--- /dev/null
+//
+// ssl-46-SSLGetSupportedCiphers.c
+// libsecurity_ssl
+//
+// Created by Fabrice Gautier on 10/15/12.
+//
+//
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <Security/SecureTransport.h>
+#include <AssertMacros.h>
+
+#include "ssl_regressions.h"
+#include "ssl-utils.h"
+
+
+#include "cipherSpecs.h"
+
+static int test_GetSupportedCiphers(SSLContextRef ssl)
+{
+ size_t max_ciphers = 0;
+ int fail=1;
+ SSLCipherSuite *ciphers = NULL;
+
+ require_noerr(SSLGetNumberSupportedCiphers(ssl, &max_ciphers), out);
+
+ size_t size = max_ciphers * sizeof (SSLCipherSuite);
+ ciphers = (SSLCipherSuite *) malloc(size);
+
+ require_string(ciphers, out, "out of memory");
+ memset(ciphers, 0xff, size);
+
+ size_t num_ciphers = max_ciphers;
+ require_noerr(SSLGetSupportedCiphers(ssl, ciphers, &num_ciphers), out);
+
+
+ for (size_t i = 0; i < num_ciphers; i++) {
+ require(ciphers[i]!=(SSLCipherSuite)(-1), out);
+ }
+
+ /* Success! */
+ fail=0;
+
+out:
+ if(ciphers) free(ciphers);
+ return fail;
+}
+
+static
+int allowed_default_ciphers(SSLCipherSuite cs)
+{
+ switch (cs) {
+
+ /* BAD to enable by default */
+
+
+ /*
+ * Tags for SSL 2 cipher kinds which are not specified
+ * for SSL 3.
+ */
+ case SSL_RSA_WITH_RC2_CBC_MD5:
+ case SSL_RSA_WITH_IDEA_CBC_MD5:
+ case SSL_RSA_WITH_DES_CBC_MD5:
+ case SSL_RSA_WITH_3DES_EDE_CBC_MD5:
+
+ /* Export and Simple DES ciphers */
+ case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
+ case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
+ case SSL_RSA_WITH_IDEA_CBC_SHA:
+ case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:
+ case SSL_RSA_WITH_DES_CBC_SHA:
+ case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
+ case SSL_DH_DSS_WITH_DES_CBC_SHA:
+ case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
+ case SSL_DH_RSA_WITH_DES_CBC_SHA:
+ case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
+ case SSL_DHE_DSS_WITH_DES_CBC_SHA:
+ case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
+ case SSL_DHE_RSA_WITH_DES_CBC_SHA:
+ case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5:
+ case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
+ case SSL_DH_anon_WITH_DES_CBC_SHA:
+ case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+ case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
+
+ case SSL_NO_SUCH_CIPHERSUITE:
+
+ /* Null ciphers. */
+ case TLS_NULL_WITH_NULL_NULL:
+ case TLS_RSA_WITH_NULL_MD5:
+ case TLS_RSA_WITH_NULL_SHA:
+ case TLS_RSA_WITH_NULL_SHA256:
+ case TLS_ECDH_ECDSA_WITH_NULL_SHA:
+ case TLS_ECDHE_ECDSA_WITH_NULL_SHA:
+ case TLS_ECDHE_RSA_WITH_NULL_SHA:
+ case TLS_ECDH_RSA_WITH_NULL_SHA:
+ case TLS_ECDH_anon_WITH_NULL_SHA:
+
+ /* Completely anonymous Diffie-Hellman */
+ case TLS_DH_anon_WITH_RC4_128_MD5:
+ case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
+ case TLS_DH_anon_WITH_AES_128_CBC_SHA:
+ case TLS_DH_anon_WITH_AES_256_CBC_SHA:
+ case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
+ case TLS_DH_anon_WITH_AES_256_CBC_SHA256:
+ case TLS_DH_anon_WITH_AES_128_GCM_SHA256:
+ case TLS_DH_anon_WITH_AES_256_GCM_SHA384:
+ case TLS_ECDH_anon_WITH_RC4_128_SHA:
+ case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA:
+ case TLS_ECDH_anon_WITH_AES_128_CBC_SHA:
+ case TLS_ECDH_anon_WITH_AES_256_CBC_SHA:
+
+ return 0;
+
+
+ /* OK to enable by default */
+
+ /* Server provided RSA certificate for key exchange. */
+ case TLS_RSA_WITH_RC4_128_MD5:
+ case TLS_RSA_WITH_RC4_128_SHA:
+ case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_RSA_WITH_AES_128_CBC_SHA:
+ case TLS_RSA_WITH_AES_256_CBC_SHA:
+ case TLS_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_RSA_WITH_AES_256_CBC_SHA256:
+ return 1;
+
+ /* Server-authenticated (and optionally client-authenticated) Diffie-Hellman. */
+ case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
+ case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
+ case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
+ case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
+ case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
+ case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
+ case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
+ case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
+ case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
+ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
+ case TLS_DH_DSS_WITH_AES_128_CBC_SHA256:
+ case TLS_DH_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
+ case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_DH_DSS_WITH_AES_256_CBC_SHA256:
+ case TLS_DH_RSA_WITH_AES_256_CBC_SHA256:
+ case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
+ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
+
+ case TLS_RSA_WITH_AES_128_GCM_SHA256:
+ case TLS_RSA_WITH_AES_256_GCM_SHA384:
+ case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
+ case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
+ case TLS_DH_RSA_WITH_AES_128_GCM_SHA256:
+ case TLS_DH_RSA_WITH_AES_256_GCM_SHA384:
+ case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
+ case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
+ case TLS_DH_DSS_WITH_AES_128_GCM_SHA256:
+ case TLS_DH_DSS_WITH_AES_256_GCM_SHA384:
+
+ case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
+ case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
+ case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
+ case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
+ case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
+ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
+ case TLS_ECDH_RSA_WITH_RC4_128_SHA:
+ case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
+ case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
+ case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
+ case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
+
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
+ case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
+ case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
+
+ case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
+ case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
+ case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
+ case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
+ case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
+ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
+ case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
+ case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
+
+ /* RFC 5746 - Secure Renegotiation */
+ case TLS_EMPTY_RENEGOTIATION_INFO_SCSV:
+ return 1;
+
+ /* unknown cipher ? */
+ default:
+ return 0;
+ }
+}
+
+static OSStatus SocketWrite(SSLConnectionRef conn, const void *data, size_t *length)
+{
+ return errSSLWouldBlock;
+}
+
+static OSStatus SocketRead(SSLConnectionRef conn, void *data, size_t *length)
+{
+ return errSSLWouldBlock;
+}
+
+
+static int test_GetEnabledCiphers(SSLContextRef ssl)
+{
+ size_t max_ciphers = 0;
+ int fail=1;
+ SSLCipherSuite *ciphers = NULL;
+ OSStatus err;
+
+ err=SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite);
+ err=SSLSetConnection(ssl, NULL);
+ err=SSLHandshake(ssl);
+
+ require_noerr(SSLGetNumberEnabledCiphers(ssl, &max_ciphers), out);
+
+ size_t size = max_ciphers * sizeof (SSLCipherSuite);
+ ciphers = (SSLCipherSuite *) malloc(size);
+
+ require_string(ciphers, out, "out of memory");
+ memset(ciphers, 0xff, size);
+
+ size_t num_ciphers = max_ciphers;
+ require_noerr(SSLGetEnabledCiphers(ssl, ciphers, &num_ciphers), out);
+
+ for (size_t i = 0; i < num_ciphers; i++) {
+ char csname[256];
+ snprintf(csname, 256, "(%04x) %s", ciphers[i], ciphersuite_name(ciphers[i]));
+ /* Uncomment the next line if you want to list the default enabled ciphers */
+ //printf("%s\n", csname);
+ require_string(allowed_default_ciphers(ciphers[i]), out, csname);
+ }
+
+ /* Success! */
+ fail=0;
+
+out:
+ if(ciphers) free(ciphers);
+ return fail;
+}
+
+static int test_SetEnabledCiphers(SSLContextRef ssl)
+{
+ int fail=1;
+ size_t num_enabled;
+
+ /* This should not fail as long as we have one valid cipher in this table */
+ SSLCipherSuite ciphers[] = {
+ SSL_RSA_WITH_RC2_CBC_MD5, /* unsupported */
+ TLS_RSA_WITH_NULL_SHA, /* supported by not enabled by default */
+ TLS_RSA_WITH_AES_128_CBC_SHA, /* Supported and enabled by default */
+ };
+
+ require_noerr(SSLSetEnabledCiphers(ssl, ciphers, sizeof(ciphers)/sizeof(SSLCipherSuite)), out);
+ require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_enabled), out);
+
+ require(num_enabled==2, out); /* 2 ciphers in the above table are supported */
+
+ /* Success! */
+ fail=0;
+
+out:
+ return fail;
+}
+
+
+static void
+test(void)
+{
+ SSLContextRef ssl = NULL;
+
+ require(ssl=SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType), out);
+ ok(ssl, "SSLCreateContext failed");
+
+ /* The order of this tests does matter, be careful when adding tests */
+ ok(!test_GetSupportedCiphers(ssl), "GetSupportedCiphers test failed");
+ ok(!test_GetEnabledCiphers(ssl), "GetEnabledCiphers test failed");
+
+ CFRelease(ssl); ssl=NULL;
+
+ require(ssl=SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType), out);
+ ok(ssl, "SSLCreateContext failed");
+
+ ok(!test_SetEnabledCiphers(ssl), "SetEnabledCiphers test failed");
+
+out:
+ if(ssl) CFRelease(ssl);
+}
+
+
+int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
+{
+ plan_tests(5);
+
+ test();
+
+ return 0;
+}
+
projects / apple / security.git / blobdiff