+++ /dev/null
-/*
- * sslCipher.cpp - test SSL ciphersuite protocol negotiation, client
- * and server side
- */
-#include <Security/SecureTransport.h>
-#include <Security/Security.h>
-#include <clAppUtils/sslAppUtils.h>
-#include <clAppUtils/ioSock.h>
-#include <clAppUtils/sslThreading.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <utilLib/common.h>
-#include <security_cdsa_utils/cuPrintCert.h>
-#include <security_utilities/threading.h>
-#include <security_utilities/devrandom.h>
-
-#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <time.h>
-#include <ctype.h>
-#include <sys/param.h>
-
-/* default start port; caller can specify random start port */
-#define STARTING_PORT 5000
-
-#define MIN_RAND_PORT 1500
-#define MAX_RAND_PORT 7000
-
-/*
- * Expected errors for negotiation failure
- */
-#define SERVER_NEGOTIATE_FAIL errSSLNegotiation
-#define CLIENT_NEGOTIATE_FAIL errSSLPeerHandshakeFail
-
-#define RSA_SERVER_KC "localcert"
-#define RSA_SERVER_ROOT "localcert.cer"
-#define DSA_SERVER_KC "dsacert"
-#define DSA_SERVER_ROOT "dsacert.cer"
-
-#define DH_PARAM_FILE_512 "dhParams_512.der"
-#define DH_PARAM_FILE_1024 "dhParams_1024.der"
-
-/* main() fills these in using sslKeychainPath() */
-static char rsaKcPath[MAXPATHLEN];
-static char dsaKcPath[MAXPATHLEN];
-
-static void usage(char **argv)
-{
- printf("Usage: %s [options]\n", argv[0]);
- printf("options:\n");
- printf(" q(uiet)\n");
- printf(" v(erbose)\n");
- printf(" p=startingPortNum\n");
- printf(" t=startTestNum\n");
- printf(" T=endTestNum\n");
- printf(" g=startGroupNum\n");
- printf(" l (large, 1024 bit Diffie-Hellman; default is 512)\n");
- printf(" r(andom start port, default=%d)\n", STARTING_PORT);
- printf(" b (non blocking I/O)\n");
- printf(" s=serverCertName; default %s\n", RSA_SERVER_ROOT);
- printf(" d=clientCertName; default %s\n", DSA_SERVER_ROOT);
- printf(" R (ringBuffer I/O)\n");
- exit(1);
-}
-
-/*
- * Parameters defining one group of tests
- */
-typedef struct {
- const char *groupDesc;
- const char *serveAcceptProts;
- const char *clientAcceptProts;
- SSLProtocol expectProt;
-} GroupParams;
-
-/*
- * Certificate parameters
- */
-typedef struct {
- const char *kcName;
- const char *kcPassword; // last component of KC name */
- const char *rootName;
-} CertParams;
-
-/*
- * Parameters defining one individual test
- */
-typedef struct {
- const char *testDesc;
- SSLCipherSuite expectCipher;
- const CertParams *certParams;
- /*
- * In this test all failures are the same
- */
- bool shouldWork;
-} CipherParams;
-
-/* one of three cert params */
-static CertParams certRSA = { rsaKcPath, RSA_SERVER_KC, RSA_SERVER_ROOT };
-static CertParams certDSA = { dsaKcPath, DSA_SERVER_KC, DSA_SERVER_ROOT };
-static CertParams certNone = {NULL, NULL};
-
-/* Note we're skipping SSL2-specific testing for simplicity's sake */
-static const GroupParams sslGroupParams[] =
-{
- { "TLS1", "23t", "3t", kTLSProtocol1 },
- { "SSL3", "23", "3t", kSSLProtocol3 }
-};
-#define NUM_GROUP_PARAMS \
- (sizeof(sslGroupParams) / sizeof(sslGroupParams[0]))
-
-/* some special-purpose ciphersuite arrays */
-
-#ifdef not_used
-/* just SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
-static const SSLCipherSuite suites_RsaExpDh40[] = {
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-#endif
-
-/* declare test name and expected cipher suite */
-#define SSL_NAC(cname) #cname, cname
-
-/*
- * Note: the client is the only side which actually gets to
- * prioritize its requested CipherSuites. The server has to
- * go along with the first one on the client's list which the
- * server implements.
- */
-const CipherParams sslCipherParams[] =
-{
- {
- SSL_NAC(TLS_RSA_WITH_AES_128_CBC_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(TLS_DH_DSS_WITH_AES_128_CBC_SHA),
- &certDSA, false
- },
- {
- SSL_NAC(TLS_DH_RSA_WITH_AES_128_CBC_SHA),
- &certRSA, false
- },
- {
- SSL_NAC(TLS_DHE_DSS_WITH_AES_128_CBC_SHA),
- &certDSA, true
- },
- {
- SSL_NAC(TLS_DHE_RSA_WITH_AES_128_CBC_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(TLS_DH_anon_WITH_AES_128_CBC_SHA),
- &certNone, true
- },
- {
- SSL_NAC(TLS_RSA_WITH_AES_256_CBC_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(TLS_DH_DSS_WITH_AES_256_CBC_SHA),
- &certDSA, false
- },
- {
- SSL_NAC(TLS_DH_RSA_WITH_AES_256_CBC_SHA),
- &certRSA, false
- },
- {
- SSL_NAC(TLS_DHE_DSS_WITH_AES_256_CBC_SHA),
- &certDSA, true
- },
- {
- SSL_NAC(TLS_DHE_RSA_WITH_AES_256_CBC_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(TLS_DH_anon_WITH_AES_256_CBC_SHA),
- &certNone, true
- },
- {
- SSL_NAC(SSL_RSA_EXPORT_WITH_RC4_40_MD5),
- &certRSA, true
- },
- {
- SSL_NAC(SSL_RSA_WITH_RC4_128_MD5),
- &certRSA, true
- },
- {
- SSL_NAC(SSL_RSA_WITH_RC4_128_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5),
- &certRSA, true
- },
- /* skip SSL_RSA_WITH_IDEA_CBC_SHA, check later as unimpl */
- {
- SSL_NAC(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(SSL_RSA_WITH_DES_CBC_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(SSL_RSA_WITH_3DES_EDE_CBC_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA),
- &certDSA, false
- },
- {
- SSL_NAC(SSL_DH_DSS_WITH_DES_CBC_SHA),
- &certDSA, false
- },
- {
- SSL_NAC(SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA),
- &certDSA, false
- },
- {
- SSL_NAC(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA),
- &certRSA, false
- },
- {
- SSL_NAC(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA),
- &certDSA, true
- },
- {
- SSL_NAC(SSL_DHE_DSS_WITH_DES_CBC_SHA),
- &certDSA, true
- },
- {
- SSL_NAC(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA),
- &certDSA, true
- },
- {
- SSL_NAC(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(SSL_DHE_RSA_WITH_DES_CBC_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA),
- &certRSA, true
- },
- {
- SSL_NAC(SSL_DH_anon_EXPORT_WITH_RC4_40_MD5),
- &certNone, true
- },
- {
- SSL_NAC(SSL_DH_anon_WITH_RC4_128_MD5),
- &certNone, true
- },
- {
- SSL_NAC(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA),
- &certNone, true
- },
- {
- SSL_NAC(SSL_DH_anon_WITH_DES_CBC_SHA),
- &certNone, true
- },
- {
- SSL_NAC(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA),
- &certNone, true
- },
- {
- SSL_NAC(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA),
- &certNone, true
- },
- {
- SSL_NAC(SSL_FORTEZZA_DMS_WITH_NULL_SHA),
- &certNone, false
- },
- {
- SSL_NAC(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA),
- &certNone, false
- },
-};
-
-#define NUM_CIPHER_PARAMS \
- (sizeof(sslCipherParams) / sizeof(sslCipherParams[0]))
-
-#define IGNORE_SIGPIPE 1
-#if IGNORE_SIGPIPE
-#include <signal.h>
-
-void sigpipe(int sig)
-{
-}
-#endif /* IGNORE_SIGPIPE */
-
-/*
- * Default params for each test. Main() will make a copy of this and
- * adjust its copy on a per-test basis.
- */
-static SslAppTestParams serverDefaults =
-{
- "no name here",
- false, // skipHostNameCHeck
- 0, // port - test must set this
- NULL, NULL, // RingBuffers
- false, // noProtSpec
- kSSLProtocolUnknown,// not used
- NULL, // acceptedProts
- NULL, // myCerts
- NULL, // password
- true, // idIsTrustedRoot
- false, // disableCertVerify
- NULL, // anchorFile
- false, // replaceAnchors
- kNeverAuthenticate,
- false, // resumeEnable
- NULL, // ciphers - default - server accepts all
- false, // nonBlocking
- NULL, // dhParams
- 0, // dhParamsLen
- noErr, // expectRtn
- kTLSProtocol1, // expectVersion
- kSSLClientCertNone,
- SSL_NULL_WITH_NULL_NULL,
- false, // quiet
- false, // silent
- false, // verbose
- {0}, // lock
- {0}, // cond
- false, // serverReady
- 0, // clientDone
- false, // serverAbort
- /* returned */
- kSSLProtocolUnknown,
- SSL_NULL_WITH_NULL_NULL,
- kSSLClientCertNone,
- noHardwareErr
-
-};
-
-SslAppTestParams clientDefaults =
-{
- "localhost",
- false, // skipHostNameCHeck
- 0, // port - test must set this
- NULL, NULL, // RingBuffers
- false, // noProtSpec
- kSSLProtocolUnknown,// not used
- NULL, // acceptedProts
- NULL, // myCertKcName
- NULL, // password
- true, // idIsTrustedRoot
- false, // disableCertVerify
- NULL, // anchorFile
- true, // replaceAnchors
- kNeverAuthenticate,
- false, // resumeEnable
- NULL, // ciphers - set in test loop
- false, // nonBlocking
- NULL, // dhParams
- 0, // dhParamsLen
- noErr, // expectRtn
- kTLSProtocol1, // expectVersion
- kSSLClientCertNone,
- SSL_NULL_WITH_NULL_NULL,
- false, // quiet
- false, // silent
- false, // verbose
- {0}, // lock
- {0}, // cond
- false, // serverReady
- 0, // clientDone
- false, // serverAbort
- /* returned */
- kSSLProtocolUnknown,
- SSL_NULL_WITH_NULL_NULL,
- kSSLClientCertNone,
- noHardwareErr
-};
-
-
-int main(int argc, char **argv)
-{
- int ourRtn = 0;
- char *argp;
- SslAppTestParams clientParams;
- SslAppTestParams serverParams;
- unsigned short portNum = STARTING_PORT;
- const GroupParams *groupParams;
- const CipherParams *cipherParams;
- unsigned testNum;
- unsigned groupNum;
- int thisRtn;
- SSLCipherSuite clientCiphers[3];
- SSLCipherSuite serverCiphers[3];
- RingBuffer serverToClientRing;
- RingBuffer clientToServerRing;
- bool ringBufferIo = false;
-
- /* user-spec'd variables */
- unsigned startTest = 0;
- unsigned endTest = NUM_CIPHER_PARAMS;
- unsigned startGroup = 0;
- const char *dhParamFile = DH_PARAM_FILE_512;
-
- for(int arg=1; arg<argc; arg++) {
- argp = argv[arg];
- switch(argp[0]) {
- case 'q':
- serverDefaults.quiet = clientDefaults.quiet = true;
- break;
- case 'v':
- serverDefaults.verbose = clientDefaults.verbose = true;
- break;
- case 'p':
- portNum = atoi(&argp[2]);
- break;
- case 't':
- startTest = atoi(&argp[2]);
- break;
- case 'T':
- endTest = atoi(&argp[2]) + 1;
- break;
- case 'g':
- startGroup = atoi(&argp[2]);
- break;
- case 'b':
- serverDefaults.nonBlocking = clientDefaults.nonBlocking =
- true;
- break;
- case 'l':
- dhParamFile = DH_PARAM_FILE_1024;
- break;
- case 'r':
- portNum = genRand(MIN_RAND_PORT, MAX_RAND_PORT);
- break;
- case 's':
- certRSA.rootName = &argp[2];
- break;
- case 'd':
- certDSA.rootName = &argp[2];
- break;
- case 'R':
- ringBufferIo = true;
- break;
- default:
- usage(argv);
- }
- }
-
- if(sslCheckFile(certRSA.rootName)) {
- exit(1);
- }
- if(sslCheckFile(certDSA.rootName)) {
- exit(1);
- }
- if(ringBufferIo) {
- /* set up ring buffers */
- ringBufSetup(&serverToClientRing, "serveToClient", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
- ringBufSetup(&clientToServerRing, "clientToServe", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
- serverDefaults.serverToClientRing = &serverToClientRing;
- serverDefaults.clientToServerRing = &clientToServerRing;
- clientDefaults.serverToClientRing = &serverToClientRing;
- clientDefaults.clientToServerRing = &clientToServerRing;
- }
-
-#if IGNORE_SIGPIPE
- signal(SIGPIPE, sigpipe);
- #endif
-
- /* convert keychain names to paths for root */
- sslKeychainPath(RSA_SERVER_KC, rsaKcPath);
- sslKeychainPath(DSA_SERVER_KC, dsaKcPath);
-
- /* Diffie-Hellman params, we're going to need them */
- int r = readFile(dhParamFile, (unsigned char **)&serverDefaults.dhParams,
- &serverDefaults.dhParamsLen);
- if(r) {
- printf("***Error reading diffie-hellman params from %s; aborting\n",
- dhParamFile);
- exit(1);
- }
-
- testStartBanner("sslCipher", argc, argv);
-
- serverParams.port = portNum - 1; // gets incremented by SSL_THR_SETUP
-
- /*
- * To enable negotiation failures to occur, we have to pass
- * in ciphersuite arrays which contain at least one valid
- * ciphersuite to both client and server, but they can not
- * be the same (or else that valid suite will be used).
- */
- clientCiphers[1] = SSL_RSA_WITH_RC4_128_MD5;
- serverCiphers[1] = SSL_RSA_WITH_RC4_128_SHA;
- clientCiphers[2] = SSL_NO_SUCH_CIPHERSUITE;
- serverCiphers[2] = SSL_NO_SUCH_CIPHERSUITE;
-
- for(groupNum=startGroup; groupNum<NUM_GROUP_PARAMS; groupNum++) {
- groupParams = &sslGroupParams[groupNum];
- if(!serverDefaults.quiet) {
- printf("...%s\n", groupParams->groupDesc);
- }
- for(testNum=startTest; testNum<endTest; testNum++) {
- cipherParams = &sslCipherParams[testNum];
- SSL_THR_SETUP(serverParams, clientParams, clientDefaults,
- serverDefault);
- if(ringBufferIo) {
- ringBufferReset(&serverToClientRing);
- ringBufferReset(&clientToServerRing);
- }
- /* per-group (must be after SSL_THR_SETUP) */
- serverParams.acceptedProts = groupParams->serveAcceptProts;
- clientParams.acceptedProts = groupParams->clientAcceptProts;
- serverParams.expectVersion = groupParams->expectProt;
- clientParams.expectVersion = groupParams->expectProt;
-
- /* per-test */
- clientCiphers[0] = cipherParams->expectCipher;
- serverCiphers[0] = cipherParams->expectCipher;
- clientParams.ciphers = clientCiphers;
- serverParams.ciphers = serverCiphers;
- serverParams.expectCipher = cipherParams->expectCipher;
- clientParams.expectCipher = cipherParams->expectCipher;
-
- const CertParams *certParams = cipherParams->certParams;
- serverParams.myCertKcName = certParams->kcName;
- serverParams.password = certParams->kcPassword;
- clientParams.anchorFile = certParams->rootName;
-
- if(cipherParams->shouldWork) {
- serverParams.expectRtn = noErr;
- clientParams.expectRtn = noErr;
- }
- else {
- serverParams.expectRtn = SERVER_NEGOTIATE_FAIL;
- clientParams.expectRtn = CLIENT_NEGOTIATE_FAIL;
-
- /* server completed protocol version negotiation,
- * but client didn't */
- clientParams.expectVersion = kSSLProtocolUnknown;
- }
- SSL_THR_RUN_NUM(serverParams, clientParams,
- cipherParams->testDesc, ourRtn, testNum);
- }
- }
-
-done:
- if(!clientParams.quiet) {
- if(ourRtn == 0) {
- printf("===== %s test PASSED =====\n", argv[0]);
- }
- else {
- printf("****%s FAIL: %d errors detected\n", argv[0],ourRtn);
- }
- }
-
- return ourRtn;
-}
projects / apple / security.git / blobdiff