authorTheo Buehler <tb@cvs.openbsd.org>2024-10-28 19:57:03 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2024-10-28 19:57:03 +0000
commit56598142ac968990279c18f7e0f65e4d8d96a96c (patch)
tree2bf927a6f402b9ed2bff957e455e2fd85d7aa3af
parent9c8257350f691b5ea6ead6f91b3c3cc11a2be7bf (diff)
relayd: add regress coverage for client certs
From Sören Tempel
-rw-r--r--regress/usr.sbin/relayd/Client.pm15
-rw-r--r--regress/usr.sbin/relayd/Makefile20
-rw-r--r--regress/usr.sbin/relayd/Relayd.pm5
3 files changed, 36 insertions, 4 deletions
diff --git a/regress/usr.sbin/relayd/Client.pm b/regress/usr.sbin/relayd/Client.pm
index 4edf4cb5bbe..7aaa0401e2f 100644
--- a/regress/usr.sbin/relayd/Client.pm
+++ b/regress/usr.sbin/relayd/Client.pm
@@ -1,4 +1,4 @@
-# $OpenBSD: Client.pm,v 1.14 2021/12/22 11:50:28 bluhm Exp $
+# $OpenBSD: Client.pm,v 1.15 2024/10/28 19:57:02 tb Exp $
# Copyright (c) 2010-2021 Alexander Bluhm <bluhm@openbsd.org>
#
@@ -58,6 +58,11 @@ sub child {
PeerAddr => $self->{connectaddr},
PeerPort => $self->{connectport},
SSL_verify_mode => SSL_VERIFY_NONE,
+ SSL_use_cert => $self->{offertlscert} ? 1 : 0,
+ SSL_cert_file => $self->{offertlscert} ?
+ "client.crt" : "",
+ SSL_key_file => $self->{offertlscert} ?
+ "client.key" : "",
) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR";
if ($self->{sndbuf}) {
setsockopt($cs, SOL_SOCKET, SO_SNDBUF,
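Review bot: When `offertlscert` is off, the three new lines still hand `SSL_cert_file => ""` and `SSL_key_file => ""` to IO::Socket::SSL and rely on it ignoring the empty paths because `SSL_use_cert` is 0; conditionally splicing the whole group into the argument list states that intent and never passes an empty file name. The relative paths `client.crt`/`client.key` match what the Makefile generates, which presumably assumes the client process keeps the regress directory as its working directory — confirm. The enclosing `sub child` begins before and continues after this hunk.
```perl
	SSL_verify_mode => SSL_VERIFY_NONE,
	# Present the regress client certificate only when the test asks for it;
	# IO::Socket::SSL clients otherwise need no cert or key at all.
	$self->{offertlscert} ? (
	    SSL_use_cert  => 1,
	    SSL_cert_file => "client.crt",
	    SSL_key_file  => "client.key",
	) : (),
) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR";
```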
@@ -89,6 +94,14 @@ sub child {
print STDERR "ssl cipher: ",$cs->get_cipher(),"\n";
print STDERR "ssl peer certificate:\n",
$cs->dump_peer_certificate();
+
+ if ($self->{offertlscert}) {
+ print STDERR "ssl client certificate:\n";
+ print STDERR "Subject Name: ",
+ "${\$cs->sock_certificate('subject')}\n";
+ print STDERR "Issuer Name: ",
+ "${\$cs->sock_certificate('issuer')}\n";
+ }
}
*STDIN = *STDOUT = $self->{cs} = $cs;
diff --git a/regress/usr.sbin/relayd/Makefile b/regress/usr.sbin/relayd/Makefile
index 885fd1a8406..3c58e44c2c8 100644
--- a/regress/usr.sbin/relayd/Makefile
+++ b/regress/usr.sbin/relayd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.21 2021/12/30 20:51:34 dv Exp $
+# $OpenBSD: Makefile,v 1.22 2024/10/28 19:57:02 tb Exp $
# The following ports must be installed for the regression tests:
# p5-Socket6 Perl defines relating to AF_INET6 sockets
@@ -92,7 +92,23 @@ server.req:
server.crt: ca.crt server.req
openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in server.req -out server.crt
-${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt
+client-ca.crt:
+ openssl req -batch -new \
+ -subj /L=OpenBSD/O=relayd-regress/OU=client-ca/CN=root/ \
+ -nodes -newkey rsa -keyout client-ca.key -x509 \
+ -out client-ca.crt
+
+client.req:
+ openssl req -batch -new \
+ -subj /L=OpenBSD/O=relayd-regress/OU=client/CN=localhost/ \
+ -nodes -newkey rsa -keyout client.key \
+ -out client.req
+
+client.crt: client-ca.crt client.req
+ openssl x509 -CAcreateserial -CAkey client-ca.key -CA client-ca.crt \
+ -req -in client.req -out client.crt
+
+${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt client.crt
.if empty (REMOTE_SSH)
${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: 127.0.0.1.crt
.else
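Review bot: The new rules produce client-ca.key, client-ca.crt, client.key, client.req, client.crt and, through -CAcreateserial, client-ca.srl, but nothing in this hunk adds them to a cleanup list; if the Makefile's CLEANFILES (not visible here) covers ca.crt and server.crt, the client artefacts belong there too so a `make clean` does not leave a stale client CA that later signs certificates the test does not expect. The keys are written unencrypted via -nodes, which is appropriate for throwaway regress material but means client-ca.key is a usable signing key for as long as it sits in the tree. Like the server.crt rule just above, neither new openssl invocation passes -days, so the tool's default validity applies and an old checkout will fail with a certificate-expiry error rather than a relayd regression; a comment on the client-ca.crt rule, `# short default validity: regenerate with make clean if the client cert expires`, would save the next person a debugging session.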
diff --git a/regress/usr.sbin/relayd/Relayd.pm b/regress/usr.sbin/relayd/Relayd.pm
index 6b5d0e299d0..2a6aa926d16 100644
--- a/regress/usr.sbin/relayd/Relayd.pm
+++ b/regress/usr.sbin/relayd/Relayd.pm
@@ -1,4 +1,4 @@
-# $OpenBSD: Relayd.pm,v 1.19 2021/10/12 05:42:39 anton Exp $
+# $OpenBSD: Relayd.pm,v 1.20 2024/10/28 19:57:02 tb Exp $
# Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
#
@@ -85,6 +85,9 @@ sub new {
print $fh "\n\ttls ca cert ca.crt";
print $fh "\n\ttls ca key ca.key password ''";
}
+ if ($self->{verifyclient}) {
+ print $fh "\n\ttls client ca client-ca.crt";
+ }
# substitute variables in config file
foreach (@protocol) {
s/(\$[a-z]+)/$1/eeg;
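Review bot: The new `verifyclient` knob is undocumented and its pairing with Client.pm's `offertlscert` is left for the reader to discover; a one-line comment above the added `if`, `# require a client cert issued by client-ca.crt (see Makefile); the peer offers one via Client.pm's offertlscert`, would make the two halves of the feature findable from either side. `tls client ca client-ca.crt` is a relative path that relayd presumably resolves against its working directory, so this only works if relayd is started from the regress directory where the Makefile writes the file — confirm. The enclosing `sub new` starts before and continues past this hunk.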