blob: b70729c2b4edec33b03ef47a6d78fbb0c6795504 [file] [log] [blame]
Jim Kingb0b710a2015-07-28 13:31:27 -04001/*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19
20#define BOOST_TEST_MODULE SecurityTest
Konrad Grochowskie9bdb412015-09-25 20:17:36 +020021#include <boost/test/unit_test.hpp>
Jim Kingb0b710a2015-07-28 13:31:27 -040022#include <boost/filesystem.hpp>
23#include <boost/foreach.hpp>
24#include <boost/format.hpp>
Jim Kingb0b710a2015-07-28 13:31:27 -040025#include <boost/thread.hpp>
cyy316723a2019-01-05 16:35:14 +080026#include <memory>
Jim Kingb0b710a2015-07-28 13:31:27 -040027#include <thrift/transport/TSSLServerSocket.h>
28#include <thrift/transport/TSSLSocket.h>
29#include <thrift/transport/TTransport.h>
Jim Kingb0b710a2015-07-28 13:31:27 -040030#include <vector>
John Sirois9ed45e92016-02-11 11:53:05 -070031#ifdef __linux__
Jim Kingb0b710a2015-07-28 13:31:27 -040032#include <signal.h>
33#endif
34
35using apache::thrift::transport::TSSLServerSocket;
36using apache::thrift::transport::TServerTransport;
37using apache::thrift::transport::TSSLSocket;
38using apache::thrift::transport::TSSLSocketFactory;
39using apache::thrift::transport::TTransport;
40using apache::thrift::transport::TTransportException;
41using apache::thrift::transport::TTransportFactory;
42
cyy316723a2019-01-05 16:35:14 +080043using std::bind;
44using std::shared_ptr;
James E. King, III82ae9572017-08-05 12:23:54 -040045
Jim Kingb0b710a2015-07-28 13:31:27 -040046boost::filesystem::path keyDir;
47boost::filesystem::path certFile(const std::string& filename)
48{
49 return keyDir / filename;
50}
51boost::mutex gMutex;
52
53struct GlobalFixture
54{
55 GlobalFixture()
56 {
57 using namespace boost::unit_test::framework;
James E. King, III82ae9572017-08-05 12:23:54 -040058 for (int i = 0; i < master_test_suite().argc; ++i)
59 {
60 BOOST_TEST_MESSAGE(boost::format("argv[%1%] = \"%2%\"") % i % master_test_suite().argv[i]);
61 }
Jim Kingb0b710a2015-07-28 13:31:27 -040062
John Sirois9ed45e92016-02-11 11:53:05 -070063 #ifdef __linux__
James E. King, III82ae9572017-08-05 12:23:54 -040064 // OpenSSL calls send() without MSG_NOSIGPIPE so writing to a socket that has
65 // disconnected can cause a SIGPIPE signal...
66 signal(SIGPIPE, SIG_IGN);
Jim Kingb0b710a2015-07-28 13:31:27 -040067 #endif
68
James E. King, III82ae9572017-08-05 12:23:54 -040069 TSSLSocketFactory::setManualOpenSSLInitialization(true);
70 apache::thrift::transport::initializeOpenSSL();
Jim Kingb0b710a2015-07-28 13:31:27 -040071
James E. King, III82ae9572017-08-05 12:23:54 -040072 keyDir = boost::filesystem::current_path().parent_path().parent_path().parent_path() / "test" / "keys";
73 if (!boost::filesystem::exists(certFile("server.crt")))
74 {
75 keyDir = boost::filesystem::path(master_test_suite().argv[master_test_suite().argc - 1]);
76 if (!boost::filesystem::exists(certFile("server.crt")))
77 {
78 throw std::invalid_argument("The last argument to this test must be the directory containing the test certificate(s).");
79 }
80 }
Jim Kingb0b710a2015-07-28 13:31:27 -040081 }
82
83 virtual ~GlobalFixture()
84 {
James E. King, III82ae9572017-08-05 12:23:54 -040085 apache::thrift::transport::cleanupOpenSSL();
John Sirois9ed45e92016-02-11 11:53:05 -070086#ifdef __linux__
James E. King, III82ae9572017-08-05 12:23:54 -040087 signal(SIGPIPE, SIG_DFL);
Jim Kingb0b710a2015-07-28 13:31:27 -040088#endif
Jim Kingb0b710a2015-07-28 13:31:27 -040089 }
90};
91
Konrad Grochowskie9bdb412015-09-25 20:17:36 +020092#if (BOOST_VERSION >= 105900)
93BOOST_GLOBAL_FIXTURE(GlobalFixture);
94#else
Jim Kingb0b710a2015-07-28 13:31:27 -040095BOOST_GLOBAL_FIXTURE(GlobalFixture)
Konrad Grochowskie9bdb412015-09-25 20:17:36 +020096#endif
Jim Kingb0b710a2015-07-28 13:31:27 -040097
John Sirois9f0d9612016-02-12 16:15:43 -070098struct SecurityFixture
Jim Kingb0b710a2015-07-28 13:31:27 -040099{
100 void server(apache::thrift::transport::SSLProtocol protocol)
101 {
102 try
103 {
104 boost::mutex::scoped_lock lock(mMutex);
105
James E. King, III82ae9572017-08-05 12:23:54 -0400106 shared_ptr<TSSLSocketFactory> pServerSocketFactory;
107 shared_ptr<TSSLServerSocket> pServerSocket;
Jim Kingb0b710a2015-07-28 13:31:27 -0400108
109 pServerSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
110 pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
Antonio Di Monaco796667b2016-01-04 23:05:19 +0100111 pServerSocketFactory->loadCertificate(certFile("server.crt").string().c_str());
112 pServerSocketFactory->loadPrivateKey(certFile("server.key").string().c_str());
Jim Kingb0b710a2015-07-28 13:31:27 -0400113 pServerSocketFactory->server(true);
John Sirois9f0d9612016-02-12 16:15:43 -0700114 pServerSocket.reset(new TSSLServerSocket("localhost", 0, pServerSocketFactory));
James E. King, III82ae9572017-08-05 12:23:54 -0400115 shared_ptr<TTransport> connectedClient;
Jim Kingb0b710a2015-07-28 13:31:27 -0400116
117 try
118 {
119 pServerSocket->listen();
John Sirois9f0d9612016-02-12 16:15:43 -0700120 mPort = pServerSocket->getPort();
Jim Kingb0b710a2015-07-28 13:31:27 -0400121 mCVar.notify_one();
122 lock.unlock();
123
124 connectedClient = pServerSocket->accept();
125 uint8_t buf[2];
126 buf[0] = 'O';
127 buf[1] = 'K';
128 connectedClient->write(&buf[0], 2);
129 connectedClient->flush();
130 }
131
132 catch (apache::thrift::transport::TTransportException& ex)
133 {
134 boost::mutex::scoped_lock lock(gMutex);
Konrad Grochowskie9bdb412015-09-25 20:17:36 +0200135 BOOST_TEST_MESSAGE(boost::format("SRV %1% Exception: %2%") % boost::this_thread::get_id() % ex.what());
Jim Kingb0b710a2015-07-28 13:31:27 -0400136 }
137
138 if (connectedClient)
139 {
140 connectedClient->close();
141 connectedClient.reset();
142 }
143
144 pServerSocket->close();
145 pServerSocket.reset();
146 }
147 catch (std::exception& ex)
148 {
149 BOOST_FAIL(boost::format("%1%: %2%") % typeid(ex).name() % ex.what());
150 }
151 }
152
153 void client(apache::thrift::transport::SSLProtocol protocol)
154 {
155 try
156 {
James E. King, III82ae9572017-08-05 12:23:54 -0400157 shared_ptr<TSSLSocketFactory> pClientSocketFactory;
158 shared_ptr<TSSLSocket> pClientSocket;
Jim Kingb0b710a2015-07-28 13:31:27 -0400159
160 try
161 {
162 pClientSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
163 pClientSocketFactory->authenticate(true);
Antonio Di Monaco796667b2016-01-04 23:05:19 +0100164 pClientSocketFactory->loadCertificate(certFile("client.crt").string().c_str());
165 pClientSocketFactory->loadPrivateKey(certFile("client.key").string().c_str());
166 pClientSocketFactory->loadTrustedCertificates(certFile("CA.pem").string().c_str());
John Sirois9f0d9612016-02-12 16:15:43 -0700167 pClientSocket = pClientSocketFactory->createSocket("localhost", mPort);
Jim Kingb0b710a2015-07-28 13:31:27 -0400168 pClientSocket->open();
169
170 uint8_t buf[3];
171 buf[0] = 0;
172 buf[1] = 0;
173 BOOST_CHECK_EQUAL(2, pClientSocket->read(&buf[0], 2));
174 BOOST_CHECK_EQUAL(0, memcmp(&buf[0], "OK", 2));
175 mConnected = true;
176 }
177 catch (apache::thrift::transport::TTransportException& ex)
178 {
179 boost::mutex::scoped_lock lock(gMutex);
Konrad Grochowskie9bdb412015-09-25 20:17:36 +0200180 BOOST_TEST_MESSAGE(boost::format("CLI %1% Exception: %2%") % boost::this_thread::get_id() % ex.what());
Jim Kingb0b710a2015-07-28 13:31:27 -0400181 }
182
183 if (pClientSocket)
184 {
185 pClientSocket->close();
186 pClientSocket.reset();
187 }
188 }
189 catch (std::exception& ex)
190 {
191 BOOST_FAIL(boost::format("%1%: %2%") % typeid(ex).name() % ex.what());
192 }
193 }
194
195 static const char *protocol2str(size_t protocol)
196 {
197 static const char *strings[apache::thrift::transport::LATEST + 1] =
198 {
199 "SSLTLS",
200 "SSLv2",
201 "SSLv3",
202 "TLSv1_0",
203 "TLSv1_1",
204 "TLSv1_2"
205 };
206 return strings[protocol];
207 }
208
209 boost::mutex mMutex;
210 boost::condition_variable mCVar;
John Sirois9f0d9612016-02-12 16:15:43 -0700211 int mPort;
Jim Kingb0b710a2015-07-28 13:31:27 -0400212 bool mConnected;
213};
214
215BOOST_FIXTURE_TEST_SUITE(BOOST_TEST_MODULE, SecurityFixture)
216
217BOOST_AUTO_TEST_CASE(ssl_security_matrix)
218{
219 try
220 {
221 // matrix of connection success between client and server with different SSLProtocol selections
Marco Schroeter016dbac2019-08-21 16:13:23 +0200222 static_assert(apache::thrift::transport::LATEST == 5, "Mismatch in assumed number of ssl protocols");
Jim Kingb0b710a2015-07-28 13:31:27 -0400223 bool matrix[apache::thrift::transport::LATEST + 1][apache::thrift::transport::LATEST + 1] =
224 {
225 // server = SSLTLS SSLv2 SSLv3 TLSv1_0 TLSv1_1 TLSv1_2
226 // client
227 /* SSLTLS */ { true, false, false, true, true, true },
228 /* SSLv2 */ { false, false, false, false, false, false },
229 /* SSLv3 */ { false, false, true, false, false, false },
230 /* TLSv1_0 */ { true, false, false, true, false, false },
231 /* TLSv1_1 */ { true, false, false, false, true, false },
232 /* TLSv1_2 */ { true, false, false, false, false, true }
233 };
234
235 for (size_t si = 0; si <= apache::thrift::transport::LATEST; ++si)
236 {
237 for (size_t ci = 0; ci <= apache::thrift::transport::LATEST; ++ci)
238 {
239 if (si == 1 || ci == 1)
240 {
241 // Skip all SSLv2 cases - protocol not supported
242 continue;
243 }
244
Nobuaki Sukegawab8192602016-03-13 08:55:38 +0900245#ifdef OPENSSL_NO_SSL3
246 if (si == 2 || ci == 2)
247 {
248 // Skip all SSLv3 cases - protocol not supported
249 continue;
250 }
251#endif
252
Jim Kingb0b710a2015-07-28 13:31:27 -0400253 boost::mutex::scoped_lock lock(mMutex);
254
Konrad Grochowskie9bdb412015-09-25 20:17:36 +0200255 BOOST_TEST_MESSAGE(boost::format("TEST: Server = %1%, Client = %2%")
Jim Kingb0b710a2015-07-28 13:31:27 -0400256 % protocol2str(si) % protocol2str(ci));
257
258 mConnected = false;
James E. King, III533405e2017-10-28 18:25:45 -0400259 // thread_group manages the thread lifetime - ignore the return value of create_thread
Jim Kingb0b710a2015-07-28 13:31:27 -0400260 boost::thread_group threads;
James E. King, III533405e2017-10-28 18:25:45 -0400261 (void)threads.create_thread(bind(&SecurityFixture::server, this, static_cast<apache::thrift::transport::SSLProtocol>(si)));
Jim Kingb0b710a2015-07-28 13:31:27 -0400262 mCVar.wait(lock); // wait for listen() to succeed
263 lock.unlock();
James E. King, III533405e2017-10-28 18:25:45 -0400264 (void)threads.create_thread(bind(&SecurityFixture::client, this, static_cast<apache::thrift::transport::SSLProtocol>(ci)));
Jim Kingb0b710a2015-07-28 13:31:27 -0400265 threads.join_all();
266
267 BOOST_CHECK_MESSAGE(mConnected == matrix[ci][si],
268 boost::format(" Server = %1%, Client = %2% expected mConnected == %3% but was %4%")
269 % protocol2str(si) % protocol2str(ci) % matrix[ci][si] % mConnected);
270 }
271 }
272 }
273 catch (std::exception& ex)
274 {
275 BOOST_FAIL(boost::format("%1%: %2%") % typeid(ex).name() % ex.what());
276 }
277}
278
279BOOST_AUTO_TEST_SUITE_END()