Security-58286.20.16.tar.gz

[apple/security.git] / OSX / libsecurity_ssl / regressions / ssl-42-ciphers.c
diff --git a/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c b/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c

index c07b4126bb14e4f975b988a688c1b418d1fda04a..3d20d1fa03c6a90d4d2680fd2c3bcfcbdd682e32 100644 (file)
--- a/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c
@@ -74,7 +74,8 @@ static const SSLCipherSuite SupportedCipherSuites[] = {
      TLS_RSA_WITH_AES_128_CBC_SHA,
      SSL_RSA_WITH_3DES_EDE_CBC_SHA,
  
-    //    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    /* RC4 */
+    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
      TLS_ECDHE_RSA_WITH_RC4_128_SHA,
      SSL_RSA_WITH_RC4_128_SHA,
      SSL_RSA_WITH_RC4_128_MD5,
@@ -90,6 +91,12 @@ static const SSLCipherSuite SupportedCipherSuites[] = {
      SSL_DH_anon_WITH_RC4_128_MD5,
      SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
  
+    TLS_ECDH_anon_WITH_NULL_SHA,
+    TLS_ECDH_anon_WITH_RC4_128_SHA,
+    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
+    TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
+
      TLS_ECDHE_ECDSA_WITH_NULL_SHA,
      TLS_ECDHE_RSA_WITH_NULL_SHA,
  
@@ -337,6 +344,9 @@ out:
  
  static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTrustRef *trust)
  {
+    CFMutableArrayRef peer_cert_array = NULL;
+    CFMutableArrayRef orig_peer_cert_array = NULL;
+
      /* verify peer cert chain */
      require_noerr(SSLCopyPeerTrust(ctx, trust), out);
      SecTrustResultType trust_result = 0;
@@ -344,12 +354,9 @@ static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTr
      require_noerr(SecTrustEvaluate(*trust, &trust_result), out);
  
      CFIndex n_certs = SecTrustGetCertificateCount(*trust);
-    /* fprintf(stderr, "%ld certs; trust_eval: %d\n", n_certs, trust_result); */
  
-    CFMutableArrayRef peer_cert_array =
-    CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks);
-    CFMutableArrayRef orig_peer_cert_array =
-        CFArrayCreateMutableCopy(NULL, n_certs, ssl->peer_certs);
+    peer_cert_array = CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks);
+    orig_peer_cert_array = CFArrayCreateMutableCopy(NULL, n_certs, ssl->peer_certs);
      while (n_certs--)
          CFArrayInsertValueAtIndex(peer_cert_array, 0,
                                    SecTrustGetCertificateAtIndex(*trust, n_certs));
@@ -362,19 +369,13 @@ static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTr
      CFRelease(peer_cert);
  
      require(CFEqual(orig_peer_cert_array, peer_cert_array), out);
-    CFRelease(orig_peer_cert_array);
-    CFRelease(peer_cert_array);
-
-    /*
-     CFStringRef cert_name = SecCertificateCopySubjectSummary(cert);
-     char cert_name_buffer[1024];
-     require(CFStringGetFileSystemRepresentation(cert_name,
-     cert_name_buffer, sizeof(cert_name_buffer)), out);
-     fprintf(stderr, "cert name: %s\n", cert_name_buffer);
-     CFRelease(trust);
-     */
+    CFReleaseNull(orig_peer_cert_array);
+    CFReleaseNull(peer_cert_array);
+
      return true;
  out:
+    CFReleaseNull(orig_peer_cert_array);
+    CFReleaseNull(peer_cert_array);
      return false;
  }
  
@@ -402,7 +403,6 @@ static void *securetransport_ssl_thread(void *arg)
      require_noerr(ortn=SSLGetSessionState(ctx,&ssl_state), out);
      require_action(ssl_state==kSSLIdle, out, ortn = -1);
  
-    //uint64_t start = mach_absolute_time();
      do {
          ortn = SSLHandshake(ctx);
          require_noerr(SSLGetSessionState(ctx,&ssl_state), out);
@@ -463,21 +463,13 @@ static void *securetransport_ssl_thread(void *arg)
          require_string(!got_server_auth, out, "got server auth during resumption??");
          require_string(check_peer_cert(ctx, ssl, &trust), out, "Certificate check failed (resumption case)");
      }
-    //uint64_t elapsed = mach_absolute_time() - start;
-    //fprintf(stderr, "setr elapsed: %lld\n", elapsed);
-
-    /*
-    SSLProtocol proto = kSSLProtocolUnknown;
-    require_noerr_quiet(SSLGetNegotiatedProtocolVersion(ctx, &proto), out); */
  
      SSLCipherSuite cipherSuite;
      require_noerr_quiet(ortn = SSLGetNegotiatedCipher(ctx, &cipherSuite), out);
-    //fprintf(stderr, "st negotiated %s\n", sslcipher_itoa(cipherSuite));
  
      if(ssl->is_dtls) {
          size_t sz;
          SSLGetDatagramWriteSize(ctx, &sz);
-        //fprintf(stderr, "Max Write Size = %ld\n", sz);
      }
  
         Boolean sessionWasResumed = false;
@@ -485,8 +477,6 @@ static void *securetransport_ssl_thread(void *arg)
      size_t session_id_length = sizeof(session_id_data);
      require_noerr_quiet(ortn = SSLGetResumableSessionInfo(ctx, &sessionWasResumed, session_id_data, &session_id_length), out);
      require_action(ssl->dh_anonymous || (ssl->is_session_resume == sessionWasResumed), out, ortn = -1);
-    // if (sessionWasResumed) fprintf(stderr, "st resumed session\n");
-    //hexdump(session_id_data, session_id_length);
  
  #define BUFSIZE (8*1024)
      unsigned char ibuf[BUFSIZE], obuf[BUFSIZE];
@@ -495,7 +485,6 @@ static void *securetransport_ssl_thread(void *arg)
          size_t len;
          if (ssl->is_server) {
              memset(obuf, i, BUFSIZE);
-            // SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf);
              require_noerr(ortn = SSLWrite(ctx, obuf, BUFSIZE, &len), out);
              require_action(len == BUFSIZE, out, ortn = -1);
  
@@ -508,11 +497,8 @@ static void *securetransport_ssl_thread(void *arg)
              size_t l=len;
              ortn = SSLRead(ctx, ibuf+len, BUFSIZE-len, &l);
              len+=l;
-            //printf("SSLRead [%p] %d, l=%zd len=%zd\n", ctx, (int)ortn, l, len);
          }
  
-        //printf("SSLRead [%p] done\n", ctx);
-
          require_noerr(ortn, out);
          require_action(len == BUFSIZE, out, ortn = -1);
  
@@ -567,14 +553,10 @@ tests(void)
      CFArrayRef server_rsa_certs = server_chain();
      CFArrayRef server_ec_certs = server_ec_chain();
      CFArrayRef client_certs = trusted_client_chain();
-    ok(server_rsa_certs, "got rsa server cert chain");
-    ok(server_ec_certs, "got ec server cert chain");
-    ok(client_certs, "got rsa client cert chain");
+    require(server_rsa_certs != NULL, end);
+    require(server_ec_certs != NULL, end);
+    require(client_certs != NULL, end);
  
-/* Enable this if you want to test a specific d/i/k/l/m/p combination */
-#if 0
-    int i=0, l=0, k=0, p=0; { {
-#else
      int i,k,l, p;
  
      for (p=0; p<nprotos; p++)
@@ -586,7 +568,6 @@ tests(void)
  
          for (i=0; i<SupportedCipherSuitesCount; i++)
          for (l = 0; l<2; l++) { /* resumption or not */
-#endif
              uint16_t cs = (uint16_t)(SupportedCipherSuites[i]);
              KeyExchangeMethod kem = sslCipherSuiteGetKeyExchangeMethod(cs);
              SSL_CipherAlgorithm cipher = sslCipherSuiteGetSymmetricCipherAlgorithm(cs);
@@ -630,7 +611,9 @@ tests(void)
                  skip("This ciphersuite is not supported for this protocol version", 1, version_ok);
  
                  int sp[2];
-                if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) exit(errno);
+                if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) {
+                    exit(errno);
+                }
                  fcntl(sp[0], F_SETNOSIGPIPE, 1);
                  fcntl(sp[1], F_SETNOSIGPIPE, 1);
  
@@ -641,7 +624,6 @@ tests(void)
                  SSLAuthenticate client_side_auth = k;
  
                  uint32_t session_id = (p<<24) | (k<<16) | (i+1);
-                //fprintf(stderr, "session_id: %d\n", session_id);
                  server = ssl_test_handle_create(session_id, (l == 1), true /*server*/,
                                                  client_side_auth, dh_anonymous, dtls,
                                                  sp[0], server_certs, client_certs, protos[p]);
@@ -666,7 +648,7 @@ tests(void)
                  pthread_create(&client_thread, NULL, securetransport_ssl_thread, client);
                  pthread_create(&server_thread, NULL, securetransport_ssl_thread, server);
  
-                int server_err, client_err;
+                intptr_t server_err, client_err;
                  pthread_join(client_thread, (void*)&client_err);
                  pthread_join(server_thread, (void*)&server_err);
  
@@ -693,17 +675,16 @@ out:
      } /* all configs */
  
  
+end:
+    CFReleaseSafe(client_certs);
      CFReleaseSafe(server_ec_certs);
      CFReleaseSafe(server_rsa_certs);
-    CFReleaseSafe(client_certs);
-
  }
  
  int ssl_42_ciphers(int argc, char *const *argv)
  {
  
-    plan_tests(3 * 2 * nprotos * SupportedCipherSuitesCount /* client auth 0/1/2 * #resumptions * #protos * #ciphers */
-                + 3 /*cert*/);
+    plan_tests(3 * 2 * nprotos * SupportedCipherSuitesCount /* client auth 0/1/2 * #resumptions * #protos * #ciphers */);
  
      tests();