258 lines
8.2 KiB
C
258 lines
8.2 KiB
C
// testHttps.c -- exercises calogHttp's TLS certificate verification. An in-test HTTPS server
|
|
// runs on loopback with a freshly generated SELF-SIGNED certificate (not chained to any trusted
|
|
// CA). A default httpGet must therefore REJECT it (verification on), while an httpRequest with
|
|
// insecure=true must ACCEPT it (verification off). Proves both the default-secure behavior and
|
|
// the documented opt-out.
|
|
|
|
#define _GNU_SOURCE
|
|
|
|
#include "calog.h"
|
|
#include "calogHttp.h"
|
|
|
|
#include <arpa/inet.h>
|
|
#include <netinet/in.h>
|
|
#include <pthread.h>
|
|
#include <stdatomic.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <sys/socket.h>
|
|
#include <time.h>
|
|
#include <unistd.h>
|
|
|
|
#include <openssl/evp.h>
|
|
#include <openssl/pem.h>
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/x509.h>
|
|
|
|
#define CHECK(cond, msg) checkImpl((cond), (msg), __FILE__, __LINE__)
|
|
|
|
#define PUMP_LIMIT 4000
|
|
#define RESULT_SLOTS 8
|
|
|
|
static CalogT *calog = NULL;
|
|
static _Atomic int64_t results[RESULT_SLOTS];
|
|
static _Atomic int32_t doneCount = 0;
|
|
static _Atomic int32_t errorCount = 0;
|
|
static int32_t testsRun = 0;
|
|
static int32_t testsFailed = 0;
|
|
static int gListenFd = -1;
|
|
|
|
static void checkImpl(bool condition, const char *message, const char *file, int32_t line);
|
|
static EVP_PKEY *makeSelfSigned(X509 **certOut);
|
|
static int32_t nativeDone(CalogValueT *args, int32_t argCount, CalogValueT *result, void *userData);
|
|
static int32_t nativeReport(CalogValueT *args, int32_t argCount, CalogValueT *result, void *userData);
|
|
static void onError(uint64_t contextId, const char *message, void *userData);
|
|
static void pumpUntilDone(int32_t target);
|
|
static void *serverThread(void *arg);
|
|
|
|
|
|
static void checkImpl(bool condition, const char *message, const char *file, int32_t line) {
|
|
testsRun++;
|
|
if (!condition) {
|
|
testsFailed++;
|
|
printf("FAIL %s:%d %s\n", file, line, message);
|
|
}
|
|
}
|
|
|
|
|
|
static EVP_PKEY *makeSelfSigned(X509 **certOut) {
|
|
EVP_PKEY *pkey;
|
|
X509 *cert;
|
|
|
|
pkey = EVP_RSA_gen(2048);
|
|
if (pkey == NULL) {
|
|
return NULL;
|
|
}
|
|
cert = X509_new();
|
|
if (cert == NULL) {
|
|
EVP_PKEY_free(pkey);
|
|
return NULL;
|
|
}
|
|
X509_set_version(cert, 2);
|
|
ASN1_INTEGER_set(X509_get_serialNumber(cert), 1);
|
|
X509_gmtime_adj(X509_getm_notBefore(cert), 0);
|
|
X509_gmtime_adj(X509_getm_notAfter(cert), 3600);
|
|
X509_set_pubkey(cert, pkey);
|
|
X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, (const unsigned char *)"127.0.0.1", -1, -1, 0);
|
|
X509_set_issuer_name(cert, X509_get_subject_name(cert));
|
|
if (X509_sign(cert, pkey, EVP_sha256()) == 0) {
|
|
X509_free(cert);
|
|
EVP_PKEY_free(pkey);
|
|
return NULL;
|
|
}
|
|
*certOut = cert;
|
|
return pkey;
|
|
}
|
|
|
|
|
|
static int32_t nativeDone(CalogValueT *args, int32_t argCount, CalogValueT *result, void *userData) {
|
|
(void)args;
|
|
(void)argCount;
|
|
(void)userData;
|
|
atomic_fetch_add(&doneCount, 1);
|
|
calogValueNil(result);
|
|
return calogOkE;
|
|
}
|
|
|
|
|
|
static int32_t nativeReport(CalogValueT *args, int32_t argCount, CalogValueT *result, void *userData) {
|
|
(void)userData;
|
|
calogValueNil(result);
|
|
if (argCount != 2 || args[0].type != calogIntE) {
|
|
return calogFail(result, calogErrArgE, "report expects (tag, value)");
|
|
}
|
|
if (args[0].as.i < 0 || args[0].as.i >= RESULT_SLOTS) {
|
|
return calogFail(result, calogErrArgE, "report: tag out of range");
|
|
}
|
|
atomic_store(&results[args[0].as.i], (args[1].type == calogIntE) ? args[1].as.i : (int64_t)args[1].as.r);
|
|
return calogOkE;
|
|
}
|
|
|
|
|
|
static void onError(uint64_t contextId, const char *message, void *userData) {
|
|
(void)contextId;
|
|
(void)userData;
|
|
fprintf(stderr, " [script error] %s\n", (message != NULL) ? message : "(null)");
|
|
atomic_fetch_add(&errorCount, 1);
|
|
}
|
|
|
|
|
|
static void pumpUntilDone(int32_t target) {
|
|
struct timespec ts = { 0, 500000 };
|
|
int i;
|
|
|
|
for (i = 0; i < PUMP_LIMIT; i++) {
|
|
calogPump(calog);
|
|
if (atomic_load(&doneCount) >= target) {
|
|
calogPump(calog);
|
|
return;
|
|
}
|
|
nanosleep(&ts, NULL);
|
|
}
|
|
}
|
|
|
|
|
|
static void *serverThread(void *arg) {
|
|
static const char response[] = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
|
|
SSL_CTX *ctx;
|
|
EVP_PKEY *pkey;
|
|
X509 *cert;
|
|
int n;
|
|
|
|
(void)arg;
|
|
cert = NULL;
|
|
pkey = makeSelfSigned(&cert);
|
|
if (pkey == NULL) {
|
|
return NULL;
|
|
}
|
|
ctx = SSL_CTX_new(TLS_server_method());
|
|
if (ctx == NULL) {
|
|
X509_free(cert);
|
|
EVP_PKEY_free(pkey);
|
|
return NULL;
|
|
}
|
|
SSL_CTX_use_certificate(ctx, cert);
|
|
SSL_CTX_use_PrivateKey(ctx, pkey);
|
|
// Two connections: the first (default verify) has its handshake aborted by the client when
|
|
// it rejects the untrusted cert; the second (insecure=true) completes and gets the reply.
|
|
for (n = 0; n < 2; n++) {
|
|
SSL *ssl;
|
|
int cfd;
|
|
cfd = accept(gListenFd, NULL, NULL);
|
|
if (cfd < 0) {
|
|
break;
|
|
}
|
|
ssl = SSL_new(ctx);
|
|
SSL_set_fd(ssl, cfd);
|
|
if (SSL_accept(ssl) == 1) {
|
|
char buf[1024];
|
|
(void)SSL_read(ssl, buf, sizeof(buf));
|
|
(void)SSL_write(ssl, response, (int)(sizeof(response) - 1));
|
|
SSL_shutdown(ssl);
|
|
}
|
|
SSL_free(ssl);
|
|
close(cfd);
|
|
}
|
|
SSL_CTX_free(ctx);
|
|
X509_free(cert);
|
|
EVP_PKEY_free(pkey);
|
|
return NULL;
|
|
}
|
|
|
|
|
|
int main(void) {
|
|
CalogContextT *ctx;
|
|
pthread_t server;
|
|
struct sockaddr_in addr;
|
|
socklen_t addrLen;
|
|
char script[512];
|
|
int port;
|
|
int yes;
|
|
int32_t i;
|
|
|
|
calog = calogCreate();
|
|
if (calog == NULL) {
|
|
printf("calog create failed\n");
|
|
return 1;
|
|
}
|
|
calogSetErrorHandler(calog, onError, NULL);
|
|
calogRegister(calog, "report", nativeReport, NULL);
|
|
calogRegister(calog, "done", nativeDone, NULL);
|
|
calogHttpRegister(calog);
|
|
for (i = 0; i < RESULT_SLOTS; i++) {
|
|
atomic_store(&results[i], -1);
|
|
}
|
|
|
|
gListenFd = socket(AF_INET, SOCK_STREAM, 0);
|
|
if (gListenFd < 0) {
|
|
printf("socket failed\n");
|
|
return 1;
|
|
}
|
|
yes = 1;
|
|
setsockopt(gListenFd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes));
|
|
memset(&addr, 0, sizeof(addr));
|
|
addr.sin_family = AF_INET;
|
|
addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
|
|
addr.sin_port = 0;
|
|
if (bind(gListenFd, (struct sockaddr *)&addr, sizeof(addr)) != 0 || listen(gListenFd, 4) != 0) {
|
|
printf("bind/listen failed\n");
|
|
return 1;
|
|
}
|
|
addrLen = sizeof(addr);
|
|
if (getsockname(gListenFd, (struct sockaddr *)&addr, &addrLen) != 0) {
|
|
printf("getsockname failed\n");
|
|
return 1;
|
|
}
|
|
port = (int)ntohs(addr.sin_port);
|
|
pthread_create(&server, NULL, serverThread, NULL);
|
|
|
|
snprintf(script, sizeof(script),
|
|
"local ok = pcall(function() return httpGet('https://127.0.0.1:%d/') end)\n"
|
|
"report(1, ok and 0 or 1)\n" // 1, a self-signed cert is rejected by default
|
|
"local r = httpRequest({url = 'https://127.0.0.1:%d/', insecure = true})\n"
|
|
"report(2, r.status)\n" // 200, insecure skips verification
|
|
"report(3, r.body == 'hello' and 1 or 0)\n" // 1, body over TLS
|
|
"done()", port, port);
|
|
|
|
ctx = calogContextOpen(calog, &calogLuaEngine);
|
|
calogContextEval(ctx, script);
|
|
pumpUntilDone(1);
|
|
|
|
pthread_join(server, NULL);
|
|
close(gListenFd);
|
|
|
|
CHECK(atomic_load(&results[1]) == 1, "httpGet rejects an untrusted self-signed certificate by default");
|
|
CHECK(atomic_load(&results[2]) == 200, "httpRequest with insecure=true completes the TLS request");
|
|
CHECK(atomic_load(&results[3]) == 1, "the body is delivered over TLS when verification is skipped");
|
|
CHECK(atomic_load(&errorCount) == 0, "no uncaught errors");
|
|
|
|
calogContextClose(ctx);
|
|
calogDestroy(calog);
|
|
|
|
printf("\n%d checks, %d failed\n", testsRun, testsFailed);
|
|
fflush(stdout);
|
|
if (testsFailed != 0) {
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|