2026-02-10 08:46:58 +08:00 · 2018-02-25 15:13:08 +01:00
parent 86ae99864b
commit 30d4b4e677
3 changed files with 31 additions and 41 deletions
							
							
								
							
							
						
@@ -43,7 +43,7 @@ dist_check_SCRIPTS += radius-test full-test unix-test kerberos-test radius-test-
endif
#other root requiring tests
dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script test-pass-opt-cert \
dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script \
	test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
	test-cookie-invalidation test-user-config test-append-routes test-ban
endif
							
							
							
								
							
						
@@ -52,7 +52,7 @@ if HAVE_CWRAP
dist_check_SCRIPTS += test-pass test-pass-cert test-cert test-group-pass \
	test-pass-group-cert test-pass-group-cert-no-pass test-sighup \
	test-enc-key test-sighup-key-change test-get-cert test-san-cert \
	test-gssapi
	test-gssapi test-pass-opt-cert
if HAVE_CWRAP_PAM
dist_check_SCRIPTS += test-pam test-pam-noauth
							
								
							
							
							
						
 
							
							
							
						
@@ -1,8 +1,8 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam. 
auth = "plain[passwd=@SRCDIR@/data/test1.passwd]"
enable-auth = "certificate"
auth = "plain[./data/test1.passwd]"
#auth = "pam"
# A banner to be displayed on clients
							
								
							
							
								
							
							
						
@@ -45,8 +45,8 @@ try-mtu-discovery = false
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = ./certs/server-cert.pem
server-key = ./certs/server-key.pem
server-cert = @SRCDIR@/certs/server-cert-ca.pem
server-key = @SRCDIR@/certs/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
							
							
							
								
							
						
@@ -72,7 +72,7 @@ server-key = ./certs/server-key.pem
# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
ca-cert = ./certs/ca.pem
ca-cert = @SRCDIR@/certs/ca.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
							
								
							
							
								
							
							
						
@@ -118,23 +118,20 @@ cookie-validity = 172800
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
use-utmp = true
# PID file
pid-file = /var/run/ocserv.pid
pid-file = ./ocserv.pid
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket
socket-file = ./ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
run-as-user = @USERNAME@
run-as-group = @GROUP@
# Network settings
							
								
							
							
								
							
							
						
@@ -183,3 +180,5 @@ route = 192.168.1.0/255.255.255.0
cisco-client-compat = true
config-per-user = ./user-config-opt/
max-ban-score = 0
							
							
							
						
 
							
							
							
						
@@ -1,6 +1,7 @@
#!/bin/sh
#
# Copyright (C) 2014 Red Hat
# Copyright (C) 2018 Nikos Mavrogiannopoulos
#
# This file is part of ocserv.
#
							
							
							
								
							
						
@@ -15,47 +16,42 @@
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
SERV="${SERV:-../src/ocserv}"
srcdir=${srcdir:-.}
TMPFILE=${srcdir}/outfile.$$
TMPFILE=${srcdir}/outfile.$$.tmp
NO_NEED_ROOT=1
PORT=8445
. `dirname $0`/common.sh
echo "Testing local backend with username-password and optional certificate... "
update_config test-pass-opt-cert.config
launch_sr_server -d 1 -f -c ${CONFIG} & PID=$!
wait_server $PID
connect()
{
opts=$1
pass=$2
COOKIE=''
eval `echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate`
if [ -z "$COOKIE" ];then
	return 1
fi
rm -f $TMPFILE
echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pidx >$TMPFILE 2>&1 &
CPID=$!
sleep 3
grep "Established DTLS" $TMPFILE >/dev/null 2>&1
echo ${pass} | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --passwd-on-stdin --authenticate >${TMPFILE}
if test $? != 0;then
	rm -f $TMPFILE
	cat ${TMPFILE}
	return 1
fi
grep 'COOKIE=' ${TMPFILE}
if test $? != 0;then
	cat ${TMPFILE}
	return 1
fi
rm -f $TMPFILE
kill $CPID
return 0
}
echo "Testing local backend with username-password and optional certificate... "
launch_server -d 1 -f -c "${srcdir}/data/test-pass-opt-cert.config" & PID=$!
wait_server $PID
echo -n "Connecting to obtain cookie (user without certificate)... "
connect "-u test2" "test2"
if test $? != 0;then
							
								
							
							
								
							
							
						
@@ -84,11 +80,6 @@ if test $? = 0;then
fi
echo ok
#echo "Normal connection... "
#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) ||
#	fail $PID "Could not connect to server"
kill $PID
wait
cleanup
exit 0