2 # Copyright (C) 2019-2021 all contributors <meta@public-inbox.org>
3 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
6 use PublicInbox::TestCommon;
7 use Socket qw(SOCK_STREAM IPPROTO_TCP SOL_SOCKET);
8 # IO::Poll and Net::NNTP are part of the standard library, but
9 # distros may split them off...
10 require_mods(qw(DBD::SQLite IO::Socket::SSL Net::NNTP IO::Poll));
11 Net::NNTP->can('starttls') or
12 plan skip_all => 'Net::NNTP does not support TLS';
14 my $cert = 'certs/server-cert.pem';
15 my $key = 'certs/server-key.pem';
16 unless (-r $key && -r $cert) {
18 "certs/ missing for $0, run $^X ./create-certs.perl in certs/";
21 use_ok 'PublicInbox::TLS';
22 use_ok 'IO::Socket::SSL';
24 eval { require Compress::Raw::Zlib } or
25 $need_zlib = 'Compress::Raw::Zlib missing';
26 my $version = 2; # v2 needs newer git
27 require_git('2.6') if $version >= 2;
28 my ($tmpdir, $for_destroy) = tmpdir();
29 my $err = "$tmpdir/stderr.log";
30 my $out = "$tmpdir/stdout.log";
31 my $group = 'test-nntpd-tls';
32 my $addr = $group . '@example.com';
33 my $starttls = tcp_server();
34 my $nntps = tcp_server();
36 my $ibx = create_inbox "v$version", version => $version, indexlevel => 'basic',
39 $pi_config = "$ibx->{inboxdir}/pi_config";
40 open my $fh, '>', $pi_config or BAIL_OUT "open: $!";
41 print $fh <<EOF or BAIL_OUT;
42 [publicinbox "nntpd-tls"]
43 inboxdir = $ibx->{inboxdir}
48 close $fh or BAIL_OUT "close: $!";
49 $im->add(eml_load 't/data/0001.patch') or BAIL_OUT;
51 $pi_config //= "$ibx->{inboxdir}/pi_config";
53 my $nntps_addr = tcp_host_port($nntps);
54 my $starttls_addr = tcp_host_port($starttls);
55 my $env = { PI_CONFIG => $pi_config };
59 [ "--cert=$cert", "--key=$key",
60 "-lnntps://$nntps_addr",
61 "-lnntp://$starttls_addr" ],
64 open my $fh, '>', $_ or die "truncate: $!";
66 my $cmd = [ '-nntpd', '-W0', @$args, "--stdout=$out", "--stderr=$err" ];
67 $td = start_script($cmd, $env, { 3 => $starttls, 4 => $nntps });
69 SSL_hostname => 'server.local',
70 SSL_verifycn_name => 'server.local',
71 SSL_verify_mode => SSL_VERIFY_PEER(),
72 SSL_ca_file => 'certs/test-ca.pem',
74 my $expect = { $group => [qw(1 1 n)] };
76 # start negotiating a slow TLS connection
77 my $slow = tcp_connect($nntps, Blocking => 0);
78 $slow = IO::Socket::SSL->start_SSL($slow, SSL_startHandshake => 0, %o);
79 my $slow_done = $slow->connect_SSL;
82 diag('W: connect_SSL early OK, slow client test invalid');
83 use PublicInbox::Syscall qw(EPOLLIN EPOLLOUT);
84 @poll = (fileno($slow), EPOLLIN | EPOLLOUT);
86 @poll = (fileno($slow), PublicInbox::TLS::epollbit());
88 # we should call connect_SSL much later...
91 my $c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
93 is_deeply($list, $expect, 'NNTPS LIST works');
94 unlike(get_capa($c), qr/\bSTARTTLS\r\n/,
95 'STARTTLS not advertised for NNTPS');
96 is($c->command('QUIT')->response(), Net::Cmd::CMD_OK(), 'QUIT works');
97 is(0, sysread($c, my $buf, 1), 'got EOF after QUIT');
100 $c = Net::NNTP->new($starttls_addr, %o);
102 is_deeply($list, $expect, 'plain LIST works');
103 ok($c->starttls, 'STARTTLS succeeds');
104 is($c->code, 382, 'got 382 for STARTTLS');
106 is_deeply($list, $expect, 'LIST works after STARTTLS');
107 unlike(get_capa($c), qr/\bSTARTTLS\r\n/,
108 'STARTTLS not advertised after STARTTLS');
110 # Net::NNTP won't let us do dumb things, but we need to test
111 # dumb things, so use Net::Cmd directly:
112 my $n = $c->command('STARTTLS')->response();
113 is($n, Net::Cmd::CMD_ERROR(), 'error attempting STARTTLS again');
114 is($c->code, 502, '502 according to RFC 4642 sec#2.2.1');
116 # STARTTLS with bad hostname
117 $o{SSL_hostname} = $o{SSL_verifycn_name} = 'server.invalid';
118 $c = Net::NNTP->new($starttls_addr, %o);
119 like(get_capa($c), qr/\bSTARTTLS\r\n/, 'STARTTLS advertised');
121 is_deeply($list, $expect, 'plain LIST works again');
122 ok(!$c->starttls, 'STARTTLS fails with bad hostname');
123 $c = Net::NNTP->new($starttls_addr, %o);
125 is_deeply($list, $expect, 'not broken after bad negotiation');
127 # NNTPS with bad hostname
128 $c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
129 is($c, undef, 'NNTPS fails with bad hostname');
130 $o{SSL_hostname} = $o{SSL_verifycn_name} = 'server.local';
131 $c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
132 ok($c, 'NNTPS succeeds again with valid hostname');
134 # slow TLS connection did not block the other fast clients while
135 # connecting, finish it off:
137 IO::Poll::_poll(-1, @poll);
138 $slow_done = $slow->connect_SSL and last;
139 @poll = (fileno($slow), PublicInbox::TLS::epollbit());
142 ok(sysread($slow, my $greet, 4096) > 0, 'slow got greeting');
143 like($greet, qr/\A201 /, 'got expected greeting');
144 is(syswrite($slow, "QUIT\r\n"), 6, 'slow wrote QUIT');
145 ok(sysread($slow, my $end, 4096) > 0, 'got EOF');
146 is(sysread($slow, my $eof, 4096), 0, 'got EOF');
150 lei_ok qw(ls-mail-source), "nntp://$starttls_addr",
151 \'STARTTLS not used by default';
152 ok(!lei(qw(ls-mail-source -c nntp.starttls=true),
153 "nntp://$starttls_addr"), 'STARTTLS verify fails');
154 like $lei_err, qr/STARTTLS requested/,
155 'STARTTLS noted in stderr';
159 skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
160 my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;
161 defined(my $x = getsockopt($nntps, IPPROTO_TCP, $var)) or die;
162 ok(unpack('i', $x) > 0, 'TCP_DEFER_ACCEPT set on NNTPS');
163 defined($x = getsockopt($starttls, IPPROTO_TCP, $var)) or die;
164 is(unpack('i', $x), 0, 'TCP_DEFER_ACCEPT is 0 on plain NNTP');
167 skip 'SO_ACCEPTFILTER is FreeBSD-only', 2 if $^O ne 'freebsd';
168 if (system('kldstat -m accf_data >/dev/null')) {
169 skip 'accf_data not loaded? kldload accf_data', 2;
171 require PublicInbox::Daemon;
172 my $x = getsockopt($nntps, SOL_SOCKET,
173 $PublicInbox::Daemon::SO_ACCEPTFILTER);
174 like($x, qr/\Adataready\0+\z/, 'got dataready accf for NNTPS');
175 $x = getsockopt($starttls, IPPROTO_TCP,
176 $PublicInbox::Daemon::SO_ACCEPTFILTER);
177 is($x, undef, 'no BSD accept filter for plain NNTP');
183 is($?, 0, 'no error in exited process');
185 open my $fh, '<', $err or die "open $err failed: $!";
189 unlike($eout, qr/wide/i, 'no Wide character warnings');
195 syswrite($sock, "CAPABILITIES\r\n");
198 my $r = sysread($sock, $capa, 8192, length($capa));
199 die "unexpected: $!" unless defined($r);
200 die 'unexpected EOF' if $r == 0;
201 } until $capa =~ /\.\r\n\z/;
203 my $deflate_capa = qr/\r\nCOMPRESS DEFLATE\r\n/;
205 unlike($capa, $deflate_capa,
206 'COMPRESS DEFLATE NOT advertised '.$need_zlib);
208 like($capa, $deflate_capa, 'COMPRESS DEFLATE advertised');