From: Nick Porter
Date: Tue, 17 Jun 2025 20:07:41 +0000 (+0100)
Subject: Move all rlm_crl tests to one file
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef1a74c4e8afa874a2fe99be5d1b305b74b0b565;p=thirdparty%2Ffreeradius-server.git

Move all rlm_crl tests to one file

To avoid parallel runs conflicting - OpenSSL appears to sometimes get in a mess if there are parallel attempts to sign / revoke / create crl
---
diff --git a/src/tests/modules/crl/accept.unlang b/src/tests/modules/crl/accept.unlang
deleted file mode 100644
index 493ab27dac9..00000000000
--- a/src/tests/modules/crl/accept.unlang
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Test a CRL check for a certificate that is not in the CRL
-#
-string serial
-uint8 len
-uint8 clientno
-
-clientno := 1
-
-prepare_cnf
-
-create_client_cert
-
-build_crl
-
-read_cert_serial
-
-session-state.TLS-Certificate.Serial = %bin(serial)
-# This is a dummy URI - the module is configured to just cat the crl using %exec()
-session-state.TLS-Certificate.X509v3-CRL-Distribution-Points = 'http://www.example.com/example_ca.crl'
-
-crl
-
-if (!ok) {
-test_fail
-}
-
-test_pass
-
diff --git a/src/tests/modules/crl/all.unlang b/src/tests/modules/crl/all.unlang
new file mode 100644
index 00000000000..621529707ac
--- /dev/null
+++ b/src/tests/modules/crl/all.unlang
@@ -0,0 +1,106 @@
+#
+# Tests for checking certificates against CRLs
+#
+string serial
+uint8 len
+uint8 clientno
+
+# Build a client cert
+clientno := 1
+
+prepare_cnf
+
+create_client_cert
+
+# Build a second client cert and revoke it
+
+clientno := 2
+
+prepare_cnf
+
+create_client_cert
+
+revoke_client_cert
+
+# Build a third client cert
+
+clientno := 3
+
+prepare_cnf
+
+create_client_cert
+
+build_crl
+
+# Test a CRL check for a certificate that is valid
+clientno := 1
+
+read_cert_serial
+
+session-state.TLS-Certificate.Serial := %bin(serial)
+# This is a dummy URI - the module is configured to just cat the crl using %exec()
+session-state.TLS-Certificate.X509v3-CRL-Distribution-Points = 'http://www.example.com/example_ca.crl'
+
+crl
+
+if (!ok) {
+test_fail
+}
+
+#
+# Test a CRL check for a certificate that is revoked
+#
+clientno := 2
+
+read_cert_serial
+
+session-state.TLS-Certificate.Serial := %bin(serial)
+
+crl {
+reject = 1
+}
+
+if (!reject) {
+test_fail
+}
+
+#
+# Test that CRL reload works
+#
+clientno := 3
+
+read_cert_serial
+
+session-state.TLS-Certificate.Serial := %bin(serial)
+
+#
+# Check that CRL passes
+#
+crl
+
+if (!ok) {
+test_fail
+}
+
+#
+# And advance time beyond the forced CRL refresh interval
+#
+%time.advance(10s)
+
+#
+# Now revoke the cert and update the crl
+#
+revoke_client_cert
+
+build_crl
+
+crl {
+reject = 1
+}
+
+if (!reject) {
+test_fail
+}
+
+test_pass
+
diff --git a/src/tests/modules/crl/module.conf b/src/tests/modules/crl/module.conf
index 7b7f15e039c..ac74204e7b3 100644
--- a/src/tests/modules/crl/module.conf
+++ b/src/tests/modules/crl/module.conf
@@ -1,7 +1,7 @@
 crl {
 source {
 dynamic {
-http = %exec_bin('/bin/cat', "$ENV{MODULE_TEST_DIR}/ca%{clientno}.crl")
+http = %exec_bin('/bin/cat', "$ENV{MODULE_TEST_DIR}/ca.crl")
 }
 }
 ca_file = raddb/certs/rsa/ca.pem
diff --git a/src/tests/modules/crl/policy.conf b/src/tests/modules/crl/policy.conf
index 1e8a8f04fb6..dc7b7106df3 100644
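Review bot: The reload case relies on `%time.advance(10s)` exceeding a CRL refresh interval that is configured in module.conf rather than in this file, and nothing here records that coupling; a comment on that line such as `# 10s must exceed the forced CRL refresh interval configured in module.conf` keeps the constant auditable when the interval changes. Now that the three formerly separate tests run in one request, `read_cert_serial` is invoked three times, so the assertions also depend on that helper refreshing every value it sets on each call, which is worth stating in the opening comment block. As a point of style, the first case header `# Test a CRL check for a certificate that is valid` lacks the `#` frame lines that the second and third cases use.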
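Review bot: The `http =` stub now returns `$ENV{MODULE_TEST_DIR}/ca.crl` for every request, so the distribution-point URI carried in `session-state.TLS-Certificate.X509v3-CRL-Distribution-Points` is never consulted (as it already was not with the per-client name), yet only all.unlang explains this; the config should say so itself, e.g. `# Test stub: the CDP URI is ignored and the locally built ca.crl is returned` above the `http =` line. Because the filename no longer varies, every unlang in this directory that calls build_crl rewrites the same file, which is the serialisation the commit message asks for but also means any test file added alongside all.unlang would silently share CRL state with it.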
--- a/src/tests/modules/crl/policy.conf
+++ b/src/tests/modules/crl/policy.conf
@@ -35,8 +35,8 @@ revoke_client_cert {
 # Build the CRL
 #
 build_crl {
-%exec('/usr/bin/openssl', 'ca', '-gencrl', '-keyfile', "$ENV{top_srcdir}raddb/certs/rsa/ca.key", '-cert', "$ENV{top_srcdir}raddb/certs/rsa/ca.pem", '-config', "$ENV{MODULE_TEST_DIR}/ca%{clientno}.cnf", '-out', "$ENV{MODULE_TEST_DIR}/ca-crl%{clientno}.pem", '-key', 'whatever')
-%exec('/usr/bin/openssl', 'crl', '-in', "$ENV{MODULE_TEST_DIR}/ca-crl%{clientno}.pem", '-outform', 'DER', '-out', "$ENV{MODULE_TEST_DIR}/ca%{clientno}.crl")
+%exec('/usr/bin/openssl', 'ca', '-gencrl', '-keyfile', "$ENV{top_srcdir}raddb/certs/rsa/ca.key", '-cert', "$ENV{top_srcdir}raddb/certs/rsa/ca.pem", '-config', "$ENV{MODULE_TEST_DIR}/ca%{clientno}.cnf", '-out', "$ENV{MODULE_TEST_DIR}/ca-crl.pem", '-key', 'whatever')
+%exec('/usr/bin/openssl', 'crl', '-in', "$ENV{MODULE_TEST_DIR}/ca-crl.pem", '-outform', 'DER', '-out', "$ENV{MODULE_TEST_DIR}/ca.crl")
 }
 
 #
@@ -47,7 +47,7 @@ build_crl {
 # - the length (in bytes)
 #
 read_cert_serial {
-serial = %exec('/usr/bin/openssl', 'x509', '-in', "$ENV{MODULE_TEST_DIR}/client%{clientno}.crt", '-serial', '-noout')
+serial := %exec('/usr/bin/openssl', 'x509', '-in', "$ENV{MODULE_TEST_DIR}/client%{clientno}.crt", '-serial', '-noout')
 serial := %substr(serial, 7)
 len = %length(serial) / 2
 serial := '02' + %hex(len) + serial
diff --git a/src/tests/modules/crl/reject.unlang b/src/tests/modules/crl/reject.unlang
deleted file mode 100644
index 1c2fe7b9e30..00000000000
--- a/src/tests/modules/crl/reject.unlang
+++ /dev/null
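Review bot: build_crl still selects `ca%{clientno}.cnf` while writing a single `ca-crl.pem`/`ca.crl`, and all.unlang invokes it with clientno 3 expecting the revocation of client 2 to appear in the resulting CRL; that only holds if every generated cnf points `openssl ca` at one shared database, which is set up by prepare_cnf outside this hunk and cannot be confirmed from here. A comment above the first `%exec` such as `# Every caN.cnf must share one CA database so the CRL covers all revoked clients` would record the assumption the merged test now depends on. If the databases are in fact per-client, the valid/revoked split in all.unlang passes only by accident of ordering.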
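Review bot: `serial` now uses `:=` so a repeated call replaces the previous value, but the neighbouring `len = %length(serial) / 2` keeps `=`; if `=` leaves an existing attribute untouched, as the change to `serial` implies, then on the second and third calls in all.unlang `len` still holds the first certificate's length and the DER length byte is only correct because all test serials happen to be the same size. `len := %length(serial) / 2` applies the same fix. The hand-built `'02' + %hex(len) + serial` also assumes a serial under 128 bytes whose first byte has the high bit clear (short-form length, no leading `00` pad), which holds for the test CA but deserves a comment on that line.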
@@ -1,32 +0,0 @@
-#
-# Test a CRL check for a certificate that is revoked
-#
-string serial
-uint8 len
-uint8 clientno
-
-clientno := 2
-
-prepare_cnf
-
-create_client_cert
-
-revoke_client_cert
-
-build_crl
-
-read_cert_serial
-
-session-state.TLS-Certificate.Serial = %bin(serial)
-session-state.TLS-Certificate.X509v3-CRL-Distribution-Points = 'http://www.example.com/example_ca.crl'
-
-crl {
-reject = 1
-}
-
-if (!reject) {
-test_fail
-}
-
-test_pass
-
diff --git a/src/tests/modules/crl/reload.unlang b/src/tests/modules/crl/reload.unlang
deleted file mode 100644
index 0336ca88156..00000000000
--- a/src/tests/modules/crl/reload.unlang
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# Test that CRL reload works
-#
-string serial
-uint8 len
-uint8 clientno
-
-clientno := 3
-
-prepare_cnf
-
-create_client_cert
-
-build_crl
-
-read_cert_serial
-
-session-state.TLS-Certificate.Serial = %bin(serial)
-session-state.TLS-Certificate.X509v3-CRL-Distribution-Points = 'http://www.example.com/example_ca.crl'
-
-#
-# Check that CRL passes
-#
-crl
-
-if (!ok) {
-test_fail
-}
-
-#
-# And advance time beyond the forced CRL refresh interval
-#
-%time.advance(10s)
-
-#
-# Now revoke the cert and update the crl
-#
-revoke_client_cert
-
-build_crl
-
-crl {
-reject = 1
-}
-
-if (!reject) {
-test_fail
-}
-
-test_pass
-