diff options
| author | Quinn Slack <sqs@cs.stanford.edu> | 2011-01-19 20:35:02 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2011-01-19 20:35:02 +0100 |
| commit | 59cf93ccdbaa5e866f9de6b2d9b1ae5cee84863f (patch) | |
| tree | b0a40c875954b842a9bf50f409d571de04507044 /tests | |
| parent | 4f13340ab8be7baa0fe6210bb3a19b8994875fd8 (diff) | |
TLS-SRP: support added when using GnuTLS
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/FILEFORMAT | 1 | ||||
| -rw-r--r-- | tests/certs/srp-verifier-conf | 3 | ||||
| -rw-r--r-- | tests/certs/srp-verifier-db | 2 | ||||
| -rw-r--r-- | tests/data/Makefile.am | 2 | ||||
| -rw-r--r-- | tests/data/test320 | 95 | ||||
| -rw-r--r-- | tests/data/test321 | 33 | ||||
| -rw-r--r-- | tests/data/test322 | 33 | ||||
| -rw-r--r-- | tests/data/test323 | 33 | ||||
| -rw-r--r-- | tests/data/test324 | 33 | ||||
| -rwxr-xr-x | tests/runtests.pl | 200 | ||||
| -rw-r--r-- | tests/serverhelp.pm | 2 | ||||
| -rw-r--r-- | tests/sshhelp.pm | 9 |
12 files changed, 439 insertions, 7 deletions
diff --git a/tests/FILEFORMAT b/tests/FILEFORMAT index f4565d32e..05d622f33 100644 --- a/tests/FILEFORMAT +++ b/tests/FILEFORMAT @@ -158,6 +158,7 @@ rtsp-ipv6 imap pop3 smtp +http+tls-srp Give only one per line. This subsection is mandatory. </server> diff --git a/tests/certs/srp-verifier-conf b/tests/certs/srp-verifier-conf new file mode 100644 index 000000000..67825ceab --- /dev/null +++ b/tests/certs/srp-verifier-conf @@ -0,0 +1,3 @@ +1:Ewl2hcjiutMd3Fu2lgFnUXWSc67TVyy2vwYCKoS9MLsrdJVT9RgWTCuEqWJrfB6uE3LsE9GkOlaZabS7M29sj5TnzUqOLJMjiwEzArfiLr9WbMRANlF68N5AVLcPWvNx6Zjl3m5Scp0BzJBz9TkgfhzKJZ.WtP3Mv/67I/0wmRZ:2 +2:dUyyhxav9tgnyIg65wHxkzkb7VIPh4o0lkwfOKiPp4rVJrzLRYVBtb76gKlaO7ef5LYGEw3G.4E0jbMxcYBetDy2YdpiP/3GWJInoBbvYHIRO9uBuxgsFKTKWu7RnR7yTau/IrFTdQ4LY/q.AvoCzMxV0PKvD9Odso/LFIItn8PbTov3VMn/ZEH2SqhtpBUkWtmcIkEflhX/YY/fkBKfBbe27/zUaKUUZEUYZ2H2nlCL60.JIPeZJSzsu/xHDVcx:2 +3:2iQzj1CagQc/5ctbuJYLWlhtAsPHc7xWVyCPAKFRLWKADpASkqe9djWPFWTNTdeJtL8nAhImCn3Sr/IAdQ1FrGw0WvQUstPx3FO9KNcXOwisOQ1VlL.gheAHYfbYyBaxXL.NcJx9TUwgWDT0hRzFzqSrdGGTN3FgSTA1v4QnHtEygNj3eZ.u0MThqWUaDiP87nqha7XnT66bkTCkQ8.7T8L4KZjIImrNrUftedTTBi.WCi.zlrBxDuOM0da0JbUkQlXqvp0yvJAPpC11nxmmZOAbQOywZGmu9nhZNuwTlxjfIro0FOdthaDTuZRL9VL7MRPUDo/DQEyW.d4H.UIlzp:2 diff --git a/tests/certs/srp-verifier-db b/tests/certs/srp-verifier-db new file mode 100644 index 000000000..2f851a342 --- /dev/null +++ b/tests/certs/srp-verifier-db @@ -0,0 +1,2 @@ +jsmith:34fPk7u.w3R/M1k2sQ9F.04GZqLKAsqDn44CHGu7ML0M8VWwu1p79OLxi6jRhSNdSM46Kx9GRVyJLXz7eok53..A6X5p3NdnMSYX8WwYrDmuseHDr.eua7gjd04S4EoY4ZuKix2.WGAsMTwk86AmTvcqyzqsH7GDhGOHEhjP5zs:lTjBBoK04K9vTKiL10rI/:1 +alice:3IIP1g1HDTN6VEUr8DUkMleocoC1cpuFZnmunDaGhMyIsw8LAwCc7ZapWaC66gZSyis4ezSuCqvhsJdwdc.0es2UrH6PBkBQflcQDuC.dEpjhWgAcH2Dw.2qU.E0ApQzLkcKOjXMQ2R6jMBL14kEUPjjHS3aa16yB.Afj3bNPdf:1JxU4GkweUEii6.b0grkzU:1 diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 701b32415..6f4e77a6b 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -69,7 +69,7 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46 \ test569 test570 test571 test572 test804 test805 test806 test807 test573 \ test313 test1115 test578 test579 test1116 test1200 test1201 test1202 \ test1203 test1117 test1118 test1119 test1120 test1300 test1301 test1302 \ - test1303 + test1303 test320 test321 test322 test323 test324 filecheck: @mkdir test-place; \ diff --git a/tests/data/test320 b/tests/data/test320 new file mode 100644 index 000000000..bfef00cb2 --- /dev/null +++ b/tests/data/test320 @@ -0,0 +1,95 @@ +<testcase> +<info> +<keywords> +HTTPS +HTTP GET +TLS-SRP +</keywords> +</info> + +# Server-side +<reply> +<data nocheck="yes"> +HTTP/1.0 200 OK
+Content-type: text/html
+
+ +<HTML><BODY> +<CENTER><H1>This is <a href="http://www.gnu.org/software/gnutls">GNUTLS</a></H1></CENTER> + + +<p>Session ID: <i>003030000100000001000000000000000030330001000000B062410001000000</i></p> +<h5>If your browser supports session resuming, then you should see the same session ID, when you press the <b>reload</b> button.</h5> +<p>Connected as user 'jsmith'.</p> +<P> +<TABLE border=1><TR><TD>Protocol version:</TD><TD>TLS1.2</TD></TR> +<TR><TD>Key Exchange:</TD><TD>SRP</TD></TR> +<TR><TD>Compression</TD><TD>NULL</TD></TR> +<TR><TD>Cipher</TD><TD>AES-128-CBC</TD></TR> +<TR><TD>MAC</TD><TD>SHA1</TD></TR> +<TR><TD>Ciphersuite</TD><TD>SRP_SHA_AES_128_CBC_SHA1</TD></TR></p></TABLE> +<hr><P>Your HTTP header was:<PRE>User-Agent: curl/7.21.4-DEV (x86_64-apple-darwin10.5.0) libcurl/7.21.4-DEV GnuTLS/2.10.4 zlib/1.2.5 libidn/1.19
+Host: localhost:9011
+Accept: */*
+
+</PRE></P> +</BODY></HTML> + +</data> +</reply> + +# Client-side +<client> +<server> +http+tls-srp +</server> +<features> +TLS-SRP +</features> + <name> +simple TLS-SRP HTTPS GET, check user in response + </name> +<command> +--insecure --tlsauthtype SRP --tlsuser jsmith --tlspassword abc https://%HOSTIP:%HTTPTLSSRPPORT +</command> +</client> + +# Verify data after the test has been "shot" +<verify> +<protocol> +</protocol> +<file name="log/curl320.out" mode="text"> +HTTP/1.0 200 OK
+Content-type: text/html
+
+ +<HTML><BODY> +<CENTER><H1>This is <a href="http://www.gnu.org/software/gnutls">GNUTLS</a></H1></CENTER> + + + +<h5>If your browser supports session resuming, then you should see the same session ID, when you press the <b>reload</b> button.</h5> +<p>Connected as user 'jsmith'.</p> +<P> +<TABLE border=1><TR><TD> +<TR><TD>Key Exchange:</TD><TD>SRP</TD></TR> +<TR><TD>Compression</TD><TD>NULL</TD></TR> +<TR><TD>Cipher</TD><TD>AES-128-CBC</TD></TR> +<TR><TD>MAC</TD><TD>SHA1</TD></TR> +<TR><TD>Ciphersuite</TD><TD>SRP_SHA_AES_128_CBC_SHA1</TD></TR></p></TABLE> + +Host: %HOSTIP:%HTTPTLSSRPPORT
+Accept: */*
+
+</PRE></P> +</BODY></HTML> + +</file> +<stripfile> +s/^<p>Session ID:.*// +s/^<hr><P>Your HTTP header was:.*// +s/Protocol version:.*// +</stripfile> +</verify> + +</testcase> diff --git a/tests/data/test321 b/tests/data/test321 new file mode 100644 index 000000000..84c19bc85 --- /dev/null +++ b/tests/data/test321 @@ -0,0 +1,33 @@ +<testcase> +<info> +<keywords> +HTTPS +TLS-SRP +FAILURE +</keywords> +</info> + +# Client-side +<client> +<server> +http+tls-srp +</server> +<features> +TLS-SRP +</features> + <name> +TLS-SRP with bad username and password + </name> +<command> +--insecure --tlsauthtype SRP --tlsuser baduser --tlspassword badpass https://%HOSTIP:%HTTPTLSSRPPORT +</command> +</client> + +# Verify data after the test has been "shot" +<verify> +<errorcode> +35 +</errorcode> +</verify> + +</testcase> diff --git a/tests/data/test322 b/tests/data/test322 new file mode 100644 index 000000000..f44deb54b --- /dev/null +++ b/tests/data/test322 @@ -0,0 +1,33 @@ +<testcase> +<info> +<keywords> +HTTPS +TLS-SRP +FAILURE +</keywords> +</info> + +# Client-side +<client> +<server> +http+tls-srp +</server> +<features> +TLS-SRP +</features> + <name> +TLS-SRP with bad password + </name> +<command> +--insecure --tlsauthtype SRP --tlsuser jsmith --tlspassword badpass https://%HOSTIP:%HTTPTLSSRPPORT +</command> +</client> + +# Verify data after the test has been "shot" +<verify> +<errorcode> +35 +</errorcode> +</verify> + +</testcase> diff --git a/tests/data/test323 b/tests/data/test323 new file mode 100644 index 000000000..6439b4d43 --- /dev/null +++ b/tests/data/test323 @@ -0,0 +1,33 @@ +<testcase> +<info> +<keywords> +HTTPS +TLS-SRP +FAILURE +</keywords> +</info> + +# Client-side +<client> +<server> +https +</server> +<features> +TLS-SRP +</features> + <name> +TLS-SRP to non-TLS-SRP server + </name> +<command> +--insecure --tlsauthtype SRP --tlsuser jsmith --tlspassword badpass https://%HOSTIP:%HTTPSPORT/want/323 +</command> +</client> + +# Verify data after the test has been "shot" +<verify> +<errorcode> +35 +</errorcode> +</verify> + +</testcase> diff --git a/tests/data/test324 b/tests/data/test324 new file mode 100644 index 000000000..df150ab3c --- /dev/null +++ b/tests/data/test324 @@ -0,0 +1,33 @@ +<testcase> +<info> +<keywords> +HTTPS +TLS-SRP +FAILURE +</keywords> +</info> + +# Client-side +<client> +<server> +http+tls-srp +</server> +<features> +TLS-SRP +</features> + <name> +TLS-SRP with server cert checking + </name> +<command> # no --insecure +--tlsauthtype SRP --tlsuser jsmith --tlspassword abc https://%HOSTIP:%HTTPTLSSRPPORT/want/323 +</command> +</client> + +# Verify data after the test has been "shot" +<verify> +<errorcode> +51 +</errorcode> +</verify> + +</testcase> diff --git a/tests/runtests.pl b/tests/runtests.pl index 9f4430694..15461d63d 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl @@ -100,6 +100,7 @@ use sshhelp qw( find_sshd find_ssh find_sftp + find_gnutls_serv sshversioninfo ); @@ -135,6 +136,7 @@ my $RTSPPORT; # RTSP my $RTSP6PORT; # RTSP IPv6 server port my $GOPHERPORT; # Gopher my $GOPHER6PORT; # Gopher IPv6 server port +my $HTTPTLSSRPPORT; # TLS-SRP HTTP port my $srcdir = $ENV{'srcdir'} || '.'; my $CURL="../src/curl".exe_ext(); # what curl executable to run on the tests @@ -202,6 +204,7 @@ my $has_libz; # set if libcurl is built with libz support my $has_getrlimit; # set if system has getrlimit() my $has_ntlm; # set if libcurl is built with NTLM support my $has_charconv;# set if libcurl is built with CharConv support +my $has_tls_srp; # set if libcurl is built with TLS-SRP support my $has_openssl; # built with a lib using an OpenSSL-like API my $has_gnutls; # built with GnuTLS @@ -334,7 +337,7 @@ sub init_serverpidfile_hash { } } } - for my $proto (('tftp', 'sftp', 'socks', 'ssh', 'rtsp', 'gopher')) { + for my $proto (('tftp', 'sftp', 'socks', 'ssh', 'rtsp', 'gopher', 'http+tls-srp')) { for my $ipvnum ((4, 6)) { for my $idnum ((1, 2)) { my $serv = servername_id($proto, $ipvnum, $idnum); @@ -957,6 +960,81 @@ sub verifysftp { return $verified; } +####################################################################### +# Verify that the TLS-SRP HTTP server that runs on $ip, $port is our server. +# This also implies that we can speak with it, as there might be occasions when +# the server runs fine but we cannot talk to it ("Failed to connect to ::1: +# Can't assign requested address" # + +sub verifyhttptlssrp { + my ($proto, $ipvnum, $idnum, $ip, $port) = @_; + my $server = servername_id($proto, $ipvnum, $idnum); + my $pidfile = server_pidfilename($proto, $ipvnum, $idnum); + my $pid = 0; + my $bonus=""; + + my $verifyout = "$LOGDIR/". + servername_canon($proto, $ipvnum, $idnum) .'_verify.out'; + unlink($verifyout) if(-f $verifyout); + + my $verifylog = "$LOGDIR/". + servername_canon($proto, $ipvnum, $idnum) .'_verify.log'; + unlink($verifylog) if(-f $verifylog); + + my $flags = "--max-time $server_response_maxtime "; + $flags .= "--output $verifyout "; + $flags .= "--verbose "; + $flags .= "--globoff "; + $flags .= "--insecure "; + $flags .= "--tlsauthtype SRP --tlsuser jsmith --tlspassword abc "; + $flags .= "\"https://$ip:$port/verifiedserver\""; + + my $cmd = "$VCURL $flags 2>$verifylog"; + + # verify if our/any server is running on this port + logmsg "RUN: $cmd\n" if($verbose); + my $res = runclient($cmd); + + $res >>= 8; # rotate the result + if($res & 128) { + logmsg "RUN: curl command died with a coredump\n"; + return -1; + } + + if($res && $verbose) { + logmsg "RUN: curl command returned $res\n"; + if(open(FILE, "<$verifylog")) { + while(my $string = <FILE>) { + logmsg "RUN: $string" if($string !~ /^([ \t]*)$/); + } + close(FILE); + } + } + + my $data; + if(open(FILE, "<$verifyout")) { + while(my $string = <FILE>) { + $data .= $string; + } + close(FILE); + } + + if($data && ($data =~ /GNUTLS/) && open(FILE, "<$pidfile")) { + $pid=0+<FILE>; + close(FILE); + return $pid; + } + elsif($res == 6) { + # curl: (6) Couldn't resolve host '::1' + logmsg "RUN: failed to resolve host (https://$ip:$port/verifiedserver)\n"; + return -1; + } + elsif($data || ($res && ($res != 7))) { + logmsg "RUN: Unknown server on our $server port: $port ($res)\n"; + return -1; + } + return $pid; +} ####################################################################### # STUB for verifying socks @@ -1001,7 +1079,8 @@ my %protofunc = ('http' => \&verifyhttp, 'tftp' => \&verifyftp, 'ssh' => \&verifyssh, 'socks' => \&verifysocks, - 'gopher' => \&verifyhttp); + 'gopher' => \&verifyhttp, + 'http+tls-srp' => \&verifyhttptlssrp); sub verifyserver { my ($proto, $ipvnum, $idnum, $ip, $port) = @_; @@ -1192,6 +1271,87 @@ sub runhttpsserver { } ####################################################################### +# start the TLS-SRP HTTP server +# +sub runhttptlssrpserver { + my ($verbose) = @_; + my $proto = "http+tls-srp"; + my $ip = $HOSTIP; + my $port = $HTTPTLSSRPPORT; + my $ipvnum = 4; + my $idnum = 1; + my $server; + my $srvrname; + my $pidfile; + my $logfile; + my $flags = ""; + + $server = servername_id($proto, $ipvnum, $idnum); + + $pidfile = $serverpidfile{$server}; + + # don't retry if the server doesn't work + if ($doesntrun{$pidfile}) { + return (0,0); + } + + my $pid = processexists($pidfile); + if($pid > 0) { + stopserver($server, "$pid"); + } + unlink($pidfile) if(-f $pidfile); + + $srvrname = servername_str($proto, $ipvnum, $idnum); + + $logfile = server_logfilename($LOGDIR, $proto, $ipvnum, $idnum); + + $flags .= "--fork " if($forkserver); + $flags .= "--http "; + $flags .= "-d 1 " if($debugprotocol); + $flags .= "--port $port "; + $flags .= "--srppasswd certs/srp-verifier-db --srppasswdconf certs/srp-verifier-conf "; + $flags .=" >log/gnutls.out 2>&1"; + + # Find gnutls-serv + my $gnutlsserv = find_gnutls_serv(); + if(!$gnutlsserv) { + logmsg "RUN: cannot find gnutls-serv\n"; + return (0,0); + } + my $cmd = "$gnutlsserv $flags"; + my ($httptlssrppid, $pid2) = startnew($cmd, $pidfile, 1, 1); + + if($httptlssrppid <= 0 || !kill(0, $httptlssrppid)) { + # it is NOT alive + logmsg "RUN: failed to start the $srvrname server\n"; + stopserver($server, "$pid2"); + displaylogs($testnumcheck); + $doesntrun{$pidfile} = 1; + return (0,0); + } + + # Server is up. Verify that we can speak to it. + my $pid3 = verifyserver($proto, $ipvnum, $idnum, $ip, $port); + if(!$pid3) { + logmsg "RUN: $srvrname server failed verification\n"; + # failed to talk to it properly. Kill the server and return failure + stopserver($server, "$httptlssrppid $pid2"); + displaylogs($testnumcheck); + $doesntrun{$pidfile} = 1; + return (0,0); + } + $pid2 = $pid3; + + if($verbose) { + logmsg "RUN: $srvrname server is now running PID $httptlssrppid\n"; + } + + sleep(1); + + return ($httptlssrppid, $pid2); +} + +####################################################################### # start the pingpong server (FTP, POP3, IMAP, SMTP) # sub runpingpongserver { @@ -1967,6 +2127,13 @@ sub checksystem { # compiled in because the <features> test will fail. push @protocols, map($_ . "-ipv6", @protocols); + # Hack - we need a different, non-stunnel server to test HTTP + # TLS-SRP, but we don't want to add HTTP+TLS-SRP as a protocol + # throughout curl + if ($has_gnutls) { + push @protocols, ('http+tls-srp'); + } + # 'none' is used in test cases to mean no server push @protocols, ('none'); } @@ -2008,6 +2175,10 @@ sub checksystem { # CharConv enabled $has_charconv=1; } + if($feat =~ /TLS-SRP/i) { + # TLS-SRP enabled + $has_tls_srp=1; + } } } if(!$curl) { @@ -2171,6 +2342,7 @@ sub subVariables { $$thing =~ s/%RTSP6PORT/$RTSP6PORT/g; $$thing =~ s/%GOPHERPORT/$GOPHERPORT/g; $$thing =~ s/%GOPHER6PORT/$GOPHER6PORT/g; + $$thing =~ s/%HTTPTLSSRPPORT/$HTTPTLSSRPPORT/g; # The purpose of FTPTIME2 and FTPTIME3 is to provide times that can be # used for time-out tests and that whould work on most hosts as these @@ -2354,6 +2526,11 @@ sub singletest { next; } } + elsif($f eq "TLS-SRP") { + if($has_tls_srp) { + next; + } + } elsif($f eq "socks") { next; } @@ -3257,7 +3434,7 @@ sub startservers { for(@what) { my (@whatlist) = split(/\s+/,$_); my $what = lc($whatlist[0]); - $what =~ s/[^a-z0-9-]//g; + $what =~ s/[^a-z0-9-+]//g; my $certfile; if($what =~ /^(ftp|http|imap|pop3|smtp)s(.*)$/) { @@ -3432,6 +3609,20 @@ sub startservers { $run{'https'}="$pid $pid2"; } } + elsif($what eq "http+tls-srp") { + if(!$has_gnutls) { + return "no GnuTLS"; + } + if(!$run{'http+tls-srp'}) { + ($pid, $pid2) = runhttptlssrpserver($verbose); + if($pid <= 0) { + return "failed starting HTTP+TLS-SRP server (gnutls-serv)"; + } + logmsg sprintf("* pid http+tls-srp => %d %d\n", $pid, $pid2) + if($verbose); + $run{'http+tls-srp'}="$pid $pid2"; + } + } elsif($what eq "tftp") { if(!$run{'tftp'}) { ($pid, $pid2) = runtftpserver("", $verbose); @@ -3522,7 +3713,7 @@ sub serverfortest { my $proto = lc($_); chomp $proto; $proto =~ s/\s.*//g; # take first word - if (! grep /^$proto$/, @protocols) { + if (! grep /^\Q$proto\E$/, @protocols) { if (substr($proto,0,5) ne "socks") { return "curl lacks $proto support"; } @@ -3905,6 +4096,7 @@ $RTSPPORT = $base++; $RTSP6PORT = $base++; $GOPHERPORT =$base++; $GOPHER6PORT=$base++; +$HTTPTLSSRPPORT=$base++; ####################################################################### # clear and create logging directory: diff --git a/tests/serverhelp.pm b/tests/serverhelp.pm index 34b155d0e..faaeebfd0 100644 --- a/tests/serverhelp.pm +++ b/tests/serverhelp.pm @@ -96,7 +96,7 @@ sub servername_str { $proto = uc($proto) if($proto); die "unsupported protocol: $proto" unless($proto && - ($proto =~ /^(((FTP|HTTP|IMAP|POP3|SMTP)S?)|(TFTP|SFTP|SOCKS|SSH|RTSP|GOPHER))$/)); + ($proto =~ /^(((FTP|HTTP|IMAP|POP3|SMTP)S?)|(TFTP|SFTP|SOCKS|SSH|RTSP|GOPHER|HTTP\+TLS-SRP))$/)); $ipver = (not $ipver) ? 'ipv4' : lc($ipver); die "unsupported IP version: $ipver" unless($ipver && diff --git a/tests/sshhelp.pm b/tests/sshhelp.pm index 18de9d3ec..493cbfed8 100644 --- a/tests/sshhelp.pm +++ b/tests/sshhelp.pm @@ -5,7 +5,7 @@ # | (__| |_| | _ <| |___ # \___|\___/|_| \_\_____| # -# Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al. +# Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms @@ -95,6 +95,7 @@ use vars qw( find_sftpsrv find_sftp find_sshkeygen + find_gnutls_serv logmsg sshversioninfo ); @@ -290,6 +291,12 @@ sub find_sfile { return find_file($filename, @spath); } +#*************************************************************************** +# Find gnutls-serv and return canonical filename +# +sub find_gnutls_serv { + return find_file("gnutls-serv", split(':', $ENV{PATH})); +} #*************************************************************************** # Find ssh daemon and return canonical filename |