From 5fc5d37330d3535a0f421632694d1e7918fc22d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Parm=C3=A9nides=20GV?=
Date: Tue, 8 Apr 2014 11:38:09 +0200
Subject: Compiles correctly: app/build-native + gradle.
---
app/openvpn/tests/Makefile.am | 23 +++
app/openvpn/tests/t_client.rc-sample | 93 +++++++++++
app/openvpn/tests/t_client.sh.in | 316 +++++++++++++++++++++++++++++++++++
app/openvpn/tests/t_cltsrv-down.sh | 2 +
app/openvpn/tests/t_cltsrv.sh | 91 ++++++++++
app/openvpn/tests/t_lpback.sh | 32 ++++
6 files changed, 557 insertions(+)
create mode 100644 app/openvpn/tests/Makefile.am
create mode 100644 app/openvpn/tests/t_client.rc-sample
create mode 100755 app/openvpn/tests/t_client.sh.in
create mode 100755 app/openvpn/tests/t_cltsrv-down.sh
create mode 100755 app/openvpn/tests/t_cltsrv.sh
create mode 100755 app/openvpn/tests/t_lpback.sh
(limited to 'app/openvpn/tests')
diff --git a/app/openvpn/tests/Makefile.am b/app/openvpn/tests/Makefile.am
new file mode 100644
index 00000000..b7980e04
--- /dev/null
+++ b/app/openvpn/tests/Makefile.am
@@ -0,0 +1,23 @@
+#
+# OpenVPN -- An application to securely tunnel IP networks
+# over a single UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+# Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
+# Copyright (C) 2006-2012 Alon Bar-Lev
+#
+
+MAINTAINERCLEANFILES = \
+ $(srcdir)/Makefile.in
+
+test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh
+
+TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)"
+TESTS = $(test_scripts)
+
+dist_noinst_SCRIPTS = \
+ $(test_scripts) \
+ t_cltsrv-down.sh
+
diff --git a/app/openvpn/tests/t_client.rc-sample b/app/openvpn/tests/t_client.rc-sample
new file mode 100644
index 00000000..dcb3e4ae
--- /dev/null
+++ b/app/openvpn/tests/t_client.rc-sample
@@ -0,0 +1,93 @@
+#
+# this is sourced from t_client.sh and defines which openvpn client tests
+# to run
+#
+# (sample config, copy to t_client.rc and adapt to your environment)
+#
+#
+# define these - if empty, no tests will run
+#
+top_srcdir="${top_srcdir:-..}"
+CA_CERT="${top_srcdir}/sample/sample-keys/ca.crt"
+CLIENT_KEY="${top_srcdir}/sample/sample-keys/client.key"
+CLIENT_CERT="${top_srcdir}/sample/sample-keys/client.crt"
+#
+# remote host (used as macro below)
+#
+REMOTE=mytestserver
+#
+# tests to run (list suffixes for config stanzas below)
+#
+TEST_RUN_LIST="1 2"
+
+#
+# use "sudo" (etc) to give openvpn the necessary privileges
+# if this is not active, "make check" must be run as root
+#
+#RUN_SUDO=sudo
+
+#
+# base confic that is the same for all the p2mp test runs
+#
+OPENVPN_BASE_P2MP="--client --ca $CA_CERT \
+ --cert $CLIENT_CERT --key $CLIENT_KEY \
+ --ns-cert-type server --nobind --comp-lzo --verb 3"
+
+# base config for p2p tests
+#
+OPENVPN_BASE_P2P="..."
+
+#
+#
+# now define the individual tests - all variables suffixed with _1, _2 etc
+# will be used in test run "1", "2", etc.
+#
+# if something is not defined here, the corresponding test is not run
+#
+# possible test options:
+#
+# RUN_TITLE_x="what is being tested on here" (purely informational)
+# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory]
+# EXPECT_IFCONFIG4_x = "this IPv4 address needs to show up in ifconfig"
+# EXPECT_IFCONFIG6_x = "this IPv6 address needs to show up in ifconfig"
+# PING4_HOSTS_x = "these hosts musts ping when openvpn is up (IPv4 fping)"
+# PING6_HOSTS_x = "these hosts musts ping when openvpn is up (IPv6 fping6)"
+#
+# Test 1: UDP / p2mp tun
+# specify IPv4+IPv6 addresses expected from server and ping targets
+#
+RUN_TITLE_1="testing tun/udp/ipv4+ipv6"
+OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194"
+EXPECT_IFCONFIG4_1="10.100.50.6"
+EXPECT_IFCONFIG6_1="2001:dba:a050::1:0"
+PING4_HOSTS_1="10.100.50.1 10.100.0.1"
+PING6_HOSTS_1="2001:dba::1 2001:dba:a050::1"
+
+# Test 2: TCP / p2mp tun
+#
+RUN_TITLE_2="testing tun/tcp/ipv4+ipv6"
+OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194"
+EXPECT_IFCONFIG4_2="10.100.51.6"
+EXPECT_IFCONFIG6_2="2001:dba:a051::1:0"
+PING4_HOSTS_2="10.100.51.1 10.100.0.1"
+PING6_HOSTS_1="2001:dba::1 2001:dba:a051::1"
+
+# Test 3: UDP / p2p tun
+# ...
+
+# Test 4: TCP / p2p tun
+# ...
+
+# Test 5: UDP / p2mp tap
+# ...
+
+# Test 6: TCP / p2mp tun
+# ...
+
+# Test 7: UDP / p2p tap
+# ...
+
+# Test 8: TCP / p2p tap
+# ...
+
+# Test 9: whatever you want to test... :-)
diff --git a/app/openvpn/tests/t_client.sh.in b/app/openvpn/tests/t_client.sh.in
new file mode 100755
index 00000000..189eecce
--- /dev/null
+++ b/app/openvpn/tests/t_client.sh.in
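Review bot: In app/openvpn/tests/t_client.rc-sample the Test 2 stanza assigns `PING6_HOSTS_1` a second time instead of defining `PING6_HOSTS_2`, so anyone who copies the sample gets test 1 pinging the `a051` targets and test 2 running with no IPv6 ping targets at all. t_client.sh.in treats an empty target list as fine (`run_ping_tests` returns early on it), so the gap is silent and the IPv6 path of the TCP run is never checked. The last assignment of that stanza should read `PING6_HOSTS_2="2001:dba::1 2001:dba:a051::1"`.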
@@ -0,0 +1,316 @@
+#!@SHELL@
+#
+# run OpenVPN client against ``test reference'' server
+# - check that ping, http, ... via tunnel works
+# - check that interface config / routes are properly cleaned after test end
+#
+# prerequisites:
+# - openvpn binary in current directory
+# - writable current directory to create subdir for logs
+# - t_client.rc in current directory OR source dir that specifies tests
+# - for "ping4" checks: fping binary in $PATH
+# - for "ping6" checks: fping6 binary in $PATH
+#
+
+srcdir="${srcdir:-.}"
+top_builddir="${top_builddir:-..}"
+if [ -r "${top_builddir}"/t_client.rc ] ; then
+ . "${top_builddir}"/t_client.rc
+elif [ -r "${srcdir}"/t_client.rc ] ; then
+ . "${srcdir}"/t_client.rc
+else
+ echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2
+ echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2
+ exit 77
+fi
+
+if [ ! -x "${top_builddir}/src/openvpn/openvpn" ]
+then
+ echo "no (executable) openvpn binary in current build tree. FAIL." >&2
+ exit 1
+fi
+
+if [ ! -w . ]
+then
+ echo "current directory is not writable (required for logging). FAIL." >&2
+ exit 1
+fi
+
+if [ -z "$CA_CERT" ] ; then
+ echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2
+ exit 77
+fi
+
+if [ -z "$TEST_RUN_LIST" ] ; then
+ echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2
+ exit 77
+fi
+
+# make sure we have permissions to run ifconfig/route from OpenVPN
+# can't use "id -u" here - doesn't work on Solaris
+ID=`id`
+if expr "$ID" : "uid=0" >/dev/null
+then :
+else
+ if [ -z "$RUN_SUDO" ]
+ then
+ echo "$0: this test must run be as root, or RUN_SUDO=... " >&2
+ echo " must be set correctly in 't_client.rc'. SKIP." >&2
+ exit 77
+ fi
+fi
+
+LOGDIR=t_client-`hostname`-`date +%Y%m%d-%H%M%S`
+if mkdir $LOGDIR
+then :
+else
+ echo "can't create log directory '$LOGDIR'. FAIL." >&2
+ exit 1
+fi
+
+exit_code=0
+
+# ----------------------------------------------------------
+# helper functions
+# ----------------------------------------------------------
+# print failure message, increase FAIL counter
+fail()
+{
+ echo ""
+ echo "FAIL: $@" >&2
+ fail_count=$(( $fail_count + 1 ))
+}
+
+# print "all interface IP addresses" + "all routes"
+# this is higly system dependent...
+get_ifconfig_route()
+{
+ # linux / iproute2? (-> if configure got a path)
+ if [ -n "@IPROUTE@" ]
+ then
+ echo "-- linux iproute2 --"
+ @IPROUTE@ addr show | grep -v valid_lft
+ @IPROUTE@ route show
+ @IPROUTE@ -o -6 route show | grep -v ' cache' | sed -e 's/expires [0-9]*sec//'
+ return
+ fi
+
+ # try uname
+ case `uname -s` in
+ Linux)
+ echo "-- linux / ifconfig --"
+ LANG=C @IFCONFIG@ -a |egrep "( addr:|encap:)"
+ LANG=C @NETSTAT@ -rn -4 -6
+ return
+ ;;
+ FreeBSD|NetBSD|Darwin)
+ echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --"
+ @IFCONFIG@ -a | egrep "(flags=|inet)"
+ @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
+ return
+ ;;
+ OpenBSD)
+ echo "-- OpenBSD --"
+ @IFCONFIG@ -a | egrep "(flags=|inet)" | \
+ sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//'
+ @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
+ return
+ ;;
+ SunOS)
+ echo "-- Solaris --"
+ @IFCONFIG@ -a | egrep "(flags=|inet)"
+ @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }'
+ return
+ ;;
+ esac
+
+ echo "get_ifconfig_route(): no idea how to get info on your OS. FAIL." >&2
+ exit 20
+}
+
+# ----------------------------------------------------------
+# check ifconfig
+# arg1: "4" or "6" -> for message
+# arg2: IPv4/IPv6 address that must show up in out of "get_ifconfig_route"
+check_ifconfig()
+{
+ proto=$1 ; shift
+ expect_list="$@"
+
+ if [ -z "$expect_list" ] ; then return ; fi
+
+ for expect in $expect_list
+ do
+ if get_ifconfig_route | fgrep "$expect" >/dev/null
+ then :
+ else
+ fail "check_ifconfig(): expected IPv$proto address '$expect' not found in ifconfig output."
+ fi
+ done
+}
+
+# ----------------------------------------------------------
+# run pings
+# arg1: "4" or "6" -> fping/fing6
+# arg2: "want_ok" or "want_fail" (expected ping result)
+# arg3... -> fping arguments (host list)
+run_ping_tests()
+{
+ proto=$1 ; want=$2 ; shift ; shift
+ targetlist="$@"
+
+ # "no targets" is fine
+ if [ -z "$targetlist" ] ; then return ; fi
+
+ case $proto in
+ 4) cmd=fping ;;
+ 6) cmd=fping6 ;;
+ *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2
+ exit 1 ;;
+ esac
+
+ case $want in
+ want_ok) sizes_list="64 1440 3000" ;;
+ want_fail) sizes_list="64" ;;
+ esac
+
+ for bytes in $sizes_list
+ do
+ echo "run IPv$proto ping tests ($want), $bytes byte packets..."
+
+ echo "$cmd -b $bytes -C 20 -p 250 -q $targetlist" >>$LOGDIR/$SUF:fping.out
+ $cmd -b $bytes -C 20 -p 250 -q $targetlist >>$LOGDIR/$SUF:fping.out 2>&1
+
+ # while OpenVPN is running, pings must succeed (want='want_ok')
+ # before OpenVPN is up, pings must NOT succeed (want='want_fail')
+
+ rc=$?
+ if [ $rc = 0 ] # all ping OK
+ then
+ if [ $want = "want_fail" ] # not what we want
+ then
+ fail "IPv$proto ping test succeeded, but needs to *fail*."
+ fi
+ else # ping failed
+ if [ $want = "want_ok" ] # not what we wanted
+ then
+ fail "IPv$proto ping test ($bytes bytes) failed, but should succeed."
+ fi
+ fi
+ done
+}
+
+# ----------------------------------------------------------
+# main test loop
+# ----------------------------------------------------------
+SUMMARY_OK=
+SUMMARY_FAIL=
+
+for SUF in $TEST_RUN_LIST
+do
+ # get config variables
+ eval test_run_title=\"\$RUN_TITLE_$SUF\"
+ eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\"
+ eval expect_ifconfig4=\"\$EXPECT_IFCONFIG4_$SUF\"
+ eval expect_ifconfig6=\"\$EXPECT_IFCONFIG6_$SUF\"
+ eval ping4_hosts=\"\$PING4_HOSTS_$SUF\"
+ eval ping6_hosts=\"\$PING6_HOSTS_$SUF\"
+
+ echo -e "\n### test run $SUF: '$test_run_title' ###\n"
+ fail_count=0
+
+ echo "save pre-openvpn ifconfig + route"
+ get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_pre.txt
+
+ echo -e "\nrun pre-openvpn ping tests - targets must not be reachable..."
+ run_ping_tests 4 want_fail "$ping4_hosts"
+ run_ping_tests 6 want_fail "$ping6_hosts"
+ if [ "$fail_count" = 0 ] ; then
+ echo -e "OK.\n"
+ else
+ echo -e "FAIL: make sure that ping hosts are ONLY reachable via VPN, SKIP test $SUF".
+ exit_code=31
+ continue
+ fi
+
+ echo " run openvpn $openvpn_conf"
+ echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log
+ $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log &
+ opid=$!
+
+ # make sure openvpn client is terminated in case shell exits
+ trap "$RUN_SUDO kill $opid" 0
+ trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15
+
+ echo "wait for connection to establish..."
+ sleep ${SETUP_TIME_WAIT:-10}
+
+ # test whether OpenVPN process is still there
+ if $RUN_SUDO kill -0 $opid
+ then :
+ else
+ echo -e "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log). FAIL.\ntail of logfile follows:\n..." >&2
+ tail $LOGDIR/$SUF:openvpn.log >&2
+ trap - 0 1 2 3 15
+ exit 10
+ fi
+
+ # compare whether anything changed in ifconfig/route setup?
+ echo "save ifconfig+route"
+ get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route.txt
+
+ echo -n "compare pre-openvpn ifconfig+route with current values..."
+ if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \
+ $LOGDIR/$SUF:ifconfig_route.txt >/dev/null
+ then
+ fail "no differences between ifconfig/route before OpenVPN start and now."
+ else
+ echo -e " OK!\n"
+ fi
+
+ # expected ifconfig values in there?
+ check_ifconfig 4 "$expect_ifconfig4"
+ check_ifconfig 6 "$expect_ifconfig6"
+
+ run_ping_tests 4 want_ok "$ping4_hosts"
+ run_ping_tests 6 want_ok "$ping6_hosts"
+ echo -e "ping tests done.\n"
+
+ echo "stopping OpenVPN"
+ $RUN_SUDO kill $opid
+ wait $!
+ rc=$?
+ if [ $rc != 0 ] ; then
+ fail "OpenVPN return code $rc, expect 0"
+ fi
+
+ echo -e "\nsave post-openvpn ifconfig + route..."
+ get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_post.txt
+
+ echo -n "compare pre- and post-openvpn ifconfig + route..."
+ if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \
+ $LOGDIR/$SUF:ifconfig_route_post.txt >$LOGDIR/$SUF:ifconfig_route_diff.txt
+ then
+ echo -e " OK.\n"
+ else
+ cat $LOGDIR/$SUF:ifconfig_route_diff.txt >&2
+ fail "differences between pre- and post-ifconfig/route"
+ fi
+ if [ "$fail_count" = 0 ] ; then
+ echo -e "test run $SUF: all tests OK.\n"
+ SUMMARY_OK="$SUMMARY_OK $SUF"
+ else
+ echo -e "test run $SUF: $fail_count test failures. FAIL.\n";
+ SUMMARY_FAIL="$SUMMARY_FAIL $SUF"
+ exit_code=30
+ fi
+done
+
+if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi
+if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi
+echo "Test sets succeded:$SUMMARY_OK."
+echo "Test sets failed:$SUMMARY_FAIL."
+
+# remove trap handler
+trap - 0 1 2 3 15
+exit $exit_code
diff --git a/app/openvpn/tests/t_cltsrv-down.sh b/app/openvpn/tests/t_cltsrv-down.sh
new file mode 100755
index 00000000..2ef852aa
--- /dev/null
+++ b/app/openvpn/tests/t_cltsrv-down.sh
@@ -0,0 +1,2 @@
+#! /bin/sh
+echo "${role}:${signal}" >&3
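Review bot: In the main loop of t_client.sh.in the traps installed after `opid=$!` stay armed once the client has been stopped with `$RUN_SUDO kill $opid` and reaped by `wait $!`; they are only cleared by the `trap - 0 1 2 3 15` at the very end of the script. A signal or early exit during a later iteration's pre-openvpn phase (for example after the `continue` on a failed pre-ping check) therefore runs `$RUN_SUDO kill $opid` against a PID that no longer belongs to this test and may have been reused, with root privileges when RUN_SUDO is set. Clearing the handlers as soon as the status is collected closes that window: add `trap - 0 1 2 3 15` directly after the `rc=$?` that follows `wait $!`.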
diff --git a/app/openvpn/tests/t_cltsrv.sh b/app/openvpn/tests/t_cltsrv.sh
new file mode 100755
index 00000000..752251e4
--- /dev/null
+++ b/app/openvpn/tests/t_cltsrv.sh
@@ -0,0 +1,91 @@
+#! /bin/sh
+#
+# t_cltsrv.sh - script to test OpenVPN's crypto loopback
+# Copyright (C) 2005, 2006, 2008 Matthias Andree
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
+set -e
+srcdir="${srcdir:-.}"
+top_srcdir="${top_srcdir:-..}"
+top_builddir="${top_builddir:-..}"
+trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
+trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3
+addopts=
+case `uname -s` in
+ FreeBSD)
+ # FreeBSD jails map the outgoing IP to the jail IP - we need to
+ # allow the real IP unless we want the test to run forever.
+ if test "`sysctl 2>/dev/null -n security.jail.jailed`" = 1 \
+ || ps -ostate= -p $$ | grep -q J; then
+ addopts="--float"
+ if test "x`ifconfig | grep inet`" = x ; then
+ echo "###"
+ echo "### To run the test in a FreeBSD jail, you MUST add an IP alias for the jail's IP."
+ echo "###"
+ exit 77
+ fi
+ fi
+ ;;
+esac
+
+# make sure that the --down script is executable -- fail (rather than
+# skip) test if it isn't.
+downscript="../tests/t_cltsrv-down.sh"
+root="${top_srcdir}/sample"
+test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; }
+echo "The following test will take about two minutes." >&2
+echo "If the addresses are in use, this test will retry up to two times." >&2
+
+# go
+success=0
+for i in 1 2 3 ; do
+ set +e
+ (
+ "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" &
+ "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client"
+ ) 3>log.$$.signal >log.$$ 2>&1
+ e1=$?
+ wait $!
+ e2=$?
+ grep 'TCP/UDP: Socket bind failed on local address.*in use' log.$$ >/dev/null && {
+ echo 'address in use, retrying in 150 s'
+ sleep 150
+ continue
+ }
+ grep -v ':inactive$' log.$$.signal >/dev/null && { cat log.$$.signal ; echo ; cat log.$$ ; exit 1 ; }
+ success=1
+ break
+done
+
+set -e
+
+# exit code - defaults to 0, PASS
+ec=0
+
+if [ $success != 1 ] ; then
+ # couldn't run test -- addresses in use, skip test
+ cat log.$$
+ ec=77
+elif [ $e1 != 0 ] || [ $e2 != 0 ] ; then
+ # failure -- fail test
+ cat log.$$
+ ec=1
+fi
+
+rm log.$$ log.$$.signal
+trap 0
+exit $ec
diff --git a/app/openvpn/tests/t_lpback.sh b/app/openvpn/tests/t_lpback.sh
new file mode 100755
index 00000000..40767a1b
--- /dev/null
+++ b/app/openvpn/tests/t_lpback.sh
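Review bot: In t_cltsrv.sh, `wait $!` runs in the parent shell, but the only background job (the server) is started inside the `( … )` subshell, so `$!` is empty at that point and `e2` is, as far as the visible lines show, always 0, while `e1` carries only the client's status. A server that exits non-zero is therefore never caught by `elif [ $e1 != 0 ] || [ $e2 != 0 ]`, and the loopback test can pass with a failed server side. Collecting both statuses inside the subshell, as sketched below, fixes that. Confirm first that the loopback server really exits 0 on the inactivity timeout, otherwise the stricter check turns passing runs into failures.

```shell
  (
    # … unchanged: server openvpn command line, still ending in & …
    srv_pid=$!
    # … unchanged: client openvpn command line …
    clt_rc=$?
    wait "$srv_pid"
    srv_rc=$?
    [ "$clt_rc" = 0 ] && [ "$srv_rc" = 0 ]
  ) 3>log.$$.signal >log.$$ 2>&1
  e1=$?
  e2=0  # server and client status are both folded into e1 by the subshell
```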
@@ -0,0 +1,32 @@
+#! /bin/sh
+#
+# t_lpback.sh - script to test OpenVPN's crypto loopback
+# Copyright (C) 2005 Matthias Andree
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
+set -e
+top_builddir="${top_builddir:-..}"
+trap "rm -f key.$$ log.$$ ; trap 0 ; exit 77" 1 2 15
+trap "rm -f key.$$ log.$$ ; exit 1" 0 3
+"${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$
+set +e
+( "${top_builddir}/src/openvpn/openvpn" --test-crypto --secret key.$$ ) >log.$$ 2>&1
+e=$?
+if [ $e != 0 ] ; then cat log.$$ ; fi
+rm key.$$ log.$$
+trap 0
+exit $e
-- cgit v1.2.3
From 3c3421afd8f74a3aa8d1011de07a8c18f9549210 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Tue, 8 Apr 2014 12:04:17 +0200 Subject: Rename app->bitmask_android This way, gradle commands generate apks correctly named. --- app/openvpn/tests/Makefile.am | 23 --- app/openvpn/tests/t_client.rc-sample | 93 ----------- app/openvpn/tests/t_client.sh.in | 316 ----------------------------------- app/openvpn/tests/t_cltsrv-down.sh | 2 - app/openvpn/tests/t_cltsrv.sh | 91 ---------- app/openvpn/tests/t_lpback.sh | 32 ---- 6 files changed, 557 deletions(-) delete mode 100644 app/openvpn/tests/Makefile.am delete mode 100644 app/openvpn/tests/t_client.rc-sample delete mode 100755 app/openvpn/tests/t_client.sh.in delete mode 100755 app/openvpn/tests/t_cltsrv-down.sh delete mode 100755 app/openvpn/tests/t_cltsrv.sh delete mode 100755 app/openvpn/tests/t_lpback.sh (limited to 'app/openvpn/tests') diff --git a/app/openvpn/tests/Makefile.am b/app/openvpn/tests/Makefile.am deleted file mode 100644 index b7980e04..00000000 --- a/app/openvpn/tests/Makefile.am +++ /dev/null @@ -1,23 +0,0 @@ -# -# OpenVPN -- An application to securely tunnel IP networks -# over a single UDP port, with support for SSL/TLS-based -# session authentication and key exchange, -# packet encryption, packet authentication, and -# packet compression. -# -# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. -# Copyright (C) 2006-2012 Alon Bar-Lev -# - -MAINTAINERCLEANFILES = \ - $(srcdir)/Makefile.in - -test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh - -TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)" -TESTS = $(test_scripts) - -dist_noinst_SCRIPTS = \ - $(test_scripts) \ - t_cltsrv-down.sh - diff --git a/app/openvpn/tests/t_client.rc-sample b/app/openvpn/tests/t_client.rc-sample deleted file mode 100644 index dcb3e4ae..00000000 --- a/app/openvpn/tests/t_client.rc-sample +++ /dev/null 
@@ -1,93 +0,0 @@ -# -# this is sourced from t_client.sh and defines which openvpn client tests -# to run -# -# (sample config, copy to t_client.rc and adapt to your environment) -# -# -# define these - if empty, no tests will run -# -top_srcdir="${top_srcdir:-..}" -CA_CERT="${top_srcdir}/sample/sample-keys/ca.crt" -CLIENT_KEY="${top_srcdir}/sample/sample-keys/client.key" -CLIENT_CERT="${top_srcdir}/sample/sample-keys/client.crt" -# -# remote host (used as macro below) -# -REMOTE=mytestserver -# -# tests to run (list suffixes for config stanzas below) -# -TEST_RUN_LIST="1 2" - -# -# use "sudo" (etc) to give openvpn the necessary privileges -# if this is not active, "make check" must be run as root -# -#RUN_SUDO=sudo - -# -# base confic that is the same for all the p2mp test runs -# -OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ - --cert $CLIENT_CERT --key $CLIENT_KEY \ - --ns-cert-type server --nobind --comp-lzo --verb 3" - -# base config for p2p tests -# -OPENVPN_BASE_P2P="..." - -# -# -# now define the individual tests - all variables suffixed with _1, _2 etc -# will be used in test run "1", "2", etc. 
-# -# if something is not defined here, the corresponding test is not run -# -# possible test options: -# -# RUN_TITLE_x="what is being tested on here" (purely informational) -# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory] -# EXPECT_IFCONFIG4_x = "this IPv4 address needs to show up in ifconfig" -# EXPECT_IFCONFIG6_x = "this IPv6 address needs to show up in ifconfig" -# PING4_HOSTS_x = "these hosts musts ping when openvpn is up (IPv4 fping)" -# PING6_HOSTS_x = "these hosts musts ping when openvpn is up (IPv6 fping6)" -# -# Test 1: UDP / p2mp tun -# specify IPv4+IPv6 addresses expected from server and ping targets -# -RUN_TITLE_1="testing tun/udp/ipv4+ipv6" -OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194" -EXPECT_IFCONFIG4_1="10.100.50.6" -EXPECT_IFCONFIG6_1="2001:dba:a050::1:0" -PING4_HOSTS_1="10.100.50.1 10.100.0.1" -PING6_HOSTS_1="2001:dba::1 2001:dba:a050::1" - -# Test 2: TCP / p2mp tun -# -RUN_TITLE_2="testing tun/tcp/ipv4+ipv6" -OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194" -EXPECT_IFCONFIG4_2="10.100.51.6" -EXPECT_IFCONFIG6_2="2001:dba:a051::1:0" -PING4_HOSTS_2="10.100.51.1 10.100.0.1" -PING6_HOSTS_1="2001:dba::1 2001:dba:a051::1" - -# Test 3: UDP / p2p tun -# ... - -# Test 4: TCP / p2p tun -# ... - -# Test 5: UDP / p2mp tap -# ... - -# Test 6: TCP / p2mp tun -# ... - -# Test 7: UDP / p2p tap -# ... - -# Test 8: TCP / p2p tap -# ... - -# Test 9: whatever you want to test... :-) diff --git a/app/openvpn/tests/t_client.sh.in b/app/openvpn/tests/t_client.sh.in deleted file mode 100755 index 189eecce..00000000 --- a/app/openvpn/tests/t_client.sh.in +++ /dev/null 
@@ -1,316 +0,0 @@ -#!@SHELL@ -# -# run OpenVPN client against ``test reference'' server -# - check that ping, http, ... via tunnel works -# - check that interface config / routes are properly cleaned after test end -# -# prerequisites: -# - openvpn binary in current directory -# - writable current directory to create subdir for logs -# - t_client.rc in current directory OR source dir that specifies tests -# - for "ping4" checks: fping binary in $PATH -# - for "ping6" checks: fping6 binary in $PATH -# - -srcdir="${srcdir:-.}" -top_builddir="${top_builddir:-..}" -if [ -r "${top_builddir}"/t_client.rc ] ; then - . "${top_builddir}"/t_client.rc -elif [ -r "${srcdir}"/t_client.rc ] ; then - . "${srcdir}"/t_client.rc -else - echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2 - echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2 - exit 77 -fi - -if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] -then - echo "no (executable) openvpn binary in current build tree. FAIL." >&2 - exit 1 -fi - -if [ ! -w . ] -then - echo "current directory is not writable (required for logging). FAIL." >&2 - exit 1 -fi - -if [ -z "$CA_CERT" ] ; then - echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2 - exit 77 -fi - -if [ -z "$TEST_RUN_LIST" ] ; then - echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2 - exit 77 -fi - -# make sure we have permissions to run ifconfig/route from OpenVPN -# can't use "id -u" here - doesn't work on Solaris -ID=`id` -if expr "$ID" : "uid=0" >/dev/null -then : -else - if [ -z "$RUN_SUDO" ] - then - echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 - echo " must be set correctly in 't_client.rc'. SKIP." >&2 - exit 77 - fi -fi - -LOGDIR=t_client-`hostname`-`date +%Y%m%d-%H%M%S` -if mkdir $LOGDIR -then : -else - echo "can't create log directory '$LOGDIR'. FAIL." 
>&2 - exit 1 -fi - -exit_code=0 - -# ---------------------------------------------------------- -# helper functions -# ---------------------------------------------------------- -# print failure message, increase FAIL counter -fail() -{ - echo "" - echo "FAIL: $@" >&2 - fail_count=$(( $fail_count + 1 )) -} - -# print "all interface IP addresses" + "all routes" -# this is higly system dependent... -get_ifconfig_route() -{ - # linux / iproute2? (-> if configure got a path) - if [ -n "@IPROUTE@" ] - then - echo "-- linux iproute2 --" - @IPROUTE@ addr show | grep -v valid_lft - @IPROUTE@ route show - @IPROUTE@ -o -6 route show | grep -v ' cache' | sed -e 's/expires [0-9]*sec//' - return - fi - - # try uname - case `uname -s` in - Linux) - echo "-- linux / ifconfig --" - LANG=C @IFCONFIG@ -a |egrep "( addr:|encap:)" - LANG=C @NETSTAT@ -rn -4 -6 - return - ;; - FreeBSD|NetBSD|Darwin) - echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --" - @IFCONFIG@ -a | egrep "(flags=|inet)" - @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' - return - ;; - OpenBSD) - echo "-- OpenBSD --" - @IFCONFIG@ -a | egrep "(flags=|inet)" | \ - sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//' - @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' - return - ;; - SunOS) - echo "-- Solaris --" - @IFCONFIG@ -a | egrep "(flags=|inet)" - @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' - return - ;; - esac - - echo "get_ifconfig_route(): no idea how to get info on your OS. FAIL." >&2 - exit 20 -} - -# ---------------------------------------------------------- -# check ifconfig -# arg1: "4" or "6" -> for message -# arg2: IPv4/IPv6 address that must show up in out of "get_ifconfig_route" -check_ifconfig() -{ - proto=$1 ; shift - expect_list="$@" - - if [ -z "$expect_list" ] ; then return ; fi - - for expect in $expect_list - do - if get_ifconfig_route | fgrep "$expect" >/dev/null - then : - else - fail "check_ifconfig(): expected IPv$proto address '$expect' not found in ifconfig output." 
- fi - done -} - -# ---------------------------------------------------------- -# run pings -# arg1: "4" or "6" -> fping/fing6 -# arg2: "want_ok" or "want_fail" (expected ping result) -# arg3... -> fping arguments (host list) -run_ping_tests() -{ - proto=$1 ; want=$2 ; shift ; shift - targetlist="$@" - - # "no targets" is fine - if [ -z "$targetlist" ] ; then return ; fi - - case $proto in - 4) cmd=fping ;; - 6) cmd=fping6 ;; - *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2 - exit 1 ;; - esac - - case $want in - want_ok) sizes_list="64 1440 3000" ;; - want_fail) sizes_list="64" ;; - esac - - for bytes in $sizes_list - do - echo "run IPv$proto ping tests ($want), $bytes byte packets..." - - echo "$cmd -b $bytes -C 20 -p 250 -q $targetlist" >>$LOGDIR/$SUF:fping.out - $cmd -b $bytes -C 20 -p 250 -q $targetlist >>$LOGDIR/$SUF:fping.out 2>&1 - - # while OpenVPN is running, pings must succeed (want='want_ok') - # before OpenVPN is up, pings must NOT succeed (want='want_fail') - - rc=$? - if [ $rc = 0 ] # all ping OK - then - if [ $want = "want_fail" ] # not what we want - then - fail "IPv$proto ping test succeeded, but needs to *fail*." - fi - else # ping failed - if [ $want = "want_ok" ] # not what we wanted - then - fail "IPv$proto ping test ($bytes bytes) failed, but should succeed." 
- fi - fi - done -} - -# ---------------------------------------------------------- -# main test loop -# ---------------------------------------------------------- -SUMMARY_OK= -SUMMARY_FAIL= - -for SUF in $TEST_RUN_LIST -do - # get config variables - eval test_run_title=\"\$RUN_TITLE_$SUF\" - eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\" - eval expect_ifconfig4=\"\$EXPECT_IFCONFIG4_$SUF\" - eval expect_ifconfig6=\"\$EXPECT_IFCONFIG6_$SUF\" - eval ping4_hosts=\"\$PING4_HOSTS_$SUF\" - eval ping6_hosts=\"\$PING6_HOSTS_$SUF\" - - echo -e "\n### test run $SUF: '$test_run_title' ###\n" - fail_count=0 - - echo "save pre-openvpn ifconfig + route" - get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_pre.txt - - echo -e "\nrun pre-openvpn ping tests - targets must not be reachable..." - run_ping_tests 4 want_fail "$ping4_hosts" - run_ping_tests 6 want_fail "$ping6_hosts" - if [ "$fail_count" = 0 ] ; then - echo -e "OK.\n" - else - echo -e "FAIL: make sure that ping hosts are ONLY reachable via VPN, SKIP test $SUF". - exit_code=31 - continue - fi - - echo " run openvpn $openvpn_conf" - echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log - $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log & - opid=$! - - # make sure openvpn client is terminated in case shell exits - trap "$RUN_SUDO kill $opid" 0 - trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15 - - echo "wait for connection to establish..." - sleep ${SETUP_TIME_WAIT:-10} - - # test whether OpenVPN process is still there - if $RUN_SUDO kill -0 $opid - then : - else - echo -e "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log). FAIL.\ntail of logfile follows:\n..." >&2 - tail $LOGDIR/$SUF:openvpn.log >&2 - trap - 0 1 2 3 15 - exit 10 - fi - - # compare whether anything changed in ifconfig/route setup? 
- echo "save ifconfig+route" - get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route.txt - - echo -n "compare pre-openvpn ifconfig+route with current values..." - if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \ - $LOGDIR/$SUF:ifconfig_route.txt >/dev/null - then - fail "no differences between ifconfig/route before OpenVPN start and now." - else - echo -e " OK!\n" - fi - - # expected ifconfig values in there? - check_ifconfig 4 "$expect_ifconfig4" - check_ifconfig 6 "$expect_ifconfig6" - - run_ping_tests 4 want_ok "$ping4_hosts" - run_ping_tests 6 want_ok "$ping6_hosts" - echo -e "ping tests done.\n" - - echo "stopping OpenVPN" - $RUN_SUDO kill $opid - wait $! - rc=$? - if [ $rc != 0 ] ; then - fail "OpenVPN return code $rc, expect 0" - fi - - echo -e "\nsave post-openvpn ifconfig + route..." - get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_post.txt - - echo -n "compare pre- and post-openvpn ifconfig + route..." - if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \ - $LOGDIR/$SUF:ifconfig_route_post.txt >$LOGDIR/$SUF:ifconfig_route_diff.txt - then - echo -e " OK.\n" - else - cat $LOGDIR/$SUF:ifconfig_route_diff.txt >&2 - fail "differences between pre- and post-ifconfig/route" - fi - if [ "$fail_count" = 0 ] ; then - echo -e "test run $SUF: all tests OK.\n" - SUMMARY_OK="$SUMMARY_OK $SUF" - else - echo -e "test run $SUF: $fail_count test failures. FAIL.\n"; - SUMMARY_FAIL="$SUMMARY_FAIL $SUF" - exit_code=30 - fi -done - -if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi -if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi -echo "Test sets succeded:$SUMMARY_OK." -echo "Test sets failed:$SUMMARY_FAIL." - -# remove trap handler -trap - 0 1 2 3 15 -exit $exit_code diff --git a/app/openvpn/tests/t_cltsrv-down.sh b/app/openvpn/tests/t_cltsrv-down.sh deleted file mode 100755 index 2ef852aa..00000000 --- a/app/openvpn/tests/t_cltsrv-down.sh +++ /dev/null @@ -1,2 +0,0 @@ -#! /bin/sh -echo "${role}:${signal}" >&3 
diff --git a/app/openvpn/tests/t_cltsrv.sh b/app/openvpn/tests/t_cltsrv.sh deleted file mode 100755 index 752251e4..00000000 --- a/app/openvpn/tests/t_cltsrv.sh +++ /dev/null 
@@ -1,91 +0,0 @@ -#! /bin/sh -# -# t_cltsrv.sh - script to test OpenVPN's crypto loopback -# Copyright (C) 2005, 2006, 2008 Matthias Andree -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -# 02110-1301, USA. - -set -e -srcdir="${srcdir:-.}" -top_srcdir="${top_srcdir:-..}" -top_builddir="${top_builddir:-..}" -trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15 -trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3 -addopts= -case `uname -s` in - FreeBSD) - # FreeBSD jails map the outgoing IP to the jail IP - we need to - # allow the real IP unless we want the test to run forever. - if test "`sysctl 2>/dev/null -n security.jail.jailed`" = 1 \ - || ps -ostate= -p $$ | grep -q J; then - addopts="--float" - if test "x`ifconfig | grep inet`" = x ; then - echo "###" - echo "### To run the test in a FreeBSD jail, you MUST add an IP alias for the jail's IP." - echo "###" - exit 77 - fi - fi - ;; -esac - -# make sure that the --down script is executable -- fail (rather than -# skip) test if it isn't. -downscript="../tests/t_cltsrv-down.sh" -root="${top_srcdir}/sample" -test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; } -echo "The following test will take about two minutes." 
>&2 -echo "If the addresses are in use, this test will retry up to two times." >&2 - -# go -success=0 -for i in 1 2 3 ; do - set +e - ( - "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" & - "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client" - ) 3>log.$$.signal >log.$$ 2>&1 - e1=$? - wait $! - e2=$? - grep 'TCP/UDP: Socket bind failed on local address.*in use' log.$$ >/dev/null && { - echo 'address in use, retrying in 150 s' - sleep 150 - continue - } - grep -v ':inactive$' log.$$.signal >/dev/null && { cat log.$$.signal ; echo ; cat log.$$ ; exit 1 ; } - success=1 - break -done - -set -e - -# exit code - defaults to 0, PASS -ec=0 - -if [ $success != 1 ] ; then - # couldn't run test -- addresses in use, skip test - cat log.$$ - ec=77 -elif [ $e1 != 0 ] || [ $e2 != 0 ] ; then - # failure -- fail test - cat log.$$ - ec=1 -fi - -rm log.$$ log.$$.signal -trap 0 -exit $ec diff --git a/app/openvpn/tests/t_lpback.sh b/app/openvpn/tests/t_lpback.sh deleted file mode 100755 index 40767a1b..00000000 --- a/app/openvpn/tests/t_lpback.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#! /bin/sh -# -# t_lpback.sh - script to test OpenVPN's crypto loopback -# Copyright (C) 2005 Matthias Andree -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -# 02110-1301, USA. - -set -e -top_builddir="${top_builddir:-..}" -trap "rm -f key.$$ log.$$ ; trap 0 ; exit 77" 1 2 15 -trap "rm -f key.$$ log.$$ ; exit 1" 0 3 -"${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$ -set +e -( "${top_builddir}/src/openvpn/openvpn" --test-crypto --secret key.$$ ) >log.$$ 2>&1 -e=$? -if [ $e != 0 ] ; then cat log.$$ ; fi -rm key.$$ log.$$ -trap 0 -exit $e -- cgit v1.2.3 From 1684c8f398922065a97e7da4dac4ac6a33cc5218 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Wed, 9 Apr 2014 16:03:55 +0200 Subject: Back to the standard "app" module. This return to "app" instead of "bitmask_android" is due to this reading: https://developer.android.com/sdk/installing/studio-build.html#projectStructure I'll have to tweak the final apk name in build.gradle. --- app/openvpn/tests/Makefile.am | 23 +++ app/openvpn/tests/t_client.rc-sample | 93 +++++++++++ app/openvpn/tests/t_client.sh.in | 316 +++++++++++++++++++++++++++++++++++ app/openvpn/tests/t_cltsrv-down.sh | 2 + app/openvpn/tests/t_cltsrv.sh | 91 ++++++++++ app/openvpn/tests/t_lpback.sh | 32 ++++ 6 files changed, 557 insertions(+) create mode 100644 app/openvpn/tests/Makefile.am create mode 100644 app/openvpn/tests/t_client.rc-sample create mode 100755 app/openvpn/tests/t_client.sh.in create mode 100755 app/openvpn/tests/t_cltsrv-down.sh create mode 100755 app/openvpn/tests/t_cltsrv.sh create mode 100755 app/openvpn/tests/t_lpback.sh (limited to 'app/openvpn/tests') diff --git a/app/openvpn/tests/Makefile.am b/app/openvpn/tests/Makefile.am new file mode 100644 index 00000000..b7980e04 --- /dev/null +++ b/app/openvpn/tests/Makefile.am @@ -0,0 +1,23 @@ +# +# OpenVPN -- An application to securely tunnel IP networks +# over a single UDP port, with support for SSL/TLS-based +# session authentication and key exchange, +# packet encryption, packet authentication, and +# packet compression. +# +# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. +# Copyright (C) 2006-2012 Alon Bar-Lev +# + +MAINTAINERCLEANFILES = \ + $(srcdir)/Makefile.in + +test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh + +TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)" +TESTS = $(test_scripts) + +dist_noinst_SCRIPTS = \ + $(test_scripts) \ + t_cltsrv-down.sh + diff --git a/app/openvpn/tests/t_client.rc-sample b/app/openvpn/tests/t_client.rc-sample new file mode 100644 index 00000000..dcb3e4ae --- /dev/null +++ b/app/openvpn/tests/t_client.rc-sample 
@@ -0,0 +1,93 @@ +# +# this is sourced from t_client.sh and defines which openvpn client tests +# to run +# +# (sample config, copy to t_client.rc and adapt to your environment) +# +# +# define these - if empty, no tests will run +# +top_srcdir="${top_srcdir:-..}" +CA_CERT="${top_srcdir}/sample/sample-keys/ca.crt" +CLIENT_KEY="${top_srcdir}/sample/sample-keys/client.key" +CLIENT_CERT="${top_srcdir}/sample/sample-keys/client.crt" +# +# remote host (used as macro below) +# +REMOTE=mytestserver +# +# tests to run (list suffixes for config stanzas below) +# +TEST_RUN_LIST="1 2" + +# +# use "sudo" (etc) to give openvpn the necessary privileges +# if this is not active, "make check" must be run as root +# +#RUN_SUDO=sudo + +# +# base confic that is the same for all the p2mp test runs +# +OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ + --cert $CLIENT_CERT --key $CLIENT_KEY \ + --ns-cert-type server --nobind --comp-lzo --verb 3" + +# base config for p2p tests +# +OPENVPN_BASE_P2P="..." + +# +# +# now define the individual tests - all variables suffixed with _1, _2 etc +# will be used in test run "1", "2", etc. 
+# +# if something is not defined here, the corresponding test is not run +# +# possible test options: +# +# RUN_TITLE_x="what is being tested on here" (purely informational) +# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory] +# EXPECT_IFCONFIG4_x = "this IPv4 address needs to show up in ifconfig" +# EXPECT_IFCONFIG6_x = "this IPv6 address needs to show up in ifconfig" +# PING4_HOSTS_x = "these hosts musts ping when openvpn is up (IPv4 fping)" +# PING6_HOSTS_x = "these hosts musts ping when openvpn is up (IPv6 fping6)" +# +# Test 1: UDP / p2mp tun +# specify IPv4+IPv6 addresses expected from server and ping targets +# +RUN_TITLE_1="testing tun/udp/ipv4+ipv6" +OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194" +EXPECT_IFCONFIG4_1="10.100.50.6" +EXPECT_IFCONFIG6_1="2001:dba:a050::1:0" +PING4_HOSTS_1="10.100.50.1 10.100.0.1" +PING6_HOSTS_1="2001:dba::1 2001:dba:a050::1" + +# Test 2: TCP / p2mp tun +# +RUN_TITLE_2="testing tun/tcp/ipv4+ipv6" +OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194" +EXPECT_IFCONFIG4_2="10.100.51.6" +EXPECT_IFCONFIG6_2="2001:dba:a051::1:0" +PING4_HOSTS_2="10.100.51.1 10.100.0.1" +PING6_HOSTS_1="2001:dba::1 2001:dba:a051::1" + +# Test 3: UDP / p2p tun +# ... + +# Test 4: TCP / p2p tun +# ... + +# Test 5: UDP / p2mp tap +# ... + +# Test 6: TCP / p2mp tun +# ... + +# Test 7: UDP / p2p tap +# ... + +# Test 8: TCP / p2p tap +# ... + +# Test 9: whatever you want to test... :-) diff --git a/app/openvpn/tests/t_client.sh.in b/app/openvpn/tests/t_client.sh.in new file mode 100755 index 00000000..189eecce --- /dev/null +++ b/app/openvpn/tests/t_client.sh.in 
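Review bot: Under `# Test 2` the last assignment writes `PING6_HOSTS_1` a second time instead of `PING6_HOSTS_2`. Anyone copying this sample gets a run 2 with no IPv6 ping targets, and run 1's IPv6 list is silently replaced by the `a051` addresses that belong to the TCP instance. The line should read `PING6_HOSTS_2="2001:dba::1 2001:dba:a051::1"`. The heading `# Test 6: TCP / p2mp tun` also looks like it was meant to say `tap`, going by the pattern of tests 5 to 8, but that is a guess.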
@@ -0,0 +1,316 @@ +#!@SHELL@ +# +# run OpenVPN client against ``test reference'' server +# - check that ping, http, ... via tunnel works +# - check that interface config / routes are properly cleaned after test end +# +# prerequisites: +# - openvpn binary in current directory +# - writable current directory to create subdir for logs +# - t_client.rc in current directory OR source dir that specifies tests +# - for "ping4" checks: fping binary in $PATH +# - for "ping6" checks: fping6 binary in $PATH +# + +srcdir="${srcdir:-.}" +top_builddir="${top_builddir:-..}" +if [ -r "${top_builddir}"/t_client.rc ] ; then + . "${top_builddir}"/t_client.rc +elif [ -r "${srcdir}"/t_client.rc ] ; then + . "${srcdir}"/t_client.rc +else + echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2 + echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2 + exit 77 +fi + +if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] +then + echo "no (executable) openvpn binary in current build tree. FAIL." >&2 + exit 1 +fi + +if [ ! -w . ] +then + echo "current directory is not writable (required for logging). FAIL." >&2 + exit 1 +fi + +if [ -z "$CA_CERT" ] ; then + echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2 + exit 77 +fi + +if [ -z "$TEST_RUN_LIST" ] ; then + echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2 + exit 77 +fi + +# make sure we have permissions to run ifconfig/route from OpenVPN +# can't use "id -u" here - doesn't work on Solaris +ID=`id` +if expr "$ID" : "uid=0" >/dev/null +then : +else + if [ -z "$RUN_SUDO" ] + then + echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 + echo " must be set correctly in 't_client.rc'. SKIP." >&2 + exit 77 + fi +fi + +LOGDIR=t_client-`hostname`-`date +%Y%m%d-%H%M%S` +if mkdir $LOGDIR +then : +else + echo "can't create log directory '$LOGDIR'. FAIL." 
>&2 + exit 1 +fi + +exit_code=0 + +# ---------------------------------------------------------- +# helper functions +# ---------------------------------------------------------- +# print failure message, increase FAIL counter +fail() +{ + echo "" + echo "FAIL: $@" >&2 + fail_count=$(( $fail_count + 1 )) +} + +# print "all interface IP addresses" + "all routes" +# this is higly system dependent... +get_ifconfig_route() +{ + # linux / iproute2? (-> if configure got a path) + if [ -n "@IPROUTE@" ] + then + echo "-- linux iproute2 --" + @IPROUTE@ addr show | grep -v valid_lft + @IPROUTE@ route show + @IPROUTE@ -o -6 route show | grep -v ' cache' | sed -e 's/expires [0-9]*sec//' + return + fi + + # try uname + case `uname -s` in + Linux) + echo "-- linux / ifconfig --" + LANG=C @IFCONFIG@ -a |egrep "( addr:|encap:)" + LANG=C @NETSTAT@ -rn -4 -6 + return + ;; + FreeBSD|NetBSD|Darwin) + echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --" + @IFCONFIG@ -a | egrep "(flags=|inet)" + @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' + return + ;; + OpenBSD) + echo "-- OpenBSD --" + @IFCONFIG@ -a | egrep "(flags=|inet)" | \ + sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//' + @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' + return + ;; + SunOS) + echo "-- Solaris --" + @IFCONFIG@ -a | egrep "(flags=|inet)" + @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' + return + ;; + esac + + echo "get_ifconfig_route(): no idea how to get info on your OS. FAIL." >&2 + exit 20 +} + +# ---------------------------------------------------------- +# check ifconfig +# arg1: "4" or "6" -> for message +# arg2: IPv4/IPv6 address that must show up in out of "get_ifconfig_route" +check_ifconfig() +{ + proto=$1 ; shift + expect_list="$@" + + if [ -z "$expect_list" ] ; then return ; fi + + for expect in $expect_list + do + if get_ifconfig_route | fgrep "$expect" >/dev/null + then : + else + fail "check_ifconfig(): expected IPv$proto address '$expect' not found in ifconfig output." 
+ fi + done +} + +# ---------------------------------------------------------- +# run pings +# arg1: "4" or "6" -> fping/fing6 +# arg2: "want_ok" or "want_fail" (expected ping result) +# arg3... -> fping arguments (host list) +run_ping_tests() +{ + proto=$1 ; want=$2 ; shift ; shift + targetlist="$@" + + # "no targets" is fine + if [ -z "$targetlist" ] ; then return ; fi + + case $proto in + 4) cmd=fping ;; + 6) cmd=fping6 ;; + *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2 + exit 1 ;; + esac + + case $want in + want_ok) sizes_list="64 1440 3000" ;; + want_fail) sizes_list="64" ;; + esac + + for bytes in $sizes_list + do + echo "run IPv$proto ping tests ($want), $bytes byte packets..." + + echo "$cmd -b $bytes -C 20 -p 250 -q $targetlist" >>$LOGDIR/$SUF:fping.out + $cmd -b $bytes -C 20 -p 250 -q $targetlist >>$LOGDIR/$SUF:fping.out 2>&1 + + # while OpenVPN is running, pings must succeed (want='want_ok') + # before OpenVPN is up, pings must NOT succeed (want='want_fail') + + rc=$? + if [ $rc = 0 ] # all ping OK + then + if [ $want = "want_fail" ] # not what we want + then + fail "IPv$proto ping test succeeded, but needs to *fail*." + fi + else # ping failed + if [ $want = "want_ok" ] # not what we wanted + then + fail "IPv$proto ping test ($bytes bytes) failed, but should succeed." 
+ fi + fi + done +} + +# ---------------------------------------------------------- +# main test loop +# ---------------------------------------------------------- +SUMMARY_OK= +SUMMARY_FAIL= + +for SUF in $TEST_RUN_LIST +do + # get config variables + eval test_run_title=\"\$RUN_TITLE_$SUF\" + eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\" + eval expect_ifconfig4=\"\$EXPECT_IFCONFIG4_$SUF\" + eval expect_ifconfig6=\"\$EXPECT_IFCONFIG6_$SUF\" + eval ping4_hosts=\"\$PING4_HOSTS_$SUF\" + eval ping6_hosts=\"\$PING6_HOSTS_$SUF\" + + echo -e "\n### test run $SUF: '$test_run_title' ###\n" + fail_count=0 + + echo "save pre-openvpn ifconfig + route" + get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_pre.txt + + echo -e "\nrun pre-openvpn ping tests - targets must not be reachable..." + run_ping_tests 4 want_fail "$ping4_hosts" + run_ping_tests 6 want_fail "$ping6_hosts" + if [ "$fail_count" = 0 ] ; then + echo -e "OK.\n" + else + echo -e "FAIL: make sure that ping hosts are ONLY reachable via VPN, SKIP test $SUF". + exit_code=31 + continue + fi + + echo " run openvpn $openvpn_conf" + echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log + $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log & + opid=$! + + # make sure openvpn client is terminated in case shell exits + trap "$RUN_SUDO kill $opid" 0 + trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15 + + echo "wait for connection to establish..." + sleep ${SETUP_TIME_WAIT:-10} + + # test whether OpenVPN process is still there + if $RUN_SUDO kill -0 $opid + then : + else + echo -e "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log). FAIL.\ntail of logfile follows:\n..." >&2 + tail $LOGDIR/$SUF:openvpn.log >&2 + trap - 0 1 2 3 15 + exit 10 + fi + + # compare whether anything changed in ifconfig/route setup? 
+ echo "save ifconfig+route" + get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route.txt + + echo -n "compare pre-openvpn ifconfig+route with current values..." + if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \ + $LOGDIR/$SUF:ifconfig_route.txt >/dev/null + then + fail "no differences between ifconfig/route before OpenVPN start and now." + else + echo -e " OK!\n" + fi + + # expected ifconfig values in there? + check_ifconfig 4 "$expect_ifconfig4" + check_ifconfig 6 "$expect_ifconfig6" + + run_ping_tests 4 want_ok "$ping4_hosts" + run_ping_tests 6 want_ok "$ping6_hosts" + echo -e "ping tests done.\n" + + echo "stopping OpenVPN" + $RUN_SUDO kill $opid + wait $! + rc=$? + if [ $rc != 0 ] ; then + fail "OpenVPN return code $rc, expect 0" + fi + + echo -e "\nsave post-openvpn ifconfig + route..." + get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_post.txt + + echo -n "compare pre- and post-openvpn ifconfig + route..." + if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \ + $LOGDIR/$SUF:ifconfig_route_post.txt >$LOGDIR/$SUF:ifconfig_route_diff.txt + then + echo -e " OK.\n" + else + cat $LOGDIR/$SUF:ifconfig_route_diff.txt >&2 + fail "differences between pre- and post-ifconfig/route" + fi + if [ "$fail_count" = 0 ] ; then + echo -e "test run $SUF: all tests OK.\n" + SUMMARY_OK="$SUMMARY_OK $SUF" + else + echo -e "test run $SUF: $fail_count test failures. FAIL.\n"; + SUMMARY_FAIL="$SUMMARY_FAIL $SUF" + exit_code=30 + fi +done + +if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi +if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi +echo "Test sets succeded:$SUMMARY_OK." +echo "Test sets failed:$SUMMARY_FAIL." + +# remove trap handler +trap - 0 1 2 3 15 +exit $exit_code diff --git a/app/openvpn/tests/t_cltsrv-down.sh b/app/openvpn/tests/t_cltsrv-down.sh new file mode 100755 index 00000000..2ef852aa --- /dev/null +++ b/app/openvpn/tests/t_cltsrv-down.sh @@ -0,0 +1,2 @@ +#! /bin/sh +echo "${role}:${signal}" >&3 
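Review bot: The six `eval` lines at the top of the main test loop expand `$SUF` without checking it, so any character in `TEST_RUN_LIST` other than a plain suffix is evaluated as shell code. The rc file is sourced anyway, so this crosses no new trust boundary, but the script is meant to run as root when `RUN_SUDO` is unset, and a typo in the list then runs with those privileges. A guard before the first `eval` keeps the indirection to variable names only: `case "$SUF" in *[!A-Za-z0-9_]*) echo "$0: bad test suffix '$SUF'" >&2 ; exit 1 ;; esac`. The same value is used unquoted in the `$LOGDIR/$SUF:...` paths, so the guard also keeps those to a single word.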
diff --git a/app/openvpn/tests/t_cltsrv.sh b/app/openvpn/tests/t_cltsrv.sh
new file mode 100755
index 00000000..752251e4
--- /dev/null
+++ b/app/openvpn/tests/t_cltsrv.sh
@@ -0,0 +1,91 @@ +#! /bin/sh +# +# t_cltsrv.sh - script to test OpenVPN's crypto loopback +# Copyright (C) 2005, 2006, 2008 Matthias Andree +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +set -e +srcdir="${srcdir:-.}" +top_srcdir="${top_srcdir:-..}" +top_builddir="${top_builddir:-..}" +trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15 +trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3 +addopts= +case `uname -s` in + FreeBSD) + # FreeBSD jails map the outgoing IP to the jail IP - we need to + # allow the real IP unless we want the test to run forever. + if test "`sysctl 2>/dev/null -n security.jail.jailed`" = 1 \ + || ps -ostate= -p $$ | grep -q J; then + addopts="--float" + if test "x`ifconfig | grep inet`" = x ; then + echo "###" + echo "### To run the test in a FreeBSD jail, you MUST add an IP alias for the jail's IP." + echo "###" + exit 77 + fi + fi + ;; +esac + +# make sure that the --down script is executable -- fail (rather than +# skip) test if it isn't. +downscript="../tests/t_cltsrv-down.sh" +root="${top_srcdir}/sample" +test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; } +echo "The following test will take about two minutes." 
>&2 +echo "If the addresses are in use, this test will retry up to two times." >&2 + +# go +success=0 +for i in 1 2 3 ; do + set +e + ( + "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" & + "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client" + ) 3>log.$$.signal >log.$$ 2>&1 + e1=$? + wait $! + e2=$? + grep 'TCP/UDP: Socket bind failed on local address.*in use' log.$$ >/dev/null && { + echo 'address in use, retrying in 150 s' + sleep 150 + continue + } + grep -v ':inactive$' log.$$.signal >/dev/null && { cat log.$$.signal ; echo ; cat log.$$ ; exit 1 ; } + success=1 + break +done + +set -e + +# exit code - defaults to 0, PASS +ec=0 + +if [ $success != 1 ] ; then + # couldn't run test -- addresses in use, skip test + cat log.$$ + ec=77 +elif [ $e1 != 0 ] || [ $e2 != 0 ] ; then + # failure -- fail test + cat log.$$ + ec=1 +fi + +rm log.$$ log.$$.signal +trap 0 +exit $ec diff --git a/app/openvpn/tests/t_lpback.sh b/app/openvpn/tests/t_lpback.sh new file mode 100755 index 00000000..40767a1b --- /dev/null +++ b/app/openvpn/tests/t_lpback.sh 
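Review bot: The `wait $!` after the `( … )` group in the retry loop cannot collect the server's exit status. The server is started with `&` inside the subshell, so it is not a child of the outer shell, and the outer shell has started no background job of its own, which leaves `$!` empty. In a POSIX shell `e2` therefore ends up 0 whatever the server did, and the `[ $e2 != 0 ]` check further down never fires. The group can also return while the server is still writing `log.$$.signal`. Collecting the status inside the group fixes both: add `srv=$!` right after the server line and end the group with `rc=$? ; wait $srv || rc=$? ; exit $rc`, after which `e1` carries a failure from either side.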
@@ -0,0 +1,32 @@ +#! /bin/sh +# +# t_lpback.sh - script to test OpenVPN's crypto loopback +# Copyright (C) 2005 Matthias Andree +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +set -e +top_builddir="${top_builddir:-..}" +trap "rm -f key.$$ log.$$ ; trap 0 ; exit 77" 1 2 15 +trap "rm -f key.$$ log.$$ ; exit 1" 0 3 +"${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$ +set +e +( "${top_builddir}/src/openvpn/openvpn" --test-crypto --secret key.$$ ) >log.$$ 2>&1 +e=$? +if [ $e != 0 ] ; then cat log.$$ ; fi +rm key.$$ log.$$ +trap 0 +exit $e -- cgit v1.2.3
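Review bot: The generated static key and the log are written to the current directory as `key.$$` and `log.$$`, names derived from the PID and created under whatever umask the caller has. The key is throwaway test material, but a predictable name in a directory other users can write to is exposed to pre-created files or symlinks, and `--genkey` output should not be group- or world-readable by default. I would put `umask 077` before the `--genkey` call and, where `mktemp -d` is available on the target platforms, create both files inside a private directory that the traps remove. `t_cltsrv.sh` in this commit uses the same `log.$$` / `log.$$.signal` pattern.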