]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_ssl/regressions/SecureTransportTests/STLegacyTests+clientauth.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-58286.270.3.0.1.tar.gz
[apple/security.git] / OSX / libsecurity_ssl / regressions / SecureTransportTests / STLegacyTests+clientauth.m
1
2 #include <stdbool.h>
3 #include <pthread.h>
4 #include <fcntl.h>
5 #include <sys/mman.h>
6 #include <unistd.h>
7
8 #include <CoreFoundation/CoreFoundation.h>
9
10 #include <AssertMacros.h>
11 #include <Security/SecureTransportPriv.h> /* SSLSetOption */
12 #include <Security/SecureTransport.h>
13 #include <Security/SecPolicy.h>
14 #include <Security/SecTrust.h>
15 #include <Security/SecIdentity.h>
16 #include <Security/SecIdentityPriv.h>
17 #include <Security/SecCertificatePriv.h>
18 #include <Security/SecKeyPriv.h>
19 #include <Security/SecItem.h>
20 #include <Security/SecRandom.h>
21
22 #include <utilities/array_size.h>
23 #include <string.h>
24 #include <sys/types.h>
25 #include <sys/socket.h>
26 #include <errno.h>
27 #include <stdlib.h>
28 #include <mach/mach_time.h>
29
30 #if TARGET_OS_IPHONE
31 #include <Security/SecRSAKey.h>
32 #endif
33
34 #include "ssl-utils.h"
35 #import "STLegacyTests.h"
36
37 @implementation STLegacyTests (clientauth)
38
39 /*
40 SSL Client Auth tests:
41
42 Test both the client and server side.
43
44 Server side test goals:
45 Verify Server behavior in the following cases:
46 Server configuration:
47 - when using kTryAuthenticate vs kAlwaysAuthenticate
48 - with or without breakOnClientAuth.
49 - AnonDH and PSK ciphersuites.
50 Client configuration:
51 - Client sends back no cert vs a cert.
52 - Client sends back an unsupported cert.
53 - Client sends back a malformed cert.
54 - Client cert is trusted vs untrusted.
55 - Client does not have private key (ie: Certificate Verify message should fail).
56 Behavior to verify:
57 - handshake pass or fail
58 - SSLGetClientCertificateState returns expected results
59
60 Client side test goals:
61 Client configuration:
62 - with or without breakOnCertRequest.
63 - no cert, vs cert.
64 Server config:
65 - No client cert requested, vs client cert requested vs client cert required.
66 Behavior to verify:
67 - handshake pass or fail
68 - SSLGetClientCertificateState returns expected results
69
70 */
71
72
73 static OSStatus SocketWrite(SSLConnectionRef conn, const void *data, size_t *length)
74 {
75 size_t len = *length;
76 uint8_t *ptr = (uint8_t *)data;
77
78 do {
79 ssize_t ret;
80 do {
81 ret = write((int)conn, ptr, len);
82 } while ((ret < 0) && (errno == EAGAIN || errno == EINTR));
83 if (ret > 0) {
84 len -= ret;
85 ptr += ret;
86 }
87 else
88 return -36;
89 } while (len > 0);
90
91 *length = *length - len;
92 return errSecSuccess;
93 }
94
95 static OSStatus SocketRead(SSLConnectionRef conn, void *data, size_t *length)
96 {
97 size_t len = *length;
98 uint8_t *ptr = (uint8_t *)data;
99
100 do {
101 ssize_t ret;
102 do {
103 ret = read((int)conn, ptr, len);
104 } while ((ret < 0) && (errno == EINPROGRESS || errno == EAGAIN || errno == EINTR));
105 if (ret > 0) {
106 len -= ret;
107 ptr += ret;
108 } else {
109 printf("read error(%d): ret=%zd, errno=%d\n", (int)conn, ret, errno);
110 return -errno;
111 }
112 } while (len > 0);
113
114 *length = *length - len;
115 return errSecSuccess;
116 }
117
118 typedef struct {
119 SSLContextRef st;
120 int comm;
121 bool break_on_req;
122 CFArrayRef certs;
123 int auth; //expected client auth behavior of the server (0=no request, 1=optional , 2=required)
124 } ssl_client_handle;
125
126 static ssl_client_handle *
127 ssl_client_handle_create(bool break_on_req, int comm, CFArrayRef certs, CFArrayRef trustedCA, int auth)
128 {
129 ssl_client_handle *handle = calloc(1, sizeof(ssl_client_handle));
130 SSLContextRef ctx = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
131
132 require(handle, out);
133 require(ctx, out);
134
135 require_noerr(SSLSetIOFuncs(ctx,
136 (SSLReadFunc)SocketRead, (SSLWriteFunc)SocketWrite), out);
137 require_noerr(SSLSetConnection(ctx, (SSLConnectionRef)(intptr_t)comm), out);
138 static const char *peer_domain_name = "localhost";
139 require_noerr(SSLSetPeerDomainName(ctx, peer_domain_name,
140 strlen(peer_domain_name)), out);
141
142 require_noerr(SSLSetTrustedRoots(ctx, trustedCA, true), out);
143
144
145 /* Setting client certificate in advance */
146 if (!break_on_req && certs) {
147 require_noerr(SSLSetCertificate(ctx, certs), out);
148 }
149
150 if (break_on_req) {
151 require_noerr(SSLSetSessionOption(ctx,
152 kSSLSessionOptionBreakOnCertRequested, true), out);
153 }
154
155 handle->break_on_req = break_on_req;
156 handle->comm = comm;
157 handle->certs = certs;
158 handle->st = ctx;
159 handle->auth = auth;
160
161 return handle;
162
163 out:
164 if (ctx)
165 CFRelease(ctx);
166 if (handle)
167 free(handle);
168
169 return NULL;
170 }
171
172 static void
173 ssl_client_handle_destroy(ssl_client_handle *handle)
174 {
175 if(handle) {
176 SSLClose(handle->st);
177 CFRelease(handle->st);
178 free(handle);
179 }
180 }
181
182 static void *securetransport_ssl_client_thread(void *arg)
183 {
184 OSStatus ortn;
185 ssl_client_handle * ssl = (ssl_client_handle *)arg;
186 SSLContextRef ctx = ssl->st;
187 bool got_client_cert_req = false;
188 SSLSessionState ssl_state;
189
190 pthread_setname_np("client thread");
191
192 require_noerr(ortn=SSLGetSessionState(ctx,&ssl_state), out);
193 require_action(ssl_state==kSSLIdle, out, ortn = -1);
194
195 do {
196 ortn = SSLHandshake(ctx);
197 require_noerr(SSLGetSessionState(ctx,&ssl_state), out);
198
199 if (ortn == errSSLClientCertRequested) {
200 require_string(ssl->auth, out, "cert req not expected");
201 require_string(ssl_state==kSSLHandshake, out, "wrong client handshake state after errSSLClientCertRequested");
202 require_string(!got_client_cert_req, out, "second client cert req");
203 got_client_cert_req = true;
204
205 SSLClientCertificateState clientState;
206 SSLGetClientCertificateState(ctx, &clientState);
207 require_string(clientState==kSSLClientCertRequested, out, "Wrong client cert state after cert request");
208
209 require_string(ssl->break_on_req, out, "errSSLClientCertRequested in run not testing that");
210 if(ssl->certs) {
211 require_noerr(SSLSetCertificate(ctx, ssl->certs), out);
212 }
213
214 } else if (ortn == errSSLWouldBlock) {
215 require_string(ssl_state==kSSLHandshake, out, "Wrong client handshake state after errSSLWouldBlock");
216 }
217 } while (ortn == errSSLWouldBlock || ortn == errSSLClientCertRequested);
218
219 require_string((got_client_cert_req || !ssl->auth || !ssl->break_on_req), out, "didn't get client cert req as expected");
220
221
222 out:
223 SSLClose(ssl->st);
224 close(ssl->comm);
225 pthread_exit((void *)(intptr_t)ortn);
226 return NULL;
227 }
228
229
230 typedef struct {
231 SSLContextRef st;
232 int comm;
233 SSLAuthenticate client_auth;
234 CFArrayRef certs;
235 } ssl_server_handle;
236
237 static ssl_server_handle *
238 ssl_server_handle_create(SSLAuthenticate client_auth, int comm, CFArrayRef certs, CFArrayRef trustedCA)
239 {
240 ssl_server_handle *handle = calloc(1, sizeof(ssl_server_handle));
241 SSLContextRef ctx = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide, kSSLStreamType);
242
243 require(handle, out);
244 require(ctx, out);
245
246 require_noerr(SSLSetIOFuncs(ctx,
247 (SSLReadFunc)SocketRead, (SSLWriteFunc)SocketWrite), out);
248 require_noerr(SSLSetConnection(ctx, (SSLConnectionRef)(intptr_t)comm), out);
249
250 require_noerr(SSLSetCertificate(ctx, certs), out);
251
252 require_noerr(SSLSetTrustedRoots(ctx, trustedCA, true), out);
253
254 SSLAuthenticate auth;
255 require_noerr(SSLSetClientSideAuthenticate(ctx, client_auth), out);
256 require_noerr(SSLGetClientSideAuthenticate(ctx, &auth), out);
257 require(auth==client_auth, out);
258
259 handle->client_auth = client_auth;
260 handle->comm = comm;
261 handle->certs = certs;
262 handle->st = ctx;
263
264 return handle;
265
266 out:
267 if (ctx)
268 CFRelease(ctx);
269 if (handle)
270 free(handle);
271
272 return NULL;
273 }
274
275 static void
276 ssl_server_handle_destroy(ssl_server_handle *handle)
277 {
278 if(handle) {
279 SSLClose(handle->st);
280 CFRelease(handle->st);
281 free(handle);
282 }
283 }
284
285 static void *securetransport_ssl_server_thread(void *arg)
286 {
287 OSStatus ortn;
288 ssl_server_handle * ssl = (ssl_server_handle *)arg;
289 SSLContextRef ctx = ssl->st;
290 SSLSessionState ssl_state;
291
292 pthread_setname_np("server thread");
293
294 require_noerr(ortn=SSLGetSessionState(ctx,&ssl_state), out);
295 require_action(ssl_state==kSSLIdle, out, ortn = -1);
296
297 do {
298 ortn = SSLHandshake(ctx);
299 require_noerr(SSLGetSessionState(ctx,&ssl_state), out);
300
301 if (ortn == errSSLWouldBlock) {
302 require_action(ssl_state==kSSLHandshake, out, ortn = -1);
303 }
304 } while (ortn == errSSLWouldBlock);
305
306 require_noerr_quiet(ortn, out);
307
308 require_action(ssl_state==kSSLConnected, out, ortn = -1);
309
310 out:
311 SSLClose(ssl->st);
312 close(ssl->comm);
313 pthread_exit((void *)(intptr_t)ortn);
314 return NULL;
315 }
316
317
318
319 -(void)testClientAuth
320 {
321 pthread_t client_thread, server_thread;
322 CFArrayRef server_certs = server_chain();
323 CFArrayRef trusted_ca = trusted_roots();
324
325 XCTAssert(server_certs, "got server certs");
326 XCTAssert(trusted_ca, "got trusted roots");
327
328 int i, j, k;
329
330 for (i=0; i<3; i++) {/* client side cert: 0 = no cert, 1 = trusted cert, 2 = untrusted cert. */
331 for (j=0; j<2; j++) { /* break on cert request */
332 for (k=0; k<3; k++) { /* server behvior: 0 = no cert request, 1 = optional cert, 2 = required cert */
333
334 int sp[2];
335 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) exit(errno);
336 fcntl(sp[0], F_SETNOSIGPIPE, 1);
337 fcntl(sp[1], F_SETNOSIGPIPE, 1);
338
339 bool break_on_req = (j!=0);
340 SSLClientAuthenticationType auth = (k == 0) ? kNeverAuthenticate
341 : (k == 1) ? kTryAuthenticate
342 : kAlwaysAuthenticate;
343
344 CFArrayRef client_certs = (i == 0) ? NULL
345 : (i == 1) ? trusted_client_chain()
346 : untrusted_client_chain();
347
348 ssl_client_handle *client;
349 client = ssl_client_handle_create(break_on_req, sp[0], client_certs, trusted_ca, auth);
350
351 ssl_server_handle *server;
352 server = ssl_server_handle_create(auth, sp[1], server_certs, trusted_ca);
353
354 pthread_create(&client_thread, NULL, securetransport_ssl_client_thread, client);
355 pthread_create(&server_thread, NULL, securetransport_ssl_server_thread, server);
356
357 intptr_t server_err, client_err;
358 int expected_server_err = 0, expected_client_err = 0;
359 SSLClientCertificateState client_cauth_state, server_cauth_state;
360 SSLClientCertificateState expected_client_cauth_state = 0, expected_server_cauth_state = 0;
361
362
363 if(((k == 2) && (i != 1)) // Server requires good cert, but client not sending good cert,
364 || ((k == 1) && (i == 2)) // Or server request optionally, and client sending bad cert.
365 ) {
366 expected_client_err = errSSLPeerCertUnknown;
367 expected_server_err = errSSLXCertChainInvalid;
368 }
369
370
371 if(k != 0) {
372 if(i == 0) {
373 expected_client_cauth_state = kSSLClientCertRequested;
374 expected_server_cauth_state = kSSLClientCertRequested;
375 } else {
376 expected_client_cauth_state = kSSLClientCertSent;
377 expected_server_cauth_state = kSSLClientCertSent;
378 }
379 }
380
381 pthread_join(client_thread, (void*)&client_err);
382 pthread_join(server_thread, (void*)&server_err);
383
384
385 XCTAssertEqual(errSecSuccess, SSLGetClientCertificateState(client->st, &client_cauth_state), "SSLGetClientCertificateState (client %d:%d:%d)", i, j, k);
386 XCTAssertEqual(errSecSuccess, SSLGetClientCertificateState(client->st, &server_cauth_state), "SSLGetClientCertificateState (server %d:%d:%d)", i, j, k);
387
388 XCTAssertEqual(client_err, expected_client_err, "unexpected error %d!=%d (client %d:%d:%d)", (int)client_err, expected_client_err, i, j, k);
389 XCTAssertEqual(server_err, expected_server_err, "unexpected error %d!=%d (server %d:%d:%d)", (int)server_err, expected_server_err, i, j, k);
390
391 XCTAssertEqual(client_cauth_state, expected_client_cauth_state, "unexpected client auth state %d!=%d (client %d:%d:%d)", client_cauth_state, expected_client_cauth_state, i, j, k);
392 XCTAssertEqual(server_cauth_state, expected_server_cauth_state, "unexpected client auth state %d!=%d (server %d:%d:%d)", server_cauth_state, expected_server_cauth_state, i, j, k);
393
394
395 ssl_server_handle_destroy(server);
396 ssl_client_handle_destroy(client);
397
398 CFReleaseSafe(client_certs);
399 }
400 }
401 }
402
403 CFReleaseSafe(server_certs);
404 CFReleaseSafe(trusted_ca);
405 }
406
407 @end
mirror of Security