tests: auto-generate random addresses instead of hard-coding them

The main benefit is that there is less manual work to add a
test (discovery of unique random addresses is not necessary),
but it also ensures that the tests can run on environments where the
previously hard-coded addresses were present.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>

tests/Makefile.am

@@ -47,7 +47,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
 	data/test-client-bypass-protocol.config asan.supp certs/ca.tmpl certs/server-cert.tmpl \
 	certs/user-cert.tmpl data/test-camouflage.config data/test-camouflage-norealm.config \
 	data/radius-multi-group.config data/test-group-cert.config data/session-timeout.config \
-	data/idle-timeout.config data/test-occtl.config
+	data/idle-timeout.config data/test-occtl.config data/vhost-traffic.config random-net.sh \
+	random-net2.sh data/defvhost-traffic.config
 
 xfail_scripts =
 dist_check_SCRIPTS =  ocpasswd-test

tests/cipher-common.sh

@@ -58,15 +58,10 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.201.2.1
-CLI_ADDRESS=10.201.1.1
-VPNNET=192.168.2.0/24
-VPNADDR=192.168.2.1
-VPNNET6=fd91:6d87:7341:dc6a::/112
-VPNADDR6=fd91:6d87:7341:dc6a::1
 OCCTL_SOCKET=./occtl-comp-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 if test -z "${TEST_CONFIG}";then

tests/data/defvhost-traffic.config

@@ -0,0 +1,213 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#enable-auth = "certificate"
+auth = "plain[passwd=@SRCDIR@/data/test1.passwd]"
+#auth = "pam"
+
+isolate-workers = @ISOLATE_WORKERS@
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+max-ban-score = 0
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = @SRCDIR@/certs/server-cert.pem
+server-key = @SRCDIR@/certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+ca-cert = @SRCDIR@/certs/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+#  OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+#use-utmp = true
+
+# PID file
+pid-file = ocserv-vhost.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = ocserv-socket-vhost
+
+occtl-socket-file = @OCCTL_SOCKET@
+use-occtl = true
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = @USERNAME@
+run-as-group = @GROUP@
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = @VPNNET@
+
+# Use the keyword local to advertise the local P-t-P address as DNS server
+ipv4-dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address =
+#ipv6-mask =
+#ipv6-dns =
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility. They are only available if the server is built
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#cisco-client-compat = true
+
+#config-per-user = @SRCDIR@/user-config-opt/
+
+
+# An example virtual host with different authentication methods serviced
+# by this server.
+
+[vhost: cert.example.com	 ]
+auth = "certificate"
+
+ca-cert = @SRCDIR@/certs/ca.pem
+
+server-cert = @SRCDIR@/certs/server-cert-secp521r1.pem
+server-key = @SRCDIR@/certs/server-key-secp521r1.pem
+
+ipv4-network = 192.168.2.0
+ipv4-netmask = 255.255.255.0
+
+cert-user-oid = 0.9.2342.19200300.100.1.1
+
+[vhost:pass2.example.com]
+auth = plain[passwd=@SRCDIR@/data/test-vhost2.passwd]
+
+ca-cert = @SRCDIR@/certs/ca.pem
+
+server-cert = @SRCDIR@/certs/server-cert-secp521r1.pem
+server-key = @SRCDIR@/certs/server-key-secp521r1.pem
+
+ipv4-network = 192.168.3.0/24

tests/data/haproxy-proxyproto-v1.config

@@ -143,8 +143,7 @@ device = vpns
 # The default domain to be advertised
 default-domain = example.com
 
-ipv4-network = 192.168.1.0
-ipv4-netmask = 255.255.255.0
+ipv4-network = @VPNNET@
 # Use the keyword local to advertise the local P-t-P address as DNS server
 ipv4-dns = 192.168.1.1
 

tests/data/haproxy-proxyproto.config

@@ -148,8 +148,7 @@ device = vpns
 # The default domain to be advertised
 default-domain = example.com
 
-ipv4-network = 192.168.1.0
-ipv4-netmask = 255.255.255.0
+ipv4-network = @VPNNET@
 # Use the keyword local to advertise the local P-t-P address as DNS server
 ipv4-dns = 192.168.1.1
 

tests/data/vhost-traffic.config

@@ -0,0 +1,213 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#enable-auth = "certificate"
+auth = "plain[passwd=@SRCDIR@/data/test1.passwd]"
+#auth = "pam"
+
+isolate-workers = @ISOLATE_WORKERS@
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+max-ban-score = 0
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = @SRCDIR@/certs/server-cert.pem
+server-key = @SRCDIR@/certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+ca-cert = @SRCDIR@/certs/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+#  OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+#use-utmp = true
+
+# PID file
+pid-file = ocserv-vhost.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = ocserv-socket-vhost
+
+occtl-socket-file = @OCCTL_SOCKET@
+use-occtl = true
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = @USERNAME@
+run-as-group = @GROUP@
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+# Use the keyword local to advertise the local P-t-P address as DNS server
+ipv4-dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address =
+#ipv6-mask =
+#ipv6-dns =
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility. They are only available if the server is built
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#cisco-client-compat = true
+
+#config-per-user = @SRCDIR@/user-config-opt/
+
+
+# An example virtual host with different authentication methods serviced
+# by this server.
+
+[vhost: cert.example.com	 ]
+auth = "certificate"
+
+ca-cert = @SRCDIR@/certs/ca.pem
+
+server-cert = @SRCDIR@/certs/server-cert-secp521r1.pem
+server-key = @SRCDIR@/certs/server-key-secp521r1.pem
+
+ipv4-network = 192.168.2.0
+ipv4-netmask = 255.255.255.0
+
+cert-user-oid = 0.9.2342.19200300.100.1.1
+
+[vhost:pass2.example.com]
+auth = plain[passwd=@SRCDIR@/data/test-vhost2.passwd]
+
+ca-cert = @SRCDIR@/certs/ca.pem
+
+server-cert = @SRCDIR@/certs/server-cert-secp521r1.pem
+server-key = @SRCDIR@/certs/server-key-secp521r1.pem
+
+ipv4-network = @VPNNET@

tests/defvhost-traffic

@@ -58,19 +58,14 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.223.22.1
-CLI_ADDRESS=10.223.21.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-#VPNNET6=fd91:6d87:7341:dc6a::/112
-#VPNADDR6=fd91:6d87:7341:dc6a::1
 OCCTL_SOCKET=./occtl-defvhost-$$.socket
 USERNAME=vhost
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers
-update_config test-vhost-pass-cert.config
+update_config defvhost-traffic.config
 if test "$VERBOSE" = 1;then
 DEBUG="-d 3"
 fi

tests/disconnect-user

@@ -56,13 +56,7 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.236.2.1
-CLI_ADDRESS=10.236.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fcbe:735c:407a:3b62:164d:fa21:1495:0/112
-VPNADDR6=fcbe:735c:407a:3b62:164d:fa21:1495:1
-
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/disconnect-user2

@@ -54,13 +54,7 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.32.81.0
-CLI_ADDRESS=10.32.80.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fcbe:735c:407a:3fc2:164d:fa21:1495:0/112
-VPNADDR6=fcbe:735c:407a:3fc2:164d:fa21:1495:1
-
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/haproxy-connect

@@ -66,11 +66,7 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.214.2.1
-CLI_ADDRESS=10.214.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/haproxy-proxyproto

@@ -73,11 +73,7 @@ trap finish EXIT
 rm -f proxyproto-connect-ok
 
 # server address
-ADDRESS=10.214.2.1
-CLI_ADDRESS=10.214.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/haproxy-proxyproto-v1

@@ -69,11 +69,7 @@ trap finish EXIT
 rm -f proxyproto-v1-connect-ok
 
 # server address
-ADDRESS=10.214.2.1
-CLI_ADDRESS=10.214.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/idle-timeout

@@ -26,13 +26,7 @@ PIDFILE=ocserv-pid.$$.tmp
 CPIDFILE=openpid.$$.tmp
 OUTFILE=ban.$$.tmp
 
-ADDRESS=10.23.2.1
-CLI_ADDRESS=10.23.1.1
-VPNNET=172.34.215.0/24
-VPNADDR=172.34.215.1
-VPNNET6=fd7b:b45a:eef2:3dee:b86c:b589:fce9:0/112
-VPNADDR6=fd7b:b45a:eef2:3dee:b86c:b589:fce9:0
-
+. `dirname $0`/random-net.sh
 . `dirname $0`/common.sh
 . `dirname $0`/ns.sh
 

tests/ipv6-iface

@@ -52,13 +52,10 @@ function finish {
 }
 trap finish EXIT
 
-ADDRESS=10.227.208.0
-CLI_ADDRESS=10.227.209.0
-VPNNET6=fcea:78de:9bb7:e4cd:3841:4827:3349:0/112
-VPNADDR6=fcea:78de:9bb7:e4cd:3841:4827:3349:1
 OCCTL_SOCKET=./ipv6-iface-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 update_config ipv6-iface.config

tests/ipv6-small-net

@@ -52,13 +52,10 @@ function finish {
 }
 trap finish EXIT
 
-ADDRESS=10.201.128.0
-CLI_ADDRESS=10.57.49.0
-VPNNET6=fc04:1b8e:bdca:11ca:576b:80e3:4956:f00c/127
-VPNADDR6=fc04:1b8e:bdca:11ca:576b:80e3:4956:f00d
 OCCTL_SOCKET=./ipv6-iface-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 update_config ipv6-iface.config

tests/json

@@ -56,15 +56,10 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.210.2.1
-CLI_ADDRESS=10.210.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fd91:6d97:7341:db6a::/112
-VPNADDR6=fd91:6d97:7341:db6a::1
 OCCTL_SOCKET=./occtl-json-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/kerberos

@@ -79,15 +79,9 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.97.216.1
-CLI_ADDRESS=10.97.217.1
-
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fd91:6d87:7341:db6a::/112
-VPNADDR6=fd91:6d87:7341:db6a::1
 OCCTL_SOCKET=./occtl-radius-$$.socket
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 ${CMDNS2} ${IP} link set dev lo up

tests/lz4-compression

@@ -58,15 +58,10 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.201.2.1
-CLI_ADDRESS=10.201.1.1
-VPNNET=192.168.2.0/24
-VPNADDR=192.168.2.1
-VPNNET6=fd91:6d87:7341:dc6a::/112
-VPNADDR6=fd91:6d87:7341:dc6a::1
 OCCTL_SOCKET=./occtl-comp-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/lzs-compression

@@ -58,15 +58,10 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.201.2.1
-CLI_ADDRESS=10.201.1.1
-VPNNET=192.168.2.0/24
-VPNADDR=192.168.2.1
-VPNNET6=fd91:6d87:7341:dc6a::/112
-VPNADDR6=fd91:6d87:7341:dc6a::1
 OCCTL_SOCKET=./occtl-comp-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/no-ipv6-ocv3

@@ -53,13 +53,10 @@ function finish {
 }
 trap finish EXIT
 
-ADDRESS=172.23.236.0
-CLI_ADDRESS=10.119.255.0
-VPNNET6=fd50:efcf:d5e5:636d:ffb2:edad:dfe8:5a5c/127
-VPNADDR6=fd50:efcf:d5e5:636d:ffb2:edad:dfe8:5a5d
 OCCTL_SOCKET=./ipv6-no-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 update_config ipv6-iface.config

tests/radius

@@ -71,16 +71,10 @@ function finish {
 }
 trap finish EXIT
 
-# server address
-ADDRESS=10.203.2.1
-CLI_ADDRESS=10.203.1.1
-VPNNET=192.168.7.0/24
-VPNADDR=192.168.7.1
-VPNNET6=fd3e:4469:d98:ff54:e437:c9ee:52ac:0/112
-VPNADDR6=fd3e:4469:d98:ff54:e437:c9ee:52ac:1
 OCCTL_SOCKET=./occtl-radius-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 ${CMDNS2} ${IP} link set dev lo up

tests/radius-config

@@ -94,8 +94,7 @@ function wait_file_contents {
 }
 
 # server address
-ADDRESS=10.102.246.1
-CLI_ADDRESS=10.102.247.1
+. `dirname $0`/random-net.sh
 
 # These addresses must match the radius sent ranges
 VPNNET=192.168.66.0/24

tests/radius-group

@@ -72,8 +72,7 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.173.78.1
-CLI_ADDRESS=10.173.79.1
+. `dirname $0`/random-net.sh
 
 # These must match the data/raddb/users:test-class user
 VPNNET=192.168.93.0/24

tests/radius-multi-group

@@ -72,8 +72,7 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.55.93.0
-CLI_ADDRESS=10.55.92.1
+. `dirname $0`/random-net.sh
 
 # These must match the data/raddb/users:test-class user
 VPNNET=192.168.94.0/24

tests/radius-otp

@@ -79,8 +79,7 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.173.78.1
-CLI_ADDRESS=10.173.79.1
+. `dirname $0`/random-net.sh
 
 # These must match the data/raddb/users:test-class user
 VPNNET=192.168.55.0/24

tests/random-net.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# Copyright (C) 2023 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# This script generates a pair of random client and server addresses and
+# two (IPv4+IPv6) random network addresses for use with the VPN;
+# it sets variables needs by ns.sh. For tests that need two server
+# sets include additionally random-net2.sh
+
+IPCALC=$(which ipcalc-ng 2>/dev/null)
+if test -z "${IPCALC}"; then
+	IPCALC=$(which ipcalc 2>/dev/null)
+fi
+
+if test -z "${IPCALC}"; then
+	echo "ipcalc was not found"
+	exit 1
+fi
+
+PINGOPS="-W 1 -c 2"
+
+# Generate random IPv4 VPN network
+ret=0
+while [ $ret = 0 ]
+do
+	eval $(${IPCALC} -r 24 -np --minaddr)
+	VPNNET="${NETWORK}/${PREFIX}"
+	VPNADDR=${MINADDR}
+	ping ${PINGOPS} ${VPNADDR} >/dev/null 2>&1
+	ret=$?
+done
+
+# Generate random IPv6 VPN network
+ret=0
+while [ $ret = 0 ]
+do
+	eval $(${IPCALC} -r 112 -np --minaddr)
+	VPNNET6="${NETWORK}/${PREFIX}"
+	VPNADDR6="${NETWORK}1"
+	ping ${PINGOPS} ${VPNADDR6} >/dev/null 2>&1
+	ret=$?
+done
+
+# Generate random IPv4 addresses for the client and server
+ret=0
+while [ $ret = 0 ]
+do
+	eval $(${IPCALC} -r 32 --minaddr)
+	ADDRESS=${MINADDR}
+	ping ${PINGOPS} ${ADDRESS} >/dev/null 2>&1
+	ret=$?
+done
+
+ret=0
+while [ $ret = 0 ]
+do
+	eval $(${IPCALC} -r 32 --minaddr)
+	CLI_ADDRESS=${MINADDR}
+	ping ${PINGOPS} ${CLI_ADDRESS} >/dev/null 2>&1
+	ret=$?
+done
+
+echo "**************************"
+echo "VPN IPv4 network: $VPNNET"
+echo "VPN IPv4 server address: $VPNADDR"
+echo "VPN IPv6 network: $VPNNET6"
+echo "VPN IPv6 server address: $VPNADDR6"
+echo "Client address: $CLI_ADDRESS"
+echo "Server address: $ADDRESS"
+echo "**************************"

tests/random-net2.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+#
+# Copyright (C) 2023 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# This script generates an additional pair of random server and client
+# addresses for use by ns.sh. It is intended to be used by tests that
+# require two separate ocserv instances and clients.
+
+if test -z "${IPCALC}"; then
+	echo "ipcalc was not found"
+	exit 1
+fi
+
+ret=0
+while [ $ret = 0 ]
+do
+	eval $(${IPCALC} -r 32 --minaddr)
+	ADDRESS2=${MINADDR}
+	ping ${PINGOPS} ${ADDRESS2} >/dev/null 2>&1
+	ret=$?
+done
+
+ret=0
+while [ $ret = 0 ]
+do
+	eval $(${IPCALC} -r 32 --minaddr)
+	CLI_ADDRESS2=${MINADDR}
+	ping ${PINGOPS} ${CLI_ADDRESS2} >/dev/null 2>&1
+	ret=$?
+done
+
+echo "**************************"
+echo "Client address2: $CLI_ADDRESS2"
+echo "Server address2: $ADDRESS2"
+echo "**************************"

tests/session-timeout

@@ -26,13 +26,7 @@ PIDFILE=ocserv-pid.$$.tmp
 CPIDFILE=openpid.$$.tmp
 OUTFILE=ban.$$.tmp
 
-ADDRESS=10.74.2.1
-CLI_ADDRESS=10.74.1.1
-VPNNET=172.34.135.0/24
-VPNADDR=172.34.135.1
-VPNNET6=fd7b:b45a:eef2:3d3e:b86c:b589:fce9:0/112
-VPNADDR6=fd7b:b45a:eef2:3d3e:b86c:b589:fce9:0
-
+. `dirname $0`/random-net.sh
 . `dirname $0`/common.sh
 . `dirname $0`/ns.sh
 

tests/test-ban

@@ -25,14 +25,8 @@ OCCTL_SOCKET=./occtl-ban-$$.socket
 PIDFILE=ocserv-pid.$$.tmp
 OUTFILE=ban.$$.tmp
 
-ADDRESS=10.213.2.1
-CLI_ADDRESS=10.213.1.1
-VPNNET=172.17.215.0/24
-VPNADDR=172.17.215.1
-VPNNET6=fc39:d561:62c6:861b:9f38:9734:9fa1:0/112
-VPNADDR6=fc39:d561:62c6:861b:9f38:9734:9fa1:0
-
 . `dirname $0`/common.sh
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 eval "${GETPORT}"

tests/test-ban-local

@@ -26,11 +26,8 @@ PIDFILE=ocserv-pid.$$.tmp
 OUTFILE=ban.$$.tmp
 
 ADDRESS=127.0.0.1
-VPNNET=172.17.215.0/24
-VPNADDR=172.17.215.1
-VPNNET6=fc39:d561:62c6:861b:9f38:9734:9fa1:0/112
-VPNADDR6=fc39:d561:62c6:861b:9f38:9734:9fa1:0
-
+. `dirname $0`/random-net.sh
+ADDRESS=127.0.0.1
 
 . `dirname $0`/common.sh
 

tests/test-config-per-group

@@ -57,17 +57,12 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.204.2.1
-CLI_ADDRESS=10.204.1.1
-VPNNET=192.168.4.0/24
-VPNADDR=192.168.4.1
-VPNNET6=fd91:6d87:7344:dc6a::/112
-VPNADDR6=fd91:6d87:7344:dc6a::1
 OCCTL_SOCKET=./occtl-cpg-$$.socket
 ROUTE1=192.168.4.0/24
 USERNAME=test2
 PASSWORD=test2
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/test-multiple-client-ip

@@ -59,17 +59,11 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.200.2.1
-ADDRESS2=10.200.2.2
-CLI_ADDRESS=10.200.1.1
-CLI_ADDRESS2=10.200.1.2
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fd91:6d87:7341:db6a::/112
-VPNADDR6=fd91:6d87:7341:db6a::1
 OCCTL_SOCKET=./occtl-traffic-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
+. `dirname $0`/random-net2.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/test-namespace-listen

@@ -24,13 +24,6 @@ srcdir=${srcdir:-.}
 OUTFILE=ss.$$.tmp
 SS=$(which ss)
 
-ADDRESS=10.213.2.1
-ADDRESS2=10.213.2.2
-CLI_ADDRESS=10.213.1.1
-CLI_ADDRESS2=10.213.1.2
-VPNNET=172.17.215.0/24
-VPNADDR=172.17.215.1
-
 function finish {
   set +e
   echo " * Cleaning up..."
@@ -43,6 +36,8 @@ function finish {
 }
 trap finish EXIT
 
+. `dirname $0`/random-net.sh
+. `dirname $0`/random-net2.sh
 . `dirname $0`/common.sh
 . `dirname $0`/ns.sh
 LISTEN_NS=$NSNAME2

tests/test-occtl

@@ -28,15 +28,10 @@ CPIDFILE=oc-pid.$$.tmp
 PATH=${PATH}:/usr/sbin
 OUTFILE=occtl.$$.tmp
 
-ADDRESS=10.49.186.1
-CLI_ADDRESS=10.49.187.1
-VPNNET=192.168.163.0/24
-VPNADDR=192.168.163.1
-VPNNET6=fd4c:2018:1224:8944:e319:3890:a139::/112
-VPNADDR6=fd4c:2018:1224:8944:e319:3890:a139::1
 OCCTL_SOCKET=./occtl-comp-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/common.sh
 . `dirname $0`/ns.sh
 

tests/test-udp-listen-host

@@ -85,13 +85,10 @@ function wait_file {
 }
 
 # server address
-ADDRESS=10.201.2.1
-CLI_ADDRESS=10.201.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
 OCCTL_SOCKET=./occtl-udp-listen-host-$$.socket
 USERNAME=test
 
+. "$(dirname "$0")/random-net.sh"
 . "$(dirname "$0")/ns.sh"
 
 # Run servers

tests/traffic

@@ -56,15 +56,10 @@ function finish {
 trap finish EXIT
 
 # server address
-ADDRESS=10.200.2.1
-CLI_ADDRESS=10.200.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fd91:6d87:7341:db6a::/112
-VPNADDR6=fd91:6d87:7341:db6a::1
 OCCTL_SOCKET=./occtl-traffic-$$.socket
 USERNAME=test
 
+. `dirname $0`/random-net.sh
 . `dirname $0`/ns.sh
 
 # Run servers

tests/vhost-traffic

@@ -57,13 +57,6 @@ function finish {
 }
 trap finish EXIT
 
-# server address
-ADDRESS=10.223.2.1
-CLI_ADDRESS=10.223.1.1
-VPNNET=192.168.3.0/24
-VPNADDR=192.168.3.1
-#VPNNET6=fd91:6d87:7341:dc6a::/112
-#VPNADDR6=fd91:6d87:7341:dc6a::1
 OCCTL_SOCKET=./occtl-vhost-$$.socket
 USERNAME=test
 SNI=pass2.example.com
@@ -74,10 +67,13 @@ if test $? != 0;then
 	exit 77
 fi
 
+. `dirname $0`/random-net.sh
+unset VPNNET6 VPNADDR6
+
 . `dirname $0`/ns.sh
 
 # Run servers
-update_config test-vhost-pass-cert.config
+update_config vhost-traffic.config
 if test "$VERBOSE" = 1;then
 DEBUG="-d 3"
 fi