1 files changed, 155 insertions, 0 deletions
diff --git a/src/testcurl/https/test_tls_options.c b/src/testcurl/https/test_tls_options.c
new file mode 100644
index 00000000..7dd01a72
--- /dev/null
+++ b/src/testcurl/https/test_tls_options.c
@@ -0,0 +1,155 @@
+/*
+  This file is part of libmicrohttpd
+  Copyright (C) 2007, 2010 Christian Grothoff
+  
+  libmicrohttpd is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 2, or (at your
+  option) any later version.
+  
+  libmicrohttpd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  
+  You should have received a copy of the GNU General Public License
+  along with libmicrohttpd; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+*/
+
+/**
+ * @file tls_daemon_options_test.c
+ * @brief  Testcase for libmicrohttpd HTTPS GET operations
+ * @author Sagie Amir
+ */
+
+#include "platform.h"
+#include "microhttpd.h"
+#include <sys/stat.h>
+#include <limits.h>
+#include <gcrypt.h>
+#include "tls_test_common.h"
+
+extern const char srv_key_pem[];
+extern const char srv_self_signed_cert_pem[];
+
+int curl_check_version (const char *req_version, ...);
+
+/**
+ * test server refuses to negotiate connections with unsupported protocol versions
+ *
+ */
+static int
+test_unmatching_ssl_version (void * cls, const char *cipher_suite,
+                             int curl_req_ssl_version)
+{
+  struct CBC cbc;
+  if (NULL == (cbc.buf = malloc (sizeof (char) * 256)))
+    {
+      fprintf (stderr, "Error: failed to allocate: %s\n",
+               strerror (errno));
+      return -1;
+    }
+  cbc.size = 256;
+  cbc.pos = 0;
+
+  char url[255];
+  if (gen_test_file_url (url, DEAMON_TEST_PORT))
+    {
+      free (cbc.buf);
+      fprintf (stderr, "Internal error in gen_test_file_url\n");
+      return -1;
+    }
+
+  /* assert daemon *rejected* request */
+  if (CURLE_OK ==
+      send_curl_req (url, &cbc, cipher_suite, curl_req_ssl_version))
+    {
+      free (cbc.buf);
+      fprintf (stderr, "cURL failed to reject request despite SSL version missmatch!\n");
+      return -1;
+    }
+
+  free (cbc.buf);
+  return 0;
+}
+
+
+/* setup a temporary transfer test file */
+int
+main (int argc, char *const *argv)
+{
+  unsigned int errorCount = 0;
+  const char *ssl_version;
+  int daemon_flags =
+    MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | MHD_USE_DEBUG;
+
+  gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+  gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+#ifdef GCRYCTL_INITIALIZATION_FINISHED
+  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+#endif
+ if (curl_check_version (MHD_REQ_CURL_VERSION))
+    {
+      return 0;
+    }
+  ssl_version = curl_version_info (CURLVERSION_NOW)->ssl_version;
+  if (NULL == ssl_version)
+  {
+    fprintf (stderr, "Curl does not support SSL.  Cannot run the test.\n");
+    return 0;
+  }
+  if (0 != strncmp (ssl_version, "GnuTLS", 6))
+  {
+    fprintf (stderr, "This test can be run only with libcurl-gnutls.\n");
+    return 0;
+  }
+
+  if (0 != curl_global_init (CURL_GLOBAL_ALL))
+    {
+      fprintf (stderr, "Error: %s\n", strerror (errno));
+      return 0; 
+    }
+
+  const char *aes128_sha = "AES128-SHA";
+  const char *aes256_sha = "AES256-SHA";
+  if (curl_uses_nss_ssl() == 0)
+    {
+      aes128_sha = "rsa_aes_128_sha";
+      aes256_sha = "rsa_aes_256_sha";
+    }
+  
+
+  if (0 != 
+    test_wrap ("TLS1.0-AES-SHA1",
+	       &test_https_transfer, NULL, daemon_flags,
+	       aes128_sha,
+	       CURL_SSLVERSION_TLSv1,
+	       MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+	       MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+	       MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
+	       MHD_OPTION_END))
+    {
+      fprintf (stderr, "TLS1.0-AES-SHA1 test failed\n");
+      errorCount++;
+    }
+  fprintf (stderr,
+	   "The following handshake should fail (and print an error message)...\n");
+  if (0 !=
+    test_wrap ("TLS1.0 vs SSL3",
+	       &test_unmatching_ssl_version, NULL, daemon_flags,
+	       aes256_sha,
+	       CURL_SSLVERSION_SSLv3,
+	       MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+	       MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+	       MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
+	       MHD_OPTION_END))
+    {
+      fprintf (stderr, "TLS1.0 vs SSL3 test failed\n");
+      errorCount++;
+    }
+  curl_global_cleanup ();
+
+  return errorCount != 0;
+}