qemu-extapp-bearssl-test.sh
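#!/bin/sh
#
# BearSSL smoke test for ELKS under QEMU.
#
# Starts a TLS 1.2 HTTPS server on the host, boots a copy of the ELKS floppy
# image with a generated /etc/rc.sys that runs tlsget ROUNDS times against
# that server, then pulls the per-round output/status files back out of the
# image with the mfs tool and validates them.
#
# Environment overrides (all optional):
#   MFS, IMAGE, WORKDIR, QEMU     - tool / image / scratch dir / emulator path
#   GUEST_IP, GATEWAY_IP, NETMASK - guest network configuration
#   ROUNDS, WAIT_SECS             - number of tlsget runs and overall timeout
#   SERVER_BIND                   - host address the TLS test server binds to
#
# The values above are interpolated unescaped into the guest rc script, so
# they must come from the operator, never from untrusted input.
set -eu

SCRIPT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
MFS=${MFS:-"$SCRIPT_DIR/elks/tools/bin/mfs"}
IMAGE=${IMAGE:-"$SCRIPT_DIR/image/fd2880-minix.img"}
# mktemp -d gives an unpredictable, private scratch directory. It is kept
# after the run on purpose: it holds the artifacts reported at the end.
WORKDIR=${WORKDIR:-$(mktemp -d /tmp/elks-bearssl.XXXXXX)}
GUEST_IP=${GUEST_IP:-10.0.2.15}
GATEWAY_IP=${GATEWAY_IP:-10.0.2.2}
NETMASK=${NETMASK:-255.255.255.0}
ROUNDS=${ROUNDS:-5}
WAIT_SECS=${WAIT_SECS:-$((ROUNDS * 15 + 30))}
# The server is keyed with the sample key shipped in the BearSSL tree, so it
# is bound to loopback by default instead of every host interface. QEMU
# user-mode networking delivers guest connections to 10.0.2.2 on the host's
# loopback address, so the guest still reaches it.
SERVER_BIND=${SERVER_BIND:-127.0.0.1}

QEMU_PID=
QEMU_LOG=
SERVER_PID=
SERVER_LOG=
TLS_PORT=

# Print usage and exit; the script takes no positional arguments.
usage() {
  echo "Usage: $0"
  exit 1
}

# Abort unless the BearSSL extapp tree exists and tlsget has been built.
require_bearssl_tree() {
  if [ ! -f "$SCRIPT_DIR/extapps/bearssl/Makefile.elks" ]; then
    echo "BearSSL extapp tree not found at $SCRIPT_DIR/extapps/bearssl" >&2
    echo "Run ./buildext.sh bearssl first." >&2
    exit 1
  fi
  if [ ! -x "$SCRIPT_DIR/extapps/bearssl/tlsget" ]; then
    echo "BearSSL ELKS binary not built at $SCRIPT_DIR/extapps/bearssl/tlsget" >&2
    echo "Run ./buildext.sh bearssl first." >&2
    exit 1
  fi
}

# Print the emulator to use: $QEMU if set, else the first QEMU system
# emulator found on PATH. Exits non-zero when none is available.
find_qemu() {
  if [ -n "${QEMU:-}" ]; then
    printf '%s\n' "$QEMU"
    return
  fi
  for bin in qemu-system-i386 qemu-system-x86_64; do
    if command -v "$bin" >/dev/null 2>&1; then
      command -v "$bin"
      return
    fi
  done
  echo "QEMU system emulator not found" >&2
  exit 1
}

QEMU_BIN=$(find_qemu)

# Stop the background QEMU process, if one is running, and reap it.
stop_qemu() {
  if [ -n "${QEMU_PID:-}" ]; then
    kill "$QEMU_PID" >/dev/null 2>&1 || true
    wait "$QEMU_PID" 2>/dev/null || true
    QEMU_PID=
  fi
}

# Stop the background TLS test server, if one is running, and reap it.
stop_server() {
  if [ -n "${SERVER_PID:-}" ]; then
    kill "$SERVER_PID" >/dev/null 2>&1 || true
    wait "$SERVER_PID" 2>/dev/null || true
    SERVER_PID=
  fi
}

# Tear down both background processes; safe to call more than once.
cleanup() {
  stop_server
  stop_qemu
}

# Cleanup runs once, from the EXIT trap. INT/TERM only convert the signal
# into an exit: a handler that merely returned would let the script carry on
# (for example inside the polling loop) with its helpers already killed.
trap cleanup EXIT
trap 'exit 130' INT
trap 'exit 143' TERM

# Abort unless python3, the mfs tool, the base image and tlsget are present.
require_host_tools() {
  if ! command -v python3 >/dev/null 2>&1; then
    echo "python3 not found" >&2
    exit 1
  fi
  if [ ! -x "$MFS" ]; then
    echo "mfs tool not found at $MFS" >&2
    exit 1
  fi
  if [ ! -f "$IMAGE" ]; then
    echo "image not found at $IMAGE" >&2
    exit 1
  fi
  require_bearssl_tree
}

# Set TLS_PORT to a currently free TCP port. The probe socket is closed
# before the server binds, so another process can take the port in between;
# start_server checks that the server actually came up.
pick_port() {
  TLS_PORT=$(
    python3 - <<'PY'
import socket

with socket.socket() as sock:
    sock.bind(("127.0.0.1", 0))
    print(sock.getsockname()[1])
PY
  )
}

# Write the certificate chain and the Python HTTPS server into WORKDIR.
# The server is pinned to TLS 1.2 with a single ECDHE-ECDSA cipher suite and
# session tickets disabled, so every round does a full handshake.
build_host_server() {
  chainfile=$WORKDIR/server-chain.pem
  cat \
    "$SCRIPT_DIR/extapps/bearssl/samples/cert-ee-ec.pem" \
    "$SCRIPT_DIR/extapps/bearssl/samples/cert-ica-ec.pem" >"$chainfile"

  cat >"$WORKDIR/server.py" <<'EOF'
import http.server
import ssl
import sys

BODY = b"<html>\r\n<body>\r\n<p>Test!</p>\r\n</body>\r\n</html>\r\n"


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=iso-8859-1")
        self.send_header("Content-Length", str(len(BODY)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, fmt, *args):
        sys.stderr.write("%s - - [%s] %s\n" % (
            self.address_string(),
            self.log_date_time_string(),
            fmt % args,
        ))


port = int(sys.argv[1])
certfile = sys.argv[2]
keyfile = sys.argv[3]
# Loopback unless the caller explicitly asks for a wider bind address.
bind_addr = sys.argv[4] if len(sys.argv) > 4 else "127.0.0.1"

httpd = http.server.HTTPServer((bind_addr, port), Handler)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
ctx.minimum_version = ssl.TLSVersion.TLSv1_2
ctx.maximum_version = ssl.TLSVersion.TLSv1_2
ctx.options |= ssl.OP_NO_TICKET
ctx.num_tickets = 0
ctx.set_ciphers("ECDHE-ECDSA-CHACHA20-POLY1305")
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
EOF
}

# Launch the TLS test server in the background on a free port and verify it
# is still alive after the start-up delay.
start_server() {
  SERVER_LOG=$WORKDIR/server.log
  pick_port
  python3 -u "$WORKDIR/server.py" "$TLS_PORT" \
    "$WORKDIR/server-chain.pem" \
    "$SCRIPT_DIR/extapps/bearssl/samples/key-ee-ec.pem" \
    "$SERVER_BIND" >"$SERVER_LOG" 2>&1 &
  SERVER_PID=$!
  sleep 1
  # Fail early (bad cert, port taken, ...) instead of timing out in the guest.
  if ! kill -0 "$SERVER_PID" 2>/dev/null; then
    echo "TLS test server failed to start; see $SERVER_LOG" >&2
    exit 1
  fi
}

# Generate the guest /etc/rc.sys at $1: bring up networking, run tlsget
# ROUNDS times, and record each round's output and exit status on the image.
# NOTE(review): confirm what tlsget's -n flag does; if it disables
# certificate validation, this test covers the handshake and record layer
# only, not chain verification.
render_rc() {
  rcfile=$1

  cat >"$rcfile" <<EOF
exec > /boot.log 2>&1
umask 022
export PATH=/bin
export UIP_TRACE=/tmp/uip.trace
clock -s -u
uip -b -p ne0 $GUEST_IP $GATEWAY_IP $NETMASK || exit 1
sleep 2
EOF

  round=1
  while [ "$round" -le "$ROUNDS" ]; do
    cat >>"$rcfile" <<EOF
tlsget -n localhost 10.0.2.2 $TLS_PORT / > /tls.$round.out 2>&1
echo \$? > /tls.$round.status
sync
EOF
    round=$((round + 1))
  done

  cat >>"$rcfile" <<'EOF'
sleep 20
EOF
}

# Copy base image $1 to $2 and install the generated rc.sys and the tlsget
# binary into the copy, so the original image is never modified.
prepare_image() {
  base_image=$1
  out_image=$2
  rcfile=$WORKDIR/rc.sys
  tlsget_bin=$SCRIPT_DIR/extapps/bearssl/tlsget

  cp "$base_image" "$out_image"
  render_rc "$rcfile"

  # The rm is best-effort: the file may not exist on the base image.
  "$MFS" "$out_image" rm /etc/rc.sys >/dev/null 2>&1 || true
  "$MFS" "$out_image" cp "$rcfile" /etc/rc.sys
  if [ -x "$tlsget_bin" ]; then
    "$MFS" "$out_image" rm /bin/tlsget >/dev/null 2>&1 || true
    "$MFS" "$out_image" cp "$tlsget_bin" /bin/tlsget
  fi
}

# Boot image $1 headless in the background, logging QEMU output to $2.
# No hostfwd rule is configured on the user-mode netdev.
start_qemu() {
  image_file=$1
  log_file=$2
  QEMU_LOG=$log_file

  "$QEMU_BIN" \
    -nodefaults \
    -machine isapc \
    -cpu 486,tsc \
    -m 8M \
    -rtc base=utc \
    -display none \
    -monitor none \
    -serial none \
    -drive file="$image_file",if=floppy,format=raw \
    -boot a \
    -netdev user,id=mynet \
    -device ne2k_isa,irq=12,netdev=mynet >"$QEMU_LOG" 2>&1 &
  QEMU_PID=$!
}

# Copy guest file $2 from image $1 to host path $3. On failure the host file
# is left empty and 1 is returned.
extract_guest_file() {
  image_file=$1
  guest_path=$2
  host_path=$3

  if "$MFS" -f "$image_file" cat "$guest_path" >"$host_path" 2>/dev/null; then
    return 0
  fi
  : >"$host_path"
  return 1
}

# Poll image $1 once per second until guest file $2 is readable or WAIT_SECS
# elapses. Returns 0 when the file appeared, 1 on timeout.
wait_for_guest_file() {
  image_file=$1
  guest_path=$2
  remaining=$WAIT_SECS

  while [ "$remaining" -gt 0 ]; do
    if "$MFS" -f "$image_file" cat "$guest_path" >/dev/null 2>&1; then
      return 0
    fi
    sleep 1
    remaining=$((remaining - 1))
  done
  return 1
}

# Check the artifacts in directory $1: every round must have exit status 0,
# an HTTP 200 status line and the expected body, and the server log must
# show at least ROUNDS requests.
validate_results() {
  outdir=$1
  round=1

  while [ "$round" -le "$ROUNDS" ]; do
    if ! grep -q '^0$' "$outdir/tls.$round.status"; then
      echo "tlsget round $round failed" >&2
      return 1
    fi
    if ! grep -q 'HTTP/1.0 200 OK' "$outdir/tls.$round.out"; then
      echo "tlsget round $round missing HTTP status" >&2
      return 1
    fi
    if ! grep -q '<p>Test!</p>' "$outdir/tls.$round.out"; then
      echo "tlsget round $round missing response body" >&2
      return 1
    fi
    round=$((round + 1))
  done

  # grep -c exits 1 on zero matches but still prints the count.
  count=$(grep -c 'GET / HTTP/1.0' "$outdir/server.log" || true)
  if [ "$count" -lt "$ROUNDS" ]; then
    echo "BearSSL server accepted only $count TLS sessions" >&2
    return 1
  fi
  return 0
}

# Run the whole smoke test; exits non-zero on any failure.
main() {
  image_file=$WORKDIR/test.img
  log_file=$WORKDIR/qemu.log

  if [ "$#" -ne 0 ]; then
    usage
  fi

  require_host_tools
  build_host_server
  start_server
  prepare_image "$IMAGE" "$image_file"
  start_qemu "$image_file" "$log_file"

  if ! wait_for_guest_file "$image_file" "/tls.$ROUNDS.status"; then
    echo "timeout waiting for tlsget results" >&2
    exit 1
  fi

  # Give the guest time to finish its final sync before the image is read.
  sleep 5
  stop_qemu

  extract_guest_file "$image_file" /boot.log "$WORKDIR/boot.log" || true
  extract_guest_file "$image_file" /tmp/uip.trace "$WORKDIR/uip.trace" || true
  round=1
  while [ "$round" -le "$ROUNDS" ]; do
    extract_guest_file "$image_file" "/tls.$round.out" \
      "$WORKDIR/tls.$round.out" || true
    extract_guest_file "$image_file" "/tls.$round.status" \
      "$WORKDIR/tls.$round.status" || true
    round=$((round + 1))
  done

  validate_results "$WORKDIR"
  echo "BearSSL TLS smoke passed ($ROUNDS rounds). Artifacts: $WORKDIR"
}

main "$@"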