Diffstat (limited to 'tests')
-rw-r--r--tests/CMakeLists.txt4
-rw-r--r--tests/tls.c168
-rw-r--r--tests/wss.c6
3 files changed, 90 insertions, 88 deletions
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 3690a4aa..e258d3ad 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -153,7 +153,7 @@ add_nng_test(scalability 20 ON)
add_nng_test(set_recvmaxsize 2)
add_nng_test1(stats 5 NNG_ENABLE_STATS)
add_nng_test(synch 5)
-add_nng_test1(tls 60 NNG_TRANSPORT_TLS)
+add_nng_test(tls 60)
add_nng_test(tcpsupp 10)
add_nng_test(tcp 180)
add_nng_test(tcp6 60)
@@ -161,7 +161,7 @@ add_nng_test(transport 5)
add_nng_test(udp 5)
add_nng_test(url 5)
add_nng_test(ws 30)
-add_nng_test1(wss 30 NNG_TRANSPORT_WSS)
+add_nng_test(wss 30)
add_nng_test1(zt 60 NNG_TRANSPORT_ZEROTIER)
add_nng_test(bus 5)
diff --git a/tests/tls.c b/tests/tls.c
index 6dfcaf01..59525089 100644
--- a/tests/tls.c
+++ b/tests/tls.c
@@ -1,6 +1,6 @@
//
// Copyright 2018 Capitar IT Group BV <info@capitar.com>
-// Copyright 2018 Staysail Systems, Inc. <info@staysail.tech>
+// Copyright 2020 Staysail Systems, Inc. <info@staysail.tech>
//
// This software is supplied under the terms of the MIT License, a
// copy of which should be located in the distribution where this
@@ -29,78 +29,38 @@
//
// Generated using openssl:
//
-// % openssl rsa -genkey -out key.key
+// % openssl ecparam -name secp224r1 -genkey -out key.key
// % openssl req -new -key key.key -out cert.csr -sha256
// % openssl x509 -req -in cert.csr -days 36500 -out cert.crt
// -signkey key.key -sha256
//
-// Relevant metadata:
+// Secp224r1 chosen as a least common denominator recommended by NIST-800.
//
-// Certificate:
-// Data:
-// Version: 1 (0x0)
-// Serial Number: 17127835813110005400 (0xedb24becc3a2be98)
-// Signature Algorithm: sha256WithRSAEncryption
-// Issuer: C=US, ST=CA, L=San Diego, O=nanomsg.org, CN=localhost
-// Validity
-// Not Before: Jan 11 22:34:35 2018 GMT
-// Not After : Dec 18 22:34:35 2117 GMT
-// Subject: C=US, ST=CA, L=San Diego, O=nanomsg.org, CN=localhost
-// Subject Public Key Info:
-// Public Key Algorithm: rsaEncryption
-// Public-Key: (2048 bit)
//
static const char cert[] =
"-----BEGIN CERTIFICATE-----\n"
- "MIIDLjCCAhYCCQDtskvsw6K+mDANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJV\n"
- "UzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNhbiBEaWVnbzEUMBIGA1UECgwLbmFu\n"
- "b21zZy5vcmcxEjAQBgNVBAMMCWxvY2FsaG9zdDAgFw0xODAxMTEyMjM0MzVaGA8y\n"
- "MTE3MTIxODIyMzQzNVowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYD\n"
- "VQQHDAlTYW4gRGllZ28xFDASBgNVBAoMC25hbm9tc2cub3JnMRIwEAYDVQQDDAls\n"
- "b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMvoHdEnfO\n"
- "hmG3PTj6YC5qz6N5hgmcwf4EZkor4+R1Q5hDOKqOknWmVuGBD5mA61ObK76vycIT\n"
- "Tp+H+vKvfgunySZrlyYg8IbgoDbvVgj9RF8xFHdN0PVeqnkBCsCzLtSu6TP8PSgI\n"
- "SKiRMH0NUSakWqCPEc2E1r1CKdOpa7av/Na30LPsuKFcAUhu7QiVYfER86ktrO8G\n"
- "F2PeVy44Q8RkiLw8uhU0bpAflqkR1KCjOLajw1eL3C+Io75Io8qUOLxWc3LH0hl3\n"
- "oEI0jWu7JYlRAw/O7xm4pcGTwy5L8Odz4a7ZTAmuapFRarGOIcDg8Yr0tllRd1mH\n"
- "1T4Z2Wv7Rs0tAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIfUXK7UonrYAOrlXUHH\n"
- "gfHNdOXMzQP2Ms6Sxov+1tCTfgsYE65Mggo7hRJUqmKpstpbdRBVXhTyht/xjyTz\n"
- "5sMjoeCyv1tXOHpLTfD3LBXwYZwsFdoLS1UHhD3qiYjCyyY2LWa6S786CtlcbCvu\n"
- "Uij2q8zJ4WFrNqAzxZtsTfg16/6JRFw9zpVSCNlHqCxNQxzWucbmUFTiWn9rnc/N\n"
- "r7utG4JsDPZbEI6QS43R7gGLDF7s0ftWKqzlQiZEtuDQh2p7Uejbft8XmZd/VuV/\n"
- "dFMXOO1rleU0lWAJcXWOWHH3er0fivu2ISL8fRjjikYvhRGxtkwC0kPDa2Ntzgd3\n"
- "Hsg=\n"
+ "MIIBzDCCAXkCCQCNJMf8eYUHxTAKBggqhkjOPQQDAjB2MQswCQYDVQQGEwJVUzEL\n"
+ "MAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNhbiBEaWVnbzEUMBIGA1UECgwLbmFub21z\n"
+ "Zy5vcmcxHDAaBgNVBAsME1NhbXBsZSBDZXJ0aWZpY2F0ZXMxEjAQBgNVBAMMCWxv\n"
+ "Y2FsaG9zdDAgFw0yMDAyMjMxODMwMDZaGA8yMTIwMDEzMDE4MzAwNlowdjELMAkG\n"
+ "A1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTYW4gRGllZ28xFDASBgNV\n"
+ "BAoMC25hbm9tc2cub3JnMRwwGgYDVQQLDBNTYW1wbGUgQ2VydGlmaWNhdGVzMRIw\n"
+ "EAYDVQQDDAlsb2NhbGhvc3QwTjAQBgcqhkjOPQIBBgUrgQQAIQM6AAS9hA5gYo10\n"
+ "jx+gzJdzYbxHzigJYXawdHtyoAud/TT/dUCt0ycpOzTMiO3CoDNxep+/mkmgxjfp\n"
+ "ujAKBggqhkjOPQQDAgNBADA+Ah0A9b+GcfbhzzmI2NcYb4auE6XTYJPkPzHt6Adi\n"
+ "fwIdAMJO2LEr6WHH6JGLlishVqjF78TtkuB5t+kzneQ=\n"
"-----END CERTIFICATE-----\n";
static const char key[] =
- "-----BEGIN RSA PRIVATE KEY-----\n"
- "MIIEpQIBAAKCAQEAzL6B3RJ3zoZhtz04+mAuas+jeYYJnMH+BGZKK+PkdUOYQziq\n"
- "jpJ1plbhgQ+ZgOtTmyu+r8nCE06fh/ryr34Lp8kma5cmIPCG4KA271YI/URfMRR3\n"
- "TdD1Xqp5AQrAsy7Urukz/D0oCEiokTB9DVEmpFqgjxHNhNa9QinTqWu2r/zWt9Cz\n"
- "7LihXAFIbu0IlWHxEfOpLazvBhdj3lcuOEPEZIi8PLoVNG6QH5apEdSgozi2o8NX\n"
- "i9wviKO+SKPKlDi8VnNyx9IZd6BCNI1ruyWJUQMPzu8ZuKXBk8MuS/Dnc+Gu2UwJ\n"
- "rmqRUWqxjiHA4PGK9LZZUXdZh9U+Gdlr+0bNLQIDAQABAoIBAC82HqvjfkzZH98o\n"
- "9uKFGy72AjQbfEvxT6mkDKZiPmPr2khl4K5Ph2F71zPzbOoVWYoGZEoUs/PPxWmN\n"
- "rDhbUES4VWupxtkBnZheWUyHAjukcG7Y0UnYTTwvAwgCerzWp6RNkfcwAvMmDfis\n"
- "vak8dTSg0TUsXb+r5KhFDNGcTNv3f7R0cJmaZ/t9FT7SerXf1LW7itvTjRor8/ZK\n"
- "KPwT4oklp1o6RFXSenn/e2e3rAjI+TEwJA3Zp5dqO/M/AhaZKVaxL4voDVdVVkT+\n"
- "LHJWVhjLY5ilPkmPWqmZ2reTaF+gGSSjAQ+t/ahGWFqEdWIz9UoXhBBOd1ibeyvd\n"
- "Kyxp1QECgYEA8KcDkmwPrhqFlQe/U+Md27OhrQ4cecLCa6EVLsCXN1bFyCi3NSo2\n"
- "o5zFCC699KOL0ZwSmYlaQP4xjnqv4Gsa0s3uL7tqOJR2UuEtGK/MPMluGHVaWsGt\n"
- "zbnWH3xgsvvsxdt6hInFhcABLDupW336tJ8EcH7mOKoIP+azwF4kPiUCgYEA2c09\n"
- "zJBUW6SZXhgJ5vgENYc+UwDT7pfhIWZaRL+wXnwSoa7igodTKJtQp/KfFBJK4RA0\n"
- "prvwj4Wr/1ScaboR2hYZApbqXU5zkEkjC1hHIbg1fBe0EcnhP7ojMXrk6B5ed+Lq\n"
- "OVdYhUuvtdL/perelmbTJLnb8S214+tzVyg7EGkCgYEA6JLwX8zxpnhZSztOjBr9\n"
- "2zuSb7YojQBNd0kZOLLGMaQ5xwSactYWMi8rOIo76Lc6RFxKmXnl8NP5PtKRMRkx\n"
- "tjNxE05UDNRmOhkGxUn433JoZVjc9sMhXqZQKuPAbJoOLPW9RWQEsgtq1r3eId7x\n"
- "sSfRWYs6od6p1F/4rlwNOMUCgYEAtJmqf+DCAoe3IL3gICRSISy28k7CbZqE9JQR\n"
- "j+Y/Uemh7W29pyydOROoysq1PAh7DKrKbeNzcx8NYxh+5nCC8wrVzD7lsV8nFmJ+\n"
- "655UxVIhD3f8Oa/j1lr7acEU5KCiBtkjDU8vOMBsv+FpWOQrlB1JQa/X/+G+bHLF\n"
- "XmUerNkCgYEAv7R8vIKgJ1f69imgHdB31kue3wnOO/6NlfY3GTcaZcTdChY8SZ5B\n"
- "xits8xog0VcaxXhWlfO0hyCnZ9YRQbyDu0qp5eBU2p3qcE01x4ljJBZUOTweG06N\n"
- "cL9dYcwse5FhNMjrQ/OKv6B38SIXpoKQUtjgkaMtmpK8cXX1eqEMNkM=\n"
- "-----END RSA PRIVATE KEY-----\n";
+ "-----BEGIN EC PARAMETERS-----\n"
+ "gUrgQQAIQ==\n"
+ "-----END EC PARAMETERS-----\n"
+ "-----BEGIN EC PRIVATE KEY-----\n"
+ "MGgCAQEEHChK068x8MWcBzhpO7qANvW4iTo7E0yzMYFXGn+gBwYFK4EEACGhPAM6\n"
+ "AAS9hA5gYo10jx+gzJdzYbxHzigJYXawdHtyoAud/TT/dUCt0ycpOzTMiO3CoDNx\n"
+ "ep+/mkmgxjfpug==\n"
+ "-----END EC PRIVATE KEY-----\n";
static int
check_props_v4(nng_msg *msg)
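Review bot: The rewritten comment above `cert[]` drops the certificate metadata and justifies the curve with "recommended by NIST-800", which names no specific publication, so the rationale cannot be checked. secp224r1 (NIST P-224) gives roughly 112-bit strength, and some TLS stacks or distribution builds do not enable it, so the choice may cause handshake failures on some engines; the comment should say so. I would also mark the material as test-only, e.g. `// Test-only self-signed cert (subject presumably CN=localhost); the private key below is public and must never be used outside tests.`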
@@ -146,7 +106,7 @@ check_props_v4(nng_msg *msg)
}
static int
-init_dialer_tls(nng_dialer d)
+init_dialer_tls_ex(nng_dialer d, bool own_cert)
{
nng_tls_config *cfg;
int rv;
@@ -159,10 +119,18 @@ init_dialer_tls(nng_dialer d)
goto out;
}
- if ((rv = nng_tls_config_server_name(cfg, "127.0.0.1")) != 0) {
+ if ((rv = nng_tls_config_server_name(cfg, "localhost")) != 0) {
goto out;
}
- nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_NONE);
+ nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_REQUIRED);
+
+ if (own_cert) {
+ if ((rv = nng_tls_config_own_cert(cfg, cert, key, NULL)) !=
+ 0) {
+ goto out;
+ }
+ }
+
rv = nng_dialer_setopt_ptr(d, NNG_OPT_TLS_CONFIG, cfg);
out:
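Review bot: The return value of `nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_REQUIRED)` is discarded in init_dialer_tls_ex, while the listener helper added later in this commit checks the same call. If the call fails, the dialer keeps whatever mode the config already had, and tests could pass without server verification being required. Suggest `if ((rv = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_REQUIRED)) != 0) { goto out; }`. The start of the function and the cleanup after `out:` lie outside this hunk.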
@@ -171,7 +139,13 @@ out:
}
static int
-init_listener_tls(nng_listener l)
+init_dialer_tls(nng_dialer d)
+{
+ return (init_dialer_tls_ex(d, false));
+}
+
+static int
+init_listener_tls_ex(nng_listener l, int auth_mode)
{
nng_tls_config *cfg;
int rv;
@@ -185,12 +159,31 @@ init_listener_tls(nng_listener l)
if ((rv = nng_listener_setopt_ptr(l, NNG_OPT_TLS_CONFIG, cfg)) != 0) {
goto out;
}
+ switch (auth_mode) {
+ case NNG_TLS_AUTH_MODE_REQUIRED:
+ case NNG_TLS_AUTH_MODE_OPTIONAL:
+ if ((rv = nng_tls_config_ca_chain(cfg, cert, NULL)) != 0) {
+ goto out;
+ }
+ break;
+ default:
+ break;
+ }
+ if ((rv = nng_tls_config_auth_mode(cfg, auth_mode)) != 0) {
+ goto out;
+ }
out:
nng_tls_config_free(cfg);
return (0);
}
static int
+init_listener_tls(nng_listener l)
+{
+ return (init_listener_tls_ex(l, NNG_TLS_AUTH_MODE_NONE));
+}
+
+static int
init_dialer_tls_file(nng_dialer d)
{
int rv;
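Review bot: init_listener_tls_ex ends with `return (0);` after the `out:` label, so every `goto out` added in this hunk (a failed `nng_tls_config_ca_chain` or `nng_tls_config_auth_mode`) is reported as success. A caller such as `So(init_listener_tls_ex(l, NNG_TLS_AUTH_MODE_REQUIRED) == 0)` would then run against a listener that never received its CA chain or auth mode, and a mutual-authentication case could pass without client certificates being enforced. Change it to `return (rv);`. The CA chain and auth mode are also applied after `nng_listener_setopt_ptr` has attached the config; that presumably works if the config is shared by reference, but configuring first and attaching last would be easier to reason about. The top of the function is outside the hunk.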
@@ -265,6 +258,10 @@ init_listener_tls_file(nng_listener l)
TestMain("TLS Transport", {
static trantest tt;
+ if (strcmp(nng_tls_engine_name(), "none") == 0) {
+ Skip("TLS not enabled");
+ }
+
tt.dialer_init = init_dialer_tls;
tt.listener_init = init_listener_tls;
tt.tmpl = "tls+tcp://127.0.0.1:%u";
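Review bot: With `Skip("TLS not enabled")` the suite reports a skip rather than a failure when `nng_tls_engine_name()` returns "none", and the CMakeLists.txt hunk in this commit builds the test unconditionally, so a build that loses its TLS engine through misconfiguration silently drops all TLS coverage. The same check is added in tests/wss.c. Consider a comment here such as `// Skipped, not failed: CI jobs that expect TLS must check the engine name themselves.` and have TLS-enabled CI configurations treat a skip of this suite as an error. The TestMain body continues outside the hunk.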
@@ -314,7 +311,7 @@ TestMain("TLS Transport", {
So(nng_dialer_start(d, 0) == 0);
});
- Convey("We can bind to port zero", {
+ SkipConvey("We can bind to port zero", {
nng_socket s1;
nng_socket s2;
nng_listener l;
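Review bot: `SkipConvey("We can bind to port zero", ...)` disables this case with no comment saying why or when it should be re-enabled, unlike the "Verify works" case further down, which cites bug #208. Add a short comment above it, e.g. `// Skipped: <reason>; re-enable when <issue reference> is resolved.` with the real reason filled in. The body of the case extends past the hunk.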
@@ -389,7 +386,7 @@ TestMain("TLS Transport", {
So(nng_dialer_start(d, 0) == 0);
});
- Convey("Botched local interfaces fail resonably", {
+ Convey("Botched local interfaces fail reasonably", {
nng_socket s1;
So(nng_pair_open(&s1) == 0);
@@ -407,15 +404,13 @@ TestMain("TLS Transport", {
NNG_EADDRINVAL);
});
-#if 0
-// We really need to have pipe start/negotiate as one of the key steps during
-// connect establish. Until that happens, we cannot verify the peer.
-// See bug #208.
- Convey("Verify works", {
+ // We really need to have pipe start/negotiate as one of the key steps
+ // during connect establish. Until that happens, we cannot verify the
+ // peer. See bug #208.
+ SkipConvey("Verify works", {
nng_socket s1;
nng_socket s2;
nng_listener l;
- char * buf;
size_t sz;
char addr[NNG_MAXADDRLEN];
@@ -438,11 +433,10 @@ TestMain("TLS Transport", {
So(nng_dial(s2, addr, NULL, 0) == NNG_EPEERAUTH);
});
-#endif
Convey("No verify works", {
- nng_socket s1;
- nng_socket s2;
+ nng_socket s1; // server
+ nng_socket s2; // client
nng_listener l;
char addr[NNG_MAXADDRLEN];
nng_msg * msg;
@@ -459,6 +453,8 @@ TestMain("TLS Transport", {
trantest_next_address(addr, "tls+tcp://*:%u");
So(nng_listener_create(&l, s1, addr) == 0);
So(init_listener_tls_file(l) == 0);
+ So(nng_listener_setopt_int(l, NNG_OPT_TLS_AUTH_MODE,
+ NNG_TLS_AUTH_MODE_OPTIONAL) == 0);
So(nng_listener_start(l, 0) == 0);
nng_msleep(100);
@@ -467,14 +463,12 @@ TestMain("TLS Transport", {
So(nng_setopt_ms(s2, NNG_OPT_RECVTIMEO, 200) == 0);
So(nng_dialer_create(&d, s2, addr) == 0);
So(init_dialer_tls_file(d) == 0);
- So(nng_dialer_setopt_int(d, NNG_OPT_TLS_AUTH_MODE,
- NNG_TLS_AUTH_MODE_OPTIONAL) == 0);
So(nng_dialer_setopt_string(
- d, NNG_OPT_TLS_SERVER_NAME, "example.com") == 0);
+ d, NNG_OPT_TLS_SERVER_NAME, "localhost") == 0);
So(nng_dialer_start(d, 0) == 0);
- So(nng_send(s1, "hello", 6, 0) == 0);
- So(nng_recvmsg(s2, &msg, 0) == 0);
+ So(nng_send(s2, "hello", 6, 0) == 0);
+ So(nng_recvmsg(s1, &msg, 0) == 0);
So(msg != NULL);
So(nng_msg_len(msg) == 6);
So(strcmp(nng_msg_body(msg), "hello") == 0);
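Review bot: The case is still titled "No verify works", but the dialer's server name is now "localhost" instead of "example.com" and the OPTIONAL auth mode has moved from the dialer to the listener, so it no longer appears to exercise a dialer tolerating a name mismatch. What `init_dialer_tls_file` sets for the dialer's auth mode is outside the hunk, so this is inferred. Either rename the case to describe what is now checked, or add a comment such as `// listener makes client auth optional; dialer expects server name "localhost"` so the intent of the weakened-verification path is explicit.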
@@ -503,20 +497,24 @@ TestMain("TLS Transport", {
});
trantest_next_address(addr, "tls+tcp4://*:%u");
So(nng_listener_create(&l, s1, addr) == 0);
- So(init_listener_tls_file(l) == 0);
+ So(init_listener_tls_ex(l, NNG_TLS_AUTH_MODE_REQUIRED) == 0);
So(nng_listener_start(l, 0) == 0);
+
nng_msleep(100);
// reset port back one
trantest_prev_address(addr, "tls+tcp4://localhost:%u");
So(nng_dialer_create(&d, s2, addr) == 0);
- So(init_dialer_tls_file(d) == 0);
+ So(init_dialer_tls_ex(d, true) == 0);
+
So(nng_setopt_ms(s2, NNG_OPT_RECVTIMEO, 200) == 0);
So(nng_dialer_start(d, 0) == 0);
nng_msleep(100);
- So(nng_send(s1, "hello", 6, 0) == 0);
- So(nng_recvmsg(s2, &msg, 0) == 0);
+ // send from the server to the client-- the client always
+ // verifies the server.
+ So(nng_send(s2, "hello", 6, 0) == 0);
+ So(nng_recvmsg(s1, &msg, 0) == 0);
So(msg != NULL);
So(nng_msg_len(msg) == 6);
So(strcmp(nng_msg_body(msg), "hello") == 0);
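Review bot: The added comment says "send from the server to the client", but the code sends on `s2`, which owns the dialer, and receives on `s1`, which owns the listener, so the message travels from client to server. What this case presumably exercises is the listener with `NNG_TLS_AUTH_MODE_REQUIRED` verifying the dialer's certificate; suggest `// send from the client to the server; the listener requires and verifies the client certificate.` There is also no negative counterpart in this hunk, e.g. a dialer set up with `init_dialer_tls_ex(d, false)` being refused, so a listener that silently ignored the auth mode would still pass. The case begins before the hunk.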
diff --git a/tests/wss.c b/tests/wss.c
index 78601066..ca33a542 100644
--- a/tests/wss.c
+++ b/tests/wss.c
@@ -1,5 +1,5 @@
//
-// Copyright 2018 Staysail Systems, Inc. <info@staysail.tech>
+// Copyright 2020 Staysail Systems, Inc. <info@staysail.tech>
// Copyright 2018 Capitar IT Group BV <info@capitar.com>
//
// This software is supplied under the terms of the MIT License, a
@@ -235,6 +235,10 @@ out:
TestMain("WebSocket Secure (TLS) Transport", {
static trantest tt;
+ if (strcmp(nng_tls_engine_name(), "none") == 0) {
+ Skip("TLS not enabled");
+ }
+
tt.dialer_init = init_dialer_wss;
tt.listener_init = init_listener_wss;
tt.tmpl = "wss://localhost:%u/test";