eap: test for TLS session resumption
authorAlexander Clouter <aclouter@networkradius.com>
Sat, 13 Feb 2021 10:37:50 +0000 (10:37 +0000)
committerAlan T. DeKok <aland@freeradius.org>
Fri, 5 Mar 2021 13:28:53 +0000 (08:28 -0500)
src/tests/.gitignore
src/tests/Makefile
src/tests/config/test.conf

index 5d793d92906c465058d702d81f68e296e7f105a8..a019664498a0caf55b4ba7396438a65f6c56db97 100644 (file)
@@ -7,3 +7,6 @@ test.conf
 radius.log
 radiusd.pid
 eapol_test
+tlscache
+config/eap-test
+config/eap-test-inner-tunnel
index 734fdac66a47117cd55f02d9fdd6875439734a0d..4310eacc20a60e9364bc69ab8d0dd2a4055c2e45 100644 (file)
@@ -84,17 +84,17 @@ dictionary:
            echo '$$INCLUDE ' $(top_builddir)/share/dictionary.vqp >> dictionary;  \
        fi
 
-test.conf: dictionary
-       @echo "# test configuration file.  Do not install.  Delete at any time." > test.conf
+test.conf: dictionary config/eap-test
+       @echo "# test configuration file.  Do not install.  Delete at any time." > $@
        @if [ -n "$(LIB_PATH)" ]; then  \
-           echo "libdir =" $(LIB_PATH) >> test.conf; \
+           echo "libdir =" $(LIB_PATH) >> $@; \
        fi
-       @echo "testdir =" $(TEST_PATH) >> test.conf
-       @echo 'logdir = $${testdir}' >> test.conf
-       @echo "maindir =" $(RADDB_PATH) >> test.conf
-       @echo 'radacctdir = $${testdir}' >> test.conf
-       @echo 'pidfile = $${testdir}/radiusd.pid' >> test.conf
-       @echo 'panic_action = "gdb -batch -x ${testdir}/panic.gdb %e %p > ${testdir}/gdb.log 2>&1; cat ${testdir}/gdb.log"' >> test.conf
+       @echo "testdir =" $(TEST_PATH) >> $@
+       @echo 'logdir = $${testdir}' >> $@
+       @echo "maindir =" $(RADDB_PATH) >> $@
+       @echo 'radacctdir = $${testdir}' >> $@
+       @echo 'pidfile = $${testdir}/radiusd.pid' >> $@
+       @echo 'panic_action = "gdb -batch -x ${testdir}/panic.gdb %e %p > ${testdir}/gdb.log 2>&1; cat ${testdir}/gdb.log"' >> $@
        @echo 'security {' >> $@
        @echo '        allow_vulnerable_openssl = yes' >> $@
        @echo '}' >> $@
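Review bot: The rewritten `panic_action` line still passes `${testdir}` with a single dollar while every neighbouring line escapes it as `$${testdir}`; make expands `${testdir}` itself before the recipe runs, so unless a make variable named `testdir` is defined elsewhere in this Makefile, test.conf receives `gdb -batch -x /panic.gdb …` with the directory blanked out. Since the line is being rewritten anyway, escape it like the others: `@echo 'panic_action = "gdb -batch -x $${testdir}/panic.gdb %e %p > $${testdir}/gdb.log 2>&1; cat $${testdir}/gdb.log"' >> $@`. The escaping predates this commit (the removed line is identical), so this is a drive-by fix rather than a regression.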
@@ -102,11 +102,24 @@ test.conf: dictionary
        @echo 'modconfdir = $${maindir}mods-config' >> $@
        @echo 'certdir = $${maindir}/certs' >> $@
        @echo 'cadir   = $${maindir}/certs' >> $@
-       @echo '$$INCLUDE $${testdir}/config/' >> test.conf
-       @echo '$$INCLUDE $${maindir}/radiusd.conf' >> test.conf
+       @echo '$$INCLUDE $${testdir}/config/' >> $@
+       @echo '$$INCLUDE $${maindir}/radiusd.conf' >> $@
+
+#
+#  Rename "inner-tunnel", and ensure that it only uses the "eap-test" module.
+#
+config/eap-test-inner-tunnel: $(RADDB_PATH)sites-available/inner-tunnel
+       @sed 's/eap/eap-test/;s/server inner-tunnel/server eap-test-inner-tunnel/' < $< > $@
+
+#
+#  Same as above, but enable caching, and set the persist_dir
+#
+config/eap-test: $(RADDB_PATH)mods-available/eap config/eap-test-inner-tunnel
+       @sed 's/eap {/eap eap-test {/;s/= inner-tunnel/= eap-test-inner-tunnel/;s/use_tunneled_reply = no/use_tunneled_reply = yes/;s/enable = no/enable = yes/;s/^\(.*\)persist_dir =/  persist_dir =/' < $< > $@
 
 radiusd.pid: test.conf
-       @rm -f $(TEST_PATH)/gdb.log $(TEST_PATH)/radius.log
+       @rm -rf $(TEST_PATH)/gdb.log $(TEST_PATH)/radius.log $(TEST_PATH)/tlscache
+       @mkdir -p $(TEST_PATH)/tlscache
        @printf "Starting server... "
        @if ! $(RADIUSD_BIN) -Pxxxxml $(TEST_PATH)/radius.log -d ${top_builddir}/src/tests -n test -i 127.0.0.1 -p $(PORT) -D $(DICT_PATH); then \
                echo "failed"; \
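Review bot: The sed expressions in the `config/eap-test` rule are unanchored: `s/enable = no/enable = yes/` flips every `enable = no` in mods-available/eap, not only the one under `cache {`, and `s/eap/eap-test/` in the inner-tunnel rule rewrites the first `eap` on any line, comments included. If mods-available/eap carries other `enable = no` knobs (an OCSP block would be the obvious candidate) they are switched on too, which for OCSP would mean outbound lookups from the test server; the file is not in the hunk, so please check. Scoping the cache substitution to its block, `/cache {/,/}/s/enable = no/enable = yes/`, and the module rename to lines that consist of the token alone, `s/^\([[:space:]]*\)eap\([[:space:]{]*\)$/\1eap-test\2/`, keeps the generated module as close as possible to the shipped one. Both recipes also redirect straight into `$@`, so a failing sed leaves a truncated file that is newer than its source and is treated as up to date on the next run; writing to `$@.tmp` and `mv`-ing into place, or declaring `.DELETE_ON_ERROR:`, avoids that.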
@@ -151,7 +164,8 @@ $(BUILD_PATH)/tests/eap:
 
 .PHONY: clean.tests.eap
 clean.tests.eap:
-       @rm -rf $(BUILD_PATH)/tests/eap
+       @rm -rf $(BUILD_PATH)/tests/eap config/tlscache config/eap-test config/eap-test-inner-tunnel
+
 $(BUILD_PATH)/tests/eap/%.ok: $(top_builddir)/src/tests/%.conf | $(BUILD_PATH)/tests/eap
        @echo EAPOL_TEST $(notdir $(patsubst %.conf,%,$<))
        @if $(EAPOL_TEST) -c $< -p $(PORT) -s $(SECRET) > $(patsubst %.ok,%,$@).log 2>&1; then \
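Review bot: `clean.tests.eap` removes `config/tlscache`, but the directory the `radiusd.pid` rule creates in the previous hunk is `$(TEST_PATH)/tlscache`, and the new .gitignore entry lists `tlscache` at the tests root, so unless TEST_PATH resolves to `config` the clean target never removes the cache and it survives across runs. That directory holds the TLS session state the server persists, which is exactly the kind of stale material a clean target should take away; `@rm -rf $(BUILD_PATH)/tests/eap $(TEST_PATH)/tlscache config/eap-test config/eap-test-inner-tunnel` lines it up with the rule that creates it.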
@@ -172,26 +186,21 @@ $(BUILD_PATH)/tests/eap/${1}-${2}.conf: $(top_builddir)/src/tests/${1}.conf
 
 $(BUILD_PATH)/tests/eap/${1}-${2}.ok: $(BUILD_PATH)/tests/eap/${1}-${2}.conf
        @echo EAPOL_TEST $$(notdir $$(patsubst %.ok,%,$$@))
-       @if $(EAPOL_TEST) -c $$< -p $(PORT) -s $(SECRET) > $$(patsubst %.ok,%,$$@).log 2>&1; then \
-               if grep -q '^SSL: Using TLS version TLSv${2}$$$$' $$(patsubst %.ok,%,$$@).log; then \
-                       touch $$@; \
-               else \
-                       echo FAILED - not using TLS version ${2}; \
-                       echo "        " $(EAPOL_TEST) -c $$< -p $(PORT) -s $(SECRET); \
-               fi \
-       else \
+       @if ! $(EAPOL_TEST) -r 1 -c $$< -p $(PORT) -s $(SECRET) > $$(patsubst %.ok,%,$$@).log 2>&1; then \
                echo FAILED; \
                echo "        " $(EAPOL_TEST) -c $$< -p $(PORT) -s $(SECRET); \
        fi
-
-$(BUILD_PATH)/tests/eap/${1}-${2}-resumption.ok: $(BUILD_PATH)/tests/eap/${1}-${2}.conf
-       @echo EAPOL_TEST $$(notdir $$(patsubst %.ok,%,$$@))
-       @if $(EAPOL_TEST) -r 2 -c $$< -p $(PORT) -s $(SECRET) > $$@.log 2>&1; then \
-               touch $$@; \
-       else \
-               echo FAILED; \
-               echo "        " $(EAPOL_TEST) -r 2 -c $$< -p $(PORT) -s $(SECRET); \
+       @if ! grep -q '^SSL: Using TLS version TLSv${2}$$$$' $$(patsubst %.ok,%,$$@).log; then \
+               echo "    " FAILED - not using TLS version ${2}; \
+               echo "        " $(EAPOL_TEST) -c $$< -p $(PORT) -s $(SECRET); \
+               exit 1; \
+       fi
+       @if ! grep -q '^OpenSSL: Handshake finished - resumed=1$$$$' $$(patsubst %.ok,%,$$@).log; then \
+               echo "    " FAILED - did not use resumption; \
+               echo "        " $(EAPOL_TEST) -r -c $$< -p $(PORT) -s $(SECRET); \
+               exit 1; \
        fi
+       @touch $$@
 
 EAP_TLS_VERSION_FILES += $(BUILD_PATH)/tests/eap/${1}-${2}.ok
 endef
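Review bot: When `$(EAPOL_TEST)` itself fails, the first `if` block only echoes and falls through, so the two grep checks then run against a log that never reached a handshake and report `FAILED - not using TLS version` instead of the real cause; add `exit 1;` after the echo that follows `echo FAILED;`, mirroring the two grep branches. The reproduction commands printed on failure also differ from what was actually run: the first two omit `-r 1`, and the third prints `-r -c`, where `-r` would consume `-c` as its argument, so all three should read `$(EAPOL_TEST) -r 1 -c $$< -p $(PORT) -s $(SECRET)`. With `.ok` now touched only after all three checks pass, the resumption assertion itself looks sound as far as the hunk shows: `-r 1` requests one reauthentication and the `resumed=1` grep confirms the second handshake was a resumption. The `define` enclosing this rule begins before the hunk.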
index 58a8ff877bf626b448063a01259f30140ef4f6c3..bab2c4d33986b79f0c7cb95f9e26d89d154be168 100644 (file)
@@ -7,17 +7,22 @@
 
 test_port      = 10000
 
+correct_escapes = true
+
 #  Only for testing!
 #  Setting this on a production system is a BAD IDEA.
 security {
        allow_vulnerable_openssl = yes
 }
 
-correct_escapes = true
+modules {
+       $INCLUDE ${maindir}/mods-enabled/
+       $INCLUDE ${testdir}/config/eap-test
+}
 
 realm test.example.com {
-      authhost = 127.0.0.1:${test_port}
-      secret = testing123
+       authhost = 127.0.0.1:${test_port}
+       secret = testing123
 }
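Review bot: The new `modules` block includes `${testdir}/config/eap-test`, a file generated by src/tests/Makefile from mods-available/eap and gitignored by this same commit, so a reader of test.conf will not find it in the tree and gets no hint that it differs from the shipped module (the Makefile's sed enables TLS session caching and `use_tunneled_reply`). A one-line comment above the block would save that lookup, e.g. `#  eap-test is generated by src/tests/Makefile from mods-available/eap with session caching enabled; it is not checked in.`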
 
 policy {
@@ -29,7 +34,7 @@ policy {
                }
        }
 
-$INCLUDE ${maindir}/policy.d/
+       $INCLUDE ${maindir}/policy.d/
 }
 
 
@@ -39,11 +44,11 @@ $INCLUDE ${maindir}/policy.d/
 #      radiusd -Xd src/tests/ -i 127.0.0.1 -p 12340 -n test
 #
 server test {
-       listen {
-             type = detail
-             filename = ${radacctdir}/detail
-             load_factor = 10
-       }
+       listen {
+               type = detail
+               filename = ${radacctdir}/detail
+               load_factor = 10
+       }
 
        listen {
                ipaddr = 127.0.0.1
@@ -92,7 +97,7 @@ authorize {
        chap
        mschap
        digest
-       eap
+       eap-test
        pap
 }
 
@@ -101,15 +106,15 @@ authenticate {
        chap
        mschap
        digest
-       eap
+       eap-test
 }
 
 accounting {
-          if (Packet-Src-IP-Address != 255.255.255.255) {
-             detail
-          }
+       if (Packet-Src-IP-Address != 255.255.255.255) {
+               detail
+       }
 
-          ok
+       ok
 }
 
 }