X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/822b670c6f91d089ccb51b77e24b6ac80406b337..dd5fb164cf5b32c462296bc65e289e100f74b59a:/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c?ds=sidebyside diff --git a/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c b/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c index c07b4126..3d20d1fa 100644 --- a/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c +++ b/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c @@ -74,7 +74,8 @@ static const SSLCipherSuite SupportedCipherSuites[] = { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, - // TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + /* RC4 */ + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, @@ -90,6 +91,12 @@ static const SSLCipherSuite SupportedCipherSuites[] = { SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_anon_WITH_NULL_SHA, + TLS_ECDH_anon_WITH_RC4_128_SHA, + TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_anon_WITH_AES_128_CBC_SHA, + TLS_ECDH_anon_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, @@ -337,6 +344,9 @@ out: static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTrustRef *trust) { + CFMutableArrayRef peer_cert_array = NULL; + CFMutableArrayRef orig_peer_cert_array = NULL; + /* verify peer cert chain */ require_noerr(SSLCopyPeerTrust(ctx, trust), out); SecTrustResultType trust_result = 0; @@ -344,12 +354,9 @@ static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTr require_noerr(SecTrustEvaluate(*trust, &trust_result), out); CFIndex n_certs = SecTrustGetCertificateCount(*trust); - /* fprintf(stderr, "%ld certs; trust_eval: %d\n", n_certs, trust_result); */ - CFMutableArrayRef peer_cert_array = - CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks); - CFMutableArrayRef orig_peer_cert_array = - CFArrayCreateMutableCopy(NULL, n_certs, ssl->peer_certs); + peer_cert_array = CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks); + orig_peer_cert_array = CFArrayCreateMutableCopy(NULL, n_certs, ssl->peer_certs); while (n_certs--) CFArrayInsertValueAtIndex(peer_cert_array, 0, SecTrustGetCertificateAtIndex(*trust, n_certs)); @@ -362,19 +369,13 @@ static bool check_peer_cert(SSLContextRef ctx, const ssl_test_handle *ssl, SecTr CFRelease(peer_cert); require(CFEqual(orig_peer_cert_array, peer_cert_array), out); - CFRelease(orig_peer_cert_array); - CFRelease(peer_cert_array); - - /* - CFStringRef cert_name = SecCertificateCopySubjectSummary(cert); - char cert_name_buffer[1024]; - require(CFStringGetFileSystemRepresentation(cert_name, - cert_name_buffer, sizeof(cert_name_buffer)), out); - fprintf(stderr, "cert name: %s\n", cert_name_buffer); - CFRelease(trust); - */ + CFReleaseNull(orig_peer_cert_array); + CFReleaseNull(peer_cert_array); + return true; out: + CFReleaseNull(orig_peer_cert_array); + CFReleaseNull(peer_cert_array); return false; } @@ -402,7 +403,6 @@ static void *securetransport_ssl_thread(void *arg) require_noerr(ortn=SSLGetSessionState(ctx,&ssl_state), out); require_action(ssl_state==kSSLIdle, out, ortn = -1); - //uint64_t start = mach_absolute_time(); do { ortn = SSLHandshake(ctx); require_noerr(SSLGetSessionState(ctx,&ssl_state), out); @@ -463,21 +463,13 @@ static void *securetransport_ssl_thread(void *arg) require_string(!got_server_auth, out, "got server auth during resumption??"); require_string(check_peer_cert(ctx, ssl, &trust), out, "Certificate check failed (resumption case)"); } - //uint64_t elapsed = mach_absolute_time() - start; - //fprintf(stderr, "setr elapsed: %lld\n", elapsed); - - /* - SSLProtocol proto = kSSLProtocolUnknown; - require_noerr_quiet(SSLGetNegotiatedProtocolVersion(ctx, &proto), out); */ SSLCipherSuite cipherSuite; require_noerr_quiet(ortn = SSLGetNegotiatedCipher(ctx, &cipherSuite), out); - //fprintf(stderr, "st negotiated %s\n", sslcipher_itoa(cipherSuite)); if(ssl->is_dtls) { size_t sz; SSLGetDatagramWriteSize(ctx, &sz); - //fprintf(stderr, "Max Write Size = %ld\n", sz); } Boolean sessionWasResumed = false; @@ -485,8 +477,6 @@ static void *securetransport_ssl_thread(void *arg) size_t session_id_length = sizeof(session_id_data); require_noerr_quiet(ortn = SSLGetResumableSessionInfo(ctx, &sessionWasResumed, session_id_data, &session_id_length), out); require_action(ssl->dh_anonymous || (ssl->is_session_resume == sessionWasResumed), out, ortn = -1); - // if (sessionWasResumed) fprintf(stderr, "st resumed session\n"); - //hexdump(session_id_data, session_id_length); #define BUFSIZE (8*1024) unsigned char ibuf[BUFSIZE], obuf[BUFSIZE]; @@ -495,7 +485,6 @@ static void *securetransport_ssl_thread(void *arg) size_t len; if (ssl->is_server) { memset(obuf, i, BUFSIZE); - // SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf); require_noerr(ortn = SSLWrite(ctx, obuf, BUFSIZE, &len), out); require_action(len == BUFSIZE, out, ortn = -1); @@ -508,11 +497,8 @@ static void *securetransport_ssl_thread(void *arg) size_t l=len; ortn = SSLRead(ctx, ibuf+len, BUFSIZE-len, &l); len+=l; - //printf("SSLRead [%p] %d, l=%zd len=%zd\n", ctx, (int)ortn, l, len); } - //printf("SSLRead [%p] done\n", ctx); - require_noerr(ortn, out); require_action(len == BUFSIZE, out, ortn = -1); @@ -567,14 +553,10 @@ tests(void) CFArrayRef server_rsa_certs = server_chain(); CFArrayRef server_ec_certs = server_ec_chain(); CFArrayRef client_certs = trusted_client_chain(); - ok(server_rsa_certs, "got rsa server cert chain"); - ok(server_ec_certs, "got ec server cert chain"); - ok(client_certs, "got rsa client cert chain"); + require(server_rsa_certs != NULL, end); + require(server_ec_certs != NULL, end); + require(client_certs != NULL, end); -/* Enable this if you want to test a specific d/i/k/l/m/p combination */ -#if 0 - int i=0, l=0, k=0, p=0; { { -#else int i,k,l, p; for (p=0; p