src/net/test/openssl_helper.cc - cobalt - Git at Google

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 // This helper binary is only used for testing Chrome's SSL stack.

 #include <sys/types.h>
 #include <sys/socket.h>

 #include <openssl/bio.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>

 static const char kDefaultPEMFile[] = "net/data/ssl/certificates/ok_cert.pem";

 // Server Name Indication callback from OpenSSL
 static int sni_cb(SSL *s, int *ad, void *arg) {
   const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
   if (servername && strcmp(servername, "test.example.com") == 0)
     *reinterpret_cast<bool*>(arg) = true;

   return SSL_TLSEXT_ERR_OK;
 }

 // Client certificate verification callback from OpenSSL
 static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) {
   return 1;
 }

 // Next Protocol Negotiation callback from OpenSSL
 static int next_proto_cb(SSL *ssl, const unsigned char **out,
                          unsigned int *outlen, void *arg) {
   bool* npn_mispredict = reinterpret_cast<bool*>(arg);
   static char kProtos[] = "\003foo\003bar";
   static char kProtos2[] = "\003baz\003boo";
   static unsigned count = 0;

   if (!*npn_mispredict || count == 0) {
     *out = (const unsigned char*) kProtos;
     *outlen = sizeof(kProtos) - 1;
   } else {
     *out = (const unsigned char*) kProtos2;
     *outlen = sizeof(kProtos2) - 1;
   }
   count++;
   return SSL_TLSEXT_ERR_OK;
 }

 int
 main(int argc, char **argv) {
   SSL_library_init();
   ERR_load_crypto_strings();
   OpenSSL_add_all_algorithms();
   SSL_load_error_strings();

   bool sni = false, sni_good = false, snap_start = false;
   bool snap_start_recovery = false, sslv3 = false, session_tickets = false;
   bool fail_resume = false, client_cert = false, npn = false;
   bool npn_mispredict = false;

   const char* key_file = kDefaultPEMFile;
   const char* cert_file = kDefaultPEMFile;

   for (int i = 1; i < argc; i++) {
     if (strcmp(argv[i], "sni") == 0) {
       // Require SNI
       sni = true;
     } else if (strcmp(argv[i], "snap-start") == 0) {
       // Support Snap Start
       snap_start = true;
     } else if (strcmp(argv[i], "snap-start-recovery") == 0) {
       // Support Snap Start, but always trigger a recovery
       snap_start = true;
       snap_start_recovery = true;
     } else if (strcmp(argv[i], "sslv3") == 0) {
       // Use SSLv3
       sslv3 = true;
     } else if (strcmp(argv[i], "session-tickets") == 0) {
       // Enable Session Tickets
       session_tickets = true;
     } else if (strcmp(argv[i], "fail-resume") == 0) {
       // Always fail to resume sessions
       fail_resume = true;
     } else if (strcmp(argv[i], "client-cert") == 0) {
       // Request a client certificate
       client_cert = true;
     } else if (strcmp(argv[i], "npn") == 0) {
       // Advertise NPN
       npn = true;
     } else if (strcmp(argv[i], "npn-mispredict") == 0) {
       // Advertise NPN
       npn = true;
       npn_mispredict = true;
     } else if (strcmp(argv[i], "--key-file") == 0) {
       // Use alternative key file
       i++;
       if (i == argc) {
         fprintf(stderr, "Missing argument to --key-file\n");
         return 1;
       }
       key_file = argv[i];
     } else if (strcmp(argv[i], "--cert-file") == 0) {
       // Use alternative certificate file
       i++;
       if (i == argc) {
         fprintf(stderr, "Missing argument to --cert-file\n");
         return 1;
       }
       cert_file = argv[i];
     } else {
       fprintf(stderr, "Unknown argument: %s\n", argv[i]);
       return 1;
     }
   }

   SSL_CTX* ctx;

   if (sslv3) {
     ctx = SSL_CTX_new(SSLv3_server_method());
   } else {
     ctx = SSL_CTX_new(TLSv1_server_method());
   }

   if (sni) {
     SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
     SSL_CTX_set_tlsext_servername_arg(ctx, &sni_good);
   }

   BIO* key = BIO_new(BIO_s_file());
   if (BIO_read_filename(key, key_file) <= 0) {
     fprintf(stderr, "Failed to read %s\n", key_file);
     return 1;
   }

   EVP_PKEY *pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL);
   if (!pkey) {
     fprintf(stderr, "Failed to parse %s\n", key_file);
     return 1;
   }
   BIO_free(key);


   BIO* cert = BIO_new(BIO_s_file());
   if (BIO_read_filename(cert, cert_file) <= 0) {
     fprintf(stderr, "Failed to read %s\n", cert_file);
     return 1;
   }

   X509 *pcert = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
   if (!pcert) {
     fprintf(stderr, "Failed to parse %s\n", cert_file);
     return 1;
   }
   BIO_free(cert);

   if (SSL_CTX_use_certificate(ctx, pcert) <= 0) {
     fprintf(stderr, "Failed to load %s\n", cert_file);
     return 1;
   }

   if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) {
     fprintf(stderr, "Failed to load %s\n", key_file);
     return 1;
   }

   if (!SSL_CTX_check_private_key(ctx)) {
     fprintf(stderr, "Public and private keys don't match\n");
     return 1;
   }

   if (client_cert)
     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb);

   if (session_tickets)
     SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);

   if (snap_start) {
     static const unsigned char orbit[8] = {1, 2, 3, 4, 5, 6, 7, 8};
     SSL_CTX_set_snap_start_orbit(ctx, orbit);
   }

   if (npn)
     SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &npn_mispredict);

   unsigned connection_limit = 1;
   if (snap_start || session_tickets)
     connection_limit = 2;
   if (npn_mispredict)
     connection_limit = 3;

   for (unsigned connections = 0; connections < connection_limit;
        connections++) {
     const int fd = accept(3, NULL, NULL);

     SSL* server = SSL_new(ctx);
     BIO* bio = BIO_new_socket(fd, 1 /* take ownership of fd */);
     SSL_set_bio(server, bio, bio);

     if (fail_resume) {
       SSL_set_session_id_context(server, (unsigned char*) &connections,
                                  sizeof(connections));
     }

     int err;
     for (;;) {
       const int ret = SSL_accept(server);
       if (ret == 1)
         break;

       err = SSL_get_error(server, ret);
       if (err == SSL_ERROR_WANT_READ)
         continue;
       if (err == SSL_ERROR_SERVER_RANDOM_VALIDATION_PENDING && snap_start) {
         SSL_set_suggested_server_random_validity(
             server, !snap_start_recovery);
         continue;
       }
       ERR_print_errors_fp(stderr);
       fprintf(stderr, "SSL_accept failed: %d\n", err);
       return 1;
     }

     if (sni && !sni_good) {
       fprintf(stderr, "SNI failed\n");
       return 1;
     }

     if (npn) {
       const unsigned char *data, *expected_data;
       unsigned len, expected_len;
       SSL_get0_next_proto_negotiated(server, &data, &len);
       if (!npn_mispredict || connections == 0) {
         expected_data = (unsigned char*) "foo";
         expected_len = 3;
       } else {
         expected_data = (unsigned char*) "baz";
         expected_len = 3;
       }
       if (len != expected_len || memcmp(data, expected_data, len) != 0) {
         fprintf(stderr, "Bad NPN: %d\n", len);
         return 1;
       }
     }

     unsigned char buffer[6];

     int ret = SSL_read(server, buffer, sizeof(buffer));
     if (ret == -1) {
       err = SSL_get_error(server, ret);
       ERR_print_errors_fp(stderr);
       fprintf(stderr, "SSL_read failed: %d\n", err);
     }
     if (memcmp(buffer, "hello!", sizeof(buffer)) == 0) {
       SSL_write(server, "goodbye!", 8);
     }

     SSL_shutdown(server);
     SSL_shutdown(server);
   }

   SSL_CTX_free(ctx);

   return 0;
 }
	// Copyright (c) 2010 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	// This helper binary is only used for testing Chrome's SSL stack.

	#include <sys/types.h>
	#include <sys/socket.h>

	#include <openssl/bio.h>
	#include <openssl/ssl.h>
	#include <openssl/err.h>

	static const char kDefaultPEMFile[] = "net/data/ssl/certificates/ok_cert.pem";

	// Server Name Indication callback from OpenSSL
	static int sni_cb(SSL s, int ad, void *arg) {
	const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
	if (servername && strcmp(servername, "test.example.com") == 0)
	reinterpret_cast<bool>(arg) = true;

	return SSL_TLSEXT_ERR_OK;
	}

	// Client certificate verification callback from OpenSSL
	static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) {
	return 1;
	}

	// Next Protocol Negotiation callback from OpenSSL
	static int next_proto_cb(SSL ssl, const unsigned char *out,
	unsigned int outlen, void arg) {
	bool* npn_mispredict = reinterpret_cast<bool*>(arg);
	static char kProtos[] = "\003foo\003bar";
	static char kProtos2[] = "\003baz\003boo";
	static unsigned count = 0;

	if (!*npn_mispredict \|\| count == 0) {
	out = (const unsigned char) kProtos;
	*outlen = sizeof(kProtos) - 1;
	} else {
	out = (const unsigned char) kProtos2;
	*outlen = sizeof(kProtos2) - 1;
	}
	count++;
	return SSL_TLSEXT_ERR_OK;
	}

	int
	main(int argc, char **argv) {
	SSL_library_init();
	ERR_load_crypto_strings();
	OpenSSL_add_all_algorithms();
	SSL_load_error_strings();

	bool sni = false, sni_good = false, snap_start = false;
	bool snap_start_recovery = false, sslv3 = false, session_tickets = false;
	bool fail_resume = false, client_cert = false, npn = false;
	bool npn_mispredict = false;

	const char* key_file = kDefaultPEMFile;
	const char* cert_file = kDefaultPEMFile;

	for (int i = 1; i < argc; i++) {
	if (strcmp(argv[i], "sni") == 0) {
	// Require SNI
	sni = true;
	} else if (strcmp(argv[i], "snap-start") == 0) {
	// Support Snap Start
	snap_start = true;
	} else if (strcmp(argv[i], "snap-start-recovery") == 0) {
	// Support Snap Start, but always trigger a recovery
	snap_start = true;
	snap_start_recovery = true;
	} else if (strcmp(argv[i], "sslv3") == 0) {
	// Use SSLv3
	sslv3 = true;
	} else if (strcmp(argv[i], "session-tickets") == 0) {
	// Enable Session Tickets
	session_tickets = true;
	} else if (strcmp(argv[i], "fail-resume") == 0) {
	// Always fail to resume sessions
	fail_resume = true;
	} else if (strcmp(argv[i], "client-cert") == 0) {
	// Request a client certificate
	client_cert = true;
	} else if (strcmp(argv[i], "npn") == 0) {
	// Advertise NPN
	npn = true;
	} else if (strcmp(argv[i], "npn-mispredict") == 0) {
	// Advertise NPN
	npn = true;
	npn_mispredict = true;
	} else if (strcmp(argv[i], "--key-file") == 0) {
	// Use alternative key file
	i++;
	if (i == argc) {
	fprintf(stderr, "Missing argument to --key-file\n");
	return 1;
	}
	key_file = argv[i];
	} else if (strcmp(argv[i], "--cert-file") == 0) {
	// Use alternative certificate file
	i++;
	if (i == argc) {
	fprintf(stderr, "Missing argument to --cert-file\n");
	return 1;
	}
	cert_file = argv[i];
	} else {
	fprintf(stderr, "Unknown argument: %s\n", argv[i]);
	return 1;
	}
	}

	SSL_CTX* ctx;

	if (sslv3) {
	ctx = SSL_CTX_new(SSLv3_server_method());
	} else {
	ctx = SSL_CTX_new(TLSv1_server_method());
	}

	if (sni) {
	SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
	SSL_CTX_set_tlsext_servername_arg(ctx, &sni_good);
	}

	BIO* key = BIO_new(BIO_s_file());
	if (BIO_read_filename(key, key_file) <= 0) {
	fprintf(stderr, "Failed to read %s\n", key_file);
	return 1;
	}

	EVP_PKEY *pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL);
	if (!pkey) {
	fprintf(stderr, "Failed to parse %s\n", key_file);
	return 1;
	}
	BIO_free(key);


	BIO* cert = BIO_new(BIO_s_file());
	if (BIO_read_filename(cert, cert_file) <= 0) {
	fprintf(stderr, "Failed to read %s\n", cert_file);
	return 1;
	}

	X509 *pcert = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
	if (!pcert) {
	fprintf(stderr, "Failed to parse %s\n", cert_file);
	return 1;
	}
	BIO_free(cert);

	if (SSL_CTX_use_certificate(ctx, pcert) <= 0) {
	fprintf(stderr, "Failed to load %s\n", cert_file);
	return 1;
	}

	if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) {
	fprintf(stderr, "Failed to load %s\n", key_file);
	return 1;
	}

	if (!SSL_CTX_check_private_key(ctx)) {
	fprintf(stderr, "Public and private keys don't match\n");
	return 1;
	}

	if (client_cert)
	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb);

	if (session_tickets)
	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);

	if (snap_start) {
	static const unsigned char orbit[8] = {1, 2, 3, 4, 5, 6, 7, 8};
	SSL_CTX_set_snap_start_orbit(ctx, orbit);
	}

	if (npn)
	SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &npn_mispredict);

	unsigned connection_limit = 1;
	if (snap_start \|\| session_tickets)
	connection_limit = 2;
	if (npn_mispredict)
	connection_limit = 3;

	for (unsigned connections = 0; connections < connection_limit;
	connections++) {
	const int fd = accept(3, NULL, NULL);

	SSL* server = SSL_new(ctx);
	BIO* bio = BIO_new_socket(fd, 1 /* take ownership of fd */);
	SSL_set_bio(server, bio, bio);

	if (fail_resume) {
	SSL_set_session_id_context(server, (unsigned char*) &connections,
	sizeof(connections));
	}

	int err;
	for (;;) {
	const int ret = SSL_accept(server);
	if (ret == 1)
	break;

	err = SSL_get_error(server, ret);
	if (err == SSL_ERROR_WANT_READ)
	continue;
	if (err == SSL_ERROR_SERVER_RANDOM_VALIDATION_PENDING && snap_start) {
	SSL_set_suggested_server_random_validity(
	server, !snap_start_recovery);
	continue;
	}
	ERR_print_errors_fp(stderr);
	fprintf(stderr, "SSL_accept failed: %d\n", err);
	return 1;
	}

	if (sni && !sni_good) {
	fprintf(stderr, "SNI failed\n");
	return 1;
	}

	if (npn) {
	const unsigned char data, expected_data;
	unsigned len, expected_len;
	SSL_get0_next_proto_negotiated(server, &data, &len);
	if (!npn_mispredict \|\| connections == 0) {
	expected_data = (unsigned char*) "foo";
	expected_len = 3;
	} else {
	expected_data = (unsigned char*) "baz";
	expected_len = 3;
	}
	if (len != expected_len \|\| memcmp(data, expected_data, len) != 0) {
	fprintf(stderr, "Bad NPN: %d\n", len);
	return 1;
	}
	}

	unsigned char buffer[6];

	int ret = SSL_read(server, buffer, sizeof(buffer));
	if (ret == -1) {
	err = SSL_get_error(server, ret);
	ERR_print_errors_fp(stderr);
	fprintf(stderr, "SSL_read failed: %d\n", err);
	}
	if (memcmp(buffer, "hello!", sizeof(buffer)) == 0) {
	SSL_write(server, "goodbye!", 8);
	}

	SSL_shutdown(server);
	SSL_shutdown(server);
	}

	SSL_CTX_free(ctx);

	return 0;
	}