summaryrefslogtreecommitdiff
path: root/regress/usr.bin
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2020-01-07 16:08:09 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2020-01-07 16:08:09 +0000
commiteba10a8dc6158fc5963cd17146c002fd31764d23 (patch)
tree604c46e36c8bf675fbe5009253e2fad1b4283a3a /regress/usr.bin
parent5af9dc94f569d10d4e66b511f9391274f24ef752 (diff)
Add netcat tests with TLS client certificate.
Diffstat (limited to 'regress/usr.bin')
-rw-r--r--regress/usr.bin/nc/Makefile253
1 files changed, 245 insertions, 8 deletions
diff --git a/regress/usr.bin/nc/Makefile b/regress/usr.bin/nc/Makefile
index e902f928582..15fa53d7fae 100644
--- a/regress/usr.bin/nc/Makefile
+++ b/regress/usr.bin/nc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.1 2020/01/06 22:36:57 bluhm Exp $
+# $OpenBSD: Makefile,v 1.2 2020/01/07 16:08:08 bluhm Exp $
# Copyright (c) 2020 Alexander Bluhm <bluhm@openbsd.org>
#
@@ -33,8 +33,8 @@ cleanup:
REGRESS_TARGETS =
-SERVER_NC = echo greeting | ${NC}
-CLIENT_NC = echo command | ${NC}
+SERVER_NC = rm -f server.err; echo greeting | ${NC}
+CLIENT_NC = rm -f client.err; echo command | ${NC}
SERVER_BG = 2>&1 >server.out | tee server.err &
CLIENT_BG = 2>&1 >client.out | tee client.err &
SERVER_LOG = >server.out 2>server.err
@@ -56,7 +56,12 @@ BIND_WAIT = \
CONNECT_WAIT = \
let timeout=`date +%s`+5; \
- until grep -q 'Connection to ' client.err; \
+ until grep -q 'Connection to .* succeeded' client.err; \
+ do [[ `date +%s` -lt $$timeout ]] || exit 1; done
+
+TLS_WAIT = \
+ let timeout=`date +%s`+5; \
+ until grep -q 'Cert Hash:' client.err; \
do [[ `date +%s` -lt $$timeout ]] || exit 1; done
TRANSFER_WAIT = \
@@ -199,11 +204,13 @@ run-tls: 127.0.0.1.crt
${PORT_GET}
${CLIENT_NC} -c -R 127.0.0.1.crt -n -v 127.0.0.1 ${PORT} ${CLIENT_BG}
${CONNECT_WAIT}
+ ${TLS_WAIT}
${TRANSFER_WAIT}
grep '^greeting$$' client.out
grep '^command$$' server.out
grep 'Listening on 127.0.0.1 ' server.err
grep 'Connection received on 127.0.0.1 ' server.err
+ # XXX success message should be issued after TLS handshake
grep 'Connection to 127.0.0.1 .* succeeded!' client.err
grep 'Subject: .*/OU=server/CN=127.0.0.1' client.err
grep 'Issuer: .*/OU=server/CN=127.0.0.1' client.err
@@ -216,6 +223,7 @@ run-tls6: 1.crt
${PORT_GET}
${CLIENT_NC} -c -R 1.crt -n -v ::1 ${PORT} ${CLIENT_BG}
${CONNECT_WAIT}
+ ${TLS_WAIT}
${TRANSFER_WAIT}
grep '^greeting$$' client.out
grep '^command$$' server.out
@@ -234,6 +242,7 @@ run-tls-localhost: server.crt ca.crt
${PORT_GET}
${CLIENT_NC} -c -R ca.crt -v localhost ${PORT} ${CLIENT_BG}
${CONNECT_WAIT}
+ ${TLS_WAIT}
${TRANSFER_WAIT}
grep '^greeting$$' client.out
grep '^command$$' server.out
@@ -250,11 +259,14 @@ run-tls-bad-ca: server.crt fake-ca.crt
${SERVER_BG}
${LISTEN_WAIT}
${PORT_GET}
+ # the client uses the wrong root ca to verify the server cert
! ${NC} -c -R fake-ca.crt -v localhost ${PORT} ${CLIENT_LOG}
${CONNECT_WAIT}
grep 'Listening on localhost ' server.err
grep 'Connection received on localhost ' server.err
grep 'certificate signature failure' client.err
+ ! grep '^greeting$$' client.out
+ ! grep '^command$$' server.out
REGRESS_TARGETS += run-tls-name
run-tls-name: server.crt ca.crt
@@ -266,6 +278,7 @@ run-tls-name: server.crt ca.crt
${CLIENT_NC} -c -e localhost -R ca.crt -n -v 127.0.0.1 ${PORT} \
${CLIENT_BG}
${CONNECT_WAIT}
+ ${TLS_WAIT}
${TRANSFER_WAIT}
grep '^greeting$$' client.out
grep '^command$$' server.out
@@ -275,16 +288,35 @@ run-tls-name: server.crt ca.crt
grep 'Subject: .*/OU=server/CN=localhost' client.err
grep 'Issuer: .*/OU=ca/CN=root' client.err
+REGRESS_TARGETS += run-tls-bad-name
+run-tls-bad-name: server.crt ca.crt
+ @echo '======== $@ ========'
+ ${SERVER_NC} -c -C server.crt -K server.key -n -v -l 127.0.0.1 0 \
+ ${SERVER_BG}
+ ${LISTEN_WAIT}
+ ${PORT_GET}
+ # the common name in server.crt is localhost, not 127.0.0.1
+ ! ${NC} -c -e 127.0.0.1 -R ca.crt -n -v 127.0.0.1 ${PORT} ${CLIENT_LOG}
+ ${CONNECT_WAIT}
+ grep 'Listening on 127.0.0.1 ' server.err
+ grep 'Connection received on 127.0.0.1 ' server.err
+ grep 'Connection to 127.0.0.1 .* succeeded!' client.err
+ grep "name \`127.0.0.1\' not present in server certificate" client.err
+ ! grep '^greeting$$' client.out
+ ! grep '^command$$' server.out
+
REGRESS_TARGETS += run-tls-hash
-run-tls-hash: server.crt server.hash ca.crt
+run-tls-hash: server.crt ca.crt server.hash
@echo '======== $@ ========'
${SERVER_NC} -c -C server.crt -K server.key -v -l localhost 0 \
${SERVER_BG}
${LISTEN_WAIT}
${PORT_GET}
- ${CLIENT_NC} -c -R ca.crt -H `cat server.hash` -v localhost ${PORT} \
+ # check that the server presents certificate with correct hash
+ ${CLIENT_NC} -c -H `cat server.hash` -R ca.crt -v localhost ${PORT} \
${CLIENT_BG}
${CONNECT_WAIT}
+ ${TLS_WAIT}
${TRANSFER_WAIT}
grep '^greeting$$' client.out
grep '^command$$' server.out
@@ -295,6 +327,211 @@ run-tls-hash: server.crt server.hash ca.crt
grep 'Issuer: .*/OU=ca/CN=root' client.err
grep 'Cert Hash: SHA256:' client.err
+REGRESS_TARGETS += run-tls-bad-hash
+run-tls-bad-hash: server.crt ca.crt ca.hash
+ @echo '======== $@ ========'
+ ${SERVER_NC} -c -C server.crt -K server.key -v -l localhost 0 \
+ ${SERVER_BG}
+ ${LISTEN_WAIT}
+ ${PORT_GET}
+ # server presents certificate with server.hash, ca.hash is wrong
+ ! ${NC} -c -H `cat ca.hash` -R ca.crt -v localhost ${PORT} \
+ ${CLIENT_LOG}
+ ${CONNECT_WAIT}
+ ${TLS_WAIT}
+ grep 'Listening on localhost ' server.err
+ grep 'Connection received on localhost ' server.err
+ grep 'Connection to localhost .* succeeded!' client.err
+ grep 'peer certificate is not SHA256:' client.err
+ ! grep '^greeting$$' client.out
+ ! grep '^command$$' server.out
+
+# TLS client certificate
+
+REGRESS_TARGETS += run-tls-client
+run-tls-client: client.crt server.crt ca.crt
+ @echo '======== $@ ========'
+ # use client certificate and validate at server
+ ${SERVER_NC} -c -R ca.crt -C server.crt -K server.key -v -l \
+ localhost 0 ${SERVER_BG}
+ ${LISTEN_WAIT}
+ ${PORT_GET}
+ ${CLIENT_NC} -c -R ca.crt -C client.crt -K client.key -v \
+ localhost ${PORT} ${CLIENT_BG}
+ ${CONNECT_WAIT}
+ ${TLS_WAIT}
+ ${TRANSFER_WAIT}
+ grep '^greeting$$' client.out
+ grep '^command$$' server.out
+ grep 'Listening on localhost ' server.err
+ grep 'Connection received on localhost ' server.err
+ grep 'Connection to localhost .* succeeded!' client.err
+ grep 'Subject: .*/OU=server/CN=localhost' client.err
+ grep 'Issuer: .*/OU=ca/CN=root' client.err
+ grep 'Subject: .*/OU=client/CN=localhost' server.err
+ grep 'Issuer: .*/OU=ca/CN=root' server.err
+
+REGRESS_TARGETS += run-tls-bad-client
+run-tls-bad-client: client.crt server.crt ca.crt
+ @echo '======== $@ ========'
+ # require client certificate at server
+ ${SERVER_NC} -c -T clientcert -R ca.crt -C server.crt -K server.key \
+ -v -l localhost 0 ${SERVER_BG}
+ ${LISTEN_WAIT}
+ ${PORT_GET}
+ # client does not provide certificate
+ ${CLIENT_NC} -c -R ca.crt -v localhost ${PORT} ${CLIENT_BG}
+ ${CONNECT_WAIT}
+ ${TLS_WAIT}
+ grep 'Listening on localhost ' server.err
+ grep 'Connection received on localhost ' server.err
+ grep 'Connection to localhost .* succeeded!' client.err
+ grep 'Subject: .*/OU=server/CN=localhost' client.err
+ grep 'Issuer: .*/OU=ca/CN=root' client.err
+ grep 'No client certificate provided' server.err
+ ! grep '^greeting$$' client.out
+ ! grep '^command$$' server.out
+
+REGRESS_TARGETS += run-tls-client-bad-ca
+run-tls-client-bad-ca: client.crt server.crt ca.crt
+ @echo '======== $@ ========'
+ # the server uses the wrong root ca to verify the client cert
+ ${SERVER_NC} -c -R fake-ca.crt -C server.crt -K server.key -v -l \
+ localhost 0 ${SERVER_BG}
+ ${LISTEN_WAIT}
+ ${PORT_GET}
+ ! ${NC} -c -R ca.crt -C client.crt -K client.key -v \
+ localhost ${PORT} ${CLIENT_LOG}
+ ${CONNECT_WAIT}
+ grep 'Listening on localhost ' server.err
+ grep 'Connection received on localhost ' server.err
+ grep 'Connection to localhost .* succeeded!' client.err
+ # XXX no specific error message for bogus ca
+ grep 'CRYPTO_internal:block type is not 01' server.err
+ ! grep '^greeting$$' client.out
+ ! grep '^command$$' server.out
+
+REGRESS_TARGETS += run-tls-client-name
+run-tls-client-name: client.crt server.crt ca.crt
+ @echo '======== $@ ========'
+ # check client certificate name at server
+ ${SERVER_NC} -c -e localhost -R ca.crt -C server.crt -K server.key \
+ -n -v -l 127.0.0.1 0 ${SERVER_BG}
+ ${LISTEN_WAIT}
+ ${PORT_GET}
+ ${CLIENT_NC} -4 -c -R ca.crt -C client.crt -K client.key -v \
+ localhost ${PORT} ${CLIENT_BG}
+ ${CONNECT_WAIT}
+ ${TLS_WAIT}
+ ${TRANSFER_WAIT}
+ grep '^greeting$$' client.out
+ grep '^command$$' server.out
+ grep 'Listening on 127.0.0.1 ' server.err
+ grep 'Connection received on 127.0.0.1 ' server.err
+ grep 'Connection to localhost .* succeeded!' client.err
+ grep 'Subject: .*/OU=server/CN=localhost' client.err
+ grep 'Issuer: .*/OU=ca/CN=root' client.err
+ grep 'Subject: .*/OU=client/CN=localhost' server.err
+ grep 'Issuer: .*/OU=ca/CN=root' server.err
+
+REGRESS_TARGETS += run-tls-client-bad-name
+run-tls-client-bad-name: client.crt server.crt ca.crt
+ @echo '======== $@ ========'
+ # client certificate is for localhost, check with 127.0.0.1 should fail
+ ${SERVER_NC} -c -e 127.0.0.1 -R ca.crt -C server.crt -K server.key \
+ -n -v -l 127.0.0.1 0 ${SERVER_BG}
+ ${LISTEN_WAIT}
+ ${PORT_GET}
+ # client does not see any problem, TLS handshake works, wait for exit
+ ${CLIENT_NC} -4 -c -R ca.crt -C client.crt -K client.key -v \
+ localhost ${PORT} ${CLIENT_BG}
+ ${CONNECT_WAIT}
+ ${TLS_WAIT}
+ grep 'Listening on 127.0.0.1 ' server.err
+ grep 'Connection received on 127.0.0.1 ' server.err
+ grep 'Connection to localhost .* succeeded!' client.err
+ grep 'Subject: .*/OU=server/CN=localhost' client.err
+ grep 'Issuer: .*/OU=ca/CN=root' client.err
+ grep 'Subject: .*/OU=client/CN=localhost' server.err
+ grep 'Issuer: .*/OU=ca/CN=root' server.err
+ grep 'name (127.0.0.1) not found in client cert' server.err
+ ! grep '^greeting$$' client.out
+ ! grep '^command$$' server.out
+
+REGRESS_TARGETS += run-tls-client-hash
+run-tls-client-hash: client.crt server.crt ca.crt client.hash
+ @echo '======== $@ ========'
+ # check client certificate hash at server
+ ${SERVER_NC} -c -H `cat client.hash` -R ca.crt \
+ -C server.crt -K server.key -v -l localhost 0 ${SERVER_BG}
+ ${LISTEN_WAIT}
+ ${PORT_GET}
+ ${CLIENT_NC} -c -R ca.crt -C client.crt -K client.key -v \
+ localhost ${PORT} ${CLIENT_BG}
+ ${CONNECT_WAIT}
+ ${TLS_WAIT}
+ ${TRANSFER_WAIT}
+ grep '^greeting$$' client.out
+ grep '^command$$' server.out
+ grep 'Listening on localhost ' server.err
+ grep 'Connection received on localhost ' server.err
+ grep 'Connection to localhost .* succeeded!' client.err
+ grep 'Subject: .*/OU=server/CN=localhost' client.err
+ grep 'Issuer: .*/OU=ca/CN=root' client.err
+ grep 'Subject: .*/OU=client/CN=localhost' server.err
+ grep 'Issuer: .*/OU=ca/CN=root' server.err
+
+# XXX This test is broken, server does not check the client's cert hash
+REGRESS_EXPECTED_FAILURES += run-tls-client-bad-hash
+
+REGRESS_TARGETS += run-tls-client-bad-hash
+run-tls-client-bad-hash: client.crt server.crt ca.crt ca.hash
+ @echo '======== $@ ========'
+ # client presents certificate with client.hash, ca.hash is wrong
+ ${SERVER_NC} -c -H `cat ca.hash` -R ca.crt \
+ -C server.crt -K server.key -v -l localhost 0 ${SERVER_BG}
+ ${LISTEN_WAIT}
+ ${PORT_GET}
+ # client does not see any problem, TLS handshake works, wait for exit
+ ${CLIENT_NC} -c -R ca.crt -C client.crt -K client.key -v \
+ localhost ${PORT} ${CLIENT_BG}
+ ${CONNECT_WAIT}
+ ${TLS_WAIT}
+ grep 'Listening on localhost ' server.err
+ grep 'Connection received on localhost ' server.err
+ grep 'Connection to localhost .* succeeded!' client.err
+ grep 'Subject: .*/OU=server/CN=localhost' client.err
+ grep 'Issuer: .*/OU=ca/CN=root' client.err
+ grep 'Subject: .*/OU=client/CN=localhost' server.err
+ grep 'Issuer: .*/OU=ca/CN=root' server.err
+ grep 'peer certificate is not SHA256:' server.err
+ ! grep '^greeting$$' client.out
+ ! grep '^command$$' server.out
+
+REGRESS_TARGETS += run-tls-client-no-hash
+run-tls-client-no-hash: client.crt server.crt ca.crt client.hash
+ @echo '======== $@ ========'
+ # check client certificate hash at server if available
+ ${SERVER_NC} -c -H `cat client.hash` -R ca.crt \
+ -C server.crt -K server.key -v -l localhost 0 ${SERVER_BG}
+ ${LISTEN_WAIT}
+ ${PORT_GET}
+ # client provides no certificate
+ ${CLIENT_NC} -c -R ca.crt -v localhost ${PORT} ${CLIENT_BG}
+ ${CONNECT_WAIT}
+ ${TLS_WAIT}
+ ${TRANSFER_WAIT}
+ # client certificate and hash is optional, transfer is successful
+ grep '^greeting$$' client.out
+ grep '^command$$' server.out
+ grep 'Listening on localhost ' server.err
+ grep 'Connection received on localhost ' server.err
+ grep 'Connection to localhost .* succeeded!' client.err
+ grep 'Subject: .*/OU=server/CN=localhost' client.err
+ grep 'Issuer: .*/OU=ca/CN=root' client.err
+ # non existing hash is not checked
+ ! grep 'Cert Hash: SHA256:' server.err
+
### UDP ####
REGRESS_TARGETS += run-udp
@@ -456,7 +693,7 @@ run-unix-dgram-clientsock:
### create certificates for TLS
CLEANFILES += {127.0.0.1,1}.{crt,key} \
- ca.{crt,key,srl} fake-ca.{crt,key} \
+ ca.{crt,key,srl,hash} fake-ca.{crt,key,hash} \
{client,server}.{req,crt,key,hash}
127.0.0.1.crt:
@@ -483,7 +720,7 @@ client.crt server.crt: ca.crt ${@:R}.req
openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
-req -in ${@:R}.req -out $@
-client.hash server.hash: ${@:R}.crt
+client.hash server.hash ca.hash: ${@:R}.crt
openssl x509 -in ${@:R}.crt -outform der | sha256 | sed s/^/SHA256:/ >$@
.include <bsd.regress.mk>