Diffstat (limited to 'src/testcurl/https/test_tls_options.c')
-rw-r--r-- | src/testcurl/https/test_tls_options.c | 186 |
1 files changed, 186 insertions, 0 deletions
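--- /dev/null
+++ b/src/testcurl/https/test_tls_options.c
@@ -0,0 +1,186 @@
+/*
+This file is part of libmicrohttpd
+(C) 2007, 2010 Christian Grothoff
+
+libmicrohttpd is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published
+by the Free Software Foundation; either version 2, or (at your
+option) any later version.
+
+libmicrohttpd is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with libmicrohttpd; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+Boston, MA 02111-1307, USA.
+*/
+
+/**
+* @file tls_daemon_options_test.c
+* @brief Testcase for libmicrohttpd HTTPS GET operations
+* @author Sagie Amir
+*/
+
+#include "platform.h"
+#include "microhttpd.h"
+#include <sys/stat.h>
+#include <limits.h>
+#include <gcrypt.h>
+#include "tls_test_common.h"
+
+extern const char srv_key_pem[];
+extern const char srv_self_signed_cert_pem[];
+
+int curl_check_version (const char *req_version, ...);
+
+/**
+* test server refuses to negotiate connections with unsupported protocol versions
+*
+*/
+static int
+test_unmatching_ssl_version (void * cls, const char *cipher_suite,
+int curl_req_ssl_version)
+{
+struct CBC cbc;
+if (NULL == (cbc.buf = malloc (sizeof (char) * 256)))
+{
+fprintf (stderr, "Error: failed to allocate: %s\n",
+strerror (errno));
+return -1;
+}
+cbc.size = 256;
+cbc.pos = 0;
+
+char url[255];
+if (gen_test_file_url (url, DEAMON_TEST_PORT))
+{
+free (cbc.buf);
+fprintf (stderr, "Internal error in gen_test_file_url\n");
+return -1;
+}
+
+/* assert daemon *rejected* request */
+if (CURLE_OK ==
+send_curl_req (url, &cbc, cipher_suite, curl_req_ssl_version))
+{
+free (cbc.buf);
+fprintf (stderr, "cURL failed to reject request despite SSL version missmatch!\n");
+return -1;
+}
+
+free (cbc.buf);
+return 0;
+}
+
+/* setup a temporary transfer test file */
+int
+main (int argc, char *const *argv)
+{
+unsigned int errorCount = 0;
+
+int daemon_flags =
+MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | MHD_USE_DEBUG;
+gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+if (curl_check_version (MHD_REQ_CURL_VERSION))
+{
+return 0;
+}
+
+if (0 != curl_global_init (CURL_GLOBAL_ALL))
+{
+fprintf (stderr, "Error: %s\n", strerror (errno));
+return 0;
+}
+
+const char *aes128_sha = "AES128-SHA";
+const char *aes256_sha = "AES256-SHA";
+if (curl_uses_nss_ssl() == 0)
+{
+aes128_sha = "rsa_aes_128_sha";
+aes256_sha = "rsa_aes_256_sha";
+}
+
+
+if (0 !=
+test_wrap ("TLS1.0-AES-SHA1",
+&test_https_transfer, NULL, daemon_flags,
+aes128_sha,
+CURL_SSLVERSION_TLSv1,
+MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
+MHD_OPTION_END))
+{
+fprintf (stderr, "TLS1.0-AES-SHA1 test failed\n");
+errorCount++;
+}
+#if 0
+/* this used to work, but somehow no longer. gnutls issue? */
+if (0 !=
+test_wrap ("SSL3.0-AES256-SHA1",
+&test_https_transfer, NULL, daemon_flags,
+aes256_sha,
+CURL_SSLVERSION_SSLv3,
+MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
+MHD_OPTION_END))
+{
+fprintf (stderr, "SSL3.0-AES256-SHA1 test failed\n");
+errorCount++;
+}
+if (0 !=
+test_wrap ("SSL3.0-AES-SHA1",
+&test_https_transfer, NULL, daemon_flags,
+aes128_sha,
+CURL_SSLVERSION_SSLv3,
+MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
+MHD_OPTION_END))
+{
+fprintf (stderr, "SSL3.0-AES-SHA1 test failed\n");
+errorCount++;
+}
+#endif
+
+
+#if 0
+/* manual inspection of the handshake suggests that CURL will
+request TLSv1, we send back "SSL3" and CURL takes it *despite*
+being configured to speak SSL3-only. Notably, the other way
+round (have curl request SSL3, respond with TLSv1 only)
+is properly refused by CURL. Either way, this does NOT seem
+to be a bug in MHD/gnuTLS but rather in CURL; hence this
+test is commented out here... */
+errorCount +=
+test_wrap ("unmatching version: SSL3 vs. TLS", &test_unmatching_ssl_version,
+NULL, daemon_flags, "AES256-SHA", CURL_SSLVERSION_TLSv1,
+MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+MHD_OPTION_CIPHER_ALGORITHM, "SSL3", MHD_OPTION_END);
+#endif
+
+fprintf (stderr,
+"The following handshake should fail (and print an error message)...\n");
+if (0 !=
+test_wrap ("TLS1.0 vs SSL3",
+&test_unmatching_ssl_version, NULL, daemon_flags,
+aes256_sha,
+CURL_SSLVERSION_SSLv3,
+MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
+MHD_OPTION_END))
+{
+fprintf (stderr, "TLS1.0 vs SSL3 test failed\n");
+errorCount++;
+}
+curl_global_cleanup ();
+
+return errorCount != 0;
+}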
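Review bot: The negative check `if (CURLE_OK == send_curl_req (url, &cbc, cipher_suite, curl_req_ssl_version))` in test_unmatching_ssl_version treats any failure as proof that the daemon refused the SSLv3 client, so a daemon that never started, a refused TCP connection or a name-resolution problem would also make this test pass and the protocol-version restriction would go unverified. Assuming send_curl_req hands back the CURLcode it received from libcurl, store it and require a TLS-level failure, e.g. `CURLcode rc = send_curl_req (url, &cbc, cipher_suite, curl_req_ssl_version); if (CURLE_SSL_CONNECT_ERROR != rc) { fprintf (stderr, "unexpected result %d\n", (int) rc); ... return -1; }`. In main, the curl_global_init failure branch prints `strerror (errno)` although curl_global_init does not report through errno, and then returns 0, so an initialization failure is recorded as a passing test; it should return non-zero (the curl_check_version early exit is a deliberate skip and can stay). The Doxygen header still says `@file tls_daemon_options_test.c` while the file is test_tls_options.c, and the comment above main, "setup a temporary transfer test file", does not describe what main does; `/* run the TLS version/cipher negotiation test cases */` would.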