search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Roll ANGLE DEPS.
[chromium-blink-merge.git] / net / test / openssl_helper.cc
blob25989cb60166607e0f67e01e176df506b0a2e157
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // This helper binary is only used for testing Chrome's SSL stack.
6
7 #include <sys/types.h>
8 #include <sys/socket.h>
9
10 #include <openssl/bio.h>
11 #include <openssl/ssl.h>
12 #include <openssl/err.h>
13
14 static const char kDefaultPEMFile[] = "net/data/ssl/certificates/ok_cert.pem";
15
16 // Server Name Indication callback from OpenSSL
17 static int sni_cb(SSL *s, int *ad, void *arg) {
18 const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
19 if (servername && strcmp(servername, "test.example.com") == 0)
20 *reinterpret_cast<bool*>(arg) = true;
21
22 return SSL_TLSEXT_ERR_OK;
23 }
24
25 // Client certificate verification callback from OpenSSL
26 static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) {
27 return 1;
28 }
29
30 // Next Protocol Negotiation callback from OpenSSL
31 static int next_proto_cb(SSL *ssl, const unsigned char **out,
32 unsigned int *outlen, void *arg) {
33 bool* npn_mispredict = reinterpret_cast<bool*>(arg);
34 static char kProtos[] = "\003foo\003bar";
35 static char kProtos2[] = "\003baz\003boo";
36 static unsigned count = 0;
37
38 if (!*npn_mispredict || count == 0) {
39 *out = (const unsigned char*) kProtos;
40 *outlen = sizeof(kProtos) - 1;
41 } else {
42 *out = (const unsigned char*) kProtos2;
43 *outlen = sizeof(kProtos2) - 1;
44 }
45 count++;
46 return SSL_TLSEXT_ERR_OK;
47 }
48
49 int
50 main(int argc, char **argv) {
51 SSL_library_init();
52 ERR_load_crypto_strings();
53 OpenSSL_add_all_algorithms();
54 SSL_load_error_strings();
55
56 bool sni = false, sni_good = false, snap_start = false;
57 bool snap_start_recovery = false, sslv3 = false, session_tickets = false;
58 bool fail_resume = false, client_cert = false, npn = false;
59 bool npn_mispredict = false;
60
61 const char* key_file = kDefaultPEMFile;
62 const char* cert_file = kDefaultPEMFile;
63
64 for (int i = 1; i < argc; i++) {
65 if (strcmp(argv[i], "sni") == 0) {
66 // Require SNI
67 sni = true;
68 } else if (strcmp(argv[i], "snap-start") == 0) {
69 // Support Snap Start
70 snap_start = true;
71 } else if (strcmp(argv[i], "snap-start-recovery") == 0) {
72 // Support Snap Start, but always trigger a recovery
73 snap_start = true;
74 snap_start_recovery = true;
75 } else if (strcmp(argv[i], "sslv3") == 0) {
76 // Use SSLv3
77 sslv3 = true;
78 } else if (strcmp(argv[i], "session-tickets") == 0) {
79 // Enable Session Tickets
80 session_tickets = true;
81 } else if (strcmp(argv[i], "fail-resume") == 0) {
82 // Always fail to resume sessions
83 fail_resume = true;
84 } else if (strcmp(argv[i], "client-cert") == 0) {
85 // Request a client certificate
86 client_cert = true;
87 } else if (strcmp(argv[i], "npn") == 0) {
88 // Advertise NPN
89 npn = true;
90 } else if (strcmp(argv[i], "npn-mispredict") == 0) {
91 // Advertise NPN
92 npn = true;
93 npn_mispredict = true;
94 } else if (strcmp(argv[i], "--key-file") == 0) {
95 // Use alternative key file
96 i++;
97 if (i == argc) {
98 fprintf(stderr, "Missing argument to --key-file\n");
99 return 1;
100 }
101 key_file = argv[i];
102 } else if (strcmp(argv[i], "--cert-file") == 0) {
103 // Use alternative certificate file
104 i++;
105 if (i == argc) {
106 fprintf(stderr, "Missing argument to --cert-file\n");
107 return 1;
108 }
109 cert_file = argv[i];
110 } else {
111 fprintf(stderr, "Unknown argument: %s\n", argv[i]);
112 return 1;
113 }
114 }
115
116 SSL_CTX* ctx;
117
118 if (sslv3) {
119 ctx = SSL_CTX_new(SSLv3_server_method());
120 } else {
121 ctx = SSL_CTX_new(TLSv1_server_method());
122 }
123
124 if (sni) {
125 SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
126 SSL_CTX_set_tlsext_servername_arg(ctx, &sni_good);
127 }
128
129 BIO* key = BIO_new(BIO_s_file());
130 if (BIO_read_filename(key, key_file) <= 0) {
131 fprintf(stderr, "Failed to read %s\n", key_file);
132 return 1;
133 }
134
135 EVP_PKEY *pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL);
136 if (!pkey) {
137 fprintf(stderr, "Failed to parse %s\n", key_file);
138 return 1;
139 }
140 BIO_free(key);
141
142
143 BIO* cert = BIO_new(BIO_s_file());
144 if (BIO_read_filename(cert, cert_file) <= 0) {
145 fprintf(stderr, "Failed to read %s\n", cert_file);
146 return 1;
147 }
148
149 X509 *pcert = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
150 if (!pcert) {
151 fprintf(stderr, "Failed to parse %s\n", cert_file);
152 return 1;
153 }
154 BIO_free(cert);
155
156 if (SSL_CTX_use_certificate(ctx, pcert) <= 0) {
157 fprintf(stderr, "Failed to load %s\n", cert_file);
158 return 1;
159 }
160
161 if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) {
162 fprintf(stderr, "Failed to load %s\n", key_file);
163 return 1;
164 }
165
166 if (!SSL_CTX_check_private_key(ctx)) {
167 fprintf(stderr, "Public and private keys don't match\n");
168 return 1;
169 }
170
171 if (client_cert)
172 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb);
173
174 if (session_tickets)
175 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
176
177 if (snap_start) {
178 static const unsigned char orbit[8] = {1, 2, 3, 4, 5, 6, 7, 8};
179 SSL_CTX_set_snap_start_orbit(ctx, orbit);
180 }
181
182 if (npn)
183 SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &npn_mispredict);
184
185 unsigned connection_limit = 1;
186 if (snap_start || session_tickets)
187 connection_limit = 2;
188 if (npn_mispredict)
189 connection_limit = 3;
190
191 for (unsigned connections = 0; connections < connection_limit;
192 connections++) {
193 const int fd = accept(3, NULL, NULL);
194
195 SSL* server = SSL_new(ctx);
196 BIO* bio = BIO_new_socket(fd, 1 /* take ownership of fd */);
197 SSL_set_bio(server, bio, bio);
198
199 if (fail_resume) {
200 SSL_set_session_id_context(server, (unsigned char*) &connections,
201 sizeof(connections));
202 }
203
204 int err;
205 for (;;) {
206 const int ret = SSL_accept(server);
207 if (ret == 1)
208 break;
209
210 err = SSL_get_error(server, ret);
211 if (err == SSL_ERROR_WANT_READ)
212 continue;
213 if (err == SSL_ERROR_SERVER_RANDOM_VALIDATION_PENDING && snap_start) {
214 SSL_set_suggested_server_random_validity(
215 server, !snap_start_recovery);
216 continue;
217 }
218 ERR_print_errors_fp(stderr);
219 fprintf(stderr, "SSL_accept failed: %d\n", err);
220 return 1;
221 }
222
223 if (sni && !sni_good) {
224 fprintf(stderr, "SNI failed\n");
225 return 1;
226 }
227
228 if (npn) {
229 const unsigned char *data, *expected_data;
230 unsigned len, expected_len;
231 SSL_get0_next_proto_negotiated(server, &data, &len);
232 if (!npn_mispredict || connections == 0) {
233 expected_data = (unsigned char*) "foo";
234 expected_len = 3;
235 } else {
236 expected_data = (unsigned char*) "baz";
237 expected_len = 3;
238 }
239 if (len != expected_len || memcmp(data, expected_data, len) != 0) {
240 fprintf(stderr, "Bad NPN: %d\n", len);
241 return 1;
242 }
243 }
244
245 unsigned char buffer[6];
246
247 int ret = SSL_read(server, buffer, sizeof(buffer));
248 if (ret == -1) {
249 err = SSL_get_error(server, ret);
250 ERR_print_errors_fp(stderr);
251 fprintf(stderr, "SSL_read failed: %d\n", err);
252 }
253 if (memcmp(buffer, "hello!", sizeof(buffer)) == 0) {
254 SSL_write(server, "goodbye!", 8);
255 }
256
257 SSL_shutdown(server);
258 SSL_shutdown(server);
259 }
260
261 SSL_CTX_free(ctx);
262
263 return 0;
264 }