def test_ssl_null_byte(self):
'''Test a null-byte CN cert (CVE-2009-3490)'''
srvkey_pem = 'ssl/badguy.key'
srvcert_pem = 'ssl/badguy-nul-cn.crt'
# We need to add www.bank.com to the hosts file, of wget dies while
# validating the cert's CN before the NUL byte check
testlib.config_replace(self.hosts_file, "127.0.0.1 www.bank.com", True)
self._prepare_ssl(srvkey_pem, srvcert_pem)
# modern wget now returns 5 on ssl validation errors
if self.lsb_release['Release'] <= 9.10:
expected = 1
else:
expected = 5
# Make sure wget detected the NUL byte
self._test_url_wget(
"https://www.bank.com/",
"ERROR: certificate common name is invalid (contains a NUL character)",
expected=expected)
# Let's try an SSL page without validating the self-signed cert
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url_wget("https://www.bank.com/" + \
os.path.basename(self.html_page), test_str, extra_opts=['--no-check-certificate'])
def test_http(self):
'''Test http'''
self._test_url_wget("http://localhost/")
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url_wget("http://localhost/" + \
os.path.basename(self.html_page), test_str)
def test_ssl(self):
'''Test https'''
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem,
cacert_pem) = testlib_ssl.gen_ssl()
self._prepare_ssl(srvkey_pem, srvcert_pem)
testlib.recursive_rm(tmpdir)
# modern wget now returns 5 on ssl validation errors
if self.lsb_release['Release'] <= 9.10:
expected = 1
else:
expected = 5
# Cert is self-signed, make sure wget says so
if self.lsb_release['Release'] <= 8.04:
error_str = 'ERROR: Certificate verification error for localhost'
else:
error_str = "ERROR: cannot verify localhost's certificate"
self._test_url_wget("https://localhost/", error_str, expected=expected)
# Let's try an SSL page without validating the self-signed cert
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url_wget("https://localhost/" + \
os.path.basename(self.html_page), test_str, extra_opts=['--no-check-certificate'])
def test_cve_2010_2253(self):
'''Test CVE-2010-2253'''
self._enable_mod("php5")
test_str = testlib_httpd.create_html_page(self.html_page)
bad_filename = ".blah.txt"
bad_file_path = os.path.join(self.tempdir, bad_filename)
script = '''<?php
$file = "%s";
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\\"%s\\";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($file));
readfile($file);
exit;
?>
''' % (self.html_page, bad_filename)
testlib.create_fill(self.php5_content_dispo, script)
# See if it actually downloaded the file
self._test_url_lwp("http://localhost/" + \
os.path.basename(self.php5_content_dispo), expected=1)
# Make sure it didn't use the bad filename
error = "Found the %s file." % bad_file_path
self.assertFalse(os.path.exists(bad_file_path), error)
def test_ssl_null_byte(self):
'''Test a null-byte CN cert (CVE-2009-3490)'''
srvkey_pem = 'ssl/badguy.key'
srvcert_pem = 'ssl/badguy-nul-cn.crt'
srv_ca = 'ssl/ca.crt'
ca = os.path.join(self.tempdir, os.path.basename(srv_ca))
shutil.copy(srv_ca, ca)
# We need to add www.bank.com to the hosts file, or w3m errors while
# validating the cert's CN before the NUL byte check
testlib.config_replace(self.hosts_file, "127.0.0.1 www.bank.com", True)
test_str = testlib_httpd.create_html_page(self.html_page)
self._prepare_ssl(srvkey_pem, srvcert_pem)
cmdline = "w3m -dump -o ssl_ca_file=" + ca + " https://www.bank.com/" + \
os.path.basename(self.html_page)
# Make sure w3m detected the NUL byte
child = pexpect.spawn(cmdline)
time.sleep(1.0)
child.expect(".*Bad cert ident.*", timeout=2)
child.sendline('y')
time.sleep(1.0)
child.kill(0)
def test_aab_http(self):
'''Test http'''
self._test_url("http://localhost:8000/")
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url("http://localhost:8000/" + \
os.path.basename(self.html_page), test_str)
self._test_url("http://localhost:8000/cgi-bin/mailman/listinfo/mailman",
"About Mailman")
def test_aab_http(self):
'''Test http'''
self._test_url("http://localhost:8000/")
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url("http://localhost:8000/" + \
os.path.basename(self.html_page), test_str)
self._test_url("http://localhost:8000/cgi-bin/mailman/listinfo/mailman",
"About Mailman")
def test_ssl(self):
'''Test https'''
tmpdir, pem = testlib_ssl.gen_pem()
os.rename(pem, self.ssl_pem)
testlib.recursive_rm(tmpdir)
self._enable_mod("ssl")
self._test_url("https://localhost/")
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url("https://localhost/" + \
os.path.basename(self.html_page), test_str)
def test_ssl(self):
'''Test https'''
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem,
cacert_pem) = testlib_ssl.gen_ssl()
self._prepare_ssl(srvkey_pem, srvcert_pem)
testlib.recursive_rm(tmpdir)
self._test_url_lftp("https://localhost/")
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url_lftp("https://localhost/" + \
os.path.basename(self.html_page), test_str)
def test_ssl(self):
'''Test https (self signed with ca cert)'''
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem, cacert_pem) = testlib_ssl.gen_ssl()
self._prepare_ssl(srvkey_pem, srvcert_pem)
ca = os.path.join(self.tempdir, os.path.basename(cacert_pem))
shutil.copy(cacert_pem, ca)
testlib.recursive_rm(tmpdir)
# We need to add server to the hosts file, or w3m errors while
# validating the cert's CN before the NUL byte check
testlib.config_replace(self.hosts_file, "127.0.0.1 server", True)
#cmdline = "w3m -dump -o ssl_ca_file=" + ca + " https://localhost"
test_str = testlib_httpd.create_html_page(self.html_page)
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), test_str, extra_args=['-o', 'ssl_ca_file=' + ca])
def test_update_ca_certificates_usr(self):
'''Test update-ca-certificates for local CA (/usr)'''
self.local_ca = "/usr/share/ca-certificates/testlib.crt"
# Create a CA, update /etc/hosts and create a test page
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem,
cacert_pem) = testlib_ssl.gen_ssl()
self._prepare_ssl(srvkey_pem, srvcert_pem)
testlib.config_replace(self.hosts_file, "127.0.0.1 server", True)
test_str = testlib_httpd.create_html_page(self.html_page)
# First, try to access the self-signed server
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), test_str, verify=False)
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), "unable to get local issuer certificate")
# Next, install the local CA
shutil.copy(cacert_pem, self.local_ca)
testlib.config_replace(self.ca_certificates_conf,
os.path.basename(self.local_ca) + '\n', True)
testlib.recursive_rm(tmpdir)
rc, report = testlib.cmd(['update-ca-certificates'])
expected = 0
result = 'Got exit code %d, expected %d\n' % (rc, expected)
self.assertEquals(expected, rc, result + report)
# Now try to access it
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), test_str)
# Next, remove the installed CA
testlib.config_restore(self.ca_certificates_conf)
os.unlink(self.local_ca)
rc, report = testlib.cmd(['update-ca-certificates'])
expected = 0
result = 'Got exit code %d, expected %d\n' % (rc, expected)
self.assertEquals(expected, rc, result + report)
# Last, try to access the self-signed server again
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), test_str, verify=False)
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), "unable to get local issuer certificate")
def test_https(self):
'''Test https'''
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem,
cacert_pem) = testlib_ssl.gen_ssl()
shutil.copy(srvkey_pem, self.ssl_key)
shutil.copy(srvcert_pem, self.ssl_crt)
testlib.recursive_rm(tmpdir)
testlib.config_replace(self.default_vhost, '''
server {
listen 443;
server_name localhost;
root %s;
index index.html index.htm index.nginx-debian.html;
ssl on;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
location / {
try_files $uri $uri/ =404;
}
}
''' % self.document_root, append=True)
self.daemon.restart()
self._test_url("https://localhost/", "Welcome to nginx")
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url("https://localhost/" + \
os.path.basename(self.html_page), test_str)
def test_ssl_no_verify(self):
'''Test https (self signed/no ca cert)'''
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem, cacert_pem) = testlib_ssl.gen_ssl()
self._prepare_ssl(srvkey_pem, srvcert_pem)
ca = os.path.join(self.tempdir, os.path.basename(cacert_pem))
shutil.copy(cacert_pem, ca)
testlib.recursive_rm(tmpdir)
# We need to add server to the hosts file, or w3m errors while
# validating the cert's CN before the NUL byte check
testlib.config_replace(self.hosts_file, "127.0.0.1 server", True)
test_str = testlib_httpd.create_html_page(self.html_page)
cmdline = "w3m -dump https://server/" + os.path.basename(self.html_page)
child = pexpect.spawn(cmdline)
time.sleep(1.0)
child.expect(".*unable to get local issuer certificate.*", timeout=2)
child.sendline('y')
time.sleep(1.0)
child.kill(0)
def test_cve_2010_2251_2(self):
'''Test CVE-2010-2251, part 2'''
# This test makes sure filenames suggested by the server via a
# Content-Disposition header are ignored, unless the new
# xfer:auto-rename option is used.
self._enable_mod("php5")
test_str = testlib_httpd.create_html_page(self.html_page)
bad_filename = "blah.txt"
bad_file_path = os.path.join(self.tempdir, bad_filename)
good_filename = os.path.basename(self.php5_content_dispo)
good_file_path = os.path.join(self.tempdir, good_filename)
specified_filename = "specified"
specified_file_path = os.path.join(self.tempdir, specified_filename)
script = '''<?php
$file = "%s";
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\\"%s\\";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($file));
readfile($file);
exit;
?>
''' % (self.html_page, bad_filename)
testlib.create_fill(self.php5_content_dispo, script)
self._download_file_lftp_get1("http://localhost/" + good_filename,
directory=self.tempdir)
error = "Found the %s file." % bad_file_path
self.assertFalse(os.path.exists(bad_file_path), error)
error = "Didn't find the %s file." % good_file_path
self.assertTrue(os.path.exists(good_file_path), error)
# Clean up before the next test
if os.path.exists(bad_file_path):
os.unlink(bad_file_path)
if os.path.exists(good_file_path):
os.unlink(good_file_path)
if self.lsb_release['Release'] > 6.06:
# Attempt to download the file with the new option
self._download_file_lftp_get1(
"http://localhost/" + good_filename,
directory=self.tempdir,
extra_cmd='set xfer:auto-rename yes;')
error = "Found the %s file." % good_file_path
self.assertFalse(os.path.exists(good_file_path), error)
error = "Didn't find the %s file." % bad_file_path
self.assertTrue(os.path.exists(bad_file_path), error)
# Clean up before the next test
if os.path.exists(bad_file_path):
os.unlink(bad_file_path)
if os.path.exists(good_file_path):
os.unlink(good_file_path)
# Attempt to download the file with a specified filename
self._download_file_lftp_get1("http://localhost/" + good_filename,
directory=self.tempdir,
extra_opts='-o ' + specified_filename)
error = "Found the %s file." % bad_file_path
self.assertFalse(os.path.exists(bad_file_path), error)
error = "Found the %s file." % good_file_path
self.assertFalse(os.path.exists(good_file_path), error)
error = "Didn't find the %s file." % specified_file_path
self.assertTrue(os.path.exists(specified_file_path), error)
