int main(int argc, char **argv)
{
OSStatus err;
int arg;
char fullFileBase[100];
SSLProtocol negVersion;
SSLCipherSuite negCipher;
CFArrayRef peerCerts = NULL;
char *argp;
otSocket listenSock;
CFArrayRef serverCerts = nil; // required
CFArrayRef encryptCerts = nil; // optional
SecKeychainRef serverKc = nil;
SecKeychainRef encryptKc = nil;
/* user-spec'd parameters */
char *hostName = DEFAULT_HOST;
unsigned short portNum = DEFAULT_PORT;
CSSM_BOOL allowExpired = CSSM_FALSE;
CSSM_BOOL allowAnyRoot = CSSM_FALSE;
char *fileBase = NULL;
CSSM_BOOL displayRxData = CSSM_FALSE;
CSSM_BOOL displayCerts = CSSM_FALSE;
char cipherRestrict = '\0';
SSLProtocol attemptProt = kTLSProtocol1;
CSSM_BOOL protXOnly = CSSM_FALSE; // kSSLProtocol3Only,
// kTLSProtocol1Only
CSSM_BOOL quiet = CSSM_FALSE;
CSSM_BOOL resumableEnable = CSSM_TRUE;
CSSM_BOOL pause = CSSM_FALSE;
char *keyChainName = NULL;
char *encryptKeyChainName = NULL;
CSSM_BOOL loop = CSSM_FALSE;
SSLAuthenticate authenticate = kNeverAuthenticate;
for(arg=1; arg<argc; arg++) {
argp = argv[arg];
switch(argp[0]) {
case 'H':
hostName = &argp[2];
break;
case 'P':
portNum = atoi(&argp[2]);
break;
case 'k':
keyChainName = &argp[2];
break;
case 'E':
encryptKeyChainName = &argp[2];
break;
case 'e':
allowExpired = CSSM_TRUE;
break;
case 'r':
allowAnyRoot = CSSM_TRUE;
break;
case 'd':
displayRxData = CSSM_TRUE;
break;
case 'c':
displayCerts = CSSM_TRUE;
break;
case 'f':
fileBase = &argp[2];
break;
case 'C':
cipherRestrict = argp[2];
break;
case '2':
attemptProt = kSSLProtocol2;
break;
case '3':
attemptProt = kSSLProtocol3;
break;
case 't':
attemptProt = kTLSProtocol1;
break;
case 'o':
protXOnly = CSSM_TRUE;
break;
case 'R':
resumableEnable = CSSM_FALSE;
break;
case 'a':
if(argp[1] != '=') {
usage(argv);
}
switch(argp[2]) {
case 'a': authenticate = kAlwaysAuthenticate; break;
case 'n': authenticate = kNeverAuthenticate; break;
case 't': authenticate = kTryAuthenticate; break;
default: usage(argv);
}
break;
case 'p':
pause = CSSM_TRUE;
break;
case 'q':
quiet = CSSM_TRUE;
break;
case 'l':
loop = CSSM_TRUE;
break;
default:
usage(argv);
}
}
/* get server cert and optional encryption cert as CFArrayRef */
serverCerts = getSslCerts(keyChainName, CSSM_FALSE, &serverKc);
if(serverCerts == nil) {
exit(1);
}
if(encryptKeyChainName) {
encryptCerts = getSslCerts(encryptKeyChainName, CSSM_TRUE, &encryptKc);
if(encryptCerts == nil) {
exit(1);
}
}
/* one-time only server port setup */
err = ListenForClients(portNum, &listenSock);
if(err) {
printf("ListenForClients returned %d; aborting\n", err);
exit(1);
}
do {
err = sslServe(listenSock,
attemptProt,
hostName,
serverCerts,
encryptCerts,
allowExpired,
allowAnyRoot,
cipherRestrict,
authenticate,
resumableEnable,
quiet,
pause,
&negVersion,
&negCipher,
&peerCerts);
if(!quiet) {
showSSLResult(attemptProt,
err,
negVersion,
negCipher,
peerCerts,
displayCerts,
fileBase ? fullFileBase : NULL);
}
freePeerCerts(peerCerts);
} while(loop);
endpointShutdown(listenSock);
parseCertShutdown();
if(serverKc) {
CFRelease(serverKc);
}
if(encryptKc) {
CFRelease(encryptKc);
}
return 0;
}
/*
* params->lock is held for us by runSession() - we use it as a semapahore by
* unlocking it when we've created a port to listen on.
* This is generally run from a thread via sslRunSession() and
* sslServerThread() in sslAppUtils.cpp.
*/
OSStatus sslAppServe(
SslAppTestParams *params)
{
otSocket listenSock = 0;
otSocket acceptSock = 0;
PeerSpec peerId;
OSStatus ortn;
SSLContextRef ctx = NULL;
SecKeychainRef serverKc = nil;
CFArrayRef serverCerts = nil;
sslThrDebug("Server", "starting");
params->negVersion = kSSLProtocolUnknown;
params->negCipher = SSL_NULL_WITH_NULL_NULL;
params->ortn = noHardwareErr;
/* set up a socket on which to listen */
for(unsigned retry=0; retry<BIND_RETRIES; retry++) {
ortn = ListenForClients(params->port, params->nonBlocking,
&listenSock);
switch(ortn) {
case errSecSuccess:
break;
case errSecOpWr:
/* port already in use - try another */
params->port++;
if(params->verbose || THREADING_DEBUG) {
printf("...retrying ListenForClients at port %d\n",
params->port);
}
break;
default:
break;
}
if(ortn != errSecOpWr) {
break;
}
}
/* let main thread know a socket is ready */
if(pthread_mutex_lock(¶ms->pthreadMutex)) {
printf("***Error acquiring server lock; aborting.\n");
return -1;
}
params->serverReady = true;
if(pthread_cond_broadcast(¶ms->pthreadCond)) {
printf("***Error waking main thread; aborting.\n");
return -1;
}
if(pthread_mutex_unlock(¶ms->pthreadMutex)) {
printf("***Error acquiring server lock; aborting.\n");
return -1;
}
if(ortn) {
printf("ListenForClients returned %d; aborting\n", (int)ortn);
return ortn;
}
/* wait for a connection */
if(params->verbose) {
printf("Waiting for client connection...");
fflush(stdout);
}
ortn = AcceptClientConnection(listenSock, &acceptSock, &peerId);
if(ortn) {
printf("AcceptClientConnection returned %d; aborting\n", (int)ortn);
return ortn;
}
/*
* Set up a SecureTransport session.
*/
ortn = SSLNewContext(true, &ctx);
if(ortn) {
printSslErrStr("SSLNewContext", ortn);
goto cleanup;
}
ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
if(ortn) {
printSslErrStr("SSLSetIOFuncs", ortn);
goto cleanup;
}
ortn = SSLSetConnection(ctx, (SSLConnectionRef)acceptSock);
if(ortn) {
printSslErrStr("SSLSetConnection", ortn);
goto cleanup;
}
if(params->anchorFile) {
ortn = sslAddTrustedRoot(ctx, params->anchorFile,
params->replaceAnchors);
if(ortn) {
goto cleanup;
}
}
if(params->myCertKcName != NULL) {
/* if not, better be trying anonymous diff-hellman... :-) */
serverCerts = getSslCerts(params->myCertKcName, false, false, NULL,
&serverKc);
if(serverCerts == nil) {
exit(1);
}
if(params->password) {
ortn = SecKeychainUnlock(serverKc, strlen(params->password),
(void *)params->password, true);
if(ortn) {
printf("SecKeychainUnlock returned %d\n", (int)ortn);
/* oh well */
}
}
if(params->idIsTrustedRoot) {
/* assume this is a root we want to implicitly trust */
ortn = addIdentityAsTrustedRoot(ctx, serverCerts);
if(ortn) {
goto cleanup;
}
}
ortn = SSLSetCertificate(ctx, serverCerts);
if(ortn) {
printSslErrStr("SSLSetCertificate", ortn);
goto cleanup;
}
}
if(params->disableCertVerify) {
ortn = SSLSetEnableCertVerify(ctx, false);
if(ortn) {
printSslErrStr("SSLSetEnableCertVerify", ortn);
goto cleanup;
}
}
ortn = sslSetProtocols(ctx, params->acceptedProts, params->tryVersion);
if(ortn) {
goto cleanup;
}
if(params->resumeEnable) {
ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
if(ortn) {
printSslErrStr("SSLSetPeerID", ortn);
goto cleanup;
}
}
if(params->ciphers != NULL) {
ortn = sslSetEnabledCiphers(ctx, params->ciphers);
if(ortn) {
goto cleanup;
}
}
if(params->authenticate != kNeverAuthenticate) {
ortn = SSLSetClientSideAuthenticate(ctx, params->authenticate);
if(ortn) {
printSslErrStr("SSLSetClientSideAuthenticate", ortn);
goto cleanup;
}
}
if(params->dhParams) {
#if JAGUAR_BUILD
printf("***Diffie-Hellman not supported in this config.\n");
#else
ortn = SSLSetDiffieHellmanParams(ctx, params->dhParams,
params->dhParamsLen);
if(ortn) {
printSslErrStr("SSLSetDiffieHellmanParams", ortn);
goto cleanup;
}
#endif
}
/* Perform SSL/TLS handshake */
do {
ortn = SSLHandshake(ctx);
if((ortn == errSSLWouldBlock) && !params->silent) {
/* keep UI responsive */
sslOutputDot();
}
} while (ortn == errSSLWouldBlock);
SSLGetClientCertificateState(ctx, ¶ms->certState);
SSLGetNegotiatedCipher(ctx, ¶ms->negCipher);
SSLGetNegotiatedProtocolVersion(ctx, ¶ms->negVersion);
if(params->verbose) {
printf("\n");
}
if(ortn) {
goto cleanup;
}
/* wait for one complete line */
char readBuf[READBUF_LEN];
size_t length;
while(ortn == errSecSuccess) {
length = READBUF_LEN;
ortn = SSLRead(ctx, readBuf, length, &length);
if (ortn == errSSLWouldBlock) {
/* keep trying */
ortn = errSecSuccess;
continue;
}
if(length == 0) {
/* keep trying */
continue;
}
/* poor person's line completion scan */
for(unsigned i=0; i<length; i++) {
if((readBuf[i] == '\n') || (readBuf[i] == '\r')) {
goto serverResp;
}
}
}
serverResp:
/* send out canned response */
ortn = SSLWrite(ctx, SERVER_MESSAGE, strlen(SERVER_MESSAGE), &length);
if(ortn) {
printSslErrStr("SSLWrite", ortn);
}
cleanup:
/*
* always do close, even on error - to flush outgoing write queue
*/
if(ctx) {
OSStatus cerr = SSLClose(ctx);
if(ortn == errSecSuccess) {
ortn = cerr;
}
}
if(acceptSock) {
while(!params->clientDone && !params->serverAbort) {
usleep(100);
}
endpointShutdown(acceptSock);
}
if(listenSock) {
endpointShutdown(listenSock);
}
if(ctx) {
SSLDisposeContext(ctx);
}
params->ortn = ortn;
sslThrDebug("Server", "done");
return ortn;
}
int main(int argc, char **argv)
{
OSStatus err;
int arg;
char fullFileBase[100];
SSLProtocol negVersion;
SSLCipherSuite negCipher;
Boolean sessionWasResumed;
unsigned char sessionID[MAX_SESSION_ID_LENGTH];
size_t sessionIDLength;
CFArrayRef peerCerts = NULL;
char *argp;
otSocket listenSock;
CFArrayRef serverCerts = nil; // required
CFArrayRef encryptCerts = nil; // optional
SecKeychainRef serverKc = nil;
SecKeychainRef encryptKc = nil;
int loopNum;
int errCount = 0;
SSLClientCertificateState certState; // obtained from sslServe
/* user-spec'd parameters */
unsigned short portNum = DEFAULT_PORT;
bool allowExpired = false;
bool allowAnyRoot = false;
char *fileBase = NULL;
bool displayCerts = false;
char cipherRestrict = '\0';
SSLProtocol attemptProt = kTLSProtocol1;
bool protXOnly = false; // kSSLProtocol3Only,
// kTLSProtocol1Only
char *acceptedProts = NULL; // "23t" ==> SSLSetProtocolVersionEnabled
bool quiet = false;
bool resumableEnable = true;
bool pause = false;
char *keyChainName = NULL;
char *encryptKeyChainName = NULL;
int loops = 1;
SSLAuthenticate authenticate = kNeverAuthenticate;
bool nonBlocking = false;
bool allowExpiredRoot = false;
bool disableCertVerify = false;
char *anchorFile = NULL;
bool replaceAnchors = false;
bool vfyCertState = false;
SSLClientCertificateState expectCertState = kSSLClientCertNone;
char *password = NULL;
char *dhParamsFile = NULL;
unsigned char *dhParams = NULL;
unsigned dhParamsLen = 0;
bool doIdSearch = false;
bool completeCertChain = false;
uint32_t sessionCacheTimeout = 0;
bool disableAnonCiphers = false;
CFMutableArrayRef acceptableDNList = NULL;
for(arg=1; arg<argc; arg++) {
argp = argv[arg];
switch(argp[0]) {
case 'P':
portNum = atoi(&argp[2]);
break;
case 'k':
keyChainName = &argp[2];
break;
case 'y':
encryptKeyChainName = &argp[2];
break;
case 'e':
allowExpired = true;
break;
case 'E':
allowExpiredRoot = true;
break;
case 'x':
disableCertVerify = true;
break;
case 'a':
if(++arg == argc) {
/* requires another arg */
usage(argv);
}
anchorFile = argv[arg];
break;
case 'A':
if(++arg == argc) {
/* requires another arg */
usage(argv);
}
anchorFile = argv[arg];
replaceAnchors = true;
break;
case 'T':
if(argp[1] != '=') {
usage(argv);
}
vfyCertState = true;
switch(argp[2]) {
case 'n':
expectCertState = kSSLClientCertNone;
break;
case 'r':
expectCertState = kSSLClientCertRequested;
break;
case 's':
expectCertState = kSSLClientCertSent;
break;
case 'j':
expectCertState = kSSLClientCertRejected;
break;
default:
usage(argv);
}
break;
case 'r':
allowAnyRoot = true;
break;
case 'd':
break;
case 'c':
displayCerts = true;
break;
case 'f':
fileBase = &argp[2];
break;
case 'C':
cipherRestrict = argp[2];
break;
case '2':
attemptProt = kSSLProtocol2;
break;
case '3':
attemptProt = kSSLProtocol3;
break;
case 't':
attemptProt = kTLSProtocol1;
break;
case 'o':
protXOnly = true;
break;
case 'g':
if(argp[1] != '=') {
usage(argv);
}
acceptedProts = &argp[2];
break;
case 'R':
resumableEnable = false;
break;
case 'b':
nonBlocking = true;
break;
case 'u':
if(argp[1] != '=') {
usage(argv);
}
switch(argp[2]) {
case 'a': authenticate = kAlwaysAuthenticate; break;
case 'n': authenticate = kNeverAuthenticate; break;
case 't': authenticate = kTryAuthenticate; break;
default: usage(argv);
}
break;
case 'D':
if(++arg == argc) {
/* requires another arg */
usage(argv);
}
dhParamsFile = argv[arg];
break;
case 'z':
password = &argp[2];
break;
case 'H':
doIdSearch = true;
break;
case 'M':
completeCertChain = true;
break;
case 'i':
sessionCacheTimeout = atoi(&argp[2]);
break;
case '4':
disableAnonCiphers = true;
break;
case 'p':
pause = true;
break;
case 'q':
quiet = true;
break;
#if 0
case 'U':
if(++arg == argc) {
/* requires another arg */
usage(argv);
}
if(cspReadFile(argv[arg], &caCert, &caCertLen)) {
printf("***Error reading file %s. Aborting.\n", argv[arg]);
exit(1);
}
if(acceptableDNList == NULL) {
acceptableDNList = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
}
certData.Data = caCert;
certData.Length = caCertLen;
ortn = SecCertificateCreateFromData(&certData,
CSSM_CERT_X_509v3,
CSSM_CERT_ENCODING_DER,
&secCert);
if(ortn) {
cssmPerror("SecCertificateCreateFromData", ortn);
exit(1);
}
CFArrayAppendValue(acceptableDNList, secCert);
CFRelease(secCert);
break;
#endif
case 'l':
if(argp[1] == '\0') {
/* no loop count --> loop forever */
loops = 0;
break;
}
else if(argp[1] != '=') {
usage(argv);
}
loops = atoi(&argp[2]);
break;
default:
usage(argv);
}
}
#if NO_SERVER
# if DEBUG
securityd_init(NULL);
# endif
#endif
/* get server cert and optional encryption cert as CFArrayRef */
if(keyChainName) {
serverCerts = getSslCerts(keyChainName, false, completeCertChain,
anchorFile, &serverKc);
if(serverCerts == nil) {
exit(1);
}
}
else
#if 0
if(doIdSearch) {
OSStatus ortn = sslIdentityPicker(NULL, anchorFile, true, NULL, &serverCerts);
if(ortn) {
printf("***IdentitySearch failure; aborting.\n");
exit(1);
}
}
if(password) {
OSStatus ortn = SecKeychainUnlock(serverKc, strlen(password), password, true);
if(ortn) {
printf("SecKeychainUnlock returned %d\n", (int)ortn);
/* oh well */
}
}
if(encryptKeyChainName) {
encryptCerts = getSslCerts(encryptKeyChainName, true, completeCertChain,
anchorFile, &encryptKc);
if(encryptCerts == nil) {
exit(1);
}
}
#else
(void) doIdSearch;
(void) encryptKeyChainName;
#endif
if(protXOnly) {
switch(attemptProt) {
case kTLSProtocol1:
attemptProt = kTLSProtocol1Only;
break;
case kSSLProtocol3:
attemptProt = kSSLProtocol3Only;
break;
default:
break;
}
}
#if 0
if(dhParamsFile) {
int r = cspReadFile(dhParamsFile, &dhParams, &dhParamsLen);
if(r) {
printf("***Error reading diffie-hellman params from %s; aborting\n",
dhParamsFile);
}
}
#else
(void) dhParamsFile;
#endif
/* one-time only server port setup */
err = ListenForClients(portNum, nonBlocking, &listenSock);
if(err) {
printf("ListenForClients returned %d; aborting\n", (int)err);
exit(1);
}
for(loopNum=1; ; loopNum++) {
err = sslServe(listenSock,
portNum,
attemptProt,
acceptedProts,
serverCerts,
password,
encryptCerts,
allowExpired,
allowAnyRoot,
allowExpiredRoot,
disableCertVerify,
anchorFile,
replaceAnchors,
cipherRestrict,
authenticate,
dhParams,
dhParamsLen,
acceptableDNList,
resumableEnable,
sessionCacheTimeout,
disableAnonCiphers,
quiet,
pause,
&negVersion,
&negCipher,
&certState,
&sessionWasResumed,
sessionID,
&sessionIDLength,
&peerCerts,
argv);
if(err) {
errCount++;
}
if(!quiet) {
SSLProtocol tryProt = attemptProt;
showSSLResult(tryProt,
acceptedProts,
err,
negVersion,
negCipher,
sessionWasResumed,
sessionID,
sessionIDLength,
peerCerts,
displayCerts,
certState,
fileBase ? fullFileBase : NULL);
}
errCount += verifyClientCertState(vfyCertState, expectCertState,
certState);
freePeerCerts(peerCerts);
if(loops && (loopNum == loops)) {
break;
}
};
endpointShutdown(listenSock);
if(serverKc) {
CFRelease(serverKc);
}
if(encryptKc) {
CFRelease(encryptKc);
}
return errCount;
}
int main(int argc, char **argv)
{
/* user-spec'd variables */
const char *kcName = DEFAULT_KC;
unsigned xferSize = XFERSIZE_DEF;
int port = PORT_DEF;
const char *hostName = HOST_DEF;
SSLCipherSuite cipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA;
SSLProtocol prot = kTLSProtocol1Only;
char password[200];
bool clientAuthEnable = false;
bool isServer = false;
unsigned bufSize = BUFSIZE;
bool diffieHellman = false;
int nonBlocking = 0;
if(argc < 2) {
usage(argv);
}
password[0] = 0;
switch(argv[1][0]) {
case 's':
isServer = true;
break;
case 'c':
isServer = false;
break;
default:
usage(argv);
}
extern int optind;
extern char *optarg;
int arg;
optind = 2;
while ((arg = getopt(argc, argv, "h:p:k:x:c:v:w:b:aB")) != -1) {
switch (arg) {
case 'h':
hostName = optarg;
break;
case 'p':
port = atoi(optarg);
break;
case 'k':
kcName = optarg;
break;
case 'x':
xferSize = atoi(optarg);
break;
case 'c':
if(!isServer) {
printf("***Specify cipherSuite on server side.\n");
exit(1);
}
switch(optarg[0]) {
case 'r':
cipherSuite = SSL_RSA_WITH_RC4_128_SHA;
break;
case 'd':
cipherSuite = SSL_RSA_WITH_DES_CBC_SHA;
break;
case 'D':
cipherSuite = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
break;
case 'h':
cipherSuite = SSL_DH_anon_WITH_RC4_128_MD5;
diffieHellman = true;
break;
case 'H':
cipherSuite = SSL_DHE_DSS_WITH_DES_CBC_SHA;
diffieHellman = true;
break;
case 'A':
cipherSuite = TLS_RSA_WITH_AES_256_CBC_SHA;
break;
default:
usage(argv);
}
break;
case 'v':
if(!isServer) {
printf("***Specify protocol on server side.\n");
exit(1);
}
switch(optarg[0]) {
case 't':
prot = kTLSProtocol1Only;
break;
case '2':
prot = kSSLProtocol2;
break;
case '3':
prot = kSSLProtocol3Only;
break;
default:
usage(argv);
}
break;
case 'w':
strcpy(password, optarg);
break;
case 'b':
bufSize = atoi(optarg);
break;
case 'a':
clientAuthEnable = true;
break;
case 'B':
nonBlocking = 1;
break;
default:
usage(argv);
}
}
/* per-transfer buffer - make it random for server */
char *buf = (char *)malloc(bufSize);
if(isServer) {
Security::DevRandomGenerator rng;
rng.random(buf, bufSize);
}
/* gather Diffie-Hellman params from cwd */
unsigned char *dhParams = NULL;
unsigned dhParamsLen = 0;
if(diffieHellman && isServer) {
if(readFile(DH_PARAM_FILE, &dhParams, &dhParamsLen)) {
printf("***Error reading Diffie-Hellman Params. Prepare to "
"wait for a minute during SSL handshake.\n");
}
}
/*
* Open keychain; both sides use the same one.
*/
OSStatus ortn;
SecKeychainRef certKc = NULL;
CFAbsoluteTime kcOpenStart = CFAbsoluteTimeGetCurrent();
ortn = SecKeychainOpen(kcName, &certKc);
if(ortn) {
printf("Error opening keychain %s (%d); aborting.\n",
kcName, (int)ortn);
exit(1);
}
if(password[0]) {
ortn = SecKeychainUnlock(certKc, strlen(password), password, true);
if(ortn) {
printf("SecKeychainUnlock returned %d\n", (int)ortn);
/* oh well */
}
}
CFAbsoluteTime kcOpenEnd = CFAbsoluteTimeGetCurrent();
otSocket peerSock = 0;
otSocket listenSock = 0; // for server only
PeerSpec peerId;
if(isServer) {
printf("...listening for client connection on port %d\n", port);
ortn = ListenForClients(port, nonBlocking, &listenSock);
if(ortn) {
printf("...error establishing a listen socket. Aborting.\n");
exit(1);
}
ortn = AcceptClientConnection(listenSock, &peerSock, &peerId);
if(ortn) {
printf("...error listening for connection. Aborting.\n");
exit(1);
}
}
else {
printf("...connecting to host %s at port %d\n", hostName, port);
ortn = MakeServerConnection(hostName, port, nonBlocking, &peerSock,
&peerId);
if(ortn) {
printf("...error connecting to server %s. Aborting.\n",
hostName);
exit(1);
}
}
/* start timing SSL setup */
CFAbsoluteTime setupStart = CFAbsoluteTimeGetCurrent();
SSLContextRef ctx;
ortn = SSLNewContext(isServer, &ctx);
if(ortn) {
printSslErrStr("SSLNewContext", ortn);
exit(1);
}
ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
if(ortn) {
printSslErrStr("SSLSetIOFuncs", ortn);
exit(1);
}
ortn = SSLSetConnection(ctx, (SSLConnectionRef)peerSock);
if(ortn) {
printSslErrStr("SSLSetConnection", ortn);
exit(1);
}
ortn = SSLSetPeerDomainName(ctx, hostName, strlen(hostName) + 1);
if(ortn) {
printSslErrStr("SSLSetPeerDomainName", ortn);
exit(1);
}
/*
* Server/client specific setup.
*
* Client uses the same keychain as server, but it uses it for
* sslAddTrustedRoots() instead of getSslCerts() and
* SSLSetCertificate().
*/
CFArrayRef myCerts = NULL;
if(clientAuthEnable || isServer) {
myCerts = sslKcRefToCertArray(certKc, CSSM_FALSE, CSSM_FALSE, NULL, NULL);
if(myCerts == NULL) {
exit(1);
}
ortn = addIdentityAsTrustedRoot(ctx, myCerts);
if(ortn) {
exit(1);
}
ortn = SSLSetCertificate(ctx, myCerts);
if(ortn) {
printSslErrStr("SSLSetCertificate", ortn);
exit(1);
}
}
if(isServer) {
SSLAuthenticate auth;
if(clientAuthEnable) {
auth = kAlwaysAuthenticate;
}
else {
auth = kNeverAuthenticate;
}
ortn = SSLSetClientSideAuthenticate(ctx, auth);
if(ortn) {
printSslErrStr("SSLSetClientSideAuthenticate", ortn);
exit(1);
}
ortn = SSLSetEnabledCiphers(ctx, &cipherSuite, 1);
if(ortn) {
printSslErrStr("SSLSetEnabledCiphers", ortn);
exit(1);
}
ortn = SSLSetProtocolVersion(ctx, prot);
if(ortn) {
printSslErrStr("SSLSetProtocolVersion", ortn);
exit(1);
}
if(dhParams != NULL) {
ortn = SSLSetDiffieHellmanParams(ctx, dhParams, dhParamsLen);
if(ortn) {
printSslErrStr("SSLSetDiffieHellmanParams", ortn);
exit(1);
}
}
}
else {
/* client setup */
if(!clientAuthEnable) {
/* We're not presenting a cert; trust the server certs */
bool foundOne;
ortn = sslAddTrustedRoots(ctx, certKc, &foundOne);
if(ortn) {
printSslErrStr("sslAddTrustedRoots", ortn);
exit(1);
}
}
}
/*
* Context setup complete. Start timing handshake.
*/
CFAbsoluteTime hshakeStart = CFAbsoluteTimeGetCurrent();
do {
ortn = SSLHandshake(ctx);
} while (ortn == errSSLWouldBlock);
if(ortn) {
printSslErrStr("SSLHandshake", ortn);
exit(1);
}
CFAbsoluteTime hshakeEnd = CFAbsoluteTimeGetCurrent();
/* snag these before data xfer possibly shuts down connection */
SSLProtocol negVersion;
SSLCipherSuite negCipher;
SSLClientCertificateState certState; // RETURNED
SSLGetNegotiatedCipher(ctx, &negCipher);
SSLGetNegotiatedProtocolVersion(ctx, &negVersion);
SSLGetClientCertificateState(ctx, &certState);
/* server sends xferSize bytes to client and shuts down */
size_t bytesMoved;
CFAbsoluteTime dataStart = CFAbsoluteTimeGetCurrent();
size_t totalMoved = 0;
if(isServer) {
size_t bytesToGo = xferSize;
bool done = false;
do {
size_t thisMove = bufSize;
if(thisMove > bytesToGo) {
thisMove = bytesToGo;
}
ortn = SSLWrite(ctx, buf, thisMove, &bytesMoved);
switch(ortn) {
case noErr:
case errSSLWouldBlock:
break;
default:
done = true;
break;
}
bytesToGo -= bytesMoved;
totalMoved += bytesMoved;
if(bytesToGo == 0) {
done = true;
}
} while(!done);
if(ortn != noErr) {
printSslErrStr("SSLWrite", ortn);
exit(1);
}
}
else {
/* client reads until error or errSSLClosedGraceful */
bool done = false;
do {
ortn = SSLRead(ctx, buf, bufSize, &bytesMoved);
switch(ortn) {
case errSSLClosedGraceful:
done = true;
break;
case noErr:
case errSSLWouldBlock:
break;
default:
done = true;
break;
}
totalMoved += bytesMoved;
} while(!done);
if(ortn != errSSLClosedGraceful) {
printSslErrStr("SSLRead", ortn);
exit(1);
}
}
/* shut down channel */
ortn = SSLClose(ctx);
if(ortn) {
printSslErrStr("SSLCLose", ortn);
exit(1);
}
CFAbsoluteTime dataEnd = CFAbsoluteTimeGetCurrent();
/* how'd we do? */
printf("SSL version : %s\n",
sslGetProtocolVersionString(negVersion));
printf("CipherSuite : %s\n",
sslGetCipherSuiteString(negCipher));
printf("Client Cert State : %s\n",
sslGetClientCertStateString(certState));
if(password[0]) {
printf("keychain open/unlock : ");
}
else {
printf("keychain open : ");
}
printf("%f s\n", kcOpenEnd - kcOpenStart);
printf("SSLContext setup : %f s\n", hshakeStart - setupStart);
printf("SSL Handshake : %f s\n", hshakeEnd - hshakeStart);
printf("Data Transfer : %u bytes in %f s\n", (unsigned)totalMoved,
dataEnd - dataStart);
printf(" : %.1f Kbytes/s\n",
totalMoved / (dataEnd - dataStart) / 1024.0);
return 0;
}