# Copyright (C) 2019-2020 all contributors
# License: AGPL-3.0+
use strict;
use warnings;
use Test::More;
use Socket qw(SOCK_STREAM IPPROTO_TCP SOL_SOCKET);
use PublicInbox::TestCommon;
# IO::Poll and Net::NNTP are part of the standard library, but
# distros may split them off...
require_mods(qw(DBD::SQLite IO::Socket::SSL Net::NNTP IO::Poll));
Net::NNTP->can('starttls') or
plan skip_all => 'Net::NNTP does not support TLS';
IO::Socket::SSL->VERSION(2.007) or
plan skip_all => 'IO::Socket::SSL <2.007 not supported by Net::NNTP';
my $cert = 'certs/server-cert.pem';
my $key = 'certs/server-key.pem';
unless (-r $key && -r $cert) {
plan skip_all =>
"certs/ missing for $0, run $^X ./create-certs.perl in certs/";
}
use_ok 'PublicInbox::TLS';
use_ok 'IO::Socket::SSL';
require PublicInbox::InboxWritable;
require PublicInbox::MIME;
require PublicInbox::SearchIdx;
our $need_zlib;
eval { require Compress::Raw::Zlib } or
$need_zlib = 'Compress::Raw::Zlib missing';
my $version = 2; # v2 needs newer git
require_git('2.6') if $version >= 2;
my ($tmpdir, $for_destroy) = tmpdir();
my $err = "$tmpdir/stderr.log";
my $out = "$tmpdir/stdout.log";
my $inboxdir = "$tmpdir";
my $pi_config = "$tmpdir/pi_config";
my $group = 'test-nntpd-tls';
my $addr = $group . '@example.com';
my $starttls = tcp_server();
my $nntps = tcp_server();
my $ibx = PublicInbox::Inbox->new({
inboxdir => $inboxdir,
name => 'nntpd-tls',
version => $version,
-primary_address => $addr,
indexlevel => 'basic',
});
$ibx = PublicInbox::InboxWritable->new($ibx, {nproc=>1});
$ibx->init_inbox(0);
{
open my $fh, '>', $pi_config or die "open: $!\n";
print $fh <importer(0);
my $mime = PublicInbox::MIME->new(do {
open my $fh, '<', 't/data/0001.patch' or die;
local $/;
<$fh>
});
ok($im->add($mime), 'message added');
$im->done;
if ($version == 1) {
my $s = PublicInbox::SearchIdx->new($ibx, 1);
$s->index_sync;
}
}
my $nntps_addr = $nntps->sockhost . ':' . $nntps->sockport;
my $starttls_addr = $starttls->sockhost . ':' . $starttls->sockport;
my $env = { PI_CONFIG => $pi_config };
my $td;
for my $args (
[ "--cert=$cert", "--key=$key",
"-lnntps://$nntps_addr",
"-lnntp://$starttls_addr" ],
) {
for ($out, $err) {
open my $fh, '>', $_ or die "truncate: $!";
}
my $cmd = [ '-nntpd', '-W0', @$args, "--stdout=$out", "--stderr=$err" ];
$td = start_script($cmd, $env, { 3 => $starttls, 4 => $nntps });
my %o = (
SSL_hostname => 'server.local',
SSL_verifycn_name => 'server.local',
SSL_verify_mode => SSL_VERIFY_PEER(),
SSL_ca_file => 'certs/test-ca.pem',
);
my $expect = { $group => [qw(1 1 n)] };
# start negotiating a slow TLS connection
my $slow = tcp_connect($nntps, Blocking => 0);
$slow = IO::Socket::SSL->start_SSL($slow, SSL_startHandshake => 0, %o);
my $slow_done = $slow->connect_SSL;
my @poll;
if ($slow_done) {
diag('W: connect_SSL early OK, slow client test invalid');
use PublicInbox::Syscall qw(EPOLLIN EPOLLOUT);
@poll = (fileno($slow), EPOLLIN | EPOLLOUT);
} else {
@poll = (fileno($slow), PublicInbox::TLS::epollbit());
}
# we should call connect_SSL much later...
# NNTPS
my $c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
my $list = $c->list;
is_deeply($list, $expect, 'NNTPS LIST works');
unlike(get_capa($c), qr/\bSTARTTLS\r\n/,
'STARTTLS not advertised for NNTPS');
is($c->command('QUIT')->response(), Net::Cmd::CMD_OK(), 'QUIT works');
is(0, sysread($c, my $buf, 1), 'got EOF after QUIT');
# STARTTLS
$c = Net::NNTP->new($starttls_addr, %o);
$list = $c->list;
is_deeply($list, $expect, 'plain LIST works');
ok($c->starttls, 'STARTTLS succeeds');
is($c->code, 382, 'got 382 for STARTTLS');
$list = $c->list;
is_deeply($list, $expect, 'LIST works after STARTTLS');
unlike(get_capa($c), qr/\bSTARTTLS\r\n/,
'STARTTLS not advertised after STARTTLS');
# Net::NNTP won't let us do dumb things, but we need to test
# dumb things, so use Net::Cmd directly:
my $n = $c->command('STARTTLS')->response();
is($n, Net::Cmd::CMD_ERROR(), 'error attempting STARTTLS again');
is($c->code, 502, '502 according to RFC 4642 sec#2.2.1');
# STARTTLS with bad hostname
$o{SSL_hostname} = $o{SSL_verifycn_name} = 'server.invalid';
$c = Net::NNTP->new($starttls_addr, %o);
like(get_capa($c), qr/\bSTARTTLS\r\n/, 'STARTTLS advertised');
$list = $c->list;
is_deeply($list, $expect, 'plain LIST works again');
ok(!$c->starttls, 'STARTTLS fails with bad hostname');
$c = Net::NNTP->new($starttls_addr, %o);
$list = $c->list;
is_deeply($list, $expect, 'not broken after bad negotiation');
# NNTPS with bad hostname
$c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
is($c, undef, 'NNTPS fails with bad hostname');
$o{SSL_hostname} = $o{SSL_verifycn_name} = 'server.local';
$c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
ok($c, 'NNTPS succeeds again with valid hostname');
# slow TLS connection did not block the other fast clients while
# connecting, finish it off:
until ($slow_done) {
IO::Poll::_poll(-1, @poll);
$slow_done = $slow->connect_SSL and last;
@poll = (fileno($slow), PublicInbox::TLS::epollbit());
}
$slow->blocking(1);
ok(sysread($slow, my $greet, 4096) > 0, 'slow got greeting');
like($greet, qr/\A201 /, 'got expected greeting');
is(syswrite($slow, "QUIT\r\n"), 6, 'slow wrote QUIT');
ok(sysread($slow, my $end, 4096) > 0, 'got EOF');
is(sysread($slow, my $eof, 4096), 0, 'got EOF');
$slow = undef;
SKIP: {
skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;
defined(my $x = getsockopt($nntps, IPPROTO_TCP, $var)) or die;
ok(unpack('i', $x) > 0, 'TCP_DEFER_ACCEPT set on NNTPS');
defined($x = getsockopt($starttls, IPPROTO_TCP, $var)) or die;
is(unpack('i', $x), 0, 'TCP_DEFER_ACCEPT is 0 on plain NNTP');
};
SKIP: {
skip 'SO_ACCEPTFILTER is FreeBSD-only', 2 if $^O ne 'freebsd';
if (system('kldstat -m accf_data >/dev/null')) {
skip 'accf_data not loaded? kldload accf_data', 2;
}
require PublicInbox::Daemon;
my $var = PublicInbox::Daemon::SO_ACCEPTFILTER();
my $x = getsockopt($nntps, SOL_SOCKET, $var);
like($x, qr/\Adataready\0+\z/, 'got dataready accf for NNTPS');
$x = getsockopt($starttls, IPPROTO_TCP, $var);
is($x, undef, 'no BSD accept filter for plain NNTP');
};
$c = undef;
$td->kill;
$td->join;
is($?, 0, 'no error in exited process');
my $eout = eval {
open my $fh, '<', $err or die "open $err failed: $!";
local $/;
<$fh>;
};
unlike($eout, qr/wide/i, 'no Wide character warnings');
}
done_testing();
sub get_capa {
my ($sock) = @_;
syswrite($sock, "CAPABILITIES\r\n");
my $capa = '';
do {
my $r = sysread($sock, $capa, 8192, length($capa));
die "unexpected: $!" unless defined($r);
die 'unexpected EOF' if $r == 0;
} until $capa =~ /\.\r\n\z/;
my $deflate_capa = qr/\r\nCOMPRESS DEFLATE\r\n/;
if ($need_zlib) {
unlike($capa, $deflate_capa,
'COMPRESS DEFLATE NOT advertised '.$need_zlib);
} else {
like($capa, $deflate_capa, 'COMPRESS DEFLATE advertised');
}
$capa;
}
1;