+++ /dev/null
-/*
- * sslEAP - test EAP-FAST style PAC-based session resumption.
- *
- * This only works with a debug Security.framework since server side
- * PAC support is not present in deployment builds.
- *
- * Written by Doug Mitchell.
- */
-#include <Security/SecureTransport.h>
-#include <Security/SecureTransportPriv.h>
-#include <clAppUtils/sslAppUtils.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <utilLib/common.h>
-#include <clAppUtils/ringBufferIo.h>
-#include "ringBufferThreads.h" /* like the ones in clAppUtils, tailored for EAP/PAC */
-
-#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <ctype.h>
-#include <sys/param.h>
-#include <CoreFoundation/CoreFoundation.h>
-#include <security_utilities/devrandom.h>
-
-#define DEFAULT_XFER 1024 /* total xfer size in bytes */
-
-/* we might make these user-tweakable */
-#define DEFAULT_NUM_BUFS 16
-#define DEFAULT_BUF_SIZE 2048 /* in the ring buffers */
-#define DEFAULT_CHUNK 1024 /* bytes to write per SSLWrite() */
-#define SESSION_TICKET_SIZE 512
-
-static void usage(char **argv)
-{
- printf("Usage: %s [option ...]\n", argv[0]);
- printf("Options:\n");
- printf(" -x transferSize -- default=%d; 0=forever\n", DEFAULT_XFER);
- printf(" -k keychainName -- not needed if PAC will be done\n");
- printf(" -n -- *NO* PAC\n");
- printf(" -h hostName -- force a SSLSetPeerDomainName on client side\n");
- printf(" -p (pause on error)\n");
- exit(1);
-}
-
-int main(int argc, char **argv)
-{
- RingBuffer serverToClientRing;
- RingBuffer clientToServerRing;
- unsigned numBufs = DEFAULT_NUM_BUFS;
- unsigned bufSize = DEFAULT_BUF_SIZE;
- unsigned chunkSize = DEFAULT_CHUNK;
- unsigned char clientBuf[DEFAULT_CHUNK];
- unsigned char serverBuf[DEFAULT_CHUNK];
- RingBufferArgs clientArgs;
- RingBufferArgs serverArgs;
- bool abortFlag = false;
- pthread_t client_thread = NULL;
- int result;
- OSStatus ortn;
- unsigned char sessionTicket[SESSION_TICKET_SIZE];
- int ourRtn = 0;
- CFArrayRef idArray = NULL; /* for SSLSetCertificate */
- CFArrayRef anchorArray = NULL; /* trusted roots */
- char *hostName = NULL;
-
- /* user-spec'd variables */
- char *kcName = NULL;
- unsigned xferSize = DEFAULT_XFER;
- bool pauseOnError = false;
- bool runForever = false;
- bool skipPAC = false;
-
- extern int optind;
- extern char *optarg;
- int arg;
- optind = 1;
- while ((arg = getopt(argc, argv, "x:c:k:h:np")) != -1) {
- switch (arg) {
- case 'x':
- {
- unsigned xsize = atoi(optarg);
- if(xsize == 0) {
- runForever = true;
- /* and leave xferSize alone */
- }
- else {
- xferSize = xsize;
- }
- break;
- }
- case 'k':
- kcName = optarg;
- break;
- case 'n':
- skipPAC = true;
- break;
- case 'h':
- /* mainly to test EAP session ticket and ServerName simultaneously */
- hostName = optarg;
- break;
- case 'p':
- pauseOnError = true;
- break;
- default:
- usage(argv);
- }
- }
- if(optind != argc) {
- usage(argv);
- }
-
- /* set up ring buffers */
- ringBufSetup(&serverToClientRing, "serveToClient", numBufs, bufSize);
- ringBufSetup(&clientToServerRing, "clientToServe", numBufs, bufSize);
-
- /* get optional server SecIdentity */
- if(kcName) {
- SecKeychainRef kcRef = NULL;
- SecCertificateRef anchorCert = NULL;
- SecIdentityRef idRef = NULL;
- idArray = getSslCerts(kcName,
- CSSM_FALSE, /* encryptOnly */
- CSSM_FALSE, /* completeCertChain */
- NULL, /* anchorFile */
- &kcRef);
- if(idArray == NULL) {
- printf("***Can't get signing cert from %s\n", kcName);
- exit(1);
- }
- idRef = (SecIdentityRef)CFArrayGetValueAtIndex(idArray, 0);
- ortn = SecIdentityCopyCertificate(idRef, &anchorCert);
- if(ortn) {
- cssmPerror("SecIdentityCopyCertificate", ortn);
- exit(1);
- }
- anchorArray = CFArrayCreate(NULL, (const void **)&anchorCert,
- 1, &kCFTypeArrayCallBacks);
- CFRelease(kcRef);
- CFRelease(anchorCert);
- }
-
- /* set up server side */
- memset(&serverArgs, 0, sizeof(serverArgs));
- serverArgs.xferSize = xferSize;
- serverArgs.xferBuf = serverBuf;
- serverArgs.chunkSize = chunkSize;
- serverArgs.ringWrite = &serverToClientRing;
- serverArgs.ringRead = &clientToServerRing;
- serverArgs.goFlag = &clientArgs.iAmReady;
- serverArgs.abortFlag = &abortFlag;
- serverArgs.pauseOnError = pauseOnError;
- appGetRandomBytes(serverArgs.sharedSecret, SHARED_SECRET_SIZE);
- if(!skipPAC) {
- serverArgs.setMasterSecret = true;
- }
- serverArgs.idArray = idArray;
- serverArgs.trustedRoots = anchorArray;
-
- /* set up client side */
- memset(&clientArgs, 0, sizeof(clientArgs));
- clientArgs.xferSize = xferSize;
- clientArgs.xferBuf = clientBuf;
- clientArgs.chunkSize = chunkSize;
- clientArgs.ringWrite = &clientToServerRing;
- clientArgs.ringRead = &serverToClientRing;
- clientArgs.goFlag = &serverArgs.iAmReady;
- clientArgs.abortFlag = &abortFlag;
- clientArgs.pauseOnError = pauseOnError;
- memmove(clientArgs.sharedSecret, serverArgs.sharedSecret, SHARED_SECRET_SIZE);
- clientArgs.hostName = hostName;
-
- /* for now set up an easily recognizable ticket */
- for(unsigned dex=0; dex<SESSION_TICKET_SIZE; dex++) {
- sessionTicket[dex] = dex;
- }
- clientArgs.sessionTicket = sessionTicket;
- clientArgs.sessionTicketLen = SESSION_TICKET_SIZE;
- /* client always tries setting the master secret in this test */
- clientArgs.setMasterSecret = true;
- clientArgs.trustedRoots = anchorArray;
-
- /* fire up client thread */
- result = pthread_create(&client_thread, NULL,
- rbClientThread, &clientArgs);
- if(result) {
- printf("***pthread_create returned %d, aborting\n", result);
- exit(1);
- }
-
- /*
- * And the server pseudo thread. This returns when all data has been transferred.
- */
- ortn = rbServerThread(&serverArgs);
-
- if(abortFlag) {
- printf("***Test aborted.\n");
- exit(1);
- }
-
- printf("\n");
-
- printf("SSL Protocol Version : %s\n",
- sslGetProtocolVersionString(serverArgs.negotiatedProt));
- printf("SSL Cipher : %s\n",
- sslGetCipherSuiteString(serverArgs.negotiatedCipher));
-
- if(skipPAC) {
- if(clientArgs.sessionWasResumed) {
- printf("***skipPAC true, but client reported sessionWasResumed\n");
- ourRtn = -1;
- }
- if(serverArgs.sessionWasResumed) {
- printf("***skipPAC true, but server reported sessionWasResumed\n");
- ourRtn = -1;
- }
- if(ourRtn == 0) {
- printf("...PAC session attempted by client; refused by server;\n");
- printf(" Normal session proceeded correctly.\n");
- }
- }
- else {
- if(!clientArgs.sessionWasResumed) {
- printf("***client reported !sessionWasResumed\n");
- ourRtn = -1;
- }
- if(!serverArgs.sessionWasResumed) {
- printf("***server reported !sessionWasResumed\n");
- ourRtn = -1;
- }
- if(memcmp(clientBuf, serverBuf, DEFAULT_CHUNK)) {
- printf("***Data miscompare***\n");
- ourRtn = -1;
- }
- if(ourRtn == 0) {
- printf("...PAC session resumed correctly.\n");
- }
- }
- /* FIXME other stuff? */
-
- return ourRtn;
-}
-
-
-
projects / apple / security.git / blobdiff