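#!/bin/bash

# Pull in the shared test harness (TEST/EXPECT/cleanup, volume helpers).
# The script directory is quoted so a checkout path containing spaces still
# resolves to the right include files.
. "$(dirname "$0")/../include.rc"
. "$(dirname "$0")/../volume.rc"
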
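#######################################
# Print the port(s) advertised for the bricks of a volume.
# Globals:   CLI (read) - gluster CLI command; intentionally left unquoted so
#            that any options it carries stay separate words
# Arguments: $1 - volume name
# Outputs:   one line per <port> element found in the XML status output
#            (this test creates a single brick, so one port is expected)
#######################################
brick_port() {
        local volname=$1
        # shellcheck disable=SC2086 -- $CLI is a command plus options
        $CLI --xml volume status "$volname" | sed -n '/.*<port>\([0-9]*\).*/s//\1/p'
}
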
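#######################################
# Poll until the given mount point appears in mount(8) output and can be
# listed, or until CONFIG_UPDATE_TIMEOUT seconds have elapsed.
# Globals:   CONFIG_UPDATE_TIMEOUT (read) - polling budget in seconds
# Arguments: $1 - mount point to wait for
# Outputs:   "Y" if the path is mounted and listable, "N" otherwise
#######################################
wait_mount() {
	local mntpt=$1
	local i=1
	# Start from "N" so that a timeout of 1 (loop body never runs) still
	# yields a definite answer instead of an empty or stale value.
	local mounted="N"

	while [ "$i" -lt "$CONFIG_UPDATE_TIMEOUT" ]; do
		sleep 1
		i=$(( i + 1 ))
		# The path is handed to awk through -v, so a mount point containing
		# spaces or quotes cannot alter the awk program text.
		# Assumes the mount point is the third field of mount(8) output.
		mounted=$(mount | awk -v m="$mntpt" '
				BEGIN {r = "N";}
				($3 == m) {r = "Y"; exit;}
				END {print r;}
		')
		if [ "$mounted" = "Y" ]; then
			# Listed but not yet readable: keep polling. ls output is
			# discarded so only Y/N reaches the caller.
			ls "$mntpt" >/dev/null 2>&1 || continue
			break
		fi
	done

	# A mount that is listed but cannot be read counts as not mounted.
	if [ "$mounted" = "Y" ]; then
		ls "$mntpt" >/dev/null 2>&1 || mounted="N"
	fi

	echo "$mounted"
}
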
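#######################################
# Attempt a TLS handshake against a brick with full peer verification
# (CA file, chain depth 3, CRL checking in TMPDIR) and report whether a
# cipher was negotiated. -verify_return_error makes any verification
# failure abort the handshake, so it shows up as "N" rather than a warning.
# Globals:   SSL_CA (read) - CA certificate used to verify the brick
#            TMPDIR (read) - directory searched for hashed CRL files
# Arguments: extra openssl s_client options, e.g. -connect host:port,
#            -cipher NAME or a protocol flag such as -tls1_2
# Outputs:   "Y" if a cipher was negotiated, "N" otherwise
#######################################
openssl_connect() {
	local cipher
	# Options are kept in an array so each stays one word and the caller's
	# arguments can be appended directly; no eval is needed.
	local -a ssl_opt=(-verify 3 -verify_return_error -CAfile "$SSL_CA"
	                  -crl_check_all -CApath "$TMPDIR")
	# s_client reports "Cipher is <name>" once the handshake has finished;
	# the single newline on stdin makes it exit right after that.
	cipher=$(printf '\n' | openssl s_client "${ssl_opt[@]}" "$@" 2>/dev/null \
		| awk -F 'Cipher is' '{print $2}' | tr -d '[:space:]')
	# No "Cipher is" line, "0000" or "(NONE)" all mean no session was set
	# up; this also covers a client-side openssl that rejects the option.
	case "$cipher" in
		''|0000|'(NONE)') echo "N" ;;
		*) echo "Y" ;;
	esac
}
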
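#######################################
# Probe whether the local openssl can negotiate the given options with the
# brick WITHOUT certificate verification. The cipher tests below use its
# result as the value EXPECT requires from openssl_connect, so a cipher the
# local openssl build does not offer at all yields "N" from both and is
# skipped rather than reported as a failure.
# Arguments: openssl s_client options, e.g. -cipher NAME -connect host:port
# Outputs:   "Y" if a cipher was negotiated, "N" otherwise
#######################################
check_cipher() {
	local cipher
	# Same parsing as openssl_connect: take the text after "Cipher is" and
	# strip all whitespace.
	cipher=$(printf '\n' | openssl s_client "$@" 2>/dev/null \
		| awk -F 'Cipher is' '{print $2}' | tr -d '[:space:]')
	case "$cipher" in
		''|0000|'(NONE)') echo "N" ;;
		*) echo "Y" ;;
	esac
}
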
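cleanup;
mkdir -p "$B0"
mkdir -p "$M0"

# Private scratch directory for the test CA. mktemp picks an unpredictable
# name, so nothing else in /tmp can pre-create or symlink it.
TMPDIR=$(mktemp -d "/tmp/${0##*/}.XXXXXX")
TEST test -d "$TMPDIR"

SSL_KEY=$TMPDIR/self.key
SSL_CSR=$TMPDIR/self.csr
SSL_CERT=$TMPDIR/self.crt
SSL_CA=$TMPDIR/ca.crt
SSL_CFG=$TMPDIR/openssl.cnf
SSL_CRL=$TMPDIR/crl.pem

# Instantiate the openssl CA config template with the scratch directory.
sed "s|@TMPDIR@|${TMPDIR}|" "$(pwd)/$(dirname "$0")/openssl.cnf.in" > "$SSL_CFG"

TEST glusterd
TEST pidof glusterd
TEST $CLI volume info

# One RSA key serves as both the CA key and the brick key. That is a test
# fixture shortcut; a real CA hierarchy keeps the CA key separate.
TEST openssl genrsa -out "$SSL_KEY" 2048 2>/dev/null
TEST openssl req -config "$SSL_CFG" -new -key "$SSL_KEY" -x509 \
                  -subj /CN=CA -out "$SSL_CA"
TEST openssl req -config "$SSL_CFG" -new -key "$SSL_KEY" \
                  -subj "/CN=$H0" -out "$SSL_CSR"

# Minimal "openssl ca" database: serial, index and the index attribute file.
# (The original spelled the latter index.txx.attr; that appears to have been
# harmless because openssl ca recreates a missing .attr file itself.)
echo "01" > "$TMPDIR/serial"
TEST touch "$TMPDIR/index.txt" "$TMPDIR/index.txt.attr"
TEST mkdir -p "$TMPDIR/certs" "$TMPDIR/newcerts" "$TMPDIR/crl"
TEST openssl ca -batch -config "$SSL_CFG" -in "$SSL_CSR" -out "$SSL_CERT" 2>&1

# Publish an (initially empty) CRL under the hashed name <subject-hash>.r0
# that -CApath / ssl.crl-path lookups expect. The first output line of
# "openssl x509 -hash" is the subject hash; sed appends the .r0 suffix.
touch "$SSL_CRL"
CRLHASH=$(openssl x509 -hash -fingerprint -noout -in "$SSL_CA" | sed -n '1s/$/.r0/p')
ln -sf "$SSL_CRL" "$TMPDIR/$CRLHASH"
TEST openssl ca -config "$SSL_CFG" -gencrl -out "$SSL_CRL" 2>&1

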
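# Single-brick volume with TLS required on both the server (brick) and the
# client side, using the certificate just issued by the test CA.
TEST $CLI volume create "$V0" "$H0:$B0/1"
TEST $CLI volume set "$V0" server.ssl on
TEST $CLI volume set "$V0" client.ssl on
TEST $CLI volume set "$V0" ssl.private-key "$SSL_KEY"
TEST $CLI volume set "$V0" ssl.own-cert "$SSL_CERT"
TEST $CLI volume set "$V0" ssl.ca-list "$SSL_CA"
TEST $CLI volume start "$V0"
EXPECT_WITHIN "$CHILD_UP_TIMEOUT" "1" online_brick_count

BRICK_PORT=$(brick_port "$V0")

# Test we can connect with full certificate verification enabled
EXPECT "Y" openssl_connect -connect "$H0:$BRICK_PORT"

# Test SSLv2 protocol fails. Note that "N" is also what an openssl client
# built without SSLv2/SSLv3 support reports, so these two probes cannot tell
# "server refused" from "client cannot offer it"; both are acceptable here.
EXPECT "N" openssl_connect -ssl2 -connect "$H0:$BRICK_PORT"

# Test SSLv3 protocol fails
EXPECT "N" openssl_connect -ssl3 -connect "$H0:$BRICK_PORT"

TLS10="$(openssl_connect -tls1 -connect "$H0:$BRICK_PORT")"
TLS11="$(openssl_connect -tls1_1 -connect "$H0:$BRICK_PORT")"
TLS12="$(openssl_connect -tls1_2 -connect "$H0:$BRICK_PORT")"
TLS13="$(openssl_connect -tls1_3 -connect "$H0:$BRICK_PORT")"

# TLS support depends on openssl version.
#
#   TLS v1.0 requires openssl v0.9.6 or higher
#   TLS v1.1 requires openssl v1.0.1 or higher
#   TLS v1.2 requires openssl v1.0.1 or higher
#   TLS v1.3 requires openssl v1.1.1 or higher
#
# If TLS is supported by the current version of openssl, at least one of the
# protocols should connect successfully. Otherwise all connections should fail.
#
# The version test is a lexical string comparison ([[ < ]]), which is enough
# for the leading "0." versus "1."/"3." distinction it has to make. EXPECT
# evidently matches its expected value as a regex (see the anchored ^NNNN$
# form), so "Y" passes as soon as one of the four probes negotiated; this
# block does not assert which protocol versions the brick refuses.

if [[ "$(openssl version | awk '{ print $2; }')" < "0.9.6" ]]; then
    supp="^NNNN$"
else
    supp="Y"
fi

EXPECT "${supp}" echo "${TLS10}${TLS11}${TLS12}${TLS13}"
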
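# Each case below compares openssl_connect (with verification) against
# check_cipher (without) for the same cipher and the same brick. What is
# asserted is that both agree, i.e. that enabling verification does not
# change the outcome, and that ciphers the local openssl build does not
# offer yield N/N instead of a spurious failure. The "fails" wording in the
# comments describes the expected server behaviour but is NOT enforced: a
# server that accepted RC4 or MD5 would give Y/Y and still pass here.

# Test a HIGH CBC cipher
cph=$(check_cipher -cipher AES256-SHA -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES256-SHA -connect "$H0:$BRICK_PORT"

# Test EECDH
cph=$(check_cipher -cipher EECDH -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher EECDH -connect "$H0:$BRICK_PORT"

# test MD5 fails
cph=$(check_cipher -cipher DES-CBC3-MD5 -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher DES-CBC3-MD5 -connect "$H0:$BRICK_PORT"

# test RC4 fails
cph=$(check_cipher -cipher RC4-SHA -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher RC4-SHA -connect "$H0:$BRICK_PORT"

# test eNULL fails
cph=$(check_cipher -cipher NULL-SHA256 -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher NULL-SHA256 -connect "$H0:$BRICK_PORT"

# test SHA2
cph=$(check_cipher -cipher AES256-SHA256 -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES256-SHA256 -connect "$H0:$BRICK_PORT"

# test GCM
cph=$(check_cipher -cipher AES256-GCM-SHA384 -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES256-GCM-SHA384 -connect "$H0:$BRICK_PORT"

# Test DH fails without DH params
cph=$(check_cipher -cipher EDH -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher EDH -connect "$H0:$BRICK_PORT"
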
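# Test DH with DH params. The 1024-bit parameter file is a small fixture
# shipped with the test; it is below current guidance for production use.
DH_PARAM="$(pwd)/$(dirname "$0")/dh1024.pem"
TEST $CLI volume set "$V0" ssl.dh-param "$DH_PARAM"
EXPECT "$DH_PARAM" volume_option "$V0" ssl.dh-param
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
EXPECT_WITHIN "$CHILD_UP_TIMEOUT" "1" online_brick_count
BRICK_PORT=$(brick_port "$V0")
EXPECT "Y" openssl_connect -cipher EDH -connect "$H0:$BRICK_PORT"

# Test the cipher-list option: restrict the brick to a single cipher. Each
# probe is compared against check_cipher, so AES128-SHA is only expected to
# fail in the sense that both helpers must agree on the outcome.
TEST $CLI volume set "$V0" ssl.cipher-list AES256-SHA
EXPECT AES256-SHA volume_option "$V0" ssl.cipher-list
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
EXPECT_WITHIN "$CHILD_UP_TIMEOUT" "1" online_brick_count
BRICK_PORT=$(brick_port "$V0")
cph=$(check_cipher -cipher AES256-SHA -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES256-SHA -connect "$H0:$BRICK_PORT"
cph=$(check_cipher -cipher AES128-SHA -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES128-SHA -connect "$H0:$BRICK_PORT"

# Test a cipher-list made of cipher classes plus a negated entry.
# (This was previously labelled the ec-curve test; that one starts below.)
TEST $CLI volume set "$V0" ssl.cipher-list EECDH:EDH:!TLSv1
EXPECT EECDH:EDH:!TLSv1 volume_option "$V0" ssl.cipher-list
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
EXPECT_WITHIN "$CHILD_UP_TIMEOUT" "1" online_brick_count
BRICK_PORT=$(brick_port "$V0")
cph=$(check_cipher -cipher AES256-SHA -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES256-SHA -connect "$H0:$BRICK_PORT"
cph=$(check_cipher -cipher EECDH -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher EECDH -connect "$H0:$BRICK_PORT"

# Test the ec-curve option. The CLI accepts an unknown curve name; with it
# set, the EECDH probe is only compared against check_cipher (either outcome
# passes). With a valid curve EECDH must negotiate.
TEST $CLI volume set "$V0" ssl.ec-curve invalid
EXPECT invalid volume_option "$V0" ssl.ec-curve
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
EXPECT_WITHIN "$CHILD_UP_TIMEOUT" "1" online_brick_count
BRICK_PORT=$(brick_port "$V0")
cph=$(check_cipher -cipher EECDH -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher EECDH -connect "$H0:$BRICK_PORT"

TEST $CLI volume set "$V0" ssl.ec-curve secp521r1
EXPECT secp521r1 volume_option "$V0" ssl.ec-curve
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
EXPECT_WITHIN "$CHILD_UP_TIMEOUT" "1" online_brick_count
BRICK_PORT=$(brick_port "$V0")
EXPECT "Y" openssl_connect -cipher EECDH -connect "$H0:$BRICK_PORT"
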
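# test revocation: with ssl.crl-path pointing at the directory holding the
# (still empty) hashed CRL, the client mount must succeed.
# $GFS is left unquoted on purpose: it is a command plus options.
TEST $CLI volume set "$V0" ssl.crl-path "$TMPDIR"
EXPECT "$TMPDIR" volume_option "$V0" ssl.crl-path
$GFS --volfile-id="$V0" --volfile-server="$H0" "$M0"
EXPECT "Y" wait_mount "$M0"
TEST_FILE=$(mktemp "$M0/${0##*/}.XXXXXX")
TEST test -f "$TEST_FILE"
EXPECT_WITHIN "$UMOUNT_TIMEOUT" "Y" force_umount "$M0"

# Revoke the brick/client certificate and regenerate the CRL in place; the
# hashed symlink created during setup now points at a CRL listing it.
TEST openssl ca -batch -config "$SSL_CFG" -revoke "$SSL_CERT" 2>&1
TEST openssl ca -config "$SSL_CFG" -gencrl -out "$SSL_CRL" 2>&1

# Fails once revoked.
# Although the client fails to mount without restarting the server after
# crl-path is set when no actual CRL file is found on the client, it would
# also fail when the server is restarted, for the same reason. Since the
# socket initialization code is the same for client and server, the CRL
# verification flags need to be turned off for the client to avoid SSL
# searching for CRLs in ssl.crl-path. If no CRL files are found in
# ssl.crl-path, SSL fails the connect() attempt on the client.
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
$GFS --volfile-id="$V0" --volfile-server="$H0" "$M0"
EXPECT "N" wait_mount "$M0"
TEST ! test -f "$TEST_FILE"
EXPECT_WITHIN "$UMOUNT_TIMEOUT" "Y" force_umount "$M0"

# Succeed with CRL disabled. Setting ssl.crl-path to NULL turns CRL checking
# off entirely, so the revoked certificate is accepted again: revocation is
# enforced only while that option points at a CRL directory.
TEST $CLI volume stop "$V0"
TEST $CLI volume set "$V0" ssl.crl-path NULL
EXPECT NULL volume_option "$V0" ssl.crl-path
TEST $CLI volume start "$V0"
$GFS --volfile-id="$V0" --volfile-server="$H0" "$M0"
EXPECT "Y" wait_mount "$M0"
TEST test -f "$TEST_FILE"

EXPECT_WITHIN "$UMOUNT_TIMEOUT" "Y" force_umount "$M0"

# ${TMPDIR:?} aborts instead of expanding to "rm -rf /" if the variable is
# somehow empty; -- protects against a name starting with a dash.
rm -rf -- "${TMPDIR:?}"
cleanup;
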