regress_ssl.c revision 1.2.12.2
1 /* $NetBSD: regress_ssl.c,v 1.2.12.2 2015/01/07 12:13:38 msaitoh Exp $ */ 2 3 /* 4 * Copyright (c) 2009-2012 Niels Provos and Nick Mathewson 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 // Get rid of OSX 10.7 and greater deprecation warnings. 30 #if defined(__APPLE__) && defined(__clang__) 31 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 32 #endif 33 34 #ifdef _WIN32 35 #include <winsock2.h> 36 #include <windows.h> 37 #endif 38 39 #ifndef _WIN32 40 #include <sys/types.h> 41 #include <sys/socket.h> 42 #include <netinet/in.h> 43 #endif 44 45 #include "event2/util.h" 46 #include "event2/event.h" 47 #include "event2/bufferevent_ssl.h" 48 #include "event2/buffer.h" 49 #include "event2/listener.h" 50 51 #include "regress.h" 52 #include "tinytest.h" 53 #include "tinytest_macros.h" 54 55 #include <openssl/ssl.h> 56 #include <openssl/bio.h> 57 #include <openssl/err.h> 58 #include <openssl/pem.h> 59 60 #include <string.h> 61 62 /* A short pre-generated key, to save the cost of doing an RSA key generation 63 * step during the unit tests. It's only 512 bits long, and it is published 64 * in this file, so you would have to be very foolish to consider using it in 65 * your own code. */ 66 static const char KEY[] = 67 "-----BEGIN RSA PRIVATE KEY-----\n" 68 "MIIBOgIBAAJBAKibTEzXjj+sqpipePX1lEk5BNFuL/dDBbw8QCXgaJWikOiKHeJq\n" 69 "3FQ0OmCnmpkdsPFE4x3ojYmmdgE2i0dJwq0CAwEAAQJAZ08gpUS+qE1IClps/2gG\n" 70 "AAer6Bc31K2AaiIQvCSQcH440cp062QtWMC3V5sEoWmdLsbAHFH26/9ZHn5zAflp\n" 71 "gQIhANWOx/UYeR8HD0WREU5kcuSzgzNLwUErHLzxP7U6aojpAiEAyh2H35CjN/P7\n" 72 "NhcZ4QYw3PeUWpqgJnaE/4i80BSYkSUCIQDLHFhLYLJZ80HwHTADif/ISn9/Ow6b\n" 73 "p6BWh3DbMar/eQIgBPS6azH5vpp983KXkNv9AL4VZi9ac/b+BeINdzC6GP0CIDmB\n" 74 "U6GFEQTZ3IfuiVabG5pummdC4DNbcdI+WKrSFNmQ\n" 75 "-----END RSA PRIVATE KEY-----\n"; 76 77 static EVP_PKEY * 78 getkey(void) 79 { 80 EVP_PKEY *key; 81 BIO *bio; 82 83 /* new read-only BIO backed by KEY. */ 84 bio = BIO_new_mem_buf((char*)KEY, -1); 85 tt_assert(bio); 86 87 key = PEM_read_bio_PrivateKey(bio,NULL,NULL,NULL); 88 BIO_free(bio); 89 tt_assert(key); 90 91 return key; 92 end: 93 return NULL; 94 } 95 96 static X509 * 97 getcert(void) 98 { 99 /* Dummy code to make a quick-and-dirty valid certificate with 100 OpenSSL. Don't copy this code into your own program! It does a 101 number of things in a stupid and insecure way. */ 102 X509 *x509 = NULL; 103 X509_NAME *name = NULL; 104 EVP_PKEY *key = getkey(); 105 int nid; 106 time_t now = time(NULL); 107 108 tt_assert(key); 109 110 x509 = X509_new(); 111 tt_assert(x509); 112 tt_assert(0 != X509_set_version(x509, 2)); 113 tt_assert(0 != ASN1_INTEGER_set(X509_get_serialNumber(x509), 114 (long)now)); 115 116 name = X509_NAME_new(); 117 tt_assert(name); 118 nid = OBJ_txt2nid("commonName"); 119 tt_assert(NID_undef != nid); 120 tt_assert(0 != X509_NAME_add_entry_by_NID( 121 name, nid, MBSTRING_ASC, (unsigned char*)"example.com", 122 -1, -1, 0)); 123 124 X509_set_subject_name(x509, name); 125 X509_set_issuer_name(x509, name); 126 127 X509_time_adj(X509_get_notBefore(x509), 0, &now); 128 now += 3600; 129 X509_time_adj(X509_get_notAfter(x509), 0, &now); 130 X509_set_pubkey(x509, key); 131 tt_assert(0 != X509_sign(x509, key, EVP_sha1())); 132 133 return x509; 134 end: 135 X509_free(x509); 136 return NULL; 137 } 138 139 static int disable_tls_11_and_12 = 0; 140 static SSL_CTX *the_ssl_ctx = NULL; 141 142 static SSL_CTX * 143 get_ssl_ctx(void) 144 { 145 if (the_ssl_ctx) 146 return the_ssl_ctx; 147 the_ssl_ctx = SSL_CTX_new(SSLv23_method()); 148 if (!the_ssl_ctx) 149 return NULL; 150 if (disable_tls_11_and_12) { 151 #ifdef SSL_OP_NO_TLSv1_2 152 SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_2); 153 #endif 154 #ifdef SSL_OP_NO_TLSv1_1 155 SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_1); 156 #endif 157 } 158 return the_ssl_ctx; 159 } 160 161 static void 162 init_ssl(void) 163 { 164 SSL_library_init(); 165 ERR_load_crypto_strings(); 166 SSL_load_error_strings(); 167 OpenSSL_add_all_algorithms(); 168 if (SSLeay() != OPENSSL_VERSION_NUMBER) { 169 TT_DECLARE("WARN", ("Version mismatch for openssl: compiled with %lx but running with %lx", (unsigned long)OPENSSL_VERSION_NUMBER, (unsigned long) SSLeay())); 170 } 171 } 172 173 /* ==================== 174 Here's a simple test: we read a number from the input, increment it, and 175 reply, until we get to 1001. 176 */ 177 178 static int test_is_done = 0; 179 static int n_connected = 0; 180 static int got_close = 0; 181 static int got_error = 0; 182 static int renegotiate_at = -1; 183 static int stop_when_connected = 0; 184 static int pending_connect_events = 0; 185 static struct event_base *exit_base = NULL; 186 187 static void 188 respond_to_number(struct bufferevent *bev, void *ctx) 189 { 190 struct evbuffer *b = bufferevent_get_input(bev); 191 char *line; 192 int n; 193 line = evbuffer_readln(b, NULL, EVBUFFER_EOL_LF); 194 if (! line) 195 return; 196 n = atoi(line); 197 if (n <= 0) 198 TT_FAIL(("Bad number: %s", line)); 199 TT_BLATHER(("The number was %d", n)); 200 if (n == 1001) { 201 ++test_is_done; 202 bufferevent_free(bev); /* Should trigger close on other side. */ 203 return; 204 } 205 if (!strcmp(ctx, "client") && n == renegotiate_at) { 206 SSL_renegotiate(bufferevent_openssl_get_ssl(bev)); 207 } 208 ++n; 209 evbuffer_add_printf(bufferevent_get_output(bev), 210 "%d\n", n); 211 TT_BLATHER(("Done reading; now writing.")); 212 bufferevent_enable(bev, EV_WRITE); 213 bufferevent_disable(bev, EV_READ); 214 } 215 216 static void 217 done_writing_cb(struct bufferevent *bev, void *ctx) 218 { 219 struct evbuffer *b = bufferevent_get_output(bev); 220 if (evbuffer_get_length(b)) 221 return; 222 TT_BLATHER(("Done writing.")); 223 bufferevent_disable(bev, EV_WRITE); 224 bufferevent_enable(bev, EV_READ); 225 } 226 227 static void 228 eventcb(struct bufferevent *bev, short what, void *ctx) 229 { 230 TT_BLATHER(("Got event %d", (int)what)); 231 if (what & BEV_EVENT_CONNECTED) { 232 SSL *ssl; 233 X509 *peer_cert; 234 ++n_connected; 235 ssl = bufferevent_openssl_get_ssl(bev); 236 tt_assert(ssl); 237 peer_cert = SSL_get_peer_certificate(ssl); 238 if (0==strcmp(ctx, "server")) { 239 tt_assert(peer_cert == NULL); 240 } else { 241 tt_assert(peer_cert != NULL); 242 } 243 if (stop_when_connected) { 244 if (--pending_connect_events == 0) 245 event_base_loopexit(exit_base, NULL); 246 } 247 } else if (what & BEV_EVENT_EOF) { 248 TT_BLATHER(("Got a good EOF")); 249 ++got_close; 250 bufferevent_free(bev); 251 } else if (what & BEV_EVENT_ERROR) { 252 TT_BLATHER(("Got an error.")); 253 ++got_error; 254 bufferevent_free(bev); 255 } 256 end: 257 ; 258 } 259 260 static void 261 open_ssl_bufevs(struct bufferevent **bev1_out, struct bufferevent **bev2_out, 262 struct event_base *base, int is_open, int flags, SSL *ssl1, SSL *ssl2, 263 evutil_socket_t *fd_pair, struct bufferevent **underlying_pair) 264 { 265 int state1 = is_open ? BUFFEREVENT_SSL_OPEN :BUFFEREVENT_SSL_CONNECTING; 266 int state2 = is_open ? BUFFEREVENT_SSL_OPEN :BUFFEREVENT_SSL_ACCEPTING; 267 if (fd_pair) { 268 *bev1_out = bufferevent_openssl_socket_new( 269 base, fd_pair[0], ssl1, state1, flags); 270 *bev2_out = bufferevent_openssl_socket_new( 271 base, fd_pair[1], ssl2, state2, flags); 272 } else { 273 *bev1_out = bufferevent_openssl_filter_new( 274 base, underlying_pair[0], ssl1, state1, flags); 275 *bev2_out = bufferevent_openssl_filter_new( 276 base, underlying_pair[1], ssl2, state2, flags); 277 278 } 279 bufferevent_setcb(*bev1_out, respond_to_number, done_writing_cb, 280 eventcb, (void*)"client"); 281 bufferevent_setcb(*bev2_out, respond_to_number, done_writing_cb, 282 eventcb, (void*)"server"); 283 } 284 285 static void 286 regress_bufferevent_openssl(void *arg) 287 { 288 struct basic_test_data *data = arg; 289 290 struct bufferevent *bev1, *bev2; 291 SSL *ssl1, *ssl2; 292 X509 *cert = getcert(); 293 EVP_PKEY *key = getkey(); 294 const int start_open = strstr((char*)data->setup_data, "open")!=NULL; 295 const int filter = strstr((char*)data->setup_data, "filter")!=NULL; 296 int flags = BEV_OPT_DEFER_CALLBACKS; 297 struct bufferevent *bev_ll[2] = { NULL, NULL }; 298 evutil_socket_t *fd_pair = NULL; 299 300 tt_assert(cert); 301 tt_assert(key); 302 303 init_ssl(); 304 305 if (strstr((char*)data->setup_data, "renegotiate")) { 306 if (SSLeay() >= 0x10001000 && 307 SSLeay() < 0x1000104f) { 308 /* 1.0.1 up to 1.0.1c has a bug where TLS1.1 and 1.2 309 * can't renegotiate with themselves. Disable. */ 310 disable_tls_11_and_12 = 1; 311 } 312 renegotiate_at = 600; 313 } 314 315 ssl1 = SSL_new(get_ssl_ctx()); 316 ssl2 = SSL_new(get_ssl_ctx()); 317 318 SSL_use_certificate(ssl2, cert); 319 SSL_use_PrivateKey(ssl2, key); 320 321 if (! start_open) 322 flags |= BEV_OPT_CLOSE_ON_FREE; 323 324 if (!filter) { 325 tt_assert(strstr((char*)data->setup_data, "socketpair")); 326 fd_pair = data->pair; 327 } else { 328 bev_ll[0] = bufferevent_socket_new(data->base, data->pair[0], 329 BEV_OPT_CLOSE_ON_FREE); 330 bev_ll[1] = bufferevent_socket_new(data->base, data->pair[1], 331 BEV_OPT_CLOSE_ON_FREE); 332 } 333 334 open_ssl_bufevs(&bev1, &bev2, data->base, 0, flags, ssl1, ssl2, 335 fd_pair, bev_ll); 336 337 if (!filter) { 338 tt_int_op(bufferevent_getfd(bev1), ==, data->pair[0]); 339 } else { 340 tt_ptr_op(bufferevent_get_underlying(bev1), ==, bev_ll[0]); 341 } 342 343 if (start_open) { 344 pending_connect_events = 2; 345 stop_when_connected = 1; 346 exit_base = data->base; 347 event_base_dispatch(data->base); 348 /* Okay, now the renegotiation is done. Make new 349 * bufferevents to test opening in BUFFEREVENT_SSL_OPEN */ 350 flags |= BEV_OPT_CLOSE_ON_FREE; 351 bufferevent_free(bev1); 352 bufferevent_free(bev2); 353 bev1 = bev2 = NULL; 354 open_ssl_bufevs(&bev1, &bev2, data->base, 1, flags, ssl1, ssl2, 355 fd_pair, bev_ll); 356 } 357 358 bufferevent_enable(bev1, EV_READ|EV_WRITE); 359 bufferevent_enable(bev2, EV_READ|EV_WRITE); 360 361 evbuffer_add_printf(bufferevent_get_output(bev1), "1\n"); 362 363 event_base_dispatch(data->base); 364 365 tt_assert(test_is_done == 1); 366 tt_assert(n_connected == 2); 367 368 /* We don't handle shutdown properly yet. 369 tt_int_op(got_close, ==, 1); 370 tt_int_op(got_error, ==, 0); 371 */ 372 end: 373 return; 374 } 375 376 static void 377 acceptcb(struct evconnlistener *listener, evutil_socket_t fd, 378 struct sockaddr *addr, int socklen, void *arg) 379 { 380 struct basic_test_data *data = arg; 381 struct bufferevent *bev; 382 SSL *ssl = SSL_new(get_ssl_ctx()); 383 384 SSL_use_certificate(ssl, getcert()); 385 SSL_use_PrivateKey(ssl, getkey()); 386 387 bev = bufferevent_openssl_socket_new( 388 data->base, 389 fd, 390 ssl, 391 BUFFEREVENT_SSL_ACCEPTING, 392 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); 393 394 bufferevent_setcb(bev, respond_to_number, NULL, eventcb, 395 (void*)"server"); 396 397 bufferevent_enable(bev, EV_READ|EV_WRITE); 398 399 /* Only accept once, then disable ourself. */ 400 evconnlistener_disable(listener); 401 } 402 403 static void 404 regress_bufferevent_openssl_connect(void *arg) 405 { 406 struct basic_test_data *data = arg; 407 408 struct event_base *base = data->base; 409 410 struct evconnlistener *listener; 411 struct bufferevent *bev; 412 struct sockaddr_in sin; 413 struct sockaddr_storage ss; 414 ev_socklen_t slen; 415 416 init_ssl(); 417 418 memset(&sin, 0, sizeof(sin)); 419 sin.sin_family = AF_INET; 420 sin.sin_addr.s_addr = htonl(0x7f000001); 421 422 memset(&ss, 0, sizeof(ss)); 423 slen = sizeof(ss); 424 425 listener = evconnlistener_new_bind(base, acceptcb, data, 426 LEV_OPT_CLOSE_ON_FREE|LEV_OPT_REUSEABLE, 427 -1, (struct sockaddr *)&sin, sizeof(sin)); 428 429 tt_assert(listener); 430 tt_assert(evconnlistener_get_fd(listener) >= 0); 431 432 bev = bufferevent_openssl_socket_new( 433 data->base, -1, SSL_new(get_ssl_ctx()), 434 BUFFEREVENT_SSL_CONNECTING, 435 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); 436 tt_assert(bev); 437 438 bufferevent_setcb(bev, respond_to_number, NULL, eventcb, 439 (void*)"client"); 440 441 tt_assert(getsockname(evconnlistener_get_fd(listener), 442 (struct sockaddr*)&ss, &slen) == 0); 443 tt_assert(slen == sizeof(struct sockaddr_in)); 444 tt_int_op(((struct sockaddr*)&ss)->sa_family, ==, AF_INET); 445 tt_int_op(((struct sockaddr*)&ss)->sa_family, ==, AF_INET); 446 447 tt_assert(0 == 448 bufferevent_socket_connect(bev, (struct sockaddr*)&ss, slen)); 449 evbuffer_add_printf(bufferevent_get_output(bev), "1\n"); 450 bufferevent_enable(bev, EV_READ|EV_WRITE); 451 452 event_base_dispatch(base); 453 end: 454 ; 455 } 456 457 struct testcase_t ssl_testcases[] = { 458 459 { "bufferevent_socketpair", regress_bufferevent_openssl, TT_ISOLATED, 460 &basic_setup, (void*)"socketpair" }, 461 { "bufferevent_filter", regress_bufferevent_openssl, 462 TT_ISOLATED, 463 &basic_setup, (void*)"filter" }, 464 { "bufferevent_renegotiate_socketpair", regress_bufferevent_openssl, 465 TT_ISOLATED, 466 &basic_setup, (void*)"socketpair renegotiate" }, 467 { "bufferevent_renegotiate_filter", regress_bufferevent_openssl, 468 TT_ISOLATED, 469 &basic_setup, (void*)"filter renegotiate" }, 470 { "bufferevent_socketpair_startopen", regress_bufferevent_openssl, 471 TT_ISOLATED, &basic_setup, (void*)"socketpair open" }, 472 { "bufferevent_filter_startopen", regress_bufferevent_openssl, 473 TT_ISOLATED, &basic_setup, (void*)"filter open" }, 474 475 { "bufferevent_connect", regress_bufferevent_openssl_connect, 476 TT_FORK|TT_NEED_BASE, &basic_setup, NULL }, 477 478 END_OF_TESTCASES, 479 }; 480
Indexes created Thu Mar 26 00:23:24 UTC 2026