OSX/libsecurity_ssl/regressions/SecureTransportTests/STLegacyTests+sslciphers.m

   1 /*
   2  * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 #include <stdio.h>
  26 #include <stdlib.h>
  27 #include <Security/SecureTransportPriv.h>
  28 #include <AssertMacros.h>
  29 #include <utilities/SecCFRelease.h>
  30
  31 #include "ssl-utils.h"
  32
  33 #include "cipherSpecs.h"
  34 #import "STLegacyTests.h"
  35
  36 #pragma clang diagnostic push
  37 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
  38
  39 @implementation STLegacyTests (sslciphers)
  40
  41 static int test_GetSupportedCiphers(SSLContextRef ssl, bool server)
  42 {
  43     size_t max_ciphers = 0;
  44     int fail=1;
  45     SSLCipherSuite *ciphers = NULL;
  46
  47     require_noerr(SSLGetNumberSupportedCiphers(ssl, &max_ciphers), out);
  48
  49     size_t size = max_ciphers * sizeof (SSLCipherSuite);
  50     ciphers = (SSLCipherSuite *) malloc(size);
  51
  52     require_string(ciphers, out, "out of memory");
  53     memset(ciphers, 0xff, size);
  54
  55     size_t num_ciphers = max_ciphers;
  56     require_noerr(SSLGetSupportedCiphers(ssl, ciphers, &num_ciphers), out);
  57
  58     for (size_t i = 0; i < num_ciphers; i++) {
  59         require(ciphers[i]!=(SSLCipherSuite)(-1), out);
  60     }
  61
  62     /* Success! */
  63     fail=0;
  64
  65 out:
  66     if(ciphers) free(ciphers);
  67     return fail;
  68 }
  69
  70
  71 static OSStatus SocketWrite(SSLConnectionRef conn, const void *data, size_t *length)
  72 {
  73     return errSSLWouldBlock;
  74 }
  75
  76 static OSStatus SocketRead(SSLConnectionRef conn, void *data, size_t *length)
  77 {
  78     return errSSLWouldBlock;
  79 }
  80
  81
  82
  83 static const SSLCipherSuite legacy_ciphersuites[] = {
  84     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  85     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  86     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  87     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  88     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  89     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  90     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
  91     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  92     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  93     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  94     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  95     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  96     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  97     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
  98     TLS_RSA_WITH_AES_256_GCM_SHA384,
  99     TLS_RSA_WITH_AES_128_GCM_SHA256,
 100     TLS_RSA_WITH_AES_256_CBC_SHA256,
 101     TLS_RSA_WITH_AES_128_CBC_SHA256,
 102     TLS_RSA_WITH_AES_256_CBC_SHA,
 103     TLS_RSA_WITH_AES_128_CBC_SHA,
 104     SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 105 };
 106
 107 const SSLCipherSuite legacy_DHE_ciphersuites[] = {
 108     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 109     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 110     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 111     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 112     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 113     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 114     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
 115     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 116     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 117     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 118     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 119     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 120     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 121     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 122     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
 123     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
 124     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
 125     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
 126     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
 127     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
 128     SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
 129     TLS_RSA_WITH_AES_256_GCM_SHA384,
 130     TLS_RSA_WITH_AES_128_GCM_SHA256,
 131     TLS_RSA_WITH_AES_256_CBC_SHA256,
 132     TLS_RSA_WITH_AES_128_CBC_SHA256,
 133     TLS_RSA_WITH_AES_256_CBC_SHA,
 134     TLS_RSA_WITH_AES_128_CBC_SHA,
 135     SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 136 };
 137
 138
 139
 140 const SSLCipherSuite standard_ciphersuites[] = {
 141     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 142     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 143     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 144     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 145     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 146     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 147     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 148     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 149     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 150     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 151     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 152     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 153     TLS_RSA_WITH_AES_256_GCM_SHA384,
 154     TLS_RSA_WITH_AES_128_GCM_SHA256,
 155     TLS_RSA_WITH_AES_256_CBC_SHA256,
 156     TLS_RSA_WITH_AES_128_CBC_SHA256,
 157     TLS_RSA_WITH_AES_256_CBC_SHA,
 158     TLS_RSA_WITH_AES_128_CBC_SHA,
 159 };
 160
 161 const SSLCipherSuite default_ciphersuites[] = {
 162     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 163     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 164     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 165     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 166     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 167     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 168     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
 169     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 170     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 171     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 172     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 173     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 174     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 175     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 176     TLS_RSA_WITH_AES_256_GCM_SHA384,
 177     TLS_RSA_WITH_AES_128_GCM_SHA256,
 178     TLS_RSA_WITH_AES_256_CBC_SHA256,
 179     TLS_RSA_WITH_AES_128_CBC_SHA256,
 180     TLS_RSA_WITH_AES_256_CBC_SHA,
 181     TLS_RSA_WITH_AES_128_CBC_SHA,
 182     SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 183 };
 184
 185 const SSLCipherSuite ATSv1_ciphersuites[] = {
 186     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 187     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 188     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 189     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 190     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 191     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 192     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 193     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 194     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 195     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 196     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 197     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 198 };
 199
 200 const SSLCipherSuite ATSv1_noPFS_ciphersuites[] = {
 201     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 202     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 203     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 204     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 205     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 206     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 207     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 208     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 209     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 210     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 211     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 212     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 213
 214     TLS_RSA_WITH_AES_256_GCM_SHA384,
 215     TLS_RSA_WITH_AES_128_GCM_SHA256,
 216     TLS_RSA_WITH_AES_256_CBC_SHA256,
 217     TLS_RSA_WITH_AES_128_CBC_SHA256,
 218     TLS_RSA_WITH_AES_256_CBC_SHA,
 219     TLS_RSA_WITH_AES_128_CBC_SHA,
 220 };
 221
 222 const SSLCipherSuite TLSv1_RC4_fallback_ciphersuites[] = {
 223     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 224     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 225     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 226     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 227     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
 228     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 229     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 230     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 231     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 232     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 233     TLS_RSA_WITH_AES_256_CBC_SHA256,
 234     TLS_RSA_WITH_AES_128_CBC_SHA256,
 235     TLS_RSA_WITH_AES_256_CBC_SHA,
 236     TLS_RSA_WITH_AES_128_CBC_SHA,
 237     SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 238 };
 239
 240 const SSLCipherSuite TLSv1_fallback_ciphersuites[] = {
 241     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 242     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 243     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 244     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 245     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
 246     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 247     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 248     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 249     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 250     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 251     TLS_RSA_WITH_AES_256_CBC_SHA256,
 252     TLS_RSA_WITH_AES_128_CBC_SHA256,
 253     TLS_RSA_WITH_AES_256_CBC_SHA,
 254     TLS_RSA_WITH_AES_128_CBC_SHA,
 255     SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 256 };
 257
 258 const SSLCipherSuite anonymous_ciphersuites[] = {
 259     TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
 260     TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
 261     TLS_DH_anon_WITH_AES_256_CBC_SHA256,
 262     TLS_DH_anon_WITH_AES_256_CBC_SHA,
 263     TLS_DH_anon_WITH_AES_128_CBC_SHA256,
 264     TLS_DH_anon_WITH_AES_128_CBC_SHA
 265 };
 266
 267
 268 static int test_GetEnabledCiphers(SSLContextRef ssl, unsigned expected_num_ciphers, const SSLCipherSuite *expected_ciphers)
 269 {
 270     size_t num_ciphers;
 271     size_t size;
 272     int fail=1;
 273     SSLCipherSuite *ciphers = NULL;
 274
 275     require_noerr(SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite), out);
 276     require_noerr(SSLSetConnection(ssl, NULL), out);
 277
 278     require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_ciphers), out);
 279     require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number");
 280
 281     size = num_ciphers * sizeof (SSLCipherSuite);
 282     ciphers = (SSLCipherSuite *) malloc(size);
 283     require_string(ciphers, out, "out of memory");
 284     memset(ciphers, 0xff, size);
 285
 286     require_noerr(SSLGetEnabledCiphers(ssl, ciphers, &num_ciphers), out);
 287     require_string(memcmp(ciphers, expected_ciphers, size)==0, out, "wrong ciphersuites");
 288
 289     free(ciphers);
 290     ciphers = NULL;
 291
 292     require(SSLHandshake(ssl) == errSSLWouldBlock, out);
 293
 294     require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_ciphers), out);
 295     require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number");
 296
 297     size = num_ciphers * sizeof (SSLCipherSuite);
 298     ciphers = (SSLCipherSuite *) malloc(size);
 299     require_string(ciphers, out, "out of memory");
 300     memset(ciphers, 0xff, size);
 301
 302     require_noerr(SSLGetEnabledCiphers(ssl, ciphers, &num_ciphers), out);
 303     require_string(memcmp(ciphers, expected_ciphers, size)==0, out, "wrong ciphersuites");
 304
 305     /* Success! */
 306     fail=0;
 307
 308 out:
 309     free(ciphers);
 310     return fail;
 311 }
 312
 313 static int test_SetEnabledCiphers(SSLContextRef ssl)
 314 {
 315     int fail=1;
 316     size_t num_enabled;
 317
 318     /* This should not fail as long as we have one valid cipher in this table */
 319     SSLCipherSuite ciphers[] = {
 320         SSL_RSA_WITH_RC2_CBC_MD5, /* unsupported */
 321         TLS_RSA_WITH_NULL_SHA, /* supported by not enabled by default */
 322         TLS_RSA_WITH_AES_128_CBC_SHA, /* Supported and enabled by default */
 323     };
 324
 325     require_noerr(SSLSetEnabledCiphers(ssl, ciphers, sizeof(ciphers)/sizeof(SSLCipherSuite)), out);
 326     require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_enabled), out);
 327
 328     require(num_enabled==2, out); /* 2 ciphers in the above table are supported */
 329
 330     /* Success! */
 331     fail=0;
 332
 333 out:
 334     return fail;
 335 }
 336
 337
 338 - (void)test_dhe: (SSLProtocolSide) side dhe_enabled: (bool) dhe_enabled
 339 {
 340     SSLContextRef ssl = NULL;
 341     bool server = (side == kSSLServerSide);
 342
 343     ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
 344     XCTAssert(ssl != NULL, "test_dhe: SSLCreateContext(1) failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
 345     require(ssl, out);
 346
 347     XCTAssertEqual(noErr, SSLSetDHEEnabled(ssl, dhe_enabled),"test_dhe: SSLSetDHEEnabled failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
 348
 349     unsigned num = (dhe_enabled?sizeof(legacy_DHE_ciphersuites):sizeof(legacy_ciphersuites))/sizeof(SSLCipherSuite);
 350     const SSLCipherSuite *ciphers = dhe_enabled?legacy_DHE_ciphersuites:legacy_ciphersuites;
 351     /* The order of this tests does matter, be careful when adding tests */
 352     XCTAssert(!test_GetSupportedCiphers(ssl, server), "test_dhe: GetSupportedCiphers test failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
 353     XCTAssert(!test_GetEnabledCiphers(ssl, num, ciphers), "test_dhe: GetEnabledCiphers test failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
 354
 355     CFRelease(ssl); ssl=NULL;
 356
 357     ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
 358     XCTAssert(ssl, "test_dhe: SSLCreateContext(2) failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
 359     require(ssl, out);
 360
 361     XCTAssert(!test_SetEnabledCiphers(ssl), "test_dhe: SetEnabledCiphers test failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
 362
 363 out:
 364     if(ssl) CFRelease(ssl);
 365 }
 366
 367 -(void) test_config: (SSLProtocolSide) side config: (CFStringRef) config num: (unsigned) num cipherList: (const SSLCipherSuite*) ciphers
 368 {
 369     SSLContextRef ssl = NULL;
 370     bool server = (side == kSSLServerSide);
 371
 372     ssl = SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
 373     XCTAssert(ssl, "test_config: SSLCreateContext(1) failed (%s,%@)", server?"server":"client", config);
 374
 375     XCTAssertEqual(errSecSuccess, SSLSetSessionConfig(ssl, config), "test_config: SSLSetSessionConfig failed (%s,%@)", server?"server":"client", config);
 376
 377     /* The order of this tests does matter, be careful when adding tests */
 378     XCTAssert(!test_GetSupportedCiphers(ssl, server), "test_config: GetSupportedCiphers test failed (%s,%@)", server?"server":"client", config);
 379     XCTAssert(!test_GetEnabledCiphers(ssl, num, ciphers), "test_config: GetEnabledCiphers test failed (%s,%@)", server?"server":"client", config);
 380
 381     CFRelease(ssl); ssl=NULL;
 382
 383     ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
 384     XCTAssert(ssl, "test_config: SSLCreateContext(2) failed (%s,%@)", server?"server":"client", config);
 385     require(ssl, out);
 386
 387     XCTAssert(!test_SetEnabledCiphers(ssl), "test_config: SetEnabledCiphers test failed (%s,%@)", server?"server":"client", config);
 388
 389 out:
 390     if(ssl) CFRelease(ssl);
 391 }
 392
 393 -(void) test_default: (SSLProtocolSide) side
 394 {
 395     SSLContextRef ssl = NULL;
 396     bool server = (side == kSSLServerSide);
 397
 398     ssl = SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
 399     XCTAssert(ssl != NULL, "test_config: SSLCreateContext(1) failed (%s)", server?"server":"client");
 400     require(ssl, out);
 401
 402     /* The order of this tests does matter, be careful when adding tests */
 403     XCTAssert(!test_GetSupportedCiphers(ssl, server), "test_default: GetSupportedCiphers test failed (%s)", server?"server":"client");
 404     XCTAssert(!test_GetEnabledCiphers(ssl, sizeof(default_ciphersuites)/sizeof(SSLCipherSuite), default_ciphersuites), "test_default: GetEnabledCiphers test failed (%s)", server?"server":"client");
 405
 406     CFRelease(ssl); ssl=NULL;
 407
 408     ssl = SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
 409     XCTAssert(ssl, "test_default: SSLCreateContext(2) failed (%s)", server?"server":"client");
 410     require(ssl, out);
 411
 412     XCTAssert(!test_SetEnabledCiphers(ssl), "test_config: SetEnabledCiphers test failed (%s)", server?"server":"client");
 413
 414 out:
 415     if (ssl) {
 416         CFRelease(ssl);
 417     }
 418 }
 419
 420 -(void) test_get_cipher_tls_version
 421 {
 422     SSLContextRef ctx = NULL;
 423     size_t num_ciphers;
 424     SSLCipherSuite *ciphers = NULL;
 425     SSLProtocol sslmin, sslmax;
 426
 427     ctx = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
 428     XCTAssert(ctx, "Error creating SSL context");
 429     XCTAssertEqual(errSecSuccess, SSLGetNumberEnabledCiphers(ctx, &num_ciphers));
 430     ciphers = (SSLCipherSuite *) malloc(num_ciphers * sizeof (SSLCipherSuite));
 431
 432     XCTAssertEqual(errSecSuccess, SSLGetEnabledCiphers(ctx, ciphers, &num_ciphers), "Error getting enabled ciphers");
 433     for (size_t i = 0; i < num_ciphers; i++) {
 434         sslmin = SSLCiphersuiteMinimumTLSVersion(ciphers[i]);
 435         XCTAssertNotEqual(kSSLProtocolUnknown, sslmin);
 436         sslmax = SSLCiphersuiteMaximumTLSVersion(ciphers[i]);
 437     }
 438     free(ciphers);
 439     CFReleaseNull(ctx);
 440 }
 441
 442 -(void) test_cipher_group_to_list
 443 {
 444     SSLCiphersuiteGroup group = kSSLCiphersuiteGroupDefault;
 445     size_t cipher_count = 0;
 446     const SSLCipherSuite *list = SSLCiphersuiteGroupToCiphersuiteList(group, &cipher_count);
 447     XCTAssert(list, "Error getting cipher list for group");
 448 }
 449
 450 -(void) testSSLCiphers
 451 {
 452     [self test_dhe:kSSLClientSide dhe_enabled:true];
 453     [self test_dhe:kSSLServerSide dhe_enabled:true];
 454         [self test_dhe:kSSLClientSide dhe_enabled:false];
 455     [self test_dhe:kSSLServerSide dhe_enabled:false];
 456
 457     [self test_default:kSSLClientSide];
 458     [self test_default:kSSLServerSide];
 459
 460 #define TEST_CONFIG(x, y) do {  \
 461     [self test_config:kSSLClientSide config:x num:sizeof(y)/sizeof(SSLCipherSuite) cipherList:y]; \
 462     [self test_config:kSSLServerSide config:x num:sizeof(y)/sizeof(SSLCipherSuite) cipherList:y]; \
 463 } while(0)
 464
 465     TEST_CONFIG(kSSLSessionConfig_ATSv1, ATSv1_ciphersuites);
 466     TEST_CONFIG(kSSLSessionConfig_ATSv1_noPFS, ATSv1_noPFS_ciphersuites);
 467     TEST_CONFIG(kSSLSessionConfig_legacy, legacy_ciphersuites);
 468     TEST_CONFIG(kSSLSessionConfig_legacy_DHE, legacy_DHE_ciphersuites);
 469     TEST_CONFIG(kSSLSessionConfig_standard, standard_ciphersuites);
 470     TEST_CONFIG(kSSLSessionConfig_RC4_fallback, legacy_ciphersuites);
 471     TEST_CONFIG(kSSLSessionConfig_TLSv1_fallback, default_ciphersuites);
 472     TEST_CONFIG(kSSLSessionConfig_TLSv1_RC4_fallback, legacy_ciphersuites);
 473     TEST_CONFIG(kSSLSessionConfig_default, default_ciphersuites);
 474     TEST_CONFIG(kSSLSessionConfig_anonymous, anonymous_ciphersuites);
 475     TEST_CONFIG(kSSLSessionConfig_3DES_fallback, default_ciphersuites);
 476     TEST_CONFIG(kSSLSessionConfig_TLSv1_3DES_fallback, default_ciphersuites);
 477
 478 }
 479
 480 @end
 481
 482 #pragma clang diagnostic pop