diff --git a/tests/Makefile.am b/tests/Makefile.am index 06e9cb65..88261546 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -42,7 +42,7 @@ EXTRA_DIST = certs/ca.pem certs/ca-key.pem certs/user-cert.pem $(USER_KEYS) $(US dist_check_SCRIPTS = if HAVE_CWRAP -dist_check_SCRIPTS += auth-username-pass auth-certificate id-test +dist_check_SCRIPTS += auth-username-pass auth-certificate auth-nonascii id-test if TEST_PKCS11 dist_check_SCRIPTS += auth-pkcs11 @@ -99,7 +99,7 @@ keyfiles: $(USER_KEYS) $(USER_CERTS) OPENSSL = openssl OSSLARGS = -in $< -out $@ -passout pass:password -OSSLARGSP12 = -inkey $< -out $@ -in $${KEYFILE%-key-pkcs8.pem}-cert.pem -passout pass:password +OSSLARGSP12 = -inkey $< -out $@ -in $${KEYFILE%-key-pkcs8.pem}-cert.pem -passout pass:$${PASSWORD%-password} # Strictly speaking this is only PKCS#1 for RSA. For EC it's probably # best described as RFC5915§4, and no idea what defines it for DSA. @@ -156,6 +156,12 @@ $(certsdir)/ec-key-pkcs1-aes128.pem: certs/ec-key-pkcs1.pem KEYFILE="$<"; $(OPENSSL) pkcs12 $(OSSLARGSP12) -export -macalg SHA256 \ -certpbe AES-256-CBC -keypbe AES-256-CBC +# NB: Needs OpenSSL 1.1 or newer +%-key-nonascii-password.p12: %-key-pkcs8.pem %-cert.pem + LC_ALL=en_GB.UTF-8 PASSWORD="$$(cat $(srcdir)/pass-UTF-8)" KEYFILE="$<" ; \ + $(OPENSSL) pkcs12 $(OSSLARGSP12) -export -macalg SHA256 \ + -certpbe AES-256-CBC -keypbe AES-256-CBC + # This one makes GnuTLS behave strangely... %-key-aes256-cbc-md5-des-sha256.p12: %-key-pkcs8.pem %-cert.pem KEYFILE="$<"; $(OPENSSL) pkcs12 $(OSSLARGSP12) -export -macalg SHA256 \ diff --git a/tests/auth-nonascii b/tests/auth-nonascii new file mode 100755 index 00000000..d930b117 --- /dev/null +++ b/tests/auth-nonascii @@ -0,0 +1,45 @@ +#!/bin/sh +# +# Copyright (C) 2016 Red Hat, Inc. +# +# This file is part of openconnect. +# +# This is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public License +# as published by the Free Software Foundation; either version 2.1 of +# the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see + +SERV="${SERV:-../src/ocserv}" +srcdir=${srcdir:-.} +top_builddir=${top_builddir:-..} + +. `dirname $0`/common.sh + +echo "Testing certificate auth with non-ASCII passwords... " + +launch_simple_sr_server -d 1 -f -c configs/test-user-cert.config +PID=$! +wait_server $PID + +KEY=${srcdir}/certs/user-key-nonascii-password.p12 +set -x +for CHARSET in UTF-8 ISO8859-2; do + echo -n "Connecting to obtain cookie (with password charset ${CHARSET})... " + CERTARGS="-c ${KEY} --key-password $(cat ${srcdir}/pass-${CHARSET})" + ( echo "test" | LC_CTYPE=cs_CZ.${CHARSET} LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:443 -u test $CERTARGS --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly --passwd-on-stdin ) || + fail $PID "Could not connect with charset ${CHARSET}!" +done + +echo ok + +cleanup + +exit 0 diff --git a/tests/certs/user-key-nonascii-password.p12 b/tests/certs/user-key-nonascii-password.p12 new file mode 100644 index 00000000..1c903473 Binary files /dev/null and b/tests/certs/user-key-nonascii-password.p12 differ diff --git a/tests/pass-ISO8859-2 b/tests/pass-ISO8859-2 new file mode 100644 index 00000000..4731a84b --- /dev/null +++ b/tests/pass-ISO8859-2 @@ -0,0 +1 @@ +ï diff --git a/tests/pass-UTF-8 b/tests/pass-UTF-8 new file mode 100644 index 00000000..198277f8 --- /dev/null +++ b/tests/pass-UTF-8 @@ -0,0 +1 @@ +ĂŻ