aboutsummaryrefslogtreecommitdiffstats
path: root/tests/tls-pin-fingerprint/t
blob: c8806c73099eeb2cf988133295d554d617c2fa63 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
    | openssl x509 -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
INVALID_FPR="sha256\$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
INVALID_FPR2="sha256\$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbee2"

# backup config
install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
with_remote_config() {
    install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
    cat >>"$XDG_CONFIG_HOME/interimap/config"
}

# pinned valid fingerprint
with_remote_config <<-EOF
	SSL_fingerprint = sha256\$$PKEY_SHA256
EOF

for ((i = 0; i < 32; i++)); do
    u="$(shuf -n1 -e "local" "remote")"
    sample_message | deliver -u "$u"
done
interimap_init
check_mailbox_status "INBOX"


# with default algorithm (SHA256)
with_remote_config <<-EOF
	SSL_fingerprint = $INVALID_FPR $PKEY_SHA256
EOF
interimap --debug || error
grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error


# and now an invalid one
with_remote_config <<-EOF
	SSL_fingerprint = $INVALID_FPR
EOF
! interimap --debug || error

grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
# make sure we didn't send any credentials or started speaking IMAP
! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error

# two invalid ones
with_remote_config <<-EOF
	SSL_fingerprint = $INVALID_FPR $INVALID_FPR2
EOF
! interimap --debug || error

grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
# make sure we didn't send any credentials or started speaking IMAP
! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error


# valid + invalid
with_remote_config <<-EOF
	SSL_fingerprint = sha256\$$PKEY_SHA256 $INVALID_FPR
EOF
interimap --debug || error
grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error


# invalid + valid
with_remote_config <<-EOF
	SSL_fingerprint = $INVALID_FPR sha256\$$PKEY_SHA256
EOF
interimap --debug || error
grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error

# vim: set filetype=bash :