1// Copyright (c) 2010 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5// This helper binary is only used for testing Chrome's SSL stack.
6
7#include <sys/types.h>
8#include <sys/socket.h>
9
10#include <openssl/bio.h>
11#include <openssl/ssl.h>
12#include <openssl/err.h>
13
14static const char kDefaultPEMFile[] = "net/data/ssl/certificates/ok_cert.pem";
15
16// Server Name Indication callback from OpenSSL
17static int sni_cb(SSL *s, int *ad, void *arg) {
18  const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
19  if (servername && strcmp(servername, "test.example.com") == 0)
20    *reinterpret_cast<bool*>(arg) = true;
21
22  return SSL_TLSEXT_ERR_OK;
23}
24
25// Client certificate verification callback from OpenSSL
26static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) {
27  return 1;
28}
29
30// Next Protocol Negotiation callback from OpenSSL
31static int next_proto_cb(SSL *ssl, const unsigned char **out,
32                         unsigned int *outlen, void *arg) {
33  bool* npn_mispredict = reinterpret_cast<bool*>(arg);
34  static char kProtos[] = "\003foo\003bar";
35  static char kProtos2[] = "\003baz\003boo";
36  static unsigned count = 0;
37
38  if (!*npn_mispredict || count == 0) {
39    *out = (const unsigned char*) kProtos;
40    *outlen = sizeof(kProtos) - 1;
41  } else {
42    *out = (const unsigned char*) kProtos2;
43    *outlen = sizeof(kProtos2) - 1;
44  }
45  count++;
46  return SSL_TLSEXT_ERR_OK;
47}
48
49int
50main(int argc, char **argv) {
51  SSL_library_init();
52  ERR_load_crypto_strings();
53  OpenSSL_add_all_algorithms();
54  SSL_load_error_strings();
55
56  bool sni = false, sni_good = false, snap_start = false;
57  bool snap_start_recovery = false, sslv3 = false, session_tickets = false;
58  bool fail_resume = false, client_cert = false, npn = false;
59  bool npn_mispredict = false;
60
61  const char* key_file = kDefaultPEMFile;
62  const char* cert_file = kDefaultPEMFile;
63
64  for (int i = 1; i < argc; i++) {
65    if (strcmp(argv[i], "sni") == 0) {
66      // Require SNI
67      sni = true;
68    } else if (strcmp(argv[i], "snap-start") == 0) {
69      // Support Snap Start
70      snap_start = true;
71    } else if (strcmp(argv[i], "snap-start-recovery") == 0) {
72      // Support Snap Start, but always trigger a recovery
73      snap_start = true;
74      snap_start_recovery = true;
75    } else if (strcmp(argv[i], "sslv3") == 0) {
76      // Use SSLv3
77      sslv3 = true;
78    } else if (strcmp(argv[i], "session-tickets") == 0) {
79      // Enable Session Tickets
80      session_tickets = true;
81    } else if (strcmp(argv[i], "fail-resume") == 0) {
82      // Always fail to resume sessions
83      fail_resume = true;
84    } else if (strcmp(argv[i], "client-cert") == 0) {
85      // Request a client certificate
86      client_cert = true;
87    } else if (strcmp(argv[i], "npn") == 0) {
88      // Advertise NPN
89      npn = true;
90    } else if (strcmp(argv[i], "npn-mispredict") == 0) {
91      // Advertise NPN
92      npn = true;
93      npn_mispredict = true;
94    } else if (strcmp(argv[i], "--key-file") == 0) {
95      // Use alternative key file
96      i++;
97      if (i == argc) {
98        fprintf(stderr, "Missing argument to --key-file\n");
99        return 1;
100      }
101      key_file = argv[i];
102    } else if (strcmp(argv[i], "--cert-file") == 0) {
103      // Use alternative certificate file
104      i++;
105      if (i == argc) {
106        fprintf(stderr, "Missing argument to --cert-file\n");
107        return 1;
108      }
109      cert_file = argv[i];
110    } else {
111      fprintf(stderr, "Unknown argument: %s\n", argv[i]);
112      return 1;
113    }
114  }
115
116  SSL_CTX* ctx;
117
118  if (sslv3) {
119    ctx = SSL_CTX_new(SSLv3_server_method());
120  } else {
121    ctx = SSL_CTX_new(TLSv1_server_method());
122  }
123
124  if (sni) {
125    SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
126    SSL_CTX_set_tlsext_servername_arg(ctx, &sni_good);
127  }
128
129  BIO* key = BIO_new(BIO_s_file());
130  if (BIO_read_filename(key, key_file) <= 0) {
131    fprintf(stderr, "Failed to read %s\n", key_file);
132    return 1;
133  }
134
135  EVP_PKEY *pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL);
136  if (!pkey) {
137    fprintf(stderr, "Failed to parse %s\n", key_file);
138    return 1;
139  }
140  BIO_free(key);
141
142
143  BIO* cert = BIO_new(BIO_s_file());
144  if (BIO_read_filename(cert, cert_file) <= 0) {
145    fprintf(stderr, "Failed to read %s\n", cert_file);
146    return 1;
147  }
148
149  X509 *pcert = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
150  if (!pcert) {
151    fprintf(stderr, "Failed to parse %s\n", cert_file);
152    return 1;
153  }
154  BIO_free(cert);
155
156  if (SSL_CTX_use_certificate(ctx, pcert) <= 0) {
157    fprintf(stderr, "Failed to load %s\n", cert_file);
158    return 1;
159  }
160
161  if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) {
162    fprintf(stderr, "Failed to load %s\n", key_file);
163    return 1;
164  }
165
166  if (!SSL_CTX_check_private_key(ctx)) {
167    fprintf(stderr, "Public and private keys don't match\n");
168    return 1;
169  }
170
171  if (client_cert)
172    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb);
173
174  if (session_tickets)
175    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
176
177  if (snap_start) {
178    static const unsigned char orbit[8] = {1, 2, 3, 4, 5, 6, 7, 8};
179    SSL_CTX_set_snap_start_orbit(ctx, orbit);
180  }
181
182  if (npn)
183    SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &npn_mispredict);
184
185  unsigned connection_limit = 1;
186  if (snap_start || session_tickets)
187    connection_limit = 2;
188  if (npn_mispredict)
189    connection_limit = 3;
190
191  for (unsigned connections = 0; connections < connection_limit;
192       connections++) {
193    const int fd = accept(3, NULL, NULL);
194
195    SSL* server = SSL_new(ctx);
196    BIO* bio = BIO_new_socket(fd, 1 /* take ownership of fd */);
197    SSL_set_bio(server, bio, bio);
198
199    if (fail_resume) {
200      SSL_set_session_id_context(server, (unsigned char*) &connections,
201                                 sizeof(connections));
202    }
203
204    int err;
205    for (;;) {
206      const int ret = SSL_accept(server);
207      if (ret == 1)
208        break;
209
210      err = SSL_get_error(server, ret);
211      if (err == SSL_ERROR_WANT_READ)
212        continue;
213      if (err == SSL_ERROR_SERVER_RANDOM_VALIDATION_PENDING && snap_start) {
214        SSL_set_suggested_server_random_validity(
215            server, !snap_start_recovery);
216        continue;
217      }
218      ERR_print_errors_fp(stderr);
219      fprintf(stderr, "SSL_accept failed: %d\n", err);
220      return 1;
221    }
222
223    if (sni && !sni_good) {
224      fprintf(stderr, "SNI failed\n");
225      return 1;
226    }
227
228    if (npn) {
229      const unsigned char *data, *expected_data;
230      unsigned len, expected_len;
231      SSL_get0_next_proto_negotiated(server, &data, &len);
232      if (!npn_mispredict || connections == 0) {
233        expected_data = (unsigned char*) "foo";
234        expected_len = 3;
235      } else {
236        expected_data = (unsigned char*) "baz";
237        expected_len = 3;
238      }
239      if (len != expected_len || memcmp(data, expected_data, len) != 0) {
240        fprintf(stderr, "Bad NPN: %d\n", len);
241        return 1;
242      }
243    }
244
245    unsigned char buffer[6];
246
247    int ret = SSL_read(server, buffer, sizeof(buffer));
248    if (ret == -1) {
249      err = SSL_get_error(server, ret);
250      ERR_print_errors_fp(stderr);
251      fprintf(stderr, "SSL_read failed: %d\n", err);
252    }
253    if (memcmp(buffer, "hello!", sizeof(buffer)) == 0) {
254      SSL_write(server, "goodbye!", 8);
255    }
256
257    SSL_shutdown(server);
258    SSL_shutdown(server);
259  }
260
261  SSL_CTX_free(ctx);
262
263  return 0;
264}
265