authorParménides GV <parmegv@sdf.org>2014-04-08 11:38:09 +0200
committerParménides GV <parmegv@sdf.org>2014-04-08 11:43:27 +0200
commit5fc5d37330d3535a0f421632694d1e7918fc22d7 (patch)
tree1aad0c286e58962c8895854907e530b9bc9bce5a /app/openvpn/tests
parentc206a91d320995f37f8abb33188bfd384249da3d (diff)
Compiles correctly: app/build-native + gradle.
Diffstat (limited to 'app/openvpn/tests')
-rw-r--r--app/openvpn/tests/Makefile.am23
-rw-r--r--app/openvpn/tests/t_client.rc-sample93
-rwxr-xr-xapp/openvpn/tests/t_client.sh.in316
-rwxr-xr-xapp/openvpn/tests/t_cltsrv-down.sh2
-rwxr-xr-xapp/openvpn/tests/t_cltsrv.sh91
-rwxr-xr-xapp/openvpn/tests/t_lpback.sh32
6 files changed, 557 insertions, 0 deletions
diff --git a/app/openvpn/tests/Makefile.am b/app/openvpn/tests/Makefile.am
new file mode 100644
index 00000000..b7980e04
--- /dev/null
+++ b/app/openvpn/tests/Makefile.am
@@ -0,0 +1,23 @@
+#
+# OpenVPN -- An application to securely tunnel IP networks
+# over a single UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
+#
+
+MAINTAINERCLEANFILES = \
+ $(srcdir)/Makefile.in
+
+test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh
+
+TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)"
+TESTS = $(test_scripts)
+
+dist_noinst_SCRIPTS = \
+ $(test_scripts) \
+ t_cltsrv-down.sh
+
diff --git a/app/openvpn/tests/t_client.rc-sample b/app/openvpn/tests/t_client.rc-sample
new file mode 100644
index 00000000..dcb3e4ae
--- /dev/null
+++ b/app/openvpn/tests/t_client.rc-sample
@@ -0,0 +1,93 @@
+#
+# this is sourced from t_client.sh and defines which openvpn client tests
+# to run
+#
+# (sample config, copy to t_client.rc and adapt to your environment)
+#
+#
+# define these - if empty, no tests will run
+#
+top_srcdir="${top_srcdir:-..}"
+CA_CERT="${top_srcdir}/sample/sample-keys/ca.crt"
+CLIENT_KEY="${top_srcdir}/sample/sample-keys/client.key"
+CLIENT_CERT="${top_srcdir}/sample/sample-keys/client.crt"
+#
+# remote host (used as macro below)
+#
+REMOTE=mytestserver
+#
+# tests to run (list suffixes for config stanzas below)
+#
+TEST_RUN_LIST="1 2"
+
+#
+# use "sudo" (etc) to give openvpn the necessary privileges
+# if this is not active, "make check" must be run as root
+#
+#RUN_SUDO=sudo
+
+#
+# base confic that is the same for all the p2mp test runs
+#
+OPENVPN_BASE_P2MP="--client --ca $CA_CERT \
+ --cert $CLIENT_CERT --key $CLIENT_KEY \
+ --ns-cert-type server --nobind --comp-lzo --verb 3"
+
+# base config for p2p tests
+#
+OPENVPN_BASE_P2P="..."
+
+#
+#
+# now define the individual tests - all variables suffixed with _1, _2 etc
+# will be used in test run "1", "2", etc.
+#
+# if something is not defined here, the corresponding test is not run
+#
+# possible test options:
+#
+# RUN_TITLE_x="what is being tested on here" (purely informational)
+# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory]
+# EXPECT_IFCONFIG4_x = "this IPv4 address needs to show up in ifconfig"
+# EXPECT_IFCONFIG6_x = "this IPv6 address needs to show up in ifconfig"
+# PING4_HOSTS_x = "these hosts musts ping when openvpn is up (IPv4 fping)"
+# PING6_HOSTS_x = "these hosts musts ping when openvpn is up (IPv6 fping6)"
+#
+# Test 1: UDP / p2mp tun
+# specify IPv4+IPv6 addresses expected from server and ping targets
+#
+RUN_TITLE_1="testing tun/udp/ipv4+ipv6"
+OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194"
+EXPECT_IFCONFIG4_1="10.100.50.6"
+EXPECT_IFCONFIG6_1="2001:dba:a050::1:0"
+PING4_HOSTS_1="10.100.50.1 10.100.0.1"
+PING6_HOSTS_1="2001:dba::1 2001:dba:a050::1"
+
+# Test 2: TCP / p2mp tun
+#
+RUN_TITLE_2="testing tun/tcp/ipv4+ipv6"
+OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194"
+EXPECT_IFCONFIG4_2="10.100.51.6"
+EXPECT_IFCONFIG6_2="2001:dba:a051::1:0"
+PING4_HOSTS_2="10.100.51.1 10.100.0.1"
+PING6_HOSTS_1="2001:dba::1 2001:dba:a051::1"
+
+# Test 3: UDP / p2p tun
+# ...
+
+# Test 4: TCP / p2p tun
+# ...
+
+# Test 5: UDP / p2mp tap
+# ...
+
+# Test 6: TCP / p2mp tun
+# ...
+
+# Test 7: UDP / p2p tap
+# ...
+
+# Test 8: TCP / p2p tap
+# ...
+
+# Test 9: whatever you want to test... :-)
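Review bot: The Test 2 stanza assigns `PING6_HOSTS_1` instead of `PING6_HOSTS_2` on the last line of the block, so test run 2 gets no IPv6 ping targets at all and test run 1 silently has its IPv6 targets replaced by the a051 network, which makes the "must not be reachable before VPN" pre-check and the post-connect ping for run 1 check the wrong addresses. The line should read `PING6_HOSTS_2="2001:dba::1 2001:dba:a051::1"`. Since t_client.sh.in looks these variables up with `eval` by suffix, a wrong suffix fails silently rather than erroring, which is why a sample file should be especially careful here. Two comment typos are also worth fixing while touching the file: "base confic" should read "base config", and "these hosts musts ping" should read "these hosts must ping" in both PING4/PING6 descriptions.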
diff --git a/app/openvpn/tests/t_client.sh.in b/app/openvpn/tests/t_client.sh.in
new file mode 100755
index 00000000..189eecce
--- /dev/null
+++ b/app/openvpn/tests/t_client.sh.in
@@ -0,0 +1,316 @@
+#!@SHELL@
+#
+# run OpenVPN client against ``test reference'' server
+# - check that ping, http, ... via tunnel works
+# - check that interface config / routes are properly cleaned after test end
+#
+# prerequisites:
+# - openvpn binary in current directory
+# - writable current directory to create subdir for logs
+# - t_client.rc in current directory OR source dir that specifies tests
+# - for "ping4" checks: fping binary in $PATH
+# - for "ping6" checks: fping6 binary in $PATH
+#
+
+srcdir="${srcdir:-.}"
+top_builddir="${top_builddir:-..}"
+if [ -r "${top_builddir}"/t_client.rc ] ; then
+ . "${top_builddir}"/t_client.rc
+elif [ -r "${srcdir}"/t_client.rc ] ; then
+ . "${srcdir}"/t_client.rc
+else
+ echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2
+ echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2
+ exit 77
+fi
+
+if [ ! -x "${top_builddir}/src/openvpn/openvpn" ]
+then
+ echo "no (executable) openvpn binary in current build tree. FAIL." >&2
+ exit 1
+fi
+
+if [ ! -w . ]
+then
+ echo "current directory is not writable (required for logging). FAIL." >&2
+ exit 1
+fi
+
+if [ -z "$CA_CERT" ] ; then
+ echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2
+ exit 77
+fi
+
+if [ -z "$TEST_RUN_LIST" ] ; then
+ echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2
+ exit 77
+fi
+
+# make sure we have permissions to run ifconfig/route from OpenVPN
+# can't use "id -u" here - doesn't work on Solaris
+ID=`id`
+if expr "$ID" : "uid=0" >/dev/null
+then :
+else
+ if [ -z "$RUN_SUDO" ]
+ then
+ echo "$0: this test must run be as root, or RUN_SUDO=... " >&2
+ echo " must be set correctly in 't_client.rc'. SKIP." >&2
+ exit 77
+ fi
+fi
+
+LOGDIR=t_client-`hostname`-`date +%Y%m%d-%H%M%S`
+if mkdir $LOGDIR
+then :
+else
+ echo "can't create log directory '$LOGDIR'. FAIL." >&2
+ exit 1
+fi
+
+exit_code=0
+
+# ----------------------------------------------------------
+# helper functions
+# ----------------------------------------------------------
+# print failure message, increase FAIL counter
+fail()
+{
+ echo ""
+ echo "FAIL: $@" >&2
+ fail_count=$(( $fail_count + 1 ))
+}
+
+# print "all interface IP addresses" + "all routes"
+# this is higly system dependent...
+get_ifconfig_route()
+{
+ # linux / iproute2? (-> if configure got a path)
+ if [ -n "@IPROUTE@" ]
+ then
+ echo "-- linux iproute2 --"
+ @IPROUTE@ addr show | grep -v valid_lft
+ @IPROUTE@ route show
+ @IPROUTE@ -o -6 route show | grep -v ' cache' | sed -e 's/expires [0-9]*sec//'
+ return
+ fi
+
+ # try uname
+ case `uname -s` in
+ Linux)
+ echo "-- linux / ifconfig --"
+ LANG=C @IFCONFIG@ -a |egrep "( addr:|encap:)"
+ LANG=C @NETSTAT@ -rn -4 -6
+ return
+ ;;
+ FreeBSD|NetBSD|Darwin)
+ echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --"
+ @IFCONFIG@ -a | egrep "(flags=|inet)"
+ @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
+ return
+ ;;
+ OpenBSD)
+ echo "-- OpenBSD --"
+ @IFCONFIG@ -a | egrep "(flags=|inet)" | \
+ sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//'
+ @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
+ return
+ ;;
+ SunOS)
+ echo "-- Solaris --"
+ @IFCONFIG@ -a | egrep "(flags=|inet)"
+ @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }'
+ return
+ ;;
+ esac
+
+ echo "get_ifconfig_route(): no idea how to get info on your OS. FAIL." >&2
+ exit 20
+}
+
+# ----------------------------------------------------------
+# check ifconfig
+# arg1: "4" or "6" -> for message
+# arg2: IPv4/IPv6 address that must show up in out of "get_ifconfig_route"
+check_ifconfig()
+{
+ proto=$1 ; shift
+ expect_list="$@"
+
+ if [ -z "$expect_list" ] ; then return ; fi
+
+ for expect in $expect_list
+ do
+ if get_ifconfig_route | fgrep "$expect" >/dev/null
+ then :
+ else
+ fail "check_ifconfig(): expected IPv$proto address '$expect' not found in ifconfig output."
+ fi
+ done
+}
+
+# ----------------------------------------------------------
+# run pings
+# arg1: "4" or "6" -> fping/fing6
+# arg2: "want_ok" or "want_fail" (expected ping result)
+# arg3... -> fping arguments (host list)
+run_ping_tests()
+{
+ proto=$1 ; want=$2 ; shift ; shift
+ targetlist="$@"
+
+ # "no targets" is fine
+ if [ -z "$targetlist" ] ; then return ; fi
+
+ case $proto in
+ 4) cmd=fping ;;
+ 6) cmd=fping6 ;;
+ *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2
+ exit 1 ;;
+ esac
+
+ case $want in
+ want_ok) sizes_list="64 1440 3000" ;;
+ want_fail) sizes_list="64" ;;
+ esac
+
+ for bytes in $sizes_list
+ do
+ echo "run IPv$proto ping tests ($want), $bytes byte packets..."
+
+ echo "$cmd -b $bytes -C 20 -p 250 -q $targetlist" >>$LOGDIR/$SUF:fping.out
+ $cmd -b $bytes -C 20 -p 250 -q $targetlist >>$LOGDIR/$SUF:fping.out 2>&1
+
+ # while OpenVPN is running, pings must succeed (want='want_ok')
+ # before OpenVPN is up, pings must NOT succeed (want='want_fail')
+
+ rc=$?
+ if [ $rc = 0 ] # all ping OK
+ then
+ if [ $want = "want_fail" ] # not what we want
+ then
+ fail "IPv$proto ping test succeeded, but needs to *fail*."
+ fi
+ else # ping failed
+ if [ $want = "want_ok" ] # not what we wanted
+ then
+ fail "IPv$proto ping test ($bytes bytes) failed, but should succeed."
+ fi
+ fi
+ done
+}
+
+# ----------------------------------------------------------
+# main test loop
+# ----------------------------------------------------------
+SUMMARY_OK=
+SUMMARY_FAIL=
+
+for SUF in $TEST_RUN_LIST
+do
+ # get config variables
+ eval test_run_title=\"\$RUN_TITLE_$SUF\"
+ eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\"
+ eval expect_ifconfig4=\"\$EXPECT_IFCONFIG4_$SUF\"
+ eval expect_ifconfig6=\"\$EXPECT_IFCONFIG6_$SUF\"
+ eval ping4_hosts=\"\$PING4_HOSTS_$SUF\"
+ eval ping6_hosts=\"\$PING6_HOSTS_$SUF\"
+
+ echo -e "\n### test run $SUF: '$test_run_title' ###\n"
+ fail_count=0
+
+ echo "save pre-openvpn ifconfig + route"
+ get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_pre.txt
+
+ echo -e "\nrun pre-openvpn ping tests - targets must not be reachable..."
+ run_ping_tests 4 want_fail "$ping4_hosts"
+ run_ping_tests 6 want_fail "$ping6_hosts"
+ if [ "$fail_count" = 0 ] ; then
+ echo -e "OK.\n"
+ else
+ echo -e "FAIL: make sure that ping hosts are ONLY reachable via VPN, SKIP test $SUF".
+ exit_code=31
+ continue
+ fi
+
+ echo " run openvpn $openvpn_conf"
+ echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log
+ $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log &
+ opid=$!
+
+ # make sure openvpn client is terminated in case shell exits
+ trap "$RUN_SUDO kill $opid" 0
+ trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15
+
+ echo "wait for connection to establish..."
+ sleep ${SETUP_TIME_WAIT:-10}
+
+ # test whether OpenVPN process is still there
+ if $RUN_SUDO kill -0 $opid
+ then :
+ else
+ echo -e "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log). FAIL.\ntail of logfile follows:\n..." >&2
+ tail $LOGDIR/$SUF:openvpn.log >&2
+ trap - 0 1 2 3 15
+ exit 10
+ fi
+
+ # compare whether anything changed in ifconfig/route setup?
+ echo "save ifconfig+route"
+ get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route.txt
+
+ echo -n "compare pre-openvpn ifconfig+route with current values..."
+ if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \
+ $LOGDIR/$SUF:ifconfig_route.txt >/dev/null
+ then
+ fail "no differences between ifconfig/route before OpenVPN start and now."
+ else
+ echo -e " OK!\n"
+ fi
+
+ # expected ifconfig values in there?
+ check_ifconfig 4 "$expect_ifconfig4"
+ check_ifconfig 6 "$expect_ifconfig6"
+
+ run_ping_tests 4 want_ok "$ping4_hosts"
+ run_ping_tests 6 want_ok "$ping6_hosts"
+ echo -e "ping tests done.\n"
+
+ echo "stopping OpenVPN"
+ $RUN_SUDO kill $opid
+ wait $!
+ rc=$?
+ if [ $rc != 0 ] ; then
+ fail "OpenVPN return code $rc, expect 0"
+ fi
+
+ echo -e "\nsave post-openvpn ifconfig + route..."
+ get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_post.txt
+
+ echo -n "compare pre- and post-openvpn ifconfig + route..."
+ if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \
+ $LOGDIR/$SUF:ifconfig_route_post.txt >$LOGDIR/$SUF:ifconfig_route_diff.txt
+ then
+ echo -e " OK.\n"
+ else
+ cat $LOGDIR/$SUF:ifconfig_route_diff.txt >&2
+ fail "differences between pre- and post-ifconfig/route"
+ fi
+ if [ "$fail_count" = 0 ] ; then
+ echo -e "test run $SUF: all tests OK.\n"
+ SUMMARY_OK="$SUMMARY_OK $SUF"
+ else
+ echo -e "test run $SUF: $fail_count test failures. FAIL.\n";
+ SUMMARY_FAIL="$SUMMARY_FAIL $SUF"
+ exit_code=30
+ fi
+done
+
+if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi
+if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi
+echo "Test sets succeded:$SUMMARY_OK."
+echo "Test sets failed:$SUMMARY_FAIL."
+
+# remove trap handler
+trap - 0 1 2 3 15
+exit $exit_code
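Review bot: The banners and prompts in the main loop use `echo -e` and `echo -n` (first at `echo -e "\n### test run $SUF: ..."`, then throughout the loop down to the per-run summary lines), but the script is templated with `#!@SHELL@`; if configure substitutes a POSIX sh such as dash, `echo -e` prints a literal `-e` and leaves the `\n` escapes unexpanded, so the log output becomes garbled and the "OK."/"FAIL" lines are harder to grep. `printf` is the portable replacement, e.g. `printf '\n### test run %s: %s ###\n\n' "$SUF" "'$test_run_title'"` and `printf 'compare pre-openvpn ifconfig+route with current values...'` for the `-n` cases. The same applies to the multi-line failure message printed when `kill -0 $opid` fails, where the embedded `\n` sequences are the only line structure.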
diff --git a/app/openvpn/tests/t_cltsrv-down.sh b/app/openvpn/tests/t_cltsrv-down.sh
new file mode 100755
index 00000000..2ef852aa
--- /dev/null
+++ b/app/openvpn/tests/t_cltsrv-down.sh
@@ -0,0 +1,2 @@
+#! /bin/sh
+echo "${role}:${signal}" >&3
diff --git a/app/openvpn/tests/t_cltsrv.sh b/app/openvpn/tests/t_cltsrv.sh
new file mode 100755
index 00000000..752251e4
--- /dev/null
+++ b/app/openvpn/tests/t_cltsrv.sh
@@ -0,0 +1,91 @@
+#! /bin/sh
+#
+# t_cltsrv.sh - script to test OpenVPN's crypto loopback
+# Copyright (C) 2005, 2006, 2008 Matthias Andree
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
+set -e
+srcdir="${srcdir:-.}"
+top_srcdir="${top_srcdir:-..}"
+top_builddir="${top_builddir:-..}"
+trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
+trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3
+addopts=
+case `uname -s` in
+ FreeBSD)
+ # FreeBSD jails map the outgoing IP to the jail IP - we need to
+ # allow the real IP unless we want the test to run forever.
+ if test "`sysctl 2>/dev/null -n security.jail.jailed`" = 1 \
+ || ps -ostate= -p $$ | grep -q J; then
+ addopts="--float"
+ if test "x`ifconfig | grep inet`" = x ; then
+ echo "###"
+ echo "### To run the test in a FreeBSD jail, you MUST add an IP alias for the jail's IP."
+ echo "###"
+ exit 77
+ fi
+ fi
+ ;;
+esac
+
+# make sure that the --down script is executable -- fail (rather than
+# skip) test if it isn't.
+downscript="../tests/t_cltsrv-down.sh"
+root="${top_srcdir}/sample"
+test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; }
+echo "The following test will take about two minutes." >&2
+echo "If the addresses are in use, this test will retry up to two times." >&2
+
+# go
+success=0
+for i in 1 2 3 ; do
+ set +e
+ (
+ "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" &
+ "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client"
+ ) 3>log.$$.signal >log.$$ 2>&1
+ e1=$?
+ wait $!
+ e2=$?
+ grep 'TCP/UDP: Socket bind failed on local address.*in use' log.$$ >/dev/null && {
+ echo 'address in use, retrying in 150 s'
+ sleep 150
+ continue
+ }
+ grep -v ':inactive$' log.$$.signal >/dev/null && { cat log.$$.signal ; echo ; cat log.$$ ; exit 1 ; }
+ success=1
+ break
+done
+
+set -e
+
+# exit code - defaults to 0, PASS
+ec=0
+
+if [ $success != 1 ] ; then
+ # couldn't run test -- addresses in use, skip test
+ cat log.$$
+ ec=77
+elif [ $e1 != 0 ] || [ $e2 != 0 ] ; then
+ # failure -- fail test
+ cat log.$$
+ ec=1
+fi
+
+rm log.$$ log.$$.signal
+trap 0
+exit $ec
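Review bot: `wait $!` after the subshell does not wait for the server: the server is backgrounded inside the `( ... )` group, so `$!` in the parent shell is not set to it, and with no background job in the parent `wait` returns 0, meaning `e2` is always 0 and a server-side failure is only caught indirectly through the signal-log check on `log.$$.signal`. The reliable place to reap the server is inside the subshell, where its PID is known; the subshell can then exit with the first non-zero status and the parent reads that as `e1`. The retry/skip logic that follows can stay as it is, since it only tests whether either status is non-zero.
```sh
  (
    # … unchanged: server invocation, backgrounded with & …
    srvpid=$!
    # … unchanged: client invocation (foreground) …
    e1=$?
    wait "$srvpid"
    e2=$?
    # surface the first non-zero status; the parent shell cannot wait on the server
    [ "$e1" != 0 ] && exit "$e1"
    exit "$e2"
  ) 3>log.$$.signal >log.$$ 2>&1
  e1=$?
  e2=0   # server status is folded into e1 above
```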
diff --git a/app/openvpn/tests/t_lpback.sh b/app/openvpn/tests/t_lpback.sh
new file mode 100755
index 00000000..40767a1b
--- /dev/null
+++ b/app/openvpn/tests/t_lpback.sh
@@ -0,0 +1,32 @@
+#! /bin/sh
+#
+# t_lpback.sh - script to test OpenVPN's crypto loopback
+# Copyright (C) 2005 Matthias Andree
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
+set -e
+top_builddir="${top_builddir:-..}"
+trap "rm -f key.$$ log.$$ ; trap 0 ; exit 77" 1 2 15
+trap "rm -f key.$$ log.$$ ; exit 1" 0 3
+"${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$
+set +e
+( "${top_builddir}/src/openvpn/openvpn" --test-crypto --secret key.$$ ) >log.$$ 2>&1
+e=$?
+if [ $e != 0 ] ; then cat log.$$ ; fi
+rm key.$$ log.$$
+trap 0
+exit $e
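Review bot: The static key produced by `--genkey --secret key.$$` is written under a predictable name in the current directory and nothing in the script restricts its permissions; unless openvpn itself creates the file with a restrictive mode (not verified here), it inherits the build user's umask and may be group- or world-readable for the lifetime of the test. Adding `umask 077` before the `--genkey` line is a one-line, portable way to keep both the key and `log.$$` private regardless of what openvpn does. The `$$`-based name is acceptable only because the file lives in the build directory rather than a shared /tmp; a comment stating that assumption, e.g. `# key.$$/log.$$ live in the build dir, not a shared tmp, so $$ is an acceptable suffix`, would make the choice explicit for future readers.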