]> git.saurik.com Git - apple/security.git/blobdiff - OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c
Security-59754.80.3.tar.gz
[apple/security.git] / OSX / libsecurity_ssl / regressions / ssl-42-ciphers.c
index c07b4126bb14e4f975b988a688c1b418d1fda04a..79d61fb59178a5685964a8d598dca0e8977ababa 100644 (file)
@@ -20,6 +20,7 @@
 #include <Security/SecRandom.h>
 
 #include <utilities/array_size.h>
 #include <Security/SecRandom.h>
 
 #include <utilities/array_size.h>
+#include <utilities/SecCFRelease.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -74,7 +75,8 @@ static const SSLCipherSuite SupportedCipherSuites[] = {
     TLS_RSA_WITH_AES_128_CBC_SHA,
     SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 
     TLS_RSA_WITH_AES_128_CBC_SHA,
     SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 
-    //    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    /* RC4 */
+    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
     SSL_RSA_WITH_RC4_128_SHA,
     SSL_RSA_WITH_RC4_128_MD5,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
     SSL_RSA_WITH_RC4_128_SHA,
     SSL_RSA_WITH_RC4_128_MD5,
@@ -90,6 +92,12 @@ static const SSLCipherSuite SupportedCipherSuites[] = {
     SSL_DH_anon_WITH_RC4_128_MD5,
     SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
 
     SSL_DH_anon_WITH_RC4_128_MD5,
     SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
 
+    TLS_ECDH_anon_WITH_NULL_SHA,
+    TLS_ECDH_anon_WITH_RC4_128_SHA,
+    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
+    TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
+
     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
     TLS_ECDHE_RSA_WITH_NULL_SHA,
 
     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
     TLS_ECDHE_RSA_WITH_NULL_SHA,
 
@@ -337,6 +345,9 @@ out:
 
 static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTrustRef *trust)
 {
 
 static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTrustRef *trust)
 {
+    CFMutableArrayRef peer_cert_array = NULL;
+    CFMutableArrayRef orig_peer_cert_array = NULL;
+
     /* verify peer cert chain */
     require_noerr(SSLCopyPeerTrust(ctx, trust), out);
     SecTrustResultType trust_result = 0;
     /* verify peer cert chain */
     require_noerr(SSLCopyPeerTrust(ctx, trust), out);
     SecTrustResultType trust_result = 0;
@@ -344,12 +355,9 @@ static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTr
     require_noerr(SecTrustEvaluate(*trust, &trust_result), out);
 
     CFIndex n_certs = SecTrustGetCertificateCount(*trust);
     require_noerr(SecTrustEvaluate(*trust, &trust_result), out);
 
     CFIndex n_certs = SecTrustGetCertificateCount(*trust);
-    /* fprintf(stderr, "%ld certs; trust_eval: %d\n", n_certs, trust_result); */
 
 
-    CFMutableArrayRef peer_cert_array =
-    CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks);
-    CFMutableArrayRef orig_peer_cert_array =
-        CFArrayCreateMutableCopy(NULL, n_certs, ssl->peer_certs);
+    peer_cert_array = CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks);
+    orig_peer_cert_array = CFArrayCreateMutableCopy(NULL, n_certs, ssl->peer_certs);
     while (n_certs--)
         CFArrayInsertValueAtIndex(peer_cert_array, 0,
                                   SecTrustGetCertificateAtIndex(*trust, n_certs));
     while (n_certs--)
         CFArrayInsertValueAtIndex(peer_cert_array, 0,
                                   SecTrustGetCertificateAtIndex(*trust, n_certs));
@@ -362,19 +370,13 @@ static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTr
     CFRelease(peer_cert);
 
     require(CFEqual(orig_peer_cert_array, peer_cert_array), out);
     CFRelease(peer_cert);
 
     require(CFEqual(orig_peer_cert_array, peer_cert_array), out);
-    CFRelease(orig_peer_cert_array);
-    CFRelease(peer_cert_array);
-
-    /*
-     CFStringRef cert_name = SecCertificateCopySubjectSummary(cert);
-     char cert_name_buffer[1024];
-     require(CFStringGetFileSystemRepresentation(cert_name,
-     cert_name_buffer, sizeof(cert_name_buffer)), out);
-     fprintf(stderr, "cert name: %s\n", cert_name_buffer);
-     CFRelease(trust);
-     */
+    CFReleaseNull(orig_peer_cert_array);
+    CFReleaseNull(peer_cert_array);
+
     return true;
 out:
     return true;
 out:
+    CFReleaseNull(orig_peer_cert_array);
+    CFReleaseNull(peer_cert_array);
     return false;
 }
 
     return false;
 }
 
@@ -402,7 +404,6 @@ static void *securetransport_ssl_thread(void *arg)
     require_noerr(ortn=SSLGetSessionState(ctx,&ssl_state), out);
     require_action(ssl_state==kSSLIdle, out, ortn = -1);
 
     require_noerr(ortn=SSLGetSessionState(ctx,&ssl_state), out);
     require_action(ssl_state==kSSLIdle, out, ortn = -1);
 
-    //uint64_t start = mach_absolute_time();
     do {
         ortn = SSLHandshake(ctx);
         require_noerr(SSLGetSessionState(ctx,&ssl_state), out);
     do {
         ortn = SSLHandshake(ctx);
         require_noerr(SSLGetSessionState(ctx,&ssl_state), out);
@@ -463,21 +464,13 @@ static void *securetransport_ssl_thread(void *arg)
         require_string(!got_server_auth, out, "got server auth during resumption??");
         require_string(check_peer_cert(ctx, ssl, &trust), out, "Certificate check failed (resumption case)");
     }
         require_string(!got_server_auth, out, "got server auth during resumption??");
         require_string(check_peer_cert(ctx, ssl, &trust), out, "Certificate check failed (resumption case)");
     }
-    //uint64_t elapsed = mach_absolute_time() - start;
-    //fprintf(stderr, "setr elapsed: %lld\n", elapsed);
-
-    /*
-    SSLProtocol proto = kSSLProtocolUnknown;
-    require_noerr_quiet(SSLGetNegotiatedProtocolVersion(ctx, &proto), out); */
 
     SSLCipherSuite cipherSuite;
     require_noerr_quiet(ortn = SSLGetNegotiatedCipher(ctx, &cipherSuite), out);
 
     SSLCipherSuite cipherSuite;
     require_noerr_quiet(ortn = SSLGetNegotiatedCipher(ctx, &cipherSuite), out);
-    //fprintf(stderr, "st negotiated %s\n", sslcipher_itoa(cipherSuite));
 
     if(ssl->is_dtls) {
         size_t sz;
         SSLGetDatagramWriteSize(ctx, &sz);
 
     if(ssl->is_dtls) {
         size_t sz;
         SSLGetDatagramWriteSize(ctx, &sz);
-        //fprintf(stderr, "Max Write Size = %ld\n", sz);
     }
 
        Boolean sessionWasResumed = false;
     }
 
        Boolean sessionWasResumed = false;
@@ -485,8 +478,6 @@ static void *securetransport_ssl_thread(void *arg)
     size_t session_id_length = sizeof(session_id_data);
     require_noerr_quiet(ortn = SSLGetResumableSessionInfo(ctx, &sessionWasResumed, session_id_data, &session_id_length), out);
     require_action(ssl->dh_anonymous || (ssl->is_session_resume == sessionWasResumed), out, ortn = -1);
     size_t session_id_length = sizeof(session_id_data);
     require_noerr_quiet(ortn = SSLGetResumableSessionInfo(ctx, &sessionWasResumed, session_id_data, &session_id_length), out);
     require_action(ssl->dh_anonymous || (ssl->is_session_resume == sessionWasResumed), out, ortn = -1);
-    // if (sessionWasResumed) fprintf(stderr, "st resumed session\n");
-    //hexdump(session_id_data, session_id_length);
 
 #define BUFSIZE (8*1024)
     unsigned char ibuf[BUFSIZE], obuf[BUFSIZE];
 
 #define BUFSIZE (8*1024)
     unsigned char ibuf[BUFSIZE], obuf[BUFSIZE];
@@ -495,7 +486,6 @@ static void *securetransport_ssl_thread(void *arg)
         size_t len;
         if (ssl->is_server) {
             memset(obuf, i, BUFSIZE);
         size_t len;
         if (ssl->is_server) {
             memset(obuf, i, BUFSIZE);
-            // SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf);
             require_noerr(ortn = SSLWrite(ctx, obuf, BUFSIZE, &len), out);
             require_action(len == BUFSIZE, out, ortn = -1);
 
             require_noerr(ortn = SSLWrite(ctx, obuf, BUFSIZE, &len), out);
             require_action(len == BUFSIZE, out, ortn = -1);
 
@@ -508,11 +498,8 @@ static void *securetransport_ssl_thread(void *arg)
             size_t l=len;
             ortn = SSLRead(ctx, ibuf+len, BUFSIZE-len, &l);
             len+=l;
             size_t l=len;
             ortn = SSLRead(ctx, ibuf+len, BUFSIZE-len, &l);
             len+=l;
-            //printf("SSLRead [%p] %d, l=%zd len=%zd\n", ctx, (int)ortn, l, len);
         }
 
         }
 
-        //printf("SSLRead [%p] done\n", ctx);
-
         require_noerr(ortn, out);
         require_action(len == BUFSIZE, out, ortn = -1);
 
         require_noerr(ortn, out);
         require_action(len == BUFSIZE, out, ortn = -1);
 
@@ -567,14 +554,10 @@ tests(void)
     CFArrayRef server_rsa_certs = server_chain();
     CFArrayRef server_ec_certs = server_ec_chain();
     CFArrayRef client_certs = trusted_client_chain();
     CFArrayRef server_rsa_certs = server_chain();
     CFArrayRef server_ec_certs = server_ec_chain();
     CFArrayRef client_certs = trusted_client_chain();
-    ok(server_rsa_certs, "got rsa server cert chain");
-    ok(server_ec_certs, "got ec server cert chain");
-    ok(client_certs, "got rsa client cert chain");
+    require(server_rsa_certs != NULL, end);
+    require(server_ec_certs != NULL, end);
+    require(client_certs != NULL, end);
 
 
-/* Enable this if you want to test a specific d/i/k/l/m/p combination */
-#if 0
-    int i=0, l=0, k=0, p=0; { {
-#else
     int i,k,l, p;
 
     for (p=0; p<nprotos; p++)
     int i,k,l, p;
 
     for (p=0; p<nprotos; p++)
@@ -586,7 +569,6 @@ tests(void)
 
         for (i=0; i<SupportedCipherSuitesCount; i++)
         for (l = 0; l<2; l++) { /* resumption or not */
 
         for (i=0; i<SupportedCipherSuitesCount; i++)
         for (l = 0; l<2; l++) { /* resumption or not */
-#endif
             uint16_t cs = (uint16_t)(SupportedCipherSuites[i]);
             KeyExchangeMethod kem = sslCipherSuiteGetKeyExchangeMethod(cs);
             SSL_CipherAlgorithm cipher = sslCipherSuiteGetSymmetricCipherAlgorithm(cs);
             uint16_t cs = (uint16_t)(SupportedCipherSuites[i]);
             KeyExchangeMethod kem = sslCipherSuiteGetKeyExchangeMethod(cs);
             SSL_CipherAlgorithm cipher = sslCipherSuiteGetSymmetricCipherAlgorithm(cs);
@@ -630,7 +612,9 @@ tests(void)
                 skip("This ciphersuite is not supported for this protocol version", 1, version_ok);
 
                 int sp[2];
                 skip("This ciphersuite is not supported for this protocol version", 1, version_ok);
 
                 int sp[2];
-                if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) exit(errno);
+                if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) {
+                    exit(errno);
+                }
                 fcntl(sp[0], F_SETNOSIGPIPE, 1);
                 fcntl(sp[1], F_SETNOSIGPIPE, 1);
 
                 fcntl(sp[0], F_SETNOSIGPIPE, 1);
                 fcntl(sp[1], F_SETNOSIGPIPE, 1);
 
@@ -641,7 +625,6 @@ tests(void)
                 SSLAuthenticate client_side_auth = k;
 
                 uint32_t session_id = (p<<24) | (k<<16) | (i+1);
                 SSLAuthenticate client_side_auth = k;
 
                 uint32_t session_id = (p<<24) | (k<<16) | (i+1);
-                //fprintf(stderr, "session_id: %d\n", session_id);
                 server = ssl_test_handle_create(session_id, (l == 1), true /*server*/,
                                                 client_side_auth, dh_anonymous, dtls,
                                                 sp[0], server_certs, client_certs, protos[p]);
                 server = ssl_test_handle_create(session_id, (l == 1), true /*server*/,
                                                 client_side_auth, dh_anonymous, dtls,
                                                 sp[0], server_certs, client_certs, protos[p]);
@@ -666,7 +649,7 @@ tests(void)
                 pthread_create(&client_thread, NULL, securetransport_ssl_thread, client);
                 pthread_create(&server_thread, NULL, securetransport_ssl_thread, server);
 
                 pthread_create(&client_thread, NULL, securetransport_ssl_thread, client);
                 pthread_create(&server_thread, NULL, securetransport_ssl_thread, server);
 
-                int server_err, client_err;
+                intptr_t server_err, client_err;
                 pthread_join(client_thread, (void*)&client_err);
                 pthread_join(server_thread, (void*)&server_err);
 
                 pthread_join(client_thread, (void*)&client_err);
                 pthread_join(server_thread, (void*)&server_err);
 
@@ -693,17 +676,16 @@ out:
     } /* all configs */
 
 
     } /* all configs */
 
 
+end:
+    CFReleaseSafe(client_certs);
     CFReleaseSafe(server_ec_certs);
     CFReleaseSafe(server_rsa_certs);
     CFReleaseSafe(server_ec_certs);
     CFReleaseSafe(server_rsa_certs);
-    CFReleaseSafe(client_certs);
-
 }
 
 int ssl_42_ciphers(int argc, char *const *argv)
 {
 
 }
 
 int ssl_42_ciphers(int argc, char *const *argv)
 {
 
-    plan_tests(3 * 2 * nprotos * SupportedCipherSuitesCount /* client auth 0/1/2 * #resumptions * #protos * #ciphers */
-                + 3 /*cert*/);
+    plan_tests(3 * 2 * nprotos * SupportedCipherSuitesCount /* client auth 0/1/2 * #resumptions * #protos * #ciphers */);
 
     tests();
 
 
     tests();