Commit 7b0017ad authored by Isaac Boukris's avatar Isaac Boukris
Browse files

ITS#9189 add channel-bindings tests

parent 3cd50fa8
......@@ -63,3 +63,6 @@ rootpw secret
sasl-realm @KRB5REALM@
sasl-host localhost
database config
rootpw secret
......@@ -142,3 +142,11 @@ if test $RC != 0 ; then
exit 0
fi
fi
HAVE_SASL_GSS_CBIND=no
grep CHANNEL_BINDING $TESTDIR/plugin_out > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
HAVE_SASL_GSS_CBIND=yes
fi
......@@ -88,6 +88,28 @@ else
echo "success"
fi
# Exercise channel-bindings code in builds without SASL support
for cb in "none" "tls-unique" "tls-endpoint" ; do
echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
-o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt \
-o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key \
-o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1 \
> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $PID
exit $RC
else
echo "success"
fi
done
test $KILLSERVERS != no && kill -HUP $KILLPIDS
if test $RC != 0 ; then
......
......@@ -21,7 +21,10 @@ if test $WITH_SASL = no ; then
exit 0
fi
mkdir -p $TESTDIR $DBDIR1
SLAPTEST="$TESTWD/../servers/slapd/slaptest"
CONFDIR=$TESTDIR/slapd.d
mkdir -p $TESTDIR $DBDIR1 $CONFDIR
cp -r $DATADIR/tls $TESTDIR
cd $TESTWD
......@@ -32,7 +35,8 @@ echo "Starting KDC for SASL/GSSAPI tests..."
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
$SLAPADD -f $CONF1 -l $LDIFORDERED
$SLAPTEST -f $CONF1 -F $CONFDIR
$SLAPADD -F $CONFDIR -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
......@@ -41,7 +45,7 @@ if test $RC != 0 ; then
fi
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
......@@ -144,6 +148,79 @@ else
fi
fi
if test $WITH_TLS = no ; then
echo "TLS support not available, skipping channe-binding test"
elif test $HAVE_SASL_GSS_CBIND = no ; then
echo "SASL has no channel-binding support in GSSAPI, test skipped"
else
echo "Testing SASL/GSSAPI with SASL_CBINDING..."
for acb in "none" "tls-unique" "tls-endpoint" ; do
echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
$LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
dn: cn=config
changetype: modify
replace: olcSaslCBinding
olcSaslCBinding: ${acb}
EOF
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
for icb in "none" "tls-unique" "tls-endpoint" ; do
# The gnutls implemantation of "tls-unique" seems broken
if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
if test $WITH_TLS_TYPE == gnutls ; then
continue
fi
fi
fail="no"
if test $icb != $acb -a $acb != "none" ; then
# This currently fails in MIT, but it is planned to be
# fixed not to fail like in heimdal - avoid testing.
if test $icb = "none" ; then
continue
fi
# Otherwise unmatching bindings are expected to fail.
fail="yes"
fi
echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
echo -ne "(client: ${icb},\tserver: ${acb}): "
$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
-o SASL_CBINDING=$icb > $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
if test $fail = "no" ; then
echo "test failed ($RC)!"
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
elif test $fail = "yes" ; then
echo "failed: command succeeded unexpectedly."
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit 1
fi
echo "success"
RC=0
done
done
fi
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment