Fix SSLContext tests that fail under OpenSSL 1.1.1

Summary:
SSL_CTX_get_cipher_list() has different semantics when running under
OpenSSL 1.1.1.

This adjusts the tests that explicitly call SSLContext::setCiphers() to only
check expectations against < TLS 1.3 cipher names.

Reviewed By: knekritz

Differential Revision: D17539611

fbshipit-source-id: c293bd1e6b886dbc575a0677a98776d256b23fb5

folly/io/async/test/SSLContextTest.cpp

@@ -19,6 +19,8 @@
 #include <folly/portability/GTest.h>
 #include <folly/ssl/OpenSSLPtrTypes.h>
 
+#include <folly/io/async/test/SSLUtil.h>
+
 using namespace std;
 using namespace testing;
 
@@ -31,12 +33,8 @@ class SSLContextTest : public testing::Test {
 };
 
 void SSLContextTest::verifySSLCipherList(const vector<string>& ciphers) {
-  int i = 0;
   ssl::SSLUniquePtr ssl(ctx.createSSL());
-  for (auto& cipher : ciphers) {
-    ASSERT_STREQ(cipher.c_str(), SSL_get_cipher_list(ssl.get(), i++));
-  }
-  ASSERT_EQ(nullptr, SSL_get_cipher_list(ssl.get(), i));
+  EXPECT_EQ(ciphers, test::getNonTLS13CipherList(ssl.get()));
 }
 
 TEST_F(SSLContextTest, TestSetCipherString) {
@@ -50,6 +48,24 @@ TEST_F(SSLContextTest, TestSetCipherList) {
   verifySSLCipherList(ciphers);
 }
 
+TEST_F(SSLContextTest, TestCipherRemoval) {
+  ctx.setCipherList({"ECDHE-RSA-AES128-SHA", "AES256-SHA"});
+  {
+    ssl::SSLUniquePtr ssl(ctx.createSSL());
+    auto ciphers = test::getCiphersFromSSL(ssl.get());
+    EXPECT_TRUE(
+        std::find(begin(ciphers), end(ciphers), "AES256-SHA") != end(ciphers));
+  }
+
+  ctx.setCipherList({"ECDHE-RSA-AES128-SHA"});
+  {
+    ssl::SSLUniquePtr ssl(ctx.createSSL());
+    auto ciphers = test::getCiphersFromSSL(ssl.get());
+    EXPECT_FALSE(
+        std::find(begin(ciphers), end(ciphers), "AES256-SHA") != end(ciphers));
+  }
+}
+
 TEST_F(SSLContextTest, TestLoadCertKey) {
   std::string certData, keyData, anotherKeyData;
   const char* certPath = "folly/io/async/test/certs/tests-cert.pem";

folly/io/async/test/SSLOptionsTest.cpp

@@ -19,6 +19,8 @@
 #include <folly/portability/GTest.h>
 #include <folly/ssl/OpenSSLPtrTypes.h>
 
+#include <folly/io/async/test/SSLUtil.h>
+
 using namespace std;
 using namespace testing;
 
@@ -30,12 +32,12 @@ TEST_F(SSLOptionsTest, TestSetCommonCipherList) {
   SSLContext ctx;
   ssl::setCipherSuites<ssl::SSLCommonOptions>(ctx);
 
-  int i = 0;
+  const auto& commonOptionCiphers = ssl::SSLCommonOptions::ciphers();
+  std::vector<std::string> commonOptionCiphersVec(
+      begin(commonOptionCiphers), end(commonOptionCiphers));
+
   ssl::SSLUniquePtr ssl(ctx.createSSL());
-  for (auto& cipher : ssl::SSLCommonOptions::ciphers()) {
-    ASSERT_STREQ(cipher, SSL_get_cipher_list(ssl.get(), i++));
-  }
-  ASSERT_EQ(nullptr, SSL_get_cipher_list(ssl.get(), i));
+  EXPECT_EQ(commonOptionCiphersVec, test::getNonTLS13CipherList(ssl.get()));
 }
 
 TEST_F(SSLOptionsTest, TestSetCipherListWithVector) {
@@ -43,12 +45,9 @@ TEST_F(SSLOptionsTest, TestSetCipherListWithVector) {
   auto ciphers = ssl::SSLCommonOptions::ciphers();
   ssl::setCipherSuites(ctx, ciphers);
 
-  int i = 0;
   ssl::SSLUniquePtr ssl(ctx.createSSL());
-  for (auto& cipher : ssl::SSLCommonOptions::ciphers()) {
-    ASSERT_STREQ(cipher, SSL_get_cipher_list(ssl.get(), i++));
-  }
-  ASSERT_EQ(nullptr, SSL_get_cipher_list(ssl.get(), i));
+  std::vector<std::string> expectedCiphers(begin(ciphers), end(ciphers));
+  EXPECT_EQ(expectedCiphers, test::getNonTLS13CipherList(ssl.get()));
 }
 
 } // namespace folly

folly/io/async/test/SSLUtil.h

+/*
+ * Copyright 2017-present Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <algorithm>
+#include <string>
+#include <vector>
+
+namespace folly {
+namespace test {
+
+static std::vector<std::string> getCiphersFromSSL(SSL* s) {
+  std::vector<std::string> osslCiphers;
+  for (int i = 0;; i++) {
+    auto c = SSL_get_cipher_list(s, i);
+    if (c == nullptr) {
+      break;
+    }
+    osslCiphers.emplace_back(std::move(c));
+  }
+
+  return osslCiphers;
+}
+
+static std::vector<std::string> getNonTLS13CipherList(SSL* s) {
+  // OpenSSL 1.1.1 added TLS 1.3 support; SSL_get_cipher_list will return
+  // TLS 1.3 ciphersuites, even if they are not explicitly added by
+  // SSL_CTX_set_cipher_list (This is to ensure that applications built against
+  // 1.1.0 which did not have TLS 1.3 support would still be able to
+  // transparently begin negotiating TLS 1.3).
+  //
+  // For the time being, filter out any TLS 1.3 ciphers that appear in the
+  // returned list. A more accurate test would be to determine at runtime
+  // if TLS 1.3 support is available, and assert that the TLS 1.3 ciphersuites
+  // are added regardless of what we put in SSL_CTX_set_cipher_list
+  static std::set<std::string> const suitesFor13{
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_CHACHA20_POLY1305_SHA256",
+      "TLS_AES_128_GCM_SHA256",
+  };
+
+  auto ciphers = getCiphersFromSSL(s);
+  ciphers.erase(
+      std::remove_if(
+          begin(ciphers),
+          end(ciphers),
+          [](const std::string& cipher) {
+            return suitesFor13.count(cipher) > 0;
+          }),
+      end(ciphers));
+  return ciphers;
+}
+
+} // namespace test
+} // namespace folly