From 57988c83bb4b3f1780f045880ac4a8f36a51c55c Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 17 Dec 2020 17:38:17 +0100
Subject: libinterimap: new option SSL_ciphersuites to set the TLSv1.3
 ciphersuites.

Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below.
See SSL_CTX_set_cipher_list(3ssl).
---
 tests/list                         |  1 +
 tests/tls-ciphers/interimap.remote |  1 +
 tests/tls-ciphers/remote.conf      |  1 +
 tests/tls-ciphers/t                | 31 +++++++++++++++++++++++++++++++
 tests/tls-rsa+ecdsa/t              |  4 +++-
 5 files changed, 37 insertions(+), 1 deletion(-)
 create mode 120000 tests/tls-ciphers/interimap.remote
 create mode 120000 tests/tls-ciphers/remote.conf
 create mode 100644 tests/tls-ciphers/t

(limited to 'tests')

diff --git a/tests/list b/tests/list
index cb31a73..d1058ba 100644
--- a/tests/list
+++ b/tests/list
@@ -54,6 +54,7 @@ split-set   Split large sets to avoid extra-long command lines
     tls-rsa+ecdsa           pubkey fingerprint pinning for dual-cert RSA+ECDSA
     tls-sni                 TLS servername extension (SNI)
     tls-protocols           force TLS protocol versions
+    tls-ciphers             force TLS cipher list/suites
 
 . Live synchronization (60s)
     sync-live            local/remote simulation
diff --git a/tests/tls-ciphers/interimap.remote b/tests/tls-ciphers/interimap.remote
new file mode 120000
index 0000000..daf3741
--- /dev/null
+++ b/tests/tls-ciphers/interimap.remote
@@ -0,0 +1 @@
+../tls/interimap.remote
\ No newline at end of file
diff --git a/tests/tls-ciphers/remote.conf b/tests/tls-ciphers/remote.conf
new file mode 120000
index 0000000..6029749
--- /dev/null
+++ b/tests/tls-ciphers/remote.conf
@@ -0,0 +1 @@
+../tls/remote.conf
\ No newline at end of file
diff --git a/tests/tls-ciphers/t b/tests/tls-ciphers/t
new file mode 100644
index 0000000..0dfc771
--- /dev/null
+++ b/tests/tls-ciphers/t
@@ -0,0 +1,31 @@
+# backup config
+install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
+with_remote_config() {
+    install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
+    cat >>"$XDG_CONFIG_HOME/interimap/config"
+}
+
+with_remote_config <<-EOF
+	SSL_protocol_max = TLSv1.2
+	SSL_cipherlist = DHE-RSA-AES128-SHA256:ALL:!COMPLEMENTOFDEFAULT:!eNULL
+EOF
+interimap --debug || error
+grep -Fx "remote: SSL cipher: DHE-RSA-AES128-SHA256 (128 bits)" <"$STDERR" || error
+
+with_remote_config <<-EOF
+	SSL_protocol_max = TLSv1.2
+	SSL_cipherlist = NONEXISTENT:ECDHE-RSA-AES256-SHA384:ALL:!COMPLEMENTOFDEFAULT:!eNULL
+	SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+EOF
+interimap --debug || error
+grep -Fx "remote: SSL cipher: ECDHE-RSA-AES256-SHA384 (256 bits)" <"$STDERR" || error
+
+with_remote_config <<-EOF
+	SSL_protocol_min = TLSv1.3
+	SSL_cipherlist = DHE-RSA-AES128-SHA256
+	SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+EOF
+interimap --debug || error
+grep -Fx "remote: SSL cipher: TLS_CHACHA20_POLY1305_SHA256 (256 bits)" <"$STDERR" || error
+
+# vim: set filetype=sh :
diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t
index 8b811fd..c9f5b96 100644
--- a/tests/tls-rsa+ecdsa/t
+++ b/tests/tls-rsa+ecdsa/t
@@ -36,7 +36,9 @@ grep -Fx -e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_S
          -e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_ALT_SHA256" \
          <"$STDERR" || error
 
-# force RSA (XXX do we really have to force TLSv1.2 here?)
+# force RSA
+# XXX we also have to force TLS <=1.2 here as the TLSv1.3 ciphersuites
+# don't specify the certificate type (nor key exchange)
 cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
 	SSL_protocol_max = TLSv1.2
 	SSL_cipherlist = EECDH+AESGCM+aRSA
-- 
cgit v1.2.3