author | dl.meetei <dl.meetei> | 2014-07-15 18:43:39 +0000 |
---|---|---|
committer | dl.meetei <dl.meetei> | 2014-07-15 18:43:39 +0000 |
commit | 4d2476a38fe55006982e981f6c4e40aa0816df3e (patch) | |
tree | 6c8ae9af752be8ae4a610d3dc8ac1c6fcc1f9dbe | |
parent | 3c5742a7cfbe3b1a02a8eb4225e83b207e9dfb45 (diff) | |
BUG#: 9743
TITLE: [SSL]pegasus will not be NIST 800-131a compliant
DESCRIPTION:
-rw-r--r-- | TestMakefile | 25 | ||||
-rw-r--r-- | src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp | 132 | ||||
-rw-r--r-- | src/Pegasus/Common/SSLContext.cpp | 11 | ||||
-rw-r--r-- | src/Pegasus/Makefile | 1 | ||||
-rw-r--r-- | src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile | 52 | ||||
-rw-r--r-- | src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp | 171 | ||||
-rw-r--r-- | src/Pegasus/msg/Server/pegasusServer_en.txt | 7 |
7 files changed, 266 insertions, 133 deletions
diff --git a/TestMakefile b/TestMakefile index f42074e..97d33a9 100644 --- a/TestMakefile +++ b/TestMakefile @@ -313,6 +313,7 @@ endif $(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_ExportClientSSL_TS1 $(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_Cimserver_Availability $(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_sslCipherSuiteTests + $(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_TLSv1_2_tests ifeq ($(PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER),true) $(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_Cmpi_Sub endif @@ -724,7 +725,7 @@ endif ## ############################################################################ -SSL_CIPHER_SUITE_TEST_CONFIG_OPTIONS= enableHttpsConnection=true sslCipherSuite=HIGH +SSL_CIPHER_SUITE_TEST_CONFIG_OPTIONS= enableHttpsConnection=true sslCipherSuite=HIGH SSL_CIPHER_SUITE_TEST_CMDS= \ $(MAKE)@@--directory \ $(PEGASUS_ROOT)/src/Pegasus/Client/tests/SSLCipherVerification/ \ 
@@ -826,6 +827,28 @@ endif ############################################################################### +############################################################################### +## TLS v 1.2 support test as per NIST 800-131a +## +## Configuration Options: enableHttpsConnection=true sslCipherSuite = TLSv1.2 +## +############################################################################### +TLS_1_2_SUPPORT_CONFIG = enableHttpsConnection=true sslCipherSuite=TLSv1.2 +TLSv1_2_support_tests = \ + $(MAKE)@@--directory=$(PEGASUS_ROOT)/src/Pegasus/Server/tests/TLSv_1_2_Support@@-f@@Makefile@@test_TLSv1_2 + +ifdef PEGASUS_HAS_SSL +run_TLSv1_2_tests: + $(MAKE) -f $(PEGASUS_ROOT)/TestMakefile runTestSuite \ + CIMSERVER_CONFIG_OPTIONS="$(TLS_1_2_SUPPORT_CONFIG)" \ + TESTSUITE_CMDS="$(TLSv1_2_support_tests)" +else +run_TLSv1_2_tests: FORCE + @ $(ECHO) "+++++ PEGASUS_HAS_SSL not defined: Skipping TLSv 1.2 support tests" +endif + +############################################################################### + ############################################################################### ## idleConnectionTimeout Test Suite 1: uses ChunkingStressProvider Tests diff --git a/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp b/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp index 981c8c1..80ee508 100644 --- a/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp +++ b/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp @@ -50,7 +50,6 @@ const CIMNamespaceName NAMESPACE = CIMNamespaceName("root/cimv2"); */ #ifdef PEGASUS_HAS_SSL - void _SslCipherTest(String &host , Uint32 &port, String &randPath) { 
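Review bot: `run_TLSv1_2_tests` is gated only on `PEGASUS_HAS_SSL`, but the suite starts cimserver with `sslCipherSuite=TLSv1.2` and, if I read the SSLContext.cpp hunk in this commit correctly, an OpenSSL build without TLSv1.2 makes `_makeSSLContext` throw at startup, so on such a build `runTestSuite` fails before `TestTLSv1_2_Support` ever reaches its own skip message. Either skip the target as well when the OpenSSL build lacks TLSv1.2, or state the requirement in the new header comment, e.g. `## Requires an OpenSSL build with TLSv1.2; otherwise cimserver refuses to start with sslBackwardCompatibility=false`. The header comment's `sslCipherSuite = TLSv1.2` also has spaces around `=` that the real `TLS_1_2_SUPPORT_CONFIG` value does not; align it so nobody copies the wrong form into a config file.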
@@ -115,138 +114,10 @@ void _SslCipherTest(String &host , Uint32 &port, String &randPath) } +#endif -void _SslCipherAndPrtocolTest(String &host , Uint32 &port, String &randPath) -{ - - String trustStorePath; - String certPath; - String keyPath; - String cipherSuite = "LOW"; - Boolean sslCompatibility = false; - AutoPtr<CIMClient> cc(new CIMClient); - - try - { - AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath, - certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite, - sslCompatibility)); - - if (sslContext.get()) - { - cc->connect (host, port, *sslContext, "", ""); - // - //Unreachable when server is started with correct versions - //Otherwise it informs that server is not started properly - // - PEGASUS_TEST_ASSERT( 0 && - (bool)"cimserver not started with sslCipherSuite=HIGH"); - } - } - catch(Exception &e) - { - cout << "SSLCipherTest Expected exception: "<< e.getMessage() << endl; - cout << "Test passed. Connecting with cipher list " << cipherSuite - << " and protocol TLS1.2 failed " << endl; - } - - cipherSuite = "LOW"; - sslCompatibility = true; - try - { - AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath, - certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite, - sslCompatibility)); - - if (sslContext.get()) - { - cc->connect (host, port, *sslContext, "", ""); - // - //Unreachable when server is started with correct versions - //Otherwise it informs that server is not started properly - // - PEGASUS_TEST_ASSERT( 0 && - (bool)"cimserver not started with sslCipherSuite=HIGH"); - } - } - catch(Exception &e) - { - cout << "SSLCipherTest Expected exception: "<< e.getMessage() << endl; - cout << "Test passed. 
Connecting with cipher list " << cipherSuite - << " and protocol SSLv3 and TLSv1 failed " << endl; - } - - - - - cipherSuite = "HIGH"; - sslCompatibility = false; - - try - { - - AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath, - certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite, - sslCompatibility)); - if (sslContext.get()) - { - cc->connect (host, port, *sslContext, "", ""); - // - // Do a generic call. We have to do this call to test whether or - // not we get 401'ed. - // - CIMClass cimClass = cc->getClass(CIMNamespaceName("root/cimv2"), - CIMName ("CIM_ManagedElement"), true, false, false, - CIMPropertyList()); - cc->disconnect(); - } - } - catch(Exception &e) - { - cerr << "SSLCipherTest Error: "<< e.getMessage() << endl; - PEGASUS_TEST_ASSERT(0); - } - - cout << "Test passed. Connecting with cipher list " << cipherSuite - << " and TLS1.2" << endl; - - cipherSuite = "HIGH"; - sslCompatibility = true; - - try - { - - AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath, - certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite, - sslCompatibility)); - if (sslContext.get()) - { - cc->connect (host, port, *sslContext, "", ""); - // - // Do a generic call. We have to do this call to test whether or - // not we get 401'ed. - // - CIMClass cimClass = cc->getClass(CIMNamespaceName("root/cimv2"), - CIMName ("CIM_ManagedElement"), true, false, false, - CIMPropertyList()); - cc->disconnect(); - } - } - catch(Exception &e) - { - cerr << "SSLCipherTest Error: "<< e.getMessage() << endl; - PEGASUS_TEST_ASSERT(0); - } - - cout << "Test passed. Connecting with cipher list " << cipherSuite - << " and protocol SSLv3 and TLSv1" << endl; - - - -} -#endif int main() { @@ -265,7 +136,6 @@ int main() # endif _SslCipherTest(host , port, randPath); - _SslCipherAndPrtocolTest( host , port, randPath); cout << "+++++ passed all tests" << endl; 
diff --git a/src/Pegasus/Common/SSLContext.cpp b/src/Pegasus/Common/SSLContext.cpp index ff0397b..78e531e 100644 --- a/src/Pegasus/Common/SSLContext.cpp +++ b/src/Pegasus/Common/SSLContext.cpp @@ -540,7 +540,7 @@ SSLContextRep::SSLContextRep( // If a truststore and/or peer verification function is specified, // enable peer verification // - _verifyPeer = (trustStore != String::EMPTY || verifyCert != NULL); + _verifyPeer = (trustStore.size() != 0 || verifyCert != NULL); _randomInit(randomFile); @@ -733,9 +733,18 @@ SSL_CTX* SSLContextRep::_makeSSLContext() // TLS v1.0, TLSv1.1) options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_SSLv3; +#else + PEG_METHOD_EXIT(); + MessageLoaderParms parms( + " Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED", + "TLSv1.2 protocol support is not detected on this system. " + " To run in less secured mode, set sslBackwardCompatibility=true" + " in planned config file and start cimserver."); + throw SSLException(parms); #endif } + // sslv2 is off permanently even if sslCompatibility is true options |= SSL_OP_NO_SSLv2; SSL_CTX_set_options(sslContext, options); diff --git a/src/Pegasus/Makefile b/src/Pegasus/Makefile index 26303b9..6072553 100644 --- a/src/Pegasus/Makefile +++ b/src/Pegasus/Makefile @@ -230,6 +230,7 @@ endif TEST_DIRS += \ Server/tests \ Server/tests/InterfaceRestriction \ + Server/tests/TLSv_1_2_Support \ Handler/CIMxmlIndicationHandler/tests/Destination \ Handler/FileURIHandler/tests diff --git a/src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile b/src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile new file mode 100644 index 0000000..ed9dbc7 --- /dev/null +++ b/src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile 
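Review bot: The MessageLoaderParms key in the new `#else` branch is `" Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED"` with a leading space, which will not match the `Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED` entry added in pegasusServer_en.txt, so the lookup presumably falls back to the hard-coded default text and the PGS09213 id is never emitted; drop the space: `"Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED",`. The throw also happens after `sslContext` already exists (it is passed to `SSL_CTX_set_options` a few lines later), so unless the unseen caller owns and releases it, add `SSL_CTX_free(sslContext);` before `throw SSLException(parms);`. `_makeSSLContext` starts outside the hunk and the `#if` this `#else` pairs with is outside it too, so whether the branch is reached only when sslCompatibility is false cannot be confirmed from here. Failing closed with an exception rather than silently downgrading to TLSv1.0/1.1 is the right choice for the 800-131a goal.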
@@ -0,0 +1,52 @@ +#//%LICENSE//////////////////////////////////////////////////////////////// +#// +#// Licensed to The Open Group (TOG) under one or more contributor license +#// agreements. Refer to the OpenPegasusNOTICE.txt file distributed with +#// this work for additional information regarding copyright ownership. +#// Each contributor licenses this file to you under the OpenPegasus Open +#// Source License; you may not use this file except in compliance with the +#// License. +#// +#// Permission is hereby granted, free of charge, to any person obtaining a +#// copy of this software and associated documentation files (the "Software"), +#// to deal in the Software without restriction, including without limitation +#// the rights to use, copy, modify, merge, publish, distribute, sublicense, +#// and/or sell copies of the Software, and to permit persons to whom the +#// Software is furnished to do so, subject to the following conditions: +#// +#// The above copyright notice and this permission notice shall be included +#// in all copies or substantial portions of the Software. +#// +#// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +#// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +#// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +#// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +#// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +#// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +#// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +#// +#////////////////////////////////////////////////////////////////////////// +ROOT = ../../../../.. 
+ +DIR = Pegasus/Server/tests/TLSv_1_2_Support + +include $(ROOT)/mak/config.mak + +include ../libraries.mak + +LOCAL_DEFINES = -DPEGASUS_INTERNALONLY + +PROGRAM = TestTLSv1_2_Support + +SOURCES = TestTLSv1_2_Support.cpp + +include $(ROOT)/mak/program.mak + + +tests: + +test_TLSv1_2: + $(PROGRAM) + +poststarttests: + diff --git a/src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp b/src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp new file mode 100644 index 0000000..990a7c7 --- /dev/null +++ b/src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp 
@@ -0,0 +1,171 @@ +//%LICENSE//////////////////////////////////////////////////////////////// +// +// Licensed to The Open Group (TOG) under one or more contributor license +// agreements. Refer to the OpenPegasusNOTICE.txt file distributed with +// this work for additional information regarding copyright ownership. +// Each contributor licenses this file to you under the OpenPegasus Open +// Source License; you may not use this file except in compliance with the +// License. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the "Software"), +// to deal in the Software without restriction, including without limitation +// the rights to use, copy, modify, merge, publish, distribute, sublicense, +// and/or sell copies of the Software, and to permit persons to whom the +// Software is furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+// +////////////////////////////////////////////////////////////////////////// + +#include <Pegasus/Common/Config.h> +#include <Pegasus/Common/PegasusAssert.h> +#include <Pegasus/Client/CIMClient.h> +#include <Pegasus/Common/Constants.h> +#include <Pegasus/Common/System.h> +#include <Pegasus/Common/FileSystem.h> +#include <Pegasus/Common/AutoPtr.h> + + +#include <openssl/tls1.h> + +PEGASUS_USING_PEGASUS; +PEGASUS_USING_STD; + +const CIMNamespaceName NAMESPACE = CIMNamespaceName("root/cimv2"); + +/* + * This tests the TLSv1.2 support in pegasus + * + * The cimserver must be configured as following to test this: + * + * enableHttpsConnection=true and sslCipherSuite = TLSv1.2 + * + */ + +#ifdef PEGASUS_HAS_SSL + +void _testTLS1_2_support(String &host , Uint32 &port, String &randPath) +{ + +//A rudimentary way to detect TLS1_2 support on openSSL and hence on pegasus +#ifdef TLS1_2_VERSION + + String trustStorePath; + String certPath; + String keyPath; + String cipherSuite = "SSLv3"; + Boolean sslCompatibility = false; + AutoPtr<CIMClient> cc(new CIMClient); + + try + { + AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath, + certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite, + sslCompatibility)); + + if (sslContext.get()) + { + cc->connect (host, port, *sslContext, "", ""); + // + //Unreachable when server is started with correct versions + //Otherwise it informs that server is not started properly + // + PEGASUS_TEST_ASSERT( 0 && + (bool)"cimserver not started with sslCipherSuite=TLSv1.2"); + } + } + catch(CannotConnectException &e) + { + cout << "SSLCipherTest Expected exception: "<< e.getMessage() << endl; + cout << "Test passed: Connecting with cipher list: " << cipherSuite + << " and TLS1.2 as expected" << endl; + } + catch(Exception &e) + { + cerr << "SSLCipherTest Failed: "<< e.getMessage() << endl; + PEGASUS_TEST_ASSERT(0 && (bool)"Got unexpected Exception, Aborting"); + } + + + cipherSuite = "TLSv1.2"; + try + { + + AutoPtr<SSLContext> 
sslContext(new SSLContext (trustStorePath, + certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite, + sslCompatibility)); + if (sslContext.get()) + { + cc->connect (host, port, *sslContext, "", ""); + // + // Do a generic call. We have to do this call to test whether or + // not we get 401'ed. + // + CIMClass cimClass = cc->getClass(CIMNamespaceName("root/cimv2"), + CIMName ("CIM_ManagedElement"), true, false, false, + CIMPropertyList()); + cc->disconnect(); + } + } + catch(Exception &e) + { + cerr << "SSLCipherTest Error: "<< e.getMessage() << endl; + PEGASUS_TEST_ASSERT(0); + } + + cout << "Test passed: Connecting with cipher list: " << cipherSuite + << " and TLS1.2" << endl; +#else + //Hacks to stop unused param warning while compiling + PEGASUS_TEST_ASSERT( host == host); + PEGASUS_TEST_ASSERT( port == port); + PEGASUS_TEST_ASSERT( randPath == randPath); + + cout << "TLSv1.2 is not supported on this build of pegasus. Upgrade openssl" + << " skipping TLSv1.2 support tests" << endl; +#endif +} + +#endif + +int main() +{ + +#ifdef PEGASUS_HAS_SSL + String host = System::getHostName(); + Uint32 port = System::lookupPort( + WBEM_HTTPS_SERVICE_NAME, WBEM_DEFAULT_HTTPS_PORT); + + String randPath; +# ifdef PEGASUS_SSL_RANDOMFILE + const char* pegasusHome = getenv("PEGASUS_HOME"); + randPath = FileSystem::getAbsolutePath( + pegasusHome, PEGASUS_SSLCLIENT_RANDOMFILE); +# endif + + _testTLS1_2_support( host , port, randPath); + + cout << "+++++ passed all tests" << endl; + + return 0; + +#endif + + // + // This returns a false positive result. + // But we should never get here since this test is only run if + // PEGASUS_HAS_SSL is defined. + // + + return 0; +} diff --git a/src/Pegasus/msg/Server/pegasusServer_en.txt b/src/Pegasus/msg/Server/pegasusServer_en.txt index 09fba54..32a60c5 100644 --- a/src/Pegasus/msg/Server/pegasusServer_en.txt +++ b/src/Pegasus/msg/Server/pegasusServer_en.txt 
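Review bot: The negative case connects with cipher list `"SSLv3"` and treats `CannotConnectException` as proof of TLSv1.2 enforcement, but what it actually exercises is a cipher-list mismatch against the server's `TLSv1.2` list, not the server refusing a TLSv1.0/1.1 handshake, so the "as expected" message and the test name oversell the result. Add a comment above the first `try` such as `// Negative case: the SSLv3 cipher list shares no suites with the server's TLSv1.2 list, so the handshake must fail; this does not show that TLSv1.0/1.1 are refused.` and, if the client API exposes the negotiated protocol version, assert it is TLSv1.2 in the positive case instead of relying on the cipher list alone (no such accessor is visible from here). The `PEGASUS_TEST_ASSERT( host == host)` lines in the `#else` branch are a roundabout way to silence unused-parameter warnings; `(void)host; (void)port; (void)randPath;` says what it means. With an empty `trustStorePath` the client runs with peer verification off (per the `_verifyPeer` expression in SSLContext.cpp), which is acceptable for a loopback test but deserves a one-line comment so it is not copied into non-test code.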
@@ -3564,6 +3564,13 @@ en:table { */ Common.SSLContext.COULD_NOT_ACCESS_SERVER_CERTIFICATE:string {"PGS09212: Could not access server certificate in {0}."} + /** + * @note PGS09213: + * Do not translate 'sslBackwardCompatibility=true' since it is a configuration setting + */ + Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED:string {"PGS09213: TLSv1.2 protocol support is not detected on this system. To run in less secured mode, set sslBackwardCompatibility=true in planned config file and start cimserver."} + + // ========================================================== // Messages for TraceFileHandler // Please use message prefix "PGS09400" |