projects / project / luci.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge pull request #278 from nmav/ocserv
[project/luci.git] / libs / nixio / axTLS / ssl / test / ssltest.c
1 /*
2 * Copyright (c) 2007, Cameron Rich
3 *
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * * Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * * Neither the name of the axTLS project nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
22 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 /*
32 * The testing of the crypto and ssl stuff goes here. Keeps the individual code
33 * modules from being uncluttered with test code.
34 *
35 * This is test code - I make no apologies for the quality!
36 */
37
38 #include <stdio.h>
39 #include <stdlib.h>
40 #include <signal.h>
41 #include <string.h>
42 #include <errno.h>
43 #include <sys/stat.h>
44 #include <fcntl.h>
45
46 #ifndef WIN32
47 #include <pthread.h>
48 #endif
49
50 #include "ssl.h"
51
52 #define DEFAULT_CERT "../ssl/test/axTLS.x509_512.cer"
53 #define DEFAULT_KEY "../ssl/test/axTLS.key_512"
54 //#define DEFAULT_SVR_OPTION SSL_DISPLAY_BYTES|SSL_DISPLAY_STATES
55 #define DEFAULT_SVR_OPTION 0
56 #define DEFAULT_CLNT_OPTION 0
57 //#define DEFAULT_CLNT_OPTION SSL_DISPLAY_BYTES|SSL_DISPLAY_STATES
58
59 static int g_port = 19001;
60
61 /**************************************************************************
62 * AES tests
63 *
64 * Run through a couple of the RFC3602 tests to verify that AES is correct.
65 **************************************************************************/
66 #define TEST1_SIZE 16
67 #define TEST2_SIZE 32
68
69 static int AES_test(BI_CTX *bi_ctx)
70 {
71 AES_CTX aes_key;
72 int res = 1;
73 uint8_t key[TEST1_SIZE];
74 uint8_t iv[TEST1_SIZE];
75
76 {
77 /*
78 Case #1: Encrypting 16 bytes (1 block) using AES-CBC
79 Key : 0x06a9214036b8a15b512e03d534120006
80 IV : 0x3dafba429d9eb430b422da802c9fac41
81 Plaintext : "Single block msg"
82 Ciphertext: 0xe353779c1079aeb82708942dbe77181a
83
84 */
85 char *in_str = "Single block msg";
86 uint8_t ct[TEST1_SIZE];
87 uint8_t enc_data[TEST1_SIZE];
88 uint8_t dec_data[TEST1_SIZE];
89
90 bigint *key_bi = bi_str_import(
91 bi_ctx, "06A9214036B8A15B512E03D534120006");
92 bigint *iv_bi = bi_str_import(
93 bi_ctx, "3DAFBA429D9EB430B422DA802C9FAC41");
94 bigint *ct_bi = bi_str_import(
95 bi_ctx, "E353779C1079AEB82708942DBE77181A");
96 bi_export(bi_ctx, key_bi, key, TEST1_SIZE);
97 bi_export(bi_ctx, iv_bi, iv, TEST1_SIZE);
98 bi_export(bi_ctx, ct_bi, ct, TEST1_SIZE);
99
100 AES_set_key(&aes_key, key, iv, AES_MODE_128);
101 AES_cbc_encrypt(&aes_key, (const uint8_t *)in_str,
102 enc_data, sizeof(enc_data));
103 if (memcmp(enc_data, ct, sizeof(ct)))
104 {
105 printf("Error: AES ENCRYPT #1 failed\n");
106 goto end;
107 }
108
109 AES_set_key(&aes_key, key, iv, AES_MODE_128);
110 AES_convert_key(&aes_key);
111 AES_cbc_decrypt(&aes_key, enc_data, dec_data, sizeof(enc_data));
112
113 if (memcmp(dec_data, in_str, sizeof(dec_data)))
114 {
115 printf("Error: AES DECRYPT #1 failed\n");
116 goto end;
117 }
118 }
119
120 {
121 /*
122 Case #2: Encrypting 32 bytes (2 blocks) using AES-CBC
123 Key : 0xc286696d887c9aa0611bbb3e2025a45a
124 IV : 0x562e17996d093d28ddb3ba695a2e6f58
125 Plaintext : 0x000102030405060708090a0b0c0d0e0f
126 101112131415161718191a1b1c1d1e1f
127 Ciphertext: 0xd296cd94c2cccf8a3a863028b5e1dc0a
128 7586602d253cfff91b8266bea6d61ab1
129 */
130 uint8_t in_data[TEST2_SIZE];
131 uint8_t ct[TEST2_SIZE];
132 uint8_t enc_data[TEST2_SIZE];
133 uint8_t dec_data[TEST2_SIZE];
134
135 bigint *in_bi = bi_str_import(bi_ctx,
136 "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F");
137 bigint *key_bi = bi_str_import(
138 bi_ctx, "C286696D887C9AA0611BBB3E2025A45A");
139 bigint *iv_bi = bi_str_import(
140 bi_ctx, "562E17996D093D28DDB3BA695A2E6F58");
141 bigint *ct_bi = bi_str_import(bi_ctx,
142 "D296CD94C2CCCF8A3A863028B5E1DC0A7586602D253CFFF91B8266BEA6D61AB1");
143 bi_export(bi_ctx, in_bi, in_data, TEST2_SIZE);
144 bi_export(bi_ctx, key_bi, key, TEST1_SIZE);
145 bi_export(bi_ctx, iv_bi, iv, TEST1_SIZE);
146 bi_export(bi_ctx, ct_bi, ct, TEST2_SIZE);
147
148 AES_set_key(&aes_key, key, iv, AES_MODE_128);
149 AES_cbc_encrypt(&aes_key, (const uint8_t *)in_data,
150 enc_data, sizeof(enc_data));
151
152 if (memcmp(enc_data, ct, sizeof(ct)))
153 {
154 printf("Error: ENCRYPT #2 failed\n");
155 goto end;
156 }
157
158 AES_set_key(&aes_key, key, iv, AES_MODE_128);
159 AES_convert_key(&aes_key);
160 AES_cbc_decrypt(&aes_key, enc_data, dec_data, sizeof(enc_data));
161 if (memcmp(dec_data, in_data, sizeof(dec_data)))
162 {
163 printf("Error: DECRYPT #2 failed\n");
164 goto end;
165 }
166 }
167
168 res = 0;
169 printf("All AES tests passed\n");
170
171 end:
172 return res;
173 }
174
175 /**************************************************************************
176 * RC4 tests
177 *
178 * ARC4 tests vectors from OpenSSL (crypto/rc4/rc4test.c)
179 **************************************************************************/
180 static const uint8_t keys[7][30]=
181 {
182 {8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
183 {8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
184 {8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
185 {4,0xef,0x01,0x23,0x45},
186 {8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
187 {4,0xef,0x01,0x23,0x45},
188 };
189
190 static const uint8_t data_len[7]={8,8,8,20,28,10};
191 static uint8_t data[7][30]=
192 {
193 {0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xff},
194 {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
195 {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
196 {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
197 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
198 0x00,0x00,0x00,0x00,0xff},
199 {0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
200 0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
201 0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
202 0x12,0x34,0x56,0x78,0xff},
203 {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
204 {0},
205 };
206
207 static const uint8_t output[7][30]=
208 {
209 {0x75,0xb7,0x87,0x80,0x99,0xe0,0xc5,0x96,0x00},
210 {0x74,0x94,0xc2,0xe7,0x10,0x4b,0x08,0x79,0x00},
211 {0xde,0x18,0x89,0x41,0xa3,0x37,0x5d,0x3a,0x00},
212 {0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf,
213 0xbd,0x61,0x5a,0x11,0x62,0xe1,0xc7,0xba,
214 0x36,0xb6,0x78,0x58,0x00},
215 {0x66,0xa0,0x94,0x9f,0x8a,0xf7,0xd6,0x89,
216 0x1f,0x7f,0x83,0x2b,0xa8,0x33,0xc0,0x0c,
217 0x89,0x2e,0xbe,0x30,0x14,0x3c,0xe2,0x87,
218 0x40,0x01,0x1e,0xcf,0x00},
219 {0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf,0xbd,0x61,0x00},
220 {0},
221 };
222
223 static int RC4_test(BI_CTX *bi_ctx)
224 {
225 int i, res = 1;
226 RC4_CTX s;
227
228 for (i = 0; i < 6; i++)
229 {
230 RC4_setup(&s, &keys[i][1], keys[i][0]);
231 RC4_crypt(&s, data[i], data[i], data_len[i]);
232
233 if (memcmp(data[i], output[i], data_len[i]))
234 {
235 printf("Error: RC4 CRYPT #%d failed\n", i);
236 goto end;
237 }
238 }
239
240 res = 0;
241 printf("All RC4 tests passed\n");
242
243 end:
244 return res;
245 }
246
247 /**************************************************************************
248 * SHA1 tests
249 *
250 * Run through a couple of the RFC3174 tests to verify that SHA1 is correct.
251 **************************************************************************/
252 static int SHA1_test(BI_CTX *bi_ctx)
253 {
254 SHA1_CTX ctx;
255 uint8_t ct[SHA1_SIZE];
256 uint8_t digest[SHA1_SIZE];
257 int res = 1;
258
259 {
260 const char *in_str = "abc";
261 bigint *ct_bi = bi_str_import(bi_ctx,
262 "A9993E364706816ABA3E25717850C26C9CD0D89D");
263 bi_export(bi_ctx, ct_bi, ct, SHA1_SIZE);
264
265 SHA1_Init(&ctx);
266 SHA1_Update(&ctx, (const uint8_t *)in_str, strlen(in_str));
267 SHA1_Final(digest, &ctx);
268
269 if (memcmp(digest, ct, sizeof(ct)))
270 {
271 printf("Error: SHA1 #1 failed\n");
272 goto end;
273 }
274 }
275
276 {
277 const char *in_str =
278 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
279 bigint *ct_bi = bi_str_import(bi_ctx,
280 "84983E441C3BD26EBAAE4AA1F95129E5E54670F1");
281 bi_export(bi_ctx, ct_bi, ct, SHA1_SIZE);
282
283 SHA1_Init(&ctx);
284 SHA1_Update(&ctx, (const uint8_t *)in_str, strlen(in_str));
285 SHA1_Final(digest, &ctx);
286
287 if (memcmp(digest, ct, sizeof(ct)))
288 {
289 printf("Error: SHA1 #2 failed\n");
290 goto end;
291 }
292 }
293
294 res = 0;
295 printf("All SHA1 tests passed\n");
296
297 end:
298 return res;
299 }
300
301 /**************************************************************************
302 * MD5 tests
303 *
304 * Run through a couple of the RFC1321 tests to verify that MD5 is correct.
305 **************************************************************************/
306 static int MD5_test(BI_CTX *bi_ctx)
307 {
308 MD5_CTX ctx;
309 uint8_t ct[MD5_SIZE];
310 uint8_t digest[MD5_SIZE];
311 int res = 1;
312
313 {
314 const char *in_str = "abc";
315 bigint *ct_bi = bi_str_import(bi_ctx,
316 "900150983CD24FB0D6963F7D28E17F72");
317 bi_export(bi_ctx, ct_bi, ct, MD5_SIZE);
318
319 MD5_Init(&ctx);
320 MD5_Update(&ctx, (const uint8_t *)in_str, strlen(in_str));
321 MD5_Final(digest, &ctx);
322
323 if (memcmp(digest, ct, sizeof(ct)))
324 {
325 printf("Error: MD5 #1 failed\n");
326 goto end;
327 }
328 }
329
330 {
331 const char *in_str =
332 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
333 bigint *ct_bi = bi_str_import(
334 bi_ctx, "D174AB98D277D9F5A5611C2C9F419D9F");
335 bi_export(bi_ctx, ct_bi, ct, MD5_SIZE);
336
337 MD5_Init(&ctx);
338 MD5_Update(&ctx, (const uint8_t *)in_str, strlen(in_str));
339 MD5_Final(digest, &ctx);
340
341 if (memcmp(digest, ct, sizeof(ct)))
342 {
343 printf("Error: MD5 #2 failed\n");
344 goto end;
345 }
346 }
347 res = 0;
348 printf("All MD5 tests passed\n");
349
350 end:
351 return res;
352 }
353
354 /**************************************************************************
355 * HMAC tests
356 *
357 * Run through a couple of the RFC2202 tests to verify that HMAC is correct.
358 **************************************************************************/
359 static int HMAC_test(BI_CTX *bi_ctx)
360 {
361 uint8_t key[SHA1_SIZE];
362 uint8_t ct[SHA1_SIZE];
363 uint8_t dgst[SHA1_SIZE];
364 int res = 1;
365 const char *key_str;
366
367 const char *data_str = "Hi There";
368 bigint *key_bi = bi_str_import(bi_ctx, "0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B");
369 bigint *ct_bi = bi_str_import(bi_ctx, "9294727A3638BB1C13F48EF8158BFC9D");
370 bi_export(bi_ctx, key_bi, key, MD5_SIZE);
371 bi_export(bi_ctx, ct_bi, ct, MD5_SIZE);
372 hmac_md5((const uint8_t *)data_str, 8, key, MD5_SIZE, dgst);
373 if (memcmp(dgst, ct, MD5_SIZE))
374 {
375 printf("HMAC MD5 #1 failed\n");
376 goto end;
377 }
378
379 data_str = "what do ya want for nothing?";
380 key_str = "Jefe";
381 ct_bi = bi_str_import(bi_ctx, "750C783E6AB0B503EAA86E310A5DB738");
382 bi_export(bi_ctx, ct_bi, ct, MD5_SIZE);
383 hmac_md5((const uint8_t *)data_str, 28, (const uint8_t *)key_str, 4, dgst);
384 if (memcmp(dgst, ct, MD5_SIZE))
385 {
386 printf("HMAC MD5 #2 failed\n");
387 goto end;
388 }
389
390 data_str = "Hi There";
391 key_bi = bi_str_import(bi_ctx, "0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B");
392 bi_export(bi_ctx, key_bi, key, SHA1_SIZE);
393 ct_bi = bi_str_import(bi_ctx, "B617318655057264E28BC0B6FB378C8EF146BE00");
394 bi_export(bi_ctx, ct_bi, ct, SHA1_SIZE);
395
396 hmac_sha1((const uint8_t *)data_str, 8,
397 (const uint8_t *)key, SHA1_SIZE, dgst);
398 if (memcmp(dgst, ct, SHA1_SIZE))
399 {
400 printf("HMAC SHA1 #1 failed\n");
401 goto end;
402 }
403
404 data_str = "what do ya want for nothing?";
405 key_str = "Jefe";
406 ct_bi = bi_str_import(bi_ctx, "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79");
407 bi_export(bi_ctx, ct_bi, ct, SHA1_SIZE);
408
409 hmac_sha1((const uint8_t *)data_str, 28, (const uint8_t *)key_str, 5, dgst);
410 if (memcmp(dgst, ct, SHA1_SIZE))
411 {
412 printf("HMAC SHA1 failed\n");
413 exit(1);
414 }
415
416 res = 0;
417 printf("All HMAC tests passed\n");
418
419 end:
420 return res;
421 }
422
423 /**************************************************************************
424 * BIGINT tests
425 *
426 **************************************************************************/
427 static int BIGINT_test(BI_CTX *ctx)
428 {
429 int res = 1;
430 bigint *bi_data, *bi_exp, *bi_res;
431 const char *expnt, *plaintext, *mod;
432 uint8_t compare[MAX_KEY_BYTE_SIZE];
433
434 /**
435 * 512 bit key
436 */
437 plaintext = /* 64 byte number */
438 "01aaaaaaaaaabbbbbbbbbbbbbbbccccccccccccccdddddddddddddeeeeeeeeee";
439
440 mod = "C30773C8ABE09FCC279EE0E5343370DE"
441 "8B2FFDB6059271E3005A7CEEF0D35E0A"
442 "1F9915D95E63560836CC2EB2C289270D"
443 "BCAE8CAF6F5E907FC2759EE220071E1B";
444
445 expnt = "A1E556CD1738E10DF539E35101334E97"
446 "BE8D391C57A5C89A7AD9A2EA2ACA1B3D"
447 "F3140F5091CC535CBAA47CEC4159EE1F"
448 "B6A3661AFF1AB758426EAB158452A9B9";
449
450 bi_data = bi_import(ctx, (uint8_t *)plaintext, strlen(plaintext));
451 bi_exp = int_to_bi(ctx, 0x10001);
452 bi_set_mod(ctx, bi_str_import(ctx, mod), 0);
453 bi_res = bi_mod_power(ctx, bi_data, bi_exp);
454
455 bi_data = bi_res; /* resuse again - see if we get the original */
456
457 bi_exp = bi_str_import(ctx, expnt);
458 bi_res = bi_mod_power(ctx, bi_data, bi_exp);
459 bi_free_mod(ctx, 0);
460
461 bi_export(ctx, bi_res, compare, 64);
462 if (memcmp(plaintext, compare, 64) != 0)
463 goto end;
464
465 printf("All BIGINT tests passed\n");
466 res = 0;
467
468 end:
469 return res;
470 }
471
472 /**************************************************************************
473 * RSA tests
474 *
475 * Use the results from openssl to verify PKCS1 etc
476 **************************************************************************/
477 static int RSA_test(void)
478 {
479 int res = 1;
480 const char *plaintext = /* 128 byte hex number */
481 "1aaaaaaaaaabbbbbbbbbbbbbbbccccccccccccccdddddddddddddeeeeeeeeee2"
482 "1aaaaaaaaaabbbbbbbbbbbbbbbccccccccccccccdddddddddddddeeeeeeeee2\012";
483 uint8_t enc_data[128], dec_data[128];
484 RSA_CTX *rsa_ctx = NULL;
485 BI_CTX *bi_ctx;
486 bigint *plaintext_bi;
487 bigint *enc_data_bi, *dec_data_bi;
488 uint8_t enc_data2[128], dec_data2[128];
489 int size;
490 int len;
491 uint8_t *buf;
492
493 /* extract the private key elements */
494 len = get_file("../ssl/test/axTLS.key_1024", &buf);
495 if (asn1_get_private_key(buf, len, &rsa_ctx) < 0)
496 {
497 goto end;
498 }
499
500 free(buf);
501 bi_ctx = rsa_ctx->bi_ctx;
502 plaintext_bi = bi_import(bi_ctx,
503 (const uint8_t *)plaintext, strlen(plaintext));
504
505 /* basic rsa encrypt */
506 enc_data_bi = RSA_public(rsa_ctx, plaintext_bi);
507 bi_export(bi_ctx, bi_copy(enc_data_bi), enc_data, sizeof(enc_data));
508
509 /* basic rsa decrypt */
510 dec_data_bi = RSA_private(rsa_ctx, enc_data_bi);
511 bi_export(bi_ctx, dec_data_bi, dec_data, sizeof(dec_data));
512
513 if (memcmp(dec_data, plaintext, strlen(plaintext)))
514 {
515 printf("Error: DECRYPT #1 failed\n");
516 goto end;
517 }
518
519 RSA_encrypt(rsa_ctx, (const uint8_t *)"abc", 3, enc_data2, 0);
520 size = RSA_decrypt(rsa_ctx, enc_data2, dec_data2, 1);
521 if (memcmp("abc", dec_data2, 3))
522 {
523 printf("Error: ENCRYPT/DECRYPT #2 failed\n");
524 goto end;
525 }
526
527 RSA_free(rsa_ctx);
528 res = 0;
529 printf("All RSA tests passed\n");
530
531 end:
532 return res;
533 }
534
535 /**************************************************************************
536 * Cert Testing
537 *
538 **************************************************************************/
539 static int cert_tests(void)
540 {
541 int res = -1, len;
542 X509_CTX *x509_ctx;
543 SSL_CTX *ssl_ctx;
544 uint8_t *buf;
545
546 /* check a bunch of 3rd party certificates */
547 ssl_ctx = ssl_ctx_new(0, 0);
548 len = get_file("../ssl/test/microsoft.x509_ca", &buf);
549 if ((res = add_cert_auth(ssl_ctx, buf, len)) < 0)
550 {
551 printf("Cert #1\n");
552 ssl_display_error(res);
553 goto bad_cert;
554 }
555
556 ssl_ctx_free(ssl_ctx);
557 free(buf);
558
559 ssl_ctx = ssl_ctx_new(0, 0);
560 len = get_file("../ssl/test/thawte.x509_ca", &buf);
561 if ((res = add_cert_auth(ssl_ctx, buf, len)) < 0)
562 {
563 printf("Cert #2\n");
564 ssl_display_error(res);
565 goto bad_cert;
566 }
567
568 ssl_ctx_free(ssl_ctx);
569 free(buf);
570
571 ssl_ctx = ssl_ctx_new(0, 0);
572 len = get_file("../ssl/test/deutsche_telecom.x509_ca", &buf);
573 if ((res = add_cert_auth(ssl_ctx, buf, len)) < 0)
574 {
575 printf("Cert #3\n");
576 ssl_display_error(res);
577 goto bad_cert;
578 }
579
580 ssl_ctx_free(ssl_ctx);
581 free(buf);
582
583 ssl_ctx = ssl_ctx_new(0, 0);
584 len = get_file("../ssl/test/equifax.x509_ca", &buf);
585 if ((res = add_cert_auth(ssl_ctx, buf, len)) < 0)
586 {
587 printf("Cert #4\n");
588 ssl_display_error(res);
589 goto bad_cert;
590 }
591
592 ssl_ctx_free(ssl_ctx);
593 free(buf);
594
595 ssl_ctx = ssl_ctx_new(0, 0);
596 len = get_file("../ssl/test/gnutls.cer", &buf);
597 if ((res = add_cert(ssl_ctx, buf, len)) < 0)
598 {
599 printf("Cert #5\n");
600 ssl_display_error(res);
601 goto bad_cert;
602 }
603
604 ssl_ctx_free(ssl_ctx);
605 free(buf);
606
607 ssl_ctx = ssl_ctx_new(0, 0);
608 len = get_file("../ssl/test/socgen.cer", &buf);
609 if ((res = add_cert(ssl_ctx, buf, len)) < 0)
610 {
611 printf("Cert #6\n");
612 ssl_display_error(res);
613 goto bad_cert;
614 }
615
616 ssl_ctx_free(ssl_ctx);
617 free(buf);
618
619 ssl_ctx = ssl_ctx_new(0, 0);
620 len = get_file("../ssl/test/verisign.x509_ca", &buf);
621 if ((res = add_cert_auth(ssl_ctx, buf, len)) <0)
622 {
623 printf("Cert #7\n");
624 ssl_display_error(res);
625 goto bad_cert;
626 }
627
628 ssl_ctx_free(ssl_ctx);
629 free(buf);
630
631 if (get_file("../ssl/test/verisign.x509_my_cert", &buf) < 0 ||
632 x509_new(buf, &len, &x509_ctx))
633 {
634 printf("Cert #8\n");
635 ssl_display_error(res);
636 goto bad_cert;
637 }
638
639 x509_free(x509_ctx);
640 free(buf);
641
642 ssl_ctx = ssl_ctx_new(0, 0);
643 if ((res = ssl_obj_load(ssl_ctx,
644 SSL_OBJ_X509_CERT, "../ssl/test/ms_iis.cer", NULL)) != SSL_OK)
645 {
646 ssl_display_error(res);
647 goto bad_cert;
648 }
649
650 ssl_ctx_free(ssl_ctx);
651 res = 0; /* all ok */
652 printf("All Certificate tests passed\n");
653
654 bad_cert:
655 if (res)
656 printf("Error: A certificate test failed\n");
657 return res;
658 }
659
660 /**
661 * init a server socket.
662 */
663 static int server_socket_init(int *port)
664 {
665 struct sockaddr_in serv_addr;
666 int server_fd;
667 char yes = 1;
668
669 /* Create socket for incoming connections */
670 if ((server_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
671 {
672 return -1;
673 }
674
675 setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes));
676
677 go_again:
678 /* Construct local address structure */
679 memset(&serv_addr, 0, sizeof(serv_addr)); /* Zero out structure */
680 serv_addr.sin_family = AF_INET; /* Internet address family */
681 serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); /* Any incoming interface */
682 serv_addr.sin_port = htons(*port); /* Local port */
683
684 /* Bind to the local address */
685 if (bind(server_fd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0)
686 {
687 (*port)++;
688 goto go_again;
689 }
690 /* Mark the socket so it will listen for incoming connections */
691 if (listen(server_fd, 3000) < 0)
692 {
693 return -1;
694 }
695
696 return server_fd;
697 }
698
699 /**
700 * init a client socket.
701 */
702 static int client_socket_init(uint16_t port)
703 {
704 struct sockaddr_in address;
705 int client_fd;
706
707 address.sin_family = AF_INET;
708 address.sin_port = htons(port);
709 address.sin_addr.s_addr = inet_addr("127.0.0.1");
710 client_fd = socket(AF_INET, SOCK_STREAM, 0);
711 if (connect(client_fd, (struct sockaddr *)&address, sizeof(address)) < 0)
712 {
713 perror("socket");
714 SOCKET_CLOSE(client_fd);
715 client_fd = -1;
716 }
717
718 return client_fd;
719 }
720
721 /**************************************************************************
722 * SSL Server Testing
723 *
724 **************************************************************************/
725 typedef struct
726 {
727 /* not used as yet */
728 int dummy;
729 } SVR_CTX;
730
731 typedef struct
732 {
733 const char *testname;
734 const char *openssl_option;
735 } client_t;
736
737 static void do_client(client_t *clnt)
738 {
739 char openssl_buf[2048];
740
741 /* make sure the main thread goes first */
742 sleep(0);
743
744 /* show the session ids in the reconnect test */
745 if (strcmp(clnt->testname, "Session Reuse") == 0)
746 {
747 sprintf(openssl_buf, "echo \"hello client\" | openssl s_client "
748 "-connect localhost:%d %s 2>&1 | grep \"Session-ID:\"",
749 g_port, clnt->openssl_option);
750 }
751 else
752 {
753 sprintf(openssl_buf, "echo \"hello client\" | openssl s_client "
754 #ifdef WIN32
755 "-connect localhost:%d -quiet %s",
756 #else
757 "-connect localhost:%d -quiet %s > /dev/null 2>&1",
758 #endif
759 g_port, clnt->openssl_option);
760 }
761
762 system(openssl_buf);
763 }
764
765 static int SSL_server_test(
766 const char *testname,
767 const char *openssl_option,
768 const char *device_cert,
769 const char *product_cert,
770 const char *private_key,
771 const char *ca_cert,
772 const char *password,
773 int axtls_option)
774 {
775 int server_fd, ret = 0;
776 SSL_CTX *ssl_ctx = NULL;
777 struct sockaddr_in client_addr;
778 uint8_t *read_buf;
779 socklen_t clnt_len = sizeof(client_addr);
780 client_t client_data;
781 #ifndef WIN32
782 pthread_t thread;
783 #endif
784 g_port++;
785
786 client_data.testname = testname;
787 client_data.openssl_option = openssl_option;
788
789 if ((server_fd = server_socket_init(&g_port)) < 0)
790 goto error;
791
792 if (private_key)
793 {
794 axtls_option |= SSL_NO_DEFAULT_KEY;
795 }
796
797 if ((ssl_ctx = ssl_ctx_new(axtls_option, SSL_DEFAULT_SVR_SESS)) == NULL)
798 {
799 ret = SSL_ERROR_INVALID_KEY;
800 goto error;
801 }
802
803 if (private_key)
804 {
805 int obj_type = SSL_OBJ_RSA_KEY;
806
807 if (strstr(private_key, ".p8"))
808 obj_type = SSL_OBJ_PKCS8;
809 else if (strstr(private_key, ".p12"))
810 obj_type = SSL_OBJ_PKCS12;
811
812 if (ssl_obj_load(ssl_ctx, obj_type, private_key, password))
813 {
814 ret = SSL_ERROR_INVALID_KEY;
815 goto error;
816 }
817 }
818
819 if (device_cert) /* test chaining */
820 {
821 if ((ret = ssl_obj_load(ssl_ctx,
822 SSL_OBJ_X509_CERT, device_cert, NULL)) != SSL_OK)
823 goto error;
824 }
825
826 if (product_cert) /* test chaining */
827 {
828 if ((ret = ssl_obj_load(ssl_ctx,
829 SSL_OBJ_X509_CERT, product_cert, NULL)) != SSL_OK)
830 goto error;
831 }
832
833 if (ca_cert) /* test adding certificate authorities */
834 {
835 if ((ret = ssl_obj_load(ssl_ctx,
836 SSL_OBJ_X509_CACERT, ca_cert, NULL)) != SSL_OK)
837 goto error;
838 }
839
840 #ifndef WIN32
841 pthread_create(&thread, NULL,
842 (void *(*)(void *))do_client, (void *)&client_data);
843 pthread_detach(thread);
844 #else
845 CreateThread(NULL, 1024, (LPTHREAD_START_ROUTINE)do_client,
846 (LPVOID)&client_data, 0, NULL);
847 #endif
848
849 for (;;)
850 {
851 int client_fd, size = 0;
852 SSL *ssl;
853
854 /* Wait for a client to connect */
855 if ((client_fd = accept(server_fd,
856 (struct sockaddr *)&client_addr, &clnt_len)) < 0)
857 {
858 ret = SSL_ERROR_SOCK_SETUP_FAILURE;
859 goto error;
860 }
861
862 /* we are ready to go */
863 ssl = ssl_server_new(ssl_ctx, client_fd);
864 while ((size = ssl_read(ssl, &read_buf)) == SSL_OK);
865 SOCKET_CLOSE(client_fd);
866
867 if (size < SSL_OK) /* got some alert or something nasty */
868 {
869 ret = size;
870
871 if (ret == SSL_ERROR_CONN_LOST)
872 {
873 ret = SSL_OK;
874 continue;
875 }
876
877 break; /* we've got a problem */
878 }
879 else /* looks more promising */
880 {
881 if (strstr("hello client", (char *)read_buf) == NULL)
882 {
883 printf("SSL server test \"%s\" passed\n", testname);
884 TTY_FLUSH();
885 ret = 0;
886 break;
887 }
888 }
889
890 ssl_free(ssl);
891 }
892
893 SOCKET_CLOSE(server_fd);
894
895 error:
896 ssl_ctx_free(ssl_ctx);
897 return ret;
898 }
899
900 int SSL_server_tests(void)
901 {
902 int ret = -1;
903 struct stat stat_buf;
904 SVR_CTX svr_test_ctx;
905 memset(&svr_test_ctx, 0, sizeof(SVR_CTX));
906
907 printf("### starting server tests\n"); TTY_FLUSH();
908
909 /* Go through the algorithms */
910
911 /*
912 * TLS1 client hello
913 */
914 if ((ret = SSL_server_test("TLSv1", "-cipher RC4-SHA -tls1",
915 NULL, NULL, NULL, NULL, NULL, DEFAULT_SVR_OPTION)))
916 goto cleanup;
917
918 /*
919 * AES128-SHA
920 */
921 if ((ret = SSL_server_test("AES256-SHA", "-cipher AES128-SHA",
922 DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
923 DEFAULT_SVR_OPTION)))
924 goto cleanup;
925
926 /*
927 * AES256-SHA
928 */
929 if ((ret = SSL_server_test("AES256-SHA", "-cipher AES128-SHA",
930 DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
931 DEFAULT_SVR_OPTION)))
932 goto cleanup;
933
934 /*
935 * RC4-SHA
936 */
937 if ((ret = SSL_server_test("RC4-SHA", "-cipher RC4-SHA",
938 DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
939 DEFAULT_SVR_OPTION)))
940 goto cleanup;
941
942 /*
943 * RC4-MD5
944 */
945 if ((ret = SSL_server_test("RC4-MD5", "-cipher RC4-MD5",
946 DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
947 DEFAULT_SVR_OPTION)))
948 goto cleanup;
949
950 /*
951 * Session Reuse
952 * all the session id's should match for session resumption.
953 */
954 if ((ret = SSL_server_test("Session Reuse",
955 "-cipher RC4-SHA -reconnect",
956 DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
957 DEFAULT_SVR_OPTION)))
958 goto cleanup;
959
960 /*
961 * 512 bit RSA key
962 */
963 if ((ret = SSL_server_test("512 bit key", "-cipher RC4-SHA",
964 "../ssl/test/axTLS.x509_512.cer", NULL,
965 "../ssl/test/axTLS.key_512",
966 NULL, NULL, DEFAULT_SVR_OPTION)))
967 goto cleanup;
968
969 /*
970 * 1024 bit RSA key (check certificate chaining)
971 */
972 if ((ret = SSL_server_test("1024 bit key",
973 "-cipher RC4-SHA",
974 "../ssl/test/axTLS.x509_device.cer",
975 "../ssl/test/axTLS.x509_512.cer",
976 "../ssl/test/axTLS.device_key",
977 NULL, NULL, DEFAULT_SVR_OPTION)))
978 goto cleanup;
979
980 /*
981 * 2048 bit RSA key
982 */
983 if ((ret = SSL_server_test("2048 bit key",
984 "-cipher RC4-SHA",
985 "../ssl/test/axTLS.x509_2048.cer", NULL,
986 "../ssl/test/axTLS.key_2048",
987 NULL, NULL, DEFAULT_SVR_OPTION)))
988 goto cleanup;
989
990 /*
991 * 4096 bit RSA key
992 */
993 if ((ret = SSL_server_test("4096 bit key",
994 "-cipher RC4-SHA",
995 "../ssl/test/axTLS.x509_4096.cer", NULL,
996 "../ssl/test/axTLS.key_4096",
997 NULL, NULL, DEFAULT_SVR_OPTION)))
998 goto cleanup;
999
1000 /*
1001 * Client Verification
1002 */
1003 if ((ret = SSL_server_test("Client Verification",
1004 "-cipher RC4-SHA -tls1 "
1005 "-cert ../ssl/test/axTLS.x509_2048.pem "
1006 "-key ../ssl/test/axTLS.key_2048.pem ",
1007 NULL, NULL, NULL,
1008 "../ssl/test/axTLS.ca_x509.cer", NULL,
1009 DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)))
1010 goto cleanup;
1011
1012 /* this test should fail */
1013 if (stat("../ssl/test/axTLS.x509_bad_before.pem", &stat_buf) >= 0)
1014 {
1015 if ((ret = SSL_server_test("Error: Bad Before Cert",
1016 "-cipher RC4-SHA -tls1 "
1017 "-cert ../ssl/test/axTLS.x509_bad_before.pem "
1018 "-key ../ssl/test/axTLS.key_512.pem ",
1019 NULL, NULL, NULL,
1020 "../ssl/test/axTLS.ca_x509.cer", NULL,
1021 DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) !=
1022 SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID))
1023 goto cleanup;
1024
1025 printf("SSL server test \"%s\" passed\n", "Bad Before Cert");
1026 TTY_FLUSH();
1027 ret = 0; /* is ok */
1028 }
1029
1030 /* this test should fail */
1031 if ((ret = SSL_server_test("Error: Bad After Cert",
1032 "-cipher RC4-SHA -tls1 "
1033 "-cert ../ssl/test/axTLS.x509_bad_after.pem "
1034 "-key ../ssl/test/axTLS.key_512.pem ",
1035 NULL, NULL, NULL,
1036 "../ssl/test/axTLS.ca_x509.cer", NULL,
1037 DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) !=
1038 SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED))
1039 goto cleanup;
1040
1041 printf("SSL server test \"%s\" passed\n", "Bad After Cert");
1042 TTY_FLUSH();
1043
1044 /*
1045 * No trusted cert
1046 */
1047 if ((ret = SSL_server_test("Error: No trusted certificate",
1048 "-cipher RC4-SHA -tls1 "
1049 "-cert ../ssl/test/axTLS.x509_512.pem "
1050 "-key ../ssl/test/axTLS.key_512.pem ",
1051 NULL, NULL, NULL,
1052 NULL, NULL,
1053 DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) !=
1054 SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT))
1055 goto cleanup;
1056
1057 printf("SSL server test \"%s\" passed\n", "No trusted certificate");
1058 TTY_FLUSH();
1059
1060 /*
1061 * Self-signed (from the server)
1062 */
1063 if ((ret = SSL_server_test("Error: Self-signed certificate (from server)",
1064 "-cipher RC4-SHA -tls1 "
1065 "-cert ../ssl/test/axTLS.x509_512.pem "
1066 "-key ../ssl/test/axTLS.key_512.pem "
1067 "-CAfile ../ssl/test/axTLS.ca_x509.pem ",
1068 NULL, NULL, NULL,
1069 NULL, NULL,
1070 DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) !=
1071 SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED))
1072 goto cleanup;
1073
1074 printf("SSL server test \"%s\" passed\n",
1075 "Self-signed certificate (from server)");
1076 TTY_FLUSH();
1077
1078 /*
1079 * Self-signed (from the client)
1080 */
1081 if ((ret = SSL_server_test("Self-signed certificate (from client)",
1082 "-cipher RC4-SHA -tls1 "
1083 "-cert ../ssl/test/axTLS.x509_512.pem "
1084 "-key ../ssl/test/axTLS.key_512.pem ",
1085 NULL, NULL, NULL,
1086 "../ssl/test/axTLS.ca_x509.cer",
1087 NULL,
1088 DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)))
1089 goto cleanup;
1090
1091 /*
1092 * Key in PEM format
1093 */
1094 if ((ret = SSL_server_test("Key in PEM format",
1095 "-cipher RC4-SHA",
1096 "../ssl/test/axTLS.x509_512.cer", NULL,
1097 "../ssl/test/axTLS.key_512.pem", NULL,
1098 NULL, DEFAULT_SVR_OPTION)))
1099 goto cleanup;
1100
1101 /*
1102 * Cert in PEM format
1103 */
1104 if ((ret = SSL_server_test("Cert in PEM format",
1105 "-cipher RC4-SHA",
1106 "../ssl/test/axTLS.x509_512.pem", NULL,
1107 "../ssl/test/axTLS.key_512.pem", NULL,
1108 NULL, DEFAULT_SVR_OPTION)))
1109 goto cleanup;
1110
1111 /*
1112 * Cert chain in PEM format
1113 */
1114 if ((ret = SSL_server_test("Cert chain in PEM format",
1115 "-cipher RC4-SHA",
1116 "../ssl/test/axTLS.x509_device.pem",
1117 NULL, "../ssl/test/axTLS.device_key.pem",
1118 "../ssl/test/axTLS.ca_x509.pem", NULL, DEFAULT_SVR_OPTION)))
1119 goto cleanup;
1120
1121 /*
1122 * AES128 Encrypted key
1123 */
1124 if ((ret = SSL_server_test("AES128 encrypted key",
1125 "-cipher RC4-SHA",
1126 "../ssl/test/axTLS.x509_aes128.pem", NULL,
1127 "../ssl/test/axTLS.key_aes128.pem",
1128 NULL, "abcd", DEFAULT_SVR_OPTION)))
1129 goto cleanup;
1130
1131 /*
1132 * AES256 Encrypted key
1133 */
1134 if ((ret = SSL_server_test("AES256 encrypted key",
1135 "-cipher RC4-SHA",
1136 "../ssl/test/axTLS.x509_aes256.pem", NULL,
1137 "../ssl/test/axTLS.key_aes256.pem",
1138 NULL, "abcd", DEFAULT_SVR_OPTION)))
1139 goto cleanup;
1140
1141 /*
1142 * AES128 Encrypted invalid key
1143 */
1144 if ((ret = SSL_server_test("AES128 encrypted invalid key",
1145 "-cipher RC4-SHA",
1146 "../ssl/test/axTLS.x509_aes128.pem", NULL,
1147 "../ssl/test/axTLS.key_aes128.pem",
1148 NULL, "xyz", DEFAULT_SVR_OPTION)) != SSL_ERROR_INVALID_KEY)
1149 goto cleanup;
1150
1151 printf("SSL server test \"%s\" passed\n", "AES128 encrypted invalid key");
1152 TTY_FLUSH();
1153
1154 /*
1155 * PKCS#8 key (encrypted)
1156 */
1157 if ((ret = SSL_server_test("pkcs#8 encrypted", "-cipher RC4-SHA",
1158 DEFAULT_CERT, NULL, "../ssl/test/axTLS.encrypted.p8",
1159 NULL, "abcd", DEFAULT_SVR_OPTION)))
1160 goto cleanup;
1161
1162 /*
1163 * PKCS#8 key (unencrypted)
1164 */
1165 if ((ret = SSL_server_test("pkcs#8 unencrypted", "-cipher RC4-SHA",
1166 DEFAULT_CERT, NULL, "../ssl/test/axTLS.unencrypted.p8",
1167 NULL, NULL, DEFAULT_SVR_OPTION)))
1168 goto cleanup;
1169
1170 /*
1171 * PKCS#12 key/certificate
1172 */
1173 if ((ret = SSL_server_test("pkcs#12 with CA", "-cipher RC4-SHA",
1174 NULL, NULL, "../ssl/test/axTLS.withCA.p12",
1175 NULL, "abcd", DEFAULT_SVR_OPTION)))
1176 goto cleanup;
1177
1178 if ((ret = SSL_server_test("pkcs#12 no CA", "-cipher RC4-SHA",
1179 DEFAULT_CERT, NULL, "../ssl/test/axTLS.withoutCA.p12",
1180 NULL, "abcd", DEFAULT_SVR_OPTION)))
1181 goto cleanup;
1182
1183 ret = 0;
1184
1185 cleanup:
1186 if (ret)
1187 {
1188 printf("Error: A server test failed\n");
1189 ssl_display_error(ret);
1190 exit(1);
1191 }
1192 else
1193 {
1194 printf("All server tests passed\n"); TTY_FLUSH();
1195 }
1196
1197 return ret;
1198 }
1199
1200 /**************************************************************************
1201 * SSL Client Testing
1202 *
1203 **************************************************************************/
1204 typedef struct
1205 {
1206 uint8_t session_id[SSL_SESSION_ID_SIZE];
1207 #ifndef WIN32
1208 pthread_t server_thread;
1209 #endif
1210 int start_server;
1211 int stop_server;
1212 int do_reneg;
1213 } CLNT_SESSION_RESUME_CTX;
1214
1215 typedef struct
1216 {
1217 const char *testname;
1218 const char *openssl_option;
1219 } server_t;
1220
1221 static void do_server(server_t *svr)
1222 {
1223 char openssl_buf[2048];
1224 #ifndef WIN32
1225 pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
1226 #endif
1227 sprintf(openssl_buf, "openssl s_server -tls1 "
1228 "-accept %d -quiet %s ", g_port, svr->openssl_option);
1229 system(openssl_buf);
1230 }
1231
1232 static int SSL_client_test(
1233 const char *test,
1234 SSL_CTX **ssl_ctx,
1235 const char *openssl_option,
1236 CLNT_SESSION_RESUME_CTX *sess_resume,
1237 uint32_t client_options,
1238 const char *private_key,
1239 const char *password,
1240 const char *cert)
1241 {
1242 server_t server_data;
1243 SSL *ssl = NULL;
1244 int client_fd = -1;
1245 uint8_t *session_id = NULL;
1246 int ret = 1;
1247 #ifndef WIN32
1248 pthread_t thread;
1249 #endif
1250
1251 if (sess_resume == NULL || sess_resume->start_server)
1252 {
1253 g_port++;
1254 server_data.openssl_option = openssl_option;
1255
1256 #ifndef WIN32
1257 pthread_create(&thread, NULL,
1258 (void *(*)(void *))do_server, (void *)&server_data);
1259 pthread_detach(thread);
1260 #else
1261 CreateThread(NULL, 1024, (LPTHREAD_START_ROUTINE)do_server,
1262 (LPVOID)&server_data, 0, NULL);
1263 #endif
1264 }
1265
1266 usleep(200000); /* allow server to start */
1267
1268 if (*ssl_ctx == NULL)
1269 {
1270 if (private_key)
1271 {
1272 client_options |= SSL_NO_DEFAULT_KEY;
1273 }
1274
1275 if ((*ssl_ctx = ssl_ctx_new(
1276 client_options, SSL_DEFAULT_CLNT_SESS)) == NULL)
1277 {
1278 ret = SSL_ERROR_INVALID_KEY;
1279 goto client_test_exit;
1280 }
1281
1282 if (private_key)
1283 {
1284 int obj_type = SSL_OBJ_RSA_KEY;
1285
1286 if (strstr(private_key, ".p8"))
1287 obj_type = SSL_OBJ_PKCS8;
1288 else if (strstr(private_key, ".p12"))
1289 obj_type = SSL_OBJ_PKCS12;
1290
1291 if (ssl_obj_load(*ssl_ctx, obj_type, private_key, password))
1292 {
1293 ret = SSL_ERROR_INVALID_KEY;
1294 goto client_test_exit;
1295 }
1296 }
1297
1298 if (cert)
1299 {
1300 if ((ret = ssl_obj_load(*ssl_ctx,
1301 SSL_OBJ_X509_CERT, cert, NULL)) != SSL_OK)
1302 {
1303 printf("could not add cert %s (%d)\n", cert, ret);
1304 TTY_FLUSH();
1305 goto client_test_exit;
1306 }
1307 }
1308
1309 if (ssl_obj_load(*ssl_ctx, SSL_OBJ_X509_CACERT,
1310 "../ssl/test/axTLS.ca_x509.cer", NULL))
1311 {
1312 printf("could not add cert auth\n"); TTY_FLUSH();
1313 goto client_test_exit;
1314 }
1315 }
1316
1317 if (sess_resume && !sess_resume->start_server)
1318 {
1319 session_id = sess_resume->session_id;
1320 }
1321
1322 if ((client_fd = client_socket_init(g_port)) < 0)
1323 {
1324 printf("could not start socket on %d\n", g_port); TTY_FLUSH();
1325 goto client_test_exit;
1326 }
1327
1328 ssl = ssl_client_new(*ssl_ctx, client_fd, session_id, sizeof(session_id));
1329
1330 /* check the return status */
1331 if ((ret = ssl_handshake_status(ssl)))
1332 goto client_test_exit;
1333
1334 /* renegotiate client */
1335 if (sess_resume && sess_resume->do_reneg)
1336 {
1337 if (ssl_renegotiate(ssl) < 0)
1338 goto client_test_exit;
1339 }
1340
1341 if (sess_resume)
1342 {
1343 memcpy(sess_resume->session_id,
1344 ssl_get_session_id(ssl), SSL_SESSION_ID_SIZE);
1345 }
1346
1347 if (IS_SET_SSL_FLAG(SSL_SERVER_VERIFY_LATER) &&
1348 (ret = ssl_verify_cert(ssl)))
1349 {
1350 goto client_test_exit;
1351 }
1352
1353 ssl_write(ssl, (uint8_t *)"hello world\n", 13);
1354 if (sess_resume)
1355 {
1356 const uint8_t *sess_id = ssl_get_session_id(ssl);
1357 int i;
1358
1359 printf(" Session-ID: ");
1360 for (i = 0; i < SSL_SESSION_ID_SIZE; i++)
1361 {
1362 printf("%02X", sess_id[i]);
1363 }
1364 printf("\n");
1365 TTY_FLUSH();
1366 }
1367
1368 ret = 0;
1369
1370 client_test_exit:
1371 ssl_free(ssl);
1372 SOCKET_CLOSE(client_fd);
1373 usleep(200000); /* allow openssl to say something */
1374
1375 if (sess_resume)
1376 {
1377 if (sess_resume->stop_server)
1378 {
1379 ssl_ctx_free(*ssl_ctx);
1380 *ssl_ctx = NULL;
1381 #ifndef WIN32
1382 pthread_cancel(sess_resume->server_thread);
1383 #endif
1384 }
1385 else if (sess_resume->start_server)
1386 {
1387 #ifndef WIN32
1388 sess_resume->server_thread = thread;
1389 #endif
1390 }
1391 }
1392 else
1393 {
1394 ssl_ctx_free(*ssl_ctx);
1395 *ssl_ctx = NULL;
1396 #ifndef WIN32
1397 pthread_cancel(thread);
1398 #endif
1399 }
1400
1401 if (ret == 0)
1402 {
1403 printf("SSL client test \"%s\" passed\n", test);
1404 TTY_FLUSH();
1405 }
1406
1407 return ret;
1408 }
1409
1410 int SSL_client_tests(void)
1411 {
1412 int ret = -1;
1413 SSL_CTX *ssl_ctx = NULL;
1414 CLNT_SESSION_RESUME_CTX sess_resume;
1415 memset(&sess_resume, 0, sizeof(CLNT_SESSION_RESUME_CTX));
1416
1417 sess_resume.start_server = 1;
1418 printf("### starting client tests\n");
1419
1420 if ((ret = SSL_client_test("512 bit key",
1421 &ssl_ctx,
1422 "-cert ../ssl/test/axTLS.x509_512.pem "
1423 "-key ../ssl/test/axTLS.key_512.pem", &sess_resume,
1424 DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
1425 goto cleanup;
1426
1427 /* all the session id's should match for session resumption */
1428 sess_resume.start_server = 0;
1429 if ((ret = SSL_client_test("Client session resumption #1",
1430 &ssl_ctx, NULL, &sess_resume,
1431 DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
1432 goto cleanup;
1433
1434 sess_resume.do_reneg = 1;
1435 if ((ret = SSL_client_test("Client renegotiation",
1436 &ssl_ctx, NULL, &sess_resume,
1437 DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
1438 goto cleanup;
1439 sess_resume.do_reneg = 0;
1440
1441 sess_resume.stop_server = 1;
1442 if ((ret = SSL_client_test("Client session resumption #2",
1443 &ssl_ctx, NULL, &sess_resume,
1444 DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
1445 goto cleanup;
1446
1447 if ((ret = SSL_client_test("1024 bit key",
1448 &ssl_ctx,
1449 "-cert ../ssl/test/axTLS.x509_1024.pem "
1450 "-key ../ssl/test/axTLS.key_1024.pem", NULL,
1451 DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
1452 goto cleanup;
1453
1454 if ((ret = SSL_client_test("2048 bit key",
1455 &ssl_ctx,
1456 "-cert ../ssl/test/axTLS.x509_2048.pem "
1457 "-key ../ssl/test/axTLS.key_2048.pem", NULL,
1458 DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
1459 goto cleanup;
1460
1461 if ((ret = SSL_client_test("4096 bit key",
1462 &ssl_ctx,
1463 "-cert ../ssl/test/axTLS.x509_4096.pem "
1464 "-key ../ssl/test/axTLS.key_4096.pem", NULL,
1465 DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
1466 goto cleanup;
1467
1468 if ((ret = SSL_client_test("Server cert chaining",
1469 &ssl_ctx,
1470 "-cert ../ssl/test/axTLS.x509_device.pem "
1471 "-key ../ssl/test/axTLS.device_key.pem "
1472 "-CAfile ../ssl/test/axTLS.x509_512.pem ", NULL,
1473 DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
1474 goto cleanup;
1475
1476 /* Check the server can verify the client */
1477 if ((ret = SSL_client_test("Client peer authentication",
1478 &ssl_ctx,
1479 "-cert ../ssl/test/axTLS.x509_2048.pem "
1480 "-key ../ssl/test/axTLS.key_2048.pem "
1481 "-CAfile ../ssl/test/axTLS.ca_x509.pem "
1482 "-verify 1 ", NULL, DEFAULT_CLNT_OPTION,
1483 "../ssl/test/axTLS.key_1024", NULL,
1484 "../ssl/test/axTLS.x509_1024.cer")))
1485 goto cleanup;
1486
1487 /* Should get an "ERROR" from openssl (as the handshake fails as soon as
1488 * the certificate verification fails) */
1489 if ((ret = SSL_client_test("Error: Expired cert (verify now)",
1490 &ssl_ctx,
1491 "-cert ../ssl/test/axTLS.x509_bad_after.pem "
1492 "-key ../ssl/test/axTLS.key_512.pem", NULL,
1493 DEFAULT_CLNT_OPTION, NULL, NULL, NULL)) !=
1494 SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED))
1495 {
1496 printf("*** Error: %d\n", ret);
1497 goto cleanup;
1498 }
1499
1500 printf("SSL client test \"Expired cert (verify now)\" passed\n");
1501
1502 /* There is no "ERROR" from openssl */
1503 if ((ret = SSL_client_test("Error: Expired cert (verify later)",
1504 &ssl_ctx,
1505 "-cert ../ssl/test/axTLS.x509_bad_after.pem "
1506 "-key ../ssl/test/axTLS.key_512.pem", NULL,
1507 DEFAULT_CLNT_OPTION|SSL_SERVER_VERIFY_LATER, NULL,
1508 NULL, NULL)) != SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED))
1509 {
1510 printf("*** Error: %d\n", ret);
1511 goto cleanup;
1512 }
1513
1514 printf("SSL client test \"Expired cert (verify later)\" passed\n");
1515 ret = 0;
1516
1517 cleanup:
1518 if (ret)
1519 {
1520 ssl_display_error(ret);
1521 printf("Error: A client test failed\n");
1522 exit(1);
1523 }
1524 else
1525 {
1526 printf("All client tests passed\n"); TTY_FLUSH();
1527 }
1528
1529 return ret;
1530 }
1531
1532 /**************************************************************************
1533 * SSL Basic Testing (test a big packet handshake)
1534 *
1535 **************************************************************************/
1536 static uint8_t basic_buf[256*1024];
1537
1538 static void do_basic(void)
1539 {
1540 int client_fd;
1541 SSL *ssl_clnt;
1542 SSL_CTX *ssl_clnt_ctx = ssl_ctx_new(
1543 DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS);
1544 usleep(200000); /* allow server to start */
1545
1546 if ((client_fd = client_socket_init(g_port)) < 0)
1547 goto error;
1548
1549 if (ssl_obj_load(ssl_clnt_ctx, SSL_OBJ_X509_CACERT,
1550 "../ssl/test/axTLS.ca_x509.cer", NULL))
1551 goto error;
1552
1553 ssl_clnt = ssl_client_new(ssl_clnt_ctx, client_fd, NULL, 0);
1554
1555 /* check the return status */
1556 if (ssl_handshake_status(ssl_clnt) < 0)
1557 {
1558 printf("YA YA\n");
1559 ssl_display_error(ssl_handshake_status(ssl_clnt));
1560 goto error;
1561 }
1562
1563 ssl_write(ssl_clnt, basic_buf, sizeof(basic_buf));
1564 ssl_free(ssl_clnt);
1565
1566 error:
1567 ssl_ctx_free(ssl_clnt_ctx);
1568 SOCKET_CLOSE(client_fd);
1569
1570 /* exit this thread */
1571 }
1572
1573 static int SSL_basic_test(void)
1574 {
1575 int server_fd, client_fd, ret = 0, size = 0, offset = 0;
1576 SSL_CTX *ssl_svr_ctx = NULL;
1577 struct sockaddr_in client_addr;
1578 uint8_t *read_buf;
1579 socklen_t clnt_len = sizeof(client_addr);
1580 SSL *ssl_svr;
1581 #ifndef WIN32
1582 pthread_t thread;
1583 #endif
1584 memset(basic_buf, 0xA5, sizeof(basic_buf)/2);
1585 memset(&basic_buf[sizeof(basic_buf)/2], 0x5A, sizeof(basic_buf)/2);
1586
1587 if ((server_fd = server_socket_init(&g_port)) < 0)
1588 goto error;
1589
1590 ssl_svr_ctx = ssl_ctx_new(DEFAULT_SVR_OPTION, SSL_DEFAULT_SVR_SESS);
1591
1592 #ifndef WIN32
1593 pthread_create(&thread, NULL,
1594 (void *(*)(void *))do_basic, NULL);
1595 pthread_detach(thread);
1596 #else
1597 CreateThread(NULL, 1024, (LPTHREAD_START_ROUTINE)do_basic, NULL, 0, NULL);
1598 #endif
1599
1600 /* Wait for a client to connect */
1601 if ((client_fd = accept(server_fd,
1602 (struct sockaddr *) &client_addr, &clnt_len)) < 0)
1603 {
1604 ret = SSL_ERROR_SOCK_SETUP_FAILURE;
1605 goto error;
1606 }
1607
1608 /* we are ready to go */
1609 ssl_svr = ssl_server_new(ssl_svr_ctx, client_fd);
1610
1611 do
1612 {
1613 while ((size = ssl_read(ssl_svr, &read_buf)) == SSL_OK);
1614
1615 if (size < SSL_OK) /* got some alert or something nasty */
1616 {
1617 printf("Server ");
1618 ssl_display_error(size);
1619 ret = size;
1620 break;
1621 }
1622 else /* looks more promising */
1623 {
1624 if (memcmp(read_buf, &basic_buf[offset], size) != 0)
1625 {
1626 ret = SSL_NOT_OK;
1627 break;
1628 }
1629 }
1630
1631 offset += size;
1632 } while (offset < sizeof(basic_buf));
1633
1634 printf(ret == SSL_OK && offset == sizeof(basic_buf) ?
1635 "SSL basic test passed\n" :
1636 "SSL basic test failed\n");
1637 TTY_FLUSH();
1638
1639 ssl_free(ssl_svr);
1640 SOCKET_CLOSE(server_fd);
1641 SOCKET_CLOSE(client_fd);
1642
1643 error:
1644 ssl_ctx_free(ssl_svr_ctx);
1645 return ret;
1646 }
1647
1648 #if !defined(WIN32) && defined(CONFIG_SSL_CTX_MUTEXING)
1649 /**************************************************************************
1650 * Multi-Threading Tests
1651 *
1652 **************************************************************************/
1653 #define NUM_THREADS 100
1654
1655 typedef struct
1656 {
1657 SSL_CTX *ssl_clnt_ctx;
1658 int port;
1659 int thread_id;
1660 } multi_t;
1661
1662 void do_multi_clnt(multi_t *multi_data)
1663 {
1664 int res = 1, client_fd, i;
1665 SSL *ssl = NULL;
1666 char tmp[5];
1667
1668 if ((client_fd = client_socket_init(multi_data->port)) < 0)
1669 goto client_test_exit;
1670
1671 sleep(1);
1672 ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0);
1673
1674 if ((res = ssl_handshake_status(ssl)))
1675 {
1676 printf("Client ");
1677 ssl_display_error(res);
1678 goto client_test_exit;
1679 }
1680
1681 sprintf(tmp, "%d\n", multi_data->thread_id);
1682 for (i = 0; i < 10; i++)
1683 ssl_write(ssl, (uint8_t *)tmp, strlen(tmp)+1);
1684
1685 client_test_exit:
1686 ssl_free(ssl);
1687 SOCKET_CLOSE(client_fd);
1688 free(multi_data);
1689 }
1690
1691 void do_multi_svr(SSL *ssl)
1692 {
1693 uint8_t *read_buf;
1694 int *res_ptr = malloc(sizeof(int));
1695 int res;
1696
1697 for (;;)
1698 {
1699 res = ssl_read(ssl, &read_buf);
1700
1701 /* kill the client */
1702 if (res != SSL_OK)
1703 {
1704 if (res == SSL_ERROR_CONN_LOST)
1705 {
1706 SOCKET_CLOSE(ssl->client_fd);
1707 ssl_free(ssl);
1708 break;
1709 }
1710 else if (res > 0)
1711 {
1712 /* do nothing */
1713 }
1714 else /* some problem */
1715 {
1716 printf("Server ");
1717 ssl_display_error(res);
1718 goto error;
1719 }
1720 }
1721 }
1722
1723 res = SSL_OK;
1724 error:
1725 *res_ptr = res;
1726 pthread_exit(res_ptr);
1727 }
1728
1729 int multi_thread_test(void)
1730 {
1731 int server_fd = -1;
1732 SSL_CTX *ssl_server_ctx;
1733 SSL_CTX *ssl_clnt_ctx;
1734 pthread_t clnt_threads[NUM_THREADS];
1735 pthread_t svr_threads[NUM_THREADS];
1736 int i, res = 0;
1737 struct sockaddr_in client_addr;
1738 socklen_t clnt_len = sizeof(client_addr);
1739
1740 printf("Do multi-threading test (takes a minute)\n");
1741
1742 ssl_server_ctx = ssl_ctx_new(DEFAULT_SVR_OPTION, SSL_DEFAULT_SVR_SESS);
1743 ssl_clnt_ctx = ssl_ctx_new(DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS);
1744
1745 if (ssl_obj_load(ssl_clnt_ctx, SSL_OBJ_X509_CACERT,
1746 "../ssl/test/axTLS.ca_x509.cer", NULL))
1747 goto error;
1748
1749 if ((server_fd = server_socket_init(&g_port)) < 0)
1750 goto error;
1751
1752 for (i = 0; i < NUM_THREADS; i++)
1753 {
1754 multi_t *multi_data = (multi_t *)malloc(sizeof(multi_t));
1755 multi_data->ssl_clnt_ctx = ssl_clnt_ctx;
1756 multi_data->port = g_port;
1757 multi_data->thread_id = i+1;
1758 pthread_create(&clnt_threads[i], NULL,
1759 (void *(*)(void *))do_multi_clnt, (void *)multi_data);
1760 pthread_detach(clnt_threads[i]);
1761 }
1762
1763 for (i = 0; i < NUM_THREADS; i++)
1764 {
1765 SSL *ssl_svr;
1766 int client_fd = accept(server_fd,
1767 (struct sockaddr *)&client_addr, &clnt_len);
1768
1769 if (client_fd < 0)
1770 goto error;
1771
1772 ssl_svr = ssl_server_new(ssl_server_ctx, client_fd);
1773
1774 pthread_create(&svr_threads[i], NULL,
1775 (void *(*)(void *))do_multi_svr, (void *)ssl_svr);
1776 }
1777
1778 /* make sure we've run all of the threads */
1779 for (i = 0; i < NUM_THREADS; i++)
1780 {
1781 void *thread_res;
1782 pthread_join(svr_threads[i], &thread_res);
1783
1784 if (*((int *)thread_res) != 0)
1785 res = 1;
1786
1787 free(thread_res);
1788 }
1789
1790 if (res)
1791 goto error;
1792
1793 printf("Multi-thread test passed (%d)\n", NUM_THREADS);
1794 error:
1795 ssl_ctx_free(ssl_server_ctx);
1796 ssl_ctx_free(ssl_clnt_ctx);
1797 SOCKET_CLOSE(server_fd);
1798 return res;
1799 }
1800 #endif /* !defined(WIN32) && defined(CONFIG_SSL_CTX_MUTEXING) */
1801
1802 /**************************************************************************
1803 * Header issue
1804 *
1805 **************************************************************************/
1806 static void do_header_issue(void)
1807 {
1808 char axtls_buf[2048];
1809 #ifndef WIN32
1810 pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
1811 #endif
1812 sprintf(axtls_buf, "./axssl s_client -connect localhost:%d", g_port);
1813 system(axtls_buf);
1814 }
1815
1816 static int header_issue(void)
1817 {
1818 FILE *f = fopen("../ssl/test/header_issue.dat", "r");
1819 int server_fd = -1, client_fd = -1, ret = 1;
1820 uint8_t buf[2048];
1821 int size = 0;
1822 struct sockaddr_in client_addr;
1823 socklen_t clnt_len = sizeof(client_addr);
1824 #ifndef WIN32
1825 pthread_t thread;
1826 #endif
1827
1828 if (f == NULL || (server_fd = server_socket_init(&g_port)) < 0)
1829 goto error;
1830
1831 #ifndef WIN32
1832 pthread_create(&thread, NULL,
1833 (void *(*)(void *))do_header_issue, NULL);
1834 pthread_detach(thread);
1835 #else
1836 CreateThread(NULL, 1024, (LPTHREAD_START_ROUTINE)do_header_issue,
1837 NULL, 0, NULL);
1838 #endif
1839 if ((client_fd = accept(server_fd,
1840 (struct sockaddr *) &client_addr, &clnt_len)) < 0)
1841 {
1842 ret = SSL_ERROR_SOCK_SETUP_FAILURE;
1843 goto error;
1844 }
1845
1846 size = fread(buf, 1, sizeof(buf), f);
1847 SOCKET_WRITE(client_fd, buf, size);
1848 usleep(200000);
1849
1850 ret = 0;
1851 error:
1852 fclose(f);
1853 SOCKET_CLOSE(client_fd);
1854 SOCKET_CLOSE(server_fd);
1855 TTY_FLUSH();
1856 system("killall axssl");
1857 return ret;
1858 }
1859
1860 /**************************************************************************
1861 * main()
1862 *
1863 **************************************************************************/
1864 int main(int argc, char *argv[])
1865 {
1866 int ret = 1;
1867 BI_CTX *bi_ctx;
1868 int fd;
1869
1870 #ifdef WIN32
1871 WSADATA wsaData;
1872 WORD wVersionRequested = MAKEWORD(2, 2);
1873 WSAStartup(wVersionRequested, &wsaData);
1874 fd = _open("test_result.txt", O_WRONLY|O_TEMPORARY|O_CREAT, _S_IWRITE);
1875 dup2(fd, 2); /* write stderr to this file */
1876 #else
1877 fd = open("/dev/null", O_WRONLY); /* write stderr to /dev/null */
1878 signal(SIGPIPE, SIG_IGN); /* ignore pipe errors */
1879 dup2(fd, 2);
1880 #endif
1881
1882 /* can't do testing in this mode */
1883 #if defined CONFIG_SSL_GENERATE_X509_CERT
1884 printf("Error: Must compile with default key/certificates\n");
1885 exit(1);
1886 #endif
1887
1888 bi_ctx = bi_initialize();
1889
1890 if (AES_test(bi_ctx))
1891 {
1892 printf("AES tests failed\n");
1893 goto cleanup;
1894 }
1895 TTY_FLUSH();
1896
1897 if (RC4_test(bi_ctx))
1898 {
1899 printf("RC4 tests failed\n");
1900 goto cleanup;
1901 }
1902 TTY_FLUSH();
1903
1904 if (MD5_test(bi_ctx))
1905 {
1906 printf("MD5 tests failed\n");
1907 goto cleanup;
1908 }
1909 TTY_FLUSH();
1910
1911 if (SHA1_test(bi_ctx))
1912 {
1913 printf("SHA1 tests failed\n");
1914 goto cleanup;
1915 }
1916 TTY_FLUSH();
1917
1918 if (HMAC_test(bi_ctx))
1919 {
1920 printf("HMAC tests failed\n");
1921 goto cleanup;
1922 }
1923 TTY_FLUSH();
1924
1925 if (BIGINT_test(bi_ctx))
1926 {
1927 printf("BigInt tests failed!\n");
1928 goto cleanup;
1929 }
1930 TTY_FLUSH();
1931
1932 bi_terminate(bi_ctx);
1933
1934 if (RSA_test())
1935 {
1936 printf("RSA tests failed\n");
1937 goto cleanup;
1938 }
1939 TTY_FLUSH();
1940
1941 if (cert_tests())
1942 {
1943 printf("CERT tests failed\n");
1944 goto cleanup;
1945 }
1946 TTY_FLUSH();
1947
1948 #if !defined(WIN32) && defined(CONFIG_SSL_CTX_MUTEXING)
1949 if (multi_thread_test())
1950 goto cleanup;
1951 #endif
1952
1953 if (SSL_basic_test())
1954 goto cleanup;
1955
1956 system("sh ../ssl/test/killopenssl.sh");
1957
1958 if (SSL_client_tests())
1959 goto cleanup;
1960
1961 system("sh ../ssl/test/killopenssl.sh");
1962
1963 if (SSL_server_tests())
1964 goto cleanup;
1965
1966 system("sh ../ssl/test/killopenssl.sh");
1967
1968 if (header_issue())
1969 {
1970 printf("Header tests failed\n"); TTY_FLUSH();
1971 goto cleanup;
1972 }
1973
1974 ret = 0; /* all ok */
1975 printf("**** ALL TESTS PASSED ****\n"); TTY_FLUSH();
1976 cleanup:
1977
1978 if (ret)
1979 printf("Error: Some tests failed!\n");
1980
1981 close(fd);
1982 return ret;
1983 }
Lua Configuration Interface (mirror)