
ITS#8573 code for review (command line TLS options)



Attached for review is code to add TLS command line options to the client tools. Included are documentation updates to the manual pages and a related test suite.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
>From cff66313706c607d4df6f074255703da8d87b35a Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Wed, 10 May 2017 10:31:30 +0000
Subject: [PATCH] ITS#8573 TLS options and test suite
---
 clients/tools/common.c                             |  97 +++++++++++++++-
 configure                                          |   4 +
 configure.in                                       |   4 +
 doc/man/man1/ldapcompare.1                         |  10 ++
 doc/man/man1/ldapdelete.1                          |  10 ++
 doc/man/man1/ldapexop.1                            |  10 ++
 doc/man/man1/ldapmodify.1                          |  10 ++
 doc/man/man1/ldapmodrdn.1                          |  10 ++
 doc/man/man1/ldappasswd.1                          |  10 ++
 doc/man/man1/ldapsearch.1                          |  10 ++
 doc/man/man1/ldapwhoami.1                          |  10 ++
 tests/data/slapd-tls-sasl.conf                     |  65 +++++++++++
 tests/data/slapd-tls.conf                          |  61 ++++++++++
 tests/data/tls/ca/certs/testsuiteCA.crt            |  16 +++
 tests/data/tls/ca/private/testsuiteCA.key          |  16 +++
 .../data/tls/certs/bjensen@mailgw.example.com.crt  |  16 +++
 tests/data/tls/certs/localhost.crt                 |  16 +++
 tests/data/tls/conf/openssl.cnf                    | 129 +++++++++++++++++++++
 tests/data/tls/create-crt.sh                       |  78 +++++++++++++
 .../tls/private/bjensen@mailgw.example.com.key     |  16 +++
 tests/data/tls/private/localhost.key               |  16 +++
 tests/run.in                                       |   3 +-
 tests/scripts/defines.sh                           |  21 +++-
 tests/scripts/test067-tls                          | 118 +++++++++++++++++++
 tests/scripts/test068-sasl-tls-external            | 102 ++++++++++++++++
 25 files changed, 855 insertions(+), 3 deletions(-)
 create mode 100644 tests/data/slapd-tls-sasl.conf
 create mode 100644 tests/data/slapd-tls.conf
 create mode 100644 tests/data/tls/ca/certs/testsuiteCA.crt
 create mode 100644 tests/data/tls/ca/private/testsuiteCA.key
 create mode 100644 tests/data/tls/certs/bjensen@mailgw.example.com.crt
 create mode 100644 tests/data/tls/certs/localhost.crt
 create mode 100644 tests/data/tls/conf/openssl.cnf
 create mode 100755 tests/data/tls/create-crt.sh
 create mode 100644 tests/data/tls/private/bjensen@mailgw.example.com.key
 create mode 100644 tests/data/tls/private/localhost.key
 create mode 100755 tests/scripts/test067-tls
 create mode 100755 tests/scripts/test068-sasl-tls-external
diff --git a/clients/tools/common.c b/clients/tools/common.c
index 5eb41aa..00314b4 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -92,6 +92,35 @@ char		*sasl_mech = NULL;
 char		*sasl_secprops = NULL;
 #endif
 
+/* TLS */
+#ifdef HAVE_TLS
+typedef struct tls_options {
+	const char * name;
+	char * value;
+	size_t	offset;
+} tls_options;
+
+tls_options tls_opts[]= {
+	{ "tls-cacertfile", NULL, LDAP_OPT_X_TLS_CACERTFILE },
+	{ "tls-cacertdir", NULL, LDAP_OPT_X_TLS_CACERTDIR },
+	{ "tls-certfile", NULL, LDAP_OPT_X_TLS_CERTFILE },
+	{ "tls-keyfile", NULL, LDAP_OPT_X_TLS_KEYFILE },
+	{ "tls-reqcert", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT },
+	{ "tls-cipher-suite", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE },
+#ifdef HAVE_OPENSSL
+	{ "tls-protocol-min", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN },
+	{ "tls-randfile", NULL, LDAP_OPT_X_TLS_RANDOM_FILE },
+#endif
+#ifdef HAVE_OPENSSL_CRL
+	{ "tls-crl-check", NULL, LDAP_OPT_X_TLS_CRLCHECK },
+#endif
+#ifdef HAVE_GNUTLS
+	{ "tls-crl-file", NULL, LDAP_OPT_X_TLS_CRLFILE },
+#endif
+	{ NULL, NULL, 0 },
+};
+
+#endif
 /* controls */
 int		assertctl;
 char		*assertion = NULL;
@@ -375,8 +404,26 @@ N_("  -n         show what would be done but don't actually do it\n"),
 N_("  -N         do not use reverse DNS to canonicalize SASL host name\n"),
 N_("  -O props   SASL security properties\n"),
 N_("  -o <opt>[=<optparam>] general options\n"),
-N_("             nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
 N_("     
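Review bot: The `size_t offset;` member of struct tls_options does not hold an offset: every initializer in the table is an LDAP_OPT_X_TLS_* option code, and the later hunk hands it to ldap_pvt_tls_config(), whose option parameter is, as far as I recall, an int, so the name misleads and the size_t-to-int narrowing draws a -Wconversion warning. Rename it `int option;` and, since the table is file-scope state shared between tool_args() and tool_conn_setup(), say so above it: `/* -o tls-* options: value is filled in by tool_args(), applied to the global TLS defaults by tool_conn_setup() */`. Unless another translation unit needs tls_opts, make the array `static` like a file-private table.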
        ldif-wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
+N_("             nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
+#ifdef HAVE_TLS
+N_("             tls-cacertfile=<path> (path to CA file for TLS operations)\n"),
+N_("             tls-cacertdir=<path> (path to CA directory for TLS operations)\n"),
+N_("             tls-certfile=<path> (path to public cert file for TLS certificate authentication)\n"),
+N_("             tls-keyfile=<path> (path to private key file for TLS certificate authentication)\n"),
+N_("             tls-reqcert=<level> (check to perform within a TLS session (never, allow, try, demand|hard))\n"),
+N_("             tls-cipher-suite=<cipher-suite-spec> (specifies acceptable cipher suite(s) and preference order)\n"),
+#ifdef HAVE_OPENSSL
+N_("             tls-protocol-min=<major[.<minor>]> (specifies minimum TLS protocol version to negotiate))\n"),
+N_("             tls-randfile=<path> (file to obtain random bits from when /dev/[u]random is not available)\n"),
+#endif
+#ifdef HAVE_OPENSSL_CRL
+N_("             tls-crl-check=<level> (specifies if CRL of CA should be used for server certs (none, peer, all))\n"),
+#endif
+#ifdef HAVE_GNUTLS
+N_("             tls-crl-file=<path> (specifies the file containing a CRL to be used for verification of server certs)\n"),
+#endif
+#endif /* HAVE_TLS */
 N_("  -p port    port on LDAP server\n"),
 N_("  -Q         use SASL Quiet mode\n"),
 N_("  -R realm   SASL realm\n"),
@@ -884,6 +931,24 @@ tool_args( int argc, char **argv )
 					ldif_wrap = (ber_len_t)u;
 				}
 
+#ifdef HAVE_TLS
+			} else if (strstr(control, "tls-")) {
+				int i;
+				for ( i = 0; tls_opts[ i ].name != NULL; i++ ) {
+					if ( strcasecmp( control, tls_opts[ i ].name ) == 0 ) {
+						if ( tls_opts[ i ].value != NULL ) {
+							fprintf( stderr, "%s option previously specified\n", control );
+						}
+						if( cvalue == NULL || cvalue[0] == '\0' ) {
+							fprintf( stderr, "%s: option value expected\n", control );
+							usage();
+						
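Review bot: The tls-protocol-min help line closes two parentheses, `negotiate))\n`, where only one was opened; it should read `(specifies minimum TLS protocol version to negotiate)\n`. The same option is spelled `<major.[.minor]>` in every man page hunk of this patch, which does not match the `<major[.<minor>]>` form used here; pick one spelling for both. The usage text array starts and ends outside the hunk.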
}
+						tls_opts[ i ].value = ber_strdup( cvalue );
+						break;
+					}
+				}
+#endif /* HAVE_TLS */
+
 			} else {
 				fprintf( stderr, "Invalid general option name: %s\n",
 					control );
@@ -1215,6 +1280,10 @@ tool_conn_setup( int dont, void (*private_setup)( LDAP * ) )
 {
 	LDAP *ld = NULL;
 
+#ifdef HAVE_TLS
+	int need_tls_ctx = 0;
+#endif
+
 	if ( debug ) {
 		if( ber_set_option( NULL, LBER_OPT_DEBUG_LEVEL, &debug )
 			!= LBER_OPT_SUCCESS )
@@ -1230,6 +1299,32 @@ tool_conn_setup( int dont, void (*private_setup)( LDAP * ) )
 		}
 	}
 
+#ifdef HAVE_TLS
+		int i;
+		for ( i = 0; tls_opts[ i ].name != NULL; i++ ) {
+			if (tls_opts[ i ].value) {
+				if ( ldap_pvt_tls_config( NULL, tls_opts[ i ].offset, tls_opts[ i ].value )
+					!= LDAP_OPT_SUCCESS )
+				{
+					fprintf( stderr, "Could not set option %s to %s\n",
+						tls_opts[ i ].name, tls_opts[ i ].value);
+					tool_exit( ld, EXIT_FAILURE );
+				}
+				need_tls_ctx = 1;
+			}
+		}
+
+		if ( need_tls_ctx ) {
+			int new_ctx = 0;
+			if ( ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &new_ctx)
+				!= LDAP_OPT_SUCCESS )
+			{
+				fprintf( stderr, "Could not set LDAP_OPT_X_TLS_NEWCTX\n");
+				tool_exit( ld, EXIT_FAILURE );
+			}
+		}
+
+#endif /* HAVE_TLS */
 #ifdef SIGPIPE
 	(void) SIGNAL( SIGPIPE, SIG_IGN );
 #endif
diff --git a/configure b/configure
index 620260e..574f9bc 100755
--- a/configure
+++ b/configure
@@ -761,6 +761,7 @@ AUTH_LIBS
 LIBSLAPI
 SLAPI_LIBS
 MODULES_LIBS
+WITH_TLS_TYPE
 TLS_LIBS
 SASL_LIBS
 KRB5_LIBS
@@ -5223,6 +5224,7 @@ KRB4_LIBS=
 KRB5_LIBS=
 SASL_LIBS=
 TLS_LIBS=
+WITH_TLS_TYPE=
 MODULES_LIBS=
 SLAPI_LIBS=
 LIBSLAPI=
@@ -15656,6 +15658,7 @@ fi
 		if test $have_openssl = yes ; then
 			ol_with_tls=openssl
 			ol_link_tls=yes
+			WITH_TLS_TYPE=openssl
 
 
 $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
@@ -15790,6 +15793,7 @@ fi
 			if test $have_gnutls = yes ; then
 				ol_with_tls=gnutls
 				ol_link_tls=yes
+				WITH_TLS_TYPE=gnutls
 
 				TLS_LIBS="-lgnutls"
 
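Review bot: An option name that contains "tls-" but matches no table entry is silently dropped: the `else if (strstr(control, "tls-"))` branch claims it, the for loop finds nothing, and control continues after the loop, so a typo such as `-o tls-reqcert-level=hard` never reaches the "Invalid general option name" branch and the user gets no error for a verification setting that was not applied. The branch should also select on the prefix only, since strstr() matches "tls-" anywhere in the name. The "previously specified" message is informational and the earlier ber_strdup() result is then overwritten and leaked; either release it with ber_memfree() before the reassignment or treat the duplicate as an error like the missing-value case. tool_args() starts and ends outside this hunk.
```c
#ifdef HAVE_TLS
			} else if ( strncasecmp( control, "tls-", sizeof( "tls-" ) - 1 ) == 0 ) {
				int i;
				for ( i = 0; tls_opts[ i ].name != NULL; i++ ) {
					if ( strcasecmp( control, tls_opts[ i ].name ) == 0 ) {
						/* … unchanged: duplicate check, missing-value check, ber_strdup … */
						break;
					}
				}
				if ( tls_opts[ i ].name == NULL ) {
					/* "tls-" prefix but no table entry: report it like any other bad -o name */
					fprintf( stderr, "Invalid general option name: %s\n", control );
					usage();
				}
#endif /* HAVE_TLS */
```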
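Review bot: `int i;` at the top of the new tool_conn_setup() block is a declaration after statements, and the whole block is indented one tab deeper than the surrounding code (compare the `(void) SIGNAL` context line); declare `i` beside `need_tls_ctx` in the earlier hunk and dedent the block. The `ld` passed to ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, …) and to tool_exit() appears to still be the NULL it was initialised to at function entry, since this hunk sits before the SIGPIPE setup and nothing visible assigns it; if that is intended, say so with `/* ld is not created yet: these calls configure the library-global TLS defaults that ldap_initialize() will inherit */`, otherwise a later reader will "fix" the NULL. The rest of tool_conn_setup() lies outside the hunk.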
diff --git a/configure.in b/configure.in
index 5bb2c11..19e9b39 100644
--- a/configure.in
+++ b/configure.in
@@ -610,6 +610,7 @@ KRB4_LIBS=
 KRB5_LIBS=
 SASL_LIBS=
 TLS_LIBS=
+WITH_TLS_TYPE=
 MODULES_LIBS=
 SLAPI_LIBS=
 LIBSLAPI=
@@ -1198,6 +1199,7 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
 		if test $have_openssl = yes ; then
 			ol_with_tls=openssl
 			ol_link_tls=yes
+			WITH_TLS_TYPE=openssl
 
 			AC_DEFINE(HAVE_OPENSSL, 1, 
 				[define if you have OpenSSL])
@@ -1238,6 +1240,7 @@ if test $ol_link_tls = no ; then
 			if test $have_gnutls = yes ; then
 				ol_with_tls=gnutls
 				ol_link_tls=yes
+				WITH_TLS_TYPE=gnutls
 
 				TLS_LIBS="-lgnutls"
 
@@ -3243,6 +3246,7 @@ AC_SUBST(KRB4_LIBS)
 AC_SUBST(KRB5_LIBS)
 AC_SUBST(SASL_LIBS)
 AC_SUBST(TLS_LIBS)
+AC_SUBST(WITH_TLS_TYPE)
 AC_SUBST(MODULES_LIBS)
 AC_SUBST(SLAPI_LIBS)
 AC_SUBST(LIBSLAPI)
diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
index e569deb..55865e9 100644
--- a/doc/man/man1/ldapcompare.1
+++ b/doc/man/man1/ldapcompare.1
@@ -192,6 +192,16 @@ General options:
 .nf
   nettimeout=<timeout>  (in seconds, or "none" or "max")
   ldif-wrap=<width>     (in columns, or "no" for no wrapping)
+  tls-cacertfile=<path> (path to CA file for TLS operations)
+  tls-cacertdir=<path>  (path to CA directory for TLS operations)
+  tls-certfile=<path>   (path to public cert file for TLS certificate authentication)
+  tls-keyfile=<path>    (path to private key file for TLS certificate authentication)
+  tls-reqcert=<level>   (never, allow, try, demand|hard)
+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher suite(s) and preference order)
+  tls-protocol-min=<major.[.minor]>  (minimum TLS protocol version to negotiate. OpenSSL only)
+  tls-randfile=<path>   (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)
+  tls-crl-check=<level> (none, peer, all. OpenSSL only)
+  tls-crl-file=<path>   (file containing a CRL to be used for verification of server certs. 
GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1index 1203beb..d78dbc8 100644--- a/doc/man/man1/ldapdelete.1+++ b/doc/man/man1/ldapdelete.1@@ -198,6 +198,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  tls-cacertfile=<path> (path to CA file for TLS operations)+  tls-cacertdir=<path>  (path to CA directory for TLS operations)+  tls-certfile=<path>   (path to public cert file for TLS certificate authentication)+  tls-keyfile=<path>    (path to private key file for TLS certificate authentication)+  tls-reqcert=<level>   (never, allow, try, demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  tls-crl-file=<path>   (file containing a CRL to be used for verification of server certs. 
GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1index 0264507..daa26ef 100644--- a/doc/man/man1/ldapexop.1+++ b/doc/man/man1/ldapexop.1@@ -195,6 +195,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  tls-cacertfile=<path> (path to CA file for TLS operations)+  tls-cacertdir=<path>  (path to CA directory for TLS operations)+  tls-certfile=<path>   (path to public cert file for TLS certificate authentication)+  tls-keyfile=<path>    (path to private key file for TLS certificate authentication)+  tls-reqcert=<level>   (never, allow, try, demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  tls-crl-file=<path>   (file containing a CRL to be used for verification of server certs. 
GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1index 84473bc..ef80578 100644--- a/doc/man/man1/ldapmodify.1+++ b/doc/man/man1/ldapmodify.1@@ -261,6 +261,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  tls-cacertfile=<path> (path to CA file for TLS operations)+  tls-cacertdir=<path>  (path to CA directory for TLS operations)+  tls-certfile=<path>   (path to public cert file for TLS certificate authentication)+  tls-keyfile=<path>    (path to private key file for TLS certificate authentication)+  tls-reqcert=<level>   (never, allow, try, demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  tls-crl-file=<path>   (file containing a CRL to be used for verification of server certs. 
GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1index 644bd63..9a1f6a5 100644--- a/doc/man/man1/ldapmodrdn.1+++ b/doc/man/man1/ldapmodrdn.1@@ -192,6 +192,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  tls-cacertfile=<path> (path to CA file for TLS operations)+  tls-cacertdir=<path>  (path to CA directory for TLS operations)+  tls-certfile=<path>   (path to public cert file for TLS certificate authentication)+  tls-keyfile=<path>    (path to private key file for TLS certificate authentication)+  tls-reqcert=<level>   (never, allow, try, demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  tls-crl-file=<path>   (file containing a CRL to be used for verification of server certs. 
GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1index 357442c..74ac9ed 100644--- a/doc/man/man1/ldappasswd.1+++ b/doc/man/man1/ldappasswd.1@@ -194,6 +194,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  tls-cacertfile=<path> (path to CA file for TLS operations)+  tls-cacertdir=<path>  (path to CA directory for TLS operations)+  tls-certfile=<path>   (path to public cert file for TLS certificate authentication)+  tls-keyfile=<path>    (path to private key file for TLS certificate authentication)+  tls-reqcert=<level>   (never, allow, try, demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  tls-crl-file=<path>   (file containing a CRL to be used for verification of server certs. 
GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1index 2980c65..62b7116 100644--- a/doc/man/man1/ldapsearch.1+++ b/doc/man/man1/ldapsearch.1@@ -338,6 +338,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  tls-cacertfile=<path> (path to CA file for TLS operations)+  tls-cacertdir=<path>  (path to CA directory for TLS operations)+  tls-certfile=<path>   (path to public cert file for TLS certificate authentication)+  tls-keyfile=<path>    (path to private key file for TLS certificate authentication)+  tls-reqcert=<level>   (never, allow, try, demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  tls-crl-file=<path>   (file containing a CRL to be used for verification of server certs. 
GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1index f92e116..22209a9 100644--- a/doc/man/man1/ldapwhoami.1+++ b/doc/man/man1/ldapwhoami.1@@ -149,6 +149,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  tls-cacertfile=<path> (path to CA file for TLS operations)+  tls-cacertdir=<path>  (path to CA directory for TLS operations)+  tls-certfile=<path>   (path to public cert file for TLS certificate authentication)+  tls-keyfile=<path>    (path to private key file for TLS certificate authentication)+  tls-reqcert=<level>   (never, allow, try, demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  tls-crl-file=<path>   (file containing a CRL to be used for verification of server certs. 
GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/tests/data/slapd-tls-sasl.conf b/tests/data/slapd-tls-sasl.confnew file mode 100644index 0000000..f4bb077--- /dev/null+++ b/tests/data/slapd-tls-sasl.conf@@ -0,0 +1,65 @@+# stand-alone slapd config -- for testing (with indexing)+# $OpenLDAP$+## This work is part of OpenLDAP Software <http://www.openldap.org/>.+##+## Copyright 1998-2017 The OpenLDAP Foundation.+## All rights reserved.+##+## Redistribution and use in source and binary forms, with or without+## modification, are permitted only as authorized by the OpenLDAP+## Public License.+##+## A copy of this license is available in the file LICENSE in the+## top-level directory of the distribution or, alternatively, at+## <http://www.OpenLDAP.org/license.html>.++#+include		@SCHEMADIR@/core.schema+include		@SCHEMADIR@/cosine.schema+#+include		@SCHEMADIR@/corba.schema+include		@SCHEMADIR@/java.schema+include		@SCHEMADIR@/inetorgperson.schema+include		@SCHEMADIR@/misc.schema+include		@SCHEMADIR@/nis.schema+include		@SCHEMADIR@/openldap.schema+#+include		@SCHEMADIR@/duaconf.schema+include		@SCHEMADIR@/dyngroup.schema+include		@SCHEMADIR@/ppolicy.schema++#+pidfile		@TESTDIR@/slapd.1.pid+argsfile	@TESTDIR@/slapd.1.args++# SSL configuration+TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt+TLSVerifyClient hard++#+rootdse 	@DATADIR@/rootdse.ldif++#mod#modulepath	../servers/slapd/back-@BACKEND@/+#mod#moduleload	back_@BACKEND@.la+#monitormod#modulepath ../servers/slapd/back-monitor/+#monitormod#moduleload back_monitor.la++authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1)++#######################################################################+# database definitions+#######################################################################++database	
@BACKEND@+suffix          "dc=example,dc=com"+rootdn          "cn=Manager,dc=example,dc=com"+rootpw          secret+#~null~#directory	@TESTDIR@/db.1.a+#indexdb#index		objectClass eq+#indexdb#index		mail eq+#ndb#dbname db_1_a+#ndb#include @DATADIR@/ndb.conf++#monitor#database	monitordiff --git a/tests/data/slapd-tls.conf b/tests/data/slapd-tls.confnew file mode 100644index 0000000..6a77855--- /dev/null+++ b/tests/data/slapd-tls.conf@@ -0,0 +1,61 @@+# stand-alone slapd config -- for testing (with indexing)+# $OpenLDAP$+## This work is part of OpenLDAP Software <http://www.openldap.org/>.+##+## Copyright 1998-2017 The OpenLDAP Foundation.+## All rights reserved.+##+## Redistribution and use in source and binary forms, with or without+## modification, are permitted only as authorized by the OpenLDAP+## Public License.+##+## A copy of this license is available in the file LICENSE in the+## top-level directory of the distribution or, alternatively, at+## <http://www.OpenLDAP.org/license.html>.++#+include		@SCHEMADIR@/core.schema+include		@SCHEMADIR@/cosine.schema+#+include		@SCHEMADIR@/corba.schema+include		@SCHEMADIR@/java.schema+include		@SCHEMADIR@/inetorgperson.schema+include		@SCHEMADIR@/misc.schema+include		@SCHEMADIR@/nis.schema+include		@SCHEMADIR@/openldap.schema+#+include		@SCHEMADIR@/duaconf.schema+include		@SCHEMADIR@/dyngroup.schema+include		@SCHEMADIR@/ppolicy.schema++#+pidfile		@TESTDIR@/slapd.1.pid+argsfile	@TESTDIR@/slapd.1.args++# SSL configuration+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt++#+rootdse 	@DATADIR@/rootdse.ldif++#mod#modulepath	../servers/slapd/back-@BACKEND@/+#mod#moduleload	back_@BACKEND@.la+#monitormod#modulepath ../servers/slapd/back-monitor/+#monitormod#moduleload back_monitor.la++#######################################################################+# database definitions+#######################################################################++database	
@BACKEND@+suffix          "dc=example,dc=com"+rootdn          "cn=Manager,dc=example,dc=com"+rootpw          secret+#~null~#directory	@TESTDIR@/db.1.a+#indexdb#index		objectClass eq+#indexdb#index		mail eq+#ndb#dbname db_1_a+#ndb#include @DATADIR@/ndb.conf++#monitor#database	monitordiff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crtnew file mode 100644index 0000000..7458e74--- /dev/null+++ b/tests/data/tls/ca/certs/testsuiteCA.crt@@ -0,0 +1,16 @@+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.keynew file mode 100644index 0000000..2e14d70--- /dev/null+++ b/tests/data/tls/ca/private/testsuiteCA.key@@ -0,0 +1,16 @@+-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crtnew file mode 100644index 0000000..93e3a0d--- /dev/null+++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt@@ -0,0 +1,16 @@+-----BEGIN 
CERTIFICATE-----+MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV+BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx+ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV+BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD+VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa+YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A+MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg+QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU+U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL+MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn+wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f+7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo+4DnnYQBDnq48VORVX94=+-----END CERTIFICATE-----diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crtnew file mode 100644index 0000000..194cb11--- /dev/null+++ b/tests/data/tls/certs/localhost.crt@@ -0,0 +1,16 @@+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnfnew file mode 100644index 0000000..a3c8ad9--- /dev/null+++ b/tests/data/tls/conf/openssl.cnf@@ -0,0 +1,129 @@+HOME                    = .+RANDFILE                = $ENV::HOME/.rnd++oid_section             = new_oids++[ new_oids ]+tsa_policy1 = 1.2.3.4.1+tsa_policy2 = 1.2.3.4.5.6+tsa_policy3 = 1.2.3.4.5.7++[ ca ]+default_ca      = CA_default            # The default ca section++[ CA_default ]++dir             = ./cruft		# Where everything is kept+certs           = $dir/certs            # Where the issued certs are kept+crl_dir         = $dir/crl              # Where the issued crl are kept+database        = $dir/index.txt        # database index file.+new_certs_dir   = $dir/certs         # default place 
for new certs.+certificate     = $dir/cacert.pem       # The CA certificate+serial          = $dir/serial           # The current serial number+crlnumber       = $dir/crlnumber        # the current crl number+crl             = $dir/crl.pem          # The current CRL+private_key     = $dir/private/cakey.pem# The private key+RANDFILE        = $dir/private/.rand    # private random number file+x509_extensions = usr_cert              # The extentions to add to the cert+name_opt        = ca_default            # Subject Name options+cert_opt        = ca_default            # Certificate field options+default_days    = 365                   # how long to certify for+default_crl_days= 30                    # how long before next CRL+default_md      = default               # use public key default MD+preserve        = no                    # keep passed DN ordering+policy          = policy_match++[ policy_match ]+countryName             = match+stateOrProvinceName     = match+organizationName        = match+organizationalUnitName  = optional+commonName              = supplied+emailAddress            = optional++[ policy_anything ]+countryName             = optional+stateOrProvinceName     = optional+localityName            = optional+organizationName        = optional+organizationalUnitName  = optional+commonName              = supplied+emailAddress            = optional++[ req ]+default_bits            = 2048+default_keyfile         = privkey.pem+distinguished_name      = req_distinguished_name+attributes              = req_attributes+x509_extensions = v3_ca # The extentions to add to the self signed cert++string_mask = utf8only++[ req_distinguished_name ]+basicConstraints=CA:FALSE++[ req_attributes ]+challengePassword               = A challenge password+challengePassword_min           = 4+challengePassword_max           = 20++unstructuredName                = An optional company name++[ usr_cert ]++basicConstraints=CA:FALSE+nsComment                       = "OpenSSL 
Generated Certificate"++subjectKeyIdentifier=hash+authorityKeyIdentifier=keyid,issuer++[ v3_req ]++basicConstraints = CA:FALSE+keyUsage = nonRepudiation, digitalSignature, keyEncipherment+subjectAltName = DNS:localhost,IP:127.0.0.1,IP:::1++[ v3_ca ]+subjectKeyIdentifier=hash+authorityKeyIdentifier=keyid:always,issuer+basicConstraints = CA:true++[ crl_ext ]++authorityKeyIdentifier=keyid:always++[ proxy_cert_ext ]+basicConstraints=CA:FALSE+nsComment                       = "OpenSSL Generated Certificate"++subjectKeyIdentifier=hash+authorityKeyIdentifier=keyid,issuer+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo++[ tsa ]++default_tsa = tsa_config1       # the default TSA section++[ tsa_config1 ]++dir             = ./demoCA              # TSA root directory+serial          = $dir/tsaserial        # The current serial number (mandatory)+crypto_device   = builtin               # OpenSSL engine to use for signing+signer_cert     = $dir/tsacert.pem      # The TSA signing certificate+                                        # (optional)+certs           = $dir/cacert.pem       # Certificate chain to include in reply+                                        # (optional)+signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)++default_policy  = tsa_policy1           # Policy if request did not specify it+                                        # (optional)+other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)+digests         = md5, sha1             # Acceptable message digests (mandatory)+accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)+clock_precision_digits  = 0     # number of digits after dot. 
(optional)+ordering                = yes   # Is ordering defined for timestamps?+                                # (optional, default: no)+tsa_name                = yes   # Must the TSA name be included in the reply?+                                # (optional, default: no)+ess_cert_id_chain       = no    # Must the ESS cert id chain be included?+                                # (optional, default: no)diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.shnew file mode 100755index 0000000..8c33a24--- /dev/null+++ b/tests/data/tls/create-crt.sh@@ -0,0 +1,78 @@+#!/bin/sh+openssl=$(which openssl)++if [ x"$openssl" = "x" ]; then+echo "OpenSSL command line binary not found, skipping..."+fi++USAGE="$0 [-s] [-u <user@domain.com>]"+SERVER=0+USER=0+EMAIL=++while test $# -gt 0 ; do+	case "$1" in+		-s | -server)+			SERVER=1;+			shift;;+		-u | -user)+			if [ x"$2" = "x" ]; then+				echo "User cert requires an email address as an argument"+				exit;+			fi+			USER=1;+			EMAIL="$2";+			shift; shift;;+		-)+			shift;;+		-*)+			echo "$USAGE"; exit 1+			;;+		*)+			break;;+	esac+done++if [ $SERVER = 0 -a $USER = 0 ]; then+	echo "$USAGE";+	exit 1;+fi++rm -rf ./openssl.cnf cruft+mkdir -p private certs cruft/private cruft/certs++echo "00" > cruft/serial+touch cruft/index.txt+touch cruft/index.txt.attr+hn=$(hostname -f)+sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf >  ./openssl.cnf++if [ $SERVER = 1 ]; then+	rm -rf private/localhost.key certs/localhost.crt++	$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \+		-newkey rsa:1024 -config ./openssl.cnf \+		-subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \+		-batch > /dev/null 2>&1++	$openssl ca -out certs/localhost.crt -notext -config ./openssl.cnf -days 183000 -in localhost.csr \+		-keyfile ca/private/testsuiteCA.key -extensions v3_req -cert ca/certs/testsuiteCA.crt \+		-batch >/dev/null 2>&1++	rm -rf ./openssl.cnf ./localhost.csr cruft+fi++if [ $USER = 1 ]; then+	rm -f 
certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr++	$openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \+		-newkey rsa:1024 -config ./openssl.cnf \+		-subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \+		-batch >/dev/null 2>&1++	$openssl ca -out certs/$EMAIL.crt -notext -config ./openssl.cnf -days 183000 -in $EMAIL.csr \+		-keyfile ca/private/testsuiteCA.key -extensions req_distinguished_name \+		-cert ca/certs/testsuiteCA.crt -batch >/dev/null 2>&1++	rm -rf ./openssl.cnf ./$EMAIL.csr cruft+fidiff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.keynew file mode 100644index 0000000..5f4625f--- /dev/null+++ b/tests/data/tls/private/bjensen@mailgw.example.com.key@@ -0,0 +1,16 @@+-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.keynew file mode 100644index 0000000..8a24f69--- /dev/null+++ b/tests/data/tls/private/localhost.key@@ -0,0 +1,16 @@+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----diff --git a/tests/run.in b/tests/run.inindex 73db243..3a77ef2 100644--- a/tests/run.in+++ b/tests/run.in@@ -57,6 +57,7 @@ AC_valsort=valsort@BUILD_VALSORT@ # misc AC_WITH_SASL=@WITH_SASL@ AC_WITH_TLS=@WITH_TLS@+AC_TLS_TYPE=@WITH_TLS_TYPE@ AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@ AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@ AC_THREADS=threads@BUILD_THREAD@@@ -75,7 +76,7 @@ export AC_bdb AC_hdb AC_ldap AC_mdb AC_meta AC_monitor AC_null AC_relay AC_sql \ 	AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \ 	AC_valsort \ 	AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \-	AC_THREADS AC_LIBS_DYNAMIC+	AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE  if test ! 
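Review bot: The openssl-not-found branch at the top of create-crt.sh prints "skipping..." but never leaves the script, so every later `$openssl req` and `$openssl ca` line runs with an empty command name and fails with unrelated errors; add `exit 0` after the echo. Both key generations use `-newkey rsa:1024` although conf/openssl.cnf in the same patch sets `default_bits = 2048`; builds whose OpenSSL or GnuTLS default policy refuses 1024-bit RSA will reject the regenerated fixtures and, with them, test067 and test068, so 2048 is the safer size. `hn=$(hostname -f)` is substituted for @HOSTNAME@, but the openssl.cnf added here contains no such token, so the sed is a no-op and the v3_req subjectAltName stays fixed at localhost/127.0.0.1/::1, which is worth a comment or removal.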
-x ../servers/slapd/slapd ; then 	echo "Could not locate slapd(8)"diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.shindex 0750f88..96c41ff 100755--- a/tests/scripts/defines.sh+++ b/tests/scripts/defines.sh@@ -46,6 +46,9 @@ VALSORT=${AC_valsort-valsortno} # misc WITH_SASL=${AC_WITH_SASL-no} USE_SASL=${SLAPD_USE_SASL-no}+WITH_TLS=${AC_WITH_TLS-no}+WITH_TLS_TYPE=${AC_TLS_TYPE-no}+ ACI=${AC_ACI_ENABLED-acino} THREADS=${AC_THREADS-threadsno} SLEEP0=${SLEEP0-1}@@ -104,6 +107,8 @@ P2SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist2.conf P3SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist3.conf REFSLAVECONF=$DATADIR/slapd-ref-slave.conf SCHEMACONF=$DATADIR/slapd-schema.conf+TLSCONF=$DATADIR/slapd-tls.conf+TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf GLUECONF=$DATADIR/slapd-glue.conf REFINTCONF=$DATADIR/slapd-refint.conf RETCODECONF=$DATADIR/slapd-retcode.conf@@ -164,6 +169,7 @@ SLURPLOG=$TESTDIR/slurp.log CONFIGPWF=$TESTDIR/configpw  # args+SASLARGS="-Q" TOOLARGS="-x $LDAP_TOOLARGS" TOOLPROTO="-P 3" 
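Review bot: The rewritten export line in tests/run.in lists AC_WITH_TLS a second time — it is already exported two lines up in the same statement — so only the new variable needs appending: `AC_THREADS AC_LIBS_DYNAMIC AC_TLS_TYPE`. Harmless at runtime, but the duplicate suggests the line was merged rather than edited.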
@@ -186,7 +192,8 @@ BCMP="diff -iB"
 CMPOUT=/dev/null
 SLAPD="$TESTWD/../servers/slapd/slapd -s0"
 LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS"
-LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $LDAP_TOOLARGS -LLL"
+LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $SASLARGS $TOOLPROTO $LDAP_TOOLARGS -LLL"
+LDAPSASLWHOAMI="$CLIENTDIR/ldapwhoami $SASLARGS $LDAP_TOOLARGS"
 LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL"
 LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS"
 LDAPDELETE="$CLIENTDIR/ldapdelete $TOOLPROTO $TOOLARGS"
@@ -201,6 +208,7 @@ LDIFFILTER=$PROGDIR/ldif-filter
 SLAPDMTREAD=$PROGDIR/slapd-mtread
 LVL=${SLAPD_DEBUG-0x4105}
 LOCALHOST=localhost
+LOCALIP=127.0.0.1
 BASEPORT=${SLAPD_BASEPORT-9010}
 PORT1=`expr $BASEPORT + 1`
 PORT2=`expr $BASEPORT + 2`
@@ -209,11 +217,22 @@ PORT4=`expr $BASEPORT + 4`
 PORT5=`expr $BASEPORT + 5`
 PORT6=`expr $BASEPORT + 6`
 URI1="ldap://${LOCALHOST}:$PORT1/"
+URIP1="ldap://${LOCALIP}:$PORT1/";
 URI2="ldap://${LOCALHOST}:$PORT2/"
+URIP2="ldap://${LOCALIP}:$PORT2/";
 URI3="ldap://${LOCALHOST}:$PORT3/"
+URIP3="ldap://${LOCALIP}:$PORT3/";
 URI4="ldap://${LOCALHOST}:$PORT4/";
 URI5="ldap://${LOCALHOST}:$PORT5/";
 URI6="ldap://${LOCALHOST}:$PORT6/"
+SURI1="ldaps://${LOCALHOST}:$PORT1/"
+SURIP1="ldaps://${LOCALIP}:$PORT1/"
+SURI2="ldaps://${LOCALHOST}:$PORT2/"
+SURIP2="ldaps://${LOCALIP}:$PORT2/"
+SURI3="ldaps://${LOCALHOST}:$PORT3/"
+SURI4="ldaps://${LOCALHOST}:$PORT4/"
+SURI5="ldaps://${LOCALHOST}:$PORT5/"
+SURI6="ldaps://${LOCALHOST}:$PORT6/";
 
 # LDIF
 LDIF=$DATADIR/test.ldif
diff --git a/tests/scripts/test067-tls b/tests/scripts/test067-tls
new file mode 100755
index 0000000..3e087f1
--- /dev/null
+++ b/tests/scripts/test067-tls
@@ -0,0 +1,118 @@
+#! 
/bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2017 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $WITH_TLS = no ; then
+        echo "TLS support not available, test skipped"
+        exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1
+cp -r $DATADIR/tls $TESTDIR
+
+cd $TESTWD
+
+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+. $CONFFILTER $BACKEND $MONITORDB < $TLSCONF > $CONF1
+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+    echo PID $PID
+    read foo
+fi
+KILLPIDS="$PID"
+
+sleep 1
+
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "" -H $URI1 \
+		'objectclass=*' > /dev/null 2>&1
+        RC=$?
+        if test $RC = 0 ; then
+                break
+        fi
+        echo "Waiting 5 seconds for slapd to start..."
+        sleep 5
+done
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo -n "Using ldapsearch with startTLS...."
+$LDAPSEARCH -o tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -ZZ -b "" -s base -H $URIP1 \
+	'@extensibleObject' > $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapsearch (startTLS) failed ($RC)!"
+	exit $RC
+else
+	echo "success"
+fi
+
+
+if test $WITH_TLS_TYPE = openssl ; then
+	echo -n "Using ldapsearch with startTLS and specific protocol version...."
+	$LDAPSEARCH -o tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -o tls-protocol-min=3.3 -ZZ -b "" -s base -H $URIP1 \
+		'@extensibleObject' > 
$SEARCHOUT 2>&1
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapsearch (protocol-min) failed ($RC)!"
+		exit $RC
+	else
+		echo "success"
+	fi
+fi
+
+echo -n "Using ldapsearch on $SURI2 with reqcert HARD and no CA cert.  Should fail..."
+$LDAPSEARCH -o tls-reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \
+	'(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
+	>> $SEARCHOUT  2>&1
+RC=$?
+if test $RC = 0 ; then
+	echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!"
+	exit 1
+else
+	echo "failed correctly with error code ($RC)"
+fi
+
+echo -n "Using ldapsearch on $SURI2 with CA cert and reqcert HARD..."
+$LDAPSEARCH -o tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \
+	'(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
+	>> $SEARCHOUT  2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapsearch (ldaps) failed ($RC)!"
+	exit $RC
+else
+	echo "success"
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+if test $RC != 0 ; then
+	echo ">>>>> Test failed"
+else
+	echo ">>>>> Test succeeded"
+	RC=0
+fi
+
+test $KILLSERVERS != no && wait
+
+exit $RC
diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
new file mode 100755
index 0000000..329d66a
--- /dev/null
+++ b/tests/scripts/test068-sasl-tls-external
@@ -0,0 +1,102 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2017 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. 
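Review bot: The failure paths after the readiness loop leave the slapd started on $PORT1/$PORT2 running: the `exit $RC` after the startTLS check, the `exit $RC` inside the protocol-min block, the `exit 1` after the "Should fail" check and the `exit $RC` after the ldaps-with-CA check all skip the `test $KILLSERVERS != no && kill -HUP $KILLPIDS` that the readiness loop's own failure path performs, which blocks the ports for later tests in the run. Each of those four exits should be preceded by `test $KILLSERVERS != no && kill -HUP $KILLPIDS`; the same applies to the `exit $RC` after the ldapwhoami check in tests/scripts/test068-sasl-tls-external below. Separately, the "Should fail" check treats any non-zero status as a pass, so a failure unrelated to certificate verification (for example the ldaps listener refusing the connection) would also be reported as "failed correctly"; the following check against the same listener with the CA cert covers this only partly, and a comment stating that the order of the two checks is relied on would make the intent clear.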
$SRCDIR/scripts/defines.sh
+
+if test $WITH_TLS = no ; then
+        echo "TLS support not available, test skipped"
+        exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1
+cp -r $DATADIR/tls $TESTDIR
+
+cd $TESTWD
+
+echo "Running slapadd to build slapd database..."
+. $CONFFILTER $BACKEND $MONITORDB < $TLSSASLCONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+        echo "slapadd failed ($RC)!"
+        exit $RC
+fi
+
+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+    echo PID $PID
+    read foo
+fi
+KILLPIDS="$PID"
+
+sleep 1
+
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "" -H $URI1 \
+		'objectclass=*' > /dev/null 2>&1
+        RC=$?
+        if test $RC = 0 ; then
+                break
+        fi
+        echo "Waiting 5 seconds for slapd to start..."
+        sleep 5
+done
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo -n "Using ldapwhoami with SASL/EXTERNAL...."
+$LDAPSASLWHOAMI -o tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard \
+	-o tls-certfile=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt -o tls-keyfile=$TESTDIR/tls/private/bjensen@mailgw.example.com.key -ZZ -Y EXTERNAL -H $URIP1 \
+	> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapwhoami (startTLS) failed ($RC)!"
+	exit $RC
+else
+	echo "success"
+fi
+
+echo -n "Validating mapped SASL ID..."
+echo 'dn:cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com' > $TESTDIR/dn.out
+$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
+
+RC=$?
+if test $RC != 0 ; then
+	echo "Comparison failed"
+	test $KILLSERVERS != no && kill -HUP $PID
+	exit $RC
+else
+	echo "success"
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+if test $RC != 0 ; then
+	echo ">>>>> Test failed"
+else
+	echo ">>>>> Test succeeded"
+	RC=0
+fi
+
+test $KILLSERVERS != no && wait
+
+exit $RC
-- 2.7.4
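Review bot: The script skips only when `$WITH_TLS = no`, but the bind it exercises is `-Y EXTERNAL`, which needs SASL support in the client tools; on a build without SASL the ldapwhoami step appears to fail and the test would report a failure rather than a skip. Add after the TLS check `if test $WITH_SASL = no ; then echo "SASL support not available, test skipped"; exit 0; fi` — `WITH_SASL` is already defined in defines.sh, as the context lines of that file's first hunk show. Also, the comparison-failure path uses `kill -HUP $PID` while the rest of the script uses `$KILLPIDS`; the two are equal here, but `$KILLPIDS` is the convention used by the other paths and should be used for consistency.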