From eadebbbd71e7e044636cfacd8cd714f1194ad1fa Mon Sep 17 00:00:00 2001 From: johnson Date: Tue, 23 May 2023 20:10:09 +0000 Subject: [PATCH] ignore querystring while dispatching 
Signed-off-by: johnson <10619522-OnFIs@users.noreply.gitlab.com> --- .gitlab-ci.yml | 2 + NEWS | 4 + README.md | 16 +- doc/ocserv.8.md | 3 +- doc/sample.config | 18 ++ src/acct/pam.c | 1 - src/acct/radius.c | 6 - src/auth-unix.c | 1 - src/auth/gssapi.c | 1 - src/auth/openidconnect.c | 2 - src/auth/pam.c | 82 ++++----- src/auth/plain.c | 2 - src/common/base64-helper.c | 1 - src/common/common.c | 28 ++-- src/common/system.c | 2 +- src/config-kkdcp.c | 2 - src/config.c | 149 +++++++++-------- src/http-parser/http_parser.c | 14 +- src/ip-lease.c | 8 +- src/log.c | 68 ++++---- src/main-ctl-unix.c | 33 +--- src/main-user.c | 52 +++--- src/main.c | 4 +- src/occtl/cache.c | 2 - src/occtl/geoip.c | 4 - src/occtl/ip-cache.c | 2 - src/occtl/nl.c | 3 - src/occtl/occtl.c | 12 +- src/occtl/session-cache.c | 2 - src/occtl/time.c | 2 +- src/occtl/unix.c | 1 - src/ocpasswd/ocpasswd.c | 80 ++++----- src/pcl/pcl.c | 12 +- src/route-add.c | 2 - src/sec-mod-auth.c | 4 - src/sec-mod-resume.c | 2 - src/sec-mod-sup-config.h | 12 +- src/sec-mod.c | 14 +- src/sec-mod.h | 16 +- src/setproctitle.c | 1 - src/tlslib.c | 19 +-- src/tlslib.h | 38 +++-- src/tun.c | 9 +- src/vpn.h | 4 + src/worker-auth.c | 8 +- src/worker-http-handlers.c | 12 ++ src/worker-http.c | 24 ++- src/worker-misc.c | 102 ++++++------ src/worker-privs.c | 16 +- src/worker-vpn.c | 117 ++++++++----- src/worker.c | 2 +- src/worker.h | 2 + tests/Makefile.am | 27 ++- tests/apple-ios | 8 +- tests/ban-ips.c | 2 +- tests/banner | 4 +- tests/certs/ca-key.pem | 22 --- tests/certs/ca.pem | 36 ++-- tests/certs/ca.tmpl | 6 + tests/certs/server-cert-ca.pem | 76 ++++----- tests/certs/server-cert.pem | 40 ++--- tests/certs/server-cert.tmpl | 8 + tests/certs/user-cert-invalid.pem | 126 +++----------- tests/certs/user-cert.pem | 38 ++--- tests/certs/user-cert.tmpl | 7 + tests/cipher-common.sh | 4 +- tests/cstp-recv.c | 3 - tests/data/test-camouflage-norealm.config | 191 +++++++++++++++++++++ tests/data/test-camouflage.config | 192 
++++++++++++++++++++++ tests/disconnect-user | 6 +- tests/disconnect-user2 | 6 +- tests/drain-server | 4 +- tests/drain-server-fail | 2 +- tests/flowcontrol | 16 +- tests/haproxy-auth | 4 +- tests/haproxy-connect | 6 +- tests/haproxy-proxyproto | 4 +- tests/haproxy-proxyproto-v1 | 4 +- tests/html-escape.c | 5 +- tests/human_addr.c | 4 +- tests/ipv4-prefix.c | 2 +- tests/ipv6-iface | 2 +- tests/ipv6-prefix.c | 2 +- tests/ipv6-small-net | 2 +- tests/json | 2 +- tests/json-escape.c | 5 +- tests/kkdcp-parsing.c | 2 +- tests/lz4-compression | 4 +- tests/lzs-compression | 4 +- tests/multiple-routes | 4 +- tests/no-route-default | 4 +- tests/no-route-group | 4 +- tests/ping-leases | 4 +- tests/port-parsing.c | 3 +- tests/radius | 10 +- tests/radius-config | 2 +- tests/radius-group | 4 +- tests/radius-otp | 14 +- tests/str-test.c | 2 +- tests/str-test2.c | 2 +- tests/test-append-routes | 2 +- tests/test-ban | 26 +-- tests/test-ban-local | 12 +- tests/test-camouflage | 84 ++++++++++ tests/test-camouflage-norealm | 59 +++++++ tests/test-cert | 12 +- tests/test-cert-opt-pass | 2 +- tests/test-client-bypass-protocol | 4 +- tests/test-config-per-group | 4 +- tests/test-cookie-invalidation | 12 +- tests/test-cookie-timeout | 12 +- tests/test-cookie-timeout-2 | 6 +- tests/test-enc-key | 4 +- tests/test-explicit-ip | 4 +- tests/test-fork | 2 +- tests/test-group-cert | 10 +- tests/test-group-pass | 8 +- tests/test-gssapi-opt-cert | 2 +- tests/test-gssapi-opt-pass | 2 +- tests/test-ignore-querystring-of-post | 48 ++++++ tests/test-iroute | 4 +- tests/test-maintenance | 6 +- tests/test-max-same-1 | 6 +- tests/test-multi-cookie | 6 +- tests/test-multiple-client-ip | 8 +- tests/test-namespace-listen | 2 +- tests/test-otp | 10 +- tests/test-otp-cert | 8 +- tests/test-pam | 8 +- tests/test-pam-noauth | 8 +- tests/test-pass | 16 +- tests/test-pass-cert | 8 +- tests/test-pass-group-cert | 12 +- tests/test-pass-group-cert-no-pass | 8 +- tests/test-pass-opt-cert | 2 +- tests/test-pass-script 
| 14 +- tests/test-replay | 4 +- tests/test-san-cert | 8 +- tests/test-script-multi-user | 6 +- tests/test-sighup | 6 +- tests/test-stress | 2 +- tests/test-udp-listen-host | 4 +- tests/test-user-config | 10 +- tests/test-vhost | 6 +- tests/traffic | 4 +- tests/unix-test | 2 +- tests/url-escape.c | 4 +- tests/valid-hostname.c | 2 +- 148 files changed, 1481 insertions(+), 970 deletions(-) create mode 100644 tests/certs/ca.tmpl create mode 100644 tests/certs/server-cert.tmpl create mode 100644 tests/certs/user-cert.tmpl create mode 100644 tests/data/test-camouflage-norealm.config create mode 100644 tests/data/test-camouflage.config create mode 100755 tests/test-camouflage create mode 100755 tests/test-camouflage-norealm create mode 100755 tests/test-ignore-querystring-of-post diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index af574e25..c36e5d1a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -71,6 +71,8 @@ Ubuntu16.04: - autoreconf -fvi - ./configure --without-nuttcp-tests - make -j$JOBS +# ubuntu16.04 openconnect doesn't support pin-sha256 + - find ./tests/ -maxdepth 1 -type f -exec sed -i 's@pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=@2c46d7319df419c92ad59e38f0bb9681c088f1dc@g' '{}' ';' # this version of openconnect doesn't work with IPv6 only - make check -j$JOBS XFAIL_TESTS="ipv6-iface ipv6-small-net" tags: diff --git a/NEWS b/NEWS index 95d72010..5f020d51 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,7 @@ +* Version 1.1.8 (unreleased) +- Added "Camouflage" functionality that makes ocserv look + like a web server to unauthorized parties. + * Version 1.1.7 (released 2023-05-07) - Emit a LOG_ERR error message with plain authentication fails - The bundled inih was updated to r56. diff --git a/README.md b/README.md index 473aa227..6ebd83f4 100644 --- a/README.md +++ b/README.md 
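Review bot: The added `sed` hard-codes both the pin-sha256 value it replaces and the 40-hex-digit fingerprint it substitutes, so whenever tests/certs/server-cert.pem is regenerated (this same patch adds the .tmpl files and rewrites the test certificates) both literals go stale, the substitution silently matches nothing, and the Ubuntu16.04 job only fails later with a pin mismatch. A `grep -q` for the expected pin before the `find`, or deriving the fingerprint at job time from tests/certs/server-cert.pem instead of embedding it, would make that dependency explicit and fail fast. The new comment line is also at column 0 while the surrounding list items are indented; aligning it with `  - find ...` keeps the script block readable.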
@@ -33,11 +33,11 @@ configuration while ocserv-main will use the previous configuration. # Required apt-get install -y libgnutls28-dev libev-dev # Optional functionality and testing -apt get install -y libpam0g-dev liblz4-dev libseccomp-dev \ +apt-get install -y libpam0g-dev liblz4-dev libseccomp-dev \ libreadline-dev libnl-route-3-dev libkrb5-dev libradcli-dev \ - libcurl4-gnutls-dev libcjose-dev libjansson-dev libprotobuf-c-dev \ - libtalloc-dev libhttp-parser-dev protobuf-c-compiler gperf \ - nuttcp lcov libuid-wrapper libpam-wrapper libnss-wrapper \ + libcurl4-gnutls-dev libcjose-dev libjansson-dev liboath-dev \ + libprotobuf-c-dev libtalloc-dev libhttp-parser-dev protobuf-c-compiler \ + gperf nuttcp lcov libuid-wrapper libpam-wrapper libnss-wrapper \ libsocket-wrapper gss-ntlmssp haproxy iputils-ping freeradius \ gawk gnutls-bin iproute2 yajl-tools tcpdump ``` @@ -49,10 +49,10 @@ yum install -y gnutls-devel libev-devel # Optional functionality and testing yum install -y pam-devel lz4-devel libseccomp-devel readline-devel \ libnl3-devel krb5-devel radcli-devel libcurl-devel cjose-devel \ - jansson-devel protobuf-c-devel libtalloc-devel http-parser-devel \ - protobuf-c gperf nuttcp lcov uid_wrapper pam_wrapper nss_wrapper \ - socket_wrapper gssntlmssp haproxy iputils freeradius gawk \ - gnutls-utils iproute yajl tcpdump + jansson-devel liboath-devel protobuf-c-devel libtalloc-devel \ + http-parser-devel protobuf-c gperf nuttcp lcov uid_wrapper \ + pam_wrapper nss_wrapper socket_wrapper gssntlmssp haproxy iputils \ + freeradius gawk gnutls-utils iproute yajl tcpdump ``` See [README-radius](doc/README-radius.md) for more information on Radius diff --git a/doc/ocserv.8.md b/doc/ocserv.8.md index 5405cac8..64d87d63 100644 --- a/doc/ocserv.8.md +++ b/doc/ocserv.8.md 
@@ -10,7 +10,8 @@ is used by several CISCO routers. ## DESCRIPTION This a standalone server that reads a configuration file (see below for more details), -and waits for client connections. Log messages are redirected to daemon facility. +and waits for client connections. Log messages are directed to the syslog daemon +facility. The server maintains two connections/channels with the client. The main VPN channel is established over TCP, HTTP and TLS. This is the control channel as well diff --git a/doc/sample.config b/doc/sample.config index cbd30660..5fbb6e57 100644 --- a/doc/sample.config +++ b/doc/sample.config @@ -704,6 +704,24 @@ dtls-legacy = true # currently only understood by Anyconnect clients. client-bypass-protocol = false +# The following options are related to server camouflage (hidden service) + +# This option allows you to enable the camouflage feature of ocserv that makes it look +# like a web server to unauthorized parties. +# With "camouflage" enabled, connection to the VPN can be established only if the client provided a specific +# "secret string" in the connection URL, e.g. "https://example.com/?mysecretkey", +# otherwise the server will return HTTP error for all requests. +camouflage = false + +# The URL prefix that should be set on the client (after '?' sign) to pass through the camouflage check, +# e.g. in case of 'mysecretkey', the server URL on the client should be like "https://example.com/?mysecretkey". +camouflage_secret = "mysecretkey" + +# Defines the realm (browser prompt) for HTTP authentication. +# If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized. +# Better change it from the default value to avoid fingerprinting. +camouflage_realm = "Restricted Content" + #Advanced options # Option to allow sending arbitrary custom headers to the client after diff --git a/src/acct/pam.c b/src/acct/pam.c index 4d7e8d8f..9752c4c9 100644 --- a/src/acct/pam.c +++ b/src/acct/pam.c 
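Review bot: The three new option names use underscores (`camouflage_secret`, `camouflage_realm`) while every other option in this file and in the cfg_ini_handler hunk of src/config.c uses hyphens (`client-bypass-protocol`, `default-group-config`), so users will naturally write `camouflage-secret` and only get the "skipping unknown option" warning; either accept both spellings in the parser or settle on hyphens before this ships. The `camouflage_secret` text also calls the value a "URL prefix" although the example places it after `?`, i.e. it is the query string; suggest `# The query string (the part after '?') the client must send to pass the camouflage check,`. It would help to say here, as the realm comment already does, that the sample value `mysecretkey` is a placeholder that must be replaced.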
@@ -81,7 +81,6 @@ fail1: static void pam_acct_close_session(void *vctx, unsigned auth_method, const struct common_acct_info_st *ai, stats_st *stats, unsigned status) { - return; } const struct acct_mod_st pam_acct_funcs = { diff --git a/src/acct/radius.c b/src/acct/radius.c index e8912d53..470ab36d 100644 --- a/src/acct/radius.c +++ b/src/acct/radius.c @@ -105,8 +105,6 @@ static void append_stats(rc_handle *rh, VALUE_PAIR **send, stats_st *stats) uout = stats->bytes_out / 4294967296; rc_avpair_add(rh, send, PW_ACCT_OUTPUT_GIGAWORDS, &uout, -1, 0); - - return; } static void append_acct_standard(struct radius_vhost_ctx *vctx, rc_handle *rh, const common_acct_info_st *ai, VALUE_PAIR **send) @@ -163,8 +161,6 @@ static void append_acct_standard(struct radius_vhost_ctx *vctx, rc_handle *rh, c i = PW_RADIUS; rc_avpair_add(rh, send, PW_ACCT_AUTHENTIC, &i, -1, 0); - - return; } static void radius_acct_session_stats(void *_vctx, unsigned auth_method, const common_acct_info_st *ai, stats_st *stats) @@ -197,7 +193,6 @@ static void radius_acct_session_stats(void *_vctx, unsigned auth_method, const c cleanup: rc_avpair_free(send); - return; } static int radius_acct_open_session(void *_vctx, unsigned auth_method, const common_acct_info_st *ai, const void *sid, unsigned sid_size) @@ -287,7 +282,6 @@ static void radius_acct_close_session(void *_vctx, unsigned auth_method, const c cleanup: rc_avpair_free(send); - return; } const struct acct_mod_st radius_acct_funcs = { diff --git a/src/auth-unix.c b/src/auth-unix.c index 8ac2e8e7..80841e61 100644 --- a/src/auth-unix.c +++ b/src/auth-unix.c @@ -102,7 +102,6 @@ void unix_group_list(void *pool, unsigned gid_min, char ***groupname, unsigned * exit: endgrent(); - return; } #endif diff --git a/src/auth/gssapi.c b/src/auth/gssapi.c index 700cedfe..0ef00cc4 100644 --- a/src/auth/gssapi.c +++ b/src/auth/gssapi.c 
@@ -137,7 +137,6 @@ static void gssapi_vhost_init(void **_vctx, void *pool, void *additional) } *_vctx = vctx; - return; } static void gssapi_vhost_deinit(void *_vctx) diff --git a/src/auth/openidconnect.c b/src/auth/openidconnect.c index d01e5638..ab787d8c 100644 --- a/src/auth/openidconnect.c +++ b/src/auth/openidconnect.c @@ -112,8 +112,6 @@ static void oidc_vhost_init(void **vctx, void *pool, void *additional) } *vctx = (void *)vc; - - return; } static void oidc_vhost_deinit(void *ctx) diff --git a/src/auth/pam.c b/src/auth/pam.c index b03a59e9..1b757e73 100644 --- a/src/auth/pam.c +++ b/src/auth/pam.c 
@@ -76,56 +76,56 @@ static int ocserv_conv(int msg_size, const struct pam_message **msg, for (i=0;imsg_style) { - case PAM_ERROR_MSG: - case PAM_TEXT_INFO: - syslog(LOG_DEBUG, "PAM-auth conv info: %s", msg[i]->msg); + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + syslog(LOG_DEBUG, "PAM-auth conv info: %s", msg[i]->msg); - // That should never happen, but also not a big deal if we fail to add message here. - // coverity[check_return : FALSE] + // That should never happen, but also not a big deal if we fail to add message here. + // coverity[check_return : FALSE] + ret = str_append_str(&pctx->msg, msg[i]->msg); + if (ret >= 0) + ret = str_append_data(&pctx->msg, " ", 1); + + if (ret < 0) { + syslog(LOG_ERR, "Error in memory allocation in PAM"); + return PAM_BUF_ERR; + } + + pctx->sent_msg = 1; + break; + case PAM_PROMPT_ECHO_OFF: + case PAM_PROMPT_ECHO_ON: + if (pctx->sent_msg == 0) { + /* no message, just asking for password */ + str_reset(&pctx->msg); + pctx->sent_msg = 1; + + } + + if (msg[i]->msg) { ret = str_append_str(&pctx->msg, msg[i]->msg); - if (ret >= 0) - ret = str_append_data(&pctx->msg, " ", 1); - if (ret < 0) { syslog(LOG_ERR, "Error in memory allocation in PAM"); return PAM_BUF_ERR; } + } - pctx->sent_msg = 1; - break; - case PAM_PROMPT_ECHO_OFF: - case PAM_PROMPT_ECHO_ON: - if (pctx->sent_msg == 0) { - /* no message, just asking for password */ - str_reset(&pctx->msg); - pctx->sent_msg = 1; + syslog(LOG_DEBUG, "PAM-auth conv: echo-%s, msg: '%s'", (msg[i]->msg_style==PAM_PROMPT_ECHO_ON)?"on":"off", msg[i]->msg!=NULL?msg[i]->msg:""); + pctx->state = PAM_S_WAIT_FOR_PASS; + pctx->cr_ret = PAM_SUCCESS; + co_resume(); + pctx->state = PAM_S_INIT; + + if (pctx->password[0] != 0) { + pctx->replies[i].resp = strdup(pctx->password); + if (pctx->replies[i].resp == NULL) { + syslog(LOG_ERR, "Error in memory allocation in PAM"); + return PAM_BUF_ERR; } - - if (msg[i]->msg) { - ret = str_append_str(&pctx->msg, msg[i]->msg); - if (ret < 0) { - syslog(LOG_ERR, "Error 
in memory allocation in PAM"); - return PAM_BUF_ERR; - } - } - - syslog(LOG_DEBUG, "PAM-auth conv: echo-%s, msg: '%s'", (msg[i]->msg_style==PAM_PROMPT_ECHO_ON)?"on":"off", msg[i]->msg!=NULL?msg[i]->msg:""); - - pctx->state = PAM_S_WAIT_FOR_PASS; - pctx->cr_ret = PAM_SUCCESS; - co_resume(); - pctx->state = PAM_S_INIT; - - if (pctx->password[0] != 0) { - pctx->replies[i].resp = strdup(pctx->password); - if (pctx->replies[i].resp == NULL) { - syslog(LOG_ERR, "Error in memory allocation in PAM"); - return PAM_BUF_ERR; - } - } - pctx->sent_msg = 0; - break; + } + pctx->sent_msg = 0; + break; } } diff --git a/src/auth/plain.c b/src/auth/plain.c index 8ca891e7..1c5de9c8 100644 --- a/src/auth/plain.c +++ b/src/auth/plain.c @@ -76,7 +76,6 @@ static void plain_vhost_init(void **vctx, void *pool, void *additional) #ifdef HAVE_LIBOATH oath_init(); #endif - return; } /* Breaks a list of "xxx", "yyy", to a character array, of @@ -483,7 +482,6 @@ static void plain_group_list(void *pool, void *additional, char ***groupname, un htable_clear(&hash); safe_memset(line, 0, sizeof(line)); fclose(fp); - return; } const struct auth_mod_st plain_auth_funcs = { diff --git a/src/common/base64-helper.c b/src/common/base64-helper.c index 6481bedc..5852da94 100644 --- a/src/common/base64-helper.c +++ b/src/common/base64-helper.c @@ -32,7 +32,6 @@ void oc_base64_encode (const char *restrict in, size_t inlen, } base64_encode_raw((void*)out, inlen, (uint8_t*)in); out[raw] = 0; - return; } int diff --git a/src/common/common.c b/src/common/common.c index d4ab6f2a..8c056144 100644 --- a/src/common/common.c +++ b/src/common/common.c 
@@ -76,20 +76,20 @@ char *calc_safe_id(const uint8_t *data, unsigned size, char *output, unsigned ou const char *ps_status_to_str(int status, unsigned cookie) { switch (status) { - case PS_AUTH_COMPLETED: - if (cookie) - return "authenticated"; - else - return "connected"; - case PS_AUTH_INIT: - case PS_AUTH_CONT: - return "authenticating"; - case PS_AUTH_INACTIVE: - return "pre-auth"; - case PS_AUTH_FAILED: - return "auth failed"; - default: - return "unknown"; + case PS_AUTH_COMPLETED: + if (cookie) + return "authenticated"; + else + return "connected"; + case PS_AUTH_INIT: + case PS_AUTH_CONT: + return "authenticating"; + case PS_AUTH_INACTIVE: + return "pre-auth"; + case PS_AUTH_FAILED: + return "auth failed"; + default: + return "unknown"; } } diff --git a/src/common/system.c b/src/common/system.c index 42114b5e..a104e266 100644 --- a/src/common/system.c +++ b/src/common/system.c @@ -103,7 +103,7 @@ int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, ui syslog(LOG_ERR, "%s: received unauthorized request from pid %u and uid %u", mod, (unsigned)cr.pid, (unsigned)cr.uid); - return -1; + return -1; } #elif defined(HAVE_GETPEEREID) uid_t euid; diff --git a/src/config-kkdcp.c b/src/config-kkdcp.c index 61a3dfb7..fcf084d8 100644 --- a/src/config-kkdcp.c +++ b/src/config-kkdcp.c @@ -102,8 +102,6 @@ void parse_kkdcp_string(char *str, int *socktype, char **_port, char **_server, *_realm = realm; *_path = path; *_server = server; - - return; } #endif diff --git a/src/config.c b/src/config.c index 3b3cea21..3aed62c6 100644 --- a/src/config.c +++ b/src/config.c 
@@ -75,31 +75,35 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile #define WARNSTR "warning: " #define NOTESTR "note: " -#define READ_MULTI_LINE(varname, num) { \ - if (_add_multi_line_val(pool, &varname, &num, value) < 0) { \ - fprintf(stderr, ERRSTR"memory\n"); \ - exit(EXIT_FAILURE); \ - }} - -#define READ_MULTI_BRACKET_LINE(varname, varname2, num) { \ - if (varname == NULL || varname2 == NULL) { \ - num = 0; \ - varname = talloc_size(pool, sizeof(char*)*DEFAULT_CONFIG_ENTRIES); \ - varname2 = talloc_size(pool, sizeof(char*)*DEFAULT_CONFIG_ENTRIES); \ - if (varname == NULL || varname2 == NULL) { \ +#define READ_MULTI_LINE(varname, num) \ + do { \ + if (_add_multi_line_val(pool, &varname, &num, value) < 0) { \ fprintf(stderr, ERRSTR"memory\n"); \ exit(EXIT_FAILURE); \ } \ - } \ - if (num < DEFAULT_CONFIG_ENTRIES) { \ - char *xp; \ - varname[num] = talloc_strdup(pool, value); \ - xp = strchr(varname[num], '['); if (xp != NULL) *xp = 0; \ - varname2[num] = get_brackets_string1(pool, value); \ - num++; \ - varname[num] = NULL; \ - varname2[num] = NULL; \ - }} + } while (0) + +#define READ_MULTI_BRACKET_LINE(varname, varname2, num) \ + do { \ + if (varname == NULL || varname2 == NULL) { \ + num = 0; \ + varname = talloc_size(pool, sizeof(char*)*DEFAULT_CONFIG_ENTRIES); \ + varname2 = talloc_size(pool, sizeof(char*)*DEFAULT_CONFIG_ENTRIES); \ + if (varname == NULL || varname2 == NULL) { \ + fprintf(stderr, ERRSTR"memory\n"); \ + exit(EXIT_FAILURE); \ + } \ + } \ + if (num < DEFAULT_CONFIG_ENTRIES) { \ + char *xp; \ + varname[num] = talloc_strdup(pool, value); \ + xp = strchr(varname[num], '['); if (xp != NULL) *xp = 0; \ + varname2[num] = get_brackets_string1(pool, value); \ + num++; \ + varname[num] = NULL; \ + varname2[num] = NULL; \ + } \ + } while (0) #define PREAD_STRING(pool, varname) { \ unsigned len = strlen(value); \ 
@@ -115,25 +119,28 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile strlcpy(varname, value, sizeof(varname)); \ } -#define READ_TF(varname) {\ - if (c_strcasecmp(value, "true") == 0 || c_strcasecmp(value, "yes") == 0) \ - varname = 1; \ - else \ - varname = 0; \ - } +#define READ_TF(varname) \ + do { \ + if (c_strcasecmp(value, "true") == 0 || c_strcasecmp(value, "yes") == 0) \ + varname = 1; \ + else \ + varname = 0; \ + } while (0) #define READ_NUMERIC(varname) { \ varname = strtol(value, NULL, 10); \ } #define READ_PRIO_TOS(varname) \ - if (strncmp(value, "0x", 2) == 0) { \ - varname = strtol(value, NULL, 16); \ - varname = TOS_PACK(varname); \ - } else { \ - varname = strtol(value, NULL, 10); \ - varname++; \ - } + do { \ + if (strncmp(value, "0x", 2) == 0) { \ + varname = strtol(value, NULL, 16); \ + varname = TOS_PACK(varname); \ + } else { \ + varname = strtol(value, NULL, 10); \ + varname++; \ + } \ + } while (0) struct snapshot_t * config_snapshot = NULL; @@ -440,7 +447,7 @@ char *sanitize_config_value(void *pool, const char *value) if (len < 0) return NULL; - return talloc_strndup(pool, &value[i], len); \ + return talloc_strndup(pool, &value[i], len); } @@ -489,8 +496,6 @@ static void append_iroutes_from_file(struct cfg_st *config, const char *file) if (ip_route_sanity_check(config->known_iroutes, &config->known_iroutes[j]) != 0) exit(EXIT_FAILURE); } - - return; } static void load_iroutes(struct cfg_st *config) 
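Review bot: The do/while(0) conversion is applied to READ_TF and READ_PRIO_TOS, but the neighbouring READ_NUMERIC and PREAD_STRING macros, visible as context in this hunk, keep the old bare-brace form, so the file now mixes two macro styles and those two still expand to `{ ... };` at a call site, the hazard the rewrite is meant to remove. Suggest `#define READ_NUMERIC(varname) do { varname = strtol(value, NULL, 10); } while (0)` and the same wrapper for PREAD_STRING so every reader macro in this block follows one convention.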
@@ -1124,6 +1129,12 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co READ_STRING(config->default_user_conf); } else if (strcmp(name, "default-group-config") == 0) { READ_STRING(config->default_group_conf); + } else if (strcmp(name, "camouflage") == 0) { + READ_TF(config->camouflage); + } else if (strcmp(name, "camouflage_secret") == 0) { + READ_STRING(config->camouflage_secret); + } else if (strcmp(name, "camouflage_realm") == 0) { + READ_STRING(config->camouflage_realm); } else { if (reload == 0) fprintf(stderr, WARNSTR"skipping unknown option '%s'\n", name); @@ -1610,33 +1621,33 @@ int cmd_parser (void *pool, int argc, char **argv, struct list_head *head, bool break; switch(c) { - case 'f': - vhost->perm_config.foreground = 1; - break; - case 'p': - strlcpy(pid_file, optarg, sizeof(pid_file)); - break; - case 'c': - strlcpy(cfg_file, optarg, sizeof(cfg_file)); - break; - case 'd': - vhost->perm_config.debug = atoi(optarg); - break; - case 't': - test_only = 1; - break; - case OPT_NO_CHDIR: - vhost->perm_config.no_chdir = 1; - break; - case 'h': - usage(); - exit(EXIT_SUCCESS); - case 'v': - print_version(); - exit(EXIT_SUCCESS); - case 'x': - vhost->perm_config.pr_dumpable = 1; - break; + case 'f': + vhost->perm_config.foreground = 1; + break; + case 'p': + strlcpy(pid_file, optarg, sizeof(pid_file)); + break; + case 'c': + strlcpy(cfg_file, optarg, sizeof(cfg_file)); + break; + case 'd': + vhost->perm_config.debug = atoi(optarg); + break; + case 't': + test_only = 1; + break; + case OPT_NO_CHDIR: + vhost->perm_config.no_chdir = 1; + break; + case 'h': + usage(); + exit(EXIT_SUCCESS); + case 'v': + print_version(); + exit(EXIT_SUCCESS); + case 'x': + vhost->perm_config.pr_dumpable = 1; + break; } } @@ -1688,8 +1699,6 @@ static void archive_cfg(struct list_head *head) list_add(&vhost->perm_config.attic, &e->list); } } - - return; } static void clear_cfg(struct list_head *head) 
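Review bot: The new `camouflage_secret` and `camouflage_realm` values are stored with READ_STRING but nothing in this hunk validates them, so if check_cfg (declared above in this file but not in this hunk) does not reject `camouflage = true` with an empty or missing secret, the outcome depends entirely on the query-string comparison in the worker, which this patch chunk does not show. A check in check_cfg of the form `if (config->camouflage && (!config->camouflage_secret || !config->camouflage_secret[0]))` followed by the existing `fprintf(stderr, ERRSTR"..."); exit(EXIT_FAILURE);` pattern would make an unusable camouflage setup a start-up error rather than a silent runtime condition. The exact field path depends on how check_cfg reaches the parsed config, so adapt it to that function's parameters.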
@@ -1701,8 +1710,6 @@ static void clear_cfg(struct list_head *head) talloc_free(cpos->perm_config.config); cpos->perm_config.config = NULL; } - - return; } void clear_vhosts(struct list_head *head) @@ -1715,8 +1722,6 @@ void clear_vhosts(struct list_head *head) talloc_free(vhost->perm_config.config); vhost->perm_config.config = NULL; } - - return; } static void append(const char *option) @@ -1795,8 +1800,6 @@ void reload_cfg_file(void *pool, struct list_head *configs, unsigned sec_mod) /* parse the config again */ parse_cfg_file(pool, cfg_file, configs, flags); - - return; } void write_pid_file(void) diff --git a/src/http-parser/http_parser.c b/src/http-parser/http_parser.c index 1594bef6..71b5c98e 100644 --- a/src/http-parser/http_parser.c +++ b/src/http-parser/http_parser.c @@ -1298,7 +1298,7 @@ reexecute: } break; - /* Connection */ + /* connection */ case h_matching_connection: parser->index++; @@ -1310,7 +1310,7 @@ reexecute: } break; - /* Proxy-Connection */ + /* proxy-connection */ case h_matching_proxy_connection: parser->index++; @@ -1322,7 +1322,7 @@ reexecute: } break; - /* Content-Length */ + /* content-length */ case h_matching_content_length: parser->index++; @@ -1334,7 +1334,7 @@ reexecute: } break; - /* Transfer-Encoding */ + /* transfer-encoding */ case h_matching_transfer_encoding: parser->index++; @@ -1347,7 +1347,7 @@ reexecute: } break; - /* Upgrade */ + /* upgrade */ case h_matching_upgrade: parser->index++; @@ -1803,7 +1803,7 @@ reexecute: REEXECUTE(); } - /* Cannot use Transfer-Encoding and Content-Length headers together + /* Cannot use transfer-encoding and a content-length header together per the HTTP specification. (RFC 7230 Section 3.3.3) */ if ((parser->uses_transfer_encoding == 1) && (parser->flags & F_CONTENTLENGTH)) { 
@@ -1928,7 +1928,7 @@ reexecute: UPDATE_STATE(s_body_identity); } else { if (!http_message_needs_eof(parser)) { - /* Assume Content-Length 0 - read the next */ + /* Assume content-length 0 - read the next */ UPDATE_STATE(NEW_MESSAGE()); CALLBACK_NOTIFY(message_complete); } else { diff --git a/src/ip-lease.c b/src/ip-lease.c index 7f6b13c0..d9e36f3b 100644 --- a/src/ip-lease.c +++ b/src/ip-lease.c @@ -62,8 +62,6 @@ struct htable_iter iter; cache = htable_next(&db->ht, &iter); } htable_clear(&db->ht); - - return; } static size_t rehash(const void* _e, void* unused) @@ -168,9 +166,9 @@ static int is_ipv4_ok(main_server_st *s, struct sockaddr_storage *ip, struct soc } if (ip_lease_exists(s, ip, sizeof(struct sockaddr_in)) != 0 || - ip_cmp(ip, net) == 0 || - ip_cmp(ip, &broadcast) == 0) { - return 0; + ip_cmp(ip, net) == 0 || + ip_cmp(ip, &broadcast) == 0) { + return 0; } return 1; } diff --git a/src/log.c b/src/log.c index 583ccdf9..9cc3de4e 100644 --- a/src/log.c +++ b/src/log.c 
@@ -35,35 +35,35 @@ static unsigned check_priority(int *priority, int debug_prio) { switch(*priority) { - case LOG_ERR: - case LOG_WARNING: - case LOG_NOTICE: - break; - case LOG_DEBUG: - if (debug_prio < DEBUG_DEBUG) - return 0; - break; - case LOG_INFO: - if (debug_prio < DEBUG_INFO) - return 0; - break; - case LOG_HTTP_DEBUG: - if (debug_prio < DEBUG_HTTP) - return 0; - *priority = LOG_INFO; - break; - case LOG_TRANSFER_DEBUG: - if (debug_prio < DEBUG_TRANSFERRED) - return 0; - *priority = LOG_DEBUG; - break; - case LOG_SENSITIVE: - if (debug_prio < DEBUG_SENSITIVE) - return 0; - *priority = LOG_DEBUG; - break; - default: - syslog(LOG_DEBUG, "unknown log level %d", *priority); + case LOG_ERR: + case LOG_WARNING: + case LOG_NOTICE: + break; + case LOG_DEBUG: + if (debug_prio < DEBUG_DEBUG) + return 0; + break; + case LOG_INFO: + if (debug_prio < DEBUG_INFO) + return 0; + break; + case LOG_HTTP_DEBUG: + if (debug_prio < DEBUG_HTTP) + return 0; + *priority = LOG_INFO; + break; + case LOG_TRANSFER_DEBUG: + if (debug_prio < DEBUG_TRANSFERRED) + return 0; + *priority = LOG_DEBUG; + break; + case LOG_SENSITIVE: + if (debug_prio < DEBUG_SENSITIVE) + return 0; + *priority = LOG_DEBUG; + break; + default: + syslog(LOG_DEBUG, "unknown log level %d", *priority); } return 1; @@ -105,8 +105,6 @@ void __attribute__ ((format(printf, 3, 4))) name[0] = 0; syslog(priority, "worker%s: %s %s", name, ip?ip:"[unknown]", buf); - - return; } /* proc is optional */ @@ -151,8 +149,6 @@ void __attribute__ ((format(printf, 4, 5))) name[0] = 0; syslog(priority, "main%s:%s %s", name, ip?ip:"[unknown]", buf); - - return; } void mslog_hex(const main_server_st * s, const struct proc_st* proc, @@ -182,8 +178,6 @@ void mslog_hex(const main_server_st * s, const struct proc_st* proc, } _mslog(s, proc, priority, "%s %s", prefix, buf); - - return; } void oclog_hex(const worker_st* ws, int priority, 
@@ -213,8 +207,6 @@ void oclog_hex(const worker_st* ws, int priority, } _oclog(ws, priority, "%s %s", prefix, buf); - - return; } void seclog_hex(const struct sec_mod_st* sec, int priority, @@ -238,6 +230,4 @@ void seclog_hex(const struct sec_mod_st* sec, int priority, } seclog(sec, priority, "%s %s", prefix, buf); - - return; } diff --git a/src/main-ctl-unix.c b/src/main-ctl-unix.c index 25d5c26b..e951c40b 100644 --- a/src/main-ctl-unix.c +++ b/src/main-ctl-unix.c @@ -241,8 +241,6 @@ static void method_status(method_ctx *ctx, int cfd, uint8_t * msg, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply"); } - - return; } static void method_reload(method_ctx *ctx, int cfd, uint8_t * msg, @@ -263,8 +261,6 @@ static void method_reload(method_ctx *ctx, int cfd, uint8_t * msg, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply"); } - - return; } static void method_stop(method_ctx *ctx, int cfd, uint8_t * msg, @@ -285,8 +281,6 @@ static void method_stop(method_ctx *ctx, int cfd, uint8_t * msg, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply"); } - - return; } #define IPBUF_SIZE 64 @@ -479,7 +473,7 @@ static void method_list_users(method_ctx *ctx, int cfd, uint8_t * msg, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error appending user info to reply"); - goto error; + return; } } @@ -489,9 +483,6 @@ static void method_list_users(method_ctx *ctx, int cfd, uint8_t * msg, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply"); } - - error: - return; } static void method_top(method_ctx *ctx, int cfd, uint8_t * msg, @@ -557,7 +548,7 @@ static void method_list_banned(method_ctx *ctx, int cfd, uint8_t * msg, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error appending ban info to reply"); - goto error; + return; } e = htable_next(db, &iter); } 
@@ -568,9 +559,6 @@ static void method_list_banned(method_ctx *ctx, int cfd, uint8_t * msg, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error sending ban list reply"); } - - error: - return; } static void method_list_cookies(method_ctx *ctx, int cfd, uint8_t * msg, @@ -655,7 +643,6 @@ reply_and_exit: if (cookies) { talloc_free(cookies); } - return; } static void single_info_common(method_ctx *ctx, int cfd, uint8_t * msg, @@ -686,7 +673,7 @@ static void single_info_common(method_ctx *ctx, int cfd, uint8_t * msg, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error appending user info to reply"); - goto error; + return; } found_user = 1; @@ -709,9 +696,6 @@ static void single_info_common(method_ctx *ctx, int cfd, uint8_t * msg, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply"); } - - error: - return; } static void method_user_info(method_ctx *ctx, int cfd, uint8_t * msg, @@ -729,8 +713,6 @@ static void method_user_info(method_ctx *ctx, int cfd, uint8_t * msg, single_info_common(ctx, cfd, msg, msg_size, req->username, 0); username_req__free_unpacked(req, NULL); - - return; } static void method_id_info(method_ctx *ctx, int cfd, uint8_t * msg, @@ -748,8 +730,6 @@ static void method_id_info(method_ctx *ctx, int cfd, uint8_t * msg, single_info_common(ctx, cfd, msg, msg_size, NULL, req->id); id_req__free_unpacked(req, NULL); - - return; } static void method_unban_ip(method_ctx *ctx, @@ -781,8 +761,6 @@ static void method_unban_ip(method_ctx *ctx, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error sending unban IP ctl reply"); } - - return; } static void method_disconnect_user_name(method_ctx *ctx, @@ -820,8 +798,6 @@ static void method_disconnect_user_name(method_ctx *ctx, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply"); } - - return; } static void method_disconnect_user_id(method_ctx *ctx, int cfd, 
@@ -861,8 +837,6 @@ static void method_disconnect_user_id(method_ctx *ctx, int cfd, if (ret < 0) { mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply"); } - - return; } struct ctl_watcher_st { @@ -919,7 +893,6 @@ static void ctl_cmd_wacher_cb(EV_P_ ev_io *w, int revents) close(wst->fd); ev_io_stop(EV_A_ w); talloc_free(wst); - return; } static void ctl_handle_commands(main_server_st * s) diff --git a/src/main-user.c b/src/main-user.c index f932d542..b12e7bb1 100644 --- a/src/main-user.c +++ b/src/main-user.c @@ -50,11 +50,13 @@ #define OCSERV_FW_SCRIPT "/usr/bin/ocserv-fw" #define APPEND_TO_STR(str, val) \ - ret = str_append_str(str, val); \ - if (ret < 0) { \ - mslog(s, proc, LOG_ERR, "could not append value to environment\n"); \ - exit(EXIT_FAILURE); \ - } + do { \ + ret = str_append_str(str, val); \ + if (ret < 0) { \ + mslog(s, proc, LOG_ERR, "could not append value to environment\n"); \ + exit(EXIT_FAILURE); \ + } \ + } while (0) typedef enum script_type_t { SCRIPT_CONNECT, 
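Review bot: APPEND_TO_STR still relies on `ret`, `s` and `proc` existing at the expansion site, and wrapping it in do/while(0) makes that implicit contract no more visible than before; a one-line comment above the macro, e.g. `/* requires int ret, main_server_st *s and struct proc_st *proc in scope; exits the process on failure */`, would document it. The mslog message `"could not append value to environment\n"` also carries a trailing newline that the other mslog calls touched by this patch (e.g. "error sending ctl reply") do not, so dropping it would keep the log lines uniform.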
@@ -199,26 +201,26 @@ static void export_fw_info(main_server_st *s, struct proc_st* proc) negate = 1; switch(proc->config->fw_ports[i]->proto) { - case PROTO_UDP: - ret = str_append_printf(&str_common, "udp %u ", proc->config->fw_ports[i]->port); - break; - case PROTO_TCP: - ret = str_append_printf(&str_common, "tcp %u ", proc->config->fw_ports[i]->port); - break; - case PROTO_SCTP: - ret = str_append_printf(&str_common, "sctp %u ", proc->config->fw_ports[i]->port); - break; - case PROTO_ICMP: - ret = str_append_printf(&str_common, "icmp all "); - break; - case PROTO_ESP: - ret = str_append_printf(&str_common, "esp all "); - break; - case PROTO_ICMPv6: - ret = str_append_printf(&str_common, "icmpv6 all "); - break; - default: - ret = -1; + case PROTO_UDP: + ret = str_append_printf(&str_common, "udp %u ", proc->config->fw_ports[i]->port); + break; + case PROTO_TCP: + ret = str_append_printf(&str_common, "tcp %u ", proc->config->fw_ports[i]->port); + break; + case PROTO_SCTP: + ret = str_append_printf(&str_common, "sctp %u ", proc->config->fw_ports[i]->port); + break; + case PROTO_ICMP: + ret = str_append_printf(&str_common, "icmp all "); + break; + case PROTO_ESP: + ret = str_append_printf(&str_common, "esp all "); + break; + case PROTO_ICMPv6: + ret = str_append_printf(&str_common, "icmpv6 all "); + break; + default: + ret = -1; } if (ret < 0) { diff --git a/src/main.c b/src/main.c index 3ea8a3c0..b79aba7d 100644 --- a/src/main.c +++ b/src/main.c @@ -72,7 +72,7 @@ #ifdef HAVE_GSSAPI # include -extern const ASN1_ARRAY_TYPE kkdcp_asn1_tab[]; +extern const asn1_static_node kkdcp_asn1_tab[]; asn1_node _kkdcp_pkix1_asn = NULL; #endif @@ -431,8 +431,6 @@ int y; set_mtu_disc(fd, family, 1); } set_cloexec_flag (fd, 1); - - return; } /* clears the server listen_list and proc_list. To be used after fork(). diff --git a/src/occtl/cache.c b/src/occtl/cache.c index 63099e43..d194a40f 100644 --- a/src/occtl/cache.c +++ b/src/occtl/cache.c 
@@ -62,8 +62,6 @@ void entries_add(void *pool, const char* user, unsigned user_size, unsigned id) snprintf(entries[entries_size].id, sizeof(entries[entries_size].id), "%u", id); entries_size++; - - return; } char* search_for_user(unsigned idx, const char* match, int match_size) diff --git a/src/occtl/geoip.c b/src/occtl/geoip.c index 1d843ce8..622902a5 100644 --- a/src/occtl/geoip.c +++ b/src/occtl/geoip.c @@ -113,8 +113,6 @@ void geo_ipv4_lookup(struct in_addr ip, char **country, char **city, char **coor pGeoIP_delete(gi); } } - - return; } void geo_ipv6_lookup(struct in6_addr *ip, char **country, char **city, char **coord) @@ -171,8 +169,6 @@ void geo_ipv6_lookup(struct in6_addr *ip, char **country, char **city, char **co pGeoIP_delete(gi); } } - - return; } char *geo_lookup(const char *ip, char *buf, unsigned buf_size) diff --git a/src/occtl/ip-cache.c b/src/occtl/ip-cache.c index caa8b8b0..e382c9d4 100644 --- a/src/occtl/ip-cache.c +++ b/src/occtl/ip-cache.c @@ -57,8 +57,6 @@ void ip_entries_add(void *pool, const char* ip, unsigned ip_size) strlcpy(ip_entries[ip_entries_size].ip, ip, sizeof(ip_entries[ip_entries_size].ip)); ip_entries[ip_entries_size].ip_size = ip_size; ip_entries_size++; - - return; } char* search_for_ip(unsigned idx, const char* match, int match_size) diff --git a/src/occtl/nl.c b/src/occtl/nl.c index 93075946..8b154e71 100644 --- a/src/occtl/nl.c +++ b/src/occtl/nl.c @@ -117,13 +117,10 @@ void print_iface_stats(const char *iface, time_t since, FILE * out, cmd_params_s fprintf(out, " \"Average RX\": \"%s\",\n \"Average TX\": \"%s\"%s\n", buf1, buf2, have_more?",":""); else fprintf(out, "\tAverage bandwidth RX: %s TX: %s\n", buf1, buf2); - - return; } #else void print_iface_stats(const char *iface, time_t since, FILE * out, cmd_params_st *params, unsigned have_more) { - return; } #endif diff --git a/src/occtl/occtl.c b/src/occtl/occtl.c index 8a9df2a7..d98d0248 100644 --- a/src/occtl/occtl.c +++ b/src/occtl/occtl.c 
@@ -211,7 +211,7 @@ static char *rl_gets(char *line_read) if (line_read && *line_read) add_history(line_read); - return (line_read); + return line_read; } void @@ -225,18 +225,14 @@ double data; if (bytes > 1000 && bytes < 1000 * 1000) { data = ((double) bytes) / 1000; snprintf(output, output_size, "%.1f KB%s", data, suffix); - return; } else if (bytes >= 1000 * 1000 && bytes < 1000 * 1000 * 1000) { data = ((double) bytes) / (1000 * 1000); snprintf(output, output_size, "%.1f MB%s", data, suffix); - return; } else if (bytes >= 1000 * 1000 * 1000) { data = ((double) bytes) / (1000 * 1000 * 1000); snprintf(output, output_size, "%.1f GB%s", data, suffix); - return; } else { snprintf(output, output_size, "%lu bytes%s", bytes, suffix); - return; } } @@ -245,13 +241,10 @@ time2human(uint64_t microseconds, char* output, unsigned output_size) { if (microseconds < 1000) { snprintf(output, output_size, "<1ms"); - return; } else if (microseconds < 1000000) { snprintf(output, output_size, "%ldms", microseconds / 1000); - return; } else { snprintf(output, output_size, "%lds", microseconds / 1000000); - return; } } @@ -499,7 +492,7 @@ static char *command_generator(const char *text, int state) name += cmd_start; if (c_strncasecmp(name, text, len) == 0) { - return (strdup(name)); + return strdup(name); } } @@ -520,7 +513,6 @@ void handle_sigint(int signo) rl_crlf(); #endif rl_redisplay(); - return; } void initialize_readline(void) diff --git a/src/occtl/session-cache.c b/src/occtl/session-cache.c index d74af6c7..7fc473e8 100644 --- a/src/occtl/session-cache.c +++ b/src/occtl/session-cache.c @@ -50,8 +50,6 @@ void session_entries_add(void *pool, const char* session) strlcpy(session_entries[session_entries_size].session, session, sizeof(session_entries[session_entries_size].session)); session_entries_size++; - - return; } char* search_for_session(unsigned idx, const char* match, int match_size) diff --git a/src/occtl/time.c b/src/occtl/time.c index 70957d69..78b324c4 100644 
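Review bot: `time2human` formats its `uint64_t` argument with `%ld` in the two context lines this hunk keeps (`"%ldms", microseconds / 1000` and `"%lds", microseconds / 1000000`), which is a signedness mismatch on LP64 and a width mismatch on 32-bit targets; `"%" PRIu64 "ms"` and `"%" PRIu64 "s"` from `<inttypes.h>` fix both. The `"%lu bytes%s", bytes` snprintf in the preceding hunk has the same shape, but the type of `bytes` is outside the hunk, so it should be checked there. Both functions are shown only in part.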
--- a/src/occtl/time.c +++ b/src/occtl/time.c @@ -36,7 +36,7 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], time_t t1, time_t t2) { time_t t = t1 - t2; - if ((long)t < (long)0) { + if ((long)t < 0) { /* system clock changed? */ snprintf(output, MAX_TMPSTR_SIZE, " ? "); return; diff --git a/src/occtl/unix.c b/src/occtl/unix.c index f187d42e..5a3b8f7f 100644 --- a/src/occtl/unix.c +++ b/src/occtl/unix.c @@ -1426,7 +1426,6 @@ int handle_show_user_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *p static void dummy_sighandler(int signo) { - return; } diff --git a/src/ocpasswd/ocpasswd.c b/src/ocpasswd/ocpasswd.c index b6d1e6ef..75445d61 100644 --- a/src/ocpasswd/ocpasswd.c +++ b/src/ocpasswd/ocpasswd.c 
@@ -429,47 +429,47 @@ int main(int argc, char **argv) break; switch(c) { - case 'c': - if (fpasswd) { - fprintf(stderr, "-c option cannot be specified multiple time\n"); - exit(EXIT_FAILURE); - } - fpasswd = strdup(optarg); - break; - case 'g': - if (groupname) { - fprintf(stderr, "-g option cannot be specified multiple time\n"); - exit(EXIT_FAILURE); - } - groupname = strdup(optarg); - break; - case 'd': - if (flags) { - usage(); - exit(EXIT_FAILURE); - } - flags |= FLAG_DELETE; - break; - case 'u': - if (flags) { - usage(); - exit(EXIT_FAILURE); - } - flags |= FLAG_UNLOCK; - break; - case 'l': - if (flags) { - usage(); - exit(EXIT_FAILURE); - } - flags |= FLAG_LOCK; - break; - case 'h': + case 'c': + if (fpasswd) { + fprintf(stderr, "-c option cannot be specified multiple time\n"); + exit(EXIT_FAILURE); + } + fpasswd = strdup(optarg); + break; + case 'g': + if (groupname) { + fprintf(stderr, "-g option cannot be specified multiple time\n"); + exit(EXIT_FAILURE); + } + groupname = strdup(optarg); + break; + case 'd': + if (flags) { usage(); - exit(EXIT_SUCCESS); - case 'v': - version(); - exit(EXIT_SUCCESS); + exit(EXIT_FAILURE); + } + flags |= FLAG_DELETE; + break; + case 'u': + if (flags) { + usage(); + exit(EXIT_FAILURE); + } + flags |= FLAG_UNLOCK; + break; + case 'l': + if (flags) { + usage(); + exit(EXIT_FAILURE); + } + flags |= FLAG_LOCK; + break; + case 'h': + usage(); + exit(EXIT_SUCCESS); + case 'v': + version(); + exit(EXIT_SUCCESS); } } diff --git a/src/pcl/pcl.c b/src/pcl/pcl.c index 15ceb9a5..8a72296f 100644 --- a/src/pcl/pcl.c +++ b/src/pcl/pcl.c @@ -93,7 +93,7 @@ static void co_switch_context(co_ctx_t *octx, co_ctx_t *nctx) if (swapcontext(&octx->cc, &nctx->cc) < 0) { fprintf(stderr, "[PCL] Context switch failed: curr=%p\n", tctx->co_curr); - exit(EXIT_FAILURE); + exit(1); } } 
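Review bot: Replacing `exit(EXIT_FAILURE)` with `exit(1)` in `co_switch_context` goes in the opposite direction from the rest of this commit, and the same substitution is made in the five following src/pcl/pcl.c hunks (@@ -150, -418, -455, -470, -478). If this is a resync of the vendored pcl sources with their upstream, the commit message should say so; otherwise keep `exit(EXIT_FAILURE);` in all six places.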
@@ -150,7 +150,7 @@ static void co_ctx_bootstrap(void) fprintf(stderr, "[PCL] Hmm, you really shouldn't reach this point: curr=%p\n", tctx->co_curr); - exit(EXIT_FAILURE); + exit(1); } static void co_ctx_trampoline(int sig) @@ -418,7 +418,7 @@ void co_delete(coroutine_t coro) if (co == tctx->co_curr) { fprintf(stderr, "[PCL] Cannot delete itself: curr=%p\n", tctx->co_curr); - exit(EXIT_FAILURE); + exit(1); } if (co->alloc) free(co); @@ -455,7 +455,7 @@ static void co_del_helper(void *data) co_delete(tctx->co_curr->caller); co_call((coroutine_t) cdh); if (tctx->co_dhelper == NULL) { - exit(EXIT_FAILURE); + exit(1); } } } @@ -470,7 +470,7 @@ void co_exit_to(coroutine_t coro) tctx->stk, sizeof(tctx->stk))) == NULL) { fprintf(stderr, "[PCL] Unable to create delete helper coroutine: curr=%p\n", tctx->co_curr); - exit(EXIT_FAILURE); + exit(1); } tctx->co_dhelper = co; @@ -478,7 +478,7 @@ void co_exit_to(coroutine_t coro) fprintf(stderr, "[PCL] Stale coroutine called: curr=%p exitto=%p caller=%p\n", tctx->co_curr, co, tctx->co_curr->caller); - exit(EXIT_FAILURE); + exit(1); } void co_exit(void) diff --git a/src/route-add.c b/src/route-add.c index 2f5fa925..929558a1 100644 --- a/src/route-add.c +++ b/src/route-add.c @@ -196,6 +196,4 @@ unsigned i; route_del(s, proc, proc->config->iroutes[i], proc->tun_lease.name); } proc->applied_iroutes = 0; - - return; } diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c index dca342fc..2be1a37c 100644 --- a/src/sec-mod-auth.c +++ b/src/sec-mod-auth.c @@ -113,8 +113,6 @@ void sec_mod_add_score_to_ip(sec_mod_st *sec, client_entry_st *e, const char *ip fail: talloc_free(lpool); - - return; } static void update_auth_time_stats(sec_mod_st * sec, time_t secs) @@ -629,8 +627,6 @@ void handle_sec_auth_ban_ip_reply(sec_mod_st *sec, const BanIpReplyMsg *msg) if (msg->reply != AUTH__REP__OK) { e->status = PS_AUTH_FAILED; } - - return; } int handle_sec_auth_stats_cmd(sec_mod_st * sec, const CliStatsMsg * req, pid_t pid) 
diff --git a/src/sec-mod-resume.c b/src/sec-mod-resume.c index 68a55385..39ded40b 100644 --- a/src/sec-mod-resume.c +++ b/src/sec-mod-resume.c @@ -208,6 +208,4 @@ void expire_tls_sessions(sec_mod_st *sec) } cache = htable_next(sec->tls_db.ht, &iter); } - - return; } diff --git a/src/sec-mod-sup-config.h b/src/sec-mod-sup-config.h index 490f2104..b2f87a6c 100644 --- a/src/sec-mod-sup-config.h +++ b/src/sec-mod-sup-config.h @@ -30,12 +30,12 @@ inline static const char *sup_config_name(unsigned s) { switch(s) { - case SUP_CONFIG_FILE: - return "file"; - case SUP_CONFIG_RADIUS: - return "radius"; - default: - return "unknown"; + case SUP_CONFIG_FILE: + return "file"; + case SUP_CONFIG_RADIUS: + return "radius"; + default: + return "unknown"; } } diff --git a/src/sec-mod.c b/src/sec-mod.c index 2236c9e0..b58bb446 100644 --- a/src/sec-mod.c +++ b/src/sec-mod.c @@ -609,8 +609,6 @@ static void send_stats_to_main(sec_mod_st *sec) seclog(sec, LOG_ERR, "error in sending statistics to main"); return; } - - return; } static void reload_server(sec_mod_st *sec) @@ -760,11 +758,13 @@ int serve_request_worker(sec_mod_st *sec, int cfd, pid_t pid, uint8_t *buffer, u } #define CHECK_LOOP_ERR(x) \ - if (force != 0) { GNUTLS_FATAL_ERR(x); } \ - else { if (ret < 0) { \ - seclog(sec, LOG_ERR, "could not reload key %s", vhost->perm_config.key[i]); \ - continue; } \ - } + do { \ + if (force != 0) { GNUTLS_FATAL_ERR(x); } \ + else { if (ret < 0) { \ + seclog(sec, LOG_ERR, "could not reload key %s", vhost->perm_config.key[i]); \ + continue; } \ + } \ + } while (0) static int load_keys(sec_mod_st *sec, unsigned force) { diff --git a/src/sec-mod.h b/src/sec-mod.h index 8fc7257d..932d1501 100644 --- a/src/sec-mod.h +++ b/src/sec-mod.h 
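Review bot: Wrapping `CHECK_LOOP_ERR` in `do { ... } while (0)` changes its behaviour, because the `continue;` after `seclog(sec, LOG_ERR, "could not reload key %s", ...)` now binds to the do-while instead of the loop in `load_keys` that expands the macro: the do-while condition is false, so control falls out of the macro and the rest of that iteration runs with `ret < 0` rather than skipping to the next key. `goto` (as used by `ADD_SYSCALL` and the `SKIP*` macros elsewhere in this commit) is unaffected by such a wrapper, but `continue` and `break` are. Keep the statement-swallowing shape without introducing a loop: change the first line to `if (1) { \` and the last to `} else ((void)0)`, or leave it a plain braced block. `load_keys` itself is outside the hunk, so whether any statements follow the macro inside its loop should be confirmed there.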
@@ -143,14 +143,18 @@ void cleanup_client_entries(sec_mod_st *sec); #ifdef __GNUC__ # define seclog(sec, prio, fmt, ...) \ - if (prio != LOG_DEBUG || GETPCONFIG(sec)->debug >= 3) { \ - syslog(prio, "sec-mod: "fmt, ##__VA_ARGS__); \ - } + do { \ + if (prio != LOG_DEBUG || GETPCONFIG(sec)->debug >= 3) { \ + syslog(prio, "sec-mod: "fmt, ##__VA_ARGS__); \ + } \ + } while (0) #else # define seclog(sec,prio,...) \ - if (prio != LOG_DEBUG || GETPCONFIG(sec)->debug >= 3) { \ - syslog(prio, __VA_ARGS__); \ - } + do { \ + if (prio != LOG_DEBUG || GETPCONFIG(sec)->debug >= 3) { \ + syslog(prio, __VA_ARGS__); \ + } \ + } while (0) #endif void seclog_hex(const struct sec_mod_st* sec, int priority, diff --git a/src/setproctitle.c b/src/setproctitle.c index dfffd17c..3f3591b0 100644 --- a/src/setproctitle.c +++ b/src/setproctitle.c @@ -60,7 +60,6 @@ void setproctitle (const char *fmt, ...) void setproctitle (const char *fmt, ...) { - return; } # endif /* __linux__ */ diff --git a/src/tlslib.c b/src/tlslib.c index 70d95832..b91d1cc1 100644 --- a/src/tlslib.c +++ b/src/tlslib.c @@ -53,7 +53,7 @@ #ifndef UNDER_TEST static void tls_reload_ocsp(main_server_st* s, struct vhost_cfg_st *vhost); -#endif +#endif /* UNDER_TEST */ void cstp_cork(worker_st *ws) { @@ -433,14 +433,14 @@ void tls_cache_deinit(tls_sess_db_st* db) htable_clear(db->ht); db->entries = 0; talloc_free(db->ht); - - return; } +#ifndef UNDER_TEST static void tls_log_func(int level, const char *str) { syslog(LOG_DEBUG, "TLS[<%d>]: %s", level, str); } +#endif /* UNDER_TEST */ static void tls_audit_log_func(gnutls_session_t session, const char *str) { @@ -457,6 +457,7 @@ static void tls_audit_log_func(gnutls_session_t session, const char *str) } } +#ifndef UNDER_TEST static int verify_certificate_cb(gnutls_session_t session) { unsigned int status; @@ -540,6 +541,7 @@ no_cert: fail: return GNUTLS_E_CERTIFICATE_ERROR; } +#endif /* UNDER_TEST */ void tls_global_init(void) { 
@@ -571,10 +573,9 @@ void tls_vhost_deinit(struct vhost_cfg_st *vhost) vhost->creds.xcred = NULL; vhost->creds.pskcred = NULL; vhost->creds.cprio = NULL; - - return; } +#ifndef UNDER_TEST /* Checks, if there is a single certificate specified, whether it * is compatible with all ciphersuites */ static void certificate_check(main_server_st *s, const char *vhostname, gnutls_pcert_st *pcert) @@ -640,7 +641,6 @@ cleanup: gnutls_x509_crt_deinit(crt); gnutls_free(data.data); gnutls_free(dn.data); - return; } static void set_dh_params(main_server_st* s, struct vhost_cfg_st *vhost) @@ -669,7 +669,6 @@ static void set_dh_params(main_server_st* s, struct vhost_cfg_st *vhost) } } -#ifndef UNDER_TEST struct key_cb_data { unsigned pk; unsigned bits; @@ -1016,8 +1015,6 @@ void tls_load_files(main_server_st *s, struct vhost_cfg_st *vhost) } tls_reload_ocsp(s, vhost); - - return; } static int ocsp_get_func(gnutls_session_t session, void *ptr, gnutls_datum_t *response) @@ -1071,8 +1068,6 @@ void tls_load_prio(main_server_st *s, struct vhost_cfg_st *vhost) if (ret == GNUTLS_E_PARSING_ERROR) mslog(s, NULL, LOG_ERR, "error in TLS priority string: %s", perr); GNUTLS_FATAL_ERR(ret); - - return; } /* @@ -1117,7 +1112,7 @@ void tls_reload_crl(main_server_st* s, struct vhost_cfg_st *vhost, unsigned forc mslog(s, NULL, LOG_INFO, "loaded CRL: %s", vhost->perm_config.config->crl); } } -#endif +#endif /* UNDER_TEST */ void tls_cork(gnutls_session_t session) { diff --git a/src/tlslib.h b/src/tlslib.h index bc945e8e..8a133b4f 100644 --- a/src/tlslib.h +++ b/src/tlslib.h 
@@ -73,28 +73,32 @@ size_t tls_get_overhead(gnutls_protocol_t, gnutls_cipher_algorithm_t, gnutls_mac #endif #define DTLS_FATAL_ERR_CMD(x, CMD) \ - if (x < 0 && gnutls_error_is_fatal (x) != 0) { \ - if (syslog_open) \ - syslog(LOG_WARNING, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \ - else \ - fprintf(stderr, "GnuTLS error (at %s:%d): %s\n", __FILE__, __LINE__, gnutls_strerror(x)); \ - CMD; \ - } + do { \ + if (x < 0 && gnutls_error_is_fatal (x) != 0) { \ + if (syslog_open) \ + syslog(LOG_WARNING, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \ + else \ + fprintf(stderr, "GnuTLS error (at %s:%d): %s\n", __FILE__, __LINE__, gnutls_strerror(x)); \ + CMD; \ + } \ + } while (0) #define DTLS_FATAL_ERR(x) DTLS_FATAL_ERR_CMD(x, exit(EXIT_FAILURE)) #define CSTP_FATAL_ERR_CMD(ws, x, CMD) \ - if (ws->session != NULL) { \ - if (x < 0 && gnutls_error_is_fatal (x) != 0) { \ - oclog(ws, LOG_WARNING, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \ - CMD; \ + do { \ + if (ws->session != NULL) { \ + if (x < 0 && gnutls_error_is_fatal (x) != 0) { \ + oclog(ws, LOG_WARNING, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \ + CMD; \ + } \ + } else { \ + if (x < 0 && errno != EINTR && errno != EAGAIN) { \ + oclog(ws, LOG_WARNING, "socket error (at %s:%d): %s", __FILE__, __LINE__, strerror(errno)); \ + CMD; \ + } \ } \ - } else { \ - if (x < 0 && errno != EINTR && errno != EAGAIN) { \ - oclog(ws, LOG_WARNING, "socket error (at %s:%d): %s", __FILE__, __LINE__, strerror(errno)); \ - CMD; \ - } \ - } + } while (0) #define CSTP_FATAL_ERR(ws, x) CSTP_FATAL_ERR_CMD(ws, x, exit(EXIT_FAILURE)) diff --git a/src/tun.c b/src/tun.c index d290becf..59c38697 100644 --- a/src/tun.c +++ b/src/tun.c @@ -320,7 +320,6 @@ static int os_set_ipv6_addr(main_server_st * s, struct proc_st *proc) static void os_reset_ipv6_addr(struct proc_st *proc) { - return; } #endif 
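Review bot: The `do { } while (0)` wrapping is right, but `x` is still unparenthesized and evaluated up to three times in `DTLS_FATAL_ERR_CMD` (`x < 0`, `gnutls_error_is_fatal (x)`, `gnutls_strerror(x)`) and twice in `CSTP_FATAL_ERR_CMD`, so a caller passing a call expression would re-run it. Since these macros are being rewritten anyway, capture the value once with `int _e = (x); \` at the top of the block and use `_e` in its place, or at minimum write `(x)`. Whether any current caller passes an expression rather than a variable is not visible in this hunk.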
@@ -785,8 +784,6 @@ void close_tun(main_server_st * s, struct proc_st *proc) if (fd != -1) close(fd); #endif - - return; } static void reset_ipv4_addr(struct proc_st *proc) @@ -906,8 +903,7 @@ ssize_t tun_read(int sockfd, void *buf, size_t len) #ifndef __FreeBSD__ int tun_claim(int sockfd) { - - return (0); + return 0; } #else /* @@ -917,7 +913,6 @@ int tun_claim(int sockfd) */ int tun_claim(int sockfd) { - - return (ioctl(sockfd, TUNSIFPID, 0)); + return ioctl(sockfd, TUNSIFPID, 0); } #endif /* !__FreeBSD__ */ diff --git a/src/vpn.h b/src/vpn.h index 23d82bd9..f8bebbb3 100644 --- a/src/vpn.h +++ b/src/vpn.h @@ -358,6 +358,10 @@ struct cfg_st { /* holds a usage count of holders of pointers in this struct */ int *usage_count; + + bool camouflage; + char *camouflage_secret; + char *camouflage_realm; }; struct perm_cfg_st { diff --git a/src/worker-auth.c b/src/worker-auth.c index b67eea0c..a61f95b7 100644 --- a/src/worker-auth.c +++ b/src/worker-auth.c @@ -618,7 +618,7 @@ unsigned check_if_default_route(char **routes, unsigned routes_size) for (i=0;icookie, sizeof(ws->cookie)); if (ret < 0) { oclog(ws, LOG_WARNING, "failed cookie authentication attempt"); + if (WSCONFIG(ws)->camouflage && ws->camouflage_check_passed == 0) + { + cstp_puts(ws, + "HTTP/1.1 405 Method Not Allowed\r\n\r\n"); + } + else if (ret == ERR_AUTH_FAIL) { cstp_puts(ws, "HTTP/1.1 401 Cookie is not acceptable\r\n\r\n"); diff --git a/src/worker-http-handlers.c b/src/worker-http-handlers.c index af9aa00a..bb8948a1 100644 --- a/src/worker-http-handlers.c +++ b/src/worker-http-handlers.c @@ -39,6 +39,7 @@ #include #define HTML_404 "
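Review bot: On a failed cookie check with camouflage enabled, the new branch answers with a bare `HTTP/1.1 405 Method Not Allowed\r\n\r\n`: no `Allow` header (which a 405 requires), no `Content-Length` and no `Connection: close`, unlike the `response_404`/`response_401` replies the GET/POST path in worker-vpn.c sends for the same condition. A bare 405 is thus both non-conformant and a reply shape unique to the camouflaged server, which works against the intent of the feature; sending this path through `response_401(ws, ..., WSCONFIG(ws)->camouflage_realm)` / `response_404(ws, ...)` as `vpn_server` does would keep the two paths consistent (the HTTP minor version to pass is not visible here). The header of this hunk and the start of the enclosing function are garbled in the visible text, so what runs after the reply is written could not be checked.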

404 Not Found

\r\n" +#define HTML_401 "

401 Unauthorized

\r\n" int response_404(worker_st *ws, unsigned http_ver) { @@ -50,6 +51,17 @@ int response_404(worker_st *ws, unsigned http_ver) return 0; } +int response_401(worker_st *ws, unsigned http_ver, char* realm) +{ + if (cstp_printf(ws, "HTTP/1.%u 401 Unauthorized\r\n", http_ver) < 0 || + cstp_printf(ws, "WWW-Authenticate: Basic realm=\"%s\"\r\n", realm) < 0 || + cstp_printf(ws, "Content-Length: %u\r\n", (unsigned)(sizeof(HTML_401) - 1)) < 0 || + cstp_puts (ws, "Connection: close\r\n\r\n") < 0 || + cstp_puts (ws, HTML_401) < 0) + return -1; + return 0; +} + static int send_headers(worker_st *ws, unsigned http_ver, const char *content_type, unsigned content_length) { diff --git a/src/worker-http.c b/src/worker-http.c index 66ed2df9..e878f775 100644 --- a/src/worker-http.c +++ b/src/worker-http.c @@ -104,7 +104,8 @@ static const dtls_ciphersuite_st ciphersuites[] = { .gnutls_mac = GNUTLS_MAC_AEAD, .gnutls_kx = GNUTLS_KX_RSA, .gnutls_cipher = GNUTLS_CIPHER_AES_128_GCM, - .server_prio = 80}, + .server_prio = 80, + }, { .oc_name = CS_AES256_GCM, .gnutls_name = @@ -114,7 +115,7 @@ static const dtls_ciphersuite_st ciphersuites[] = { .gnutls_kx = GNUTLS_KX_RSA, .gnutls_cipher = GNUTLS_CIPHER_AES_256_GCM, .server_prio = 90, - }, + }, { .oc_name = "AES256-SHA", .gnutls_name = @@ -124,7 +125,7 @@ static const dtls_ciphersuite_st ciphersuites[] = { .gnutls_kx = GNUTLS_KX_RSA, .gnutls_cipher = GNUTLS_CIPHER_AES_256_CBC, .server_prio = 60, - }, + }, { .oc_name = "AES128-SHA", .gnutls_name = @@ -134,7 +135,7 @@ static const dtls_ciphersuite_st ciphersuites[] = { .gnutls_kx = GNUTLS_KX_RSA, .gnutls_cipher = GNUTLS_CIPHER_AES_128_CBC, .server_prio = 50, - }, + }, { .oc_name = "DES-CBC3-SHA", .gnutls_name = @@ -144,7 +145,7 @@ static const dtls_ciphersuite_st ciphersuites[] = { .gnutls_kx = GNUTLS_KX_RSA, .gnutls_cipher = GNUTLS_CIPHER_3DES_CBC, .server_prio = 1, - } + }, }; static const dtls_ciphersuite_st ciphersuites12[] = { 
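Review bot: `response_401` takes `char* realm` but only reads it; declare it `const char *realm` (and the prototype added to worker.h likewise) so literals and config strings can be passed without a cast. The realm is interpolated unescaped into `WWW-Authenticate: Basic realm=\"%s\"`, so a `"`, `\`, CR or LF in the value breaks the quoted-string or the header framing. The value comes from the new `camouflage_realm` option, so the cheapest place to reject those characters is the config parser (not in this diff); a one-line comment here, e.g. `/* realm is admin-configured; must not contain '"', '\\', CR or LF */`, records the assumption for the next reader.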
@@ -471,7 +472,7 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req) if (want_cipher != -1) { if (want_cipher == cand->gnutls_cipher && want_mac == cand->gnutls_mac) - goto ciphersuite_finish; + goto ciphersuite_finish; } } } @@ -536,7 +537,7 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req) if (want_cipher != -1) { if (want_cipher == cand->gnutls_cipher && want_mac == cand->gnutls_mac) - goto ciphersuite12_finish; + goto ciphersuite12_finish; } } } @@ -698,12 +699,17 @@ url_handler_fn http_get_url_handler(const char *url) url_handler_fn http_post_url_handler(struct worker_st *ws, const char *url) { const struct known_urls_st *p; + unsigned len = strlen(url); unsigned i; p = known_urls; do { - if (p->url != NULL && strcmp(p->url, url) == 0) - return p->post_handler; + if (p->url != NULL) { + if ((len == p->url_size && strcmp(p->url, url) == 0) || + (len > p->url_size && strncmp(p->url, url, p->url_size) == 0 + && p->partial_match == 0 && url[p->url_size] == '?')) + return p->post_handler; + } p++; } while (p->url != NULL); diff --git a/src/worker-misc.c b/src/worker-misc.c index 29beccf4..e09e8886 100644 --- a/src/worker-misc.c +++ b/src/worker-misc.c 
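Review bot: `unsigned len = strlen(url);` narrows the `size_t` result; `size_t len = strlen(url);` matches `strlen`, and the comparisons with `p->url_size` can be adjusted if that field's type differs (it is not visible here). The new query-string branch applies only to entries with `p->partial_match == 0`, so a POST to a partial-match URL that carries `?...` still gets no handler, which differs from the exact-match case; if that is deliberate, a one-line comment above the condition saying so would stop it from being "fixed" later. The tail of `http_post_url_handler` (the return after the loop) is outside the hunk.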
@@ -109,70 +109,70 @@ int handle_commands_from_main(struct worker_st *ws) /*cmd_data_len = ret - 1;*/ switch(cmd) { - case CMD_TERMINATE: - exit_worker_reason(ws, REASON_SERVER_DISCONNECT); - case CMD_UDP_FD: { - unsigned has_hello = 1; + case CMD_TERMINATE: + exit_worker_reason(ws, REASON_SERVER_DISCONNECT); + case CMD_UDP_FD: { + unsigned has_hello = 1; - if (DTLS_ACTIVE(ws)->udp_state != UP_WAIT_FD) { - oclog(ws, LOG_DEBUG, "received another a UDP fd!"); - } + if (DTLS_ACTIVE(ws)->udp_state != UP_WAIT_FD) { + oclog(ws, LOG_DEBUG, "received another a UDP fd!"); + } - tmsg = udp_fd_msg__unpack(NULL, length, ws->buffer); - if (tmsg) { - has_hello = tmsg->hello; - } + tmsg = udp_fd_msg__unpack(NULL, length, ws->buffer); + if (tmsg) { + has_hello = tmsg->hello; + } - if (fd == -1) { - oclog(ws, LOG_ERR, "received UDP fd message of wrong type"); + if (fd == -1) { + oclog(ws, LOG_ERR, "received UDP fd message of wrong type"); + if (tmsg) + udp_fd_msg__free_unpacked(tmsg, NULL); + + if (DTLS_ACTIVE(ws)->udp_state == UP_WAIT_FD) + DTLS_ACTIVE(ws)->udp_state = UP_DISABLED; + return -1; + } + + set_non_block(fd); + if (has_hello == 0) { + /* check if the first packet received is a valid one - + * if not discard the new fd */ + if (!recv_from_new_fd(ws, DTLS_ACTIVE(ws), fd, &tmsg)) { + oclog(ws, LOG_INFO, "received UDP fd message but its session has invalid data!"); if (tmsg) udp_fd_msg__free_unpacked(tmsg, NULL); - - if (DTLS_ACTIVE(ws)->udp_state == UP_WAIT_FD) - DTLS_ACTIVE(ws)->udp_state = UP_DISABLED; - return -1; + close(fd); + return 0; } + dtls = DTLS_ACTIVE(ws); + } else { /* received client hello */ + dtls = DTLS_INACTIVE(ws); + dtls->udp_state = UP_SETUP; + oclog(ws, LOG_DEBUG, "Starting DTLS session %d", ws->dtls_active_session ^ 1); + } - set_non_block(fd); - if (has_hello == 0) { - /* check if the first packet received is a valid one - - * if not discard the new fd */ - if (!recv_from_new_fd(ws, DTLS_ACTIVE(ws), fd, &tmsg)) { - oclog(ws, LOG_INFO, "received 
UDP fd message but its session has invalid data!"); - if (tmsg) - udp_fd_msg__free_unpacked(tmsg, NULL); - close(fd); - return 0; - } - dtls = DTLS_ACTIVE(ws); - } else { /* received client hello */ - dtls = DTLS_INACTIVE(ws); - dtls->udp_state = UP_SETUP; - oclog(ws, LOG_DEBUG, "Starting DTLS session %d", ws->dtls_active_session ^ 1); - } + if (dtls->dtls_tptr.fd != -1) + close(dtls->dtls_tptr.fd); + if (dtls->dtls_tptr.msg != NULL) + udp_fd_msg__free_unpacked(dtls->dtls_tptr.msg, NULL); - if (dtls->dtls_tptr.fd != -1) - close(dtls->dtls_tptr.fd); - if (dtls->dtls_tptr.msg != NULL) - udp_fd_msg__free_unpacked(dtls->dtls_tptr.msg, NULL); + dtls->dtls_tptr.msg = tmsg; + dtls->dtls_tptr.fd = fd; - dtls->dtls_tptr.msg = tmsg; - dtls->dtls_tptr.fd = fd; + if (WSCONFIG(ws)->try_mtu == 0) + set_mtu_disc(fd, ws->proto, 0); - if (WSCONFIG(ws)->try_mtu == 0) - set_mtu_disc(fd, ws->proto, 0); + oclog(ws, LOG_DEBUG, "received new UDP fd and connected to peer"); + ws->udp_recv_time = time(NULL); - oclog(ws, LOG_DEBUG, "received new UDP fd and connected to peer"); - ws->udp_recv_time = time(NULL); + return 0; - return 0; - - } - break; - default: - oclog(ws, LOG_ERR, "unknown CMD 0x%x", (unsigned)cmd); - exit_worker_reason(ws, REASON_ERROR); + } + break; + default: + oclog(ws, LOG_ERR, "unknown CMD 0x%x", (unsigned)cmd); + exit_worker_reason(ws, REASON_ERROR); } return 0; diff --git a/src/worker-privs.c b/src/worker-privs.c index 927e59ff..64587922 100644 --- a/src/worker-privs.c +++ b/src/worker-privs.c 
@@ -92,13 +92,15 @@ int disable_system_calls(struct worker_st *ws) } #define ADD_SYSCALL(name, ...) \ - ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(name), __VA_ARGS__); \ - /* libseccomp returns EDOM for pseudo-syscalls due to a bug */ \ - if (ret < 0 && ret != -EDOM) { \ - oclog(ws, LOG_DEBUG, "could not add " #name " to seccomp filter: %s", strerror(-ret)); \ - ret = -1; \ - goto fail; \ - } + do { \ + ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(name), __VA_ARGS__); \ + /* libseccomp returns EDOM for pseudo-syscalls due to a bug */ \ + if (ret < 0 && ret != -EDOM) { \ + oclog(ws, LOG_DEBUG, "could not add " #name " to seccomp filter: %s", strerror(-ret)); \ + ret = -1; \ + goto fail; \ + } \ + } while (0) /* These seem to be called by libc or some other dependent library; * they are not necessary for functioning, but we must allow them in order diff --git a/src/worker-vpn.c b/src/worker-vpn.c index 9c07b8ed..ba888d00 100644 --- a/src/worker-vpn.c +++ b/src/worker-vpn.c @@ -490,8 +490,6 @@ void ws_add_score_to_ip(worker_st *ws, unsigned points, unsigned final, unsigned } ban_ip_reply_msg__free_unpacked(reply, &pa); - - return; } void send_stats_to_secmod(worker_st * ws, time_t now, unsigned discon_reason) 
@@ -575,38 +573,46 @@ void exit_worker_reason(worker_st * ws, unsigned reason) #define HANDSHAKE_SESSION_ID_POS (34) #define SKIP_V16(pos, total) \ - { uint16_t _s; \ - if (pos+2 > total) goto finish; \ - _s = (msg->data[pos] << 8) | msg->data[pos+1]; \ - if (pos+2+_s > total) goto finish; \ - pos += 2+_s; \ + { \ + uint16_t _s; \ + if (pos+2 > total) goto finish; \ + _s = (msg->data[pos] << 8) | msg->data[pos+1]; \ + if (pos+2+_s > total) goto finish; \ + pos += 2+_s; \ } #define SKIP16(pos, total) \ - if (pos+2 > total) goto finish; \ - pos += 2 + do { \ + if (pos+2 > total) goto finish; \ + pos += 2; \ + } while (0) #define SKIP8(pos, total) \ - if (pos+1 > total) goto finish; \ - pos++ + do { \ + if (pos+1 > total) goto finish; \ + pos++; \ + } while (0) #define SKIP_V8(pos, total) \ - { uint8_t _s; \ - if (pos+1 > total) goto finish; \ - _s = msg->data[pos]; \ - if (pos+1+_s > total) goto finish; \ - pos += 1+_s; \ + { \ + uint8_t _s; \ + if (pos+1 > total) goto finish; \ + _s = msg->data[pos]; \ + if (pos+1+_s > total) goto finish; \ + pos += 1+_s; \ } #define SET_VHOST_CREDS \ - ret = \ - gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, \ - WSCREDS(ws)->xcred); \ - GNUTLS_FATAL_ERR(ret); \ - gnutls_certificate_server_set_request(session, WSCONFIG(ws)->cert_req); \ - ret = gnutls_priority_set(session, WSCREDS(ws)->cprio); \ - GNUTLS_FATAL_ERR(ret); \ - gnutls_db_set_cache_expiration(session, TLS_SESSION_EXPIRATION_TIME(WSCONFIG(ws))) + do { \ + ret = \ + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, \ + WSCREDS(ws)->xcred); \ + GNUTLS_FATAL_ERR(ret); \ + gnutls_certificate_server_set_request(session, WSCONFIG(ws)->cert_req); \ + ret = gnutls_priority_set(session, WSCREDS(ws)->cprio); \ + GNUTLS_FATAL_ERR(ret); \ + gnutls_db_set_cache_expiration(session, TLS_SESSION_EXPIRATION_TIME(WSCONFIG(ws))); \ + } while (0) /* Parse the TLS client hello to figure vhost */ static int hello_hook_func(gnutls_session_t session, unsigned int htype, 
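Review bot: `SKIP_V16` and `SKIP_V8` are left as bare `{ ... }` blocks while `SKIP16`/`SKIP8` in the same hunk become `do { ... } while (0)`; a bare block plus the caller's `;` still breaks `if (...) SKIP_V16(...); else ...`, which is the hazard the rest of the commit removes. The `goto finish` inside them is unaffected by a do-while wrapper (unlike `continue`/`break`), so both can take the same `do { \ ... } while (0)` form as their siblings. `hello_hook_func`, whose signature ends the hunk and which presumably expands these, has its body outside it.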
@@ -750,6 +756,20 @@ static void peek_client_hello(struct worker_st *ws, gnutls_session_t session, in } #endif +void check_camouflage_url(struct worker_st *ws) +{ + if (WSCONFIG(ws)->camouflage_secret == NULL) + return; + + char* url_camouflage_part = strchr(ws->req.url, '?'); + if (url_camouflage_part + && !strcmp(url_camouflage_part + 1, WSCONFIG(ws)->camouflage_secret)) + { + *url_camouflage_part = '\0'; + ws->camouflage_check_passed = 1; + } +} + /* vpn_server: * @ws: an initialized worker structure * @@ -921,6 +941,21 @@ void vpn_server(struct worker_st *ws) } } while (ws->req.headers_complete == 0); + if ((parser.method == HTTP_GET || parser.method == HTTP_POST) && + (WSCONFIG(ws)->camouflage && ws->camouflage_check_passed == 0)) + { + check_camouflage_url(ws); + if (ws->camouflage_check_passed == 0) + { + oclog(ws, LOG_INFO, "Secret not found in URL, declining..."); + if (WSCONFIG(ws)->camouflage_realm) + response_401(ws, parser.http_minor, WSCONFIG(ws)->camouflage_realm); + else + response_404(ws, parser.http_minor); + goto finish; + } + } + if (parser.method == HTTP_GET) { oclog(ws, LOG_HTTP_DEBUG, "HTTP GET %s", ws->req.url); fn = http_get_url_handler(ws->req.url); @@ -1182,14 +1217,15 @@ void mtu_ok(worker_st * ws, struct dtls_st * dtls) c = (ws->link_mtu + ws->last_bad_mtu) / 2; link_mtu_set(ws, dtls, c); - return; } #define FUZZ(x, diff, rnd) \ + do { \ if (x > diff) { \ int16_t r = rnd; \ x += r % diff; \ - } + } \ + } while (0) int get_pmtu_approx(worker_st *ws) { @@ -1349,11 +1385,9 @@ static void set_no_delay(worker_st * ws, int fd) int ret; ret = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &flag, sizeof(flag)); - if (ret == -1) { + if (ret == -1) oclog(ws, LOG_DEBUG, "setsockopt(TCP_NODELAY) to %x, failed.", (unsigned)flag); - return; - } } #define TOSCLASS(x) (IPTOS_CLASS_CS##x) 
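Review bot: `check_camouflage_url` compares the server secret against the URL query with `strcmp`, which stops at the first differing byte, so the time taken depends on how many leading bytes of the supplied value match; since this secret is what keeps the camouflaged server hidden, use a length check plus a fixed-time comparison (`gnutls_memcmp` where the GnuTLS in use provides it, otherwise a local loop over all bytes). The function is also non-static and has no prototype in the worker.h hunk; `static` fits its single caller in this file. Note that the whole text after the first `?` must equal the secret, so a client that appends further parameters fails the check — worth a comment if intended. Whether `ws->req.url` can be NULL at this point is not visible here.
```c
static void check_camouflage_url(struct worker_st *ws)
{
	const char *secret = WSCONFIG(ws)->camouflage_secret;
	char *q;
	size_t slen;

	if (secret == NULL)
		return;

	q = strchr(ws->req.url, '?');
	if (q == NULL)
		return;

	/* fixed-time compare: timing can reveal only the secret's length */
	slen = strlen(secret);
	if (strlen(q + 1) == slen && gnutls_memcmp(q + 1, secret, slen) == 0) {
		*q = '\0';
		ws->camouflage_check_passed = 1;
	}
}
```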
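Review bot: The camouflage gate in `vpn_server` runs only for `HTTP_GET`/`HTTP_POST`; any other method skips `check_camouflage_url` and proceeds with `camouflage_check_passed == 0`, relying on the later method dispatch (outside this hunk) to refuse it — the CONNECT path in worker-auth.c covers that case, but the handling of the remaining methods should be confirmed, or the gate placed before the method switch. The results of `response_401`/`response_404` are dropped before `goto finish`; that appears to match how `response_404` is used elsewhere, but a `(void)` cast would make it explicit. Both the beginning and the remainder of `vpn_server` are outside the hunk.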
@@ -1374,7 +1408,7 @@ static void set_net_priority(worker_st * ws, int fd, int priority) } #endif -#ifdef SO_PRIORITY +#if defined(SO_PRIORITY) if (priority != 0 && priority <= 7) { t = ws->user_config->net_priority - 1; ret = setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &t, sizeof(t)); @@ -1385,10 +1419,9 @@ static void set_net_priority(worker_st * ws, int fd, int priority) return; } #endif - return; } -#define SEND_ERR(x) if (x<0) goto send_error +#define SEND_ERR(x) do { if (x<0) goto send_error; } while (0) static int dtls_mainloop(worker_st * ws, struct dtls_st * dtls, struct timespec *tnow) { @@ -2062,16 +2095,16 @@ static int connect_handler(worker_st * ws) oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because IPv6 support was not requested."); } else { switch (req->user_agent_type) { - case AGENT_OPENCONNECT: - case AGENT_ANYCONNECT: - case AGENT_OPENCONNECT_CLAVISTER: - case AGENT_ANYLINK: - break; - case AGENT_OPENCONNECT_V3: - case AGENT_UNKNOWN: - default: - req->no_ipv6 = 1; - oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because the agent is not known."); + case AGENT_OPENCONNECT: + case AGENT_ANYCONNECT: + case AGENT_OPENCONNECT_CLAVISTER: + case AGENT_ANYLINK: + break; + case AGENT_OPENCONNECT_V3: + case AGENT_UNKNOWN: + default: + req->no_ipv6 = 1; + oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because the agent is not known."); } } diff --git a/src/worker.c b/src/worker.c index fb25860e..6396203f 100644 --- a/src/worker.c +++ b/src/worker.c @@ -38,7 +38,7 @@ #ifdef HAVE_GSSAPI #include -extern const ASN1_ARRAY_TYPE kkdcp_asn1_tab[]; +extern const asn1_static_node kkdcp_asn1_tab[]; asn1_node _kkdcp_pkix1_asn = NULL; #endif diff --git a/src/worker.h b/src/worker.h index d8984b1d..d890c8cd 100644 --- a/src/worker.h +++ b/src/worker.h @@ -325,6 +325,7 @@ typedef struct worker_st { uint32_t samples[LATENCY_SAMPLE_SIZE]; } latency; #endif + bool camouflage_check_passed; } worker_st; void vpn_server(struct worker_st* ws); 
@@ -341,6 +342,7 @@ int get_ca_handler(worker_st * ws, unsigned http_ver)
 int get_ca_der_handler(worker_st * ws, unsigned http_ver);
 int response_404(worker_st *ws, unsigned http_ver);
+int response_401(worker_st *ws, unsigned http_ver, char* realm);
 int get_empty_handler(worker_st *server, unsigned http_ver);
 #ifdef ANYCONNECT_CLIENT_COMPAT
 int get_config_handler(worker_st *ws, unsigned http_ver);
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d965eae3..7f2033c9 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -44,7 +44,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
 data/disconnect-user2.config data/ping-leases.config data/haproxy-proxyproto.config \
 data/haproxy-proxyproto.cfg scripts/proxy-connectscript data/haproxy-proxyproto-v1.config \
 data/haproxy-proxyproto-v1.cfg scripts/proxy-connectscript-v1 data/test-multiple-client-ip.config \
- data/test-client-bypass-protocol.config asan.supp
+ data/test-client-bypass-protocol.config asan.supp certs/ca.tmpl certs/server-cert.tmpl \
+ certs/user-cert.tmpl data/test-camouflage.config data/test-camouflage-norealm.config
 xfail_scripts =
 dist_check_SCRIPTS = ocpasswd-test
@@ -61,7 +62,8 @@ dist_check_SCRIPTS += haproxy-connect test-iroute test-multi-cookie test-pass-sc
 test-cookie-invalidation test-user-config test-append-routes test-ban \
 multiple-routes json test-udp-listen-host test-max-same-1 test-script-multi-user \
 apple-ios ipv6-iface test-namespace-listen disconnect-user disconnect-user2 \
- ping-leases test-ban-local test-client-bypass-protocol ipv6-small-net
+ ping-leases test-ban-local test-client-bypass-protocol ipv6-small-net test-camouflage \
+ test-camouflage-norealm
 if RADIUS_ENABLED
 dist_check_SCRIPTS += radius-group radius-otp
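Review bot: The new response_401 prototype takes `char* realm` although the realm is only read (src/worker-vpn.c passes the configured camouflage realm straight through); declare it `int response_401(worker_st *ws, unsigned http_ver, const char *realm);` and change the definition, which is outside this chunk, to match. The declarator spacing also differs from the neighbouring `worker_st *ws` style in the same header.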
@@ -92,7 +94,7 @@ dist_check_SCRIPTS += test-pass test-pass-cert test-cert test-group-pass \
 test-gssapi test-pass-opt-cert test-cert-opt-pass test-gssapi-opt-pass \
 test-gssapi-opt-cert haproxy-auth test-maintenance resumption \
 test-group-name flowcontrol banner invalid-configs haproxy-proxyproto \
- haproxy-proxyproto-v1 drain-server drain-server-fail
+ haproxy-proxyproto-v1 drain-server drain-server-fail test-ignore-querystring-of-post
 if HAVE_CWRAP_PAM
 dist_check_SCRIPTS += test-pam test-pam-noauth
@@ -176,6 +178,25 @@ gen_oidc_test_data_CPPFLAGS = $(AM_CPPFLAGS)
 gen_oidc_test_data_SOURCES = generate_oidc_test_data.c
 gen_oidc_test_data_LDADD = $(LDADD) $(CJOSE_LIBS) $(JANSSON_LIBS)
+certs/ca.pem: certs/ca-key.pem certs/ca.tmpl
+ certtool --generate-self-signed --template certs/ca.tmpl --load-privkey certs/ca-key.pem --outfile certs/ca.pem
+
+certs/server-cert-ca.pem: certs/ca.pem certs/server-cert.pem
+ cat certs/server-cert.pem certs/ca.pem > certs/server-cert-ca.pem
+
+certs/server-cert.pem: certs/server-cert.tmpl certs/ca.pem certs/server-key.pem certs/ca-key.pem
+ certtool --generate-certificate --template certs/server-cert.tmpl --load-privkey certs/server-key.pem --load-ca-certificate certs/ca.pem --load-ca-privkey certs/ca-key.pem --outfile certs/server-cert.pem
+
+certs/user-cert.pem: certs/user-cert.tmpl certs/ca.pem certs/user-key.pem certs/ca-key.pem
+ certtool --generate-certificate --template certs/user-cert.tmpl --load-privkey certs/user-key.pem --load-ca-certificate certs/ca.pem --load-ca-privkey certs/ca-key.pem --outfile certs/user-cert.pem
+
+# make the user certificate invalid by signing it with another CA
+certs/user-cert-invalid.pem: certs/user-cert.tmpl
+ certtool --generate-privkey --outfile ca-key.tmp
+ certtool --generate-self-signed --template certs/ca.tmpl --load-privkey ca-key.tmp --outfile ca.tmp
+ certtool --generate-certificate --template certs/user-cert.tmpl --load-privkey certs/user-key.pem --load-ca-certificate ca.tmp --load-ca-privkey ca-key.tmp --outfile certs/user-cert-invalid.pem
+ rm -f ca-key.tmp ca.tmp
+
 if ENABLE_OIDC_AUTH_TESTS
 check_PROGRAMS += gen_oidc_test_data
 dist_check_SCRIPTS += test-oidc
diff --git a/tests/apple-ios b/tests/apple-ios
index 897d8233..45b0cd38 100755
--- a/tests/apple-ios
+++ b/tests/apple-ios
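Review bot: The `certs/user-cert-invalid.pem` rule lists only `certs/user-cert.tmpl` as a prerequisite but its recipe also reads `certs/ca.tmpl` and `certs/user-key.pem`, so make will not regenerate the fixture when those change; `certs/user-cert-invalid.pem: certs/user-cert.tmpl certs/ca.tmpl certs/user-key.pem` fixes that. The throwaway CA key and certificate go to the fixed names `ca-key.tmp` and `ca.tmp` in the current directory and are only removed when every certtool step succeeds, so a failing step leaves a private key on disk and a parallel build could race on the same names; writing them into a mktemp-created directory that is removed on every exit path would avoid both. The other four rules regenerate the committed fixtures from the templates, which is worth a one-line comment above `certs/ca.pem:` saying that the committed .pem files are outputs of these rules and should not be edited by hand.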
@@ -54,11 +54,11 @@ wait_server $PID sleep 2 echo " * Connecting to obtain cookie... " -( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null ) || +( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null ) || fail $PID "Could not receive cookie from server" echo " * Re-connect to force script run with platform... " -echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 +echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 sleep 5 @@ -87,7 +87,7 @@ fi rm -f ${TMPFILE} echo " * Re-connecting to force script run with user agent... " -echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose --useragent="Cisco AnyConnect VPN Agent for Apple" localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 +echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose --useragent="Cisco AnyConnect VPN Agent for Apple" localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 sleep 5 @@ -114,7 +114,7 @@ fi sleep 5 echo " - Check server status" -( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" echo " - Killing server" diff --git a/tests/ban-ips.c b/tests/ban-ips.c index 541f98e5..bc7f3d03 100644 --- a/tests/ban-ips.c 
+++ b/tests/ban-ips.c @@ -52,7 +52,7 @@ unsigned check_if_banned_str(main_server_st *s, const char *ip) return check_if_banned(s, &addr, addr.ss_family==AF_INET?sizeof(struct sockaddr_in):sizeof(struct sockaddr_in6)); } -int main() +int main(void) { main_server_st *s = talloc(NULL, struct main_server_st); vhost_cfg_st *vhost; diff --git a/tests/banner b/tests/banner index 44954e29..08f8f19d 100755 --- a/tests/banner +++ b/tests/banner @@ -50,7 +50,7 @@ wait_server $PID sleep 3 echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >${TMPFILE} 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >${TMPFILE} 2>&1 ) || fail $PID "Could not receive cookie from server" grep "${BANNER}" ${TMPFILE} >/dev/null @@ -61,7 +61,7 @@ if test $? != 0;then fi echo "Connecting to obtain cookie with wrong password... " -( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >${TMPFILE} 2>&1 ) && +( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >${TMPFILE} 2>&1 ) && fail $PID "Received cookie when we shouldn't" grep "${BANNER}" ${TMPFILE} >/dev/null diff --git a/tests/certs/ca-key.pem b/tests/certs/ca-key.pem index 9bd07541..ee5599c7 100644 --- a/tests/certs/ca-key.pem +++ b/tests/certs/ca-key.pem 
@@ -31,25 +31,3 @@ y1hvTfWRAoGZALNT3AbF9EDnJmZlS30MWtBggw83UhszC8XN2tY30AsvsDOS6a0F UVhyNvBTKo6lPqXqUsVxp16TKeeQKF+DuYuuNZN3pXXsHTiHkRMDCRVEqz7UnZEc /Bq/Kh2aOkelkX2S27QzTZGL -----END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIDtDCCAmygAwIBAgIETeC0yjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5H -bnVUTFMgVGVzdCBDQTAeFw0xMTA1MjgwODM5MzlaFw0zODEwMTIwODM5NDBaMC8x -LTArBgNVBAMTJEdudVRMUyBUZXN0IFNlcnZlciAoUlNBIGNlcnRpZmljYXRlKTCC -AVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/HsqwfvTYvO1D -hmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJl1U1F/Oh -ckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq -58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mB -VAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03 -U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b7eujbZ3L -xTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUC -AwEAAaOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAT -BgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBR2 -B1hM6rUp9S2ABoyDSoINCeyT3jAfBgNVHSMEGDAWgBRNVrdqAFjxZ5L0pnVVG45T -AQPvzzANBgkqhkiG9w0BAQsFAAOCATEAdNWmTsh5uIfngyhOWwm7pK2+vgUMY8nH -gMoMFHt0yuxuImcUMXu3LRS1dZSoCJACBpTFGi/Dg2U0qvOHQcEmc3OwNqHB90R3 -LG5jUSCtq/bYW7h/6Gd9KeWCgZczaHbQ9IPTjLH1dLswVPt+fXKB6Eh0ggSrGATE -/wRZT/XgDCW8t4C+2+TmJ8ZEzvU87KAPQ9rUBS1+p3EUAR/FfMApApsEig1IZ+ZD -5joaGBW7zh1H0B9mEKidRvD7yuRJyzAcvD25nT15NLW0QR3dEeXosLc720xxJl1h -h8NJ7YOvn323mOjR9er4i4D6iJlXmJ8tvN9vakCankWvBzb7plFn2sfMQqICFpRc -w075D8hdQxfpGffL2tEeKSgjyNHXS7x3dFhUpN3IQjUi2x4f2e/ZXg== ------END CERTIFICATE----- diff --git a/tests/certs/ca.pem b/tests/certs/ca.pem index c4058ee0..02f0b76e 100644 --- a/tests/certs/ca.pem +++ b/tests/certs/ca.pem 
@@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD -EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw -fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ -l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW -DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh -zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt -c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b -7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep -n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA -MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC -ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT -z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP -g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX -ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk -x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH -yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg -fJbi9Ui2FmXEeKkX34f1ONNj9Q== +MIIDPDCCAfSgAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +QTAgFw0xMzAyMTMxNTMyMTJaGA85OTk5MTIzMTIzNTk1OVowDTELMAkGA1UEAxMC +Q0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7KsH70 +2LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8WyZdV +NRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITclg6y +bBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7oc0l +YpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLyrXPl +GQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+G+3r +o22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjehKZ+A +eap1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0G +A1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOCATEA +foqPGdiyJYHih4J5YHwFPQxmkOzPHSa13K/q8sDvobE+HFTzrlTbAFC8bS38Bv2f 
+9ZrPME4JvnsGdRGYwxS3LUmNdHHWR8LkvGXBE3u/TZsJfPtOR8JwdulQXpRw7hhL +ew/mR5IEHZrUZgnnI4dg1kJhE1JPTvmtgqcE1CsikVQ14NvG/ehJbJyPgKTq/Zxm +Ru4B5N+Jef/LaOqZvK4xK8x2ZaZ/L/ANou+7EY4DoWAkOEEoCU8DQHLAFgf6B7La +oemLQGNHcBpba81jlS5EXXGJccOvfbw0MJTP3ZvyVIlEYu/X4roC7EJP/UkCZUJG +f79Nc28q2/2D8tuFOqG7UbP7r2cWSa8OO3cI/V1W1k3iWZ63WltqDwFC0c8iqYFL +9xKfQ96Q7wrYOCjmuaCLbw== -----END CERTIFICATE----- diff --git a/tests/certs/ca.tmpl b/tests/certs/ca.tmpl new file mode 100644 index 00000000..da5cc3f0 --- /dev/null +++ b/tests/certs/ca.tmpl @@ -0,0 +1,6 @@ +cn = CA +ca +cert_signing_key +expiration_days = -1 +activation_date = "2013-02-13 16:32:12" +serial = 0x51d82ecc diff --git a/tests/certs/server-cert-ca.pem b/tests/certs/server-cert-ca.pem index 818101a4..8ffaad34 100644 --- a/tests/certs/server-cert-ca.pem +++ b/tests/certs/server-cert-ca.pem 
@@ -1,42 +1,42 @@ -----BEGIN CERTIFICATE----- -MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD -Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs -PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8 -u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd -YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ -IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759 -KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5 -7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU -yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL -gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg -ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0 -UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s -9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9 -GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C -zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/ -eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF -FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j -LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM -zzJKdNg= +MIIDjjCCAkagAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJ +bG9jYWxob3N0MIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEApzor7D8U +sCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leAWOGW/O7QvQQVfl9/pTP4/LuR +7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6zJlm4RYJFZTeX06qGNJZ3WCc +dl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kapfe2AGUV3DKEF1Y20Zs1S2SFb +pkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ROhb62gHMvniNIF0xpO+fSjT +2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjpV3Ymf8ox4OfkSkOXbd3ZOe5Q +CFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0uxLQdDQiDO4b4ct9kKyeWVMjZ +3E0n+qjFaHnYHQIDAQABo4GMMIGJMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJ 
+bG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDAd +BgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0UwqJ +MThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAGQoUMiZVg6+Ibj8kyfq +l/vfu4QxlUlqAbm/b9PVdOLrhz+T986HMFhL0b2HUGg5Mb0NZcgHjH4VLkei4AIb +g/1nGdJ2I6EcLiQOvO4h2F3CoU6HkEGVEUXFaBd19tSDm7aM+2h7oPb3Vs3YT9QE +x7ejmVeA+Qr9+H9xHyModpA1PkKRW31TOYtjUXHdHObT1uar++C1JLHn49ooKDZM +5p9a4ExQVYd6WMRXKC83py1V4Ne5kBxC/l+3QkVZnMwByChySP7SEMa9yGv4KFM9 +FT7XvxQsrkqPi5bCllUyGDrVeyTpyPDrb4BKgAu/Cy4tyDxLzBTZ5TXDH7E1IBps +g1k5llFIyGdO5vQrX8vF61tqK5DBhgVvwu0k/m2lP9esLfaF7I5oGAbUKGhRr8mE +xs8= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD -EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw -fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ -l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW -DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh -zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt -c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b -7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep -n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA -MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC -ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT -z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP -g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX -ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk -x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH -yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg -fJbi9Ui2FmXEeKkX34f1ONNj9Q== +MIIDPDCCAfSgAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +QTAgFw0xMzAyMTMxNTMyMTJaGA85OTk5MTIzMTIzNTk1OVowDTELMAkGA1UEAxMC 
+Q0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7KsH70 +2LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8WyZdV +NRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITclg6y +bBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7oc0l +YpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLyrXPl +GQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+G+3r +o22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjehKZ+A +eap1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0G +A1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOCATEA +foqPGdiyJYHih4J5YHwFPQxmkOzPHSa13K/q8sDvobE+HFTzrlTbAFC8bS38Bv2f +9ZrPME4JvnsGdRGYwxS3LUmNdHHWR8LkvGXBE3u/TZsJfPtOR8JwdulQXpRw7hhL +ew/mR5IEHZrUZgnnI4dg1kJhE1JPTvmtgqcE1CsikVQ14NvG/ehJbJyPgKTq/Zxm +Ru4B5N+Jef/LaOqZvK4xK8x2ZaZ/L/ANou+7EY4DoWAkOEEoCU8DQHLAFgf6B7La +oemLQGNHcBpba81jlS5EXXGJccOvfbw0MJTP3ZvyVIlEYu/X4roC7EJP/UkCZUJG +f79Nc28q2/2D8tuFOqG7UbP7r2cWSa8OO3cI/V1W1k3iWZ63WltqDwFC0c8iqYFL +9xKfQ96Q7wrYOCjmuaCLbw== -----END CERTIFICATE----- diff --git a/tests/certs/server-cert.pem b/tests/certs/server-cert.pem index 4acde02b..b304b47e 100644 --- a/tests/certs/server-cert.pem +++ b/tests/certs/server-cert.pem 
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD -Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs -PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8 -u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd -YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ -IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759 -KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5 -7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU -yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL -gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg -ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0 -UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s -9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9 -GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C -zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/ -eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF -FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j -LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM -zzJKdNg= +MIIDjjCCAkagAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJ +bG9jYWxob3N0MIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEApzor7D8U +sCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leAWOGW/O7QvQQVfl9/pTP4/LuR +7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6zJlm4RYJFZTeX06qGNJZ3WCc +dl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kapfe2AGUV3DKEF1Y20Zs1S2SFb +pkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ROhb62gHMvniNIF0xpO+fSjT +2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjpV3Ymf8ox4OfkSkOXbd3ZOe5Q +CFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0uxLQdDQiDO4b4ct9kKyeWVMjZ +3E0n+qjFaHnYHQIDAQABo4GMMIGJMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJ 
+bG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDAd +BgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0UwqJ +MThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAGQoUMiZVg6+Ibj8kyfq +l/vfu4QxlUlqAbm/b9PVdOLrhz+T986HMFhL0b2HUGg5Mb0NZcgHjH4VLkei4AIb +g/1nGdJ2I6EcLiQOvO4h2F3CoU6HkEGVEUXFaBd19tSDm7aM+2h7oPb3Vs3YT9QE +x7ejmVeA+Qr9+H9xHyModpA1PkKRW31TOYtjUXHdHObT1uar++C1JLHn49ooKDZM +5p9a4ExQVYd6WMRXKC83py1V4Ne5kBxC/l+3QkVZnMwByChySP7SEMa9yGv4KFM9 +FT7XvxQsrkqPi5bCllUyGDrVeyTpyPDrb4BKgAu/Cy4tyDxLzBTZ5TXDH7E1IBps +g1k5llFIyGdO5vQrX8vF61tqK5DBhgVvwu0k/m2lP9esLfaF7I5oGAbUKGhRr8mE +xs8= -----END CERTIFICATE----- diff --git a/tests/certs/server-cert.tmpl b/tests/certs/server-cert.tmpl new file mode 100644 index 00000000..82e34ca3 --- /dev/null +++ b/tests/certs/server-cert.tmpl @@ -0,0 +1,8 @@ +cn = localhost +dns_name = localhost +tls_www_server +signing_key +encryption_key +expiration_days = -1 +activation_date = "2013-06-06 14:51:29" +serial = 0x51d82ef0 diff --git a/tests/certs/user-cert-invalid.pem b/tests/certs/user-cert-invalid.pem index 0175bdfe..4f5dd96c 100644 --- a/tests/certs/user-cert-invalid.pem +++ b/tests/certs/user-cert-invalid.pem 
@@ -1,107 +1,23 @@ -X.509 Certificate Information: - Version: 3 - Serial Number (hex): 51d82f14 - Issuer: CN=CA - Validity: - Not Before: Sat Jul 06 14:52:05 UTC 2013 - Not After: Mon May 15 14:52:05 UTC 2023 - Subject: CN=A user,UID=test - Subject Public Key Algorithm: RSA - Algorithm Security Level: Medium (2432 bits) - Modulus (bits 2432): - 00:ab:54:98:fc:a9:c6:15:95:9d:a6:c1:94:84:94:91 - 79:1e:78:db:2d:48:51:99:65:01:02:c0:40:52:49:5d - eb:70:bc:26:ef:68:39:1e:04:91:e2:db:cb:6f:93:40 - 45:1e:22:8e:71:5a:58:89:28:79:5e:1a:32:25:3e:8b - 9d:3b:34:7f:19:f8:d0:2f:37:b7:62:32:b7:53:a5:43 - 2c:c5:5d:ec:ac:f9:35:fa:14:2b:34:66:f1:d6:a7:a1 - d0:83:9a:56:f4:19:83:bc:bf:11:74:30:2d:a8:28:5b - a2:ab:7a:c6:cd:9c:5c:f8:51:e9:a9:0c:48:db:71:bb - b1:34:77:f7:ee:de:5d:78:c0:48:0a:37:0d:65:1e:3b - 2b:14:03:89:72:f2:52:ed:5f:00:c5:06:60:ea:80:20 - d0:43:ec:66:bc:d2:26:db:f0:29:3e:6a:f9:62:20:be - 58:26:44:ba:d7:8c:6f:76:a6:05:20:e4:98:b7:c4:72 - 7a:5d:df:4f:0d:23:ec:2e:9c:71:ec:30:f9:14:5f:c8 - 75:0b:ab:67:f6:7d:fb:4d:76:64:4a:a5:d5:fa:b4:08 - 50:9d:13:c7:8f:c2:79:b0:b4:3e:2f:89:d3:33:27:4d - 9f:8b:d3:60:24:07:ab:b2:72:3d:29:a5:c4:4a:ec:3c - 04:d2:49:3e:26:1b:ec:7a:10:3d:ca:45:5a:80:8b:4d - 2a:96:63:4f:2d:63:28:0f:3b:47:47:ca:7c:2c:15:41 - 32:d5:e0:c9:be:a5:55:2c:b3:6b:46:2a:56:b1:1b:ed - 29 - Exponent (bits 24): - 01:00:01 - Extensions: - Basic Constraints (critical): - Certificate Authority (CA): FALSE - Key Purpose (not critical): - TLS WWW Client. - Key Usage (critical): - Digital signature. - Key encipherment. 
- Subject Key Identifier (not critical): - 8b01094b3b91ece321b91dec8d6b4c5d9e40805e - Authority Key Identifier (not critical): - 482334530a8931384a5aeacab6d2a6dece1d2b18 - Signature Algorithm: RSA-SHA256 - Signature: - 6b:bd:e2:90:d7:11:cf:6c:0d:e3:bd:f4:61:cd:57:83 - 41:be:2a:92:46:dd:fa:44:6c:60:1c:ef:3e:1e:2f:e1 - e2:5b:45:88:6a:1e:50:2d:8d:96:c4:c7:80:75:59:7b - 54:6b:fb:86:b0:f1:6d:45:09:db:48:de:20:0a:87:60 - 30:5e:35:f0:52:c4:55:44:c1:ff:e1:7c:3d:d6:6d:58 - ca:1c:fd:bf:04:9a:9b:10:35:05:fc:d1:01:3c:af:bb - 64:31:5e:59:8f:ef:6f:0d:35:e5:c0:07:77:0e:31:20 - 8e:e3:2e:f1:a6:4d:f1:be:85:5b:df:04:48:9d:8c:c9 - c9:c1:b8:e3:e2:d2:4b:55:83:e9:d8:7b:71:2f:8e:89 - fc:4d:a7:f1:b0:bf:47:9b:97:c4:85:dd:c3:3d:38:15 - 36:08:73:10:87:08:f6:e6:1c:4e:29:a8:a5:f5:24:b8 - 0d:e9:d9:b8:19:27:1d:73:35:fe:7b:81:1f:4a:81:6a - 93:cd:a2:71:d7:60:0e:08:ee:ea:c8:2b:44:1b:e4:45 - 6c:fe:44:68:d6:86:ad:89:4f:7e:9f:f9:1a:2a:97:0f - 6b:eb:5d:6e:38:b3:5b:13:b9:e3:4a:10:32:5b:dc:a9 - b4:a1:4e:b3:f9:4f:91:de:bc:cc:36:91:44:ba:e0:34 - 74:f7:68:b4:7b:0e:db:4e:ec:28:03:01:cf:0a:63:c4 - 23:75:0b:4b:41:9d:e0:68:b3:cb:bf:b5:5c:3d:52:93 - 20:ba:ea:b8:f0:8c:f7:a6:ec:cd:a3:aa:4f:2a:ff:20 -Other Information: - SHA1 fingerprint: - 5509a76b8738216938cdb3ec25048812737170de - SHA256 fingerprint: - c93e38ef35f1a9c485a27b161e708f2d45bf8768eb53a23fec841a8f35d6e478 - Public Key ID: - 8b01094b3b91ece321b91dec8d6b4c5d9e40805e - Public key's random art: - +--[ RSA 2432]----+ - | o=o | - |..oE.. | - |.+=.o | - |o.*.... | - | * B +..S | - |. * o oo . | - | o . . . | - | + | - | . 
| - +-----------------+ - -----BEGIN CERTIFICATE----- -MIIDjDCCAkSgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -QTAiGA8yMDEzMDcwNjE0NTIwNVoYDzIwMjMwNTE1MTQ1MjA1WjAnMQ8wDQYDVQQD -EwZBIHVzZXIxFDASBgoJkiaJk/IsZAEBEwR0ZXN0MIIBUjANBgkqhkiG9w0BAQEF -AAOCAT8AMIIBOgKCATEAq1SY/KnGFZWdpsGUhJSReR542y1IUZllAQLAQFJJXetw -vCbvaDkeBJHi28tvk0BFHiKOcVpYiSh5XhoyJT6LnTs0fxn40C83t2Iyt1OlQyzF -Xeys+TX6FCs0ZvHWp6HQg5pW9BmDvL8RdDAtqChboqt6xs2cXPhR6akMSNtxu7E0 -d/fu3l14wEgKNw1lHjsrFAOJcvJS7V8AxQZg6oAg0EPsZrzSJtvwKT5q+WIgvlgm -RLrXjG92pgUg5Ji3xHJ6Xd9PDSPsLpxx7DD5FF/IdQurZ/Z9+012ZEql1fq0CFCd -E8ePwnmwtD4vidMzJ02fi9NgJAersnI9KaXESuw8BNJJPiYb7HoQPcpFWoCLTSqW -Y08tYygPO0dHynwsFUEy1eDJvqVVLLNrRipWsRvtKQIDAQABo3YwdDAMBgNVHRMB -Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHoAAwHQYD -VR0OBBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4 -SlrqyrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQBrveKQ1xHPbA3jvfRhzVeD -Qb4qkkbd+kRsYBzvPh4v4eJbRYhqHlAtjZbEx4B1WXtUa/uGsPFtRQnbSN4gCodg -MF418FLEVUTB/+F8PdZtWMoc/b8EmpsQNQX80QE8r7tkMV5Zj+9vDTXlwAd3DjEg -juMu8aZN8b6FW98ESJ2MycnBuOPi0ktVg+nYe3Evjon8TafxsL9Hm5fEhd3DPTgV -NghzEIcI9uYcTimopfUkuA3p2bgZJx1zNf57gR9KgWqTzaJx12AOCO7qyCtEG+RF -bP5EaNaGrYlPfp/5GiqXD2vrXW44s1sTueNKEDJb3Km0oU6z+U+R3rzMNpFEuuA0 -dPdotHsO207sKAMBzwpjxCN1C0tBneBos8u/tVw9UpMguuq48Iz3puzNo6pPKv8g +MIID2TCCAkGgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowJzEPMA0GA1UEAxMG +QSB1c2VyMRQwEgYKCZImiZPyLGQBARMEdGVzdDCCAVIwDQYJKoZIhvcNAQEBBQAD +ggE/ADCCAToCggExAKtUmPypxhWVnabBlISUkXkeeNstSFGZZQECwEBSSV3rcLwm +72g5HgSR4tvLb5NARR4ijnFaWIkoeV4aMiU+i507NH8Z+NAvN7diMrdTpUMsxV3s +rPk1+hQrNGbx1qeh0IOaVvQZg7y/EXQwLagoW6KresbNnFz4UempDEjbcbuxNHf3 +7t5deMBICjcNZR47KxQDiXLyUu1fAMUGYOqAINBD7Ga80ibb8Ck+avliIL5YJkS6 +14xvdqYFIOSYt8Ryel3fTw0j7C6cceww+RRfyHULq2f2fftNdmRKpdX6tAhQnRPH +j8J5sLQ+L4nTMydNn4vTYCQHq7JyPSmlxErsPATSST4mG+x6ED3KRVqAi00qlmNP +LWMoDztHR8p8LBVBMtXgyb6lVSyza0YqVrEb7SkCAwEAAaN1MHMwDAYDVR0TAQH/ 
+BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0O +BBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFAV+KcZC+G2nf/6V +sElx119oZKWUMA0GCSqGSIb3DQEBCwUAA4IBgQCTOjwtK5sDPFdbWWlScDX9xfNf +tnqRL22Id6VIRcAiuu6KVAYRNs3Pdv65H9orSaohrBRfWKEqAi51bhvDQvzhbw7u +881txF+6s0fauArxAUai3e11eCil3gt0JOQVephmPKw6pVq9mMieho5I2SQ8CXoQ +pSrselGaOTp8CK1r90pn8RGiJrZ3xJu5Yezb3AWCs3IOHhRT1Rc5mFnvs9VVR64h +Pvlr9yBOf/pBEuylQr00plhsZdLra/nIspsGnOIiuM4eIliP6bQwE06u1LxlCbgB +CAGTQ86vbO2xT1i8dZeq8TJ72OatmRboUBncaZNIT3rUTZxZYkYhkNtVTKnv/8qq +LZI23qtcWLEAsc1O0Xva22wjkg5QE06AiWdcwK3f/Qpvj5yO9+PL7X4lP47n5D6m +t1S6xisKgjo/IP9Wk3mPNaNDN3hZCaFRYEHn4CYrlXHqjg1w7quCKApYzrh5/L1Y +b9U/qzwF7SatFovndYtf02bjcrHC/TA53IdiQPA= -----END CERTIFICATE----- diff --git a/tests/certs/user-cert.pem b/tests/certs/user-cert.pem index ef5114cb..32ab2352 100644 --- a/tests/certs/user-cert.pem +++ b/tests/certs/user-cert.pem 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDjDCCAkSgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -QTAiGA8yMDEzMDcwNjE0NTIwNVoYDzIwMjMwNTE1MTQ1MjA1WjAnMQ8wDQYDVQQD -EwZBIHVzZXIxFDASBgoJkiaJk/IsZAEBEwR0ZXN0MIIBUjANBgkqhkiG9w0BAQEF -AAOCAT8AMIIBOgKCATEAq1SY/KnGFZWdpsGUhJSReR542y1IUZllAQLAQFJJXetw -vCbvaDkeBJHi28tvk0BFHiKOcVpYiSh5XhoyJT6LnTs0fxn40C83t2Iyt1OlQyzF -Xeys+TX6FCs0ZvHWp6HQg5pW9BmDvL8RdDAtqChboqt6xs2cXPhR6akMSNtxu7E0 -d/fu3l14wEgKNw1lHjsrFAOJcvJS7V8AxQZg6oAg0EPsZrzSJtvwKT5q+WIgvlgm -RLrXjG92pgUg5Ji3xHJ6Xd9PDSPsLpxx7DD5FF/IdQurZ/Z9+012ZEql1fq0CFCd -E8ePwnmwtD4vidMzJ02fi9NgJAersnI9KaXESuw8BNJJPiYb7HoQPcpFWoCLTSqW -Y08tYygPO0dHynwsFUEy1eDJvqVVLLNrRipWsRvtKQIDAQABo3YwdDAMBgNVHRMB -Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHoAAwHQYD -VR0OBBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4 -SlrqyrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQBrveOQ1xHPbA3jvfRhzVeD -Qb4qkkbd+kRsYBzvPh4v4eJbRYhqHlAtjZbEx4B1WXtUa/uGsPFtRQnbSN4gCodg -MF418FLEVUTB/+F8PdZtWMoc/b8EmpsQNQX80QE8r7tkMV5Zj+9vDTXlwAd3DjEg -juMu8aZN8b6FW98ESJ2MycnBuOPi0ktVg+nYe3Evjon8TafxsL9Hm5fEhd3DPTgV -NghzEIcI9uYcTimopfUkuA3p2bgZJx1zNf57gR9KgWqTzaJx12AOCO7qyCtEG+RF -bP5EaNaGrYlPfp/5GiqXD2vrXW44s1sTueNKEDJb3Km0oU6z+U+R3rzMNpFEuuA0 -dPdotHsO207sKAMBzwpjxCN1C0tBneBos8u/tVw9UpMguuq48Iz3puzNo6pPKv8g +MIIDiTCCAkGgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowJzEPMA0GA1UEAxMG +QSB1c2VyMRQwEgYKCZImiZPyLGQBARMEdGVzdDCCAVIwDQYJKoZIhvcNAQEBBQAD +ggE/ADCCAToCggExAKtUmPypxhWVnabBlISUkXkeeNstSFGZZQECwEBSSV3rcLwm +72g5HgSR4tvLb5NARR4ijnFaWIkoeV4aMiU+i507NH8Z+NAvN7diMrdTpUMsxV3s +rPk1+hQrNGbx1qeh0IOaVvQZg7y/EXQwLagoW6KresbNnFz4UempDEjbcbuxNHf3 +7t5deMBICjcNZR47KxQDiXLyUu1fAMUGYOqAINBD7Ga80ibb8Ck+avliIL5YJkS6 +14xvdqYFIOSYt8Ryel3fTw0j7C6cceww+RRfyHULq2f2fftNdmRKpdX6tAhQnRPH +j8J5sLQ+L4nTMydNn4vTYCQHq7JyPSmlxErsPATSST4mG+x6ED3KRVqAi00qlmNP +LWMoDztHR8p8LBVBMtXgyb6lVSyza0YqVrEb7SkCAwEAAaN1MHMwDAYDVR0TAQH/ 
+BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0O +BBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4Slrq +yrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQAp51Ks5DDWVlLB6fMM2NJV80sX +Rx6U1g6ovA7N5BDQiF6FYzVZECMH3d9nyZssHbkzb6qyO1m58P0cNkVurEH27+Z2 +xdkNw5bbcvNDVhfVSjwa6nyTLfhf7vOTWaIxGGmffP72PIe87N6QmyCCGG0IXIkO +kcTAE8IgX6k1mEr1Xy2ZtFVgKjPPLxsixIJ7TEktvJR1RqWQfbsOS8f13lvS1Vhh +vc+UMbIQnz+jl4qNV/AX7GfpEYiBkbrgcjsggl/KMuwcauhEDdvfIQjcyRbQN36p +KcVEXDpnG54sAfXAs9Z+adbvmu0ONAMCDuxKCT2eG1SGVrtiT5+7kCMso1eKz/5A +r1XP0RgCKFExIRYb1elFpLc8wmJbN4qof2zisKG8UajFIHzIGateiu53enNn -----END CERTIFICATE----- diff --git a/tests/certs/user-cert.tmpl b/tests/certs/user-cert.tmpl new file mode 100644 index 00000000..6a604964 --- /dev/null +++ b/tests/certs/user-cert.tmpl @@ -0,0 +1,7 @@ +dn = "uid=test,cn=A user" +tls_www_client +signing_key +encryption_key +expiration_days = -1 +activation_date = "2013-06-06 14:51:29" +serial = 0x51d82f14 diff --git a/tests/cipher-common.sh b/tests/cipher-common.sh index fb9e2acb..07443a0a 100755 --- a/tests/cipher-common.sh +++ b/tests/cipher-common.sh 
@@ -91,14 +91,14 @@ fi # Run clients echo " * Getting cookie from ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} --cookieonly ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ${CSTR} --cookieonly ) if test $? != 0;then echo "Could not get cookie from server" exit 1 fi echo " * Connecting to ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 diff --git a/tests/cstp-recv.c b/tests/cstp-recv.c index f474e493..6441ac81 100644 --- a/tests/cstp-recv.c +++ b/tests/cstp-recv.c @@ -68,7 +68,6 @@ void writer(int fd) assert(write(fd, buf+j, 1) == 1); } } - return; } void receiver(int fd) @@ -87,8 +86,6 @@ void receiver(int fd) fprintf(stderr, "received %d\n", ret); assert(ret > 0); } - - return; } int main(int argc, char **argv) diff --git a/tests/data/test-camouflage-norealm.config b/tests/data/test-camouflage-norealm.config new file mode 100644 index 00000000..3bd4739c --- /dev/null +++ b/tests/data/test-camouflage-norealm.config 
@@ -0,0 +1,191 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+auth = "plain[./data/test1.passwd]"
+#auth = "pam"
+
+isolate-workers = @ISOLATE_WORKERS@
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = ./certs/server-cert.pem
+server-key = ./certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie timeout (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. That cookie will be invalided if not
+# used within this timeout value. On a user disconnection, that
+# cookie will also be active for this time amount prior to be
+# invalid. That should allow a reasonable amount of time for roaming
+# between different networks.
+cookie-timeout = 30
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+# Use the keyword local to advertise the local P-t-P address as DNS server
+dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+ipv6-network = fe80::
+ipv6-prefix = 16
+#ipv6-dns =
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility. They are only available if the server is built
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+
+camouflage = true
+camouflage_secret = "mysecretkey"
diff --git a/tests/data/test-camouflage.config b/tests/data/test-camouflage.config
new file mode 100644
index 00000000..852fe68e
--- /dev/null
+++ b/tests/data/test-camouflage.config
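Review bot: tests/data/test-camouflage-norealm.config is a line-for-line copy of tests/data/test-camouflage.config added by the same commit (191 vs 192 lines), the only difference being that the `camouflage_realm = "Please enter password"` line is absent here; two near-identical 190-line fixtures will drift the first time someone edits one of them. Since the harness already substitutes `@PORT@` and `@ISOLATE_WORKERS@` into these files, a single template with a substituted placeholder (for example a constructed `@CAMOUFLAGE_REALM@` line that the no-realm test leaves empty), or one file with the realm line stripped by the test, would cover both cases from one source. Separately, `pid-file = /var/run/ocserv.pid` and `socket-file = /var/run/ocserv-socket` point at system locations; if this mirrors the other test configs and runs under the existing wrappers that is fine, but it is worth confirming the new tests do not depend on being root.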
@@ -0,0 +1,192 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+auth = "plain[./data/test1.passwd]"
+#auth = "pam"
+
+isolate-workers = @ISOLATE_WORKERS@
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = ./certs/server-cert.pem
+server-key = ./certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie timeout (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. That cookie will be invalided if not
+# used within this timeout value. On a user disconnection, that
+# cookie will also be active for this time amount prior to be
+# invalid. That should allow a reasonable amount of time for roaming
+# between different networks.
+cookie-timeout = 30
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+# Use the keyword local to advertise the local P-t-P address as DNS server
+dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+ipv6-network = fe80::
+ipv6-prefix = 16
+#ipv6-dns =
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility. They are only available if the server is built
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+
+camouflage = true
+camouflage_secret = "mysecretkey"
+camouflage_realm = "Please enter password"
diff --git a/tests/disconnect-user b/tests/disconnect-user
index 67a016ea..bf4c7abf 100755
--- a/tests/disconnect-user
+++ b/tests/disconnect-user
@@ -77,7 +77,7 @@ sleep 3 # Run clients echo " * Getting cookie from ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${TMPFILE} ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${TMPFILE} ) if test $? != 0;then echo "Could not get cookie from server" exit 1
@@ -85,7 +85,7 @@ fi eval $(cat ${TMPFILE}) echo " * Connecting to ${ADDRESS}:${PORT}..." -( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) +( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) if test $? != 0;then echo "Could not connect to server" exit 1
@@ -105,7 +105,7 @@ if test $? != 0;then fi echo " * Re-connecting to obtain cookie after disconnect... " -( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) +( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) if test $? = 0;then echo "Succeeded using the cookie to connect" exit 1 diff --git a/tests/disconnect-user2 b/tests/disconnect-user2 index ef8c3c12..e00cc671 100755 --- a/tests/disconnect-user2 +++ b/tests/disconnect-user2 @@ -75,7 +75,7 @@ sleep 3 # Run clients echo " * Getting cookie from ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${TMPFILE} ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${TMPFILE} ) if test $? != 0;then echo "Could not get cookie from server" exit 1 @@ -83,7 +83,7 @@ fi eval $(cat ${TMPFILE}) echo " * Connecting to ${ADDRESS}:${PORT}..." -( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) +( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) if test $? != 0;then echo "Could not connect to server" exit 1 
@@ -103,7 +103,7 @@ if test $? != 0;then fi echo " * Re-connecting to obtain cookie after disconnect... " -( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) +( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) if test $? = 0;then echo "Succeeded using the cookie to connect" exit 1 diff --git a/tests/drain-server b/tests/drain-server index be51cd42..808067f8 100755 --- a/tests/drain-server +++ b/tests/drain-server @@ -35,7 +35,7 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || fail $PID "Could not receive cookie from server" if ! test -f ${PIDFILE};then @@ -48,7 +48,7 @@ kill -15 $(cat $PIDFILE) sleep 1 echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) && +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) && fail $PID "Server is still listening" wait diff --git a/tests/drain-server-fail b/tests/drain-server-fail index d61106e6..a2c495d3 100755 --- a/tests/drain-server-fail +++ b/tests/drain-server-fail 
@@ -48,7 +48,7 @@ launch_simple_sr_server -d 3 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || fail $PID "Could not receive cookie from server" if ! test -f ${PIDFILE};then diff --git a/tests/flowcontrol b/tests/flowcontrol index fb60f672..7ef6b708 100755 --- a/tests/flowcontrol +++ b/tests/flowcontrol 
@@ -37,39 +37,39 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || fail $PID "Could not receive cookie from server" echo "Connecting to obtain cookie with wrong password... " -( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Received cookie when we shouldn't" echo "Connecting to obtain cookie with empty password... " -( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Received cookie when we shouldn't" echo "Connecting to obtain cookie with wrong username... 
" -( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Received cookie when we shouldn't" # test locked account echo "Connecting to obtain cookie with locked account... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Received cookie when we shouldn't" #test special characters echo "Connecting to obtain cookie with special password... " -( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" echo "Connecting to obtain cookie with empty password... " -( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" #echo "Normal connection... 
" -#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || +#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || # fail $PID "Could not connect to server" if ! test -f ${PIDFILE};then diff --git a/tests/haproxy-auth b/tests/haproxy-auth index b6537146..5261860b 100755 --- a/tests/haproxy-auth +++ b/tests/haproxy-auth @@ -51,7 +51,7 @@ LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT wait_server ${HAPID} echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then kill ${HAPID} fail ${PID} "Could not receive cookie from server" @@ -66,7 +66,7 @@ LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT wait_server ${HAPID} echo "Re-connecting to obtain cookie after haproxy restart... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then kill ${HAPID} fail ${PID} "Could not receive cookie from server" diff --git a/tests/haproxy-connect b/tests/haproxy-connect index c42b76c7..662c08f1 100755 --- a/tests/haproxy-connect +++ b/tests/haproxy-connect 
@@ -91,14 +91,14 @@ sleep 3 # Run clients echo " * Getting cookie from ${ADDRESS}:${HAPORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then echo "Could not get cookie from server" exit 1 fi echo " * Connecting to ${ADDRESS}:${HAPORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 @@ -135,7 +135,7 @@ set +e sleep 3 echo " * Re-connecting to obtain cookie after haproxy restart... " -( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then echo "Could not receive cookie from server on reconnection" exit 1 diff --git a/tests/haproxy-proxyproto b/tests/haproxy-proxyproto index 70c1390a..54e413cf 100755 --- a/tests/haproxy-proxyproto +++ b/tests/haproxy-proxyproto 
@@ -94,14 +94,14 @@ sleep 3 # Run clients echo " * Getting cookie from ${ADDRESS}:${HAPORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then echo "Could not get cookie from server" exit 1 fi echo " * Connecting to ${ADDRESS}:${HAPORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 diff --git a/tests/haproxy-proxyproto-v1 b/tests/haproxy-proxyproto-v1 index d2745757..f7675814 100755 --- a/tests/haproxy-proxyproto-v1 +++ b/tests/haproxy-proxyproto-v1 
@@ -94,14 +94,14 @@ sleep 3 # Run clients echo " * Getting cookie from ${ADDRESS}:${HAPORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then echo "Could not get cookie from server" exit 1 fi echo " * Connecting to ${ADDRESS}:${HAPORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 diff --git a/tests/html-escape.c b/tests/html-escape.c index 4956f212..a07356b7 100644 --- a/tests/html-escape.c +++ b/tests/html-escape.c @@ -25,6 +25,7 @@ #include #include "../src/html.h" #include "../src/html.c" +#include "../src/common/common.h" static char *strings[] = { @@ -54,13 +55,13 @@ static char *encoded_strings[] = "Ahoy matey!" }; -int main() +int main(void) { char *dec; unsigned i; unsigned len; - for (i=0;i #include "../src/occtl/json.h" #include "../src/occtl/json.c" +#include "../src/common/common.h" static char *strings[] = { 
@@ -46,13 +47,13 @@ static char *encoded_strings[] = "\\u0009big pile \\u0008\\u0008 of stuff\\u000d\\u000a" }; -int main() +int main(void) { char tmp[512]; char *p; unsigned i; - for (i=0;i/dev/null ) || +( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null ) || fail $PID "Could not connect with certificate!" echo ok echo -n "Re-connecting to get routes... " -timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 +timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 echo ok diff --git a/tests/no-route-default b/tests/no-route-default index 0c6f4f20..6cc68f0c 100755 --- a/tests/no-route-default +++ b/tests/no-route-default @@ -43,7 +43,7 @@ PID=$! wait_server $PID echo -n "Connecting to get routes... " -timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 +timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 echo ok 
@@ -68,7 +68,7 @@ PID=$! wait_server $PID echo -n "Connecting to get routes... " -timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 +timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 echo ok diff --git a/tests/no-route-group b/tests/no-route-group index 59ec2f0f..25cfaa66 100755 --- a/tests/no-route-group +++ b/tests/no-route-group @@ -43,7 +43,7 @@ PID=$! wait_server $PID echo -n "Connecting to get routes... " -echo "test" | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 +echo "test" | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 -u test --passwd-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 echo ok @@ -68,7 +68,7 @@ PID=$! wait_server $PID echo -n "Connecting to get routes... " -echo test | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 --passwd-on-stdin -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 +echo test | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 --passwd-on-stdin -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 echo ok diff --git a/tests/ping-leases b/tests/ping-leases index d97012e2..3a43ac51 100755 --- a/tests/ping-leases +++ b/tests/ping-leases 
@@ -52,12 +52,12 @@ fi echo "Server started with PID $PID..." echo "Connecting to obtain cookie..." -( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || +( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || fail $PID "Could not receive cookie from server" echo "Connecting to ping lease..." -echo "test" | timeout 10 $OPENCONNECT localhost:$PORT -u "test" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true +echo "test" | timeout 10 $OPENCONNECT localhost:$PORT -u "test" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true if test $? != 124;then fail $PID "Could not connect to server" diff --git a/tests/port-parsing.c b/tests/port-parsing.c index fd355198..3c1ccb30 100644 --- a/tests/port-parsing.c +++ b/tests/port-parsing.c @@ -35,7 +35,6 @@ void fw_port_st__init(FwPortSt *message) { - return; } void check_vals(FwPortSt **fw_ports, size_t n_fw_ports) { @@ -61,7 +60,7 @@ void check_vals(FwPortSt **fw_ports, size_t n_fw_ports) { } } -int main() +int main(void) { char p[256]; int ret; diff --git a/tests/radius b/tests/radius index 859671d8..7bc705a6 100755 --- a/tests/radius +++ b/tests/radius 
@@ -98,21 +98,21 @@ sleep 4 # Run clients echo " * Testing wrong username at ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? = 0;then echo "Connected with incorrect username" exit 1 fi echo " * Testing wrong password at ${ADDRESS}:${PORT}..." -( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? = 0;then echo "Connected with incorrect password" exit 1 fi echo " * Getting cookie from ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then echo "Could not get cookie from server" exit 1 @@ -120,7 +120,7 @@ fi echo " * Connecting to ${ADDRESS}:${PORT} with special IP..." USERNAME=test-arb -( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 
@@ -148,7 +148,7 @@ sleep 3 echo " * Connecting to ${ADDRESS}:${PORT}..." USERNAME=test -( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 diff --git a/tests/radius-config b/tests/radius-config index 72850912..af9d3f7b 100755 --- a/tests/radius-config +++ b/tests/radius-config @@ -123,7 +123,7 @@ sleep 4 echo " * Connecting to ${ADDRESS}:${PORT}..." USERNAME=testtime -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 diff --git a/tests/radius-group b/tests/radius-group index 1f28cdac..9b858898 100755 --- a/tests/radius-group +++ b/tests/radius-group 
@@ -100,7 +100,7 @@ sleep 4 echo " * Tests the radius group functionality" USERNAME=test-class -( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 @@ -137,7 +137,7 @@ sleep 4 echo " * Tests the alt radius group functionality" USERNAME=test-class -( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 diff --git a/tests/radius-otp b/tests/radius-otp index 11c39077..9b4fecb1 100755 --- a/tests/radius-otp +++ b/tests/radius-otp @@ -111,7 +111,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do sleep 0.5 echo "$USERNAME-stage$COUNT" done -} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b >/dev/null 2>&1) +} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b >/dev/null 2>&1) if test $? != 0; then echo "Could not connect to server" exit 1 
@@ -151,7 +151,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do sleep 0.5 echo "$USERNAME-stage" done -} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) +} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) if test $? == 0; then echo "Connected with wrong username" exit 1 @@ -173,7 +173,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do echo "$USERNAME-stage$COUNT" fi done -} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) +} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) if test $? == 0; then echo "Connected with wrong OTP" exit 1 @@ -197,7 +197,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do echo "$USERNAME-stage$COUNT" fi done -} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) +} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) if test $? == 0; then echo "Connected with wrong OTP" exit 1 
@@ -218,7 +218,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do echo "$USERNAME-stage$COUNT" fi done -} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) +} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) if test $? == 0; then echo "Connected with blank OTP" exit 1 @@ -247,7 +247,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do echo "$USERNAME-stage$COUNT" fi done -} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) +} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) if test $? == 0; then echo "Successful connection with the number of OTP retries greater than allowed by the ban system (default 30)." ${OCCTL} -s ${OCCTL_SOCKET} show ip ban points @@ -265,7 +265,7 @@ for (( COUNT=1; COUNT <= 17; COUNT++ )); do sleep 0.5 echo "$USERNAME-stage$COUNT" done -} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) +} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) if test $? == 0; then echo "Connected to server - MAX_CHALLENGES test failed" exit 1 diff --git a/tests/str-test.c b/tests/str-test.c index 4632d27c..e751283e 100644 
--- a/tests/str-test.c +++ b/tests/str-test.c @@ -30,7 +30,7 @@ static char *myfunc(void *pool, const char *str) } #define STR1 "hi there people. How are you?" -int main() +int main(void) { str_st str; str_rep_tab tab[16]; diff --git a/tests/str-test2.c b/tests/str-test2.c index e07fc485..870a060b 100644 --- a/tests/str-test2.c +++ b/tests/str-test2.c @@ -25,7 +25,7 @@ #include "../src/str.c" #define STR1 " hi there people. How are you?" -int main() +int main(void) { char str[64]; diff --git a/tests/test-append-routes b/tests/test-append-routes index be71d228..923d0aa9 100755 --- a/tests/test-append-routes +++ b/tests/test-append-routes @@ -41,7 +41,7 @@ wait_server $PID echo "Checking if routes are appended... " -timeout 15s $OPENCONNECT localhost:$PORT -v --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 +timeout 15s $OPENCONNECT localhost:$PORT -v --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 echo "cat" cat ${TMPFILE1} diff --git a/tests/test-ban b/tests/test-ban index eb6a8748..be4695a2 100755 --- a/tests/test-ban +++ b/tests/test-ban 
@@ -59,15 +59,15 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! sleep 4 echo "Connecting with wrong password 5 times... " -echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= echo "" echo "Connecting with correct password... 
" -eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` +eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` if [ -n "$COOKIE" ];then fail $PID "Obtained cookie although should have been banned" @@ -90,7 +90,7 @@ sleep 25 echo "" echo "Connecting with correct password after ban time... " -eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` +eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` if [ -z "$COOKIE" ];then fail $PID "Could not obtain cookie even though ban should be lifted" 
@@ -99,16 +99,16 @@ fi echo "" echo "Checking ban reset time... " -echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= sleep 11 -echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= echo "" echo "Connecting with correct password after ban reset time... 
" -eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` +eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` if [ -z "$COOKIE" ];then fail $PID "Could not obtain cookie even though ban should be lifted" diff --git a/tests/test-ban-local b/tests/test-ban-local index d2a43976..fbe0eb27 100755 --- a/tests/test-ban-local +++ b/tests/test-ban-local 
@@ -60,15 +60,15 @@ ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! sleep 4 echo "Connecting with wrong password 5 times... " -echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= +echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= echo "" echo "Connecting with correct password... 
" -eval `echo "test" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` +eval `echo "test" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` if [ -z "$COOKIE" ];then fail $PID "Could not obtain cookie even though client should be exempt" diff --git a/tests/test-camouflage b/tests/test-camouflage new file mode 100755 index 00000000..53959e84 --- /dev/null +++ b/tests/test-camouflage 
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+# Copyright (C) 2023 Kirill Ovchinnikov
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+CLIENTPIDFILE=openconnect-pid.$$.tmp
+SECRETURL="/?mysecretkey"
+SERVERCERT="pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8="
+
+. `dirname $0`/common.sh
+
+eval "${GETPORT}"
+
+echo "Testing connection to the server with camouflage enabled"
+
+update_config test-camouflage.config
+
+launch_server -d 1 -f -c ${CONFIG} & PID=$!
+wait_server ${PID}
+
+echo "Checking with CURL that server returns us HTTP 401 for GET"
+http_result=$(curl --insecure https://localhost:${PORT} --output /dev/null --silent --write-out "%{http_code}")
+if [ "${http_result}" != "401" ]; then
+ fail ${PID} "Server returned ${http_result} instead of 401 for GET"
+fi
+echo "OK"
+
+
+echo "Checking with CURL that server returns us HTTP 403 for POST"
+http_result=$(curl -X POST -F 'test=test' --insecure https://localhost:${PORT} --output /dev/null --silent --write-out "%{http_code}")
+if [ "${http_result}" != "401" ]; then
+ fail ${PID} "Server returned ${http_result} instead of 401 for POST"
+fi
+echo "OK"
+
+echo "Connecting to obtain cookie without secret URL"
+eval `echo "test" | ${OPENCONNECT} -q localhost:${PORT} -u test --servercert ${SERVERCERT} --authenticate`
+if [ ! -z "${COOKIE}" ];then
+ fail ${PID} "Got a cookie, this shouldn't happen"
+fi
+echo "OK"
+
+echo "Connecting to obtain cookie using secret URL.."
+eval `echo "test" | ${OPENCONNECT} -q localhost:${PORT}${SECRETURL} -u test --servercert ${SERVERCERT} --authenticate`
+if [ -z "${COOKIE}" ];then
+ fail ${PID} "Could not obtain cookie"
+fi
+echo "OK"
+
+
+echo "Connecting with cookie..."
+$OPENCONNECT -q localhost:${PORT} -u test -C "${COOKIE}" --servercert ${SERVERCERT} --script=/bin/true --verbose --pid-file "${CLIENTPIDFILE}" --background
+sleep 4
+if [ ! -f "${CLIENTPIDFILE}" ];then
+ fail ${PID} "Failed to establish the session"
+fi
+echo "Seems like the connection is established, stopping the client to finish the test...."
+kill -USR1 `cat "${CLIENTPIDFILE}"`
+if test $? != 0;then
+ fail ${PID} "Client process could not be killed"
+fi
+echo "OK"
+
+cleanup
+
+exit 0
\ No newline at end of file
diff --git a/tests/test-camouflage-norealm b/tests/test-camouflage-norealm
new file mode 100755
index 00000000..6aaa08c2
--- /dev/null
+++ b/tests/test-camouflage-norealm
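Review bot: The label and the assertion of the POST check disagree: the echo announces `HTTP 403 for POST` while the comparison and the fail message both use 401, so a reader cannot tell which status an unauthenticated POST is meant to receive on the camouflage path; if 401 is intended, the fix is `echo "Checking with CURL that server returns us HTTP 401 for POST"`, otherwise the comparison and the message need changing. The negative cookie check relies on `COOKIE` being unset when the script starts, because `eval` of empty openconnect output leaves a pre-existing `COOKIE` untouched and the "without secret URL" step would then fail spuriously; an `unset COOKIE` before that `eval` makes it robust. curl is invoked here and in test-camouflage-norealm without any presence check, so if common.sh does not already probe for it a missing binary shows up as a status-mismatch failure rather than a skip. Both new scripts also end without a trailing newline.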
@@ -0,0 +1,59 @@
+#!/bin/sh
+#
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+# Copyright (C) 2023 Kirill Ovchinnikov
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+CLIENTPIDFILE=openconnect-pid.$$.tmp
+SECRETURL="/?mysecretkey"
+SERVERCERT="pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8="
+
+. `dirname $0`/common.sh
+
+eval "${GETPORT}"
+
+echo "Testing connection to the server with camouflage enabled"
+
+update_config test-camouflage-norealm.config
+
+launch_server -d 1 -f -c ${CONFIG} & PID=$!
+wait_server ${PID}
+
+# Most of the logic is tested in 'test-camouflage' test,
+# so here we will only pay attention to the no-realm-specifics
+
+echo "Checking with CURL that server returns us HTTP 404 for request with no secret in URL"
+http_result=$(curl --insecure https://localhost:${PORT} --output /dev/null --silent --write-out "%{http_code}")
+if [ "${http_result}" != "404" ]; then
+ fail ${PID} "Server returned ${http_result} instead of 404 for GET"
+fi
+echo "OK"
+
+
+echo "Checking with CURL that server returns us HTTP 200 when there's a secret in URL"
+http_result=$(curl --insecure https://localhost:${PORT}${SECRETURL} --output /dev/null --silent --write-out "%{http_code}")
+if [ "${http_result}" != "200" ]; then
+ fail ${PID} "Server returned ${http_result} instead of 200"
+fi
+echo "OK"
+
+cleanup
+
+exit 0
\ No newline at end of file
diff --git a/tests/test-cert b/tests/test-cert
index 41362aa2..79671933 100755
--- a/tests/test-cert
+++ b/tests/test-cert
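Review bot: `CLIENTPIDFILE` and `SERVERCERT` are assigned at the top of this script but never referenced; the script only issues curl requests, so the two assignments look like leftovers copied from test-camouflage and should be dropped. Removing them also makes it obvious to the next reader that this variant deliberately does not exercise the openconnect authentication flow, which the comment above the 404 check already defers to test-camouflage.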
@@ -49,19 +49,19 @@ PID=$! wait_server $PID echo -n "Connecting to obtain cookie (without certificate)... " -( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && fail $PID "Connected without certificate!" echo "ok (failed as expected)" echo -n "Connecting to obtain cookie (with invalid certificate)... " -( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && fail $PID "Connected with invalid certificate!" echo "ok (failed as expected)" echo -n "Connecting to obtain cookie (with certificate)... " -( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok 
@@ -80,7 +80,7 @@ kill -HUP $PID sleep 5 echo -n "Connecting to obtain cookie (with DER CRL)... " -( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok @@ -99,13 +99,13 @@ kill -HUP $PID sleep 5 echo -n "Connecting to obtain cookie (with revoked certificate)... " -( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && fail $PID "Connected with revoked certificate!" echo "ok (failed as expected)" #echo "Normal connection... " -#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || +#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || # fail $PID "Could not connect to server" rm -f "${CRLNAME}" "${CRLTMPLNAME}" diff --git a/tests/test-cert-opt-pass b/tests/test-cert-opt-pass index 18893d32..0109ef22 100755 --- a/tests/test-cert-opt-pass +++ b/tests/test-cert-opt-pass 
@@ -34,7 +34,7 @@ opts=$1 pass=$2 rm -f ${OUTFILE} -echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 +echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 if test $? != 0;then cat ${OUTFILE} return 1 diff --git a/tests/test-client-bypass-protocol b/tests/test-client-bypass-protocol index 09f3cb20..14cb5a5b 100755 --- a/tests/test-client-bypass-protocol +++ b/tests/test-client-bypass-protocol @@ -43,7 +43,7 @@ PID=$! wait_server $PID echo -n "Connecting... " -timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 +timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 echo ok @@ -68,7 +68,7 @@ PID=$! wait_server $PID echo -n "Reconnecting..." -timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 +timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 echo ok diff --git a/tests/test-config-per-group b/tests/test-config-per-group index 4a8bd60b..6b8929ab 100755 --- a/tests/test-config-per-group +++ b/tests/test-config-per-group 
@@ -81,7 +81,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & sleep 4 echo " * Connecting with user NOT in group..." -( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 @@ -129,7 +129,7 @@ sleep 2 USERNAME=test PASSWORD=test echo " * Connecting with user in group to ${ADDRESS}:${PORT}..." -( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 diff --git a/tests/test-cookie-invalidation b/tests/test-cookie-invalidation index 5f77afa3..a6f8ceaa 100755 --- a/tests/test-cookie-invalidation +++ b/tests/test-cookie-invalidation @@ -35,7 +35,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` +eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` if [ -z "$COOKIE" ];then fail $PID "Could not obtain cookie" 
@@ -44,7 +44,7 @@ fi #echo "Cookie: $COOKIE" echo "Connecting with cookie... " -echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background >/dev/null 2>&1 +echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background >/dev/null 2>&1 sleep 4 @@ -58,9 +58,9 @@ if test $? != 0;then fi echo "Terminating and connecting again with same cookie... " -#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || # fail $PID "Could not connect to server" -echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 +echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 sleep 4 
@@ -82,9 +82,9 @@ rm -f "${PIDFILE2}" sleep 18 echo "Proper termination and connecting again with same (invalidated) cookie... " -#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || # fail $PID "Could not connect to server" -echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 +echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 sleep 4 diff --git a/tests/test-cookie-timeout b/tests/test-cookie-timeout index 08081b27..b8b4dda8 100755 --- a/tests/test-cookie-timeout +++ b/tests/test-cookie-timeout @@ -34,7 +34,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` +eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` if [ -z "$COOKIE" ];then fail $PID "Could not obtain cookie" 
@@ -44,7 +44,7 @@ fi sleep 16 echo "" echo "Connecting with cookie... " -echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background +echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background sleep 4 @@ -59,7 +59,7 @@ rm -f "${PIDFILE}" sleep 16 echo "" echo "Connecting again with cookie... " -echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background +echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background sleep 4 @@ -74,7 +74,7 @@ rm -f "${PIDFILE}" sleep 16 echo "" echo "Connecting after forced kill with cookie... " -echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background +echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background sleep 4 @@ -90,7 +90,7 @@ rm -f "${PIDFILE}" sleep 45 echo "" echo "Connecting with cookie after expiration... " -echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background +echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background sleep 4 
@@ -104,7 +104,7 @@ fi # test cookie verification after cookie verification failure. That is to verify whether # the channel between main and sec-mod is in consistent state. echo "Connecting (again) to obtain cookie... " -echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= if test $? != 0;then fail $PID "Could not obtain cookie" diff --git a/tests/test-cookie-timeout-2 b/tests/test-cookie-timeout-2 index fbeba81f..4161eb69 100755 --- a/tests/test-cookie-timeout-2 +++ b/tests/test-cookie-timeout-2 @@ -33,7 +33,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` +eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` if [ -z "$COOKIE" ];then fail $PID "Could not obtain cookie" @@ -43,7 +43,7 @@ fi sleep 10 echo "" echo "Connecting with cookie... " -echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pid.$$ --background +echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pid.$$ --background sleep 4 
@@ -58,7 +58,7 @@ rm -f "${srcdir}/pid2.$$" sleep 30 echo "" echo "Connecting again with cookie (overriding first session)... " -echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pid2.$$ --background +echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pid2.$$ --background sleep 6 diff --git a/tests/test-enc-key b/tests/test-enc-key index 0ca6249c..5d65b62b 100755 --- a/tests/test-enc-key +++ b/tests/test-enc-key @@ -33,7 +33,7 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" cleanup @@ -48,7 +48,7 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" cleanup diff --git a/tests/test-explicit-ip b/tests/test-explicit-ip index bfd1a9df..41d46651 100755 --- a/tests/test-explicit-ip +++ b/tests/test-explicit-ip 
@@ -31,13 +31,13 @@ connect() opts=$1 pass=$2 COOKIE='' -eval `echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate` +eval `echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate` if [ -z "$COOKIE" ];then return 1 fi rm -f $TMPFILE -echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pidx >$TMPFILE 2>&1 & +echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pidx >$TMPFILE 2>&1 & CPID=$! sleep 3 diff --git a/tests/test-fork b/tests/test-fork index 2a0c5d63..a737aea6 100755 --- a/tests/test-fork +++ b/tests/test-fork @@ -42,7 +42,7 @@ fi echo "Server started with PID $PID..." echo "Connecting to obtain cookie..." -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || fail $PID "Could not receive cookie from server" if ! test -f ${PIDFILE};then diff --git a/tests/test-group-cert b/tests/test-group-cert index a86a6898..a5c45056 100755 --- a/tests/test-group-cert +++ b/tests/test-group-cert 
@@ -32,31 +32,31 @@ launch_sr_server -d 1 -f -c data/test-group-cert.config & PID=$! wait_server $PID echo -n "Connecting to obtain cookie (without certificate)... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Connected without certificate!" echo ok echo -n "Connecting to obtain cookie - group1 (with certificate)... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie - group2 (with certificate)... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... 
" -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok echo -n "Connecting to obtain cookie - group4 (with certificate)... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok diff --git a/tests/test-group-pass b/tests/test-group-pass index 1530f43b..7a78237c 100755 --- a/tests/test-group-pass +++ b/tests/test-group-pass 
@@ -33,19 +33,19 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group1 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group1 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" echo "Connecting to obtain cookie... " -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not receive cookie from server" echo "Connecting to obtain cookie with wrong groupname... 
" -( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group4 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group4 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Received cookie when we shouldn't" cleanup diff --git a/tests/test-gssapi-opt-cert b/tests/test-gssapi-opt-cert index 0ef2d55b..5cf1105a 100755 --- a/tests/test-gssapi-opt-cert +++ b/tests/test-gssapi-opt-cert @@ -29,7 +29,7 @@ opts=$1 pass=$2 rm -f ${OUTFILE} -echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 +echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 if test $? != 0;then cat ${OUTFILE} return 1 diff --git a/tests/test-gssapi-opt-pass b/tests/test-gssapi-opt-pass index 8999d308..b6ebd118 100755 --- a/tests/test-gssapi-opt-pass +++ b/tests/test-gssapi-opt-pass @@ -29,7 +29,7 @@ opts=$1 pass=$2 rm -f ${OUTFILE} -echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 +echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 if test $? != 0;then cat ${OUTFILE} return 1 diff --git a/tests/test-ignore-querystring-of-post b/tests/test-ignore-querystring-of-post new file mode 100755 index 00000000..cd5737b8 --- /dev/null +++ b/tests/test-ignore-querystring-of-post 
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+NO_NEED_ROOT=1
+PIDFILE=ocserv-pid.$$.tmp
+
+. `dirname $0`/common.sh
+
+eval "${GETPORT}"
+
+echo "Testing local backend with username-password... "
+
+update_config test1.config
+launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$!
+wait_server $PID
+
+echo "Connecting to obtain cookie... "
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
+ fail $PID "Could not receive cookie from server"
+
+echo "Connecting to obtain cookie with querystring... "
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q "$ADDRESS:$PORT/?k=v" -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
+ fail $PID "Could not receive cookie from server with querystring"
+
+if ! test -f ${PIDFILE};then
+ fail $PID "Could not find pid file ${PIDFILE}"
+fi
+
+cleanup
+
+exit 0
diff --git a/tests/test-iroute b/tests/test-iroute
index d7b5f528..caf0a923 100755
--- a/tests/test-iroute
+++ b/tests/test-iroute
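Review bot: The progress message `echo "Testing local backend with username-password... "` is copied from a sibling script and does not describe this test; say what is being checked, e.g. `echo "Testing that a query string on the auth URL is ignored during dispatch... "`. The licence header's `along with GnuTLS` should read `along with ocserv`. On coverage, both connections use `--cookieonly`, so the script proves that `/?k=v` still reaches the authentication handler but not that stripping the query string leaves unknown paths unmatched; if the server rejects an unknown path, a third step with `"$ADDRESS:$PORT/nonexistent?k=v"` that is expected to fail (`&& fail $PID "..."`) would pin the boundary of the new behaviour. The server-side change this test exercises is not in this hunk.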
@@ -34,13 +34,13 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$! wait_server $PID echo -n "Connecting to obtain cookie (with certificate)... " -( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok @@ -47,7 +47,7 @@ kill -USR2 $PID sleep 5 echo -n "Connecting to obtain cookie (with certificate)... " -( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok @@ -58,7 +58,7 @@ kill -USR2 $PID sleep 5 echo -n "Connecting to obtain cookie (with certificate)... " -( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || +( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok diff --git a/tests/test-max-same-1 b/tests/test-max-same-1 index 51464837..ec19c0d7 100755 --- a/tests/test-max-same-1 
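Review bot: The rewritten connection line keeps `--cookieonly /dev/null 2>&1`; compared with the `--cookieonly >/dev/null 2>&1` form every other script in this series uses, the redirect operator looks to be missing, so `/dev/null` would be passed to openconnect as an extra positional argument instead of swallowing its output. If that is really what the file contains and not a rendering artefact, the connection likely fails before any iroute behaviour is exercised and the `fail` branch reports it as a connectivity problem; the same fragment appears in the two following hunks of this file (at 47 and 58). Since the line is being rewritten anyway, change it to `--cookieonly >/dev/null 2>&1 ) ||` in all three places. This first hunk also switches the connection to `LD_PRELOAD=libsocket_wrapper.so` and `$ADDRESS:$PORT`, aligning it with the other two; that goes beyond the pin replacement and deserves a mention in the commit message, whose title only speaks of query strings.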
+++ b/tests/test-max-same-1 @@ -47,7 +47,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` +eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` if [ -z "$COOKIE" ];then echo "Could not obtain cookie" @@ -57,12 +57,12 @@ fi #echo "Cookie: $COOKIE" echo "Connecting with cookie... " -echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background +echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background sleep 4 echo "Connecting again with same cookie... " -echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background +echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background sleep 4 diff --git a/tests/test-multi-cookie b/tests/test-multi-cookie index 83c9cb57..7581f9cf 100755 --- a/tests/test-multi-cookie +++ b/tests/test-multi-cookie 
@@ -47,7 +47,7 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$! wait_server $PID echo "Connecting to obtain cookie... " -eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` +eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` if [ -z "$COOKIE" ];then echo "Could not obtain cookie" @@ -57,12 +57,12 @@ fi #echo "Cookie: $COOKIE" echo "Connecting with cookie... " -echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background +echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background sleep 4 echo "Connecting again with same cookie... " -echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background +echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background sleep 4 diff --git a/tests/test-multiple-client-ip b/tests/test-multiple-client-ip index 0e799e06..76099fee 100755 --- a/tests/test-multiple-client-ip +++ b/tests/test-multiple-client-ip 
@@ -84,14 +84,14 @@ sleep 4 # Run client 1 echo " * Getting cookie from ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then echo "Could not get cookie from server" exit 1 fi echo " * Connecting to ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 
@@ -99,14 +99,14 @@ fi # Run client 2 echo " * Getting cookie from ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) +( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then echo "Could not get cookie from server" exit 1 fi echo " * Connecting to ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID2} --passwd-on-stdin -b ) +( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID2} --passwd-on-stdin -b ) if test $? != 0;then echo "Could not connect to server" exit 1 diff --git a/tests/test-namespace-listen b/tests/test-namespace-listen index 9691b283..81c3e86f 100755 --- a/tests/test-namespace-listen +++ b/tests/test-namespace-listen @@ -77,7 +77,7 @@ if test $? != 0; then fi echo " connecting to server" -(echo "test" | ${CMDNS3} $OPENCONNECT $ADDRESS:$PORT -u "test" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --pid-file=${CLIPID} -b) || +(echo "test" | ${CMDNS3} $OPENCONNECT $ADDRESS:$PORT -u "test" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --pid-file=${CLIPID} -b) || fail $PID "could not connect to server" sleep 5 diff --git a/tests/test-otp b/tests/test-otp index 5209b0af..ed1fe940 100755 --- a/tests/test-otp +++ b/tests/test-otp 
@@ -45,27 +45,27 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! wait_server $PID echo -n "Connecting with wrong username... " -( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u falsetest --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u falsetest --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Connected with wrong username!" echo ok echo -n "Connecting with wrong OTP... " -( echo -e "test\n999482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo -e "test\n999482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Should not have connected with wrong OTP!" echo ok echo -n "Connecting with correct password and OTP... " -( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with OTP!" echo ok echo -n "Connecting with empty password and wrong OTP... 
" -( echo -e "999999\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo -e "999999\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Should have not connected with wrong OTP!" echo ok echo -n "Connecting with empty password and OTP... " -( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with OTP-only!" echo ok diff --git a/tests/test-otp-cert b/tests/test-otp-cert index c8dc12c1..61a71dbc 100755 --- a/tests/test-otp-cert +++ b/tests/test-otp-cert 
@@ -45,22 +45,22 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! wait_server $PID echo -n "Connecting to obtain cookie (without certificate)... " -( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Connected without certificate!" echo ok echo -n "Connecting to obtain cookie (with incorrect certificate)... " -( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && +( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && fail $PID "Should not have connected with wrong certificate!" echo ok echo -n "Connecting to obtain cookie (with certificate)... " -( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" 
echo ok echo -n "Connecting to obtain cookie (with no pass and certificate)... " -( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || +( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok diff --git a/tests/test-pam b/tests/test-pam index 8ec787a7..561a1409 100755 --- a/tests/test-pam +++ b/tests/test-pam 
@@ -37,22 +37,22 @@ wait_server $PID
 echo ""
 echo "Connecting with wrong password... "
-( echo -e "testuser\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo -e "testuser\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie with wrong cred"
 echo ""
 echo "Connecting with empty password... "
-( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie with wrong cred"
 echo ""
 echo "Connecting with wrong username... "
-( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie with wrong cred"
 echo ""
 echo "Connecting with correct password... "
-( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||#>/dev/null 2>&1 ) ||
+( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||#>/dev/null 2>&1 ) ||
 fail $PID "Could not receive cookie from server"
 cleanup
diff --git a/tests/test-pam-noauth b/tests/test-pam-noauth
index dc8dd3de..1f67371f 100755
--- a/tests/test-pam-noauth
+++ b/tests/test-pam-noauth
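Review bot: The rewritten "correct password" line in test-pam still carries the leftover debugging edit `--cookieonly ) ||#>/dev/null 2>&1 ) ||`, where everything after `#` is a comment and the real statement ends at `) ||`; the same fragment is in the last changed line of test-pam-noauth. Since the commit is rewriting these lines anyway, either restore the redirect to match the three lines above it, `--cookieonly >/dev/null 2>&1 ) ||`, or drop the commented-out tail so the intended form is not left ambiguous. The `-v` on this invocation with no redirect also means the cookie and verbose client output land in the test log; that may be deliberate for debugging, but it is worth a one-line comment if so.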
@@ -35,19 +35,19 @@ launch_sr_pam_server -d 1 -f -c ${CONFIG} &
 PID=$!
 wait_server $PID
 echo "Connecting with correct password but no PAM user... "
-( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u xtest --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u xtest --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie with non existing user"
 echo "Connecting with incorrect password (correct in PAM) and existing user... "
-( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie with non existing user"
 echo "Connecting with empty password (correct in PAM) and existing user... "
-( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie with non existing user"
 echo "Connecting with correct password and existing user... "
-( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||#>/dev/null 2>&1 ) ||
+( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||#>/dev/null 2>&1 ) ||
 fail $PID "Could not receive cookie from server"
 cleanup
diff --git a/tests/test-pass b/tests/test-pass
index 9d5484ae..5aaaf48d 100755
--- a/tests/test-pass
+++ b/tests/test-pass
@@ -34,39 +34,39 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} &
 PID=$!
 wait_server $PID
 echo "Connecting to obtain cookie... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
 fail $PID "Could not receive cookie from server"
 echo "Connecting to obtain cookie with wrong password... "
-( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie when we shouldn't"
 echo "Connecting to obtain cookie with empty password... "
-( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie when we shouldn't"
 echo "Connecting to obtain cookie with wrong username... "
-( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie when we shouldn't"
 # test locked account
 echo "Connecting to obtain cookie with locked account... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie when we shouldn't"
 #test special characters
 echo "Connecting to obtain cookie with special password... "
-( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
 fail $PID "Could not receive cookie from server"
 echo "Connecting to obtain cookie with empty password... "
-( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
 fail $PID "Could not receive cookie from server"
 #echo "Normal connection... "
-#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) ||
+#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) ||
 # fail $PID "Could not connect to server"
 if ! test -f ${PIDFILE};then
diff --git a/tests/test-pass-cert b/tests/test-pass-cert
index 80507886..8d284b84 100755
--- a/tests/test-pass-cert
+++ b/tests/test-pass-cert
@@ -34,26 +34,26 @@ launch_sr_server -d 1 -f -c ${CONFIG} &
 PID=$!
 wait_server $PID
 echo -n "Connecting to obtain cookie (without certificate)... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Connected without certificate!"
 echo ok
 echo -n "Connecting to obtain cookie (with certificate)... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
 fail $PID "Could not connect with certificate!"
 echo ok
 echo -n "Connecting to obtain cookie (with incorrect certificate)... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Should not have connected with wrong certificate!"
 echo ok
 #echo "Normal connection... "
-#( echo "test" | $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) ||
+#( echo "test" | $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) ||
 # fail $PID "Could not connect to server"
 cleanup
diff --git a/tests/test-pass-group-cert b/tests/test-pass-group-cert
index ff649933..e559ac67 100755
--- a/tests/test-pass-group-cert
+++ b/tests/test-pass-group-cert
@@ -33,37 +33,37 @@ launch_sr_server -d 1 -f -c ${CONFIG} &
 PID=$!
 wait_server $PID
 echo -n "Connecting to obtain cookie (without certificate)... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Connected without certificate!"
 echo ok
 echo -n "Connecting to obtain cookie - group1 (with certificate)... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
 fail $PID "Could not connect with certificate!"
 echo ok
 echo -n "Connecting to obtain cookie - DEFAULT (with certificate)... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup DEFAULT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup DEFAULT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
 fail $PID "Could not connect with certificate!"
 echo ok
 echo -n "Connecting to obtain cookie - group2 (with certificate)... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
 fail $PID "Could not connect with certificate!"
 echo ok
 echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
 fail $PID "Could not connect with certificate!"
 echo ok
 echo -n "Connecting to obtain cookie - group4 (with certificate)... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Got cookie when it shouldn't!"
 echo ok
diff --git a/tests/test-pass-group-cert-no-pass b/tests/test-pass-group-cert-no-pass
index bc39b459..401b24f7 100755
--- a/tests/test-pass-group-cert-no-pass
+++ b/tests/test-pass-group-cert-no-pass
@@ -33,25 +33,25 @@ launch_sr_server -d 1 -f -c ${CONFIG} &
 PID=$!
 wait_server $PID
 echo -n "Connecting to obtain cookie (without certificate)... "
-LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 &&
+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 &&
 fail $PID "Connected without certificate!"
 echo ok
 echo -n "Connecting to obtain cookie - group1 (with certificate)... "
-LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ||
+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ||
 fail $PID "Could not connect with certificate!"
 echo ok
 echo -n "Connecting to obtain cookie - group2 (with certificate)... "
-LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ||
+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ||
 fail $PID "Could not connect with certificate!"
 echo ok
 echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... "
-LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ||
+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ||
 fail $PID "Could not connect with certificate!"
 echo ok
diff --git a/tests/test-pass-opt-cert b/tests/test-pass-opt-cert
index ac9adc1f..18365381 100755
--- a/tests/test-pass-opt-cert
+++ b/tests/test-pass-opt-cert
@@ -38,7 +38,7 @@ connect() {
 opts=$1
 pass=$2
-echo ${pass} | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --passwd-on-stdin --authenticate >${TMPFILE}
+echo ${pass} | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --passwd-on-stdin --authenticate >${TMPFILE}
 if test $? != 0;then
 cat ${TMPFILE}
 return 1
diff --git a/tests/test-pass-script b/tests/test-pass-script
index 89a40946..0f185516 100755
--- a/tests/test-pass-script
+++ b/tests/test-pass-script
@@ -67,7 +67,7 @@ launch_server -d 1 -f -c "${CONFIG}" &
 PID=$!
 wait_server $PID
 echo " * Connecting to obtain cookie with wrong username... "
-( echo "tost" | $OPENCONNECT -q localhost:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+( echo "tost" | $OPENCONNECT -q localhost:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
 fail $PID "Received cookie when we shouldn't"
 rm -f ${builddir}/connect.ok
@@ -76,11 +76,11 @@ rm -f ${builddir}/host-update.ok
 #test special characters
 echo " * Connecting to obtain cookie... "
-( echo "!@#$%^&*()<>" | $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+( echo "!@#$%^&*()<>" | $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
 fail $PID "Could not receive cookie from server"
 echo " * Re-connecting to force script run... "
-echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true
+echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true
 TIMEOUT=5
 while ! test -f ${builddir}/disconnect.ok; do
@@ -112,7 +112,7 @@ rm -f ${builddir}/disconnect.ok
 rm -f ${builddir}/host-update.ok
 echo " * Re-connecting to get cookie... "
-echo "test2" | $OPENCONNECT -q localhost:$PORT -u "test2" --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${PARAMSFILE}
+echo "test2" | $OPENCONNECT -q localhost:$PORT -u "test2" --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${PARAMSFILE}
 if test $? != 0;then
 echo "Could not connect"
 cat ${PARAMSFILE}
@@ -127,7 +127,7 @@ fi
 echo " * Re-connecting to force session stealing... "
 eval "$(grep COOKIE ${PARAMSFILE})"
-echo ${COOKIE}| $OPENCONNECT --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE} -b
+echo ${COOKIE}| $OPENCONNECT --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true --pid-file=${OPIDFILE} -b
 echo " - Pausing client"
 TIMEOUT=4
@@ -156,7 +156,7 @@ rm -f ${builddir}/connect.ok
 rm -f ${builddir}/disconnect.ok
 echo " * Re-connecting to steal previous IP address... "
-echo ${COOKIE} | $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE2} -b
+echo ${COOKIE} | $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true --pid-file=${OPIDFILE2} -b
 echo " - Resuming (disconnected) client"
 kill -s CONT $(cat ${OPIDFILE})
@@ -205,7 +205,7 @@ done
 sleep 5
 echo " - Check server status"
-( echo "!@#$%^&*()<>" | $OPENCONNECT --local-hostname='mylocalname' -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+( echo "!@#$%^&*()<>" | $OPENCONNECT --local-hostname='mylocalname' -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
 fail $PID "Could not receive cookie from server"
 echo " - Killing server"
diff --git a/tests/test-replay b/tests/test-replay
index b8aa848f..05338931 100755
--- a/tests/test-replay
+++ b/tests/test-replay
@@ -60,7 +60,7 @@ launch_server -d 9999 -f -c ${CONFIG} &
 PID=$!
 wait_server $PID
 echo "Connecting to obtain cookie... "
-eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3`
+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=`
 if [ -z "$COOKIE" ];then
 echo "Could not obtain cookie"
@@ -70,7 +70,7 @@ fi
 #echo "Cookie: $COOKIE"
 echo "Connecting with cookie... "
-echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --verbose --pid-file "${PIDFILE1}" --background
+echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --verbose --pid-file "${PIDFILE1}" --background
 sleep 4
diff --git a/tests/test-san-cert b/tests/test-san-cert
index a5040ae8..a41c3310 100755
--- a/tests/test-san-cert
+++ b/tests/test-san-cert
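Review bot: The rewritten line in test-replay's first hunk still hands the whole stdout of openconnect to `eval` via backticks, so anything the client prints besides the `COOKIE=` assignment (a warning, a changed output format) is executed as shell in the test process. test-pass-script in this same commit uses the narrower `eval "$(grep COOKIE ${PARAMSFILE})"`, which is the form to copy: redirect `--authenticate` output to a file and then `eval "$(grep '^COOKIE=' "${PARAMSFILE}")"`, with `PARAMSFILE` defined in test-replay the way test-pass-script defines it. The existing `if [ -z "$COOKIE" ]` check below the line keeps working unchanged.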
@@ -49,25 +49,25 @@ PID=$!
 wait_server $PID
 echo -n "Connecting to obtain cookie (without certificate)... "
-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) &&
+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) &&
 fail $PID "Connected without certificate!"
 echo "ok (failed as expected)"
 echo -n "Connecting to obtain cookie (with invalid certificate)... "
-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) &&
+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) &&
 fail $PID "Connected with invalid certificate!"
 echo "ok (failed as expected)"
 echo -n "Connecting to obtain cookie (with certificate - no SAN)... "
-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) &&
+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) &&
 fail $PID "Connected with invalid certificate!"
 echo "ok (failed as expected)"
 echo -n "Connecting to obtain cookie (with certificate - SAN)... "
-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-san-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) ||
+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-san-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) ||
 fail $PID "Failed to connect with certificate!"
 echo ok
diff --git a/tests/test-script-multi-user b/tests/test-script-multi-user
index 6327a269..c0bfa3d8 100755
--- a/tests/test-script-multi-user
+++ b/tests/test-script-multi-user
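Review bot: All four rewritten invocations in test-san-cert read `--cookieonly /dev/null 2>&1`, which as written passes `/dev/null` to openconnect as an extra positional argument instead of redirecting stdout; if that is the literal file content rather than an artefact of how this diff was captured, the three negative cases pass for the wrong reason (a usage error is also a non-zero exit) and the final positive case, `... user-san-cert.pem" ... ) || fail`, cannot succeed. The intended form matches the rest of the series: `--cookieonly >/dev/null 2>&1 ) &&`. The same missing `>` appears in every changed line of test-sighup (`--cookieonly /dev/null 2>&1`) and in test-user-config (`--cookieonly /dev/null`, `-s /bin/true /dev/null &`, `-s /bin/true ${TMPFILE1} 2>&1 &`, `-s /bin/true ${TMPFILE2} 2>&1`), so it is worth checking the files once rather than per hunk.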
@@ -47,16 +47,16 @@ launch_sr_server -d 1 -f -c ${CONFIG} &
 PID=$!
 wait_server $PID
 echo "Connecting to force script block... "
-echo "!@#$%^&*()<>" | timeout 60 $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true &
+echo "!@#$%^&*()<>" | timeout 60 $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true &
 sleep 3
 echo "Connecting to obtain cookie... "
-( echo "${USERNAME}" | $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+( echo "${USERNAME}" | $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
 fail $PID "Could not receive cookie from server"
 echo "Connecting in background... "
-( echo "${USERNAME}" | timeout 15 $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --background >/dev/null 2>&1 ) ||
+( echo "${USERNAME}" | timeout 15 $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --background >/dev/null 2>&1 ) ||
 fail $PID "Could not connect to server; probably blocked"
 sleep 3
diff --git a/tests/test-sighup b/tests/test-sighup
index add538f6..dd424e51 100755
--- a/tests/test-sighup
+++ b/tests/test-sighup
@@ -34,7 +34,7 @@ PID=$!
 wait_server $PID
 echo -n "Connecting to obtain cookie (with certificate)... "
-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) ||
+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) ||
 fail $PID "Could not connect with certificate!"
 echo ok
@@ -44,7 +44,7 @@ kill -HUP $PID
 sleep 5
 echo -n "Connecting to obtain cookie (with certificate)... "
-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) ||
+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) ||
 fail $PID "Could not connect with certificate!"
 echo ok
@@ -57,7 +57,7 @@ kill -HUP $PID
 sleep 5
 echo -n "Connecting to obtain cookie (with certificate)... "
-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) &&
+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) &&
 fail $PID "Could not connect with certificate!"
 echo ok
diff --git a/tests/test-stress b/tests/test-stress
index 3816604f..a2db96e2 100755
--- a/tests/test-stress
+++ b/tests/test-stress
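Review bot: In test-sighup's third hunk the rewritten line ends in `) &&` followed by `fail $PID "Could not connect with certificate!"`, so `fail` fires when the connection succeeds while the message reports the opposite; one of the two is wrong. If a refused connection is the expected outcome after the second `kill -HUP $PID` (the preceding context suggests a reloaded configuration), the message should say so, e.g. `fail $PID "Connected although the reloaded config should reject it!"`, otherwise the operator should be `||` as in the two hunks above. The prompt `"Connecting to obtain cookie (with certificate)... "` is identical in all three hunks, which makes it hard to tell from the log which step failed; naming the step (before HUP, after first HUP, after second HUP) would help.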
@@ -33,7 +33,7 @@ run_client() {
 PASS=$1; shift;
- ( echo $PASS | $OPENCONNECT -q $HOST -u $USER --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >/dev/null 2>&1 ) ||
+ ( echo $PASS | $OPENCONNECT -q $HOST -u $USER --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >/dev/null 2>&1 ) ||
 echo "$USER: Could not connect to server"
 }
diff --git a/tests/test-udp-listen-host b/tests/test-udp-listen-host
index f3e66232..956938b8 100755
--- a/tests/test-udp-listen-host
+++ b/tests/test-udp-listen-host
@@ -111,7 +111,7 @@ ${CMDNS2} ${HAPROXY} -f ${HACONFIG} -d &
 HAPID=$!
 sleep 3
 echo " * Connecting to haproxy and using dtls ... "
-echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${CLIPID}" --background
+echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${CLIPID}" --background
 wait_file "${CLIPID}" 11
@@ -134,7 +134,7 @@ echo "restart ocsev with udp-listen-host set to 127.0.0.1"
 ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG_UDP_LISTEN_LOCAL} ${DEBUG} &
 PID=$!
 echo " * Connecting to haproxy and using dtls again ... "
-echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${CLIPID2}" --background
+echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${CLIPID2}" --background
 wait_file "${CLIPID2}" 11
diff --git a/tests/test-user-config b/tests/test-user-config
index 1c7f5182..f8573ceb 100755
--- a/tests/test-user-config
+++ b/tests/test-user-config
@@ -42,20 +42,20 @@ PID=$!
 wait_server $PID
 echo -n "Connecting to obtain cookie (with certificate)... "
-( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null ) ||
+( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null ) ||
 fail $PID "Could not connect with certificate!"
 echo ok
 echo -n "Re-connecting to force script run... "
-$OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true /dev/null &
+$OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true /dev/null &
 kpid1=$!
 echo ok
 sleep 2
 echo -n "Re-connecting to check the iroutes... "
-$OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 &
+$OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 &
 kpid2=$!
 echo ok
@@ -63,7 +63,7 @@ sleep 3
 echo -n "Checking if max-same-clients is considered... "
-timeout 15s $OPENCONNECT localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE2} 2>&1
+timeout 15s $OPENCONNECT localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE2} 2>&1
 if test $? = 124;then
 fail $PID "Max-same-clients directive was ignored"
 fi
@@ -155,7 +155,7 @@ rm -f ${TMPFILE1}
 rm -f ${TMPFILE2}
 echo -n "Re-connecting to check the ipv4-network... "
-$OPENCONNECT -v localhost:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-testipnet.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 & kpid3=$!
+$OPENCONNECT -v localhost:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-testipnet.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 & kpid3=$!
 echo ok
 sleep 3
diff --git a/tests/test-vhost b/tests/test-vhost
index 902f0112..1a57e609 100755
--- a/tests/test-vhost
+++ b/tests/test-vhost
@@ -62,7 +62,7 @@ PID=$!
 wait_server $PID
 echo -n "Connecting to default host to obtain cookie (user without certificate)... "
-connect "default.example.com" "-u test" "test" "d66b507ae074d03b02eafca40d35f87dd81049d3"
+connect "default.example.com" "-u test" "test" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8="
 if test $? != 0;then
 fail $PID "Failed to connect with user without certificate!"
 fi
@@ -111,7 +111,7 @@ fi
 echo ok
 echo -n "Connecting to default host to obtain cookie (with certificate)... "
-connect "default.example.com" "-u test --sslkey ./certs/user-key.pem -c ./certs/user-cert.pem" "" "d66b507ae074d03b02eafca40d35f87dd81049d3"
+connect "default.example.com" "-u test --sslkey ./certs/user-key.pem -c ./certs/user-cert.pem" "" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8="
 if test $? = 0;then
 fail $PID "Connected to wrong host with certificate!"
 fi
@@ -136,7 +136,7 @@ kill -HUP $PID
 sleep 5
 echo -n "Sanity check to default host..."
-connect "default.example.com" "-u test" "test" "d66b507ae074d03b02eafca40d35f87dd81049d3"
+connect "default.example.com" "-u test" "test" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8="
 if test $? != 0;then
 fail $PID "Failed to connect with user without certificate!"
 fi
diff --git a/tests/traffic b/tests/traffic
index 3ea962f9..1f0fcaf5 100755
--- a/tests/traffic
+++ b/tests/traffic
@@ -79,14 +79,14 @@ sleep 4
 # Run clients
 echo " * Getting cookie from ${ADDRESS}:${PORT}..."
-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
 if test $? != 0;then
 echo "Could not get cookie from server"
 exit 1
 fi
 echo " * Connecting to ${ADDRESS}:${PORT}..."
-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
 if test $? != 0;then
 echo "Could not connect to server"
 exit 1
diff --git a/tests/unix-test b/tests/unix-test
index ad4430fd..67c41b35 100755
--- a/tests/unix-test
+++ b/tests/unix-test
@@ -54,7 +54,7 @@ if test ! -z "$QUIT_ON_INIT";then
 fi
 $ECHO_E "test\ntest" >pass$TMP
-$OPENCONNECT $IP:6551 -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass$TMP &
+$OPENCONNECT $IP:6551 -u test --passwd-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= < pass$TMP &
 PID=$!
diff --git a/tests/url-escape.c b/tests/url-escape.c
index 6b93c1d7..d4306a25 100644
--- a/tests/url-escape.c
+++ b/tests/url-escape.c
@@ -40,13 +40,13 @@ static char *decoded_strings[] =
 "Laguna%+@Beach" };
-int main()
+int main(void)
 {
 char *dec, *url;
 unsigned i;
 unsigned len;
- for (i=0;i