TLS_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
- // TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ /* RC4 */
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_MD5,
SSL_DH_anon_WITH_RC4_128_MD5,
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDH_anon_WITH_NULL_SHA,
+ TLS_ECDH_anon_WITH_RC4_128_SHA,
+ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
+
TLS_ECDHE_ECDSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_NULL_SHA,
static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTrustRef *trust)
{
+ CFMutableArrayRef peer_cert_array = NULL;
+ CFMutableArrayRef orig_peer_cert_array = NULL;
+
/* verify peer cert chain */
require_noerr(SSLCopyPeerTrust(ctx, trust), out);
SecTrustResultType trust_result = 0;
require_noerr(SecTrustEvaluate(*trust, &trust_result), out);
CFIndex n_certs = SecTrustGetCertificateCount(*trust);
- /* fprintf(stderr, "%ld certs; trust_eval: %d\n", n_certs, trust_result); */
- CFMutableArrayRef peer_cert_array =
- CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks);
- CFMutableArrayRef orig_peer_cert_array =
- CFArrayCreateMutableCopy(NULL, n_certs, ssl->peer_certs);
+ peer_cert_array = CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks);
+ orig_peer_cert_array = CFArrayCreateMutableCopy(NULL, n_certs, ssl->peer_certs);
while (n_certs--)
CFArrayInsertValueAtIndex(peer_cert_array, 0,
SecTrustGetCertificateAtIndex(*trust, n_certs));
CFRelease(peer_cert);
require(CFEqual(orig_peer_cert_array, peer_cert_array), out);
- CFRelease(orig_peer_cert_array);
- CFRelease(peer_cert_array);
-
- /*
- CFStringRef cert_name = SecCertificateCopySubjectSummary(cert);
- char cert_name_buffer[1024];
- require(CFStringGetFileSystemRepresentation(cert_name,
- cert_name_buffer, sizeof(cert_name_buffer)), out);
- fprintf(stderr, "cert name: %s\n", cert_name_buffer);
- CFRelease(trust);
- */
+ CFReleaseNull(orig_peer_cert_array);
+ CFReleaseNull(peer_cert_array);
+
return true;
out:
+ CFReleaseNull(orig_peer_cert_array);
+ CFReleaseNull(peer_cert_array);
return false;
}
require_noerr(ortn=SSLGetSessionState(ctx,&ssl_state), out);
require_action(ssl_state==kSSLIdle, out, ortn = -1);
- //uint64_t start = mach_absolute_time();
do {
ortn = SSLHandshake(ctx);
require_noerr(SSLGetSessionState(ctx,&ssl_state), out);
require_string(!got_server_auth, out, "got server auth during resumption??");
require_string(check_peer_cert(ctx, ssl, &trust), out, "Certificate check failed (resumption case)");
}
- //uint64_t elapsed = mach_absolute_time() - start;
- //fprintf(stderr, "setr elapsed: %lld\n", elapsed);
-
- /*
- SSLProtocol proto = kSSLProtocolUnknown;
- require_noerr_quiet(SSLGetNegotiatedProtocolVersion(ctx, &proto), out); */
SSLCipherSuite cipherSuite;
require_noerr_quiet(ortn = SSLGetNegotiatedCipher(ctx, &cipherSuite), out);
- //fprintf(stderr, "st negotiated %s\n", sslcipher_itoa(cipherSuite));
if(ssl->is_dtls) {
size_t sz;
SSLGetDatagramWriteSize(ctx, &sz);
- //fprintf(stderr, "Max Write Size = %ld\n", sz);
}
Boolean sessionWasResumed = false;
size_t session_id_length = sizeof(session_id_data);
require_noerr_quiet(ortn = SSLGetResumableSessionInfo(ctx, &sessionWasResumed, session_id_data, &session_id_length), out);
require_action(ssl->dh_anonymous || (ssl->is_session_resume == sessionWasResumed), out, ortn = -1);
- // if (sessionWasResumed) fprintf(stderr, "st resumed session\n");
- //hexdump(session_id_data, session_id_length);
#define BUFSIZE (8*1024)
unsigned char ibuf[BUFSIZE], obuf[BUFSIZE];
size_t len;
if (ssl->is_server) {
memset(obuf, i, BUFSIZE);
- // SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf);
require_noerr(ortn = SSLWrite(ctx, obuf, BUFSIZE, &len), out);
require_action(len == BUFSIZE, out, ortn = -1);
size_t l=len;
ortn = SSLRead(ctx, ibuf+len, BUFSIZE-len, &l);
len+=l;
- //printf("SSLRead [%p] %d, l=%zd len=%zd\n", ctx, (int)ortn, l, len);
}
- //printf("SSLRead [%p] done\n", ctx);
-
require_noerr(ortn, out);
require_action(len == BUFSIZE, out, ortn = -1);
CFArrayRef server_rsa_certs = server_chain();
CFArrayRef server_ec_certs = server_ec_chain();
CFArrayRef client_certs = trusted_client_chain();
- ok(server_rsa_certs, "got rsa server cert chain");
- ok(server_ec_certs, "got ec server cert chain");
- ok(client_certs, "got rsa client cert chain");
+ require(server_rsa_certs != NULL, end);
+ require(server_ec_certs != NULL, end);
+ require(client_certs != NULL, end);
-/* Enable this if you want to test a specific d/i/k/l/m/p combination */
-#if 0
- int i=0, l=0, k=0, p=0; { {
-#else
int i,k,l, p;
for (p=0; p<nprotos; p++)
for (i=0; i<SupportedCipherSuitesCount; i++)
for (l = 0; l<2; l++) { /* resumption or not */
-#endif
uint16_t cs = (uint16_t)(SupportedCipherSuites[i]);
KeyExchangeMethod kem = sslCipherSuiteGetKeyExchangeMethod(cs);
SSL_CipherAlgorithm cipher = sslCipherSuiteGetSymmetricCipherAlgorithm(cs);
+ tls_protocol_version min_version = sslCipherSuiteGetMinSupportedTLSVersion(cs);
+
CFArrayRef server_certs;
if(kem == SSL_ECDHE_ECDSA) {
SKIP:{
bool dtls = (protos[p] == kDTLSProtocol1);
- bool dtls_ok = (cipher != SSL_CipherAlgorithmRC4_128);
bool server_ok = ((kem != SSL_ECDH_ECDSA) && (kem != SSL_ECDH_RSA) && (kem != SSL_ECDH_anon));
bool dh_anonymous = ((kem == SSL_DH_anon) || (kem == TLS_PSK));
-
+ bool version_ok;
+
+ switch(protos[p]) {
+ case kDTLSProtocol1:
+ version_ok = cipher != SSL_CipherAlgorithmRC4_128 && (min_version != tls_protocol_version_TLS_1_2);
+ break;
+ case kSSLProtocol3:
+ version_ok = (min_version == tls_protocol_version_SSL_3);
+ break;
+ case kTLSProtocol1:
+ case kTLSProtocol11:
+ version_ok = (min_version != tls_protocol_version_TLS_1_2);
+ break;
+ case kTLSProtocol12:
+ version_ok = true;
+ break;
+ default:
+ version_ok = false;
+
+ }
skip("This ciphersuite is not supported by Server", 1, server_ok);
- skip("This ciphersuite is not supported for DTLS", 1, (dtls_ok || !dtls));
+ skip("This ciphersuite is not supported for this protocol version", 1, version_ok);
int sp[2];
- if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) exit(errno);
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) {
+ exit(errno);
+ }
fcntl(sp[0], F_SETNOSIGPIPE, 1);
fcntl(sp[1], F_SETNOSIGPIPE, 1);
SSLAuthenticate client_side_auth = k;
uint32_t session_id = (p<<24) | (k<<16) | (i+1);
- //fprintf(stderr, "session_id: %d\n", session_id);
server = ssl_test_handle_create(session_id, (l == 1), true /*server*/,
client_side_auth, dh_anonymous, dtls,
sp[0], server_certs, client_certs, protos[p]);
pthread_create(&client_thread, NULL, securetransport_ssl_thread, client);
pthread_create(&server_thread, NULL, securetransport_ssl_thread, server);
- int server_err, client_err;
+ intptr_t server_err, client_err;
pthread_join(client_thread, (void*)&client_err);
pthread_join(server_thread, (void*)&server_err);
} /* all configs */
+end:
+ CFReleaseSafe(client_certs);
CFReleaseSafe(server_ec_certs);
CFReleaseSafe(server_rsa_certs);
- CFReleaseSafe(client_certs);
-
}
int ssl_42_ciphers(int argc, char *const *argv)
{
- plan_tests(3 * 2 * nprotos * SupportedCipherSuitesCount /* client auth 0/1/2 * #resumptions * #protos * #ciphers */
- + 3 /*cert*/);
+ plan_tests(3 * 2 * nprotos * SupportedCipherSuitesCount /* client auth 0/1/2 * #resumptions * #protos * #ciphers */);
tests();
projects / apple / security.git / blobdiff