author | Theo Buehler <tb@cvs.openbsd.org> | 2024-10-28 19:57:03 +0000 |
committer | Theo Buehler <tb@cvs.openbsd.org> | 2024-10-28 19:57:03 +0000 |
commit | 56598142ac968990279c18f7e0f65e4d8d96a96c (patch) | |
tree | 2bf927a6f402b9ed2bff957e455e2fd85d7aa3af | |
parent | 9c8257350f691b5ea6ead6f91b3c3cc11a2be7bf (diff) |
relayd: add regress coverage for client certs
From Sören Tempel
-rw-r--r-- | regress/usr.sbin/relayd/Client.pm | 15 | ||||
-rw-r--r-- | regress/usr.sbin/relayd/Makefile | 20 | ||||
-rw-r--r-- | regress/usr.sbin/relayd/Relayd.pm | 5 |
3 files changed, 36 insertions, 4 deletions
diff --git a/regress/usr.sbin/relayd/Client.pm b/regress/usr.sbin/relayd/Client.pm
index 4edf4cb5bbe..7aaa0401e2f 100644
--- a/regress/usr.sbin/relayd/Client.pm
+++ b/regress/usr.sbin/relayd/Client.pm
@@ -1,4 +1,4 @@
-# $OpenBSD: Client.pm,v 1.14 2021/12/22 11:50:28 bluhm Exp $
+# $OpenBSD: Client.pm,v 1.15 2024/10/28 19:57:02 tb Exp $
 # Copyright (c) 2010-2021 Alexander Bluhm <bluhm@openbsd.org>
 #
@@ -58,6 +58,11 @@ sub child {
 PeerAddr => $self->{connectaddr},
 PeerPort => $self->{connectport},
 SSL_verify_mode => SSL_VERIFY_NONE,
+ SSL_use_cert => $self->{offertlscert} ? 1 : 0,
+ SSL_cert_file => $self->{offertlscert} ?
+ "client.crt" : "",
+ SSL_key_file => $self->{offertlscert} ?
+ "client.key" : "",
 ) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR";
 if ($self->{sndbuf}) {
 setsockopt($cs, SOL_SOCKET, SO_SNDBUF,
@@ -89,6 +94,14 @@ sub child {
 print STDERR "ssl cipher: ",$cs->get_cipher(),"\n";
 print STDERR "ssl peer certificate:\n",
 $cs->dump_peer_certificate();
+
+ if ($self->{offertlscert}) {
+ print STDERR "ssl client certificate:\n";
+ print STDERR "Subject Name: ",
+ "${\$cs->sock_certificate('subject')}\n";
+ print STDERR "Issuer Name: ",
+ "${\$cs->sock_certificate('issuer')}\n";
+ }
 }
 *STDIN = *STDOUT = $self->{cs} = $cs;
diff --git a/regress/usr.sbin/relayd/Makefile b/regress/usr.sbin/relayd/Makefile
index 885fd1a8406..3c58e44c2c8 100644
--- a/regress/usr.sbin/relayd/Makefile
+++ b/regress/usr.sbin/relayd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.21 2021/12/30 20:51:34 dv Exp $
+# $OpenBSD: Makefile,v 1.22 2024/10/28 19:57:02 tb Exp $
 # The following ports must be installed for the regression tests:
 # p5-Socket6 Perl defines relating to AF_INET6 sockets 
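Review bot: The `""` fallbacks in the new `SSL_cert_file`/`SSL_key_file` ternaries appear to rely on IO::Socket::SSL treating an empty string as "no file", while `SSL_use_cert => 0` on the line above already tells it not to present a certificate; `undef` (or simply omitting the two keys) states that intent directly and avoids a value that reads like a path, e.g. `SSL_cert_file => $self->{offertlscert} ? "client.crt" : undef,` and the same for `SSL_key_file`. Unrelated to this commit but worth keeping in mind when reading the test, the context line `SSL_verify_mode => SSL_VERIFY_NONE` means the client never checks relayd's certificate, so the only verification a client-cert test can prove is the one relayd performs. The enclosing `sub child` starts before and ends after this hunk.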
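Review bot: The `"${\$cs->sock_certificate('subject')}\n"` interpolation trick in the new client-certificate block is hard to read and inconsistent with the context line `print STDERR "ssl cipher: ",$cs->get_cipher(),"\n";`, which passes the method result as a plain list element; suggest `print STDERR "Subject Name: ", $cs->sock_certificate('subject'), "\n";` and `print STDERR "Issuer Name: ", $cs->sock_certificate('issuer'), "\n";`. Note that this block prints the certificate the client loaded, not what relayd accepted, so a test asserting on this output only confirms the client side was configured; evidence that the certificate was verified has to come from relayd's side of the connection. The enclosing `sub child` starts before and ends after this hunk.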
@@ -92,7 +92,23 @@ server.req:
 server.crt: ca.crt server.req
 openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in server.req -out server.crt
-${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt
+client-ca.crt:
+ openssl req -batch -new \
+ -subj /L=OpenBSD/O=relayd-regress/OU=client-ca/CN=root/ \
+ -nodes -newkey rsa -keyout client-ca.key -x509 \
+ -out client-ca.crt
+
+client.req:
+ openssl req -batch -new \
+ -subj /L=OpenBSD/O=relayd-regress/OU=client/CN=localhost/ \
+ -nodes -newkey rsa -keyout client.key \
+ -out client.req
+
+client.crt: client-ca.crt client.req
+ openssl x509 -CAcreateserial -CAkey client-ca.key -CA client-ca.crt \
+ -req -in client.req -out client.crt
+
+${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt client.crt
 .if empty (REMOTE_SSH)
 ${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: 127.0.0.1.crt
 .else
diff --git a/regress/usr.sbin/relayd/Relayd.pm b/regress/usr.sbin/relayd/Relayd.pm
index 6b5d0e299d0..2a6aa926d16 100644
--- a/regress/usr.sbin/relayd/Relayd.pm
+++ b/regress/usr.sbin/relayd/Relayd.pm
@@ -1,4 +1,4 @@
-# $OpenBSD: Relayd.pm,v 1.19 2021/10/12 05:42:39 anton Exp $
+# $OpenBSD: Relayd.pm,v 1.20 2024/10/28 19:57:02 tb Exp $
 # Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
 #
@@ -85,6 +85,9 @@ sub new {
 print $fh "\n\ttls ca cert ca.crt";
 print $fh "\n\ttls ca key ca.key password ''";
 }
+ if ($self->{verifyclient}) {
+ print $fh "\n\ttls client ca client-ca.crt";
+ }
 # substitute variables in config file
 foreach (@protocol) {
 s/(\$[a-z]+)/$1/eeg; |
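Review bot: Neither the `openssl req -x509` command for client-ca.crt nor the `openssl x509 -req` command for client.crt passes `-days`, so both get the tool's short default validity (30 days in OpenSSL/LibreSSL), and because `client-ca.crt:` and `client.req:` have no prerequisites they are never regenerated once present. The existing server.crt follows the same pattern, but it is only ever presented to a client running with `SSL_VERIFY_NONE`, whereas client.crt is now meant to be validated by relayd against client-ca.crt, so an obj directory older than the validity window would start failing the client-cert tests with an expiry error rather than a relayd bug. Adding `-days 365` (or longer) to both commands addresses that; if the Makefile has a CLEANFILES list for the server files (not visible in this hunk), `client-ca.crt client-ca.key client-ca.srl client.req client.key client.crt` belong there too, the `.srl` file being what `-CAcreateserial` leaves behind.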
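Review bot: Nothing in this commit sets `verifyclient` or `offertlscert` — the three files add only the mechanism — so the new `tls client ca client-ca.crt` branch is unexercised unless an args test lands separately. The security-relevant assertion is the negative one: a test with `verifyclient => 1` and no `offertlscert` should fail the handshake, and one with both should succeed; only the pair shows the directive is enforced rather than merely accepted by the parser. A short why-comment above the new `if` would help later readers, e.g. `# require and verify a client certificate issued by client-ca.crt`. The enclosing `sub new` starts before and ends after this hunk.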