]> git.saurik.com Git - apple/security.git/blob - SecurityTests/clxutils/sslAlert/sslAlert.cpp
Security-57031.30.12.tar.gz
[apple/security.git] / SecurityTests / clxutils / sslAlert / sslAlert.cpp
1 /*
2 * sslAlert.cpp - test alert msg sending and processing, client and server side
3 */
4 #include <Security/SecureTransport.h>
5 #include <Security/Security.h>
6 #include <clAppUtils/sslAppUtils.h>
7 #include <clAppUtils/ioSock.h>
8 #include <clAppUtils/sslThreading.h>
9 #include <utilLib/common.h>
10 #include <security_cdsa_utils/cuPrintCert.h>
11 #include <security_utilities/threading.h>
12 #include <security_utilities/devrandom.h>
13
14 #include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
15 #include <stdio.h>
16 #include <stdlib.h>
17 #include <unistd.h>
18 #include <string.h>
19 #include <time.h>
20 #include <ctype.h>
21 #include <sys/param.h>
22
23 #define STARTING_PORT 2000
24
25 /*
26 * localcert is a KC containing server cert and signing key
27 * assumptions:
28 * -- common name = "localcert"
29 * -- password of KC = "localcert"
30 */
31 #define SERVER_KC "localcert"
32 #define SERVER_ROOT "localcert.cer"
33 /*
34 * clientcert is a KC containing client cert and signing key
35 * assumptions:
36 * -- password of KC = "clientcert"
37 * -- note common name not checked by SecureTransport when verifying client cert chain
38 */
39 #define CLIENT_KC "clientcert"
40 #define CLIENT_ROOT "clientcert.cer"
41
42 /* main() fills these in using sslKeychainPath() */
43 static char serverKcPath[MAXPATHLEN];
44 static char clientKcPath[MAXPATHLEN];
45
46 static void usage(char **argv)
47 {
48 printf("Usage: %s [options]\n", argv[0]);
49 printf("options:\n");
50 printf(" q(uiet)\n");
51 printf(" v(erbose)\n");
52 printf(" p=startingPortNum\n");
53 printf(" b (non blocking I/O)\n");
54 printf(" s=serverCertName; default %s\n", SERVER_ROOT);
55 printf(" c=clientCertName; default %s\n", CLIENT_ROOT);
56 printf(" R (ringBuffer I/O)\n");
57 printf(" l=loops (default=1; 0=forever)\n");
58 exit(1);
59 }
60
61 #define IGNORE_SIGPIPE 1
62 #if IGNORE_SIGPIPE
63 #include <signal.h>
64
65 void sigpipe(int sig)
66 {
67 }
68 #endif /* IGNORE_SIGPIPE */
69
70 /*
71 * Default params for each test. Main() will make a copy of this and
72 * adjust its copy on a per-test basis.
73 */
74 SslAppTestParams serverDefaults =
75 {
76 "no name here",
77 false, // skipHostNameCHeck
78 0, // port - test must set this
79 NULL, NULL, // RingBuffers
80 false, // noProtSpec
81 kTLSProtocol1,
82 NULL, // acceptedProts
83 serverKcPath, // myCerts
84 SERVER_KC, // password
85 true, // idIsTrustedRoot
86 false, // disableCertVerify
87 NULL, // anchorFile
88 false, // replaceAnchors
89 kNeverAuthenticate,
90 false, // resumeEnable
91 NULL, // ciphers
92 false, // nonBlocking
93 NULL, // dhParams
94 0, // dhParamsLen
95 noErr, // expectRtn
96 kTLSProtocol1, // expectVersion
97 kSSLClientCertNone,
98 SSL_CIPHER_IGNORE,
99 false, // quiet
100 false, // silent
101 false, // verbose
102 {0}, // lock
103 {0}, // cond
104 false, // serverReady
105 0, // clientDone
106 false, // serverAbort
107 /* returned */
108 kSSLProtocolUnknown,
109 SSL_NULL_WITH_NULL_NULL,
110 kSSLClientCertNone,
111 noHardwareErr
112
113 };
114
115 SslAppTestParams clientDefaults =
116 {
117 "localhost",
118 false, // skipHostNameCHeck
119 0, // port - test must set this
120 NULL, NULL, // RingBuffers
121 false, // noProtSpec
122 kTLSProtocol1,
123 NULL, // acceptedProts
124 NULL, // myCertKcName
125 CLIENT_KC, // password - only meaningful when test sets myCertKcName
126 true, // idIsTrustedRoot
127 false, // disableCertVerify
128 SERVER_ROOT, // anchorFile
129 false, // replaceAnchors
130 kNeverAuthenticate,
131 false, // resumeEnable
132 NULL, // ciphers
133 false, // nonBlocking
134 NULL, // dhParams
135 0, // dhParamsLen
136 noErr, // expectRtn
137 kTLSProtocol1, // expectVersion
138 kSSLClientCertNone,
139 SSL_CIPHER_IGNORE,
140 false, // quiet
141 false, // silent
142 false, // verbose
143 {0}, // lock
144 {0}, // cond
145 false, // serverReady
146 0, // clientDone
147 false, // serverAbort
148 /* returned */
149 kSSLProtocolUnknown,
150 SSL_NULL_WITH_NULL_NULL,
151 kSSLClientCertNone,
152 noHardwareErr
153 };
154
155
156 int main(int argc, char **argv)
157 {
158 int ourRtn = 0;
159 char *argp;
160 int thisRtn;
161 SslAppTestParams clientParams;
162 SslAppTestParams serverParams;
163 const char *desc;
164 unsigned short portNum = STARTING_PORT;
165 const char *clientCert = CLIENT_ROOT;
166 RingBuffer serverToClientRing;
167 RingBuffer clientToServerRing;
168 bool ringBufferIo = false;
169 unsigned loopNum = 0;
170 unsigned loops = 1;
171
172 for(int arg=1; arg<argc; arg++) {
173 argp = argv[arg];
174 switch(argp[0]) {
175 case 'q':
176 serverDefaults.quiet = clientDefaults.quiet = true;
177 break;
178 case 'v':
179 serverDefaults.verbose = clientDefaults.verbose = true;
180 break;
181 case 'b':
182 serverDefaults.nonBlocking = clientDefaults.nonBlocking =
183 true;
184 break;
185 case 'p':
186 portNum = atoi(&argp[2]);
187 break;
188 case 's':
189 clientDefaults.anchorFile = &argp[2];
190 break;
191 case 'c':
192 clientCert = &argp[2];
193 break;
194 case 'R':
195 ringBufferIo = true;
196 break;
197 case 'l':
198 loops = atoi(&argp[2]);
199 break;
200 default:
201 usage(argv);
202 }
203 }
204
205 #if IGNORE_SIGPIPE
206 signal(SIGPIPE, sigpipe);
207 #endif
208
209 if(sslCheckFile(clientDefaults.anchorFile)) {
210 exit(1);
211 }
212 if(sslCheckFile(clientCert)) {
213 exit(1);
214 }
215
216 if(ringBufferIo) {
217 /* set up ring buffers */
218 ringBufSetup(&serverToClientRing, "serveToClient", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
219 ringBufSetup(&clientToServerRing, "clientToServe", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
220 serverDefaults.serverToClientRing = &serverToClientRing;
221 serverDefaults.clientToServerRing = &clientToServerRing;
222 clientDefaults.serverToClientRing = &serverToClientRing;
223 clientDefaults.clientToServerRing = &clientToServerRing;
224 }
225
226 /* convert keychain names to paths for root */
227 sslKeychainPath(SERVER_KC, serverKcPath);
228 sslKeychainPath(CLIENT_KC, clientKcPath);
229
230 testStartBanner("sslAlert", argc, argv);
231 // printf("sslAlert: server KC: %s\n", serverKcPath);
232 // printf("sslAlert: client KC: %s\n", clientKcPath);
233
234 /*
235 * We could get real fancy and have a bunch of elaborate tables describing
236 * what's supposed to happen in each test case, but I really don't think
237 * it's worth it.
238 */
239 for(;;) {
240 desc = "basic TLS1, nothing fancy";
241 clientParams = clientDefaults; serverParams = serverDefaults;
242 serverParams.port = portNum;
243 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
244
245 desc = "client doesn't recognize server root";
246 if(ringBufferIo) {
247 ringBufferReset(&serverToClientRing);
248 ringBufferReset(&clientToServerRing);
249 }
250 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
251 clientParams.anchorFile = NULL;
252 clientParams.expectRtn = errSSLUnknownRootCert;
253 serverParams.expectRtn = errSSLPeerUnknownCA;
254 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
255
256 desc = "negotiate down to SSL3, server limited";
257 if(ringBufferIo) {
258 ringBufferReset(&serverToClientRing);
259 ringBufferReset(&clientToServerRing);
260 }
261 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
262 serverParams.tryVersion = kSSLProtocol3;
263 serverParams.expectVersion = kSSLProtocol3;
264 clientParams.expectVersion = kSSLProtocol3;
265 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
266
267 desc = "negotiate down to SSL3, client limited";
268 if(ringBufferIo) {
269 ringBufferReset(&serverToClientRing);
270 ringBufferReset(&clientToServerRing);
271 }
272 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
273 clientParams.tryVersion = kSSLProtocol3;
274 clientParams.expectVersion = kSSLProtocol3;
275 serverParams.expectVersion = kSSLProtocol3;
276 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
277
278 desc = "successful client authentication";
279 if(ringBufferIo) {
280 ringBufferReset(&serverToClientRing);
281 ringBufferReset(&clientToServerRing);
282 }
283 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
284 clientParams.myCertKcName = clientKcPath;
285 serverParams.anchorFile = clientCert;
286 serverParams.authenticate = kAlwaysAuthenticate;
287 clientParams.expectCertState = kSSLClientCertSent;
288 serverParams.expectCertState = kSSLClientCertSent;
289 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
290
291 desc = "client authentication, server doesn't recognize root TLS1";
292 if(ringBufferIo) {
293 ringBufferReset(&serverToClientRing);
294 ringBufferReset(&clientToServerRing);
295 }
296 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
297 clientParams.myCertKcName = clientKcPath;
298 /* no anchor file for server; unrecognized */
299 serverParams.authenticate = kAlwaysAuthenticate;
300 clientParams.expectCertState = kSSLClientCertRejected;
301 serverParams.expectCertState = kSSLClientCertRejected;
302 serverParams.expectRtn = errSSLUnknownRootCert;
303 clientParams.expectRtn = errSSLPeerUnknownCA;
304 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
305
306 desc = "client authentication, server doesn't recognize root SSL3";
307 if(ringBufferIo) {
308 ringBufferReset(&serverToClientRing);
309 ringBufferReset(&clientToServerRing);
310 }
311 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
312 clientParams.tryVersion = kSSLProtocol3;
313 clientParams.expectVersion = kSSLProtocol3;
314 serverParams.expectVersion = kSSLProtocol3;
315 clientParams.myCertKcName = clientKcPath;
316 /* no anchor file for server; unrecognized */
317 serverParams.authenticate = kAlwaysAuthenticate;
318 clientParams.expectCertState = kSSLClientCertRejected;
319 serverParams.expectCertState = kSSLClientCertRejected;
320 serverParams.expectRtn = errSSLUnknownRootCert;
321 clientParams.expectRtn = errSSLPeerUnsupportedCert;
322 thisRtn = sslRunSession(&serverParams, &clientParams, desc);
323 if(thisRtn) {
324 if(testError(clientParams.quiet)) {
325 goto done;
326 }
327 }
328
329 desc = "server requires authentication, no client cert, TLS1";
330 if(ringBufferIo) {
331 ringBufferReset(&serverToClientRing);
332 ringBufferReset(&clientToServerRing);
333 }
334 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
335 serverParams.authenticate = kAlwaysAuthenticate;
336 clientParams.expectCertState = kSSLClientCertRequested;
337 serverParams.expectCertState = kSSLClientCertRequested;
338 serverParams.expectRtn = errSSLXCertChainInvalid;
339 clientParams.expectRtn = errSSLPeerCertUnknown;
340 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
341
342 desc = "server requires authentication, no client cert, SSL3";
343 if(ringBufferIo) {
344 ringBufferReset(&serverToClientRing);
345 ringBufferReset(&clientToServerRing);
346 }
347 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
348 clientParams.tryVersion = kSSLProtocol3;
349 clientParams.expectVersion = kSSLProtocol3;
350 serverParams.expectVersion = kSSLProtocol3;
351 serverParams.authenticate = kAlwaysAuthenticate;
352 clientParams.expectCertState = kSSLClientCertRequested;
353 serverParams.expectCertState = kSSLClientCertRequested;
354 serverParams.expectRtn = errSSLProtocol;
355 clientParams.expectRtn = errSSLPeerUnexpectedMsg;
356 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
357
358 desc = "server (only) requests authentication, no client cert, TLS1";
359 if(ringBufferIo) {
360 ringBufferReset(&serverToClientRing);
361 ringBufferReset(&clientToServerRing);
362 }
363 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
364 serverParams.authenticate = kTryAuthenticate;
365 clientParams.expectCertState = kSSLClientCertRequested;
366 serverParams.expectCertState = kSSLClientCertRequested;
367 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
368
369 desc = "server (only) requests authentication, no client cert, SSL3";
370 if(ringBufferIo) {
371 ringBufferReset(&serverToClientRing);
372 ringBufferReset(&clientToServerRing);
373 }
374 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
375 clientParams.tryVersion = kSSLProtocol3;
376 clientParams.expectVersion = kSSLProtocol3;
377 serverParams.expectVersion = kSSLProtocol3;
378 serverParams.authenticate = kTryAuthenticate;
379 clientParams.expectCertState = kSSLClientCertRequested;
380 serverParams.expectCertState = kSSLClientCertRequested;
381 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
382
383 desc = "server (only) requests authentication, client cert w/unknown root, TLS1";
384 if(ringBufferIo) {
385 ringBufferReset(&serverToClientRing);
386 ringBufferReset(&clientToServerRing);
387 }
388 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
389 serverParams.authenticate = kTryAuthenticate;
390 clientParams.expectCertState = kSSLClientCertRejected;
391 serverParams.expectCertState = kSSLClientCertRejected;
392 clientParams.myCertKcName = clientKcPath;
393 /* no anchor file for server; unrecognized */
394 serverParams.expectRtn = errSSLUnknownRootCert;
395 clientParams.expectRtn = errSSLPeerUnknownCA;
396 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
397
398 desc = "server (only) requests authentication, client cert w/unknown root, SSL3";
399 if(ringBufferIo) {
400 ringBufferReset(&serverToClientRing);
401 ringBufferReset(&clientToServerRing);
402 }
403 SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
404 clientParams.tryVersion = kSSLProtocol3;
405 clientParams.expectVersion = kSSLProtocol3;
406 serverParams.expectVersion = kSSLProtocol3;
407 serverParams.authenticate = kTryAuthenticate;
408 clientParams.expectCertState = kSSLClientCertRejected;
409 serverParams.expectCertState = kSSLClientCertRejected;
410 clientParams.myCertKcName = clientKcPath;
411 /* no anchor file for server; unrecognized */
412 serverParams.expectRtn = errSSLUnknownRootCert;
413 clientParams.expectRtn = errSSLPeerUnsupportedCert;
414 SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
415 if(ringBufferIo) {
416 ringBufferReset(&serverToClientRing);
417 ringBufferReset(&clientToServerRing);
418 }
419
420 if(loops) {
421 if(++loopNum == loops) {
422 break;
423 }
424 printf("...loop %u\n", loopNum);
425 }
426 }
427
428 done:
429 if(!clientParams.quiet) {
430 if(ourRtn == 0) {
431 printf("===== sslAlert test PASSED =====\n");
432 }
433 else {
434 printf("****FAIL: %d errors detected\n", ourRtn);
435 }
436 }
437
438 return ourRtn;
439 }