blob: 65ec8b6a26a319e451dff237e869765ca514992c [file] [log] [blame]
Mario Emmenlauer0f14e2f2019-10-15 11:25:10 +02001/*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19
20#define BOOST_TEST_MODULE SecurityFromBufferTest
21#include <boost/filesystem.hpp>
22#include <boost/foreach.hpp>
23#include <boost/format.hpp>
24#include <boost/test/unit_test.hpp>
25#include <boost/thread.hpp>
26#include <stdexcept>
27#include <fstream>
28#include <memory>
Tobias Mayer0d95b8c2023-03-10 09:02:38 +010029#include <openssl/opensslv.h>
Mario Emmenlauer0f14e2f2019-10-15 11:25:10 +020030#include <thrift/transport/TSSLServerSocket.h>
31#include <thrift/transport/TSSLSocket.h>
32#include <thrift/transport/TTransport.h>
33#include <vector>
Mario Emmenlauer29b083e2018-07-05 14:09:27 +020034#ifdef HAVE_SIGNAL_H
Mario Emmenlauer0f14e2f2019-10-15 11:25:10 +020035#include <signal.h>
36#endif
37
38using apache::thrift::transport::TServerTransport;
39using apache::thrift::transport::TSSLServerSocket;
40using apache::thrift::transport::TSSLSocket;
41using apache::thrift::transport::TSSLSocketFactory;
42using apache::thrift::transport::TTransport;
43using apache::thrift::transport::TTransportException;
44using apache::thrift::transport::TTransportFactory;
45
46using std::bind;
47using std::shared_ptr;
48
49boost::filesystem::path keyDir;
50boost::filesystem::path certFile(const std::string& filename) {
51 return keyDir / filename;
52}
53std::string certString(const std::string& filename) {
54 std::ifstream ifs(certFile(filename).string());
55 if(!ifs.is_open() || !ifs.good()) {
56 throw(std::runtime_error("Failed to open key file " + filename + " for reading"));
57 }
58 std::stringstream buffer;
59 buffer << ifs.rdbuf();
60 return buffer.str();
61}
62boost::mutex gMutex;
63
64struct GlobalFixture {
65 GlobalFixture() {
66 using namespace boost::unit_test::framework;
67 for (int i = 0; i < master_test_suite().argc; ++i) {
68 BOOST_TEST_MESSAGE(boost::format("argv[%1%] = \"%2%\"") % i % master_test_suite().argv[i]);
69 }
70
71#ifdef __linux__
72 // OpenSSL calls send() without MSG_NOSIGPIPE so writing to a socket that has
73 // disconnected can cause a SIGPIPE signal...
74 signal(SIGPIPE, SIG_IGN);
75#endif
76
77 TSSLSocketFactory::setManualOpenSSLInitialization(true);
78 apache::thrift::transport::initializeOpenSSL();
79
80 keyDir = boost::filesystem::current_path().parent_path().parent_path().parent_path() / "test" / "keys";
81 if (!boost::filesystem::exists(certFile("server.crt"))) {
82 keyDir = boost::filesystem::path(master_test_suite().argv[master_test_suite().argc - 1]);
83 if (!boost::filesystem::exists(certFile("server.crt"))) {
84 throw std::invalid_argument("The last argument to this test must be the directory containing the test certificate(s).");
85 }
86 }
87 }
88
89 virtual ~GlobalFixture() {
90 apache::thrift::transport::cleanupOpenSSL();
91#ifdef __linux__
92 signal(SIGPIPE, SIG_DFL);
93#endif
94 }
95};
96
97#if (BOOST_VERSION >= 105900)
98BOOST_GLOBAL_FIXTURE(GlobalFixture);
99#else
100BOOST_GLOBAL_FIXTURE(GlobalFixture)
101#endif
102
103struct SecurityFromBufferFixture {
104 void server(apache::thrift::transport::SSLProtocol protocol) {
105 try {
106 boost::mutex::scoped_lock lock(mMutex);
107
108 shared_ptr<TSSLSocketFactory> pServerSocketFactory;
109 shared_ptr<TSSLServerSocket> pServerSocket;
110
111 pServerSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
112 pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
113 pServerSocketFactory->loadCertificateFromBuffer(certString("server.crt").c_str());
114 pServerSocketFactory->loadPrivateKeyFromBuffer(certString("server.key").c_str());
115 pServerSocketFactory->server(true);
116 pServerSocket.reset(new TSSLServerSocket("localhost", 0, pServerSocketFactory));
117 shared_ptr<TTransport> connectedClient;
118
119 try {
120 pServerSocket->listen();
121 mPort = pServerSocket->getPort();
122 mCVar.notify_one();
123 lock.unlock();
124
125 connectedClient = pServerSocket->accept();
126 uint8_t buf[2];
127 buf[0] = 'O';
128 buf[1] = 'K';
129 connectedClient->write(&buf[0], 2);
130 connectedClient->flush();
131 }
132
133 catch (apache::thrift::transport::TTransportException& ex) {
134 boost::mutex::scoped_lock lock(gMutex);
135 BOOST_TEST_MESSAGE(boost::format("SRV %1% Exception: %2%") % boost::this_thread::get_id() % ex.what());
136 }
137
138 if (connectedClient) {
139 connectedClient->close();
140 connectedClient.reset();
141 }
142
143 pServerSocket->close();
144 pServerSocket.reset();
145 } catch (std::exception& ex) {
146 BOOST_FAIL(boost::format("%1%: %2%") % typeid(ex).name() % ex.what());
147 }
148 }
149
150 void client(apache::thrift::transport::SSLProtocol protocol) {
151 try {
152 shared_ptr<TSSLSocketFactory> pClientSocketFactory;
153 shared_ptr<TSSLSocket> pClientSocket;
154
155 try {
156 pClientSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
157 pClientSocketFactory->authenticate(true);
158 pClientSocketFactory->loadCertificateFromBuffer(certString("client.crt").c_str());
159 pClientSocketFactory->loadPrivateKeyFromBuffer(certString("client.key").c_str());
160 pClientSocketFactory->loadTrustedCertificatesFromBuffer(certString("CA.pem").c_str());
161 pClientSocket = pClientSocketFactory->createSocket("localhost", mPort);
162 pClientSocket->open();
163
164 uint8_t buf[3];
165 buf[0] = 0;
166 buf[1] = 0;
167 BOOST_CHECK_EQUAL(2, pClientSocket->read(&buf[0], 2));
168 BOOST_CHECK_EQUAL(0, memcmp(&buf[0], "OK", 2));
169 mConnected = true;
170 } catch (apache::thrift::transport::TTransportException& ex) {
171 boost::mutex::scoped_lock lock(gMutex);
172 BOOST_TEST_MESSAGE(boost::format("CLI %1% Exception: %2%") % boost::this_thread::get_id() % ex.what());
173 }
174
175 if (pClientSocket) {
176 pClientSocket->close();
177 pClientSocket.reset();
178 }
179 } catch (std::exception& ex) {
180 BOOST_FAIL(boost::format("%1%: %2%") % typeid(ex).name() % ex.what());
181 }
182 }
183
184 static const char* protocol2str(size_t protocol) {
185 static const char* strings[apache::thrift::transport::LATEST + 1]
186 = {"SSLTLS", "SSLv2", "SSLv3", "TLSv1_0", "TLSv1_1", "TLSv1_2"};
187 return strings[protocol];
188 }
189
190 boost::mutex mMutex;
191 boost::condition_variable mCVar;
192 int mPort;
193 bool mConnected;
194};
195
196BOOST_FIXTURE_TEST_SUITE(BOOST_TEST_MODULE, SecurityFromBufferFixture)
197
198BOOST_AUTO_TEST_CASE(ssl_security_matrix) {
199 try {
200 // matrix of connection success between client and server with different SSLProtocol selections
201 static_assert(apache::thrift::transport::LATEST == 5, "Mismatch in assumed number of ssl protocols");
Mario Emmenlauer5f87b832023-10-09 14:42:27 +0200202 bool ossl1 = (OPENSSL_VERSION_NUMBER < 0x30000000L);
Mario Emmenlauer0f14e2f2019-10-15 11:25:10 +0200203 bool matrix[apache::thrift::transport::LATEST + 1][apache::thrift::transport::LATEST + 1] =
204 {
205 // server = SSLTLS SSLv2 SSLv3 TLSv1_0 TLSv1_1 TLSv1_2
206 // client
Tobias Mayer05604e22023-02-18 14:50:15 +0100207 /* SSLTLS */ { true, false, false, ossl1, ossl1, true },
Mario Emmenlauer0f14e2f2019-10-15 11:25:10 +0200208 /* SSLv2 */ { false, false, false, false, false, false },
209 /* SSLv3 */ { false, false, true, false, false, false },
Tobias Mayer05604e22023-02-18 14:50:15 +0100210 /* TLSv1_0 */ { ossl1, false, false, ossl1, false, false },
211 /* TLSv1_1 */ { ossl1, false, false, false, ossl1, false },
Mario Emmenlauer0f14e2f2019-10-15 11:25:10 +0200212 /* TLSv1_2 */ { true, false, false, false, false, true }
213 };
214
215 for (size_t si = 0; si <= apache::thrift::transport::LATEST; ++si) {
216 for (size_t ci = 0; ci <= apache::thrift::transport::LATEST; ++ci) {
217 if (si == 1 || ci == 1) {
218 // Skip all SSLv2 cases - protocol not supported
219 continue;
220 }
221
222#ifdef OPENSSL_NO_SSL3
223 if (si == 2 || ci == 2) {
224 // Skip all SSLv3 cases - protocol not supported
225 continue;
226 }
227#endif
228
229 boost::mutex::scoped_lock lock(mMutex);
230
231 BOOST_TEST_MESSAGE(boost::format("TEST: Server = %1%, Client = %2%") % protocol2str(si)
232 % protocol2str(ci));
233
234 mConnected = false;
235 // thread_group manages the thread lifetime - ignore the return value of create_thread
236 boost::thread_group threads;
237 (void)threads.create_thread(bind(&SecurityFromBufferFixture::server, this,
238 static_cast<apache::thrift::transport::SSLProtocol>(si)));
239 mCVar.wait(lock); // wait for listen() to succeed
240 lock.unlock();
241 (void)threads.create_thread(bind(&SecurityFromBufferFixture::client, this,
242 static_cast<apache::thrift::transport::SSLProtocol>(ci)));
243 threads.join_all();
244
245 BOOST_CHECK_MESSAGE(mConnected == matrix[ci][si],
246 boost::format(" Server = %1%, Client = %2% expected mConnected == %3% but was %4%")
247 % protocol2str(si) % protocol2str(ci) % matrix[ci][si] % mConnected);
248 }
249 }
250 } catch (std::exception& ex) {
251 BOOST_FAIL(boost::format("%1%: %2%") % typeid(ex).name() % ex.what());
252 }
253}
254
255BOOST_AUTO_TEST_SUITE_END()