]> git.saurik.com Git - apple/security.git/blob - libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-55471.14.tar.gz
[apple/security.git] / libsecurity_ssl / regressions / ssl-46-SSLGetSupportedCiphers.c
1 //
2 // ssl-46-SSLGetSupportedCiphers.c
3 // libsecurity_ssl
4 //
5 // Created by Fabrice Gautier on 10/15/12.
6 //
7 //
8
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <Security/SecureTransport.h>
12 #include <AssertMacros.h>
13
14 #include "ssl_regressions.h"
15 #include "ssl-utils.h"
16
17
18 #include "cipherSpecs.h"
19
20 static int test_GetSupportedCiphers(SSLContextRef ssl)
21 {
22 size_t max_ciphers = 0;
23 int fail=1;
24 SSLCipherSuite *ciphers = NULL;
25
26 require_noerr(SSLGetNumberSupportedCiphers(ssl, &max_ciphers), out);
27
28 size_t size = max_ciphers * sizeof (SSLCipherSuite);
29 ciphers = (SSLCipherSuite *) malloc(size);
30
31 require_string(ciphers, out, "out of memory");
32 memset(ciphers, 0xff, size);
33
34 size_t num_ciphers = max_ciphers;
35 require_noerr(SSLGetSupportedCiphers(ssl, ciphers, &num_ciphers), out);
36
37
38 for (size_t i = 0; i < num_ciphers; i++) {
39 require(ciphers[i]!=(SSLCipherSuite)(-1), out);
40 }
41
42 /* Success! */
43 fail=0;
44
45 out:
46 if(ciphers) free(ciphers);
47 return fail;
48 }
49
50 static
51 int allowed_default_ciphers(SSLCipherSuite cs)
52 {
53 switch (cs) {
54
55 /* BAD to enable by default */
56
57
58 /*
59 * Tags for SSL 2 cipher kinds which are not specified
60 * for SSL 3.
61 */
62 case SSL_RSA_WITH_RC2_CBC_MD5:
63 case SSL_RSA_WITH_IDEA_CBC_MD5:
64 case SSL_RSA_WITH_DES_CBC_MD5:
65 case SSL_RSA_WITH_3DES_EDE_CBC_MD5:
66
67 /* Export and Simple DES ciphers */
68 case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
69 case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
70 case SSL_RSA_WITH_IDEA_CBC_SHA:
71 case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:
72 case SSL_RSA_WITH_DES_CBC_SHA:
73 case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
74 case SSL_DH_DSS_WITH_DES_CBC_SHA:
75 case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
76 case SSL_DH_RSA_WITH_DES_CBC_SHA:
77 case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
78 case SSL_DHE_DSS_WITH_DES_CBC_SHA:
79 case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
80 case SSL_DHE_RSA_WITH_DES_CBC_SHA:
81 case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5:
82 case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
83 case SSL_DH_anon_WITH_DES_CBC_SHA:
84 case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
85 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
86
87 case SSL_NO_SUCH_CIPHERSUITE:
88
89 /* Null ciphers. */
90 case TLS_NULL_WITH_NULL_NULL:
91 case TLS_RSA_WITH_NULL_MD5:
92 case TLS_RSA_WITH_NULL_SHA:
93 case TLS_RSA_WITH_NULL_SHA256:
94 case TLS_ECDH_ECDSA_WITH_NULL_SHA:
95 case TLS_ECDHE_ECDSA_WITH_NULL_SHA:
96 case TLS_ECDHE_RSA_WITH_NULL_SHA:
97 case TLS_ECDH_RSA_WITH_NULL_SHA:
98 case TLS_ECDH_anon_WITH_NULL_SHA:
99
100 /* Completely anonymous Diffie-Hellman */
101 case TLS_DH_anon_WITH_RC4_128_MD5:
102 case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
103 case TLS_DH_anon_WITH_AES_128_CBC_SHA:
104 case TLS_DH_anon_WITH_AES_256_CBC_SHA:
105 case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
106 case TLS_DH_anon_WITH_AES_256_CBC_SHA256:
107 case TLS_DH_anon_WITH_AES_128_GCM_SHA256:
108 case TLS_DH_anon_WITH_AES_256_GCM_SHA384:
109 case TLS_ECDH_anon_WITH_RC4_128_SHA:
110 case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA:
111 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA:
112 case TLS_ECDH_anon_WITH_AES_256_CBC_SHA:
113
114 return 0;
115
116
117 /* OK to enable by default */
118
119 /* Server provided RSA certificate for key exchange. */
120 case TLS_RSA_WITH_RC4_128_MD5:
121 case TLS_RSA_WITH_RC4_128_SHA:
122 case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
123 case TLS_RSA_WITH_AES_128_CBC_SHA:
124 case TLS_RSA_WITH_AES_256_CBC_SHA:
125 case TLS_RSA_WITH_AES_128_CBC_SHA256:
126 case TLS_RSA_WITH_AES_256_CBC_SHA256:
127 return 1;
128
129 /* Server-authenticated (and optionally client-authenticated) Diffie-Hellman. */
130 case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
131 case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
132 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
133 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
134 case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
135 case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
136 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
137 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
138 case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
139 case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
140 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
141 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
142 case TLS_DH_DSS_WITH_AES_128_CBC_SHA256:
143 case TLS_DH_RSA_WITH_AES_128_CBC_SHA256:
144 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
145 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
146 case TLS_DH_DSS_WITH_AES_256_CBC_SHA256:
147 case TLS_DH_RSA_WITH_AES_256_CBC_SHA256:
148 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
149 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
150
151 case TLS_RSA_WITH_AES_128_GCM_SHA256:
152 case TLS_RSA_WITH_AES_256_GCM_SHA384:
153 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
154 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
155 case TLS_DH_RSA_WITH_AES_128_GCM_SHA256:
156 case TLS_DH_RSA_WITH_AES_256_GCM_SHA384:
157 case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
158 case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
159 case TLS_DH_DSS_WITH_AES_128_GCM_SHA256:
160 case TLS_DH_DSS_WITH_AES_256_GCM_SHA384:
161
162 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
163 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
164 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
165 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
166 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
167 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
168 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
169 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
170 case TLS_ECDH_RSA_WITH_RC4_128_SHA:
171 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
172 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
173 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
174 case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
175 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
176 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
177 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
178
179 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
180 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
181 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
182 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
183 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
184 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
185 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
186 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
187
188 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
189 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
190 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
191 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
192 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
193 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
194 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
195 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
196
197 /* RFC 5746 - Secure Renegotiation */
198 case TLS_EMPTY_RENEGOTIATION_INFO_SCSV:
199 return 1;
200
201 /* unknown cipher ? */
202 default:
203 return 0;
204 }
205 }
206
207 static OSStatus SocketWrite(SSLConnectionRef conn, const void *data, size_t *length)
208 {
209 return errSSLWouldBlock;
210 }
211
212 static OSStatus SocketRead(SSLConnectionRef conn, void *data, size_t *length)
213 {
214 return errSSLWouldBlock;
215 }
216
217
218 static int test_GetEnabledCiphers(SSLContextRef ssl)
219 {
220 size_t max_ciphers = 0;
221 int fail=1;
222 SSLCipherSuite *ciphers = NULL;
223 OSStatus err;
224
225 err=SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite);
226 err=SSLSetConnection(ssl, NULL);
227 err=SSLHandshake(ssl);
228
229 require_noerr(SSLGetNumberEnabledCiphers(ssl, &max_ciphers), out);
230
231 size_t size = max_ciphers * sizeof (SSLCipherSuite);
232 ciphers = (SSLCipherSuite *) malloc(size);
233
234 require_string(ciphers, out, "out of memory");
235 memset(ciphers, 0xff, size);
236
237 size_t num_ciphers = max_ciphers;
238 require_noerr(SSLGetEnabledCiphers(ssl, ciphers, &num_ciphers), out);
239
240 for (size_t i = 0; i < num_ciphers; i++) {
241 char csname[256];
242 snprintf(csname, 256, "(%04x) %s", ciphers[i], ciphersuite_name(ciphers[i]));
243 /* Uncomment the next line if you want to list the default enabled ciphers */
244 //printf("%s\n", csname);
245 require_string(allowed_default_ciphers(ciphers[i]), out, csname);
246 }
247
248 /* Success! */
249 fail=0;
250
251 out:
252 if(ciphers) free(ciphers);
253 return fail;
254 }
255
256 static int test_SetEnabledCiphers(SSLContextRef ssl)
257 {
258 int fail=1;
259 size_t num_enabled;
260
261 /* This should not fail as long as we have one valid cipher in this table */
262 SSLCipherSuite ciphers[] = {
263 SSL_RSA_WITH_RC2_CBC_MD5, /* unsupported */
264 TLS_RSA_WITH_NULL_SHA, /* supported by not enabled by default */
265 TLS_RSA_WITH_AES_128_CBC_SHA, /* Supported and enabled by default */
266 };
267
268 require_noerr(SSLSetEnabledCiphers(ssl, ciphers, sizeof(ciphers)/sizeof(SSLCipherSuite)), out);
269 require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_enabled), out);
270
271 require(num_enabled==2, out); /* 2 ciphers in the above table are supported */
272
273 /* Success! */
274 fail=0;
275
276 out:
277 return fail;
278 }
279
280
281 static void
282 test(void)
283 {
284 SSLContextRef ssl = NULL;
285
286 require(ssl=SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType), out);
287 ok(ssl, "SSLCreateContext failed");
288
289 /* The order of this tests does matter, be careful when adding tests */
290 ok(!test_GetSupportedCiphers(ssl), "GetSupportedCiphers test failed");
291 ok(!test_GetEnabledCiphers(ssl), "GetEnabledCiphers test failed");
292
293 CFRelease(ssl); ssl=NULL;
294
295 require(ssl=SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType), out);
296 ok(ssl, "SSLCreateContext failed");
297
298 ok(!test_SetEnabledCiphers(ssl), "SetEnabledCiphers test failed");
299
300 out:
301 if(ssl) CFRelease(ssl);
302 }
303
304
305 int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
306 {
307 plan_tests(5);
308
309 test();
310
311 return 0;
312 }
313
mirror of Security