--- /dev/null
+/*
+ * Copyright (c) 2008-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * Trivial SSL server example, using SecureTransport / OS X version.
+ *
+ */
+
+#include <Security/SecureTransport.h>
+#include <Security/SecureTransportPriv.h>
+#include "sslAppUtils.h"
+#include "ioSock.h"
+#include "fileIo.h"
+
+#include <Security/SecBase.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
+#include <sys/param.h>
+
+#include <Security/Security.h>
+#include <Security/SecCertificatePriv.h>
+
+#include <CoreFoundation/CoreFoundation.h>
+#include "printCert.h"
+
+#if NO_SERVER
+#include <securityd/spi.h>
+#endif
+
+/* Set true when PR-3074739 is merged to TOT */
+#define SET_DH_PARAMS_ENABLE 1
+
+/* true when using SSLCopyPeerCertificates() per Radar 3311892 */
+#define USE_COPY_PEER_CERTS 1
+
+/*
+ * Defaults, overridable by user.
+ */
+#define SERVER_MESSAGE "HTTP/1.0 200 OK\015\012Content-Type: text/html\015\012\015\012" \
+ "<HTML><HEAD><TITLE>SecureTransport Test Server</TITLE></HEAD>" \
+ "<BODY><H2>Secure connection established.</H2>" \
+ "Message from the 'sslServer' sample application.\015\012</BODY>" \
+ "</HTML>\015\012"
+
+/* For ease of debugging, pick a non-privileged port */
+#define DEFAULT_PORT 1200
+// #define DEFAULT_PORT 443
+
+#define DEFAULT_HOST "localhost"
+
+#define DEFAULT_KC "certkc"
+
+static void usage(char **argv)
+{
+ printf("Usage: %s [option ...]\n", argv[0]);
+ printf("Options:\n");
+ printf(" P=port Port to listen on; default is %d\n", DEFAULT_PORT);
+ printf(" k=keychain Contains server cert and keys.\n");
+ printf(" y=keychain Encryption-only cert and keys.\n");
+ printf(" e Allow Expired Certs\n");
+ printf(" r Allow any root cert\n");
+ printf(" E Allow Expired Roots\n");
+ printf(" x Disable Cert Verification\n");
+ printf(" f=fileBase Write Peer Certs to fileBase*\n");
+ printf(" c Display peer certs\n");
+ printf(" d Display received data\n");
+ printf(" C=cipherSuite (e=40-bit d=DES D=40-bit DES 3=3DES 4=RC4 $=40-bit RC4\n"
+ " 2=RC2 a=AES128 A=AES256 h=DH H=Anon DH r=DHE/RSA s=DH/DSS\n"
+ " n=RSA/NULL\n");
+ printf(" 2 SSLv2 only (default is best fit)\n");
+ printf(" 3 SSLv3 only (default is best fit)\n");
+ printf(" t TLSv1 only (default is best fit)\n");
+ printf(" o TLSv1, SSLv3 use kSSLProtocol__X__Only\n");
+ printf(" g={prot...} Specify legal protocols; prot = any combo of [23t]\n");
+ printf(" T=[nrsj] Verify client cert state = "
+ "none/requested/sent/rejected\n");
+ printf(" R Disable resumable session support\n");
+ printf(" i=timeout Session cache timeout\n");
+ printf(" u=[nat] Authentication: n=never; a=always; t=try\n");
+ printf(" b Non-blocking I/O\n");
+ printf(" a fileNmae Add fileName to list of trusted roots\n");
+ printf(" A fileName fileName is ONLY trusted root\n");
+ printf(" U filename Add filename to acceptable DNList (multiple times OK)\n");
+ printf(" D filename Diffie-Hellman parameters from filename\n");
+ printf(" z=password Unlock server keychain with password.\n");
+ printf(" H Do SecIdentityRef search instead of specific keychain\n");
+ printf(" M Complete cert chain (default assumes that our identity is root)\n");
+ printf(" 4 Disable anonymous ciphers\n");
+ printf(" p Pause after each phase\n");
+ printf(" l[=loops] Loop, performing multiple transactions\n");
+ printf(" q Quiet/diagnostic mode (site names and errors only)\n");
+ printf(" h Help\n");
+ exit(1);
+}
+
+/* snag a copy of current connection's peer certs so we can
+ * examine them later after the connection is closed */
+static OSStatus copyPeerCerts(
+ SSLContext *ctx,
+ CFArrayRef *peerCerts) // mallocd & RETURNED
+{
+ #if USE_COPY_PEER_CERTS
+ OSStatus ortn = SSLCopyPeerCertificates(ctx, peerCerts);
+ #else
+ OSStatus ortn = SSLGetPeerCertificates(ctx, peerCerts);
+ #endif
+ if(ortn) {
+ printf("***Error obtaining peer certs: %s\n",
+ sslGetSSLErrString(ortn));
+ }
+ return ortn;
+}
+
+/* free the cert array obtained via SSLGetPeerCertificates() */
+static void freePeerCerts(
+ CFArrayRef peerCerts)
+{
+ if(peerCerts == NULL) {
+ return;
+ }
+
+ #if USE_COPY_PEER_CERTS
+
+ /* Voila! Problem fixed. */
+ CFRelease(peerCerts);
+ return;
+
+ #else
+
+ CFIndex numCerts;
+ SecCertificateRef certData;
+ CFIndex i;
+
+ numCerts = CFArrayGetCount(peerCerts);
+ for(i=0; i<numCerts; i++) {
+ certData = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i);
+ CFRelease(certData);
+ }
+ CFRelease(peerCerts);
+ #endif
+}
+
+/* print reply received from server */
+static void dumpAscii(
+ uint8_t *rcvBuf,
+ uint32_t len)
+{
+ char *cp = (char *)rcvBuf;
+ uint32_t i;
+ char c;
+
+ for(i=0; i<len; i++) {
+ c = *cp++;
+ if(c == '\0') {
+ break;
+ }
+ switch(c) {
+ case '\n':
+ printf("\\n");
+ break;
+ case '\r':
+ printf("\\r");
+ break;
+ default:
+ if(isprint(c) && (c != '\n')) {
+ printf("%c", c);
+ }
+ else {
+ printf("<%02X>", ((unsigned)c) & 0xff);
+ }
+ break;
+ }
+
+ }
+ printf("\n");
+}
+
+static void doPause(const char *prompt) {
+ if(prompt) {
+ printf("%s. ", prompt);
+ }
+ fpurge(stdin);
+ printf("Continue (n/anything)? ");
+ char c = getchar();
+ if(c == 'n') {
+ exit(0);
+ }
+}
+
+/*
+ * Perform one SSL diagnostic server-side session. Returns nonzero on error.
+ * Normally no output to stdout except initial "waiting for connection" message,
+ * unless there is a really screwed up error (i.e., something not directly related
+ * to the SSL connection).
+ */
+#define RCV_BUF_SIZE 256
+
+static OSStatus sslServe(
+ otSocket listenSock,
+ unsigned short portNum,
+ SSLProtocol tryVersion, // only used if acceptedProts NULL
+ const char *acceptedProts,
+ CFArrayRef serverCerts, // required
+ char *password, // optional
+ CFArrayRef encryptServerCerts, // optional
+ bool allowExpired,
+ bool allowAnyRoot,
+ bool allowExpiredRoot,
+ bool disableCertVerify,
+ char *anchorFile,
+ bool replaceAnchors,
+ char cipherRestrict, // '2', 'd'. etc...'\0' for no
+ // restriction
+ SSLAuthenticate authenticate,
+ unsigned char *dhParams, // optional D-H parameters
+ unsigned dhParamsLen,
+ CFArrayRef acceptableDNList, // optional
+ bool resumableEnable,
+ uint32_t sessionCacheTimeout,// optional
+ bool disableAnonCiphers,
+ bool silent, // no stdout
+ bool pause,
+ SSLProtocol *negVersion, // RETURNED
+ SSLCipherSuite *negCipher, // RETURNED
+ SSLClientCertificateState *certState, // RETURNED
+ Boolean *sessionWasResumed, // RETURNED
+ unsigned char *sessionID, // mallocd by caller, RETURNED
+ size_t *sessionIDLength, // RETURNED
+ CFArrayRef *peerCerts, // mallocd & RETURNED
+ char **argv)
+{
+ otSocket acceptSock;
+ PeerSpec peerId;
+ OSStatus ortn;
+ SSLContextRef ctx = NULL;
+ size_t length;
+ uint8_t rcvBuf[RCV_BUF_SIZE];
+ const char *outMsg = SERVER_MESSAGE;
+
+ *negVersion = kSSLProtocolUnknown;
+ *negCipher = SSL_NULL_WITH_NULL_NULL;
+ *peerCerts = NULL;
+
+ #if IGNORE_SIGPIPE
+ signal(SIGPIPE, sigpipe);
+ #endif
+
+ /* first wait for a connection */
+ if(!silent) {
+ printf("Waiting for client connection on port %u...", portNum);
+ fflush(stdout);
+ }
+ ortn = AcceptClientConnection(listenSock, &acceptSock, &peerId);
+ if(ortn) {
+ printf("AcceptClientConnection returned %d; aborting\n", (int)ortn);
+ return ortn;
+ }
+
+ /*
+ * Set up a SecureTransport session.
+ * First the standard calls.
+ */
+ ortn = SSLNewContext(true, &ctx);
+ if(ortn) {
+ printSslErrStr("SSLNewContext", ortn);
+ goto cleanup;
+ }
+ ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
+ if(ortn) {
+ printSslErrStr("SSLSetIOFuncs", ortn);
+ goto cleanup;
+ }
+ ortn = SSLSetConnection(ctx, (SSLConnectionRef)acceptSock);
+ if(ortn) {
+ printSslErrStr("SSLSetConnection", ortn);
+ goto cleanup;
+ }
+
+ /* have to do these options befor setting server certs */
+ if(allowExpired) {
+ ortn = SSLSetAllowsExpiredCerts(ctx, true);
+ if(ortn) {
+ printSslErrStr("SSLSetAllowExpiredCerts", ortn);
+ goto cleanup;
+ }
+ }
+ if(allowAnyRoot) {
+ ortn = SSLSetAllowsAnyRoot(ctx, true);
+ if(ortn) {
+ printSslErrStr("SSLSetAllowAnyRoot", ortn);
+ goto cleanup;
+ }
+ }
+
+ if(anchorFile) {
+ ortn = sslAddTrustedRoot(ctx, anchorFile, replaceAnchors);
+ if(ortn) {
+ printf("***Error obtaining anchor file %s\n", anchorFile);
+ goto cleanup;
+ }
+ }
+ if(serverCerts != NULL) {
+ if(anchorFile == NULL) {
+ /* no specific anchors, so assume we want to trust this one */
+ ortn = addIdentityAsTrustedRoot(ctx, serverCerts);
+ if(ortn) {
+ goto cleanup;
+ }
+ }
+ ortn = SSLSetCertificate(ctx, serverCerts);
+ if(ortn) {
+ printSslErrStr("SSLSetCertificate", ortn);
+ goto cleanup;
+ }
+ }
+ if(encryptServerCerts) {
+ ortn = SSLSetEncryptionCertificate(ctx, encryptServerCerts);
+ if(ortn) {
+ printSslErrStr("SSLSetEncryptionCertificate", ortn);
+ goto cleanup;
+ }
+ }
+ if(allowExpiredRoot) {
+ ortn = SSLSetAllowsExpiredRoots(ctx, true);
+ if(ortn) {
+ printSslErrStr("SSLSetAllowsExpiredRoots", ortn);
+ goto cleanup;
+ }
+ }
+ if(disableCertVerify) {
+ ortn = SSLSetEnableCertVerify(ctx, false);
+ if(ortn) {
+ printSslErrStr("SSLSetEnableCertVerify", ortn);
+ goto cleanup;
+ }
+ }
+
+ /*
+ * SecureTransport options.
+ */
+ if(acceptedProts) {
+ ortn = SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false);
+ if(ortn) {
+ printSslErrStr("SSLSetProtocolVersionEnabled(all off)", ortn);
+ goto cleanup;
+ }
+ for(const char *cp = acceptedProts; *cp; cp++) {
+ SSLProtocol prot = kSSLProtocolUnknown;
+ switch(*cp) {
+ case '2':
+ prot = kSSLProtocol2;
+ break;
+ case '3':
+ prot = kSSLProtocol3;
+ break;
+ case 't':
+ prot = kTLSProtocol1;
+ break;
+ default:
+ usage(argv);
+ }
+ ortn = SSLSetProtocolVersionEnabled(ctx, prot, true);
+ if(ortn) {
+ printSslErrStr("SSLSetProtocolVersionEnabled", ortn);
+ goto cleanup;
+ }
+ }
+ }
+ else {
+ ortn = SSLSetProtocolVersion(ctx, tryVersion);
+ if(ortn) {
+ printSslErrStr("SSLSetProtocolVersion", ortn);
+ goto cleanup;
+ }
+ }
+ if(resumableEnable) {
+ ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
+ if(ortn) {
+ printSslErrStr("SSLSetPeerID", ortn);
+ goto cleanup;
+ }
+ }
+ if(cipherRestrict != '\0') {
+ ortn = sslSetCipherRestrictions(ctx, cipherRestrict);
+ if(ortn) {
+ goto cleanup;
+ }
+ }
+ if(authenticate != kNeverAuthenticate) {
+ ortn = SSLSetClientSideAuthenticate(ctx, authenticate);
+ if(ortn) {
+ printSslErrStr("SSLSetClientSideAuthenticate", ortn);
+ goto cleanup;
+ }
+ }
+ if(dhParams) {
+ ortn = SSLSetDiffieHellmanParams(ctx, dhParams, dhParamsLen);
+ if(ortn) {
+ printSslErrStr("SSLSetDiffieHellmanParams", ortn);
+ goto cleanup;
+ }
+ }
+ if(sessionCacheTimeout) {
+ ortn = SSLSetSessionCacheTimeout(ctx, sessionCacheTimeout);
+ if(ortn) {
+ printSslErrStr("SSLSetSessionCacheTimeout", ortn);
+ goto cleanup;
+ }
+ }
+ if(disableAnonCiphers) {
+ ortn = SSLSetAllowAnonymousCiphers(ctx, false);
+ if(ortn) {
+ printSslErrStr("SSLSetAllowAnonymousCiphers", ortn);
+ goto cleanup;
+ }
+ /* quickie test of the getter */
+ Boolean e;
+ ortn = SSLGetAllowAnonymousCiphers(ctx, &e);
+ if(ortn) {
+ printSslErrStr("SSLGetAllowAnonymousCiphers", ortn);
+ goto cleanup;
+ }
+ if(e) {
+ printf("***SSLGetAllowAnonymousCiphers() returned true; expected false\n");
+ ortn = errSecIO;
+ goto cleanup;
+ }
+ }
+/* XXX/cs
+ if(acceptableDNList) {
+ ortn = SSLSetCertificateAuthorities(ctx, acceptableDNList, TRUE);
+ if(ortn) {
+ printSslErrStr("SSLSetCertificateAuthorities", ortn);
+ goto cleanup;
+ }
+ }
+*/
+ /* end options */
+
+ if(pause) {
+ doPause("SSLContext initialized");
+ }
+
+ /* Perform SSL/TLS handshake */
+ do
+ { ortn = SSLHandshake(ctx);
+ if((ortn == errSSLWouldBlock) && !silent) {
+ /* keep UI responsive */
+ sslOutputDot();
+ }
+ } while (ortn == errSSLWouldBlock);
+
+ /* this works even if handshake failed due to cert chain invalid */
+ copyPeerCerts(ctx, peerCerts);
+
+ SSLGetClientCertificateState(ctx, certState);
+ SSLGetNegotiatedCipher(ctx, negCipher);
+ SSLGetNegotiatedProtocolVersion(ctx, negVersion);
+ *sessionIDLength = MAX_SESSION_ID_LENGTH;
+ SSLGetResumableSessionInfo(ctx, sessionWasResumed, sessionID,
+ sessionIDLength);
+
+ if(!silent) {
+ printf("\n");
+ }
+ if(ortn) {
+ goto cleanup;
+ }
+ if(pause) {
+ doPause("SSLContext handshake complete");
+ }
+
+ /* wait for one complete line or user says they've had enough */
+ while(ortn == errSecSuccess) {
+ length = sizeof(rcvBuf);
+ ortn = SSLRead(ctx, rcvBuf, length, &length);
+ if(length == 0) {
+ /* keep UI responsive */
+ sslOutputDot();
+ }
+ else {
+ /* print what we have */
+ printf("client request: ");
+ dumpAscii(rcvBuf, length);
+ }
+ if(pause) {
+ /* allow user to bail */
+ char resp;
+
+ fpurge(stdin);
+ printf("\nMore client request (y/anything): ");
+ resp = getchar();
+ if(resp != 'y') {
+ break;
+ }
+ }
+
+ /* poor person's line completion scan */
+ for(unsigned i=0; i<length; i++) {
+ if((rcvBuf[i] == '\n') || (rcvBuf[i] == '\r')) {
+ /* a labelled break would be nice here.... */
+ goto serverResp;
+ }
+ }
+ if (ortn == errSSLWouldBlock) {
+ ortn = errSecSuccess;
+ }
+ }
+
+serverResp:
+ if(pause) {
+ doPause("Client GET msg received");
+ }
+
+ /* send out canned response */
+ length = strlen(outMsg);
+ ortn = SSLWrite(ctx, outMsg, length, &length);
+ if(ortn) {
+ printSslErrStr("SSLWrite", ortn);
+ }
+ if(pause) {
+ doPause("Server response sent");
+ }
+cleanup:
+ /*
+ * always do close, even on error - to flush outgoing write queue
+ */
+ OSStatus cerr = SSLClose(ctx);
+ if(ortn == errSecSuccess) {
+ ortn = cerr;
+ }
+ if(acceptSock) {
+ endpointShutdown(acceptSock);
+ }
+ if(ctx) {
+ SSLDisposeContext(ctx);
+ }
+ /* FIXME - dispose of serverCerts */
+ return ortn;
+}
+
+static void showPeerCerts(
+ CFArrayRef peerCerts,
+ bool verbose)
+{
+ CFIndex numCerts;
+ SecCertificateRef certRef;
+ CFIndex i;
+
+ if(peerCerts == NULL) {
+ return;
+ }
+ numCerts = CFArrayGetCount(peerCerts);
+ for(i=0; i<numCerts; i++) {
+ certRef = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i);
+ printf("\n================== Server Cert %lu ===================\n\n", i);
+ print_cert(certRef, verbose);
+ printf("\n=============== End of Server Cert %lu ===============\n", i);
+ }
+}
+
+static void writePeerCerts(
+ CFArrayRef peerCerts,
+ const char *fileBase)
+{
+ CFIndex numCerts;
+ SecCertificateRef certRef;
+ CFIndex i;
+ char fileName[100];
+
+ if(peerCerts == NULL) {
+ return;
+ }
+ numCerts = CFArrayGetCount(peerCerts);
+ for(i=0; i<numCerts; i++) {
+ sprintf(fileName, "%s%02d.cer", fileBase, (int)i);
+ certRef = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i);
+ writeFile(fileName, SecCertificateGetBytePtr(certRef),
+ SecCertificateGetLength(certRef));
+ }
+ printf("...wrote %lu certs to fileBase %s\n", numCerts, fileBase);
+}
+
+static void showSSLResult(
+ SSLProtocol tryVersion,
+ char *acceptedProts,
+ OSStatus err,
+ SSLProtocol negVersion,
+ SSLCipherSuite negCipher,
+ Boolean sessionWasResumed,
+ unsigned char *sessionID,
+ size_t sessionIDLength,
+ CFArrayRef peerCerts,
+ bool displayPeerCerts,
+ SSLClientCertificateState certState,
+ char *fileBase) // non-NULL: write certs to file
+{
+ CFIndex numPeerCerts;
+
+ printf("\n");
+ if(acceptedProts) {
+ printf(" Allowed SSL versions : %s\n", acceptedProts);
+ }
+ else {
+ printf(" Attempted SSL version : %s\n",
+ sslGetProtocolVersionString(tryVersion));
+ }
+ printf(" Result : %s\n", sslGetSSLErrString(err));
+ printf(" Negotiated SSL version : %s\n",
+ sslGetProtocolVersionString(negVersion));
+ printf(" Negotiated CipherSuite : %s\n",
+ sslGetCipherSuiteString(negCipher));
+ if(certState != kSSLClientCertNone) {
+ printf(" Client Cert State : %s\n",
+ sslGetClientCertStateString(certState));
+ }
+ printf(" Resumed Session : ");
+ if(sessionWasResumed) {
+ for(unsigned dex=0; dex<sessionIDLength; dex++) {
+ printf("%02X ", sessionID[dex]);
+ if(((dex % 8) == 7) && (dex != (sessionIDLength - 1))) {
+ printf("\n ");
+ }
+ }
+ printf("\n");
+ }
+ else {
+ printf("NOT RESUMED\n");
+ }
+ if(peerCerts == NULL) {
+ numPeerCerts = 0;
+ }
+ else {
+ numPeerCerts = CFArrayGetCount(peerCerts);
+ }
+ printf(" Number of peer certs : %lu\n", numPeerCerts);
+ if(numPeerCerts != 0) {
+ if(displayPeerCerts) {
+ showPeerCerts(peerCerts, false);
+ }
+ if(fileBase != NULL) {
+ writePeerCerts(peerCerts, fileBase);
+ }
+ }
+ printf("\n");
+}
+
+static int verifyClientCertState(
+ bool verifyCertState,
+ SSLClientCertificateState expectState,
+ SSLClientCertificateState gotState)
+{
+ if(!verifyCertState) {
+ return 0;
+ }
+ if(expectState == gotState) {
+ return 0;
+ }
+ printf("***Expected clientCertState %s; got %s\n",
+ sslGetClientCertStateString(expectState),
+ sslGetClientCertStateString(gotState));
+ return 1;
+}
+
+int main(int argc, char **argv)
+{
+ OSStatus err;
+ int arg;
+ char fullFileBase[100];
+ SSLProtocol negVersion;
+ SSLCipherSuite negCipher;
+ Boolean sessionWasResumed;
+ unsigned char sessionID[MAX_SESSION_ID_LENGTH];
+ size_t sessionIDLength;
+ CFArrayRef peerCerts = NULL;
+ char *argp;
+ otSocket listenSock;
+ CFArrayRef serverCerts = nil; // required
+ CFArrayRef encryptCerts = nil; // optional
+ SecKeychainRef serverKc = nil;
+ SecKeychainRef encryptKc = nil;
+ int loopNum;
+ int errCount = 0;
+ SSLClientCertificateState certState; // obtained from sslServe
+
+ /* user-spec'd parameters */
+ unsigned short portNum = DEFAULT_PORT;
+ bool allowExpired = false;
+ bool allowAnyRoot = false;
+ char *fileBase = NULL;
+ bool displayRxData = false;
+ bool displayCerts = false;
+ char cipherRestrict = '\0';
+ SSLProtocol attemptProt = kTLSProtocol1;
+ bool protXOnly = false; // kSSLProtocol3Only,
+ // kTLSProtocol1Only
+ char *acceptedProts = NULL; // "23t" ==> SSLSetProtocolVersionEnabled
+ bool quiet = false;
+ bool resumableEnable = true;
+ bool pause = false;
+ char *keyChainName = NULL;
+ char *encryptKeyChainName = NULL;
+ int loops = 1;
+ SSLAuthenticate authenticate = kNeverAuthenticate;
+ bool nonBlocking = false;
+ bool allowExpiredRoot = false;
+ bool disableCertVerify = false;
+ char *anchorFile = NULL;
+ bool replaceAnchors = false;
+ bool vfyCertState = false;
+ SSLClientCertificateState expectCertState = kSSLClientCertNone;
+ char *password = NULL;
+ char *dhParamsFile = NULL;
+ unsigned char *dhParams = NULL;
+ unsigned dhParamsLen = 0;
+ bool doIdSearch = false;
+ bool completeCertChain = false;
+ uint32_t sessionCacheTimeout = 0;
+ bool disableAnonCiphers = false;
+ CFMutableArrayRef acceptableDNList = NULL;
+
+ for(arg=1; arg<argc; arg++) {
+ argp = argv[arg];
+ switch(argp[0]) {
+ case 'P':
+ portNum = atoi(&argp[2]);
+ break;
+ case 'k':
+ keyChainName = &argp[2];
+ break;
+ case 'y':
+ encryptKeyChainName = &argp[2];
+ break;
+ case 'e':
+ allowExpired = true;
+ break;
+ case 'E':
+ allowExpiredRoot = true;
+ break;
+ case 'x':
+ disableCertVerify = true;
+ break;
+ case 'a':
+ if(++arg == argc) {
+ /* requires another arg */
+ usage(argv);
+ }
+ anchorFile = argv[arg];
+ break;
+ case 'A':
+ if(++arg == argc) {
+ /* requires another arg */
+ usage(argv);
+ }
+ anchorFile = argv[arg];
+ replaceAnchors = true;
+ break;
+ case 'T':
+ if(argp[1] != '=') {
+ usage(argv);
+ }
+ vfyCertState = true;
+ switch(argp[2]) {
+ case 'n':
+ expectCertState = kSSLClientCertNone;
+ break;
+ case 'r':
+ expectCertState = kSSLClientCertRequested;
+ break;
+ case 's':
+ expectCertState = kSSLClientCertSent;
+ break;
+ case 'j':
+ expectCertState = kSSLClientCertRejected;
+ break;
+ default:
+ usage(argv);
+ }
+ break;
+ case 'r':
+ allowAnyRoot = true;
+ break;
+ case 'd':
+ displayRxData = true;
+ break;
+ case 'c':
+ displayCerts = true;
+ break;
+ case 'f':
+ fileBase = &argp[2];
+ break;
+ case 'C':
+ cipherRestrict = argp[2];
+ break;
+ case '2':
+ attemptProt = kSSLProtocol2;
+ break;
+ case '3':
+ attemptProt = kSSLProtocol3;
+ break;
+ case 't':
+ attemptProt = kTLSProtocol1;
+ break;
+ case 'o':
+ protXOnly = true;
+ break;
+ case 'g':
+ if(argp[1] != '=') {
+ usage(argv);
+ }
+ acceptedProts = &argp[2];
+ break;
+ case 'R':
+ resumableEnable = false;
+ break;
+ case 'b':
+ nonBlocking = true;
+ break;
+ case 'u':
+ if(argp[1] != '=') {
+ usage(argv);
+ }
+ switch(argp[2]) {
+ case 'a': authenticate = kAlwaysAuthenticate; break;
+ case 'n': authenticate = kNeverAuthenticate; break;
+ case 't': authenticate = kTryAuthenticate; break;
+ default: usage(argv);
+ }
+ break;
+ case 'D':
+ if(++arg == argc) {
+ /* requires another arg */
+ usage(argv);
+ }
+ dhParamsFile = argv[arg];
+ break;
+ case 'z':
+ password = &argp[2];
+ break;
+ case 'H':
+ doIdSearch = true;
+ break;
+ case 'M':
+ completeCertChain = true;
+ break;
+ case 'i':
+ sessionCacheTimeout = atoi(&argp[2]);
+ break;
+ case '4':
+ disableAnonCiphers = true;
+ break;
+ case 'p':
+ pause = true;
+ break;
+ case 'q':
+ quiet = true;
+ break;
+#if 0
+ case 'U':
+ if(++arg == argc) {
+ /* requires another arg */
+ usage(argv);
+ }
+ if(cspReadFile(argv[arg], &caCert, &caCertLen)) {
+ printf("***Error reading file %s. Aborting.\n", argv[arg]);
+ exit(1);
+ }
+ if(acceptableDNList == NULL) {
+ acceptableDNList = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ }
+ certData.Data = caCert;
+ certData.Length = caCertLen;
+ ortn = SecCertificateCreateFromData(&certData,
+ CSSM_CERT_X_509v3,
+ CSSM_CERT_ENCODING_DER,
+ &secCert);
+ if(ortn) {
+ cssmPerror("SecCertificateCreateFromData", ortn);
+ exit(1);
+ }
+ CFArrayAppendValue(acceptableDNList, secCert);
+ CFRelease(secCert);
+ break;
+#endif
+ case 'l':
+ if(argp[1] == '\0') {
+ /* no loop count --> loop forever */
+ loops = 0;
+ break;
+ }
+ else if(argp[1] != '=') {
+ usage(argv);
+ }
+ loops = atoi(&argp[2]);
+ break;
+ default:
+ usage(argv);
+ }
+ }
+
+#if NO_SERVER
+# if DEBUG
+ securityd_init();
+# endif
+#endif
+
+ /* get server cert and optional encryption cert as CFArrayRef */
+ if(keyChainName) {
+ serverCerts = getSslCerts(keyChainName, false, completeCertChain,
+ anchorFile, &serverKc);
+ if(serverCerts == nil) {
+ exit(1);
+ }
+ }
+ else
+#if 0
+ if(doIdSearch) {
+ OSStatus ortn = sslIdentityPicker(NULL, anchorFile, true, NULL, &serverCerts);
+ if(ortn) {
+ printf("***IdentitySearch failure; aborting.\n");
+ exit(1);
+ }
+ }
+ if(password) {
+ OSStatus ortn = SecKeychainUnlock(serverKc, strlen(password), password, true);
+ if(ortn) {
+ printf("SecKeychainUnlock returned %d\n", (int)ortn);
+ /* oh well */
+ }
+ }
+ if(encryptKeyChainName) {
+ encryptCerts = getSslCerts(encryptKeyChainName, true, completeCertChain,
+ anchorFile, &encryptKc);
+ if(encryptCerts == nil) {
+ exit(1);
+ }
+ }
+#endif
+ if(protXOnly) {
+ switch(attemptProt) {
+ case kTLSProtocol1:
+ attemptProt = kTLSProtocol1Only;
+ break;
+ case kSSLProtocol3:
+ attemptProt = kSSLProtocol3Only;
+ break;
+ default:
+ break;
+ }
+ }
+#if 0
+ if(dhParamsFile) {
+ int r = cspReadFile(dhParamsFile, &dhParams, &dhParamsLen);
+ if(r) {
+ printf("***Error reading diffie-hellman params from %s; aborting\n",
+ dhParamsFile);
+ }
+ }
+#endif
+
+ /* one-time only server port setup */
+ err = ListenForClients(portNum, nonBlocking, &listenSock);
+ if(err) {
+ printf("ListenForClients returned %d; aborting\n", (int)err);
+ exit(1);
+ }
+
+ for(loopNum=1; ; loopNum++) {
+ err = sslServe(listenSock,
+ portNum,
+ attemptProt,
+ acceptedProts,
+ serverCerts,
+ password,
+ encryptCerts,
+ allowExpired,
+ allowAnyRoot,
+ allowExpiredRoot,
+ disableCertVerify,
+ anchorFile,
+ replaceAnchors,
+ cipherRestrict,
+ authenticate,
+ dhParams,
+ dhParamsLen,
+ acceptableDNList,
+ resumableEnable,
+ sessionCacheTimeout,
+ disableAnonCiphers,
+ quiet,
+ pause,
+ &negVersion,
+ &negCipher,
+ &certState,
+ &sessionWasResumed,
+ sessionID,
+ &sessionIDLength,
+ &peerCerts,
+ argv);
+ if(err) {
+ errCount++;
+ }
+ if(!quiet) {
+ SSLProtocol tryProt = attemptProt;
+ showSSLResult(tryProt,
+ acceptedProts,
+ err,
+ negVersion,
+ negCipher,
+ sessionWasResumed,
+ sessionID,
+ sessionIDLength,
+ peerCerts,
+ displayCerts,
+ certState,
+ fileBase ? fullFileBase : NULL);
+ }
+ errCount += verifyClientCertState(vfyCertState, expectCertState,
+ certState);
+ freePeerCerts(peerCerts);
+ if(loops && (loopNum == loops)) {
+ break;
+ }
+ };
+
+ endpointShutdown(listenSock);
+
+ if(serverKc) {
+ CFRelease(serverKc);
+ }
+ if(encryptKc) {
+ CFRelease(encryptKc);
+ }
+ return errCount;
+
+}
+
+
projects / apple / security.git / blobdiff