From 3a330b8d85ce6562637aa814e015fdc6d0b5a9f9 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 20 Jul 2018 22:06:11 +0200 Subject: [PATCH] tests: added unit tests for AES-128-GCM and AES-256-GCM Signed-off-by: Nikos Mavrogiannopoulos --- tests/Makefile.am | 5 +- tests/aes128-cipher | 134 +--------------------------------- tests/aes128-gcm-cipher | 27 +++++++ tests/aes256-cipher | 134 +--------------------------------- tests/aes256-gcm-cipher | 27 +++++++ tests/cipher-common.sh | 155 ++++++++++++++++++++++++++++++++++++++++ 6 files changed, 218 insertions(+), 264 deletions(-) create mode 100755 tests/aes128-gcm-cipher create mode 100755 tests/aes256-gcm-cipher create mode 100755 tests/cipher-common.sh diff --git a/tests/Makefile.am b/tests/Makefile.am index 4ed771b9..1ce963dd 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -28,7 +28,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem data/vhost.hosts data/multiple-routes.config data/haproxy-auth.cfg data/test-haproxy-auth.config \ data/haproxy-connect.cfg data/test-haproxy-connect.config scripts/vpnc-script \ data/test-traffic.config data/test-compression-lzs.config data/test-compression-lz4.config \ - certs/crl.pem server-cert-rsa-pss data/test-gssapi-opt-cert.config data/test-ciphers.config + certs/crl.pem server-cert-rsa-pss data/test-gssapi-opt-cert.config data/test-ciphers.config \ + cipher-common.sh SUBDIRS = docker-ocserv docker-kerberos @@ -60,7 +61,7 @@ dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script \ #other tests requiring nuttcp for traffic if ENABLE_NUTTCP_TESTS dist_check_SCRIPTS += traffic lz4-compression lzs-compression \ - aes256-cipher aes128-cipher + aes256-cipher aes128-cipher aes256-gcm-cipher aes128-gcm-cipher endif endif diff --git a/tests/aes128-cipher b/tests/aes128-cipher index 4c22b593..eb7866f7 100755 --- a/tests/aes128-cipher +++ b/tests/aes128-cipher 
@@ -20,136 +20,8 @@ # This tests operation/traffic under compression (lzs or lz4). -OCCTL="${OCCTL:-../src/occtl/occtl}" -SERV="${SERV:-../src/ocserv}" -srcdir=${srcdir:-.} -PORT=4574 -PIDFILE=ocserv-pid.$$.tmp -CLIPID=oc-pid.$$.tmp -PATH=${PATH}:/usr/sbin -IP=$(which ip) -OUTFILE=traffic.$$.tmp +CIPHER_NAME="AES128-SHA" +GNUTLS_NAME="(DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1)" -. `dirname $0`/common.sh +. cipher-common.sh -if test -z "${IP}";then - echo "no IP tool is present" - exit 77 -fi - -if test "$(id -u)" != "0";then - echo "This test must be run as root" - exit 77 -fi - -echo "Testing ocserv connection with AES128-SHA under legacy DTLS... " - -function finish { - set +e - echo " * Cleaning up..." - test -n "${PID}" && kill ${PID} >/dev/null 2>&1 - test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1 - test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1 - test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1 - test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1 - rm -f ${OUTFILE} 2>&1 -} -trap finish EXIT - -# server address -ADDRESS=10.201.2.1 -CLI_ADDRESS=10.201.1.1 -VPNNET=192.168.2.0/24 -VPNADDR=192.168.2.1 -VPNNET6=fd91:6d87:7341:dc6a::/112 -VPNADDR6=fd91:6d87:7341:dc6a::1 -OCCTL_SOCKET=./occtl-comp-$$.socket -USERNAME=test - -. `dirname $0`/ns.sh - -# Run servers -update_config test-ciphers.config -if test "$VERBOSE" = 1;then -DEBUG="-d 3" -fi - -${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! - -sleep 4 - -# Run clients -echo " * Getting cookie from ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dtls-ciphers=AES128-SHA --cookieonly ) -if test $? != 0;then - echo "Could not get cookie from server" - exit 1 -fi - -echo " * Connecting to ${ADDRESS}:${PORT}..." 
-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dtls-ciphers=AES128-SHA -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -if test $? != 0;then - echo "Could not connect to server" - exit 1 -fi - -set -e -echo " * ping remote address" - -${CMDNS2} nuttcp -1 - -${CMDNS1} ping -c 3 ${VPNADDR} - -sleep 2 - -echo " * Transmitting with nuttcp" - -${CMDNS1} nuttcp -T 6 -t ${VPNADDR} - -# IPv6 - -${CMDNS2} nuttcp -1 - -${CMDNS1} ping -c 3 ${VPNADDR6} - -echo " * Receiving with nuttcp" - -${CMDNS1} nuttcp -T 6 -r ${VPNADDR} - -set +e - -${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME} -if test $? != 0;then - echo "occtl didn't find connected user!" - exit 1 -fi - -${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE} -if test $? != 0;then - ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} - echo "occtl didn't find connected user!" - exit 1 -fi - -grep "Username: ${USERNAME}" ${OUTFILE} -if test $? != 0;then - ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} - echo "occtl show user didn't find connected user!" - exit 1 -fi - -grep "DTLS cipher: (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1)" ${OUTFILE} -if test $? != 0;then - ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} - echo "occtl show user didn't show cipher!" - exit 1 -fi - -grep ${CLI_ADDRESS} ${OUTFILE} -if test $? != 0;then - ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} - echo "occtl show user didn't find client address!" - exit 1 -fi - -exit 0 diff --git a/tests/aes128-gcm-cipher b/tests/aes128-gcm-cipher new file mode 100755 index 00000000..ac058da6 --- /dev/null +++ b/tests/aes128-gcm-cipher 
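Review bot: The new `. cipher-common.sh` line sources the helper by a bare name, which bash resolves by searching PATH first and only then the current directory, so the test works only when run from the tests directory and breaks in an out-of-tree (VPATH) build where cipher-common.sh sits in srcdir rather than in the cwd; the removed line resolved common.sh relative to the script location for exactly that reason. Suggest `. "$(dirname "$0")"/cipher-common.sh`, matching how common.sh and ns.sh are pulled in. The PATH lookup also means a same-named file in any earlier PATH entry would be sourced in preference to the intended one, which is worth avoiding in a script that has to run as root. The same line appears in the aes256-cipher, aes128-gcm-cipher and aes256-gcm-cipher hunks.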
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Copyright (C) 2018 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+# This tests operation/traffic under compression (lzs or lz4).
+
+CIPHER_NAME="OC-DTLS1_2-AES128-GCM"
+GNUTLS_NAME="(DTLS1.2)-(RSA)-(AES-128-GCM)"
+
+. cipher-common.sh
+
diff --git a/tests/aes256-cipher b/tests/aes256-cipher
index 1d7b4c43..0284a50d 100755
--- a/tests/aes256-cipher
+++ b/tests/aes256-cipher
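Review bot: The header comment `# This tests operation/traffic under compression (lzs or lz4).` is carried over from the compression tests and does not describe this new file; suggest `# This tests operation/traffic under DTLS 1.2 with the AES-128-GCM cipher.` The aes256-gcm-cipher hunk carries the same stale comment. Because the script only sets two variables before sourcing cipher-common.sh, a one-line note that CIPHER_NAME is the value passed to openconnect `--dtls-ciphers` and GNUTLS_NAME is the string occtl is expected to report under "DTLS cipher:" would help whoever adds the next suite.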
@@ -20,136 +20,8 @@ # This tests operation/traffic under compression (lzs or lz4). -OCCTL="${OCCTL:-../src/occtl/occtl}" -SERV="${SERV:-../src/ocserv}" -srcdir=${srcdir:-.} -PORT=4574 -PIDFILE=ocserv-pid.$$.tmp -CLIPID=oc-pid.$$.tmp -PATH=${PATH}:/usr/sbin -IP=$(which ip) -OUTFILE=traffic.$$.tmp +CIPHER_NAME="AES256-SHA" +GNUTLS_NAME="(DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1)" -. `dirname $0`/common.sh +. cipher-common.sh -if test -z "${IP}";then - echo "no IP tool is present" - exit 77 -fi - -if test "$(id -u)" != "0";then - echo "This test must be run as root" - exit 77 -fi - -echo "Testing ocserv connection with AES256-SHA under legacy DTLS... " - -function finish { - set +e - echo " * Cleaning up..." - test -n "${PID}" && kill ${PID} >/dev/null 2>&1 - test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1 - test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1 - test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1 - test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1 - rm -f ${OUTFILE} 2>&1 -} -trap finish EXIT - -# server address -ADDRESS=10.201.2.1 -CLI_ADDRESS=10.201.1.1 -VPNNET=192.168.2.0/24 -VPNADDR=192.168.2.1 -VPNNET6=fd91:6d87:7341:dc6a::/112 -VPNADDR6=fd91:6d87:7341:dc6a::1 -OCCTL_SOCKET=./occtl-comp-$$.socket -USERNAME=test - -. `dirname $0`/ns.sh - -# Run servers -update_config test-ciphers.config -if test "$VERBOSE" = 1;then -DEBUG="-d 3" -fi - -${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! - -sleep 4 - -# Run clients -echo " * Getting cookie from ${ADDRESS}:${PORT}..." -( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dtls-ciphers=AES256-SHA --cookieonly ) -if test $? != 0;then - echo "Could not get cookie from server" - exit 1 -fi - -echo " * Connecting to ${ADDRESS}:${PORT}..." 
-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dtls-ciphers=AES256-SHA -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -if test $? != 0;then - echo "Could not connect to server" - exit 1 -fi - -set -e -echo " * ping remote address" - -${CMDNS2} nuttcp -1 - -${CMDNS1} ping -c 3 ${VPNADDR} - -sleep 2 - -echo " * Transmitting with nuttcp" - -${CMDNS1} nuttcp -T 6 -t ${VPNADDR} - -# IPv6 - -${CMDNS2} nuttcp -1 - -${CMDNS1} ping -c 3 ${VPNADDR6} - -echo " * Receiving with nuttcp" - -${CMDNS1} nuttcp -T 6 -r ${VPNADDR} - -set +e - -${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME} -if test $? != 0;then - echo "occtl didn't find connected user!" - exit 1 -fi - -${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE} -if test $? != 0;then - ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} - echo "occtl didn't find connected user!" - exit 1 -fi - -grep "Username: ${USERNAME}" ${OUTFILE} -if test $? != 0;then - ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} - echo "occtl show user didn't find connected user!" - exit 1 -fi - -grep "DTLS cipher: (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1)" ${OUTFILE} -if test $? != 0;then - ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} - echo "occtl show user didn't show cipher!" - exit 1 -fi - -grep ${CLI_ADDRESS} ${OUTFILE} -if test $? != 0;then - ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} - echo "occtl show user didn't find client address!" - exit 1 -fi - -exit 0 diff --git a/tests/aes256-gcm-cipher b/tests/aes256-gcm-cipher new file mode 100755 index 00000000..84d0f017 --- /dev/null +++ b/tests/aes256-gcm-cipher 
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Copyright (C) 2018 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+# This tests operation/traffic under compression (lzs or lz4).
+
+CIPHER_NAME="OC-DTLS1_2-AES256-GCM"
+GNUTLS_NAME="(DTLS1.2)-(RSA)-(AES-256-GCM)"
+
+. cipher-common.sh
+
diff --git a/tests/cipher-common.sh b/tests/cipher-common.sh
new file mode 100755
index 00000000..9bc1b110
--- /dev/null
+++ b/tests/cipher-common.sh
@@ -0,0 +1,155 @@ +#!/bin/bash +# +# Copyright (C) 2018 Nikos Mavrogiannopoulos +# +# This file is part of ocserv. +# +# ocserv is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# ocserv is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +# This tests operation/traffic under compression (lzs or lz4). + +OCCTL="${OCCTL:-../src/occtl/occtl}" +SERV="${SERV:-../src/ocserv}" +srcdir=${srcdir:-.} +PORT=4574 +PIDFILE=ocserv-pid.$$.tmp +CLIPID=oc-pid.$$.tmp +PATH=${PATH}:/usr/sbin +IP=$(which ip) +OUTFILE=traffic.$$.tmp + +. `dirname $0`/common.sh + +if test -z "${IP}";then + echo "no IP tool is present" + exit 77 +fi + +if test "$(id -u)" != "0";then + echo "This test must be run as root" + exit 77 +fi + +echo "Testing ocserv connection with ${CIPHER_NAME} under legacy DTLS... " + +function finish { + set +e + echo " * Cleaning up..." + test -n "${PID}" && kill ${PID} >/dev/null 2>&1 + test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1 + test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1 + test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1 + test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1 + rm -f ${OUTFILE} 2>&1 +} +trap finish EXIT + +# server address +ADDRESS=10.201.2.1 +CLI_ADDRESS=10.201.1.1 +VPNNET=192.168.2.0/24 +VPNADDR=192.168.2.1 +VPNNET6=fd91:6d87:7341:dc6a::/112 +VPNADDR6=fd91:6d87:7341:dc6a::1 +OCCTL_SOCKET=./occtl-comp-$$.socket +USERNAME=test + +. 
`dirname $0`/ns.sh + +# Run servers +update_config test-ciphers.config +if test "$VERBOSE" = 1;then +DEBUG="-d 3" +fi + +${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! + +sleep 4 + +# Run clients +echo " * Getting cookie from ${ADDRESS}:${PORT}..." +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dtls-ciphers=${CIPHER_NAME} --cookieonly ) +if test $? != 0;then + echo "Could not get cookie from server" + exit 1 +fi + +echo " * Connecting to ${ADDRESS}:${PORT}..." +( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dtls-ciphers=${CIPHER_NAME} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) +if test $? != 0;then + echo "Could not connect to server" + exit 1 +fi + +set -e +echo " * ping remote address" + +${CMDNS2} nuttcp -1 + +${CMDNS1} ping -c 3 ${VPNADDR} + +sleep 2 + +echo " * Transmitting with nuttcp" + +${CMDNS1} nuttcp -T 6 -t ${VPNADDR} + +# IPv6 + +${CMDNS2} nuttcp -1 + +${CMDNS1} ping -c 3 ${VPNADDR6} + +echo " * Receiving with nuttcp" + +${CMDNS1} nuttcp -T 6 -r ${VPNADDR} + +set +e + +${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME} +if test $? != 0;then + echo "occtl didn't find connected user!" + exit 1 +fi + +${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE} +if test $? != 0;then + ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} + echo "occtl didn't find connected user!" + exit 1 +fi + +grep "Username: ${USERNAME}" ${OUTFILE} +if test $? != 0;then + ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} + echo "occtl show user didn't find connected user!" + exit 1 +fi + +grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE} +if test $? != 0;then + ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} + echo "occtl show user didn't show cipher!" + exit 1 +fi + +grep ${CLI_ADDRESS} ${OUTFILE} +if test $? 
!= 0;then + ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} + echo "occtl show user didn't find client address!" + exit 1 +fi + +exit 0
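Review bot: Nothing verifies that the sourcing script actually set CIPHER_NAME and GNUTLS_NAME, and with an empty GNUTLS_NAME the check `grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE}` matches whatever cipher occtl reports, so a wrapper that forgets the variable passes instead of failing. Adding `: "${CIPHER_NAME:?must be set by the calling test}"` and `: "${GNUTLS_NAME:?must be set by the calling test}"` right after the license header turns that into an immediate error. The progress line `echo "Testing ocserv connection with ${CIPHER_NAME} under legacy DTLS... "` is now also printed for the DTLS1.2 GCM suites, so "under legacy DTLS" should be dropped or replaced by `${GNUTLS_NAME}`. Since the expected cipher string contains dots and parentheses, `grep -F` would compare it literally rather than as a regex. The file is only ever sourced, so the shebang and the 100755 mode are not needed and mildly suggest it can be run on its own.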