diff --git a/configure.ac b/configure.ac index f8c9c614..d269de67 100644 --- a/configure.ac +++ b/configure.ac @@ -192,6 +192,8 @@ have_liboath=yes], [have_liboath=no]) fi +AM_CONDITIONAL(HAVE_LIBOATH, test "x$have_liboath" != xno) + have_glibc=no AC_LIB_HAVE_LINKFLAGS(c,, [ #include diff --git a/tests/Makefile.am b/tests/Makefile.am index c6579735..21970f5b 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -22,7 +22,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem common.sh certs/server-cert.pem \ data/test-san-cert.config certs/user-san-cert.pem \ certs/server-cert-ed25519.pem certs/server-key-ed25519.pem data/test-ed25519.config \ certs/server-cert-rsa-pss.pem certs/server-key-rsa-pss.pem data/test-rsa-pss.config \ - data/test-otp-cert.config data/test-otp.oath test-otp-cert data/test-otp.passwd + data/test-otp-cert.config data/test-otp.oath test-otp-cert data/test-otp.passwd \ + data/test-otp.config SUBDIRS = docker-ocserv docker-kerberos @@ -37,7 +38,7 @@ if ENABLE_ROOT_TESTS if ENABLE_DOCKER_TESTS #docker tests dist_check_SCRIPTS += radius-test full-test unix-test kerberos-test radius-test-config \ - proxyproto-test proxyproto-v1-test proxyproto-unix-test otp-test \ + proxyproto-test proxyproto-v1-test proxyproto-unix-test \ reload-info-test radius-group-test endif @@ -51,12 +52,16 @@ if HAVE_CWRAP dist_check_SCRIPTS += test-pass test-pass-cert test-cert test-group-pass \ test-pass-group-cert test-pass-group-cert-no-pass test-sighup \ test-enc-key test-sighup-key-change test-get-cert test-san-cert \ - test-gssapi test-otp-cert + test-gssapi if HAVE_CWRAP_PAM dist_check_SCRIPTS += test-pam test-pam-noauth endif +if HAVE_LIBOATH +dist_check_SCRIPTS += test-otp-cert test-otp +endif + endif diff --git a/tests/data/test-otp.config b/tests/data/test-otp.config new file mode 100644 index 00000000..bfd0c7c5 --- /dev/null +++ b/tests/data/test-otp.config @@ -0,0 +1,185 @@ +# User authentication method. Could be set multiple times and in that case +# all should succeed. +# Options: certificate, pam. +#auth = "certificate" +auth = "plain[passwd=@SRCDIR@/data/test-otp.passwd,otp=@OTP_FILE@]" +#auth = "pam" + +# A banner to be displayed on clients +#banner = "Welcome" + +# Use listen-host to limit to specific IPs or to the IPs of a provided hostname. +#listen-host = [IP|HOSTNAME] + +use-dbus = no + +# Limit the number of clients. Unset or set to zero for unlimited. +#max-clients = 1024 +max-clients = 16 + +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +#rate-limit-ms = 100 + +# Limit the number of identical clients (i.e., users connecting multiple times) +# Unset or set to zero for unlimited. +max-same-clients = 2 + +# TCP and UDP port number +tcp-port = 4489 +udp-port = 4489 + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds +dpd = 440 + +# MTU discovery (DPD must be enabled) +try-mtu-discovery = false + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# There may be multiple certificate and key pairs and each key +# should correspond to the preceding certificate. +server-cert = @SRCDIR@/certs/server-cert-ca.pem +server-key = @SRCDIR@/certs/server-key.pem + +# Diffie-Hellman parameters. Only needed if you require support +# for the DHE ciphersuites (by default this server supports ECDHE). +# Can be generated using: +# certtool --generate-dh-params --outfile /path/to/dh.pem +#dh-params = /path/to/dh.pem + +# If you have a certificate from a CA that provides an OCSP +# service you may provide a fresh OCSP status response within +# the TLS handshake. That will prevent the client from connecting +# independently on the OCSP server. +# You can update this response periodically using: +# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response +# Make sure that you replace the following file in an atomic way. +#ocsp-response = /path/to/ocsp.der + +# In case PKCS #11 or TPM keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only (It's the storage +# root key). +#pin-file = /path/to/pin.txt +#srk-pin-file = /path/to/srkpin.txt + +# The Certificate Authority that will be used +# to verify clients if certificate authentication +# is set. +ca-cert = @SRCDIR@/certs/ca.pem + +# The object identifier that will be used to read the user ID in the client certificate. +# The object identifier should be part of the certificate's DN +# Useful OIDs are: +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 +cert-user-oid = 0.9.2342.19200300.100.1.1 + +# The object identifier that will be used to read the user group in the client +# certificate. The object identifier should be part of the certificate's DN +# Useful OIDs are: +# OU (organizational unit) = 2.5.4.11 +#cert-group-oid = 2.5.4.11 + +# A revocation list of ca-cert is set +#crl = /path/to/crl.pem + +# GnuTLS priority string +tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT" + +# To enforce perfect forward secrecy (PFS) on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" + +# The time (in seconds) that a client is allowed to stay connected prior +# to authentication +auth-timeout = 40 + +# The time (in seconds) that a client is not allowed to reconnect after +# a failed authentication attempt. +#min-reauth-time = 2 + +# Cookie validity time (in seconds) +# Once a client is authenticated he's provided a cookie with +# which he can reconnect. This option sets the maximum lifetime +# of that cookie. +cookie-validity = 172800 + +# Script to call when a client connects and obtains an IP +# Parameters are passed on the environment. +# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), +# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP +# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON +# may be "connect" or "disconnect". +#connect-script = /usr/bin/myscript +#disconnect-script = /usr/bin/myscript + +# UTMP +use-utmp = true + +# PID file +pid-file = ./ocserv.pid + +# The default server directory. Does not require any devices present. +#chroot-dir = /path/to/chroot + +# socket file used for IPC, will be appended with .PID +# It must be accessible within the chroot environment (if any) +socket-file = ./ocserv-socket + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). +run-as-user = @USERNAME@ +run-as-group = @GROUP@ + +# Network settings + +device = vpns + +# The default domain to be advertised +default-domain = example.com + +ipv4-network = 192.168.1.0 +ipv4-netmask = 255.255.255.0 +# Use the keywork local to advertize the local P-t-P address as DNS server +ipv4-dns = 192.168.1.1 + +# The NBNS server (if any) +#ipv4-nbns = 192.168.2.3 + +#ipv6-address = +#ipv6-mask = +#ipv6-dns = + +# Prior to leasing any IP from the pool ping it to verify that +# it is not in use by another (unrelated to this server) host. +ping-leases = false + +# Leave empty to assign the default MTU of the device +# mtu = + +route = 192.168.1.0/255.255.255.0 +#route = 192.168.5.0/255.255.255.0 + +# +# The following options are for (experimental) AnyConnect client +# compatibility. They are only available if the server is built +# with --enable-anyconnect +# + +# Client profile xml. A sample file exists in doc/profile.xml. +# This file must be accessible from inside the worker's chroot. +# The profile is ignored by the openconnect client. +#user-profile = profile.xml + +# Unless set to false it is required for clients to present their +# certificate even if they are authenticating via a previously granted +# cookie. Legacy CISCO clients do not do that, and thus this option +# should be set for them. +cisco-client-compat = true + +max-ban-score = 0 diff --git a/tests/docker-ocserv/Dockerfile-fedora-otp b/tests/docker-ocserv/Dockerfile-fedora-otp deleted file mode 100644 index 5b1d3fdc..00000000 --- a/tests/docker-ocserv/Dockerfile-fedora-otp +++ /dev/null @@ -1,28 +0,0 @@ -FROM fedora:25 - -RUN yum install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp -RUN yum install -y libnl3 libtalloc freeradius-client lz4 radcli liboauth oathtool procps-ng iputils krb5-libs less bash openssh-server nuttcp libev -RUN systemctl enable sshd -RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config - -RUN echo 'root:root' |chpasswd -RUN useradd -m -d /home/admin -s /bin/bash admin -RUN echo 'admin:admin' |chpasswd - -RUN mkdir /etc/ocserv - - -ADD key.pem /etc/ocserv/ -ADD cert.pem /etc/ocserv/ -ADD ocserv-otp.conf /etc/ocserv/ocserv.conf -ADD passwd /etc/ocserv/ -ADD users2.oath /etc/ocserv/users.oath -ADD ocserv /usr/sbin/ -ADD ocpasswd /usr/bin/ -ADD occtl /usr/bin/ -ADD myscript /usr/bin/ -# It's not possible to use mknod inside a container with the default LXC -# template, so we untar it from this archive. -ADD dev-tun.tgz /dev/ - -CMD nuttcp -S;sshd-keygen;/usr/sbin/sshd;mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600 diff --git a/tests/docker-ocserv/Makefile.am b/tests/docker-ocserv/Makefile.am index cb98d9d2..79602ed1 100644 --- a/tests/docker-ocserv/Makefile.am +++ b/tests/docker-ocserv/Makefile.am @@ -7,7 +7,7 @@ EXTRA_DIST = passwd ocserv.conf Dockerfile-debian-tcp dev-tun.tgz myscript key.p ocserv-proxyproto.conf Dockerfile-fedora-proxyproto haproxy-proxyproto.cfg \ haproxy-proxyproto-unix.cfg Dockerfile-fedora-proxyproto-unix ocserv-proxyproto-unix.conf \ proxy-connectscript \ - Dockerfile-fedora-otp ocserv-otp.conf users2.oath Dockerfile-fedora-reload \ + Dockerfile-fedora-reload \ ocserv-reload.conf radiusclient-debian.conf \ ocserv-radius-group.conf Dockerfile-fedora-radius-group diff --git a/tests/docker-ocserv/ocserv-otp.conf b/tests/docker-ocserv/ocserv-otp.conf deleted file mode 100644 index 9c527374..00000000 --- a/tests/docker-ocserv/ocserv-otp.conf +++ /dev/null @@ -1,303 +0,0 @@ -# User authentication method. Could be set multiple times and in that case -# all should succeed. -# Options: certificate, pam. -#auth = "certificate" -auth = "plain[passwd=/etc/ocserv/passwd,otp=/etc/ocserv/users.oath]" - -# Whether to enable support for the occtl tool (i.e., either through D-BUS, -# or via a unix socket). -use-occtl = true - -# socket file used for IPC with occtl. You only need to set that, -# if you use more than a single servers. -#occtl-socket-file = /var/run/occtl.socket - -# The plain option requires specifying a password file which contains -# entries of the following format. -# "username:groupname:encoded-password" -# One entry must be listed per line, and 'ocpasswd' can be used -# to generate password entries. -#auth = "plain[/etc/ocserv/ocpasswd]" - -# A banner to be displayed on clients -#banner = "Welcome" - -# Use listen-host to limit to specific IPs or to the IPs of a provided -# hostname. -#listen-host = [IP|HOSTNAME] - -# Limit the number of clients. Unset or set to zero for unlimited. -#max-clients = 1024 -max-clients = 16 - -# Limit the number of client connections to one every X milliseconds -# (X is the provided value). Set to zero for no limit. -#rate-limit-ms = 100 - -# Limit the number of identical clients (i.e., users connecting -# multiple times). Unset or set to zero for unlimited. -max-same-clients = 2 - -# TCP and UDP port number -tcp-port = 443 -udp-port = 443 - -# Keepalive in seconds -keepalive = 32400 - -# Dead peer detection in seconds. -dpd = 240 - -# Dead peer detection for mobile clients. The needs to -# be much higher to prevent such clients being awaken too -# often by the DPD messages, and save battery. -# (clients that send the X-AnyConnect-Identifier-DeviceType) -mobile-dpd = 1800 - -# MTU discovery (DPD must be enabled) -try-mtu-discovery = false - -# The key and the certificates of the server -# The key may be a file, or any URL supported by GnuTLS (e.g., -# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user -# or pkcs11:object=my-vpn-key;object-type=private) -# -# There may be multiple certificate and key pairs and each key -# should correspond to the preceding certificate. -server-cert = /etc/ocserv/cert.pem -server-key = /etc/ocserv/key.pem - -# Diffie-Hellman parameters. Only needed if you require support -# for the DHE ciphersuites (by default this server supports ECDHE). -# Can be generated using: -# certtool --generate-dh-params --outfile /path/to/dh.pem -#dh-params = /path/to/dh.pem - -# If you have a certificate from a CA that provides an OCSP -# service you may provide a fresh OCSP status response within -# the TLS handshake. That will prevent the client from connecting -# independently on the OCSP server. -# You can update this response periodically using: -# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response -# Make sure that you replace the following file in an atomic way. -#ocsp-response = /path/to/ocsp.der - -# In case PKCS #11 or TPM keys are used the PINs should be available -# in files. The srk-pin-file is applicable to TPM keys only, and is the -# storage root key. -#pin-file = /path/to/pin.txt -#srk-pin-file = /path/to/srkpin.txt - -# The Certificate Authority that will be used to verify -# client certificates (public keys) if certificate authentication -# is set. -#ca-cert = /path/to/ca.pem - -# The object identifier that will be used to read the user ID in the client -# certificate. The object identifier should be part of the certificate's DN -# Useful OIDs are: -# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 -#cert-user-oid = 0.9.2342.19200300.100.1.1 - -# The object identifier that will be used to read the user group in the -# client certificate. The object identifier should be part of the certificate's -# DN. Useful OIDs are: -# OU (organizational unit) = 2.5.4.11 -#cert-group-oid = 2.5.4.11 - -# The revocation list of the certificates issued by the 'ca-cert' above. -#crl = /path/to/crl.pem - -# GnuTLS priority string -tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT" - -# To enforce perfect forward secrecy (PFS) on the main channel. -#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" - -# The time (in seconds) that a client is allowed to stay connected prior -# to authentication -auth-timeout = 40 - -# The time (in seconds) that a client is allowed to stay idle (no traffic) -# before being disconnected. Unset to disable. -#idle-timeout = 1200 - -# The time (in seconds) that a mobile client is allowed to stay idle (no -# traffic) before being disconnected. Unset to disable. -#mobile-idle-timeout = 2400 - -# The time (in seconds) that a client is not allowed to reconnect after -# a failed authentication attempt. -#min-reauth-time = 2 - -# Set to zero to disable. -max-ban-score = 0 - -# Cookie validity time (in seconds) -# Once a client is authenticated he's provided a cookie with -# which he can reconnect. This option sets the maximum lifetime -# of that cookie. -cookie-validity = 86400 - -# ReKey time (in seconds) -# ocserv will ask the client to refresh keys periodically once -# this amount of seconds is elapsed. Set to zero to disable. -rekey-time = 172800 - -# ReKey method -# Valid options: ssl, new-tunnel -# ssl: Will perform an efficient rehandshake on the channel allowing -# a seamless connection during rekey. -# new-tunnel: Will instruct the client to discard and re-establish the channel. -# Use this option only if the connecting clients have issues with the ssl -# option. -rekey-method = ssl - -# Script to call when a client connects and obtains an IP -# Parameters are passed on the environment. -# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), -# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP -# in the P-t-P connection), IP_REMOTE (the VPN IP of the client), -# ID (a unique numeric ID); REASON may be "connect" or "disconnect". -#connect-script = /usr/bin/myscript -disconnect-script = /usr/bin/myscript - -# UTMP -use-utmp = true - -# D-BUS usage. If disabled occtl tool cannot be used. If enabled -# then ocserv must have access to register org.infradead.ocserv -# D-BUS service. See doc/dbus/org.infradead.ocserv.conf -use-dbus = false - -# PID file. It can be overridden in the command line. -pid-file = /var/run/ocserv.pid - -# The default server directory. Does not require any devices present. -#chroot-dir = /path/to/chroot - -# socket file used for IPC, will be appended with .PID -# It must be accessible within the chroot environment (if any) -socket-file = /var/run/ocserv-socket - -# The user the worker processes will be run as. It should be -# unique (no other services run as this user). -run-as-user = nobody -run-as-group = daemon - -# Set the protocol-defined priority (SO_PRIORITY) for packets to -# be sent. That is a number from 0 to 6 with 0 being the lowest -# priority. Alternatively this can be used to set the IP Type- -# Of-Service, by setting it to a hexadecimal number (e.g., 0x20). -# This can be set per user/group or globally. -#net-priority = 3 - -# Set the VPN worker process into a specific cgroup. This is Linux -# specific and can be set per user/group or globally. -#cgroup = "cpuset,cpu:test" - -# -# Network settings -# - -# The name of the tun device -device = vpns - -# The default domain to be advertised -default-domain = example.com - -# The pool of addresses that leases will be given from. -ipv4-network = 192.168.237.0 -ipv4-netmask = 255.255.255.0 - -# The advertized DNS server. Use multiple lines for -# multiple servers. -# dns = fc00::4be0 -#dns = 192.168.1.2 - -# The NBNS server (if any) -#nbns = 192.168.1.3 - -# The IPv6 subnet that leases will be given from. -#ipv6-network = fd91:6d87:7341:dc6b:: -#ipv6-prefix = 64 - -# The domains over which the provided DNS should be used. Use -# multiple lines for multiple domains. -#split-dns = example.com - -# Prior to leasing any IP from the pool ping it to verify that -# it is not in use by another (unrelated to this server) host. -ping-leases = false - -# Unset to assign the default MTU of the device -# mtu = - -# Unset to enable bandwidth restrictions (in bytes/sec). The -# setting here is global, but can also be set per user or per group. -#rx-data-per-sec = 40000 -#tx-data-per-sec = 40000 - -# The number of packets (of MTU size) that are available in -# the output buffer. The default is low to improve latency. -# Setting it higher will improve throughput. -#output-buffer = 10 - -# Routes to be forwarded to the client. If you need the -# client to forward routes to the server, you may use the -# config-per-user/group or even connect and disconnect scripts. -# -# To set the server as the default gateway for the client just -# comment out all routes from the server. -route = 10.98.224.0/24 -#route = 192.168.5.0/255.255.255.0 -route = fd91:6d87:7341:dc6b::/64 - -# Configuration files that will be applied per user connection or -# per group. Each file name on these directories must match the username -# or the groupname. -# The options allowed in the configuration files are dns, nbns, -# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route, -# net-priority and cgroup. -# -# Note that the 'iroute' option allows one to add routes on the server -# based on a user or group. The syntax depends on the input accepted -# by the commands route-add-cmd and route-del-cmd (see below). - -#config-per-user = /etc/ocserv/config-per-user/ -#config-per-group = /etc/ocserv/config-per-group/ - -# The system command to use to setup a route. %R will be replaced with the -# route/mask and %D with the (tun) device. -# -# The following example is from linux systems. %R should be something -# like 192.168.2.0/24 - -#route-add-cmd = "ip route add %R dev %D" -#route-del-cmd = "ip route delete %R dev %D" - -# -# The following options are for (experimental) AnyConnect client -# compatibility. - -# Client profile xml. A sample file exists in doc/profile.xml. -# This file must be accessible from inside the worker's chroot. -# It is not used by the openconnect client. -#user-profile = profile.xml - -# Binary files that may be downloaded by the CISCO client. Must -# be within any chroot environment. -#binary-files = /path/to/binaries - -# Unless set to false it is required for clients to present their -# certificate even if they are authenticating via a previously granted -# cookie and complete their authentication in the same TCP connection. -# Legacy CISCO clients do not do that, and thus this option should be -# set for them. -#cisco-client-compat = false - -#Advanced options - -# Option to allow sending arbitrary custom headers to the client after -# authentication and prior to VPN tunnel establishment. -#custom-header = "X-My-Header: hi there" diff --git a/tests/docker-ocserv/users2.oath b/tests/docker-ocserv/users2.oath deleted file mode 100644 index 15bd0cb1..00000000 --- a/tests/docker-ocserv/users2.oath +++ /dev/null @@ -1 +0,0 @@ -HOTP test - 00 diff --git a/tests/otp-test b/tests/otp-test deleted file mode 100755 index 005f2c5b..00000000 --- a/tests/otp-test +++ /dev/null @@ -1,102 +0,0 @@ -#!/bin/sh -# -# Copyright (C) 2014 Red Hat -# -# This file is part of ocserv. -# -# ocserv is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at -# your option) any later version. -# -# ocserv is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with ocserv; if not, write to the Free Software Foundation, -# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - -srcdir=${srcdir:-.} - -#this test can only be run as root -id|grep root >/dev/null 2>&1 -if [ $? != 0 ];then - exit 77 -fi - -PORT_OCSERV=443 -CONFIG="otp" -IMAGE=ocserv-otp -IMAGE_NAME=otp_ocserv -TMP=$IMAGE_NAME.tmp -. ./docker-common.sh - -$DOCKER run -e OCCTL_PAGER=cat -P --privileged=true -p 22 --tty=false -d --name $IMAGE_NAME $IMAGE -if test $? != 0;then - echo "Cannot run docker image" - exit 1 -fi - -echo "ocserv image was run" -#wait for ocserv to server -sleep 5 - -get_ip -if test -z "$IP";then - echo "Detected IP is null!" - stop -fi -echo "Detected IP: $IP" - -if test ! -z "$QUIT_ON_INIT";then - exit 0 -fi - -echo "" -echo "Trying with wrong username" -echo -e "test\n328482\n" >pass-${TMP}.tmp -$OPENCONNECT $IP:$PORT_OCSERV -u falseuser --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-${TMP}.tmp -if test $? = 0;then - echo "Authentication with wrong username succeeded!" - stop -fi - -echo "" -echo "Trying with wrong OTP" -echo -e "test\n99999\n" >pass-${TMP}.tmp -$OPENCONNECT $IP:$PORT_OCSERV -q -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-${TMP}.tmp -if test $? = 0;then - echo "Authentication with wrong OTP succeeded!" - stop -fi - -echo "" -echo "Trying with correct password" -#oathtool -w 0 00 -echo -e "test\n328482\n" >pass-${TMP}.tmp -cat pass-${TMP}.tmp -$OPENCONNECT $IP:$PORT_OCSERV -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass-${TMP}.tmp & -PID=$! - -#wait for openconnect -sleep 5 - -rm -f pass-${TMP}.tmp - -# The client IP depends on the username so it shouldn't change. -ping -w 5 192.168.237.1 -if test $? != 0;then - kill -INT $PID - echo "Cannot ping ocserv" - stop -fi - -retrieve_user_info test -kill -INT $PID - -$DOCKER stop $IMAGE_NAME -$DOCKER rm $IMAGE_NAME - -exit $ret diff --git a/tests/test-otp b/tests/test-otp new file mode 100755 index 00000000..e9ea83ba --- /dev/null +++ b/tests/test-otp @@ -0,0 +1,69 @@ +#!/bin/bash +# +# Copyright (C) 2018 Nikos Mavrogiannopoulos +# +# This file is part of ocserv. +# +# ocserv is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# ocserv is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# bash script because of echo -e + +SERV="${SERV:-../src/ocserv}" +srcdir=${srcdir:-.} +NO_NEED_ROOT=1 +PORT=4489 +OTP_FILE=test-otp.$$.tmp + +. `dirname $0`/common.sh + +echo "Testing local backend with username-password-otp and certificate... " + +#user 'test' has cert, password + OTP +#user 'testuser' has cert and OTP only + +rm -f ${OTP_FILE} +cp data/test-otp.oath ${OTP_FILE} +update_config test-otp.config +launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! +wait_server $PID + +echo -n "Connecting with wrong username... " +( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u falsetest --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && + fail $PID "Connected with wrong username!" +echo ok + +echo -n "Connecting with wrong OTP... " +( echo -e "test\n999482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && + fail $PID "Should not have connected with wrong OTP!" +echo ok + +echo -n "Connecting with correct password and OTP... " +( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with OTP!" +echo ok + +echo -n "Connecting with empty password and wrong OTP... " +( echo -e "999999\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && + fail $PID "Should have not connected with wrong OTP!" +echo ok + +echo -n "Connecting with empty password and OTP... " +( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with OTP-only!" +echo ok + +rm -f ${OTP_FILE} +cleanup + +exit 0 diff --git a/tests/test-otp-cert b/tests/test-otp-cert index 9302e57a..230ecf77 100755 --- a/tests/test-otp-cert +++ b/tests/test-otp-cert @@ -15,8 +15,7 @@ # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with GnuTLS; if not, write to the Free Software Foundation, -# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# along with this program. If not, see . # bash script because of echo -e