1 /*
2  * Copyright (c) Facebook, Inc. and its affiliates.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <folly/io/async/test/SSLUtil.h>
18 
19 #include <algorithm>
20 #include <set>
21 
22 namespace {
23 
24 std::set<std::string> const suitesFor13{
25     "TLS_AES_256_GCM_SHA384",
26     "TLS_CHACHA20_POLY1305_SHA256",
27     "TLS_AES_128_GCM_SHA256",
28     "TLS_AES_128_CCM_8_SHA256",
29     "TLS_AES_128_CCM_SHA256",
30 };
31 
32 } // namespace
33 
34 namespace folly {
35 namespace test {
36 
getCiphersFromSSL(SSL * s)37 std::vector<std::string> getCiphersFromSSL(SSL* s) {
38   std::vector<std::string> osslCiphers;
39   for (int i = 0;; i++) {
40     auto c = SSL_get_cipher_list(s, i);
41     if (c == nullptr) {
42       break;
43     }
44     osslCiphers.emplace_back(std::move(c));
45   }
46 
47   return osslCiphers;
48 }
49 
getNonTLS13CipherList(SSL * s)50 std::vector<std::string> getNonTLS13CipherList(SSL* s) {
51   // OpenSSL 1.1.1 added TLS 1.3 support; SSL_get_cipher_list will return
52   // TLS 1.3 ciphersuites, even if they are not explicitly added by
53   // SSL_CTX_set_cipher_list (This is to ensure that applications built against
54   // 1.1.0 which did not have TLS 1.3 support would still be able to
55   // transparently begin negotiating TLS 1.3).
56   //
57   // For the time being, filter out any TLS 1.3 ciphers that appear in the
58   // returned list. A more accurate test would be to determine at runtime
59   // if TLS 1.3 support is available, and assert that the TLS 1.3 ciphersuites
60   // are added regardless of what we put in SSL_CTX_set_cipher_list
61 
62   auto ciphers = getCiphersFromSSL(s);
63   ciphers.erase(
64       std::remove_if(
65           begin(ciphers),
66           end(ciphers),
67           [](const std::string& cipher) {
68             return suitesFor13.count(cipher) > 0;
69           }),
70       end(ciphers));
71   return ciphers;
72 }
73 
getTLS13Ciphersuites(SSL * s)74 std::vector<std::string> getTLS13Ciphersuites(SSL* s) {
75   auto ciphers = getCiphersFromSSL(s);
76   ciphers.erase(
77       std::remove_if(
78           begin(ciphers),
79           end(ciphers),
80           [](const std::string& cipher) {
81             return suitesFor13.count(cipher) == 0;
82           }),
83       end(ciphers));
84   return ciphers;
85 }
86 
87 } // namespace test
88 } // namespace folly
89