From 7f666b4467ae5f530e904675df3f28886f4202fa Mon Sep 17 00:00:00 2001 From: "Schanzenbach, Martin" Date: Fri, 25 Jan 2019 20:52:55 +0100 Subject: [PATCH] Fix #5514; Add test for GNS Proxy and DANE; Fix TLS connections on ports != 443 through proxy --- src/gns/Makefile.am | 11 +- src/gns/gnunet-gns-proxy-setup-ca | 45 ++-- src/gns/gnunet-gns-proxy.c | 62 ++--- src/gns/test_gns_proxy.c | 402 ++++++++++++++++++------------ src/gns/test_gns_proxy.conf | 28 +-- src/gns/test_proxy.sh | 53 ++++ 6 files changed, 369 insertions(+), 232 deletions(-) create mode 100755 src/gns/test_proxy.sh diff --git a/src/gns/Makefile.am b/src/gns/Makefile.am index e0497b11e..1abc57d57 100644 --- a/src/gns/Makefile.am +++ b/src/gns/Makefile.am @@ -155,6 +155,12 @@ if HAVE_GNUTLS_DANE gnunet_gns_proxy_LDADD += -lgnutls-dane endif +test_gns_proxy_SOURCES = \ + test_gns_proxy.c +test_gns_proxy_LDADD = -lmicrohttpd $(LIB_GNURL) -lgnutls \ + $(top_builddir)/src/util/libgnunetutil.la \ + $(GN_LIBINTL) + gnunet_gns_helper_service_w32_SOURCES = \ gnunet-gns-helper-service-w32.c gnunet_gns_helper_service_w32_LDADD = \ @@ -232,6 +238,8 @@ libgnunet_plugin_block_gns_la_LIBADD = \ libgnunet_plugin_block_gns_la_LDFLAGS = \ $(GN_PLUGIN_LDFLAGS) +check_PROGRAMS = \ + test_gns_proxy check_SCRIPTS = \ test_gns_lookup.sh \ @@ -248,7 +256,8 @@ check_SCRIPTS = \ test_gns_rel_expiration.sh\ test_gns_soa_lookup.sh\ test_gns_revocation.sh\ - test_gns_cname_lookup.sh + test_gns_cname_lookup.sh \ + test_proxy.sh if ENABLE_TEST_RUN if HAVE_SQLITE diff --git a/src/gns/gnunet-gns-proxy-setup-ca b/src/gns/gnunet-gns-proxy-setup-ca index 52f4b012b..7c1d58dc2 100644 --- a/src/gns/gnunet-gns-proxy-setup-ca +++ b/src/gns/gnunet-gns-proxy-setup-ca 
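Review bot: `check_PROGRAMS = \ test_gns_proxy` is an unconditional assignment, while the binary it links against (`-lmicrohttpd $(LIB_GNURL) -lgnutls`) and the proxy it drives are tied to optional dependencies — the `HAVE_GNUTLS_DANE` conditional is visible just above. On a build without those libraries `make check` would then fail at link time instead of skipping the test; guarding `test_gns_proxy_SOURCES`/`LDADD` and the `check_PROGRAMS` line with the same conditional that builds `gnunet_gns_proxy` (its start is outside the hunk) avoids that. If `check_PROGRAMS` is already defined earlier in this Makefile.am, `=` silently overwrites it and `+=` is needed; that cannot be told from the hunk.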
@@ -5,12 +5,6 @@ # TODO: We should sed the real paths to the binaries involved here. -if ! which certutil > /dev/null -then - echo "'certutil' command not found. Please install it." - exit 1 -fi - if ! which openssl > /dev/null then echo "'openssl' command not found. Please install it." @@ -50,24 +44,29 @@ openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO echo "Making private key available to gnunet-gns-proxy" cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM -echo "Importing CA into browsers" -for f in ~/.mozilla/firefox/*.*/ -do - if [ -d $f ]; then - echo "Importing CA info Firefox at $f" -# delete old certificate (if any) - certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null -# add new certificate - certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT - fi -done +if ! which certutil > /dev/null +then + echo "'certutil' command not found. Not importing into browsers." +else + echo "Importing CA into browsers" + for f in ~/.mozilla/firefox/*.*/ + do + if [ -d $f ]; then + echo "Importing CA info Firefox at $f" + # delete old certificate (if any) + certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null + # add new certificate + certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT + fi + done -if [ -d ~/.pki/nssdb/ ]; then - echo "Importing CA into Chrome at ~/.pki/nssdb/" -# delete old certificate (if any) - certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null -# add new certificate - certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT + if [ -d ~/.pki/nssdb/ ]; then + echo "Importing CA into Chrome at ~/.pki/nssdb/" + # delete old certificate (if any) + certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null + # add new certificate + certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT + fi fi echo "Cleaning up." diff --git a/src/gns/gnunet-gns-proxy.c b/src/gns/gnunet-gns-proxy.c index 7e0dec722..385524a18 100644 --- a/src/gns/gnunet-gns-proxy.c 
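Review bot: In the re-indented Firefox loop `if [ -d $f ]; then` still expands `$f` unquoted while the `certutil` calls on the next lines quote it as `-d "$f"`; a profile path containing whitespace would make the test fail but not the command, so `if [ -d "$f" ]; then` keeps the two consistent. Both dependency checks use `which`, which is not POSIX and has inconsistent exit codes across systems; `if ! command -v certutil > /dev/null` (and likewise for openssl) is the portable form. Making certutil optional is reasonable, but since the script now exits 0 after printing "Not importing into browsers", the message should say where the CA PEM was written so a user knows what to import by hand.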
+++ b/src/gns/gnunet-gns-proxy.c @@ -641,6 +641,11 @@ struct Socks5Request */ int is_gns; + /** + * This is (probably) a TLS connection + */ + int is_tls; + /** * Did we suspend MHD processing? */ @@ -1138,7 +1143,8 @@ curl_check_hdr (void *buffer, "Receiving HTTP response header from CURL\n"); /* first, check TLS certificate */ if ( (GNUNET_YES != s5r->ssl_checked) && - (HTTPS_PORT == s5r->port)) + (GNUNET_YES == s5r->is_tls)) + //(HTTPS_PORT == s5r->port)) { if (GNUNET_OK != check_ssl_certificate (s5r)) return 0; @@ -1237,7 +1243,7 @@ curl_check_hdr (void *buffer, char *leho_host; GNUNET_asprintf (&leho_host, - (HTTPS_PORT != s5r->port) + (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port) ? "http://%s" : "https://%s", s5r->leho); @@ -1247,7 +1253,7 @@ curl_check_hdr (void *buffer, { GNUNET_asprintf (&new_location, "%s%s%s", - (HTTPS_PORT != s5r->port) + (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port) ? "http://" : "https://", s5r->domain, @@ -1262,7 +1268,7 @@ curl_check_hdr (void *buffer, char *leho_host; GNUNET_asprintf (&leho_host, - (HTTPS_PORT != s5r->port) + (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port) ? "http://%s" : "https://%s", s5r->leho); @@ -1272,7 +1278,7 @@ curl_check_hdr (void *buffer, { GNUNET_asprintf (&new_location, "%s%s", - (HTTPS_PORT != s5r->port) + (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port) ? "http://" : "https://", s5r->domain); @@ -1923,7 +1929,7 @@ create_response (void *cls, if (s5r->is_gns) { GNUNET_asprintf (&curlurl, - (HTTPS_PORT != s5r->port) + (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port) ? "http://%s:%d%s" : "https://%s:%d%s", (NULL != s5r->leho) @@ -1935,7 +1941,7 @@ create_response (void *cls, else { GNUNET_asprintf (&curlurl, - (HTTPS_PORT != s5r->port) + (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port) ? "http://%s:%d%s" : "https://%s:%d%s", s5r->domain, 
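Review bot: The comment on the new `is_tls` field, `This is (probably) a TLS connection`, does not say who sets it, and that matters because `curl_check_hdr` now calls `check_ssl_certificate` only when the flag is `GNUNET_YES`. Suggest documenting the two sources this patch introduces: `#GNUNET_YES if the client asked for port 443 (set in do_s5r_read) or a TLSA/DANE BOX record was found for the name (set in handle_gns_result); it selects http vs https for the upstream URL and whether the upstream certificate is checked`. The commented-out `//(HTTPS_PORT == s5r->port)` remnants left beside each replaced condition here and in the -1237, -1247, -1262, -1272, -1923, -1935, -2109 and -3293 hunks should be deleted rather than kept: the port test is exactly what the flag replaces, and dead alternatives next to a security-relevant condition invite someone to restore them. The `GNUNET_asprintf` calls that build `http://`/`https://` prefixes could also share one small `static const char *scheme (const struct Socks5Request *s5r)` helper instead of repeating the ternary six times.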
@@ -2109,7 +2115,7 @@ create_response (void *cls, CURL_HTTP_VERSION_NONE); } - if (HTTPS_PORT == s5r->port) + if (GNUNET_YES == s5r->is_tls) //(HTTPS_PORT == s5r->port) { curl_easy_setopt (s5r->curl, CURLOPT_USE_SSL, @@ -2828,29 +2834,25 @@ setup_data_transfer (struct Socks5Request *s5r) socklen_t len; char *domain; - switch (s5r->port) + if (GNUNET_YES == s5r->is_tls) { - case HTTPS_PORT: - GNUNET_asprintf (&domain, - "%s", - s5r->domain); - hd = lookup_ssl_httpd (domain); - if (NULL == hd) - { - GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - _("Failed to start HTTPS server for `%s'\n"), - s5r->domain); - cleanup_s5r (s5r); - GNUNET_free (domain); - return; - } - break; - case HTTP_PORT: - default: + GNUNET_asprintf (&domain, + "%s", + s5r->domain); + hd = lookup_ssl_httpd (domain); + if (NULL == hd) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + _("Failed to start HTTPS server for `%s'\n"), + s5r->domain); + cleanup_s5r (s5r); + GNUNET_free (domain); + return; + } + } else { domain = NULL; GNUNET_assert (NULL != httpd); hd = httpd; - break; } fd = GNUNET_NETWORK_get_fd (s5r->sock); addr = GNUNET_NETWORK_get_addr (s5r->sock); @@ -3102,6 +3104,7 @@ handle_gns_result (void *cls, GNUNET_break (0); /* MAX_DANES too small */ break; } + s5r->is_tls = GNUNET_YES; /* This should be TLS */ s5r->dane_data_len[s5r->num_danes] = r->data_size - sizeof (struct GNUNET_GNSRECORD_BoxRecord); s5r->dane_data[s5r->num_danes] @@ -3293,12 +3296,13 @@ do_s5r_read (void *cls) s5r->domain = GNUNET_strndup (dom_name, *dom_len); GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, - "Requested connection is to http%s://%s:%d\n", - (HTTPS_PORT == s5r->port) ? "s" : "", + "Requested connection is to %s:%d\n", + //(HTTPS_PORT == s5r->port) ? "s" : "", s5r->domain, ntohs (*port)); s5r->state = SOCKS5_RESOLVING; s5r->port = ntohs (*port); + s5r->is_tls = (HTTPS_PORT == s5r->port) ? GNUNET_YES : GNUNET_NO; s5r->gns_lookup = GNUNET_GNS_lookup_with_tld (gns_handle, s5r->domain, GNUNET_DNSPARSER_TYPE_A, 
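Review bot: In `setup_data_transfer` the new `} else {` on one line departs from the brace-on-its-own-line layout used by the surrounding code (see the `if (NULL == hd)` block a few lines up), and the three-line `GNUNET_asprintf (&domain, "%s", s5r->domain);` kept in the TLS branch is just `domain = GNUNET_strdup (s5r->domain);`. In `handle_gns_result` the `s5r->is_tls = GNUNET_YES;` assignment appears to sit inside the record loop after the `MAX_DANES` `break`, so the flag is raised by the first stored TLSA record; that is fine, but `/* This should be TLS */` would be clearer as `/* a TLSA record exists for this name/port: treat the upstream as TLS even when the port is not 443 */`. Because the -3293 hunk initialises the flag from the port before the lookup starts, DANE data can only upgrade a request to TLS, never downgrade one — worth stating where the field is declared. Both `setup_data_transfer` and `handle_gns_result` begin outside their hunks.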
diff --git a/src/gns/test_gns_proxy.c b/src/gns/test_gns_proxy.c index ea61a89d5..75fe95617 100644 --- a/src/gns/test_gns_proxy.c +++ b/src/gns/test_gns_proxy.c @@ -30,13 +30,15 @@ #include #endif #include -#include "gnunet_namestore_service.h" -#include "gnunet_gns_service.h" -#include "gnunet_testing_lib.h" -#include "gnunet_os_lib.h" +#include "gnunet_util_lib.h" +#include "gnutls/x509.h" -#define PORT 8080 -#define TEST_DOMAIN "www.gnu" +/** + * Largest allowed size for a PEM certificate. + */ +#define MAX_PEM_SIZE (10 * 1024) + +#define TEST_DOMAIN "www.test" #define TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 300) @@ -45,7 +47,6 @@ */ static int global_ret; -static struct GNUNET_NAMESTORE_Handle *namestore; static struct MHD_Daemon *mhd; @@ -61,7 +62,15 @@ static char *url; static struct GNUNET_OS_Process *proxy_proc; -static char* tmp_cfgfile; +static char* cafile_opt; + +static char* cafile_srv; + +static uint16_t port; + +static gnutls_x509_crt_t proxy_cert; + +static gnutls_x509_privkey_t proxy_key; struct CBC { 
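Review bot: `#include "gnutls/x509.h"` uses quotes for a system header; the file's other library headers use angle brackets, so `#include <gnutls/x509.h>` is the consistent (and correct search-path) form. The new `MAX_PEM_SIZE` comment says "Largest allowed size for a PEM certificate", but the constant also bounds the private-key file in `load_file` and the two export buffers in `run`; `Upper bound on the size of a PEM certificate or key file read by load_file, and on the PEM export buffers in run` matches its uses. `static uint16_t port;` is zero-initialised, so without `-p` the MHD daemon binds an ephemeral port and the test URL points nowhere; see the note on `main` below.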
@@ -71,6 +80,101 @@ struct CBC static struct CBC cbc; +/** + * Read file in filename + * + * @param filename file to read + * @param size pointer where filesize is stored + * @return NULL on error + */ +static void* +load_file (const char* filename, + unsigned int* size) +{ + void *buffer; + uint64_t fsize; + + if (GNUNET_OK != + GNUNET_DISK_file_size (filename, + &fsize, + GNUNET_YES, + GNUNET_YES)) + return NULL; + if (fsize > MAX_PEM_SIZE) + return NULL; + *size = (unsigned int) fsize; + buffer = GNUNET_malloc (*size); + if (fsize != + GNUNET_DISK_fn_read (filename, + buffer, + (size_t) fsize)) + { + GNUNET_free (buffer); + return NULL; + } + return buffer; +} + +/** + * Load PEM key from file + * + * @param key where to store the data + * @param keyfile path to the PEM file + * @return #GNUNET_OK on success + */ +static int +load_key_from_file (gnutls_x509_privkey_t key, + const char* keyfile) +{ + gnutls_datum_t key_data; + int ret; + + key_data.data = load_file (keyfile, + &key_data.size); + if (NULL == key_data.data) + return GNUNET_SYSERR; + ret = gnutls_x509_privkey_import (key, &key_data, + GNUTLS_X509_FMT_PEM); + if (GNUTLS_E_SUCCESS != ret) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + _("Unable to import private key from file `%s'\n"), + keyfile); + } + GNUNET_free_non_null (key_data.data); + return (GNUTLS_E_SUCCESS != ret) ? 
GNUNET_SYSERR : GNUNET_OK; +} + +/** + * Load cert from file + * + * @param crt struct to store data in + * @param certfile path to pem file + * @return #GNUNET_OK on success + */ +static int +load_cert_from_file (gnutls_x509_crt_t crt, + const char* certfile) +{ + gnutls_datum_t cert_data; + int ret; + + cert_data.data = load_file (certfile, + &cert_data.size); + if (NULL == cert_data.data) + return GNUNET_SYSERR; + ret = gnutls_x509_crt_import (crt, + &cert_data, + GNUTLS_X509_FMT_PEM); + if (GNUTLS_E_SUCCESS != ret) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + _("Unable to import certificate from `%s'\n"), + certfile); + } + GNUNET_free_non_null (cert_data.data); + return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK; +} static size_t copy_buffer (void *ptr, size_t size, size_t nmemb, void *ctx) @@ -112,8 +216,11 @@ mhd_ahc (void *cls, MHD_RESPMEM_MUST_COPY); ret = MHD_queue_response (connection, MHD_HTTP_OK, response); MHD_destroy_response (response); - if (ret == MHD_NO) + if (ret == MHD_NO) { + global_ret = 1; abort (); + } + global_ret = 0; return ret; } @@ -138,13 +245,6 @@ do_shutdown () } GNUNET_free_non_null (url); - if (NULL != tmp_cfgfile) - { - if (0 != remove (tmp_cfgfile)) - GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, "remove", tmp_cfgfile); - GNUNET_free (tmp_cfgfile); - tmp_cfgfile = NULL; - } if (NULL != proxy_proc) { (void) GNUNET_OS_process_kill (proxy_proc, SIGKILL); @@ -198,12 +298,12 @@ curl_main () { if (msg->data.result != CURLE_OK) { - fprintf (stderr, - "%s failed at %s:%d: `%s'\n", - "curl_multi_perform", - __FILE__, - __LINE__, curl_easy_strerror (msg->data.result)); - global_ret = 1; + fprintf (stderr, + "%s failed at %s:%d: `%s'\n", + "curl_multi_perform", + __FILE__, + __LINE__, curl_easy_strerror (msg->data.result)); + global_ret = 1; } } curl_multi_remove_handle (multi, curl); 
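Review bot: `load_key_from_file` frees the buffer holding the PEM private key without wiping it, and `load_file` does the same on its short-read path; for key material, zero `key_data.data` over `key_data.size` before the free (the `GNUNET_free_non_null` is also redundant, since `key_data.data` was NULL-checked a few lines earlier). In `mhd_ahc`, `global_ret = 1;` immediately before `abort ()` has no effect because `abort` never returns that status, and `global_ret = 0;` on every served request only records that some request reached the MHD server, not that the client received the body. Since `global_ret` is a static that starts at 0, a run in which the download never completes before the 300 s timeout reports success; initialise it to 1 in `main` and clear it only in `curl_main` when the transfer ends with `CURLE_OK` and the received body matches (where the timeout is handled is outside these hunks, so that part is inferred). `load_file` silently returns NULL for files larger than `MAX_PEM_SIZE`; a `GNUNET_log (GNUNET_ERROR_TYPE_ERROR, ...)` there makes a failing test diagnosable.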
@@ -232,17 +332,17 @@ curl_main () else delay = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, (unsigned int) timeout); GNUNET_NETWORK_fdset_copy_native (&nrs, - &rs, - max + 1); + &rs, + max + 1); GNUNET_NETWORK_fdset_copy_native (&nws, - &ws, - max + 1); + &ws, + max + 1); curl_task_id = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT, - delay, - &nrs, - &nws, - &curl_task, - NULL); + delay, + &nrs, + &nws, + &curl_task, + NULL); } @@ -250,33 +350,30 @@ static void start_curl (void *cls) { GNUNET_asprintf (&url, - "http://%s:%d/hello_world", - TEST_DOMAIN, PORT); + "https://%s:%d/hello_world", + TEST_DOMAIN, port); curl = curl_easy_init (); curl_easy_setopt (curl, CURLOPT_URL, url); + //curl_easy_setopt (curl, CURLOPT_URL, "https://127.0.0.1:8443/hello_world"); curl_easy_setopt (curl, CURLOPT_WRITEFUNCTION, ©_buffer); curl_easy_setopt (curl, CURLOPT_WRITEDATA, &cbc); curl_easy_setopt (curl, CURLOPT_FAILONERROR, 1); curl_easy_setopt (curl, CURLOPT_TIMEOUT, 150L); curl_easy_setopt (curl, CURLOPT_CONNECTTIMEOUT, 15L); curl_easy_setopt (curl, CURLOPT_NOSIGNAL, 1); + curl_easy_setopt (curl, CURLOPT_CAINFO, cafile_opt); + //curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0L); + //curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0L); curl_easy_setopt (curl, CURLOPT_PROXY, "socks5h://127.0.0.1:7777"); multi = curl_multi_init (); GNUNET_assert (multi != NULL); GNUNET_assert (CURLM_OK == curl_multi_add_handle (multi, curl)); - GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Beginning HTTP download from `%s'\n", url); + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Beginning HTTP download from `%s'\n", url); curl_main (); } -static void -disco_ns (void* cls) -{ - GNUNET_NAMESTORE_disconnect (namestore); -} - - /** * Callback invoked from the namestore service once record is * created. 
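Review bot: The "Beginning HTTP download" message in `start_curl` was promoted from DEBUG to `GNUNET_ERROR_TYPE_ERROR` although nothing has gone wrong, so a passing run prints an error; revert it to DEBUG or use `GNUNET_ERROR_TYPE_INFO`. The commented-out `CURLOPT_SSL_VERIFYPEER, 0L` / `CURLOPT_SSL_VERIFYHOST, 0L` lines and the hard-coded `https://127.0.0.1:8443/hello_world` URL should be removed rather than parked: with `CURLOPT_CAINFO` set to `cafile_opt` the test validates the proxy-issued certificate, which is the property under test, and leaving verification-disabling options one keystroke away undermines that. `cafile_opt` is passed to curl without a NULL check, so running the binary without `-A` hands curl a NULL path; fail explicitly in `run` instead.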
@@ -290,24 +387,11 @@ disco_ns (void* cls) * specified target peer; NULL on error */ static void -commence_testing (void *cls, - int32_t success, - const char *emsg) +commence_testing (void *cls) { - GNUNET_SCHEDULER_add_now (&disco_ns, NULL); - - if ( (emsg != NULL) && (GNUNET_YES != success) ) - { - fprintf (stderr, - "NS failed to create record %s\n", - emsg); - GNUNET_SCHEDULER_shutdown (); - return; - } - curl_task_id = - GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS, - &start_curl, NULL); + GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS, + &start_curl, NULL); } 
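Review bot: The doc comment above `commence_testing` (its first lines are context in the previous hunk) still describes a namestore callback with `success`/`emsg` parameters and a "specified target peer", none of which exist after the signature became `commence_testing (void *cls)`; replace it with something like `Scheduled once the MHD server is up: start the curl download after a one second delay` and a single `@param cls closure (unused)`. The new body also appears to drop the `curl_task_id =` assignment (old side removes it, new side adds only the bare `GNUNET_SCHEDULER_add_delayed` call) — if that reading of the collapsed hunk is right, `do_shutdown` can no longer cancel the pending start task, and `curl_task_id = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS, &start_curl, NULL);` should be restored.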
@@ -345,139 +429,135 @@ mhd_main () FD_ZERO (&es); max_fd = -1; GNUNET_assert (MHD_YES == - MHD_get_fdset (mhd, &rs, &ws, &es, &max_fd)); + MHD_get_fdset (mhd, &rs, &ws, &es, &max_fd)); if (MHD_YES == MHD_get_timeout (mhd, &timeout)) delay = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, - (unsigned int) timeout); + (unsigned int) timeout); else delay = GNUNET_TIME_UNIT_FOREVER_REL; GNUNET_NETWORK_fdset_copy_native (&nrs, - &rs, - max_fd + 1); + &rs, + max_fd + 1); GNUNET_NETWORK_fdset_copy_native (&nws, - &ws, - max_fd + 1); + &ws, + max_fd + 1); mhd_task_id = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT, - delay, - &nrs, - &nws, - &mhd_task, - NULL); + delay, + &nrs, + &nws, + &mhd_task, + NULL); } + +/** + * Main function that will be run + * + * @param cls closure + * @param args remaining command-line arguments + * @param cfgfile name of the configuration file used (for saving, can be NULL!) + * @param c configuration + */ static void run (void *cls, - const struct GNUNET_CONFIGURATION_Handle *cfg, - struct GNUNET_TESTING_Peer *peer) + char *const *args, + const char *cfgfile, + const struct GNUNET_CONFIGURATION_Handle *c) { - enum MHD_FLAG flags; - struct GNUNET_CRYPTO_EcdsaPrivateKey *host_key; - struct GNUNET_GNSRECORD_Data rd; - char *zone_keyfile; - - namestore = GNUNET_NAMESTORE_connect (cfg); - GNUNET_assert (NULL != namestore); - flags = MHD_USE_DEBUG; - mhd = MHD_start_daemon (flags, - PORT, - NULL, NULL, - &mhd_ahc, NULL, - MHD_OPTION_END); - GNUNET_assert (NULL != mhd); - mhd_main (); - - tmp_cfgfile = GNUNET_DISK_mktemp ("test_gns_proxy_tmp.conf"); - if (NULL == tmp_cfgfile) - { - GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "Failed to create tmp cfg!\n"); - do_shutdown (); - return; - } - - if (GNUNET_OK != GNUNET_CONFIGURATION_write ((struct GNUNET_CONFIGURATION_Handle *)cfg, - tmp_cfgfile)) + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Using `%s' as CA\n", + cafile_srv); + char cert[MAX_PEM_SIZE]; + char key[MAX_PEM_SIZE]; 
+ size_t key_buf_size; + size_t cert_buf_size; + + gnutls_global_init (); + gnutls_x509_crt_init (&proxy_cert); + gnutls_x509_privkey_init (&proxy_key); + + if ( (GNUNET_OK != + load_cert_from_file (proxy_cert, + cafile_srv)) || + (GNUNET_OK != + load_key_from_file (proxy_key, + cafile_srv)) ) { GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "Failed to write tmp cfg\n"); - do_shutdown (); - return; - } - - proxy_proc = GNUNET_OS_start_process (GNUNET_NO, - GNUNET_OS_INHERIT_STD_ALL, - NULL, - NULL, - NULL, - "gnunet-gns-proxy", - "gnunet-gns-proxy", - "-c", tmp_cfgfile, NULL); - - if (NULL == proxy_proc) - { - GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "Unable to start proxy\n"); - do_shutdown (); - return; - } - - if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg, "gns", - "ZONEKEY", - &zone_keyfile)) - { - GNUNET_log(GNUNET_ERROR_TYPE_ERROR, "Failed to get key from cfg\n"); + _("Failed to load X.509 key and certificate from `%s'\n"), + cafile_srv); + gnutls_x509_crt_deinit (proxy_cert); + gnutls_x509_privkey_deinit (proxy_key); + gnutls_global_deinit (); return; } + GNUNET_SCHEDULER_add_shutdown (&do_shutdown, + NULL); + key_buf_size = sizeof (key); + cert_buf_size = sizeof (cert); + gnutls_x509_crt_export (proxy_cert, + GNUTLS_X509_FMT_PEM, + cert, + &cert_buf_size); + gnutls_x509_privkey_export (proxy_key, + GNUTLS_X509_FMT_PEM, + key, + &key_buf_size); + mhd = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_SSL | MHD_ALLOW_SUSPEND_RESUME, port, + NULL, NULL, + &mhd_ahc, NULL, + MHD_OPTION_HTTPS_MEM_KEY, key, + MHD_OPTION_HTTPS_MEM_CERT, cert, + MHD_OPTION_END); + GNUNET_assert (NULL != mhd); + mhd_main (); - host_key = GNUNET_CRYPTO_ecdsa_key_create_from_file (zone_keyfile); - rd.expiration_time = GNUNET_TIME_UNIT_FOREVER_ABS.abs_value_us; - GNUNET_assert (GNUNET_OK == GNUNET_GNSRECORD_string_to_value (GNUNET_DNSPARSER_TYPE_A, - "127.0.0.1", - (void**)&rd.data, - &rd.data_size)); - rd.record_type = GNUNET_DNSPARSER_TYPE_A; - - GNUNET_NAMESTORE_record_create 
(namestore, - host_key, - "www", - &rd, - &commence_testing, - NULL); - - GNUNET_free ((void**)rd.data); - GNUNET_free (zone_keyfile); - GNUNET_free (host_key); + GNUNET_SCHEDULER_add_now (&commence_testing, + NULL); } int main (int argc, char *const *argv) { - char *binary; - - if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary ("gnunet-gns-proxy", GNUNET_NO, NULL)) - { - fprintf (stderr, "Proxy binary not in PATH... skipping!\n"); - return 0; - } - binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-dns"); - if (GNUNET_YES != GNUNET_OS_check_helper_binary (binary, GNUNET_YES, NULL)) // TODO: once we have a windows-testcase, add test parameters here - { - fprintf (stderr, "DNS helper binary has wrong permissions... skipping!\n"); - GNUNET_free (binary); - return 0; - } - GNUNET_free (binary); + struct GNUNET_GETOPT_CommandLineOption options[] = { + GNUNET_GETOPT_option_uint16 ('p', + "port", + NULL, + gettext_noop ("listen on specified port (default: 7777)"), + &port), + GNUNET_GETOPT_option_string ('A', + "curlcert", + NULL, + gettext_noop ("pem file to use as CA"), + &cafile_opt), + GNUNET_GETOPT_option_string ('S', + "servercert", + NULL, + gettext_noop ("pem file to use for the server"), + &cafile_srv), + + GNUNET_GETOPT_OPTION_END + }; if (0 != curl_global_init (CURL_GLOBAL_WIN32)) { fprintf (stderr, "failed to initialize curl\n"); return 2; } - if (0 != GNUNET_TESTING_peer_run ("test-gnunet-gns-proxy", - "test_gns_proxy.conf", - &run, NULL)) + if (GNUNET_OK != + GNUNET_STRINGS_get_utf8_args (argc, argv, + &argc, &argv)) + return 2; + GNUNET_log_setup ("gnunet-gns-proxy-test", + "WARNING", + NULL); + if (GNUNET_OK != GNUNET_PROGRAM_run (argc, argv, + "gnunet-gns-proxy-test", + _("GNUnet GNS proxy test"), + options, + &run, NULL)) return 1; - GNUNET_DISK_directory_remove ("/tmp/gnunet-test-gns-proxy"); + GNUNET_free_non_null ((char *) argv); return global_ret; } 
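Review bot: In `run`, the key/certificate load-failure path logs and returns without setting `global_ret`, and `do_shutdown` is registered only after the load succeeds, so `GNUNET_PROGRAM_run` returns normally and `main` exits with the initial `global_ret` of 0 — the test passes exactly when it could not start. Add `global_ret = 1;` before that `return;`. The return values of `gnutls_x509_crt_export` and `gnutls_x509_privkey_export` are ignored; on `GNUTLS_E_SHORT_MEMORY_BUFFER` the `cert`/`key` stack arrays are handed to `MHD_start_daemon` uninitialised, so both should be checked for `GNUTLS_E_SUCCESS` and the function should fail (with `global_ret = 1`) otherwise. `cafile_srv` and `cafile_opt` are NULL when `-S`/`-A` are omitted and `port` stays 0, while the `-p` help text claims "default: 7777" — which is the proxy's SOCKS port, not this server's — so `run` should validate all three options up front and the help string should name the real default or say the option is required.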
diff --git a/src/gns/test_gns_proxy.conf b/src/gns/test_gns_proxy.conf index 51edd5a0c..3b21f1d90 100644 --- a/src/gns/test_gns_proxy.conf +++ b/src/gns/test_gns_proxy.conf @@ -1,30 +1,22 @@ -[PATHS] -GNUNET_TEST_HOME = $GNUNET_TMP/gnunet-test-gns-proxy/ +@INLINE@ test_gns_defaults.conf [transport] PLUGINS = tcp -[arm] -PORT = 0 -ALLOW_SHUTDOWN = YES - -[testing] -WEAKRANDOM = YES -HOSTKEYSFILE = ${DATADIR}/testing_hostkeys.dat - [gns] +# PREFIX = valgrind --leak-check=full --track-origins=yes START_ON_DEMAND = YES -ZONEKEY = $GNUNET_TEST_HOME/.zonekey -HIJACK_DNS = YES +AUTO_IMPORT_PKEY = YES +MAX_PARALLEL_BACKGROUND_QUERIES = 10 +DEFAULT_LOOKUP_TIMEOUT = 15 s +RECORD_PUT_INTERVAL = 1 h +ZONE_PUBLISH_TIME_WINDOW = 1 h +DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0 + [gns-proxy] -PROXY_CACERT = proxy/test_cert.pem +PROXY_CACERT = /tmp/proxy_cacert.pem PROXY_UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-gns-proxy.sock [namestore] START_ON_DEMAND = YES - -[dns] -PROVIDE_EXIT = NO -#DNS_EXIT = 8.8.8.8 -#PREFIX = valgrind --leak-check=full diff --git a/src/gns/test_proxy.sh b/src/gns/test_proxy.sh new file mode 100755 index 000000000..c960d4df9 --- /dev/null +++ b/src/gns/test_proxy.sh 
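Review bot: `PROXY_CACERT = /tmp/proxy_cacert.pem` points the proxy at a fixed, predictable path in the shared `/tmp`, and the setup script presumably writes the CA certificate together with its private key there (the `cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM` context in gnunet-gns-proxy-setup-ca); test_proxy.sh does the same for `/tmp/server_cacert.pem` with `cat >`, which follows a pre-existing symlink. On a shared build host another local user can pre-create or read those files, and the proxy would then issue certificates from a CA it did not generate. Use a per-run directory (`mktemp -d`, or the test home that the inlined `test_gns_defaults.conf` may already define under `$GNUNET_TMP`) and reference it from the config through a variable, so no key material lives at a fixed world-writable location; whether `test_gns_defaults.conf` provides such a path is inferred, as it is not in the patch.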
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+TEST_DOMAIN="www.test"
+
+gnunet-arm -s -c test_gns_proxy.conf
+gnunet-gns-proxy-setup-ca -c test_gns_proxy.conf
+
+openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048
+openssl rsa -passin pass:xxxx -in server.pass.key -out local.key
+rm server.pass.key
+openssl req -new -key local.key -out server.csr \
+ -subj "/C=DE/O=GNUnet/OU=GNS/CN=test.local"
+openssl x509 -req -days 1 -in server.csr -signkey local.key -out local.crt
+openssl x509 -in local.crt -out local.der -outform DER
+HEXCERT=`xxd -p local.der | tr -d '\n'`
+#echo "This is the certificate the server does not use: $HEXCERT"
+OLDBOXVALUE="6 8443 52 3 0 0 $HEXCERT"
+
+
+openssl req -new -key local.key -out server.csr \
+ -subj "/C=DE/O=GNUnet/OU=GNS/CN=test.local"
+openssl x509 -req -days 1 -in server.csr -signkey local.key -out local.crt
+openssl x509 -in local.crt -out local.der -outform DER
+HEXCERT=`xxd -p local.der | tr -d '\n'`
+#echo "This is the certificate the server does use: $HEXCERT"
+BOXVALUE="6 8443 52 3 0 0 $HEXCERT"
+
+cat local.crt > /tmp/server_cacert.pem
+cat local.key >> /tmp/server_cacert.pem
+
+gnunet-identity -C test -c test_gns_proxy.conf
+gnunet-namestore -p -z test -a -n www -t A -V 127.0.0.1 -e never -c test_gns_proxy.conf
+gnunet-namestore -p -z test -a -n www -t LEHO -V "test.local" -e never -c test_gns_proxy.conf
+gnunet-namestore -p -z test -a -n www -t BOX -V "$OLDBOXVALUE" -e never -c test_gns_proxy.conf
+gnunet-namestore -p -z test -a -n www -t BOX -V "$BOXVALUE" -e never -c test_gns_proxy.conf
+
+gnunet-arm -i gns-proxy -c test_gns_proxy.conf
+
+#gnurl --socks5-hostname 127.0.0.1:7777 https://www.test -v --cacert /tmp/proxy_cacert.pem
+./test_gns_proxy -A /tmp/proxy_cacert.pem -S /tmp/server_cacert.pem -p 8443 -c test_gns_proxy.conf
+
+RES=$?
+
+rm /tmp/proxy_cacert.pem
+rm /tmp/server_cacert.pem
+
+gnunet-arm -e test_gns_proxy.conf
+
+if test $RES != 0
+then
+ echo "Failed"
+ exit 1
+fi
-- 
2.25.1
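Review bot: `gnunet-arm -e test_gns_proxy.conf` near the end lacks the `-c` flag that every other gnunet-arm call in the script uses, so the config file is passed as a stray positional argument and the test's own ARM instance (and the services it started, including the proxy on 7777) is likely left running after the script exits; it should read `gnunet-arm -e -c test_gns_proxy.conf`. The script never removes `local.key`, `local.crt`, `local.der` and `server.csr` from the working directory, and on the failure path it exits before any cleanup at all; a cleanup function installed with `trap cleanup EXIT` would cover both paths and could also hold the two `rm /tmp/...` lines. Generating the key with `openssl genrsa -des3 -passout pass:xxxx` only to strip the passphrase again with `openssl rsa -passin` is two commands for what `openssl genrsa -out local.key 2048` does directly. Ports 7777 and 8443 and the `/tmp/*_cacert.pem` names are fixed, so concurrent `make check` runs will collide, and `TEST_DOMAIN` is assigned but never used. `RES=$?` is captured correctly, but `gnunet-arm -s` and the `gnunet-namestore` calls are unchecked, so a record that failed to be added surfaces only as a confusing download failure later.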