Security-59306.11.20.tar.gz
[apple/security.git] / OSX / libsecurity_ssl / regressions / ssl-utils.c
1 /*
2 * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 #include <Security/Security.h>
26 #include <AssertMacros.h>
27
28 #include "ssl-utils.h"
29
30 #include <Security/SecCertificatePriv.h>
31 #include "test-certs/CA-RSA_Cert.h"
32 #include "test-certs/ServerRSA_Key.h"
33 #include "test-certs/ServerRSA_Cert_CA-RSA.h"
34 #include "test-certs/ClientRSA_Key.h"
35 #include "test-certs/ClientRSA_Cert_CA-RSA.h"
36 #include "test-certs/UntrustedClientRSA_Key.h"
37 #include "test-certs/UntrustedClientRSA_Cert_Untrusted-CA-RSA.h"
38
39 #include <Security/SecIdentityPriv.h>
40 #include <Security/SecCertificatePriv.h>
41 #include <utilities/SecCFRelease.h>
42
43 #include "test-certs/eckey.h"
44 #include "test-certs/eccert.h"
45 #include "test-certs/ecclientcert.h"
46 #include "test-certs/ecclientkey.h"
47 #include "privkey-1.h"
48 #include "cert-1.h"
49
50 #if TARGET_OS_IPHONE
51 #include <Security/SecRSAKey.h>
52 #include <Security/SecECKey.h>
53 #endif
54
55
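/*
 * Import a DER-encoded private key (one of the test fixtures compiled into
 * this file) as a SecKeyRef.
 *
 * ecdsa         true to import the blob as an EC key, false for RSA.
 * pkey_der      key bytes; passed to the Security framework unmodified.
 * pkey_der_len  number of bytes at pkey_der.
 *
 * Returns the key, or NULL on failure. The caller releases it
 * (chain_from_der() does so with CFReleaseNull).
 *
 * Failure is reported only as NULL: the iOS constructors take no error
 * out-parameter, and on macOS the CFErrorRef is released without being
 * inspected.
 */
static
SecKeyRef create_private_key_from_der(bool ecdsa, const unsigned char *pkey_der, size_t pkey_der_len)
{
    /* Start from NULL so every early-out path returns a defined value. */
    SecKeyRef privKey = NULL;
#if TARGET_OS_IPHONE
    if (ecdsa) {
        privKey = SecKeyCreateECPrivateKey(kCFAllocatorDefault, pkey_der, pkey_der_len, kSecKeyEncodingPkcs1);
    } else {
        privKey = SecKeyCreateRSAPrivateKey(kCFAllocatorDefault, pkey_der, pkey_der_len, kSecKeyEncodingPkcs1);
    }
#else
    CFErrorRef error = NULL;
    CFDataRef keyData = CFDataCreate(kCFAllocatorDefault, pkey_der, pkey_der_len);
    /* NULL callbacks: the dictionary does not retain its keys or values,
     * which here are all framework constants. */
    CFMutableDictionaryRef parameters = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);

    /* Check both allocations before use; CFDictionarySetValue() does not
     * accept a NULL dictionary. On allocation failure the function simply
     * returns NULL like any other import failure. */
    if (keyData != NULL && parameters != NULL) {
        CFDictionarySetValue(parameters, kSecAttrKeyType, ecdsa ? kSecAttrKeyTypeECDSA : kSecAttrKeyTypeRSA);
        CFDictionarySetValue(parameters, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
        privKey = SecKeyCreateFromData(parameters, keyData, &error);
    }

    CFReleaseNull(keyData);
    CFReleaseNull(parameters);
    CFReleaseNull(error);
#endif
    return privKey;
}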
79
/*
 * Build a one-element array holding a SecIdentityRef made from a DER
 * private key and a DER certificate.
 *
 * ecdsa                   forwarded to create_private_key_from_der() to
 *                         select EC (true) or RSA (false) key import.
 * pkey_der, pkey_der_len  private key bytes and length.
 * cert_der, cert_der_len  certificate bytes and length.
 *
 * Returns a retained CFArrayRef that the caller must release, or NULL if
 * any step fails. Nothing here checks that the key and certificate belong
 * together beyond whatever SecIdentityCreate() itself does.
 */
static
CFArrayRef CF_RETURNS_RETAINED chain_from_der(bool ecdsa, const unsigned char *pkey_der, size_t pkey_der_len, const unsigned char *cert_der, size_t cert_der_len)
{
    CFArrayRef chain = NULL;
    SecIdentityRef identity = NULL;
    SecCertificateRef leaf = NULL;
    SecKeyRef key = NULL;

    key = create_private_key_from_der(ecdsa, pkey_der, pkey_der_len);
    require(key, errOut);

    leaf = SecCertificateCreateWithBytes(kCFAllocatorDefault, cert_der, cert_der_len);
    require(leaf, errOut);

    identity = SecIdentityCreate(kCFAllocatorDefault, leaf, key);
    require(identity, errOut);

    /* kCFTypeArrayCallBacks makes the array retain the identity, so the
     * local references can all be dropped below. */
    chain = CFArrayCreate(kCFAllocatorDefault, (const void **)&identity, 1, &kCFTypeArrayCallBacks);
    require(chain, errOut);

errOut:
    /* Shared exit for success and failure: only the array (if any) survives. */
    CFReleaseNull(key);
    CFReleaseNull(leaf);
    CFReleaseNull(identity);
    return chain;
}
99
/*
 * Identity chain for the EC test server, built from the embedded
 * eckey_der / eccert_der fixtures.
 *
 * Returns a one-element array owned by the caller (chain_from_der() is
 * CF_RETURNS_RETAINED), or NULL if chain_from_der() fails.
 */
CFArrayRef server_ec_chain(void)
{
    CFArrayRef chain = chain_from_der(true, eckey_der, eckey_der_len, eccert_der, eccert_der_len);

    return chain;
}
104
/*
 * Anchor list for the regression tests: a one-element array holding the
 * certificate parsed from the embedded CA_RSA_Cert_der fixture.
 *
 * Returns an array the caller must release, or NULL if the certificate
 * cannot be parsed or the array cannot be created.
 */
CFArrayRef trusted_roots(void)
{
    CFArrayRef anchors = NULL;
    SecCertificateRef ca = NULL;

    ca = SecCertificateCreateWithBytes(kCFAllocatorDefault, CA_RSA_Cert_der, CA_RSA_Cert_der_len);
    require(ca, errOut);

    /* The array retains the certificate (kCFTypeArrayCallBacks), so the
     * local reference is released unconditionally below. */
    anchors = CFArrayCreate(kCFAllocatorDefault, (const void **)&ca, 1, &kCFTypeArrayCallBacks);
    require(anchors, errOut);

errOut:
    CFReleaseNull(ca);
    return anchors;
}
117
/*
 * Identity chain for the RSA test server, built from the embedded
 * ServerRSA_Key_der / ServerRSA_Cert_CA_RSA_der fixtures.
 * NOTE(review): the fixture name suggests the certificate is issued by the
 * CA that trusted_roots() returns; confirm against test-certs/.
 *
 * Returns a one-element array owned by the caller, or NULL if
 * chain_from_der() fails.
 */
CFArrayRef server_chain(void)
{
    CFArrayRef chain = chain_from_der(false,
                                      ServerRSA_Key_der, ServerRSA_Key_der_len,
                                      ServerRSA_Cert_CA_RSA_der, ServerRSA_Cert_CA_RSA_der_len);

    return chain;
}
123
/*
 * Identity chain for the RSA test client, built from the embedded
 * ClientRSA_Key_der / ClientRSA_Cert_CA_RSA_der fixtures.
 * NOTE(review): "trusted" presumably means the certificate chains to the
 * CA returned by trusted_roots(); confirm against test-certs/.
 *
 * Returns a one-element array owned by the caller, or NULL if
 * chain_from_der() fails.
 */
CFArrayRef trusted_client_chain(void)
{
    CFArrayRef chain = chain_from_der(false,
                                      ClientRSA_Key_der, ClientRSA_Key_der_len,
                                      ClientRSA_Cert_CA_RSA_der, ClientRSA_Cert_CA_RSA_der_len);

    return chain;
}
129
/*
 * Identity chain for the EC test client, built from the embedded
 * ecclientkey_der / ecclientcert_der fixtures.
 *
 * Returns a one-element array owned by the caller, or NULL if
 * chain_from_der() fails.
 */
CFArrayRef trusted_ec_client_chain(void)
{
    CFArrayRef chain = chain_from_der(true,
                                      ecclientkey_der, ecclientkey_der_len,
                                      ecclientcert_der, ecclientcert_der_len);

    return chain;
}
134
/*
 * Identity chain for the negative client-auth case, built from the embedded
 * UntrustedClientRSA_Key_der / UntrustedClientRSA_Cert_Untrusted_CA_RSA_der
 * fixtures.
 * NOTE(review): judging by the fixture name, the certificate is issued by a
 * CA that is not in trusted_roots(), so a server validating against those
 * roots should reject it; confirm against test-certs/.
 *
 * Returns a one-element array owned by the caller, or NULL if
 * chain_from_der() fails.
 */
CFArrayRef untrusted_client_chain(void)
{
    CFArrayRef chain = chain_from_der(false,
                                      UntrustedClientRSA_Key_der, UntrustedClientRSA_Key_der_len,
                                      UntrustedClientRSA_Cert_Untrusted_CA_RSA_der, UntrustedClientRSA_Cert_Untrusted_CA_RSA_der_len);

    return chain;
}
140
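/*
 * Map an SSLCipherSuite value to the spelling of its enumerator.
 *
 * cs  cipher suite value to name.
 *
 * Returns a pointer to a string literal (static storage; do not free or
 * modify). The result is never NULL: any value without an entry in the
 * table below yields "Unknown Ciphersuite". The table has no entries for
 * TLS 1.3 or ChaCha20-Poly1305 suites, so those are reported as unknown.
 *
 * This is a naming table only. It lists NULL-encryption, EXPORT-grade and
 * anonymous-DH suites so that test output can label them; an entry here
 * says nothing about whether a suite is enabled or acceptable.
 */
const char *ciphersuite_name(SSLCipherSuite cs)
{

    /* One switch arm per suite: the enumerator is both the case label and,
     * stringified, the returned name. */
#define C(x) case x: return #x;
    switch (cs) {

        /* TLS 1.2 addenda, RFC 5246 */

        /* Initial state. */
        C(TLS_NULL_WITH_NULL_NULL)

        /* Server provided RSA certificate for key exchange. */
        C(TLS_RSA_WITH_NULL_MD5)
        C(TLS_RSA_WITH_NULL_SHA)
        C(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
        C(TLS_RSA_WITH_AES_128_CBC_SHA)
        C(TLS_RSA_WITH_AES_256_CBC_SHA)
        C(TLS_RSA_WITH_NULL_SHA256)
        C(TLS_RSA_WITH_AES_128_CBC_SHA256)
        C(TLS_RSA_WITH_AES_256_CBC_SHA256)

        /* Server-authenticated (and optionally client-authenticated) Diffie-Hellman. */
        C(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA)
        C(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA)
        C(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA)
        C(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
        C(TLS_DH_DSS_WITH_AES_128_CBC_SHA)
        C(TLS_DH_RSA_WITH_AES_128_CBC_SHA)
        C(TLS_DHE_DSS_WITH_AES_128_CBC_SHA)
        C(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
        C(TLS_DH_DSS_WITH_AES_256_CBC_SHA)
        C(TLS_DH_RSA_WITH_AES_256_CBC_SHA)
        C(TLS_DHE_DSS_WITH_AES_256_CBC_SHA)
        C(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
        C(TLS_DH_DSS_WITH_AES_128_CBC_SHA256)
        C(TLS_DH_RSA_WITH_AES_128_CBC_SHA256)
        C(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256)
        C(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
        C(TLS_DH_DSS_WITH_AES_256_CBC_SHA256)
        C(TLS_DH_RSA_WITH_AES_256_CBC_SHA256)
        C(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256)
        C(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)

        /* Completely anonymous Diffie-Hellman */
        C(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA)
        C(TLS_DH_anon_WITH_AES_128_CBC_SHA)
        C(TLS_DH_anon_WITH_AES_256_CBC_SHA)
        C(TLS_DH_anon_WITH_AES_128_CBC_SHA256)
        C(TLS_DH_anon_WITH_AES_256_CBC_SHA256)

        /* Addenda from rfc 5288 AES Galois Counter Mode (GCM) Cipher Suites
           for TLS. */
        C(TLS_RSA_WITH_AES_128_GCM_SHA256)
        C(TLS_RSA_WITH_AES_256_GCM_SHA384)
        C(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
        C(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
        C(TLS_DH_RSA_WITH_AES_128_GCM_SHA256)
        C(TLS_DH_RSA_WITH_AES_256_GCM_SHA384)
        C(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256)
        C(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384)
        C(TLS_DH_DSS_WITH_AES_128_GCM_SHA256)
        C(TLS_DH_DSS_WITH_AES_256_GCM_SHA384)
        C(TLS_DH_anon_WITH_AES_128_GCM_SHA256)
        C(TLS_DH_anon_WITH_AES_256_GCM_SHA384)

        /* ECDSA addenda, RFC 4492 */
        C(TLS_ECDH_ECDSA_WITH_NULL_SHA)
        C(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA)
        C(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
        C(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
        C(TLS_ECDHE_ECDSA_WITH_NULL_SHA)
        C(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA)
        C(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
        C(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
        C(TLS_ECDH_RSA_WITH_NULL_SHA)
        C(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA)
        C(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA)
        C(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA)
        C(TLS_ECDHE_RSA_WITH_NULL_SHA)
        C(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
        C(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
        C(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
        C(TLS_ECDH_anon_WITH_NULL_SHA)
        C(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA)
        C(TLS_ECDH_anon_WITH_AES_128_CBC_SHA)
        C(TLS_ECDH_anon_WITH_AES_256_CBC_SHA)

        /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
           HMAC SHA-256/384. */
        C(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
        C(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384)
        C(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256)
        C(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384)
        C(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
        C(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
        C(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256)
        C(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384)

        /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
           SHA-256/384 and AES Galois Counter Mode (GCM) */
        C(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
        C(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
        C(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256)
        C(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384)
        C(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        C(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
        C(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256)
        C(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384)

        /* RFC 5746 - Secure Renegotiation */
        C(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)

        /*
         * Tags for SSL 2 cipher kinds which are not specified
         * for SSL 3.
         */
        C(SSL_RSA_WITH_RC2_CBC_MD5)
        C(SSL_RSA_WITH_IDEA_CBC_MD5)
        C(SSL_RSA_WITH_DES_CBC_MD5)
        C(SSL_RSA_WITH_3DES_EDE_CBC_MD5)
        C(SSL_NO_SUCH_CIPHERSUITE)

        C(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5)
        C(SSL_RSA_WITH_IDEA_CBC_SHA)
        C(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA)
        C(SSL_RSA_WITH_DES_CBC_SHA)
        C(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA)
        C(SSL_DH_DSS_WITH_DES_CBC_SHA)
        C(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA)
        C(SSL_DH_RSA_WITH_DES_CBC_SHA)
        C(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA)
        C(SSL_DHE_DSS_WITH_DES_CBC_SHA)
        C(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA)
        C(SSL_DHE_RSA_WITH_DES_CBC_SHA)
        C(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA)
        C(SSL_DH_anon_WITH_DES_CBC_SHA)
        C(SSL_FORTEZZA_DMS_WITH_NULL_SHA)
        C(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA)

        /* PSK */
        C(TLS_PSK_WITH_AES_256_CBC_SHA384)
        C(TLS_PSK_WITH_AES_128_CBC_SHA256)
        C(TLS_PSK_WITH_AES_256_CBC_SHA)
        C(TLS_PSK_WITH_AES_128_CBC_SHA)
        C(TLS_PSK_WITH_3DES_EDE_CBC_SHA)
        C(TLS_PSK_WITH_NULL_SHA384)
        C(TLS_PSK_WITH_NULL_SHA256)
        C(TLS_PSK_WITH_NULL_SHA)


        default:
            return "Unknown Ciphersuite";
    }
    /* Keep the one-letter helper macro local to this function so it cannot
     * collide with identifiers elsewhere in the translation unit. */
#undef C

}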