      1 /*
      2   This file is part of libmicrohttpd
      3   Copyright (C) 2007, 2010 Christian Grothoff
      4 
      5   libmicrohttpd is free software; you can redistribute it and/or modify
      6   it under the terms of the GNU General Public License as published
      7   by the Free Software Foundation; either version 2, or (at your
      8   option) any later version.
      9 
     10   libmicrohttpd is distributed in the hope that it will be useful, but
     11   WITHOUT ANY WARRANTY; without even the implied warranty of
     12   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     13   General Public License for more details.
     14 
     15   You should have received a copy of the GNU General Public License
     16   along with libmicrohttpd; see the file COPYING.  If not, write to the
     17   Free Software Foundation, Inc., 59 Temple Place - Suite 330,
     18   Boston, MA 02111-1307, USA.
     19 */
     20 
     21 /**
     22  * @file tls_daemon_options_test.c
     23  * @brief  Testcase for libmicrohttpd HTTPS GET operations
     24  * @author Sagie Amir
     25  */
     26 
     27 #include "platform.h"
     28 #include "microhttpd.h"
     29 #include <sys/stat.h>
     30 #include <limits.h>
     31 #include <gcrypt.h>
     32 #include "tls_test_common.h"
     33 
/* Test key material, defined elsewhere in the test suite: a private key and
   (per its name) a self-signed certificate.  In this file they are only ever
   handed to MHD_OPTION_HTTPS_MEM_KEY / MHD_OPTION_HTTPS_MEM_CERT in main(). */
extern const char srv_key_pem[];
extern const char srv_self_signed_cert_pem[];

/* Provided by the shared tls test code.  main() treats a non-zero result as
   "libcurl too old, skip the test"; NOTE(review): that reading is inferred
   from the call site, confirm against the definition. */
int curl_check_version (const char *req_version, ...);
     38 
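/**
 * Negative test: the daemon must refuse to negotiate a connection whose
 * client-requested protocol version is not allowed by the daemon's
 * priority string (see the MHD_OPTION_HTTPS_PRIORITIES value in main()).
 *
 * Allocates a fixed-size response buffer, builds the test URL and sends one
 * request with the given cipher suite and libcurl SSL version.  The test
 * passes only when send_curl_req() reports something other than CURLE_OK,
 * i.e. the handshake did not complete.
 *
 * NOTE(review): every non-CURLE_OK result counts as "rejected", so a request
 * that fails for an unrelated reason (daemon not reachable, bad URL) would
 * also pass.  Confirm the return contract of send_curl_req() in the shared
 * tls test code before relying on this test for downgrade coverage.
 *
 * @param cls unused closure passed through by test_wrap()
 * @param cipher_suite cipher suite name handed to libcurl
 * @param curl_req_ssl_version CURL_SSLVERSION_* value the client requests
 * @return 0 when the daemon rejected the request, -1 on internal error or
 *         when the request unexpectedly succeeded
 */
static int
test_unmatching_ssl_version (void * cls, const char *cipher_suite,
                             int curl_req_ssl_version)
{
  /* single named constant so the allocation and cbc.size cannot drift apart */
  enum { RESPONSE_BUF_SIZE = 256 };
  struct CBC cbc;
  char url[255];
  int rc = -1;

  (void) cls;
  cbc.buf = malloc (RESPONSE_BUF_SIZE);
  if (NULL == cbc.buf)
    {
      fprintf (stderr, "Error: failed to allocate: %s\n",
               strerror (errno));
      return -1;
    }
  cbc.size = RESPONSE_BUF_SIZE;
  cbc.pos = 0;

  if (gen_test_file_url (url, DEAMON_TEST_PORT))
    {
      fprintf (stderr, "Internal error in gen_test_file_url\n");
      goto cleanup;
    }

  /* assert daemon *rejected* request */
  if (CURLE_OK ==
      send_curl_req (url, &cbc, cipher_suite, curl_req_ssl_version))
    {
      fprintf (stderr, "cURL failed to reject request despite SSL version missmatch!\n");
      goto cleanup;
    }
  rc = 0;

cleanup:
  /* single release point for the response buffer on every path */
  free (cbc.buf);
  return rc;
}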
     77 
     78 
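/*
 * Entry point: runs two HTTPS handshake tests against a daemon that is
 * restricted to TLS 1.0 through MHD_OPTION_HTTPS_PRIORITIES.
 *
 *  1. "TLS1.0-AES-SHA1": a matching client (TLS 1.0, AES-128/SHA1) must
 *     complete a transfer (test_https_transfer, shared tls test code).
 *  2. "TLS1.0 vs SSL3": a client asking for SSLv3 must be refused
 *     (test_unmatching_ssl_version above).
 *
 * Exit status is 1 when any test fails, 0 otherwise.  The environment
 * preconditions (libcurl version, SSL backend, curl_global_init) also exit 0,
 * so an unsupported environment reads as "not run" rather than "failed".
 * argc/argv are unused.
 */
int
main (int argc, char *const *argv)
{
  unsigned int errorCount = 0;
  const char *ssl_version;
  CURLcode curl_rc;
  int daemon_flags =
    MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | MHD_USE_DEBUG;

  (void) argc;
  (void) argv;

  /* Test-only libgcrypt setup: no locked secure memory and the quick
     (lower-quality) random number source.  Both trade security for speed
     and must not be copied into production code. */
  gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
  gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
#ifdef GCRYCTL_INITIALIZATION_FINISHED
  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
#endif

  /* Preconditions: skip (exit 0) when libcurl is too old, has no SSL
     support, or is not built against GnuTLS. */
  if (curl_check_version (MHD_REQ_CURL_VERSION))
    {
      return 0;
    }
  ssl_version = curl_version_info (CURLVERSION_NOW)->ssl_version;
  if (NULL == ssl_version)
    {
      fprintf (stderr, "Curl does not support SSL.  Cannot run the test.\n");
      return 0;
    }
  if (0 != strncmp (ssl_version, "GnuTLS", 6))
    {
      fprintf (stderr, "This test can be run only with libcurl-gnutls.\n");
      return 0;
    }

  /* curl_global_init() reports failure through its CURLcode result and does
     not set errno, so report that code rather than strerror(errno).
     NOTE(review): an init failure is an error, not an unsupported
     environment, yet it still exits 0 here; consider a non-zero status. */
  curl_rc = curl_global_init (CURL_GLOBAL_ALL);
  if (CURLE_OK != curl_rc)
    {
      fprintf (stderr, "Error: curl_global_init failed: %s\n",
               curl_easy_strerror (curl_rc));
      return 0;
    }

  /* Cipher suite names differ per libcurl SSL backend.
     NOTE(review): the GnuTLS-only guard above fixes the backend by this
     point, and the NSS-style names are selected when curl_uses_nss_ssl()
     returns 0 — confirm that polarity against its definition in the shared
     tls test code. */
  const char *aes128_sha = "AES128-SHA";
  const char *aes256_sha = "AES256-SHA";
  if (curl_uses_nss_ssl () == 0)
    {
      aes128_sha = "rsa_aes_128_sha";
      aes256_sha = "rsa_aes_256_sha";
    }

  /* Positive case: matching protocol and cipher must complete a transfer. */
  if (0 !=
      test_wrap ("TLS1.0-AES-SHA1",
                 &test_https_transfer, NULL, daemon_flags,
                 aes128_sha,
                 CURL_SSLVERSION_TLSv1,
                 MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
                 MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
                 MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
                 MHD_OPTION_END))
    {
      fprintf (stderr, "TLS1.0-AES-SHA1 test failed\n");
      errorCount++;
    }

  /* Negative case: the daemon only offers TLS 1.0, so a client requesting
     SSLv3 must be refused rather than downgraded. */
  fprintf (stderr,
           "The following handshake should fail (and print an error message)...\n");
  if (0 !=
      test_wrap ("TLS1.0 vs SSL3",
                 &test_unmatching_ssl_version, NULL, daemon_flags,
                 aes256_sha,
                 CURL_SSLVERSION_SSLv3,
                 MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
                 MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
                 MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
                 MHD_OPTION_END))
    {
      fprintf (stderr, "TLS1.0 vs SSL3 test failed\n");
      errorCount++;
    }
  curl_global_cleanup ();

  return errorCount != 0;
}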