X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5c19dc3ae3bd8e40a9c028b0deddd50ff337692c..dd5fb164cf5b32c462296bc65e289e100f74b59a:/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c?ds=inline diff --git a/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c b/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c index 6ba45aad..ef0ef929 100644 --- a/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c +++ b/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c @@ -62,165 +62,6 @@ out: return fail; } -static -int allowed_default_ciphers(SSLCipherSuite cs, bool server, bool dhe_enabled) -{ - switch (cs) { - - /* BAD to enable by default */ - - - /* - * Tags for SSL 2 cipher kinds which are not specified - * for SSL 3. - */ - case SSL_RSA_WITH_RC2_CBC_MD5: - case SSL_RSA_WITH_IDEA_CBC_MD5: - case SSL_RSA_WITH_DES_CBC_MD5: - case SSL_RSA_WITH_3DES_EDE_CBC_MD5: - - /* Export and Simple DES ciphers */ - case SSL_RSA_EXPORT_WITH_RC4_40_MD5: - case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: - case SSL_RSA_WITH_IDEA_CBC_SHA: - case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: - case SSL_RSA_WITH_DES_CBC_SHA: - case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: - case SSL_DH_DSS_WITH_DES_CBC_SHA: - case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: - case SSL_DH_RSA_WITH_DES_CBC_SHA: - case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: - case SSL_DHE_DSS_WITH_DES_CBC_SHA: - case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: - case SSL_DHE_RSA_WITH_DES_CBC_SHA: - case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5: - case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA: - case SSL_DH_anon_WITH_DES_CBC_SHA: - case SSL_FORTEZZA_DMS_WITH_NULL_SHA: - case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: - - case SSL_NO_SUCH_CIPHERSUITE: - - /* Null ciphers. */ - case TLS_NULL_WITH_NULL_NULL: - case TLS_RSA_WITH_NULL_MD5: - case TLS_RSA_WITH_NULL_SHA: - case TLS_RSA_WITH_NULL_SHA256: - case TLS_ECDH_ECDSA_WITH_NULL_SHA: - case TLS_ECDHE_ECDSA_WITH_NULL_SHA: - case TLS_ECDHE_RSA_WITH_NULL_SHA: - case TLS_ECDH_RSA_WITH_NULL_SHA: - case TLS_ECDH_anon_WITH_NULL_SHA: - - /* Completely anonymous Diffie-Hellman */ - case TLS_DH_anon_WITH_RC4_128_MD5: - case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA: - case TLS_DH_anon_WITH_AES_128_CBC_SHA: - case TLS_DH_anon_WITH_AES_256_CBC_SHA: - case TLS_DH_anon_WITH_AES_128_CBC_SHA256: - case TLS_DH_anon_WITH_AES_256_CBC_SHA256: - case TLS_DH_anon_WITH_AES_128_GCM_SHA256: - case TLS_DH_anon_WITH_AES_256_GCM_SHA384: - case TLS_ECDH_anon_WITH_RC4_128_SHA: - case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDH_anon_WITH_AES_128_CBC_SHA: - case TLS_ECDH_anon_WITH_AES_256_CBC_SHA: - - - /* Sstatic Diffie-Hellman and DSS */ - case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: - case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: - case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: - case TLS_DH_DSS_WITH_AES_128_CBC_SHA: - case TLS_DH_RSA_WITH_AES_128_CBC_SHA: - case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: - case TLS_DH_DSS_WITH_AES_256_CBC_SHA: - case TLS_DH_RSA_WITH_AES_256_CBC_SHA: - case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: - case TLS_DH_DSS_WITH_AES_128_CBC_SHA256: - case TLS_DH_RSA_WITH_AES_128_CBC_SHA256: - case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: - case TLS_DH_DSS_WITH_AES_256_CBC_SHA256: - case TLS_DH_RSA_WITH_AES_256_CBC_SHA256: - case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: - case TLS_DH_RSA_WITH_AES_128_GCM_SHA256: - case TLS_DH_RSA_WITH_AES_256_GCM_SHA384: - case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: - case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: - case TLS_DH_DSS_WITH_AES_128_GCM_SHA256: - case TLS_DH_DSS_WITH_AES_256_GCM_SHA384: - - return 0; - - - /* OK to enable by default on the client only (not supported on server) */ - case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: - case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: - case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: - case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: - case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: - case TLS_ECDH_RSA_WITH_RC4_128_SHA: - case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: - return !server; - - /* OK to enable by default for both client and server */ - - case TLS_RSA_WITH_RC4_128_MD5: - case TLS_RSA_WITH_RC4_128_SHA: - case TLS_RSA_WITH_3DES_EDE_CBC_SHA: - case TLS_RSA_WITH_AES_128_CBC_SHA: - case TLS_RSA_WITH_AES_256_CBC_SHA: - case TLS_RSA_WITH_AES_128_CBC_SHA256: - case TLS_RSA_WITH_AES_256_CBC_SHA256: - case TLS_RSA_WITH_AES_128_GCM_SHA256: - case TLS_RSA_WITH_AES_256_GCM_SHA384: - - - case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: - case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: - case TLS_ECDHE_RSA_WITH_RC4_128_SHA: - case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - return 1; - - case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: - case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: - case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: - return dhe_enabled; - - /* RFC 5746 - Secure Renegotiation - not specified by the user or returned by APIs*/ - case TLS_EMPTY_RENEGOTIATION_INFO_SCSV: - return 0; - - /* unknown cipher ? */ - default: - return 0; - } -} static OSStatus SocketWrite(SSLConnectionRef conn, const void *data, size_t *length) { @@ -233,80 +74,250 @@ static OSStatus SocketRead(SSLConnectionRef conn, void *data, size_t *length) } -static int test_GetEnabledCiphers(SSLContextRef ssl, bool server, bool dhe_enabled) + +static const SSLCipherSuite legacy_ciphersuites[] = { + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + SSL_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + SSL_RSA_WITH_RC4_128_SHA, + SSL_RSA_WITH_RC4_128_MD5, +}; + +const SSLCipherSuite legacy_DHE_ciphersuites[] = { + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + SSL_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + SSL_RSA_WITH_RC4_128_SHA, + SSL_RSA_WITH_RC4_128_MD5, +}; + + + +const SSLCipherSuite standard_ciphersuites[] = { + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, +}; + +const SSLCipherSuite default_ciphersuites[] = { + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + SSL_RSA_WITH_3DES_EDE_CBC_SHA, +}; + +const SSLCipherSuite ATSv1_ciphersuites[] = { + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, +}; + +const SSLCipherSuite ATSv1_noPFS_ciphersuites[] = { + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, +}; + +const SSLCipherSuite TLSv1_RC4_fallback_ciphersuites[] = { + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + SSL_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + SSL_RSA_WITH_RC4_128_SHA, + SSL_RSA_WITH_RC4_128_MD5, +}; + +const SSLCipherSuite TLSv1_fallback_ciphersuites[] = { + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + SSL_RSA_WITH_3DES_EDE_CBC_SHA, +}; + +const SSLCipherSuite anonymous_ciphersuites[] = { + TLS_ECDH_anon_WITH_AES_256_CBC_SHA, + TLS_ECDH_anon_WITH_AES_128_CBC_SHA, + TLS_DH_anon_WITH_AES_256_CBC_SHA256, + TLS_DH_anon_WITH_AES_256_CBC_SHA, + TLS_DH_anon_WITH_AES_128_CBC_SHA256, + TLS_DH_anon_WITH_AES_128_CBC_SHA +}; + + +static int test_GetEnabledCiphers(SSLContextRef ssl, unsigned expected_num_ciphers, const SSLCipherSuite *expected_ciphers) { - size_t max_ciphers = 0; size_t num_ciphers; - size_t num_ciphers_2; size_t size; int fail=1; SSLCipherSuite *ciphers = NULL; - SSLCipherSuite *ciphers_2 = NULL; - OSStatus err; - - err=SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite); - err=SSLSetConnection(ssl, NULL); - - require_noerr(SSLGetNumberEnabledCiphers(ssl, &max_ciphers), out); - - err=SSLHandshake(ssl); - require_noerr(SSLGetNumberEnabledCiphers(ssl, &max_ciphers), out); + require_noerr(SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite), out); + require_noerr(SSLSetConnection(ssl, NULL), out); - require(max_ciphers == (dhe_enabled?32:25), out); + require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_ciphers), out); + require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number"); - size = max_ciphers * sizeof (SSLCipherSuite); + size = num_ciphers * sizeof (SSLCipherSuite); ciphers = (SSLCipherSuite *) malloc(size); require_string(ciphers, out, "out of memory"); memset(ciphers, 0xff, size); - num_ciphers = max_ciphers; require_noerr(SSLGetEnabledCiphers(ssl, ciphers, &num_ciphers), out); + require_string(memcmp(ciphers, expected_ciphers, size)==0, out, "wrong ciphersuites"); - //printf("Ciphers Enabled before first handshake: %zd\n", num_ciphers); + free(ciphers); + ciphers = NULL; - for (size_t i = 0; i < num_ciphers; i++) { - char csname[256]; - snprintf(csname, 256, "(%04x) %s", ciphers[i], ciphersuite_name(ciphers[i])); - /* Uncomment the next line if you want to list the default enabled ciphers */ - //printf("%s\n", csname); - require_string(allowed_default_ciphers(ciphers[i], server, dhe_enabled), out, csname); - } - - err=SSLHandshake(ssl); - - require_noerr(SSLGetNumberEnabledCiphers(ssl, &max_ciphers), out); + require(SSLHandshake(ssl) == errSSLWouldBlock, out); - size = max_ciphers * sizeof (SSLCipherSuite); - ciphers_2 = (SSLCipherSuite *) malloc(size); - require_string(ciphers_2, out, "out of memory"); - memset(ciphers_2, 0xff, size); + require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_ciphers), out); + require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number"); - num_ciphers_2 = max_ciphers; - require_noerr(SSLGetEnabledCiphers(ssl, ciphers_2, &num_ciphers_2), out); - - //printf("Ciphers Enabled after first handshake: %zd\n", num_ciphers_2); - - for (size_t i = 0; i < num_ciphers_2; i++) { - char csname[256]; - snprintf(csname, 256, "(%04x) %s", ciphers_2[i], ciphersuite_name(ciphers_2[i])); - /* Uncomment the next line if you want to list the default enabled ciphers */ - //printf("%s\n", csname); - } + size = num_ciphers * sizeof (SSLCipherSuite); + ciphers = (SSLCipherSuite *) malloc(size); + require_string(ciphers, out, "out of memory"); + memset(ciphers, 0xff, size); - require(num_ciphers_2 == num_ciphers, out); - require((memcmp(ciphers, ciphers_2, num_ciphers*sizeof(uint16_t)) == 0), out); + require_noerr(SSLGetEnabledCiphers(ssl, ciphers, &num_ciphers), out); + require_string(memcmp(ciphers, expected_ciphers, size)==0, out, "wrong ciphersuites"); /* Success! */ fail=0; out: - if(ciphers) free(ciphers); - if(ciphers_2) free(ciphers_2); + free(ciphers); return fail; } -static int test_SetEnabledCiphers(SSLContextRef ssl, bool server) +static int test_SetEnabledCiphers(SSLContextRef ssl) { int fail=1; size_t num_enabled; @@ -332,42 +343,122 @@ out: static void -test(SSLProtocolSide side, bool dhe_enabled) +test_dhe(SSLProtocolSide side, bool dhe_enabled) { SSLContextRef ssl = NULL; bool server = (side == kSSLServerSide); - require(ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType), out); - ok(ssl, "SSLCreateContext failed"); + ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType); + ok(ssl, "test_dhe: SSLCreateContext(1) failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled"); + require(ssl, out); - ok_status(SSLSetDHEEnabled(ssl, dhe_enabled)); + ok_status(SSLSetDHEEnabled(ssl, dhe_enabled),"test_dhe: SSLSetDHEEnabled failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled"); + unsigned num = (dhe_enabled?sizeof(legacy_DHE_ciphersuites):sizeof(legacy_ciphersuites))/sizeof(SSLCipherSuite); + const SSLCipherSuite *ciphers = dhe_enabled?legacy_DHE_ciphersuites:legacy_ciphersuites; /* The order of this tests does matter, be careful when adding tests */ - ok(!test_GetSupportedCiphers(ssl, server), "GetSupportedCiphers test failed"); - ok(!test_GetEnabledCiphers(ssl, server, dhe_enabled), "GetEnabledCiphers test failed"); + ok(!test_GetSupportedCiphers(ssl, server), "test_dhe: GetSupportedCiphers test failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled"); + ok(!test_GetEnabledCiphers(ssl, num, ciphers), "test_dhe: GetEnabledCiphers test failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled"); CFRelease(ssl); ssl=NULL; - require(ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType), out); - ok(ssl, "SSLCreateContext failed"); - - ok(!test_SetEnabledCiphers(ssl, server), "SetEnabledCiphers test failed"); + ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType); + ok(ssl, "test_dhe: SSLCreateContext(2) failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled"); + require(ssl, out); + + ok(!test_SetEnabledCiphers(ssl), "test_dhe: SetEnabledCiphers test failed (%s, %s)", server?"server":"client", dhe_enabled?"enabled":"disabled"); out: if(ssl) CFRelease(ssl); } +static void +test_config(SSLProtocolSide side, CFStringRef config, unsigned num, const SSLCipherSuite *ciphers) +{ + SSLContextRef ssl = NULL; + bool server = (side == kSSLServerSide); -int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv) + ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType); + ok(ssl, "test_config: SSLCreateContext(1) failed (%s,%@)", server?"server":"client", config); + require(ssl, out); + + ok_status(SSLSetSessionConfig(ssl, config), "test_config: SSLSetSessionConfig failed (%s,%@)", server?"server":"client", config); + + /* The order of this tests does matter, be careful when adding tests */ + ok(!test_GetSupportedCiphers(ssl, server), "test_config: GetSupportedCiphers test failed (%s,%@)", server?"server":"client", config); + ok(!test_GetEnabledCiphers(ssl, num, ciphers), "test_config: GetEnabledCiphers test failed (%s,%@)", server?"server":"client", config); + + CFRelease(ssl); ssl=NULL; + + ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType); + ok(ssl, "test_config: SSLCreateContext(2) failed (%s,%@)", server?"server":"client", config); + require(ssl, out); + + ok(!test_SetEnabledCiphers(ssl), "test_config: SetEnabledCiphers test failed (%s,%@)", server?"server":"client", config); + +out: + if(ssl) CFRelease(ssl); +} + +static void +test_default(SSLProtocolSide side) { - plan_tests(24); + SSLContextRef ssl = NULL; + bool server = (side == kSSLServerSide); + + ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType); + ok(ssl, "test_config: SSLCreateContext(1) failed (%s)", server?"server":"client"); + require(ssl, out); + + /* The order of this tests does matter, be careful when adding tests */ + ok(!test_GetSupportedCiphers(ssl, server), "test_default: GetSupportedCiphers test failed (%s)", server?"server":"client"); + ok(!test_GetEnabledCiphers(ssl, sizeof(default_ciphersuites)/sizeof(SSLCipherSuite), default_ciphersuites), "test_default: GetEnabledCiphers test failed (%s)", server?"server":"client"); + + CFRelease(ssl); ssl=NULL; + + ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType); + ok(ssl, "test_default: SSLCreateContext(2) failed (%s)", server?"server":"client"); + require(ssl, out); + + ok(!test_SetEnabledCiphers(ssl), "test_config: SetEnabledCiphers test failed (%s)", server?"server":"client"); + +out: + if(ssl) CFRelease(ssl); +} + - test(kSSLClientSide, true); - test(kSSLServerSide, true); - test(kSSLClientSide, false); - test(kSSLServerSide, false); +int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv) +{ + plan_tests(178); + + test_dhe(kSSLClientSide, true); + test_dhe(kSSLServerSide, true); + test_dhe(kSSLClientSide, false); + test_dhe(kSSLServerSide, false); + + test_default(kSSLClientSide); + test_default(kSSLServerSide); + +#define TEST_CONFIG(x, y) do { \ + test_config(kSSLClientSide, x, sizeof(y)/sizeof(SSLCipherSuite), y); \ + test_config(kSSLServerSide, x, sizeof(y)/sizeof(SSLCipherSuite), y); \ +} while(0) + + TEST_CONFIG(kSSLSessionConfig_ATSv1, ATSv1_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_ATSv1_noPFS, ATSv1_noPFS_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_legacy, legacy_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_legacy_DHE, legacy_DHE_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_standard, standard_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_RC4_fallback, legacy_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_TLSv1_fallback, default_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_TLSv1_RC4_fallback, legacy_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_default, default_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_anonymous, anonymous_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_3DES_fallback, default_ciphersuites); + TEST_CONFIG(kSSLSessionConfig_TLSv1_3DES_fallback, default_ciphersuites); + return 0; }