+++ /dev/null
-/*
- * sslServe.cpp : perform one server side sesssion
- */
-#include <Security/SecureTransport.h>
-#include <Security/Security.h>
-#include <clAppUtils/sslAppUtils.h>
-#include <clAppUtils/ioSock.h>
-#include <clAppUtils/sslThreading.h>
-#include <clAppUtils/ringBufferIo.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <utilLib/common.h>
-#include <security_cdsa_utils/cuPrintCert.h>
-
-#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <ctype.h>
-#include <sys/param.h>
-
-#define BIND_RETRIES 50
-
-#define SERVER_MESSAGE "HTTP/1.0 200 OK\015\012\015\012" \
- "<HTML><HEAD><TITLE>SecureTransport Test Server</TITLE></HEAD>" \
- "<BODY><H2>Secure connection established.</H2>" \
- "Message from the 'sslServe' test library.\015\012</BODY>" \
- "</HTML>\015\012"
-
-#define READBUF_LEN 256
-
-/*
- * When true, delay setting the serverReady semaphore until we've finished
- * setting up our SSLContext. This is a workaround for known thread-unsafety
- * related to module attach and detach and context create/destroy:
- *
- * <rdar://problem/6618834> Crash in KCCursorImpl::next
- * <rdar://problem/6621552> module/context handles not thread safe
- */
-#define SERVER_READY_DELAY 1
-
-/*
- * params->lock is held for us by runSession() - we use it as a semapahore by
- * unlocking it when we've created a port to listen on.
- * This is generally run from a thread via sslRunSession() and
- * sslServerThread() in sslAppUtils.cpp.
- */
-OSStatus sslAppServe(
- SslAppTestParams *params)
-{
- otSocket listenSock = 0;
- otSocket acceptSock = 0;
- PeerSpec peerId;
- OSStatus ortn = noErr;
- SSLContextRef ctx = NULL;
- SecKeychainRef serverKc = nil;
- CFArrayRef serverCerts = nil;
- RingBuffers ringBufs = {params->clientToServerRing, params->serverToClientRing};
-
- sslThrDebug("Server", "starting");
- params->negVersion = kSSLProtocolUnknown;
- params->negCipher = SSL_NULL_WITH_NULL_NULL;
- params->ortn = noHardwareErr;
-
- if(params->serverToClientRing == NULL) {
- /* set up a socket on which to listen */
- for(unsigned retry=0; retry<BIND_RETRIES; retry++) {
- ortn = ListenForClients(params->port, params->nonBlocking,
- &listenSock);
- switch(ortn) {
- case noErr:
- break;
- case opWrErr:
- /* port already in use - try another */
- params->port++;
- if(params->verbose || THREADING_DEBUG) {
- printf("...retrying ListenForClients at port %d\n",
- params->port);
- }
- break;
- default:
- break;
- }
- if(ortn != opWrErr) {
- break;
- }
- }
- }
-
- #if !SERVER_READY_DELAY
- /* let main thread know a socket is ready */
- if(pthread_mutex_lock(¶ms->pthreadMutex)) {
- printf("***Error acquiring server lock; aborting.\n");
- return -1;
- }
- params->serverReady = true;
- if(pthread_cond_broadcast(¶ms->pthreadCond)) {
- printf("***Error waking main thread; aborting.\n");
- return -1;
- }
- if(pthread_mutex_unlock(¶ms->pthreadMutex)) {
- printf("***Error acquiring server lock; aborting.\n");
- return -1;
- }
-
- if(ortn) {
- printf("ListenForClients returned %d; aborting\n", (int)ortn);
- return ortn;
- }
-
- if(params->serverToClientRing == NULL) {
- /* wait for a connection */
- if(params->verbose) {
- printf("Waiting for client connection...");
- fflush(stdout);
- }
- ortn = AcceptClientConnection(listenSock, &acceptSock, &peerId);
- if(ortn) {
- printf("AcceptClientConnection returned %d; aborting\n", (int)ortn);
- return ortn;
- }
- }
- #endif /* SERVER_READY_DELAY */
-
- /*
- * Set up a SecureTransport session.
- */
- ortn = SSLNewContext(true, &ctx);
- if(ortn) {
- printSslErrStr("SSLNewContext", ortn);
- goto cleanup;
- }
-
- #if !SERVER_READY_DELAY
- if(params->serverToClientRing) {
- /* RingBuffer I/O */
- ortn = SSLSetIOFuncs(ctx, ringReadFunc, ringWriteFunc);
- if(ortn) {
- printSslErrStr("SSLSetIOFuncs", ortn);
- goto cleanup;
- }
- ortn = SSLSetConnection(ctx, (SSLConnectionRef)&ringBufs);
- if(ortn) {
- printSslErrStr("SSLSetConnection", ortn);
- goto cleanup;
- }
- }
- else {
- /* normal socket I/O */
- ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
- if(ortn) {
- printSslErrStr("SSLSetIOFuncs", ortn);
- goto cleanup;
- }
- ortn = SSLSetConnection(ctx, (SSLConnectionRef)acceptSock);
- if(ortn) {
- printSslErrStr("SSLSetConnection", ortn);
- goto cleanup;
- }
- }
- #endif /* SERVER_READY_DELAY */
-
- if(params->anchorFile) {
- ortn = sslAddTrustedRoot(ctx, params->anchorFile,
- params->replaceAnchors);
- if(ortn) {
- goto cleanup;
- }
- }
- if(params->myCertKcName != NULL) {
- /* if not, better be trying anonymous diff-hellman... :-) */
- serverCerts = getSslCerts(params->myCertKcName, CSSM_FALSE, CSSM_FALSE, NULL,
- &serverKc);
- if(serverCerts == nil) {
- exit(1);
- }
- if(params->password) {
- ortn = SecKeychainUnlock(serverKc, strlen(params->password),
- (void *)params->password, true);
- if(ortn) {
- printf("SecKeychainUnlock returned %d\n", (int)ortn);
- /* oh well */
- }
- }
- if(params->idIsTrustedRoot) {
- /* assume this is a root we want to implicitly trust */
- ortn = addIdentityAsTrustedRoot(ctx, serverCerts);
- if(ortn) {
- goto cleanup;
- }
- }
- ortn = SSLSetCertificate(ctx, serverCerts);
- if(ortn) {
- printSslErrStr("SSLSetCertificate", ortn);
- goto cleanup;
- }
- }
-
- if(params->disableCertVerify) {
- ortn = SSLSetEnableCertVerify(ctx, false);
- if(ortn) {
- printSslErrStr("SSLSetEnableCertVerify", ortn);
- goto cleanup;
- }
- }
- if(!params->noProtSpec) {
- ortn = sslSetProtocols(ctx, params->acceptedProts, params->tryVersion);
- if(ortn) {
- goto cleanup;
- }
- }
- if(params->resumeEnable) {
- ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
- if(ortn) {
- printSslErrStr("SSLSetPeerID", ortn);
- goto cleanup;
- }
- }
- if(params->ciphers != NULL) {
- ortn = sslSetEnabledCiphers(ctx, params->ciphers);
- if(ortn) {
- goto cleanup;
- }
- }
- if(params->authenticate != kNeverAuthenticate) {
- ortn = SSLSetClientSideAuthenticate(ctx, params->authenticate);
- if(ortn) {
- printSslErrStr("SSLSetClientSideAuthenticate", ortn);
- goto cleanup;
- }
- }
- if(params->dhParams) {
- ortn = SSLSetDiffieHellmanParams(ctx, params->dhParams,
- params->dhParamsLen);
- if(ortn) {
- printSslErrStr("SSLSetDiffieHellmanParams", ortn);
- goto cleanup;
- }
- }
-
- #if SERVER_READY_DELAY
- /* let main thread know server is fully functional */
- if(pthread_mutex_lock(¶ms->pthreadMutex)) {
- printf("***Error acquiring server lock; aborting.\n");
- ortn = internalComponentErr;
- goto cleanup;
- }
- params->serverReady = true;
- if(pthread_cond_broadcast(¶ms->pthreadCond)) {
- printf("***Error waking main thread; aborting.\n");
- ortn = internalComponentErr;
- goto cleanup;
- }
- if(pthread_mutex_unlock(¶ms->pthreadMutex)) {
- printf("***Error acquiring server lock; aborting.\n");
- ortn = internalComponentErr;
- goto cleanup;
- }
-
- if(params->serverToClientRing == NULL) {
- /* wait for a connection */
- if(params->verbose) {
- printf("Waiting for client connection...");
- fflush(stdout);
- }
- ortn = AcceptClientConnection(listenSock, &acceptSock, &peerId);
- if(ortn) {
- printf("AcceptClientConnection returned %d; aborting\n", (int)ortn);
- return ortn;
- }
- }
-
- /* Last part of SSLContext setup, now that we're connected to the client */
- if(params->serverToClientRing) {
- /* RingBuffer I/O */
- ortn = SSLSetIOFuncs(ctx, ringReadFunc, ringWriteFunc);
- if(ortn) {
- printSslErrStr("SSLSetIOFuncs", ortn);
- goto cleanup;
- }
- ortn = SSLSetConnection(ctx, (SSLConnectionRef)&ringBufs);
- if(ortn) {
- printSslErrStr("SSLSetConnection", ortn);
- goto cleanup;
- }
- }
- else {
- /* normal socket I/O */
- ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
- if(ortn) {
- printSslErrStr("SSLSetIOFuncs", ortn);
- goto cleanup;
- }
- ortn = SSLSetConnection(ctx, (SSLConnectionRef)acceptSock);
- if(ortn) {
- printSslErrStr("SSLSetConnection", ortn);
- goto cleanup;
- }
- }
-
- #endif /* SERVER_READY_DELAY */
-
- /* Perform SSL/TLS handshake */
- do {
- ortn = SSLHandshake(ctx);
- if((ortn == errSSLWouldBlock) && !params->silent) {
- /* keep UI responsive */
- sslOutputDot();
- }
- } while (ortn == errSSLWouldBlock);
-
- SSLGetClientCertificateState(ctx, ¶ms->certState);
- SSLGetNegotiatedCipher(ctx, ¶ms->negCipher);
- SSLGetNegotiatedProtocolVersion(ctx, ¶ms->negVersion);
-
- if(params->verbose) {
- printf("\n");
- }
- if(ortn) {
- goto cleanup;
- }
-
- /* wait for one complete line */
- char readBuf[READBUF_LEN];
- size_t length;
- while(ortn == noErr) {
- length = READBUF_LEN;
- ortn = SSLRead(ctx, readBuf, length, &length);
- if (ortn == errSSLWouldBlock) {
- /* keep trying */
- ortn = noErr;
- continue;
- }
- if(length == 0) {
- /* keep trying */
- continue;
- }
-
- /* poor person's line completion scan */
- for(unsigned i=0; i<length; i++) {
- if((readBuf[i] == '\n') || (readBuf[i] == '\r')) {
- goto serverResp;
- }
- }
- }
-
-serverResp:
- /* send out canned response */
- ortn = SSLWrite(ctx, SERVER_MESSAGE, strlen(SERVER_MESSAGE), &length);
- if(ortn) {
- printSslErrStr("SSLWrite", ortn);
- }
-
-cleanup:
- /*
- * always do close, even on error - to flush outgoing write queue
- */
- if(ctx) {
- OSStatus cerr = SSLClose(ctx);
- if(ortn == noErr) {
- ortn = cerr;
- }
- }
- while(!params->clientDone && !params->serverAbort && (ortn == params->expectRtn)) {
- usleep(100);
- }
- if(acceptSock) {
- endpointShutdown(acceptSock);
- }
- ringBuffersClose(&ringBufs); /* tolerates NULLs */
- if(listenSock) {
- endpointShutdown(listenSock);
- }
- if(ctx) {
- SSLDisposeContext(ctx);
- }
- params->ortn = ortn;
- sslThrDebug("Server", "done");
- return ortn;
-}
projects / apple / security.git / blobdiff