|
 |
1a2827 |
From 6b05dc28e94e90ab4852c9977d7fbe66fec6cd48 Mon Sep 17 00:00:00 2001
|
|
|
1a2827 |
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
|
1a2827 |
Date: Fri, 8 Feb 2019 14:50:32 +0100
|
|
|
1a2827 |
Subject: [PATCH] Test client performs Post-Handshake-Authentication
|
|
|
1a2827 |
MIME-Version: 1.0
|
|
|
1a2827 |
Content-Type: text/plain; charset=UTF-8
|
|
|
1a2827 |
Content-Transfer-Encoding: 8bit
|
|
|
1a2827 |
|
|
|
1a2827 |
This test uses openssl tool because PHA is not yet supported by
|
|
|
1a2827 |
IO::Socket::SSL's server implementation. The openssl tool uses a fixed
|
|
|
1a2827 |
port. So the test can fail.
|
|
|
1a2827 |
|
|
|
1a2827 |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
1a2827 |
---
|
|
|
1a2827 |
MANIFEST | 1 +
|
|
|
1a2827 |
t/pha_client.t | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
1a2827 |
2 files changed, 91 insertions(+)
|
|
|
1a2827 |
create mode 100755 t/pha_client.t
|
|
|
1a2827 |
|
|
|
1a2827 |
diff --git a/MANIFEST b/MANIFEST
|
|
|
1a2827 |
index 20cddb6..2b8328d 100644
|
|
|
1a2827 |
--- a/MANIFEST
|
|
|
1a2827 |
+++ b/MANIFEST
|
|
|
1a2827 |
@@ -57,6 +57,7 @@ t/mitm.t
|
|
|
1a2827 |
t/multiple-cert-rsa-ecc.t
|
|
|
1a2827 |
t/nonblock.t
|
|
|
1a2827 |
t/npn.t
|
|
|
1a2827 |
+t/pha_client.t
|
|
|
1a2827 |
t/plain_upgrade_downgrade.t
|
|
|
1a2827 |
t/protocol_version.t
|
|
|
1a2827 |
t/public_suffix_lib_encode_idn.t
|
|
|
1a2827 |
diff --git a/t/pha_client.t b/t/pha_client.t
|
|
|
1a2827 |
new file mode 100755
|
|
|
1a2827 |
index 0000000..2413588
|
|
|
1a2827 |
--- /dev/null
|
|
|
1a2827 |
+++ b/t/pha_client.t
|
|
|
1a2827 |
@@ -0,0 +1,90 @@
|
|
|
1a2827 |
+#!/usr/bin/perl
|
|
|
1a2827 |
+use strict;
|
|
|
1a2827 |
+use warnings;
|
|
|
1a2827 |
+use Test::More;
|
|
|
1a2827 |
+use IPC::Run ();
|
|
|
1a2827 |
+use IO::Socket::SSL ();
|
|
|
1a2827 |
+use Net::SSLeay ();
|
|
|
1a2827 |
+use IO::Select ();
|
|
|
1a2827 |
+
|
|
|
1a2827 |
+if (system('openssl', 'version')) {
|
|
|
1a2827 |
+ plan skip_all => 'openssl tool is not available';
|
|
|
1a2827 |
+} elsif (!defined &Net::SSLeay::CTX_set_post_handshake_auth) {
|
|
|
1a2827 |
+ plan skip_all => 'Net::SSLeay does not expose PHA';
|
|
|
1a2827 |
+} else {
|
|
|
1a2827 |
+ plan tests => 5;
|
|
|
1a2827 |
+}
|
|
|
1a2827 |
+
|
|
|
1a2827 |
+my $port = 2000;
|
|
|
1a2827 |
+my $ca_cert = 'certs/test-ca.pem';
|
|
|
1a2827 |
+
|
|
|
1a2827 |
+diag 'Starting a server';
|
|
|
1a2827 |
+my ($server, $input, $stdout, $stderr);
|
|
|
1a2827 |
+eval {
|
|
|
1a2827 |
+ $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
|
|
|
1a2827 |
+ '-Verify', '1',
|
|
|
1a2827 |
+ '-cert', 'certs/server-wildcard.pem',
|
|
|
1a2827 |
+ '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert],
|
|
|
1a2827 |
+ \$input, \$stdout, \$stderr);
|
|
|
1a2827 |
+ # subsequent \undef does not work
|
|
|
1a2827 |
+ # <https://github.com/toddr/IPC-Run/issues/124>
|
|
|
1a2827 |
+};
|
|
|
1a2827 |
+if (!$server or $@) {
|
|
|
1a2827 |
+ BAIL_OUT("Could not start a server: $@");
|
|
|
1a2827 |
+}
|
|
|
1a2827 |
+# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
|
|
|
1a2827 |
+while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
|
|
|
1a2827 |
+if ($stderr =~ /unable to bind socket/) {
|
|
|
1a2827 |
+ $server->kill_kill;
|
|
|
1a2827 |
+ BAIL_OUT("Could not start a server: $stderr");
|
|
|
1a2827 |
+}
|
|
|
1a2827 |
+ok($server, 'Server started');
|
|
|
1a2827 |
+
|
|
|
1a2827 |
+my $client = IO::Socket::SSL->new(
|
|
|
1a2827 |
+ PeerHost => 'localhost',
|
|
|
1a2827 |
+ PeerPort => $port,
|
|
|
1a2827 |
+ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
|
|
|
1a2827 |
+ SSL_verifycn_scheme => 'www',
|
|
|
1a2827 |
+ SSL_verifycn_name => 'www.server.local',
|
|
|
1a2827 |
+ SSL_ca_file => $ca_cert,
|
|
|
1a2827 |
+ SSL_key_file => 'certs/client-key.pem',
|
|
|
1a2827 |
+ SSL_cert_file => 'certs/client-cert.pem'
|
|
|
1a2827 |
+);
|
|
|
1a2827 |
+ok($client, 'Client connected');
|
|
|
1a2827 |
+
|
|
|
1a2827 |
+SKIP: {
|
|
|
1a2827 |
+ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
|
|
|
1a2827 |
+ unless $client;
|
|
|
1a2827 |
+ $client->blocking(0);
|
|
|
1a2827 |
+
|
|
|
1a2827 |
+ SKIP: {
|
|
|
1a2827 |
+ # Ask openssl s_server for PHA request and wait for the result.
|
|
|
1a2827 |
+ $input .= "c\n";
|
|
|
1a2827 |
+ while ($server->pumpable &&
|
|
|
1a2827 |
+ $stderr !~ /SSL_verify_client_post_handshake/ &&
|
|
|
1a2827 |
+ $stdout !~ /SSL_do_handshake -> 1/
|
|
|
1a2827 |
+ ) {
|
|
|
1a2827 |
+ # Push the PHA command to the server and read outputs.
|
|
|
1a2827 |
+ $server->pump;
|
|
|
1a2827 |
+
|
|
|
1a2827 |
+ # Client also must perform I/O to process the PHA request.
|
|
|
1a2827 |
+ my $select = IO::Select->new($client);
|
|
|
1a2827 |
+ while ($select->can_read(1)) { # 1 second time-out because of
|
|
|
1a2827 |
+ # blocking IPC::Run
|
|
|
1a2827 |
+ my $retval = $client->read(my $buf, 1);
|
|
|
1a2827 |
+ if (defined $buf and $buf eq 'c') {
|
|
|
1a2827 |
+ skip 'openssl tool does not support PHA command', 1;
|
|
|
1a2827 |
+ }
|
|
|
1a2827 |
+ }
|
|
|
1a2827 |
+ }
|
|
|
1a2827 |
+ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
|
|
|
1a2827 |
+ }
|
|
|
1a2827 |
+
|
|
|
1a2827 |
+ ok($client->close, 'Client disconnected');
|
|
|
1a2827 |
+}
|
|
|
1a2827 |
+
|
|
|
1a2827 |
+eval {
|
|
|
1a2827 |
+ $server->kill_kill;
|
|
|
1a2827 |
+};
|
|
|
1a2827 |
+ok(!$@, 'Server terminated');
|
|
|
1a2827 |
+
|
|
|
1a2827 |
--
|
|
|
1a2827 |
2.20.1
|
|
|
1a2827 |
|