/* TODO rm test_fd */
int
test_unmatching_ssl_version (void * cls, char *cipher_suite,
int curl_req_ssl_version)
{
struct CBC cbc;
if (NULL == (cbc.buf = malloc (sizeof (char) * 256)))
{
fprintf (stderr, "Error: failed to allocate: %s\n",
strerror (errno));
return -1;
}
cbc.size = 256;
cbc.pos = 0;
char url[255];
if (gen_test_file_url (url, DEAMON_TEST_PORT))
{
free (cbc.buf);
return -1;
}
/* assert daemon *rejected* request */
if (CURLE_OK ==
send_curl_req (url, &cbc, cipher_suite, curl_req_ssl_version))
{
free (cbc.buf);
return -1;
}
free (cbc.buf);
return 0;
}
/**
* test HTTPS file transfer
*/
int
test_https_transfer (void *cls, char *cipher_suite, int proto_version)
{
int len;
int ret = 0;
struct CBC cbc;
char url[255];
len = strlen (test_data);
if (NULL == (cbc.buf = malloc (sizeof (char) * len)))
{
fprintf (stderr, MHD_E_MEM);
return -1;
}
cbc.size = len;
cbc.pos = 0;
if (gen_test_file_url (url, DEAMON_TEST_PORT))
{
ret = -1;
goto cleanup;
}
if (CURLE_OK != send_curl_req (url, &cbc, cipher_suite, proto_version))
{
ret = -1;
goto cleanup;
}
/* compare test file & daemon responce */
if ( (len != strlen (test_data)) ||
(memcmp (cbc.buf,
test_data,
len) != 0) )
{
fprintf (stderr, "Error: local file & received file differ.\n");
ret = -1;
}
cleanup:
free (cbc.buf);
return ret;
}
/**
* test HTTPS file transfer
* @param test_fd: file to attempt transferring
*/
int
test_https_transfer (FILE * test_fd, char *cipher_suite, int proto_version)
{
int len, ret = 0;
struct CBC cbc;
char url[255];
struct stat statb;
/* used to memcmp local copy & deamon supplied copy */
unsigned char *mem_test_file_local;
if (0 != stat (TEST_FILE_NAME, &statb))
{
fprintf (stderr, "Failed to stat `%s': %s\n",
TEST_FILE_NAME, strerror(errno));
return -1;
}
len = statb.st_size;
cbc.buf = NULL;
if (NULL == (mem_test_file_local = malloc (len)))
{
fprintf (stderr, MHD_E_MEM);
ret = -1;
goto cleanup;
}
fseek (test_fd, 0, SEEK_SET);
if (fread (mem_test_file_local, sizeof (char), len, test_fd) != len)
{
fprintf (stderr, "Error: failed to read test file. %s\n",
strerror (errno));
ret = -1;
goto cleanup;
}
if (NULL == (cbc.buf = malloc (sizeof (char) * len)))
{
fprintf (stderr, MHD_E_MEM);
ret = -1;
goto cleanup;
}
cbc.size = len;
cbc.pos = 0;
if (gen_test_file_url (url, DEAMON_TEST_PORT))
{
ret = -1;
goto cleanup;
}
if (CURLE_OK != send_curl_req (url, &cbc, cipher_suite, proto_version))
{
ret = -1;
goto cleanup;
}
/* compare test file & daemon responce */
if (memcmp (cbc.buf, mem_test_file_local, len) != 0)
{
fprintf (stderr, "Error: local file & received file differ.\n");
ret = -1;
}
cleanup:
free (mem_test_file_local);
if (cbc.buf != NULL)
free (cbc.buf);
return ret;
}
/**
* Test daemon response to TLS client hello requests containing extensions
*
* @param session
* @param exten_t - the type of extension being appended to client hello request
* @param ext_count - the number of consecutive extension replicas inserted into request
* @param ext_length - the length of each appended extension
* @return 0 on successful test completion, -1 otherwise
*/
static int
test_hello_extension (gnutls_session_t session, extensions_t exten_t,
int ext_count, int ext_length)
{
int i, ret = 0, pos = 0;
MHD_socket sd;
int exten_data_len, ciphersuite_len, datalen;
struct sockaddr_in sa;
char url[255];
opaque *data = NULL;
uint8_t session_id_len = 0;
opaque rnd[TLS_RANDOM_SIZE];
opaque extdata[MAX_EXT_DATA_LENGTH];
/* single, null compression */
unsigned char comp[] = { 0x01, 0x00 };
struct CBC cbc;
sd = -1;
memset (&cbc, 0, sizeof (struct CBC));
if (NULL == (cbc.buf = malloc (sizeof (char) * 256)))
{
fprintf (stderr, MHD_E_MEM);
ret = -1;
goto cleanup;
}
cbc.size = 256;
sd = socket (AF_INET, SOCK_STREAM, 0);
if (sd == -1)
{
fprintf(stderr, "Failed to create socket: %s\n", strerror(errno));
free (cbc.buf);
return -1;
}
memset (&sa, '\0', sizeof (struct sockaddr_in));
sa.sin_family = AF_INET;
sa.sin_port = htons (DEAMON_TEST_PORT);
sa.sin_addr.s_addr = htonl (INADDR_LOOPBACK);
enum MHD_GNUTLS_Protocol hver;
/* init hash functions */
session->internals.handshake_mac_handle_md5 =
MHD_gtls_hash_init (MHD_GNUTLS_MAC_MD5);
session->internals.handshake_mac_handle_sha =
MHD_gtls_hash_init (MHD_GNUTLS_MAC_SHA1);
/* version = 2 , random = [4 for unix time + 28 for random bytes] */
datalen = 2 /* version */ + TLS_RANDOM_SIZE + (session_id_len + 1);
data = MHD_gnutls_malloc (datalen);
if (data == NULL)
{
free (cbc.buf);
return -1;
}
hver = MHD_gtls_version_max (session);
data[pos++] = MHD_gtls_version_get_major (hver);
data[pos++] = MHD_gtls_version_get_minor (hver);
/* Set the version we advertise as maximum (RSA uses it). */
set_adv_version (session, MHD_gtls_version_get_major (hver),
MHD_gtls_version_get_minor (hver));
session->security_parameters.version = hver;
session->security_parameters.timestamp = time (NULL);
/* generate session client random */
memset (session->security_parameters.client_random, 0, TLS_RANDOM_SIZE);
gnutls_write_uint32 (time (NULL), rnd);
if (GC_OK != MHD_gc_nonce ((char *) &rnd[4], TLS_RANDOM_SIZE - 4)) abort ();
memcpy (session->security_parameters.client_random, rnd, TLS_RANDOM_SIZE);
memcpy (&data[pos], rnd, TLS_RANDOM_SIZE);
pos += TLS_RANDOM_SIZE;
/* Copy the Session ID */
data[pos++] = session_id_len;
/*
* len = ciphersuite data + 2 bytes ciphersuite length \
* 1 byte compression length + 1 byte compression data + \
* 2 bytes extension length, extensions data
*/
ciphersuite_len = MHD__gnutls_copy_ciphersuites (session, extdata,
sizeof (extdata));
exten_data_len = ext_count * (2 + 2 + ext_length);
datalen += ciphersuite_len + 2 + 2 + exten_data_len;
data = MHD_gtls_realloc_fast (data, datalen);
memcpy (&data[pos], extdata, sizeof (ciphersuite_len));
pos += ciphersuite_len;
/* set compression */
memcpy (&data[pos], comp, sizeof (comp));
pos += 2;
/* set extensions length = 2 type bytes + 2 length bytes + extension length */
gnutls_write_uint16 (exten_data_len, &data[pos]);
pos += 2;
for (i = 0; i < ext_count; ++i)
{
/* write extension type */
gnutls_write_uint16 (exten_t, &data[pos]);
pos += 2;
gnutls_write_uint16 (ext_length, &data[pos]);
pos += 2;
/* we might want to generate random data here */
memset (&data[pos], 0, ext_length);
pos += ext_length;
}
if (connect (sd, &sa, sizeof (struct sockaddr_in)) < 0)
{
fprintf (stderr, "%s\n", MHD_E_FAILED_TO_CONNECT);
ret = -1;
goto cleanup;
}
gnutls_transport_set_ptr (session, (MHD_gnutls_transport_ptr_t) (long) sd);
if (gen_test_file_url (url, DEAMON_TEST_PORT))
{
ret = -1;
goto cleanup;
}
/* this should crash the server */
ret = gnutls_send_handshake (session, data, datalen,
GNUTLS_HANDSHAKE_CLIENT_HELLO);
/* advance to STATE2 */
session->internals.handshake_state = STATE2;
ret = gnutls_handshake (session);
ret = gnutls_bye (session, GNUTLS_SHUT_WR);
gnutls_free (data);
/* make sure daemon is still functioning */
if (CURLE_OK != send_curl_req (url, &cbc, "AES128-SHA",
MHD_GNUTLS_PROTOCOL_TLS1_2))
{
ret = -1;
goto cleanup;
}
cleanup:
if (-1 != sd)
MHD_socket_close_ (sd);
gnutls_free (cbc.buf);
return ret;
}
/*
* test HTTPS transfer
*/
int
test_daemon_get (void *cls, char *cipher_suite, int proto_version,
int port,
int ver_peer)
{
CURL *c;
struct CBC cbc;
CURLcode errornum;
char url[255];
size_t len;
len = strlen (test_data);
if (NULL == (cbc.buf = malloc (sizeof (char) * len)))
{
fprintf (stderr, MHD_E_MEM);
return -1;
}
cbc.size = len;
cbc.pos = 0;
/* construct url - this might use doc_path */
gen_test_file_url (url, port);
c = curl_easy_init ();
#if DEBUG_HTTPS_TEST
curl_easy_setopt (c, CURLOPT_VERBOSE, 1);
#endif
curl_easy_setopt (c, CURLOPT_URL, url);
curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L);
curl_easy_setopt (c, CURLOPT_CONNECTTIMEOUT, 10L);
curl_easy_setopt (c, CURLOPT_WRITEFUNCTION, ©Buffer);
curl_easy_setopt (c, CURLOPT_FILE, &cbc);
/* TLS options */
curl_easy_setopt (c, CURLOPT_SSLVERSION, proto_version);
curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, cipher_suite);
/* perform peer authentication */
/* TODO merge into send_curl_req */
curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, ver_peer);
curl_easy_setopt (c, CURLOPT_CAINFO, ca_cert_file_name);
curl_easy_setopt (c, CURLOPT_SSL_VERIFYHOST, 0);
curl_easy_setopt (c, CURLOPT_FAILONERROR, 1);
/* NOTE: use of CONNECTTIMEOUT without also
setting NOSIGNAL results in really weird
crashes on my system! */
curl_easy_setopt (c, CURLOPT_NOSIGNAL, 1);
if (CURLE_OK != (errornum = curl_easy_perform (c)))
{
fprintf (stderr, "curl_easy_perform failed: `%s'\n",
curl_easy_strerror (errornum));
curl_easy_cleanup (c);
free (cbc.buf);
return errornum;
}
curl_easy_cleanup (c);
if (memcmp (cbc.buf, test_data, len) != 0)
{
fprintf (stderr, "Error: local file & received file differ.\n");
free (cbc.buf);
return -1;
}
free (cbc.buf);
return 0;
}
/*
* negotiate a secure connection with server & query negotiated security parameters
*/
static int
test_query_session ()
{
CURL *c;
struct CBC cbc;
CURLcode errornum;
char url[256];
if (NULL == (cbc.buf = malloc (sizeof (char) * 255)))
return 16;
cbc.size = 255;
cbc.pos = 0;
gen_test_file_url (url, DEAMON_TEST_PORT);
/* setup test */
d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL |
MHD_USE_DEBUG, DEAMON_TEST_PORT,
NULL, NULL, &query_session_ahc, NULL,
MHD_OPTION_HTTPS_PRIORITIES, "NORMAL:-AES-128-CBC",
MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
MHD_OPTION_END);
if (d == NULL)
return 2;
char *aes256_sha = "AES256-SHA";
if (curl_uses_nss_ssl() == 0)
{
aes256_sha = "rsa_aes_256_sha";
}
c = curl_easy_init ();
#if DEBUG_HTTPS_TEST
curl_easy_setopt (c, CURLOPT_VERBOSE, 1);
#endif
curl_easy_setopt (c, CURLOPT_URL, url);
curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L);
curl_easy_setopt (c, CURLOPT_CONNECTTIMEOUT, 10L);
curl_easy_setopt (c, CURLOPT_WRITEFUNCTION, ©Buffer);
curl_easy_setopt (c, CURLOPT_FILE, &cbc);
/* TLS options */
curl_easy_setopt (c, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, aes256_sha);
/* currently skip any peer authentication */
curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt (c, CURLOPT_SSL_VERIFYHOST, 0);
curl_easy_setopt (c, CURLOPT_FAILONERROR, 1);
// NOTE: use of CONNECTTIMEOUT without also
// setting NOSIGNAL results in really weird
// crashes on my system!
curl_easy_setopt (c, CURLOPT_NOSIGNAL, 1);
if (CURLE_OK != (errornum = curl_easy_perform (c)))
{
fprintf (stderr, "curl_easy_perform failed: `%s'\n",
curl_easy_strerror (errornum));
MHD_stop_daemon (d);
curl_easy_cleanup (c);
free (cbc.buf);
return -1;
}
MHD_stop_daemon (d);
curl_easy_cleanup (c);
free (cbc.buf);
return 0;
}
