sslPing.cpp   [plain text]

/* sslPing.c - simple version sslPing test */

#include "testParams.h"
#include <stdlib.h>
#include <stdio.h>
#include <Security/SecureTransport.h>
#include "ioSockThr.h"
#include "testutil.h"
#include <security_utilities/threading.h>
#include <utilLib/common.h>

#define DEFAULT_GETMSG  	"GET / HTTP/1.0\r\n\r\n"
#define DEFAULT_PORT    	 443

#define LOCALHOST_RANGE			0

#define ALLOW_ANY_ROOT			0

/*
 * List of hosts. All support all three protocols and access to "/".
 */
typedef struct {
	const char *hostName;
	unsigned short port;
} sslHostDef;

#if		LOCALHOST_RANGE
static const sslHostDef knownSslHosts[] = 
{
	{ "localhost", 1300 },
	{ "localhost", 1301 },
	{ "localhost", 1302 },
	{ "localhost", 1303 },
	{ "localhost", 1304 },
	{ "localhost", 1305 },
	{ "localhost", 1306 },
	{ "localhost", 1307 }
};
#else	/* LOCALHOST_RANGE */
static const sslHostDef knownSslHosts[] = 
{
	{"www.amazon.com", DEFAULT_PORT },
	{"store.apple.com", DEFAULT_PORT },
	{"www.thawte.com", DEFAULT_PORT },
	{"account.authorize.net", DEFAULT_PORT },
	{"gmail.google.com", DEFAULT_PORT },
	{"digitalid.verisign.com", DEFAULT_PORT},
	{"www.firstamlink.com", DEFAULT_PORT},
	{"remote.harpercollins.com", DEFAULT_PORT},
	{"mbanxonlinebanking.harrisbank.com", DEFAULT_PORT},
};
#endif	/* LOCALHOST_RANGE */
#define NUM_KNOWN_HOSTS (sizeof(knownSslHosts) / sizeof(sslHostDef))

/* for memory leak debug only, with only one thread running */
#define DO_PAUSE			0

/*
 * Snag test-specific opts. 
 *
 * -- [23t] for SSL2, SSL3, TLS1 only operation. Default is all, randomly.
 * -- m - multi sites; default is just one
 * -- r - enable resumable sessions.  
 */
static int initFlag;
static SSLProtocol globalTryProt = kSSLProtocolUnknown;
static const char *globalProtStr = NULL;
static bool justOneHost = 1;

/*
 * Enable resumable sessions. Setting this true exercises the session cache
 * logic in ST but significantly decreases the testing of most of the
 * rest of the handshaking (including cert chain verification). 
 * Also, when this is true, once a given site has negotiated a given
 * protocol version, ST disallows negotiation of a higher version with
 * that site.
 */
static bool resumeEnable = 0;


int sslPingInit(TestParams *testParams)
{
	if(initFlag) {
		return 0;
	}
	if(testParams->testOpts == NULL) {
		initFlag = 1;
		return 0;
	}
	char *testOpts;
	for(testOpts=testParams->testOpts; *testOpts; testOpts++) {
		switch(*testOpts) {
			case '2':
				globalTryProt = kSSLProtocol2;
				globalProtStr = "SSL2";
				break;
			case '3':
				globalTryProt = kSSLProtocol3Only;
				globalProtStr = "SSL3";
				break;
			case 't':
				globalTryProt = kTLSProtocol1Only;
				globalProtStr = "TLS1";
				break;
			case 'm':
				justOneHost = 0;
				break;
			case 'r':
				resumeEnable = 1;
				break;
			default:
				/* for other tests */
				break;
		}
	}
	if(!testParams->quiet) {
		printf("...sslPing using %s only\n", globalProtStr);
	}
	initFlag = 1;
	return 0;
}


/* gethostbyname, called by MakeServerConnection, is not thread-safe. */
static Mutex connectLock;

#define ENABLE_SSL2 0

/* 
 * Roll the dice and select a random host and SSL protocol 
 */
static const char *selectHostAndProt(
	unsigned short &port,
	SSLProtocol &tryProt,
	const char *&protStr)
{
	unsigned char r[2];
	
	appGetRandomBytes(r, 2);
	if(globalTryProt != kSSLProtocolUnknown) {
		/* user spec'd at cmd line */
		tryProt = globalTryProt;
		protStr = globalProtStr;
	}
	else {
        unsigned modulo = ENABLE_SSL2 ? 5 : 4;
		switch(r[0] % modulo) {
			case 0:	
				tryProt = kSSLProtocol3; 
				protStr = "SSL3";
				break;
			case 1:	
				tryProt = kSSLProtocol3Only; 
				protStr = "SSL3Only";
				break;
			case 2:	
				tryProt = kTLSProtocol1; 
				protStr = "TLS1";
				break;
			case 3:	
				tryProt = kTLSProtocol1Only; 
				protStr = "TLS1Only";
				break;
			case 4:	
				tryProt = kSSLProtocol2; 
				protStr = "SSL2";
				break;
			default:
				printf("Huh?\n");
				exit(1);
		}
	}
	const sslHostDef *hostDef;
	if(justOneHost) {
		hostDef = &knownSslHosts[0];
	}
	else {
		hostDef = &(knownSslHosts[r[1] % NUM_KNOWN_HOSTS]);
	}
	port = hostDef->port;
	return hostDef->hostName;
}
	
/*
 * Perform one SSL diagnostic session. Returns nonzero on error. Normally no
 * output to stdout except initial "connecting to" message, unless there 
 * is a really screwed up error (i.e., something not directly related 
 * to the SSL conection). 
 */
#define RCV_BUF_SIZE		256

static OSStatus doSslPing(
	SSLProtocol				tryVersion,
	const char				*hostName,			// e.g., "www.amazon.com"
	unsigned short			port,
	const char				*getMsg,			// e.g., "GET / HTTP/1.0\r\n\r\n" 
	CSSM_BOOL				allowExpired,
	CSSM_BOOL				keepConnected,
	CSSM_BOOL				requireNotify,		// require closure notify in V3 mode
	SSLProtocol				*negVersion,		// RETURNED
	SSLCipherSuite			*negCipher)			// RETURNED
{
    PeerSpec            peerId;
	otSocket			sock = 0;
    OSStatus            ortn;
    SSLContextRef       ctx = NULL;
    size_t              length;
	size_t				actLen;
    uint8               rcvBuf[RCV_BUF_SIZE];
	
    *negVersion = kSSLProtocolUnknown;
    *negCipher = SSL_NULL_WITH_NULL_NULL;
    
	/* first make sure requested server is there */
	connectLock.lock();
	ortn = MakeServerConnection(hostName, port, &sock, &peerId);
	connectLock.unlock();
    if(ortn) {
    	printf("MakeServerConnection(%s) returned %d; aborting\n", 
			hostName, (int)ortn);
    	return ortn;
    }

	/* 
	 * Set up a SecureTransport session.
	 * First the standard calls.
	 */
	ortn = SSLNewContext(false, &ctx);
	if(ortn) {
		printSslErrStr("SSLNewContext", ortn);
		goto cleanup;
	} 
	ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
	if(ortn) {
		printSslErrStr("SSLSetIOFuncs", ortn);
		goto cleanup;
	} 
	ortn = SSLSetProtocolVersion(ctx, tryVersion);
	if(ortn) {
		printSslErrStr("SSLSetProtocolVersion", ortn);
		goto cleanup;
	} 
	ortn = SSLSetConnection(ctx, (SSLConnectionRef)sock);
	if(ortn) {
		printSslErrStr("SSLSetConnection", ortn);
		goto cleanup;
	}
	if(resumeEnable) {
		ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
		if(ortn) {
			printSslErrStr("SSLSetPeerID", ortn);
			goto cleanup;
		}
	}
	
	/* 
	 * SecureTransport options.
	 */ 
	if(allowExpired) {
		ortn = SSLSetAllowsExpiredCerts(ctx, true);
		if(ortn) {
			printSslErrStr("SSLSetAllowExpiredCerts", ortn);
			goto cleanup;
		}
	}
	
	#if ALLOW_ANY_ROOT
	ortn = SSLSetAllowsAnyRoot(ctx, true);
	if(ortn) {
		printSslErrStr("SSLSetAllowAnyRoot", ortn);
		goto cleanup;
	}
	#endif
	
    do
    {   ortn = SSLHandshake(ctx);
	    if(ortn == errSSLWouldBlock) {
	    	/* keep UI responsive */ 
	    	// outputDot();
	    }
    } while (ortn == errSSLWouldBlock);
	
	/* this works even if handshake failed due to cert chain invalid */
	// not for this version... copyPeerCerts(ctx, peerCerts);

	SSLGetNegotiatedCipher(ctx, negCipher);
	SSLGetNegotiatedProtocolVersion(ctx, negVersion);
	
    if(ortn) {
		printf("\n");
    	goto cleanup;
    }

	length = strlen(getMsg);
	ortn = SSLWrite(ctx, getMsg, length, &actLen);

	/* 
	 * Try to snag RCV_BUF_SIZE bytes. Exit if (!keepConnected and we get any data
	 * at all), or (keepConnected and err != (none, wouldBlock)).
	 */
    while (1) {   
		actLen = 0;
        ortn = SSLRead(ctx, rcvBuf, RCV_BUF_SIZE, &actLen);
        if(actLen == 0) {
        	// outputDot();
        }
        if (ortn == errSSLWouldBlock) {
			/* for this loop, these are identical */
            ortn = noErr;
        }
		// if((actLen > 0) && dumpRxData) {
		// not here...	dumpAscii(rcvBuf, actLen);
		// }
		if(keepConnected) {
			if(ortn != noErr) {
				/* connection closed by server or by error */
				break;
			}
		}
		else if(actLen > 0) {
        	/* good enough, we connected */
        	break;
        }
    }
	//printf("\n");
	
    /* convert normal "shutdown" into zero err rtn */
	if(ortn == errSSLClosedGraceful) {
		ortn = noErr;
	}
	if((ortn == errSSLClosedNoNotify) && !requireNotify) {
		/* relaxed disconnect rules */
		ortn = noErr;
	}
    if (ortn == noErr) {
        ortn = SSLClose(ctx);
	}
cleanup:
	if(sock) {
		endpointShutdown(sock);
	}
	if(ctx) {
	    SSLDisposeContext(ctx);  
	}    
	return ortn;
}

int sslPing(TestParams *testParams)
{
	unsigned 		loopNum;
	SSLProtocol		negVersion;
	SSLProtocol		tryVersion;
	const char 		*hostName;
	unsigned short	port;
	SSLCipherSuite	negCipher;
	OSStatus		err;
	const char		*protStr;
	
	for(loopNum=0; loopNum<testParams->numLoops; loopNum++) {
		if(!testParams->quiet) {
			printChar(testParams->progressChar);
		}
		hostName = selectHostAndProt(port, tryVersion, protStr);
		if(testParams->verbose) {
			printf("\nConnecting to host %s with %s...", 
				hostName, protStr); 
			fflush(stdout);
		}
		err = doSslPing(tryVersion,
			hostName,	
			port,
			DEFAULT_GETMSG,
			CSSM_FALSE,				// allowExpired
			CSSM_FALSE,				// keepConnected
			CSSM_FALSE,				// requireNotify
			&negVersion,
			&negCipher);
		if(err) {
			printf("sslPing error (%d)\n", (int)err);
			break;
		}
		if(testParams->verbose) {
			switch(negVersion) {
				case kSSLProtocol2:
					printf("negVersion = SSL2\n");
					break;
				case kSSLProtocol3:
					printf("negVersion = SSL3\n");
					break;
				case kTLSProtocol1:
					printf("negVersion = TLS1\n");
					break;
				default:
					printf("unknown negVersion! (%d)\n", 
						(int)negVersion);
					break;
			}
		}
		#if DO_PAUSE
		fpurge(stdin);
		printf("Hit CR to proceed: ");
		getchar();
		#endif
	}
	return (int)err;
}