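#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

## Client-side TLS verification test.
##
## Starts one slapd listening on ldap:// ($URI1) and ldaps:// ($SURI2) with the
## test-suite certificates, then runs ldapsearch against it with different
## client TLS settings and checks that each connection is accepted or rejected
## as expected:
##
##   - tls_reqcert=never vs. tls_reqcert=hard, with and without the test CA
##     (tls_cacert), over StartTLS and over ldaps://;
##   - tls_protocol_min (OpenSSL builds only);
##   - public key pinning (tls_peerkey_hash) with a plaintext pin (base64 of
##     the server's DER-encoded public key), a hashed pin ("ALG:" followed by
##     the base64 of the ALG digest of that DER) and pins that cannot match.
##
## Negative tests only check for a non-zero ldapsearch exit status; each one
## is placed right after a positive test using the same transport and
## verification settings, so the rejected option is the only difference.
##
## Everything not set here ($SRCDIR, $TESTDIR, $DATADIR, $SLAPD, $LDAPSEARCH,
## $URI1/$URIP1, $SURI2/$SURIP2, $CONFFILTER, $TLSCONF, $CONF1, $SEARCHOUT,
## $LOG1, $WAIT, $KILLSERVERS, $WITH_TLS, $WITH_TLS_TYPE, ...) is expected to
## come from scripts/defines.sh.  TLS_PEERKEY_HASHALG may be set by the caller
## to choose the digest used for the hashed pin (default: sha256).

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

if test "$WITH_TLS" = no ; then
	echo "TLS support not available, test skipped"
	exit 0
fi

openssl=$(command -v openssl 2>/dev/null)
certtool=$(command -v certtool 2>/dev/null)
base64=$(command -v base64 2>/dev/null)

mkdir -p "$TESTDIR" "$DBDIR1"
cp -r "$DATADIR/tls" "$TESTDIR"

cd "$TESTWD" || exit 1

CACERT="$TESTDIR/tls/ca/certs/testsuiteCA.crt"
SERVERCERT="$TESTDIR/tls/certs/localhost.crt"

TLS_PEERKEY_HASHALG=${TLS_PEERKEY_HASHALG:-sha256}

# b64_digest < DATA
# Print the base64 of the $TLS_PEERKEY_HASHALG digest of stdin, or nothing
# when openssl cannot compute it (stderr is discarded on purpose).
b64_digest() {
	"$openssl" dgst "-$TLS_PEERKEY_HASHALG" -binary 2>/dev/null | \
		"$openssl" enc -base64 2>/dev/null
}

# Pins derived from the server certificate.  An empty value means the
# corresponding tests are skipped, so every way of ending up empty is
# reported below instead of silently turning the pinning tests into no-ops.
#   TLS_PEERKEY             plaintext pin: base64(DER SubjectPublicKeyInfo)
#   TLS_PEERKEY_HASHED      hashed pin:    ALG:base64(ALG(DER SPKI))
#   TLS_PEERKEY_HASHED_FAIL well-formed hashed pin that cannot match any key
TLS_PEERKEY=
TLS_PEERKEY_HASHED=
TLS_PEERKEY_HASHED_FAIL=
if test -n "$openssl"; then
	fake=$(echo "a fake key to hash" | b64_digest)
	if test -n "$fake"; then
		TLS_PEERKEY_HASHED_FAIL="$TLS_PEERKEY_HASHALG:$fake"
	else
		echo "openssl could not compute a $TLS_PEERKEY_HASHALG digest, hashed pin tests will be skipped..."
	fi

	# Extract the DER SubjectPublicKeyInfo once and derive both pins from
	# it.  "pkey" rather than "rsa" so a non-RSA server key works as well;
	# for an RSA key both emit the same SPKI encoding.
	SPKI="$TESTDIR/tls/localhost.pubkey.der"
	"$openssl" x509 -pubkey -noout -in "$SERVERCERT" | \
		"$openssl" pkey -pubin -outform der > "$SPKI" 2>/dev/null
	if test -s "$SPKI"; then
		TLS_PEERKEY=$("$openssl" enc -base64 -in "$SPKI" 2>/dev/null)
		digest=$(b64_digest < "$SPKI")
		if test -n "$digest"; then
			TLS_PEERKEY_HASHED="$TLS_PEERKEY_HASHALG:$digest"
		fi
	else
		echo "openssl could not extract the public key from $SERVERCERT, key pinning tests will be skipped..."
	fi
elif test -n "$certtool" && test -n "$base64"; then
	echo "OpenSSL not found, falling back to certtool"
	echo "This will not exercise hashed pin functionality"
	TLS_PEERKEY=$("$certtool" --certificate-pubkey --outder \
		--infile "$SERVERCERT" \
		--load-pubkey "$SERVERCERT" \
		| "$base64")
	if test -z "$TLS_PEERKEY"; then
		echo "certtool could not extract the public key from $SERVERCERT, key pinning tests will be skipped..."
	fi
else
	echo "No way to extract the public key from certificate, key pinning tests will be skipped..."
fi

# bail STATUS
# Stop the test slapd (unless KILLSERVERS=no asks to leave it running) and
# exit with STATUS.
bail() {
	# shellcheck disable=SC2086  # KILLPIDS is a space-separated pid list
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$1"
}

# expect_success LABEL COMMAND ARGS...
# Run COMMAND; the test run is aborted unless it exits 0.  Output is appended
# to $SEARCHOUT so the transcripts survive for diagnosis.
expect_success() {
	label=$1
	shift
	"$@" >> "$SEARCHOUT" 2>&1
	RC=$?
	if test $RC != 0 ; then
		echo "ldapsearch ($label) failed ($RC)!"
		bail $RC
	fi
	echo "success"
}

# expect_failure LABEL COMMAND ARGS...
# Run COMMAND; the test run is aborted if it exits 0.  Only the exit status
# is checked, so a caller must keep everything but the option under test
# identical to the preceding positive test.
expect_failure() {
	label=$1
	shift
	"$@" >> "$SEARCHOUT" 2>&1
	RC=$?
	if test $RC = 0 ; then
		echo "ldapsearch ($label) succeeded when it should have failed($RC)!"
		bail 1
	fi
	echo "failed correctly with error code ($RC)"
}

# starttls_search OPTIONS...
# Root DSE search over the plain listener with a mandatory StartTLS upgrade
# (-ZZ: the operation fails if TLS cannot be established).
# $LDAPSEARCH may carry its own options, so it is deliberately not quoted.
starttls_search() {
	$LDAPSEARCH "$@" -ZZ -b "" -s base -H $URIP1 '@extensibleObject'
}

# ldaps_search OPTIONS...
# Subschema search over the ldaps:// listener.
ldaps_search() {
	$LDAPSEARCH "$@" -b "cn=Subschema" -s base -H $SURIP2 \
		'(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass
}

echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
. $CONFFILTER $BACKEND < $TLSCONF > $CONF1
$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL > $LOG1 2>&1 &
PID=$!
if test "$WAIT" != 0 ; then
	echo PID $PID
	read -r foo
fi
KILLPIDS="$PID"

sleep 1

# Wait until the server answers on the plain listener before testing TLS.
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "" -H $URI1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	bail $RC
fi

# Fresh transcript for this run; the expect_* helpers append to it.
: > "$SEARCHOUT"

echo -n "Using ldapsearch with startTLS with no server cert validation...."
expect_success startTLS starttls_search -o tls_reqcert=never

echo -n "Using ldapsearch with startTLS with hard require cert...."
expect_success startTLS starttls_search -o tls_cacert="$CACERT" -o tls_reqcert=hard

if test "$WITH_TLS_TYPE" = openssl ; then
	echo -n "Using ldapsearch with startTLS and specific protocol version...."
	# 3.3 is the record-layer style version libldap uses for TLS 1.2
	# (see TLS_PROTOCOL_MIN in ldap.conf(5)).
	expect_success protocol-min starttls_search -o tls_cacert="$CACERT" \
		-o tls_reqcert=hard -o tls_protocol_min=3.3
fi

echo -n "Using ldapsearch with StartTLS and pinning enabled but a pin that doesn't match..."
# tls_reqcert=never: the pin must be enforced even with certificate
# verification disabled; the same settings succeeded above without a pin.
expect_failure StartTLS starttls_search -o tls_reqcert=never -o tls_peerkey_hash=abcd

echo -n "Using ldapsearch with StartTLS and a valid plaintext pin..."
if test -n "$TLS_PEERKEY"; then
	expect_success StartTLS starttls_search -o tls_reqcert=hard -o tls_cacert="$CACERT" \
		-o tls_peerkey_hash="$TLS_PEERKEY"
else
	echo "skipped"
fi

echo -n "Using ldapsearch with StartTLS and an invalid hashed pin..."
# Chain verification is configured to pass, so the pin is the only thing
# that can cause the rejection.
if test -n "$TLS_PEERKEY_HASHED_FAIL"; then
	expect_failure StartTLS starttls_search -o tls_reqcert=hard -o tls_cacert="$CACERT" \
		-o tls_peerkey_hash="$TLS_PEERKEY_HASHED_FAIL"
else
	echo "skipped"
fi

echo -n "Using ldapsearch with StartTLS and a valid hashed pin..."
if test -n "$TLS_PEERKEY_HASHED"; then
	expect_success StartTLS starttls_search -o tls_reqcert=hard -o tls_cacert="$CACERT" \
		-o tls_peerkey_hash="$TLS_PEERKEY_HASHED"
else
	echo "skipped"
fi

echo -n "Using ldapsearch on $SURI2 with no server cert validation..."
expect_success ldaps ldaps_search -o tls_reqcert=never

echo -n "Using ldapsearch on $SURI2 with reqcert HARD and no CA cert. Should fail..."
# Without the test CA the server certificate cannot be verified, so
# tls_reqcert=hard must refuse the connection.
expect_failure ldaps ldaps_search -o tls_reqcert=hard

echo -n "Using ldapsearch on $SURI2 with CA cert and reqcert HARD..."
expect_success ldaps ldaps_search -o tls_cacert="$CACERT" -o tls_reqcert=hard

echo -n "Using ldapsearch on $SURI2 with pinning enabled but a pin that doesn't match..."
expect_failure ldaps ldaps_search -o tls_reqcert=never -o tls_peerkey_hash=abcd

echo -n "Using ldapsearch on $SURI2 with a valid plaintext pin..."
if test -n "$TLS_PEERKEY"; then
	expect_success ldaps ldaps_search -o tls_cacert="$CACERT" -o tls_reqcert=hard \
		-o tls_peerkey_hash="$TLS_PEERKEY"
else
	echo "skipped"
fi

echo -n "Using ldapsearch on $SURI2 with an invalid hashed pin..."
if test -n "$TLS_PEERKEY_HASHED_FAIL"; then
	expect_failure ldaps ldaps_search -o tls_cacert="$CACERT" -o tls_reqcert=hard \
		-o tls_peerkey_hash="$TLS_PEERKEY_HASHED_FAIL"
else
	echo "skipped"
fi

echo -n "Using ldapsearch on $SURI2 with a valid hashed pin..."
if test -n "$TLS_PEERKEY_HASHED"; then
	expect_success ldaps ldaps_search -o tls_cacert="$CACERT" -o tls_reqcert=hard \
		-o tls_peerkey_hash="$TLS_PEERKEY_HASHED"
else
	echo "skipped"
fi

# shellcheck disable=SC2086  # KILLPIDS is a space-separated pid list
test "$KILLSERVERS" != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"
RC=0

test "$KILLSERVERS" != no && wait

exit $RC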