From 037367f64b3620cd200d9cb554e770b4c7c93f35 Mon Sep 17 00:00:00 2001 From: bluhm Date: Fri, 22 May 2015 19:09:18 +0000 Subject: [PATCH] Add tests for relayd TLS inspection with plain SSL and HTTPS. --- regress/usr.sbin/relayd/Client.pm | 10 +++++-- regress/usr.sbin/relayd/Makefile | 5 ++-- regress/usr.sbin/relayd/Relayd.pm | 9 +++++-- regress/usr.sbin/relayd/Server.pm | 10 +++++-- regress/usr.sbin/relayd/args-https-inspect.pl | 27 +++++++++++++++++++ regress/usr.sbin/relayd/args-https.pl | 1 + regress/usr.sbin/relayd/args-ssl-inspect.pl | 21 +++++++++++++++ regress/usr.sbin/relayd/args-ssl.pl | 1 + 8 files changed, 76 insertions(+), 8 deletions(-) create mode 100644 regress/usr.sbin/relayd/args-https-inspect.pl create mode 100644 regress/usr.sbin/relayd/args-ssl-inspect.pl diff --git a/regress/usr.sbin/relayd/Client.pm b/regress/usr.sbin/relayd/Client.pm index 8d4edd84df6..fd987f93bb1 100644 --- a/regress/usr.sbin/relayd/Client.pm +++ b/regress/usr.sbin/relayd/Client.pm @@ -1,6 +1,6 @@ -# $OpenBSD: Client.pm,v 1.9 2014/12/31 01:25:07 bluhm Exp $ +# $OpenBSD: Client.pm,v 1.10 2015/05/22 19:09:18 bluhm Exp $ -# Copyright (c) 2010-2014 Alexander Bluhm +# Copyright (c) 2010-2015 Alexander Bluhm # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -60,6 +60,12 @@ sub child { ) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR"; print STDERR "connect sock: ",$cs->sockhost()," ",$cs->sockport(),"\n"; print STDERR "connect peer: ",$cs->peerhost()," ",$cs->peerport(),"\n"; + if ($self->{ssl}) { + print STDERR "ssl version: ",$cs->get_sslversion(),"\n"; + print STDERR "ssl cipher: ",$cs->get_cipher(),"\n"; + print STDERR "ssl peer certificate:\n", + $cs->dump_peer_certificate(); + } *STDIN = *STDOUT = $self->{cs} = $cs; } diff --git a/regress/usr.sbin/relayd/Makefile b/regress/usr.sbin/relayd/Makefile index 90fd808148e..7c958cd8a9c 100644 
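Review bot: The three added `print STDERR` statements in child are evidently what the new `loggrep => 'Issuer.*/OU=ca/'` and `'Issuer.*/OU=relay/'` checks in the args files match against, yet nothing in the block says so, so a later cleanup of this debug output would silently break those tests; a comment above the `if` such as `# log negotiated TLS parameters and the peer cert so tests can loggrep the issuer` would tie the two together. The `Issuer` text presumably comes from the output of `dump_peer_certificate()`, which is not shown here. Server.pm's child receives the same uncommented block in this commit and should carry the same comment. sub child starts above the hunk.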
--- a/regress/usr.sbin/relayd/Makefile +++ b/regress/usr.sbin/relayd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.10 2014/12/31 01:25:07 bluhm Exp $ +# $OpenBSD: Makefile,v 1.11 2015/05/22 19:09:18 bluhm Exp $ # The following ports must be installed for the regression tests: # p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets @@ -67,7 +67,7 @@ run-regress-$a: $a # create certificates for TLS .for ip in ${REMOTE_ADDR} 127.0.0.1 -${ip}.crt: +${ip}.crt: ca.crt openssl req -batch -new -subj /L=OpenBSD/O=relayd-regress/OU=relay/CN=${ip}/ -nodes -newkey rsa -keyout ${ip}.key -x509 -out $@ .if empty (REMOTE_SSH) ${SUDO} cp 127.0.0.1.crt /etc/ssl/ @@ -75,6 +75,7 @@ ${ip}.crt: .else scp ${REMOTE_ADDR}.crt root@${REMOTE_SSH}:/etc/ssl/ scp ${REMOTE_ADDR}.key root@${REMOTE_SSH}:/etc/ssl/private/ + scp ca.crt ca.key ${REMOTE_SSH}: .endif .endfor diff --git a/regress/usr.sbin/relayd/Relayd.pm b/regress/usr.sbin/relayd/Relayd.pm index 1328978471e..d4fdbf0bfac 100644 --- a/regress/usr.sbin/relayd/Relayd.pm +++ b/regress/usr.sbin/relayd/Relayd.pm @@ -1,6 +1,6 @@ -# $OpenBSD: Relayd.pm,v 1.14 2015/05/17 22:49:03 bluhm Exp $ +# $OpenBSD: Relayd.pm,v 1.15 2015/05/22 19:09:18 bluhm Exp $ -# Copyright (c) 2010-2014 Alexander Bluhm +# Copyright (c) 2010-2015 Alexander Bluhm # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -72,6 +72,11 @@ sub new { die ref($self), " invalid forward $self->{forward}" unless grep { /splice/ } @protocol; print $fh "${proto}protocol proto-$test {"; + if ($self->{inspectssl}) { + $self->{listenssl} = $self->{forwardssl} = 1; + print $fh "\n\ttls ca cert ca.crt"; + print $fh "\n\ttls ca key ca.key password ''"; + } # substitute variables in config file foreach (@protocol) { s/(\$[a-z]+)/$1/eeg; diff --git a/regress/usr.sbin/relayd/Server.pm b/regress/usr.sbin/relayd/Server.pm index a860eeb82e5..0ab32b7e5e2 100644 
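Review bot: `scp ca.crt ca.key ${REMOTE_SSH}:` copies the CA private key that relayd will sign inspected certificates with (per the `tls ca key ca.key` line Relayd.pm emits) into the remote login user's home directory, while the per-address key on the line above goes to `root@${REMOTE_SSH}:/etc/ssl/private/`; without `-p` the remote file's mode follows the remote umask, so the key is likely readable by other accounts on that host. `scp -p ca.crt ca.key ${REMOTE_SSH}:` keeps the local mode, and a comment such as `# regress-only CA; key is intentionally unencrypted` would mark it as a throwaway fixture. The new prerequisite `${ip}.crt: ca.crt` in the first hunk refers to a `ca.crt` target that is not part of this diff; it presumably exists elsewhere in the Makefile, but that cannot be confirmed from here. Both hunks sit inside the `.for ip` loop, which opens in the first hunk and closes at the `.endfor` ending the second.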
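Review bot: The assignment `$self->{listenssl} = $self->{forwardssl} = 1;` is made while the protocol block is already being written, after the `die ... unless grep { /splice/ }` check; if any code earlier in new (outside this hunk) has already consulted listenssl or forwardssl, inspectssl would not take effect there, so the ordering deserves a comment, e.g. `# inspection terminates TLS on both legs; set before the relay listen/forward lines are emitted` if that is indeed where the flags are read. `password ''` records that ca.key is stored unencrypted, which is fine for a regress fixture but worth a one-line comment so the snippet is not copied into a real configuration. sub new starts before the hunk and continues past it.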
--- a/regress/usr.sbin/relayd/Server.pm +++ b/regress/usr.sbin/relayd/Server.pm @@ -1,6 +1,6 @@ -# $OpenBSD: Server.pm,v 1.7 2014/12/31 01:25:07 bluhm Exp $ +# $OpenBSD: Server.pm,v 1.8 2015/05/22 19:09:18 bluhm Exp $ -# Copyright (c) 2010-2014 Alexander Bluhm +# Copyright (c) 2010-2015 Alexander Bluhm # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -67,6 +67,12 @@ sub child { " socket accept failed: $!,$SSL_ERROR"; print STDERR "accept sock: ",$as->sockhost()," ",$as->sockport(),"\n"; print STDERR "accept peer: ",$as->peerhost()," ",$as->peerport(),"\n"; + if ($self->{ssl}) { + print STDERR "ssl version: ",$as->get_sslversion(),"\n"; + print STDERR "ssl cipher: ",$as->get_cipher(),"\n"; + print STDERR "ssl peer certificate:\n", + $as->dump_peer_certificate(); + } *STDIN = *STDOUT = $self->{as} = $as; } diff --git a/regress/usr.sbin/relayd/args-https-inspect.pl b/regress/usr.sbin/relayd/args-https-inspect.pl new file mode 100644 index 00000000000..5db6c695ab9 --- /dev/null +++ b/regress/usr.sbin/relayd/args-https-inspect.pl @@ -0,0 +1,27 @@ +# test https connection over http relay with TLS inspection + +use strict; +use warnings; + +our %args = ( + client => { + func => \&http_client, + ssl => 1, + loggrep => 'Issuer.*/OU=ca/', + }, + relayd => { + protocol => [ "http", + "match request header log foo", + "match response header log bar", + ], + inspectssl => 1, + }, + server => { + func => \&http_server, + ssl => 1, + }, + len => 251, + md5 => "bc3a3f39af35fe5b1687903da2b00c7f", +); + +1; diff --git a/regress/usr.sbin/relayd/args-https.pl b/regress/usr.sbin/relayd/args-https.pl index ed2c9212406..325eaead08b 100644 --- a/regress/usr.sbin/relayd/args-https.pl +++ b/regress/usr.sbin/relayd/args-https.pl @@ -7,6 +7,7 @@ our %args = ( client => { func => \&http_client, ssl => 1, + loggrep => 'Issuer.*/OU=relay/', }, relayd => { protocol => [ "http", 
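Review bot: On the accept side the TLS peer is whoever connects to the server (relayd when inspection is on), and a TLS client presents no certificate unless the server requests one, so `$as->dump_peer_certificate()` on the new lines may have nothing to dump; if it returns undef, the `print STDERR` emits a "Use of uninitialized value" warning under `use warnings` and the log line is empty. Whether Net::SSLeay returns undef or an empty string in that case is not visible here; `print STDERR "ssl peer certificate:\n", $as->dump_peer_certificate() // "";` covers both, or a comment stating that no client certificate is expected on this side. sub child starts above the hunk.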
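Review bot: The only assertion specific to inspection is `loggrep => 'Issuer.*/OU=ca/'`, which proves the client received a certificate issued by the regress CA but not that relayd preserved the original server subject (the `/OU=relay/CN=${ip}/` the Makefile generates), so a relayd that re-signed with the wrong subject would still pass. If the harness's loggrep accepts more than one pattern, a second match on the Subject line would pin that; otherwise a comment on the loggrep line stating what the issuer match is meant to prove, e.g. `# client must see a cert re-signed by ca.crt, not the relay's own cert`, would at least make the intent explicit. args-ssl-inspect.pl in this commit has the same single assertion and the same gap.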
diff --git a/regress/usr.sbin/relayd/args-ssl-inspect.pl b/regress/usr.sbin/relayd/args-ssl-inspect.pl
new file mode 100644
index 00000000000..3c360494eaa
--- /dev/null
+++ b/regress/usr.sbin/relayd/args-ssl-inspect.pl
@@ -0,0 +1,21 @@
+# test both client and server ssl connection with TLS inspection
+
+use strict;
+use warnings;
+
+our %args = (
+ client => {
+ ssl => 1,
+ loggrep => 'Issuer.*/OU=ca/',
+ },
+ relayd => {
+ inspectssl => 1,
+ },
+ server => {
+ ssl => 1,
+ },
+ len => 251,
+ md5 => "bc3a3f39af35fe5b1687903da2b00c7f",
+);
+
+1;
diff --git a/regress/usr.sbin/relayd/args-ssl.pl b/regress/usr.sbin/relayd/args-ssl.pl
index 31a9e58b1c0..e75c68ebd3b 100644
--- a/regress/usr.sbin/relayd/args-ssl.pl
+++ b/regress/usr.sbin/relayd/args-ssl.pl
@@ -6,6 +6,7 @@ use warnings;
 our %args = (
 client => {
 ssl => 1,
+ loggrep => 'Issuer.*/OU=relay/',
 },
 relayd => {
 forwardssl => 1,
-- 
2.20.1