Merge branch 'tmp-test-aes-gcm' into 'master'

tests: added tests for anyconnect's DTLS1.2 support

See merge request openconnect/ocserv!94

NEWS

@@ -1,3 +1,7 @@
+* Version 0.12.3 (unreleased)
+- Prevented crash when no DTLS ciphersuite is negotiated
+
+
 * Version 0.12.2 (released 2019-01-10)
 - Added support for AES256-SHA legacy cipher. This allows the anyconnect
   clients to use AES256.

src/worker-http.c

@@ -432,7 +432,6 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req)
 	        req->selected_ciphersuite = cand;
 
 		break;
-
 	case HEADER_DTLS12_CIPHERSUITE:
 		if (req->use_psk || !WSCONFIG(ws)->dtls_legacy)
 			break;
@@ -441,8 +440,9 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req)
 		 * anyconnect's openssl fail: https://gitlab.com/gnutls/gnutls/merge_requests/868
 		 */
 #ifdef gnutls_check_version_numeric
-		if (!gnutls_check_version_numeric(3,6,6) &&
-		    (!gnutls_check_version_numeric(3,3,0) || gnutls_check_version_numeric(3,6,0))) {
+		if (req->user_agent_type != AGENT_OPENCONNECT &&
+		    (!gnutls_check_version_numeric(3,6,6) &&
+		    (!gnutls_check_version_numeric(3,3,0) || gnutls_check_version_numeric(3,6,0)))) {
 			break;
 		}
 #endif

src/worker-vpn.c

@@ -1751,7 +1751,7 @@ static void calc_mtu_values(worker_st * ws)
 						gnutls_cipher_get(ws->session),
 						gnutls_mac_get(ws->session));
 			}
-		} else {
+		} else if (ws->req.selected_ciphersuite) {
 			ws->dtls_crypto_overhead =
 			    tls_get_overhead(ws->req.
 					     selected_ciphersuite->gnutls_version,
@@ -2199,7 +2199,7 @@ static int connect_handler(worker_st * ws)
 			oclog(ws, LOG_INFO, "DTLS ciphersuite: "DTLS_PROTO_INDICATOR);
 			ret =
 			    cstp_printf(ws, "X-DTLS-CipherSuite: "DTLS_PROTO_INDICATOR"\r\n");
-		} else {
+		} else if (ws->req.selected_ciphersuite) {
 			ret =
 			    cstp_printf(ws, "X-DTLS-Session-ID: %s\r\n",
 				       ws->buffer);

tests/Makefile.am

@@ -58,8 +58,9 @@ dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script \
 #other tests requiring nuttcp for traffic
 if ENABLE_NUTTCP_TESTS
 dist_check_SCRIPTS += traffic lz4-compression lzs-compression \
-	aes256-cipher aes128-cipher aes256-gcm-cipher aes128-gcm-cipher \
-	test-config-per-group
+	aes256-cipher aes128-cipher oc-aes256-gcm-cipher oc-aes128-gcm-cipher \
+	test-config-per-group ac-aes128-gcm-cipher ac-aes256-gcm-cipher \
+	no-dtls-cipher
 endif
 
 endif

tests/ac-aes128-gcm-cipher

@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# This tests support for anyconnect's DTLS1.2 support
+
+PKG_CONFIG="${PKG_CONFIG:-/usr/bin/pkg-config}"
+CIPHER12_NAME="AES128-GCM-SHA256"
+GNUTLS_NAME="(DTLS1.2)-(RSA)-(AES-128-GCM)"
+
+${PKG_CONFIG} --atleast-version=8.02 openconnect
+test $? != 0 && exit 77
+
+. cipher-common.sh
+

tests/ac-aes256-gcm-cipher

@@ -0,0 +1,33 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# This tests support for anyconnect's DTLS1.2 support
+
+PKG_CONFIG="${PKG_CONFIG:-/usr/bin/pkg-config}"
+CIPHER12_NAME="AES256-GCM-SHA384"
+GNUTLS_NAME="(DTLS1.2)-(RSA)-(AES-256-GCM)"
+
+# There is a bug preventing AES256-GCM-SHA384 to work in openconnect
+# 8.02.
+${PKG_CONFIG} --atleast-version=8.03 openconnect
+test $? != 0 && exit 77
+
+. cipher-common.sh
+

tests/cipher-common.sh

@@ -78,16 +78,22 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
 
 sleep 4
 
+if test -n "${CIPHER12_NAME}";then
+	CSTR="--dtls12-ciphers ${CIPHER12_NAME} --dtls-ciphers UNKNOWN"
+else
+	CSTR="--dtls-ciphers ${CIPHER_NAME}"
+fi
+
 # Run clients
 echo " * Getting cookie from ${ADDRESS}:${PORT}..."
-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dtls-ciphers=${CIPHER_NAME} --cookieonly )
+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} --cookieonly )
 if test $? != 0;then
 	echo "Could not get cookie from server"
 	exit 1
 fi
 
 echo " * Connecting to ${ADDRESS}:${PORT}..."
-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dtls-ciphers=${CIPHER_NAME} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
 if test $? != 0;then
 	echo "Could not connect to server"
 	exit 1
@@ -138,11 +144,20 @@ if test $? != 0;then
 	exit 1
 fi
 
-grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE}
-if test $? != 0;then
-	${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
-	echo "occtl show user didn't show cipher!"
-	exit 1
+if test -z "${GNUTLS_NAME}";then
+	grep "DTLS cipher:" ${OUTFILE}
+	if test $? = 0;then
+		${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+		echo "occtl show user did show a cipher!"
+		exit 1
+	fi
+else
+	grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE}
+	if test $? != 0;then
+		${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+		echo "occtl show user didn't show cipher!"
+		exit 1
+	fi
 fi
 
 grep ${CLI_ADDRESS} ${OUTFILE}

tests/no-dtls-cipher

@@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# This tests support for anyconnect's DTLS1.2 support
+
+PKG_CONFIG="${PKG_CONFIG:-/usr/bin/pkg-config}"
+CIPHER_NAME="UNKNOWN"
+GNUTLS_NAME=""
+
+. cipher-common.sh
+