--- /dev/null
+/*
+ * sslSession.cpp - basic 2-thread SSL server/client session
+ */
+#include <Security/SecureTransport.h>
+#include <Security/Security.h>
+#include <clAppUtils/sslAppUtils.h>
+#include <clAppUtils/ioSock.h>
+#include <clAppUtils/sslThreading.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <utilLib/common.h>
+#include <security_cdsa_utils/cuPrintCert.h>
+#include <security_utilities/threading.h>
+#include <security_utilities/devrandom.h>
+
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
+#include <sys/param.h>
+
+#define PORT_DEF 4000
+#define HOST_DEF "localhost"
+#define DH_PARAMS "dhParams_512.der"
+
+static void usage(char **argv)
+{
+ printf("Usage: %s server_kc [options]\n", argv[0]);
+ printf("options:\n");
+ printf(" P=port (default = %d)\n", PORT_DEF);
+ printf(" c=client_kc (default is none)\n");
+ printf(" d (DSA, default is RSA)\n");
+ printf(" f (D-H, default is RSA)\n");
+ printf(" a anchor File for client side (typically, the server's cert)\n");
+ printf(" A anchor file for server side (typically, the client's cert)\n");
+ printf(" h hostname (default is %s)\n", HOST_DEF);
+ printf(" k (skip hostname check)\n");
+ printf(" b (non blocking I/O)\n");
+ printf(" u Require client authentication\n");
+ printf(" x Expect policy verify error on client side\n");
+ printf(" X Expect policy verify error on server side\n");
+ printf(" z=kc_pwd\n");
+ printf(" R (ringBuffer I/O)\n");
+ printf(" l=loops (default 1)\n");
+ printf(" q(uiet)\n");
+ printf(" v(erbose)\n");
+ exit(1);
+}
+
+#define IGNORE_SIGPIPE 1
+#if IGNORE_SIGPIPE
+#include <signal.h>
+
+void sigpipe(int sig)
+{
+}
+#endif /* IGNORE_SIGPIPE */
+
+static SSLCipherSuite ciphers[] = {
+ SSL_RSA_WITH_RC4_128_SHA, SSL_NO_SUCH_CIPHERSUITE
+};
+
+/*
+ * Default params for each test. Main() adjust this per cmd line
+ * args.
+ */
+SslAppTestParams serverDefaults =
+{
+ "no name here",
+ false, // skipHostNameCHeck
+ PORT_DEF,
+ NULL, NULL, // RingBuffers
+ false, // noProtSpec
+ kTLSProtocol1,
+ NULL, // acceptedProts - not used in this test
+ NULL, // myCerts - const
+ NULL, // password
+ true, // idIsTrustedRoot
+ false, // disableCertVerify
+ NULL, // anchorFile
+ false, // replaceAnchors
+ kNeverAuthenticate,
+ false, // resumeEnable
+ ciphers, // ciphers
+ false, // nonBlocking
+ NULL, // dhParams
+ 0, // dhParamsLen
+ noErr, // expectRtn
+ kTLSProtocol1, // expectVersion
+ kSSLClientCertNone,
+ SSL_CIPHER_IGNORE,
+ false, // quiet
+ false, // silent
+ false, // verbose
+ {0}, // lock
+ {0}, // cond
+ false, // serverReady
+ 0, // clientDone
+ false, // serverAbort
+ /* returned */
+ kSSLProtocolUnknown,
+ SSL_NULL_WITH_NULL_NULL,
+ kSSLClientCertNone,
+ noHardwareErr
+
+};
+
+SslAppTestParams clientDefaults =
+{
+ HOST_DEF,
+ false, // skipHostNameCHeck
+ PORT_DEF,
+ NULL, NULL, // RingBuffers
+ false, // noProtSpec
+ kTLSProtocol1,
+ NULL, // acceptedProts - not used in this test
+ NULL, // myCerts - const
+ NULL, // password
+ true, // idIsTrustedRoot
+ false, // disableCertVerify
+ NULL, // anchorFile
+ false, // replaceAnchors
+ kNeverAuthenticate,
+ false, // resumeEnable
+ NULL, // ciphers
+ false, // nonBlocking
+ NULL, // dhParams
+ 0, // dhParamsLen
+ noErr, // expectRtn
+ kTLSProtocol1, // expectVersion
+ kSSLClientCertNone,
+ SSL_CIPHER_IGNORE,
+ false, // quiet
+ false, // silent
+ false, // verbose
+ {0}, // lock
+ {0}, // cond
+ false, // serverReady
+ 0, // clientDone
+ false, // serverAbort
+ /* returned */
+ kSSLProtocolUnknown,
+ SSL_NULL_WITH_NULL_NULL,
+ kSSLClientCertNone,
+ noHardwareErr
+
+};
+
+int main(int argc, char **argv)
+{
+ int ourRtn = 0;
+ char *argp;
+ bool dhEnable = false;
+ unsigned loop;
+ unsigned loops = 1;
+ bool ringBufferIo = false;
+ RingBuffer serverToClientRing;
+ RingBuffer clientToServerRing;
+
+ if(argc < 2) {
+ usage(argv);
+ }
+ serverDefaults.myCertKcName = argv[1];
+ for(int arg=2; arg<argc; arg++) {
+ argp = argv[arg];
+ switch(argp[0]) {
+ case 'c':
+ clientDefaults.myCertKcName = &argp[2];
+ case 'q':
+ serverDefaults.quiet = clientDefaults.quiet = true;
+ break;
+ case 'v':
+ serverDefaults.verbose = clientDefaults.verbose = true;
+ break;
+ case 'p':
+ serverDefaults.port = clientDefaults.port = atoi(&argp[2]);
+ break;
+ case 'b':
+ serverDefaults.nonBlocking = clientDefaults.nonBlocking =
+ true;
+ break;
+ case 'd':
+ ciphers[0] = SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA;
+ dhEnable = true;
+ break;
+ case 'f':
+ ciphers[0] = SSL_DH_anon_WITH_RC4_128_MD5;
+ dhEnable = true;
+ break;
+ case 'h':
+ if(++arg == argc) {
+ usage(argv);
+ }
+ clientDefaults.hostName=argv[arg];
+ break;
+ case 'k':
+ clientDefaults.skipHostNameCheck = true;
+ break;
+ case 'a':
+ if(++arg == argc) {
+ usage(argv);
+ }
+ clientDefaults.anchorFile = serverDefaults.anchorFile = argv[arg];
+ break;
+ case 'A':
+ if(++arg == argc) {
+ usage(argv);
+ }
+ serverDefaults.anchorFile = argv[arg];
+ break;
+ case 'z':
+ serverDefaults.password = &argp[2];
+ break;
+ case 'P':
+ serverDefaults.port = clientDefaults.port = atoi(&argp[2]);
+ break;
+ case 'u':
+ serverDefaults.authenticate = kAlwaysAuthenticate;
+ if(serverDefaults.expectCertState == kSSLClientCertNone) {
+ serverDefaults.expectCertState = kSSLClientCertSent;
+ }
+ /* else it was set by 'X' option */
+ if(clientDefaults.expectCertState == kSSLClientCertNone) {
+ clientDefaults.expectCertState = kSSLClientCertSent;
+ }
+ /* else...ditto */
+ break;
+ case 'x':
+ /* server side has bad cert */
+ clientDefaults.expectRtn = errSSLXCertChainInvalid;
+ serverDefaults.expectRtn = errSSLPeerCertUnknown;
+ break;
+ case 'X':
+ /* client side has bad cert */
+ serverDefaults.expectRtn = errSSLXCertChainInvalid;
+ clientDefaults.expectRtn = errSSLPeerCertUnknown;
+ serverDefaults.expectCertState = kSSLClientCertRejected;
+ clientDefaults.expectCertState = kSSLClientCertRejected;
+ break;
+ case 'R':
+ ringBufferIo = true;
+ break;
+ case 'l':
+ loops = atoi(&argp[2]);
+ break;
+ default:
+ usage(argv);
+ }
+ }
+
+ #if IGNORE_SIGPIPE
+ signal(SIGPIPE, sigpipe);
+ #endif
+
+ if(ringBufferIo) {
+ /* set up ring buffers */
+ ringBufSetup(&serverToClientRing, "serveToClient", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
+ ringBufSetup(&clientToServerRing, "clientToServe", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
+ serverDefaults.serverToClientRing = &serverToClientRing;
+ serverDefaults.clientToServerRing = &clientToServerRing;
+ clientDefaults.serverToClientRing = &serverToClientRing;
+ clientDefaults.clientToServerRing = &clientToServerRing;
+ }
+ if(dhEnable) {
+ /* snag D-H params */
+ if(readFile(DH_PARAMS, (unsigned char **)&serverDefaults.dhParams,
+ &serverDefaults.dhParamsLen)) {
+ printf("***Error reading Diffie-Hellman params."
+ " Patience, grasshopper.\n");
+ }
+ }
+ testStartBanner("sslSession", argc, argv);
+ for(loop=0; loop<loops; loop++) {
+ ourRtn = sslRunSession(&serverDefaults, &clientDefaults, NULL);
+ if(ourRtn) {
+ break;
+ }
+ }
+ if(!clientDefaults.quiet) {
+ if(ourRtn == 0) {
+ if(!serverDefaults.quiet) {
+ printf("===== %s test PASSED =====\n", argv[0]);
+ }
+ }
+ else {
+ printf("****FAIL: %d errors detected\n", ourRtn);
+ }
+ }
+
+ return ourRtn;
+}
projects / apple / security.git / blobdiff