]> git.saurik.com Git - apple/security.git/blob - Security/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57031.30.12.tar.gz
[apple/security.git] / Security / libsecurity_ssl / regressions / ssl-46-SSLGetSupportedCiphers.c
1 /*
2 * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <Security/SecureTransport.h>
28 #include <AssertMacros.h>
29
30 #include "ssl_regressions.h"
31 #include "ssl-utils.h"
32
33
34 #include "cipherSpecs.h"
35
36 static int test_GetSupportedCiphers(SSLContextRef ssl)
37 {
38 size_t max_ciphers = 0;
39 int fail=1;
40 SSLCipherSuite *ciphers = NULL;
41
42 require_noerr(SSLGetNumberSupportedCiphers(ssl, &max_ciphers), out);
43
44 size_t size = max_ciphers * sizeof (SSLCipherSuite);
45 ciphers = (SSLCipherSuite *) malloc(size);
46
47 require_string(ciphers, out, "out of memory");
48 memset(ciphers, 0xff, size);
49
50 size_t num_ciphers = max_ciphers;
51 require_noerr(SSLGetSupportedCiphers(ssl, ciphers, &num_ciphers), out);
52
53
54 for (size_t i = 0; i < num_ciphers; i++) {
55 require(ciphers[i]!=(SSLCipherSuite)(-1), out);
56 }
57
58 /* Success! */
59 fail=0;
60
61 out:
62 if(ciphers) free(ciphers);
63 return fail;
64 }
65
66 static
67 int allowed_default_ciphers(SSLCipherSuite cs)
68 {
69 switch (cs) {
70
71 /* BAD to enable by default */
72
73
74 /*
75 * Tags for SSL 2 cipher kinds which are not specified
76 * for SSL 3.
77 */
78 case SSL_RSA_WITH_RC2_CBC_MD5:
79 case SSL_RSA_WITH_IDEA_CBC_MD5:
80 case SSL_RSA_WITH_DES_CBC_MD5:
81 case SSL_RSA_WITH_3DES_EDE_CBC_MD5:
82
83 /* Export and Simple DES ciphers */
84 case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
85 case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
86 case SSL_RSA_WITH_IDEA_CBC_SHA:
87 case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:
88 case SSL_RSA_WITH_DES_CBC_SHA:
89 case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
90 case SSL_DH_DSS_WITH_DES_CBC_SHA:
91 case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
92 case SSL_DH_RSA_WITH_DES_CBC_SHA:
93 case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
94 case SSL_DHE_DSS_WITH_DES_CBC_SHA:
95 case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
96 case SSL_DHE_RSA_WITH_DES_CBC_SHA:
97 case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5:
98 case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
99 case SSL_DH_anon_WITH_DES_CBC_SHA:
100 case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
101 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
102
103 case SSL_NO_SUCH_CIPHERSUITE:
104
105 /* Null ciphers. */
106 case TLS_NULL_WITH_NULL_NULL:
107 case TLS_RSA_WITH_NULL_MD5:
108 case TLS_RSA_WITH_NULL_SHA:
109 case TLS_RSA_WITH_NULL_SHA256:
110 case TLS_ECDH_ECDSA_WITH_NULL_SHA:
111 case TLS_ECDHE_ECDSA_WITH_NULL_SHA:
112 case TLS_ECDHE_RSA_WITH_NULL_SHA:
113 case TLS_ECDH_RSA_WITH_NULL_SHA:
114 case TLS_ECDH_anon_WITH_NULL_SHA:
115
116 /* Completely anonymous Diffie-Hellman */
117 case TLS_DH_anon_WITH_RC4_128_MD5:
118 case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
119 case TLS_DH_anon_WITH_AES_128_CBC_SHA:
120 case TLS_DH_anon_WITH_AES_256_CBC_SHA:
121 case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
122 case TLS_DH_anon_WITH_AES_256_CBC_SHA256:
123 case TLS_DH_anon_WITH_AES_128_GCM_SHA256:
124 case TLS_DH_anon_WITH_AES_256_GCM_SHA384:
125 case TLS_ECDH_anon_WITH_RC4_128_SHA:
126 case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA:
127 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA:
128 case TLS_ECDH_anon_WITH_AES_256_CBC_SHA:
129
130 return 0;
131
132
133 /* OK to enable by default */
134
135 /* Server provided RSA certificate for key exchange. */
136 case TLS_RSA_WITH_RC4_128_MD5:
137 case TLS_RSA_WITH_RC4_128_SHA:
138 case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
139 case TLS_RSA_WITH_AES_128_CBC_SHA:
140 case TLS_RSA_WITH_AES_256_CBC_SHA:
141 case TLS_RSA_WITH_AES_128_CBC_SHA256:
142 case TLS_RSA_WITH_AES_256_CBC_SHA256:
143 return 1;
144
145 /* Server-authenticated (and optionally client-authenticated) Diffie-Hellman. */
146 case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
147 case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
148 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
149 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
150 case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
151 case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
152 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
153 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
154 case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
155 case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
156 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
157 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
158 case TLS_DH_DSS_WITH_AES_128_CBC_SHA256:
159 case TLS_DH_RSA_WITH_AES_128_CBC_SHA256:
160 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
161 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
162 case TLS_DH_DSS_WITH_AES_256_CBC_SHA256:
163 case TLS_DH_RSA_WITH_AES_256_CBC_SHA256:
164 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
165 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
166
167 case TLS_RSA_WITH_AES_128_GCM_SHA256:
168 case TLS_RSA_WITH_AES_256_GCM_SHA384:
169 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
170 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
171 case TLS_DH_RSA_WITH_AES_128_GCM_SHA256:
172 case TLS_DH_RSA_WITH_AES_256_GCM_SHA384:
173 case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
174 case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
175 case TLS_DH_DSS_WITH_AES_128_GCM_SHA256:
176 case TLS_DH_DSS_WITH_AES_256_GCM_SHA384:
177
178 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
179 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
180 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
181 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
182 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
183 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
184 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
185 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
186 case TLS_ECDH_RSA_WITH_RC4_128_SHA:
187 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
188 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
189 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
190 case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
191 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
192 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
193 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
194
195 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
196 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
197 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
198 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
199 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
200 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
201 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
202 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
203
204 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
205 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
206 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
207 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
208 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
209 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
210 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
211 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
212
213 /* RFC 5746 - Secure Renegotiation */
214 case TLS_EMPTY_RENEGOTIATION_INFO_SCSV:
215 return 1;
216
217 /* unknown cipher ? */
218 default:
219 return 0;
220 }
221 }
222
223 static OSStatus SocketWrite(SSLConnectionRef conn, const void *data, size_t *length)
224 {
225 return errSSLWouldBlock;
226 }
227
228 static OSStatus SocketRead(SSLConnectionRef conn, void *data, size_t *length)
229 {
230 return errSSLWouldBlock;
231 }
232
233
234 static int test_GetEnabledCiphers(SSLContextRef ssl)
235 {
236 size_t max_ciphers = 0;
237 int fail=1;
238 SSLCipherSuite *ciphers = NULL;
239 OSStatus err;
240
241 err=SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite);
242 err=SSLSetConnection(ssl, NULL);
243 err=SSLHandshake(ssl);
244
245 require_noerr(SSLGetNumberEnabledCiphers(ssl, &max_ciphers), out);
246
247 size_t size = max_ciphers * sizeof (SSLCipherSuite);
248 ciphers = (SSLCipherSuite *) malloc(size);
249
250 require_string(ciphers, out, "out of memory");
251 memset(ciphers, 0xff, size);
252
253 size_t num_ciphers = max_ciphers;
254 require_noerr(SSLGetEnabledCiphers(ssl, ciphers, &num_ciphers), out);
255
256 for (size_t i = 0; i < num_ciphers; i++) {
257 char csname[256];
258 snprintf(csname, 256, "(%04x) %s", ciphers[i], ciphersuite_name(ciphers[i]));
259 /* Uncomment the next line if you want to list the default enabled ciphers */
260 //printf("%s\n", csname);
261 require_string(allowed_default_ciphers(ciphers[i]), out, csname);
262 }
263
264 /* Success! */
265 fail=0;
266
267 out:
268 if(ciphers) free(ciphers);
269 return fail;
270 }
271
272 static int test_SetEnabledCiphers(SSLContextRef ssl)
273 {
274 int fail=1;
275 size_t num_enabled;
276
277 /* This should not fail as long as we have one valid cipher in this table */
278 SSLCipherSuite ciphers[] = {
279 SSL_RSA_WITH_RC2_CBC_MD5, /* unsupported */
280 TLS_RSA_WITH_NULL_SHA, /* supported by not enabled by default */
281 TLS_RSA_WITH_AES_128_CBC_SHA, /* Supported and enabled by default */
282 };
283
284 require_noerr(SSLSetEnabledCiphers(ssl, ciphers, sizeof(ciphers)/sizeof(SSLCipherSuite)), out);
285 require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_enabled), out);
286
287 require(num_enabled==2, out); /* 2 ciphers in the above table are supported */
288
289 /* Success! */
290 fail=0;
291
292 out:
293 return fail;
294 }
295
296
297 static void
298 test(void)
299 {
300 SSLContextRef ssl = NULL;
301
302 require(ssl=SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType), out);
303 ok(ssl, "SSLCreateContext failed");
304
305 /* The order of this tests does matter, be careful when adding tests */
306 ok(!test_GetSupportedCiphers(ssl), "GetSupportedCiphers test failed");
307 ok(!test_GetEnabledCiphers(ssl), "GetEnabledCiphers test failed");
308
309 CFRelease(ssl); ssl=NULL;
310
311 require(ssl=SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType), out);
312 ok(ssl, "SSLCreateContext failed");
313
314 ok(!test_SetEnabledCiphers(ssl), "SetEnabledCiphers test failed");
315
316 out:
317 if(ssl) CFRelease(ssl);
318 }
319
320
321 int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
322 {
323 plan_tests(5);
324
325 test();
326
327 return 0;
328 }
329
mirror of Security