1 # Copyright (C) 2019 all contributors <meta@public-inbox.org>
2 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
6 use File::Temp qw(tempdir);
7 use Socket qw(SOCK_STREAM IPPROTO_TCP SOL_SOCKET);
8 # IO::Poll and Net::NNTP are part of the standard library, but
9 # distros may split them off...
10 foreach my $mod (qw(DBD::SQLite IO::Socket::SSL Net::NNTP IO::Poll)) {
12 plan skip_all => "$mod missing for $0" if $@;
14 Net::NNTP->can('starttls') or
15 plan skip_all => 'Net::NNTP does not support TLS';
16 IO::Socket::SSL->VERSION(2.007) or
17 plan skip_all => 'IO::Socket::SSL <2.007 not supported by Net::NNTP';
19 my $cert = 'certs/server-cert.pem';
20 my $key = 'certs/server-key.pem';
21 unless (-r $key && -r $cert) {
23 "certs/ missing for $0, run ./create-certs.perl in certs/";
26 use_ok 'PublicInbox::TLS';
27 use_ok 'IO::Socket::SSL';
28 require './t/common.perl';
29 require PublicInbox::InboxWritable;
30 require PublicInbox::MIME;
31 require PublicInbox::SearchIdx;
33 eval { require Compress::Raw::Zlib } or
34 $need_zlib = 'Compress::Raw::Zlib missing';
35 my $version = 2; # v2 needs newer git
36 require_git('2.6') if $version >= 2;
37 my $tmpdir = tempdir('pi-nntpd-tls-XXXXXX', TMPDIR => 1, CLEANUP => 1);
38 my $err = "$tmpdir/stderr.log";
39 my $out = "$tmpdir/stdout.log";
40 my $mainrepo = "$tmpdir";
41 my $pi_config = "$tmpdir/pi_config";
42 my $group = 'test-nntpd-tls';
43 my $addr = $group . '@example.com';
44 my $nntpd = 'blib/script/public-inbox-nntpd';
45 my $starttls = tcp_server();
46 my $nntps = tcp_server();
49 foreach ($pid, $tail_pid) {
50 kill 'TERM', $_ if defined $_;
54 my $ibx = PublicInbox::Inbox->new({
55 mainrepo => $mainrepo,
58 -primary_address => $addr,
59 indexlevel => 'basic',
61 $ibx = PublicInbox::InboxWritable->new($ibx, {nproc=>1});
64 open my $fh, '>', $pi_config or die "open: $!\n";
66 [publicinbox "nntpd-tls"]
73 close $fh or die "close: $!\n";
77 my $im = $ibx->importer(0);
78 my $mime = PublicInbox::MIME->new(do {
79 open my $fh, '<', 't/data/0001.patch' or die;
83 ok($im->add($mime), 'message added');
86 my $s = PublicInbox::SearchIdx->new($ibx, 1);
91 my $nntps_addr = $nntps->sockhost . ':' . $nntps->sockport;
92 my $starttls_addr = $starttls->sockhost . ':' . $starttls->sockport;
93 my $env = { PI_CONFIG => $pi_config };
96 [ "--cert=$cert", "--key=$key",
97 "-lnntps://$nntps_addr",
98 "-lnntp://$starttls_addr" ],
101 open my $fh, '>', $_ or die "truncate: $!";
103 if (my $tail_cmd = $ENV{TAIL}) { # don't assume GNU tail
105 if (defined $tail_pid && $tail_pid == 0) {
106 exec(split(' ', $tail_cmd), $out, $err);
109 my $cmd = [ $nntpd, '-W0', @$args, "--stdout=$out", "--stderr=$err" ];
110 $pid = spawn_listener($env, $cmd, [ $starttls, $nntps ]);
112 SSL_hostname => 'server.local',
113 SSL_verifycn_name => 'server.local',
114 SSL_verify_mode => SSL_VERIFY_PEER(),
115 SSL_ca_file => 'certs/test-ca.pem',
117 my $expect = { $group => [qw(1 1 n)] };
119 # start negotiating a slow TLS connection
120 my $slow = IO::Socket::INET->new(
122 PeerAddr => $nntps_addr,
126 $slow = IO::Socket::SSL->start_SSL($slow, SSL_startHandshake => 0, %o);
127 my $slow_done = $slow->connect_SSL;
128 diag('W: connect_SSL early OK, slow client test invalid') if $slow_done;
129 my @poll = (fileno($slow), PublicInbox::TLS::epollbit());
130 # we should call connect_SSL much later...
133 my $c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
135 is_deeply($list, $expect, 'NNTPS LIST works');
136 unlike(get_capa($c), qr/\bSTARTTLS\r\n/,
137 'STARTTLS not advertised for NNTPS');
138 is($c->command('QUIT')->response(), Net::Cmd::CMD_OK(), 'QUIT works');
139 is(0, sysread($c, my $buf, 1), 'got EOF after QUIT');
142 $c = Net::NNTP->new($starttls_addr, %o);
144 is_deeply($list, $expect, 'plain LIST works');
145 ok($c->starttls, 'STARTTLS succeeds');
146 is($c->code, 382, 'got 382 for STARTTLS');
148 is_deeply($list, $expect, 'LIST works after STARTTLS');
149 unlike(get_capa($c), qr/\bSTARTTLS\r\n/,
150 'STARTTLS not advertised after STARTTLS');
152 # Net::NNTP won't let us do dumb things, but we need to test
153 # dumb things, so use Net::Cmd directly:
154 my $n = $c->command('STARTTLS')->response();
155 is($n, Net::Cmd::CMD_ERROR(), 'error attempting STARTTLS again');
156 is($c->code, 502, '502 according to RFC 4642 sec#2.2.1');
158 # STARTTLS with bad hostname
159 $o{SSL_hostname} = $o{SSL_verifycn_name} = 'server.invalid';
160 $c = Net::NNTP->new($starttls_addr, %o);
161 like(get_capa($c), qr/\bSTARTTLS\r\n/, 'STARTTLS advertised');
163 is_deeply($list, $expect, 'plain LIST works again');
164 ok(!$c->starttls, 'STARTTLS fails with bad hostname');
165 $c = Net::NNTP->new($starttls_addr, %o);
167 is_deeply($list, $expect, 'not broken after bad negotiation');
169 # NNTPS with bad hostname
170 $c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
171 is($c, undef, 'NNTPS fails with bad hostname');
172 $o{SSL_hostname} = $o{SSL_verifycn_name} = 'server.local';
173 $c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
174 ok($c, 'NNTPS succeeds again with valid hostname');
176 # slow TLS connection did not block the other fast clients while
177 # connecting, finish it off:
179 IO::Poll::_poll(-1, @poll);
180 $slow_done = $slow->connect_SSL and last;
181 @poll = (fileno($slow), PublicInbox::TLS::epollbit());
184 ok(sysread($slow, my $greet, 4096) > 0, 'slow got greeting');
185 like($greet, qr/\A201 /, 'got expected greeting');
186 is(syswrite($slow, "QUIT\r\n"), 6, 'slow wrote QUIT');
187 ok(sysread($slow, my $end, 4096) > 0, 'got EOF');
188 is(sysread($slow, my $eof, 4096), 0, 'got EOF');
192 skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
193 my $var = Socket::TCP_DEFER_ACCEPT();
194 defined(my $x = getsockopt($nntps, IPPROTO_TCP, $var)) or die;
195 ok(unpack('i', $x) > 0, 'TCP_DEFER_ACCEPT set on NNTPS');
196 defined($x = getsockopt($starttls, IPPROTO_TCP, $var)) or die;
197 is(unpack('i', $x), 0, 'TCP_DEFER_ACCEPT is 0 on plain NNTP');
200 skip 'SO_ACCEPTFILTER is FreeBSD-only', 2 if $^O ne 'freebsd';
201 if (system('kldstat -m accf_data >/dev/null')) {
202 skip 'accf_data not loaded? kldload accf_data', 2;
204 require PublicInbox::Daemon;
205 my $var = PublicInbox::Daemon::SO_ACCEPTFILTER();
206 my $x = getsockopt($nntps, SOL_SOCKET, $var);
207 like($x, qr/\Adataready\0+\z/, 'got dataready accf for NNTPS');
208 $x = getsockopt($starttls, IPPROTO_TCP, $var);
209 is($x, undef, 'no BSD accept filter for plain NNTP');
214 is($pid, waitpid($pid, 0), 'nntpd exited successfully');
215 is($?, 0, 'no error in exited process');
218 open my $fh, '<', $err or die "open $err failed: $!";
222 unlike($eout, qr/wide/i, 'no Wide character warnings');
223 if (defined $tail_pid) {
224 kill 'TERM', $tail_pid;
225 waitpid($tail_pid, 0);
233 syswrite($sock, "CAPABILITIES\r\n");
236 my $r = sysread($sock, $capa, 8192, length($capa));
237 die "unexpected: $!" unless defined($r);
238 die 'unexpected EOF' if $r == 0;
239 } until $capa =~ /\.\r\n\z/;
241 my $deflate_capa = qr/\r\nCOMPRESS DEFLATE\r\n/;
243 unlike($capa, $deflate_capa,
244 'COMPRESS DEFLATE NOT advertised '.$need_zlib);
246 like($capa, $deflate_capa, 'COMPRESS DEFLATE advertised');