#!/bin/sh # # Copyright (C) 2016 Red Hat, Inc. # # This file is part of ocserv. # # ocserv is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # ocserv is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} NO_NEED_ROOT=1 PORT=4473 TEMPLATE=temp-key.$$.tmpl.tmp SERVER_CERT=server-cert-temp.pem.tmp SERVER_KEY=server-key-temp.pem.tmp . `dirname $0`/common.sh echo "Testing ocserv and SIGHUP behavior on server key change... " cat <<_EOF_>"${TEMPLATE}" cn = "VPN server" dns_name = $ADDRESS expiration_days = -1 signing_key encryption_key tls_www_server _EOF_ update_config test-sighup-key-change.config # changing server cert sed -i 's/server-cert.pem/'"${SERVER_CERT}"'/' "${CONFIG}" sed -i 's/server-key.pem/'"${SERVER_KEY}"'/' "${CONFIG}" cp "${srcdir}/certs/server-cert.pem" "${SERVER_CERT}" cp "${srcdir}/certs/server-key.pem" "${SERVER_KEY}" launch_simple_sr_server -d 1 -f -c "${CONFIG}" PID=$! wait_server $PID echo -n "Connecting to obtain cookie (with certificate)... " ( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert="sha1:a82547f68f44d6351bef6cacd1d7b96e84f9dfa3" --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok sleep 5 #updating the certificate certtool --generate-self-signed --load-privkey "${SERVER_KEY}" --template "${TEMPLATE}" --outfile "${SERVER_CERT}" 2>/dev/null echo "Reloading server with new certificate" kill -HUP $PID sleep 5 echo -n "Connecting to obtain cookie (with certificate)... " ( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert="sha1:a82547f68f44d6351bef6cacd1d7b96e84f9dfa3" --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok sleep 10 #updating the certificate and key certtool --generate-privkey --outfile "${SERVER_KEY}" 2>/dev/null certtool --generate-self-signed --load-privkey "${SERVER_KEY}" --template "${TEMPLATE}" --outfile "${SERVER_CERT}" 2>/dev/null CERTARG=`certtool --key-id < "${SERVER_CERT}" 2>/dev/null | grep -v '^Invalid option'` if test -n "$CERTARG";then CERTARG="sha1:${CERTARG}" else CERTARG=`certtool -i < "${SERVER_CERT}" 2>/dev/null | sed -n '/SHA-*1 fingerprint:/{x;N;s/.*\s\([0-9a-f]\+\).*/\1/;p}'` fi echo "Reloading server with new key/cert pair" kill -HUP $PID sleep 5 echo -n "Connecting to obtain cookie (with certificate)... " ( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert="${CERTARG}" --cookieonly /dev/null 2>&1 ) || fail $PID "Could not connect with certificate!" echo ok rm -f "${SERVER_CERT}" rm -f "${SERVER_KEY}" rm -f "${TEMPLATE}" cleanup exit 0