openssl("LOW", "LOW:-SSLv2:-DH:-ADH:-KRB5") def test_SHA256(self): - (out, err, rc) = run([exe, "SHA256"]) - assert rc == 0 - if self.ciphernum < WITH_ECC: - assert_equal(out, 'aes_128_sha_256, aes_256_sha_256') - else: - assert_equal(out, 'aes_128_sha_256, aes_256_sha_256, ecdhe_ecdsa_aes_128_sha_256, ecdhe_rsa_aes_128_sha_256') + assert_equal_openssl("SHA256", "SHA256:-ADH:-DSS:-DH") def test_SHA_MD5_minus_AES(self): - (out, err, rc) = run([exe, "SHA:MD5:-AES"]) - assert rc == 0 - if self.ciphernum < WITH_ECC: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, 
rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha') - else: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha') + assert_equal_openssl("SHA:MD5:-AES", "SHA:MD5:-AES:-SSLv2:-DH:-DSS:-KRB5:-SEED:-PSK:-IDEA") - def test_SHA_MD5_not_AES_HIGH(self): - (out, err, rc) = run([exe, "!AES:SHA:MD5"]) - assert rc == 0 - if self.ciphernum < WITH_ECC: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha') - else: - assert_equal(out, 'rsa_rc4_40_md5, rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_rc2_40_md5, rsa_des_sha, rsa_3des_sha, camelia_128_sha, rsa_des_56_sha, rsa_rc4_56_sha, camelia_256_sha, fips_3des_sha, fips_des_sha, ecdhe_rsa_rc4_128_sha, ecdhe_rsa_3des_sha, ecdh_anon_rc4_128sha, ecdh_anon_3des_sha') + def test_SHA_MD5_not_AES(self): + assert_equal_openssl("!AES:SHA:MD5", "!AES:SHA:MD5:-SSLv2:-DH:-KRB5:-DSS:-SEED:-PSK:-IDEA") + + def test_aECDH(self): + assert_equal_openssl("aECDH", "aECDH") + + def test_kECDHe(self): + assert_equal_openssl("kECDHe", "kECDHe") + + def test_kECDHr(self): + assert_equal_openssl("kECDHr", "kECDHr") + + def test_kEECDH(self): + assert_equal_openssl("kEECDH", "kEECDH") + + def test_ECDH(self): + assert_equal_openssl("ECDH", "ECDH") + + def test_AES_no_ECDH(self): + assert_equal_openssl("AES:-ECDH", "AES:-ECDH:-ADH:-PSK:-DH") + assert_equal_openssl("AES+RSA", "AES+RSA") + + def test_logical_and_3DES_RSA(self): + assert_equal_openssl("3DES+RSA", "3DES+RSA:-SSLv2") + + def test_logical_and_RSA_RC4(self): + assert_equal_openssl("RSA+RC4", "RSA+RC4:-SSLv2") + + def 
test_logical_and_ECDH_SHA(self): + assert_equal_openssl("ECDH+SHA", "ECDH+SHA") + + def test_logical_and_RSA_RC4_no_SHA(self): + assert_equal_openssl("RSA+RC4:!SHA", "RSA+RC4:-SSLv2:!SHA") + + def test_additive_RSA_RC4(self): + assert_equal_openssl("RSA:+RC4", "RSA:+RC4:-SSLv2:-SEED:-IDEA") + + def test_negative_plus_RSA_MD5(self): + assert_equal_openssl("-RC2:RSA+MD5", "-RC2:RSA+MD5:-SSLv2") def test_nss_subtraction(self): (out, err, rc) = run([exe, "+rsa_rc4_128_md5,+rsa_rc4_128_sha,-rsa_rc4_128_md5"]) assert rc == 0 assert_equal(out, 'rsa_rc4_128_sha') + def test_openssl_cipher(self): + (out, err, rc) = run([exe, "DES-CBC3-SHA"]) + assert rc == 0 + assert_equal(out, 'rsa_3des_sha') + + def test_openssl_cipherlist(self): + (out, err, rc) = run([exe, "DES-CBC3-SHA:RC4-SHA"]) + assert rc == 0 + assert_equal(out, 'rsa_rc4_128_sha, rsa_3des_sha') + # As long as at least one is valid, things are ok def test_nss_unknown(self): (out, err, rc) = run([exe, "+rsa_rc4_128_md5,+unknown"]) @@ -156,7 +238,9 @@ class test_ciphers(object): assert rc == 0 assert_equal(out, 'aes_128_sha_256') + def test_openssl_single_cipher(self): + assert_equal_openssl("RC4-SHA", "RC4-SHA") + def test_invalid_format(self): (out, err, rc) = run([exe, "none"]) assert rc == 1 - assert_equal(err, 'nss_engine_cipher.c:291, invalid cipher string none. Format is +cipher1,-cipher2...Unable to parse cipher list') |
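Review bot: test_AES_no_ECDH makes two unrelated assertions; the second, `assert_equal_openssl("AES+RSA", "AES+RSA")`, is a logical-and case that belongs in its own method (`test_logical_and_AES_RSA`) beside the other test_logical_and_* tests, otherwise a failure there is reported against the ECDH-exclusion case. The OpenSSL string in test_TLSv12, `"TLSv1.2:TLSv1.2:-ADH:-DH:-DSS"`, repeats the keyword; the `set()` dedup in the helper masks it, but it reads as a typo for `"TLSv1.2:-ADH:-DH:-DSS"`. The removed `self.ciphernum < WITH_ECC` branches are not carried over, so the new ECDH tests (test_aECDH through test_ECDH and test_logical_and_ECDH_SHA) presumably compare an empty NSS list against OpenSSL's ECDH list when NSS is built without ECC — the skip the old test_TLSv12 used, `if self.ciphernum < WITH_ECC: raise nose.SkipTest('ECC disabled')`, still fits there (whether `nose` is still imported is outside this hunk). test_EDH asserts `rc == 1` under "No DH ciphers supported yet", so it will start failing the day DH support lands; a skip, or a comment stating that the failure is the intended signal, would make that explicit. The enclosing class test_ciphers starts before this hunk.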
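Review bot: test_invalid_format now checks only `rc == 1` once the exact-message assertion is removed, so any failure path that exits 1 — not just the parser rejecting `none` — passes the test. Asserting on a stable fragment instead of the old line-numbered message keeps the check without the brittleness, e.g. `assert 'invalid cipher string none' in err`. The enclosing class test_ciphers starts before this hunk.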