From 2bccb94a3de8be12b5235c936583de633a6fef4c Mon Sep 17 00:00:00 2001
From: bluhm
Date: Wed, 31 Dec 2014 01:25:07 +0000
Subject: [PATCH] Create CA and certificates for TLS tests consistently. Better logging of SSL errors. Do not import unneeded Socket constants.
---
regress/usr.sbin/relayd/Client.pm | 6 +++---
regress/usr.sbin/relayd/Makefile | 21 ++++++++++++++-------
regress/usr.sbin/relayd/Server.pm | 14 +++++++-------
regress/usr.sbin/syslogd/Makefile | 25 +++++++++++++------------
regress/usr.sbin/syslogd/Server.pm | 12 ++++++------
5 files changed, 43 insertions(+), 35 deletions(-)
diff --git a/regress/usr.sbin/relayd/Client.pm b/regress/usr.sbin/relayd/Client.pm
index 8a8a95f3593..8d4edd84df6 100644
--- a/regress/usr.sbin/relayd/Client.pm
+++ b/regress/usr.sbin/relayd/Client.pm
@@ -1,6 +1,6 @@
-# $OpenBSD: Client.pm,v 1.8 2014/07/11 15:38:44 bluhm Exp $
+# $OpenBSD: Client.pm,v 1.9 2014/12/31 01:25:07 bluhm Exp $
-# Copyright (c) 2010-2012 Alexander Bluhm
+# Copyright (c) 2010-2014 Alexander Bluhm
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -20,7 +20,7 @@ use warnings;
 package Client;
 use parent 'Proc';
 use Carp;
-use Socket qw(IPPROTO_TCP TCP_NODELAY);
+use Socket;
 use Socket6;
 use IO::Socket;
 use IO::Socket::INET6;
diff --git a/regress/usr.sbin/relayd/Makefile b/regress/usr.sbin/relayd/Makefile
index 1033fb21508..90fd808148e 100644
--- a/regress/usr.sbin/relayd/Makefile
+++ b/regress/usr.sbin/relayd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.9 2014/07/11 20:41:20 bluhm Exp $
+# $OpenBSD: Makefile,v 1.10 2014/12/31 01:25:07 bluhm Exp $
 # The following ports must be installed for the regression tests:
 # p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets
@@ -34,7 +34,8 @@ REMOTE_SSH ?=
 ARGS != cd ${.CURDIR} && ls args-*.pl
 TARGETS ?= ${ARGS}
 REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/}
-CLEANFILES += *.log *.pem *.crt *.key relayd.conf ktrace.out stamp-*
+CLEANFILES += *.log relayd.conf ktrace.out stamp-*
+CLEANFILES += *.pem *.req *.crt *.key *.srl
 # Set variables so that make runs with and without obj directory.
 # Only do that if necessary to keep visible output short.
@@ -63,11 +64,11 @@ run-regress-$a: $a
 .endif
 .endfor
-# create the certificates for SSL
+# create certificates for TLS
 .for ip in ${REMOTE_ADDR} 127.0.0.1
 ${ip}.crt:
- openssl req -batch -new -nodes -newkey rsa -keyout ${ip}.key -subj /CN=${ip}/ -x509 -out $@
+ openssl req -batch -new -subj /L=OpenBSD/O=relayd-regress/OU=relay/CN=${ip}/ -nodes -newkey rsa -keyout ${ip}.key -x509 -out $@
 .if empty (REMOTE_SSH)
 ${SUDO} cp 127.0.0.1.crt /etc/ssl/
 ${SUDO} cp 127.0.0.1.key /etc/ssl/private/
@@ -77,10 +78,16 @@ ${ip}.crt:
 .endif
 .endfor
-server-cert.pem:
- openssl req -batch -new -nodes -newkey rsa -keyout server-key.pem -subj /CN=localhost/ -x509 -out $@
+ca.crt:
+ openssl req -batch -new -subj /L=OpenBSD/O=relayd-regress/OU=ca/CN=root/ -nodes -newkey rsa -keyout ca.key -x509 -out ca.crt
-${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server-cert.pem
+server.req:
+ openssl req -batch -new -subj /L=OpenBSD/O=relayd-regress/OU=server/CN=localhost/ -nodes -newkey rsa -keyout server.key -out server.req
+
+server.crt: ca.crt server.req
+ openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in server.req -out server.crt
+
+${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt
 .if empty (REMOTE_SSH)
 ${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: 127.0.0.1.crt
 .else
diff --git a/regress/usr.sbin/relayd/Server.pm b/regress/usr.sbin/relayd/Server.pm
index 70a492aeb79..a860eeb82e5 100644
--- a/regress/usr.sbin/relayd/Server.pm
+++ b/regress/usr.sbin/relayd/Server.pm
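Review bot: None of the three new openssl invocations in the `@@ -77,10 +78,16 @@` hunk passes `-days`, so both the self-signed `ca.crt` and the `server.crt` issued by `openssl x509 -req` get OpenSSL's default 30-day validity; because the generated files survive until `make clean`, an obj directory older than a month would start failing any handshake that checks certificate dates, which is hard to diagnose from a TLS error string. Give the fixtures an explicit lifetime, e.g. `openssl x509 -req -days 365 -CAcreateserial -CAkey ca.key -CA ca.crt -in server.req -out server.crt` and `-days 365` on the two `openssl req -x509` lines (the `${ip}.crt` rule in the preceding hunk has the same default). The identical `ca.crt`/`server.req`/`server.crt` rules in the syslogd Makefile hunk `@@ -65,18 +66,18 @@` need the same change. Also, `server.key` is only produced as a side effect of the `server.req` rule and is not a prerequisite of `server.crt`, so a missing key is not regenerated until `server.req` itself is rebuilt.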
@@ -1,6 +1,6 @@
-# $OpenBSD: Server.pm,v 1.6 2014/07/10 10:19:06 bluhm Exp $
+# $OpenBSD: Server.pm,v 1.7 2014/12/31 01:25:07 bluhm Exp $
-# Copyright (c) 2010-2012 Alexander Bluhm
+# Copyright (c) 2010-2014 Alexander Bluhm
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -20,7 +20,7 @@ use warnings;
 package Server;
 use parent 'Proc';
 use Carp;
-use Socket qw(IPPROTO_TCP TCP_NODELAY);
+use Socket;
 use Socket6;
 use IO::Socket;
 use IO::Socket::INET6;
@@ -43,8 +43,8 @@ sub new {
 Listen => 1,
 $self->{listenaddr} ? (LocalAddr => $self->{listenaddr}) : (),
 $self->{listenport} ? (LocalPort => $self->{listenport}) : (),
- SSL_key_file => "server-key.pem",
- SSL_cert_file => "server-cert.pem",
+ SSL_key_file => "server.key",
+ SSL_cert_file => "server.crt",
 SSL_verify_mode => SSL_VERIFY_NONE,
 ) or die ref($self), " $iosocket socket listen failed: $!,$SSL_ERROR";
 my $log = $self->{log};
@@ -62,9 +62,9 @@ sub child {
 shutdown(\*STDOUT, SHUT_WR);
 delete $self->{as};
- my $iosocket = $self->{ssl} ? "IO::Socket::SSL" : "IO::Socket::INET6";
 my $as = $self->{ls}->accept()
- or die ref($self), " $iosocket socket accept failed: $!";
+ or die ref($self)," ",ref($self->{ls}),
+ " socket accept failed: $!,$SSL_ERROR";
 print STDERR "accept sock: ",$as->sockhost()," ",$as->sockport(),"\n";
 print STDERR "accept peer: ",$as->peerhost()," ",$as->peerport(),"\n";
diff --git a/regress/usr.sbin/syslogd/Makefile b/regress/usr.sbin/syslogd/Makefile
index a40f36d6062..5ffce4a0549 100644
--- a/regress/usr.sbin/syslogd/Makefile
+++ b/regress/usr.sbin/syslogd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2014/12/28 14:08:01 bluhm Exp $
+# $OpenBSD: Makefile,v 1.7 2014/12/31 01:25:07 bluhm Exp $
 # The following ports must be installed for the regression tests:
 # p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets
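Review bot: The new accept() failure message in the `@@ -62,9 +62,9 @@` hunk interpolates `$SSL_ERROR` unconditionally, and for a plain IO::Socket::INET6 listener that variable is presumably still undef, so under the file's `use warnings` the die would be preceded by an uninitialized-value warning that clutters the very log line the change is meant to improve — worth confirming against the IO::Socket::SSL version in use. The construct mirrors the existing listen-failure message in new(), so if that noise is acceptable there it is acceptable here; otherwise `" socket accept failed: $!,", $SSL_ERROR // ""` (Perl 5.10+) keeps the message clean for both socket classes. The same construct appears in the syslogd Server.pm hunk `@@ -66,11 +66,11 @@`. The enclosing child sub starts before this hunk and continues after it.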
@@ -31,8 +31,9 @@ TARGETS ?= ${ARGS}
 TARGETS ?= ${ARGS:Nargs-rsyslog*}
 .endif
 REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/}
-CLEANFILES += *.log *.log.? *.pem *.crt *.key *.conf stamp-*
-CLEANFILES += *.out *.sock ktrace.out *.ktrace *.fstat
+CLEANFILES += *.log *.log.? *.conf ktrace.out stamp-*
+CLEANFILES += *.out *.sock *.ktrace *.fstat
+CLEANFILES += *.pem *.req *.crt *.key *.srl
 .MAIN: all
@@ -65,18 +66,18 @@ run-regress-$a: $a
 time SUDO=${SUDO} KTRACE=${KTRACE} SYSLOGD=${SYSLOGD} perl ${PERLINC} ${PERLPATH}syslogd.pl ${PERLPATH}$a
 .endfor
-# create the certificates for SSL
+# create certificates for TLS
-127.0.0.1.crt:
- openssl req -batch -new -nodes -newkey rsa -keyout 127.0.0.1.key -subj /CN=127.0.0.1/ -x509 -out $@
- ${SUDO} cp 127.0.0.1.crt /etc/ssl/
- ${SUDO} cp 127.0.0.1.key /etc/ssl/private/
+ca.crt:
+ openssl req -batch -new -subj /L=OpenBSD/O=syslogd-regress/OU=ca/CN=root/ -nodes -newkey rsa -keyout ca.key -x509 -out ca.crt
-server-cert.pem:
- openssl req -batch -new -nodes -newkey rsa -keyout server-key.pem -subj /CN=localhost/ -x509 -out $@
+server.req:
+ openssl req -batch -new -subj /L=OpenBSD/O=syslogd-regress/OU=server/CN=localhost/ -nodes -newkey rsa -keyout server.key -out server.req
-${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server-cert.pem
-${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: 127.0.0.1.crt
+server.crt: ca.crt server.req
+ openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in server.req -out server.crt
+
+${REGRESS_TARGETS:M*tls*}: server.crt
 # make perl syntax check for all args files
diff --git a/regress/usr.sbin/syslogd/Server.pm b/regress/usr.sbin/syslogd/Server.pm
index 818e694eba1..6d4c46edb48 100644
--- a/regress/usr.sbin/syslogd/Server.pm
+++ b/regress/usr.sbin/syslogd/Server.pm
@@ -1,4 +1,4 @@
-# $OpenBSD: Server.pm,v 1.3 2014/12/28 14:08:01 bluhm Exp $
+# $OpenBSD: Server.pm,v 1.4 2014/12/31 01:25:07 bluhm Exp $
 # Copyright (c) 2010-2014 Alexander Bluhm
 #
@@ -47,11 +47,11 @@ sub new {
 Domain => $self->{listendomain},
 $self->{listenaddr} ? (LocalAddr => $self->{listenaddr}) : (),
 $self->{listenport} ? (LocalPort => $self->{listenport}) : (),
- SSL_key_file => "server-key.pem",
- SSL_cert_file => "server-cert.pem",
+ SSL_key_file => "server.key",
+ SSL_cert_file => "server.crt",
 SSL_verify_mode => SSL_VERIFY_NONE,
 ) or die ref($self), " $iosocket socket listen failed: $!,$SSL_ERROR";
- if ($self->{listenproto} eq "tcp") {
+ if ($self->{listenproto} ne "udp") {
 listen($ls, 1) or die ref($self), " socket failed: $!";
 }
@@ -66,11 +66,11 @@ sub new {
 sub child {
 my $self = shift;
- my $iosocket = $self->{ssl} ? "IO::Socket::SSL" : "IO::Socket::INET6";
 my $as = $self->{ls};
 if ($self->{listenproto} ne "udp") {
 $as = $self->{ls}->accept()
- or die ref($self), " $iosocket socket accept failed: $!";
+ or die ref($self)," ",ref($self->{ls}),
+ " socket accept failed: $!,$SSL_ERROR";
 print STDERR "accept sock: ",$as->sockhost()," ",
 $as->sockport(),"\n";
 print STDERR "accept peer: ",$as->peerhost()," ",
-- 
2.20.1
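Review bot: The widened condition `if ($self->{listenproto} ne "udp")` in the `@@ -47,11 +47,11 @@` hunk is now the only place that decides which listeners get listen(2), and nothing says why the test is negative rather than naming the stream protocols; a one-line comment above it would spare the next reader a grep through the args files, e.g. `# only udp is datagram based; every other listenproto needs listen(2)`. The syslogd Makefile in this commit adds `${REGRESS_TARGETS:M*tls*}`, so tls is presumably the third listenproto the change is meant to cover — confirm against the args files. The enclosing new sub starts before this hunk and continues after it.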