net/test/openssl_helper.cc - Issue 4524003: net: add Snap Start tests

Side by Side Diff: net/test/openssl_helper.cc

Issue 4524003: net: add Snap Start tests (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: ... Created 10 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 // This helper binary is only used for testing Chrome's SSL stack.

	6

	7 #include <sys/types.h>
	Mike Belshe 2010/11/08 16:41:10 nit: This is clearly going to be linux/mac only.. nit: This is clearly going to be linux/mac only...
	8 #include <sys/socket.h>

	9

	10 #include <openssl/bio.h>

	11 #include <openssl/ssl.h>

	12 #include <openssl/err.h>

	13

	14 static const char kDefaultPEMFile[] = "net/data/ssl/certificates/ok_cert.pem";

	15

	16 // Server Name Indication callback from OpenSSL

	17 static int sni_cb(SSL s, int ad, void *arg) {

	18 const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);

	19 if (servername && strcmp(servername, "test.example.com") == 0)

	20 reinterpret_cast<bool>(arg) = true;

	21

	22 return SSL_TLSEXT_ERR_OK;

	23 }

	24

	25 // Client certificate verification callback from OpenSSL

	26 static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) {

	27 return 1;

	28 }

	29

	30 // Next Protocol Negotiation callback from OpenSSL

	31 static int next_proto_cb(SSL ssl, const unsigned char *out,

	32 unsigned int outlen, void arg) {

	33 static char kProtos[] = "\003foo\003bar";

	34 out = (const unsigned char) kProtos;

	35 *outlen = sizeof(kProtos) - 1;

	36 return SSL_TLSEXT_ERR_OK;

	37 }

	38

	39 int

	40 main(int argc, char **argv) {

	41 SSL_library_init();

	42 ERR_load_crypto_strings();

	43 OpenSSL_add_all_algorithms();

	44 SSL_load_error_strings();

	45

	46 bool sni = false, sni_good = false, snap_start = false;

	47 bool snap_start_recovery = false, sslv3 = false, session_tickets = false;

	48 bool fail_resume = false, client_cert = false, npn = false;

	49

	50 const char* key_file = kDefaultPEMFile;

	51 const char* cert_file = kDefaultPEMFile;

	52

	53 for (int i = 1; i < argc; i++) {

	54 if (strcmp(argv[i], "sni") == 0) {

	55 // Require SNI

	56 sni = true;

	57 } else if (strcmp(argv[i], "snap-start") == 0) {

	58 // Support Snap Start

	59 snap_start = true;

	60 } else if (strcmp(argv[i], "snap-start-recovery") == 0) {

	61 // Support Snap Start, but always trigger a recovery

	62 snap_start = true;

	63 snap_start_recovery = true;

	64 } else if (strcmp(argv[i], "sslv3") == 0) {

	65 // Use SSLv3

	66 sslv3 = true;

	67 } else if (strcmp(argv[i], "session-tickets") == 0) {

	68 // Enable Session Tickets

	69 session_tickets = true;

	70 } else if (strcmp(argv[i], "fail-resume") == 0) {

	71 // Always fail to resume sessions

	72 fail_resume = true;

	73 } else if (strcmp(argv[i], "client-cert") == 0) {

	74 // Request a client certificate

	75 client_cert = true;

	76 } else if (strcmp(argv[i], "npn") == 0) {

	77 // Advertise NPN

	78 npn = true;

	79 } else if (strcmp(argv[i], "--key-file") == 0) {

	80 // Use alternative key file

	81 i++;

	82 if (i == argc) {

	83 fprintf(stderr, "Missing argument to --key-file\n");

	84 return 1;

	85 }

	86 key_file = argv[i];

	87 } else if (strcmp(argv[i], "--cert-file") == 0) {

	88 // Use alternative certificate file

	89 i++;

	90 if (i == argc) {

	91 fprintf(stderr, "Missing argument to --cert-file\n");

	92 return 1;

	93 }

	94 cert_file = argv[i];

	95 } else {

	96 fprintf(stderr, "Unknown argument: %s\n", argv[i]);

	97 return 1;

	98 }

	99 }

	100

	101 SSL_CTX* ctx;

	102

	103 if (sslv3) {

	104 ctx = SSL_CTX_new(SSLv3_server_method());

	105 } else {

	106 ctx = SSL_CTX_new(TLSv1_server_method());

	107 }

	108

	109 if (sni) {

	110 SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);

	111 SSL_CTX_set_tlsext_servername_arg(ctx, &sni_good);

	112 }

	113

	114 BIO* key = BIO_new(BIO_s_file());

	115 if (BIO_read_filename(key, key_file) <= 0) {

	116 fprintf(stderr, "Failed to read %s\n", key_file);

	117 return 1;

	118 }

	119

	120 EVP_PKEY *pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL);

	121 if (!pkey) {

	122 fprintf(stderr, "Failed to parse %s\n", key_file);

	123 return 1;

	124 }

	125 BIO_free(key);

	126

	127

	128 BIO* cert = BIO_new(BIO_s_file());

	129 if (BIO_read_filename(cert, cert_file) <= 0) {

	130 fprintf(stderr, "Failed to read %s\n", cert_file);

	131 return 1;

	132 }

	133

	134 X509 *pcert = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);

	135 if (!pcert) {

	136 fprintf(stderr, "Failed to parse %s\n", cert_file);

	137 return 1;

	138 }

	139 BIO_free(cert);

	140

	141 if (SSL_CTX_use_certificate(ctx, pcert) <= 0) {

	142 fprintf(stderr, "Failed to load %s\n", cert_file);

	143 return 1;

	144 }

	145

	146 if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) {

	147 fprintf(stderr, "Failed to load %s\n", key_file);

	148 return 1;

	149 }

	150

	151 if (!SSL_CTX_check_private_key(ctx)) {

	152 fprintf(stderr, "Public and private keys don't match\n");

	153 return 1;

	154 }

	155

	156 if (client_cert)

	157 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb);

	158

	159 if (session_tickets)

	160 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);

	161

	162 if (snap_start) {

	163 static const unsigned char orbit[8] = {1, 2, 3, 4, 5, 6, 7, 8};

	164 SSL_CTX_set_snap_start_orbit(ctx, orbit);

	165 }

	166

	167 if (npn)

	168 SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, NULL);

	169

	170 unsigned connection_limit = 1;

	171 if (snap_start \|\| session_tickets)

	172 connection_limit = 2;

	173

	174 for (unsigned connections = 0; connections < connection_limit;

	175 connections++) {

	176 const int fd = accept(3, NULL, NULL);

	177

	178 SSL* server = SSL_new(ctx);

	179 BIO* bio = BIO_new_socket(fd, 1 /* take ownership of fd */);

	180 SSL_set_bio(server, bio, bio);

	181

	182 if (fail_resume) {

	183 SSL_set_session_id_context(server, (unsigned char*) &connections,

	184 sizeof(connections));

	185 }

	186

	187 int err;

	188 for (;;) {

	189 const int ret = SSL_accept(server);

	190 if (ret != 1) {
	Paweł Hajdan Jr. 2010/11/08 16:55:33 nit: Simpler: if (ret == 1) break; ... nit: Simpler: if (ret == 1) break; ...
	191 err = SSL_get_error(server, ret);

	192 if (err == SSL_ERROR_WANT_READ)

	193 continue;

	194 if (err == SSL_ERROR_SERVER_RANDOM_VALIDATION_PENDING && snap_start) {

	195 SSL_set_suggested_server_random_validity(

	196 server, !snap_start_recovery);

	197 continue;

	198 }

	199 ERR_print_errors_fp(stderr);

	200 fprintf(stderr, "SSL_accept failed: %d\n", err);

	201 return 1;

	202 } else {

	203 break;

	204 }

	205 }

	206

	207 if (sni && !sni_good) {

	208 fprintf(stderr, "SNI failed\n");

	209 return 1;

	210 }

	211

	212 if (npn) {

	213 const unsigned char *data;

	214 unsigned len;

	215 SSL_get0_next_proto_negotiated(server, &data, &len);

	216 if (len != 3 \|\| memcmp(data, "bar", 3) != 0) {

	217 fprintf(stderr, "Bad NPN: %d\n", len);

	218 return 1;

	219 }

	220 }

	221

	222 unsigned char buffer[6];

	223

	224 int ret = SSL_read(server, buffer, sizeof(buffer));

	225 if (ret == -1) {

	226 err = SSL_get_error(server, ret);

	227 ERR_print_errors_fp(stderr);

	228 fprintf(stderr, "SSL_read failed: %d\n", err);

	229 }

	230 if (memcmp(buffer, "hello!", sizeof(buffer)) == 0) {

	231 SSL_write(server, "goodbye!", 8);

	232 }

	233

	234 SSL_shutdown(server);

	235 SSL_shutdown(server);

	236 }

	237

	238 SSL_CTX_free(ctx);

	239

	240 return 0;

	241 }

OLD	NEW

« net/socket/ssl_client_socket_snapstart_unittest.cc ('K') | « net/socket/ssl_client_socket_snapstart_unittest.cc ('k') | no next file » | no next file with comments »