Merge branch 'tmp-enable-asan' into 'master'

.gitlab-ci.yml: reenable address sanitizer

See merge request openconnect/ocserv!202
Nikos Mavrogiannopoulos
2020-08-06 11:10:13 +00:00
11 changed files with 107 additions and 32 deletions


@@ -408,16 +408,16 @@ minimal/Ubuntu20.04:
# We do not compile with PAM under address sanitizer since we are using co-routines # We do not compile with PAM under address sanitizer since we are using co-routines
# without instrumentation for sanitizer. # without instrumentation for sanitizer.
.asan/Fedora: asan/clang/Fedora:
stage: testing stage: testing
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
script: script:
- chmod o-w tests/data/raddb - chmod -R o-w tests/data/raddb
- git submodule update --init - git submodule update --init
- autoreconf -fvi - autoreconf -fvi
- CFLAGS="-fsanitize=address -g -O2" LDFLAGS="-static-libasan" ./configure --without-pam --without-docker-tests - CC=clang CFLAGS="-fsanitize=address -fno-optimize-sibling-calls -fno-omit-frame-pointer -g -O1" ./configure --without-pam --without-docker-tests --without-asan-broken-tests
- make -j$JOBS - make -j$JOBS
- make check -j$JOBS VERBOSE=1 - make check -j$JOBS
tags: tags:
- shared - shared
- linux - linux
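Review bot: Dropping `VERBOSE=1` from the `make check` line of `asan/clang/Fedora` means a failing test's log, which is presumably where an AddressSanitizer report ends up, is no longer echoed into the job output. Unless the job uploads the test logs as artifacts (nothing in this hunk does, though the job definition may continue past `tags:`), a sanitizer finding in CI would surface only as a FAIL line. I would keep `- make check -j$JOBS VERBOSE=1`, or add an `artifacts:` block with `when: on_failure` covering the test logs. A short comment next to the new `CFLAGS` saying that `-O1 -fno-omit-frame-pointer -fno-optimize-sibling-calls` are there for readable sanitizer stack traces would also help whoever edits the flags next.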


@@ -14,7 +14,7 @@ gl_EARLY
AM_PROG_AR AM_PROG_AR
AM_PROG_CC_C_O AM_PROG_CC_C_O
AC_PROG_SED AC_PROG_SED
if test "$GCC" = "yes" && ! echo "$CC"|grep clang;then if test "$GCC" = "yes" && ! expr "$CC" : clang >/dev/null 2>&1;then
CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation" CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation"
fi fi
@@ -129,6 +129,16 @@ AC_ARG_WITH(docker-tests,
AM_CONDITIONAL(ENABLE_DOCKER_TESTS, test "x$docker_tests" = xyes) AM_CONDITIONAL(ENABLE_DOCKER_TESTS, test "x$docker_tests" = xyes)
AC_ARG_WITH(asan-broken-tests,
AS_HELP_STRING([--without-asan-broken-tests], [disable any tests that cannot be run under asan]),
enable_asan_broken_tests=$withval,
enable_asan_broken_tests=yes)
AC_MSG_CHECKING([whether to enable broken in asan tests])
AC_MSG_RESULT([${enable_asan_broken_tests}])
AM_CONDITIONAL(DISABLE_ASAN_BROKEN_TESTS, test "x$enable_asan_broken_tests" = xno)
AC_ARG_WITH(kerberos-tests, AC_ARG_WITH(kerberos-tests,
AS_HELP_STRING([--with-kerberos-tests], [enable any tests requiring kerberos setup]), AS_HELP_STRING([--with-kerberos-tests], [enable any tests requiring kerberos setup]),
kerberos_tests=$withval, kerberos_tests=$withval,
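Review bot: The new clang test `expr "$CC" : clang` only matches when `$CC` begins with `clang`, because the `:` operator of `expr` anchors the pattern at the start of the string, whereas the `grep clang` it replaces matched anywhere. With `CC=/usr/bin/clang` or `CC="ccache clang"` the check no longer recognises clang, and the GCC-only warning flags on the following line are appended. `expr "$CC" : '.*clang' >/dev/null 2>&1` keeps the quiet output and restores the old matching. Separately, the check message in the second hunk reads more clearly as `AC_MSG_CHECKING([whether to enable tests that are broken under asan])`.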


@@ -405,7 +405,8 @@ rekey-method = ssl
# Script to call when a client connects and obtains an IP. # Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment. # The following parameters are passed on the environment.
# REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client), # REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL # REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL
# (the local interface IP the client connected), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client), # (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and # assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
@@ -426,7 +427,7 @@ rekey-method = ssl
# This script is to be called when the client's advertised hostname becomes # This script is to be called when the client's advertised hostname becomes
# available. It will contain REASON with "host-update" value and the # available. It will contain REASON with "host-update" value and the
# variable HOSTNAME in addition to the connect variables. # variable REMOTE_HOSTNAME in addition to the connect variables.
#host-update-script = /usr/bin/myhostnamescript #host-update-script = /usr/bin/myhostnamescript


@@ -120,6 +120,12 @@ static int snapshot_add_entry(snapshot_t * snapshot, const char *filename,
return retval; return retval;
} }
static int talloc_clear_htable(snapshot_t *s)
{
htable_clear(&s->ht);
return 0;
}
int snapshot_init(void *pool, struct snapshot_t **snapshot, const char *prefix) int snapshot_init(void *pool, struct snapshot_t **snapshot, const char *prefix)
{ {
snapshot_t *new_snapshot = NULL; snapshot_t *new_snapshot = NULL;
@@ -141,6 +147,7 @@ int snapshot_init(void *pool, struct snapshot_t **snapshot, const char *prefix)
goto cleanup; goto cleanup;
htable_init(&new_snapshot->ht, snapshot_rehash, new_snapshot); htable_init(&new_snapshot->ht, snapshot_rehash, new_snapshot);
talloc_set_destructor(new_snapshot, talloc_clear_htable);
*snapshot = new_snapshot; *snapshot = new_snapshot;
new_snapshot = NULL; new_snapshot = NULL;
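Review bot: The destructor added above `snapshot_init` is named `talloc_clear_htable`, which places a file-local static function in the talloc library's own `talloc_` namespace; a name such as `snapshot_destructor` says whose cleanup it is and avoids a future clash. It also deserves a comment stating why it exists, for example `/* the htable's bucket storage is not owned by the talloc context, so talloc_free() of the snapshot alone would leak it */`. That reasoning is inferred from the change and should be confirmed against the htable implementation. If an explicit snapshot teardown function also calls `htable_clear` (none is visible here, and `snapshot_init` continues outside both hunks), check that clearing twice is harmless.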


@@ -341,6 +341,7 @@ const char* script, *next_script = NULL;
setenv("USERNAME", proc->username, 1); setenv("USERNAME", proc->username, 1);
setenv("GROUPNAME", proc->groupname, 1); setenv("GROUPNAME", proc->groupname, 1);
setenv("HOSTNAME", proc->hostname, 1); setenv("HOSTNAME", proc->hostname, 1);
setenv("REMOTE_HOSTNAME", proc->hostname, 1);
setenv("DEVICE", proc->tun_lease.name, 1); setenv("DEVICE", proc->tun_lease.name, 1);
setenv("USER_AGENT", proc->user_agent, 1); setenv("USER_AGENT", proc->user_agent, 1);
setenv("DEVICE_TYPE", proc->device_type, 1); setenv("DEVICE_TYPE", proc->device_type, 1);
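Review bot: `REMOTE_HOSTNAME` is exported on the line after `HOSTNAME`, from the same `proc->hostname`, with no comment saying why both exist or that the value originates from the client. The sample config changed in this commit describes it as the remotely advertised hostname, so hook scripts receive client-controlled text in both variables, and `HOSTNAME` is additionally a name that shells such as bash set for themselves. I would add `/* client-advertised and untrusted; HOSTNAME is kept for backwards compatibility only */` above the pair, and confirm that `proc->hostname` is length- and character-checked where it is parsed, which is not visible in this hunk. The enclosing function starts and ends outside the hunk.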


@@ -558,6 +558,7 @@ int main(int argc, char **argv)
const char *file = NULL; const char *file = NULL;
void *gl_pool; void *gl_pool;
cmd_params_st params; cmd_params_st params;
int ret;
memset(&params, 0, sizeof(params)); memset(&params, 0, sizeof(params));
@@ -615,7 +616,9 @@ int main(int argc, char **argv)
} }
/* handle all arguments as a command */ /* handle all arguments as a command */
exit(single_cmd(argc, argv, gl_pool, file, &params)); ret = single_cmd(argc, argv, gl_pool, file, &params);
talloc_free(gl_pool);
exit(ret);
} }
interactive: interactive:
@@ -634,5 +637,6 @@ int main(int argc, char **argv)
conn_close(conn); conn_close(conn);
talloc_free(gl_pool);
return 0; return 0;
} }


@@ -192,3 +192,8 @@ XFAIL_TESTS = $(xfail_scripts)
TESTS_ENVIRONMENT = srcdir="$(srcdir)" \ TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
top_builddir="$(top_builddir)" top_builddir="$(top_builddir)"
if DISABLE_ASAN_BROKEN_TESTS
TESTS_ENVIRONMENT += DISABLE_ASAN_BROKEN_TESTS=1
else
TESTS_ENVIRONMENT += DISABLE_ASAN_BROKEN_TESTS=0
endif


@@ -30,12 +30,21 @@ if test -z "${OPENCONNECT}" || ! test -x ${OPENCONNECT};then
exit 1 exit 1
fi fi
if test "${DISABLE_ASAN_BROKEN_TESTS}" = 1;then
echo "Disabling worker isolation to enable asan"
ISOLATE_WORKERS=false
fi
if test -z "$NO_NEED_ROOT";then if test -z "$NO_NEED_ROOT";then
if test "$(id -u)" != "0";then if test "$(id -u)" != "0";then
echo "You need to run this script as root" echo "You need to run this script as root"
exit 77 exit 77
fi fi
else else
if test "${DISABLE_ASAN_BROKEN_TESTS}" = 1;then
echo "Skipping test requiring ldpreload"
exit 77
fi
SOCKDIR="${srcdir}/tmp/sockwrap.$$.tmp" SOCKDIR="${srcdir}/tmp/sockwrap.$$.tmp"
mkdir -p $SOCKDIR mkdir -p $SOCKDIR
export SOCKET_WRAPPER_DIR=$SOCKDIR export SOCKET_WRAPPER_DIR=$SOCKDIR
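Review bot: The first added block forces `ISOLATE_WORKERS=false` whenever `DISABLE_ASAN_BROKEN_TESTS` is 1, so the sanitizer job never exercises the worker-isolation path, and any value of `ISOLATE_WORKERS` set before this point is overwritten. The trade-off is reasonable but undocumented. A comment such as `# asan-instrumented workers cannot run with worker isolation on, so the asan job tests with it off` would record it; that reason is inferred from the echo text and should be confirmed. The skip branch under `NO_NEED_ROOT` prints only "Skipping test requiring ldpreload"; `echo "Skipping test requiring ldpreload (asan build)"` would make the CI log explain itself.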


@@ -14,6 +14,7 @@ verify_env_set() {
verify_env_set "IP_REMOTE" verify_env_set "IP_REMOTE"
verify_env_set "REASON" verify_env_set "REASON"
verify_env_set "HOSTNAME" verify_env_set "HOSTNAME"
verify_env_set "REMOTE_HOSTNAME"
verify_env_set "USERNAME" verify_env_set "USERNAME"
verify_env_set "USER_AGENT" verify_env_set "USER_AGENT"
verify_env_set "DEVICE_PLATFORM" verify_env_set "DEVICE_PLATFORM"


@@ -80,7 +80,15 @@ echo " * Connecting to obtain cookie... "
echo " * Re-connecting to force script run... " echo " * Re-connecting to force script run... "
echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true
sleep 5 TIMEOUT=5
while ! test -f ${builddir}/disconnect.ok; do
TIMEOUT=$(($TIMEOUT - 1))
if [ $TIMEOUT -eq 0 ]; then
echo "Timed out waiting for ${builddir}/disconnect.ok (1)"
exit 1
fi
sleep 1
done
if ! test -f ${builddir}/connect.ok;then if ! test -f ${builddir}/connect.ok;then
echo "Connect script was not run" echo "Connect script was not run"
@@ -117,41 +125,59 @@ fi
echo " * Re-connecting to force session stealing... " echo " * Re-connecting to force session stealing... "
eval "$(grep COOKIE ${PARAMSFILE})" eval "$(grep COOKIE ${PARAMSFILE})"
echo ${COOKIE}| $OPENCONNECT localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE} -b echo ${COOKIE}| $OPENCONNECT --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE} -b
sleep 4
echo " - Pausing client" echo " - Pausing client"
if ! test -f ${OPIDFILE};then TIMEOUT=4
echo "Could not find pid file" while ! test -f ${OPIDFILE}; do
TIMEOUT=$(($TIMEOUT - 1))
if [ $TIMEOUT -eq 0 ]; then
echo "Timed out waiting for ${OPIDFILE}"
exit 1 exit 1
fi fi
kill -s STOP $(cat ${OPIDFILE}) sleep 1
sleep 12 done
if ! test -f ${builddir}/connect.ok;then kill -s STOP $(cat ${OPIDFILE})
echo "Connect script was not run (2)"
TIMEOUT=12
while ! test -f ${builddir}/connect.ok; do
TIMEOUT=$(($TIMEOUT - 1))
if [ $TIMEOUT -eq 0 ]; then
echo "Timed out waiting for ${builddir}/connect.ok"
exit 1 exit 1
fi fi
sleep 1
done
rm -f ${builddir}/connect.ok rm -f ${builddir}/connect.ok
rm -f ${builddir}/disconnect.ok rm -f ${builddir}/disconnect.ok
echo " * Re-connecting to steal previous IP address... " echo " * Re-connecting to steal previous IP address... "
echo ${COOKIE} | $OPENCONNECT -q localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE2} -b echo ${COOKIE} | $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE2} -b
echo " - Resuming (disconnected) client" echo " - Resuming (disconnected) client"
kill -s CONT $(cat ${OPIDFILE}) kill -s CONT $(cat ${OPIDFILE})
sleep 6
if ! test -f ${builddir}/connect.ok;then TIMEOUT=6
echo "Connect script was not run (3)" while ! test -f ${builddir}/connect.ok; do
TIMEOUT=$(($TIMEOUT - 1))
if [ $TIMEOUT -eq 0 ]; then
echo "Timed out waiting for ${builddir}/connect.ok (3)"
exit 1 exit 1
fi fi
sleep 1
done
if ! test -f ${builddir}/disconnect.ok;then TIMEOUT=6
echo "Disconnect script was not run properly (3)" while ! test -f ${builddir}/disconnect.ok; do
TIMEOUT=$(($TIMEOUT - 1))
if [ $TIMEOUT -eq 0 ]; then
echo "Timed out waiting for ${builddir}/disconnect.ok (3)"
exit 1 exit 1
fi fi
sleep 1
done
rm -f ${builddir}/connect.ok rm -f ${builddir}/connect.ok
rm -f ${builddir}/disconnect.ok rm -f ${builddir}/disconnect.ok
@@ -160,18 +186,24 @@ echo " - Killing all clients"
sleep 2 sleep 2
test -f ${OPIDFILE2} && kill $(cat ${OPIDFILE2}) test -f ${OPIDFILE2} && kill $(cat ${OPIDFILE2})
test -f ${OPIDFILE} && kill $(cat ${OPIDFILE}) test -f ${OPIDFILE} && kill $(cat ${OPIDFILE})
sleep 6
echo " - Last check of files" echo " - Last check of files"
if ! test -f ${builddir}/disconnect.ok;then
echo "Disconnect script was not run properly (4)" TIMEOUT=6
while ! test -f ${builddir}/disconnect.ok; do
TIMEOUT=$(($TIMEOUT - 1))
if [ $TIMEOUT -eq 0 ]; then
echo "Timed out waiting for ${builddir}/disconnect.ok (4)"
exit 1 exit 1
fi fi
sleep 1
done
sleep 5 sleep 5
echo " - Check server status" echo " - Check server status"
( echo "!@#$%^&*()<>" | $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ( echo "!@#$%^&*()<>" | $OPENCONNECT --local-hostname='mylocalname' -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
fail $PID "Could not receive cookie from server" fail $PID "Could not receive cookie from server"
echo " - Killing server" echo " - Killing server"
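Review bot: Each polling loop that replaces a fixed `sleep` decrements `TIMEOUT` before testing it, so `TIMEOUT=5` gives up after four one-second sleeps and `TIMEOUT=4` after three. Every wait is therefore one second shorter than the sleep it replaced, which matters on a slower sanitizer build. The same loop is also repeated six times, with only the file name and the label changing. I would move it into one helper that checks, sleeps and then counts, with the file name quoted, as sketched below. The timeout path still ends in a bare `exit 1`, so whether the server is stopped on timeout depends on cleanup code outside these hunks.

```shell
# Wait up to $2 seconds for file $1 to appear; exit 1 with a message on timeout.
wait_file() {
    file=$1
    secs=$2
    while ! test -f "${file}"; do
        if [ "${secs}" -le 0 ]; then
            echo "Timed out waiting for ${file}"
            exit 1
        fi
        sleep 1
        secs=$((secs - 1))
    done
}

# … unchanged: first reconnect with --local-hostname …
wait_file "${builddir}/disconnect.ok" 5
# … unchanged: remaining connect/disconnect checks, each loop replaced by one wait_file call …
```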


@@ -30,6 +30,11 @@ USERNAME=test
. `dirname $0`/common.sh . `dirname $0`/common.sh
if test "${DISABLE_ASAN_BROKEN_TESTS}" = 1;then
echo "Skipping test requiring ldpreload"
exit 77
fi
rm -f test-sleep.tmp rm -f test-sleep.tmp
OCCTL_SOCKET=./occtl-test-script-$$.socket OCCTL_SOCKET=./occtl-test-script-$$.socket