static void test_fingerprint(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* both server & client with cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"peer-sha1=ssl/ca2_client2.crt.sha1",
"peer-sha256=ssl/ca2_client2.crt.sha256",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1,
"host=server1.com",
"peer-sha1=ssl/ca1_server1.crt.sha1",
"peer-sha256=ssl/ca1_server1.crt.sha256",
NULL), "OK");
str_check(run_case(client, server), "OK");
/* client without cert */
str_check(create_worker(&server, true, SERVER1, CA1,
"peer-sha1=ssl/ca2_client2.crt.sha1",
"peer-sha256=ssl/ca2_client2.crt.sha256",
NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "C:write!=3 - S:FP-sha1-fail");
end:;
}
struct eap_sm *eap_sm_init(void *eapol_ctx, struct eapol_callbacks *eapol_cb,
void *msg_ctx, struct eap_config *conf)
{
struct eap_sm *sm;
struct tls_config tlsconf;
sm = malloc(sizeof(*sm));
if (sm == NULL)
return NULL;
memset(sm, 0, sizeof(*sm));
sm->eapol_ctx = eapol_ctx;
sm->eapol_cb = eapol_cb;
sm->msg_ctx = msg_ctx;
sm->ClientTimeout = 60;
memset(&tlsconf, 0, sizeof(tlsconf));
tlsconf.opensc_engine_path = conf->opensc_engine_path;
tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
sm->ssl_ctx = tls_init(&tlsconf);
if (sm->ssl_ctx == NULL) {
wpa_printf(MSG_WARNING, "SSL: Failed to initialize TLS "
"context.");
free(sm);
return NULL;
}
return sm;
}
static void test_verify(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* default: client checks server cert, succeeds */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* default: client checks server cert, fails due to bad ca */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2, "host=example.com", NULL), "OK");
str_check(run_case(client, server), "C:certificate verify failed - S:tlsv1 alert unknown ca");
/* default: client checks server cert, fails due to bad hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=example2.com", NULL), "OK");
str_check(run_case(client, server), "C:name `example2.com' not present in server certificate");
#if 0
/* client: aggressive close */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "aggressive-close=1", "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "S:bad pkt: res=-1 err=read failed: EOF,S:close error: res=-1 err=shutdown failed: Broken pipe");
/* server: aggressive close */
str_check(create_worker(&server, true, SERVER1, "aggressive-close=1", NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "C:write failed: Broken pipe,C:close error: res=-1 err=shutdown failed: Success");
#endif
end:;
}
void
connection_init_tls()
{
tls_init();
CurrentConnectionState.TlsConfiguration = tls_config_new();
CurrentConnectionState.ServerContext = tls_server();
CurrentConnectionState.ClientContext = tls_client();
tls_config_set_key_file(CurrentConnectionState.TlsConfiguration,
CurrentConnectionState.PrivateKey);
tls_config_set_cert_file(CurrentConnectionState.TlsConfiguration,
CurrentConnectionState.CertificateFile);
tls_config_insecure_noverifycert(CurrentConnectionState.TlsConfiguration);
if(tls_configure(CurrentConnectionState.ServerContext,
CurrentConnectionState.TlsConfiguration) != 0)
{
printf("%s\n", tls_error(CurrentConnectionState.ServerContext));
}
if(tls_configure(CurrentConnectionState.ClientContext,
CurrentConnectionState.TlsConfiguration) != 0)
{
printf("%s\n", tls_error(CurrentConnectionState.ClientContext));
}
}
int main(void)
{
struct AATree aatree;
struct CBTree *cbtree;
struct md5_ctx md5;
struct Heap *heap;
char buf[128];
static_assert(sizeof(int) >= 4, "unsupported int size");
heap = heap_create(heap_is_better, NULL, NULL);
heap_top(heap);
aatree_init(&aatree, NULL, NULL);
cbtree = cbtree_create(NULL, NULL, NULL, NULL);
cbtree_destroy(cbtree);
daemonize(NULL, false);
hash_lookup3("foo", 3);
if (!event_init())
log_debug("test");
if (!parse_ini_file("foo", NULL, NULL))
log_debug("test");
log_stats("1");
file_size("foo");
md5_reset(&md5);
strlcpy(buf, "foo", sizeof(buf));
printf("xmalloc: %p\n", xmalloc(128));
if (0) die("0");
csrandom();
tls_init();
return 0;
}
static void test_fingerprint(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* both server & client with cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client=1",
"peer-sha1=ssl/ca2_client2.crt.sha1",
"peer-sha256=ssl/ca2_client2.crt.sha256",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1,
"host=server1.com",
"peer-sha1=ssl/ca1_server1.crt.sha1",
"peer-sha256=ssl/ca1_server1.crt.sha256",
NULL), "OK");
str_check(run_case(client, server), "OK");
/* client without cert */
str_check(create_worker(&server, true, SERVER1, CA1,
"verify-client=1",
"peer-sha1=ssl/ca2_client2.crt.sha1",
"peer-sha256=ssl/ca2_client2.crt.sha256",
NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_any2(run_case(client, server),
"C:sslv3 alert handshake failure - S:peer did not return a certificate",
"C:sslv3 alert handshake failure,C:shutdown while in init - S:peer did not return a certificate");
end:;
}
int main(int argc, char *argv[]) {
static struct WSAData wsa_state;
TCHAR *c, stunnel_exe_path[MAX_PATH];
tls_init(); /* initialize thread-local storage */
/* set current working directory and engine path */
GetModuleFileName(0, stunnel_exe_path, MAX_PATH);
c=_tcsrchr(stunnel_exe_path, TEXT('\\')); /* last backslash */
if(c) /* found */
c[1]=TEXT('\0'); /* truncate program name */
#ifndef _WIN32_WCE
if(!SetCurrentDirectory(stunnel_exe_path)) {
/* log to stderr, as s_log() is not initialized */
_ftprintf(stderr, TEXT("Cannot set directory to %s"),
stunnel_exe_path);
return 1;
}
#endif
_tputenv(str_tprintf(TEXT("OPENSSL_ENGINES=%s"), stunnel_exe_path));
if(WSAStartup(MAKEWORD(1, 1), &wsa_state))
return 1;
resolver_init();
main_init();
if(!main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
daemon_loop();
main_cleanup();
return 0;
}
int
main(int argc, const char *argv[])
{
assert(tls_init() == 0);
return EXIT_SUCCESS;
}
static void test_clientcert(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* ok: server checks server cert */
str_check(create_worker(&server, true, SERVER1, CA2, NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* fail: server rejects invalid cert */
str_check(create_worker(&server, true, SERVER1, CA1, NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "C:tlsv1 alert unknown ca - S:handshake failure");
/* noverifycert: server allow invalid cert */
str_check(create_worker(&server, true, SERVER1, CA1, "noverifycert=1", NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* allow client without cert */
str_check(create_worker(&server, true, SERVER1, CA2, NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
int authsrv_init(struct hostapd_data *hapd)
{
#ifdef EAP_TLS_FUNCS
if (hapd->conf->eap_server &&
(hapd->conf->ca_cert || hapd->conf->server_cert ||
hapd->conf->dh_file)) {
struct tls_connection_params params;
hapd->ssl_ctx = tls_init(NULL);
if (hapd->ssl_ctx == NULL) {
wpa_printf(MSG_ERROR, "Failed to initialize TLS");
authsrv_deinit(hapd);
return -1;
}
os_memset(¶ms, 0, sizeof(params));
params.ca_cert = hapd->conf->ca_cert;
params.client_cert = hapd->conf->server_cert;
params.private_key = hapd->conf->private_key;
params.private_key_passwd = hapd->conf->private_key_passwd;
params.dh_file = hapd->conf->dh_file;
if (tls_global_set_params(hapd->ssl_ctx, ¶ms)) {
wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
authsrv_deinit(hapd);
return -1;
}
if (tls_global_set_verify(hapd->ssl_ctx,
hapd->conf->check_crl)) {
wpa_printf(MSG_ERROR, "Failed to enable check_crl");
authsrv_deinit(hapd);
return -1;
}
}
#endif /* EAP_TLS_FUNCS */
#ifdef EAP_SIM_DB
if (hapd->conf->eap_sim_db) {
hapd->eap_sim_db_priv =
eap_sim_db_init(hapd->conf->eap_sim_db,
hostapd_sim_db_cb, hapd);
if (hapd->eap_sim_db_priv == NULL) {
wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
"database interface");
authsrv_deinit(hapd);
return -1;
}
}
#endif /* EAP_SIM_DB */
#ifdef RADIUS_SERVER
if (hapd->conf->radius_server_clients &&
hostapd_setup_radius_srv(hapd))
return -1;
#endif /* RADIUS_SERVER */
return 0;
}
int main(void)
{
tls_client_t client = {0};
const char *gnutls_ver = NULL;
time_t start = 0;
time_t end = 0;
int ret = 0;
int i = 0;
/* initialise signal handling */
set_signal();
coap_log_set_level(COAP_LOG_DEBUG);
gnutls_ver = gnutls_check_version(NULL);
if (gnutls_ver == NULL)
{
coap_log_error("Unable to determine GnuTLS version");
return EXIT_FAILURE;
}
coap_log_info("GnuTLS version: %s", gnutls_ver);
ret = tls_init();
if (ret != SOCK_OK)
{
coap_log_error("%s", sock_strerror(ret));
return EXIT_FAILURE;
}
ret = tls_client_create(&client, TRUST_FILE_NAME, CERT_FILE_NAME, KEY_FILE_NAME);
if (ret != SOCK_OK)
{
coap_log_error("%s", sock_strerror(ret));
tls_deinit();
return EXIT_FAILURE;
}
for (i = 0; i < NUM_ITER; i++)
{
start = time(NULL);
ret = client_run(&client);
end = time(NULL);
if (ret != SOCK_OK)
{
coap_log_error("%s", sock_strerror(ret));
tls_client_destroy(&client);
tls_deinit();
return EXIT_FAILURE;
}
coap_log_info("Result: %s", sock_strerror(ret));
coap_log_debug("Time: %d sec", (int)(end - start));
coap_log_debug("Sleeping for %d seconds...", DELAY);
sleep(DELAY);
}
tls_client_destroy(&client);
tls_deinit();
return EXIT_SUCCESS;
}
struct tls_config *
tls_config_new(void)
{
if (tls_init() == -1)
return (NULL);
return tls_config_new_internal();
}
/*
* Called once (from main) to initialize STM infrastructure.
*/
_CALLCONV void
stm_init(void)
{
#if CM == CM_MODULAR
char *s;
#endif /* CM == CM_MODULAR */
#ifdef SIGNAL_HANDLER
struct sigaction act;
#endif /* SIGNAL_HANDLER */
PRINT_DEBUG("==> stm_init()\n");
if (_tinystm.initialized)
return;
PRINT_DEBUG("\tsizeof(word)=%d\n", (int)sizeof(stm_word_t));
PRINT_DEBUG("\tVERSION_MAX=0x%lx\n", (unsigned long)VERSION_MAX);
COMPILE_TIME_ASSERT(sizeof(stm_word_t) == sizeof(void *));
COMPILE_TIME_ASSERT(sizeof(stm_word_t) == sizeof(atomic_t));
#ifdef EPOCH_GC
gc_init(stm_get_clock);
#endif /* EPOCH_GC */
#if CM == CM_MODULAR
s = getenv(VR_THRESHOLD);
if (s != NULL)
_tinystm.vr_threshold = (int)strtol(s, NULL, 10);
else
_tinystm.vr_threshold = VR_THRESHOLD_DEFAULT;
PRINT_DEBUG("\tVR_THRESHOLD=%d\n", _tinystm.vr_threshold);
#endif /* CM == CM_MODULAR */
/* Set locks and clock but should be already to 0 */
memset((void *)_tinystm.locks, 0, LOCK_ARRAY_SIZE * sizeof(stm_word_t));
CLOCK = 0;
stm_quiesce_init();
tls_init();
#ifdef SIGNAL_HANDLER
if (getenv(NO_SIGNAL_HANDLER) == NULL) {
/* Catch signals for non-faulting load */
act.sa_handler = signal_catcher;
act.sa_flags = 0;
sigemptyset(&act.sa_mask);
if (sigaction(SIGBUS, &act, NULL) < 0 || sigaction(SIGSEGV, &act, NULL) < 0) {
perror("sigaction");
exit(1);
}
}
#endif /* SIGNAL_HANDLER */
_tinystm.initialized = 1;
}
int main(int argc, char *argv[])
{
struct tls_config *conf;
struct tls *ctx;
struct tls_cert_info *cert;
int res;
const char *host;
if (argc < 2)
errx(1, "give host as arg\n");
host = argv[1];
res = tls_init();
if (res < 0)
errx(1, "tls_init");
conf = tls_config_new();
if (!conf)
errx(1, "tls_config_new");
tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL);
tls_config_set_ciphers(conf, "fast");
ctx = tls_client();
if (!ctx)
errx(1, "tls_client");
res = tls_configure(ctx, conf);
if (res < 0)
errx(1, "tls_configure: %s", tls_error(ctx));
res = tls_connect(ctx, host, "443");
if (res < 0)
errx(1, "tls_connect: %s", tls_error(ctx));
printf("connect ok\n");
res = tls_get_peer_cert(ctx, &cert);
if (res < 0)
errx(1, "tls_get_peer_cert: %s", tls_error(ctx));
tls_close(ctx);
tls_free(ctx);
tls_config_free(conf);
printf(" CN='%s'\n", cert->subject.common_name);
printf(" C='%s'\n", cert->subject.country_name);
printf(" ST='%s'\n", cert->subject.state_or_province_name);
printf(" L='%s'\n", cert->subject.locality_name);
printf(" S='%s'\n", cert->subject.street_address);
printf(" O='%s'\n", cert->subject.organization_name);
printf(" OU='%s'\n", cert->subject.organizational_unit_name);
tls_cert_free(cert);
return 0;
}
static void init_subsystems()
{
shared_init();
heap_init();
signal_init();
process_init();
tls_init();
vfs_init();
dbt_init();
}
void server() {
// load Config File and Settings
fprintf(stdout, "Starting fidistat Server...\n");
openlog("fidistat-server", LOG_PID, LOG_DAEMON);
syslog(LOG_INFO, "Started Fidistat Server");
struct pidfh *pfh = daemon_start('s');
// Handle Signals
signal(SIGTERM, handleSigterm_S);
signal(SIGCHLD, handleChild);
// Open Socket
initConf();
tls_init();
struct tls* ctx = tls_server();
int sock = initTLS_S(ctx);
sckt = sock;
int connfd, pid;
listen(sock, 10);
// Destroy Config
destroyConf();
while(!term) {
connfd = accept(sock, (struct sockaddr*) NULL, NULL);
if (term) {
break;
}
pid = fork();
if (pid < 0) {
syslog(LOG_ERR, "forking new Worker failed");
} else if (pid == 0) {
close(sock);
syslog(LOG_INFO, "New incoming connection");
worker(connfd, ctx);
syslog(LOG_INFO, "Closing connection");
exit(0);
} else {
close(connfd);
}
}
syslog(LOG_INFO, "Shutting down Server");
close(sock);
tls_close(ctx);
tls_free(ctx);
tls_config_free(tlsServer_conf);
pidfile_remove(pfh);
syslog(LOG_INFO, "Stopped Fidistat Server");
closelog();
exit(0);
}
int main(int argc, char* argv[]) { /* execution begins here 8-) */
int retval;
#ifdef M_MMAP_THRESHOLD
mallopt(M_MMAP_THRESHOLD, 4096);
#endif
tls_init(); /* initialize thread-local storage */
retval=main_unix(argc, argv);
main_cleanup();
return retval;
}
static void test_cipher_nego(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* server key is EC:secp384r1 - ECDHE-ECDSA */
str_check(create_worker(&server, true, "show=ciphers", SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1,
"ciphers=AESGCM",
"host=server1.com",
NULL), "OK");
str_any3(run_case(client, server),
"TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=secp384r1",
"TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=X25519",
"TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384");
/* server key is RSA - ECDHE-RSA */
str_check(create_worker(&server, true, "show=ciphers", SERVER2, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"ciphers=AESGCM",
"host=server2.com",
NULL), "OK");
str_any3(run_case(client, server),
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384");
/* server key is RSA - DHE-RSA */
str_check(create_worker(&server, true, SERVER2,
"show=ciphers",
"dheparams=auto",
NULL), "OK");
str_check(create_worker(&client, false, CA2,
"ciphers=EDH+AESGCM",
"host=server2.com",
NULL), "OK");
str_check(run_case(client, server), "TLSv1.2/DHE-RSA-AES256-GCM-SHA384/DH=2048");
/* server key is RSA - ECDHE-RSA */
str_check(create_worker(&server, true, SERVER2,
"show=ciphers",
NULL), "OK");
str_check(create_worker(&client, false, CA2,
"ciphers=EECDH+AES",
"host=server2.com",
NULL), "OK");
str_any3(run_case(client, server),
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384");
end:;
}
static void test_set_mem(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* both server & client with cert */
str_check(create_worker(&server, true, "mem=1", SERVER1, CA2, NULL), "OK");
str_check(create_worker(&client, false, "mem=1", CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
int mutt_ssl_socket_setup (CONNECTION* conn)
{
if (tls_init() < 0)
return -1;
conn->conn_open = tls_socket_open;
conn->conn_read = tls_socket_read;
conn->conn_write = tls_socket_write;
conn->conn_close = tls_socket_close;
conn->conn_poll = raw_socket_poll;
return 0;
}
/**
* mutt_ssl_socket_setup - Set up SSL socket mulitplexor
* @param conn Connection to a server
* @retval 0 Success
* @retval -1 Error
*/
int mutt_ssl_socket_setup(struct Connection *conn)
{
if (tls_init() < 0)
return -1;
conn->conn_open = tls_socket_open;
conn->conn_read = tls_socket_read;
conn->conn_write = tls_socket_write;
conn->conn_close = tls_socket_close;
conn->conn_poll = raw_socket_poll;
return 0;
}
/**
* mutt_ssl_starttls - Set up TLS multiplexor
* @param conn Connection to a server
* @retval 0 Success
* @retval -1 Error
*/
int mutt_ssl_starttls(struct Connection *conn)
{
if (tls_init() < 0)
return -1;
if (tls_negotiate(conn) < 0)
return -1;
conn->conn_read = tls_socket_read;
conn->conn_write = tls_socket_write;
conn->conn_close = tls_starttls_close;
return 0;
}
int mutt_ssl_starttls (CONNECTION* conn)
{
if (tls_init() < 0)
return -1;
if (tls_negotiate (conn) < 0)
return -1;
conn->conn_read = tls_socket_read;
conn->conn_write = tls_socket_write;
conn->conn_close = tls_starttls_close;
return 0;
}
int
ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
{
Sockbuf *sb;
char *host;
void *ssl;
if ( !conn )
return LDAP_PARAM_ERROR;
sb = conn->lconn_sb;
if( srv ) {
host = srv->lud_host;
} else {
host = conn->lconn_server->lud_host;
}
/* avoid NULL host */
if( host == NULL ) {
host = "localhost";
}
(void) tls_init( tls_imp );
/*
* Fortunately, the lib uses blocking io...
*/
if ( ldap_int_tls_connect( ld, conn ) < 0 ) {
ld->ld_errno = LDAP_CONNECT_ERROR;
return (ld->ld_errno);
}
ssl = ldap_pvt_tls_sb_ctx( sb );
assert( ssl != NULL );
/*
* compare host with name(s) in certificate
*/
if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
if (ld->ld_errno != LDAP_SUCCESS) {
return ld->ld_errno;
}
}
return LDAP_SUCCESS;
}
static void test_clientcert(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* ok: server checks client cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* fail: server rejects invalid cert */
str_check(create_worker(&server, true, SERVER1, CA1,
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_any3(run_case(client, server),
"C:tlsv1 alert unknown ca - S:no certificate returned",
"C:tlsv1 alert unknown ca,C:shutdown while in init - S:certificate verify failed",
"C:tlsv1 alert unknown ca - S:certificate verify failed");
/* noverifycert: server allow invalid cert */
str_check(create_worker(&server, true, SERVER1, CA1,
"noverifycert=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* verify-client: don't allow client without cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_any2(run_case(client, server),
"C:sslv3 alert handshake failure - S:peer did not return a certificate",
"C:sslv3 alert handshake failure,C:shutdown while in init - S:peer did not return a certificate");
/* verify-client-optional: allow client without cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client-optional=1",
NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
static void test_cert_info(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* server shows client cert */
str_check(create_worker(&server, true, "show=peer-cert", SERVER1, CA2,
"peer-sha1=ssl/ca2_client2.crt.sha1",
"peer-sha256=ssl/ca2_client2.crt.sha256",
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1,
"host=server1.com",
"peer-sha1=ssl/ca1_server1.crt.sha1",
"peer-sha256=ssl/ca1_server1.crt.sha256",
NULL), "OK");
str_check(run_case(client, server),
"Subject: /CN=client2/C=XX/ST=State2/L=City2/O=Org2"
" Issuer: /CN=TestCA2"
" Serial: 1387724136048036785122419970010419099185643835502"
" NotBefore: 2010-01-01T08:05:00Z"
" NotAfter: 2060-12-31T23:55:00Z");
/* client shows server cert - utf8 */
str_check(create_worker(&server, true, COMPLEX1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "show=peer-cert", "host=complex1.com", NULL), "OK");
str_check(run_case(client, server),
"Subject: /CN=complex1.com/ST=様々な論争を引き起こしてきた。/L=Kõzzä"
" Issuer: /CN=TestCA1/C=AA/ST=State1/L=City1/O=Org1"
" Serial: 1113692385315072860785465640275941003895485612482"
" NotBefore: 2010-01-01T08:05:00Z"
" NotAfter: 2060-12-31T23:55:00Z");
/* client shows server cert - t61/bmp */
str_check(create_worker(&server, true, COMPLEX2, NULL), "OK");
str_check(create_worker(&client, false, CA2, "show=peer-cert", "host=complex2.com", NULL), "OK");
str_check(run_case(client, server),
"Subject: /CN=complex2.com/ST=様々な論争を引き起こしてきた。/L=Kõzzä"
" Issuer: /CN=TestCA2"
" Serial: 344032136906054686761742495217219742691739762030"
" NotBefore: 2010-01-01T08:05:00Z"
" NotAfter: 2060-12-31T23:55:00Z");
end:;
}
static void test_noverifyname(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* noverifyname: client checks server cert, ignore bad hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=example2.com",
"noverifyname=1",
NULL), "OK");
str_check(run_case(client, server), "OK");
/* noverifyname: client checks server cert, ignore NULL hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "noverifyname=1", NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
int main(int const argc, char const *const *const argv) {
// Depending on how async_pool and async_fs are configured, we might be
// using our own thread pool heavily or not. However, at the minimum,
// uv_getaddrinfo uses the libuv thread pool, and it blocks on the
// network, so don't set this number too low.
if(!getenv("UV_THREADPOOL_SIZE")) putenv((char *)"UV_THREADPOOL_SIZE=4");
raiserlimit();
async_init();
int rc = tls_init();
if(rc < 0) {
alogf("TLS initialization error: %s\n", strerror(errno));
return 1;
}
if(2 != argc || '-' == argv[1][0]) {
alogf("Usage:\n\t" "%s repo\n", argv[0]);
return 1;
}
path = argv[1];
// Even our init code wants to use async I/O.
async_spawn(STACK_DEFAULT, init, NULL);
uv_run(async_loop, UV_RUN_DEFAULT);
async_spawn(STACK_DEFAULT, term, NULL);
uv_run(async_loop, UV_RUN_DEFAULT);
// cleanup is separate from term because connections might
// still be active.
async_spawn(STACK_DEFAULT, cleanup, NULL);
uv_run(async_loop, UV_RUN_DEFAULT);
async_destroy();
// TODO: Windows?
if(sig) raise(sig);
return 0;
}
static int eap_example_server_init_tls(rlm_eap_t *inst)
{
struct tls_config tconf;
os_memset(&tconf, 0, sizeof(tconf));
inst->tls_ctx = tls_init(&tconf);
if (inst->tls_ctx == NULL)
return -1;
if (tls_global_set_params(inst->tls_ctx, &inst->tparams)) {
radlog(L_ERR, "rlm_eap2: Failed to set TLS parameters");
return -1;
}
if (tls_global_set_verify(inst->tls_ctx, 0)) {
radlog(L_ERR, "rlm_eap2: Failed to set check_crl");
return -1;
}
return 0;
}
static void test_noverifycert(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* noverifycert: client ignores cert */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"host=server1.com",
"noverifycert=1",
NULL), "OK");
str_check(run_case(client, server), "OK");
/* noverifycert: client ignores cert, but checks hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"host=server2.com",
"noverifycert=1",
NULL), "OK");
str_check(run_case(client, server), "C:name `server2.com' not present in server certificate");
/* noverifycert: client ignores both cert, hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"host=server2.com",
"noverifycert=1",
"noverifyname=1",
NULL), "OK");
str_check(run_case(client, server), "OK");
/* noverifycert: client ignores both cert, hostname (=NULL) */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"noverifycert=1",
"noverifyname=1",
NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
