Add channel binding support in SSPs (#4723)

* Implement channel bindings

* Hotpatch kerberos doc. More to come later

* Try to fix LDAP test

Author: gpotter2

.config/ci/install.sh

@@ -37,12 +37,7 @@ then
   sudo apt-get -qy install can-utils || exit 1
   sudo apt-get -qy install linux-modules-extra-$(uname -r) || exit 1
   sudo apt-get -qy install samba smbclient
-  # For OpenLDAP, we need to pre-populate some setup questions
-  sudo debconf-set-selections <<< 'slapd slapd/password2 password Bonjour1'
-  sudo debconf-set-selections <<< 'slapd slapd/password1 password Bonjour1'
-  sudo debconf-set-selections <<< 'slapd slapd/domain string scapy.net'
-  sudo apt-get -qy install slapd
-  ldapadd -D "cn=admin,dc=scapy,dc=net" -w Bonjour1 -f $CUR/openldap-testdata.ldif -c
+  sudo bash $CUR/openldap/install.sh
   # Make sure libpcap is installed
   if [ ! -z $SCAPY_USE_LIBPCAP ]
   then

.config/ci/openldap-testdata.ldif

@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: GPL-2.0-only
+# This file is part of Scapy
+
+# Contains the configuration of our OpenLDAP test server
+
+# Configure LDAPS
+dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: {{CAFILE}}
+
+dn: cn=config
+changetype: modify
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: {{KEYFILE}}
+
+dn: cn=config
+changetype: modify
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: {{CRTFILE}}
+
+dn: cn=config
+changetype: modify
+add: olcTLSVerifyClient
+olcTLSVerifyClient: never
+
+# Set channel bindings to 'tls-endpoint', like it would be on Windows
+dn: cn=config
+changetype: modify
+replace: olcSaslCbinding
+olcSaslCbinding: tls-endpoint

.config/ci/openldap/config.ldif

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# SPDX-License-Identifier: GPL-2.0-only
+# This file is part of Scapy
+# See https://scapy.net/ for more information
+
+# Install an OpenLDAP test server
+
+# Pre-populate some setup questions
+sudo debconf-set-selections <<< 'slapd slapd/password2 password Bonjour1'
+sudo debconf-set-selections <<< 'slapd slapd/password1 password Bonjour1'
+sudo debconf-set-selections <<< 'slapd slapd/domain string scapy.net'
+
+# Run setup
+sudo apt-get -qy install slapd
+
+# Enable LDAPs
+echo "Enabling HTTPS on slapd..."
+sudo sed -i '/^SLAPD_SERVICES/ c\SLAPD_SERVICES="ldap:/// ldapi:/// ldaps://"' /etc/default/slapd
+sudo systemctl restart slapd
+
+# Calculate the paths we're going to need.
+CUR=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P )
+PKIPATH=$(realpath "$CUR/../../../test/scapy/layers/tls/pki")
+OLDAPPATH=$(mktemp -d -t scapy_openldap_XXXX)
+
+# Copy certificates to temp path
+cp ${PKIPATH}/ca_cert.pem ${OLDAPPATH}
+cp ${PKIPATH}/srv_cert.pem ${OLDAPPATH}
+cp ${PKIPATH}/srv_key.pem ${OLDAPPATH}
+chmod a+rx -R ${OLDAPPATH}
+
+# Copy config template and replace variables.
+echo "Creating OpenLDAP config..."
+openldap_conf=${OLDAPPATH}/openldap_config.ldif
+cp $CUR/config.ldif $openldap_conf
+sed -i "s@{{CAFILE}}@${OLDAPPATH}/ca_cert.pem@g" $openldap_conf
+sed -i "s@{{CRTFILE}}@${OLDAPPATH}/srv_cert.pem@g" $openldap_conf
+sed -i "s@{{KEYFILE}}@${OLDAPPATH}/srv_key.pem@g" $openldap_conf
+
+echo "Applying OpenLDAP config..."
+sudo ldapmodify -Y EXTERNAL -H "ldapi:///" -w Bonjour1 -f $openldap_conf -c
+echo "Adding initial dummy data..."
+sudo ldapadd    -D "cn=admin,dc=scapy,dc=net" -w Bonjour1 -H "ldapi:///" -f $CUR/testdata.ldif -c

.config/ci/openldap/install.sh

@@ -0,0 +1,66 @@
+# SPDX-License-Identifier: OLDAP-2.8
+# This file is based on https://git.openldap.org/openldap/openldap/-/blob/master/tests/data/ppolicy.ldif?ref_type=heads
+# (renamed to dc=scapy, dc=net)
+
+dn: dc=scapy, dc=net
+objectClass: top
+objectClass: organization
+objectClass: dcObject
+o: Scapy
+dc: scapy
+
+dn: ou=People, dc=scapy, dc=net
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Groups, dc=scapy, dc=net
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=Policy Group, ou=Groups, dc=scapy, dc=net
+objectClass: groupOfNames
+cn: Policy Group
+member: uid=nd, ou=People, dc=scapy, dc=net
+owner: uid=ndadmin, ou=People, dc=scapy, dc=net
+
+dn: cn=Test Group, ou=Groups, dc=scapy, dc=net
+objectClass: groupOfNames
+cn: Policy Group
+member: uid=another, ou=People, dc=scapy, dc=net
+
+dn: ou=Policies, dc=scapy, dc=net
+objectClass: top
+objectClass: organizationalUnit
+ou: Policies
+
+dn: uid=nd, ou=People, dc=scapy, dc=net
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: Neil Dunbar
+uid: nd
+sn: Dunbar
+givenName: Neil
+userPassword: testpassword
+
+dn: uid=ndadmin, ou=People, dc=scapy, dc=net
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: Neil Dunbar (Admin)
+uid: ndadmin
+sn: Dunbar
+givenName: Neil
+userPassword: testpw
+
+dn: uid=another, ou=People, dc=scapy, dc=net
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: Another Test
+uid: another
+sn: Test
+givenName:  Another
+userPassword: testing
+