| author | Guilhem Moulin <guilhem@debian.org> | 2020-12-11 11:46:57 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@debian.org> | 2020-12-11 11:46:57 +0100 | 
| commit | f2b70e9691adc09f6191751c2009f411199ec35d (patch) | |
| tree | 9e7787f245396ffe380839e56df26e7d418c2f90 /tests/tls-verify-peer | |
| parent | bcb88ae0cdfa3548e3c650fd489fc49779e7235a (diff) | |
| parent | a51f2efacebbf941585809853d1adbfddc165ac2 (diff) | |
Merge tag 'v0.5.4' into debian/latest
Release version 0.5.4
Diffstat (limited to 'tests/tls-verify-peer')
| -rw-r--r-- | tests/tls-verify-peer/interimap.remote | 1 | ||||
| -rw-r--r-- | tests/tls-verify-peer/t | 67 | 
2 files changed, 57 insertions, 11 deletions
diff --git a/tests/tls-verify-peer/interimap.remote b/tests/tls-verify-peer/interimap.remote
index b02fcd0..263655f 100644
--- a/tests/tls-verify-peer/interimap.remote
+++ b/tests/tls-verify-peer/interimap.remote
@@ -1,2 +1 @@
-host = ::1
 port = 10993
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 9e4d9fa..2461a1f 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -1,6 +1,15 @@
+X509_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
+    | openssl x509 -noout -fingerprint -sha256 \
+    | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")"
+PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
+    | openssl x509 -pubkey | openssl pkey -pubin -outform DER \
+    | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
+
 unverified_peer() {
     ! interimap --debug || error
+    # make sure we aborted the handshake immediately after connecting
+    grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
     grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
     sed -nr "s/remote: \[[0-9]+\] (preverify=[0-9]+)$/\1/p" <"$STDERR" >"$TMPDIR/preverify"
     [ -s "$TMPDIR/preverify" ] || error
@@ -11,12 +20,13 @@ unverified_peer() {
 }
 verified_peer() {
     local i u
-    for ((i = 0; i < 32; i++)); do
+    for ((i = 0; i < 4; i++)); do
         u="$(shuf -n1 -e "local" "remote")"
         sample_message | deliver -u "$u"
     done
     interimap --debug || error
+    grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
     sed -nr "s/remote: \[[0-9]+\] (preverify=[0-9]+)$/\1/p" <"$STDERR" >"$TMPDIR/preverify"
     [ -s "$TMPDIR/preverify" ] || error
     ! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error
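Review bot: The case fold at the end of the X509_SHA256 pipeline uses the bracketed form `tr "[A-Z]" "[a-z]"`; GNU tr maps the literal `[` and `]` to themselves here so the result is right, but the brackets are a System V-ism and `tr A-Z a-z` (or `tr '[:upper:]' '[:lower:]'`) says the same thing without suggesting to readers that they are required. Both sed scripts sit in double quotes only to survive `\\s`, which single quotes avoid: `sed -rn '/^.*=\s*/ {s///p;q}'`. The new comment in unverified_peer describes the next two greps together: the fingerprint grep shows the server certificate was received and logged, and the abort itself is asserted by the `Can't initiate TLS/SSL handshake` grep that follows, so `# the peer certificate was received and logged, but the handshake was then aborted (next grep)` would be more precise. unverified_peer continues past the end of the hunk.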
@@ -28,9 +38,9 @@ verified_peer() {
 }
 # backup config
-install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
+install -m0600 -- "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
 with_remote_config() {
-    install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
+    install -m0600 -- "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
     cat >>"$XDG_CONFIG_HOME/interimap/config"
 }
@@ -39,42 +49,79 @@ unverified_peer
 step_done
 step_start "peer verification result honored when pinned pubkey matches"
-PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
-    | openssl x509 -pubkey | openssl pkey -pubin -outform DER \
-    | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
 with_remote_config <<-EOF
 	SSL_fingerprint = sha256\$$PKEY_SHA256
 EOF
 unverified_peer
-! grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
+grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
 step_done
 capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
+cp -T -- ~/.dovecot/conf.d/ca.crt "$capath/ca-certificates.crt"
 step_start "SSL_CAfile"
 if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
-    # our self-signed test cert should not be in there
+    # assume our fake root CA is not there
     with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
     unverified_peer
 fi
-doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert >"$capath/ca-certificates.crt"
+# default host (localhost) is the CN (and also subjectAltName)
 with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"
 verified_peer
+
+# hostnames and IPs included in the subjectAltName should work as well
+for host in "ip6-localhost" "127.0.0.1" "::1"; do
+    with_remote_config <<-EOF
+		host = $host
+		SSL_CAfile = $capath/ca-certificates.crt
+	EOF
+    verified_peer
+done
+
+# but not for other IPs or hostnames
+for host in "ip6-loopback" "127.0.1.1"; do
+    with_remote_config <<-EOF
+		host = $host
+		SSL_CAfile = $capath/ca-certificates.crt
+	EOF
+    unverified_peer
+done
+
 step_done
 step_start "SSL_CApath"
 if [ -d "/etc/ssl/certs" ]; then
-    # our self-signed test cert should not be in there
+    # assume our fake root CA is not there
     with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
     unverified_peer
 fi
 c_rehash "$capath"
+# default host (localhost) is the CN (and also subjectAltName)
 with_remote_config <<<"SSL_CApath = $capath"
 verified_peer
+
+# hostnames and IPs included in the subjectAltName should work as well
+for host in "ip6-localhost" "127.0.0.1" "::1"; do
+    with_remote_config <<-EOF
+		host = $host
+		SSL_CApath = $capath
+	EOF
+    verified_peer
+done
+
+# but not for other IPs or hostnames
+for host in "ip6-loopback" "127.0.1.1"; do
+    with_remote_config <<-EOF
+		host = $host
+		SSL_CApath = $capath
+	EOF
+    unverified_peer
+done
+
 step_done
 # vim: set filetype=sh :
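Review bot: The negative-host loops added at the end of the SSL_CAfile and SSL_CApath steps only fail for the intended reason if the server is reachable at those addresses: `unverified_peer` (first hunk of this file) insists on the `Peer certificate fingerprint` line, so the 127.0.1.1 case needs the Dovecot test instance to accept connections there, and if it binds only 127.0.0.1/::1 the case fails on connection refusal while the hostname-verification point goes untested — worth a comment or a bind check in the harness. The comment `# but not for other IPs or hostnames` could also record why ip6-loopback is a useful name: where it resolves to ::1, as in Debian's default /etc/hosts, the peer is reached at an address that is in the subjectAltName, so the case shows that the configured name rather than the address connected to is what gets verified, e.g. `# ip6-loopback resolves to ::1 on Debian, so this also checks that the configured name, not the address reached, is what is verified`. The two host loops are repeated verbatim for SSL_CAfile and SSL_CApath, differing only in the appended config line; a small helper taking that line would keep both host lists in one place.
```shell
# Exercise hostname verification against the subjectAltName with the CA
# configured by $1 (an "SSL_CAfile = …" or "SSL_CApath = …" line):
# names and addresses present in the SAN must verify, the others must not.
check_san_hosts() {
    local host
    for host in "ip6-localhost" "127.0.0.1" "::1"; do
        with_remote_config <<-EOF
			host = $host
			$1
		EOF
        verified_peer
    done
    for host in "ip6-loopback" "127.0.1.1"; do
        with_remote_config <<-EOF
			host = $host
			$1
		EOF
        unverified_peer
    done
}
# … unchanged: SSL_CAfile step up to its verified_peer …
check_san_hosts "SSL_CAfile = $capath/ca-certificates.crt"
# … unchanged: SSL_CApath step up to its verified_peer …
check_san_hosts "SSL_CApath = $capath"
```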
