Diffstat (limited to 'src/rts.base')
-rw-r--r--src/rts.base329
1 files changed, 329 insertions, 0 deletions
diff --git a/src/rts.base b/src/rts.base
new file mode 100644
index 0000000..0096007
--- /dev/null
+++ b/src/rts.base
@@ -0,0 +1,329 @@
+#!/bin/sh
+# Assumptions:
+# ucspi-tcp
+# available TCP ports on ::1: 50013--50021
+# 127.0.0.1 is resolved as 'localhost'
+# ::1/128 is resolved as 'ip6-loopback'
+# 0.0.0.0 and ::/128 is resolved as 'localnet'
+#
+# $here is ucspi-ssl current directory
+#
+# Not tested:
+# setting UID or GID
+# rules
+# write timeout
+
+echo '---> test sslserver + sslclient: four instances of sslserver (ports 50013, 50014, 50015, 50016) are used'
+echo '---> sslserver @port 50015 requires client certs'
+echo '++++'
+
+sslserver -w 2 \
+-s -E -c 1 -Bbanner -Vo -D -1 -3 -Xx rules.cdb -Rt5 -h -l Localserver -b 2 \
+::1 50016 ./print 3< $CADIR/::1.pw > log.50016 2>&1 &
+pid_50016=$!
+
+sslserver -w 2 \
+-s -e -c 1 -Bbanner -Vo -D -1 -3 -Xx rules.cdb -Rt5 -h -l Localserver -b 2 -m \
+::1 50015 ./print 3< $CADIR/::1.pw > log.50015 2>&1 &
+pid_50015=$!
+
+CIPHERS='' sslserver -w 2 \
+-s -e -c 1 -Bbanner -Vo -D -1 -3 -Xx rules.cdb -Rt5 -h -l Localserver -b 2 \
+::1 50014 ./print >log.50014 3< $CADIR/::1.pw 2>&1 &
+pid_50014=$!
+sleep 1
+
+sslserver -w 2 \
+-s -e -c 1 -Bbanner -Vo -D -1 -3 -Xx rules.cdb -Rt5 -h -l Localserver -b 2 \
+::1 50013 cat - >log.50013 3< $CADIR/::1.pw 2>&1 &
+pid_50013=$!
+sleep 1
+
+echo '---> test sslclient/sslserver behavior with wrong parm (timeout 2 secs)'
+echo '++++'
+
+echo '--- sslclient prints usage message without enough arguments'
+sslclient -T2 0 0; echo $?
+
+echo '--- sslclient prints error message with unknown port name'
+sslclient -T2 0 nonexistentport echo wrong; echo $?
+
+echo '--- sslclient prints error message when connection fails'
+sslclient -T2 0 016 echo wrong; echo $?
+
+echo '--- sslclient -q does not print error message when connection fails'
+sslclient -T2 -q 0 016 echo wrong; echo $?
+
+echo '--- sslclient prints error message with unknown host name'
+sslclient nonexistent.local. 016 echo wrong; echo $?
+
+echo '--- sslclient prints error message with unresolvable host name'
+sslclient thislabelistoolongbecausednshasalimitof63charactersinasinglelabel. 50016 echo wrong; echo $?
+
+echo '--- sslserver prints usage message without enough arguments'
+sslserver 0 0; echo $?
+
+echo '--- sslserver prints error message with unknown port name'
+sslserver 0 nonexistentport echo wrong; echo $?
+
+echo '--- sslserver prints error message with unknown host name'
+sslserver nonexistent.local. 016 echo wrong; echo $?
+
+echo '--- sslserver prints error message with unresolvable host name'
+sslserver thislabelistoolongbecausednshasalimitof63charactersinasinglelabel. 50016 echo wrong; echo $?
+
+echo '--- sslserver prints error message with non-local host name'
+( sslserver 1.2.3.4 016 echo wrong 2>&1
+ echo $?
+) | sed -e 's/unable to bind to: .*/unable to bind to: .../'
+
+
+echo '---> test sslclient to connect to sslserver (on different port; note: cert verify will fail on localhost)'
+echo '++++'
+
+echo '--- sslclient sets basic environment variables'
+{
+ sslclient -p 50017 -R -N -H -T 10 -l Local -a "$CAFILE" ::1 50016 sh -c 'cat <&6'
+ echo $?
+} | sed -e 's/unable to bind to: .*/unable to bind to: .../'
+
+
+echo '--- sslserver -e also sets TCP environment variables'
+{
+ sslclient -p 50018 -e -S -R -N -H -T 10 -l Local -a "$CAFILE" ::1 50016 sh -c 'cat <&6'
+ echo $?
+} | sanitize
+
+echo '--- sslclient recognizes -D, -z, -r, -h, -t (with elective cipher)'
+{
+ sslclient -p 50019 -N -D -r -t1 -l Local -a "$CAFILE" \
+ -z 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' \
+ ::1 50016 sh -c 'cat <&6'
+ echo $?
+}
+#} | sanitize
+
+echo '--- sslclient sets basic environment variables'
+{
+ sslclient -p 50020 -R -N -H -l Local -a "$CAFILE" ::1 50016 ./print
+ echo $?
+} | sanitize
+
+echo '--- sslclient -e sets TCP environment variables'
+{
+ sslclient -p 50021 -e -R -N -H -l Local -a "$CAFILE" ::1 50016 ./print
+ echo $?
+} | sanitize
+
+echo '--- sslclient -s sets TLS environment variables'
+{
+ sslclient -p 50022 -s -R -N -H -l Local -a "$CAFILE" ::1 50016 ./print
+ echo $?
+} | sanitize
+
+echo '--- sslclient looks up host names properly (localhost. -> ip6-loopback)'
+{
+ sslclient -p 50023 -R -N -a "$CAFILE" localhost. 50016 ./print
+ echo $?
+} | sanitize
+
+echo '--- sslclient -v works'
+sslclient -p 50024 -v -R -N -H -l Local -a "$CAFILE" ::1 50016 echo ok
+echo $?
+
+echo '--- sslserver -N does not check certificates CN'
+( exec 2>&1
+ sslclient -p 50025 -v -R -H -N -l ip6-localhost -a "$CAFILE" -X ::1 50014 sh -c 'sleep 1; echo ok'
+ echo $?
+) | sanitize
+
+echo '--- sslserver and sslclient print errors for incompatible cipher lists for TLS < 1.3'
+( exec 2>&1
+ sslclient -p 50026 -v -R -H -N -l ip6-localhost -z 'FOOBAR' -a "$CAFILE" ::1 50014 \
+ sh -c 'sleep 1; echo ok'
+ echo $?
+) | sanitize
+
+echo '--- sslclient -X ignores any server certificate'
+( exec 2>&1
+ sslclient -p 50027 -v -R -H -l ip6-localhost -X ::1 50014 \
+ sh -c 'sleep 1; echo ok'
+ echo $?
+) | sanitize
+
+echo '--- sslclient -n checks hostname with certificates SAN/CN'
+( exec 2>&1
+ sslclient -p 50027 -v -R -H -l ip6-localhost -a "$CAFILE" ::1 50014 \
+ sh -c 'sleep 1; echo ok'
+ echo $?
+) | sanitize
+
+echo '---> test sslclient to connect to sslserver requiring client cert'
+echo '++++'
+
+echo '--- sslserver prints error for no client certificate'
+( exec 2>&1
+ sslclient -p 50028 -v -R -N -h -l ip6-localhost -a "$CAFILE" ::1 50015 \
+ sh -c 'sleep 1; echo ok'
+ echo $?
+) | sanitize
+
+echo '--- sslserver prints error for bad client certificate'
+( exec 2>&1
+ exec 3< $CADIR/::1.pw
+ sslclient -p 50029 -v -R -h -l ip6-localhost -a "$CAFILE" -c "$CERTFILE" -k "$KEYFILE" -3 \
+ ::1 50015 sh -c 'sleep 1; echo ok'
+ echo $?
+) | sanitize
+
+echo '--- sslclient uses certificates'
+( exec 2>&1
+ exec 3< $CADIR/localhost.pw
+ sslclient -p 50030 -v -s -R -N -h -l ip6-localhost -a "$CAFILE" -c "$CCERTFILE" -k "$CKEYFILE" -3 \
+ ::1 50015 sh -c 'cat <&6; ./print'
+ echo $?
+) | sanitize
+
+echo '---> test sslcat to connect to sslserver@5016'
+echo '++++'
+
+echo '--- sslcat works'
+{
+ sslcat ::1 50013 -N -a "$CAFILE" -N
+ echo $?
+} | sanitize
+
+echo '--- sslconnect works'
+{
+ sslconnect ::1 50013 -N -a "$CAFILE" </dev/null
+ echo $?
+} | sanitize
+
+echo '--- https@ works'
+https@ ::1 somefile 50013 -X -a "$CAFILE"
+echo $?
+
+
+echo '---> test sslconnect to connect to sslserver@5013'
+echo '++++'
+
+
+echo '--- sslclient and sslserver handle larger data'
+( exec 2>&1
+ exec 3< $CADIR/localhost.pw
+ { for i in 0 1 2 3 4 5 6 7 8 9
+ do
+ for j in 0 1 2 3 4 5 6 7 8 9
+ do
+ for k in 0 1 2 3 4 5 6 7 8 9
+ do
+ echo "abcdefghijklmnopqrstuvwxyz"
+ echo "abcdefghijklmnopqrstuvwxyz"
+ echo "abcdefghijklmnopqrstuvwxyz"
+ echo "abcdefghijklmnopqrstuvwxyz"
+ done
+ done
+ done
+ } | sslconnect ::1 50013 -v -s -N \
+ -a "$CAFILE" -c "$CCERTFILE" -k "$CKEYFILE" -3 > /dev/null
+ echo $?
+) | sanitize
+
+echo '--- sslserver times out'
+( exec 2>&1
+ exec 3< $CADIR/localhost.pw
+ ( exec echo hereur ) | sslconnect ::1 50013 -v -s -N \
+ -a "$CAFILE" -c "$CCERTFILE" -k "$CKEYFILE" -3
+ echo $?
+) | sanitize
+
+( exec 2>&1
+ exec 3< $CADIR/localhost.pw
+ ( sleep 6; exec echo hereur; ) | sslconnect ::1 50013 -v -s -N \
+ -a "$CAFILE" -c "$CCERTFILE" -k "$CKEYFILE" -3
+ echo $?
+) | sanitize
+
+## Kill all sslserver processes
+
+kill -TERM $pid_50013
+kill -TERM $pid_50014
+kill -TERM $pid_50015
+kill -TERM $pid_50016
+wait $pid_50013
+wait $pid_50014
+wait $pid_50015
+wait $pid_50016
+
+echo '---> test sslprint@50021'
+echo '++++'
+
+
+sslprint \
+-s -c 1 -Bsslprint -vo -D -e -1 -3 -Xx rules.cdb -Rt5 -hp -l Localserver -b 2 \
+::1 50021 3< $CADIR/::1.pw > log.sslprint 2>&1 &
+pid_50021=$!
+sleep 2
+
+echo '--- sslprint prints usage message without enough arguments'
+sslprint 0; echo $?
+
+echo '--- sslprint prints error message with unknown port name'
+sslprint 0 nonexistentport; echo $?
+
+echo '--- sslprint prints error message with unknown host name'
+sslprint nonexistent.local. 016; echo $?
+
+echo '--- sslprint prints error message with unresolvable host name'
+sslprint thislabelistoolongbecausednshasalimitof63charactersinasinglelabel. 016; echo $?
+
+echo '--- sslprint prints error message with non-local host name'
+( sslprint 1.2.3.4 16 2>&1
+ echo $?
+) | sed -e 's/unable to bind to: .*/unable to bind to: .../'
+
+
+echo '--- sslprint prints error message with used port'
+sslprint -R -H -l Localserver ::1 50021 echo wrong
+echo $?
+
+echo '--- sslprint sets basic environment variables'
+{ sslclient -R -H -T 5 -l Local -a "$CAFILE" -N ::1 50021 sh -c 'cat <&6'
+ echo $?
+} | sanitize
+
+echo '--- sslprint exits when environment changes'
+{ sslclient -R -H -T 5 -l Local -a "$CAFILE" -N ::1 50021 sh -c 'cat <&6'
+ echo $?
+} | sanitize
+
+echo '--- sslprint does not lose descriptors'
+{ sslclient -R -H -T 5 -l Local -a "$CAFILE" -N ::1 50021 sh -c 'cat <&6' \
+ 0<&- 2<&-
+ echo $?
+} | sanitize
+
+sleep 1
+kill -TERM $pid_50021
+wait $pid_50021
+
+
+echo '--- sslserver -1v prints proper messages'
+cat log.50016 log.50015 log.50014 log.50013 log.sslprint | \
+sed -e 's/::*/::x/' \
+ -e 's} [0-9]* } x }g' \
+ -e 's} ip6-loopback:::1::[0-9]*} ip6-loopback:::1::x}' \
+ -e 's} :::1:[0-9]*} :::1:x}' \
+ -e 's} cafile x .*/\([^/]*\)} cafile x xxx/\1}' \
+ -e 's} ccafile x .*/\([^/]*\)} ccafile x xxx/\1}' \
+ -e 's} cadir x .*/\([^/]*\)} cadir x xxx/\1}' \
+ -e 's} cert x .*/\([^/]*\)} cert x xxx/\1}' \
+ -e 's} key x .*/\([^/]*\)} key x xxx/\1}' \
+ -e 's} dhparam x .*} dhparam x xxx}' \
+ -e 's} speak TLS: .*} speak TLS: ...}' \
+ -e 's} accept TLS: .*} accept TLS: ...}' \
+ -e 's} done [0-9]*$} done ...}' \
+ -e 's} Localserver:::1:[0-9]*} Localserver:::1:x}' \
+ -e 's} ip6-localnet:::::[0-9]*} ip6-localnet:::::x}' \
+ -e 's} valid client cert received for pid: .*} valid client cert received for pid: ...}'
+
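Review bot: The password file is redirected with an unquoted expansion, `3< $CADIR/::1.pw` in all four background sslserver launches and `exec 3< $CADIR/localhost.pw` in the client-cert tests, whereas `$CAFILE`, `$CERTFILE`, `$CCERTFILE` and `$KEYFILE` are consistently quoted; a `CADIR` containing whitespace splits the redirection target, and an unset `CADIR` silently opens `/::1.pw` instead of failing the test setup. Suggest `3< "${CADIR:?CADIR unset}/::1.pw"` (and likewise for `localhost.pw`) so a misconfigured environment aborts before any sslserver is forked into the background with its password descriptor. Separately, the header comment states that ports 50013--50021 on ::1 are available, but the `-p` client-side ports run up to 50030 and sslprint listens on 50021, so the assumption list is stale; and `-p 50027` is reused for two consecutive sslclient runs (the `-X` test and the SAN/CN test), which may fail with address-in-use if the first socket is still in TIME_WAIT, so giving the second run its own port would make the test deterministic. The section banners `sslcat to connect to sslserver@5016` and `sslconnect to connect to sslserver@5013` both precede commands that use port 50013, so the labels should read `sslserver@50013`.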