The Tor Browser / annotate

security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp@b8a032363ba2 (annotated)

security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
michael@0 5 #include "TLSServer.h"
michael@0 6
michael@0 7 #include <stdio.h>
michael@0 8 #include "ScopedNSSTypes.h"
michael@0 9 #include "nspr.h"
michael@0 10 #include "nss.h"
michael@0 11 #include "plarenas.h"
michael@0 12 #include "prenv.h"
michael@0 13 #include "prerror.h"
michael@0 14 #include "prnetdb.h"
michael@0 15 #include "prtime.h"
michael@0 16 #include "ssl.h"
michael@0 17
michael@0 18 namespace mozilla { namespace test {
michael@0 19
michael@0 20 static const uint16_t LISTEN_PORT = 8443;
michael@0 21
michael@0 22 DebugLevel gDebugLevel = DEBUG_ERRORS;
michael@0 23 uint16_t gCallbackPort = 0;
michael@0 24
michael@0 25 const char DEFAULT_CERT_NICKNAME[] = "localhostAndExampleCom";
michael@0 26
michael@0 27 struct Connection
michael@0 28 {
michael@0 29 PRFileDesc *mSocket;
michael@0 30 char mByte;
michael@0 31
michael@0 32 Connection(PRFileDesc *aSocket);
michael@0 33 ~Connection();
michael@0 34 };
michael@0 35
michael@0 36 Connection::Connection(PRFileDesc *aSocket)
michael@0 37 : mSocket(aSocket)
michael@0 38 , mByte(0)
michael@0 39 {}
michael@0 40
michael@0 41 Connection::~Connection()
michael@0 42 {
michael@0 43 if (mSocket) {
michael@0 44 PR_Close(mSocket);
michael@0 45 }
michael@0 46 }
michael@0 47
michael@0 48 void
michael@0 49 PrintPRError(const char *aPrefix)
michael@0 50 {
michael@0 51 const char *err = PR_ErrorToName(PR_GetError());
michael@0 52 if (err) {
michael@0 53 if (gDebugLevel >= DEBUG_ERRORS) {
michael@0 54 fprintf(stderr, "%s: %s\n", aPrefix, err);
michael@0 55 }
michael@0 56 } else {
michael@0 57 if (gDebugLevel >= DEBUG_ERRORS) {
michael@0 58 fprintf(stderr, "%s\n", aPrefix);
michael@0 59 }
michael@0 60 }
michael@0 61 }
michael@0 62
michael@0 63 nsresult
michael@0 64 SendAll(PRFileDesc *aSocket, const char *aData, size_t aDataLen)
michael@0 65 {
michael@0 66 if (gDebugLevel >= DEBUG_VERBOSE) {
michael@0 67 fprintf(stderr, "sending '%s'\n", aData);
michael@0 68 }
michael@0 69
michael@0 70 while (aDataLen > 0) {
michael@0 71 int32_t bytesSent = PR_Send(aSocket, aData, aDataLen, 0,
michael@0 72 PR_INTERVAL_NO_TIMEOUT);
michael@0 73 if (bytesSent == -1) {
michael@0 74 PrintPRError("PR_Send failed");
michael@0 75 return NS_ERROR_FAILURE;
michael@0 76 }
michael@0 77
michael@0 78 aDataLen -= bytesSent;
michael@0 79 aData += bytesSent;
michael@0 80 }
michael@0 81
michael@0 82 return NS_OK;
michael@0 83 }
michael@0 84
michael@0 85 nsresult
michael@0 86 ReplyToRequest(Connection *aConn)
michael@0 87 {
michael@0 88 // For debugging purposes, SendAll can print out what it's sending.
michael@0 89 // So, any strings we give to it to send need to be null-terminated.
michael@0 90 char buf[2] = { aConn->mByte, 0 };
michael@0 91 return SendAll(aConn->mSocket, buf, 1);
michael@0 92 }
michael@0 93
michael@0 94 nsresult
michael@0 95 SetupTLS(Connection *aConn, PRFileDesc *aModelSocket)
michael@0 96 {
michael@0 97 PRFileDesc *sslSocket = SSL_ImportFD(aModelSocket, aConn->mSocket);
michael@0 98 if (!sslSocket) {
michael@0 99 PrintPRError("SSL_ImportFD failed");
michael@0 100 return NS_ERROR_FAILURE;
michael@0 101 }
michael@0 102 aConn->mSocket = sslSocket;
michael@0 103
michael@0 104 SSL_OptionSet(sslSocket, SSL_SECURITY, true);
michael@0 105 SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, false);
michael@0 106 SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, true);
michael@0 107
michael@0 108 SSL_ResetHandshake(sslSocket, /* asServer */ 1);
michael@0 109
michael@0 110 return NS_OK;
michael@0 111 }
michael@0 112
michael@0 113 nsresult
michael@0 114 ReadRequest(Connection *aConn)
michael@0 115 {
michael@0 116 int32_t bytesRead = PR_Recv(aConn->mSocket, &aConn->mByte, 1, 0,
michael@0 117 PR_INTERVAL_NO_TIMEOUT);
michael@0 118 if (bytesRead < 0) {
michael@0 119 PrintPRError("PR_Recv failed");
michael@0 120 return NS_ERROR_FAILURE;
michael@0 121 } else if (bytesRead == 0) {
michael@0 122 PR_SetError(PR_IO_ERROR, 0);
michael@0 123 PrintPRError("PR_Recv EOF in ReadRequest");
michael@0 124 return NS_ERROR_FAILURE;
michael@0 125 } else {
michael@0 126 if (gDebugLevel >= DEBUG_VERBOSE) {
michael@0 127 fprintf(stderr, "read '0x%hhx'\n", aConn->mByte);
michael@0 128 }
michael@0 129 }
michael@0 130 return NS_OK;
michael@0 131 }
michael@0 132
michael@0 133 void
michael@0 134 HandleConnection(PRFileDesc *aSocket, PRFileDesc *aModelSocket)
michael@0 135 {
michael@0 136 Connection conn(aSocket);
michael@0 137 nsresult rv = SetupTLS(&conn, aModelSocket);
michael@0 138 if (NS_FAILED(rv)) {
michael@0 139 PR_SetError(PR_INVALID_STATE_ERROR, 0);
michael@0 140 PrintPRError("PR_Recv failed");
michael@0 141 exit(1);
michael@0 142 }
michael@0 143
michael@0 144 // TODO: On tests that are expected to fail (e.g. due to a revoked
michael@0 145 // certificate), the client will close the connection wtihout sending us the
michael@0 146 // request byte. In those cases, we should keep going. But, in the cases
michael@0 147 // where the connection is supposed to suceed, we should verify that we
michael@0 148 // successfully receive the request and send the response.
michael@0 149 rv = ReadRequest(&conn);
michael@0 150 if (NS_SUCCEEDED(rv)) {
michael@0 151 rv = ReplyToRequest(&conn);
michael@0 152 }
michael@0 153 }
michael@0 154
michael@0 155 // returns 0 on success, non-zero on error
michael@0 156 int
michael@0 157 DoCallback()
michael@0 158 {
michael@0 159 ScopedPRFileDesc socket(PR_NewTCPSocket());
michael@0 160 if (!socket) {
michael@0 161 PrintPRError("PR_NewTCPSocket failed");
michael@0 162 return 1;
michael@0 163 }
michael@0 164
michael@0 165 PRNetAddr addr;
michael@0 166 PR_InitializeNetAddr(PR_IpAddrLoopback, gCallbackPort, &addr);
michael@0 167 if (PR_Connect(socket, &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) {
michael@0 168 PrintPRError("PR_Connect failed");
michael@0 169 return 1;
michael@0 170 }
michael@0 171
michael@0 172 const char *request = "GET / HTTP/1.0\r\n\r\n";
michael@0 173 SendAll(socket, request, strlen(request));
michael@0 174 char buf[4096];
michael@0 175 memset(buf, 0, sizeof(buf));
michael@0 176 int32_t bytesRead = PR_Recv(socket, buf, sizeof(buf) - 1, 0,
michael@0 177 PR_INTERVAL_NO_TIMEOUT);
michael@0 178 if (bytesRead < 0) {
michael@0 179 PrintPRError("PR_Recv failed 1");
michael@0 180 return 1;
michael@0 181 }
michael@0 182 if (bytesRead == 0) {
michael@0 183 fprintf(stderr, "PR_Recv eof 1\n");
michael@0 184 return 1;
michael@0 185 }
michael@0 186 fprintf(stderr, "%s\n", buf);
michael@0 187 return 0;
michael@0 188 }
michael@0 189
michael@0 190 SECStatus
michael@0 191 ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName,
michael@0 192 /*optional*/ ScopedCERTCertificate *certOut,
michael@0 193 /*optional*/ SSLKEAType *keaOut)
michael@0 194 {
michael@0 195 ScopedCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr));
michael@0 196 if (!cert) {
michael@0 197 PrintPRError("PK11_FindCertFromNickname failed");
michael@0 198 return SECFailure;
michael@0 199 }
michael@0 200
michael@0 201 ScopedSECKEYPrivateKey key(PK11_FindKeyByAnyCert(cert, nullptr));
michael@0 202 if (!key) {
michael@0 203 PrintPRError("PK11_FindKeyByAnyCert failed");
michael@0 204 return SECFailure;
michael@0 205 }
michael@0 206
michael@0 207 SSLKEAType certKEA = NSS_FindCertKEAType(cert);
michael@0 208
michael@0 209 if (SSL_ConfigSecureServer(fd, cert, key, certKEA) != SECSuccess) {
michael@0 210 PrintPRError("SSL_ConfigSecureServer failed");
michael@0 211 return SECFailure;
michael@0 212 }
michael@0 213
michael@0 214 if (certOut) {
michael@0 215 *certOut = cert.forget();
michael@0 216 }
michael@0 217
michael@0 218 if (keaOut) {
michael@0 219 *keaOut = certKEA;
michael@0 220 }
michael@0 221
michael@0 222 return SECSuccess;
michael@0 223 }
michael@0 224
michael@0 225 int
michael@0 226 StartServer(const char *nssCertDBDir, SSLSNISocketConfig sniSocketConfig,
michael@0 227 void *sniSocketConfigArg)
michael@0 228 {
michael@0 229 const char *debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL");
michael@0 230 if (debugLevel) {
michael@0 231 int level = atoi(debugLevel);
michael@0 232 switch (level) {
michael@0 233 case DEBUG_ERRORS: gDebugLevel = DEBUG_ERRORS; break;
michael@0 234 case DEBUG_WARNINGS: gDebugLevel = DEBUG_WARNINGS; break;
michael@0 235 case DEBUG_VERBOSE: gDebugLevel = DEBUG_VERBOSE; break;
michael@0 236 default:
michael@0 237 PrintPRError("invalid MOZ_TLS_SERVER_DEBUG_LEVEL");
michael@0 238 return 1;
michael@0 239 }
michael@0 240 }
michael@0 241
michael@0 242 const char *callbackPort = PR_GetEnv("MOZ_TLS_SERVER_CALLBACK_PORT");
michael@0 243 if (callbackPort) {
michael@0 244 gCallbackPort = atoi(callbackPort);
michael@0 245 }
michael@0 246
michael@0 247 if (NSS_Init(nssCertDBDir) != SECSuccess) {
michael@0 248 PrintPRError("NSS_Init failed");
michael@0 249 return 1;
michael@0 250 }
michael@0 251
michael@0 252 if (NSS_SetDomesticPolicy() != SECSuccess) {
michael@0 253 PrintPRError("NSS_SetDomesticPolicy failed");
michael@0 254 return 1;
michael@0 255 }
michael@0 256
michael@0 257 if (SSL_ConfigServerSessionIDCache(0, 0, 0, nullptr) != SECSuccess) {
michael@0 258 PrintPRError("SSL_ConfigServerSessionIDCache failed");
michael@0 259 return 1;
michael@0 260 }
michael@0 261
michael@0 262 ScopedPRFileDesc serverSocket(PR_NewTCPSocket());
michael@0 263 if (!serverSocket) {
michael@0 264 PrintPRError("PR_NewTCPSocket failed");
michael@0 265 return 1;
michael@0 266 }
michael@0 267
michael@0 268 PRSocketOptionData socketOption;
michael@0 269 socketOption.option = PR_SockOpt_Reuseaddr;
michael@0 270 socketOption.value.reuse_addr = true;
michael@0 271 PR_SetSocketOption(serverSocket, &socketOption);
michael@0 272
michael@0 273 PRNetAddr serverAddr;
michael@0 274 PR_InitializeNetAddr(PR_IpAddrLoopback, LISTEN_PORT, &serverAddr);
michael@0 275 if (PR_Bind(serverSocket, &serverAddr) != PR_SUCCESS) {
michael@0 276 PrintPRError("PR_Bind failed");
michael@0 277 return 1;
michael@0 278 }
michael@0 279
michael@0 280 if (PR_Listen(serverSocket, 1) != PR_SUCCESS) {
michael@0 281 PrintPRError("PR_Listen failed");
michael@0 282 return 1;
michael@0 283 }
michael@0 284
michael@0 285 ScopedPRFileDesc rawModelSocket(PR_NewTCPSocket());
michael@0 286 if (!rawModelSocket) {
michael@0 287 PrintPRError("PR_NewTCPSocket failed for rawModelSocket");
michael@0 288 return 1;
michael@0 289 }
michael@0 290
michael@0 291 ScopedPRFileDesc modelSocket(SSL_ImportFD(nullptr, rawModelSocket.forget()));
michael@0 292 if (!modelSocket) {
michael@0 293 PrintPRError("SSL_ImportFD of rawModelSocket failed");
michael@0 294 return 1;
michael@0 295 }
michael@0 296
michael@0 297 if (SECSuccess != SSL_SNISocketConfigHook(modelSocket, sniSocketConfig,
michael@0 298 sniSocketConfigArg)) {
michael@0 299 PrintPRError("SSL_SNISocketConfigHook failed");
michael@0 300 return 1;
michael@0 301 }
michael@0 302
michael@0 303 // We have to configure the server with a certificate, but it's not one
michael@0 304 // we're actually going to end up using. In the SNI callback, we pick
michael@0 305 // the right certificate for the connection.
michael@0 306 if (SECSuccess != ConfigSecureServerWithNamedCert(modelSocket,
michael@0 307 DEFAULT_CERT_NICKNAME,
michael@0 308 nullptr, nullptr)) {
michael@0 309 return 1;
michael@0 310 }
michael@0 311
michael@0 312 if (gCallbackPort != 0) {
michael@0 313 if (DoCallback()) {
michael@0 314 return 1;
michael@0 315 }
michael@0 316 }
michael@0 317
michael@0 318 while (true) {
michael@0 319 PRNetAddr clientAddr;
michael@0 320 PRFileDesc *clientSocket = PR_Accept(serverSocket, &clientAddr,
michael@0 321 PR_INTERVAL_NO_TIMEOUT);
michael@0 322 HandleConnection(clientSocket, modelSocket);
michael@0 323 }
michael@0 324
michael@0 325 return 0;
michael@0 326 }
michael@0 327
michael@0 328 } } // namespace mozilla::test

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial