sslAlert.cpp   [plain text]

/*
 * sslAlert.cpp - test alert msg sending and processing, client and server side
 */
#include <Security/SecureTransport.h>
#include <Security/Security.h>
#include <clAppUtils/sslAppUtils.h>
#include <clAppUtils/ioSock.h>
#include <clAppUtils/sslThreading.h>
#include <utilLib/common.h>
#include <security_cdsa_utils/cuPrintCert.h>
#include <security_utilities/threading.h>
#include <security_utilities/devrandom.h>

#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <time.h>
#include <ctype.h>
#include <sys/param.h>

#define STARTING_PORT			2000

/* 
 * localcert is a KC containing server cert and signing key
 * assumptions: 
 *	-- common name = "localcert"
 *  -- password of KC = "localcert"
 */
#define SERVER_KC		"localcert"
#define SERVER_ROOT		"localcert.cer"
/*
 * clientcert is a KC containing client cert and signing key
 * assumptions: 
 *  -- password of KC = "clientcert"
 *  -- note common name not checked by SecureTransport when verifying client cert chain
 */
#define CLIENT_KC		"clientcert"
#define CLIENT_ROOT		"clientcert.cer"

/* main() fills these in using sslKeychainPath() */
static char serverKcPath[MAXPATHLEN];
static char clientKcPath[MAXPATHLEN];

static void usage(char **argv)
{
	printf("Usage: %s [options]\n", argv[0]);
	printf("options:\n");
	printf("   q(uiet)\n");
	printf("   v(erbose)\n");
	printf("   p=startingPortNum\n");
	printf("   b (non blocking I/O)\n");
	printf("   s=serverCertName; default %s\n", SERVER_ROOT);
	printf("   c=clientCertName; default %s\n", CLIENT_ROOT);
	printf("   R (ringBuffer I/O)\n");
	printf("   l=loops (default=1; 0=forever)\n");
	exit(1);
}

#define IGNORE_SIGPIPE	1
#if 	IGNORE_SIGPIPE
#include <signal.h>

void sigpipe(int sig) 
{ 
}
#endif	/* IGNORE_SIGPIPE */

/*
 * Default params for each test. Main() will make a copy of this and 
 * adjust its copy on a per-test basis.
 */
SslAppTestParams serverDefaults = 
{
	"no name here",
	false,				// skipHostNameCHeck
	0,					// port - test must set this	
	NULL, NULL,			// RingBuffers
	false,				// noProtSpec
	kTLSProtocol1,
	NULL,				// acceptedProts
	serverKcPath,		// myCerts
	SERVER_KC,			// password
	true,				// idIsTrustedRoot
	false,				// disableCertVerify
	NULL,				// anchorFile
	false,				// replaceAnchors
	kNeverAuthenticate,
	false,				// resumeEnable
	NULL,				// ciphers
	false,				// nonBlocking
	NULL,				// dhParams
	0,					// dhParamsLen
	noErr,				// expectRtn
	kTLSProtocol1,		// expectVersion
	kSSLClientCertNone,
	SSL_CIPHER_IGNORE,
	false,				// quiet
	false,				// silent
	false,				// verbose
	{0},				// lock
	{0},				// cond
	false,				// serverReady
	0,					// clientDone
	false,				// serverAbort
	/* returned */
	kSSLProtocolUnknown,
	SSL_NULL_WITH_NULL_NULL,
	kSSLClientCertNone,
	noHardwareErr
	
};

SslAppTestParams clientDefaults = 
{
	"localhost",
	false,				// skipHostNameCHeck
	0,					// port - test must set this
	NULL, NULL,			// RingBuffers
	false,				// noProtSpec
	kTLSProtocol1,
	NULL,				// acceptedProts
	NULL,				// myCertKcName
	CLIENT_KC,			// password - only meaningful when test sets myCertKcName
	true,				// idIsTrustedRoot
	false,				// disableCertVerify
	SERVER_ROOT,		// anchorFile
	false,				// replaceAnchors
	kNeverAuthenticate,
	false,				// resumeEnable
	NULL,				// ciphers
	false,				// nonBlocking
	NULL,				// dhParams
	0,					// dhParamsLen
	noErr,				// expectRtn
	kTLSProtocol1,		// expectVersion
	kSSLClientCertNone,
	SSL_CIPHER_IGNORE,
	false,				// quiet
	false,				// silent
	false,				// verbose
	{0},				// lock
	{0},				// cond
	false,				// serverReady
	0,					// clientDone
	false,				// serverAbort
	/* returned */
	kSSLProtocolUnknown,
	SSL_NULL_WITH_NULL_NULL,
	kSSLClientCertNone,
	noHardwareErr
};


int main(int argc, char **argv)
{
	int 				ourRtn = 0;
	char	 			*argp;
	int 				thisRtn;
	SslAppTestParams 	clientParams;
	SslAppTestParams 	serverParams;
	const char			*desc;
	unsigned short		portNum = STARTING_PORT;
	const char			*clientCert = CLIENT_ROOT;
	RingBuffer			serverToClientRing;
	RingBuffer			clientToServerRing;
	bool				ringBufferIo = false;
	unsigned 			loopNum = 0;
	unsigned 			loops = 1;

	for(int arg=1; arg<argc; arg++) {
		argp = argv[arg];
		switch(argp[0]) {
			case 'q':
				serverDefaults.quiet = clientDefaults.quiet = true;
				break;
			case 'v':
				serverDefaults.verbose = clientDefaults.verbose = true;
				break;
			case 'b':
				serverDefaults.nonBlocking = clientDefaults.nonBlocking = 
						true;
				break;
			case 'p':
				portNum = atoi(&argp[2]);
				break;
			case 's':
				clientDefaults.anchorFile = &argp[2];
				break;
			case 'c':
				clientCert = &argp[2];
				break;
			case 'R':
				ringBufferIo = true;
				break;
			case 'l':
				loops = atoi(&argp[2]);
				break;
			default:
				usage(argv);
		}
	}
	
	#if IGNORE_SIGPIPE
	signal(SIGPIPE, sigpipe);
	#endif
	
	if(sslCheckFile(clientDefaults.anchorFile)) {
		exit(1);
	}
	if(sslCheckFile(clientCert)) {
		exit(1);
	}

	if(ringBufferIo) {
		/* set up ring buffers */
		ringBufSetup(&serverToClientRing, "serveToClient", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
		ringBufSetup(&clientToServerRing, "clientToServe", DEFAULT_NUM_RB_BUFS, DEFAULT_BUF_RB_SIZE);
		serverDefaults.serverToClientRing = &serverToClientRing;
		serverDefaults.clientToServerRing = &clientToServerRing;
		clientDefaults.serverToClientRing = &serverToClientRing;
		clientDefaults.clientToServerRing = &clientToServerRing;
	}

	/* convert keychain names to paths for root */
	sslKeychainPath(SERVER_KC, serverKcPath);
	sslKeychainPath(CLIENT_KC, clientKcPath);
	
	testStartBanner("sslAlert", argc, argv);
	// printf("sslAlert: server KC: %s\n", serverKcPath);
	// printf("sslAlert: client KC: %s\n", clientKcPath);
	
	/*
	 * We could get real fancy and have a bunch of elaborate tables describing
	 * what's supposed to happen in each test case, but I really don't think
	 * it's worth it. 
	 */
	for(;;) {
		desc = "basic TLS1, nothing fancy";
		clientParams = clientDefaults; serverParams = serverDefaults;
		serverParams.port = portNum;
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "client doesn't recognize server root";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		clientParams.anchorFile = NULL;
		clientParams.expectRtn = errSSLUnknownRootCert;
		serverParams.expectRtn = errSSLPeerUnknownCA;
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "negotiate down to SSL3, server limited";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		serverParams.tryVersion = kSSLProtocol3;
		serverParams.expectVersion = kSSLProtocol3;
		clientParams.expectVersion = kSSLProtocol3;
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "negotiate down to SSL3, client limited";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		clientParams.tryVersion = kSSLProtocol3;
		clientParams.expectVersion = kSSLProtocol3;
		serverParams.expectVersion = kSSLProtocol3;
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "successful client authentication";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		clientParams.myCertKcName = clientKcPath;
		serverParams.anchorFile = clientCert;
		serverParams.authenticate = kAlwaysAuthenticate;
		clientParams.expectCertState = kSSLClientCertSent; 
		serverParams.expectCertState = kSSLClientCertSent; 
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "client authentication, server doesn't recognize root TLS1";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		clientParams.myCertKcName = clientKcPath;
		/* no anchor file for server; unrecognized */
		serverParams.authenticate = kAlwaysAuthenticate;
		clientParams.expectCertState = kSSLClientCertRejected; 
		serverParams.expectCertState = kSSLClientCertRejected; 
		serverParams.expectRtn = errSSLUnknownRootCert;
		clientParams.expectRtn = errSSLPeerUnknownCA;
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "client authentication, server doesn't recognize root SSL3";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		clientParams.tryVersion = kSSLProtocol3;
		clientParams.expectVersion = kSSLProtocol3;
		serverParams.expectVersion = kSSLProtocol3;
		clientParams.myCertKcName = clientKcPath;
		/* no anchor file for server; unrecognized */
		serverParams.authenticate = kAlwaysAuthenticate;
		clientParams.expectCertState = kSSLClientCertRejected; 
		serverParams.expectCertState = kSSLClientCertRejected; 
		serverParams.expectRtn = errSSLUnknownRootCert;
		clientParams.expectRtn = errSSLPeerUnsupportedCert;
		thisRtn = sslRunSession(&serverParams, &clientParams, desc);
		if(thisRtn) {
			if(testError(clientParams.quiet)) {
				goto done;
			}
		}

		desc = "server requires authentication, no client cert, TLS1";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		serverParams.authenticate = kAlwaysAuthenticate;
		clientParams.expectCertState = kSSLClientCertRequested; 
		serverParams.expectCertState = kSSLClientCertRequested; 
		serverParams.expectRtn = errSSLXCertChainInvalid;
		clientParams.expectRtn = errSSLPeerCertUnknown;
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "server requires authentication, no client cert, SSL3";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		clientParams.tryVersion      = kSSLProtocol3;
		clientParams.expectVersion   = kSSLProtocol3;
		serverParams.expectVersion   = kSSLProtocol3;
		serverParams.authenticate    = kAlwaysAuthenticate;
		clientParams.expectCertState = kSSLClientCertRequested; 
		serverParams.expectCertState = kSSLClientCertRequested; 
		serverParams.expectRtn = errSSLProtocol;
		clientParams.expectRtn = errSSLPeerUnexpectedMsg;
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "server (only) requests authentication, no client cert, TLS1";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		serverParams.authenticate = kTryAuthenticate;
		clientParams.expectCertState = kSSLClientCertRequested; 
		serverParams.expectCertState = kSSLClientCertRequested; 
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "server (only) requests authentication, no client cert, SSL3";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		clientParams.tryVersion      = kSSLProtocol3;
		clientParams.expectVersion   = kSSLProtocol3;
		serverParams.expectVersion   = kSSLProtocol3;
		serverParams.authenticate    = kTryAuthenticate;
		clientParams.expectCertState = kSSLClientCertRequested; 
		serverParams.expectCertState = kSSLClientCertRequested; 
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "server (only) requests authentication, client cert w/unknown root, TLS1";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		serverParams.authenticate = kTryAuthenticate;
		clientParams.expectCertState = kSSLClientCertRejected; 
		serverParams.expectCertState = kSSLClientCertRejected; 
		clientParams.myCertKcName = clientKcPath;
		/* no anchor file for server; unrecognized */
		serverParams.expectRtn = errSSLUnknownRootCert;
		clientParams.expectRtn = errSSLPeerUnknownCA;
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);

		desc = "server (only) requests authentication, client cert w/unknown root, SSL3";
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		SSL_THR_SETUP(serverParams, clientParams, clientDefaults, serverDefault);
		clientParams.tryVersion      = kSSLProtocol3;
		clientParams.expectVersion   = kSSLProtocol3;
		serverParams.expectVersion   = kSSLProtocol3;
		serverParams.authenticate    = kTryAuthenticate;
		clientParams.expectCertState = kSSLClientCertRejected; 
		serverParams.expectCertState = kSSLClientCertRejected; 
		clientParams.myCertKcName = clientKcPath;
		/* no anchor file for server; unrecognized */
		serverParams.expectRtn = errSSLUnknownRootCert;
		clientParams.expectRtn = errSSLPeerUnsupportedCert;
		SSL_THR_RUN(serverParams, clientParams, desc, ourRtn);
		if(ringBufferIo) {
			ringBufferReset(&serverToClientRing);
			ringBufferReset(&clientToServerRing);
		}
		
		if(loops) {
			if(++loopNum == loops) {
				break;
			}
			printf("...loop %u\n", loopNum);
		}
	}

done:
	if(!clientParams.quiet) {
		if(ourRtn == 0) {
			printf("===== sslAlert test PASSED =====\n");
		}
		else {
			printf("****FAIL: %d errors detected\n", ourRtn);
		}
	}
	
	return ourRtn;
}