Security-58286.20.16.tar.gz

[apple/security.git] / OSX / libsecurity_ssl / regressions / ssl-46-SSLGetSupportedCiphers.c

diff --git a/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c b/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
index cf3b3b3f2d30a8bed79895d9f9635fc59124cf6e..ef0ef929b6bc370df2524ab0df3dfe3e3b322628 100644 (file)
--- a/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
@@ -141,6 +141,27 @@ const SSLCipherSuite legacy_DHE_ciphersuites[] = {
 
 
 const SSLCipherSuite standard_ciphersuites[] = {
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_RSA_WITH_AES_256_GCM_SHA384,
+    TLS_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+};
+
+const SSLCipherSuite default_ciphersuites[] = {
     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
@@ -241,6 +262,14 @@ const SSLCipherSuite TLSv1_fallback_ciphersuites[] = {
     SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 };
 
+const SSLCipherSuite anonymous_ciphersuites[] = {
+    TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
+    TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
+    TLS_DH_anon_WITH_AES_256_CBC_SHA256,
+    TLS_DH_anon_WITH_AES_256_CBC_SHA,
+    TLS_DH_anon_WITH_AES_128_CBC_SHA256,
+    TLS_DH_anon_WITH_AES_128_CBC_SHA
+};
 
 
 static int test_GetEnabledCiphers(SSLContextRef ssl, unsigned expected_num_ciphers, const SSLCipherSuite *expected_ciphers)
@@ -249,10 +278,9 @@ static int test_GetEnabledCiphers(SSLContextRef ssl, unsigned expected_num_ciphe
     size_t size;
     int fail=1;
     SSLCipherSuite *ciphers = NULL;
-    OSStatus err;
 
-    err=SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite);
-    err=SSLSetConnection(ssl, NULL);
+    require_noerr(SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite), out);
+    require_noerr(SSLSetConnection(ssl, NULL), out);
 
     require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_ciphers), out);
     require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number");
@@ -268,8 +296,7 @@ static int test_GetEnabledCiphers(SSLContextRef ssl, unsigned expected_num_ciphe
     free(ciphers);
     ciphers = NULL;
 
-    err=SSLHandshake(ssl);
-
+    require(SSLHandshake(ssl) == errSSLWouldBlock, out);
 
     require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_ciphers), out);
     require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number");
@@ -373,17 +400,47 @@ out:
     if(ssl) CFRelease(ssl);
 }
 
+static void
+test_default(SSLProtocolSide side)
+{
+    SSLContextRef ssl = NULL;
+    bool server = (side == kSSLServerSide);
+
+    ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
+    ok(ssl, "test_config: SSLCreateContext(1) failed (%s)", server?"server":"client");
+    require(ssl, out);
+
+    /* The order of this tests does matter, be careful when adding tests */
+    ok(!test_GetSupportedCiphers(ssl, server), "test_default: GetSupportedCiphers test failed (%s)", server?"server":"client");
+    ok(!test_GetEnabledCiphers(ssl, sizeof(default_ciphersuites)/sizeof(SSLCipherSuite), default_ciphersuites), "test_default: GetEnabledCiphers test failed (%s)", server?"server":"client");
+
+    CFRelease(ssl); ssl=NULL;
+
+    ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
+    ok(ssl, "test_default: SSLCreateContext(2) failed (%s)", server?"server":"client");
+    require(ssl, out);
+
+    ok(!test_SetEnabledCiphers(ssl), "test_config: SetEnabledCiphers test failed (%s)", server?"server":"client");
+
+out:
+    if(ssl) CFRelease(ssl);
+}
+
+
 
 
 int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
 {
-    plan_tests(132);
+    plan_tests(178);
 
     test_dhe(kSSLClientSide, true);
     test_dhe(kSSLServerSide, true);
     test_dhe(kSSLClientSide, false);
     test_dhe(kSSLServerSide, false);
 
+    test_default(kSSLClientSide);
+    test_default(kSSLServerSide);
+
 #define TEST_CONFIG(x, y) do {  \
     test_config(kSSLClientSide, x, sizeof(y)/sizeof(SSLCipherSuite), y); \
     test_config(kSSLServerSide, x, sizeof(y)/sizeof(SSLCipherSuite), y); \
@@ -395,9 +452,12 @@ int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
     TEST_CONFIG(kSSLSessionConfig_legacy_DHE, legacy_DHE_ciphersuites);
     TEST_CONFIG(kSSLSessionConfig_standard, standard_ciphersuites);
     TEST_CONFIG(kSSLSessionConfig_RC4_fallback, legacy_ciphersuites);
-    TEST_CONFIG(kSSLSessionConfig_TLSv1_fallback, standard_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_TLSv1_fallback, default_ciphersuites);
     TEST_CONFIG(kSSLSessionConfig_TLSv1_RC4_fallback, legacy_ciphersuites);
-    TEST_CONFIG(kSSLSessionConfig_default, legacy_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_default, default_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_anonymous, anonymous_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_3DES_fallback, default_ciphersuites);
+    TEST_CONFIG(kSSLSessionConfig_TLSv1_3DES_fallback, default_ciphersuites);
 
     return 0;
 }