ITS#9189 add channel-bindings tests

7b0017ad · Isaac Boukris · 3cd50fa8 · 7b0017ad · 7b0017ad · 7b0017ad
Commit 7b0017ad authored Apr 18, 2020 by Isaac Boukris
--- a/tests/data/slapd-sasl-gssapi.conf
+++ b/tests/data/slapd-sasl-gssapi.conf
@@ -63,3 +63,6 @@ rootpw          secret

 sasl-realm	@KRB5REALM@
 sasl-host	localhost
+
+database	config
+rootpw		secret
--- a/tests/scripts/setup_kdc.sh
+++ b/tests/scripts/setup_kdc.sh
@@ -142,3 +142,11 @@ if test $RC != 0 ; then
 		exit 0
 	fi
 fi
+
+HAVE_SASL_GSS_CBIND=no
+
+grep CHANNEL_BINDING $TESTDIR/plugin_out > /dev/null 2>&1
+RC=$?
+if test $RC = 0 ; then
+	HAVE_SASL_GSS_CBIND=yes
+fi
--- a/tests/scripts/test068-sasl-tls-external
+++ b/tests/scripts/test068-sasl-tls-external
@@ -88,6 +88,28 @@ else
 	echo "success"
 fi

+# Exercise channel-bindings code in builds without SASL support
+for cb in "none" "tls-unique" "tls-endpoint" ; do
+
+	echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
+
+	$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt     \
+	-o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt           \
+	-o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key          \
+	-o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1      \
+	> $TESTOUT 2>&1
+
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapwhoami failed ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $PID
+		exit $RC
+	else
+		echo "success"
+	fi
+done
+
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS

 if test $RC != 0 ; then

--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -21,7 +21,10 @@ if test $WITH_SASL = no ; then
        exit 0
 fi

-mkdir -p $TESTDIR $DBDIR1
+SLAPTEST="$TESTWD/../servers/slapd/slaptest"
+CONFDIR=$TESTDIR/slapd.d
+
+mkdir -p $TESTDIR $DBDIR1 $CONFDIR
 cp -r $DATADIR/tls $TESTDIR

 cd $TESTWD
@@ -32,7 +35,8 @@ echo "Starting KDC for SASL/GSSAPI tests..."

 echo "Running slapadd to build slapd database..."
 . $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
-$SLAPADD -f $CONF1 -l $LDIFORDERED
+$SLAPTEST -f $CONF1 -F $CONFDIR
+$SLAPADD -F $CONFDIR -l $LDIFORDERED
 RC=$?
 if test $RC != 0 ; then
 	echo "slapadd failed ($RC)!"
@@ -41,7 +45,7 @@ if test $RC != 0 ; then
 fi

 echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
 PID=$!
 if test $WAIT != 0 ; then
    echo PID $PID
@@ -144,6 +148,79 @@ else
 	fi
 fi

+if test $WITH_TLS = no ; then
+        echo "TLS support not available, skipping channe-binding test"
+elif test $HAVE_SASL_GSS_CBIND = no ; then
+        echo "SASL has no channel-binding support in GSSAPI, test skipped"
+else
+	echo "Testing SASL/GSSAPI with SASL_CBINDING..."
+
+	for acb in "none" "tls-unique" "tls-endpoint" ; do
+
+		echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
+		$LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+replace: olcSaslCBinding
+olcSaslCBinding: ${acb}
+EOF
+		RC=$?
+		if test $RC != 0 ; then
+			echo "ldapmodify failed ($RC)!"
+			kill $KDCPROC
+			test $KILLSERVERS != no && kill -HUP $KILLPIDS
+			exit $RC
+		fi
+
+		for icb in "none" "tls-unique" "tls-endpoint" ; do
+
+			# The gnutls implemantation of "tls-unique" seems broken
+			if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
+				if test $WITH_TLS_TYPE == gnutls  ; then
+					continue
+				fi
+			fi
+
+			fail="no"
+			if test $icb != $acb -a $acb != "none" ; then
+				# This currently fails in MIT, but it is planned to be
+				# fixed not to fail like in heimdal - avoid testing.
+				if test $icb = "none" ; then
+					continue
+				fi
+				# Otherwise unmatching bindings are expected to fail.
+				fail="yes"
+			fi
+
+			echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
+			echo -ne "(client: ${icb},\tserver: ${acb}): "
+
+			$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow	\
+			-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
+			-o SASL_CBINDING=$icb > $TESTOUT 2>&1
+
+			RC=$?
+			if test $RC != 0 ; then
+				if test $fail = "no" ; then
+					echo "test failed ($RC)!"
+					kill $KDCPROC
+					test $KILLSERVERS != no && kill -HUP $KILLPIDS
+					exit $RC
+				fi
+			elif test $fail = "yes" ; then
+				echo "failed: command succeeded unexpectedly."
+				kill $KDCPROC
+				test $KILLSERVERS != no && kill -HUP $KILLPIDS
+				exit 1
+			fi
+
+			echo "success"
+			RC=0
+		done
+	done
+fi
+
+
 kill $KDCPROC
 test $KILLSERVERS != no && kill -HUP $KILLPIDS