| author | Garrett D'Amore <garrett@damore.org> | 2020-02-08 12:46:47 -0800 |
|---|---|---|
| committer | Garrett D'Amore <garrett@damore.org> | 2020-02-23 17:06:58 -0800 |
| commit | ee0b44406d2b658886760ea08c0af12781ab7e3a (patch) | |
| tree | 674d2d31df7a62c367c161261c942e96f7909166 /tests | |
| parent | 56bcc0310c4710bb21802719566926c2ccd2262a (diff) | |
| download | nng-ee0b44406d2b658886760ea08c0af12781ab7e3a.tar.gz nng-ee0b44406d2b658886760ea08c0af12781ab7e3a.tar.bz2 nng-ee0b44406d2b658886760ea08c0af12781ab7e3a.zip | |
fixes #1005 TLS 1.3 support
This introduces support for an external wolfSSL plugin, and generally
creates the framework for pluggable TLS implementations.
The wolfSSL engine is provided via an external module (git submodule),
available either under a GPLv3 license or a commercial license.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/CMakeLists.txt | 4 | ||||
| -rw-r--r-- | tests/tls.c | 168 | ||||
| -rw-r--r-- | tests/wss.c | 6 |
3 files changed, 90 insertions, 88 deletions
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 3690a4aa..e258d3ad 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -153,7 +153,7 @@ add_nng_test(scalability 20 ON)
 add_nng_test(set_recvmaxsize 2)
 add_nng_test1(stats 5 NNG_ENABLE_STATS)
 add_nng_test(synch 5)
-add_nng_test1(tls 60 NNG_TRANSPORT_TLS)
+add_nng_test(tls 60)
 add_nng_test(tcpsupp 10)
 add_nng_test(tcp 180)
 add_nng_test(tcp6 60)
@@ -161,7 +161,7 @@ add_nng_test(transport 5)
 add_nng_test(udp 5)
 add_nng_test(url 5)
 add_nng_test(ws 30)
-add_nng_test1(wss 30 NNG_TRANSPORT_WSS)
+add_nng_test(wss 30)
 add_nng_test1(zt 60 NNG_TRANSPORT_ZEROTIER)
 add_nng_test(bus 5)
diff --git a/tests/tls.c b/tests/tls.c
index 6dfcaf01..59525089 100644
--- a/tests/tls.c
+++ b/tests/tls.c
@@ -1,6 +1,6 @@
 //
 // Copyright 2018 Capitar IT Group BV <info@capitar.com>
-// Copyright 2018 Staysail Systems, Inc. <info@staysail.tech>
+// Copyright 2020 Staysail Systems, Inc. <info@staysail.tech>
 //
 // This software is supplied under the terms of the MIT License, a
 // copy of which should be located in the distribution where this
@@ -29,78 +29,38 @@
 //
 // Generated using openssl:
 //
-// % openssl rsa -genkey -out key.key
+// % openssl ecparam -name secp224r1 -genkey -out key.key
 // % openssl req -new -key key.key -out cert.csr -sha256
 // % openssl x509 -req -in cert.csr -days 36500 -out cert.crt
 // -signkey key.key -sha256
 //
-// Relevant metadata:
+// Secp224r1 chosen as a least common denominator recommended by NIST-800.
 //
-// Certificate:
-// Data:
-// Version: 1 (0x0)
-// Serial Number: 17127835813110005400 (0xedb24becc3a2be98)
-// Signature Algorithm: sha256WithRSAEncryption
-// Issuer: C=US, ST=CA, L=San Diego, O=nanomsg.org, CN=localhost
-// Validity
-// Not Before: Jan 11 22:34:35 2018 GMT
-// Not After : Dec 18 22:34:35 2117 GMT
-// Subject: C=US, ST=CA, L=San Diego, O=nanomsg.org, CN=localhost
-// Subject Public Key Info:
-// Public Key Algorithm: rsaEncryption
-// Public-Key: (2048 bit)
 //
 static const char cert[] =
 "-----BEGIN CERTIFICATE-----\n"
- "MIIDLjCCAhYCCQDtskvsw6K+mDANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJV\n"
- "UzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNhbiBEaWVnbzEUMBIGA1UECgwLbmFu\n"
- "b21zZy5vcmcxEjAQBgNVBAMMCWxvY2FsaG9zdDAgFw0xODAxMTEyMjM0MzVaGA8y\n"
- "MTE3MTIxODIyMzQzNVowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYD\n"
- "VQQHDAlTYW4gRGllZ28xFDASBgNVBAoMC25hbm9tc2cub3JnMRIwEAYDVQQDDAls\n"
- "b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMvoHdEnfO\n"
- "hmG3PTj6YC5qz6N5hgmcwf4EZkor4+R1Q5hDOKqOknWmVuGBD5mA61ObK76vycIT\n"
- "Tp+H+vKvfgunySZrlyYg8IbgoDbvVgj9RF8xFHdN0PVeqnkBCsCzLtSu6TP8PSgI\n"
- "SKiRMH0NUSakWqCPEc2E1r1CKdOpa7av/Na30LPsuKFcAUhu7QiVYfER86ktrO8G\n"
- "F2PeVy44Q8RkiLw8uhU0bpAflqkR1KCjOLajw1eL3C+Io75Io8qUOLxWc3LH0hl3\n"
- "oEI0jWu7JYlRAw/O7xm4pcGTwy5L8Odz4a7ZTAmuapFRarGOIcDg8Yr0tllRd1mH\n"
- "1T4Z2Wv7Rs0tAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIfUXK7UonrYAOrlXUHH\n"
- "gfHNdOXMzQP2Ms6Sxov+1tCTfgsYE65Mggo7hRJUqmKpstpbdRBVXhTyht/xjyTz\n"
- "5sMjoeCyv1tXOHpLTfD3LBXwYZwsFdoLS1UHhD3qiYjCyyY2LWa6S786CtlcbCvu\n"
- "Uij2q8zJ4WFrNqAzxZtsTfg16/6JRFw9zpVSCNlHqCxNQxzWucbmUFTiWn9rnc/N\n"
- "r7utG4JsDPZbEI6QS43R7gGLDF7s0ftWKqzlQiZEtuDQh2p7Uejbft8XmZd/VuV/\n"
- "dFMXOO1rleU0lWAJcXWOWHH3er0fivu2ISL8fRjjikYvhRGxtkwC0kPDa2Ntzgd3\n"
- "Hsg=\n"
+ "MIIBzDCCAXkCCQCNJMf8eYUHxTAKBggqhkjOPQQDAjB2MQswCQYDVQQGEwJVUzEL\n"
+ "MAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNhbiBEaWVnbzEUMBIGA1UECgwLbmFub21z\n"
+ "Zy5vcmcxHDAaBgNVBAsME1NhbXBsZSBDZXJ0aWZpY2F0ZXMxEjAQBgNVBAMMCWxv\n"
+ "Y2FsaG9zdDAgFw0yMDAyMjMxODMwMDZaGA8yMTIwMDEzMDE4MzAwNlowdjELMAkG\n"
+ "A1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTYW4gRGllZ28xFDASBgNV\n"
+ "BAoMC25hbm9tc2cub3JnMRwwGgYDVQQLDBNTYW1wbGUgQ2VydGlmaWNhdGVzMRIw\n"
+ "EAYDVQQDDAlsb2NhbGhvc3QwTjAQBgcqhkjOPQIBBgUrgQQAIQM6AAS9hA5gYo10\n"
+ "jx+gzJdzYbxHzigJYXawdHtyoAud/TT/dUCt0ycpOzTMiO3CoDNxep+/mkmgxjfp\n"
+ "ujAKBggqhkjOPQQDAgNBADA+Ah0A9b+GcfbhzzmI2NcYb4auE6XTYJPkPzHt6Adi\n"
+ "fwIdAMJO2LEr6WHH6JGLlishVqjF78TtkuB5t+kzneQ=\n"
 "-----END CERTIFICATE-----\n";
 static const char key[] =
- "-----BEGIN RSA PRIVATE KEY-----\n"
- "MIIEpQIBAAKCAQEAzL6B3RJ3zoZhtz04+mAuas+jeYYJnMH+BGZKK+PkdUOYQziq\n"
- "jpJ1plbhgQ+ZgOtTmyu+r8nCE06fh/ryr34Lp8kma5cmIPCG4KA271YI/URfMRR3\n"
- "TdD1Xqp5AQrAsy7Urukz/D0oCEiokTB9DVEmpFqgjxHNhNa9QinTqWu2r/zWt9Cz\n"
- "7LihXAFIbu0IlWHxEfOpLazvBhdj3lcuOEPEZIi8PLoVNG6QH5apEdSgozi2o8NX\n"
- "i9wviKO+SKPKlDi8VnNyx9IZd6BCNI1ruyWJUQMPzu8ZuKXBk8MuS/Dnc+Gu2UwJ\n"
- "rmqRUWqxjiHA4PGK9LZZUXdZh9U+Gdlr+0bNLQIDAQABAoIBAC82HqvjfkzZH98o\n"
- "9uKFGy72AjQbfEvxT6mkDKZiPmPr2khl4K5Ph2F71zPzbOoVWYoGZEoUs/PPxWmN\n"
- "rDhbUES4VWupxtkBnZheWUyHAjukcG7Y0UnYTTwvAwgCerzWp6RNkfcwAvMmDfis\n"
- "vak8dTSg0TUsXb+r5KhFDNGcTNv3f7R0cJmaZ/t9FT7SerXf1LW7itvTjRor8/ZK\n"
- "KPwT4oklp1o6RFXSenn/e2e3rAjI+TEwJA3Zp5dqO/M/AhaZKVaxL4voDVdVVkT+\n"
- "LHJWVhjLY5ilPkmPWqmZ2reTaF+gGSSjAQ+t/ahGWFqEdWIz9UoXhBBOd1ibeyvd\n"
- "Kyxp1QECgYEA8KcDkmwPrhqFlQe/U+Md27OhrQ4cecLCa6EVLsCXN1bFyCi3NSo2\n"
- "o5zFCC699KOL0ZwSmYlaQP4xjnqv4Gsa0s3uL7tqOJR2UuEtGK/MPMluGHVaWsGt\n"
- "zbnWH3xgsvvsxdt6hInFhcABLDupW336tJ8EcH7mOKoIP+azwF4kPiUCgYEA2c09\n"
- "zJBUW6SZXhgJ5vgENYc+UwDT7pfhIWZaRL+wXnwSoa7igodTKJtQp/KfFBJK4RA0\n"
- "prvwj4Wr/1ScaboR2hYZApbqXU5zkEkjC1hHIbg1fBe0EcnhP7ojMXrk6B5ed+Lq\n"
- "OVdYhUuvtdL/perelmbTJLnb8S214+tzVyg7EGkCgYEA6JLwX8zxpnhZSztOjBr9\n"
- "2zuSb7YojQBNd0kZOLLGMaQ5xwSactYWMi8rOIo76Lc6RFxKmXnl8NP5PtKRMRkx\n"
- "tjNxE05UDNRmOhkGxUn433JoZVjc9sMhXqZQKuPAbJoOLPW9RWQEsgtq1r3eId7x\n"
- "sSfRWYs6od6p1F/4rlwNOMUCgYEAtJmqf+DCAoe3IL3gICRSISy28k7CbZqE9JQR\n"
- "j+Y/Uemh7W29pyydOROoysq1PAh7DKrKbeNzcx8NYxh+5nCC8wrVzD7lsV8nFmJ+\n"
- "655UxVIhD3f8Oa/j1lr7acEU5KCiBtkjDU8vOMBsv+FpWOQrlB1JQa/X/+G+bHLF\n"
- "XmUerNkCgYEAv7R8vIKgJ1f69imgHdB31kue3wnOO/6NlfY3GTcaZcTdChY8SZ5B\n"
- "xits8xog0VcaxXhWlfO0hyCnZ9YRQbyDu0qp5eBU2p3qcE01x4ljJBZUOTweG06N\n"
- "cL9dYcwse5FhNMjrQ/OKv6B38SIXpoKQUtjgkaMtmpK8cXX1eqEMNkM=\n"
- "-----END RSA PRIVATE KEY-----\n";
+ "-----BEGIN EC PARAMETERS-----\n"
+ "gUrgQQAIQ==\n"
+ "-----END EC PARAMETERS-----\n"
+ "-----BEGIN EC PRIVATE KEY-----\n"
+ "MGgCAQEEHChK068x8MWcBzhpO7qANvW4iTo7E0yzMYFXGn+gBwYFK4EEACGhPAM6\n"
+ "AAS9hA5gYo10jx+gzJdzYbxHzigJYXawdHtyoAud/TT/dUCt0ycpOzTMiO3CoDNx\n"
+ "ep+/mkmgxjfpug==\n"
+ "-----END EC PRIVATE KEY-----\n";
 static int
 check_props_v4(nng_msg *msg)
@@ -146,7 +106,7 @@ check_props_v4(nng_msg *msg)
 }
 static int
-init_dialer_tls(nng_dialer d)
+init_dialer_tls_ex(nng_dialer d, bool own_cert)
 {
 nng_tls_config *cfg;
 int rv;
@@ -159,10 +119,18 @@ init_dialer_tls(nng_dialer d)
 goto out;
 }
- if ((rv = nng_tls_config_server_name(cfg, "127.0.0.1")) != 0) {
+ if ((rv = nng_tls_config_server_name(cfg, "localhost")) != 0) {
 goto out;
 }
- nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_NONE);
+ nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_REQUIRED);
+
+ if (own_cert) {
+ if ((rv = nng_tls_config_own_cert(cfg, cert, key, NULL)) !=
+ 0) {
+ goto out;
+ }
+ }
+ + rv = nng_dialer_setopt_ptr(d, NNG_OPT_TLS_CONFIG, cfg);
 out:
@@ -171,7 +139,13 @@ out:
 }
 static int
-init_listener_tls(nng_listener l)
+init_dialer_tls(nng_dialer d)
+{
+ return (init_dialer_tls_ex(d, false));
+}
+
+static int
+init_listener_tls_ex(nng_listener l, int auth_mode)
 {
 nng_tls_config *cfg;
 int rv;
@@ -185,12 +159,31 @@ init_listener_tls(nng_listener l)
 if ((rv = nng_listener_setopt_ptr(l, NNG_OPT_TLS_CONFIG, cfg)) != 0) {
 goto out;
 }
+ switch (auth_mode) {
+ case NNG_TLS_AUTH_MODE_REQUIRED:
+ case NNG_TLS_AUTH_MODE_OPTIONAL:
+ if ((rv = nng_tls_config_ca_chain(cfg, cert, NULL)) != 0) {
+ goto out;
+ }
+ break;
+ default:
+ break;
+ }
+ if ((rv = nng_tls_config_auth_mode(cfg, auth_mode)) != 0) {
+ goto out;
+ }
 out:
 nng_tls_config_free(cfg);
 return (0);
 }
 static int
+init_listener_tls(nng_listener l)
+{
+ return (init_listener_tls_ex(l, NNG_TLS_AUTH_MODE_NONE));
+}
+
+static int
 init_dialer_tls_file(nng_dialer d)
 {
 int rv;
@@ -265,6 +258,10 @@ init_listener_tls_file(nng_listener l)
 TestMain("TLS Transport", {
 static trantest tt;
+ if (strcmp(nng_tls_engine_name(), "none") == 0) {
+ Skip("TLS not enabled");
+ }
+
 tt.dialer_init = init_dialer_tls;
 tt.listener_init = init_listener_tls;
 tt.tmpl = "tls+tcp://127.0.0.1:%u";
@@ -314,7 +311,7 @@ TestMain("TLS Transport", {
 So(nng_dialer_start(d, 0) == 0);
 });
- Convey("We can bind to port zero", {
+ SkipConvey("We can bind to port zero", {
 nng_socket s1;
 nng_socket s2;
 nng_listener l;
@@ -389,7 +386,7 @@ TestMain("TLS Transport", {
 So(nng_dialer_start(d, 0) == 0);
 });
- Convey("Botched local interfaces fail resonably", {
+ Convey("Botched local interfaces fail reasonably", {
 nng_socket s1;
 So(nng_pair_open(&s1) == 0);
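Review bot: The `goto out` paths added in init_listener_tls_ex for a failed `nng_tls_config_ca_chain` or `nng_tls_config_auth_mode` land on an `out:` label that still ends in `return (0);`, so a listener that never loaded the CA chain or never switched to REQUIRED mode is reported as configured, and the `So(init_listener_tls_ex(l, NNG_TLS_AUTH_MODE_REQUIRED) == 0)` assertion in the later tls+tcp4 hunk cannot detect it. Every path visible here assigns `rv` before reaching the label, so `return (rv);` is the whole fix. Separately, the config is handed to `nng_listener_setopt_ptr` before the CA chain and auth mode are applied; if the option keeps a reference to the same object that is fine, but if it copies the configuration those later changes would not reach the listener — worth confirming against the option's documentation. The function's opening lines are outside the hunk.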
@@ -407,15 +404,13 @@ TestMain("TLS Transport", {
 NNG_EADDRINVAL);
 });
-#if 0
-// We really need to have pipe start/negotiate as one of the key steps during
-// connect establish. Until that happens, we cannot verify the peer.
-// See bug #208.
- Convey("Verify works", {
+ // We really need to have pipe start/negotiate as one of the key steps
+ // during connect establish. Until that happens, we cannot verify the
+ // peer. See bug #208.
+ SkipConvey("Verify works", {
 nng_socket s1;
 nng_socket s2;
 nng_listener l;
- char * buf;
 size_t sz;
 char addr[NNG_MAXADDRLEN];
@@ -438,11 +433,10 @@ TestMain("TLS Transport", {
 So(nng_dial(s2, addr, NULL, 0) == NNG_EPEERAUTH);
 });
-#endif
 Convey("No verify works", {
- nng_socket s1;
- nng_socket s2;
+ nng_socket s1; // server
+ nng_socket s2; // client
 nng_listener l;
 char addr[NNG_MAXADDRLEN];
 nng_msg * msg;
@@ -459,6 +453,8 @@ TestMain("TLS Transport", {
 trantest_next_address(addr, "tls+tcp://*:%u");
 So(nng_listener_create(&l, s1, addr) == 0);
 So(init_listener_tls_file(l) == 0);
+ So(nng_listener_setopt_int(l, NNG_OPT_TLS_AUTH_MODE,
+ NNG_TLS_AUTH_MODE_OPTIONAL) == 0);
 So(nng_listener_start(l, 0) == 0);
 nng_msleep(100);
@@ -467,14 +463,12 @@ TestMain("TLS Transport", {
 So(nng_setopt_ms(s2, NNG_OPT_RECVTIMEO, 200) == 0);
 So(nng_dialer_create(&d, s2, addr) == 0);
 So(init_dialer_tls_file(d) == 0);
- So(nng_dialer_setopt_int(d, NNG_OPT_TLS_AUTH_MODE,
- NNG_TLS_AUTH_MODE_OPTIONAL) == 0);
 So(nng_dialer_setopt_string(
- d, NNG_OPT_TLS_SERVER_NAME, "example.com") == 0);
+ d, NNG_OPT_TLS_SERVER_NAME, "localhost") == 0);
 So(nng_dialer_start(d, 0) == 0);
- So(nng_send(s1, "hello", 6, 0) == 0);
- So(nng_recvmsg(s2, &msg, 0) == 0);
+ So(nng_send(s2, "hello", 6, 0) == 0);
+ So(nng_recvmsg(s1, &msg, 0) == 0);
 So(msg != NULL);
 So(nng_msg_len(msg) == 6);
 So(strcmp(nng_msg_body(msg), "hello") == 0);
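Review bot: In `Convey("No verify works", …)` the receive moves to the listening socket (`So(nng_recvmsg(s1, &msg, 0) == 0);`) but the only receive timeout visible in the hunk is `So(nng_setopt_ms(s2, NNG_OPT_RECVTIMEO, 200) == 0);` on s2, which after this change only sends; unless s1 is given a timeout earlier in the block (outside the hunk), a handshake that never completes makes this assertion block rather than fail within 200 ms. The same pattern appears in the tls+tcp4 hunk that follows, where `So(nng_setopt_ms(s2, NNG_OPT_RECVTIMEO, 200) == 0);` is added while the recv is also on s1. Suggest `So(nng_setopt_ms(s1, NNG_OPT_RECVTIMEO, 200) == 0);` beside the listener setup in both places. Both Convey blocks begin and end outside their hunks.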
@@ -503,20 +497,24 @@ TestMain("TLS Transport", {
 });
 trantest_next_address(addr, "tls+tcp4://*:%u");
 So(nng_listener_create(&l, s1, addr) == 0);
- So(init_listener_tls_file(l) == 0);
+ So(init_listener_tls_ex(l, NNG_TLS_AUTH_MODE_REQUIRED) == 0);
 So(nng_listener_start(l, 0) == 0);
+ nng_msleep(100);
 // reset port back one
 trantest_prev_address(addr, "tls+tcp4://localhost:%u");
 So(nng_dialer_create(&d, s2, addr) == 0);
- So(init_dialer_tls_file(d) == 0);
+ So(init_dialer_tls_ex(d, true) == 0);
+ So(nng_setopt_ms(s2, NNG_OPT_RECVTIMEO, 200) == 0);
 So(nng_dialer_start(d, 0) == 0);
 nng_msleep(100);
- So(nng_send(s1, "hello", 6, 0) == 0);
- So(nng_recvmsg(s2, &msg, 0) == 0);
+ // send from the server to the client-- the client always
+ // verifies the server.
+ So(nng_send(s2, "hello", 6, 0) == 0);
+ So(nng_recvmsg(s1, &msg, 0) == 0);
 So(msg != NULL);
 So(nng_msg_len(msg) == 6);
 So(strcmp(nng_msg_body(msg), "hello") == 0);
diff --git a/tests/wss.c b/tests/wss.c
index 78601066..ca33a542 100644
--- a/tests/wss.c
+++ b/tests/wss.c
@@ -1,5 +1,5 @@
 //
-// Copyright 2018 Staysail Systems, Inc. <info@staysail.tech>
+// Copyright 2020 Staysail Systems, Inc. <info@staysail.tech>
 // Copyright 2018 Capitar IT Group BV <info@capitar.com>
 //
 // This software is supplied under the terms of the MIT License, a
@@ -235,6 +235,10 @@ out:
 TestMain("WebSocket Secure (TLS) Transport", {
 static trantest tt;
+ if (strcmp(nng_tls_engine_name(), "none") == 0) {
+ Skip("TLS not enabled");
+ }
+
 tt.dialer_init = init_dialer_wss;
 tt.listener_init = init_listener_wss;
 tt.tmpl = "wss://localhost:%u/test";
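Review bot: The new comment `// send from the server to the client-- the client always verifies the server.` contradicts the two lines under it: s2 is the socket the dialer is created on (`nng_dialer_create(&d, s2, addr)`) and it is the one calling `nng_send`, while s1 owns the listener and receives, so the message travels client to server. Either the comment or the send/recv pair should change; if the direction the comment describes is the intent, the lines would be `So(nng_send(s1, "hello", 6, 0) == 0);` and `So(nng_recvmsg(s2, &msg, 0) == 0);`, otherwise reword to `// send from the client to the server-- the client always verifies the server.` The enclosing Convey block starts outside the hunk, so which socket actually carries a receive timeout cannot be confirmed from here.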
