1 /*****************************************************************************
2  * tls.c: Transport Layer Security module test
3  *****************************************************************************
4  * Copyright © 2016 Rémi Denis-Courmont
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU Lesser General Public License as published by
8  * the Free Software Foundation; either version 2.1 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public License
17  * along with this program; if not, write to the Free Software Foundation,
18  * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
19  *****************************************************************************/
20 
21 #ifdef HAVE_CONFIG_H
22 # include "config.h"
23 #endif
24 
25 #undef NDEBUG
26 #include <assert.h>
27 #include <errno.h>
28 #include <stdlib.h>
29 #include <string.h>
30 
31 #include <sys/types.h>
32 #include <sys/socket.h>
33 #include <poll.h>
34 
35 #include <vlc_common.h>
36 #include <vlc_modules.h>
37 #include <vlc_tls.h>
38 #include "../../../lib/libvlc_internal.h"
39 
40 #include <vlc/vlc.h>
41 
42 static vlc_tls_creds_t *server_creds;
43 static vlc_tls_creds_t *client_creds;
44 
tls_echo(void * data)45 static void *tls_echo(void *data)
46 {
47     vlc_tls_t *tls = data;
48     struct pollfd ufd;
49     ssize_t val;
50     char buf[256];
51 
52     ufd.fd = vlc_tls_GetFD(tls);
53 
54     while ((val = vlc_tls_SessionHandshake(server_creds, tls)) > 0)
55     {
56         switch (val)
57         {
58             case 1:  ufd.events = POLLIN;  break;
59             case 2:  ufd.events = POLLOUT; break;
60             default: vlc_assert_unreachable();
61         }
62         poll(&ufd, 1, -1);
63     }
64 
65     if (val < 0)
66         goto error;
67 
68     while ((val = vlc_tls_Read(tls, buf, sizeof (buf), false)) > 0)
69         if (vlc_tls_Write(tls, buf, val) < val)
70             goto error;
71 
72     if (val < 0 || vlc_tls_Shutdown(tls, false))
73         goto error;
74 
75     vlc_tls_Close(tls);
76     return tls;
77 error:
78     vlc_tls_Close(tls);
79     return NULL;
80 }
81 
securepair(vlc_thread_t * th,const char * const salpnv[],const char * const calpnv[],char ** restrict alp)82 static vlc_tls_t *securepair(vlc_thread_t *th,
83                              const char *const salpnv[],
84                              const char *const calpnv[],
85                              char **restrict alp)
86 {
87     vlc_tls_t *socks[2];
88     vlc_tls_t *server, *client;
89     int val;
90 
91     val = vlc_tls_SocketPair(PF_LOCAL, 0, socks);
92     assert(val == 0);
93 
94     server = vlc_tls_ServerSessionCreate(server_creds, socks[0], salpnv);
95     assert(server != NULL);
96 
97     val = vlc_clone(th, tls_echo, server, VLC_THREAD_PRIORITY_LOW);
98     assert(val == 0);
99 
100     client = vlc_tls_ClientSessionCreate(client_creds, socks[1],
101                                          "localhost", "vlc-tls-test",
102                                          calpnv, alp);
103     if (client == NULL)
104     {
105         vlc_tls_SessionDelete(socks[1]);
106         vlc_join(*th, NULL);
107         return NULL;
108     }
109     return client;
110 }
111 
112 #define CERTDIR SRCDIR "/samples/certs"
113 #define CERTFILE CERTDIR "/certkey.pem"
114 
115 static const char *const test_cert_argv[] = {
116     "--no-gnutls-system-trust", "--gnutls-dir-trust=" CERTDIR, NULL };
117 static const char *const alpn[] = { "foo", "bar", NULL };
118 static const char *const alpn_bad[] = { "baz", NULL };
119 
main(void)120 int main(void)
121 {
122     libvlc_instance_t *vlc;
123     vlc_object_t *obj;
124     vlc_thread_t th;
125     void *p;
126     vlc_tls_t *tls;
127     char *alp;
128     int val;
129 
130     setenv("VLC_PLUGIN_PATH", "../modules", 1);
131 
132     /*** Tests with normal certs database - server cert not acceptable. ***/
133     vlc = libvlc_new(0, NULL);
134     assert(vlc != NULL);
135     obj = VLC_OBJECT(vlc->p_libvlc_int);
136 
137     server_creds = vlc_tls_ServerCreate(obj, SRCDIR"/nonexistent", NULL);
138     assert(server_creds == NULL);
139     server_creds = vlc_tls_ServerCreate(obj, SRCDIR"/samples/empty.voc", NULL);
140     assert(server_creds == NULL);
141     server_creds = vlc_tls_ServerCreate(obj, CERTFILE, SRCDIR"/nonexistent");
142     assert(server_creds == NULL);
143     server_creds = vlc_tls_ServerCreate(obj, CERTFILE, NULL);
144     if (server_creds == NULL)
145     {
146         libvlc_release(vlc);
147         return 77;
148     }
149     vlc_tls_Delete(server_creds);
150 
151     server_creds = vlc_tls_ServerCreate(obj, CERTFILE, CERTFILE);
152     assert(server_creds != NULL);
153     client_creds = vlc_tls_ClientCreate(obj);
154     assert(client_creds != NULL);
155 
156     /* Test unknown certificate */
157     tls = securepair(&th, alpn, alpn, &alp);
158     assert(tls == NULL);
159     tls = securepair(&th, alpn, alpn, NULL);
160     assert(tls == NULL);
161 
162     vlc_tls_Delete(client_creds);
163     vlc_tls_Delete(server_creds);
164     libvlc_release(vlc);
165 
166     /*** Tests with test certs database - server cert accepted. ***/
167     vlc = libvlc_new(ARRAY_SIZE(test_cert_argv) - 1, test_cert_argv);
168     if (vlc == NULL)
169     {
170         libvlc_release(vlc);
171         return 77;
172     }
173     obj = VLC_OBJECT(vlc->p_libvlc_int);
174 
175     server_creds = vlc_tls_ServerCreate(obj, CERTFILE, NULL);
176     assert(server_creds != NULL);
177     client_creds = vlc_tls_ClientCreate(obj);
178     assert(client_creds != NULL);
179 
180     /* Test known certificate */
181     tls = securepair(&th, alpn, alpn, &alp);
182     assert(tls != NULL);
183     assert(alp != NULL);
184     assert(strcmp(alp, alpn[0]) == 0);
185     free(alp);
186 
187     /* Do some I/O */
188     char buf[12];
189     struct iovec iov;
190 
191     iov.iov_base = buf;
192     iov.iov_len = sizeof (buf);
193     val = tls->readv(tls, &iov, 1);
194     assert(val == -1 && errno == EAGAIN);
195 
196     val = vlc_tls_Write(tls, "Hello ", 6);
197     assert(val == 6);
198     val = vlc_tls_Write(tls, "world!", 6);
199     assert(val == 6);
200 
201     val = vlc_tls_Read(tls, buf, sizeof (buf), true);
202     assert(val == 12);
203     assert(!memcmp(buf, "Hello world!", 12));
204 
205     val = vlc_tls_Shutdown(tls, false);
206     assert(val == 0);
207     vlc_join(th, &p);
208     assert(p != NULL);
209     val = vlc_tls_Read(tls, buf, sizeof (buf), false);
210     assert(val == 0);
211     vlc_tls_Close(tls);
212 
213     /* Test known certificate, ignore ALPN result */
214     tls = securepair(&th, alpn, alpn, NULL);
215     assert(tls != NULL);
216 
217     /* Do a lot of I/O, test congestion handling */
218     static unsigned char data[16184];
219     size_t bytes = 0;
220     unsigned seed = 0;
221 
222     iov.iov_base = data;
223     iov.iov_len = sizeof (data);
224 
225     do
226     {
227         for (size_t i = 0; i < sizeof (data); i++)
228             data[i] = rand_r(&seed);
229         bytes += sizeof (data);
230     }
231     while ((val = tls->writev(tls, &iov, 1)) == sizeof (data));
232 
233     bytes -= sizeof (data);
234     if (val > 0)
235         bytes += val;
236 
237     fprintf(stderr, "Sent %zu bytes.\n", bytes);
238     seed = 0;
239 
240     while (bytes > 0)
241     {
242         unsigned char c = rand_r(&seed);
243 
244         val = vlc_tls_Read(tls, buf, 1, false);
245         assert(val == 1);
246         assert(c == (unsigned char)buf[0]);
247         bytes--;
248     }
249 
250     vlc_tls_Close(tls);
251     vlc_join(th, NULL);
252 
253     /* Test known certificate, no ALPN */
254     tls = securepair(&th, alpn, NULL, &alp);
255     assert(tls != NULL);
256     assert(alp == NULL);
257     vlc_tls_Close(tls);
258     vlc_join(th, NULL);
259 
260     tls = securepair(&th, NULL, alpn, NULL);
261     assert(tls != NULL);
262     assert(alp == NULL);
263     vlc_tls_Close(tls);
264     vlc_join(th, NULL);
265 
266     /* Test ALPN combinations */
267     tls = securepair(&th, alpn, alpn + 1, &alp);
268     assert(tls != NULL);
269     assert(alp != NULL);
270     assert(strcmp(alp, alpn[1]) == 0);
271     free(alp);
272     vlc_tls_Close(tls);
273     vlc_join(th, NULL);
274 
275     tls = securepair(&th, alpn + 1, alpn, &alp);
276     assert(tls != NULL);
277     assert(alp != NULL);
278     assert(strcmp(alp, alpn[1]) == 0);
279     free(alp);
280     vlc_tls_Close(tls);
281     vlc_join(th, NULL);
282 
283     /* Test ALPN mismatch */
284     tls = securepair(&th, alpn, alpn_bad, &alp);
285     assert(tls != NULL);
286     assert(alp == NULL); /* currently, ALPN is marked optional in hello */
287     vlc_tls_Close(tls);
288     vlc_join(th, NULL);
289 
290     vlc_tls_Delete(client_creds);
291     vlc_tls_Delete(server_creds);
292     libvlc_release(vlc);
293 
294     return 0;
295 }
296