Added a full test between openconnect and ocserv based on docker.

That allows testing the establishment of a connection plus
the transferring of packets.

tests/Makefile.am

@@ -4,10 +4,10 @@ EXTRA_DIST = ca-key.pem ca.pem common.sh server-cert.pem server-key.pem test1.co
 	test-stress.config user-cert-wrong.pem connect-script
 
 dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \
-	test-multi-cookie test-pam test-stress
+	test-multi-cookie test-pam test-stress full-test
 
 TESTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \
-	test-multi-cookie
+	test-multi-cookie full-test
 
 TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
 	top_builddir="$(top_builddir)"

tests/docker-ocserv/Dockerfile

@@ -0,0 +1,34 @@
+FROM tianon/debian:jessie
+
+RUN apt-get update
+RUN apt-get install -y libgnutls28
+RUN apt-get install -y libwrap0 libpam0g libseccomp2 libdbus-1-3 libreadline5 libnl-route-3-200
+RUN apt-get install -y libprotobuf-c0 libhttp-parser2.1 libpcl1 libopts25 autogen
+RUN apt-get install -y libsystemd-daemon0 valgrind nuttcp openssh-server bash
+
+RUN echo 'root:root' |chpasswd
+RUN useradd -m -d /home/admin -s /bin/bash admin
+RUN echo 'admin:admin' |chpasswd
+EXPOSE 5000
+EXPOSE 5000/udp
+EXPOSE 5001
+EXPOSE 5001/udp
+EXPOSE 5551
+EXPOSE 5551/udp
+EXPOSE 22
+
+RUN mkdir /etc/ocserv
+
+
+ADD key.pem /etc/ocserv/
+ADD cert.pem /etc/ocserv/
+ADD ocserv.conf /etc/ocserv/
+ADD passwd /etc/ocserv/
+ADD ocserv /usr/sbin/
+ADD ocpasswd /usr/bin/
+ADD occtl /usr/bin/
+# It's not possible to use mknod inside a container with the default LXC
+# template, so we untar it from this archive.
+ADD dev-tun.tgz /dev/
+
+CMD nuttcp -S;/etc/init.d/ssh restart;/usr/sbin/ocserv -d 1 -f

tests/docker-ocserv/Makefile.am

@@ -0,0 +1,4 @@
+EXTRA_DIST = passwd ocserv.conf Dockerfile dev-tun.tgz
+
+TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
+	top_builddir="$(top_builddir)"

tests/docker-ocserv/cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD
+QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD
+Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs
+PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8
+u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd
+YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ
+IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759
+KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5
+7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU
+yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL
+gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg
+ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0
+UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s
+9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9
+GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C
+zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/
+eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF
+FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j
+LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM
+zzJKdNg=
+-----END CERTIFICATE-----

tests/docker-ocserv/key.pem

@@ -0,0 +1,165 @@
+Public Key Info:
+	Public Key Algorithm: RSA
+	Key Security Level: Normal (2432 bits)
+
+modulus:
+	00:a7:3a:2b:ec:3f:14:b0:2c:19:f6:f1:6e:90:1d:
+	bf:8e:a9:f6:e9:70:84:09:87:f3:50:f3:5f:c3:94:
+	50:fa:2c:64:d6:57:80:58:e1:96:fc:ee:d0:bd:04:
+	15:7e:5f:7f:a5:33:f8:fc:bb:91:ef:37:79:c3:5a:
+	db:f8:19:ed:03:af:22:d6:e9:37:2c:e8:53:c2:b7:
+	8b:2b:11:f0:a4:87:99:79:e0:ba:cc:99:66:e1:16:
+	09:15:94:de:5f:4e:aa:18:d2:59:dd:60:9c:76:5f:
+	c5:96:95:d4:63:78:bf:bc:13:b9:c5:51:c1:52:b5:
+	6a:e0:8b:d0:33:80:c1:6b:8e:c2:f8:a6:a9:7d:ed:
+	80:19:45:77:0c:a1:05:d5:8d:b4:66:cd:52:d9:21:
+	5b:a6:43:2e:dc:fa:d9:7b:12:ac:fc:97:1f:f1:4b:
+	fe:45:c7:db:48:46:e9:ea:35:2e:63:11:4b:3c:36:
+	7e:44:e8:5b:eb:68:07:32:f9:e2:34:81:74:c6:93:
+	be:7d:28:d3:d8:8a:c4:aa:02:e1:40:9a:6b:7f:5c:
+	34:d3:be:f3:a8:e9:da:40:b1:e5:ea:b5:1d:bf:2e:
+	36:49:58:e9:57:76:26:7f:ca:31:e0:e7:e4:4a:43:
+	97:6d:dd:d9:39:ee:50:08:58:44:7d:7a:02:0e:a3:
+	ff:86:02:4c:9e:93:46:49:e4:65:94:e9:5c:53:b0:
+	57:08:97:aa:32:dd:2e:c4:b4:1d:0d:08:83:3b:86:
+	f8:72:df:64:2b:27:96:54:c8:d9:dc:4d:27:fa:a8:
+	c5:68:79:d8:1d:
+
+public exponent:
+	01:00:01:
+
+private exponent:
+	79:2b:86:6d:fd:5b:41:38:03:6c:52:8e:59:70:a4:
+	bf:7b:da:44:55:d9:e6:8a:12:bd:22:4b:ce:8c:66:
+	8c:8f:a4:55:47:3b:e1:ab:3c:5b:73:b3:de:71:da:
+	1d:22:97:7c:1e:07:99:21:54:61:f0:61:93:32:ff:
+	d6:6a:fa:b9:43:aa:cb:ec:5a:a5:78:86:50:bd:eb:
+	e2:3e:72:8e:d5:0e:59:28:84:52:02:09:70:a9:25:
+	d5:f4:73:98:bd:88:34:ca:1e:81:71:22:8e:07:61:
+	45:76:b5:59:8a:41:eb:c6:a3:42:1d:b6:25:f6:fc:
+	45:4e:29:83:58:15:4e:99:38:1f:31:ab:f8:6a:21:
+	fa:ad:c1:d0:6d:d0:ab:67:ad:43:1c:1d:9e:e5:33:
+	e2:68:f9:e2:fa:d8:9a:e7:36:e0:20:8c:25:4d:e9:
+	17:95:4b:71:38:df:18:71:cd:e0:a0:7f:b2:58:fe:
+	8b:c0:1c:d2:96:4a:17:14:bf:1c:3b:e8:b5:54:2b:
+	8d:47:50:a7:77:56:61:a8:e3:79:dd:70:88:5f:89:
+	a1:f8:78:0d:47:ef:32:98:c1:47:88:d8:33:ed:95:
+	10:90:7f:f1:57:cb:2b:18:c9:58:a1:de:ef:1c:70:
+	5a:58:3c:86:3d:96:17:ad:9c:fd:0b:eb:d8:33:a4:
+	5f:7f:db:97:c0:78:b4:94:56:56:0a:83:b3:d3:02:
+	c6:6f:08:dc:0d:22:8f:2a:4b:25:7a:34:97:8e:63:
+	49:8a:39:d1:c1:1e:9b:93:41:c5:9c:b6:50:9e:ff:
+	7a:37:e4:c1:
+
+prime1:
+	00:cb:13:4a:a3:8f:ad:5c:63:89:30:f3:3b:eb:25:
+	85:d9:6c:ad:6d:50:f8:03:00:d3:1e:e3:ae:ad:54:
+	7a:9b:21:1a:72:18:a6:54:e4:32:58:8d:66:37:65:
+	8c:f7:8f:37:65:ec:f8:ef:2e:a9:c1:78:bb:04:90:
+	aa:fe:0a:f2:7c:80:82:32:c7:db:ef:bc:10:c6:ff:
+	e0:d4:2e:b9:3a:0e:cc:29:28:81:b8:41:78:37:80:
+	69:39:5e:97:44:36:d6:cd:39:af:14:c2:df:f3:67:
+	b7:d4:a7:49:da:f4:d3:ee:14:10:e4:5c:3f:4a:62:
+	52:81:34:d0:8e:f3:7e:d4:42:0a:34:e2:f9:a7:bc:
+	03:f9:c0:48:e8:9b:7f:da:08:ec:db:82:fd:a2:aa:
+	0f:5d:71:
+
+prime2:
+	00:d2:cf:2d:81:00:28:43:76:b3:76:10:3f:04:57:
+	63:94:fa:bb:08:6a:a2:7d:99:4b:0f:ad:76:11:da:
+	5c:2a:2b:33:0a:05:0d:f8:51:9a:4d:b3:40:4b:53:
+	63:c8:c1:96:45:c7:42:35:cf:05:cf:8a:e2:aa:bd:
+	dc:96:c0:fd:c8:c4:dc:4c:0b:1f:43:74:04:cf:13:
+	f5:fa:ea:b6:0d:82:92:8c:03:bd:e9:7b:b1:f2:d0:
+	df:fd:c5:1b:6e:66:b7:ce:f6:12:65:34:c8:15:01:
+	da:36:5e:f9:d8:ad:37:86:52:2b:ea:9f:f5:75:6b:
+	91:b3:01:6f:52:e9:e9:07:16:db:ba:65:e2:49:cc:
+	4f:70:11:39:5c:fa:d2:da:d4:0c:24:17:c4:68:6f:
+	d4:7f:6d:
+
+coefficient:
+	3b:96:f2:06:96:22:14:a2:fe:27:09:2f:43:b0:22:
+	a6:f4:ae:33:c2:f8:be:d5:03:96:7d:4a:d1:eb:7b:
+	9d:51:bd:77:1d:3f:79:ef:62:1d:c3:e9:c2:9a:53:
+	df:ec:33:9b:32:36:f6:e7:40:e8:6c:1b:16:3d:4e:
+	94:97:94:02:5d:cc:23:45:6b:53:8d:b8:7c:0e:24:
+	f9:5c:30:e4:e3:76:5b:f6:1f:74:3d:ca:e7:ef:a0:
+	1e:d3:c8:a2:54:d2:db:06:4b:0d:b0:b9:64:ca:dd:
+	68:44:51:d6:07:c5:ac:5b:e7:11:4b:76:b0:78:ba:
+	aa:b1:af:06:64:0d:27:1a:85:2d:a8:5a:c1:d7:c1:
+	2e:f6:ef:fe:f6:0d:d6:f1:18:fc:0b:14:b1:d7:76:
+	51:1b:
+
+exp1:
+	76:ce:d4:8e:18:92:ee:48:75:8d:23:e0:dc:53:d9:
+	99:38:d1:c5:f0:e7:08:aa:c4:d9:7f:8f:44:6c:f6:
+	46:27:f9:d6:e2:c0:fd:4d:7c:7e:fe:4a:dd:02:16:
+	95:07:3e:fb:ec:c6:3e:f8:e7:eb:fe:fc:3b:51:80:
+	18:9c:c2:fd:40:19:ec:27:ad:6e:f6:72:42:5a:95:
+	68:cd:e5:24:28:60:1d:7c:4b:58:47:45:54:03:56:
+	8c:6f:e0:c3:d1:e9:9d:ab:af:d8:cf:a2:42:3f:5d:
+	f7:95:df:c9:b0:0f:05:6c:cb:ed:2e:63:00:db:c1:
+	35:42:76:fa:0b:4f:1a:53:80:b1:2c:51:af:66:7a:
+	54:f5:c0:32:06:37:a8:92:2c:30:c8:d4:27:04:a3:
+	74:a1:
+
+exp2:
+	18:07:41:5a:88:d8:0e:08:83:a0:1b:6d:f3:62:ba:
+	99:0a:93:32:fc:64:95:08:5a:03:e9:73:a1:c9:4f:
+	e4:06:94:84:b9:da:c3:c9:19:5b:6d:e9:10:2c:eb:
+	1c:c0:e4:0e:04:0e:49:ef:d4:eb:b9:1a:e8:f7:47:
+	23:6f:cf:fd:88:62:cb:d0:20:ba:21:89:42:c9:35:
+	aa:6a:02:62:3b:d5:d4:5b:c0:d3:d2:23:90:57:ba:
+	90:44:5d:42:12:37:35:41:db:0a:ea:1f:3c:35:bf:
+	d7:9e:af:bf:c0:ce:a9:62:c8:5a:af:ec:dc:7b:6c:
+	5a:08:f9:d5:6b:90:02:1c:da:e2:be:26:32:df:34:
+	d6:c3:3f:d4:97:4a:5d:62:fa:17:4b:16:3a:09:35:
+	21:69:
+
+
+Public Key ID: A8:25:47:F6:8F:44:D6:35:1B:EF:6C:AC:D1:D7:B9:6E:84:F9:DF:A3
+Public key's random art:
++--[ RSA 2432]----+
+|            +    |
+|         . . =   |
+|      o o . . .  |
+|     o =     =  o|
+|    . + S   . O.o|
+|     = . o   * o.|
+|    .   . . . o. |
+|              .+.|
+|             Eo.=|
++-----------------+
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIFegIBAAKCATEApzor7D8UsCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leA
+WOGW/O7QvQQVfl9/pTP4/LuR7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6
+zJlm4RYJFZTeX06qGNJZ3WCcdl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kap
+fe2AGUV3DKEF1Y20Zs1S2SFbpkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+
+ROhb62gHMvniNIF0xpO+fSjT2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjp
+V3Ymf8ox4OfkSkOXbd3ZOe5QCFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0u
+xLQdDQiDO4b4ct9kKyeWVMjZ3E0n+qjFaHnYHQIDAQABAoIBMHkrhm39W0E4A2xS
+jllwpL972kRV2eaKEr0iS86MZoyPpFVHO+GrPFtzs95x2h0il3weB5khVGHwYZMy
+/9Zq+rlDqsvsWqV4hlC96+I+co7VDlkohFICCXCpJdX0c5i9iDTKHoFxIo4HYUV2
+tVmKQevGo0IdtiX2/EVOKYNYFU6ZOB8xq/hqIfqtwdBt0KtnrUMcHZ7lM+Jo+eL6
+2JrnNuAgjCVN6ReVS3E43xhxzeCgf7JY/ovAHNKWShcUvxw76LVUK41HUKd3VmGo
+43ndcIhfiaH4eA1H7zKYwUeI2DPtlRCQf/FXyysYyVih3u8ccFpYPIY9lhetnP0L
+69gzpF9/25fAeLSUVlYKg7PTAsZvCNwNIo8qSyV6NJeOY0mKOdHBHpuTQcWctlCe
+/3o35MECgZkAyxNKo4+tXGOJMPM76yWF2WytbVD4AwDTHuOurVR6myEachimVOQy
+WI1mN2WM9483Zez47y6pwXi7BJCq/gryfICCMsfb77wQxv/g1C65Og7MKSiBuEF4
+N4BpOV6XRDbWzTmvFMLf82e31KdJ2vTT7hQQ5Fw/SmJSgTTQjvN+1EIKNOL5p7wD
++cBI6Jt/2gjs24L9oqoPXXECgZkA0s8tgQAoQ3azdhA/BFdjlPq7CGqifZlLD612
+EdpcKiszCgUN+FGaTbNAS1NjyMGWRcdCNc8Fz4riqr3clsD9yMTcTAsfQ3QEzxP1
++uq2DYKSjAO96Xux8tDf/cUbbma3zvYSZTTIFQHaNl752K03hlIr6p/1dWuRswFv
+UunpBxbbumXiScxPcBE5XPrS2tQMJBfEaG/Uf20CgZh2ztSOGJLuSHWNI+DcU9mZ
+ONHF8OcIqsTZf49EbPZGJ/nW4sD9TXx+/krdAhaVBz777MY++Ofr/vw7UYAYnML9
+QBnsJ61u9nJCWpVozeUkKGAdfEtYR0VUA1aMb+DD0emdq6/Yz6JCP133ld/JsA8F
+bMvtLmMA28E1Qnb6C08aU4CxLFGvZnpU9cAyBjeokiwwyNQnBKN0oQKBmBgHQVqI
+2A4Ig6AbbfNiupkKkzL8ZJUIWgPpc6HJT+QGlIS52sPJGVtt6RAs6xzA5A4EDknv
+1Ou5Guj3RyNvz/2IYsvQILohiULJNapqAmI71dRbwNPSI5BXupBEXUISNzVB2wrq
+Hzw1v9eer7/AzqliyFqv7Nx7bFoI+dVrkAIc2uK+JjLfNNbDP9SXSl1i+hdLFjoJ
+NSFpAoGYO5byBpYiFKL+JwkvQ7AipvSuM8L4vtUDln1K0et7nVG9dx0/ee9iHcPp
+wppT3+wzmzI29udA6GwbFj1OlJeUAl3MI0VrU424fA4k+Vww5ON2W/YfdD3K5++g
+HtPIolTS2wZLDbC5ZMrdaERR1gfFrFvnEUt2sHi6qrGvBmQNJxqFLahawdfBLvbv
+/vYN1vEY/AsUsdd2URs=
+-----END RSA PRIVATE KEY-----

tests/docker-ocserv/ocserv.conf

@@ -0,0 +1,293 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+#auth = "certificate"
+auth = "plain[/etc/ocserv/passwd]"
+#auth = "pam"
+
+# The plain option requires specifying a password file which contains
+# entries of the following format.
+# "username:groupname:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' can be used
+# to generate password entries.
+#auth = "plain[/etc/ocserv/ocpasswd]"
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided 
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting 
+# multiple times). Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 5551
+udp-port = 5551
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds.
+dpd = 240
+
+# Dead peer detection for mobile clients. The needs to
+# be much higher to prevent such clients being awaken too 
+# often by the DPD messages, and save battery.
+# (clients that send the X-AnyConnect-Identifier-DeviceType)
+mobile-dpd = 1800
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /etc/ocserv/cert.pem
+server-key = /etc/ocserv/key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only, and is the 
+# storage root key.
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used to verify
+# client certificates (public keys) if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the 
+# client  certificate. The object identifier should be part of the certificate's
+# DN. Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# The revocation list of the certificates issued by the 'ca-cert' above.
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is allowed to stay idle (no traffic)
+# before being disconnected. Unset to disable.
+#idle-timeout = 1200
+
+# The time (in seconds) that a mobile client is allowed to stay idle (no
+# traffic) before being disconnected. Unset to disable.
+#mobile-idle-timeout = 2400
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 86400
+
+# ReKey time (in seconds)
+# ocserv will ask the client to refresh keys periodically once
+# this amount of seconds is elapsed. Set to zero to disable.
+rekey-time = 172800
+
+# ReKey method
+# Valid options: ssl, new-tunnel
+#  ssl: Will perform an efficient rehandshake on the channel allowing
+#       a seamless connection during rekey.
+#  new-tunnel: Will instruct the client to discard and re-establish the channel.
+#       Use this option only if the connecting clients have issues with the ssl
+#       option.
+rekey-method = ssl
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# D-BUS usage. If disabled occtl tool cannot be used. If enabled
+# then ocserv must have access to register org.infradead.ocserv
+# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
+use-dbus = false
+
+# PID file. It can be overriden in the command line.
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Set the protocol-defined priority (SO_PRIORITY) for packets to
+# be sent. That is a number from 0 to 6 with 0 being the lowest
+# priority. Alternatively this can be used to set the IP Type-
+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
+# This can be set per user/group or globally.
+#net-priority = 3
+
+# Set the VPN worker process into a specific cgroup. This is Linux
+# specific and can be set per user/group or globally.
+#cgroup = "cpuset,cpu:test"
+
+#
+# Network settings
+#
+
+# The name of the tun device
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+# The pool of addresses that leases will be given from.
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+
+# The advertized DNS server. Use multiple lines for
+# multiple servers.
+# dns = fc00::4be0
+#dns = 192.168.1.2
+
+# The NBNS server (if any)
+#nbns = 192.168.1.3
+
+# The IPv6 subnet that leases will be given from.
+#ipv6-network = fc00::
+#ipv6-prefix = 16
+
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+#split-dns = example.com
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Unset to assign the default MTU of the device
+# mtu = 
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40000
+#tx-data-per-sec = 40000
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+#output-buffer = 10
+
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the 
+# config-per-user/group or even connect and disconnect scripts.
+#
+# To set the server as the default gateway for the client just
+# comment out all routes from the server.
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+#route = fef4:db8:1000:1001::/64
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are dns, nbns,
+#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
+#  net-priority and cgroup.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /etc/ocserv/config-per-user/
+#config-per-group = /etc/ocserv/config-per-group/
+
+# The system command to use to setup a route. %R will be replaced with the
+# route/mask and %D with the (tun) device.
+#
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24
+
+#route-add-cmd = "ip route add %R dev %D"
+#route-del-cmd = "ip route delete %R dev %D"
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. 
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# It is not used by the openconnect client.
+#user-profile = profile.xml
+
+# Binary files that may be downloaded by the CISCO client. Must
+# be within any chroot environment.
+#binary-files = /path/to/binaries
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be 
+# set for them.
+#cisco-client-compat = false
+
+#Advanced options
+
+# Option to allow sending arbitrary custom headers to the client after
+# authentication and prior to VPN tunnel establishment.
+#custom-header = "X-My-Header: hi there"

tests/docker-ocserv/passwd

@@ -0,0 +1,2 @@
+test:tost:$5$i6SNmLDCgBNjyJ7q$SZ4bVJb7I/DLgXo3txHBVohRFBjOtdbxGQZp.DOnrA.
+tost:*:$5$qc1CKWjcmlrFREe2$h9zQJcD3AeuQmwMncdIqqls47TDOUvu2r2nXQ7aDfcD

tests/full-test

@@ -0,0 +1,114 @@
+#!/bin/sh
+#
+# Copyright (C) 2014 Red Hat
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ocserv; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir=${srcdir:-.}
+PORT=4444
+
+#this test can only be run as root
+id|grep root >/dev/null 2>&1
+if [ $? != 0 ];then
+	exit 77
+fi
+
+if test -x /usr/bin/docker;then
+	echo "The docker program is needed to perform this test"
+	exit 77
+fi
+
+stop() {
+	docker stop test_ocserv
+	docker rm test_ocserv
+	exit 1
+}
+
+docker pull tianon/debian:jessie
+if test $? != 0;then
+	echo "Cannot pull docker image"
+	exit 1
+fi
+
+cp ../src/ocserv ../src/ocpasswd ../src/occtl docker-ocserv/
+
+#docker build -t ocserv-test1 docker-ocserv/
+#if test $? != 0;then
+#	echo "Cannot build docker image"
+#	exit 1
+#fi
+
+docker stop test_ocserv
+docker rm test_ocserv
+docker run -P --privileged=true -p 5000:5000/udp -p 5001:5001/udp -p 22 -p 5551:5551/udp --tty=false -d -n --name test_ocserv ocserv-test1
+if test $? != 0;then
+	echo "Cannot run docker image"
+	exit 1
+fi
+
+#wait for ocserv to server
+sleep 5
+
+IP=`docker inspect test_ocserv | grep IPAddress | cut -d '"' -f 4`
+
+printf "test\ntest\n" >pass.tmp
+openconnect $IP:5551 -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass.tmp &
+PID=$!
+
+rm -f pass.tmp
+
+#wait for openconnect
+sleep 5
+
+# The client IP depends on the username so it shouldn't change.
+ping -w 3 192.168.1.190
+if test $? != 0;then
+	kill $PID
+	echo "Cannot ping ocserv"
+	stop
+fi
+
+ping -w 3 192.168.1.190 -s 1500
+if test $? != 0;then
+	kill $PID
+	echo "Cannot ping ocserv"
+	stop
+fi
+
+# There is an issue in nuttcp that makes it crash under docker if
+# /proc/sys/net/ipv4/tcp_adv_win_scale does not exist.
+
+#nuttcp -T 10 -t 192.168.1.190
+#if test $? != 0;then
+#	kill $PID
+#	echo "Cannot send to ocserv"
+#	stop
+#fi
+
+#nuttcp -T 10 -r 192.168.1.190
+#if test $? != 0;then
+#	kill $PID
+#	echo "Cannot recv from ocserv"
+#	stop
+#fi
+
+docker stop test_ocserv
+docker rm test_ocserv
+
+kill $PID
+
+exit 0