Update SSL backends and unit test (#4254)

pjsip · Jan 20, 2025 · 093da33 · 093da33
1 parent 11ad831
commit 093da33
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 66 deletions.
diff --git a/pjlib/include/pj/ssl_sock.h b/pjlib/include/pj/ssl_sock.h
@@ -447,6 +447,18 @@ typedef enum pj_ssl_cipher {
     PJ_TLS_DH_anon_WITH_AES_128_CBC_SHA256      = 0x0000006C,
     PJ_TLS_DH_anon_WITH_AES_256_CBC_SHA256      = 0x0000006D,
 
+    PJ_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  = 0x0000c02c,
+    PJ_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    = 0x0000c030,
+    PJ_TLS_DHE_DSS_WITH_AES_256_GCM_SHA384      = 0x000000a3,
+    PJ_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      = 0x0000009f,
+    PJ_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  = 0x0000c02b,
+    PJ_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    = 0x0000c02f,
+
+    /* TLS 1.3 cipher suites */
+    PJ_TLS_AES_128_GCM_SHA256                   = 0x00001301,
+    PJ_TLS_AES_256_GCM_SHA384                   = 0x00001302,
+    PJ_TLS_CHACHA20_POLY1305_SHA256             = 0x00001303,
+
     /* TLS (deprecated) */
     PJ_TLS_RSA_EXPORT_WITH_RC4_40_MD5           = 0x00000003,
     PJ_TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5       = 0x00000006,
@@ -788,27 +800,33 @@ typedef struct pj_ssl_sock_cb
 typedef enum pj_ssl_sock_proto
 {
     /**
-     * Default protocol of backend. 
+     * Default protocol of backend.
+     * Typically this will be set to all supported non-deprecated protocols,
+     * which, currently is TLSv1.2 and TLSv1.3.
      */   
     PJ_SSL_SOCK_PROTO_DEFAULT = 0,
 
     /** 
-     * SSLv2.0 protocol.          
+     * SSLv2.0 protocol.
+     * This protocol has been deprecated.
      */
     PJ_SSL_SOCK_PROTO_SSL2    = (1 << 0),
 
     /** 
-     * SSLv3.0 protocol.          
+     * SSLv3.0 protocol.
+     * This protocol has been deprecated.
      */
     PJ_SSL_SOCK_PROTO_SSL3    = (1 << 1),
 
     /**
-     * TLSv1.0 protocol.          
+     * TLSv1.0 protocol.
+     * This protocol has been deprecated.
      */
     PJ_SSL_SOCK_PROTO_TLS1    = (1 << 2),
 
     /** 
      * TLSv1.1 protocol.
+     * This protocol has been deprecated.
      */
     PJ_SSL_SOCK_PROTO_TLS1_1  = (1 << 3),
 
@@ -823,11 +841,14 @@ typedef enum pj_ssl_sock_proto
     PJ_SSL_SOCK_PROTO_TLS1_3  = (1 << 5),
 
     /** 
-     * Certain backend implementation e.g:OpenSSL, has feature to enable all
-     * protocol. 
+     * This protocol has been deprecated.
      */
     PJ_SSL_SOCK_PROTO_SSL23   = (1 << 16) - 1,
-    PJ_SSL_SOCK_PROTO_ALL = PJ_SSL_SOCK_PROTO_SSL23,
+
+    /**
+     * This will enable all the backend's supported protocols.
+     */
+    PJ_SSL_SOCK_PROTO_ALL     = (1 << 16) - 1,
 
     /**
      * DTLSv1.0 protocol.         

diff --git a/pjlib/src/pj/ssl_sock_apple.m b/pjlib/src/pj/ssl_sock_apple.m
@@ -926,9 +926,7 @@ static pj_status_t network_create_params(pj_ssl_sock_t * ssock,
 
     /* Set min and max protocol version */
     if (ssock->param.proto == PJ_SSL_SOCK_PROTO_DEFAULT) {
-        ssock->param.proto = PJ_SSL_SOCK_PROTO_TLS1 |
-                             PJ_SSL_SOCK_PROTO_TLS1_1 |
-                             PJ_SSL_SOCK_PROTO_TLS1_2 |
+        ssock->param.proto = PJ_SSL_SOCK_PROTO_TLS1_2 |
                              PJ_SSL_SOCK_PROTO_TLS1_3;
     }
 

diff --git a/pjlib/src/pj/ssl_sock_gtls.c b/pjlib/src/pj/ssl_sock_gtls.c
@@ -433,10 +433,10 @@ static pj_status_t tls_priorities_set(pj_ssl_sock_t *ssock)
     pj_strset(&cipher_list, buf, 0);
     pj_strset(&priority, priority_buf, 0);
 
-    if (ssock->param.proto == PJ_SSL_SOCK_PROTO_DEFAULT)
-        ssock->param.proto = PJ_SSL_SOCK_PROTO_TLS1 |
-                             PJ_SSL_SOCK_PROTO_TLS1_1 |
-                             PJ_SSL_SOCK_PROTO_TLS1_2;
+    if (ssock->param.proto == PJ_SSL_SOCK_PROTO_DEFAULT) {
+        ssock->param.proto = PJ_SSL_SOCK_PROTO_TLS1_2 |
+                             PJ_SSL_SOCK_PROTO_TLS1_3;
+    }
 
     /* For each level, enable only the requested protocol */
     pj_strcat2(&priority, "NORMAL:-VERS-ALL:");

diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
@@ -1137,37 +1137,13 @@ static pj_status_t init_ossl_ctx(pj_ssl_sock_t *ssock)
     int rc;
     pj_status_t status;
 
-    if (ssock->param.proto == PJ_SSL_SOCK_PROTO_DEFAULT)
-        ssock->param.proto = PJ_SSL_SOCK_PROTO_SSL23;
-
-    /* Determine SSL method to use */
-    /* Specific version methods are deprecated since 1.1.0 */
-#if (USING_LIBRESSL && LIBRESSL_VERSION_NUMBER < 0x2020100fL)\
-    || OPENSSL_VERSION_NUMBER < 0x10100000L
-    switch (ssock->param.proto) {
-    case PJ_SSL_SOCK_PROTO_TLS1:
-        ssl_method = (SSL_METHOD*)TLSv1_method();
-        break;
-#ifndef OPENSSL_NO_SSL2
-    case PJ_SSL_SOCK_PROTO_SSL2:
-        ssl_method = (SSL_METHOD*)SSLv2_method();
-        break;
-#endif
-#ifndef OPENSSL_NO_SSL3_METHOD
-    case PJ_SSL_SOCK_PROTO_SSL3:
-        ssl_method = (SSL_METHOD*)SSLv3_method();
-#endif
-        break;
+    if (ssock->param.proto == PJ_SSL_SOCK_PROTO_DEFAULT) {
+        ssock->param.proto = PJ_SSL_SOCK_PROTO_TLS1_2 |
+                             PJ_SSL_SOCK_PROTO_TLS1_3;
     }
-#endif
 
     if (!ssl_method) {
-#if (USING_LIBRESSL && LIBRESSL_VERSION_NUMBER < 0x2020100fL)\
-    || OPENSSL_VERSION_NUMBER < 0x10100000L
-        ssl_method = (SSL_METHOD*)SSLv23_method();
-#else
         ssl_method = (SSL_METHOD*)TLS_method();
-#endif
 
 #ifdef SSL_OP_NO_SSLv2
         /** Check if SSLv2 is enabled */
@@ -1630,8 +1606,10 @@ static pj_status_t ssl_create(pj_ssl_sock_t *ssock)
 
     set_entropy(ssock);
 
-    if (ssock->param.proto == PJ_SSL_SOCK_PROTO_DEFAULT)
-        ssock->param.proto = PJ_SSL_SOCK_PROTO_SSL23;
+    if (ssock->param.proto == PJ_SSL_SOCK_PROTO_DEFAULT) {
+        ssock->param.proto = PJ_SSL_SOCK_PROTO_TLS1_2 |
+                             PJ_SSL_SOCK_PROTO_TLS1_3;
+    }
 
     /* Create SSL context */
     if (SERVER_SUPPORT_SESSION_REUSE && ssock->is_server) {
@@ -1809,7 +1787,7 @@ static pj_status_t set_cipher_list(pj_ssl_sock_t *ssock)
     enum { BUF_SIZE = 8192 };
     pj_str_t cipher_list;
     unsigned i, j;
-    int ret;
+    int ret, ret2 = 1;
 
     if (ssock->param.ciphers_num == 0) {
         ret = SSL_CTX_set_cipher_list(ossock->ossl_ctx, PJ_SSL_SOCK_OSSL_CIPHERS);
@@ -1859,9 +1837,15 @@ static pj_status_t set_cipher_list(pj_ssl_sock_t *ssock)
     /* Put NULL termination in the generated cipher list */
     cipher_list.ptr[cipher_list.slen] = '\0';
 
-    /* Finally, set chosen cipher list */
+    /* Finally, set chosen cipher list.
+     * SSL_CTX_set_cipher_list() is for TLSv1.2 and below, while
+     * SSL_CTX_set_ciphersuites() is for TLSv1.3.
+     */
     ret = SSL_CTX_set_cipher_list(ossock->ossl_ctx, buf);
-    if (ret < 1) {
+    ret2 = SSL_CTX_set_ciphersuites(ossock->ossl_ctx, buf);
+    if (ret < 1 && ret2 < 1) {
+        PJ_LOG(4, (THIS_FILE, "Failed setting cipher list %s",
+                              cipher_list.ptr));
         pj_pool_release(tmp_pool);
         return GET_SSL_STATUS(ssock);
     }

diff --git a/pjlib/src/pjlib-test/ssl_sock.c b/pjlib/src/pjlib-test/ssl_sock.c
@@ -476,7 +476,7 @@ static int https_client_test(unsigned ms_timeout)
 
     pj_sockaddr_init(PJ_AF_INET, &local_addr, pj_strset2(&tmp_st, "0.0.0.0"), 0);
     pj_sockaddr_init(PJ_AF_INET, &rem_addr, pj_strset2(&tmp_st, HTTP_SERVER_ADDR), HTTP_SERVER_PORT);
-    status = pj_ssl_sock_start_connect(ssock, pool, &local_addr, &rem_addr, sizeof(rem_addr));
+    status = pj_ssl_sock_start_connect(ssock, pool, &local_addr, &rem_addr, pj_sockaddr_get_len(&local_addr));
     if (status == PJ_SUCCESS) {
         ssl_on_connect_complete(ssock, PJ_SUCCESS);
     } else if (status == PJ_EPENDING) {
@@ -1611,9 +1611,8 @@ int ssl_sock_test(void)
 
     PJ_LOG(3,("", "..https client test"));
     ret = https_client_test(30000);
-    // Ignore test result as internet connection may not be available.
-    //if (ret != 0)
-        //return ret;
+    if (ret != 0)
+        return ret;
 
 #ifndef PJ_SYMBIAN
 
@@ -1631,22 +1630,20 @@ int ssl_sock_test(void)
      */
 
 #if (PJ_SSL_SOCK_IMP != PJ_SSL_SOCK_IMP_SCHANNEL)
-    PJ_LOG(3,("", "..echo test w/ TLSv1 and PJ_TLS_RSA_WITH_AES_256_CBC_SHA cipher"));
-    ret = echo_test(PJ_SSL_SOCK_PROTO_TLS1, PJ_SSL_SOCK_PROTO_TLS1, 
-                    PJ_TLS_RSA_WITH_AES_256_CBC_SHA, PJ_TLS_RSA_WITH_AES_256_CBC_SHA, 
+    PJ_LOG(3,("", "..echo test w/ TLSv1.2 and PJ_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher"));
+    ret = echo_test(PJ_SSL_SOCK_PROTO_TLS1_2, PJ_SSL_SOCK_PROTO_TLS1_2,
+                    PJ_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+                    PJ_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                     PJ_FALSE, PJ_FALSE);
     if (ret != 0)
         return ret;
 
-    /* SSLv23 is deprecated */
-    /*
-    PJ_LOG(3,("", "..echo test w/ SSLv23 and PJ_TLS_RSA_WITH_AES_256_CBC_SHA cipher"));
-    ret = echo_test(PJ_SSL_SOCK_PROTO_SSL23, PJ_SSL_SOCK_PROTO_SSL23, 
-                    PJ_TLS_RSA_WITH_AES_256_CBC_SHA, PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
+    PJ_LOG(3,("", "..echo test w/ TLSv1.3 and PJ_TLS_AES_128_GCM_SHA256 cipher"));
+    ret = echo_test(PJ_SSL_SOCK_PROTO_TLS1_3, PJ_SSL_SOCK_PROTO_TLS1_3,
+                    PJ_TLS_AES_128_GCM_SHA256, PJ_TLS_AES_128_GCM_SHA256,
                     PJ_FALSE, PJ_FALSE);
     if (ret != 0)
         return ret;
-    */
 #endif
 
     PJ_LOG(3,("", "..echo test w/ compatible proto: server TLSv1.2 vs client TLSv1.2"));
@@ -1664,9 +1661,10 @@ int ssl_sock_test(void)
     if (ret != 0)
         return ret;
 
-    PJ_LOG(3,("", "..echo test w/ incompatible proto: server TLSv1 vs client SSL3"));
-    ret = echo_test(PJ_SSL_SOCK_PROTO_TLS1, PJ_SSL_SOCK_PROTO_SSL3, 
-                    PJ_TLS_RSA_WITH_DES_CBC_SHA, PJ_TLS_RSA_WITH_DES_CBC_SHA,
+    PJ_LOG(3,("", "..echo test w/ incompatible proto: server TLSv1.3 vs client TLSv1.2"));
+    ret = echo_test(PJ_SSL_SOCK_PROTO_TLS1_3, PJ_SSL_SOCK_PROTO_TLS1_2,
+                    PJ_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+                    PJ_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                     PJ_FALSE, PJ_FALSE);
     if (ret == 0)
         return PJ_EBUG;
@@ -1682,8 +1680,9 @@ int ssl_sock_test(void)
         return PJ_EBUG;
 #endif
 
-/* We can't seem to enable certain ciphers only. SSLSetEnabledCiphers() is
- * deprecated and we only have sec_protocol_options_append_tls_ciphersuite(),
+/* With Apple SSL, we can't seem to enable certain ciphers only.
+ * SSLSetEnabledCiphers() is deprecated and we only have
+ * sec_protocol_options_append_tls_ciphersuite(),
  * but there's no API to remove certain or all ciphers.
  */
 #if (PJ_SSL_SOCK_IMP != PJ_SSL_SOCK_IMP_APPLE && PJ_SSL_SOCK_IMP != PJ_SSL_SOCK_IMP_SCHANNEL)
@@ -1698,14 +1697,14 @@ int ssl_sock_test(void)
 #if (PJ_SSL_SOCK_IMP != PJ_SSL_SOCK_IMP_SCHANNEL)
     PJ_LOG(3,("", "..echo test w/ client cert required but not provided"));
     ret = echo_test(PJ_SSL_SOCK_PROTO_DEFAULT, PJ_SSL_SOCK_PROTO_DEFAULT, 
-                    PJ_TLS_RSA_WITH_AES_256_CBC_SHA, PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
+                    -1, -1,
                     PJ_TRUE, PJ_FALSE);
     if (ret == 0)
         return PJ_EBUG;
 
     PJ_LOG(3,("", "..echo test w/ client cert required and provided"));
     ret = echo_test(PJ_SSL_SOCK_PROTO_DEFAULT, PJ_SSL_SOCK_PROTO_DEFAULT, 
-                    PJ_TLS_RSA_WITH_AES_256_CBC_SHA, PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
+                    -1, -1,
                     PJ_TRUE, PJ_TRUE);
     if (ret != 0)
         return ret;