mirror of
https://repo.or.cz/socat.git
synced 2025-07-26 12:02:58 +00:00
Check OpenSSL peers commonName+subjectAltName; new option openssl-commonname
This commit is contained in:
Gerhard Rieger
parent
05afec429d
commit
2f40a439cb
13 changed files with 535 additions and 195 deletions
161
test.sh
161
test.sh
|
|
@ -70,8 +70,8 @@ else
|
|||
fi
|
||||
MCINTERFACE=lo # !!! Linux only
|
||||
#LOCALHOST=192.168.58.1
|
||||
#LOCALHOST=localhost
|
||||
LOCALHOST=127.0.0.1
|
||||
LOCALHOST=localhost
|
||||
#LOCALHOST=127.0.0.1
|
||||
LOCALHOST6=[::1]
|
||||
#PROTO=$(awk '{print($2);}' /etc/protocols |sort -n |tail -n 1)
|
||||
#PROTO=$(($PROTO+1))
|
||||
|
|
@ -79,10 +79,24 @@ PROTO=$((144+RANDOM/2048))
|
|||
PORT=12002
|
||||
SOURCEPORT=2002
|
||||
TESTCERT_CONF=testcert.conf
|
||||
TESTCERT_SUBJECT="/C=XY"
|
||||
TESTCERT_ISSUER="/C=XY"
|
||||
TESTCERT6_CONF=testcert6.conf
|
||||
# keep these values consistent with testcert.conf
|
||||
TESTCERT_COMMONNAME="$LOCALHOST"
|
||||
TESTCERT_COUNTRYNAME="$(grep ^countryName= testcert.conf)"; TESTCERT_COUNTRYNAME="${TESTCERT_COUNTRYNAME##*=}"
|
||||
TESTCERT_LOCALITYNAME="$(grep ^L= testcert.conf)"; TESTCERT_LOCALITYNAME="${TESTCERT_LOCALITYNAME##*=}"
|
||||
TESTCERT_ORGANIZATIONALUNITNAME="$(grep ^OU= testcert.conf)"; TESTCERT_ORGANIZATIONALUNITNAME="${TESTCERT_ORGANIZATIONALUNITNAME##*=}"
|
||||
TESTCERT_ORGANIZATIONNAME="$(grep ^O= testcert.conf)"; TESTCERT_ORGANIZATIONNAME="${TESTCERT_ORGANIZATIONNAME##*=}"
|
||||
TESTCERT_SUBJECT="C = XY, CN = localhost, O = dest-unreach, OU = socat, L = Lunar Base"
|
||||
TESTCERT_ISSUER="C = XY, CN = localhost, O = dest-unreach, OU = socat, L = Lunar Base"
|
||||
CAT=cat
|
||||
OD_C="od -c"
|
||||
|
||||
# clean up from previous runs
|
||||
rm -f testcli.{crt,key,pem}
|
||||
rm -f testsrv.{crt,key,pem}
|
||||
rm -f testcli6.{crt,key,pem}
|
||||
rm -f testsrv6.{crt,key,pem}
|
||||
|
||||
# precision sleep; takes seconds with fractional part
|
||||
psleep () {
|
||||
local T="$1"
|
||||
|
|
@ -1578,7 +1592,6 @@ testecho () {
|
|||
listFAIL="$listFAIL $N"
|
||||
fi
|
||||
fi # NUMCOND
|
||||
#set +vx
|
||||
}
|
||||
|
||||
# test if call to od and throughput of data works - with graceful shutdown and
|
||||
|
|
@ -2221,6 +2234,17 @@ gentestdsacert () {
|
|||
cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem
|
||||
}
|
||||
|
||||
gentestcert6 () {
|
||||
local name="$1"
|
||||
if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
|
||||
cat $TESTCERT_CONF |
|
||||
{ echo "# automatically generated by $0"; cat; } |
|
||||
sed 's/\(commonName\s*=\s*\).*/\1[::1]/' >$TESTCERT6_CONF
|
||||
openssl genrsa $OPENSSL_RAND -out $name.key 768 >/dev/null 2>&1
|
||||
openssl req -new -config $TESTCERT6_CONF -key $name.key -x509 -out $name.crt -days 3653 >/dev/null 2>&1
|
||||
cat $name.key $name.crt >$name.pem
|
||||
}
|
||||
|
||||
|
||||
NAME=UNISTDIO
|
||||
case "$TESTS " in
|
||||
|
|
@ -4018,7 +4042,7 @@ TESTKEYW=${TESTADDR%%:*}
|
|||
# does our address implementation support halfclose?
|
||||
NAME=${NAMEKEYW}_HALFCLOSE
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%socket%*|*%halfclose%*|*%$NAME%*)
|
||||
*%$N%*|*%functions%*|*%$FEAT%*|*%socket%*|*%halfclose%*|*%$NAME%*)
|
||||
TEST="$NAME: $TESTKEYW half close"
|
||||
# have a "peer" socat "peer" that executes "$OD_C" and see if EOF on the
|
||||
# connecting socat brings the result of od
|
||||
|
|
@ -5043,7 +5067,7 @@ N=$((N+1))
|
|||
#!
|
||||
NAME=OUTBOUNDIN
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%proxy%*|*%$NAME%*)
|
||||
*%$N%*|*%functions%*|*%openssl%*|*%proxy%*|*%$NAME%*)
|
||||
TEST="$NAME: gender changer via SSL through HTTP proxy, oneshot"
|
||||
if ! eval $NUMCOND; then :;
|
||||
elif ! feat=$(testaddrs openssl proxy); then
|
||||
|
|
@ -5129,7 +5153,7 @@ PORT=$((RANDOM+16184))
|
|||
#!
|
||||
NAME=INTRANETRIPPER
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%proxy%*|*%$NAME%*)
|
||||
*%$N%*|*%functions%*|*%openssl%*|*%proxy%*|*%$NAME%*)
|
||||
TEST="$NAME: gender changer via SSL through HTTP proxy, daemons"
|
||||
if ! eval $NUMCOND; then :;
|
||||
elif ! feat=$(testaddrs openssl proxy); then
|
||||
|
|
@ -5257,7 +5281,6 @@ testserversec () {
|
|||
local stat result
|
||||
|
||||
$PRINTF "test $F_n %s... " $N "$title"
|
||||
#set -vx
|
||||
# first: without security
|
||||
# start server
|
||||
$TRACE $SOCAT $opts "$arg1,$secopt0" echo 2>"${te}1" &
|
||||
|
|
@ -5327,8 +5350,7 @@ testserversec () {
|
|||
da="test$N.2 $(date) $RANDOM"
|
||||
(echo "$da"; sleep $T) |$TRACE $SOCAT $opts - "$arg2" >"$tf" 2>"${te}4"
|
||||
stat=$?
|
||||
kill $spid
|
||||
#kill $spid 2>/dev/null
|
||||
kill $spid 2>/dev/null
|
||||
#set +vx
|
||||
#killall $TRACE $SOCAT 2>/dev/null
|
||||
if [ "$stat" != 0 ]; then
|
||||
|
|
@ -5683,7 +5705,7 @@ elif ! testaddrs openssl >/dev/null; then
|
|||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip4,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "range=$SECONDADDR/32" "ssl:127.0.0.1:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 4 tcp $PORT -1
|
||||
testserversec "$N" "$TEST" "$opts -s" "SSL-L:$PORT,pf=ip4,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "range=$SECONDADDR/32" "SSL:$LOCALHOST:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 4 tcp $PORT -1
|
||||
fi ;; # NUMCOND, feats
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
|
|
@ -5699,7 +5721,7 @@ elif ! testaddrs openssl >/dev/null; then
|
|||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip4,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "sp=$PORT" "ssl:127.0.0.1:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 4 tcp $PORT -1
|
||||
testserversec "$N" "$TEST" "$opts -s" "SSL-L:$PORT,pf=ip4,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "sp=$PORT" "SSL:$LOCALHOST:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 4 tcp $PORT -1
|
||||
fi ;; # NUMCOND, feats
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
|
|
@ -5715,7 +5737,7 @@ elif ! testaddrs openssl >/dev/null; then
|
|||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip4,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "lowport" "ssl:127.0.0.1:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 4 tcp $PORT -1
|
||||
testserversec "$N" "$TEST" "$opts -s" "SSL-L:$PORT,pf=ip4,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "lowport" "SSL:$LOCALHOST:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 4 tcp $PORT -1
|
||||
fi ;; # NUMCOND, feats
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
|
|
@ -5735,7 +5757,7 @@ ha="$td/hosts.allow"
|
|||
hd="$td/hosts.deny"
|
||||
$ECHO "socat: $SECONDADDR" >"$ha"
|
||||
$ECHO "ALL: ALL" >"$hd"
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip4,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "tcpwrap-etc=$td" "ssl:127.0.0.1:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 4 tcp $PORT -1
|
||||
testserversec "$N" "$TEST" "$opts -s" "SSL-L:$PORT,pf=ip4,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "tcpwrap-etc=$td" "SSL:$LOCALHOST:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 4 tcp $PORT -1
|
||||
fi ;; # NUMCOND, feats
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
|
|
@ -5752,7 +5774,7 @@ elif ! testaddrs openssl >/dev/null; then
|
|||
else
|
||||
gentestcert testsrv
|
||||
gentestcert testcli
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip4,reuseaddr,fork,retry=1,$SOCAT_EGD,verify,cert=testsrv.crt,key=testsrv.key" "cafile=testcli.crt" "cafile=testsrv.crt" "ssl:127.0.0.1:$PORT,cafile=testsrv.crt,cert=testcli.pem,$SOCAT_EGD" 4 tcp $PORT -1
|
||||
testserversec "$N" "$TEST" "$opts -s" "SSL-L:$PORT,pf=ip4,reuseaddr,fork,retry=1,$SOCAT_EGD,verify,cert=testsrv.crt,key=testsrv.key" "cafile=testcli.crt" "cafile=testsrv.crt" "SSL:$LOCALHOST:$PORT,cafile=testsrv.crt,cert=testcli.pem,$SOCAT_EGD" 4 tcp $PORT -1
|
||||
fi ;; # NUMCOND, feats
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
|
|
@ -5788,8 +5810,8 @@ elif ! feat=$(testaddrs tcp ip6) || ! runsip6 >/dev/null; then
|
|||
$PRINTF "test $F_n $TEST... ${YELLOW}TCP6 not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip6,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "range=[::2/128]" "ssl:[::1]:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 6 tcp $PORT -1
|
||||
gentestcert6 testsrv6
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip6,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv6.crt,key=testsrv6.key" "" "range=[::2/128]" "ssl:[::1]:$PORT,cafile=testsrv6.crt,$SOCAT_EGD" 6 tcp $PORT -1
|
||||
fi ;; # NUMCOND, feats
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
|
|
@ -5807,8 +5829,8 @@ elif ! feat=$(testaddrs tcp ip6) || ! runsip6 >/dev/null; then
|
|||
$PRINTF "test $F_n $TEST... ${YELLOW}TCP6 not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip6,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "sp=$PORT" "ssl:[::1]:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 6 tcp $PORT -1
|
||||
gentestcert6 testsrv6
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip6,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv6.crt,key=testsrv6.key" "" "sp=$PORT" "ssl:[::1]:$PORT,cafile=testsrv6.crt,$SOCAT_EGD" 6 tcp $PORT -1
|
||||
fi ;; # NUMCOND, feats
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
|
|
@ -5826,8 +5848,8 @@ elif ! feat=$(testaddrs tcp ip6) || ! runsip6 >/dev/null; then
|
|||
$PRINTF "test $F_n $TEST... ${YELLOW}TCP6 not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip6,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "lowport" "ssl:[::1]:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 6 tcp $PORT -1
|
||||
gentestcert6 testsrv6
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip6,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv6.crt,key=testsrv6.key" "" "lowport" "ssl:[::1]:$PORT,cafile=testsrv6.crt,$SOCAT_EGD" 6 tcp $PORT -1
|
||||
fi ;; # NUMCOND, feats
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
|
|
@ -5842,18 +5864,66 @@ elif ! feat=$(testaddrs ip6 tcp libwrap openssl) || ! runsip6 >/dev/null; then
|
|||
$PRINTF "test $F_n $TEST... ${YELLOW}$feat not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
gentestcert6 testsrv6
|
||||
ha="$td/hosts.allow"
|
||||
hd="$td/hosts.deny"
|
||||
$ECHO "socat: [::2]" >"$ha"
|
||||
$ECHO "ALL: ALL" >"$hd"
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip6,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv.crt,key=testsrv.key" "" "tcpwrap-etc=$td" "ssl:[::1]:$PORT,cafile=testsrv.crt,$SOCAT_EGD" 6 tcp $PORT -1
|
||||
testserversec "$N" "$TEST" "$opts -s" "ssl-l:$PORT,pf=ip6,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv6.crt,key=testsrv6.key" "" "tcpwrap-etc=$td" "ssl:[::1]:$PORT,cafile=testsrv6.crt,$SOCAT_EGD" 6 tcp $PORT -1
|
||||
fi ;; # NUMCOND, feats
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
N=$((N+1))
|
||||
|
||||
|
||||
# test security with the openssl-commonname option on client side
|
||||
NAME=OPENSSL_CN_CLIENT_SECURITY
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%security%*|*%openssl%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%$NAME%*)
|
||||
TEST="$NAME: security of client openssl-commonname option"
|
||||
# connect using non matching server name/address with commonname
|
||||
# options, this should succeed. Then without this option, should fail
|
||||
if ! eval $NUMCOND; then :;
|
||||
elif ! testaddrs openssl >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
elif ! testaddrs listen tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
gentestcert testcli
|
||||
testserversec "$N" "$TEST" "$opts" "SSL:127.0.0.1:$PORT,fork,retry=2,verify,cafile=testsrv.crt" "commonname=$LOCALHOST" "" "SSL-L:$PORT,pf=ip4,reuseaddr,cert=testsrv.crt,key=testsrv.key,verify=0" 4 tcp "" 0
|
||||
fi ;; # testaddrs, NUMCOND
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
N=$((N+1))
|
||||
|
||||
# test security with the openssl-commonname option on server side
|
||||
NAME=OPENSSL_CN_SERVER_SECURITY
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%security%*|*%openssl%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%$NAME%*)
|
||||
TEST="$NAME: security of server openssl-commonname option"
|
||||
# connect using with client certificate to server, this should succeed.
|
||||
# Then use the server with a non matching openssl-commonname option,
|
||||
# this must fail
|
||||
if ! eval $NUMCOND; then :;
|
||||
elif ! testaddrs openssl >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
elif ! testaddrs listen tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
gentestcert testcli
|
||||
testserversec "$N" "$TEST" "$opts" "SSL-L:$PORT,pf=ip4,reuseaddr,cert=testsrv.crt,key=testsrv.key,cafile=testcli.crt" "" "commonname=onlyyou" "SSL:$LOCALHOST:$PORT,verify=0,cafile=testsrv.crt,cert=testcli.crt,key=testcli.key" 4 tcp "" 0
|
||||
fi ;; # testaddrs, NUMCOND
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
N=$((N+1))
|
||||
|
||||
|
||||
NAME=OPENSSL_FIPS_SECURITY
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%security%*|*%openssl%*|*%fips%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%$NAME%*)
|
||||
|
|
@ -6138,7 +6208,7 @@ N=$((N+1))
|
|||
|
||||
NAME=OPENSSLLISTENDSA
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%$NAME%*)
|
||||
*%$N%*|*%functions%*|*%openssl%*|*%$NAME%*)
|
||||
TEST="$NAME: openssl listen with DSA certificate"
|
||||
if ! eval $NUMCOND; then :;
|
||||
elif ! testaddrs openssl >/dev/null; then
|
||||
|
|
@ -6438,7 +6508,6 @@ SCTP4 $LOCALHOST PORT
|
|||
SCTP6 $LOCALHOST6 PORT
|
||||
UNIX FILE ,
|
||||
"
|
||||
#set +vx
|
||||
|
||||
|
||||
NAME=UNIXTOSTREAM
|
||||
|
|
@ -8965,7 +9034,7 @@ NAME=OPENSSLREAD
|
|||
# keeps there and is not transferred by socat until the socket indicates more
|
||||
# data or EOF.
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%$NAME%*)
|
||||
*%$N%*|*%functions%*|*%openssl%*|*%$NAME%*)
|
||||
TEST="$NAME: socat handles data buffered by openssl"
|
||||
#idea: have a socat process (server) that gets an SSL block that is larger than
|
||||
# socat transfer block size; keep the socket connection open and kill the
|
||||
|
|
@ -9862,10 +9931,10 @@ N=$((N+1))
|
|||
#set +xv
|
||||
#
|
||||
done <<<"
|
||||
TCP4 TCP $LOCALHOST $SECONDADDR $PORT $((PORT+1))
|
||||
TCP4 TCP 127.0.0.1 $SECONDADDR $PORT $((PORT+1))
|
||||
TCP6 IP6 [0000:0000:0000:0000:0000:0000:0000:0001] [0000:0000:0000:0000:0000:0000:0000:0001] $((PORT+2)) $((PORT+3))
|
||||
UDP6 IP6 [0000:0000:0000:0000:0000:0000:0000:0001] [0000:0000:0000:0000:0000:0000:0000:0001] $((PORT+6)) $((PORT+7))
|
||||
SCTP4 SCTP $LOCALHOST $SECONDADDR $((PORT+8)) $((PORT+9))
|
||||
SCTP4 SCTP 127.0.0.1 $SECONDADDR $((PORT+8)) $((PORT+9))
|
||||
SCTP6 SCTP [0000:0000:0000:0000:0000:0000:0000:0001] [0000:0000:0000:0000:0000:0000:0000:0001] $((PORT+10)) $((PORT+11))
|
||||
UNIX UNIX $td/test\$N.server $td/test\$N.client , ,
|
||||
"
|
||||
|
|
@ -11352,7 +11421,7 @@ N=$((N+1))
|
|||
# Linux) with "Invalid argument".
|
||||
NAME=OPENSSL_CONNECT_BIND
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%bugs%*|*%socket%*|*%ssl%*|*%$NAME%*)
|
||||
*%$N%*|*%functions%*|*%openssl%*|*%bugs%*|*%socket%*|*%ssl%*|*%$NAME%*)
|
||||
TEST="$NAME: test OPENSSL-CONNECT with bind option"
|
||||
# have a simple SSL server that just echoes data.
|
||||
# connect with socat using OPENSSL-CONNECT with bind, send data and check if the
|
||||
|
|
@ -11451,17 +11520,15 @@ PORT=$((PORT+1))
|
|||
N=$((N+1))
|
||||
|
||||
|
||||
#set -xv
|
||||
# test: OPENSSL sets of environment variables with important values of peer certificate
|
||||
unset SOCAT_OPENSSL_X509_SUBJECT SOCAT_OPENSSL_X509_ISSUER
|
||||
while read SSLDIST MODE MODULE FIELD VALUE TESTADDRESS PEERADDRESS; do
|
||||
if [ -z "$SSLDIST" ] || [[ "$SSLDIST" == \#* ]]; then continue; fi
|
||||
while read ssldist MODE MODULE FIELD TESTADDRESS PEERADDRESS VALUE; do
|
||||
if [ -z "$ssldist" ] || [[ "$ssldist" == \#* ]]; then continue; fi
|
||||
#
|
||||
test_proto="$(echo "$KEYW" |tr A-Z a-z)"
|
||||
SSLDIST=${ssldist^^*}
|
||||
NAME="ENV_${SSLDIST}_${MODE}_${MODULE}_${FIELD}"
|
||||
case "$TESTS" in
|
||||
*%functions%*|*%ip4%*|*%ipapp%*|*%tcp%*|*%$SSLDIST%*|*%envvar%*|*%$NAME%*)
|
||||
TEST="$NAME: $SSLDIST generates environment variable SOCAT_${SSLDIST}_${MODULE}_${FIELD} with correct value"
|
||||
*%$N%*|*%functions%*|*%ip4%*|*%ipapp%*|*%tcp%*|*%$ssldist%*|*%envvar%*|*%$NAME%*)
|
||||
TEST="$NAME: $SSLDIST sets env SOCAT_${SSLDIST}_${MODULE}_${FIELD}"
|
||||
# have a server accepting a connection and invoking some shell code. The shell
|
||||
# code extracts and prints the SOCAT related environment vars.
|
||||
# outside code then checks if the environment contains the variables correctly
|
||||
|
|
@ -11475,7 +11542,6 @@ tf="$td/test$N.stdout"
|
|||
te="$td/test$N.stderr"
|
||||
gentestcert testsrv
|
||||
gentestcert testcli
|
||||
#CMD0="$SOCAT $opts -u ${SSLDIST}-LISTEN:$PORT,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 system:\"echo SOCAT_${SSLDIST}_${MODULE}_${FIELD}=\\\$SOCAT_${SSLDIST}_${MODULE}_${FIELD}; sleep 1\""
|
||||
test_proto=tcp4
|
||||
case "$MODE" in
|
||||
SERVER)
|
||||
|
|
@ -11510,7 +11576,8 @@ if [ $rc1 != 0 ]; then
|
|||
echo "$CMD1"
|
||||
cat "${te}1"
|
||||
numCANT=$((numCANT+1))
|
||||
elif [ "$(grep SOCAT_${SSLDIST}_${MODULE}_${FIELD} "${tf}" |sed -e 's/^[^=]*=//' |sed -e "s/[\"']//g")" = "$VALUE" ]; then
|
||||
elif effval="$(grep SOCAT_${SSLDIST}_${MODULE}_${FIELD} "${tf}" |sed -e 's/^[^=]*=//' |sed -e "s/[\"']//g")";
|
||||
[ "$effval" = "$VALUE" ]; then
|
||||
$PRINTF "$OK\n"
|
||||
if [ "$debug" ]; then
|
||||
echo "$CMD0 &"
|
||||
|
|
@ -11521,6 +11588,7 @@ elif [ "$(grep SOCAT_${SSLDIST}_${MODULE}_${FIELD} "${tf}" |sed -e 's/^[^=]*=//'
|
|||
numOK=$((numOK+1))
|
||||
else
|
||||
$PRINTF "$FAILED\n"
|
||||
echo "expected \"$VALUE\", got \"$effval\"" >&2
|
||||
echo "$CMD0 &"
|
||||
cat "${te}0"
|
||||
echo "$CMD1"
|
||||
|
|
@ -11532,15 +11600,18 @@ fi # NUMCOND, feats
|
|||
;;
|
||||
esac
|
||||
N=$((N+1))
|
||||
#set +xv
|
||||
#
|
||||
done <<<"
|
||||
OPENSSL SERVER X509 SUBJECT $TESTCERT_SUBJECT OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1
|
||||
OPENSSL SERVER X509 ISSUER $TESTCERT_ISSUER OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1
|
||||
OPENSSL CLIENT X509 SUBJECT $TESTCERT_SUBJECT OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1
|
||||
OPENSSL CLIENT X509 ISSUER $TESTCERT_ISSUER OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1
|
||||
openssl SERVER X509 ISSUER OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 $TESTCERT_ISSUER
|
||||
openssl SERVER X509 SUBJECT OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 $TESTCERT_SUBJECT
|
||||
openssl SERVER X509 COMMONNAME OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 $TESTCERT_COMMONNAME
|
||||
openssl SERVER X509 COUNTRYNAME OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 $TESTCERT_COUNTRYNAME
|
||||
openssl SERVER X509 LOCALITYNAME OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 $TESTCERT_LOCALITYNAME
|
||||
openssl SERVER X509 ORGANIZATIONALUNITNAME OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 $TESTCERT_ORGANIZATIONALUNITNAME
|
||||
openssl SERVER X509 ORGANIZATIONNAME OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 $TESTCERT_ORGANIZATIONNAME
|
||||
openssl CLIENT X509 SUBJECT OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 $TESTCERT_SUBJECT
|
||||
openssl CLIENT X509 ISSUER OPENSSL-CONNECT:$LOCALHOST:$PORT,cert=testcli.pem,cafile=testsrv.crt,verify=1 OPENSSL-LISTEN:$PORT,so-reuseaddr,bind=$LOCALHOST,cert=testsrv.pem,cafile=testcli.crt,verify=1 $TESTCERT_ISSUER
|
||||
"
|
||||
set +xv
|
||||
|
||||
|
||||
###############################################################################
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue