summaryrefslogtreecommitdiffstats
path: root/src/tests/Makefile
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/tests/Makefile317
1 files changed, 317 insertions, 0 deletions
diff --git a/src/tests/Makefile b/src/tests/Makefile
new file mode 100644
index 0000000..fe836c6
--- /dev/null
+++ b/src/tests/Makefile
@@ -0,0 +1,317 @@
+# -*- makefile -*-
+##
+## Makefile -- Build and run tests for the server.
+##
+## http://www.freeradius.org/
+## $Id$
+##
+#
+include ../../Make.inc
+
+BUILD_PATH := $(top_builddir)/build
+
+#
+# Build eapol_test if requested to.
+#
+.PHONY: eapol_test
+eapol_test: $(BUILD_PATH)/tests/eapol_test/eapol_test.mk
+ @echo EAPOL_TEST=$(EAPOL_TEST)
+
+#
+# If we're doing anything resembling EAP, then make sure that
+# EAPOL_TEST is defined.
+#
+ifneq "(findstring eap,$(MAKECMDGOALS))" ""
+$(BUILD_PATH)/tests/eapol_test:
+ @mkdir -p $@
+
+TEST_PATH := $(top_builddir)/src/tests
+DICT_PATH := $(TEST_PATH)
+BIN_PATH := $(BUILD_PATH)/bin/local
+RADIUSD_BIN := $(BIN_PATH)/radiusd
+
+ifeq "$(DICT_PATH)" "$(TEST_PATH)"
+LIB_PATH := $(BUILD_PATH)/lib/local/.libs/
+DYLD_LIBRARY_PATH := $(DYLD_LIBRARY_PATH):$(LIB_PATH)
+export DYLD_LIBRARY_PATH
+endif
+
+ifneq "$(OPENSSL_LIBS)" ""
+#
+# Build eapol_test, and cache its output. Note that EAPOL_TEST may not be
+# defined, so we have to run the shell script for the second line, too.
+#
+# Normal expansion will still run the script if EAPOL_TEST_BIN is
+# set but empty, which we don't want.
+#
+ifeq "$(EAPOL_TEST_BIN)" ""
+override EAPOL_TEST_BIN := $(shell $(top_builddir)/scripts/ci/eapol_test-build.sh)
+endif
+
+$(BUILD_PATH)/tests/eapol_test/eapol_test.mk: | $(BUILD_PATH)/tests/eapol_test
+ @echo "EAPOL_TEST=$(EAPOL_TEST_BIN)" > $@
+ @echo "TLS1_3=$(shell openssl ciphers -s -v 'ECDHE:!COMPLEMENTOFDEFAULT'| grep -q 'TLSv1.3' && echo yes)" >> $@
+ @echo "OPENSSL_OK=$(shell openssl version | grep -v ' 1\.0' >/dev/null && echo yes)" >> $@
+ @echo "OPENSSL3_OK=$(shell openssl version | grep -q ' OpenSSL 3\.0' && echo yes)" >> $@
+else
+#
+# No OpenSSL means that we don't even try to build eapol_test
+#
+.PHONY: $(BUILD_PATH)/tests/eapol_test/eapol_test.mk
+$(BUILD_PATH)/tests/eapol_test/eapol_test.mk: | $(BUILD_PATH)/tests/eapol_test
+ @touch $@
+endif
+
+-include $(BUILD_PATH)/tests/eapol_test/eapol_test.mk
+endif
+
+#
+# OpenSSL 1.0.x doesn't support cipher_list="DEFAULT@SECLEVEL=1"
+#
+# If the variable is empty, then OpenSSL isn't OK.
+#
+ifeq "$(OPENSSL_OK)" ""
+SECLEVEL=
+else
+SECLEVEL=@SECLEVEL=1
+endif
+
+#
+# For OpenSSL 3.0.x, as described in https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod
+#
+# "The security strength of SHA1 and MD5 based signatures in TLS has been reduced.
+# This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer working at the
+# default security level of 1 and instead requires security level 0."
+#
+ifeq "$(OPENSSL3_OK)" "yes"
+SECLEVEL=@SECLEVEL=0
+endif
+
+RADDB_PATH := $(top_builddir)/raddb/
+
+TESTS = mschapv1 digest-01/digest* \
+ test.example.com
+
+PORT = 12340
+ACCTPORT = $(shell expr $(PORT) + 1)
+
+# example.com stripped.example.com
+
+SECRET = testing123
+
+.PHONY: all eap dictionary clean
+
+#
+# Build the directory for testing the server
+#
+all: tests
+
+clean:
+ @rm -f test.conf dictionary *.ok *.log $(BUILD_DIR)/tests/eap
+
+dictionary:
+ @echo "# test dictionary. Do not install. Delete at any time." > dictionary; \
+ echo '$$INCLUDE ' $(top_builddir)/share/dictionary >> dictionary; \
+ echo '$$INCLUDE ' $(top_builddir)/src/tests/dictionary.test >> dictionary; \
+ if [ "$(DICT_PATH)" = "$(TEST_PATH)" ]; then \
+ echo '$$INCLUDE ' $(top_builddir)/share/dictionary.dhcp >> dictionary; \
+ echo '$$INCLUDE ' $(top_builddir)/share/dictionary.vqp >> dictionary; \
+ fi
+
+test.conf: dictionary config/eap-test
+ @echo "# test configuration file. Do not install. Delete at any time." > $@
+ @if [ -n "$(LIB_PATH)" ]; then \
+ echo "libdir =" $(LIB_PATH) >> $@; \
+ fi
+ @echo "testdir =" $(TEST_PATH) >> $@
+ @echo 'logdir = $${testdir}' >> $@
+ @echo "maindir =" $(RADDB_PATH) >> $@
+ @echo 'radacctdir = $${testdir}' >> $@
+ @echo 'pidfile = $${testdir}/radiusd.pid' >> $@
+ @echo 'panic_action = "gdb -batch -x $${testdir}/panic.gdb %e %p > $${testdir}/gdb.log 2>&1; cat $${testdir}/gdb.log"' >> $@
+ @echo 'security {' >> $@
+ @echo ' allow_vulnerable_openssl = yes' >> $@
+ @echo '}' >> $@
+ @echo >> $@
+ @echo 'modconfdir = $${maindir}mods-config' >> $@
+ @echo 'certdir = $${maindir}/certs' >> $@
+ @echo 'cadir = $${maindir}/certs' >> $@
+ @echo '$$INCLUDE $${testdir}/config/' >> $@
+ @echo '$$INCLUDE $${maindir}/radiusd.conf' >> $@
+
+#
+# Rename "inner-tunnel", and ensure that it only uses the "eap-test" module.
+#
+config/eap-test-inner-tunnel: $(RADDB_PATH)sites-available/inner-tunnel
+ @sed 's/eap/eap-test/;s/server inner-tunnel/server eap-test-inner-tunnel/' < $< > $@
+
+#
+# * Same renames as above
+# * enable caching
+# * uncomment caching directory
+# * set the minimum TLS version to 1.0 for testing
+# * set the maximum TLS version to 1.2 or 1.3, depending if 1.3 is available
+# * always enable TLS 1.3 for the tests, via the super-secret magic flag.
+# * tell OpenSSL to enable insecure ciphers TLS 1.0 and TLS 1.1
+#
+config/eap-test: $(RADDB_PATH)mods-available/eap config/eap-test-inner-tunnel
+ @sed -e 's/eap {/eap eap-test {/' \
+ -e 's/= inner-tunnel/= eap-test-inner-tunnel/;s/use_tunneled_reply = no/use_tunneled_reply = yes/' \
+ -e 's/enable = no/enable = yes/' \
+ -e 's/^\(.*\)persist_dir =/ persist_dir =/' \
+ -e 's/tls_min_version = "1.2"/tls_min_version = "1.0"/' \
+ -e '$(if $(TLS1_3),s/tls_max_version = "1.2"/tls_max_version = "1.3"/)' \
+ -e 's/cipher_list = "DEFAULT"/cipher_list = "DEFAULT${SECLEVEL}"/' \
+ < $< > $@
+
+radiusd.pid: test.conf
+ @rm -rf $(TEST_PATH)/gdb.log $(TEST_PATH)/radius.log $(TEST_PATH)/tlscache
+ @mkdir -p $(TEST_PATH)/tlscache
+ @printf "Starting server... "
+ @if ! $(RADIUSD_BIN) -Pxxxxml $(TEST_PATH)/radius.log -d ${top_builddir}/src/tests -n test -i 127.0.0.1 -p $(PORT) -D $(DICT_PATH); then \
+ echo "failed"; \
+ echo "Last log entries were:"; \
+ tail -n 20 "$(TEST_PATH)/radius.log"; \
+ fi
+ @echo "ok"
+
+# We can't make this depend on radiusd.pid, because then make will create
+# radiusd.pid when we make radiusd.kill, which we don't want.
+.PHONY: radiusd.kill
+radiusd.kill:
+ @if [ -f radiusd.pid ]; then \
+ ret=0; \
+ if ! ps `cat $(TEST_PATH)/radiusd.pid` >/dev/null 2>&1; then \
+ rm -f radiusd.pid; \
+ echo "FreeRADIUS terminated during test"; \
+ echo "GDB output was:"; \
+ cat "$(TEST_PATH)/gdb.log"; \
+ echo "Last log entries were:"; \
+ tail -n 20 $(TEST_PATH)/radius.log; \
+ ret=1; \
+ fi; \
+ if ! kill -TERM `cat $(TEST_PATH)/radiusd.pid` >/dev/null 2>&1; then \
+ ret=1; \
+ fi; \
+ exit $$ret; \
+ fi
+ @rm -f radiusd.pid
+
+#
+# Run eapol_test if it exists and we built with openssl support.
+# Otherwise do nothing.
+#
+ifneq "$(EAPOL_TEST)" ""
+EAP_FILES = eap-md5.conf
+EAP_TLS_FILES = eap-ttls-pap.conf eap-ttls-mschapv2.conf peap-mschapv2.conf
+EAP_TLS_VERSIONS = 1.1 1.2
+EAP_TLS_DISABLE_STRING = tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1
+
+ifneq "$(TLS1_3)" ""
+EAP_TLS_VERSIONS += 1.3
+EAP_TLS_DISABLE_STRING += tls_disable_tlsv1_3=1
+endif
+
+.PHONY: $(BUILD_PATH)/tests/eap
+$(BUILD_PATH)/tests/eap:
+ @mkdir -p $@
+
+.PHONY: clean.tests.eap
+clean.tests.eap:
+ @rm -rf $(BUILD_PATH)/tests/eap config/tlscache config/eap-test config/eap-test-inner-tunnel
+
+#
+# Set target-specific variables, so that the later shell scripts are rather more understandable.
+#
+# MD5 doesn't use MPPE keys
+#
+$(BUILD_PATH)/tests/eap/%.ok: NO_MPPE = $(filter eap-md5,$(basename $(notdir $@)))
+$(BUILD_PATH)/tests/eap/%.ok: CMD = $(EAPOL_TEST) -c $< -p $(PORT) -s $(SECRET) $(if $(NO_MPPE),-n)
+$(BUILD_PATH)/tests/eap/%.ok: LOG = $(patsubst %.ok,%,$@).log
+
+$(BUILD_PATH)/tests/eap/%.ok: $(top_builddir)/src/tests/%.conf | radiusd.kill $(BUILD_PATH)/tests/eap radiusd.pid radiusd.kill
+ @printf 'EAPOL_TEST %s ' $(notdir $(patsubst %.conf,%,$<))
+ @if ! $(CMD) > $(LOG) 2>&1; then \
+ echo " - " FAILED - command failed; \
+ echo ">>> cmd -" $(CMD); \
+ echo ">>> log -" $(LOG); \
+ echo "===================="; \
+ tail -10 $(LOG); \
+ echo "===================="; \
+ $(MAKE) radiusd.kill; \
+ exit 1; \
+ fi
+ @echo
+ @touch $@
+
+#
+# Don't run the full TLS version tests for CI post-install.
+#
+ifneq "$(prefix)" ""
+#
+# ${1} is the config file
+# ${2} is the TLS version to use.
+#
+# Update the phase1 configuration to enable/disable various TLS versions
+# insert an OpenSSL cipher configuration line by cloning "password" and editing it.
+#
+define EAP_TLS_CONFIG
+$(BUILD_PATH)/tests/eap/${1}-${2}.conf: $(top_builddir)/src/tests/${1}.conf
+ @sed -e 's/phase1="/phase1="$(subst $(subst .,_,${2})=1,$(subst .,_,${2})=0,$(EAP_TLS_DISABLE_STRING)) /' \
+ -e '/password/s/^//p; /password/s/^.*/ openssl_ciphers="DEFAULT${SECLEVEL}"/' \
+ < $$< > $$@
+
+$(BUILD_PATH)/tests/eap/${1}-${2}.ok: $(BUILD_PATH)/tests/eap/${1}-${2}.conf
+ @printf 'EAPOL_TEST %s' $$(notdir $$(patsubst %.ok,%,$$@))
+ @if ! $$(CMD) -r 1 > $$(LOG) 2>&1; then \
+ echo " - " FAILED - command failed; \
+ echo ">>> cmd -" $$(CMD) -r 1; \
+ echo ">>> log -" $$(LOG); \
+ echo "===================="; \
+ tail -10 $$(LOG); \
+ echo "===================="; \
+ $(MAKE) radiusd.kill; \
+ exit 1; \
+ elif ! grep -q '^SSL: Using TLS version TLSv${2}$$$$' $$(patsubst %.ok,%,$$@).log; then \
+ echo " - " FAILED - not using TLS version ${2}; \
+ echo ">>> cmd -" $$(CMD) -r 1; \
+ echo ">>> log -" $$(LOG); \
+ $(MAKE) radiusd.kill; \
+ exit 1; \
+ elif ! grep -q '^OpenSSL: Handshake finished - resumed=1$$$$' $$(patsubst %.ok,%,$$@).log; then \
+ echo " - " FAILED - did not use resumption; \
+ echo ">>> cmd -" $$(CMD) -r 1; \
+ echo ">>> log -" $$(LOG); \
+ $(MAKE) radiusd.kill; \
+ exit 1; \
+ fi
+ @echo
+ @touch $$@
+
+# EAP-FAST doesn't do TLS 1.3
+ifneq "${1}-${2}" "eap-fast-1.3"
+EAP_TLS_VERSION_FILES += $(BUILD_PATH)/tests/eap/${1}-${2}.ok
+endif
+endef
+
+$(foreach FILE,$(patsubst %.conf,%,$(EAP_TLS_FILES)),$(foreach TLS,$(EAP_TLS_VERSIONS),$(eval $(call EAP_TLS_CONFIG,${FILE},${TLS}))))
+endif # there's no "prefix", so we don't run the full EAP tests
+
+EAPOL_OK_FILES := $(sort $(addprefix $(BUILD_PATH)/tests/eap/,$(patsubst %.conf,%.ok, $(notdir $(EAP_TLS_FILES) $(EAP_FILES)))) $(EAP_TLS_VERSION_FILES))
+
+tests.eap: $(EAPOL_OK_FILES) | radiusd.kill radiusd.pid
+ @$(MAKE) radiusd.kill
+
+endif # we have eapol_test built
+
+# kill the server (if it's running)
+# start the server
+# run the tests (ignoring any failures)
+# kill the server
+# remove the changes to raddb/
+tests: test.conf | radiusd.kill radiusd.pid
+ @chmod a+x runtests.sh
+ @BIN_PATH="$(BIN_PATH)" PORT="$(PORT)" ./runtests.sh $(TESTS)
+ifneq "$(EAPOL_TEST)" ""
+ @$(MAKE) tests.eap
+endif