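diff --git a/src/testcurl/https/test_tls_options.c b/src/testcurl/https/test_tls_options.c
new file mode 100644
index 00000000..1c604daf
--- /dev/null
+++ b/src/testcurl/https/test_tls_options.c
@@ -0,0 +1,186 @@
+/*
+ This file is part of libmicrohttpd
+ (C) 2007, 2010 Christian Grothoff
+
+ libmicrohttpd is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published
+ by the Free Software Foundation; either version 2, or (at your
+ option) any later version.
+
+ libmicrohttpd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with libmicrohttpd; see the file COPYING. If not, write to the
+ Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+*/
+
+/**
+ * @file tls_daemon_options_test.c
+ * @brief Testcase for libmicrohttpd HTTPS GET operations
+ * @author Sagie Amir
+ */
+
+#include "platform.h"
+#include "microhttpd.h"
+#include <sys/stat.h>
+#include <limits.h>
+#include <gcrypt.h>
+#include "tls_test_common.h"
+
+extern const char srv_key_pem[];
+extern const char srv_self_signed_cert_pem[];
+
+int curl_check_version (const char *req_version, ...);
+
+/**
+ * test server refuses to negotiate connections with unsupported protocol versions
+ *
+ */
+static int
+test_unmatching_ssl_version (void * cls, const char *cipher_suite,
+ int curl_req_ssl_version)
+{
+ struct CBC cbc;
+ if (NULL == (cbc.buf = malloc (sizeof (char) * 256)))
+ {
+ fprintf (stderr, "Error: failed to allocate: %s\n",
+ strerror (errno));
+ return -1;
+ }
+ cbc.size = 256;
+ cbc.pos = 0;
+
+ char url[255];
+ if (gen_test_file_url (url, DEAMON_TEST_PORT))
+ {
+ free (cbc.buf);
+ fprintf (stderr, "Internal error in gen_test_file_url\n");
+ return -1;
+ }
+
+ /* assert daemon *rejected* request */
+ if (CURLE_OK ==
+ send_curl_req (url, &cbc, cipher_suite, curl_req_ssl_version))
+ {
+ free (cbc.buf);
+ fprintf (stderr, "cURL failed to reject request despite SSL version missmatch!\n");
+ return -1;
+ }
+
+ free (cbc.buf);
+ return 0;
+}
+
+/* setup a temporary transfer test file */
+int
+main (int argc, char *const *argv)
+{
+ unsigned int errorCount = 0;
+
+ int daemon_flags =
+ MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | MHD_USE_DEBUG;
+ gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+ gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+ if (curl_check_version (MHD_REQ_CURL_VERSION))
+ {
+ return 0;
+ }
+
+ if (0 != curl_global_init (CURL_GLOBAL_ALL))
+ {
+ fprintf (stderr, "Error: %s\n", strerror (errno));
+ return 0;
+ }
+
+ const char *aes128_sha = "AES128-SHA";
+ const char *aes256_sha = "AES256-SHA";
+ if (curl_uses_nss_ssl() == 0)
+ {
+ aes128_sha = "rsa_aes_128_sha";
+ aes256_sha = "rsa_aes_256_sha";
+ }
+
+
+ if (0 !=
+ test_wrap ("TLS1.0-AES-SHA1",
+ &test_https_transfer, NULL, daemon_flags,
+ aes128_sha,
+ CURL_SSLVERSION_TLSv1,
+ MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+ MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+ MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
+ MHD_OPTION_END))
+ {
+ fprintf (stderr, "TLS1.0-AES-SHA1 test failed\n");
+ errorCount++;
+ }
+#if 0
+ /* this used to work, but somehow no longer. gnutls issue? */
+ if (0 !=
+ test_wrap ("SSL3.0-AES256-SHA1",
+ &test_https_transfer, NULL, daemon_flags,
+ aes256_sha,
+ CURL_SSLVERSION_SSLv3,
+ MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+ MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+ MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
+ MHD_OPTION_END))
+ {
+ fprintf (stderr, "SSL3.0-AES256-SHA1 test failed\n");
+ errorCount++;
+ }
+ if (0 !=
+ test_wrap ("SSL3.0-AES-SHA1",
+ &test_https_transfer, NULL, daemon_flags,
+ aes128_sha,
+ CURL_SSLVERSION_SSLv3,
+ MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+ MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+ MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
+ MHD_OPTION_END))
+ {
+ fprintf (stderr, "SSL3.0-AES-SHA1 test failed\n");
+ errorCount++;
+ }
+#endif
+
+
+#if 0
+ /* manual inspection of the handshake suggests that CURL will
+ request TLSv1, we send back "SSL3" and CURL takes it *despite*
+ being configured to speak SSL3-only. Notably, the other way
+ round (have curl request SSL3, respond with TLSv1 only)
+ is properly refused by CURL. Either way, this does NOT seem
+ to be a bug in MHD/gnuTLS but rather in CURL; hence this
+ test is commented out here... */
+ errorCount +=
+ test_wrap ("unmatching version: SSL3 vs. TLS", &test_unmatching_ssl_version,
+ NULL, daemon_flags, "AES256-SHA", CURL_SSLVERSION_TLSv1,
+ MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+ MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+ MHD_OPTION_CIPHER_ALGORITHM, "SSL3", MHD_OPTION_END);
+#endif
+
+ fprintf (stderr,
+ "The following handshake should fail (and print an error message)...\n");
+ if (0 !=
+ test_wrap ("TLS1.0 vs SSL3",
+ &test_unmatching_ssl_version, NULL, daemon_flags,
+ aes256_sha,
+ CURL_SSLVERSION_SSLv3,
+ MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+ MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+ MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
+ MHD_OPTION_END))
+ {
+ fprintf (stderr, "TLS1.0 vs SSL3 test failed\n");
+ errorCount++;
+ }
+ curl_global_cleanup ();
+
+ return errorCount != 0;
+}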
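Review bot: `test_unmatching_ssl_version` accepts any non-`CURLE_OK` return from `send_curl_req` as proof that the daemon refused the protocol-version mismatch, so an unrelated failure — the daemon not yet listening, a cipher name the client's TLS backend does not recognise, a plain transport error — makes the "TLS1.0 vs SSL3" case pass for the wrong reason. Capture the code and require the TLS-layer error: `CURLcode rc = send_curl_req (url, &cbc, cipher_suite, curl_req_ssl_version);` followed by `if (CURLE_SSL_CONNECT_ERROR != rc)` and print `rc` in the diagnostic; `send_curl_req`'s return type is not visible here, so adjust the declaration to match. Relatedly, `main` returns 0 when `curl_global_init` fails (and `strerror (errno)` there is not meaningful, since libcurl does not report through `errno`), which turns a broken test environment into a green run; returning non-zero, as the final `errorCount != 0` does, would be consistent. The `GCRYCTL_ENABLE_QUICK_RANDOM` call is acceptable for a throwaway test process but deserves a comment such as `/* test-only: weak RNG, never use in server code */` so it is not copied elsewhere.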