author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2020-01-07 16:08:09 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2020-01-07 16:08:09 +0000 |
commit | eba10a8dc6158fc5963cd17146c002fd31764d23 (patch) | |
tree | 604c46e36c8bf675fbe5009253e2fad1b4283a3a /regress/usr.bin | |
parent | 5af9dc94f569d10d4e66b511f9391274f24ef752 (diff) |
Add netcat tests with TLS client certificate.
Diffstat (limited to 'regress/usr.bin')
-rw-r--r-- | regress/usr.bin/nc/Makefile | 253 |
1 files changed, 245 insertions, 8 deletions
diff --git a/regress/usr.bin/nc/Makefile b/regress/usr.bin/nc/Makefile
index e902f928582..15fa53d7fae 100644
--- a/regress/usr.bin/nc/Makefile
+++ b/regress/usr.bin/nc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.1 2020/01/06 22:36:57 bluhm Exp $
+# $OpenBSD: Makefile,v 1.2 2020/01/07 16:08:08 bluhm Exp $
 
 # Copyright (c) 2020 Alexander Bluhm <bluhm@openbsd.org>
 #
@@ -33,8 +33,8 @@ cleanup:
 
 REGRESS_TARGETS =
 
-SERVER_NC = echo greeting | ${NC}
-CLIENT_NC = echo command | ${NC}
+SERVER_NC = rm -f server.err; echo greeting | ${NC}
+CLIENT_NC = rm -f client.err; echo command | ${NC}
 SERVER_BG = 2>&1 >server.out | tee server.err &
 CLIENT_BG = 2>&1 >client.out | tee client.err &
 SERVER_LOG = >server.out 2>server.err
@@ -56,7 +56,12 @@ BIND_WAIT = \
 
 CONNECT_WAIT = \
 	let timeout=`date +%s`+5; \
-	until grep -q 'Connection to ' client.err; \
+	until grep -q 'Connection to .* succeeded' client.err; \
+	do [[ `date +%s` -lt $$timeout ]] || exit 1; done
+
+TLS_WAIT = \
+	let timeout=`date +%s`+5; \
+	until grep -q 'Cert Hash:' client.err; \
 	do [[ `date +%s` -lt $$timeout ]] || exit 1; done
 
 TRANSFER_WAIT = \
@@ -199,11 +204,13 @@ run-tls: 127.0.0.1.crt
 	${PORT_GET}
 	${CLIENT_NC} -c -R 127.0.0.1.crt -n -v 127.0.0.1 ${PORT} ${CLIENT_BG}
 	${CONNECT_WAIT}
+	${TLS_WAIT}
 	${TRANSFER_WAIT}
 	grep '^greeting$$' client.out
 	grep '^command$$' server.out
 	grep 'Listening on 127.0.0.1 ' server.err
 	grep 'Connection received on 127.0.0.1 ' server.err
+	# XXX success message should be issued after TLS handshake
 	grep 'Connection to 127.0.0.1 .* succeeded!' client.err
 	grep 'Subject: .*/OU=server/CN=127.0.0.1' client.err
 	grep 'Issuer: .*/OU=server/CN=127.0.0.1' client.err
@@ -216,6 +223,7 @@ run-tls6: 1.crt
 	${PORT_GET}
 	${CLIENT_NC} -c -R 1.crt -n -v ::1 ${PORT} ${CLIENT_BG}
 	${CONNECT_WAIT}
+	${TLS_WAIT}
 	${TRANSFER_WAIT}
 	grep '^greeting$$' client.out
 	grep '^command$$' server.out
@@ -234,6 +242,7 @@ run-tls-localhost: server.crt ca.crt
 	${PORT_GET}
 	${CLIENT_NC} -c -R ca.crt -v localhost ${PORT} ${CLIENT_BG}
 	${CONNECT_WAIT}
+	${TLS_WAIT}
 	${TRANSFER_WAIT}
 	grep '^greeting$$' client.out
 	grep '^command$$' server.out
@@ -250,11 +259,14 @@ run-tls-bad-ca: server.crt fake-ca.crt
 	    ${SERVER_BG}
 	${LISTEN_WAIT}
 	${PORT_GET}
+	# the client uses the wrong root ca to verify the server cert
 	! ${NC} -c -R fake-ca.crt -v localhost ${PORT} ${CLIENT_LOG}
 	${CONNECT_WAIT}
 	grep 'Listening on localhost ' server.err
 	grep 'Connection received on localhost ' server.err
 	grep 'certificate signature failure' client.err
+	! grep '^greeting$$' client.out
+	! grep '^command$$' server.out
 
 REGRESS_TARGETS += run-tls-name
 run-tls-name: server.crt ca.crt
@@ -266,6 +278,7 @@ run-tls-name: server.crt ca.crt
 	${CLIENT_NC} -c -e localhost -R ca.crt -n -v 127.0.0.1 ${PORT} \
 	    ${CLIENT_BG}
 	${CONNECT_WAIT}
+	${TLS_WAIT}
 	${TRANSFER_WAIT}
 	grep '^greeting$$' client.out
 	grep '^command$$' server.out
@@ -275,16 +288,35 @@ run-tls-name: server.crt ca.crt
 	grep 'Subject: .*/OU=server/CN=localhost' client.err
 	grep 'Issuer: .*/OU=ca/CN=root' client.err
 
+REGRESS_TARGETS += run-tls-bad-name
+run-tls-bad-name: server.crt ca.crt
+	@echo '======== $@ ========'
+	${SERVER_NC} -c -C server.crt -K server.key -n -v -l 127.0.0.1 0 \
+	    ${SERVER_BG}
+	${LISTEN_WAIT}
+	${PORT_GET}
+	# the common name in server.crt is localhost, not 127.0.0.1
+	! ${NC} -c -e 127.0.0.1 -R ca.crt -n -v 127.0.0.1 ${PORT} ${CLIENT_LOG}
+	${CONNECT_WAIT}
+	grep 'Listening on 127.0.0.1 ' server.err
+	grep 'Connection received on 127.0.0.1 ' server.err
+	grep 'Connection to 127.0.0.1 .* succeeded!' client.err
+	grep "name \`127.0.0.1\' not present in server certificate" client.err
+	! grep '^greeting$$' client.out
+	! grep '^command$$' server.out
+
 REGRESS_TARGETS += run-tls-hash
-run-tls-hash: server.crt server.hash ca.crt
+run-tls-hash: server.crt ca.crt server.hash
 	@echo '======== $@ ========'
 	${SERVER_NC} -c -C server.crt -K server.key -v -l localhost 0 \
 	    ${SERVER_BG}
 	${LISTEN_WAIT}
 	${PORT_GET}
-	${CLIENT_NC} -c -R ca.crt -H `cat server.hash` -v localhost ${PORT} \
+	# check that the server presents certificate with correct hash
+	${CLIENT_NC} -c -H `cat server.hash` -R ca.crt -v localhost ${PORT} \
 	    ${CLIENT_BG}
 	${CONNECT_WAIT}
+	${TLS_WAIT}
 	${TRANSFER_WAIT}
 	grep '^greeting$$' client.out
 	grep '^command$$' server.out
@@ -295,6 +327,211 @@ run-tls-hash: server.crt server.hash ca.crt
 	grep 'Issuer: .*/OU=ca/CN=root' client.err
 	grep 'Cert Hash: SHA256:' client.err
 
+REGRESS_TARGETS += run-tls-bad-hash
+run-tls-bad-hash: server.crt ca.crt ca.hash
+	@echo '======== $@ ========'
+	${SERVER_NC} -c -C server.crt -K server.key -v -l localhost 0 \
+	    ${SERVER_BG}
+	${LISTEN_WAIT}
+	${PORT_GET}
+	# server presents certificate with server.hash, ca.hash is wrong
+	! ${NC} -c -H `cat ca.hash` -R ca.crt -v localhost ${PORT} \
+	    ${CLIENT_LOG}
+	${CONNECT_WAIT}
+	${TLS_WAIT}
+	grep 'Listening on localhost ' server.err
+	grep 'Connection received on localhost ' server.err
+	grep 'Connection to localhost .* succeeded!' client.err
+	grep 'peer certificate is not SHA256:' client.err
+	! grep '^greeting$$' client.out
+	! grep '^command$$' server.out
+
+# TLS client certificate
+
+REGRESS_TARGETS += run-tls-client
+run-tls-client: client.crt server.crt ca.crt
+	@echo '======== $@ ========'
+	# use client certificate and validate at server
+	${SERVER_NC} -c -R ca.crt -C server.crt -K server.key -v -l \
+	    localhost 0 ${SERVER_BG}
+	${LISTEN_WAIT}
+	${PORT_GET}
+	${CLIENT_NC} -c -R ca.crt -C client.crt -K client.key -v \
+	    localhost ${PORT} ${CLIENT_BG}
+	${CONNECT_WAIT}
+	${TLS_WAIT}
+	${TRANSFER_WAIT}
+	grep '^greeting$$' client.out
+	grep '^command$$' server.out
+	grep 'Listening on localhost ' server.err
+	grep 'Connection received on localhost ' server.err
+	grep 'Connection to localhost .* succeeded!' client.err
+	grep 'Subject: .*/OU=server/CN=localhost' client.err
+	grep 'Issuer: .*/OU=ca/CN=root' client.err
+	grep 'Subject: .*/OU=client/CN=localhost' server.err
+	grep 'Issuer: .*/OU=ca/CN=root' server.err
+
+REGRESS_TARGETS += run-tls-bad-client
+run-tls-bad-client: client.crt server.crt ca.crt
+	@echo '======== $@ ========'
+	# require client certificate at server
+	${SERVER_NC} -c -T clientcert -R ca.crt -C server.crt -K server.key \
+	    -v -l localhost 0 ${SERVER_BG}
+	${LISTEN_WAIT}
+	${PORT_GET}
+	# client does not provide certificate
+	${CLIENT_NC} -c -R ca.crt -v localhost ${PORT} ${CLIENT_BG}
+	${CONNECT_WAIT}
+	${TLS_WAIT}
+	grep 'Listening on localhost ' server.err
+	grep 'Connection received on localhost ' server.err
+	grep 'Connection to localhost .* succeeded!' client.err
+	grep 'Subject: .*/OU=server/CN=localhost' client.err
+	grep 'Issuer: .*/OU=ca/CN=root' client.err
+	grep 'No client certificate provided' server.err
+	! grep '^greeting$$' client.out
+	! grep '^command$$' server.out
+
+REGRESS_TARGETS += run-tls-client-bad-ca
+run-tls-client-bad-ca: client.crt server.crt ca.crt
+	@echo '======== $@ ========'
+	# the server uses the wrong root ca to verify the client cert
+	${SERVER_NC} -c -R fake-ca.crt -C server.crt -K server.key -v -l \
+	    localhost 0 ${SERVER_BG}
+	${LISTEN_WAIT}
+	${PORT_GET}
+	! ${NC} -c -R ca.crt -C client.crt -K client.key -v \
+	    localhost ${PORT} ${CLIENT_LOG}
+	${CONNECT_WAIT}
+	grep 'Listening on localhost ' server.err
+	grep 'Connection received on localhost ' server.err
+	grep 'Connection to localhost .* succeeded!' client.err
+	# XXX no specific error message for bogus ca
+	grep 'CRYPTO_internal:block type is not 01' server.err
+	! grep '^greeting$$' client.out
+	! grep '^command$$' server.out
+
+REGRESS_TARGETS += run-tls-client-name
+run-tls-client-name: client.crt server.crt ca.crt
+	@echo '======== $@ ========'
+	# check client certificate name at server
+	${SERVER_NC} -c -e localhost -R ca.crt -C server.crt -K server.key \
+	    -n -v -l 127.0.0.1 0 ${SERVER_BG}
+	${LISTEN_WAIT}
+	${PORT_GET}
+	${CLIENT_NC} -4 -c -R ca.crt -C client.crt -K client.key -v \
+	    localhost ${PORT} ${CLIENT_BG}
+	${CONNECT_WAIT}
+	${TLS_WAIT}
+	${TRANSFER_WAIT}
+	grep '^greeting$$' client.out
+	grep '^command$$' server.out
+	grep 'Listening on 127.0.0.1 ' server.err
+	grep 'Connection received on 127.0.0.1 ' server.err
+	grep 'Connection to localhost .* succeeded!' client.err
+	grep 'Subject: .*/OU=server/CN=localhost' client.err
+	grep 'Issuer: .*/OU=ca/CN=root' client.err
+	grep 'Subject: .*/OU=client/CN=localhost' server.err
+	grep 'Issuer: .*/OU=ca/CN=root' server.err
+
+REGRESS_TARGETS += run-tls-client-bad-name
+run-tls-client-bad-name: client.crt server.crt ca.crt
+	@echo '======== $@ ========'
+	# client certificate is for localhost, check with 127.0.0.1 should fail
+	${SERVER_NC} -c -e 127.0.0.1 -R ca.crt -C server.crt -K server.key \
+	    -n -v -l 127.0.0.1 0 ${SERVER_BG}
+	${LISTEN_WAIT}
+	${PORT_GET}
+	# client does not see any problem, TLS handshake works, wait for exit
+	${CLIENT_NC} -4 -c -R ca.crt -C client.crt -K client.key -v \
+	    localhost ${PORT} ${CLIENT_BG}
+	${CONNECT_WAIT}
+	${TLS_WAIT}
+	grep 'Listening on 127.0.0.1 ' server.err
+	grep 'Connection received on 127.0.0.1 ' server.err
+	grep 'Connection to localhost .* succeeded!' client.err
+	grep 'Subject: .*/OU=server/CN=localhost' client.err
+	grep 'Issuer: .*/OU=ca/CN=root' client.err
+	grep 'Subject: .*/OU=client/CN=localhost' server.err
+	grep 'Issuer: .*/OU=ca/CN=root' server.err
+	grep 'name (127.0.0.1) not found in client cert' server.err
+	! grep '^greeting$$' client.out
+	! grep '^command$$' server.out
+
+REGRESS_TARGETS += run-tls-client-hash
+run-tls-client-hash: client.crt server.crt ca.crt client.hash
+	@echo '======== $@ ========'
+	# check client certificate hash at server
+	${SERVER_NC} -c -H `cat client.hash` -R ca.crt \
+	    -C server.crt -K server.key -v -l localhost 0 ${SERVER_BG}
+	${LISTEN_WAIT}
+	${PORT_GET}
+	${CLIENT_NC} -c -R ca.crt -C client.crt -K client.key -v \
+	    localhost ${PORT} ${CLIENT_BG}
+	${CONNECT_WAIT}
+	${TLS_WAIT}
+	${TRANSFER_WAIT}
+	grep '^greeting$$' client.out
+	grep '^command$$' server.out
+	grep 'Listening on localhost ' server.err
+	grep 'Connection received on localhost ' server.err
+	grep 'Connection to localhost .* succeeded!' client.err
+	grep 'Subject: .*/OU=server/CN=localhost' client.err
+	grep 'Issuer: .*/OU=ca/CN=root' client.err
+	grep 'Subject: .*/OU=client/CN=localhost' server.err
+	grep 'Issuer: .*/OU=ca/CN=root' server.err
+
+# XXX This test is broken, server does not check the client's cert hash
+REGRESS_EXPECTED_FAILURES += run-tls-client-bad-hash
+
+REGRESS_TARGETS += run-tls-client-bad-hash
+run-tls-client-bad-hash: client.crt server.crt ca.crt ca.hash
+	@echo '======== $@ ========'
+	# client presents certificate with client.hash, ca.hash is wrong
+	${SERVER_NC} -c -H `cat ca.hash` -R ca.crt \
+	    -C server.crt -K server.key -v -l localhost 0 ${SERVER_BG}
+	${LISTEN_WAIT}
+	${PORT_GET}
+	# client does not see any problem, TLS handshake works, wait for exit
+	${CLIENT_NC} -c -R ca.crt -C client.crt -K client.key -v \
+	    localhost ${PORT} ${CLIENT_BG}
+	${CONNECT_WAIT}
+	${TLS_WAIT}
+	grep 'Listening on localhost ' server.err
+	grep 'Connection received on localhost ' server.err
+	grep 'Connection to localhost .* succeeded!' client.err
+	grep 'Subject: .*/OU=server/CN=localhost' client.err
+	grep 'Issuer: .*/OU=ca/CN=root' client.err
+	grep 'Subject: .*/OU=client/CN=localhost' server.err
+	grep 'Issuer: .*/OU=ca/CN=root' server.err
+	grep 'peer certificate is not SHA256:' server.err
+	! grep '^greeting$$' client.out
+	! grep '^command$$' server.out
+
+REGRESS_TARGETS += run-tls-client-no-hash
+run-tls-client-no-hash: client.crt server.crt ca.crt client.hash
+	@echo '======== $@ ========'
+	# check client certificate hash at server if available
+	${SERVER_NC} -c -H `cat client.hash` -R ca.crt \
+	    -C server.crt -K server.key -v -l localhost 0 ${SERVER_BG}
+	${LISTEN_WAIT}
+	${PORT_GET}
+	# client provides no certificate
+	${CLIENT_NC} -c -R ca.crt -v localhost ${PORT} ${CLIENT_BG}
+	${CONNECT_WAIT}
+	${TLS_WAIT}
+	${TRANSFER_WAIT}
+	# client certificate and hash is optional, transfer is successful
+	grep '^greeting$$' client.out
+	grep '^command$$' server.out
+	grep 'Listening on localhost ' server.err
+	grep 'Connection received on localhost ' server.err
+	grep 'Connection to localhost .* succeeded!' client.err
+	grep 'Subject: .*/OU=server/CN=localhost' client.err
+	grep 'Issuer: .*/OU=ca/CN=root' client.err
+	# non existing hash is not checked
+	! grep 'Cert Hash: SHA256:' server.err
+
 ### UDP ####
 
 REGRESS_TARGETS += run-udp
@@ -456,7 +693,7 @@ run-unix-dgram-clientsock:
 ### create certificates for TLS
 
 CLEANFILES += {127.0.0.1,1}.{crt,key} \
-		ca.{crt,key,srl} fake-ca.{crt,key} \
+		ca.{crt,key,srl,hash} fake-ca.{crt,key,hash} \
 		{client,server}.{req,crt,key,hash}
 
 127.0.0.1.crt:
@@ -483,7 +720,7 @@ client.crt server.crt: ca.crt ${@:R}.req
 	openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
 	    -req -in ${@:R}.req -out $@
 
-client.hash server.hash: ${@:R}.crt
+client.hash server.hash ca.hash: ${@:R}.crt
 	openssl x509 -in ${@:R}.crt -outform der | sha256 | sed s/^/SHA256:/ >$@
 
 .include <bsd.regress.mk>
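Review bot: The new run-tls-bad-name target asserts `grep 'Connection to 127.0.0.1 .* succeeded!' client.err` on a connection that is required to fail name verification, which locks in the misleading pre-handshake success message that this same commit flags with an XXX in run-tls. If nc is later fixed to print that line only after the TLS handshake completes, this negative test will start failing for a reason unrelated to name checking. Either drop the assertion from the negative test or prefix it with the same marker, `# XXX success message should be issued after TLS handshake`, so the coupling is visible when the fix lands. The run-tls-hash recipe at the end of this hunk continues past the hunk boundary.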
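Review bot: In run-tls-client-bad-name and run-tls-client-bad-hash the client is started in the background via ${CLIENT_BG}, but nothing waits for it to exit before the negative checks `! grep '^greeting$$' client.out` and `! grep '^command$$' server.out` run; the only wait is TLS_WAIT, which returns as soon as 'Cert Hash:' appears in client.err, i.e. before any data transfer. If the server wrongly accepted the client certificate the transfer could still be in flight when the greps execute, so the negative assertions can pass even though the check under test is broken, and the recipe comment "wait for exit" does not describe what the recipe actually does. A timed loop in the shape of TLS_WAIT that greps server.err for `not found in client cert` (and for `peer certificate is not SHA256:` in the bad-hash case), placed before the negative greps, would make the server's rejection a precondition rather than a race. Separately, run-tls-client-bad-ca asserts the libcrypto-internal string `CRYPTO_internal:block type is not 01`, which is an RSA padding error rather than a certificate verification failure and is likely to change with the library; the existing XXX already notes the lack of a specific message, so the negative greps should be the assertion that carries the test once the wait issue above is fixed.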