📄 ssl.c
字号:
{ return accept_signed_cert("altname1.cert");}/* tests for multiple altNames. */static int two_subject_altname(void){ return accept_signed_cert("altname2.cert");}static int two_subject_altname2(void){ return accept_signed_cert("altname3.cert");}/* Test that a subject altname with *only* an eMail entry is * ignored, and the commonName is used instead. */static int notdns_altname(void){ return accept_signed_cert("altname4.cert");}static int ipaddr_altname(void){ return accept_signed_cert_for_hostname("altname5.cert", "127.0.0.1");}/* test that the *most specific* commonName attribute is used. */static int multi_commonName(void){ return accept_signed_cert("twocn.cert");}/* regression test for neon <= 0.23.4 where if commonName was the first * RDN in the subject DN, it was ignored. */static int commonName_first(void){ return accept_signed_cert("cnfirst.cert");}static int check_dname(const ne_ssl_dname *dn, const char *expected, const char *which){ char *dname; ONV(dn == NULL, ("certificate %s dname was NULL", which)); dname = ne_ssl_readable_dname(dn); NE_DEBUG(NE_DBG_SSL, "Got dname `%s', expecting `%s'\n", dname, expected); ONV(strcmp(dname, expected), ("certificate %s dname was `%s' not `%s'", which, dname, expected)); ne_free(dname); return 0;}/* Check that the readable subject issuer dnames of 'cert' match * 'subject' and 'issuer' (if non-NULL). */static int check_cert_dnames(const ne_ssl_certificate *cert, const char *subject, const char *issuer){ ONN("no server certificate presented", cert == NULL); CALL(check_dname(ne_ssl_cert_subject(cert), subject, "subject")); return issuer ? check_dname(ne_ssl_cert_issuer(cert), issuer, "issuer") : OK;}/* Verify callback which checks that the certificate presented has the * predetermined subject and issuer DN (as per makekeys.sh). */static int check_cert(void *userdata, int fs, const ne_ssl_certificate *cert){ int *ret = userdata; if (check_cert_dnames(cert, SERVER_DNAME, CACERT_DNAME) == FAIL) *ret = -1; else *ret = 1; return 0;}/* Check that certificate attributes are passed correctly. */static int parse_cert(void){ ne_session *sess = DEFSESS; int ret = 0; struct ssl_server_args args = {SERVER_CERT, 0}; /* don't give a CA cert; should force the verify callback to be * used. */ CALL(any_ssl_request(sess, ssl_server, &args, NULL, check_cert, &ret)); ne_session_destroy(sess); ONN("cert verification never called", ret == 0); if (ret == -1) return FAIL; return OK;}/* Check the certificate chain presented against known dnames. */static int check_chain(void *userdata, int fs, const ne_ssl_certificate *cert){ int *ret = userdata; if (check_cert_dnames(cert, SERVER_DNAME, CACERT_DNAME) == FAIL) { *ret = -1; return 0; } cert = ne_ssl_cert_signedby(cert); if (cert == NULL) { t_context("no CA cert in chain"); *ret = -1; return 0; } if (check_cert_dnames(cert, CACERT_DNAME, CACERT_DNAME) == FAIL) { *ret = -1; return 0; } *ret = 1; return 0;}/* Check that certificate attributes are passed correctly. */static int parse_chain(void){ ne_session *sess = DEFSESS; int ret = 0; struct ssl_server_args args = {SERVER_CERT, 0}; args.ca_list = "ca/cert.pem"; /* don't give a CA cert; should force the verify callback to be * used. */ CALL(any_ssl_request(sess, ssl_server, &args, NULL, check_chain, &ret)); ne_session_destroy(sess); ONN("cert verification never called", ret == 0); if (ret == -1) return FAIL; return OK;}static int count_vfy(void *userdata, int fs, const ne_ssl_certificate *c){ int *count = userdata; (*count)++; return 0;}static int no_verify(void){ ne_session *sess = DEFSESS; int count = 0; struct ssl_server_args args = {SERVER_CERT, 0}; CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, count_vfy, &count)); ONN("verify callback called unnecessarily", count != 0); ne_session_destroy(sess); return OK;}static int cache_verify(void){ ne_session *sess = DEFSESS; int ret, count = 0; struct ssl_server_args args = {SERVER_CERT, 0}; /* force verify cert. */ ret = any_ssl_request(sess, ssl_server, &args, NULL, count_vfy, &count); CALL(spawn_server(7777, ssl_server, &args)); ret = any_request(sess, "/foo2"); CALL(await_server()); ONV(count != 1, ("verify callback result not cached: called %d times", count)); ne_session_destroy(sess); return OK;}/* Copy failures into *userdata, and fail verification. */static int get_failures(void *userdata, int fs, const ne_ssl_certificate *c){ int *out = userdata; *out = fs; return -1;}/* Helper function: run a request using the given self-signed server * certificate, and expect the request to fail with the given * verification failure flags. */static int fail_ssl_request(char *cert, char *cacert, const char *msg, int failures){ ne_session *sess = DEFSESS; int gotf = 0, ret; ret = any_ssl_request(sess, fail_serve, cert, cacert, get_failures, &gotf); ONV(gotf == 0, ("no error in verification callback; request failed: %s", ne_get_error(sess))); ONV(gotf & ~NE_SSL_FAILMASK, ("verification flags %x outside mask %x", gotf, NE_SSL_FAILMASK)); /* check the failure flags were as expected. */ ONV(failures != gotf, ("verification flags were %d not %d", gotf, failures)); /* and check that the request was failed too. */ ONV(ret == NE_OK, ("%s", msg)); ne_session_destroy(sess); return OK;}/* Note that the certs used for fail_* are all self-signed, so the * cert is passed as CA cert and server cert to fail_ssl_request. *//* Check that a certificate with the incorrect commonName attribute is * flagged as such. */static int fail_wrongCN(void){ return fail_ssl_request("wrongcn.pem", "wrongcn.pem", "certificate with incorrect CN was accepted", NE_SSL_IDMISMATCH);}/* Check that an expired certificate is flagged as such. */static int fail_expired(void){ char *c = ne_concat(srcdir, "/expired.pem", NULL); CALL(fail_ssl_request(c, c, "expired certificate was accepted", NE_SSL_EXPIRED)); ne_free(c); return OK;}static int fail_notvalid(void){ char *c = ne_concat(srcdir, "/notvalid.pem", NULL); CALL(fail_ssl_request(c, c, "not yet valid certificate was accepted", NE_SSL_NOTYETVALID)); ne_free(c); return OK; }/* Check that a server cert with a random issuer and self-signed cert * fail with UNTRUSTED. */static int fail_untrusted_ca(void){ return fail_ssl_request("server.cert", NULL, "untrusted CA.", NE_SSL_UNTRUSTED);}static int fail_self_signed(void){ return fail_ssl_request("ssigned.pem", NULL, "self-signed cert", NE_SSL_UNTRUSTED);}/* Test for failure when a server cert is presented which has no * commonName (and no alt names either). */static int fail_missing_CN(void){ ne_session *sess = DEFSESS; ONN("accepted server cert with missing commonName", any_ssl_request(sess, fail_serve, "missingcn.cert", SERVER_CERT, NULL, NULL) == NE_OK); ONV(strstr(ne_get_error(sess), "missing commonName") == NULL, ("unexpected session error `%s'", ne_get_error(sess))); ne_session_destroy(sess); return OK;} /* Test that the SSL session is cached across connections. */static int session_cache(void){ struct ssl_server_args args = {0}; ne_session *sess = ne_session_create("https", "localhost", 7777); args.cert = SERVER_CERT; args.cache = 1; ne_ssl_trust_cert(sess, def_ca_cert); /* have spawned server listen for several connections. */ CALL(spawn_server_repeat(7777, ssl_server, &args, 4)); ONREQ(any_request(sess, "/req1")); ONREQ(any_request(sess, "/req2")); ne_session_destroy(sess); /* server should still be waiting for connections: if not, * something went wrong. */ ONN("error from child", dead_server()); /* now get rid of it. */ reap_server(); return OK;}/* Callback for client_cert_provider; takes a c. cert as userdata and * registers it. */static void ccert_provider(void *userdata, ne_session *sess, const ne_ssl_dname *const *dns, int dncount){ const ne_ssl_client_cert *cc = userdata; ne_ssl_set_clicert(sess, cc);}/* Test that the on-demand client cert provider callback is used. */static int client_cert_provided(void){ ne_session *sess = DEFSESS; ne_ssl_client_cert *cc; struct ssl_server_args args = {SERVER_CERT, NULL}; args.require_cc = 1; cc = ne_ssl_clicert_read("client.p12"); ONN("could not load client.p12", cc == NULL); ONN("could not decrypt client.p12", ne_ssl_clicert_decrypt(cc, "foobar")); ne_ssl_provide_clicert(sess, ccert_provider, cc); CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL)); ne_session_destroy(sess); ne_ssl_clicert_free(cc); return OK;}static void cc_check_dnames(void *userdata, ne_session *sess, const ne_ssl_dname *const *dns, int dncount){ int n, *ret = userdata; static const char *expected[4] = { "First Random CA, CAs Ltd., Lincoln, Lincolnshire, GB", "Second Random CA, CAs Ltd., Falmouth, Cornwall, GB", "Third Random CA, CAs Ltd., Ipswich, Suffolk, GB", "Fourth Random CA, CAs Ltd., Norwich, Norfolk, GB" }; ne_ssl_set_clicert(sess, def_cli_cert); if (dncount != 4) { t_context("dname count was %d not 4", dncount); *ret = -1; return; } for (n = 0; n < 4; n++) { char which[5]; sprintf(which, "%d", n); if (check_dname(dns[n], expected[n], which) == FAIL) { *ret = -1; return; } } *ret = 1;}/* Test for the list of acceptable dnames sent to the client. */static int cc_provided_dnames(void){ int check = 0; ne_session *sess = DEFSESS; struct ssl_server_args args = {SERVER_CERT, NULL}; args.require_cc = 1; args.send_ca = "calist.pem"; PRECOND(def_cli_cert); ne_ssl_provide_clicert(sess, cc_check_dnames, &check); CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL)); ne_session_destroy(sess); ONN("provider function not called", check == 0); return (check == -1) ? FAIL : OK;}/* Tests use of a client certificate. */static int client_cert_pkcs12(void){ ne_session *sess = DEFSESS; struct ssl_server_args args = {SERVER_CERT, NULL}; args.require_cc = 1; PRECOND(def_cli_cert); ne_ssl_set_clicert(sess, def_cli_cert); CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL)); ne_session_destroy(sess); return OK;}/* Tests use of an unencrypted client certificate. */static int ccert_unencrypted(void){ ne_session *sess = DEFSESS; ne_ssl_client_cert *ccert; struct ssl_server_args args = {SERVER_CERT, NULL}; args.require_cc = 1; ccert = ne_ssl_clicert_read("unclient.p12"); ONN("unclient.p12 was encrypted", ne_ssl_clicert_encrypted(ccert)); ne_ssl_set_clicert(sess, ccert); CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL)); ne_ssl_clicert_free(ccert); ne_session_destroy(sess); return OK;}/* non-zero if a server auth header was received */static int got_server_auth; /* Utility function which accepts the 'tunnel' header. */static void tunnel_header(char *value){ got_server_auth = 1;}/* Server which acts as a proxy accepting a CONNECT request. */static int serve_tunnel(ne_socket *sock, void *ud){ struct ssl_server_args *args = ud; /* check for a server auth function */ want_header = "Authorization"; got_header = tunnel_header; got_server_auth = 0; /* give the plaintext tunnel reply, acting as the proxy */ CALL(discard_request(sock)); if (got_server_auth) { SEND_STRING(sock, "HTTP/1.1 500 Leaked Server Auth Creds\r\n" "Content-Length: 0\r\n" "Server: serve_tunnel\r\n\r\n"); return 0; } else { SEND_STRING(sock, "HTTP/1.1 200 OK\r\nServer: serve_tunnel\r\n\r\n"); return ssl_server(sock, args); }}/* neon versions <= 0.21.2 segfault here because ne_sock_close would * be called twice on the socket after the server cert verification * fails. */static int fail_tunnel(void){ ne_session *sess = ne_session_create("https", "example.com", 443); struct ssl_server_args args = {SERVER_CERT, NULL}; ne_session_proxy(sess, "localhost", 7777); ONN("server cert verification didn't fail", any_ssl_request(sess, serve_tunnel, &args, CA_CERT, NULL, NULL) != NE_ERROR); ne_session_destroy(sess); return OK;}static int proxy_tunnel(void){ ne_session *sess = ne_session_create("https", "localhost", 443); struct ssl_server_args args = {SERVER_CERT, NULL}; ne_session_proxy(sess, "localhost", 7777); /* CA cert is trusted, so no verify callback should be needed. */ CALL(any_ssl_request(sess, serve_tunnel, &args, CA_CERT, NULL, NULL)); ne_session_destroy(sess); return OK;}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -