Home | History | Annotate | Download | only in test
      1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 // This helper binary is only used for testing Chrome's SSL stack.
      6 
      7 #include <sys/types.h>
      8 #include <sys/socket.h>
      9 
     10 #include <openssl/bio.h>
     11 #include <openssl/ssl.h>
     12 #include <openssl/err.h>
     13 
     14 static const char kDefaultPEMFile[] = "net/data/ssl/certificates/ok_cert.pem";
     15 
     16 // Server Name Indication callback from OpenSSL
     17 static int sni_cb(SSL *s, int *ad, void *arg) {
     18   const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
     19   if (servername && strcmp(servername, "test.example.com") == 0)
     20     *reinterpret_cast<bool*>(arg) = true;
     21 
     22   return SSL_TLSEXT_ERR_OK;
     23 }
     24 
     25 // Client certificate verification callback from OpenSSL
     26 static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) {
     27   return 1;
     28 }
     29 
     30 // Next Protocol Negotiation callback from OpenSSL
     31 static int next_proto_cb(SSL *ssl, const unsigned char **out,
     32                          unsigned int *outlen, void *arg) {
     33   bool* npn_mispredict = reinterpret_cast<bool*>(arg);
     34   static char kProtos[] = "\003foo\003bar";
     35   static char kProtos2[] = "\003baz\003boo";
     36   static unsigned count = 0;
     37 
     38   if (!*npn_mispredict || count == 0) {
     39     *out = (const unsigned char*) kProtos;
     40     *outlen = sizeof(kProtos) - 1;
     41   } else {
     42     *out = (const unsigned char*) kProtos2;
     43     *outlen = sizeof(kProtos2) - 1;
     44   }
     45   count++;
     46   return SSL_TLSEXT_ERR_OK;
     47 }
     48 
     49 int
     50 main(int argc, char **argv) {
     51   SSL_library_init();
     52   ERR_load_crypto_strings();
     53   OpenSSL_add_all_algorithms();
     54   SSL_load_error_strings();
     55 
     56   bool sni = false, sni_good = false, snap_start = false;
     57   bool snap_start_recovery = false, sslv3 = false, session_tickets = false;
     58   bool fail_resume = false, client_cert = false, npn = false;
     59   bool npn_mispredict = false;
     60 
     61   const char* key_file = kDefaultPEMFile;
     62   const char* cert_file = kDefaultPEMFile;
     63 
     64   for (int i = 1; i < argc; i++) {
     65     if (strcmp(argv[i], "sni") == 0) {
     66       // Require SNI
     67       sni = true;
     68     } else if (strcmp(argv[i], "snap-start") == 0) {
     69       // Support Snap Start
     70       snap_start = true;
     71     } else if (strcmp(argv[i], "snap-start-recovery") == 0) {
     72       // Support Snap Start, but always trigger a recovery
     73       snap_start = true;
     74       snap_start_recovery = true;
     75     } else if (strcmp(argv[i], "sslv3") == 0) {
     76       // Use SSLv3
     77       sslv3 = true;
     78     } else if (strcmp(argv[i], "session-tickets") == 0) {
     79       // Enable Session Tickets
     80       session_tickets = true;
     81     } else if (strcmp(argv[i], "fail-resume") == 0) {
     82       // Always fail to resume sessions
     83       fail_resume = true;
     84     } else if (strcmp(argv[i], "client-cert") == 0) {
     85       // Request a client certificate
     86       client_cert = true;
     87     } else if (strcmp(argv[i], "npn") == 0) {
     88       // Advertise NPN
     89       npn = true;
     90     } else if (strcmp(argv[i], "npn-mispredict") == 0) {
     91       // Advertise NPN
     92       npn = true;
     93       npn_mispredict = true;
     94     } else if (strcmp(argv[i], "--key-file") == 0) {
     95       // Use alternative key file
     96       i++;
     97       if (i == argc) {
     98         fprintf(stderr, "Missing argument to --key-file\n");
     99         return 1;
    100       }
    101       key_file = argv[i];
    102     } else if (strcmp(argv[i], "--cert-file") == 0) {
    103       // Use alternative certificate file
    104       i++;
    105       if (i == argc) {
    106         fprintf(stderr, "Missing argument to --cert-file\n");
    107         return 1;
    108       }
    109       cert_file = argv[i];
    110     } else {
    111       fprintf(stderr, "Unknown argument: %s\n", argv[i]);
    112       return 1;
    113     }
    114   }
    115 
    116   SSL_CTX* ctx;
    117 
    118   if (sslv3) {
    119     ctx = SSL_CTX_new(SSLv3_server_method());
    120   } else {
    121     ctx = SSL_CTX_new(TLSv1_server_method());
    122   }
    123 
    124   if (sni) {
    125     SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
    126     SSL_CTX_set_tlsext_servername_arg(ctx, &sni_good);
    127   }
    128 
    129   BIO* key = BIO_new(BIO_s_file());
    130   if (BIO_read_filename(key, key_file) <= 0) {
    131     fprintf(stderr, "Failed to read %s\n", key_file);
    132     return 1;
    133   }
    134 
    135   EVP_PKEY *pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL);
    136   if (!pkey) {
    137     fprintf(stderr, "Failed to parse %s\n", key_file);
    138     return 1;
    139   }
    140   BIO_free(key);
    141 
    142 
    143   BIO* cert = BIO_new(BIO_s_file());
    144   if (BIO_read_filename(cert, cert_file) <= 0) {
    145     fprintf(stderr, "Failed to read %s\n", cert_file);
    146     return 1;
    147   }
    148 
    149   X509 *pcert = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
    150   if (!pcert) {
    151     fprintf(stderr, "Failed to parse %s\n", cert_file);
    152     return 1;
    153   }
    154   BIO_free(cert);
    155 
    156   if (SSL_CTX_use_certificate(ctx, pcert) <= 0) {
    157     fprintf(stderr, "Failed to load %s\n", cert_file);
    158     return 1;
    159   }
    160 
    161   if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) {
    162     fprintf(stderr, "Failed to load %s\n", key_file);
    163     return 1;
    164   }
    165 
    166   if (!SSL_CTX_check_private_key(ctx)) {
    167     fprintf(stderr, "Public and private keys don't match\n");
    168     return 1;
    169   }
    170 
    171   if (client_cert)
    172     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb);
    173 
    174   if (session_tickets)
    175     SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
    176 
    177   if (snap_start) {
    178     static const unsigned char orbit[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    179     SSL_CTX_set_snap_start_orbit(ctx, orbit);
    180   }
    181 
    182   if (npn)
    183     SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &npn_mispredict);
    184 
    185   unsigned connection_limit = 1;
    186   if (snap_start || session_tickets)
    187     connection_limit = 2;
    188   if (npn_mispredict)
    189     connection_limit = 3;
    190 
    191   for (unsigned connections = 0; connections < connection_limit;
    192        connections++) {
    193     const int fd = accept(3, NULL, NULL);
    194 
    195     SSL* server = SSL_new(ctx);
    196     BIO* bio = BIO_new_socket(fd, 1 /* take ownership of fd */);
    197     SSL_set_bio(server, bio, bio);
    198 
    199     if (fail_resume) {
    200       SSL_set_session_id_context(server, (unsigned char*) &connections,
    201                                  sizeof(connections));
    202     }
    203 
    204     int err;
    205     for (;;) {
    206       const int ret = SSL_accept(server);
    207       if (ret == 1)
    208         break;
    209 
    210       err = SSL_get_error(server, ret);
    211       if (err == SSL_ERROR_WANT_READ)
    212         continue;
    213       if (err == SSL_ERROR_SERVER_RANDOM_VALIDATION_PENDING && snap_start) {
    214         SSL_set_suggested_server_random_validity(
    215             server, !snap_start_recovery);
    216         continue;
    217       }
    218       ERR_print_errors_fp(stderr);
    219       fprintf(stderr, "SSL_accept failed: %d\n", err);
    220       return 1;
    221     }
    222 
    223     if (sni && !sni_good) {
    224       fprintf(stderr, "SNI failed\n");
    225       return 1;
    226     }
    227 
    228     if (npn) {
    229       const unsigned char *data, *expected_data;
    230       unsigned len, expected_len;
    231       SSL_get0_next_proto_negotiated(server, &data, &len);
    232       if (!npn_mispredict || connections == 0) {
    233         expected_data = (unsigned char*) "foo";
    234         expected_len = 3;
    235       } else {
    236         expected_data = (unsigned char*) "baz";
    237         expected_len = 3;
    238       }
    239       if (len != expected_len || memcmp(data, expected_data, len) != 0) {
    240         fprintf(stderr, "Bad NPN: %d\n", len);
    241         return 1;
    242       }
    243     }
    244 
    245     unsigned char buffer[6];
    246 
    247     int ret = SSL_read(server, buffer, sizeof(buffer));
    248     if (ret == -1) {
    249       err = SSL_get_error(server, ret);
    250       ERR_print_errors_fp(stderr);
    251       fprintf(stderr, "SSL_read failed: %d\n", err);
    252     }
    253     if (memcmp(buffer, "hello!", sizeof(buffer)) == 0) {
    254       SSL_write(server, "goodbye!", 8);
    255     }
    256 
    257     SSL_shutdown(server);
    258     SSL_shutdown(server);
    259   }
    260 
    261   SSL_CTX_free(ctx);
    262 
    263   return 0;
    264 }
    265