Plan 9 from Bell Labs’s /usr/web/sources/contrib/mospak/tls-modern-client/tools/test.rc



#!/bin/rc
# test.rc — tls-modern-client self-test.
#
# Run after build.rc + reboot.  Nine probes against real servers
# exercise the features the series adds; six expect success, three
# expect a specific rejection from the verification path.  Probe
# byte counts will vary as live sites change their content.
#
# Self-contained: hget only, scratch in /tmp, no privileges needed.
# Run from rio.

# Scratch files carry $pid so two concurrent runs never share a file.
body=/tmp/tls-modern-test.body.^$pid
errf=/tmp/tls-modern-test.err.^$pid
# Probe tallies.  rc has no arithmetic of its own; awk bumps these.
nok=0; nbad=0

fn cleanup { rm -f $body $errf }
fn sigint  { cleanup; exit interrupted }
fn sigterm { cleanup; exit interrupted }
fn sighup  { cleanup; exit interrupted }

# ok: expect hget to succeed.  Body size confirms a real response.
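# ok: expect hget to succeed.  Body size confirms a real response; an
# empty body is reported as a failure rather than printed as "0 bytes".
# Arguments: $1 = display tag, $2 = URL.
# Side effects: bumps $nok or $nbad, removes the scratch files.
fn ok{
	tag=$1; url=$2
	# stderr is kept in $errf instead of being discarded so an unexpected
	# failure prints its reason — a TLS rejection reads differently from
	# a DNS or connect error, and that distinction is what the reader
	# needs when a success probe goes wrong.
	if(hget -o $body $url >[2]$errf){
		size=`{wc -c <$body | awk '{print $1}'}
		if(~ $size 0 ''){
			echo '    [BAD] '$tag'  hget succeeded but the body is empty'
			nbad=`{echo $nbad | awk '{print $1+1}'}
		}
		if not {
			echo '    [ok]  '$tag'  ('$"size' bytes)'
			nok=`{echo $nok | awk '{print $1+1}'}
		}
	}
	if not {
		why=`{sed 1q <$errf}
		echo '    [BAD] '$tag'  hget failed, expected success: '$"why
		nbad=`{echo $nbad | awk '{print $1+1}'}
	}
	rm -f $body $errf
}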

# reject: expect hget to fail with a specific error string.  `want` is
# a substring we look for in the first line of captured stderr; this
# distinguishes "rejected for the reason we want" from "rejected for
# some unrelated network hiccup".
# reject: expect hget to fail, and to fail for a specific reason.  `want`
# is a substring searched for in the captured stderr; matching on it
# separates "rejected by the verification path, as intended" from
# "failed for some unrelated network reason", which would otherwise
# look identical to the exit status alone.
# Arguments: $1 = display tag, $2 = URL, $3 = expected error substring.
# Side effects: bumps $nok or $nbad, removes the scratch files.
fn reject{
	tag=$1; url=$2; want=$3
	# Both streams land in $errf.  A success here means the connection
	# was accepted without the check this probe exists to exercise.
	if(! hget -o $body $url >$errf >[2=1]){
		reason=`{sed 1q <$errf}
		# $want goes to grep as a single pattern word: a multi-word
		# substring must not be glob-split the way rc's `~ ... *$want*`
		# would split it on spaces.
		if(grep $"want $errf >/dev/null >[2]/dev/null){
			echo '    [ok]  '$tag'  correctly rejected: '$"reason
			nok=`{echo $nok | awk '{print $1+1}'}
		}
		if not {
			echo '    [BAD] '$tag'  rejected for wrong reason: '$"reason
			nbad=`{echo $nbad | awk '{print $1+1}'}
		}
	}
	if not {
		echo '    [BAD] '$tag'  unexpected success; verification not active?'
		nbad=`{echo $nbad | awk '{print $1+1}'}
	}
	rm -f $body $errf
}

echo '=== tls-modern-client self-test ==='
echo

# Success probes.  The first is plain HTTP so a network problem shows up
# before any TLS probe runs; the rest cover RSA and ECDSA certificates,
# with and without SNI-dependent serving.
echo '[1/9] plain-HTTP baseline'
ok     'example.com          ' 'http://example.com/'

echo '[2/9] RSA cert, SNI, AES-GCM'
ok     'www.google.com       ' 'https://www.google.com/'

echo '[3/9] ECDSA cert, NIST curve'
ok     'github.com           ' 'https://github.com/'

echo '[4/9] ECDSA cert, SNI-gated'
ok     'blog.cloudflare.com  ' 'https://blog.cloudflare.com/'

echo '[5/9] common site cross-check'
ok     'en.wikipedia.org     ' 'https://en.wikipedia.org/wiki/Main_Page'

echo '[6/9] negotiated-cipher echo'
ok     'www.howsmyssl.com    ' 'https://www.howsmyssl.com/a/check'

# Rejection probes.  Each badssl host is wrong in exactly one way, so a
# pass here means that one check (chain, hostname, validity window) is
# active and gives the expected reason.
echo '[7/9] chain verification rejects'
reject 'self-signed.badssl   ' 'https://self-signed.badssl.com/' 'no trust anchor'

echo '[8/9] hostname-match rejects'
reject 'wrong.host.badssl    ' 'https://wrong.host.badssl.com/' 'hostname'

echo '[9/9] validity-window rejects'
reject 'expired.badssl       ' 'https://expired.badssl.com/' 'expired'
echo

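# Per-session status from the tls device: the negotiated cipher and
# curve of each conversation the probes above opened.
# ls prints entries with their directory prefix ('#a/tls/0'); -p keeps
# only the final path element, so the skip-list and the status path
# below see a bare conversation number.  Without -p neither the
# comparison nor the test -f could ever match, and nothing was listed.
echo '--- tls conversations (negotiated cipher/curve per session) ---'
for(conv in `{ls -p '#a/tls' >[2]/dev/null}){
	# clone, encalgs and hashalgs are files of the device, not sessions.
	if(! ~ $conv clone encalgs hashalgs && test -f '#a/tls/'^$conv^/status){
		echo '['^$conv^']'
		cat '#a/tls/'^$conv^/status
	}
}
echo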

# Summary and exit status.  Any [BAD] line makes the run fail; an empty
# status is rc's success.
echo '=== summary ==='
echo '    ok:  '$nok' / 9'
echo '    bad: '$nbad
cleanup
if(! ~ $nbad 0){
	echo 'unexpected results above.  check the kernel/userspace build and network.'
	exit fail
}
echo 'tls-modern-client verified.'
exit ''
