]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_ssl/regressions/ssl-utils.c
Security-57336.1.9.tar.gz
[apple/security.git] / OSX / libsecurity_ssl / regressions / ssl-utils.c
1 /*
2 * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 #include <Security/Security.h>
26 #include <AssertMacros.h>
27
28 #include "ssl-utils.h"
29
30 #include <Security/SecCertificatePriv.h>
31 #include "test-certs/CA-RSA_Cert.h"
32 #include "test-certs/ServerRSA_Key.h"
33 #include "test-certs/ServerRSA_Cert_CA-RSA.h"
34 #include "test-certs/ClientRSA_Key.h"
35 #include "test-certs/ClientRSA_Cert_CA-RSA.h"
36 #include "test-certs/UntrustedClientRSA_Key.h"
37 #include "test-certs/UntrustedClientRSA_Cert_Untrusted-CA-RSA.h"
38
39 #include <Security/SecIdentityPriv.h>
40 #include <Security/SecCertificatePriv.h>
41
42 #include "test-certs/eckey.h"
43 #include "test-certs/eccert.h"
44 #include "test-certs/ecclientcert.h"
45 #include "test-certs/ecclientkey.h"
46 #include "privkey-1.h"
47 #include "cert-1.h"
48
49 #if TARGET_OS_IPHONE
50 #include <Security/SecRSAKey.h>
51 #include <Security/SecECKey.h>
52 #endif
53
54
55 static
56 SecKeyRef create_private_key_from_der(bool ecdsa, const unsigned char *pkey_der, size_t pkey_der_len)
57 {
58 SecKeyRef privKey;
59 #if TARGET_OS_IPHONE
60 if(ecdsa) {
61 privKey = SecKeyCreateECPrivateKey(kCFAllocatorDefault, pkey_der, pkey_der_len, kSecKeyEncodingPkcs1);
62 } else {
63 privKey = SecKeyCreateRSAPrivateKey(kCFAllocatorDefault, pkey_der, pkey_der_len, kSecKeyEncodingPkcs1);
64 }
65 #else
66 CFErrorRef error = NULL;
67 CFDataRef keyData = CFDataCreate(kCFAllocatorDefault, pkey_der, pkey_der_len);
68 CFMutableDictionaryRef parameters = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
69 CFDictionarySetValue(parameters, kSecAttrKeyType, ecdsa?kSecAttrKeyTypeECDSA:kSecAttrKeyTypeRSA);
70 CFDictionarySetValue(parameters, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
71 privKey = SecKeyCreateFromData(parameters, keyData, &error);
72 CFReleaseNull(keyData);
73 CFReleaseNull(parameters);
74 CFReleaseNull(error);
75 #endif
76 return privKey;
77 }
78
79 static
80 CFArrayRef chain_from_der(bool ecdsa, const unsigned char *pkey_der, size_t pkey_der_len, const unsigned char *cert_der, size_t cert_der_len)
81 {
82 SecKeyRef pkey = NULL;
83 SecCertificateRef cert = NULL;
84 SecIdentityRef ident = NULL;
85 CFArrayRef items = NULL;
86
87 require(pkey = create_private_key_from_der(ecdsa, pkey_der, pkey_der_len), errOut);
88 require(cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, cert_der, cert_der_len), errOut);
89 require(ident = SecIdentityCreate(kCFAllocatorDefault, cert, pkey), errOut);
90 require(items = CFArrayCreate(kCFAllocatorDefault, (const void **)&ident, 1, &kCFTypeArrayCallBacks), errOut);
91
92 errOut:
93 CFReleaseSafe(pkey);
94 CFReleaseSafe(cert);
95 CFReleaseSafe(ident);
96 return items;
97 }
98
99 CFArrayRef server_ec_chain(void)
100 {
101 return chain_from_der(true, eckey_der, eckey_der_len, eccert_der, eccert_der_len);
102 }
103
104 CFArrayRef trusted_roots(void)
105 {
106 SecCertificateRef cert = NULL;
107 CFArrayRef roots = NULL;
108
109 require(cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, CA_RSA_Cert_der, CA_RSA_Cert_der_len), errOut);
110 require(roots = CFArrayCreate(kCFAllocatorDefault, (const void **)&cert, 1, &kCFTypeArrayCallBacks), errOut);
111
112 errOut:
113 CFReleaseSafe(cert);
114 return roots;
115 }
116
117 CFArrayRef server_chain(void)
118 {
119 return chain_from_der(false, ServerRSA_Key_der, ServerRSA_Key_der_len,
120 ServerRSA_Cert_CA_RSA_der, ServerRSA_Cert_CA_RSA_der_len);
121 }
122
123 CFArrayRef trusted_client_chain(void)
124 {
125 return chain_from_der(false, ClientRSA_Key_der, ClientRSA_Key_der_len,
126 ClientRSA_Cert_CA_RSA_der, ClientRSA_Cert_CA_RSA_der_len);
127 }
128
129 CFArrayRef trusted_ec_client_chain(void)
130 {
131 return chain_from_der(true, ecclientkey_der, ecclientkey_der_len, ecclientcert_der, ecclientcert_der_len);
132 }
133
134 CFArrayRef untrusted_client_chain(void)
135 {
136 return chain_from_der(false, UntrustedClientRSA_Key_der, UntrustedClientRSA_Key_der_len,
137 UntrustedClientRSA_Cert_Untrusted_CA_RSA_der, UntrustedClientRSA_Cert_Untrusted_CA_RSA_der_len);
138 }
139
140 const char *ciphersuite_name(SSLCipherSuite cs)
141 {
142
143 #define C(x) case x: return #x;
144 switch (cs) {
145
146 /* TLS 1.2 addenda, RFC 5246 */
147
148 /* Initial state. */
149 C(TLS_NULL_WITH_NULL_NULL)
150
151 /* Server provided RSA certificate for key exchange. */
152 C(TLS_RSA_WITH_NULL_MD5)
153 C(TLS_RSA_WITH_NULL_SHA)
154 C(TLS_RSA_WITH_RC4_128_MD5)
155 C(TLS_RSA_WITH_RC4_128_SHA)
156 C(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
157 C(TLS_RSA_WITH_AES_128_CBC_SHA)
158 C(TLS_RSA_WITH_AES_256_CBC_SHA)
159 C(TLS_RSA_WITH_NULL_SHA256)
160 C(TLS_RSA_WITH_AES_128_CBC_SHA256)
161 C(TLS_RSA_WITH_AES_256_CBC_SHA256)
162
163 /* Server-authenticated (and optionally client-authenticated) Diffie-Hellman. */
164 C(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA)
165 C(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA)
166 C(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA)
167 C(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
168 C(TLS_DH_DSS_WITH_AES_128_CBC_SHA)
169 C(TLS_DH_RSA_WITH_AES_128_CBC_SHA)
170 C(TLS_DHE_DSS_WITH_AES_128_CBC_SHA)
171 C(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
172 C(TLS_DH_DSS_WITH_AES_256_CBC_SHA)
173 C(TLS_DH_RSA_WITH_AES_256_CBC_SHA)
174 C(TLS_DHE_DSS_WITH_AES_256_CBC_SHA)
175 C(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
176 C(TLS_DH_DSS_WITH_AES_128_CBC_SHA256)
177 C(TLS_DH_RSA_WITH_AES_128_CBC_SHA256)
178 C(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256)
179 C(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
180 C(TLS_DH_DSS_WITH_AES_256_CBC_SHA256)
181 C(TLS_DH_RSA_WITH_AES_256_CBC_SHA256)
182 C(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256)
183 C(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
184
185 /* Completely anonymous Diffie-Hellman */
186 C(TLS_DH_anon_WITH_RC4_128_MD5)
187 C(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA)
188 C(TLS_DH_anon_WITH_AES_128_CBC_SHA)
189 C(TLS_DH_anon_WITH_AES_256_CBC_SHA)
190 C(TLS_DH_anon_WITH_AES_128_CBC_SHA256)
191 C(TLS_DH_anon_WITH_AES_256_CBC_SHA256)
192
193 /* Addenda from rfc 5288 AES Galois Counter Mode (GCM) Cipher Suites
194 for TLS. */
195 C(TLS_RSA_WITH_AES_128_GCM_SHA256)
196 C(TLS_RSA_WITH_AES_256_GCM_SHA384)
197 C(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
198 C(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
199 C(TLS_DH_RSA_WITH_AES_128_GCM_SHA256)
200 C(TLS_DH_RSA_WITH_AES_256_GCM_SHA384)
201 C(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256)
202 C(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384)
203 C(TLS_DH_DSS_WITH_AES_128_GCM_SHA256)
204 C(TLS_DH_DSS_WITH_AES_256_GCM_SHA384)
205 C(TLS_DH_anon_WITH_AES_128_GCM_SHA256)
206 C(TLS_DH_anon_WITH_AES_256_GCM_SHA384)
207
208 /* ECDSA addenda, RFC 4492 */
209 C(TLS_ECDH_ECDSA_WITH_NULL_SHA)
210 C(TLS_ECDH_ECDSA_WITH_RC4_128_SHA)
211 C(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA)
212 C(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
213 C(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
214 C(TLS_ECDHE_ECDSA_WITH_NULL_SHA)
215 C(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
216 C(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA)
217 C(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
218 C(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
219 C(TLS_ECDH_RSA_WITH_NULL_SHA)
220 C(TLS_ECDH_RSA_WITH_RC4_128_SHA)
221 C(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA)
222 C(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA)
223 C(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA)
224 C(TLS_ECDHE_RSA_WITH_NULL_SHA)
225 C(TLS_ECDHE_RSA_WITH_RC4_128_SHA)
226 C(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
227 C(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
228 C(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
229 C(TLS_ECDH_anon_WITH_NULL_SHA)
230 C(TLS_ECDH_anon_WITH_RC4_128_SHA)
231 C(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA)
232 C(TLS_ECDH_anon_WITH_AES_128_CBC_SHA)
233 C(TLS_ECDH_anon_WITH_AES_256_CBC_SHA)
234
235 /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
236 HMAC SHA-256/384. */
237 C(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
238 C(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384)
239 C(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256)
240 C(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384)
241 C(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
242 C(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
243 C(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256)
244 C(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384)
245
246 /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
247 SHA-256/384 and AES Galois Counter Mode (GCM) */
248 C(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
249 C(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
250 C(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256)
251 C(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384)
252 C(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
253 C(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
254 C(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256)
255 C(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384)
256
257 /* RFC 5746 - Secure Renegotiation */
258 C(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
259
260 /*
261 * Tags for SSL 2 cipher kinds which are not specified
262 * for SSL 3.
263 */
264 C(SSL_RSA_WITH_RC2_CBC_MD5)
265 C(SSL_RSA_WITH_IDEA_CBC_MD5)
266 C(SSL_RSA_WITH_DES_CBC_MD5)
267 C(SSL_RSA_WITH_3DES_EDE_CBC_MD5)
268 C(SSL_NO_SUCH_CIPHERSUITE)
269
270 C(SSL_RSA_EXPORT_WITH_RC4_40_MD5)
271 C(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5)
272 C(SSL_RSA_WITH_IDEA_CBC_SHA)
273 C(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA)
274 C(SSL_RSA_WITH_DES_CBC_SHA)
275 C(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA)
276 C(SSL_DH_DSS_WITH_DES_CBC_SHA)
277 C(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA)
278 C(SSL_DH_RSA_WITH_DES_CBC_SHA)
279 C(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA)
280 C(SSL_DHE_DSS_WITH_DES_CBC_SHA)
281 C(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA)
282 C(SSL_DHE_RSA_WITH_DES_CBC_SHA)
283 C(SSL_DH_anon_EXPORT_WITH_RC4_40_MD5)
284 C(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA)
285 C(SSL_DH_anon_WITH_DES_CBC_SHA)
286 C(SSL_FORTEZZA_DMS_WITH_NULL_SHA)
287 C(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA)
288
289 /* PSK */
290 C(TLS_PSK_WITH_AES_256_CBC_SHA384)
291 C(TLS_PSK_WITH_AES_128_CBC_SHA256)
292 C(TLS_PSK_WITH_AES_256_CBC_SHA)
293 C(TLS_PSK_WITH_AES_128_CBC_SHA)
294 C(TLS_PSK_WITH_RC4_128_SHA)
295 C(TLS_PSK_WITH_3DES_EDE_CBC_SHA)
296 C(TLS_PSK_WITH_NULL_SHA384)
297 C(TLS_PSK_WITH_NULL_SHA256)
298 C(TLS_PSK_WITH_NULL_SHA)
299
300
301 default:
302 return "Unknown Ciphersuite";
303 }
304
305 }