112 this.protocol = protocol; |
112 this.protocol = protocol; |
113 this.clientAuth = clientAuth; |
113 this.clientAuth = clientAuth; |
114 } |
114 } |
115 |
115 |
116 boolean isEnabled() { |
116 boolean isEnabled() { |
117 // ignore SCSV |
117 return TLSCipherStatus.isEnabled(cipherSuite, protocol); |
118 if (cipherSuite.equals("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) { |
|
119 return false; |
|
120 } |
|
121 |
|
122 // ignore exportable cipher suite for TLSv1.1 |
|
123 if (protocol.equals("TLSv1.1")) { |
|
124 if(cipherSuite.indexOf("_EXPORT_") != -1) { |
|
125 return false; |
|
126 } |
|
127 } |
|
128 |
|
129 return true; |
|
130 } |
118 } |
131 |
119 |
132 public String toString() { |
120 public String toString() { |
133 String s = cipherSuite + " in " + protocol + " mode"; |
121 String s = cipherSuite + " in " + protocol + " mode"; |
134 if (clientAuth != null) { |
122 if (clientAuth != null) { |
135 s += " with " + clientAuth + " client authentication"; |
123 s += " with " + clientAuth + " client authentication"; |
136 } |
124 } |
137 return s; |
125 return s; |
138 } |
126 } |
139 |
127 |
|
128 static enum TLSCipherStatus { |
|
129 // cipher suites supported since TLS 1.2 |
|
130 CS_01("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF), |
|
131 CS_02("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF), |
|
132 CS_03("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF), |
|
133 CS_04("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF), |
|
134 CS_05("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF), |
|
135 CS_06("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF), |
|
136 CS_07("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF), |
|
137 |
|
138 CS_08("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), |
|
139 CS_09("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), |
|
140 CS_10("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), |
|
141 CS_11("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), |
|
142 CS_12("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), |
|
143 CS_13("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), |
|
144 CS_14("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), |
|
145 |
|
146 CS_15("TLS_DH_anon_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF), |
|
147 CS_16("TLS_DH_anon_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), |
|
148 CS_17("TLS_RSA_WITH_NULL_SHA256", 0x0303, 0xFFFF), |
|
149 |
|
150 // cipher suites obsoleted since TLS 1.2 |
|
151 CS_50("SSL_RSA_WITH_DES_CBC_SHA", 0x0000, 0x0303), |
|
152 CS_51("SSL_DHE_RSA_WITH_DES_CBC_SHA", 0x0000, 0x0303), |
|
153 CS_52("SSL_DHE_DSS_WITH_DES_CBC_SHA", 0x0000, 0x0303), |
|
154 CS_53("SSL_DH_anon_WITH_DES_CBC_SHA", 0x0000, 0x0303), |
|
155 CS_54("TLS_KRB5_WITH_DES_CBC_SHA", 0x0000, 0x0303), |
|
156 CS_55("TLS_KRB5_WITH_DES_CBC_MD5", 0x0000, 0x0303), |
|
157 |
|
158 // cipher suites obsoleted since TLS 1.1 |
|
159 CS_60("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302), |
|
160 CS_61("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302), |
|
161 CS_62("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302), |
|
162 CS_63("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302), |
|
163 CS_64("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302), |
|
164 CS_65("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302), |
|
165 CS_66("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", 0x0000, 0x0302), |
|
166 CS_67("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302), |
|
167 CS_68("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", 0x0000, 0x0302), |
|
168 CS_69("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", 0x0000, 0x0302), |
|
169 |
|
170 // ignore TLS_EMPTY_RENEGOTIATION_INFO_SCSV always |
|
171 CS_99("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0xFFFF, 0x0000); |
|
172 |
|
173 // the cipher suite name |
|
174 final String cipherSuite; |
|
175 |
|
176 // supported since protocol version |
|
177 final int supportedSince; |
|
178 |
|
179 // obsoleted since protocol version |
|
180 final int obsoletedSince; |
|
181 |
|
182 TLSCipherStatus(String cipherSuite, |
|
183 int supportedSince, int obsoletedSince) { |
|
184 this.cipherSuite = cipherSuite; |
|
185 this.supportedSince = supportedSince; |
|
186 this.obsoletedSince = obsoletedSince; |
|
187 } |
|
188 |
|
189 static boolean isEnabled(String cipherSuite, String protocol) { |
|
190 int versionNumber = toVersionNumber(protocol); |
|
191 |
|
192 if (versionNumber < 0) { |
|
193 return true; // unlikely to happen |
|
194 } |
|
195 |
|
196 for (TLSCipherStatus status : TLSCipherStatus.values()) { |
|
197 if (cipherSuite.equals(status.cipherSuite)) { |
|
198 if ((versionNumber < status.supportedSince) || |
|
199 (versionNumber >= status.obsoletedSince)) { |
|
200 return false; |
|
201 } |
|
202 |
|
203 return true; |
|
204 } |
|
205 } |
|
206 |
|
207 return true; |
|
208 } |
|
209 |
|
210 private static int toVersionNumber(String protocol) { |
|
211 int versionNumber = -1; |
|
212 |
|
213 switch (protocol) { |
|
214 case "SSLv2Hello": |
|
215 versionNumber = 0x0002; |
|
216 break; |
|
217 case "SSLv3": |
|
218 versionNumber = 0x0300; |
|
219 break; |
|
220 case "TLSv1": |
|
221 versionNumber = 0x0301; |
|
222 break; |
|
223 case "TLSv1.1": |
|
224 versionNumber = 0x0302; |
|
225 break; |
|
226 case "TLSv1.2": |
|
227 versionNumber = 0x0303; |
|
228 break; |
|
229 default: |
|
230 // unlikely to happen |
|
231 } |
|
232 |
|
233 return versionNumber; |
|
234 } |
|
235 } |
140 } |
236 } |
141 |
237 |
142 private List<TestParameters> tests; |
238 private List<TestParameters> tests; |
143 private Iterator<TestParameters> testIterator; |
239 private Iterator<TestParameters> testIterator; |
144 private SSLSocketFactory factory; |
240 private SSLSocketFactory factory; |