--- /dev/null
+/*
+ * sslAlert.cpp - test alert msg sending and processing, client and server side
+ */
+#include <Security/SecureTransport.h>
+#include <Security/Security.h>
+#include <clAppUtils/sslAppUtils.h>
+#include <clAppUtils/ioSock.h>
+#include <clAppUtils/sslThreading.h>
+#include <utilLib/common.h>
+#include <security_cdsa_utils/cuPrintCert.h>
+#include <security_utilities/threading.h>
+#include <security_utilities/devrandom.h>
+
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
+#include <sys/param.h>
+
+#define STARTING_PORT 2000
+
+/*
+ * localcert is a KC containing server cert and signing key
+ * assumptions:
+ * -- common name = "localcert"
+ * -- password of KC = "localcert"
+ */
+#define SERVER_KC "localcert"
+#define SERVER_ROOT "localcert.cer"
+/*
+ * clientcert is a KC containing client cert and signing key
+ * assumptions:
+ * -- password of KC = "clientcert"
+ * -- note common name not checked by SecureTransport when verifying client cert chain
+ */
+#define CLIENT_KC "clientcert"
+#define CLIENT_ROOT "clientcert.cer"
+
+/* main() fills these in using sslKeychainPath() */
+static char serverKcPath[MAXPATHLEN];
+static char clientKcPath[MAXPATHLEN];
+
+static void usage(char **argv)
+{
+ printf("Usage: %s [options]\n", argv[0]);
+ printf("options:\n");
+ printf(" q(uiet)\n");
+ printf(" v(erbose)\n");
+ printf(" p=startingPortNum\n");
+ printf(" b (non blocking I/O)\n");
+ printf(" s=serverCertName; default %s\n", SERVER_ROOT);
+ printf(" c=clientCertName; default %s\n", CLIENT_ROOT);
+ printf(" R (ringBuffer I/O)\n");
+ printf(" l=loops (default=1; 0=forever)\n");
+ exit(1);
+}
+
+#define IGNORE_SIGPIPE 1
+#if IGNORE_SIGPIPE
+#include <signal.h>
+
+void sigpipe(int sig)
+{
+}
+#endif /* IGNORE_SIGPIPE */
+
+/*
+ * Default params for each test. Main() will make a copy of this and
+ * adjust its copy on a per-test basis.
+ */
+SslAppTestParams serverDefaults =
+{
+ "no name here",
+ false, // skipHostNameCHeck
+ 0, // port - test must set this
+ NULL, NULL, // RingBuffers
+ false, // noProtSpec
+ kTLSProtocol1,
+ NULL, // acceptedProts
+ serverKcPath, // myCerts
+ SERVER_KC, // password
+ true, // idIsTrustedRoot
+ false, // disableCertVerify
+ NULL, // anchorFile
+ false, // replaceAnchors
+ kNeverAuthenticate,
+ false, // resumeEnable
+ NULL, // ciphers
+ false, // nonBlocking
+ NULL, // dhParams
+ 0, // dhParamsLen
+ noErr, // expectRtn
+ kTLSProtocol1, // expectVersion
+ kSSLClientCertNone,
+ SSL_CIPHER_IGNORE,
+ false, // quiet
+ false, // silent
+ false, // verbose
+ {0}, // lock
+ {0}, // cond
+ false, // serverReady
+ 0, // clientDone
+ false, // serverAbort
+ /* returned */
+ kSSLProtocolUnknown,
+ SSL_NULL_WITH_NULL_NULL,
+ kSSLClientCertNone,
+ noHardwareErr
+
+};
+
+SslAppTestParams clientDefaults =
+{
+ "localhost",
+ false, // skipHostNameCHeck
+ 0, // port - test must set this
+ NULL, NULL, // RingBuffers
+ false, // noProtSpec
+ kTLSProtocol1,
+ NULL, // acceptedProts
+ NULL, // myCertKcName
+ CLIENT_KC, // password - only meaningful when test sets myCertKcName
+ true, // idIsTrustedRoot
+ false, // disableCertVerify
+ SERVER_ROOT, // anchorFile
+ false, // replaceAnchors
+ kNeverAuthenticate,
+ false, // resumeEnable
+ NULL, // ciphers
+ false, // nonBlocking
+ NULL, // dhParams
+ 0, // dhParamsLen
+ noErr, // expectRtn
+ kTLSProtocol1, // expectVersion
+ kSSLClientCertNone,
+ SSL_CIPHER_IGNORE,
+ false, // quiet
+ false, // silent
+ false, // verbose
+ {0}, // lock
+ {0}, // cond
+ false, // serverReady
+ 0, // clientDone
+ false, // serverAbort
+ /* returned */
+ kSSLProtocolUnknown,
+ SSL_NULL_WITH_NULL_NULL,
+ kSSLClientCertNone,
+ noHardwareErr
+};
+
+
+int main(int argc, char **argv)
+{
+ int ourRtn = 0;
+ char *argp;
+ int thisRtn;
+ SslAppTestParams clientParams;
+ SslAppTestParams serverParams;
+ const char *desc;
+ unsigned short portNum = STARTING_PORT;
+ const char *clientCert = CLIENT_ROOT;
+ RingBuffer serverToClientRing;
+ RingBuffer clientToServerRing;
+ bool ringBufferIo = false;
+ unsigned loopNum = 0;
+ unsigned loops = 1;
+
+ for(int arg=1; arg<argc; arg++) {
+ argp = argv[arg];
+ switch(argp[0]) {
+ case 'q':
+ serverDefaults.quiet = clientDefaults.quiet = true;
+ break;
+ case 'v':
+ serverDefaults.verbose = clientDefaults.verbose = true;
+ break;
+ case 'b':
+ serverDefaults.nonBlocking = clientDefaults.nonBlocking =
+ true;
+ break;
+ case 'p':
+ portNum = atoi(&argp[2]);
+ break;
+ case 's':
+ clientDefaults.anchorFile = &argp[2];
+ break;
+ case 'c':
+ clientCert = &argp[2];
+ break;
+ case 'R':
+ ringBufferIo = true;
+ break;
+ case 'l':
+ loops = atoi(&argp[2]);
+ break;
+ default:
+ usage(argv);
+ }
+ }
+
+ #if IGNORE_SIGPIPE
+ signal(SIGPIPE, sigpipe);
+ #endif
+
+ if(sslCheckFile(clientDefaults.anchorFile)) {
+ exit(1);
+ }
+ if(sslCheckFile(clientCert)) {
+ exit(1);
+ }
+
+ if(ringBufferIo) {
+ /* set up ring buffers */
+ ringBufSetup(&serverToClientRing, "serveToClient", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
+ ringBufSetup(&clientToServerRing, "clientToServe", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
+ serverDefaults.serverToClientRing = &serverToClientRing;
+ serverDefaults.clientToServerRing = &clientToServerRing;
+ clientDefaults.serverToClientRing = &serverToClientRing;
+ clientDefaults.clientToServerRing = &clientToServerRing;
+ }
+
+ /* convert keychain names to paths for root */
+ sslKeychainPath(SERVER_KC, serverKcPath);
+ sslKeychainPath(CLIENT_KC, clientKcPath);
+
+ testStartBanner("sslAlert", argc, argv);
+ // printf("sslAlert: server KC: %s\n", serverKcPath);
+ // printf("sslAlert: client KC: %s\n", clientKcPath);
+
+ /*
+ * We could get real fancy and have a bunch of elaborate tables describing
+ * what's supposed to happen in each test case, but I really don't think
+ * it's worth it.
+ */
+ for(;;) {
+ desc = "basic TLS1, nothing fancy";
+ clientParams = clientDefaults; serverParams = serverDefaults;
+ serverParams.port = portNum;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "client doesn't recognize server root";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ clientParams.anchorFile = NULL;
+ clientParams.expectRtn = errSSLUnknownRootCert;
+ serverParams.expectRtn = errSSLPeerUnknownCA;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "negotiate down to SSL3, server limited";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ serverParams.tryVersion = kSSLProtocol3;
+ serverParams.expectVersion = kSSLProtocol3;
+ clientParams.expectVersion = kSSLProtocol3;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "negotiate down to SSL3, client limited";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ clientParams.tryVersion = kSSLProtocol3;
+ clientParams.expectVersion = kSSLProtocol3;
+ serverParams.expectVersion = kSSLProtocol3;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "successful client authentication";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ clientParams.myCertKcName = clientKcPath;
+ serverParams.anchorFile = clientCert;
+ serverParams.authenticate = kAlwaysAuthenticate;
+ clientParams.expectCertState = kSSLClientCertSent;
+ serverParams.expectCertState = kSSLClientCertSent;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "client authentication, server doesn't recognize root TLS1";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ clientParams.myCertKcName = clientKcPath;
+ /* no anchor file for server; unrecognized */
+ serverParams.authenticate = kAlwaysAuthenticate;
+ clientParams.expectCertState = kSSLClientCertRejected;
+ serverParams.expectCertState = kSSLClientCertRejected;
+ serverParams.expectRtn = errSSLUnknownRootCert;
+ clientParams.expectRtn = errSSLPeerUnknownCA;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "client authentication, server doesn't recognize root SSL3";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ clientParams.tryVersion = kSSLProtocol3;
+ clientParams.expectVersion = kSSLProtocol3;
+ serverParams.expectVersion = kSSLProtocol3;
+ clientParams.myCertKcName = clientKcPath;
+ /* no anchor file for server; unrecognized */
+ serverParams.authenticate = kAlwaysAuthenticate;
+ clientParams.expectCertState = kSSLClientCertRejected;
+ serverParams.expectCertState = kSSLClientCertRejected;
+ serverParams.expectRtn = errSSLUnknownRootCert;
+ clientParams.expectRtn = errSSLPeerUnsupportedCert;
+ thisRtn = sslRunSession(&serverParams, &clientParams, desc);
+ if(thisRtn) {
+ if(testError(clientParams.quiet)) {
+ goto done;
+ }
+ }
+
+ desc = "server requires authentication, no client cert, TLS1";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ serverParams.authenticate = kAlwaysAuthenticate;
+ clientParams.expectCertState = kSSLClientCertRequested;
+ serverParams.expectCertState = kSSLClientCertRequested;
+ serverParams.expectRtn = errSSLXCertChainInvalid;
+ clientParams.expectRtn = errSSLPeerCertUnknown;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "server requires authentication, no client cert, SSL3";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ clientParams.tryVersion = kSSLProtocol3;
+ clientParams.expectVersion = kSSLProtocol3;
+ serverParams.expectVersion = kSSLProtocol3;
+ serverParams.authenticate = kAlwaysAuthenticate;
+ clientParams.expectCertState = kSSLClientCertRequested;
+ serverParams.expectCertState = kSSLClientCertRequested;
+ serverParams.expectRtn = errSSLProtocol;
+ clientParams.expectRtn = errSSLPeerUnexpectedMsg;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "server (only) requests authentication, no client cert, TLS1";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ serverParams.authenticate = kTryAuthenticate;
+ clientParams.expectCertState = kSSLClientCertRequested;
+ serverParams.expectCertState = kSSLClientCertRequested;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "server (only) requests authentication, no client cert, SSL3";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ clientParams.tryVersion = kSSLProtocol3;
+ clientParams.expectVersion = kSSLProtocol3;
+ serverParams.expectVersion = kSSLProtocol3;
+ serverParams.authenticate = kTryAuthenticate;
+ clientParams.expectCertState = kSSLClientCertRequested;
+ serverParams.expectCertState = kSSLClientCertRequested;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "server (only) requests authentication, client cert w/unknown root, TLS1";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ serverParams.authenticate = kTryAuthenticate;
+ clientParams.expectCertState = kSSLClientCertRejected;
+ serverParams.expectCertState = kSSLClientCertRejected;
+ clientParams.myCertKcName = clientKcPath;
+ /* no anchor file for server; unrecognized */
+ serverParams.expectRtn = errSSLUnknownRootCert;
+ clientParams.expectRtn = errSSLPeerUnknownCA;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+
+ desc = "server (only) requests authentication, client cert w/unknown root, SSL3";
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+ SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
+ clientParams.tryVersion = kSSLProtocol3;
+ clientParams.expectVersion = kSSLProtocol3;
+ serverParams.expectVersion = kSSLProtocol3;
+ serverParams.authenticate = kTryAuthenticate;
+ clientParams.expectCertState = kSSLClientCertRejected;
+ serverParams.expectCertState = kSSLClientCertRejected;
+ clientParams.myCertKcName = clientKcPath;
+ /* no anchor file for server; unrecognized */
+ serverParams.expectRtn = errSSLUnknownRootCert;
+ clientParams.expectRtn = errSSLPeerUnsupportedCert;
+ SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
+ if(ringBufferIo) {
+ ringBufferReset(&serverToClientRing);
+ ringBufferReset(&clientToServerRing);
+ }
+
+ if(loops) {
+ if(++loopNum == loops) {
+ break;
+ }
+ printf("...loop %u\n", loopNum);
+ }
+ }
+
+done:
+ if(!clientParams.quiet) {
+ if(ourRtn == 0) {
+ printf("===== sslAlert test PASSED =====\n");
+ }
+ else {
+ printf("****FAIL: %d errors detected\n", ourRtn);
+ }
+ }
+
+ return ourRtn;
+}
projects / apple / security.git / blobdiff