+++ /dev/null
-/* sslPing.c - simple version sslPing test */
-
-#include "testParams.h"
-#include <stdlib.h>
-#include <stdio.h>
-#include <Security/SecureTransport.h>
-#include "ioSockThr.h"
-#include "testutil.h"
-#include <security_utilities/threading.h>
-#include <utilLib/common.h>
-
-#define DEFAULT_GETMSG "GET / HTTP/1.0\r\n\r\n"
-#define DEFAULT_PORT 443
-
-#define LOCALHOST_RANGE 0
-
-#define ALLOW_ANY_ROOT 0
-
-/*
- * List of hosts. All support all three protocols and access to "/".
- */
-typedef struct {
- const char *hostName;
- unsigned short port;
-} sslHostDef;
-
-#if LOCALHOST_RANGE
-static const sslHostDef knownSslHosts[] =
-{
- { "localhost", 1300 },
- { "localhost", 1301 },
- { "localhost", 1302 },
- { "localhost", 1303 },
- { "localhost", 1304 },
- { "localhost", 1305 },
- { "localhost", 1306 },
- { "localhost", 1307 }
-};
-#else /* LOCALHOST_RANGE */
-static const sslHostDef knownSslHosts[] =
-{
- {"www.amazon.com", DEFAULT_PORT },
- {"store.apple.com", DEFAULT_PORT },
- {"www.thawte.com", DEFAULT_PORT },
- {"account.authorize.net", DEFAULT_PORT },
- {"gmail.google.com", DEFAULT_PORT },
- {"digitalid.verisign.com", DEFAULT_PORT},
- {"www.firstamlink.com", DEFAULT_PORT},
- {"remote.harpercollins.com", DEFAULT_PORT},
- {"mbanxonlinebanking.harrisbank.com", DEFAULT_PORT},
-};
-#endif /* LOCALHOST_RANGE */
-#define NUM_KNOWN_HOSTS (sizeof(knownSslHosts) / sizeof(sslHostDef))
-
-/* for memory leak debug only, with only one thread running */
-#define DO_PAUSE 0
-
-/*
- * Snag test-specific opts.
- *
- * -- [23t] for SSL2, SSL3, TLS1 only operation. Default is all, randomly.
- * -- m - multi sites; default is just one
- * -- r - enable resumable sessions.
- */
-static int initFlag;
-static SSLProtocol globalTryProt = kSSLProtocolUnknown;
-static const char *globalProtStr = NULL;
-static bool justOneHost = 1;
-
-/*
- * Enable resumable sessions. Setting this true exercises the session cache
- * logic in ST but significantly decreases the testing of most of the
- * rest of the handshaking (including cert chain verification).
- * Also, when this is true, once a given site has negotiated a given
- * protocol version, ST disallows negotiation of a higher version with
- * that site.
- */
-static bool resumeEnable = 0;
-
-
-int sslPingInit(TestParams *testParams)
-{
- if(initFlag) {
- return 0;
- }
- if(testParams->testOpts == NULL) {
- initFlag = 1;
- return 0;
- }
- char *testOpts;
- for(testOpts=testParams->testOpts; *testOpts; testOpts++) {
- switch(*testOpts) {
- case '2':
- globalTryProt = kSSLProtocol2;
- globalProtStr = "SSL2";
- break;
- case '3':
- globalTryProt = kSSLProtocol3Only;
- globalProtStr = "SSL3";
- break;
- case 't':
- globalTryProt = kTLSProtocol1Only;
- globalProtStr = "TLS1";
- break;
- case 'm':
- justOneHost = 0;
- break;
- case 'r':
- resumeEnable = 1;
- break;
- default:
- /* for other tests */
- break;
- }
- }
- if(!testParams->quiet) {
- printf("...sslPing using %s only\n", globalProtStr);
- }
- initFlag = 1;
- return 0;
-}
-
-
-/* gethostbyname, called by MakeServerConnection, is not thread-safe. */
-static Mutex connectLock;
-
-#define ENABLE_SSL2 0
-
-/*
- * Roll the dice and select a random host and SSL protocol
- */
-static const char *selectHostAndProt(
- unsigned short &port,
- SSLProtocol &tryProt,
- const char *&protStr)
-{
- unsigned char r[2];
-
- appGetRandomBytes(r, 2);
- if(globalTryProt != kSSLProtocolUnknown) {
- /* user spec'd at cmd line */
- tryProt = globalTryProt;
- protStr = globalProtStr;
- }
- else {
- unsigned modulo = ENABLE_SSL2 ? 5 : 4;
- switch(r[0] % modulo) {
- case 0:
- tryProt = kSSLProtocol3;
- protStr = "SSL3";
- break;
- case 1:
- tryProt = kSSLProtocol3Only;
- protStr = "SSL3Only";
- break;
- case 2:
- tryProt = kTLSProtocol1;
- protStr = "TLS1";
- break;
- case 3:
- tryProt = kTLSProtocol1Only;
- protStr = "TLS1Only";
- break;
- case 4:
- tryProt = kSSLProtocol2;
- protStr = "SSL2";
- break;
- default:
- printf("Huh?\n");
- exit(1);
- }
- }
- const sslHostDef *hostDef;
- if(justOneHost) {
- hostDef = &knownSslHosts[0];
- }
- else {
- hostDef = &(knownSslHosts[r[1] % NUM_KNOWN_HOSTS]);
- }
- port = hostDef->port;
- return hostDef->hostName;
-}
-
-/*
- * Perform one SSL diagnostic session. Returns nonzero on error. Normally no
- * output to stdout except initial "connecting to" message, unless there
- * is a really screwed up error (i.e., something not directly related
- * to the SSL conection).
- */
-#define RCV_BUF_SIZE 256
-
-static OSStatus doSslPing(
- SSLProtocol tryVersion,
- const char *hostName, // e.g., "www.amazon.com"
- unsigned short port,
- const char *getMsg, // e.g., "GET / HTTP/1.0\r\n\r\n"
- CSSM_BOOL allowExpired,
- CSSM_BOOL keepConnected,
- CSSM_BOOL requireNotify, // require closure notify in V3 mode
- SSLProtocol *negVersion, // RETURNED
- SSLCipherSuite *negCipher) // RETURNED
-{
- PeerSpec peerId;
- otSocket sock = 0;
- OSStatus ortn;
- SSLContextRef ctx = NULL;
- size_t length;
- size_t actLen;
- uint8 rcvBuf[RCV_BUF_SIZE];
-
- *negVersion = kSSLProtocolUnknown;
- *negCipher = SSL_NULL_WITH_NULL_NULL;
-
- /* first make sure requested server is there */
- connectLock.lock();
- ortn = MakeServerConnection(hostName, port, &sock, &peerId);
- connectLock.unlock();
- if(ortn) {
- printf("MakeServerConnection(%s) returned %d; aborting\n",
- hostName, (int)ortn);
- return ortn;
- }
-
- /*
- * Set up a SecureTransport session.
- * First the standard calls.
- */
- ortn = SSLNewContext(false, &ctx);
- if(ortn) {
- printSslErrStr("SSLNewContext", ortn);
- goto cleanup;
- }
- ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
- if(ortn) {
- printSslErrStr("SSLSetIOFuncs", ortn);
- goto cleanup;
- }
- ortn = SSLSetProtocolVersion(ctx, tryVersion);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersion", ortn);
- goto cleanup;
- }
- ortn = SSLSetConnection(ctx, (SSLConnectionRef)sock);
- if(ortn) {
- printSslErrStr("SSLSetConnection", ortn);
- goto cleanup;
- }
- if(resumeEnable) {
- ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
- if(ortn) {
- printSslErrStr("SSLSetPeerID", ortn);
- goto cleanup;
- }
- }
-
- /*
- * SecureTransport options.
- */
- if(allowExpired) {
- ortn = SSLSetAllowsExpiredCerts(ctx, true);
- if(ortn) {
- printSslErrStr("SSLSetAllowExpiredCerts", ortn);
- goto cleanup;
- }
- }
-
- #if ALLOW_ANY_ROOT
- ortn = SSLSetAllowsAnyRoot(ctx, true);
- if(ortn) {
- printSslErrStr("SSLSetAllowAnyRoot", ortn);
- goto cleanup;
- }
- #endif
-
- do
- { ortn = SSLHandshake(ctx);
- if(ortn == errSSLWouldBlock) {
- /* keep UI responsive */
- // outputDot();
- }
- } while (ortn == errSSLWouldBlock);
-
- /* this works even if handshake failed due to cert chain invalid */
- // not for this version... copyPeerCerts(ctx, peerCerts);
-
- SSLGetNegotiatedCipher(ctx, negCipher);
- SSLGetNegotiatedProtocolVersion(ctx, negVersion);
-
- if(ortn) {
- printf("\n");
- goto cleanup;
- }
-
- length = strlen(getMsg);
- ortn = SSLWrite(ctx, getMsg, length, &actLen);
-
- /*
- * Try to snag RCV_BUF_SIZE bytes. Exit if (!keepConnected and we get any data
- * at all), or (keepConnected and err != (none, wouldBlock)).
- */
- while (1) {
- actLen = 0;
- ortn = SSLRead(ctx, rcvBuf, RCV_BUF_SIZE, &actLen);
- if(actLen == 0) {
- // outputDot();
- }
- if (ortn == errSSLWouldBlock) {
- /* for this loop, these are identical */
- ortn = noErr;
- }
- // if((actLen > 0) && dumpRxData) {
- // not here... dumpAscii(rcvBuf, actLen);
- // }
- if(keepConnected) {
- if(ortn != noErr) {
- /* connection closed by server or by error */
- break;
- }
- }
- else if(actLen > 0) {
- /* good enough, we connected */
- break;
- }
- }
- //printf("\n");
-
- /* convert normal "shutdown" into zero err rtn */
- if(ortn == errSSLClosedGraceful) {
- ortn = noErr;
- }
- if((ortn == errSSLClosedNoNotify) && !requireNotify) {
- /* relaxed disconnect rules */
- ortn = noErr;
- }
- if (ortn == noErr) {
- ortn = SSLClose(ctx);
- }
-cleanup:
- if(sock) {
- endpointShutdown(sock);
- }
- if(ctx) {
- SSLDisposeContext(ctx);
- }
- return ortn;
-}
-
-int sslPing(TestParams *testParams)
-{
- unsigned loopNum;
- SSLProtocol negVersion;
- SSLProtocol tryVersion;
- const char *hostName;
- unsigned short port;
- SSLCipherSuite negCipher;
- OSStatus err;
- const char *protStr;
-
- for(loopNum=0; loopNum<testParams->numLoops; loopNum++) {
- if(!testParams->quiet) {
- printChar(testParams->progressChar);
- }
- hostName = selectHostAndProt(port, tryVersion, protStr);
- if(testParams->verbose) {
- printf("\nConnecting to host %s with %s...",
- hostName, protStr);
- fflush(stdout);
- }
- err = doSslPing(tryVersion,
- hostName,
- port,
- DEFAULT_GETMSG,
- CSSM_FALSE, // allowExpired
- CSSM_FALSE, // keepConnected
- CSSM_FALSE, // requireNotify
- &negVersion,
- &negCipher);
- if(err) {
- printf("sslPing error (%d)\n", (int)err);
- break;
- }
- if(testParams->verbose) {
- switch(negVersion) {
- case kSSLProtocol2:
- printf("negVersion = SSL2\n");
- break;
- case kSSLProtocol3:
- printf("negVersion = SSL3\n");
- break;
- case kTLSProtocol1:
- printf("negVersion = TLS1\n");
- break;
- default:
- printf("unknown negVersion! (%d)\n",
- (int)negVersion);
- break;
- }
- }
- #if DO_PAUSE
- fpurge(stdin);
- printf("Hit CR to proceed: ");
- getchar();
- #endif
- }
- return (int)err;
-}
-
projects / apple / security.git / blobdiff