X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/SecurityTests/clxutils/sslSession/sslSession.cpp?ds=sidebyside

diff --git a/SecurityTests/clxutils/sslSession/sslSession.cpp b/SecurityTests/clxutils/sslSession/sslSession.cpp
new file mode 100644
index 00000000..3f691c85
--- /dev/null
+++ b/SecurityTests/clxutils/sslSession/sslSession.cpp
@@ -0,0 +1,293 @@
+/*
+ * sslSession.cpp - basic 2-thread SSL server/client session
+ */
+#include <Security/SecureTransport.h>
+#include <Security/Security.h>
+#include <clAppUtils/sslAppUtils.h>
+#include <clAppUtils/ioSock.h>
+#include <clAppUtils/sslThreading.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <utilLib/common.h>
+#include <security_cdsa_utils/cuPrintCert.h>
+#include <security_utilities/threading.h>
+#include <security_utilities/devrandom.h>
+
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
+#include <sys/param.h>
+
+#define PORT_DEF			4000
+#define HOST_DEF			"localhost"
+#define DH_PARAMS			"dhParams_512.der"
+
+static void usage(char **argv)
+{
+	printf("Usage: %s server_kc [options]\n", argv[0]);
+	printf("options:\n");
+	printf("   P=port (default = %d)\n", PORT_DEF);
+	printf("   c=client_kc (default is none)\n");
+	printf("   d (DSA, default is RSA)\n");
+	printf("   f (D-H, default is RSA)\n");
+	printf("   a anchor File for client side (typically, the server's cert)\n");
+	printf("   A anchor file for server side (typically, the client's cert)\n");
+	printf("   h hostname (default is %s)\n", HOST_DEF);
+	printf("   k (skip hostname check)\n");
+	printf("   b (non blocking I/O)\n");
+	printf("   u Require client authentication\n");
+	printf("   x Expect policy verify error on client side\n");
+	printf("   X Expect policy verify error on server side\n");
+	printf("   z=kc_pwd\n");
+	printf("   R (ringBuffer I/O)\n");
+	printf("   l=loops (default 1)\n");
+	printf("   q(uiet)\n");
+	printf("   v(erbose)\n");
+	exit(1);
+}
+
+#define IGNORE_SIGPIPE	1
+#if 	IGNORE_SIGPIPE
+#include <signal.h>
+
+void sigpipe(int sig) 
+{ 
+}
+#endif	/* IGNORE_SIGPIPE */
+
+static SSLCipherSuite ciphers[] = {
+	SSL_RSA_WITH_RC4_128_SHA, SSL_NO_SUCH_CIPHERSUITE
+};
+
+/*
+ * Default params for each test. Main() adjust this per cmd line
+ * args.
+ */
+SslAppTestParams serverDefaults = 
+{
+	"no name here",
+	false,				// skipHostNameCHeck
+	PORT_DEF,	
+	NULL, NULL,			// RingBuffers
+	false,				// noProtSpec
+	kTLSProtocol1,	
+	NULL,				// acceptedProts - not used in this test
+	NULL,				// myCerts - const
+	NULL,				// password
+	true,				// idIsTrustedRoot
+	false,				// disableCertVerify
+	NULL,				// anchorFile
+	false,				// replaceAnchors
+	kNeverAuthenticate,
+	false,				// resumeEnable
+	ciphers,			// ciphers
+	false,				// nonBlocking 
+	NULL,				// dhParams
+	0,					// dhParamsLen
+	noErr,				// expectRtn
+	kTLSProtocol1,		// expectVersion
+	kSSLClientCertNone,
+	SSL_CIPHER_IGNORE,
+	false,				// quiet
+	false,				// silent
+	false,				// verbose
+	{0},				// lock
+	{0},				// cond
+	false,				// serverReady
+	0,					// clientDone
+	false,				// serverAbort
+	/* returned */
+	kSSLProtocolUnknown,
+	SSL_NULL_WITH_NULL_NULL,
+	kSSLClientCertNone,
+	noHardwareErr
+	
+};
+
+SslAppTestParams clientDefaults = 
+{
+	HOST_DEF,
+	false,				// skipHostNameCHeck
+	PORT_DEF,		
+	NULL, NULL,			// RingBuffers
+	false,				// noProtSpec
+	kTLSProtocol1,	
+	NULL,				// acceptedProts - not used in this test
+	NULL,				// myCerts - const
+	NULL,				// password
+	true,				// idIsTrustedRoot
+	false,				// disableCertVerify
+	NULL,				// anchorFile
+	false,				// replaceAnchors
+	kNeverAuthenticate,
+	false,				// resumeEnable
+	NULL,				// ciphers
+	false,				// nonBlocking 
+	NULL,				// dhParams
+	0,					// dhParamsLen
+	noErr,				// expectRtn
+	kTLSProtocol1,		// expectVersion
+	kSSLClientCertNone,
+	SSL_CIPHER_IGNORE,
+	false,				// quiet
+	false,				// silent
+	false,				// verbose
+	{0},				// lock
+	{0},				// cond
+	false,				// serverReady
+	0,					// clientDone
+	false,				// serverAbort
+	/* returned */
+	kSSLProtocolUnknown,
+	SSL_NULL_WITH_NULL_NULL,
+	kSSLClientCertNone,
+	noHardwareErr
+	
+};
+
+int main(int argc, char **argv)
+{
+	int 				ourRtn = 0;
+	char	 			*argp;
+	bool				dhEnable = false;
+	unsigned			loop;
+	unsigned 			loops = 1;
+	bool				ringBufferIo = false;
+	RingBuffer			serverToClientRing;
+	RingBuffer			clientToServerRing;
+
+	if(argc < 2) {
+		usage(argv);
+	}
+	serverDefaults.myCertKcName = argv[1];
+	for(int arg=2; arg<argc; arg++) {
+		argp = argv[arg];
+		switch(argp[0]) {
+			case 'c':
+				clientDefaults.myCertKcName = &argp[2];
+			case 'q':
+				serverDefaults.quiet = clientDefaults.quiet = true;
+				break;
+			case 'v':
+				serverDefaults.verbose = clientDefaults.verbose = true;
+				break;
+			case 'p':
+				serverDefaults.port = clientDefaults.port = atoi(&argp[2]);
+				break;
+			case 'b':
+				serverDefaults.nonBlocking = clientDefaults.nonBlocking = 
+						true;
+				break;
+			case 'd':
+				ciphers[0] = SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA;
+				dhEnable = true;
+				break;
+			case 'f':
+				ciphers[0] = SSL_DH_anon_WITH_RC4_128_MD5;
+				dhEnable = true;
+				break;
+			case 'h':
+				if(++arg == argc) {
+					usage(argv);
+				}
+				clientDefaults.hostName=argv[arg];
+				break;
+			case 'k':
+				clientDefaults.skipHostNameCheck = true;
+				break;
+			case 'a':
+				if(++arg == argc) {
+					usage(argv);
+				}
+				clientDefaults.anchorFile = serverDefaults.anchorFile = argv[arg];
+				break;
+			case 'A':
+				if(++arg == argc) {
+					usage(argv);
+				}
+				serverDefaults.anchorFile = argv[arg];
+				break;
+			case 'z':
+				serverDefaults.password = &argp[2];
+				break;
+			case 'P':
+				serverDefaults.port = clientDefaults.port = atoi(&argp[2]);
+				break;
+			case 'u':
+				serverDefaults.authenticate = kAlwaysAuthenticate;
+				if(serverDefaults.expectCertState == kSSLClientCertNone) {
+					serverDefaults.expectCertState = kSSLClientCertSent;
+				}
+				/* else it was set by 'X' option */
+				if(clientDefaults.expectCertState == kSSLClientCertNone) {
+					clientDefaults.expectCertState = kSSLClientCertSent;
+				}
+				/* else...ditto */
+				break;
+			case 'x':
+				/* server side has bad cert */
+				clientDefaults.expectRtn = errSSLXCertChainInvalid;
+				serverDefaults.expectRtn = errSSLPeerCertUnknown;
+				break;
+			case 'X':
+				/* client side has bad cert */
+				serverDefaults.expectRtn = errSSLXCertChainInvalid;
+				clientDefaults.expectRtn = errSSLPeerCertUnknown;
+				serverDefaults.expectCertState = kSSLClientCertRejected;
+				clientDefaults.expectCertState = kSSLClientCertRejected;
+				break;
+			case 'R':
+				ringBufferIo = true;
+				break;
+			case 'l':
+				loops = atoi(&argp[2]);
+				break;
+			default:
+				usage(argv);
+		}
+	}
+	
+	#if IGNORE_SIGPIPE
+	signal(SIGPIPE, sigpipe);
+	#endif
+	
+	if(ringBufferIo) {
+		/* set up ring buffers */
+		ringBufSetup(&serverToClientRing, "serveToClient", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
+		ringBufSetup(&clientToServerRing, "clientToServe", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
+		serverDefaults.serverToClientRing = &serverToClientRing;
+		serverDefaults.clientToServerRing = &clientToServerRing;
+		clientDefaults.serverToClientRing = &serverToClientRing;
+		clientDefaults.clientToServerRing = &clientToServerRing;
+	}
+	if(dhEnable) {
+		/* snag D-H params */
+		if(readFile(DH_PARAMS, (unsigned char **)&serverDefaults.dhParams, 
+				&serverDefaults.dhParamsLen)) {
+			printf("***Error reading Diffie-Hellman params."
+				" Patience, grasshopper.\n");
+		}
+	}
+	testStartBanner("sslSession", argc, argv);
+	for(loop=0; loop<loops; loop++) {
+		ourRtn = sslRunSession(&serverDefaults, &clientDefaults, NULL);
+		if(ourRtn) {
+			break;
+		}
+	}
+	if(!clientDefaults.quiet) {
+		if(ourRtn == 0) {
+			if(!serverDefaults.quiet) {
+				printf("===== %s test PASSED =====\n", argv[0]);
+			}
+		}
+		else {
+			printf("****FAIL: %d errors detected\n", ourRtn);
+		}
+	}
+	
+	return ourRtn;
+}