int main(int argc, char **argv)
{
struct s2n_connection *conn;
BEGIN_TEST();
EXPECT_NULL(conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(setenv("S2N_ENABLE_CLIENT_MODE", "1", 0));
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_free(conn));
END_TEST();
}
void mock_client(int writefd, int readfd)
{
char buffer[0xffff];
struct s2n_connection *conn;
int more;
/* Give the server a chance to listen */
sleep(1);
conn = s2n_connection_new(S2N_CLIENT);
s2n_connection_set_read_fd(conn, readfd);
s2n_connection_set_write_fd(conn, writefd);
s2n_negotiate(conn, &more);
for (int i = 1; i < 0xffff; i += 100) {
for (int j = 0; j < i; j++) {
buffer[j] = 33;
}
s2n_send(conn, buffer, i, &more);
}
s2n_shutdown(conn, &more);
s2n_connection_free(conn);
/* Give the server a chance to a void a sigpipe */
sleep(1);
_exit(0);
}
int main(int argc, char **argv)
{
struct s2n_connection *conn;
uint8_t mac_key[] = "sample mac key";
uint8_t aes128_key[] = "123456789012345";
struct s2n_blob aes128 = {.data = aes128_key,.size = sizeof(aes128_key) };
uint8_t random_data[S2N_LARGE_RECORD_LENGTH + 1];
struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)};
BEGIN_TEST();
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_get_urandom_data(&r));
/* Peer and we are in sync */
conn->server = &conn->secure;
conn->client = &conn->secure;
/* test the AES128 cipher with a SHA1 hash */
conn->secure.cipher_suite->cipher = &s2n_aes128;
conn->secure.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->get_encryption_key(&conn->secure.server_key, &aes128));
EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->get_decryption_key(&conn->secure.client_key, &aes128));
EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
conn->actual_protocol_version = S2N_TLS11;
/* Align the record size, then subtract 20 bytes for the HMAC, 16 bytes for the explicit IV, and one byte
* for the padding length byte.
*/
int small_aligned_payload = S2N_SMALL_FRAGMENT_LENGTH - (S2N_SMALL_FRAGMENT_LENGTH % 16) - 20 - 16 - 1;
int large_aligned_payload = S2N_LARGE_FRAGMENT_LENGTH - (S2N_LARGE_FRAGMENT_LENGTH % 16) - 20 - 16 - 1;
int bytes_written;
/* Check the default: small record */
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r));
EXPECT_EQUAL(bytes_written, small_aligned_payload);
/* Check explicitly small records */
EXPECT_SUCCESS(s2n_connection_prefer_low_latency(conn));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r));
EXPECT_EQUAL(bytes_written, small_aligned_payload);
/* Check explicitly large records */
EXPECT_SUCCESS(s2n_connection_prefer_throughput(conn));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r));
EXPECT_EQUAL(bytes_written, large_aligned_payload);
/* Clean up */
EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->destroy_key(&conn->secure.server_key));
EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->destroy_key(&conn->secure.client_key));
EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
END_TEST();
}
int mock_client(int writefd, int readfd, uint8_t *expected_data, uint32_t size)
{
uint8_t *buffer = malloc(size);
uint8_t *ptr = buffer;
struct s2n_connection *conn;
struct s2n_config *config;
s2n_blocked_status blocked;
int result = 0;
/* Give the server a chance to listen */
sleep(1);
conn = s2n_connection_new(S2N_CLIENT);
config = s2n_config_new();
s2n_connection_set_config(conn, config);
s2n_connection_set_read_fd(conn, readfd);
s2n_connection_set_write_fd(conn, writefd);
result = s2n_negotiate(conn, &blocked);
if (result < 0) {
_exit(1);
}
/* Receive 10MB of data */
uint32_t remaining = size;
while(remaining) {
int r = s2n_recv(conn, ptr, remaining, &blocked);
if (r < 0) {
continue;
}
remaining -= r;
ptr += r;
}
int shutdown_rc= -1;
do {
shutdown_rc = s2n_shutdown(conn, &blocked);
} while(shutdown_rc != 0);
for (int i = 0; i < size; i++) {
if (buffer[i] != expected_data[i]) {
_exit(1);
}
}
free(buffer);
s2n_connection_free(conn);
/* Give the server a chance to a void a sigpipe */
sleep(1);
_exit(0);
}
int mock_client(int writefd, int readfd, const char **protocols, int count, const char *expected)
{
char buffer[0xffff];
struct s2n_connection *conn;
struct s2n_config *config;
s2n_blocked_status blocked;
int result = 0;
/* Give the server a chance to listen */
sleep(1);
conn = s2n_connection_new(S2N_CLIENT);
config = s2n_config_new();
s2n_config_set_protocol_preferences(config, protocols, count);
s2n_connection_set_config(conn, config);
s2n_connection_set_read_fd(conn, readfd);
s2n_connection_set_write_fd(conn, writefd);
result = s2n_negotiate(conn, &blocked);
if (result < 0) {
result = 1;
}
const char *got = s2n_get_application_protocol(conn);
if ((got != NULL && expected == NULL) ||
(got == NULL && expected != NULL) ||
(got != NULL && expected != NULL && strcmp(expected, got) != 0)) {
result = 2;
}
for (int i = 1; i < 0xffff; i += 100) {
for (int j = 0; j < i; j++) {
buffer[j] = 33;
}
s2n_send(conn, buffer, i, &blocked);
}
s2n_connection_free(conn);
/* Give the server a chance to a void a sigpipe */
sleep(1);
_exit(result);
}
void mock_client(int writefd, int readfd)
{
char buffer[0xffff];
struct s2n_connection *conn;
struct s2n_config *cconfig;
s2n_blocked_status blocked;
/* Give the server a chance to listen */
sleep(1);
conn = s2n_connection_new(S2N_CLIENT);
conn->server_protocol_version = S2N_TLS12;
conn->client_protocol_version = S2N_TLS12;
conn->actual_protocol_version = S2N_TLS12;
cconfig = s2n_config_new();
s2n_config_disable_session_tickets(cconfig);
s2n_connection_set_config(conn, cconfig);
s2n_connection_set_read_fd(conn, readfd);
s2n_connection_set_write_fd(conn, writefd);
s2n_negotiate(conn, &blocked);
for (int i = 1; i < 0xffff; i += 100) {
for (int j = 0; j < i; j++) {
buffer[j] = 33;
}
s2n_send(conn, buffer, i, &blocked);
}
int shutdown_rc = -1;
while(shutdown_rc != 0) {
shutdown_rc = s2n_shutdown(conn, &blocked);
}
s2n_connection_free(conn);
/* Give the server a chance to a void a sigpipe */
sleep(1);
_exit(0);
}
int main(int argc, char **argv)
{
struct s2n_config *server_config;
struct s2n_cipher_preferences *default_cipher_preferences;
BEGIN_TEST();
EXPECT_SUCCESS(setenv("S2N_ENABLE_CLIENT_MODE", "1", 0));
EXPECT_SUCCESS(setenv("S2N_DONT_MLOCK", "1", 0));
EXPECT_SUCCESS(s2n_init());
EXPECT_NOT_NULL(server_config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(server_config, certificate, private_key));
EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams));
EXPECT_NOT_NULL(default_cipher_preferences = server_config->cipher_preferences);
/* Verify that a handshake succeeds for every cipher in the default list. */
for (int cipher_idx = 0; cipher_idx < default_cipher_preferences->count; cipher_idx++) {
struct s2n_cipher_preferences server_cipher_preferences;
struct s2n_connection *client_conn;
struct s2n_connection *server_conn;
int client_more;
int server_more;
int server_to_client[2];
int client_to_server[2];
/* Craft a cipher preference with a cipher_idx cipher
NOTE: Its safe to use memcpy as the address of server_cipher_preferences
will never be NULL */
memcpy(&server_cipher_preferences, default_cipher_preferences, sizeof(server_cipher_preferences));
server_cipher_preferences.count = 1;
server_cipher_preferences.wire_format = default_cipher_preferences->wire_format + cipher_idx * S2N_TLS_CIPHER_SUITE_LEN;
server_config->cipher_preferences = &server_cipher_preferences;
/* Create nonblocking pipes */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
for (int i = 0; i < 2; i++) {
EXPECT_NOT_EQUAL(fcntl(server_to_client[i], F_SETFL, fcntl(server_to_client[i], F_GETFL) | O_NONBLOCK), -1);
EXPECT_NOT_EQUAL(fcntl(client_to_server[i], F_SETFL, fcntl(client_to_server[i], F_GETFL) | O_NONBLOCK), -1);
}
EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_read_fd(client_conn, server_to_client[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(client_conn, client_to_server[1]));
EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_read_fd(server_conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(server_conn, server_to_client[1]));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
do {
int ret;
ret = s2n_negotiate(client_conn, &client_more);
EXPECT_TRUE(ret == 0 || (client_more && errno == EAGAIN));
ret = s2n_negotiate(server_conn, &server_more);
EXPECT_TRUE(ret == 0 || (server_more && errno == EAGAIN));
} while (client_more || server_more);
EXPECT_SUCCESS(s2n_shutdown(client_conn, &client_more));
EXPECT_SUCCESS(s2n_connection_free(client_conn));
EXPECT_SUCCESS(s2n_shutdown(server_conn, &server_more));
EXPECT_SUCCESS(s2n_connection_free(server_conn));
for (int i = 0; i < 2; i++) {
EXPECT_SUCCESS(close(server_to_client[i]));
EXPECT_SUCCESS(close(client_to_server[i]));
}
}
EXPECT_SUCCESS(s2n_config_free(server_config));
END_TEST();
return 0;
}
int main(int argc, char **argv)
{
BEGIN_TEST();
EXPECT_SUCCESS(setenv("S2N_ENABLE_CLIENT_MODE", "1", 0));
EXPECT_SUCCESS(setenv("S2N_DONT_MLOCK", "1", 0));
EXPECT_SUCCESS(s2n_init());
/* Client doens't use the server name extension. */
{
struct s2n_connection *client_conn;
struct s2n_connection *server_conn;
struct s2n_config *server_config;
s2n_blocked_status client_blocked;
s2n_blocked_status server_blocked;
int server_to_client[2];
int client_to_server[2];
/* Create nonblocking pipes */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
for (int i = 0; i < 2; i++) {
EXPECT_NOT_EQUAL(fcntl(server_to_client[i], F_SETFL, fcntl(server_to_client[i], F_GETFL) | O_NONBLOCK), -1);
EXPECT_NOT_EQUAL(fcntl(client_to_server[i], F_SETFL, fcntl(client_to_server[i], F_GETFL) | O_NONBLOCK), -1);
}
EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_read_fd(client_conn, server_to_client[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(client_conn, client_to_server[1]));
EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_read_fd(server_conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(server_conn, server_to_client[1]));
EXPECT_NOT_NULL(server_config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(server_config, certificate, private_key));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
do {
int ret;
ret = s2n_negotiate(client_conn, &client_blocked);
EXPECT_TRUE(ret == 0 || (client_blocked && errno == EAGAIN));
ret = s2n_negotiate(server_conn, &server_blocked);
EXPECT_TRUE(ret == 0 || (server_blocked && errno == EAGAIN));
} while (client_blocked || server_blocked);
/* Verify that the server didn't receive the server name. */
EXPECT_NULL(s2n_get_server_name(server_conn));
EXPECT_SUCCESS(s2n_shutdown(client_conn, &client_blocked));
EXPECT_SUCCESS(s2n_connection_free(client_conn));
EXPECT_SUCCESS(s2n_shutdown(server_conn, &server_blocked));
EXPECT_SUCCESS(s2n_connection_free(server_conn));
EXPECT_SUCCESS(s2n_config_free(server_config));
for (int i = 0; i < 2; i++) {
EXPECT_SUCCESS(close(server_to_client[i]));
EXPECT_SUCCESS(close(client_to_server[i]));
}
}
/* Client uses the server name extension. */
{
struct s2n_connection *client_conn;
struct s2n_connection *server_conn;
struct s2n_config *server_config;
s2n_blocked_status client_blocked;
s2n_blocked_status server_blocked;
int server_to_client[2];
int client_to_server[2];
const char *sent_server_name = "awesome.amazonaws.com";
const char *received_server_name;
/* Create nonblocking pipes */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
for (int i = 0; i < 2; i++) {
EXPECT_NOT_EQUAL(fcntl(server_to_client[i], F_SETFL, fcntl(server_to_client[i], F_GETFL) | O_NONBLOCK), -1);
EXPECT_NOT_EQUAL(fcntl(client_to_server[i], F_SETFL, fcntl(client_to_server[i], F_GETFL) | O_NONBLOCK), -1);
}
EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_read_fd(client_conn, server_to_client[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(client_conn, client_to_server[1]));
/* Set the server name */
EXPECT_SUCCESS(s2n_set_server_name(client_conn, sent_server_name));
EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_read_fd(server_conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(server_conn, server_to_client[1]));
EXPECT_NOT_NULL(server_config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(server_config, certificate, private_key));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
do {
int ret;
ret = s2n_negotiate(client_conn, &client_blocked);
EXPECT_TRUE(ret == 0 || (client_blocked && errno == EAGAIN));
ret = s2n_negotiate(server_conn, &server_blocked);
EXPECT_TRUE(ret == 0 || (server_blocked && errno == EAGAIN));
} while (client_blocked || server_blocked);
/* Verify that the server name was received intact. */
EXPECT_NOT_NULL(received_server_name = s2n_get_server_name(server_conn));
EXPECT_EQUAL(strlen(received_server_name), strlen(sent_server_name));
EXPECT_BYTEARRAY_EQUAL(received_server_name, sent_server_name, strlen(received_server_name));
EXPECT_SUCCESS(s2n_shutdown(client_conn, &client_blocked));
EXPECT_SUCCESS(s2n_connection_free(client_conn));
EXPECT_SUCCESS(s2n_shutdown(server_conn, &server_blocked));
EXPECT_SUCCESS(s2n_connection_free(server_conn));
EXPECT_SUCCESS(s2n_config_free(server_config));
for (int i = 0; i < 2; i++) {
EXPECT_SUCCESS(close(server_to_client[i]));
EXPECT_SUCCESS(close(client_to_server[i]));
}
}
/* Client sends multiple server names. */
{
struct s2n_connection *server_conn;
struct s2n_config *server_config;
s2n_blocked_status server_blocked;
int server_to_client[2];
int client_to_server[2];
const char *sent_server_name = "svr";
const char *received_server_name;
uint8_t client_extensions[] = {
/* Extension type TLS_EXTENSION_SERVER_NAME */
0x00, 0x00,
/* Extension size */
0x00, 0x0C,
/* All server names len */
0x00, 0x0A,
/* First server name type - host name */
0x00,
/* First server name len */
0x00, 0x03,
/* First server name, matches sent_server_name */
's', 'v', 'r',
/* Second server name type - host name */
0x00,
/* Second server name len */
0x00, 0x01,
/* Second server name */
0xFF,
};
int client_extensions_len = sizeof(client_extensions);
uint8_t client_hello_message[] = {
/* Protocol version TLS 1.2 */
0x03, 0x03,
/* Client random */
ZERO_TO_THIRTY_ONE,
/* SessionID len - 32 bytes */
0x20,
/* Session ID */
ZERO_TO_THIRTY_ONE,
/* Cipher suites len */
0x00, 0x02,
/* Cipher suite - TLS_RSA_WITH_AES_128_CBC_SHA256 */
0x00, 0x3C,
/* Compression methods len */
0x01,
/* Compression method - none */
0x00,
/* Extensions len */
(client_extensions_len >> 8) & 0xff, (client_extensions_len & 0xff),
};
int body_len = sizeof(client_hello_message) + client_extensions_len;
uint8_t message_header[] = {
/* Handshake message type CLIENT HELLO */
0x01,
/* Body len */
(body_len >> 16) & 0xff, (body_len >> 8) & 0xff, (body_len & 0xff),
};
int message_len = sizeof(message_header) + body_len;
uint8_t record_header[] = {
/* Record type HANDSHAKE */
0x16,
/* Protocol version TLS 1.2 */
0x03, 0x03,
/* Message len */
(message_len >> 8) & 0xff, (message_len & 0xff),
};
/* Create nonblocking pipes */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
for (int i = 0; i < 2; i++) {
EXPECT_NOT_EQUAL(fcntl(server_to_client[i], F_SETFL, fcntl(server_to_client[i], F_GETFL) | O_NONBLOCK), -1);
EXPECT_NOT_EQUAL(fcntl(client_to_server[i], F_SETFL, fcntl(client_to_server[i], F_GETFL) | O_NONBLOCK), -1);
}
EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_read_fd(server_conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(server_conn, server_to_client[1]));
EXPECT_NOT_NULL(server_config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(server_config, certificate, private_key));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
/* Send the client hello */
EXPECT_EQUAL(write(client_to_server[1], record_header, sizeof(record_header)), sizeof(record_header));
EXPECT_EQUAL(write(client_to_server[1], message_header, sizeof(message_header)), sizeof(message_header));
EXPECT_EQUAL(write(client_to_server[1], client_hello_message, sizeof(client_hello_message)), sizeof(client_hello_message));
EXPECT_EQUAL(write(client_to_server[1], client_extensions, sizeof(client_extensions)), sizeof(client_extensions));
/* Verify that the CLIENT HELLO is accepted */
s2n_negotiate(server_conn, &server_blocked);
EXPECT_EQUAL(server_blocked, 1);
EXPECT_EQUAL(server_conn->handshake.state, CLIENT_KEY);
/* Verify that the server name was received intact. */
EXPECT_NOT_NULL(received_server_name = s2n_get_server_name(server_conn));
EXPECT_EQUAL(strlen(received_server_name), strlen(sent_server_name));
EXPECT_BYTEARRAY_EQUAL(received_server_name, sent_server_name, strlen(received_server_name));
EXPECT_SUCCESS(s2n_shutdown(server_conn, &server_blocked));
EXPECT_SUCCESS(s2n_connection_free(server_conn));
EXPECT_SUCCESS(s2n_config_free(server_config));
for (int i = 0; i < 2; i++) {
EXPECT_SUCCESS(close(server_to_client[i]));
EXPECT_SUCCESS(close(client_to_server[i]));
}
}
/* Client doesn't use the OCSP extension. */
{
struct s2n_connection *client_conn;
struct s2n_connection *server_conn;
struct s2n_config *server_config;
s2n_blocked_status client_blocked;
s2n_blocked_status server_blocked;
int server_to_client[2];
int client_to_server[2];
uint32_t length;
/* Create nonblocking pipes */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
for (int i = 0; i < 2; i++) {
EXPECT_NOT_EQUAL(fcntl(server_to_client[i], F_SETFL, fcntl(server_to_client[i], F_GETFL) | O_NONBLOCK), -1);
EXPECT_NOT_EQUAL(fcntl(client_to_server[i], F_SETFL, fcntl(client_to_server[i], F_GETFL) | O_NONBLOCK), -1);
}
EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_read_fd(client_conn, server_to_client[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(client_conn, client_to_server[1]));
EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_read_fd(server_conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(server_conn, server_to_client[1]));
EXPECT_NOT_NULL(server_config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_with_status(server_config, certificate, private_key, server_ocsp_status, sizeof(server_ocsp_status)));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
do {
int ret;
ret = s2n_negotiate(client_conn, &client_blocked);
EXPECT_TRUE(ret == 0 || client_blocked);
ret = s2n_negotiate(server_conn, &server_blocked);
EXPECT_TRUE(ret == 0 || server_blocked);
} while (client_blocked || server_blocked);
/* Verify that the client didn't receive an OCSP response. */
EXPECT_NULL(s2n_connection_get_ocsp_response(client_conn, &length));
EXPECT_EQUAL(length, 0);
EXPECT_SUCCESS(s2n_shutdown(client_conn, &client_blocked));
EXPECT_SUCCESS(s2n_connection_free(client_conn));
EXPECT_SUCCESS(s2n_shutdown(server_conn, &server_blocked));
EXPECT_SUCCESS(s2n_connection_free(server_conn));
EXPECT_SUCCESS(s2n_config_free(server_config));
for (int i = 0; i < 2; i++) {
EXPECT_SUCCESS(close(server_to_client[i]));
EXPECT_SUCCESS(close(client_to_server[i]));
}
}
/* Server doesn't support the OCSP extension. */
{
struct s2n_connection *client_conn;
struct s2n_connection *server_conn;
struct s2n_config *server_config;
struct s2n_config *client_config;
s2n_blocked_status client_blocked;
s2n_blocked_status server_blocked;
int server_to_client[2];
int client_to_server[2];
uint32_t length;
/* Create nonblocking pipes */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
for (int i = 0; i < 2; i++) {
EXPECT_NOT_EQUAL(fcntl(server_to_client[i], F_SETFL, fcntl(server_to_client[i], F_GETFL) | O_NONBLOCK), -1);
EXPECT_NOT_EQUAL(fcntl(client_to_server[i], F_SETFL, fcntl(client_to_server[i], F_GETFL) | O_NONBLOCK), -1);
}
EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_read_fd(client_conn, server_to_client[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(client_conn, client_to_server[1]));
EXPECT_NOT_NULL(client_config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_set_status_request_type(client_config, S2N_STATUS_REQUEST_OCSP));
EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_read_fd(server_conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(server_conn, server_to_client[1]));
EXPECT_NOT_NULL(server_config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(server_config, certificate, private_key));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
do {
int ret;
ret = s2n_negotiate(client_conn, &client_blocked);
EXPECT_TRUE(ret == 0 || client_blocked);
ret = s2n_negotiate(server_conn, &server_blocked);
EXPECT_TRUE(ret == 0 || server_blocked);
} while (client_blocked || server_blocked);
/* Verify that the client didn't receive an OCSP response. */
EXPECT_NULL(s2n_connection_get_ocsp_response(client_conn, &length));
EXPECT_EQUAL(length, 0);
EXPECT_SUCCESS(s2n_shutdown(client_conn, &client_blocked));
EXPECT_SUCCESS(s2n_connection_free(client_conn));
EXPECT_SUCCESS(s2n_shutdown(server_conn, &server_blocked));
EXPECT_SUCCESS(s2n_connection_free(server_conn));
EXPECT_SUCCESS(s2n_config_free(server_config));
EXPECT_SUCCESS(s2n_config_free(client_config));
for (int i = 0; i < 2; i++) {
EXPECT_SUCCESS(close(server_to_client[i]));
EXPECT_SUCCESS(close(client_to_server[i]));
}
}
/* Server and client support the OCSP extension. */
{
struct s2n_connection *client_conn;
struct s2n_connection *server_conn;
struct s2n_config *server_config;
struct s2n_config *client_config;
s2n_blocked_status client_blocked;
s2n_blocked_status server_blocked;
int server_to_client[2];
int client_to_server[2];
uint32_t length;
/* Create nonblocking pipes */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
for (int i = 0; i < 2; i++) {
EXPECT_NOT_EQUAL(fcntl(server_to_client[i], F_SETFL, fcntl(server_to_client[i], F_GETFL) | O_NONBLOCK), -1);
EXPECT_NOT_EQUAL(fcntl(client_to_server[i], F_SETFL, fcntl(client_to_server[i], F_GETFL) | O_NONBLOCK), -1);
}
EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_read_fd(client_conn, server_to_client[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(client_conn, client_to_server[1]));
EXPECT_NOT_NULL(client_config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_set_status_request_type(client_config, S2N_STATUS_REQUEST_OCSP));
EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_read_fd(server_conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(server_conn, server_to_client[1]));
EXPECT_NOT_NULL(server_config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_with_status(server_config, certificate, private_key, server_ocsp_status, sizeof(server_ocsp_status)));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
do {
int ret;
ret = s2n_negotiate(client_conn, &client_blocked);
EXPECT_TRUE(ret == 0 || client_blocked);
ret = s2n_negotiate(server_conn, &server_blocked);
EXPECT_TRUE(ret == 0 || server_blocked);
} while (client_blocked || server_blocked);
/* Verify that the client didn't receive an OCSP response. */
EXPECT_NULL(s2n_connection_get_ocsp_response(client_conn, &length));
EXPECT_EQUAL(length, 0);
EXPECT_SUCCESS(s2n_shutdown(client_conn, &client_blocked));
EXPECT_SUCCESS(s2n_connection_free(client_conn));
EXPECT_SUCCESS(s2n_shutdown(server_conn, &server_blocked));
EXPECT_SUCCESS(s2n_connection_free(server_conn));
EXPECT_SUCCESS(s2n_config_free(server_config));
EXPECT_SUCCESS(s2n_config_free(client_config));
for (int i = 0; i < 2; i++) {
EXPECT_SUCCESS(close(server_to_client[i]));
EXPECT_SUCCESS(close(client_to_server[i]));
}
}
END_TEST();
return 0;
}
int main(int argc, char **argv)
{
struct s2n_connection *conn;
uint8_t random_data[S2N_DEFAULT_FRAGMENT_LENGTH + 1];
uint8_t mac_key[] = "sample mac key";
uint8_t aes128_key[] = "123456789012345";
uint8_t aes256_key[] = "1234567890123456789012345678901";
struct s2n_blob aes128 = {.data = aes128_key,.size = sizeof(aes128_key) };
struct s2n_blob aes256 = {.data = aes256_key,.size = sizeof(aes256_key) };
struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)};
BEGIN_TEST();
EXPECT_SUCCESS(s2n_init());
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_get_urandom_data(&r));
/* Peer and we are in sync */
conn->server = &conn->active;
conn->client = &conn->active;
/* test the AES128 cipher with a SHA1 hash */
conn->active.cipher_suite->cipher = &s2n_aes128_gcm;
conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &aes128));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &aes128));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
conn->actual_protocol_version = S2N_TLS12;
int max_fragment = S2N_DEFAULT_FRAGMENT_LENGTH;
for (int i = 0; i <= max_fragment + 1; i++) {
struct s2n_blob in = {.data = random_data,.size = i };
int bytes_written;
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in));
static const int overhead = 20 /* TLS header */
+ 8 /* IV */
+ 16; /* TAG */
if (i < max_fragment - overhead) {
EXPECT_EQUAL(bytes_written, i);
} else {
EXPECT_EQUAL(bytes_written, max_fragment - overhead);
}
uint16_t predicted_length = bytes_written + 20;
predicted_length += conn->active.cipher_suite->cipher->io.aead.record_iv_size;
predicted_length += conn->active.cipher_suite->cipher->io.aead.tag_size;
EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA);
EXPECT_EQUAL(conn->out.blob.data[1], 3);
EXPECT_EQUAL(conn->out.blob.data[2], 3);
EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff);
EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff);
/* The data should be encrypted */
if (bytes_written > 10) {
EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0);
}
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
/* Let's decrypt it */
uint8_t content_type;
uint16_t fragment_length;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_SUCCESS(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_EQUAL(fragment_length, predicted_length);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
/* Now lets corrupt some data and ensure the tests pass */
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
/* Tamper the protocol version in the header, and ensure decryption fails, as we use this in the AAD */
conn->in.blob.data[2] = 2;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
/* Tamper with the IV and ensure decryption fails */
for (int j = 0; j < S2N_TLS_GCM_IV_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[5 + j] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
/* Tamper with the TAG and ensure decryption fails */
for (int j = 0; j < S2N_TLS_GCM_TAG_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[conn->in.blob.size - j - 1] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
/* Tamper w ith the cipher text and ensure decryption fails */
for (int j = S2N_TLS_GCM_IV_LEN; j < conn->in.blob.size - S2N_TLS_GCM_TAG_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[5 + j] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
}
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key));
EXPECT_SUCCESS(s2n_connection_free(conn));
/* test the AES256 cipher with a SHA1 hash */
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
conn->active.cipher_suite->cipher = &s2n_aes256_gcm;
conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &aes256));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &aes256));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
conn->actual_protocol_version = S2N_TLS12;
for (int i = 0; i <= max_fragment + 1; i++) {
struct s2n_blob in = {.data = random_data,.size = i };
int bytes_written;
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in));
static const int overhead = 20 /* TLS header */
+ 8 /* IV */
+ 16; /* TAG */
if (i < max_fragment - overhead) {
EXPECT_EQUAL(bytes_written, i);
} else {
EXPECT_EQUAL(bytes_written, max_fragment - overhead);
}
uint16_t predicted_length = bytes_written + 20;
predicted_length += conn->active.cipher_suite->cipher->io.aead.record_iv_size;
predicted_length += conn->active.cipher_suite->cipher->io.aead.tag_size;
EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA);
EXPECT_EQUAL(conn->out.blob.data[1], 3);
EXPECT_EQUAL(conn->out.blob.data[2], 3);
EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff);
EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff);
/* The data should be encrypted */
if (bytes_written > 10) {
EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0);
}
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
/* Let's decrypt it */
uint8_t content_type;
uint16_t fragment_length;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_SUCCESS(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_EQUAL(fragment_length, predicted_length);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
/* Now lets corrupt some data and ensure the tests pass */
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
/* Tamper the protocol version in the header, and ensure decryption fails, as we use this in the AAD */
conn->in.blob.data[2] = 2;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
/* Tamper with the IV and ensure decryption fails */
for (int j = 0; j < S2N_TLS_GCM_IV_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[5 + j] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
/* Tamper with the TAG and ensure decryption fails */
for (int j = 0; j < S2N_TLS_GCM_TAG_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[conn->in.blob.size - j - 1] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
/* Tamper w ith the cipher text and ensure decryption fails */
for (int j = S2N_TLS_GCM_IV_LEN; j < conn->in.blob.size - S2N_TLS_GCM_TAG_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[5 + j] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
}
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key));
EXPECT_SUCCESS(s2n_connection_free(conn));
END_TEST();
}
int main(int argc, char *const *argv)
{
struct addrinfo hints, *ai_list, *ai;
int r, sockfd = 0;
ssize_t session_state_length = 0;
uint8_t *session_state = NULL;
/* Optional args */
const char *alpn_protocols = NULL;
const char *server_name = NULL;
const char *ca_file = NULL;
const char *ca_dir = NULL;
uint16_t mfl_value = 0;
uint8_t insecure = 0;
int reconnect = 0;
uint8_t session_ticket = 1;
s2n_status_request_type type = S2N_STATUS_REQUEST_NONE;
uint32_t dyn_rec_threshold = 0;
uint8_t dyn_rec_timeout = 0;
/* required args */
const char *cipher_prefs = "default";
const char *host = NULL;
struct verify_data unsafe_verify_data;
const char *port = "443";
int echo_input = 0;
int use_corked_io = 0;
static struct option long_options[] = {
{"alpn", required_argument, 0, 'a'},
{"ciphers", required_argument, 0, 'c'},
{"echo", required_argument, 0, 'e'},
{"help", no_argument, 0, 'h'},
{"name", required_argument, 0, 'n'},
{"status", no_argument, 0, 's'},
{"mfl", required_argument, 0, 'm'},
{"ca-file", required_argument, 0, 'f'},
{"ca-dir", required_argument, 0, 'd'},
{"insecure", no_argument, 0, 'i'},
{"reconnect", no_argument, 0, 'r'},
{"no-session-ticket", no_argument, 0, 'T'},
{"dynamic", required_argument, 0, 'D'},
{"timeout", required_argument, 0, 't'},
{"corked-io", no_argument, 0, 'C'},
};
while (1) {
int option_index = 0;
int c = getopt_long(argc, argv, "a:c:ehn:sf:d:D:t:irTC", long_options, &option_index);
if (c == -1) {
break;
}
switch (c) {
case 'a':
alpn_protocols = optarg;
break;
case 'C':
use_corked_io = 1;
break;
case 'c':
cipher_prefs = optarg;
break;
case 'e':
echo_input = 1;
break;
case 'h':
usage();
break;
case 'n':
server_name = optarg;
break;
case 's':
type = S2N_STATUS_REQUEST_OCSP;
break;
case 'm':
mfl_value = (uint16_t) atoi(optarg);
break;
case 'f':
ca_file = optarg;
break;
case 'd':
ca_dir = optarg;
break;
case 'i':
insecure = 1;
break;
case 'r':
reconnect = 5;
break;
case 'T':
session_ticket = 0;
break;
case 't':
dyn_rec_timeout = (uint8_t) MIN(255, atoi(optarg));
break;
case 'D':
dyn_rec_threshold = strtoul(optarg, 0, 10);
if (errno == ERANGE) {
dyn_rec_threshold = 0;
}
break;
case '?':
default:
usage();
break;
}
}
if (optind < argc) {
host = argv[optind++];
}
if (optind < argc) {
port = argv[optind++];
}
if (!host) {
usage();
}
if (!server_name) {
server_name = host;
}
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if (signal(SIGPIPE, SIG_IGN) == SIG_ERR) {
fprintf(stderr, "Error disabling SIGPIPE\n");
exit(1);
}
GUARD_EXIT(s2n_init(), "Error running s2n_init()");
if ((r = getaddrinfo(host, port, &hints, &ai_list)) != 0) {
fprintf(stderr, "error: %s\n", gai_strerror(r));
exit(1);
}
do {
int connected = 0;
for (ai = ai_list; ai != NULL; ai = ai->ai_next) {
if ((sockfd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol)) == -1) {
continue;
}
if (connect(sockfd, ai->ai_addr, ai->ai_addrlen) == -1) {
close(sockfd);
continue;
}
connected = 1;
/* connect() succeeded */
break;
}
if (connected == 0) {
fprintf(stderr, "Failed to connect to %s:%s\n", host, port);
exit(1);
}
struct s2n_config *config = s2n_config_new();
setup_s2n_config(config, cipher_prefs, type, &unsafe_verify_data, host, alpn_protocols, mfl_value);
if (ca_file || ca_dir) {
if (s2n_config_set_verification_ca_location(config, ca_file, ca_dir) < 0) {
print_s2n_error("Error setting CA file for trust store.");
}
}
else if (insecure) {
GUARD_EXIT(s2n_config_disable_x509_verification(config), "Error disabling X.509 validation");
}
if (session_ticket) {
GUARD_EXIT(s2n_config_set_session_tickets_onoff(config, 1), "Error enabling session tickets");
}
struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
if (conn == NULL) {
print_s2n_error("Error getting new connection");
exit(1);
}
GUARD_EXIT(s2n_connection_set_config(conn, config), "Error setting configuration");
GUARD_EXIT(s2n_set_server_name(conn, server_name), "Error setting server name");
GUARD_EXIT(s2n_connection_set_fd(conn, sockfd) , "Error setting file descriptor");
if (use_corked_io) {
GUARD_EXIT(s2n_connection_use_corked_io(conn), "Error setting corked io");
}
/* Update session state in connection if exists */
if (session_state_length > 0) {
GUARD_EXIT(s2n_connection_set_session(conn, session_state, session_state_length), "Error setting session state in connection");
}
/* See echo.c */
int ret = negotiate(conn);
if (ret != 0) {
/* Error is printed in negotiate */
return -1;
}
printf("Connected to %s:%s\n", host, port);
/* Save session state from connection if reconnect is enabled */
if (reconnect > 0) {
if (!session_ticket && s2n_connection_get_session_id_length(conn) <= 0) {
printf("Endpoint sent empty session id so cannot resume session\n");
exit(1);
}
free(session_state);
session_state_length = s2n_connection_get_session_length(conn);
session_state = calloc(session_state_length, sizeof(uint8_t));
if (s2n_connection_get_session(conn, session_state, session_state_length) != session_state_length) {
print_s2n_error("Error getting serialized session state");
exit(1);
}
}
if (dyn_rec_threshold > 0 && dyn_rec_timeout > 0) {
s2n_connection_set_dynamic_record_threshold(conn, dyn_rec_threshold, dyn_rec_timeout);
}
if (echo_input == 1) {
echo(conn, sockfd);
}
s2n_blocked_status blocked;
s2n_shutdown(conn, &blocked);
GUARD_EXIT(s2n_connection_free(conn), "Error freeing connection");
GUARD_EXIT(s2n_config_free(config), "Error freeing configuration");
close(sockfd);
reconnect--;
} while (reconnect >= 0);
GUARD_EXIT(s2n_cleanup(), "Error running s2n_cleanup()");
free(session_state);
freeaddrinfo(ai_list);
return 0;
}
int main(int argc, char * const *argv)
{
struct addrinfo hints, *ai_list, *ai;
int r, sockfd = 0;
/* Optional args */
const char *alpn_protocols = NULL;
const char *server_name = NULL;
s2n_status_request_type type = S2N_STATUS_REQUEST_NONE;
/* required args */
const char *host = NULL;
const char *port = "443";
static struct option long_options[] = {
{ "alpn", required_argument, 0, 'a' },
{ "help", no_argument, 0, 'h' },
{ "name", required_argument, 0, 'n' },
{ "status", no_argument, 0, 's' },
};
while (1) {
int option_index = 0;
int c = getopt_long (argc, argv, "a:hn:s", long_options, &option_index);
if (c == -1) {
break;
}
switch (c) {
case 'a':
alpn_protocols = optarg;
break;
case 'h':
usage();
break;
case 'n':
server_name = optarg;
break;
case 's':
type = S2N_STATUS_REQUEST_OCSP;
break;
case '?':
default:
usage();
break;
}
}
if (optind < argc) {
host = argv[optind++];
}
if (optind < argc) {
port = argv[optind++];
}
if (!host) {
usage();
}
if (!server_name) {
server_name = host;
}
if (memset(&hints, 0, sizeof(hints)) != &hints) {
fprintf(stderr, "memset error: %s\n", strerror(errno));
exit(1);
}
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if (signal(SIGPIPE, SIG_IGN) == SIG_ERR) {
fprintf(stderr, "Error disabling SIGPIPE\n");
exit(1);
}
if ((r = getaddrinfo(host, port, &hints, &ai_list)) != 0) {
fprintf(stderr, "error: %s\n", gai_strerror(r));
exit(1);
}
int connected = 0;
for (ai = ai_list; ai != NULL; ai = ai->ai_next) {
if ((sockfd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol)) == -1) {
continue;
}
if (connect(sockfd, ai->ai_addr, ai->ai_addrlen) == -1) {
close(sockfd);
continue;
}
connected = 1;
/* connect() succeeded */
break;
}
freeaddrinfo(ai_list);
if (connected == 0) {
fprintf(stderr, "Failed to connect to %s:%s\n", argv[1], port);
close(sockfd);
exit(1);
}
const char *error;
if (s2n_init(&error) < 0) {
fprintf(stderr, "Error running s2n_init(): '%s'\n", s2n_strerror(s2n_errno, "EN"));
}
struct s2n_config *config = s2n_config_new();
if (config == NULL) {
fprintf(stderr, "Error getting new config: '%s'\n", s2n_strerror(s2n_errno, "EN"));
exit(1);
}
if (s2n_config_set_status_request_type(config, type) < 0) {
fprintf(stderr, "Error setting status request type: '%s'\n", s2n_strerror(s2n_errno, "EN"));
exit(1);
}
if (alpn_protocols) {
/* Count the number of commas, this tells us how many protocols there
are in the list */
const char *ptr = alpn_protocols;
int protocol_count = 1;
while (*ptr) {
if (*ptr == ',') {
protocol_count++;
}
ptr++;
}
char **protocols = malloc(sizeof(char *) * protocol_count);
if (!protocols) {
fprintf(stderr, "Error allocating memory\n");
exit(1);
}
const char *next = alpn_protocols;
int index = 0;
int length = 0;
ptr = alpn_protocols;
while (*ptr) {
if (*ptr == ',') {
protocols[index] = malloc(length + 1);
if (!protocols[index]) {
fprintf(stderr, "Error allocating memory\n");
exit(1);
}
memcpy(protocols[index], next, length);
protocols[index][length] = '\0';
length = 0;
index++;
ptr++;
next = ptr;
} else {
length++;
ptr++;
}
}
if (ptr != next) {
protocols[index] = malloc(length + 1);
if (!protocols[index]) {
fprintf(stderr, "Error allocating memory\n");
exit(1);
}
memcpy(protocols[index], next, length);
protocols[index][length] = '\0';
}
if (s2n_config_set_protocol_preferences(config, (const char * const *)protocols, protocol_count) < 0) {
fprintf(stderr, "Failed to set protocol preferences: '%s'\n", s2n_strerror(s2n_errno, "EN"));
exit(1);
}
while(protocol_count) {
protocol_count--;
free(protocols[protocol_count]);
}
free(protocols);
}
struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
if (conn == NULL) {
fprintf(stderr, "Error getting new connection: '%s'\n", s2n_strerror(s2n_errno, "EN"));
exit(1);
}
printf("Connected to %s:%s\n", host, port);
if (s2n_connection_set_config(conn, config) < 0) {
fprintf(stderr, "Error setting configuration: '%s'\n", s2n_strerror(s2n_errno, "EN"));
exit(1);
}
if (s2n_set_server_name(conn, server_name) < 0) {
fprintf(stderr, "Error setting server name: '%s'\n", s2n_strerror(s2n_errno, "EN"));
exit(1);
}
if (s2n_connection_set_fd(conn, sockfd) < 0) {
fprintf(stderr, "Error setting file descriptor: '%s'\n", s2n_strerror(s2n_errno, "EN"));
exit(1);
}
/* See echo.c */
echo(conn, sockfd);
if (s2n_connection_free(conn) < 0) {
fprintf(stderr, "Error freeing connection: '%s'\n", s2n_strerror(s2n_errno, "EN"));
exit(1);
}
if (s2n_config_free(config) < 0) {
fprintf(stderr, "Error freeing configuration: '%s'\n", s2n_strerror(s2n_errno, "EN"));
exit(1);
}
if (s2n_cleanup(&error) < 0) {
fprintf(stderr, "Error running s2n_cleanup(): '%s'\n", s2n_strerror(s2n_errno, "EN"));
}
return 0;
}
int main(int argc, char **argv)
{
struct s2n_connection *conn;
struct s2n_config *config;
int status;
pid_t pid;
int server_to_client[2];
int client_to_server[2];
BEGIN_TEST();
EXPECT_SUCCESS(setenv("S2N_ENABLE_CLIENT_MODE", "1", 0));
/* Create a pipe */
EXPECT_SUCCESS(s2n_init());
for (int is_dh_key_exchange = 0; is_dh_key_exchange <= 1; is_dh_key_exchange++) {
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
/* Create a child process */
pid = fork();
if (pid == 0) {
/* This is the child process, close the read end of the pipe */
EXPECT_SUCCESS(close(client_to_server[0]));
EXPECT_SUCCESS(close(server_to_client[1]));
/* Write the fragmented hello message */
mock_client(client_to_server[1], server_to_client[0]);
}
/* This is the parent */
EXPECT_SUCCESS(close(client_to_server[1]));
EXPECT_SUCCESS(close(server_to_client[0]));
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_NOT_NULL(config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(config, certificate, private_key));
if (is_dh_key_exchange) {
EXPECT_SUCCESS(s2n_config_add_dhparams(config, dhparams));
}
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
/* Set up the connection to read from the fd */
EXPECT_SUCCESS(s2n_connection_set_read_fd(conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(conn, server_to_client[1]));
/* Negotiate the handshake. */
EXPECT_SUCCESS(s2n_negotiate(conn, &status));
char buffer[0xffff];
for (int i = 1; i < 0xffff; i += 100) {
char * ptr = buffer;
int bytes_read = 0;
int size = i;
do {
EXPECT_SUCCESS(bytes_read = s2n_recv(conn, ptr, size, &status));
size -= bytes_read;
ptr += bytes_read;
} while(size);
for (int j = 0; j < i; j++) {
EXPECT_EQUAL(buffer[j], 33);
}
}
/* Verify that read() returns EOF */
EXPECT_SUCCESS(s2n_recv(conn, buffer, 1, &status));
EXPECT_SUCCESS(s2n_shutdown(conn, &status));
EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_config_free(config));
/* Clean up */
EXPECT_EQUAL(waitpid(-1, &status, 0), pid);
EXPECT_EQUAL(status, 0);
}
END_TEST();
return 0;
}
int main(int argc, char **argv)
{
if(argc != 2)
{
fprintf(stderr,"usage: %s hostname\n", argv[0]);
return 1;
}
signal(SIGINT, sigint_handler);
printf("Looking up addresses for %s ...\n", argv[1]);
struct addrinfo hints;
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC; // AF_INET or AF_INET6 to force version
hints.ai_socktype = SOCK_STREAM;
struct addrinfo *dnsres;
int status_1 = getaddrinfo(argv[1], PORT, &hints, &dnsres);
if(status_1 != 0)
{
fprintf(stderr, "dns lookup failed: %s\n", gai_strerror(status_1));
return 2;
}
print_addrinfo(dnsres);
printf("Connecting to %s ...\n", "the server");
int sockfd = socket(dnsres->ai_family, dnsres->ai_socktype, dnsres->ai_protocol);
if(connect(sockfd, dnsres->ai_addr, dnsres->ai_addrlen) != 0)
{
perror("connect");
return 3;
}
printf("Connected.\n");
freeaddrinfo(dnsres); // frees the memory that was dynamically allocated for the linked lists by getaddrinfo
s2n_init();
struct s2n_config *config = s2n_config_new();
s2n_status_request_type type = S2N_STATUS_REQUEST_NONE;
s2n_config_set_status_request_type(config, type);
struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
s2n_connection_set_config(conn, config);
s2n_connection_set_fd(conn, sockfd);
s2n_blocked_status blocked;
do {
if (s2n_negotiate(conn, &blocked) < 0) {
fprintf(stderr, "Failed to negotiate: '%s' %d\n", s2n_strerror(s2n_errno, "EN"), s2n_connection_get_alert(conn));
exit(1);
}
} while (blocked);
int client_hello_version;
int client_protocol_version;
int server_protocol_version;
int actual_protocol_version;
if ((client_hello_version = s2n_connection_get_client_hello_version(conn)) < 0) {
fprintf(stderr, "Could not get client hello version\n");
exit(1);
}
if ((client_protocol_version = s2n_connection_get_client_protocol_version(conn)) < 0) {
fprintf(stderr, "Could not get client protocol version\n");
exit(1);
}
if ((server_protocol_version = s2n_connection_get_server_protocol_version(conn)) < 0) {
fprintf(stderr, "Could not get server protocol version\n");
exit(1);
}
if ((actual_protocol_version = s2n_connection_get_actual_protocol_version(conn)) < 0) {
fprintf(stderr, "Could not get actual protocol version\n");
exit(1);
}
printf("Client hello version: %d\n", client_hello_version);
printf("Client protocol version: %d\n", client_protocol_version);
printf("Server protocol version: %d\n", server_protocol_version);
printf("Actual protocol version: %d\n", actual_protocol_version);
if (s2n_get_server_name(conn)) {
printf("Server name: %s\n", s2n_get_server_name(conn));
}
if (s2n_get_application_protocol(conn)) {
printf("Application protocol: %s\n", s2n_get_application_protocol(conn));
}
uint32_t length;
const uint8_t *status = s2n_connection_get_ocsp_response(conn, &length);
if (status && length > 0) {
fprintf(stderr, "OCSP response received, length %d\n", length);
}
printf("Cipher negotiated: %s\n", s2n_connection_get_cipher(conn));
char buf[BUFFERSIZE + 1];
int bytes_read, bytes_written;
// Make sure stdin is a terminal.
if (!isatty(STDIN_FILENO))
{
fprintf(stderr, "Not a terminal.\n");
exit(EXIT_FAILURE);
}
// Save the terminal attributes so we can restore them later.
tcgetattr(STDIN_FILENO, &saved_attributes);
atexit(reset_input_mode);
// Set the funny terminal modes.
struct termios tattr;
tcgetattr(STDIN_FILENO, &tattr);
tattr.c_lflag &= ~(ICANON | ECHO); // Clear ICANON and ECHO.
tattr.c_cc[VMIN] = 1;
tattr.c_cc[VTIME] = 0;
tcsetattr(STDIN_FILENO, TCSAFLUSH, &tattr);
fd_set master, readfds;
FD_ZERO(&master);
FD_SET(STDIN_FILENO, &master);
FD_SET(sockfd, &master);
for(;;)
{
readfds = master;
select(sockfd + 1, &readfds, NULL, NULL, NULL);
if(FD_ISSET(STDIN_FILENO, &readfds))
{
bytes_read = read(STDIN_FILENO, buf, BUFFERSIZE);
if(bytes_read < 1) break;
char *buf_ptr = buf;
int bytes_available = bytes_read;
do
{
bytes_written = s2n_send(conn, buf_ptr, bytes_available, &blocked);
if(bytes_written < 0) break;
bytes_available -= bytes_written;
buf_ptr += bytes_written;
} while(bytes_available || blocked);
}
if(FD_ISSET(sockfd, &readfds))
{
do
{
bytes_read = s2n_recv(conn, buf, BUFFERSIZE, &blocked);
if(bytes_read < 1) break;
write(STDOUT_FILENO, buf, bytes_read);
} while(blocked);
}
//if(nbytes != mbytes) printf("nbytes [%d] != mbytes [%d] \n", nbytes, mbytes);
}
close(sockfd);
s2n_connection_free(conn);
s2n_config_free(config);
s2n_cleanup();
printf("\nBYE!\n");
return 0;
}
int main(int argc, char **argv)
{
uint8_t data[10000000];
uint8_t *ptr = data;
struct s2n_connection *conn;
struct s2n_config *config;
s2n_blocked_status blocked;
int status;
pid_t pid;
int server_to_client[2];
int client_to_server[2];
struct s2n_blob blob = {.data = data, .size = sizeof(data)};
BEGIN_TEST();
EXPECT_SUCCESS(setenv("S2N_ENABLE_CLIENT_MODE", "1", 0));
EXPECT_NOT_NULL(config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(config, certificate, private_key));
EXPECT_SUCCESS(s2n_config_add_dhparams(config, dhparams));
/* Get some random data to send/receive */
EXPECT_SUCCESS(s2n_get_urandom_data(&blob));
/* Create a pipe */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
/* Create a child process */
pid = fork();
if (pid == 0) {
/* This is the child process, close the read end of the pipe */
EXPECT_SUCCESS(close(client_to_server[0]));
EXPECT_SUCCESS(close(server_to_client[1]));
/* Run the client */
mock_client(client_to_server[1], server_to_client[0], data, sizeof(data));
}
/* This is the parent */
EXPECT_SUCCESS(close(client_to_server[1]));
EXPECT_SUCCESS(close(server_to_client[0]));
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
/* Set up the connection to read from the fd */
EXPECT_SUCCESS(s2n_connection_set_read_fd(conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(conn, server_to_client[1]));
/* Negotiate the handshake. */
EXPECT_SUCCESS(s2n_negotiate(conn, &blocked));
/* Pause the child process by sending it SIGSTP */
EXPECT_SUCCESS(kill(pid, SIGSTOP));
/* Make our pipes non-blocking */
EXPECT_NOT_EQUAL(fcntl(client_to_server[0], F_SETFL, fcntl(client_to_server[0], F_GETFL) | O_NONBLOCK), -1);
EXPECT_NOT_EQUAL(fcntl(server_to_client[1], F_SETFL, fcntl(server_to_client[1], F_GETFL) | O_NONBLOCK), -1);
/* Try to all 10MB of data, should be enough to fill PIPEBUF, so
we'll get blocked at some point */
uint32_t remaining = sizeof(data);
while (remaining) {
int r = s2n_send(conn, ptr, remaining, &blocked);
if (r < 0) {
if (blocked) {
/* We reached a blocked state */
break;
}
continue;
}
remaining -= r;
ptr += r;
}
/* Remaining shouldn't have progressed at all */
EXPECT_EQUAL(remaining, sizeof(data));
/* Wake the child process by sending it SIGCONT */
EXPECT_SUCCESS(kill(pid, SIGCONT));
/* Make our sockets blocking again */
EXPECT_NOT_EQUAL(fcntl(client_to_server[0], F_SETFL, fcntl(client_to_server[0], F_GETFL) ^ O_NONBLOCK), -1);
EXPECT_NOT_EQUAL(fcntl(server_to_client[1], F_SETFL, fcntl(server_to_client[1], F_GETFL) ^ O_NONBLOCK), -1);
/* Actually send the remaining data */
while (remaining) {
int r = s2n_send(conn, ptr, remaining, &blocked);
if (r < 0) {
continue;
}
remaining -= r;
ptr += r;
}
EXPECT_SUCCESS(s2n_shutdown(conn, &blocked));
EXPECT_SUCCESS(s2n_connection_free(conn));
/* Clean up */
EXPECT_EQUAL(waitpid(-1, &status, 0), pid);
EXPECT_EQUAL(status, 0);
EXPECT_SUCCESS(s2n_config_free(config));
END_TEST();
return 0;
}
int main(int argc, char **argv)
{
struct s2n_stuffer certificate_in, certificate_out;
struct s2n_stuffer dhparams_in, dhparams_out;
struct s2n_stuffer rsa_key_in, rsa_key_out;
struct s2n_blob b;
BEGIN_TEST();
EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_in, sizeof(certificate)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_out, sizeof(certificate)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&dhparams_in, sizeof(dhparams)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&dhparams_out, sizeof(dhparams)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&rsa_key_in, sizeof(private_key)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&rsa_key_out, sizeof(private_key)));
b.data = certificate;
b.size = sizeof(certificate);
EXPECT_SUCCESS(s2n_stuffer_write(&certificate_in, &b));
b.data = private_key;
b.size = sizeof(private_key);
EXPECT_SUCCESS(s2n_stuffer_write(&rsa_key_in, &b));
b.data = dhparams;
b.size = sizeof(dhparams);
EXPECT_SUCCESS(s2n_stuffer_write(&dhparams_in, &b));
EXPECT_SUCCESS(s2n_stuffer_certificate_from_pem(&certificate_in, &certificate_out));
EXPECT_SUCCESS(s2n_stuffer_rsa_private_key_from_pem(&rsa_key_in, &rsa_key_out));
EXPECT_SUCCESS(s2n_stuffer_dhparams_from_pem(&dhparams_in, &dhparams_out));
struct s2n_rsa_private_key priv_key;
struct s2n_rsa_public_key pub_key;
b.size = s2n_stuffer_data_available(&certificate_out);
b.data = s2n_stuffer_raw_read(&certificate_out, b.size);
EXPECT_SUCCESS(s2n_asn1der_to_rsa_public_key(&pub_key, &b));
b.size = s2n_stuffer_data_available(&rsa_key_out);
b.data = s2n_stuffer_raw_read(&rsa_key_out, b.size);
EXPECT_SUCCESS(s2n_asn1der_to_rsa_private_key(&priv_key, &b));
EXPECT_SUCCESS(s2n_rsa_keys_match(&pub_key, &priv_key));
struct s2n_connection *conn;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(conn->config, (char *)chain, (char *)private_key));
struct s2n_dh_params dh_params;
b.size = s2n_stuffer_data_available(&dhparams_out);
b.data = s2n_stuffer_raw_read(&dhparams_out, b.size);
EXPECT_SUCCESS(s2n_pkcs3_to_dh_params(&dh_params, &b));
EXPECT_SUCCESS(s2n_config_add_dhparams(conn->config, (char *)dhparams));
/* Try signing and verification with RSA */
uint8_t inputpad[] = "Hello world!";
struct s2n_blob signature;
struct s2n_hash_state tls10_one, tls10_two, tls12_one, tls12_two;
EXPECT_SUCCESS(s2n_hash_init(&tls10_one, S2N_HASH_MD5_SHA1));
EXPECT_SUCCESS(s2n_hash_init(&tls10_two, S2N_HASH_MD5_SHA1));
EXPECT_SUCCESS(s2n_hash_init(&tls12_one, S2N_HASH_SHA1));
EXPECT_SUCCESS(s2n_hash_init(&tls12_two, S2N_HASH_SHA1));
EXPECT_SUCCESS(s2n_alloc(&signature, s2n_rsa_public_encrypted_size(&pub_key)));
EXPECT_SUCCESS(s2n_hash_update(&tls10_one, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_hash_update(&tls10_two, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_rsa_sign(&priv_key, &tls10_one, &signature));
EXPECT_SUCCESS(s2n_rsa_verify(&pub_key, &tls10_two, &signature));
EXPECT_SUCCESS(s2n_hash_update(&tls12_one, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_hash_update(&tls12_two, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_rsa_sign(&priv_key, &tls12_one, &signature));
EXPECT_SUCCESS(s2n_rsa_verify(&pub_key, &tls12_two, &signature));
EXPECT_SUCCESS(s2n_dh_params_free(&dh_params));
EXPECT_SUCCESS(s2n_rsa_private_key_free(&priv_key));
EXPECT_SUCCESS(s2n_rsa_public_key_free(&pub_key));
EXPECT_SUCCESS(s2n_config_free_dhparams(conn->config));
EXPECT_SUCCESS(s2n_config_free_cert_chain_and_key(conn->config));
EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_free(&signature));
EXPECT_SUCCESS(s2n_stuffer_free(&certificate_in));
EXPECT_SUCCESS(s2n_stuffer_free(&certificate_out));
EXPECT_SUCCESS(s2n_stuffer_free(&dhparams_in));
EXPECT_SUCCESS(s2n_stuffer_free(&dhparams_out));
EXPECT_SUCCESS(s2n_stuffer_free(&rsa_key_in));
EXPECT_SUCCESS(s2n_stuffer_free(&rsa_key_out));
END_TEST();
}
int main(int argc, char **argv)
{
struct s2n_connection *conn;
struct s2n_config *config;
s2n_blocked_status blocked;
int status;
pid_t pid;
int server_to_client[2];
int client_to_server[2];
BEGIN_TEST();
EXPECT_SUCCESS(setenv("S2N_ENABLE_CLIENT_MODE", "1", 0));
for (int cert = 0; cert < SUPPORTED_CERTIFICATE_FORMATS; cert++) {
for (int is_dh_key_exchange = 0; is_dh_key_exchange <= 1; is_dh_key_exchange++) {
/* Create a pipe */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
/* Create a child process */
pid = fork();
if (pid == 0) {
/* This is the child process, close the read end of the pipe */
EXPECT_SUCCESS(close(client_to_server[0]));
EXPECT_SUCCESS(close(server_to_client[1]));
/* Write the fragmented hello message */
mock_client(client_to_server[1], server_to_client[0]);
}
/* This is the parent */
EXPECT_SUCCESS(close(client_to_server[1]));
EXPECT_SUCCESS(close(server_to_client[0]));
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
conn->server_protocol_version = S2N_TLS12;
conn->client_protocol_version = S2N_TLS12;
conn->actual_protocol_version = S2N_TLS12;
EXPECT_NOT_NULL(config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(config, certificates[cert], private_keys[cert]));
if (is_dh_key_exchange) {
EXPECT_SUCCESS(s2n_config_add_dhparams(config, dhparams));
}
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
/* Set up the connection to read from the fd */
EXPECT_SUCCESS(s2n_connection_set_read_fd(conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(conn, server_to_client[1]));
/* Negotiate the handshake. */
EXPECT_SUCCESS(s2n_negotiate(conn, &blocked));
char buffer[0xffff];
for (int i = 1; i < 0xffff; i += 100) {
char * ptr = buffer;
int size = i;
do {
int bytes_read = 0;
EXPECT_SUCCESS(bytes_read = s2n_recv(conn, ptr, size, &blocked));
size -= bytes_read;
ptr += bytes_read;
} while(size);
for (int j = 0; j < i; j++) {
EXPECT_EQUAL(buffer[j], 33);
}
}
int shutdown_rc = -1;
do {
shutdown_rc = s2n_shutdown(conn, &blocked);
EXPECT_TRUE(shutdown_rc == 0 || (errno == EAGAIN && blocked));
} while(shutdown_rc != 0);
EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_config_free(config));
/* Clean up */
EXPECT_EQUAL(waitpid(-1, &status, 0), pid);
EXPECT_EQUAL(status, 0);
}
}
END_TEST();
return 0;
}
int main(int argc, char **argv) {
BEGIN_TEST();
EXPECT_SUCCESS(setenv("S2N_ENABLE_CLIENT_MODE", "1", 0));
/* Part 1 setup a client and server connection with everything they need for a key exchange */
struct s2n_connection *client_conn, *server_conn;
EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
struct s2n_config *server_config, *client_config;
client_config = s2n_fetch_unsafe_client_testing_config();
GUARD(s2n_connection_set_config(client_conn, client_config));
/* Part 1.1 setup server's keypair and the give the client the certificate */
char *cert_chain;
char *private_key;
char *client_chain;
EXPECT_NOT_NULL(cert_chain = malloc(S2N_MAX_TEST_PEM_SIZE));
EXPECT_NOT_NULL(private_key = malloc(S2N_MAX_TEST_PEM_SIZE));
EXPECT_NOT_NULL(client_chain = malloc(S2N_MAX_TEST_PEM_SIZE));
EXPECT_NOT_NULL(server_config = s2n_config_new());
EXPECT_SUCCESS(s2n_read_test_pem(S2N_RSA_2048_PKCS1_CERT_CHAIN, cert_chain, S2N_MAX_TEST_PEM_SIZE));
EXPECT_SUCCESS(s2n_read_test_pem(S2N_RSA_2048_PKCS1_KEY, private_key, S2N_MAX_TEST_PEM_SIZE));
EXPECT_SUCCESS(s2n_read_test_pem(S2N_RSA_2048_PKCS1_LEAF_CERT, client_chain, S2N_MAX_TEST_PEM_SIZE));
struct s2n_cert_chain_and_key *chain_and_key;
EXPECT_NOT_NULL(chain_and_key = s2n_cert_chain_and_key_new());
EXPECT_SUCCESS(s2n_cert_chain_and_key_load_pem(chain_and_key, cert_chain, private_key));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
GUARD(s2n_set_signature_hash_pair_from_preference_list(server_conn, &server_conn->handshake_params.client_sig_hash_algs, &server_conn->secure.conn_hash_alg, &server_conn->secure.conn_sig_alg));
DEFER_CLEANUP(struct s2n_stuffer certificate_in = {{0}}, s2n_stuffer_free);
EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_in, S2N_MAX_TEST_PEM_SIZE));
DEFER_CLEANUP(struct s2n_stuffer certificate_out = {{0}}, s2n_stuffer_free);
EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_out, S2N_MAX_TEST_PEM_SIZE));
struct s2n_blob temp_blob;
temp_blob.data = (uint8_t *) client_chain;
temp_blob.size = strlen(client_chain) + 1;
EXPECT_SUCCESS(s2n_stuffer_write(&certificate_in, &temp_blob));
EXPECT_SUCCESS(s2n_stuffer_certificate_from_pem(&certificate_in, &certificate_out));
temp_blob.size = s2n_stuffer_data_available(&certificate_out);
temp_blob.data = s2n_stuffer_raw_read(&certificate_out, temp_blob.size);
s2n_cert_type cert_type;
EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&client_conn->secure.server_public_key, &cert_type, &temp_blob));
server_conn->handshake_params.our_chain_and_key = chain_and_key;
EXPECT_SUCCESS(setup_connection(server_conn));
EXPECT_SUCCESS(setup_connection(client_conn));
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Read the seed from the RSP_FILE and create the DRBG for the test. Since the seed is the same (and prediction
* resistance is off) all calls to generate random data will return the same sequence. Thus the server always
* generates the same ECDHE point and KEM public key, the client does the same. */
FILE *kat_file = fopen(RSP_FILE_NAME, "r");
EXPECT_NOT_NULL(kat_file);
EXPECT_SUCCESS(s2n_alloc(&kat_entropy_blob, 48));
EXPECT_SUCCESS(ReadHex(kat_file, kat_entropy_blob.data, 48, "seed = "));
struct s2n_drbg drbg = {.entropy_generator = &s2n_entropy_generator};
s2n_stack_blob(personalization_string, 32, 32);
EXPECT_SUCCESS(s2n_drbg_instantiate(&drbg, &personalization_string, S2N_DANGEROUS_AES_256_CTR_NO_DF_NO_PR));
EXPECT_SUCCESS(s2n_set_private_drbg_for_test(drbg));
#endif
/* Part 2 server sends key first */
EXPECT_SUCCESS(s2n_server_key_send(server_conn));
/* Part 2.1 verify the results as best we can */
EXPECT_EQUAL(server_conn->handshake.io.write_cursor, SERVER_KEY_MESSAGE_LENGTH);
struct s2n_blob server_key_message = {.size = SERVER_KEY_MESSAGE_LENGTH, .data = s2n_stuffer_raw_read(&server_conn->handshake.io, SERVER_KEY_MESSAGE_LENGTH)};
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Part 2.1.1 if we're running in known answer mode check the server's key exchange message matches the expected value */
uint8_t expected_server_key_message[SERVER_KEY_MESSAGE_LENGTH];
EXPECT_SUCCESS(ReadHex(kat_file, expected_server_key_message, SERVER_KEY_MESSAGE_LENGTH, "expected_server_key_exchange = "));
EXPECT_BYTEARRAY_EQUAL(expected_server_key_message, server_key_message.data, SERVER_KEY_MESSAGE_LENGTH);
#endif
/* Part 2.2 copy server's message to the client's stuffer */
s2n_stuffer_write(&client_conn->handshake.io, &server_key_message);
/* Part 3 client recvs the server's key and sends the client key exchange message */
EXPECT_SUCCESS(s2n_server_key_recv(client_conn));
EXPECT_SUCCESS(s2n_client_key_send(client_conn));
/* Part 3.1 verify the results as best we can */
EXPECT_EQUAL(client_conn->handshake.io.write_cursor - client_conn->handshake.io.read_cursor, CLIENT_KEY_MESSAGE_LENGTH);
struct s2n_blob client_key_message = {.size = CLIENT_KEY_MESSAGE_LENGTH, .data = s2n_stuffer_raw_read(&client_conn->handshake.io, CLIENT_KEY_MESSAGE_LENGTH)};
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Part 3.1.1 if we're running in known answer mode check the client's key exchange message matches the expected value */
uint8_t expected_client_key_message[CLIENT_KEY_MESSAGE_LENGTH];
EXPECT_SUCCESS(ReadHex(kat_file, expected_client_key_message, CLIENT_KEY_MESSAGE_LENGTH, "expected_client_key_exchange = "));
EXPECT_BYTEARRAY_EQUAL(expected_client_key_message, client_key_message.data, CLIENT_KEY_MESSAGE_LENGTH);
#endif
/* Part 3.2 copy the client's message back to the server's stuffer */
s2n_stuffer_write(&server_conn->handshake.io, &client_key_message);
/* Part 4 server receives the client's message */
EXPECT_SUCCESS(s2n_client_key_recv(server_conn));
/* Part 4.1 verify results as best we can, the client and server should at least have the same master secret */
EXPECT_BYTEARRAY_EQUAL(server_conn->secure.master_secret, client_conn->secure.master_secret, S2N_TLS_SECRET_LEN);
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Part 4.1.1 if we're running in known answer mode check that both the client and server got the expected master secret
* from the RSP_FILE */
uint8_t expected_master_secret[S2N_TLS_SECRET_LEN];
EXPECT_SUCCESS(ReadHex(kat_file, expected_master_secret, S2N_TLS_SECRET_LEN, "expected_master_secret = "));
EXPECT_BYTEARRAY_EQUAL(expected_master_secret, client_conn->secure.master_secret, S2N_TLS_SECRET_LEN);
EXPECT_BYTEARRAY_EQUAL(expected_master_secret, server_conn->secure.master_secret, S2N_TLS_SECRET_LEN);
#endif
EXPECT_SUCCESS(s2n_cert_chain_and_key_free(chain_and_key));
EXPECT_SUCCESS(s2n_connection_free(client_conn));
EXPECT_SUCCESS(s2n_connection_free(server_conn));
EXPECT_SUCCESS(s2n_config_free(server_config));
free(cert_chain);
free(client_chain);
free(private_key);
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Extra cleanup needed for the known answer test */
fclose(kat_file);
#endif
END_TEST();
}
int main(int argc, char **argv)
{
struct s2n_connection *conn;
uint8_t mac_key[] = "sample mac key";
uint8_t rc4_key[] = "123456789012345";
struct s2n_blob key_iv = {.data = rc4_key,.size = sizeof(rc4_key) };
uint8_t random_data[S2N_SMALL_FRAGMENT_LENGTH + 1];
struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)};
BEGIN_TEST();
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_get_urandom_data(&r));
/* Peer and we are in sync */
conn->server = &conn->active;
/* test the RC4 cipher with a SHA1 hash */
conn->active.cipher_suite->cipher = &s2n_rc4;
conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->init(&conn->active.server_key));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->init(&conn->active.client_key));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &key_iv));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &key_iv));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
conn->actual_protocol_version = S2N_TLS11;
for (int i = 0; i <= S2N_SMALL_FRAGMENT_LENGTH + 1; i++) {
struct s2n_blob in = {.data = random_data,.size = i };
int bytes_written;
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in));
if (i <= S2N_SMALL_FRAGMENT_LENGTH - 20) {
EXPECT_EQUAL(bytes_written, i);
} else {
EXPECT_EQUAL(bytes_written, S2N_SMALL_FRAGMENT_LENGTH - 20);
}
uint16_t predicted_length = bytes_written + 20;
EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA);
EXPECT_EQUAL(conn->out.blob.data[1], 3);
EXPECT_EQUAL(conn->out.blob.data[2], 2);
EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff);
EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff);
/* The data should be encrypted */
if (bytes_written > 10) {
EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0);
}
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5))
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)))
/* Check that the data looks right */
EXPECT_EQUAL(bytes_written + 20, s2n_stuffer_data_available(&conn->in));
/* Let's decrypt it */
uint8_t content_type;
uint16_t fragment_length;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_SUCCESS(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_EQUAL(fragment_length, predicted_length);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key));
EXPECT_SUCCESS(s2n_connection_free(conn));
END_TEST();
}
int main(int argc, char **argv)
{
char buffer[0xffff];
struct s2n_connection *conn;
struct s2n_config *config;
s2n_blocked_status blocked;
int status;
pid_t pid;
int server_to_client[2];
int client_to_server[2];
const char *protocols[] = { "http/1.1", "spdy/3.1" };
const char *mismatch_protocols[] = { "spdy/2" };
BEGIN_TEST();
EXPECT_SUCCESS(setenv("S2N_ENABLE_CLIENT_MODE", "1", 0));
EXPECT_NOT_NULL(config = s2n_config_new());
EXPECT_SUCCESS(s2n_config_set_protocol_preferences(config, protocols, 2));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(config, certificate, private_key));
EXPECT_SUCCESS(s2n_config_add_dhparams(config, dhparams));
/** Test no client ALPN request */
/* Create a pipe */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
/* Create a child process */
pid = fork();
if (pid == 0) {
/* This is the child process, close the read end of the pipe */
EXPECT_SUCCESS(close(client_to_server[0]));
EXPECT_SUCCESS(close(server_to_client[1]));
/* Send the client hello with no ALPN extensions, and validate we didn't
* negotiate an application protocol */
mock_client(client_to_server[1], server_to_client[0], NULL, 0, NULL);
}
/* This is the parent */
EXPECT_SUCCESS(close(client_to_server[1]));
EXPECT_SUCCESS(close(server_to_client[0]));
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
/* Set up the connection to read from the fd */
EXPECT_SUCCESS(s2n_connection_set_read_fd(conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(conn, server_to_client[1]));
/* Negotiate the handshake. */
EXPECT_SUCCESS(s2n_negotiate(conn, &blocked));
/* Expect NULL negotiated protocol */
EXPECT_EQUAL(s2n_get_application_protocol(conn), NULL);
for (int i = 1; i < 0xffff; i += 100) {
char * ptr = buffer;
int bytes_read = 0;
int size = i;
do {
EXPECT_SUCCESS(bytes_read = s2n_recv(conn, ptr, size, &blocked));
size -= bytes_read;
ptr += bytes_read;
} while(size);
for (int j = 0; j < i; j++) {
EXPECT_EQUAL(buffer[j], 33);
}
}
EXPECT_SUCCESS(s2n_shutdown(conn, &blocked));
EXPECT_SUCCESS(s2n_connection_free(conn));
/* Clean up */
EXPECT_EQUAL(waitpid(-1, &status, 0), pid);
EXPECT_EQUAL(status, 0);
/* Test a matching ALPN request */
/* Create a pipe */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
/* Create a child process */
pid = fork();
if (pid == 0) {
/* This is the child process, close the read end of the pipe */
EXPECT_SUCCESS(close(client_to_server[0]));
EXPECT_SUCCESS(close(server_to_client[1]));
/* Clients ALPN preferences match our preferences, so we pick the
* most preffered server one */
mock_client(client_to_server[1], server_to_client[0], protocols, 2, protocols[0]);
}
/* This is the parent */
EXPECT_SUCCESS(close(client_to_server[1]));
EXPECT_SUCCESS(close(server_to_client[0]));
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
/* Set up the connection to read from the fd */
EXPECT_SUCCESS(s2n_connection_set_read_fd(conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(conn, server_to_client[1]));
/* Negotiate the handshake. */
EXPECT_SUCCESS(s2n_negotiate(conn, &blocked));
/* Expect our most prefered negotiated protocol */
EXPECT_STRING_EQUAL(s2n_get_application_protocol(conn), protocols[0]);
for (int i = 1; i < 0xffff; i += 100) {
char * ptr = buffer;
int bytes_read = 0;
int size = i;
do {
EXPECT_SUCCESS(bytes_read = s2n_recv(conn, ptr, size, &blocked));
size -= bytes_read;
ptr += bytes_read;
} while(size);
for (int j = 0; j < i; j++) {
EXPECT_EQUAL(buffer[j], 33);
}
}
EXPECT_SUCCESS(s2n_shutdown(conn, &blocked));
EXPECT_SUCCESS(s2n_connection_free(conn));
/* Clean up */
EXPECT_EQUAL(waitpid(-1, &status, 0), pid);
EXPECT_EQUAL(status, 0);
/* Test a lower prefered matching ALPN request */
/* Create a pipe */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
/* Create a child process */
pid = fork();
if (pid == 0) {
/* This is the child process, close the read end of the pipe */
EXPECT_SUCCESS(close(client_to_server[0]));
EXPECT_SUCCESS(close(server_to_client[1]));
/* Client only advertises our second choice, so we should negotiate it */
mock_client(client_to_server[1], server_to_client[0], &protocols[1], 1, protocols[1]);
}
/* This is the parent */
EXPECT_SUCCESS(close(client_to_server[1]));
EXPECT_SUCCESS(close(server_to_client[0]));
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
/* Set up the connection to read from the fd */
EXPECT_SUCCESS(s2n_connection_set_read_fd(conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(conn, server_to_client[1]));
/* Negotiate the handshake. */
EXPECT_SUCCESS(s2n_negotiate(conn, &blocked));
for (int i = 1; i < 0xffff; i += 100) {
char * ptr = buffer;
int bytes_read = 0;
int size = i;
do {
EXPECT_SUCCESS(bytes_read = s2n_recv(conn, ptr, size, &blocked));
size -= bytes_read;
ptr += bytes_read;
} while(size);
for (int j = 0; j < i; j++) {
EXPECT_EQUAL(buffer[j], 33);
}
}
/* Expect our least prefered negotiated protocol */
EXPECT_STRING_EQUAL(s2n_get_application_protocol(conn), protocols[1]);
EXPECT_SUCCESS(s2n_shutdown(conn, &blocked));
EXPECT_SUCCESS(s2n_connection_free(conn));
/* Clean up */
EXPECT_EQUAL(waitpid(-1, &status, 0), pid);
EXPECT_EQUAL(status, 0);
/* Test a non-matching ALPN request */
/* Create a pipe */
EXPECT_SUCCESS(pipe(server_to_client));
EXPECT_SUCCESS(pipe(client_to_server));
/* Create a child process */
pid = fork();
if (pid == 0) {
/* This is the child process, close the read end of the pipe */
EXPECT_SUCCESS(close(client_to_server[0]));
EXPECT_SUCCESS(close(server_to_client[1]));
/* Client doesn't support any of our protocols, so we shouldn't complete
* the handshake */
mock_client(client_to_server[1], server_to_client[0], mismatch_protocols, 1, NULL);
}
/* This is the parent */
EXPECT_SUCCESS(close(client_to_server[1]));
EXPECT_SUCCESS(close(server_to_client[0]));
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
/* Set up the connection to read from the fd */
EXPECT_SUCCESS(s2n_connection_set_read_fd(conn, client_to_server[0]));
EXPECT_SUCCESS(s2n_connection_set_write_fd(conn, server_to_client[1]));
/* s2n_negotiate will fail, which ordinarily would delay with a sleep.
* Remove the sleep and fake the delay with a mock time routine */
EXPECT_SUCCESS(s2n_connection_set_blinding(conn, S2N_SELF_SERVICE_BLINDING));
EXPECT_SUCCESS(s2n_config_set_nanoseconds_since_epoch_callback(config, mock_nanoseconds_since_epoch, NULL));
/* Negotiate the handshake. */
EXPECT_FAILURE(s2n_negotiate(conn, &blocked));
/* Expect NULL negotiated protocol */
EXPECT_EQUAL(s2n_get_application_protocol(conn), NULL);
EXPECT_SUCCESS(s2n_shutdown(conn, &blocked));
EXPECT_SUCCESS(s2n_connection_free(conn));
/* Close the pipes */
EXPECT_SUCCESS(close(client_to_server[0]));
EXPECT_SUCCESS(close(server_to_client[1]));
/* Clean up */
EXPECT_EQUAL(waitpid(-1, &status, 0), pid);
EXPECT_NOT_EQUAL(status, 0);
EXPECT_SUCCESS(s2n_config_free(config));
END_TEST();
return 0;
}
