ignore querystring while dispatching

Signed-off-by: johnson <10619522-OnFIs@users.noreply.gitlab.com>
johnson 2023-05-23 20:10:09 +00:00 committed by whiler
parent d98a06e143
commit eadebbbd71
148 changed files with 1481 additions and 970 deletions


@ -71,6 +71,8 @@ Ubuntu16.04:
- autoreconf -fvi
- ./configure --without-nuttcp-tests
- make -j$JOBS
# ubuntu16.04 openconnect doesn't support pin-sha256
- find ./tests/ -maxdepth 1 -type f -exec sed -i 's@pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=@2c46d7319df419c92ad59e38f0bb9681c088f1dc@g' '{}' ';'
# this version of openconnect doesn't work with IPv6 only
- make check -j$JOBS XFAIL_TESTS="ipv6-iface ipv6-small-net"
tags:
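Review bot: The `sed` on the `find` line hard-codes a raw SHA-1 fingerprint (`2c46d731…c088f1dc`) as the replacement for the pin-sha256 value, so the Ubuntu 16.04 job will silently start failing, or worse keep passing against a stale expectation, whenever the test certificate is regenerated; either derive the fingerprint inside the job (e.g. with `certtool --fingerprint` on the test cert) or add a comment naming the certificate file it was taken from. The substitution is also global and unanchored, so every occurrence of that pin under `tests/` is rewritten, not only the `--servercert` arguments. Which of these lines are new and which are context cannot be told from the rendered page.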

4
NEWS

@ -1,3 +1,7 @@
* Version 1.1.8 (unreleased)
- Added "Camouflage" functionality that makes ocserv look
like a web server to unauthorized parties.
* Version 1.1.7 (released 2023-05-07)
- Emit a LOG_ERR error message with plain authentication fails
- The bundled inih was updated to r56.


@ -33,11 +33,11 @@ configuration while ocserv-main will use the previous configuration.
# Required
apt-get install -y libgnutls28-dev libev-dev
# Optional functionality and testing
apt get install -y libpam0g-dev liblz4-dev libseccomp-dev \
apt-get install -y libpam0g-dev liblz4-dev libseccomp-dev \
libreadline-dev libnl-route-3-dev libkrb5-dev libradcli-dev \
libcurl4-gnutls-dev libcjose-dev libjansson-dev libprotobuf-c-dev \
libtalloc-dev libhttp-parser-dev protobuf-c-compiler gperf \
nuttcp lcov libuid-wrapper libpam-wrapper libnss-wrapper \
libcurl4-gnutls-dev libcjose-dev libjansson-dev liboath-dev \
libprotobuf-c-dev libtalloc-dev libhttp-parser-dev protobuf-c-compiler \
gperf nuttcp lcov libuid-wrapper libpam-wrapper libnss-wrapper \
libsocket-wrapper gss-ntlmssp haproxy iputils-ping freeradius \
gawk gnutls-bin iproute2 yajl-tools tcpdump
```
@ -49,10 +49,10 @@ yum install -y gnutls-devel libev-devel
# Optional functionality and testing
yum install -y pam-devel lz4-devel libseccomp-devel readline-devel \
libnl3-devel krb5-devel radcli-devel libcurl-devel cjose-devel \
jansson-devel protobuf-c-devel libtalloc-devel http-parser-devel \
protobuf-c gperf nuttcp lcov uid_wrapper pam_wrapper nss_wrapper \
socket_wrapper gssntlmssp haproxy iputils freeradius gawk \
gnutls-utils iproute yajl tcpdump
jansson-devel liboath-devel protobuf-c-devel libtalloc-devel \
http-parser-devel protobuf-c gperf nuttcp lcov uid_wrapper \
pam_wrapper nss_wrapper socket_wrapper gssntlmssp haproxy iputils \
freeradius gawk gnutls-utils iproute yajl tcpdump
```
See [README-radius](doc/README-radius.md) for more information on Radius


@ -10,7 +10,8 @@ is used by several CISCO routers.
## DESCRIPTION
This a standalone server that reads a configuration file (see below for more details),
and waits for client connections. Log messages are redirected to daemon facility.
and waits for client connections. Log messages are directed to the syslog daemon
facility.
The server maintains two connections/channels with the client. The main VPN
channel is established over TCP, HTTP and TLS. This is the control channel as well


@ -704,6 +704,24 @@ dtls-legacy = true
# currently only understood by Anyconnect clients.
client-bypass-protocol = false
# The following options are related to server camouflage (hidden service)
# This option allows you to enable the camouflage feature of ocserv that makes it look
# like a web server to unauthorized parties.
# With "camouflage" enabled, connection to the VPN can be established only if the client provided a specific
# "secret string" in the connection URL, e.g. "https://example.com/?mysecretkey",
# otherwise the server will return HTTP error for all requests.
camouflage = false
# The URL prefix that should be set on the client (after '?' sign) to pass through the camouflage check,
# e.g. in case of 'mysecretkey', the server URL on the client should be like "https://example.com/?mysecretkey".
camouflage_secret = "mysecretkey"
# Defines the realm (browser prompt) for HTTP authentication.
# If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized.
# Better change it from the default value to avoid fingerprinting.
camouflage_realm = "Restricted Content"
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
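Review bot: The sample ships a working default `camouflage_secret = "mysecretkey"`, so an operator who only flips `camouflage = true` ends up protected by a value printed in every copy of this file; the comment above it should say the value must be changed, e.g. `# Replace this value: the default is public and gives no protection.`. The comments should also warn that the secret travels in the request URL and can therefore be recorded by proxies, browser history and access logs on the path, and that it is matched exactly (case-sensitive, nothing may follow it after the `?`). Finally, the option names use underscores (`camouflage_secret`, `camouflage_realm`) while the rest of this file uses hyphens (`client-bypass-protocol`), which is worth aligning before the feature is released.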


@ -81,7 +81,6 @@ fail1:
static void pam_acct_close_session(void *vctx, unsigned auth_method, const struct common_acct_info_st *ai, stats_st *stats, unsigned status)
{
return;
}
const struct acct_mod_st pam_acct_funcs = {


@ -105,8 +105,6 @@ static void append_stats(rc_handle *rh, VALUE_PAIR **send, stats_st *stats)
uout = stats->bytes_out / 4294967296;
rc_avpair_add(rh, send, PW_ACCT_OUTPUT_GIGAWORDS, &uout, -1, 0);
return;
}
static void append_acct_standard(struct radius_vhost_ctx *vctx, rc_handle *rh, const common_acct_info_st *ai, VALUE_PAIR **send)
@ -163,8 +161,6 @@ static void append_acct_standard(struct radius_vhost_ctx *vctx, rc_handle *rh, c
i = PW_RADIUS;
rc_avpair_add(rh, send, PW_ACCT_AUTHENTIC, &i, -1, 0);
return;
}
static void radius_acct_session_stats(void *_vctx, unsigned auth_method, const common_acct_info_st *ai, stats_st *stats)
@ -197,7 +193,6 @@ static void radius_acct_session_stats(void *_vctx, unsigned auth_method, const c
cleanup:
rc_avpair_free(send);
return;
}
static int radius_acct_open_session(void *_vctx, unsigned auth_method, const common_acct_info_st *ai, const void *sid, unsigned sid_size)
@ -287,7 +282,6 @@ static void radius_acct_close_session(void *_vctx, unsigned auth_method, const c
cleanup:
rc_avpair_free(send);
return;
}
const struct acct_mod_st radius_acct_funcs = {


@ -102,7 +102,6 @@ void unix_group_list(void *pool, unsigned gid_min, char ***groupname, unsigned *
exit:
endgrent();
return;
}
#endif


@ -137,7 +137,6 @@ static void gssapi_vhost_init(void **_vctx, void *pool, void *additional)
}
*_vctx = vctx;
return;
}
static void gssapi_vhost_deinit(void *_vctx)


@ -112,8 +112,6 @@ static void oidc_vhost_init(void **vctx, void *pool, void *additional)
}
*vctx = (void *)vc;
return;
}
static void oidc_vhost_deinit(void *ctx)


@ -76,7 +76,6 @@ static void plain_vhost_init(void **vctx, void *pool, void *additional)
#ifdef HAVE_LIBOATH
oath_init();
#endif
return;
}
/* Breaks a list of "xxx", "yyy", to a character array, of
@ -483,7 +482,6 @@ static void plain_group_list(void *pool, void *additional, char ***groupname, un
htable_clear(&hash);
safe_memset(line, 0, sizeof(line));
fclose(fp);
return;
}
const struct auth_mod_st plain_auth_funcs = {


@ -32,7 +32,6 @@ void oc_base64_encode (const char *restrict in, size_t inlen,
}
base64_encode_raw((void*)out, inlen, (uint8_t*)in);
out[raw] = 0;
return;
}
int


@ -102,8 +102,6 @@ void parse_kkdcp_string(char *str, int *socktype, char **_port, char **_server,
*_realm = realm;
*_path = path;
*_server = server;
return;
}
#endif


@ -75,13 +75,16 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
#define WARNSTR "warning: "
#define NOTESTR "note: "
#define READ_MULTI_LINE(varname, num) { \
#define READ_MULTI_LINE(varname, num) \
do { \
if (_add_multi_line_val(pool, &varname, &num, value) < 0) { \
fprintf(stderr, ERRSTR"memory\n"); \
exit(EXIT_FAILURE); \
}}
} \
} while (0)
#define READ_MULTI_BRACKET_LINE(varname, varname2, num) { \
#define READ_MULTI_BRACKET_LINE(varname, varname2, num) \
do { \
if (varname == NULL || varname2 == NULL) { \
num = 0; \
varname = talloc_size(pool, sizeof(char*)*DEFAULT_CONFIG_ENTRIES); \
@ -99,7 +102,8 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
num++; \
varname[num] = NULL; \
varname2[num] = NULL; \
}}
} \
} while (0)
#define PREAD_STRING(pool, varname) { \
unsigned len = strlen(value); \
@ -115,25 +119,28 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
strlcpy(varname, value, sizeof(varname)); \
}
#define READ_TF(varname) {\
#define READ_TF(varname) \
do { \
if (c_strcasecmp(value, "true") == 0 || c_strcasecmp(value, "yes") == 0) \
varname = 1; \
else \
varname = 0; \
}
} while (0)
#define READ_NUMERIC(varname) { \
varname = strtol(value, NULL, 10); \
}
#define READ_PRIO_TOS(varname) \
do { \
if (strncmp(value, "0x", 2) == 0) { \
varname = strtol(value, NULL, 16); \
varname = TOS_PACK(varname); \
} else { \
varname = strtol(value, NULL, 10); \
varname++; \
}
} \
} while (0)
struct snapshot_t * config_snapshot = NULL;
@ -440,7 +447,7 @@ char *sanitize_config_value(void *pool, const char *value)
if (len < 0)
return NULL;
return talloc_strndup(pool, &value[i], len); \
return talloc_strndup(pool, &value[i], len);
}
@ -489,8 +496,6 @@ static void append_iroutes_from_file(struct cfg_st *config, const char *file)
if (ip_route_sanity_check(config->known_iroutes, &config->known_iroutes[j]) != 0)
exit(EXIT_FAILURE);
}
return;
}
static void load_iroutes(struct cfg_st *config)
@ -1124,6 +1129,12 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
READ_STRING(config->default_user_conf);
} else if (strcmp(name, "default-group-config") == 0) {
READ_STRING(config->default_group_conf);
} else if (strcmp(name, "camouflage") == 0) {
READ_TF(config->camouflage);
} else if (strcmp(name, "camouflage_secret") == 0) {
READ_STRING(config->camouflage_secret);
} else if (strcmp(name, "camouflage_realm") == 0) {
READ_STRING(config->camouflage_realm);
} else {
if (reload == 0)
fprintf(stderr, WARNSTR"skipping unknown option '%s'\n", name);
@ -1688,8 +1699,6 @@ static void archive_cfg(struct list_head *head)
list_add(&vhost->perm_config.attic, &e->list);
}
}
return;
}
static void clear_cfg(struct list_head *head)
@ -1701,8 +1710,6 @@ static void clear_cfg(struct list_head *head)
talloc_free(cpos->perm_config.config);
cpos->perm_config.config = NULL;
}
return;
}
void clear_vhosts(struct list_head *head)
@ -1715,8 +1722,6 @@ void clear_vhosts(struct list_head *head)
talloc_free(vhost->perm_config.config);
vhost->perm_config.config = NULL;
}
return;
}
static void append(const char *option)
@ -1795,8 +1800,6 @@ void reload_cfg_file(void *pool, struct list_head *configs, unsigned sec_mod)
/* parse the config again */
parse_cfg_file(pool, cfg_file, configs, flags);
return;
}
void write_pid_file(void)
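Review bot: Nothing validates the three new options: with `camouflage = true` and no `camouflage_secret`, the worker's check_camouflage_url returns before setting `camouflage_check_passed`, so every GET and POST is declined and the server becomes unreachable after a reload; check_cfg (whose body begins before this hunk) should reject that combination, e.g. `if (config->camouflage && (!config->camouflage_secret || !config->camouflage_secret[0])) { fprintf(stderr, ERRSTR"camouflage requires a non-empty camouflage_secret\n"); exit(EXIT_FAILURE); }`. The new names `camouflage_secret` and `camouflage_realm` are the only hyphen-less option names in cfg_ini_handler (compare `default-group-config` just above), so either accept the hyphenated spelling too or rename them before release. On the macro cleanup, `READ_NUMERIC` and `PREAD_STRING` are left as bare brace blocks while their siblings were converted to `do { } while (0)`, so the dangling-else hazard the hunk fixes remains for those two.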


@ -1298,7 +1298,7 @@ reexecute:
}
break;
/* Connection */
/* connection */
case h_matching_connection:
parser->index++;
@ -1310,7 +1310,7 @@ reexecute:
}
break;
/* Proxy-Connection */
/* proxy-connection */
case h_matching_proxy_connection:
parser->index++;
@ -1322,7 +1322,7 @@ reexecute:
}
break;
/* Content-Length */
/* content-length */
case h_matching_content_length:
parser->index++;
@ -1334,7 +1334,7 @@ reexecute:
}
break;
/* Transfer-Encoding */
/* transfer-encoding */
case h_matching_transfer_encoding:
parser->index++;
@ -1347,7 +1347,7 @@ reexecute:
}
break;
/* Upgrade */
/* upgrade */
case h_matching_upgrade:
parser->index++;
@ -1803,7 +1803,7 @@ reexecute:
REEXECUTE();
}
/* Cannot use Transfer-Encoding and Content-Length headers together
/* Cannot use transfer-encoding and a content-length header together
per the HTTP specification. (RFC 7230 Section 3.3.3) */
if ((parser->uses_transfer_encoding == 1) &&
(parser->flags & F_CONTENTLENGTH)) {
@ -1928,7 +1928,7 @@ reexecute:
UPDATE_STATE(s_body_identity);
} else {
if (!http_message_needs_eof(parser)) {
/* Assume Content-Length 0 - read the next */
/* Assume content-length 0 - read the next */
UPDATE_STATE(NEW_MESSAGE());
CALLBACK_NOTIFY(message_complete);
} else {


@ -62,8 +62,6 @@ struct htable_iter iter;
cache = htable_next(&db->ht, &iter);
}
htable_clear(&db->ht);
return;
}
static size_t rehash(const void* _e, void* unused)


@ -105,8 +105,6 @@ void __attribute__ ((format(printf, 3, 4)))
name[0] = 0;
syslog(priority, "worker%s: %s %s", name, ip?ip:"[unknown]", buf);
return;
}
/* proc is optional */
@ -151,8 +149,6 @@ void __attribute__ ((format(printf, 4, 5)))
name[0] = 0;
syslog(priority, "main%s:%s %s", name, ip?ip:"[unknown]", buf);
return;
}
void mslog_hex(const main_server_st * s, const struct proc_st* proc,
@ -182,8 +178,6 @@ void mslog_hex(const main_server_st * s, const struct proc_st* proc,
}
_mslog(s, proc, priority, "%s %s", prefix, buf);
return;
}
void oclog_hex(const worker_st* ws, int priority,
@ -213,8 +207,6 @@ void oclog_hex(const worker_st* ws, int priority,
}
_oclog(ws, priority, "%s %s", prefix, buf);
return;
}
void seclog_hex(const struct sec_mod_st* sec, int priority,
@ -238,6 +230,4 @@ void seclog_hex(const struct sec_mod_st* sec, int priority,
}
seclog(sec, priority, "%s %s", prefix, buf);
return;
}


@ -241,8 +241,6 @@ static void method_status(method_ctx *ctx, int cfd, uint8_t * msg,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply");
}
return;
}
static void method_reload(method_ctx *ctx, int cfd, uint8_t * msg,
@ -263,8 +261,6 @@ static void method_reload(method_ctx *ctx, int cfd, uint8_t * msg,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply");
}
return;
}
static void method_stop(method_ctx *ctx, int cfd, uint8_t * msg,
@ -285,8 +281,6 @@ static void method_stop(method_ctx *ctx, int cfd, uint8_t * msg,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply");
}
return;
}
#define IPBUF_SIZE 64
@ -479,7 +473,7 @@ static void method_list_users(method_ctx *ctx, int cfd, uint8_t * msg,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR,
"error appending user info to reply");
goto error;
return;
}
}
@ -489,9 +483,6 @@ static void method_list_users(method_ctx *ctx, int cfd, uint8_t * msg,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply");
}
error:
return;
}
static void method_top(method_ctx *ctx, int cfd, uint8_t * msg,
@ -557,7 +548,7 @@ static void method_list_banned(method_ctx *ctx, int cfd, uint8_t * msg,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR,
"error appending ban info to reply");
goto error;
return;
}
e = htable_next(db, &iter);
}
@ -568,9 +559,6 @@ static void method_list_banned(method_ctx *ctx, int cfd, uint8_t * msg,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR, "error sending ban list reply");
}
error:
return;
}
static void method_list_cookies(method_ctx *ctx, int cfd, uint8_t * msg,
@ -655,7 +643,6 @@ reply_and_exit:
if (cookies) {
talloc_free(cookies);
}
return;
}
static void single_info_common(method_ctx *ctx, int cfd, uint8_t * msg,
@ -686,7 +673,7 @@ static void single_info_common(method_ctx *ctx, int cfd, uint8_t * msg,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR,
"error appending user info to reply");
goto error;
return;
}
found_user = 1;
@ -709,9 +696,6 @@ static void single_info_common(method_ctx *ctx, int cfd, uint8_t * msg,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply");
}
error:
return;
}
static void method_user_info(method_ctx *ctx, int cfd, uint8_t * msg,
@ -729,8 +713,6 @@ static void method_user_info(method_ctx *ctx, int cfd, uint8_t * msg,
single_info_common(ctx, cfd, msg, msg_size, req->username, 0);
username_req__free_unpacked(req, NULL);
return;
}
static void method_id_info(method_ctx *ctx, int cfd, uint8_t * msg,
@ -748,8 +730,6 @@ static void method_id_info(method_ctx *ctx, int cfd, uint8_t * msg,
single_info_common(ctx, cfd, msg, msg_size, NULL, req->id);
id_req__free_unpacked(req, NULL);
return;
}
static void method_unban_ip(method_ctx *ctx,
@ -781,8 +761,6 @@ static void method_unban_ip(method_ctx *ctx,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR, "error sending unban IP ctl reply");
}
return;
}
static void method_disconnect_user_name(method_ctx *ctx,
@ -820,8 +798,6 @@ static void method_disconnect_user_name(method_ctx *ctx,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply");
}
return;
}
static void method_disconnect_user_id(method_ctx *ctx, int cfd,
@ -861,8 +837,6 @@ static void method_disconnect_user_id(method_ctx *ctx, int cfd,
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR, "error sending ctl reply");
}
return;
}
struct ctl_watcher_st {
@ -919,7 +893,6 @@ static void ctl_cmd_wacher_cb(EV_P_ ev_io *w, int revents)
close(wst->fd);
ev_io_stop(EV_A_ w);
talloc_free(wst);
return;
}
static void ctl_handle_commands(main_server_st * s)


@ -50,11 +50,13 @@
#define OCSERV_FW_SCRIPT "/usr/bin/ocserv-fw"
#define APPEND_TO_STR(str, val) \
do { \
ret = str_append_str(str, val); \
if (ret < 0) { \
mslog(s, proc, LOG_ERR, "could not append value to environment\n"); \
exit(EXIT_FAILURE); \
}
} \
} while (0)
typedef enum script_type_t {
SCRIPT_CONNECT,


@ -72,7 +72,7 @@
#ifdef HAVE_GSSAPI
# include <libtasn1.h>
extern const ASN1_ARRAY_TYPE kkdcp_asn1_tab[];
extern const asn1_static_node kkdcp_asn1_tab[];
asn1_node _kkdcp_pkix1_asn = NULL;
#endif
@ -431,8 +431,6 @@ int y;
set_mtu_disc(fd, family, 1);
}
set_cloexec_flag (fd, 1);
return;
}
/* clears the server listen_list and proc_list. To be used after fork().


@ -62,8 +62,6 @@ void entries_add(void *pool, const char* user, unsigned user_size, unsigned id)
snprintf(entries[entries_size].id, sizeof(entries[entries_size].id), "%u", id);
entries_size++;
return;
}
char* search_for_user(unsigned idx, const char* match, int match_size)


@ -113,8 +113,6 @@ void geo_ipv4_lookup(struct in_addr ip, char **country, char **city, char **coor
pGeoIP_delete(gi);
}
}
return;
}
void geo_ipv6_lookup(struct in6_addr *ip, char **country, char **city, char **coord)
@ -171,8 +169,6 @@ void geo_ipv6_lookup(struct in6_addr *ip, char **country, char **city, char **co
pGeoIP_delete(gi);
}
}
return;
}
char *geo_lookup(const char *ip, char *buf, unsigned buf_size)


@ -57,8 +57,6 @@ void ip_entries_add(void *pool, const char* ip, unsigned ip_size)
strlcpy(ip_entries[ip_entries_size].ip, ip, sizeof(ip_entries[ip_entries_size].ip));
ip_entries[ip_entries_size].ip_size = ip_size;
ip_entries_size++;
return;
}
char* search_for_ip(unsigned idx, const char* match, int match_size)


@ -117,13 +117,10 @@ void print_iface_stats(const char *iface, time_t since, FILE * out, cmd_params_s
fprintf(out, " \"Average RX\": \"%s\",\n \"Average TX\": \"%s\"%s\n", buf1, buf2, have_more?",":"");
else
fprintf(out, "\tAverage bandwidth RX: %s TX: %s\n", buf1, buf2);
return;
}
#else
void print_iface_stats(const char *iface, time_t since, FILE * out, cmd_params_st *params, unsigned have_more)
{
return;
}
#endif


@ -211,7 +211,7 @@ static char *rl_gets(char *line_read)
if (line_read && *line_read)
add_history(line_read);
return (line_read);
return line_read;
}
void
@ -225,18 +225,14 @@ double data;
if (bytes > 1000 && bytes < 1000 * 1000) {
data = ((double) bytes) / 1000;
snprintf(output, output_size, "%.1f KB%s", data, suffix);
return;
} else if (bytes >= 1000 * 1000 && bytes < 1000 * 1000 * 1000) {
data = ((double) bytes) / (1000 * 1000);
snprintf(output, output_size, "%.1f MB%s", data, suffix);
return;
} else if (bytes >= 1000 * 1000 * 1000) {
data = ((double) bytes) / (1000 * 1000 * 1000);
snprintf(output, output_size, "%.1f GB%s", data, suffix);
return;
} else {
snprintf(output, output_size, "%lu bytes%s", bytes, suffix);
return;
}
}
@ -245,13 +241,10 @@ time2human(uint64_t microseconds, char* output, unsigned output_size)
{
if (microseconds < 1000) {
snprintf(output, output_size, "<1ms");
return;
} else if (microseconds < 1000000) {
snprintf(output, output_size, "%ldms", microseconds / 1000);
return;
} else {
snprintf(output, output_size, "%lds", microseconds / 1000000);
return;
}
}
@ -499,7 +492,7 @@ static char *command_generator(const char *text, int state)
name += cmd_start;
if (c_strncasecmp(name, text, len) == 0) {
return (strdup(name));
return strdup(name);
}
}
@ -520,7 +513,6 @@ void handle_sigint(int signo)
rl_crlf();
#endif
rl_redisplay();
return;
}
void initialize_readline(void)


@ -50,8 +50,6 @@ void session_entries_add(void *pool, const char* session)
strlcpy(session_entries[session_entries_size].session, session, sizeof(session_entries[session_entries_size].session));
session_entries_size++;
return;
}
char* search_for_session(unsigned idx, const char* match, int match_size)


@ -36,7 +36,7 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], time_t t1, time_t t2)
{
time_t t = t1 - t2;
if ((long)t < (long)0) {
if ((long)t < 0) {
/* system clock changed? */
snprintf(output, MAX_TMPSTR_SIZE, " ? ");
return;


@ -1426,7 +1426,6 @@ int handle_show_user_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *p
static void dummy_sighandler(int signo)
{
return;
}


@ -93,7 +93,7 @@ static void co_switch_context(co_ctx_t *octx, co_ctx_t *nctx)
if (swapcontext(&octx->cc, &nctx->cc) < 0) {
fprintf(stderr, "[PCL] Context switch failed: curr=%p\n",
tctx->co_curr);
exit(EXIT_FAILURE);
exit(1);
}
}
@ -150,7 +150,7 @@ static void co_ctx_bootstrap(void)
fprintf(stderr, "[PCL] Hmm, you really shouldn't reach this point: curr=%p\n",
tctx->co_curr);
exit(EXIT_FAILURE);
exit(1);
}
static void co_ctx_trampoline(int sig)
@ -418,7 +418,7 @@ void co_delete(coroutine_t coro)
if (co == tctx->co_curr) {
fprintf(stderr, "[PCL] Cannot delete itself: curr=%p\n",
tctx->co_curr);
exit(EXIT_FAILURE);
exit(1);
}
if (co->alloc)
free(co);
@ -455,7 +455,7 @@ static void co_del_helper(void *data)
co_delete(tctx->co_curr->caller);
co_call((coroutine_t) cdh);
if (tctx->co_dhelper == NULL) {
exit(EXIT_FAILURE);
exit(1);
}
}
}
@ -470,7 +470,7 @@ void co_exit_to(coroutine_t coro)
tctx->stk, sizeof(tctx->stk))) == NULL) {
fprintf(stderr, "[PCL] Unable to create delete helper coroutine: curr=%p\n",
tctx->co_curr);
exit(EXIT_FAILURE);
exit(1);
}
tctx->co_dhelper = co;
@ -478,7 +478,7 @@ void co_exit_to(coroutine_t coro)
fprintf(stderr, "[PCL] Stale coroutine called: curr=%p exitto=%p caller=%p\n",
tctx->co_curr, co, tctx->co_curr->caller);
exit(EXIT_FAILURE);
exit(1);
}
void co_exit(void)


@ -196,6 +196,4 @@ unsigned i;
route_del(s, proc, proc->config->iroutes[i], proc->tun_lease.name);
}
proc->applied_iroutes = 0;
return;
}


@ -113,8 +113,6 @@ void sec_mod_add_score_to_ip(sec_mod_st *sec, client_entry_st *e, const char *ip
fail:
talloc_free(lpool);
return;
}
static void update_auth_time_stats(sec_mod_st * sec, time_t secs)
@ -629,8 +627,6 @@ void handle_sec_auth_ban_ip_reply(sec_mod_st *sec, const BanIpReplyMsg *msg)
if (msg->reply != AUTH__REP__OK) {
e->status = PS_AUTH_FAILED;
}
return;
}
int handle_sec_auth_stats_cmd(sec_mod_st * sec, const CliStatsMsg * req, pid_t pid)


@ -208,6 +208,4 @@ void expire_tls_sessions(sec_mod_st *sec)
}
cache = htable_next(sec->tls_db.ht, &iter);
}
return;
}


@ -609,8 +609,6 @@ static void send_stats_to_main(sec_mod_st *sec)
seclog(sec, LOG_ERR, "error in sending statistics to main");
return;
}
return;
}
static void reload_server(sec_mod_st *sec)
@ -760,11 +758,13 @@ int serve_request_worker(sec_mod_st *sec, int cfd, pid_t pid, uint8_t *buffer, u
}
#define CHECK_LOOP_ERR(x) \
do { \
if (force != 0) { GNUTLS_FATAL_ERR(x); } \
else { if (ret < 0) { \
seclog(sec, LOG_ERR, "could not reload key %s", vhost->perm_config.key[i]); \
continue; } \
}
} \
} while (0)
static int load_keys(sec_mod_st *sec, unsigned force)
{


@ -143,14 +143,18 @@ void cleanup_client_entries(sec_mod_st *sec);
#ifdef __GNUC__
# define seclog(sec, prio, fmt, ...) \
do { \
if (prio != LOG_DEBUG || GETPCONFIG(sec)->debug >= 3) { \
syslog(prio, "sec-mod: "fmt, ##__VA_ARGS__); \
}
} \
} while (0)
#else
# define seclog(sec,prio,...) \
do { \
if (prio != LOG_DEBUG || GETPCONFIG(sec)->debug >= 3) { \
syslog(prio, __VA_ARGS__); \
}
} \
} while (0)
#endif
void seclog_hex(const struct sec_mod_st* sec, int priority,


@ -60,7 +60,6 @@ void setproctitle (const char *fmt, ...)
void setproctitle (const char *fmt, ...)
{
return;
}
# endif /* __linux__ */


@ -53,7 +53,7 @@
#ifndef UNDER_TEST
static void tls_reload_ocsp(main_server_st* s, struct vhost_cfg_st *vhost);
#endif
#endif /* UNDER_TEST */
void cstp_cork(worker_st *ws)
{
@ -433,14 +433,14 @@ void tls_cache_deinit(tls_sess_db_st* db)
htable_clear(db->ht);
db->entries = 0;
talloc_free(db->ht);
return;
}
#ifndef UNDER_TEST
static void tls_log_func(int level, const char *str)
{
syslog(LOG_DEBUG, "TLS[<%d>]: %s", level, str);
}
#endif /* UNDER_TEST */
static void tls_audit_log_func(gnutls_session_t session, const char *str)
{
@ -457,6 +457,7 @@ static void tls_audit_log_func(gnutls_session_t session, const char *str)
}
}
#ifndef UNDER_TEST
static int verify_certificate_cb(gnutls_session_t session)
{
unsigned int status;
@ -540,6 +541,7 @@ no_cert:
fail:
return GNUTLS_E_CERTIFICATE_ERROR;
}
#endif /* UNDER_TEST */
void tls_global_init(void)
{
@ -571,10 +573,9 @@ void tls_vhost_deinit(struct vhost_cfg_st *vhost)
vhost->creds.xcred = NULL;
vhost->creds.pskcred = NULL;
vhost->creds.cprio = NULL;
return;
}
#ifndef UNDER_TEST
/* Checks, if there is a single certificate specified, whether it
* is compatible with all ciphersuites */
static void certificate_check(main_server_st *s, const char *vhostname, gnutls_pcert_st *pcert)
@ -640,7 +641,6 @@ cleanup:
gnutls_x509_crt_deinit(crt);
gnutls_free(data.data);
gnutls_free(dn.data);
return;
}
static void set_dh_params(main_server_st* s, struct vhost_cfg_st *vhost)
@ -669,7 +669,6 @@ static void set_dh_params(main_server_st* s, struct vhost_cfg_st *vhost)
}
}
#ifndef UNDER_TEST
struct key_cb_data {
unsigned pk;
unsigned bits;
@ -1016,8 +1015,6 @@ void tls_load_files(main_server_st *s, struct vhost_cfg_st *vhost)
}
tls_reload_ocsp(s, vhost);
return;
}
static int ocsp_get_func(gnutls_session_t session, void *ptr, gnutls_datum_t *response)
@ -1071,8 +1068,6 @@ void tls_load_prio(main_server_st *s, struct vhost_cfg_st *vhost)
if (ret == GNUTLS_E_PARSING_ERROR)
mslog(s, NULL, LOG_ERR, "error in TLS priority string: %s", perr);
GNUTLS_FATAL_ERR(ret);
return;
}
/*
@ -1117,7 +1112,7 @@ void tls_reload_crl(main_server_st* s, struct vhost_cfg_st *vhost, unsigned forc
mslog(s, NULL, LOG_INFO, "loaded CRL: %s", vhost->perm_config.config->crl);
}
}
#endif
#endif /* UNDER_TEST */
void tls_cork(gnutls_session_t session)
{


@ -73,17 +73,20 @@ size_t tls_get_overhead(gnutls_protocol_t, gnutls_cipher_algorithm_t, gnutls_mac
#endif
#define DTLS_FATAL_ERR_CMD(x, CMD) \
do { \
if (x < 0 && gnutls_error_is_fatal (x) != 0) { \
if (syslog_open) \
syslog(LOG_WARNING, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \
else \
fprintf(stderr, "GnuTLS error (at %s:%d): %s\n", __FILE__, __LINE__, gnutls_strerror(x)); \
CMD; \
}
} \
} while (0)
#define DTLS_FATAL_ERR(x) DTLS_FATAL_ERR_CMD(x, exit(EXIT_FAILURE))
#define CSTP_FATAL_ERR_CMD(ws, x, CMD) \
do { \
if (ws->session != NULL) { \
if (x < 0 && gnutls_error_is_fatal (x) != 0) { \
oclog(ws, LOG_WARNING, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \
@ -94,7 +97,8 @@ size_t tls_get_overhead(gnutls_protocol_t, gnutls_cipher_algorithm_t, gnutls_mac
oclog(ws, LOG_WARNING, "socket error (at %s:%d): %s", __FILE__, __LINE__, strerror(errno)); \
CMD; \
} \
}
} \
} while (0)
#define CSTP_FATAL_ERR(ws, x) CSTP_FATAL_ERR_CMD(ws, x, exit(EXIT_FAILURE))


@ -320,7 +320,6 @@ static int os_set_ipv6_addr(main_server_st * s, struct proc_st *proc)
static void os_reset_ipv6_addr(struct proc_st *proc)
{
return;
}
#endif
@ -785,8 +784,6 @@ void close_tun(main_server_st * s, struct proc_st *proc)
if (fd != -1)
close(fd);
#endif
return;
}
static void reset_ipv4_addr(struct proc_st *proc)
@ -906,8 +903,7 @@ ssize_t tun_read(int sockfd, void *buf, size_t len)
#ifndef __FreeBSD__
int tun_claim(int sockfd)
{
return (0);
return 0;
}
#else
/*
@ -917,7 +913,6 @@ int tun_claim(int sockfd)
*/
int tun_claim(int sockfd)
{
return (ioctl(sockfd, TUNSIFPID, 0));
return ioctl(sockfd, TUNSIFPID, 0);
}
#endif /* !__FreeBSD__ */


@ -358,6 +358,10 @@ struct cfg_st {
/* holds a usage count of holders of pointers in this struct */
int *usage_count;
bool camouflage;
char *camouflage_secret;
char *camouflage_realm;
};
struct perm_cfg_st {


@ -919,6 +919,12 @@ void cookie_authenticate_or_exit(worker_st *ws)
ret = auth_cookie(ws, ws->cookie, sizeof(ws->cookie));
if (ret < 0) {
oclog(ws, LOG_WARNING, "failed cookie authentication attempt");
if (WSCONFIG(ws)->camouflage && ws->camouflage_check_passed == 0)
{
cstp_puts(ws,
"HTTP/1.1 405 Method Not Allowed\r\n\r\n");
}
else
if (ret == ERR_AUTH_FAIL) {
cstp_puts(ws,
"HTTP/1.1 401 Cookie is not acceptable\r\n\r\n");
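Review bot: The new branch answers a failed cookie authentication with a bare `HTTP/1.1 405 Method Not Allowed` and no headers or body when camouflage is on, while the GET/POST path in vpn_server answers 404 or 401 with a body, `Content-Length` and `Connection: close`; a prober that sends a CONNECT can therefore distinguish this server from the web server it is imitating. Reuse the same responses here, e.g. `if (WSCONFIG(ws)->camouflage_realm) response_401(ws, 1, WSCONFIG(ws)->camouflage_realm); else response_404(ws, 1);` (the parsed HTTP minor version is not visible in this hunk, so 1 is a placeholder). Also `else` on its own line followed by `if (ret == ERR_AUTH_FAIL)` reads as a nested block; write it as `} else if (ret == ERR_AUTH_FAIL) {`. cookie_authenticate_or_exit continues past the end of this hunk.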


@ -39,6 +39,7 @@
#include <tlslib.h>
#define HTML_404 "<html><body><h1>404 Not Found</h1></body></html>\r\n"
#define HTML_401 "<html><body><h1>401 Unauthorized</h1></body></html>\r\n"
int response_404(worker_st *ws, unsigned http_ver)
{
@ -50,6 +51,17 @@ int response_404(worker_st *ws, unsigned http_ver)
return 0;
}
int response_401(worker_st *ws, unsigned http_ver, char* realm)
{
if (cstp_printf(ws, "HTTP/1.%u 401 Unauthorized\r\n", http_ver) < 0 ||
cstp_printf(ws, "WWW-Authenticate: Basic realm=\"%s\"\r\n", realm) < 0 ||
cstp_printf(ws, "Content-Length: %u\r\n", (unsigned)(sizeof(HTML_401) - 1)) < 0 ||
cstp_puts (ws, "Connection: close\r\n\r\n") < 0 ||
cstp_puts (ws, HTML_401) < 0)
return -1;
return 0;
}
static int send_headers(worker_st *ws, unsigned http_ver, const char *content_type,
unsigned content_length)
{
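Review bot: response_401 interpolates `realm` into the `WWW-Authenticate` header unescaped, so a `"`, CR or LF in `camouflage_realm` produces a malformed or split header; the value comes from the server's own configuration rather than from the network, so this is a misconfiguration hazard, but it is cheap to either reject those characters where the option is parsed or state the requirement on the function, e.g. `/* realm must be a valid HTTP quoted-string payload: no '"', CR or LF (enforced by caller). */`. The header set also lacks a `Content-Type` for the HTML body; whether response_404 sends one is not visible in this hunk, but the two should match so the responses are indistinguishable. send_headers begins at the end of this hunk and is cut off.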


@ -104,7 +104,8 @@ static const dtls_ciphersuite_st ciphersuites[] = {
.gnutls_mac = GNUTLS_MAC_AEAD,
.gnutls_kx = GNUTLS_KX_RSA,
.gnutls_cipher = GNUTLS_CIPHER_AES_128_GCM,
.server_prio = 80},
.server_prio = 80,
},
{
.oc_name = CS_AES256_GCM,
.gnutls_name =
@ -144,7 +145,7 @@ static const dtls_ciphersuite_st ciphersuites[] = {
.gnutls_kx = GNUTLS_KX_RSA,
.gnutls_cipher = GNUTLS_CIPHER_3DES_CBC,
.server_prio = 1,
}
},
};
static const dtls_ciphersuite_st ciphersuites12[] = {
@ -698,12 +699,17 @@ url_handler_fn http_get_url_handler(const char *url)
url_handler_fn http_post_url_handler(struct worker_st *ws, const char *url)
{
const struct known_urls_st *p;
unsigned len = strlen(url);
unsigned i;
p = known_urls;
do {
if (p->url != NULL && strcmp(p->url, url) == 0)
if (p->url != NULL) {
if ((len == p->url_size && strcmp(p->url, url) == 0) ||
(len > p->url_size && strncmp(p->url, url, p->url_size) == 0
&& p->partial_match == 0 && url[p->url_size] == '?'))
return p->post_handler;
}
p++;
} while (p->url != NULL);
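Review bot: `unsigned len = strlen(url);` narrows a `size_t`, and `unsigned i;` is declared but not referenced anywhere in the visible part of http_post_url_handler; make it `size_t len = strlen(url);` and drop `i` unless the rest of the function, which continues past this hunk, uses it. The query-string tolerance is added only to POST dispatch; http_get_url_handler, of which only the closing brace is visible, presumably still does an exact compare, so GET requests carrying a `?` will only dispatch when camouflage is on (vpn_server strips the query before dispatch in that case) — worth a comment on the function or the same treatment for GET. Note that the prefix match is deliberately restricted to `partial_match == 0` entries and to a `?` immediately after the path, which is the right scope.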


@ -92,13 +92,15 @@ int disable_system_calls(struct worker_st *ws)
}
#define ADD_SYSCALL(name, ...) \
do { \
ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(name), __VA_ARGS__); \
/* libseccomp returns EDOM for pseudo-syscalls due to a bug */ \
if (ret < 0 && ret != -EDOM) { \
oclog(ws, LOG_DEBUG, "could not add " #name " to seccomp filter: %s", strerror(-ret)); \
ret = -1; \
goto fail; \
}
} \
} while (0)
/* These seem to be called by libc or some other dependent library;
* they are not necessary for functioning, but we must allow them in order


@ -490,8 +490,6 @@ void ws_add_score_to_ip(worker_st *ws, unsigned points, unsigned final, unsigned
}
ban_ip_reply_msg__free_unpacked(reply, &pa);
return;
}
void send_stats_to_secmod(worker_st * ws, time_t now, unsigned discon_reason)
@ -575,7 +573,8 @@ void exit_worker_reason(worker_st * ws, unsigned reason)
#define HANDSHAKE_SESSION_ID_POS (34)
#define SKIP_V16(pos, total) \
{ uint16_t _s; \
{ \
uint16_t _s; \
if (pos+2 > total) goto finish; \
_s = (msg->data[pos] << 8) | msg->data[pos+1]; \
if (pos+2+_s > total) goto finish; \
@ -583,15 +582,20 @@ void exit_worker_reason(worker_st * ws, unsigned reason)
}
#define SKIP16(pos, total) \
do { \
if (pos+2 > total) goto finish; \
pos += 2
pos += 2; \
} while (0)
#define SKIP8(pos, total) \
do { \
if (pos+1 > total) goto finish; \
pos++
pos++; \
} while (0)
#define SKIP_V8(pos, total) \
{ uint8_t _s; \
{ \
uint8_t _s; \
if (pos+1 > total) goto finish; \
_s = msg->data[pos]; \
if (pos+1+_s > total) goto finish; \
@ -599,6 +603,7 @@ void exit_worker_reason(worker_st * ws, unsigned reason)
}
#define SET_VHOST_CREDS \
do { \
ret = \
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, \
WSCREDS(ws)->xcred); \
@ -606,7 +611,8 @@ void exit_worker_reason(worker_st * ws, unsigned reason)
gnutls_certificate_server_set_request(session, WSCONFIG(ws)->cert_req); \
ret = gnutls_priority_set(session, WSCREDS(ws)->cprio); \
GNUTLS_FATAL_ERR(ret); \
gnutls_db_set_cache_expiration(session, TLS_SESSION_EXPIRATION_TIME(WSCONFIG(ws)))
gnutls_db_set_cache_expiration(session, TLS_SESSION_EXPIRATION_TIME(WSCONFIG(ws))); \
} while (0)
/* Parse the TLS client hello to figure vhost */
static int hello_hook_func(gnutls_session_t session, unsigned int htype,
@ -750,6 +756,20 @@ static void peek_client_hello(struct worker_st *ws, gnutls_session_t session, in
}
#endif
void check_camouflage_url(struct worker_st *ws)
{
if (WSCONFIG(ws)->camouflage_secret == NULL)
return;
char* url_camouflage_part = strchr(ws->req.url, '?');
if (url_camouflage_part
&& !strcmp(url_camouflage_part + 1, WSCONFIG(ws)->camouflage_secret))
{
*url_camouflage_part = '\0';
ws->camouflage_check_passed = 1;
}
}
/* vpn_server:
* @ws: an initialized worker structure
*
@ -921,6 +941,21 @@ void vpn_server(struct worker_st *ws)
}
} while (ws->req.headers_complete == 0);
if ((parser.method == HTTP_GET || parser.method == HTTP_POST) &&
(WSCONFIG(ws)->camouflage && ws->camouflage_check_passed == 0))
{
check_camouflage_url(ws);
if (ws->camouflage_check_passed == 0)
{
oclog(ws, LOG_INFO, "Secret not found in URL, declining...");
if (WSCONFIG(ws)->camouflage_realm)
response_401(ws, parser.http_minor, WSCONFIG(ws)->camouflage_realm);
else
response_404(ws, parser.http_minor);
goto finish;
}
}
if (parser.method == HTTP_GET) {
oclog(ws, LOG_HTTP_DEBUG, "HTTP GET %s", ws->req.url);
fn = http_get_url_handler(ws->req.url);
@ -1182,14 +1217,15 @@ void mtu_ok(worker_st * ws, struct dtls_st * dtls)
c = (ws->link_mtu + ws->last_bad_mtu) / 2;
link_mtu_set(ws, dtls, c);
return;
}
#define FUZZ(x, diff, rnd) \
do { \
if (x > diff) { \
int16_t r = rnd; \
x += r % diff; \
}
} \
} while (0)
int get_pmtu_approx(worker_st *ws)
{
@ -1349,11 +1385,9 @@ static void set_no_delay(worker_st * ws, int fd)
int ret;
ret = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &flag, sizeof(flag));
if (ret == -1) {
if (ret == -1)
oclog(ws, LOG_DEBUG,
"setsockopt(TCP_NODELAY) to %x, failed.", (unsigned)flag);
return;
}
}
#define TOSCLASS(x) (IPTOS_CLASS_CS##x)
@ -1374,7 +1408,7 @@ static void set_net_priority(worker_st * ws, int fd, int priority)
}
#endif
#ifdef SO_PRIORITY
#if defined(SO_PRIORITY)
if (priority != 0 && priority <= 7) {
t = ws->user_config->net_priority - 1;
ret = setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &t, sizeof(t));
@ -1385,10 +1419,9 @@ static void set_net_priority(worker_st * ws, int fd, int priority)
return;
}
#endif
return;
}
#define SEND_ERR(x) if (x<0) goto send_error
#define SEND_ERR(x) do { if (x<0) goto send_error; } while (0)
static int dtls_mainloop(worker_st * ws, struct dtls_st * dtls, struct timespec *tnow)
{
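Review bot: `check_camouflage_url` (hunk at L1141) compares the client-supplied query string against `camouflage_secret` with `strcmp`, which returns as soon as one byte differs, so the response time leaks how many leading bytes of the secret a request got right. Check the length first and then use a constant-time comparison such as `gnutls_memcmp` (GnuTLS 3.6.12 and later; the worker already uses GnuTLS, and the length check reveals only the secret's length) — the rewrite below keeps the in-place truncation of `ws->req.url`. Separately, with `camouflage` enabled but `camouflage_secret` unset the early return refuses every GET/POST while logging that the secret was missing from the URL; presumably fail-closed by intent, but that combination is better rejected when the configuration is loaded (not visible here). The `set_no_delay` hunk drops the braces around a two-line `oclog` call; keeping them avoids a later statement silently falling outside the `if`. `vpn_server` continues outside its hunk.
```c
void check_camouflage_url(struct worker_st *ws)
{
	/* … unchanged: early return when camouflage_secret is NULL … */

	char *url_camouflage_part = strchr(ws->req.url, '?');
	if (url_camouflage_part == NULL)
		return;

	/* Constant-time compare: the response time must not depend on how
	 * many leading bytes of the secret matched. */
	size_t secret_len = strlen(WSCONFIG(ws)->camouflage_secret);
	if (strlen(url_camouflage_part + 1) == secret_len
	    && gnutls_memcmp(url_camouflage_part + 1,
			     WSCONFIG(ws)->camouflage_secret, secret_len) == 0) {
		*url_camouflage_part = '\0';
		ws->camouflage_check_passed = 1;
	}
}
```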


@ -38,7 +38,7 @@
#ifdef HAVE_GSSAPI
#include <libtasn1.h>
extern const ASN1_ARRAY_TYPE kkdcp_asn1_tab[];
extern const asn1_static_node kkdcp_asn1_tab[];
asn1_node _kkdcp_pkix1_asn = NULL;
#endif


@ -325,6 +325,7 @@ typedef struct worker_st {
uint32_t samples[LATENCY_SAMPLE_SIZE];
} latency;
#endif
bool camouflage_check_passed;
} worker_st;
void vpn_server(struct worker_st* ws);
@ -341,6 +342,7 @@ int get_ca_handler(worker_st * ws, unsigned http_ver);
int get_ca_der_handler(worker_st * ws, unsigned http_ver);
int response_404(worker_st *ws, unsigned http_ver);
int response_401(worker_st *ws, unsigned http_ver, char* realm);
int get_empty_handler(worker_st *server, unsigned http_ver);
#ifdef ANYCONNECT_CLIENT_COMPAT
int get_config_handler(worker_st *ws, unsigned http_ver);
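Review bot: The new prototype `int get_empty_handler(worker_st *server, unsigned http_ver);` names its worker parameter `server` while every neighbouring handler prototype calls it `ws`; use `ws` here too. The new field `camouflage_check_passed` has no comment although it gates request handling; suggest `bool camouflage_check_passed; /* set once the camouflage secret was presented on this connection */`. The gate in vpn_server compares this field with 0, so it relies on worker_st being zero-initialised before the first request — presumably true, but worth confirming where the structure is set up (not visible here).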


@ -44,7 +44,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
data/disconnect-user2.config data/ping-leases.config data/haproxy-proxyproto.config \
data/haproxy-proxyproto.cfg scripts/proxy-connectscript data/haproxy-proxyproto-v1.config \
data/haproxy-proxyproto-v1.cfg scripts/proxy-connectscript-v1 data/test-multiple-client-ip.config \
data/test-client-bypass-protocol.config asan.supp
data/test-client-bypass-protocol.config asan.supp certs/ca.tmpl certs/server-cert.tmpl \
certs/user-cert.tmpl data/test-camouflage.config data/test-camouflage-norealm.config
xfail_scripts =
dist_check_SCRIPTS = ocpasswd-test
@ -61,7 +62,8 @@ dist_check_SCRIPTS += haproxy-connect test-iroute test-multi-cookie test-pass-sc
test-cookie-invalidation test-user-config test-append-routes test-ban \
multiple-routes json test-udp-listen-host test-max-same-1 test-script-multi-user \
apple-ios ipv6-iface test-namespace-listen disconnect-user disconnect-user2 \
ping-leases test-ban-local test-client-bypass-protocol ipv6-small-net
ping-leases test-ban-local test-client-bypass-protocol ipv6-small-net test-camouflage \
test-camouflage-norealm
if RADIUS_ENABLED
dist_check_SCRIPTS += radius-group radius-otp
@ -92,7 +94,7 @@ dist_check_SCRIPTS += test-pass test-pass-cert test-cert test-group-pass \
test-gssapi test-pass-opt-cert test-cert-opt-pass test-gssapi-opt-pass \
test-gssapi-opt-cert haproxy-auth test-maintenance resumption \
test-group-name flowcontrol banner invalid-configs haproxy-proxyproto \
haproxy-proxyproto-v1 drain-server drain-server-fail
haproxy-proxyproto-v1 drain-server drain-server-fail test-ignore-querystring-of-post
if HAVE_CWRAP_PAM
dist_check_SCRIPTS += test-pam test-pam-noauth
@ -176,6 +178,25 @@ gen_oidc_test_data_CPPFLAGS = $(AM_CPPFLAGS)
gen_oidc_test_data_SOURCES = generate_oidc_test_data.c
gen_oidc_test_data_LDADD = $(LDADD) $(CJOSE_LIBS) $(JANSSON_LIBS)
certs/ca.pem: certs/ca-key.pem certs/ca.tmpl
certtool --generate-self-signed --template certs/ca.tmpl --load-privkey certs/ca-key.pem --outfile certs/ca.pem
certs/server-cert-ca.pem: certs/ca.pem certs/server-cert.pem
cat certs/server-cert.pem certs/ca.pem > certs/server-cert-ca.pem
certs/server-cert.pem: certs/server-cert.tmpl certs/ca.pem certs/server-key.pem certs/ca-key.pem
certtool --generate-certificate --template certs/server-cert.tmpl --load-privkey certs/server-key.pem --load-ca-certificate certs/ca.pem --load-ca-privkey certs/ca-key.pem --outfile certs/server-cert.pem
certs/user-cert.pem: certs/user-cert.tmpl certs/ca.pem certs/user-key.pem certs/ca-key.pem
certtool --generate-certificate --template certs/user-cert.tmpl --load-privkey certs/user-key.pem --load-ca-certificate certs/ca.pem --load-ca-privkey certs/ca-key.pem --outfile certs/user-cert.pem
# make the user certificate invalid by signing it with another CA
certs/user-cert-invalid.pem: certs/user-cert.tmpl
certtool --generate-privkey --outfile ca-key.tmp
certtool --generate-self-signed --template certs/ca.tmpl --load-privkey ca-key.tmp --outfile ca.tmp
certtool --generate-certificate --template certs/user-cert.tmpl --load-privkey certs/user-key.pem --load-ca-certificate ca.tmp --load-ca-privkey ca-key.tmp --outfile certs/user-cert-invalid.pem
rm -f ca-key.tmp ca.tmp
if ENABLE_OIDC_AUTH_TESTS
check_PROGRAMS += gen_oidc_test_data
dist_check_SCRIPTS += test-oidc
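Review bot: The `certs/user-cert-invalid.pem` rule (L1291) reads `certs/ca.tmpl` and `certs/user-key.pem` in its recipe but lists only `certs/user-cert.tmpl` as prerequisite, so a change to the CA template or the user key does not regenerate the invalid certificate; the rule line should be `certs/user-cert-invalid.pem: certs/user-cert.tmpl certs/ca.tmpl certs/user-key.pem`. The recipe also writes its throw-away CA private key to `ca-key.tmp` and `ca.tmp` in the working directory and only removes them on the success path, so a failing certtool step leaves a private key in the tree; chaining the steps with `&&` and cleaning up in all cases, or generating under `certs/` with a unique name, avoids that. Since the throw-away CA is fresh on every build the invalid certificate differs from run to run, which is fine for a negative test but deserves a one-line comment next to the existing one.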


@ -54,11 +54,11 @@ wait_server $PID
sleep 2
echo " * Connecting to obtain cookie... "
( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null ) ||
( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null ) ||
fail $PID "Could not receive cookie from server"
echo " * Re-connect to force script run with platform... "
echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1
echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1
sleep 5
@ -87,7 +87,7 @@ fi
rm -f ${TMPFILE}
echo " * Re-connecting to force script run with user agent... "
echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose --useragent="Cisco AnyConnect VPN Agent for Apple" localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1
echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose --useragent="Cisco AnyConnect VPN Agent for Apple" localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1
sleep 5
@ -114,7 +114,7 @@ fi
sleep 5
echo " - Check server status"
( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
fail $PID "Could not receive cookie from server"
echo " - Killing server"
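Review bot: The new `--servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` value is pasted verbatim into every client invocation here and in the sections at L1339, L1528, L1868, L1895 and L1922; now that the server certificate is regenerated from `certs/server-cert.tmpl`, any regeneration changes the pin and every script needs editing. Define it once in the shared helper (`common.sh` is already distributed with the tests), e.g. `SERVERCERT="pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8="`, and use `--servercert=${SERVERCERT}` in the scripts, the same way `$OPENCONNECT` is already shared.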


@ -52,7 +52,7 @@ unsigned check_if_banned_str(main_server_st *s, const char *ip)
return check_if_banned(s, &addr, addr.ss_family==AF_INET?sizeof(struct sockaddr_in):sizeof(struct sockaddr_in6));
}
int main()
int main(void)
{
main_server_st *s = talloc(NULL, struct main_server_st);
vhost_cfg_st *vhost;


@ -50,7 +50,7 @@ wait_server $PID
sleep 3
echo "Connecting to obtain cookie... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >${TMPFILE} 2>&1 ) ||
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >${TMPFILE} 2>&1 ) ||
fail $PID "Could not receive cookie from server"
grep "${BANNER}" ${TMPFILE} >/dev/null
@ -61,7 +61,7 @@ if test $? != 0;then
fi
echo "Connecting to obtain cookie with wrong password... "
( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >${TMPFILE} 2>&1 ) &&
( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >${TMPFILE} 2>&1 ) &&
fail $PID "Received cookie when we shouldn't"
grep "${BANNER}" ${TMPFILE} >/dev/null


@ -31,25 +31,3 @@ y1hvTfWRAoGZALNT3AbF9EDnJmZlS30MWtBggw83UhszC8XN2tY30AsvsDOS6a0F
UVhyNvBTKo6lPqXqUsVxp16TKeeQKF+DuYuuNZN3pXXsHTiHkRMDCRVEqz7UnZEc
/Bq/Kh2aOkelkX2S27QzTZGL
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----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MIIDPDCCAfSgAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD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-----END CERTIFICATE-----

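--- /dev/null
+++ b/tests/certs/ca.tmpl
@@ -0,0 +1,6 @@
+cn = CA
+ca
+cert_signing_key
+expiration_days = -1
+activation_date = "2013-02-13 16:32:12"
+serial = 0x51d82ecc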


@ -1,42 +1,42 @@
-----BEGIN CERTIFICATE-----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MIIDjjCCAkagAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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MIIDPDCCAfSgAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD
QTAgFw0xMzAyMTMxNTMyMTJaGA85OTk5MTIzMTIzNTk1OVowDTELMAkGA1UEAxMC
Q0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7KsH70
2LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8WyZdV
NRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITclg6y
bBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7oc0l
YpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLyrXPl
GQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+G+3r
o22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjehKZ+A
eap1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0G
A1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOCATEA
foqPGdiyJYHih4J5YHwFPQxmkOzPHSa13K/q8sDvobE+HFTzrlTbAFC8bS38Bv2f
9ZrPME4JvnsGdRGYwxS3LUmNdHHWR8LkvGXBE3u/TZsJfPtOR8JwdulQXpRw7hhL
ew/mR5IEHZrUZgnnI4dg1kJhE1JPTvmtgqcE1CsikVQ14NvG/ehJbJyPgKTq/Zxm
Ru4B5N+Jef/LaOqZvK4xK8x2ZaZ/L/ANou+7EY4DoWAkOEEoCU8DQHLAFgf6B7La
oemLQGNHcBpba81jlS5EXXGJccOvfbw0MJTP3ZvyVIlEYu/X4roC7EJP/UkCZUJG
f79Nc28q2/2D8tuFOqG7UbP7r2cWSa8OO3cI/V1W1k3iWZ63WltqDwFC0c8iqYFL
9xKfQ96Q7wrYOCjmuaCLbw==
-----END CERTIFICATE-----


@ -1,22 +1,22 @@
-----BEGIN CERTIFICATE-----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MIIDjjCCAkagAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD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-----END CERTIFICATE-----


@ -0,0 +1,8 @@
cn = localhost
dns_name = localhost
tls_www_server
signing_key
encryption_key
expiration_days = -1
activation_date = "2013-06-06 14:51:29"
serial = 0x51d82ef0


@ -1,107 +1,23 @@
X.509 Certificate Information:
Version: 3
Serial Number (hex): 51d82f14
Issuer: CN=CA
Validity:
Not Before: Sat Jul 06 14:52:05 UTC 2013
Not After: Mon May 15 14:52:05 UTC 2023
Subject: CN=A user,UID=test
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2432 bits)
Modulus (bits 2432):
00:ab:54:98:fc:a9:c6:15:95:9d:a6:c1:94:84:94:91
79:1e:78:db:2d:48:51:99:65:01:02:c0:40:52:49:5d
eb:70:bc:26:ef:68:39:1e:04:91:e2:db:cb:6f:93:40
45:1e:22:8e:71:5a:58:89:28:79:5e:1a:32:25:3e:8b
9d:3b:34:7f:19:f8:d0:2f:37:b7:62:32:b7:53:a5:43
2c:c5:5d:ec:ac:f9:35:fa:14:2b:34:66:f1:d6:a7:a1
d0:83:9a:56:f4:19:83:bc:bf:11:74:30:2d:a8:28:5b
a2:ab:7a:c6:cd:9c:5c:f8:51:e9:a9:0c:48:db:71:bb
b1:34:77:f7:ee:de:5d:78:c0:48:0a:37:0d:65:1e:3b
2b:14:03:89:72:f2:52:ed:5f:00:c5:06:60:ea:80:20
d0:43:ec:66:bc:d2:26:db:f0:29:3e:6a:f9:62:20:be
58:26:44:ba:d7:8c:6f:76:a6:05:20:e4:98:b7:c4:72
7a:5d:df:4f:0d:23:ec:2e:9c:71:ec:30:f9:14:5f:c8
75:0b:ab:67:f6:7d:fb:4d:76:64:4a:a5:d5:fa:b4:08
50:9d:13:c7:8f:c2:79:b0:b4:3e:2f:89:d3:33:27:4d
9f:8b:d3:60:24:07:ab:b2:72:3d:29:a5:c4:4a:ec:3c
04:d2:49:3e:26:1b:ec:7a:10:3d:ca:45:5a:80:8b:4d
2a:96:63:4f:2d:63:28:0f:3b:47:47:ca:7c:2c:15:41
32:d5:e0:c9:be:a5:55:2c:b3:6b:46:2a:56:b1:1b:ed
29
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
8b01094b3b91ece321b91dec8d6b4c5d9e40805e
Authority Key Identifier (not critical):
482334530a8931384a5aeacab6d2a6dece1d2b18
Signature Algorithm: RSA-SHA256
Signature:
6b:bd:e2:90:d7:11:cf:6c:0d:e3:bd:f4:61:cd:57:83
41:be:2a:92:46:dd:fa:44:6c:60:1c:ef:3e:1e:2f:e1
e2:5b:45:88:6a:1e:50:2d:8d:96:c4:c7:80:75:59:7b
54:6b:fb:86:b0:f1:6d:45:09:db:48:de:20:0a:87:60
30:5e:35:f0:52:c4:55:44:c1:ff:e1:7c:3d:d6:6d:58
ca:1c:fd:bf:04:9a:9b:10:35:05:fc:d1:01:3c:af:bb
64:31:5e:59:8f:ef:6f:0d:35:e5:c0:07:77:0e:31:20
8e:e3:2e:f1:a6:4d:f1:be:85:5b:df:04:48:9d:8c:c9
c9:c1:b8:e3:e2:d2:4b:55:83:e9:d8:7b:71:2f:8e:89
fc:4d:a7:f1:b0:bf:47:9b:97:c4:85:dd:c3:3d:38:15
36:08:73:10:87:08:f6:e6:1c:4e:29:a8:a5:f5:24:b8
0d:e9:d9:b8:19:27:1d:73:35:fe:7b:81:1f:4a:81:6a
93:cd:a2:71:d7:60:0e:08:ee:ea:c8:2b:44:1b:e4:45
6c:fe:44:68:d6:86:ad:89:4f:7e:9f:f9:1a:2a:97:0f
6b:eb:5d:6e:38:b3:5b:13:b9:e3:4a:10:32:5b:dc:a9
b4:a1:4e:b3:f9:4f:91:de:bc:cc:36:91:44:ba:e0:34
74:f7:68:b4:7b:0e:db:4e:ec:28:03:01:cf:0a:63:c4
23:75:0b:4b:41:9d:e0:68:b3:cb:bf:b5:5c:3d:52:93
20:ba:ea:b8:f0:8c:f7:a6:ec:cd:a3:aa:4f:2a:ff:20
Other Information:
SHA1 fingerprint:
5509a76b8738216938cdb3ec25048812737170de
SHA256 fingerprint:
c93e38ef35f1a9c485a27b161e708f2d45bf8768eb53a23fec841a8f35d6e478
Public Key ID:
8b01094b3b91ece321b91dec8d6b4c5d9e40805e
Public key's random art:
+--[ RSA 2432]----+
| o=o |
|..oE.. |
|.+=.o |
|o.*.... |
| * B +..S |
|. * o oo . |
| o . . . |
| + |
| . |
+-----------------+
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,21 +1,21 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,7 @@
dn = "uid=test,cn=A user"
tls_www_client
signing_key
encryption_key
expiration_days = -1
activation_date = "2013-06-06 14:51:29"
serial = 0x51d82f14


@ -91,14 +91,14 @@ fi
# Run clients
echo " * Getting cookie from ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} --cookieonly )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ${CSTR} --cookieonly )
if test $? != 0;then
echo "Could not get cookie from server"
exit 1
fi
echo " * Connecting to ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -68,7 +68,6 @@ void writer(int fd)
assert(write(fd, buf+j, 1) == 1);
}
}
return;
}
void receiver(int fd)
@ -87,8 +86,6 @@ void receiver(int fd)
fprintf(stderr, "received %d\n", ret);
assert(ret > 0);
}
return;
}
int main(int argc, char **argv)


@ -0,0 +1,191 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[./data/test1.passwd]"
#auth = "pam"
isolate-workers = @ISOLATE_WORKERS@
# A banner to be displayed on clients
#banner = "Welcome"
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
#listen-host = [IP|HOSTNAME]
use-dbus = no
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting multiple times)
# Unset or set to zero for unlimited.
max-same-clients = 2
# TCP and UDP port number
tcp-port = @PORT@
udp-port = @PORT@
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds
dpd = 440
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = ./certs/server-cert.pem
server-key = ./certs/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
# root key).
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
#crl = /path/to/crl.pem
# GnuTLS priority string
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalided if not
# used within this timeout value. On a user disconnection, that
# cookie will also be active for this time amount prior to be
# invalid. That should allow a reasonable amount of time for roaming
# between different networks.
cookie-timeout = 30
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
use-utmp = true
# PID file
pid-file = /var/run/ocserv.pid
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# Network settings
device = vpns
# The default domain to be advertised
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# Use the keyword local to advertise the local P-t-P address as DNS server
dns = 192.168.1.1
# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3
ipv6-network = fe80::
ipv6-prefix = 16
#ipv6-dns =
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false
camouflage = true
camouflage_secret = "mysecretkey"
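Review bot: The new options `camouflage_secret` (L1711) and `camouflage_secret` / `camouflage_realm` in the next section (L1863-L1864) are spelled with underscores while every other option in these files uses hyphens (`max-clients`, `tcp-port`, `cookie-timeout`, `auth-timeout`). Unless the configuration parser (not visible here) accepts both spellings, the hyphenated `camouflage-secret` / `camouflage-realm` form would match the rest of the configuration language, and users will otherwise guess the wrong one. Whichever spelling the parser registers, the sample configuration and documentation should show it.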


@ -0,0 +1,192 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[./data/test1.passwd]"
#auth = "pam"
isolate-workers = @ISOLATE_WORKERS@
# A banner to be displayed on clients
#banner = "Welcome"
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
#listen-host = [IP|HOSTNAME]
use-dbus = no
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting multiple times)
# Unset or set to zero for unlimited.
max-same-clients = 2
# TCP and UDP port number
tcp-port = @PORT@
udp-port = @PORT@
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds
dpd = 440
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = ./certs/server-cert.pem
server-key = ./certs/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
# root key).
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
#crl = /path/to/crl.pem
# GnuTLS priority string
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalided if not
# used within this timeout value. On a user disconnection, that
# cookie will also be active for this time amount prior to be
# invalid. That should allow a reasonable amount of time for roaming
# between different networks.
cookie-timeout = 30
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
use-utmp = true
# PID file
pid-file = /var/run/ocserv.pid
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# Network settings
device = vpns
# The default domain to be advertised
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# Use the keyword local to advertise the local P-t-P address as DNS server
dns = 192.168.1.1
# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3
ipv6-network = fe80::
ipv6-prefix = 16
#ipv6-dns =
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false
camouflage = true
camouflage_secret = "mysecretkey"
camouflage_realm = "Please enter password"


@ -77,7 +77,7 @@ sleep 3
# Run clients
echo " * Getting cookie from ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${TMPFILE} )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${TMPFILE} )
if test $? != 0;then
echo "Could not get cookie from server"
exit 1
@ -85,7 +85,7 @@ fi
eval $(cat ${TMPFILE})
echo " * Connecting to ${ADDRESS}:${PORT}..."
( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1
@ -105,7 +105,7 @@ if test $? != 0;then
fi
echo " * Re-connecting to obtain cookie after disconnect... "
( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
if test $? = 0;then
echo "Succeeded using the cookie to connect"
exit 1


@ -75,7 +75,7 @@ sleep 3
# Run clients
echo " * Getting cookie from ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${TMPFILE} )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${TMPFILE} )
if test $? != 0;then
echo "Could not get cookie from server"
exit 1
@ -83,7 +83,7 @@ fi
eval $(cat ${TMPFILE})
echo " * Connecting to ${ADDRESS}:${PORT}..."
( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1
@ -103,7 +103,7 @@ if test $? != 0;then
fi
echo " * Re-connecting to obtain cookie after disconnect... "
( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
if test $? = 0;then
echo "Succeeded using the cookie to connect"
exit 1


@ -35,7 +35,7 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$!
wait_server $PID
echo "Connecting to obtain cookie... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
fail $PID "Could not receive cookie from server"
if ! test -f ${PIDFILE};then
@ -48,7 +48,7 @@ kill -15 $(cat $PIDFILE)
sleep 1
echo "Connecting to obtain cookie... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) &&
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) &&
fail $PID "Server is still listening"
wait


@ -48,7 +48,7 @@ launch_simple_sr_server -d 3 -p ${PIDFILE} -f -c ${CONFIG} & PID=$!
wait_server $PID
echo "Connecting to obtain cookie... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
fail $PID "Could not receive cookie from server"
if ! test -f ${PIDFILE};then


@ -37,39 +37,39 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$!
wait_server $PID
echo "Connecting to obtain cookie... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
fail $PID "Could not receive cookie from server"
echo "Connecting to obtain cookie with wrong password... "
( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
fail $PID "Received cookie when we shouldn't"
echo "Connecting to obtain cookie with empty password... "
( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
fail $PID "Received cookie when we shouldn't"
echo "Connecting to obtain cookie with wrong username... "
( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
fail $PID "Received cookie when we shouldn't"
# test locked account
echo "Connecting to obtain cookie with locked account... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
fail $PID "Received cookie when we shouldn't"
#test special characters
echo "Connecting to obtain cookie with special password... "
( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
fail $PID "Could not receive cookie from server"
echo "Connecting to obtain cookie with empty password... "
( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
fail $PID "Could not receive cookie from server"
#echo "Normal connection... "
#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) ||
#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) ||
# fail $PID "Could not connect to server"
if ! test -f ${PIDFILE};then


@ -51,7 +51,7 @@ LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT
wait_server ${HAPID}
echo "Connecting to obtain cookie... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? != 0;then
kill ${HAPID}
fail ${PID} "Could not receive cookie from server"
@ -66,7 +66,7 @@ LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT
wait_server ${HAPID}
echo "Re-connecting to obtain cookie after haproxy restart... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? != 0;then
kill ${HAPID}
fail ${PID} "Could not receive cookie from server"


@ -91,14 +91,14 @@ sleep 3
# Run clients
echo " * Getting cookie from ${ADDRESS}:${HAPORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? != 0;then
echo "Could not get cookie from server"
exit 1
fi
echo " * Connecting to ${ADDRESS}:${HAPORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1
@ -135,7 +135,7 @@ set +e
sleep 3
echo " * Re-connecting to obtain cookie after haproxy restart... "
( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? != 0;then
echo "Could not receive cookie from server on reconnection"
exit 1


@ -94,14 +94,14 @@ sleep 3
# Run clients
echo " * Getting cookie from ${ADDRESS}:${HAPORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? != 0;then
echo "Could not get cookie from server"
exit 1
fi
echo " * Connecting to ${ADDRESS}:${HAPORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -94,14 +94,14 @@ sleep 3
# Run clients
echo " * Getting cookie from ${ADDRESS}:${HAPORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? != 0;then
echo "Could not get cookie from server"
exit 1
fi
echo " * Connecting to ${ADDRESS}:${HAPORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -25,6 +25,7 @@
#include <netdb.h>
#include "../src/html.h"
#include "../src/html.c"
#include "../src/common/common.h"
static char *strings[] =
{
@ -54,13 +55,13 @@ static char *encoded_strings[] =
"Ahoy matey&#33"
};
int main()
int main(void)
{
char *dec;
unsigned i;
unsigned len;
for (i=0;i<sizeof(encoded_strings)/sizeof(encoded_strings[0]);i++) {
for (i=0;i<ARRAY_SIZE(encoded_strings);i++) {
dec = unescape_html(NULL, encoded_strings[i], strlen(encoded_strings[i]), &len);
if (dec == NULL) {
fprintf(stderr, "failed to unescape %s\n", encoded_strings[i]);


@ -76,7 +76,6 @@ static void check(const char *ip)
exit(1);
}
return;
}
static void check_port(const char *ip, unsigned port)
@ -105,10 +104,9 @@ static void check_port(const char *ip, unsigned port)
exit(1);
}
return;
}
int main()
int main(void)
{
check("172.18.52.43");
check("192.168.1.1");


@ -23,7 +23,7 @@
#include "../src/ip-util.h"
#include "../src/ip-util.c"
int main()
int main(void)
{
char *p;


@ -70,7 +70,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
wait_server $PID
echo -n "Connecting to setup interface... "
echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b
echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -36,7 +36,7 @@ static char* my_ipv6_prefix_to_mask(char str[MAX_IP_STR], unsigned prefix)
return str;
}
int main()
int main(void)
{
char *p;
char str[MAX_IP_STR];


@ -70,7 +70,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
wait_server $PID
echo -n "Connecting to setup interface... "
echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b
echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -78,7 +78,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
sleep 4
echo " * Connecting to ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -25,6 +25,7 @@
#include <netdb.h>
#include "../src/occtl/json.h"
#include "../src/occtl/json.c"
#include "../src/common/common.h"
static char *strings[] =
{
@ -46,13 +47,13 @@ static char *encoded_strings[] =
"\\u0009big pile \\u0008\\u0008 of stuff\\u000d\\u000a"
};
int main()
int main(void)
{
char tmp[512];
char *p;
unsigned i;
for (i=0;i<sizeof(strings)/sizeof(strings[0]);i++) {
for (i=0;i<ARRAY_SIZE(strings);i++) {
tmp[0] = 0;
p = json_escape_val(tmp, sizeof(tmp), strings[i]);
if (strcmp(p, encoded_strings[i]) != 0) {


@ -27,7 +27,7 @@
#include "../src/common-config.h"
#include "../src/config-kkdcp.c"
int main()
int main(void)
{
#ifndef HAVE_GSSAPI
exit(77);


@ -81,14 +81,14 @@ sleep 4
# Run clients
echo " * Getting cookie from ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? != 0;then
echo "Could not get cookie from server"
exit 1
fi
echo " * Connecting to ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -81,14 +81,14 @@ sleep 4
# Run clients
echo " * Getting cookie from ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? != 0;then
echo "Could not get cookie from server"
exit 1
fi
echo " * Connecting to ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -39,13 +39,13 @@ PID=$!
wait_server $PID
echo -n "Connecting to obtain cookie (with certificate)... "
( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly </dev/null >/dev/null ) ||
( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly </dev/null >/dev/null ) ||
fail $PID "Could not connect with certificate!"
echo ok
echo -n "Re-connecting to get routes... "
timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true </dev/null >${TMPFILE1} 2>&1
timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true </dev/null >${TMPFILE1} 2>&1
echo ok


@ -43,7 +43,7 @@ PID=$!
wait_server $PID
echo -n "Connecting to get routes... "
timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true </dev/null >${TMPFILE} 2>&1
timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true </dev/null >${TMPFILE} 2>&1
echo ok
@ -68,7 +68,7 @@ PID=$!
wait_server $PID
echo -n "Connecting to get routes... "
timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true </dev/null >${TMPFILE} 2>&1
timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true </dev/null >${TMPFILE} 2>&1
echo ok


@ -43,7 +43,7 @@ PID=$!
wait_server $PID
echo -n "Connecting to get routes... "
echo "test" | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1
echo "test" | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 -u test --passwd-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1
echo ok
@ -68,7 +68,7 @@ PID=$!
wait_server $PID
echo -n "Connecting to get routes... "
echo test | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 --passwd-on-stdin -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1
echo test | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 --passwd-on-stdin -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1
echo ok


@ -52,12 +52,12 @@ fi
echo "Server started with PID $PID..."
echo "Connecting to obtain cookie..."
( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||
( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
fail $PID "Could not receive cookie from server"
echo "Connecting to ping lease..."
echo "test" | timeout 10 $OPENCONNECT localhost:$PORT -u "test" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true
echo "test" | timeout 10 $OPENCONNECT localhost:$PORT -u "test" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true
if test $? != 124;then
fail $PID "Could not connect to server"


@ -35,7 +35,6 @@
void fw_port_st__init(FwPortSt *message)
{
return;
}
void check_vals(FwPortSt **fw_ports, size_t n_fw_ports) {
@ -61,7 +60,7 @@ void check_vals(FwPortSt **fw_ports, size_t n_fw_ports) {
}
}
int main()
int main(void)
{
char p[256];
int ret;


@ -98,21 +98,21 @@ sleep 4
# Run clients
echo " * Testing wrong username at ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? = 0;then
echo "Connected with incorrect username"
exit 1
fi
echo " * Testing wrong password at ${ADDRESS}:${PORT}..."
( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? = 0;then
echo "Connected with incorrect password"
exit 1
fi
echo " * Getting cookie from ${ADDRESS}:${PORT}..."
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
if test $? != 0;then
echo "Could not get cookie from server"
exit 1
@ -120,7 +120,7 @@ fi
echo " * Connecting to ${ADDRESS}:${PORT} with special IP..."
USERNAME=test-arb
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1
@ -148,7 +148,7 @@ sleep 3
echo " * Connecting to ${ADDRESS}:${PORT}..."
USERNAME=test
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -123,7 +123,7 @@ sleep 4
echo " * Connecting to ${ADDRESS}:${PORT}..."
USERNAME=testtime
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -100,7 +100,7 @@ sleep 4
echo " * Tests the radius group functionality"
USERNAME=test-class
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1
@ -137,7 +137,7 @@ sleep 4
echo " * Tests the alt radius group functionality"
USERNAME=test-class
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1


@ -111,7 +111,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
sleep 0.5
echo "$USERNAME-stage$COUNT"
done
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b >/dev/null 2>&1)
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b >/dev/null 2>&1)
if test $? != 0; then
echo "Could not connect to server"
exit 1
@ -151,7 +151,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
sleep 0.5
echo "$USERNAME-stage"
done
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
if test $? == 0; then
echo "Connected with wrong username"
exit 1
@ -173,7 +173,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
echo "$USERNAME-stage$COUNT"
fi
done
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
if test $? == 0; then
echo "Connected with wrong OTP"
exit 1
@ -197,7 +197,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
echo "$USERNAME-stage$COUNT"
fi
done
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
if test $? == 0; then
echo "Connected with wrong OTP"
exit 1
@ -218,7 +218,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
echo "$USERNAME-stage$COUNT"
fi
done
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
if test $? == 0; then
echo "Connected with blank OTP"
exit 1
@ -247,7 +247,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
echo "$USERNAME-stage$COUNT"
fi
done
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
if test $? == 0; then
echo "Successful connection with the number of OTP retries greater than allowed by the ban system (default 30)."
${OCCTL} -s ${OCCTL_SOCKET} show ip ban points
@ -265,7 +265,7 @@ for (( COUNT=1; COUNT <= 17; COUNT++ )); do
sleep 0.5
echo "$USERNAME-stage$COUNT"
done
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
if test $? == 0; then
echo "Connected to server - MAX_CHALLENGES test failed"
exit 1


@ -30,7 +30,7 @@ static char *myfunc(void *pool, const char *str)
}
#define STR1 "hi there people. How are you?"
int main()
int main(void)
{
str_st str;
str_rep_tab tab[16];


@ -25,7 +25,7 @@
#include "../src/str.c"
#define STR1 " hi there people. How are you?"
int main()
int main(void)
{
char str[64];


@ -41,7 +41,7 @@ wait_server $PID
echo "Checking if routes are appended... "
timeout 15s $OPENCONNECT localhost:$PORT -v --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true </dev/null >${TMPFILE1} 2>&1
timeout 15s $OPENCONNECT localhost:$PORT -v --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true </dev/null >${TMPFILE1} 2>&1
echo "cat"
cat ${TMPFILE1}


@ -59,15 +59,15 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
sleep 4
echo "Connecting with wrong password 5 times... "
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo ""
echo "Connecting with correct password... "
eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3`
eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=`
if [ -n "$COOKIE" ];then
fail $PID "Obtained cookie although should have been banned"
@ -90,7 +90,7 @@ sleep 25
echo ""
echo "Connecting with correct password after ban time... "
eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3`
eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=`
if [ -z "$COOKIE" ];then
fail $PID "Could not obtain cookie even though ban should be lifted"
@ -99,16 +99,16 @@ fi
echo ""
echo "Checking ban reset time... "
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
sleep 11
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo ""
echo "Connecting with correct password after ban reset time... "
eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3`
eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=`
if [ -z "$COOKIE" ];then
fail $PID "Could not obtain cookie even though ban should be lifted"


@ -60,15 +60,15 @@ ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
sleep 4
echo "Connecting with wrong password 5 times... "
echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
echo ""
echo "Connecting with correct password... "
eval `echo "test" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3`
eval `echo "test" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=`
if [ -z "$COOKIE" ];then
fail $PID "Could not obtain cookie even though client should be exempt"

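--- /dev/null
+++ b/tests/test-camouflage
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+# Copyright (C) 2023 Kirill Ovchinnikov
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+CLIENTPIDFILE=openconnect-pid.$$.tmp
+SECRETURL="/?mysecretkey"
+SERVERCERT="pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8="
+. `dirname $0`/common.sh
+eval "${GETPORT}"
+echo "Testing connection to the server with camouflage enabled"
+update_config test-camouflage.config
+launch_server -d 1 -f -c ${CONFIG} & PID=$!
+wait_server ${PID}
+echo "Checking with CURL that server returns us HTTP 401 for GET"
+http_result=$(curl --insecure https://localhost:${PORT} --output /dev/null --silent --write-out "%{http_code}")
+if [ "${http_result}" != "401" ]; then
+fail ${PID} "Server returned ${http_result} instead of 401 for GET"
+fi
+echo "OK"
+echo "Checking with CURL that server returns us HTTP 403 for POST"
+http_result=$(curl -X POST -F 'test=test' --insecure https://localhost:${PORT} --output /dev/null --silent --write-out "%{http_code}")
+if [ "${http_result}" != "401" ]; then
+fail ${PID} "Server returned ${http_result} instead of 401 for POST"
+fi
+echo "OK"
+echo "Connecting to obtain cookie without secret URL"
+eval `echo "test" | ${OPENCONNECT} -q localhost:${PORT} -u test --servercert ${SERVERCERT} --authenticate`
+if [ ! -z "${COOKIE}" ];then
+fail ${PID} "Got a cookie, this shouldn't happen"
+fi
+echo "OK"
+echo "Connecting to obtain cookie using secret URL.."
+eval `echo "test" | ${OPENCONNECT} -q localhost:${PORT}${SECRETURL} -u test --servercert ${SERVERCERT} --authenticate`
+if [ -z "${COOKIE}" ];then
+fail ${PID} "Could not obtain cookie"
+fi
+echo "OK"
+echo "Connecting with cookie..."
+$OPENCONNECT -q localhost:${PORT} -u test -C "${COOKIE}" --servercert ${SERVERCERT} --script=/bin/true --verbose --pid-file "${CLIENTPIDFILE}" --background
+sleep 4
+if [ ! -f "${CLIENTPIDFILE}" ];then
+fail ${PID} "Failed to establish the session"
+fi
+echo "Seems like the connection is established, stopping the client to finish the test...."
+kill -USR1 `cat "${CLIENTPIDFILE}"`
+if test $? != 0;then
+fail ${PID} "Client process could not be killed"
+fi
+echo "OK"
+cleanup
+exit 0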
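Review bot: The POST check announces one status and asserts another: the echo before it says "HTTP 403 for POST", while the comparison and the fail message both use 401, so either the expected code or the message is wrong. If 401 is the intended camouflage response for an unauthenticated POST (consistent with the GET check above it), the line should read `echo "Checking with CURL that server returns us HTTP 401 for POST"`; otherwise the comparison and fail message need 403. A short comment above `SECRETURL=` would also help readers of the ban/camouflage tests, e.g. `# camouflage secret is carried in the query string of the request target`, since that is the only place the mechanism is visible in this file. Finally, `${CLIENTPIDFILE}` is created under the current directory but never removed here; if `cleanup` from common.sh does not cover it, add `rm -f "${CLIENTPIDFILE}"` before `cleanup`.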

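--- /dev/null
+++ b/tests/test-camouflage-norealm
@@ -0,0 +1,59 @@
+#!/bin/sh
+#
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+# Copyright (C) 2023 Kirill Ovchinnikov
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+CLIENTPIDFILE=openconnect-pid.$$.tmp
+SECRETURL="/?mysecretkey"
+SERVERCERT="pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8="
+. `dirname $0`/common.sh
+eval "${GETPORT}"
+echo "Testing connection to the server with camouflage enabled"
+update_config test-camouflage-norealm.config
+launch_server -d 1 -f -c ${CONFIG} & PID=$!
+wait_server ${PID}
+# Most of the logic is tested in 'test-camouflage' test,
+# so here we will only pay attention to the no-realm-specifics
+echo "Checking with CURL that server returns us HTTP 404 for request with no secret in URL"
+http_result=$(curl --insecure https://localhost:${PORT} --output /dev/null --silent --write-out "%{http_code}")
+if [ "${http_result}" != "404" ]; then
+fail ${PID} "Server returned ${http_result} instead of 404 for GET"
+fi
+echo "OK"
+echo "Checking with CURL that server returns us HTTP 200 when there's a secret in URL"
+http_result=$(curl --insecure https://localhost:${PORT}${SECRETURL} --output /dev/null --silent --write-out "%{http_code}")
+if [ "${http_result}" != "200" ]; then
+fail ${PID} "Server returned ${http_result} instead of 200"
+fi
+echo "OK"
+cleanup
+exit 0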
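Review bot: The no-realm variant stops at HTTP status codes and never checks that a VPN client can actually authenticate through the secret URL under this configuration, so a change that returns 200 for the secret path but breaks dispatch to the real login flow would still pass. The comment above the checks defers to test-camouflage, but that test runs with a different config (a realm), so the no-realm secret-URL path is only ever hit by curl here. Adding the same cookie step test-camouflage uses — the `${OPENCONNECT} -q localhost:${PORT}${SECRETURL} -u test --servercert ${SERVERCERT} --authenticate` call inside `eval`, followed by `if [ -z "${COOKIE}" ];then fail ${PID} "Could not obtain cookie"; fi` — would pin that. `CLIENTPIDFILE` is defined but unused in this file and can be dropped, and the "Testing connection ... with camouflage enabled" banner could say "no-realm" so failing CI output distinguishes the two tests.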


@ -49,19 +49,19 @@ PID=$!
wait_server $PID
echo -n "Connecting to obtain cookie (without certificate)... "
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly </dev/null >/dev/null 2>&1 ) &&
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly </dev/null >/dev/null 2>&1 ) &&
fail $PID "Connected without certificate!"
echo "ok (failed as expected)"
echo -n "Connecting to obtain cookie (with invalid certificate)... "
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly </dev/null >/dev/null 2>&1 ) &&
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly </dev/null >/dev/null 2>&1 ) &&
fail $PID "Connected with invalid certificate!"
echo "ok (failed as expected)"
echo -n "Connecting to obtain cookie (with certificate)... "
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly </dev/null >/dev/null 2>&1 ) ||
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly </dev/null >/dev/null 2>&1 ) ||
fail $PID "Could not connect with certificate!"
echo ok
@ -80,7 +80,7 @@ kill -HUP $PID
sleep 5
echo -n "Connecting to obtain cookie (with DER CRL)... "
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly </dev/null >/dev/null 2>&1 ) ||
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly </dev/null >/dev/null 2>&1 ) ||
fail $PID "Could not connect with certificate!"
echo ok
@ -99,13 +99,13 @@ kill -HUP $PID
sleep 5
echo -n "Connecting to obtain cookie (with revoked certificate)... "
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly </dev/null >/dev/null 2>&1 ) &&
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly </dev/null >/dev/null 2>&1 ) &&
fail $PID "Connected with revoked certificate!"
echo "ok (failed as expected)"
#echo "Normal connection... "
#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) ||
#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) ||
# fail $PID "Could not connect to server"
rm -f "${CRLNAME}" "${CRLTMPLNAME}"
