logging of SSL errors. Do not import unneeded Socket constants.
-# $OpenBSD: Client.pm,v 1.8 2014/07/11 15:38:44 bluhm Exp $
+# $OpenBSD: Client.pm,v 1.9 2014/12/31 01:25:07 bluhm Exp $
-# Copyright (c) 2010-2012 Alexander Bluhm <bluhm@openbsd.org>
+# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
package Client;
use parent 'Proc';
use Carp;
-use Socket qw(IPPROTO_TCP TCP_NODELAY);
+use Socket;
use Socket6;
use IO::Socket;
use IO::Socket::INET6;
-# $OpenBSD: Makefile,v 1.9 2014/07/11 20:41:20 bluhm Exp $
+# $OpenBSD: Makefile,v 1.10 2014/12/31 01:25:07 bluhm Exp $
# The following ports must be installed for the regression tests:
# p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets
ARGS != cd ${.CURDIR} && ls args-*.pl
TARGETS ?= ${ARGS}
REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/}
-CLEANFILES += *.log *.pem *.crt *.key relayd.conf ktrace.out stamp-*
+CLEANFILES += *.log relayd.conf ktrace.out stamp-*
+CLEANFILES += *.pem *.req *.crt *.key *.srl
# Set variables so that make runs with and without obj directory.
# Only do that if necessary to keep visible output short.
.endif
.endfor
-# create the certificates for SSL
+# create certificates for TLS
.for ip in ${REMOTE_ADDR} 127.0.0.1
${ip}.crt:
- openssl req -batch -new -nodes -newkey rsa -keyout ${ip}.key -subj /CN=${ip}/ -x509 -out $@
+ openssl req -batch -new -subj /L=OpenBSD/O=relayd-regress/OU=relay/CN=${ip}/ -nodes -newkey rsa -keyout ${ip}.key -x509 -out $@
.if empty (REMOTE_SSH)
${SUDO} cp 127.0.0.1.crt /etc/ssl/
${SUDO} cp 127.0.0.1.key /etc/ssl/private/
.endif
.endfor
-server-cert.pem:
- openssl req -batch -new -nodes -newkey rsa -keyout server-key.pem -subj /CN=localhost/ -x509 -out $@
+ca.crt:
+ openssl req -batch -new -subj /L=OpenBSD/O=relayd-regress/OU=ca/CN=root/ -nodes -newkey rsa -keyout ca.key -x509 -out ca.crt
-${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server-cert.pem
+server.req:
+ openssl req -batch -new -subj /L=OpenBSD/O=relayd-regress/OU=server/CN=localhost/ -nodes -newkey rsa -keyout server.key -out server.req
+
+server.crt: ca.crt server.req
+ openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in server.req -out server.crt
+
+${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt
.if empty (REMOTE_SSH)
${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: 127.0.0.1.crt
.else
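Review bot: The new `ca.crt` and `server.crt` rules pass no `-days`, so both the CA and the server certificate get openssl's default lifetime (30 days in stock OpenSSL; the local build may differ). Make re-runs these rules only when the files are missing or older than their prerequisites, so an obj directory kept past that lifetime would hold expired certificates, and any peer verifying against `ca.crt` would fail for a reason unrelated to the code under test. Either set the lifetime explicitly on the `openssl req -x509` and `openssl x509 -req` lines, or add a comment such as `# certificates use the openssl default lifetime; run make clean to regenerate`. The same rules are repeated in the syslogd Makefile later in this commit.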
-# $OpenBSD: Server.pm,v 1.6 2014/07/10 10:19:06 bluhm Exp $
+# $OpenBSD: Server.pm,v 1.7 2014/12/31 01:25:07 bluhm Exp $
-# Copyright (c) 2010-2012 Alexander Bluhm <bluhm@openbsd.org>
+# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
package Server;
use parent 'Proc';
use Carp;
-use Socket qw(IPPROTO_TCP TCP_NODELAY);
+use Socket;
use Socket6;
use IO::Socket;
use IO::Socket::INET6;
Listen => 1,
$self->{listenaddr} ? (LocalAddr => $self->{listenaddr}) : (),
$self->{listenport} ? (LocalPort => $self->{listenport}) : (),
- SSL_key_file => "server-key.pem",
- SSL_cert_file => "server-cert.pem",
+ SSL_key_file => "server.key",
+ SSL_cert_file => "server.crt",
SSL_verify_mode => SSL_VERIFY_NONE,
) or die ref($self), " $iosocket socket listen failed: $!,$SSL_ERROR";
my $log = $self->{log};
shutdown(\*STDOUT, SHUT_WR);
delete $self->{as};
- my $iosocket = $self->{ssl} ? "IO::Socket::SSL" : "IO::Socket::INET6";
my $as = $self->{ls}->accept()
- or die ref($self), " $iosocket socket accept failed: $!";
+ or die ref($self)," ",ref($self->{ls}),
+ " socket accept failed: $!,$SSL_ERROR";
print STDERR "accept sock: ",$as->sockhost()," ",$as->sockport(),"\n";
print STDERR "accept peer: ",$as->peerhost()," ",$as->peerport(),"\n";
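Review bot: The accept failure message now appends `$SSL_ERROR` unconditionally, but `$self->{ls}` can be a plain IO::Socket::INET6 listener. In that case the variable has nothing to do with the failure and may be empty or left over from an earlier TLS operation. Appending it only for TLS listeners keeps the log trustworthy when triaging a failed run, e.g. `" socket accept failed: $!", ($self->{ssl} ? ",$SSL_ERROR" : "");`. The enclosing sub starts and ends outside the visible lines, and the same message is built in the syslogd Server.pm `child` sub further down.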
-# $OpenBSD: Makefile,v 1.6 2014/12/28 14:08:01 bluhm Exp $
+# $OpenBSD: Makefile,v 1.7 2014/12/31 01:25:07 bluhm Exp $
# The following ports must be installed for the regression tests:
# p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets
TARGETS ?= ${ARGS:Nargs-rsyslog*}
.endif
REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/}
-CLEANFILES += *.log *.log.? *.pem *.crt *.key *.conf stamp-*
-CLEANFILES += *.out *.sock ktrace.out *.ktrace *.fstat
+CLEANFILES += *.log *.log.? *.conf ktrace.out stamp-*
+CLEANFILES += *.out *.sock *.ktrace *.fstat
+CLEANFILES += *.pem *.req *.crt *.key *.srl
.MAIN: all
time SUDO=${SUDO} KTRACE=${KTRACE} SYSLOGD=${SYSLOGD} perl ${PERLINC} ${PERLPATH}syslogd.pl ${PERLPATH}$a
.endfor
-# create the certificates for SSL
+# create certificates for TLS
-127.0.0.1.crt:
- openssl req -batch -new -nodes -newkey rsa -keyout 127.0.0.1.key -subj /CN=127.0.0.1/ -x509 -out $@
- ${SUDO} cp 127.0.0.1.crt /etc/ssl/
- ${SUDO} cp 127.0.0.1.key /etc/ssl/private/
+ca.crt:
+ openssl req -batch -new -subj /L=OpenBSD/O=syslogd-regress/OU=ca/CN=root/ -nodes -newkey rsa -keyout ca.key -x509 -out ca.crt
-server-cert.pem:
- openssl req -batch -new -nodes -newkey rsa -keyout server-key.pem -subj /CN=localhost/ -x509 -out $@
+server.req:
+ openssl req -batch -new -subj /L=OpenBSD/O=syslogd-regress/OU=server/CN=localhost/ -nodes -newkey rsa -keyout server.key -out server.req
-${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server-cert.pem
-${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: 127.0.0.1.crt
+server.crt: ca.crt server.req
+ openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in server.req -out server.crt
+
+${REGRESS_TARGETS:M*tls*}: server.crt
# make perl syntax check for all args files
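Review bot: `server.crt` is signed with `openssl x509 -req` and no `-extfile`, so the issued certificate carries no extensions, in particular no subjectAltName. A client that checks the peer name against `ca.crt` would then depend on the CN=localhost fallback, which stricter TLS libraries do not honour; whether any test client does name checking is not visible here. If name checking is wanted, the signing line could take an extension file, e.g. `-extfile server.ext` containing `subjectAltName = DNS:localhost` (file name constructed for illustration). The relayd Makefile earlier in this commit has the same signing rule.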
-# $OpenBSD: Server.pm,v 1.3 2014/12/28 14:08:01 bluhm Exp $
+# $OpenBSD: Server.pm,v 1.4 2014/12/31 01:25:07 bluhm Exp $
# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org>
#
Domain => $self->{listendomain},
$self->{listenaddr} ? (LocalAddr => $self->{listenaddr}) : (),
$self->{listenport} ? (LocalPort => $self->{listenport}) : (),
- SSL_key_file => "server-key.pem",
- SSL_cert_file => "server-cert.pem",
+ SSL_key_file => "server.key",
+ SSL_cert_file => "server.crt",
SSL_verify_mode => SSL_VERIFY_NONE,
) or die ref($self), " $iosocket socket listen failed: $!,$SSL_ERROR";
- if ($self->{listenproto} eq "tcp") {
+ if ($self->{listenproto} ne "udp") {
listen($ls, 1)
or die ref($self), " socket failed: $!";
}
sub child {
my $self = shift;
- my $iosocket = $self->{ssl} ? "IO::Socket::SSL" : "IO::Socket::INET6";
my $as = $self->{ls};
if ($self->{listenproto} ne "udp") {
$as = $self->{ls}->accept()
- or die ref($self), " $iosocket socket accept failed: $!";
+ or die ref($self)," ",ref($self->{ls}),
+ " socket accept failed: $!,$SSL_ERROR";
print STDERR "accept sock: ",$as->sockhost()," ",
$as->sockport(),"\n";
print STDERR "accept peer: ",$as->peerhost()," ",