authordl.meetei <dl.meetei>2014-07-15 18:43:39 +0000
committerdl.meetei <dl.meetei>2014-07-15 18:43:39 +0000
commit4d2476a38fe55006982e981f6c4e40aa0816df3e (patch)
tree6c8ae9af752be8ae4a610d3dc8ac1c6fcc1f9dbe
parent3c5742a7cfbe3b1a02a8eb4225e83b207e9dfb45 (diff)
BUG#: 9743
TITLE: [SSL]pegasus will not be NIST 800-131a compliant DESCRIPTION:
-rw-r--r--TestMakefile25
-rw-r--r--src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp132
-rw-r--r--src/Pegasus/Common/SSLContext.cpp11
-rw-r--r--src/Pegasus/Makefile1
-rw-r--r--src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile52
-rw-r--r--src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp171
-rw-r--r--src/Pegasus/msg/Server/pegasusServer_en.txt7
7 files changed, 266 insertions, 133 deletions
diff --git a/TestMakefile b/TestMakefile
index f42074e..97d33a9 100644
--- a/TestMakefile
+++ b/TestMakefile
@@ -313,6 +313,7 @@ endif
$(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_ExportClientSSL_TS1
$(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_Cimserver_Availability
$(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_sslCipherSuiteTests
+ $(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_TLSv1_2_tests
ifeq ($(PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER),true)
$(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_Cmpi_Sub
endif
@@ -724,7 +725,7 @@ endif
##
############################################################################
-SSL_CIPHER_SUITE_TEST_CONFIG_OPTIONS= enableHttpsConnection=true sslCipherSuite=HIGH
+SSL_CIPHER_SUITE_TEST_CONFIG_OPTIONS= enableHttpsConnection=true sslCipherSuite=HIGH
SSL_CIPHER_SUITE_TEST_CMDS= \
$(MAKE)@@--directory \
$(PEGASUS_ROOT)/src/Pegasus/Client/tests/SSLCipherVerification/ \
@@ -826,6 +827,28 @@ endif
###############################################################################
+###############################################################################
+## TLS v 1.2 support test as per NIST 800-131a
+##
+## Configuration Options: enableHttpsConnection=true sslCipherSuite = TLSv1.2
+##
+###############################################################################
+TLS_1_2_SUPPORT_CONFIG = enableHttpsConnection=true sslCipherSuite=TLSv1.2
+TLSv1_2_support_tests = \
+ $(MAKE)@@--directory=$(PEGASUS_ROOT)/src/Pegasus/Server/tests/TLSv_1_2_Support@@-f@@Makefile@@test_TLSv1_2
+
+ifdef PEGASUS_HAS_SSL
+run_TLSv1_2_tests:
+ $(MAKE) -f $(PEGASUS_ROOT)/TestMakefile runTestSuite \
+ CIMSERVER_CONFIG_OPTIONS="$(TLS_1_2_SUPPORT_CONFIG)" \
+ TESTSUITE_CMDS="$(TLSv1_2_support_tests)"
+else
+run_TLSv1_2_tests: FORCE
+ @ $(ECHO) "+++++ PEGASUS_HAS_SSL not defined: Skipping TLSv 1.2 support tests"
+endif
+
+###############################################################################
+
###############################################################################
## idleConnectionTimeout Test Suite 1: uses ChunkingStressProvider Tests
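Review bot: The header comment of the new TLS 1.2 block spells the setting as `sslCipherSuite = TLSv1.2` while the config line two lines below passes `sslCipherSuite=TLSv1.2`; the comment should match the exact form that is handed to cimserver so nobody copies the spaced variant into a config file. It is also worth stating in that comment that `TLSv1.2` is an OpenSSL cipher-list keyword (it selects suites that require TLS 1.2) and that the protocol restriction itself comes from the sslBackwardCompatibility path in SSLContext.cpp, since a reader could otherwise assume the cipher-suite option alone pins the protocol version. Suggested comment: `## Configuration Options: enableHttpsConnection=true sslCipherSuite=TLSv1.2` followed by `## (TLSv1.2 is an OpenSSL cipher-list keyword; protocol pinning is done by SSLContext when sslBackwardCompatibility=false)`.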
diff --git a/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp b/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp
index 981c8c1..80ee508 100644
--- a/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp
+++ b/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp
@@ -50,7 +50,6 @@ const CIMNamespaceName NAMESPACE = CIMNamespaceName("root/cimv2");
*/
#ifdef PEGASUS_HAS_SSL
-
void _SslCipherTest(String &host , Uint32 &port, String &randPath)
{
@@ -115,138 +114,10 @@ void _SslCipherTest(String &host , Uint32 &port, String &randPath)
}
+#endif
-void _SslCipherAndPrtocolTest(String &host , Uint32 &port, String &randPath)
-{
-
- String trustStorePath;
- String certPath;
- String keyPath;
- String cipherSuite = "LOW";
- Boolean sslCompatibility = false;
- AutoPtr<CIMClient> cc(new CIMClient);
-
- try
- {
- AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath,
- certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
- sslCompatibility));
-
- if (sslContext.get())
- {
- cc->connect (host, port, *sslContext, "", "");
- //
- //Unreachable when server is started with correct versions
- //Otherwise it informs that server is not started properly
- //
- PEGASUS_TEST_ASSERT( 0 &&
- (bool)"cimserver not started with sslCipherSuite=HIGH");
- }
- }
- catch(Exception &e)
- {
- cout << "SSLCipherTest Expected exception: "<< e.getMessage() << endl;
- cout << "Test passed. Connecting with cipher list " << cipherSuite
- << " and protocol TLS1.2 failed " << endl;
- }
-
- cipherSuite = "LOW";
- sslCompatibility = true;
- try
- {
- AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath,
- certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
- sslCompatibility));
-
- if (sslContext.get())
- {
- cc->connect (host, port, *sslContext, "", "");
- //
- //Unreachable when server is started with correct versions
- //Otherwise it informs that server is not started properly
- //
- PEGASUS_TEST_ASSERT( 0 &&
- (bool)"cimserver not started with sslCipherSuite=HIGH");
- }
- }
- catch(Exception &e)
- {
- cout << "SSLCipherTest Expected exception: "<< e.getMessage() << endl;
- cout << "Test passed. Connecting with cipher list " << cipherSuite
- << " and protocol SSLv3 and TLSv1 failed " << endl;
- }
-
-
-
-
- cipherSuite = "HIGH";
- sslCompatibility = false;
-
- try
- {
-
- AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath,
- certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
- sslCompatibility));
- if (sslContext.get())
- {
- cc->connect (host, port, *sslContext, "", "");
- //
- // Do a generic call. We have to do this call to test whether or
- // not we get 401'ed.
- //
- CIMClass cimClass = cc->getClass(CIMNamespaceName("root/cimv2"),
- CIMName ("CIM_ManagedElement"), true, false, false,
- CIMPropertyList());
- cc->disconnect();
- }
- }
- catch(Exception &e)
- {
- cerr << "SSLCipherTest Error: "<< e.getMessage() << endl;
- PEGASUS_TEST_ASSERT(0);
- }
-
- cout << "Test passed. Connecting with cipher list " << cipherSuite
- << " and TLS1.2" << endl;
-
- cipherSuite = "HIGH";
- sslCompatibility = true;
-
- try
- {
-
- AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath,
- certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
- sslCompatibility));
- if (sslContext.get())
- {
- cc->connect (host, port, *sslContext, "", "");
- //
- // Do a generic call. We have to do this call to test whether or
- // not we get 401'ed.
- //
- CIMClass cimClass = cc->getClass(CIMNamespaceName("root/cimv2"),
- CIMName ("CIM_ManagedElement"), true, false, false,
- CIMPropertyList());
- cc->disconnect();
- }
- }
- catch(Exception &e)
- {
- cerr << "SSLCipherTest Error: "<< e.getMessage() << endl;
- PEGASUS_TEST_ASSERT(0);
- }
-
- cout << "Test passed. Connecting with cipher list " << cipherSuite
- << " and protocol SSLv3 and TLSv1" << endl;
-
-
-
-}
-#endif
int main()
{
@@ -265,7 +136,6 @@ int main()
# endif
_SslCipherTest(host , port, randPath);
- _SslCipherAndPrtocolTest( host , port, randPath);
cout << "+++++ passed all tests" << endl;
diff --git a/src/Pegasus/Common/SSLContext.cpp b/src/Pegasus/Common/SSLContext.cpp
index ff0397b..78e531e 100644
--- a/src/Pegasus/Common/SSLContext.cpp
+++ b/src/Pegasus/Common/SSLContext.cpp
@@ -540,7 +540,7 @@ SSLContextRep::SSLContextRep(
// If a truststore and/or peer verification function is specified,
// enable peer verification
//
- _verifyPeer = (trustStore != String::EMPTY || verifyCert != NULL);
+ _verifyPeer = (trustStore.size() != 0 || verifyCert != NULL);
_randomInit(randomFile);
@@ -733,9 +733,18 @@ SSL_CTX* SSLContextRep::_makeSSLContext()
// TLS v1.0, TLSv1.1)
options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_SSLv3;
+#else
+ PEG_METHOD_EXIT();
+ MessageLoaderParms parms(
+ " Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED",
+ "TLSv1.2 protocol support is not detected on this system. "
+ " To run in less secured mode, set sslBackwardCompatibility=true"
+ " in planned config file and start cimserver.");
+ throw SSLException(parms);
#endif
}
+ // sslv2 is off permanently even if sslCompatibility is true
options |= SSL_OP_NO_SSLv2;
SSL_CTX_set_options(sslContext, options);
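Review bot: The message key on the new `#else` branch carries a leading space, `" Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED"`, so it will not match the `Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED` entry this commit adds to pegasusServer_en.txt and the catalog text with its PGS09213 id would presumably never be used; the literal should be `"Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED"`. The fallback string also joins its fragments with doubled spaces (`"system. "` followed by `" To run"`, and `"true"` followed by `" in planned"`). Separately, `sslContext` already exists when this branch throws (it is passed to `SSL_CTX_set_options` right after the `#endif`), so unless a caller frees it the new throw path leaks the SSL_CTX; adding `SSL_CTX_free(sslContext);` before `throw SSLException(parms);` would close that. Failing closed here instead of silently negotiating TLS 1.0/1.1 is the right default for the stated NIST 800-131a goal. The allocation of sslContext and the rest of _makeSSLContext are outside this hunk.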
diff --git a/src/Pegasus/Makefile b/src/Pegasus/Makefile
index 26303b9..6072553 100644
--- a/src/Pegasus/Makefile
+++ b/src/Pegasus/Makefile
@@ -230,6 +230,7 @@ endif
TEST_DIRS += \
Server/tests \
Server/tests/InterfaceRestriction \
+ Server/tests/TLSv_1_2_Support \
Handler/CIMxmlIndicationHandler/tests/Destination \
Handler/FileURIHandler/tests
diff --git a/src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile b/src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile
new file mode 100644
index 0000000..ed9dbc7
--- /dev/null
+++ b/src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile
@@ -0,0 +1,52 @@
+#//%LICENSE////////////////////////////////////////////////////////////////
+#//
+#// Licensed to The Open Group (TOG) under one or more contributor license
+#// agreements. Refer to the OpenPegasusNOTICE.txt file distributed with
+#// this work for additional information regarding copyright ownership.
+#// Each contributor licenses this file to you under the OpenPegasus Open
+#// Source License; you may not use this file except in compliance with the
+#// License.
+#//
+#// Permission is hereby granted, free of charge, to any person obtaining a
+#// copy of this software and associated documentation files (the "Software"),
+#// to deal in the Software without restriction, including without limitation
+#// the rights to use, copy, modify, merge, publish, distribute, sublicense,
+#// and/or sell copies of the Software, and to permit persons to whom the
+#// Software is furnished to do so, subject to the following conditions:
+#//
+#// The above copyright notice and this permission notice shall be included
+#// in all copies or substantial portions of the Software.
+#//
+#// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+#// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+#// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+#// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+#// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+#// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+#// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#//
+#//////////////////////////////////////////////////////////////////////////
+ROOT = ../../../../..
+
+DIR = Pegasus/Server/tests/TLSv_1_2_Support
+
+include $(ROOT)/mak/config.mak
+
+include ../libraries.mak
+
+LOCAL_DEFINES = -DPEGASUS_INTERNALONLY
+
+PROGRAM = TestTLSv1_2_Support
+
+SOURCES = TestTLSv1_2_Support.cpp
+
+include $(ROOT)/mak/program.mak
+
+
+tests:
+
+test_TLSv1_2:
+ $(PROGRAM)
+
+poststarttests:
+
diff --git a/src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp b/src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp
new file mode 100644
index 0000000..990a7c7
--- /dev/null
+++ b/src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp
@@ -0,0 +1,171 @@
+//%LICENSE////////////////////////////////////////////////////////////////
+//
+// Licensed to The Open Group (TOG) under one or more contributor license
+// agreements. Refer to the OpenPegasusNOTICE.txt file distributed with
+// this work for additional information regarding copyright ownership.
+// Each contributor licenses this file to you under the OpenPegasus Open
+// Source License; you may not use this file except in compliance with the
+// License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the "Software"),
+// to deal in the Software without restriction, including without limitation
+// the rights to use, copy, modify, merge, publish, distribute, sublicense,
+// and/or sell copies of the Software, and to permit persons to whom the
+// Software is furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+//////////////////////////////////////////////////////////////////////////
+
+#include <Pegasus/Common/Config.h>
+#include <Pegasus/Common/PegasusAssert.h>
+#include <Pegasus/Client/CIMClient.h>
+#include <Pegasus/Common/Constants.h>
+#include <Pegasus/Common/System.h>
+#include <Pegasus/Common/FileSystem.h>
+#include <Pegasus/Common/AutoPtr.h>
+
+
+#include <openssl/tls1.h>
+
+PEGASUS_USING_PEGASUS;
+PEGASUS_USING_STD;
+
+const CIMNamespaceName NAMESPACE = CIMNamespaceName("root/cimv2");
+
+/*
+ * This tests the TLSv1.2 support in pegasus
+ *
+ * The cimserver must be configured as following to test this:
+ *
+ * enableHttpsConnection=true and sslCipherSuite = TLSv1.2
+ *
+ */
+
+#ifdef PEGASUS_HAS_SSL
+
+void _testTLS1_2_support(String &host , Uint32 &port, String &randPath)
+{
+
+//A rudimentary way to detect TLS1_2 support on openSSL and hence on pegasus
+#ifdef TLS1_2_VERSION
+
+ String trustStorePath;
+ String certPath;
+ String keyPath;
+ String cipherSuite = "SSLv3";
+ Boolean sslCompatibility = false;
+ AutoPtr<CIMClient> cc(new CIMClient);
+
+ try
+ {
+ AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath,
+ certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
+ sslCompatibility));
+
+ if (sslContext.get())
+ {
+ cc->connect (host, port, *sslContext, "", "");
+ //
+ //Unreachable when server is started with correct versions
+ //Otherwise it informs that server is not started properly
+ //
+ PEGASUS_TEST_ASSERT( 0 &&
+ (bool)"cimserver not started with sslCipherSuite=TLSv1.2");
+ }
+ }
+ catch(CannotConnectException &e)
+ {
+ cout << "SSLCipherTest Expected exception: "<< e.getMessage() << endl;
+ cout << "Test passed: Connecting with cipher list: " << cipherSuite
+ << " and TLS1.2 as expected" << endl;
+ }
+ catch(Exception &e)
+ {
+ cerr << "SSLCipherTest Failed: "<< e.getMessage() << endl;
+ PEGASUS_TEST_ASSERT(0 && (bool)"Got unexpected Exception, Aborting");
+ }
+
+
+ cipherSuite = "TLSv1.2";
+ try
+ {
+
+ AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath,
+ certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
+ sslCompatibility));
+ if (sslContext.get())
+ {
+ cc->connect (host, port, *sslContext, "", "");
+ //
+ // Do a generic call. We have to do this call to test whether or
+ // not we get 401'ed.
+ //
+ CIMClass cimClass = cc->getClass(CIMNamespaceName("root/cimv2"),
+ CIMName ("CIM_ManagedElement"), true, false, false,
+ CIMPropertyList());
+ cc->disconnect();
+ }
+ }
+ catch(Exception &e)
+ {
+ cerr << "SSLCipherTest Error: "<< e.getMessage() << endl;
+ PEGASUS_TEST_ASSERT(0);
+ }
+
+ cout << "Test passed: Connecting with cipher list: " << cipherSuite
+ << " and TLS1.2" << endl;
+#else
+ //Hacks to stop unused param warning while compiling
+ PEGASUS_TEST_ASSERT( host == host);
+ PEGASUS_TEST_ASSERT( port == port);
+ PEGASUS_TEST_ASSERT( randPath == randPath);
+
+ cout << "TLSv1.2 is not supported on this build of pegasus. Upgrade openssl"
+ << " skipping TLSv1.2 support tests" << endl;
+#endif
+}
+
+#endif
+
+int main()
+{
+
+#ifdef PEGASUS_HAS_SSL
+ String host = System::getHostName();
+ Uint32 port = System::lookupPort(
+ WBEM_HTTPS_SERVICE_NAME, WBEM_DEFAULT_HTTPS_PORT);
+
+ String randPath;
+# ifdef PEGASUS_SSL_RANDOMFILE
+ const char* pegasusHome = getenv("PEGASUS_HOME");
+ randPath = FileSystem::getAbsolutePath(
+ pegasusHome, PEGASUS_SSLCLIENT_RANDOMFILE);
+# endif
+
+ _testTLS1_2_support( host , port, randPath);
+
+ cout << "+++++ passed all tests" << endl;
+
+ return 0;
+
+#endif
+
+ //
+ // This returns a false positive result.
+ // But we should never get here since this test is only run if
+ // PEGASUS_HAS_SSL is defined.
+ //
+
+ return 0;
+}
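Review bot: `#include <openssl/tls1.h>` near the top of the new file sits outside the `#ifdef PEGASUS_HAS_SSL` guard that wraps everything else, while src/Pegasus/Makefile adds this directory to TEST_DIRS unconditionally, so a build without OpenSSL headers would presumably fail to compile this test; wrapping the include as `#ifdef PEGASUS_HAS_SSL` / `#include <openssl/tls1.h>` / `#endif` keeps the non-SSL build clean. In the `#else` branch of the `TLS1_2_VERSION` check, `PEGASUS_TEST_ASSERT( host == host)` and its two siblings are assertions standing in for unused-parameter suppression; `(void)host; (void)port; (void)randPath;` states the intent without evaluating String comparisons. The log prefixes `SSLCipherTest ...` were carried over from SSLCipherVerification.cpp and would be clearer as `TLSv1.2 test ...` so the two suites can be told apart in test output. A short comment on the first try block, `// "SSLv3" selects pre-TLS1.2 cipher suites; the server configured with sslCipherSuite=TLSv1.2 must refuse this handshake`, would explain why a CannotConnectException is the expected outcome there.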
diff --git a/src/Pegasus/msg/Server/pegasusServer_en.txt b/src/Pegasus/msg/Server/pegasusServer_en.txt
index 09fba54..32a60c5 100644
--- a/src/Pegasus/msg/Server/pegasusServer_en.txt
+++ b/src/Pegasus/msg/Server/pegasusServer_en.txt
@@ -3564,6 +3564,13 @@ en:table {
*/
Common.SSLContext.COULD_NOT_ACCESS_SERVER_CERTIFICATE:string {"PGS09212: Could not access server certificate in {0}."}
+ /**
+ * @note PGS09213:
+ * Do not translate 'sslBackwardCompatibility=true' since it is a configuration setting
+ */
+ Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED:string {"PGS09213: TLSv1.2 protocol support is not detected on this system. To run in less secured mode, set sslBackwardCompatibility=true in planned config file and start cimserver."}
+
+
// ==========================================================
// Messages for TraceFileHandler
// Please use message prefix "PGS09400"