]> git.saurik.com Git - apple/security.git/blobdiff - OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
projects / apple / security.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security-58286.20.16.tar.gz
[apple/security.git] / OSX / libsecurity_ssl / regressions / ssl-46-SSLGetSupportedCiphers.c
diff --git a/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c b/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
index 6ba45aadc5bc6ed15928406c31a68c7951e17a78..ef0ef929b6bc370df2524ab0df3dfe3e3b322628 100644 (file)
--- a/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
@@ -62,165 +62,6 @@ out:
     return fail;
 }
 
     return fail;
 }
 
-static
-int allowed_default_ciphers(SSLCipherSuite cs, bool server, bool dhe_enabled)
-{
-    switch (cs) {
-
-        /* BAD to enable by default */
-
-
-        /*
-         * Tags for SSL 2 cipher kinds which are not specified
-         * for SSL 3.
-         */
-        case SSL_RSA_WITH_RC2_CBC_MD5:
-        case SSL_RSA_WITH_IDEA_CBC_MD5:
-        case SSL_RSA_WITH_DES_CBC_MD5:
-        case SSL_RSA_WITH_3DES_EDE_CBC_MD5:
-
-        /* Export and Simple DES ciphers */
-        case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
-        case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
-        case SSL_RSA_WITH_IDEA_CBC_SHA:
-        case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:
-        case SSL_RSA_WITH_DES_CBC_SHA:
-        case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
-        case SSL_DH_DSS_WITH_DES_CBC_SHA:
-        case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
-        case SSL_DH_RSA_WITH_DES_CBC_SHA:
-        case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
-        case SSL_DHE_DSS_WITH_DES_CBC_SHA:
-        case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
-        case SSL_DHE_RSA_WITH_DES_CBC_SHA:
-        case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5:
-        case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
-        case SSL_DH_anon_WITH_DES_CBC_SHA:
-        case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
-        case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
-
-        case SSL_NO_SUCH_CIPHERSUITE:
-
-        /* Null ciphers. */
-        case TLS_NULL_WITH_NULL_NULL:
-        case TLS_RSA_WITH_NULL_MD5:
-        case TLS_RSA_WITH_NULL_SHA:
-        case TLS_RSA_WITH_NULL_SHA256:
-        case TLS_ECDH_ECDSA_WITH_NULL_SHA:
-        case TLS_ECDHE_ECDSA_WITH_NULL_SHA:
-        case TLS_ECDHE_RSA_WITH_NULL_SHA:
-        case TLS_ECDH_RSA_WITH_NULL_SHA:
-        case TLS_ECDH_anon_WITH_NULL_SHA:
-
-        /* Completely anonymous Diffie-Hellman */
-        case TLS_DH_anon_WITH_RC4_128_MD5:
-        case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
-        case TLS_DH_anon_WITH_AES_128_CBC_SHA:
-        case TLS_DH_anon_WITH_AES_256_CBC_SHA:
-        case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
-        case TLS_DH_anon_WITH_AES_256_CBC_SHA256:
-        case TLS_DH_anon_WITH_AES_128_GCM_SHA256:
-        case TLS_DH_anon_WITH_AES_256_GCM_SHA384:
-        case TLS_ECDH_anon_WITH_RC4_128_SHA:
-        case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA:
-        case TLS_ECDH_anon_WITH_AES_128_CBC_SHA:
-        case TLS_ECDH_anon_WITH_AES_256_CBC_SHA:
-
-
-        /* Sstatic Diffie-Hellman and DSS */
-        case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
-        case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
-        case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
-        case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
-        case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
-        case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
-        case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
-        case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
-        case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
-        case TLS_DH_DSS_WITH_AES_128_CBC_SHA256:
-        case TLS_DH_RSA_WITH_AES_128_CBC_SHA256:
-        case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
-        case TLS_DH_DSS_WITH_AES_256_CBC_SHA256:
-        case TLS_DH_RSA_WITH_AES_256_CBC_SHA256:
-        case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
-        case TLS_DH_RSA_WITH_AES_128_GCM_SHA256:
-        case TLS_DH_RSA_WITH_AES_256_GCM_SHA384:
-        case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
-        case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
-        case TLS_DH_DSS_WITH_AES_128_GCM_SHA256:
-        case TLS_DH_DSS_WITH_AES_256_GCM_SHA384:
-
-            return 0;
-
-
-        /* OK to enable by default on the client only (not supported on server) */
-        case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
-        case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
-        case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
-        case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
-        case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
-        case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
-        case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
-        case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
-        case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
-        case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
-        case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
-        case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
-        case TLS_ECDH_RSA_WITH_RC4_128_SHA:
-        case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
-        case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
-        case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
-            return !server;
-
-        /* OK to enable by default for both client and server */
-
-        case TLS_RSA_WITH_RC4_128_MD5:
-        case TLS_RSA_WITH_RC4_128_SHA:
-        case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
-        case TLS_RSA_WITH_AES_128_CBC_SHA:
-        case TLS_RSA_WITH_AES_256_CBC_SHA:
-        case TLS_RSA_WITH_AES_128_CBC_SHA256:
-        case TLS_RSA_WITH_AES_256_CBC_SHA256:
-        case TLS_RSA_WITH_AES_128_GCM_SHA256:
-        case TLS_RSA_WITH_AES_256_GCM_SHA384:
-
-
-        case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
-        case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
-        case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
-        case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
-        case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
-        case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
-        case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
-        case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
-        case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
-        case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
-        case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
-        case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
-        case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
-        case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
-        case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
-        case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
-            return 1;
-
-        case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
-        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
-        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
-        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
-        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
-        case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
-        case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
-            return dhe_enabled;
-
-        /* RFC 5746 - Secure Renegotiation - not specified by the user or returned by APIs*/
-        case TLS_EMPTY_RENEGOTIATION_INFO_SCSV:
-            return 0;
-
-        /* unknown cipher ? */
-        default:
-            return 0;
-    }
-}
 
 static OSStatus SocketWrite(SSLConnectionRef conn, const void *data, size_t *length)
 {
 
 static OSStatus SocketWrite(SSLConnectionRef conn, const void *data, size_t *length)
 {
@@ -233,80 +74,250 @@ static OSStatus SocketRead(SSLConnectionRef conn, void *data, size_t *length)
 }
 
 
 }
 
 
-static int test_GetEnabledCiphers(SSLContextRef ssl, bool server, bool dhe_enabled)
+
+static const SSLCipherSuite legacy_ciphersuites[] = {
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+    SSL_RSA_WITH_RC4_128_SHA,
+    SSL_RSA_WITH_RC4_128_MD5,
+};
+
+const SSLCipherSuite legacy_DHE_ciphersuites[] = {
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+    SSL_RSA_WITH_RC4_128_SHA,
+    SSL_RSA_WITH_RC4_128_MD5,
+};
+
+
+
+const SSLCipherSuite standard_ciphersuites[] = {
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+};
+
+const SSLCipherSuite default_ciphersuites[] = {
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+};
+
+const SSLCipherSuite ATSv1_ciphersuites[] = {
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+};
+
+const SSLCipherSuite ATSv1_noPFS_ciphersuites[] = {
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+
+    TLS_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+};
+
+const SSLCipherSuite TLSv1_RC4_fallback_ciphersuites[] = {
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+    SSL_RSA_WITH_RC4_128_SHA,
+    SSL_RSA_WITH_RC4_128_MD5,
+};
+
+const SSLCipherSuite TLSv1_fallback_ciphersuites[] = {
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+};
+
+const SSLCipherSuite anonymous_ciphersuites[] = {
+    TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
+    TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
+    TLS_DH_anon_WITH_AES_256_CBC_SHA256,
+    TLS_DH_anon_WITH_AES_256_CBC_SHA,
+    TLS_DH_anon_WITH_AES_128_CBC_SHA256,
+    TLS_DH_anon_WITH_AES_128_CBC_SHA
+};
+
+
+static int test_GetEnabledCiphers(SSLContextRef ssl, unsigned expected_num_ciphers, const SSLCipherSuite *expected_ciphers)
 {
 {
-    size_t max_ciphers = 0;
     size_t num_ciphers;
     size_t num_ciphers;
-    size_t num_ciphers_2;
     size_t size;
     int fail=1;
     SSLCipherSuite *ciphers = NULL;
     size_t size;
     int fail=1;
     SSLCipherSuite *ciphers = NULL;
-    SSLCipherSuite *ciphers_2 = NULL;
-    OSStatus err;
-
-    err=SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite);
-    err=SSLSetConnection(ssl, NULL);
-
-    require_noerr(SSLGetNumberEnabledCiphers(ssl, &max_ciphers), out);
-
-    err=SSLHandshake(ssl);
 
 
-    require_noerr(SSLGetNumberEnabledCiphers(ssl, &max_ciphers), out);
+    require_noerr(SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite), out);
+    require_noerr(SSLSetConnection(ssl, NULL), out);
 
 
-    require(max_ciphers == (dhe_enabled?32:25), out);
+    require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_ciphers), out);
+    require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number");
 
 
-    size = max_ciphers * sizeof (SSLCipherSuite);
+    size = num_ciphers * sizeof (SSLCipherSuite);
     ciphers = (SSLCipherSuite *) malloc(size);
     require_string(ciphers, out, "out of memory");
     memset(ciphers, 0xff, size);
 
     ciphers = (SSLCipherSuite *) malloc(size);
     require_string(ciphers, out, "out of memory");
     memset(ciphers, 0xff, size);
 
-    num_ciphers = max_ciphers;
     require_noerr(SSLGetEnabledCiphers(ssl, ciphers, &num_ciphers), out);
     require_noerr(SSLGetEnabledCiphers(ssl, ciphers, &num_ciphers), out);
+    require_string(memcmp(ciphers, expected_ciphers, size)==0, out, "wrong ciphersuites");
 
 
-    //printf("Ciphers Enabled before first handshake: %zd\n", num_ciphers);
+    free(ciphers);
+    ciphers = NULL;
 
 
-    for (size_t i = 0; i < num_ciphers; i++) {
-        char csname[256];
-        snprintf(csname, 256, "(%04x) %s", ciphers[i], ciphersuite_name(ciphers[i]));
-        /* Uncomment the next line if you want to list the default enabled ciphers */
-        //printf("%s\n", csname);
-        require_string(allowed_default_ciphers(ciphers[i], server, dhe_enabled), out, csname);
-    }
-
-    err=SSLHandshake(ssl);
-
-    require_noerr(SSLGetNumberEnabledCiphers(ssl, &max_ciphers), out);
+    require(SSLHandshake(ssl) == errSSLWouldBlock, out);
 
 
-    size = max_ciphers * sizeof (SSLCipherSuite);
-    ciphers_2 = (SSLCipherSuite *) malloc(size);
-    require_string(ciphers_2, out, "out of memory");
-    memset(ciphers_2, 0xff, size);
+    require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_ciphers), out);
+    require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number");
 
 
-    num_ciphers_2 = max_ciphers;
-    require_noerr(SSLGetEnabledCiphers(ssl, ciphers_2, &num_ciphers_2), out);
-
-    //printf("Ciphers Enabled after first handshake: %zd\n", num_ciphers_2);
-
-    for (size_t i = 0; i < num_ciphers_2; i++) {
-        char csname[256];
-        snprintf(csname, 256, "(%04x) %s", ciphers_2[i], ciphersuite_name(ciphers_2[i]));
-        /* Uncomment the next line if you want to list the default enabled ciphers */
-        //printf("%s\n", csname);
-    }
+    size = num_ciphers * sizeof (SSLCipherSuite);
+    ciphers = (SSLCipherSuite *) malloc(size);
+    require_string(ciphers, out, "out of memory");
+    memset(ciphers, 0xff, size);
 
 
-    require(num_ciphers_2 == num_ciphers, out);
-    require((memcmp(ciphers, ciphers_2, num_ciphers*sizeof(uint16_t)) == 0), out);
+    require_noerr(SSLGetEnabledCiphers(ssl, ciphers, &num_ciphers), out);
+    require_string(memcmp(ciphers, expected_ciphers, size)==0, out, "wrong ciphersuites");
 
     /* Success! */
     fail=0;
 
 out:
 
     /* Success! */
     fail=0;
 
 out:
-    if(ciphers) free(ciphers);
-    if(ciphers_2) free(ciphers_2);
+    free(ciphers);
     return fail;
 }
 
     return fail;
 }
 
-static int test_SetEnabledCiphers(SSLContextRef ssl, bool server)
+static int test_SetEnabledCiphers(SSLContextRef ssl)
 {
     int fail=1;
     size_t num_enabled;
 {
     int fail=1;
     size_t num_enabled;
@@ -332,42 +343,122 @@ out:
 
 
 static void
 
 
 static void
-test(SSLProtocolSide side, bool dhe_enabled)
+test_dhe(SSLProtocolSide side, bool dhe_enabled)
 {
     SSLContextRef ssl = NULL;
     bool server = (side == kSSLServerSide);
 
 {
     SSLContextRef ssl = NULL;
     bool server = (side == kSSLServerSide);
 
-    require(ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType), out);
-    ok(ssl, "SSLCreateContext failed");
+    ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
+    ok(ssl, "test_dhe: SSLCreateContext(1) failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
+    require(ssl, out);
 
 
-    ok_status(SSLSetDHEEnabled(ssl, dhe_enabled));
+    ok_status(SSLSetDHEEnabled(ssl, dhe_enabled),"test_dhe: SSLSetDHEEnabled failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
 
 
+    unsigned num = (dhe_enabled?sizeof(legacy_DHE_ciphersuites):sizeof(legacy_ciphersuites))/sizeof(SSLCipherSuite);
+    const SSLCipherSuite *ciphers = dhe_enabled?legacy_DHE_ciphersuites:legacy_ciphersuites;
     /* The order of this tests does matter, be careful when adding tests */
     /* The order of this tests does matter, be careful when adding tests */
-    ok(!test_GetSupportedCiphers(ssl, server), "GetSupportedCiphers test failed");
-    ok(!test_GetEnabledCiphers(ssl, server, dhe_enabled), "GetEnabledCiphers test failed");
+    ok(!test_GetSupportedCiphers(ssl, server), "test_dhe: GetSupportedCiphers test failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
+    ok(!test_GetEnabledCiphers(ssl, num, ciphers), "test_dhe: GetEnabledCiphers test failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
 
     CFRelease(ssl); ssl=NULL;
 
 
     CFRelease(ssl); ssl=NULL;
 
-    require(ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType), out);
-    ok(ssl, "SSLCreateContext failed");
-    
-    ok(!test_SetEnabledCiphers(ssl, server), "SetEnabledCiphers test failed");
+    ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
+    ok(ssl, "test_dhe: SSLCreateContext(2) failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
+    require(ssl, out);
+
+    ok(!test_SetEnabledCiphers(ssl), "test_dhe: SetEnabledCiphers test failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled");
 
 out:
     if(ssl) CFRelease(ssl);
 }
 
 
 out:
     if(ssl) CFRelease(ssl);
 }
 
+static void
+test_config(SSLProtocolSide side, CFStringRef config, unsigned num, const SSLCipherSuite *ciphers)
+{
+    SSLContextRef ssl = NULL;
+    bool server = (side == kSSLServerSide);
 
 
-int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
+    ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
+    ok(ssl, "test_config: SSLCreateContext(1) failed (%s,%@)", server?"server":"client", config);
+    require(ssl, out);
+
+    ok_status(SSLSetSessionConfig(ssl, config), "test_config: SSLSetSessionConfig failed (%s,%@)", server?"server":"client", config);
+
+    /* The order of this tests does matter, be careful when adding tests */
+    ok(!test_GetSupportedCiphers(ssl, server), "test_config: GetSupportedCiphers test failed (%s,%@)", server?"server":"client", config);
+    ok(!test_GetEnabledCiphers(ssl, num, ciphers), "test_config: GetEnabledCiphers test failed (%s,%@)", server?"server":"client", config);
+
+    CFRelease(ssl); ssl=NULL;
+
+    ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
+    ok(ssl, "test_config: SSLCreateContext(2) failed (%s,%@)", server?"server":"client", config);
+    require(ssl, out);
+
+    ok(!test_SetEnabledCiphers(ssl), "test_config: SetEnabledCiphers test failed (%s,%@)", server?"server":"client", config);
+
+out:
+    if(ssl) CFRelease(ssl);
+}
+
+static void
+test_default(SSLProtocolSide side)
 {
 {
-    plan_tests(24);
+    SSLContextRef ssl = NULL;
+    bool server = (side == kSSLServerSide);
+
+    ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
+    ok(ssl, "test_config: SSLCreateContext(1) failed (%s)", server?"server":"client");
+    require(ssl, out);
+
+    /* The order of this tests does matter, be careful when adding tests */
+    ok(!test_GetSupportedCiphers(ssl, server), "test_default: GetSupportedCiphers test failed (%s)", server?"server":"client");
+    ok(!test_GetEnabledCiphers(ssl, sizeof(default_ciphersuites)/sizeof(SSLCipherSuite), default_ciphersuites), "test_default: GetEnabledCiphers test failed (%s)", server?"server":"client");
+
+    CFRelease(ssl); ssl=NULL;
+
+    ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
+    ok(ssl, "test_default: SSLCreateContext(2) failed (%s)", server?"server":"client");
+    require(ssl, out);
+
+    ok(!test_SetEnabledCiphers(ssl), "test_config: SetEnabledCiphers test failed (%s)", server?"server":"client");
+
+out:
+    if(ssl) CFRelease(ssl);
+}
+
 
 
-    test(kSSLClientSide, true);
-    test(kSSLServerSide, true);
-    test(kSSLClientSide, false);
-    test(kSSLServerSide, false);
 
 
 
 
+int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
+{
+    plan_tests(178);
+
+    test_dhe(kSSLClientSide, true);
+    test_dhe(kSSLServerSide, true);
+    test_dhe(kSSLClientSide, false);
+    test_dhe(kSSLServerSide, false);
+
+    test_default(kSSLClientSide);
+    test_default(kSSLServerSide);
+
+#define TEST_CONFIG(x, y) do {  \
+    test_config(kSSLClientSide, x, sizeof(y)/sizeof(SSLCipherSuite), y); \
+    test_config(kSSLServerSide, x, sizeof(y)/sizeof(SSLCipherSuite), y); \
+} while(0)
+
+    TEST_CONFIG(kSSLSessionConfig_ATSv1, ATSv1_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_ATSv1_noPFS, ATSv1_noPFS_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_legacy, legacy_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_legacy_DHE, legacy_DHE_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_standard, standard_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_RC4_fallback, legacy_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_TLSv1_fallback, default_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_TLSv1_RC4_fallback, legacy_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_default, default_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_anonymous, anonymous_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_3DES_fallback, default_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_TLSv1_3DES_fallback, default_ciphersuites);
+
     return 0;
 }
 
     return 0;
 }
 
mirror of Security