# -*- makefile -*-
##
## Makefile -- Build and run tests for the server.
##
## http://www.freeradius.org/
## $Id$
##
#
# Shared, configure-generated settings for every Makefile in the tree; the
# top_builddir, OPENSSL_LIBS and prefix variables used below are expected to
# come from here.
include ../../Make.inc

# Root of the out-of-tree build products.  eapol_test and the EAP results
# are written under $(BUILD_PATH)/tests/.
BUILD_PATH := $(top_builddir)/build
#
# Build eapol_test if requested to.
#
# The .mk file is generated (or, without OpenSSL, merely touched) by the rules
# in the EAP block below and -included from there.  Because an included file
# with a rule is remade and this Makefile re-read before any goal runs, by the
# time this recipe executes EAPOL_TEST is either the path of the eapol_test
# binary or empty.  Note that an already-existing .mk is not regenerated, so
# the value printed here can be a cached one.
.PHONY: eapol_test
eapol_test: $(BUILD_PATH)/tests/eapol_test/eapol_test.mk
	@echo EAPOL_TEST=$(EAPOL_TEST)
#
# If we're doing anything resembling EAP, then make sure that
# EAPOL_TEST is defined.
#
#
# NOTE(review): as rendered here the "$" before "(findstring" is missing, so
# the left-hand string is never empty and this condition is always true: the
# whole block, including the parse-time $(shell ...) build of eapol_test
# below, runs for every goal (even "clean"), not only for EAP goals.  Confirm
# against the checked-in file; the intended test reads
#   ifneq "$(findstring eap,$(MAKECMDGOALS))" ""
# but TEST_PATH, DICT_PATH, BIN_PATH and RADIUSD_BIN are defined in here and
# used unconditionally further down, so restoring the "$" alone would break
# the non-EAP goals.
#
ifneq "(findstring eap,$(MAKECMDGOALS))" ""
# Scratch directory for the eapol_test build and its cached settings file.
$(BUILD_PATH)/tests/eapol_test:
	@mkdir -p $@

# Paths used by the server start/stop rules and by the generated test.conf.
TEST_PATH := $(top_builddir)/src/tests
DICT_PATH := $(TEST_PATH)
BIN_PATH := $(BUILD_PATH)/bin/local
RADIUSD_BIN := $(BIN_PATH)/radiusd

# Testing against the in-tree dictionaries (the default unless DICT_PATH is
# overridden) also means loading the in-tree libraries, so their directory is
# exported to the macOS dynamic loader.
# NOTE(review): when DYLD_LIBRARY_PATH starts out unset the value begins with
# ":", i.e. an empty search entry -- presumably harmless in a test tree, but
# not a pattern to copy into anything that runs with privileges.
ifeq "$(DICT_PATH)" "$(TEST_PATH)"
LIB_PATH := $(BUILD_PATH)/lib/local/.libs/
DYLD_LIBRARY_PATH := $(DYLD_LIBRARY_PATH):$(LIB_PATH)
export DYLD_LIBRARY_PATH
endif

ifneq "$(OPENSSL_LIBS)" ""
#
# Build eapol_test, and cache its output. Note that EAPOL_TEST may not be
# defined, so we have to run the shell script for the second line, too.
#
# Normal expansion will still run the script if EAPOL_TEST_BIN is
# set but empty, which we don't want.
#
# The build script runs at parse time and its stdout becomes the binary path;
# "override" is needed so that an empty EAPOL_TEST_BIN= given on the command
# line can still be replaced.
#
ifeq "$(EAPOL_TEST_BIN)" ""
override EAPOL_TEST_BIN := $(shell $(top_builddir)/scripts/ci/eapol_test-build.sh)
endif

# Cache the eapol_test path plus three OpenSSL capability flags, each "yes" or
# empty: TLS1_3 (a TLSv1.3 cipher is offered), OPENSSL_OK (the version string
# does not contain " 1.0") and OPENSSL3_OK (it contains " OpenSSL 3.0").
# The $(shell ...) calls are expanded when this recipe runs.  The target has
# only an order-only prerequisite, so once written it is never regenerated
# (and "clean" does not remove it): delete it by hand after changing the
# OpenSSL installation.
# NOTE(review): the OPENSSL3_OK pattern matches 3.0.x only; OpenSSL 3.1 and
# later leave it empty and keep SECLEVEL=1, where the legacy TLS versions
# tested below do not work either.  " OpenSSL 3\." would cover them.
$(BUILD_PATH)/tests/eapol_test/eapol_test.mk: | $(BUILD_PATH)/tests/eapol_test
	@echo "EAPOL_TEST=$(EAPOL_TEST_BIN)" > $@
	@echo "TLS1_3=$(shell openssl ciphers -s -v 'ECDHE:!COMPLEMENTOFDEFAULT'| grep -q 'TLSv1.3' && echo yes)" >> $@
	@echo "OPENSSL_OK=$(shell openssl version | grep -v ' 1\.0' >/dev/null && echo yes)" >> $@
	@echo "OPENSSL3_OK=$(shell openssl version | grep -q ' OpenSSL 3\.0' && echo yes)" >> $@
else
#
# No OpenSSL means that we don't even try to build eapol_test
#
# NOTE(review): touch creates the file when missing but does not empty an
# existing one, so a path cached by an earlier build that had OpenSSL would
# still be -included here.
#
.PHONY: $(BUILD_PATH)/tests/eapol_test/eapol_test.mk
$(BUILD_PATH)/tests/eapol_test/eapol_test.mk: | $(BUILD_PATH)/tests/eapol_test
	@touch $@
endif

# Leading "-": a missing file (first run) is not an error.  Because the file
# has a rule, make builds it and re-reads this Makefile before running the
# goal, which is how EAPOL_TEST/TLS1_3/OPENSSL*_OK become visible below.
-include $(BUILD_PATH)/tests/eapol_test/eapol_test.mk
endif
#
# OpenSSL 1.0.x doesn't support cipher_list="DEFAULT@SECLEVEL=1"
#
# If the variable is empty, then OpenSSL isn't OK.
#
# OPENSSL_OK comes from the cached eapol_test.mk and is "yes" for anything
# newer than 1.0.x; when it is empty no SECLEVEL suffix may be appended at all.
SECLEVEL := $(if $(OPENSSL_OK),@SECLEVEL=1)

#
# For OpenSSL 3.0.x, as described in https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod
#
# "The security strength of SHA1 and MD5 based signatures in TLS has been reduced.
# This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer working at the
# default security level of 1 and instead requires security level 0."
#
# Level 0 is a deliberate downgrade so the legacy-version tests still run; it
# is only ever appended to the cipher_list of the generated config/eap-test.
ifeq "$(OPENSSL3_OK)" "yes"
SECLEVEL := @SECLEVEL=0
endif
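# Trailing slash is deliberate: users write $(RADDB_PATH)sites-available/...
RADDB_PATH := $(top_builddir)/raddb/

# Test cases handed to runtests.sh; the glob is expanded by the shell in the
# "tests" recipe, not by make.
TESTS = mschapv1 digest-01/digest* \
	test.example.com

# The test server is bound to 127.0.0.1:$(PORT) (see radiusd.pid).  ACCTPORT
# is PORT + 1 and is not referenced in this file; ':=' so the expr process
# runs once at parse time instead of on every reference.
PORT = 12340
ACCTPORT := $(shell expr $(PORT) + 1)

# example.com stripped.example.com

# Shared secret for the test server.  A fixed, public value is acceptable
# only because the listener is loopback-only.
SECRET = testing123

# "tests" and "tests.eap" run commands and never produce a file of that
# name.  "dictionary" is a real file but is kept phony so it (and test.conf,
# which depends on it) is regenerated on every run -- presumably intentional.
.PHONY: all eap dictionary clean tests tests.eap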
#
# Build the directory for testing the server
#
# Run the whole suite.  NOTE(review): "all" is not the first rule in this
# file (eapol_test is), so a bare "make" may not run it unless Make.inc sets
# .DEFAULT_GOAL -- confirm, or add ".DEFAULT_GOAL := all" here.
all: tests
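# Remove what this Makefile generates: the test config, the generated
# eap-test module/virtual-server copies, the stamps and logs in this
# directory, and the EAP results under the build tree.  The build-tree path
# uses BUILD_PATH (BUILD_DIR is not defined in this file, so the old rm never
# matched anything) and needs -r because rm -f skips directories; it is only
# removed when top_builddir is set, so the path can never collapse to
# /build/tests/eap.
clean:
	@rm -f test.conf dictionary *.ok *.log config/eap-test config/eap-test-inner-tunnel
	@$(if $(strip $(top_builddir)),rm -rf $(BUILD_PATH)/tests/eap,$(error top_builddir is empty; refusing to remove $(BUILD_PATH)/tests/eap))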
# Write the throw-away dictionary read by the test server: the installed
# share/dictionary, the test additions, and -- when testing against the
# in-tree dictionaries -- the DHCP and VQP dictionaries as well.
# "$$" hands the shell a single "$", which the single quotes keep literal, so
# the file receives a real $INCLUDE directive.
dictionary:
	@{ \
	    echo "# test dictionary. Do not install. Delete at any time."; \
	    echo '$$INCLUDE ' $(top_builddir)/share/dictionary; \
	    echo '$$INCLUDE ' $(top_builddir)/src/tests/dictionary.test; \
	    if [ "$(DICT_PATH)" = "$(TEST_PATH)" ]; then \
	        echo '$$INCLUDE ' $(top_builddir)/share/dictionary.dhcp; \
	        echo '$$INCLUDE ' $(top_builddir)/share/dictionary.vqp; \
	    fi; \
	} > dictionary
# Generate the throw-away server configuration for each run (rebuilt every
# time because "dictionary" is phony).  Notes:
# - libdir is written only when LIB_PATH is set, i.e. when testing against
#   the in-tree dictionaries and libraries.
# - testdir, logdir, radacctdir and pidfile all live under $(TEST_PATH), so
#   the pid file radiusd.kill reads is $(TEST_PATH)/radiusd.pid.
# - panic_action runs gdb on the crashed server and keeps its output in
#   gdb.log, which radiusd.kill prints when the server died during a test.
# - allow_vulnerable_openssl = yes is a test-only setting: presumably it lets
#   the server start on an OpenSSL build it would otherwise refuse, so CI can
#   run on whatever the image ships.  Do not carry it into a real raddb.
# - '$${testdir}' (single quotes, $$ for make) writes a literal ${testdir}
#   for radiusd to expand; "testdir =" $(TEST_PATH) lets make substitute now.
# - the last two lines pull in config/ (eap-test, eap-test-inner-tunnel)
#   before the stock radiusd.conf from $(RADDB_PATH).
test.conf: dictionary config/eap-test
	@echo "# test configuration file. Do not install. Delete at any time." > $@
	@if [ -n "$(LIB_PATH)" ]; then \
	    echo "libdir =" $(LIB_PATH) >> $@; \
	fi
	@echo "testdir =" $(TEST_PATH) >> $@
	@echo 'logdir = $${testdir}' >> $@
	@echo "maindir =" $(RADDB_PATH) >> $@
	@echo 'radacctdir = $${testdir}' >> $@
	@echo 'pidfile = $${testdir}/radiusd.pid' >> $@
	@echo 'panic_action = "gdb -batch -x $${testdir}/panic.gdb %e %p > $${testdir}/gdb.log 2>&1; cat $${testdir}/gdb.log"' >> $@
	@echo 'security {' >> $@
	@echo ' allow_vulnerable_openssl = yes' >> $@
	@echo '}' >> $@
	@echo >> $@
	@echo 'modconfdir = $${maindir}mods-config' >> $@
	@echo 'certdir = $${maindir}/certs' >> $@
	@echo 'cadir = $${maindir}/certs' >> $@
	@echo '$$INCLUDE $${testdir}/config/' >> $@
	@echo '$$INCLUDE $${maindir}/radiusd.conf' >> $@
#
# Rename "inner-tunnel", and ensure that it only uses the "eap-test" module.
#
# Clone raddb's inner-tunnel virtual server as "eap-test-inner-tunnel", with
# the first "eap" on each line pointed at the "eap-test" module instance and
# the server block renamed.
config/eap-test-inner-tunnel: $(RADDB_PATH)sites-available/inner-tunnel
	@sed -e 's/eap/eap-test/' \
	    -e 's/server inner-tunnel/server eap-test-inner-tunnel/' \
	    < $(<) > $(@)
#
# * Same renames as above
# * enable caching
# * uncomment caching directory
# * set the minimum TLS version to 1.0 for testing
# * set the maximum TLS version to 1.2 or 1.3, depending if 1.3 is available
# * always enable TLS 1.3 for the tests, via the super-secret magic flag.
# * tell OpenSSL to enable insecure ciphers TLS 1.0 and TLS 1.1
#
# Generate the eap-test module instance from raddb's mods-available/eap.
# The TLS-version and cipher edits deliberately weaken the module below the
# shipped defaults so the legacy-version tests can run; the result lives in
# config/ and is read only through test.conf, never installed.
# - config/eap-test-inner-tunnel is a prerequisite only so it exists before
#   test.conf includes config/; the recipe reads $< (mods-available/eap).
# - tls_max_version is raised to 1.3 only when TLS1_3 is set; otherwise the
#   $(if ...) leaves an empty -e script (accepted by GNU sed; NOTE(review):
#   confirm for other sed implementations).
# - ${SECLEVEL} (empty, @SECLEVEL=1 or @SECLEVEL=0) is make-expanded before
#   sed runs.
config/eap-test: $(RADDB_PATH)mods-available/eap config/eap-test-inner-tunnel
	@sed -e 's/eap {/eap eap-test {/' \
	    -e 's/= inner-tunnel/= eap-test-inner-tunnel/;s/use_tunneled_reply = no/use_tunneled_reply = yes/' \
	    -e 's/enable = no/enable = yes/' \
	    -e 's/^\(.*\)persist_dir =/ persist_dir =/' \
	    -e 's/tls_min_version = "1.2"/tls_min_version = "1.0"/' \
	    -e '$(if $(TLS1_3),s/tls_max_version = "1.2"/tls_max_version = "1.3"/)' \
	    -e 's/cipher_list = "DEFAULT"/cipher_list = "DEFAULT${SECLEVEL}"/' \
	    < $< > $@
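# Start the test server.  It daemonises and writes $(TEST_PATH)/radiusd.pid
# itself (pidfile in test.conf), which is why this file target has no
# recipe line creating $@.  -i/-p bind it to 127.0.0.1:$(PORT) only, so the
# test listener is never reachable off-host; -l sets the log file, -d the
# config directory, -n test selects test.conf and -D the dictionary
# directory (see radiusd(8) for -P, -x and -m).  Old crash/log output and
# the TLS cache are removed first so a failure report only contains this
# run's data.  A failed start now aborts the build instead of printing
# "failed" followed by "ok" and letting the tests run against nothing.
radiusd.pid: test.conf
	@$(if $(strip $(TEST_PATH)),,$(error TEST_PATH is empty; refusing to clean up))rm -rf $(TEST_PATH)/gdb.log $(TEST_PATH)/radius.log $(TEST_PATH)/tlscache
	@mkdir -p $(TEST_PATH)/tlscache
	@printf "Starting server... "
	@if ! $(RADIUSD_BIN) -Pxxxxml $(TEST_PATH)/radius.log -d $(TEST_PATH) -n test -i 127.0.0.1 -p $(PORT) -D $(DICT_PATH); then \
	    echo "failed"; \
	    echo "Last log entries were:"; \
	    tail -n 20 "$(TEST_PATH)/radius.log"; \
	    exit 1; \
	fi
	@echo "ok"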
# We can't make this depend on radiusd.pid, because then make will create
# radiusd.pid when we make radiusd.kill, which we don't want.
# Stop a running test server and report whether it died on its own.
# - The existence test uses ./radiusd.pid while the pid is read from
#   $(TEST_PATH)/radiusd.pid; both are the same file only when make runs
#   from $(TEST_PATH), which "make -C src/tests" presumably guarantees --
#   NOTE(review): confirm.
# - A server that is no longer running counts as a failure (ret=1): its gdb
#   output and the last log lines are printed, which is how a crash during a
#   test surfaces in CI, and the stale pid file is removed.
# - kill -TERM asks for an orderly shutdown; a failed kill also sets ret=1.
# - The pid is taken on trust from the file this Makefile's own server wrote;
#   nothing checks that the process is still a radiusd, so a recycled pid
#   would be signalled.  Acceptable in a throw-away test tree only.
# - The trailing rm only runs when the if-block succeeded (ret=0 or no file).
.PHONY: radiusd.kill
radiusd.kill:
	@if [ -f radiusd.pid ]; then \
	    ret=0; \
	    if ! ps `cat $(TEST_PATH)/radiusd.pid` >/dev/null 2>&1; then \
	        rm -f radiusd.pid; \
	        echo "FreeRADIUS terminated during test"; \
	        echo "GDB output was:"; \
	        cat "$(TEST_PATH)/gdb.log"; \
	        echo "Last log entries were:"; \
	        tail -n 20 $(TEST_PATH)/radius.log; \
	        ret=1; \
	    fi; \
	    if ! kill -TERM `cat $(TEST_PATH)/radiusd.pid` >/dev/null 2>&1; then \
	        ret=1; \
	    fi; \
	    exit $$ret; \
	fi
	@rm -f radiusd.pid
#
# Run eapol_test if it exists and we built with openssl support.
# Otherwise do nothing.
#
ifneq "$(EAPOL_TEST)" ""
# Configurations run once each, with whatever TLS settings the server offers...
EAP_FILES = eap-md5.conf
# ...and those that are additionally run once per version in EAP_TLS_VERSIONS
# with only that version enabled on the supplicant side (see EAP_TLS_CONFIG).
EAP_TLS_FILES = eap-ttls-pap.conf eap-ttls-mschapv2.conf peap-mschapv2.conf
EAP_TLS_VERSIONS = 1.1 1.2
# eapol_test phase1 settings disabling every TLS version; EAP_TLS_CONFIG flips
# exactly one "=1" to "=0".  TLS 1.0 is never in EAP_TLS_VERSIONS, so it stays
# disabled in every per-version run.
EAP_TLS_DISABLE_STRING = tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1
ifneq "$(TLS1_3)" ""
EAP_TLS_VERSIONS += 1.3
EAP_TLS_DISABLE_STRING += tls_disable_tlsv1_3=1
endif

# Results directory.  Phony so mkdir -p always runs; it is only ever used as
# an order-only prerequisite, so its mtime never triggers rebuilds.
.PHONY: $(BUILD_PATH)/tests/eap
$(BUILD_PATH)/tests/eap:
	@mkdir -p $@

# Remove the EAP results and the generated eap-test configuration.
# NOTE(review): config/tlscache is not a path this Makefile writes; the cache
# directory created by radiusd.pid is $(TEST_PATH)/tlscache -- confirm which
# one is meant.
.PHONY: clean.tests.eap
clean.tests.eap:
	@rm -rf $(BUILD_PATH)/tests/eap config/tlscache config/eap-test config/eap-test-inner-tunnel

#
# Set target-specific variables, so that the later shell scripts are rather more understandable.
#
# MD5 doesn't use MPPE keys
#
# NO_MPPE is "eap-md5" for eap-md5.ok and empty otherwise, and CMD adds -n
# in that case.  LOG is the .ok path with the suffix swapped for .log.  Being
# pattern-specific, these also apply to the per-version .ok rules generated
# by EAP_TLS_CONFIG, whose targets match the same pattern.
$(BUILD_PATH)/tests/eap/%.ok: NO_MPPE = $(filter eap-md5,$(basename $(notdir $@)))
$(BUILD_PATH)/tests/eap/%.ok: CMD = $(EAPOL_TEST) -c $< -p $(PORT) -s $(SECRET) $(if $(NO_MPPE),-n)
$(BUILD_PATH)/tests/eap/%.ok: LOG = $(patsubst %.ok,%,$@).log

# One run per base configuration.  Within a make run each prerequisite is
# built once, so the first .ok target stops any stale server and starts a
# fresh one that the remaining targets share (the repeated radiusd.kill is a
# no-op); tests.eap stops it at the end.  NOTE(review): that sequencing
# relies on a serial make -- under -j the order-only prerequisites may be
# built concurrently.  On failure the last ten log lines are shown, the
# server is stopped and the target fails; the .ok stamp is written only
# after success.
$(BUILD_PATH)/tests/eap/%.ok: $(top_builddir)/src/tests/%.conf | radiusd.kill $(BUILD_PATH)/tests/eap radiusd.pid radiusd.kill
	@printf 'EAPOL_TEST %s ' $(notdir $(patsubst %.conf,%,$<))
	@if ! $(CMD) > $(LOG) 2>&1; then \
	    echo " - " FAILED - command failed; \
	    echo ">>> cmd -" $(CMD); \
	    echo ">>> log -" $(LOG); \
	    echo "===================="; \
	    tail -10 $(LOG); \
	    echo "===================="; \
	    $(MAKE) radiusd.kill; \
	    exit 1; \
	fi
	@echo
	@touch $@

#
# Don't run the full TLS version tests for CI post-install.
#
# NOTE(review): as written the per-version tests run when prefix is set and
# are skipped when it is empty; confirm that matches the intent above.
#
ifneq "$(prefix)" ""
#
# ${1} is the config file
# ${2} is the TLS version to use.
#
# Update the phase1 configuration to enable/disable various TLS versions
# insert an OpenSSL cipher configuration line by cloning "password" and editing it.
#
# Everything written as "$$" survives $(call)/$(eval) and is expanded when the
# generated rule runs ($$<, $$@, $$(CMD), $$(LOG)); the "$$$$" in the grep
# patterns ends up as a single "$" end-of-line anchor for the shell.
#
define EAP_TLS_CONFIG
# Per-version supplicant config: flip "tls_disable_tlsv<ver>=1" to "=0" in
# the phase1 string so only that version is enabled, and duplicate the
# "password" line into an openssl_ciphers="DEFAULT${SECLEVEL}" line (the "p"
# prints the original once before the copy is rewritten).
$(BUILD_PATH)/tests/eap/${1}-${2}.conf: $(top_builddir)/src/tests/${1}.conf
	@sed -e 's/phase1="/phase1="$(subst $(subst .,_,${2})=1,$(subst .,_,${2})=0,$(EAP_TLS_DISABLE_STRING)) /' \
	    -e '/password/s/^//p; /password/s/^.*/ openssl_ciphers="DEFAULT${SECLEVEL}"/' \
	    < $$< > $$@

# Run the per-version test with -r 1 (presumably one re-authentication, so a
# resumed session appears in the log -- confirm against eapol_test's usage),
# then check eapol_test's own log for (a) the negotiated TLS version being
# the one requested and (b) the second handshake being resumed.  A server
# that silently falls back to another version fails the test instead of
# passing by accident.
$(BUILD_PATH)/tests/eap/${1}-${2}.ok: $(BUILD_PATH)/tests/eap/${1}-${2}.conf
	@printf 'EAPOL_TEST %s' $$(notdir $$(patsubst %.ok,%,$$@))
	@if ! $$(CMD) -r 1 > $$(LOG) 2>&1; then \
	    echo " - " FAILED - command failed; \
	    echo ">>> cmd -" $$(CMD) -r 1; \
	    echo ">>> log -" $$(LOG); \
	    echo "===================="; \
	    tail -10 $$(LOG); \
	    echo "===================="; \
	    $(MAKE) radiusd.kill; \
	    exit 1; \
	elif ! grep -q '^SSL: Using TLS version TLSv${2}$$$$' $$(patsubst %.ok,%,$$@).log; then \
	    echo " - " FAILED - not using TLS version ${2}; \
	    echo ">>> cmd -" $$(CMD) -r 1; \
	    echo ">>> log -" $$(LOG); \
	    $(MAKE) radiusd.kill; \
	    exit 1; \
	elif ! grep -q '^OpenSSL: Handshake finished - resumed=1$$$$' $$(patsubst %.ok,%,$$@).log; then \
	    echo " - " FAILED - did not use resumption; \
	    echo ">>> cmd -" $$(CMD) -r 1; \
	    echo ">>> log -" $$(LOG); \
	    $(MAKE) radiusd.kill; \
	    exit 1; \
	fi
	@echo
	@touch $$@
# EAP-FAST doesn't do TLS 1.3
# (eap-fast is not in EAP_TLS_FILES as listed above, so this guard is
# currently inert.)
ifneq "${1}-${2}" "eap-fast-1.3"
EAP_TLS_VERSION_FILES += $(BUILD_PATH)/tests/eap/${1}-${2}.ok
endif
endef
# Instantiate the template for every (file, version) pair.
$(foreach FILE,$(patsubst %.conf,%,$(EAP_TLS_FILES)),$(foreach TLS,$(EAP_TLS_VERSIONS),$(eval $(call EAP_TLS_CONFIG,${FILE},${TLS}))))
endif # there's no "prefix", so we don't run the full EAP tests

# All stamp files: one per base configuration plus the per-version ones
# collected by EAP_TLS_CONFIG (none when prefix is unset).
EAPOL_OK_FILES := $(sort $(addprefix $(BUILD_PATH)/tests/eap/,$(patsubst %.conf,%.ok, $(notdir $(EAP_TLS_FILES) $(EAP_FILES)))) $(EAP_TLS_VERSION_FILES))

# Run every EAP test, then stop the server the .ok targets started.
# NOTE(review): not declared .PHONY, so a stray file named "tests.eap" would
# make this target look up to date.
tests.eap: $(EAPOL_OK_FILES) | radiusd.kill radiusd.pid
	@$(MAKE) radiusd.kill
endif # we have eapol_test built
# kill the server (if it's running)
# start the server
# run the tests (ignoring any failures)
# kill the server
# remove the changes to raddb/
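# Entry point for the non-EAP suite.  The order-only prerequisites stop any
# stale server and start a fresh one; runtests.sh then drives it via
# BIN_PATH/PORT, the EAP suite follows when eapol_test was built, and the
# server is stopped at the end -- also when runtests.sh fails, so a failed
# run cannot leave a radiusd listening on $(PORT) (previously the server was
# only stopped by tests.eap, i.e. never without eapol_test).  The final
# radiusd.kill is a no-op when tests.eap already stopped the server; a
# server that died on its own makes it fail, which is the intended signal.
# chmod is needed because runtests.sh may be checked out without the
# executable bit.
tests: test.conf | radiusd.kill radiusd.pid
	@chmod a+x runtests.sh
	@BIN_PATH="$(BIN_PATH)" PORT="$(PORT)" ./runtests.sh $(TESTS) || { $(MAKE) radiusd.kill; exit 1; }
ifneq "$(EAPOL_TEST)" ""
	@$(MAKE) tests.eap
endif
	@$(MAKE) radiusd.kill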