1// Copyright (c) 2010 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5// This helper binary is only used for testing Chrome's SSL stack. 6 7#include <sys/types.h> 8#include <sys/socket.h> 9 10#include <openssl/bio.h> 11#include <openssl/ssl.h> 12#include <openssl/err.h> 13 14static const char kDefaultPEMFile[] = "net/data/ssl/certificates/ok_cert.pem"; 15 16// Server Name Indication callback from OpenSSL 17static int sni_cb(SSL *s, int *ad, void *arg) { 18 const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 19 if (servername && strcmp(servername, "test.example.com") == 0) 20 *reinterpret_cast<bool*>(arg) = true; 21 22 return SSL_TLSEXT_ERR_OK; 23} 24 25// Client certificate verification callback from OpenSSL 26static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) { 27 return 1; 28} 29 30// Next Protocol Negotiation callback from OpenSSL 31static int next_proto_cb(SSL *ssl, const unsigned char **out, 32 unsigned int *outlen, void *arg) { 33 bool* npn_mispredict = reinterpret_cast<bool*>(arg); 34 static char kProtos[] = "\003foo\003bar"; 35 static char kProtos2[] = "\003baz\003boo"; 36 static unsigned count = 0; 37 38 if (!*npn_mispredict || count == 0) { 39 *out = (const unsigned char*) kProtos; 40 *outlen = sizeof(kProtos) - 1; 41 } else { 42 *out = (const unsigned char*) kProtos2; 43 *outlen = sizeof(kProtos2) - 1; 44 } 45 count++; 46 return SSL_TLSEXT_ERR_OK; 47} 48 49int 50main(int argc, char **argv) { 51 SSL_library_init(); 52 ERR_load_crypto_strings(); 53 OpenSSL_add_all_algorithms(); 54 SSL_load_error_strings(); 55 56 bool sni = false, sni_good = false, snap_start = false; 57 bool snap_start_recovery = false, sslv3 = false, session_tickets = false; 58 bool fail_resume = false, client_cert = false, npn = false; 59 bool npn_mispredict = false; 60 61 const char* key_file = kDefaultPEMFile; 62 const char* cert_file = kDefaultPEMFile; 63 64 for (int i = 1; i < argc; i++) { 65 if (strcmp(argv[i], "sni") == 0) { 66 // Require SNI 67 sni = true; 68 } else if (strcmp(argv[i], "snap-start") == 0) { 69 // Support Snap Start 70 snap_start = true; 71 } else if (strcmp(argv[i], "snap-start-recovery") == 0) { 72 // Support Snap Start, but always trigger a recovery 73 snap_start = true; 74 snap_start_recovery = true; 75 } else if (strcmp(argv[i], "sslv3") == 0) { 76 // Use SSLv3 77 sslv3 = true; 78 } else if (strcmp(argv[i], "session-tickets") == 0) { 79 // Enable Session Tickets 80 session_tickets = true; 81 } else if (strcmp(argv[i], "fail-resume") == 0) { 82 // Always fail to resume sessions 83 fail_resume = true; 84 } else if (strcmp(argv[i], "client-cert") == 0) { 85 // Request a client certificate 86 client_cert = true; 87 } else if (strcmp(argv[i], "npn") == 0) { 88 // Advertise NPN 89 npn = true; 90 } else if (strcmp(argv[i], "npn-mispredict") == 0) { 91 // Advertise NPN 92 npn = true; 93 npn_mispredict = true; 94 } else if (strcmp(argv[i], "--key-file") == 0) { 95 // Use alternative key file 96 i++; 97 if (i == argc) { 98 fprintf(stderr, "Missing argument to --key-file\n"); 99 return 1; 100 } 101 key_file = argv[i]; 102 } else if (strcmp(argv[i], "--cert-file") == 0) { 103 // Use alternative certificate file 104 i++; 105 if (i == argc) { 106 fprintf(stderr, "Missing argument to --cert-file\n"); 107 return 1; 108 } 109 cert_file = argv[i]; 110 } else { 111 fprintf(stderr, "Unknown argument: %s\n", argv[i]); 112 return 1; 113 } 114 } 115 116 SSL_CTX* ctx; 117 118 if (sslv3) { 119 ctx = SSL_CTX_new(SSLv3_server_method()); 120 } else { 121 ctx = SSL_CTX_new(TLSv1_server_method()); 122 } 123 124 if (sni) { 125 SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb); 126 SSL_CTX_set_tlsext_servername_arg(ctx, &sni_good); 127 } 128 129 BIO* key = BIO_new(BIO_s_file()); 130 if (BIO_read_filename(key, key_file) <= 0) { 131 fprintf(stderr, "Failed to read %s\n", key_file); 132 return 1; 133 } 134 135 EVP_PKEY *pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL); 136 if (!pkey) { 137 fprintf(stderr, "Failed to parse %s\n", key_file); 138 return 1; 139 } 140 BIO_free(key); 141 142 143 BIO* cert = BIO_new(BIO_s_file()); 144 if (BIO_read_filename(cert, cert_file) <= 0) { 145 fprintf(stderr, "Failed to read %s\n", cert_file); 146 return 1; 147 } 148 149 X509 *pcert = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL); 150 if (!pcert) { 151 fprintf(stderr, "Failed to parse %s\n", cert_file); 152 return 1; 153 } 154 BIO_free(cert); 155 156 if (SSL_CTX_use_certificate(ctx, pcert) <= 0) { 157 fprintf(stderr, "Failed to load %s\n", cert_file); 158 return 1; 159 } 160 161 if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) { 162 fprintf(stderr, "Failed to load %s\n", key_file); 163 return 1; 164 } 165 166 if (!SSL_CTX_check_private_key(ctx)) { 167 fprintf(stderr, "Public and private keys don't match\n"); 168 return 1; 169 } 170 171 if (client_cert) 172 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb); 173 174 if (session_tickets) 175 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH); 176 177 if (snap_start) { 178 static const unsigned char orbit[8] = {1, 2, 3, 4, 5, 6, 7, 8}; 179 SSL_CTX_set_snap_start_orbit(ctx, orbit); 180 } 181 182 if (npn) 183 SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &npn_mispredict); 184 185 unsigned connection_limit = 1; 186 if (snap_start || session_tickets) 187 connection_limit = 2; 188 if (npn_mispredict) 189 connection_limit = 3; 190 191 for (unsigned connections = 0; connections < connection_limit; 192 connections++) { 193 const int fd = accept(3, NULL, NULL); 194 195 SSL* server = SSL_new(ctx); 196 BIO* bio = BIO_new_socket(fd, 1 /* take ownership of fd */); 197 SSL_set_bio(server, bio, bio); 198 199 if (fail_resume) { 200 SSL_set_session_id_context(server, (unsigned char*) &connections, 201 sizeof(connections)); 202 } 203 204 int err; 205 for (;;) { 206 const int ret = SSL_accept(server); 207 if (ret == 1) 208 break; 209 210 err = SSL_get_error(server, ret); 211 if (err == SSL_ERROR_WANT_READ) 212 continue; 213 if (err == SSL_ERROR_SERVER_RANDOM_VALIDATION_PENDING && snap_start) { 214 SSL_set_suggested_server_random_validity( 215 server, !snap_start_recovery); 216 continue; 217 } 218 ERR_print_errors_fp(stderr); 219 fprintf(stderr, "SSL_accept failed: %d\n", err); 220 return 1; 221 } 222 223 if (sni && !sni_good) { 224 fprintf(stderr, "SNI failed\n"); 225 return 1; 226 } 227 228 if (npn) { 229 const unsigned char *data, *expected_data; 230 unsigned len, expected_len; 231 SSL_get0_next_proto_negotiated(server, &data, &len); 232 if (!npn_mispredict || connections == 0) { 233 expected_data = (unsigned char*) "foo"; 234 expected_len = 3; 235 } else { 236 expected_data = (unsigned char*) "baz"; 237 expected_len = 3; 238 } 239 if (len != expected_len || memcmp(data, expected_data, len) != 0) { 240 fprintf(stderr, "Bad NPN: %d\n", len); 241 return 1; 242 } 243 } 244 245 unsigned char buffer[6]; 246 247 int ret = SSL_read(server, buffer, sizeof(buffer)); 248 if (ret == -1) { 249 err = SSL_get_error(server, ret); 250 ERR_print_errors_fp(stderr); 251 fprintf(stderr, "SSL_read failed: %d\n", err); 252 } 253 if (memcmp(buffer, "hello!", sizeof(buffer)) == 0) { 254 SSL_write(server, "goodbye!", 8); 255 } 256 257 SSL_shutdown(server); 258 SSL_shutdown(server); 259 } 260 261 SSL_CTX_free(ctx); 262 263 return 0; 264} 265