+++ /dev/null
-/*
- * sslProt.cpp - test SSL protocol negotiation, client and server side
- *
- * This executes a preposterously exhaustive set of client/server runs
- * in which just about every permutation of server and client
- * protocol enables (using both SSLSetProtocolVersionEnabled and
- * SSLSetProtocolVersion) is examined. Resulting negotiated protocols
- * and error returns are verified.
- *
- * There are three different basic negotiation scenarios:
- *
- * -- Normal case, server and client agree.
- *
- * -- Server detects negotiation error. This can happen in two ways:
- * -- server doesn't allow SSL3 or TLS1 but gets an SSL3 client hello
- * (regardless of the requested protocol version in the packet)
- * -- server gets a client hello containing a protocol version
- * when the server supports neither that version not any
- * version below that. For example, server allows TLS1 only and
- * gets an SSL3 hello with requested version SSL3.
- *
- * -- Client detects negotiation error. In this case the server hello
- * contains a different version than the client hello (I.e., server
- * downgraded), but the client doesn't support the version the
- * server requested.
- *
- * In both of the failure cases, the peer which detects the error
- * drops the connection and returns errSSLNegotiation from its
- * SSLHandshake() call. The other peer sees a dropped connection
- * and returns errSSLClosedAbort from its SSLHandshake() call.
- * IN both cases, the negotiated protocol seen by the client is
- * kSSLProtocolUnknown. However when the client detects the error, the
- * server will see a valid negotiated protocol containing whatever it
- * sent to the client in its server hello message.
- */
-#include <Security/SecureTransport.h>
-#include <Security/Security.h>
-#include <clAppUtils/sslAppUtils.h>
-#include <clAppUtils/ioSock.h>
-#include <clAppUtils/sslThreading.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <utilLib/common.h>
-#include <security_cdsa_utils/cuPrintCert.h>
-#include <security_utilities/threading.h>
-#include <security_utilities/devrandom.h>
-#include "dhParams512.h"
-
-#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <time.h>
-#include <ctype.h>
-#include <sys/param.h>
-
-#define STARTING_PORT 3000
-
-/*
- * localcert is a KC containing server cert and signing key
- * assumptions:
- * -- common name = "localcert"
- * -- password of KC = "localcert"
- */
-#define SERVER_KC "localcert"
-#define SERVER_ROOT "localcert.cer"
-
-/* main() fills this in using sslKeychainPath() */
-static char serverKcPath[MAXPATHLEN];
-
-static void usage(char **argv)
-{
- printf("Usage: %s [options]\n", argv[0]);
- printf("options:\n");
- printf(" q(uiet)\n");
- printf(" v(erbose)\n");
- printf(" d (Diffie-Hellman, no keychain needed)\n");
- printf(" p=startingPortNum\n");
- printf(" t=startTestNum\n");
- printf(" b (non blocking I/O)\n");
- printf(" s=serverCertName; default %s\n", SERVER_ROOT);
- printf(" R (ringBuffer I/O)\n");
- exit(1);
-}
-
-/*
- * Parameters defining one run
- */
-typedef struct {
- const char *groupDesc; // optional
- const char *testDesc; // required
- bool noServeProt; // don't set server protocol version
- SSLProtocol servTryVersion;
- const char *serveAcceptProts; // use TryVersion if this is NULL
- SSLProtocol expectServerProt; // expected negotiated result
- OSStatus serveStatus; // expected OSStatus
- bool noClientProt; // don't set client protocol version
- SSLProtocol clientTryVersion;
- const char *clientAcceptProts;
- SSLProtocol expectClientProt;
- OSStatus clientStatus;
- bool serverAbort; // allows server to close connection early
-} SslProtParams;
-
-SslProtParams protTestParams[] =
-{
-/*
- * FIXME this fails to compile to to radar 4104919. I really don't want to
- * remove these pragmas unless/until I hear a positive confirmation that that
- * Radar is not to be fixed.
- */
-// #pragma mark Unrestricted server via SSLSetProtocolVersion
- {
- "unrestricted server via SSLSetProtocolVersion",
- "client SSLSetProtocolVersion(TLS1)",
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(TLS1 only)",
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3)",
- false, kTLSProtocol1, NULL, kSSLProtocol3, noErr,
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3 only)",
- false, kTLSProtocol1, NULL, kSSLProtocol3, noErr,
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL2)",
- false, kTLSProtocol1, NULL, kSSLProtocol2, noErr,
- false, kSSLProtocol2, NULL, kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(t)",
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3t)",
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, "3t", kTLSProtocol1, noErr, false
- },
- /* make sure default client is the same as "3t" - Radar 4233139 -
- * SSLv3 no longer enabled by default */
- {
- NULL, "client default",
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr,
- true, kSSLProtocolUnknown, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23t)",
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3)",
- false, kTLSProtocol1, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23)",
- false, kTLSProtocol1, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kTLSProtocol1, NULL, kSSLProtocol2, noErr,
- false, kTLSProtocol1, "2", kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2t)",
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, "2t", kTLSProtocol1, noErr, false
- },
-
- // #pragma mark === Server SSLSetProtocolVersion(TLS1 only)
- {
- "server SSLSetProtocolVersion(TLS1 only)",
- "client SSLSetProtocolVersion(TLS1)",
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(TLS1 only)",
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3)",
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol3, NULL, kSSLProtocolUnknown, errSSLClosedAbort,
- false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3 only)",
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol3Only, NULL, kSSLProtocolUnknown, errSSLConnectionRefused,
- true
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL2)",
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLClosedAbort,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(t)",
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3t)",
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, "3t", kTLSProtocol1, noErr, false
- },
- /* make sure default client is the same as "3t" */
- {
- NULL, "client default",
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr,
- true, kSSLProtocolUnknown, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23t)",
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3)",
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "3", kSSLProtocolUnknown, errSSLConnectionRefused,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23)",
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "23", kSSLProtocolUnknown, errSSLClosedAbort,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "2", kSSLProtocolUnknown, errSSLClosedAbort,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2t)",
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, "2t", kTLSProtocol1, noErr, false
- },
-
- // #pragma mark === Server SSLSetProtocolVersion(SSL3)
- {
- "server SSLSetProtocolVersion(SSL3)",
- "client SSLSetProtocolVersion(TLS1)",
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(TLS1 only)",
- /* negotiation error detected by client, not server */
- false, kSSLProtocol3, NULL, kSSLProtocol3, errSSLClosedAbort,
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3)",
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr,
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3 only)",
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr,
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL2)",
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr,
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(t)",
- false, kSSLProtocol3, NULL, kSSLProtocol3, errSSLClosedAbort,
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLNegotiation,
- false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3t)",
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3t", kSSLProtocol3, noErr, false
- },
- /* make sure default client is the same as "3t" */
- {
- NULL, "client default",
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr,
- true, kSSLProtocolUnknown, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23t)",
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23t", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3)",
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23)",
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kSSLProtocol3, NULL, kSSLProtocol2, noErr,
- false, kTLSProtocol1, "2", kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2t)",
- false, kSSLProtocol3, NULL, kSSLProtocol2, noErr,
- false, kTLSProtocol1, "2", kSSLProtocol2, noErr, false
- },
-
- // #pragma mark === Server SSLSetProtocolVersion(SSL3 only)
- {
- "server SSLSetProtocolVersion(SSL3 only)",
- "client SSLSetProtocolVersion(TLS1)",
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(TLS1 only)",
- /* negotiation error detected by client, not server */
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, errSSLClosedAbort,
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3)",
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr,
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3 only)",
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr,
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL2)",
- false, kSSLProtocol3Only, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLClosedAbort,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(t)",
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, errSSLClosedAbort,
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLNegotiation,
- false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3t)",
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3t", kSSLProtocol3, noErr, false
- },
- /* make sure default client is the same as "3t" */
- {
- NULL, "client default",
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr,
- true, kSSLProtocolUnknown, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23t)",
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23t", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3)",
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23)",
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kSSLProtocol3Only, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "2", kSSLProtocolUnknown, errSSLClosedAbort,
- false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2t)",
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, errSSLClosedAbort,
- false, kTLSProtocol1, "2t", kSSLProtocolUnknown, errSSLNegotiation,
- false
- },
-
- // #pragma mark === Server SSLSetProtocolVersion(SSL2)
- {
- "server SSLSetProtocolVersion(SSL2)",
- "client SSLSetProtocolVersion(TLS1)",
- false, kSSLProtocol2, NULL, kSSLProtocol2, noErr,
- false, kTLSProtocol1, NULL, kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(TLS1 only)",
- /* server won't even accept the non-SSL2 hello */
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLConnectionRefused,
- true
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3)",
- false, kSSLProtocol2, NULL, kSSLProtocol2, noErr,
- false, kSSLProtocol3, NULL, kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3 only)",
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol3Only, NULL, kSSLProtocolUnknown, errSSLConnectionRefused,
- true
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL2)",
- false, kSSLProtocol2, NULL, kSSLProtocol2, noErr,
- false, kSSLProtocol2, NULL, kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(t)",
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLConnectionRefused,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3t)",
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "3t", kSSLProtocolUnknown, errSSLConnectionRefused,
- true
- },
- /* make sure default client is the same as "3t" */
- {
- NULL, "client default",
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- true, kSSLProtocolUnknown, NULL, kSSLProtocolUnknown, errSSLConnectionRefused,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23t)",
- false, kSSLProtocol2, NULL, kSSLProtocol2, noErr,
- false, kTLSProtocol1, "23t", kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3)",
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "3", kSSLProtocolUnknown, errSSLConnectionRefused,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23)",
- false, kSSLProtocol2, NULL, kSSLProtocol2, noErr,
- false, kTLSProtocol1, "23", kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kSSLProtocol2, NULL, kSSLProtocol2, noErr,
- false, kTLSProtocol1, "2", kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2t)",
- false, kSSLProtocol2, NULL, kSSLProtocol2, noErr,
- false, kTLSProtocol1, "2t", kSSLProtocol2, noErr, false
- },
-
- //#pragma mark === Unrestricted server via SSLSetProtocolVersionEnabled
- {
- "unrestricted server via SSLSetProtocolVersionEnabled",
- "client SSLSetProtocolVersion(TLS1)",
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr,
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(TLS1 only)",
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr,
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3)",
- false, kTLSProtocol1, "23t", kSSLProtocol3, noErr,
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3 only)",
- false, kTLSProtocol1, "23t", kSSLProtocol3, noErr,
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL2)",
- false, kTLSProtocol1, "23t", kSSLProtocol2, noErr,
- false, kSSLProtocol2, NULL, kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(t)",
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3t)",
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "3t", kTLSProtocol1, noErr
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23t)",
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3)",
- false, kTLSProtocol1, "23t", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23)",
- false, kTLSProtocol1, "23t", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kTLSProtocol1, "23t", kSSLProtocol2, noErr,
- false, kTLSProtocol1, "2", kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2t)",
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "2t", kTLSProtocol1, noErr, false
- },
-
- // #pragma mark === Server SSLSetProtocolVersionEnabled(t)
-
- {
- "server SSLSetProtocolVersionEnabled(t)",
- "client SSLSetProtocolVersion(TLS1)",
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr,
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(TLS1 only)",
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr,
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3)",
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol3, NULL, kSSLProtocolUnknown, errSSLClosedAbort, true
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3 only)",
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol3Only, NULL, kSSLProtocolUnknown, errSSLConnectionRefused, true
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL2)",
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLClosedAbort, true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(t)",
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3t)",
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "3t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23t)",
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3)",
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "3", kSSLProtocolUnknown, errSSLConnectionRefused,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23)",
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "23", kSSLProtocolUnknown, errSSLClosedAbort,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "2", kSSLProtocolUnknown, errSSLClosedAbort,
- true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2t)",
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "2t", kTLSProtocol1, noErr, false
- },
-
- // #pragma mark === Server SSLSetProtocolVersionEnabled(23)
- {
- "server SSLSetProtocolVersionEnabled(23)",
- "client SSLSetProtocolVersion(TLS1)",
- false, kSSLProtocol2, "23", kSSLProtocol3, noErr,
- false, kTLSProtocol1, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(TLS1 only)",
- /* negotiation error detected by client, not server */
- false, kSSLProtocol2, "23", kSSLProtocol3, errSSLClosedAbort,
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLNegotiation, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3)",
- false, kSSLProtocol2, "23", kSSLProtocol3, noErr,
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3 only)",
- false, kSSLProtocol2, "23", kSSLProtocol3, noErr,
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL2)",
- false, kSSLProtocol2, "23", kSSLProtocol3, noErr,
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(t)",
- false, kSSLProtocol2, "23", kSSLProtocol3, errSSLClosedAbort,
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLNegotiation, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3t)",
- false, kSSLProtocol2, "23", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3t", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23t)",
- false, kSSLProtocol2, "23", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23t", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3)",
- false, kSSLProtocol2, "23", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23)",
- false, kSSLProtocol2, "23", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kSSLProtocol2, "23", kSSLProtocol2, noErr,
- false, kTLSProtocol1, "2", kSSLProtocol2, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2t)",
- false, kSSLProtocol2, "23", kSSLProtocol2, noErr,
- false, kTLSProtocol1, "2", kSSLProtocol2, noErr, false
- },
-
- // #pragma mark === Server SSLSetProtocolVersionEnabled(3)
- {
- "server SSLSetProtocolVersionEnabled(3)",
- "client SSLSetProtocolVersion(TLS1)",
- false, kSSLProtocol2, "3", kSSLProtocol3, noErr,
- false, kTLSProtocol1, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(TLS1 only)",
- /* negotiation error detected by client, not server */
- false, kSSLProtocol2, "3", kSSLProtocol3, errSSLClosedAbort,
- false, kTLSProtocol1Only, NULL, kSSLProtocolUnknown, errSSLNegotiation, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3)",
- false, kSSLProtocol2, "3", kSSLProtocol3, noErr,
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3 only)",
- false, kSSLProtocol2, "3", kSSLProtocol3, noErr,
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL2)",
- false, kSSLProtocol2, "3", kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLClosedAbort, true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(t)",
- false, kSSLProtocol2, "3", kSSLProtocol3, errSSLClosedAbort,
- false, kTLSProtocol1, "t", kSSLProtocolUnknown, errSSLNegotiation, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3t)",
- false, kSSLProtocol2, "3", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3t", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23t)",
- false, kSSLProtocol2, "3", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23t", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3)",
- false, kSSLProtocol2, "3", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23)",
- false, kSSLProtocol2, "3", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kSSLProtocol2, "3", kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "2", kSSLProtocolUnknown, errSSLClosedAbort, true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2t)",
- false, kSSLProtocol2, "3", kSSLProtocol3, errSSLClosedAbort,
- false, kTLSProtocol1, "2t", kSSLProtocolUnknown, errSSLNegotiation, false
- },
-
- /*
- * This is the real difference between
- * SSLSetProtocolVersionEnabled and SSLSetProtocolVersion
- */
- // #pragma mark === Server SSLSetProtocolVersionEnabled(3t)
- {
- "server SSLSetProtocolVersionEnabled(3t)",
- "client SSLSetProtocolVersion(TLS1)",
- false, kSSLProtocol2, "t3", kTLSProtocol1, noErr,
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr, false
- },
- /* make sure default server is the same as "t3" */
- {
- NULL,
- "client SSLSetProtocolVersion(TLS1), server default",
- true, kSSLProtocolUnknown, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(TLS1 only)",
- false, kSSLProtocol2, "t3", kTLSProtocol1, noErr,
- false, kTLSProtocol1Only, NULL, kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3)",
- false, kSSLProtocol2, "t3", kSSLProtocol3, noErr,
- false, kSSLProtocol3, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL3 only)",
- false, kSSLProtocol2, "t3", kSSLProtocol3, noErr,
- false, kSSLProtocol3Only, NULL, kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersion(SSL2)",
- false, kSSLProtocol2, "t3", kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLClosedAbort, true
- },
- /* make sure default server is the same as "t3" */
- {
- NULL, "client SSLSetProtocolVersion(SSL2), server default",
- true, kSSLProtocolUnknown, NULL, kSSLProtocolUnknown, errSSLNegotiation,
- false, kSSLProtocol2, NULL, kSSLProtocolUnknown, errSSLClosedAbort, true
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(t)",
- false, kSSLProtocol2, "t3", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3t)",
- false, kSSLProtocol2, "t3", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "3t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23t)",
- false, kSSLProtocol2, "t3", kTLSProtocol1, noErr,
- false, kTLSProtocol1, "23t", kTLSProtocol1, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(3)",
- false, kSSLProtocol2, "t3", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "3", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(23)",
- false, kSSLProtocol2, "t3", kSSLProtocol3, noErr,
- false, kTLSProtocol1, "23", kSSLProtocol3, noErr, false
- },
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kSSLProtocol2, "t3", kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "2", kSSLProtocolUnknown, errSSLClosedAbort, true
- },
- /* make sure default server is the same as "t3" */
- {
- NULL, "client SSLSetProtocolVersionEnabled(2)",
- false, kSSLProtocol2, "t3", kSSLProtocolUnknown, errSSLNegotiation,
- false, kTLSProtocol1, "2", kSSLProtocolUnknown, errSSLClosedAbort, true
- },
- {
- "server default", "client SSLSetProtocolVersionEnabled(2t)",
- true, kSSLProtocolUnknown, NULL, kTLSProtocol1, noErr,
- false, kTLSProtocol1, "2t", kTLSProtocol1, noErr, false
- },
-};
-
-#define NUM_SSL_PROT_TESTS (sizeof(protTestParams) / sizeof(protTestParams[0]))
-
-#define IGNORE_SIGPIPE 1
-#if IGNORE_SIGPIPE
-#include <signal.h>
-
-void sigpipe(int sig)
-{
-}
-#endif /* IGNORE_SIGPIPE */
-
-#define CERT_VFY_DISABLE false
-
-/*
- * Default params for each test. Main() will make a copy of this and
- * adjust its copy on a per-test basis.
- */
-SslAppTestParams serverDefaults =
-{
- "no name here",
- false, // skipHostNameCHeck
- 0, // port - test must set this
- NULL, NULL, // RingBuffers
- false, // noProtSpec
- kTLSProtocol1,
- NULL, // acceptedProts
- serverKcPath, // myCerts
- SERVER_KC, // password
- true, // idIsTrustedRoot
- CERT_VFY_DISABLE, // disableCertVerify
- NULL, // anchorFile
- false, // replaceAnchors
- kNeverAuthenticate,
- false, // resumeEnable
- NULL, // ciphers,
- false, // nonBlocking
- NULL, // dhParams
- 0, // dhParamsLen
- noErr, // expectRtn
- kTLSProtocol1, // expectVersion
- kSSLClientCertNone,
- SSL_CIPHER_IGNORE,
- false, // quiet
- false, // silent
- false, // verbose
- {0}, // lock
- {0}, // cond
- false, // serverReady
- 0, // clientDone
- false, // serverAbort
- /* returned */
- kSSLProtocolUnknown,
- SSL_NULL_WITH_NULL_NULL,
- kSSLClientCertNone,
- noHardwareErr
-
-};
-
-SslAppTestParams clientDefaults =
-{
- "localhost",
- false, // skipHostNameCHeck
- 0, // port - test must set this
- NULL, NULL, // RingBuffers
- false, // noProtSpec
- kTLSProtocol1,
- NULL, // acceptedProts
- NULL, // myCertKcName
- NULL, // password
- false, // idIsTrustedRoot
- CERT_VFY_DISABLE, // disableCertVerify
- SERVER_ROOT, // anchorFile
- false, // replaceAnchors
- kNeverAuthenticate,
- false, // resumeEnable
- NULL, // ciphers
- false, // nonBlocking
- NULL, // dhParams
- 0, // dhParamsLen
- noErr, // expectRtn
- kTLSProtocol1, // expectVersion
- kSSLClientCertNone,
- SSL_CIPHER_IGNORE,
- false, // quiet
- false, // silent
- false, // verbose
- {0}, // lock
- {0}, // cond
- false, // serverReady
- 0, // clientDone
- false, // serverAbort
- /* returned */
- kSSLProtocolUnknown,
- SSL_NULL_WITH_NULL_NULL,
- kSSLClientCertNone,
- noHardwareErr
-};
-
-
-int main(int argc, char **argv)
-{
- int ourRtn = 0;
- char *argp;
- SslAppTestParams clientParams;
- SslAppTestParams serverParams;
- unsigned short portNum = STARTING_PORT;
- SslProtParams *protParams;
- unsigned testNum;
- int thisRtn;
- unsigned startTest = 0;
- SSLCipherSuite ciphers[2]; // for Diffie-Hellman
- bool diffieHellman = false;
- RingBuffer serverToClientRing;
- RingBuffer clientToServerRing;
- bool ringBufferIo = false;
-
- for(int arg=1; arg<argc; arg++) {
- argp = argv[arg];
- switch(argp[0]) {
- case 'q':
- serverDefaults.quiet = clientDefaults.quiet = true;
- break;
- case 'v':
- serverDefaults.verbose = clientDefaults.verbose = true;
- break;
- case 'p':
- portNum = atoi(&argp[2]);
- break;
- case 't':
- startTest = atoi(&argp[2]);
- break;
- case 'd':
- diffieHellman = true;
- break;
- case 'b':
- serverDefaults.nonBlocking = clientDefaults.nonBlocking =
- true;
- break;
- case 's':
- clientDefaults.anchorFile = &argp[2];
- break;
- case 'R':
- ringBufferIo = true;
- break;
- default:
- usage(argv);
- }
- }
-
- if(sslCheckFile(clientDefaults.anchorFile)) {
- exit(1);
- }
- if(ringBufferIo) {
- /* set up ring buffers */
- ringBufSetup(&serverToClientRing, "serveToClient", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
- ringBufSetup(&clientToServerRing, "clientToServe", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
- serverDefaults.serverToClientRing = &serverToClientRing;
- serverDefaults.clientToServerRing = &clientToServerRing;
- clientDefaults.serverToClientRing = &serverToClientRing;
- clientDefaults.clientToServerRing = &clientToServerRing;
- }
-
- #if IGNORE_SIGPIPE
- signal(SIGPIPE, sigpipe);
- #endif
-
- /* convert keychain names to paths for root */
- sslKeychainPath(SERVER_KC, serverKcPath);
-
- testStartBanner("sslProt", argc, argv);
-
- serverParams.port = portNum - 1; // gets incremented by SSL_THR_SETUP
- if(diffieHellman) {
- ciphers[0] = SSL_DH_anon_WITH_RC4_128_MD5;
- ciphers[1] = SSL_NO_SUCH_CIPHERSUITE;
- serverDefaults.ciphers = ciphers;
- serverDefaults.dhParams = dhParams512;
- serverDefaults.dhParamsLen = sizeof(dhParams512);
- serverDefaults.myCertKcName = NULL;
- clientDefaults.anchorFile = NULL;
- }
- for(testNum=startTest; testNum<NUM_SSL_PROT_TESTS; testNum++) {
- protParams = &protTestParams[testNum];
-
- /*
- * Hack for Diffie-Hellman: just skip any tests which attempt
- * or expect SSL2 negotiation, since SSL2 doesn't have DH.
- */
- if(diffieHellman) {
- if((protParams->servTryVersion == kSSLProtocol2) ||
- (protParams->clientTryVersion == kSSLProtocol2) ||
- (protParams->serveAcceptProts &&
- !strcmp(protParams->serveAcceptProts, "2")) ||
- (protParams->clientAcceptProts &&
- !strcmp(protParams->clientAcceptProts, "2"))) {
- if(serverDefaults.verbose) {
- printf("...skipping %s for D-H\n",
- protParams->testDesc);
- }
- continue;
- }
- }
- if(protParams->groupDesc && !serverDefaults.quiet) {
- printf("...%s\n", protParams->groupDesc);
- }
- SSL_THR_SETUP(serverParams, clientParams, clientDefaults,
- serverDefault);
- if(ringBufferIo) {
- ringBufferReset(&serverToClientRing);
- ringBufferReset(&clientToServerRing);
- }
- serverParams.tryVersion = protParams->servTryVersion;
- clientParams.tryVersion = protParams->clientTryVersion;
- serverParams.acceptedProts = protParams->serveAcceptProts;
- clientParams.acceptedProts = protParams->clientAcceptProts;
- serverParams.expectVersion = protParams->expectServerProt;
- clientParams.expectVersion = protParams->expectClientProt;
- serverParams.expectRtn = protParams->serveStatus;
- clientParams.expectRtn = protParams->clientStatus;
- serverParams.serverAbort = protParams->serverAbort;
-
- SSL_THR_RUN_NUM(serverParams, clientParams, protParams->testDesc,
- ourRtn, testNum);
- }
-
-done:
- if(!clientParams.quiet) {
- if(ourRtn == 0) {
- printf("===== sslProt test PASSED =====\n");
- }
- else {
- printf("****FAIL: %d errors detected\n", ourRtn);
- }
- }
-
- return ourRtn;
-}
projects / apple / security.git / blobdiff