/* TODO rm test_fd */ int test_unmatching_ssl_version (void * cls, char *cipher_suite, int curl_req_ssl_version) { struct CBC cbc; if (NULL == (cbc.buf = malloc (sizeof (char) * 256))) { fprintf (stderr, "Error: failed to allocate: %s\n", strerror (errno)); return -1; } cbc.size = 256; cbc.pos = 0; char url[255]; if (gen_test_file_url (url, DEAMON_TEST_PORT)) { free (cbc.buf); return -1; } /* assert daemon *rejected* request */ if (CURLE_OK == send_curl_req (url, &cbc, cipher_suite, curl_req_ssl_version)) { free (cbc.buf); return -1; } free (cbc.buf); return 0; }
/** * test HTTPS file transfer */ int test_https_transfer (void *cls, char *cipher_suite, int proto_version) { int len; int ret = 0; struct CBC cbc; char url[255]; len = strlen (test_data); if (NULL == (cbc.buf = malloc (sizeof (char) * len))) { fprintf (stderr, MHD_E_MEM); return -1; } cbc.size = len; cbc.pos = 0; if (gen_test_file_url (url, DEAMON_TEST_PORT)) { ret = -1; goto cleanup; } if (CURLE_OK != send_curl_req (url, &cbc, cipher_suite, proto_version)) { ret = -1; goto cleanup; } /* compare test file & daemon responce */ if ( (len != strlen (test_data)) || (memcmp (cbc.buf, test_data, len) != 0) ) { fprintf (stderr, "Error: local file & received file differ.\n"); ret = -1; } cleanup: free (cbc.buf); return ret; }
/** * test HTTPS file transfer * @param test_fd: file to attempt transferring */ int test_https_transfer (FILE * test_fd, char *cipher_suite, int proto_version) { int len, ret = 0; struct CBC cbc; char url[255]; struct stat statb; /* used to memcmp local copy & deamon supplied copy */ unsigned char *mem_test_file_local; if (0 != stat (TEST_FILE_NAME, &statb)) { fprintf (stderr, "Failed to stat `%s': %s\n", TEST_FILE_NAME, strerror(errno)); return -1; } len = statb.st_size; cbc.buf = NULL; if (NULL == (mem_test_file_local = malloc (len))) { fprintf (stderr, MHD_E_MEM); ret = -1; goto cleanup; } fseek (test_fd, 0, SEEK_SET); if (fread (mem_test_file_local, sizeof (char), len, test_fd) != len) { fprintf (stderr, "Error: failed to read test file. %s\n", strerror (errno)); ret = -1; goto cleanup; } if (NULL == (cbc.buf = malloc (sizeof (char) * len))) { fprintf (stderr, MHD_E_MEM); ret = -1; goto cleanup; } cbc.size = len; cbc.pos = 0; if (gen_test_file_url (url, DEAMON_TEST_PORT)) { ret = -1; goto cleanup; } if (CURLE_OK != send_curl_req (url, &cbc, cipher_suite, proto_version)) { ret = -1; goto cleanup; } /* compare test file & daemon responce */ if (memcmp (cbc.buf, mem_test_file_local, len) != 0) { fprintf (stderr, "Error: local file & received file differ.\n"); ret = -1; } cleanup: free (mem_test_file_local); if (cbc.buf != NULL) free (cbc.buf); return ret; }
/** * Test daemon response to TLS client hello requests containing extensions * * @param session * @param exten_t - the type of extension being appended to client hello request * @param ext_count - the number of consecutive extension replicas inserted into request * @param ext_length - the length of each appended extension * @return 0 on successful test completion, -1 otherwise */ static int test_hello_extension (gnutls_session_t session, extensions_t exten_t, int ext_count, int ext_length) { int i, ret = 0, pos = 0; MHD_socket sd; int exten_data_len, ciphersuite_len, datalen; struct sockaddr_in sa; char url[255]; opaque *data = NULL; uint8_t session_id_len = 0; opaque rnd[TLS_RANDOM_SIZE]; opaque extdata[MAX_EXT_DATA_LENGTH]; /* single, null compression */ unsigned char comp[] = { 0x01, 0x00 }; struct CBC cbc; sd = -1; memset (&cbc, 0, sizeof (struct CBC)); if (NULL == (cbc.buf = malloc (sizeof (char) * 256))) { fprintf (stderr, MHD_E_MEM); ret = -1; goto cleanup; } cbc.size = 256; sd = socket (AF_INET, SOCK_STREAM, 0); if (sd == -1) { fprintf(stderr, "Failed to create socket: %s\n", strerror(errno)); free (cbc.buf); return -1; } memset (&sa, '\0', sizeof (struct sockaddr_in)); sa.sin_family = AF_INET; sa.sin_port = htons (DEAMON_TEST_PORT); sa.sin_addr.s_addr = htonl (INADDR_LOOPBACK); enum MHD_GNUTLS_Protocol hver; /* init hash functions */ session->internals.handshake_mac_handle_md5 = MHD_gtls_hash_init (MHD_GNUTLS_MAC_MD5); session->internals.handshake_mac_handle_sha = MHD_gtls_hash_init (MHD_GNUTLS_MAC_SHA1); /* version = 2 , random = [4 for unix time + 28 for random bytes] */ datalen = 2 /* version */ + TLS_RANDOM_SIZE + (session_id_len + 1); data = MHD_gnutls_malloc (datalen); if (data == NULL) { free (cbc.buf); return -1; } hver = MHD_gtls_version_max (session); data[pos++] = MHD_gtls_version_get_major (hver); data[pos++] = MHD_gtls_version_get_minor (hver); /* Set the version we advertise as maximum (RSA uses it). */ set_adv_version (session, MHD_gtls_version_get_major (hver), MHD_gtls_version_get_minor (hver)); session->security_parameters.version = hver; session->security_parameters.timestamp = time (NULL); /* generate session client random */ memset (session->security_parameters.client_random, 0, TLS_RANDOM_SIZE); gnutls_write_uint32 (time (NULL), rnd); if (GC_OK != MHD_gc_nonce ((char *) &rnd[4], TLS_RANDOM_SIZE - 4)) abort (); memcpy (session->security_parameters.client_random, rnd, TLS_RANDOM_SIZE); memcpy (&data[pos], rnd, TLS_RANDOM_SIZE); pos += TLS_RANDOM_SIZE; /* Copy the Session ID */ data[pos++] = session_id_len; /* * len = ciphersuite data + 2 bytes ciphersuite length \ * 1 byte compression length + 1 byte compression data + \ * 2 bytes extension length, extensions data */ ciphersuite_len = MHD__gnutls_copy_ciphersuites (session, extdata, sizeof (extdata)); exten_data_len = ext_count * (2 + 2 + ext_length); datalen += ciphersuite_len + 2 + 2 + exten_data_len; data = MHD_gtls_realloc_fast (data, datalen); memcpy (&data[pos], extdata, sizeof (ciphersuite_len)); pos += ciphersuite_len; /* set compression */ memcpy (&data[pos], comp, sizeof (comp)); pos += 2; /* set extensions length = 2 type bytes + 2 length bytes + extension length */ gnutls_write_uint16 (exten_data_len, &data[pos]); pos += 2; for (i = 0; i < ext_count; ++i) { /* write extension type */ gnutls_write_uint16 (exten_t, &data[pos]); pos += 2; gnutls_write_uint16 (ext_length, &data[pos]); pos += 2; /* we might want to generate random data here */ memset (&data[pos], 0, ext_length); pos += ext_length; } if (connect (sd, &sa, sizeof (struct sockaddr_in)) < 0) { fprintf (stderr, "%s\n", MHD_E_FAILED_TO_CONNECT); ret = -1; goto cleanup; } gnutls_transport_set_ptr (session, (MHD_gnutls_transport_ptr_t) (long) sd); if (gen_test_file_url (url, DEAMON_TEST_PORT)) { ret = -1; goto cleanup; } /* this should crash the server */ ret = gnutls_send_handshake (session, data, datalen, GNUTLS_HANDSHAKE_CLIENT_HELLO); /* advance to STATE2 */ session->internals.handshake_state = STATE2; ret = gnutls_handshake (session); ret = gnutls_bye (session, GNUTLS_SHUT_WR); gnutls_free (data); /* make sure daemon is still functioning */ if (CURLE_OK != send_curl_req (url, &cbc, "AES128-SHA", MHD_GNUTLS_PROTOCOL_TLS1_2)) { ret = -1; goto cleanup; } cleanup: if (-1 != sd) MHD_socket_close_ (sd); gnutls_free (cbc.buf); return ret; }
/* * test HTTPS transfer */ int test_daemon_get (void *cls, char *cipher_suite, int proto_version, int port, int ver_peer) { CURL *c; struct CBC cbc; CURLcode errornum; char url[255]; size_t len; len = strlen (test_data); if (NULL == (cbc.buf = malloc (sizeof (char) * len))) { fprintf (stderr, MHD_E_MEM); return -1; } cbc.size = len; cbc.pos = 0; /* construct url - this might use doc_path */ gen_test_file_url (url, port); c = curl_easy_init (); #if DEBUG_HTTPS_TEST curl_easy_setopt (c, CURLOPT_VERBOSE, 1); #endif curl_easy_setopt (c, CURLOPT_URL, url); curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L); curl_easy_setopt (c, CURLOPT_CONNECTTIMEOUT, 10L); curl_easy_setopt (c, CURLOPT_WRITEFUNCTION, ©Buffer); curl_easy_setopt (c, CURLOPT_FILE, &cbc); /* TLS options */ curl_easy_setopt (c, CURLOPT_SSLVERSION, proto_version); curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, cipher_suite); /* perform peer authentication */ /* TODO merge into send_curl_req */ curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, ver_peer); curl_easy_setopt (c, CURLOPT_CAINFO, ca_cert_file_name); curl_easy_setopt (c, CURLOPT_SSL_VERIFYHOST, 0); curl_easy_setopt (c, CURLOPT_FAILONERROR, 1); /* NOTE: use of CONNECTTIMEOUT without also setting NOSIGNAL results in really weird crashes on my system! */ curl_easy_setopt (c, CURLOPT_NOSIGNAL, 1); if (CURLE_OK != (errornum = curl_easy_perform (c))) { fprintf (stderr, "curl_easy_perform failed: `%s'\n", curl_easy_strerror (errornum)); curl_easy_cleanup (c); free (cbc.buf); return errornum; } curl_easy_cleanup (c); if (memcmp (cbc.buf, test_data, len) != 0) { fprintf (stderr, "Error: local file & received file differ.\n"); free (cbc.buf); return -1; } free (cbc.buf); return 0; }
/* * negotiate a secure connection with server & query negotiated security parameters */ static int test_query_session () { CURL *c; struct CBC cbc; CURLcode errornum; char url[256]; if (NULL == (cbc.buf = malloc (sizeof (char) * 255))) return 16; cbc.size = 255; cbc.pos = 0; gen_test_file_url (url, DEAMON_TEST_PORT); /* setup test */ d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | MHD_USE_DEBUG, DEAMON_TEST_PORT, NULL, NULL, &query_session_ahc, NULL, MHD_OPTION_HTTPS_PRIORITIES, "NORMAL:-AES-128-CBC", MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem, MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem, MHD_OPTION_END); if (d == NULL) return 2; char *aes256_sha = "AES256-SHA"; if (curl_uses_nss_ssl() == 0) { aes256_sha = "rsa_aes_256_sha"; } c = curl_easy_init (); #if DEBUG_HTTPS_TEST curl_easy_setopt (c, CURLOPT_VERBOSE, 1); #endif curl_easy_setopt (c, CURLOPT_URL, url); curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1); curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L); curl_easy_setopt (c, CURLOPT_CONNECTTIMEOUT, 10L); curl_easy_setopt (c, CURLOPT_WRITEFUNCTION, ©Buffer); curl_easy_setopt (c, CURLOPT_FILE, &cbc); /* TLS options */ curl_easy_setopt (c, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3); curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, aes256_sha); /* currently skip any peer authentication */ curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, 0); curl_easy_setopt (c, CURLOPT_SSL_VERIFYHOST, 0); curl_easy_setopt (c, CURLOPT_FAILONERROR, 1); // NOTE: use of CONNECTTIMEOUT without also // setting NOSIGNAL results in really weird // crashes on my system! curl_easy_setopt (c, CURLOPT_NOSIGNAL, 1); if (CURLE_OK != (errornum = curl_easy_perform (c))) { fprintf (stderr, "curl_easy_perform failed: `%s'\n", curl_easy_strerror (errornum)); MHD_stop_daemon (d); curl_easy_cleanup (c); free (cbc.buf); return -1; } MHD_stop_daemon (d); curl_easy_cleanup (c); free (cbc.buf); return 0; }