diff options
author | Joel Sing <jsing@cvs.openbsd.org> | 2017-01-12 15:50:17 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2017-01-12 15:50:17 +0000 |
commit | 21ee63efccd37cdac39ff30332160cb72e609e3a (patch) | |
tree | 77eb97dfd782cd96f8775552b1a69d8cedebe57d | |
parent | 4b97d16f4355cfe6ec7e41d5c0f4c90270683016 (diff) |
Add regress tests for libtls, which currently cover handshakes and closes
using callbacks, file descriptors and sockets.
-rw-r--r-- | regress/lib/libtls/Makefile | 3 | ||||
-rw-r--r-- | regress/lib/libtls/tls/Makefile | 19 | ||||
-rw-r--r-- | regress/lib/libtls/tls/tlstest.c | 335 |
3 files changed, 356 insertions, 1 deletions
diff --git a/regress/lib/libtls/Makefile b/regress/lib/libtls/Makefile index 153be799659..22464cd559a 100644 --- a/regress/lib/libtls/Makefile +++ b/regress/lib/libtls/Makefile @@ -1,7 +1,8 @@ -# $OpenBSD: Makefile,v 1.2 2014/11/01 11:55:27 jsing Exp $ +# $OpenBSD: Makefile,v 1.3 2017/01/12 15:50:16 jsing Exp $ SUBDIR= \ gotls \ + tls \ verify install: diff --git a/regress/lib/libtls/tls/Makefile b/regress/lib/libtls/tls/Makefile new file mode 100644 index 00000000000..61285faab10 --- /dev/null +++ b/regress/lib/libtls/tls/Makefile @@ -0,0 +1,19 @@ +# $OpenBSD: Makefile,v 1.1 2017/01/12 15:50:16 jsing Exp $ + +PROG= tlstest +LDADD= -lcrypto -lssl -ltls +DPADD= ${LIBCRYPTO} ${LIBSSL} ${LIBTLS} + +WARNINGS= Yes +CFLAGS+= -Werror + +REGRESS_TARGETS= \ + regress-tlstest + +regress-tlstest: ${PROG} + ./tlstest \ + ${.CURDIR}/../../libssl/certs/server.pem \ + ${.CURDIR}/../../libssl/certs/server.pem \ + ${.CURDIR}/../../libssl/certs/ca.pem + +.include <bsd.regress.mk> diff --git a/regress/lib/libtls/tls/tlstest.c b/regress/lib/libtls/tls/tlstest.c new file mode 100644 index 00000000000..da94edafbb9 --- /dev/null +++ b/regress/lib/libtls/tls/tlstest.c @@ -0,0 +1,335 @@ +/* $OpenBSD: tlstest.c,v 1.1 2017/01/12 15:50:16 jsing Exp $ */ +/* + * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include <sys/socket.h> + +#include <err.h> +#include <fcntl.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> + +#include <tls.h> + +#define CIRCULAR_BUFFER_SIZE 512 + +unsigned char client_buffer[CIRCULAR_BUFFER_SIZE]; +unsigned char *client_readptr, *client_writeptr; + +unsigned char server_buffer[CIRCULAR_BUFFER_SIZE]; +unsigned char *server_readptr, *server_writeptr; + +int debug = 0; + +static void +circular_init(void) +{ + client_readptr = client_writeptr = client_buffer; + server_readptr = server_writeptr = server_buffer; +} + +static ssize_t +circular_read(char *name, unsigned char *buf, size_t bufsize, + unsigned char **readptr, unsigned char *writeptr, + unsigned char *outbuf, size_t outlen) +{ + unsigned char *nextptr = *readptr; + size_t n = 0; + + while (n < outlen) { + if (nextptr == writeptr) + break; + *outbuf++ = *nextptr++; + if ((size_t)(nextptr - buf) >= bufsize) + nextptr = buf; + *readptr = nextptr; + n++; + } + + if (debug && n > 0) + fprintf(stderr, "%s buffer: read %zi bytes\n", name, n); + + return (n > 0 ? (ssize_t)n : TLS_WANT_POLLIN); +} + +static ssize_t +circular_write(char *name, unsigned char *buf, size_t bufsize, + unsigned char *readptr, unsigned char **writeptr, + const unsigned char *inbuf, size_t inlen) +{ + unsigned char *nextptr = *writeptr; + unsigned char *prevptr; + size_t n = 0; + + while (n < inlen) { + prevptr = nextptr++; + if ((size_t)(nextptr - buf) >= bufsize) + nextptr = buf; + if (nextptr == readptr) + break; + *prevptr = *inbuf++; + *writeptr = nextptr; + n++; + } + + if (debug && n > 0) + fprintf(stderr, "%s buffer: wrote %zi bytes\n", name, n); + + return (n > 0 ? (ssize_t)n : TLS_WANT_POLLOUT); +} + +static ssize_t +client_read(struct tls *ctx, void *buf, size_t buflen, void *cb_arg) +{ + return circular_read("client", client_buffer, sizeof(client_buffer), + &client_readptr, client_writeptr, buf, buflen); +} + +static ssize_t +client_write(struct tls *ctx, const void *buf, size_t buflen, void *cb_arg) +{ + return circular_write("server", server_buffer, sizeof(server_buffer), + server_readptr, &server_writeptr, buf, buflen); +} + +static ssize_t +server_read(struct tls *ctx, void *buf, size_t buflen, void *cb_arg) +{ + return circular_read("server", server_buffer, sizeof(server_buffer), + &server_readptr, server_writeptr, buf, buflen); +} + +static ssize_t +server_write(struct tls *ctx, const void *buf, size_t buflen, void *cb_arg) +{ + return circular_write("client", client_buffer, sizeof(client_buffer), + client_readptr, &client_writeptr, buf, buflen); +} + +static int +do_tls_handshake(char *name, struct tls *ctx) +{ + int rv; + + rv = tls_handshake(ctx); + if (rv == 0) + return (1); + if (rv == TLS_WANT_POLLIN || rv == TLS_WANT_POLLOUT) + return (0); + + errx(1, "%s handshake failed: %s", name, tls_error(ctx)); +} + +static int +do_tls_close(char *name, struct tls *ctx) +{ + int rv; + + rv = tls_close(ctx); + if (rv == 0) + return (1); + if (rv == TLS_WANT_POLLIN || rv == TLS_WANT_POLLOUT) + return (0); + + errx(1, "%s close failed: %s", name, tls_error(ctx)); +} + +static int +do_client_server_test(char *desc, struct tls *client, struct tls *server_cctx) +{ + int i, client_done, server_done; + + i = client_done = server_done = 0; + do { + if (client_done == 0) + client_done = do_tls_handshake("client", client); + if (server_done == 0) + server_done = do_tls_handshake("server", server_cctx); + } while (i++ < 100 && (client_done == 0 || server_done == 0)); + + if (client_done == 0 || server_done == 0) { + printf("FAIL: %s TLS handshake did not complete\n", desc); + return (1); + } + printf("INFO: %s TLS handshake completed successfully\n", desc); + + /* XXX - Do some reads and writes... */ + + i = client_done = server_done = 0; + do { + if (client_done == 0) + client_done = do_tls_close("client", client); + if (server_done == 0) + server_done = do_tls_close("server", server_cctx); + } while (i++ < 100 && (client_done == 0 || server_done == 0)); + + if (client_done == 0 || server_done == 0) { + printf("FAIL: %s TLS close did not complete\n", desc); + return (1); + } + printf("INFO: %s TLS close completed successfully\n", desc); + + return (0); +} + +static int +test_tls_cbs(struct tls *client, struct tls *server) +{ + struct tls *server_cctx; + int failure; + + circular_init(); + + if (tls_accept_cbs(server, &server_cctx, server_read, server_write, + NULL) == -1) + errx(1, "failed to accept: %s", tls_error(server)); + + if (tls_connect_cbs(client, client_read, client_write, NULL, + "test") == -1) + errx(1, "failed to connect: %s", tls_error(client)); + + failure = do_client_server_test("callback", client, server_cctx); + + tls_free(server_cctx); + + return (failure); +} + +static int +test_tls_fds(struct tls *client, struct tls *server) +{ + struct tls *server_cctx; + int cfds[2], sfds[2]; + int failure; + + if (pipe2(cfds, O_NONBLOCK) == -1) + err(1, "failed to create pipe"); + if (pipe2(sfds, O_NONBLOCK) == -1) + err(1, "failed to create pipe"); + + if (tls_accept_fds(server, &server_cctx, sfds[0], cfds[1]) == -1) + errx(1, "failed to accept: %s", tls_error(server)); + + if (tls_connect_fds(client, cfds[0], sfds[1], "test") == -1) + errx(1, "failed to connect: %s", tls_error(client)); + + failure = do_client_server_test("file descriptor", client, server_cctx); + + tls_free(server_cctx); + + close(cfds[0]); + close(cfds[1]); + close(sfds[0]); + close(sfds[1]); + + return (failure); +} + +static int +test_tls_socket(struct tls *client, struct tls *server) +{ + struct tls *server_cctx; + int failure; + int sv[2]; + + if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, PF_UNSPEC, + sv) == -1) + err(1, "failed to create socketpair"); + + if (tls_accept_socket(server, &server_cctx, sv[0]) == -1) + errx(1, "failed to accept: %s", tls_error(server)); + + if (tls_connect_socket(client, sv[1], "test") == -1) + errx(1, "failed to connect: %s", tls_error(client)); + + failure = do_client_server_test("socket", client, server_cctx); + + tls_free(server_cctx); + + close(sv[0]); + close(sv[1]); + + return (failure); +} + +int +main(int argc, char **argv) +{ + struct tls_config *client_cfg, *server_cfg; + struct tls *client, *server; + int failure = 0; + + if (argc != 4) { + fprintf(stderr, "usage: %s keyfile certfile cafile\n", + argv[0]); + return (1); + } + + if (tls_init() == -1) + errx(1, "failed to initialise tls"); + + if ((client = tls_client()) == NULL) + errx(1, "failed to create tls client"); + if ((client_cfg = tls_config_new()) == NULL) + errx(1, "failed to create tls client config"); + tls_config_insecure_noverifyname(client_cfg); + if (tls_config_set_ca_file(client_cfg, argv[3])) + errx(1, "failed to set ca: %s", tls_config_error(client_cfg)); + + if ((server = tls_server()) == NULL) + errx(1, "failed to create tls server"); + if ((server_cfg = tls_config_new()) == NULL) + errx(1, "failed to create tls server config"); + if (tls_config_set_keypair_file(server_cfg, argv[1], argv[2]) == -1) + errx(1, "failed to set keypair: %s", + tls_config_error(server_cfg)); + + tls_reset(client); + if (tls_configure(client, client_cfg) == -1) + errx(1, "failed to configure client: %s", tls_error(client)); + tls_reset(server); + if (tls_configure(server, server_cfg) == -1) + errx(1, "failed to configure server: %s", tls_error(server)); + + failure |= test_tls_cbs(client, server); + + tls_reset(client); + if (tls_configure(client, client_cfg) == -1) + errx(1, "failed to configure client: %s", tls_error(client)); + tls_reset(server); + if (tls_configure(server, server_cfg) == -1) + errx(1, "failed to configure server: %s", tls_error(server)); + + failure |= test_tls_fds(client, server); + + tls_reset(client); + if (tls_configure(client, client_cfg) == -1) + errx(1, "failed to configure client: %s", tls_error(client)); + tls_reset(server); + if (tls_configure(server, server_cfg) == -1) + errx(1, "failed to configure server: %s", tls_error(server)); + + failure |= test_tls_socket(client, server); + + tls_free(client); + tls_free(server); + + tls_config_free(client_cfg); + tls_config_free(server_cfg); + + return (failure); +} |