author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 14:11:00 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 14:11:00 +0000 |
commit | af754e596a8dbb05ed8580c342e7fe02e08b28e0 (patch) | |
tree | b2f334c2b55ede42081aa6710a72da784547d8ea /src/tests/tls | |
parent | Initial commit. (diff) | |
download | freeradius-af754e596a8dbb05ed8580c342e7fe02e08b28e0.tar.xz freeradius-af754e596a8dbb05ed8580c342e7fe02e08b28e0.zip |
Adding upstream version 3.2.3+dfsg.upstream/3.2.3+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/tests/tls')
-rw-r--r-- | src/tests/tls/README.md | 40 | ||||
-rw-r--r-- | src/tests/tls/acct | 7 | ||||
-rwxr-xr-x | src/tests/tls/block.sh | 34 | ||||
-rw-r--r-- | src/tests/tls/common.sh | 12 | ||||
-rw-r--r-- | src/tests/tls/home/radiusd.conf | 105 | ||||
-rw-r--r-- | src/tests/tls/proxy/proxy.conf | 59 | ||||
-rw-r--r-- | src/tests/tls/proxy/radiusd.conf | 63 | ||||
-rwxr-xr-x | src/tests/tls/radacct.sh | 7 | ||||
-rwxr-xr-x | src/tests/tls/radclient.sh | 7 | ||||
-rwxr-xr-x | src/tests/tls/radiusd-home.sh | 7 | ||||
-rwxr-xr-x | src/tests/tls/radiusd-proxy.sh | 7 | ||||
-rw-r--r-- | src/tests/tls/user_password | 3 |
12 files changed, 351 insertions, 0 deletions
diff --git a/src/tests/tls/README.md b/src/tests/tls/README.md
new file mode 100644
index 0000000..e0cb686
--- /dev/null
+++ b/src/tests/tls/README.md
@@ -0,0 +1,40 @@
+# Tests for TLS
+
+You will need at least 3 terminal windows:
+
+1. Home Server
+
+```
+./radiusd-home.sh
+```
+
+This server receives Access-Request packets over TLS, and sends Access-Accept.
+
+2. Proxy server
+
+```
+./radiusd-proxy.sh
+```
+
+This server receives Access-Request packets over UDP, and proxies them to the home server.
+
+3. Client(s)
+
+Send one packet:
+
+```
+./radclient.sh
+```
+
+Send 500,000 packets:
+
+```
+./radclient.sh -c 500000
+```
+
+You can also send accounting packets:
+
+```
+./radacct.sh
+```
+
diff --git a/src/tests/tls/acct b/src/tests/tls/acct
new file mode 100644
index 0000000..c246714
--- /dev/null
+++ b/src/tests/tls/acct
@@ -0,0 +1,7 @@
+User-Name = "bob"
+Acct-Session-Id := "0000"
+Acct-Status-Type = Start
+Called-Station-Id := "00:01:02:03"
+Calling-Station-Id := "04:05:06:07"
+Message-Authenticator = 0x00
+Framed-IP-Address = 127.0.0.1
diff --git a/src/tests/tls/block.sh b/src/tests/tls/block.sh
new file mode 100755
index 0000000..20d8bab
--- /dev/null
+++ b/src/tests/tls/block.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# Simple script blocking requests from proxy to home server
+#
+# This works only on Linux. It can be used to create random networking issues.
+
+if [ $UID -ne 0 ]; then
+ echo "Only 'root' can modify 'iptables' rules"
+ exit 1
+fi
+
+# avoid keep the server blocked
+function trap_ctrlc ()
+{
+ echo "Ctrl-C caught...performing clean up"
+
+ iptables -D INPUT -p tcp --dport 2083 -j REJECT 1> /dev/null 2>&1
+ exit 0
+}
+
+trap "trap_ctrlc" 2
+
+MAXWAIT=5
+while true; do
+ _wait="$((RANDOM % MAXWAIT))"
+
+ echo "(*) Blocking the port 2083 for ${_wait}s"
+ iptables -A INPUT -p tcp --dport 2083 -j REJECT
+ sleep $_wait
+
+ echo "(*) Allowing the port 2083 for ${_wait}s"
+ iptables -D INPUT -p tcp --dport 2083 -j REJECT
+ sleep $_wait
+done
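Review bot: The cleanup handler registered by `trap "trap_ctrlc" 2` runs only on SIGINT, so a SIGTERM or SIGHUP delivered while the loop sits between `iptables -A` and `iptables -D` leaves the REJECT rule on port 2083 in place, which is exactly what the comment above `trap_ctrlc` says the script wants to avoid; `trap trap_ctrlc INT TERM HUP` covers the usual termination paths with no other change. The port is also hard-coded as 2083 while home/radiusd.conf listens on `$ENV{FR_LOCAL_PREFIX}2083` and block.sh does not source common.sh, so with a non-empty prefix the rule would presumably block the wrong port — if that is accepted for this helper, a comment such as `# NOTE: assumes FR_LOCAL_PREFIX is empty; keep in sync with home/radiusd.conf` records it. `[ $UID -ne 0 ]` and the `function name ()` form are bash-specific, which is consistent with the `#!/bin/bash` shebang.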
diff --git a/src/tests/tls/common.sh b/src/tests/tls/common.sh
new file mode 100644
index 0000000..020345b
--- /dev/null
+++ b/src/tests/tls/common.sh
@@ -0,0 +1,12 @@
+#
+# Common definitions.
+#
+DIR=$(dirname $0)/../../..
+PROGRAM=$(basename $0)
+
+export RADDB=$DIR/raddb
+export FR_LOCAL_PREFIX=`cat prefix 2>/dev/null`
+export TEST_PATH=$(dirname $0)/
+export LIB_PATH=$DIR/build/lib/local/
+export FR_LIBRARY_PATH=$DIR/build/lib/local/.libs/
+
diff --git a/src/tests/tls/home/radiusd.conf b/src/tests/tls/home/radiusd.conf
new file mode 100644
index 0000000..69d44f7
--- /dev/null
+++ b/src/tests/tls/home/radiusd.conf
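Review bot: `export FR_LOCAL_PREFIX=\`cat prefix 2>/dev/null\`` reads `prefix` relative to the caller's working directory rather than the script's, and the silenced stderr hides the difference, so running the wrappers from another directory yields an empty prefix while home/radiusd.conf and proxy.conf still build their listen and home-server ports from it. If the file is meant to sit next to the scripts, `export FR_LOCAL_PREFIX=$(cat "$(dirname "$0")/prefix" 2>/dev/null)` makes that explicit; if it is meant to come from the cwd, a comment saying so would do. `DIR=$(dirname $0)/../../..` and `export TEST_PATH=$(dirname $0)/` leave `$0` unquoted, which breaks under a checkout path containing whitespace; `$(dirname "$0")` is the POSIX-safe form for the `#!/bin/sh` scripts that source this file. Because radacct.sh, radclient.sh, radiusd-home.sh and radiusd-proxy.sh all derive `DIR` from here, this is the one place to fix it.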
@@ -0,0 +1,105 @@
+#
+# Minimal radiusd.conf for testing
+#
+raddb = $ENV{RADDB}
+modconfdir = ${raddb}/mods-config
+testdir = $ENV{TEST_PATH}
+pidfile = ${testdir}/radiusd.pid
+panic_action = "gdb -batch -x ${raddb}/panic.gdb %e %p > ${testdir}/gdb-radiusd.log 2>&1; cat ${testdir}/gdb-radiusd.log"
+certdir = ${raddb}/certs
+cadir = ${raddb}/certs
+libdir = $ENV{LIB_PATH}
+
+max_requests = 1048576
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+ cleanup_delay = 5
+ max_queue_size = 65536
+ auto_limit_acct = no
+}
+
+#
+# Referenced by some modules for default thread pool configuration
+#
+modules {
+
+$INCLUDE ${raddb}/mods-available/always
+}
+
+clients radsec {
+ client home {
+ ipaddr = 127.0.0.1
+ proto = tls
+ }
+}
+
+listen {
+ type = auth
+
+ ipaddr = 127.0.0.1
+ port = $ENV{FR_LOCAL_PREFIX}2083
+ proto = tcp
+
+ clients = radsec
+
+ virtual_server = default
+
+ tls {
+ private_key_password = whatever
+ private_key_file = ${certdir}/server.pem
+ certificate_file = ${certdir}/server.pem
+ ca_file = ${cadir}/ca.pem
+ fragment_size = 8192
+ ca_path = ${cadir}
+ cipher_list = "DEFAULT"
+ tls_min_version = "1.2"
+ tls_max_version = "1.2"
+ }
+}
+
+listen {
+ type = acct
+
+ ipaddr = 127.0.0.1
+ port = $ENV{FR_LOCAL_PREFIX}2084
+ proto = tcp
+
+ clients = radsec
+
+ virtual_server = default
+
+ tls {
+ private_key_password = whatever
+ private_key_file = ${certdir}/server.pem
+ certificate_file = ${certdir}/server.pem
+ ca_file = ${cadir}/ca.pem
+ fragment_size = 8192
+ ca_path = ${cadir}
+ cipher_list = "DEFAULT"
+ tls_min_version = "1.3"
+ tls_max_version = "1.3"
+ }
+}
+
+server default {
+ authorize {
+ update control {
+ Auth-Type := accept
+ }
+ }
+
+ preacct {
+ update control {
+ Response-Packet-Type := Accounting-Response
+ }
+ }
+
+ acct {
+ ok
+ }
+}
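Review bot: The auth listener pins `tls_min_version = "1.2"` / `tls_max_version = "1.2"` while the acct listener pins `"1.3"` / `"1.3"`, and nothing in the file says this is deliberate, so a later edit "aligning" the two listeners would quietly drop one of the protocol versions this test exercises. A comment on each `tls {` block, e.g. `# auth listener deliberately pinned to TLS 1.2, acct to 1.3; the proxy side in proxy/proxy.conf mirrors this`, would record the intent; the same split appears in src/tests/tls/proxy/proxy.conf. The `client home` entry under `clients radsec` sets no `secret`, so whatever default the server applies for `proto = tls` has to match the `secret = radsec` in proxy.conf — presumably it does, but writing `secret = radsec` here would make that pairing visible to whoever copies this configuration. `private_key_password = whatever` and the shared `server.pem` are test-fixture values from `${raddb}/certs`, which is fine for a loopback test but worth the same one-line comment so the file is not used as a template.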
diff --git a/src/tests/tls/proxy/proxy.conf b/src/tests/tls/proxy/proxy.conf
new file mode 100644
index 0000000..e2631c4
--- /dev/null
+++ b/src/tests/tls/proxy/proxy.conf
@@ -0,0 +1,59 @@
+home_server home {
+ ipaddr = 127.0.0.1
+ port = $ENV{FR_LOCAL_PREFIX}2083
+ type = auth
+ secret = radsec
+ proto = tcp
+ status_check = none
+
+ nonblock = yes
+
+ revive_interval = 10
+
+ tls {
+ private_key_password = whatever
+ private_key_file = ${certdir}/client.pem
+ certificate_file = ${certdir}/client.pem
+ ca_file = ${cadir}/ca.pem
+ fragment_size = 8192
+ ca_path = ${cadir}
+ cipher_list = "DEFAULT"
+ tls_min_version = "1.2"
+ tls_max_version = "1.2"
+ }
+}
+
+home_server_pool home {
+ type = fail-over
+ home_server = home
+}
+
+home_server home_acct {
+ ipaddr = 127.0.0.1
+ port = $ENV{FR_LOCAL_PREFIX}2084
+ type = acct
+ secret = radsec
+ proto = tcp
+ status_check = none
+
+# nonblock = yes
+
+ revive_interval = 10
+
+ tls {
+ private_key_password = whatever
+ private_key_file = ${certdir}/client.pem
+ certificate_file = ${certdir}/client.pem
+ ca_file = ${cadir}/ca.pem
+ fragment_size = 8192
+ ca_path = ${cadir}
+ cipher_list = "DEFAULT"
+ tls_min_version = "1.3"
+ tls_max_version = "1.3"
+ }
+}
+
+home_server_pool home_acct {
+ type = fail-over
+ home_server = home_acct
+}
diff --git a/src/tests/tls/proxy/radiusd.conf b/src/tests/tls/proxy/radiusd.conf
new file mode 100644
index 0000000..8e0577d
--- /dev/null
+++ b/src/tests/tls/proxy/radiusd.conf
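Review bot: `nonblock = yes` is enabled on `home_server home` but left as the commented-out `# nonblock = yes` on `home_server home_acct`, with nothing saying whether the accounting home server is meant to use blocking I/O or whether the line was disabled while debugging; the next reader is as likely to enable it as to delete it. A comment beside it giving the actual reason, e.g. `# nonblock intentionally off for acct: <reason>`, settles that. `status_check = none` on both home servers also means a blocked port (what block.sh simulates) is only noticed through request failures and `revive_interval = 10`, which is presumably the point of the test and deserves a one-line comment too.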
@@ -0,0 +1,63 @@
+raddb = $ENV{RADDB}
+modconfdir = ${raddb}/mods-config
+testdir = $ENV{TEST_PATH}/proxy
+pidfile = ${testdir}/radiusd.pid
+panic_action = "gdb -batch -x ${raddb}/panic.gdb %e %p > ${testdir}/gdb-radiusd.log 2>&1; cat ${testdir}/gdb-radiusd.log"
+certdir = ${raddb}/certs
+cadir = ${raddb}/certs
+libdir = $ENV{LIB_PATH}
+
+max_requests = 1048576
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+ cleanup_delay = 5
+ max_queue_size = 65536
+ auto_limit_acct = no
+}
+
+#
+# Minimum configuration for Proxy Server -> SRADIUSD
+#
+$INCLUDE ${testdir}/proxy.conf
+
+client local_test {
+ ipaddr = 127.0.0.1
+ secret = testing123
+ proto = *
+}
+
+listen {
+ type = auth
+ ipaddr = 127.0.0.1
+ port = $ENV{FR_LOCAL_PREFIX}1812
+ proto = udp
+ virtual_server = default
+}
+
+listen {
+ type = acct
+ ipaddr = 127.0.0.1
+ port = $ENV{FR_LOCAL_PREFIX}1813
+ proto = udp
+ virtual_server = default
+}
+
+
+server default {
+ authorize {
+ update control {
+ &Home-Server-Pool = "home"
+ }
+ }
+
+ preacct {
+ update control {
+ &Home-Server-Pool = "home_acct"
+ }
+ }
+}
diff --git a/src/tests/tls/radacct.sh b/src/tests/tls/radacct.sh
new file mode 100755
index 0000000..0469727
--- /dev/null
+++ b/src/tests/tls/radacct.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+. $(dirname $0)/common.sh
+
+#
+# Run radclient acct
+#
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radclient -d $(dirname $0)/home -D $DIR/share/ -f acct $@ localhost:${FR_LOCAL_PREFIX}1813 acct testing123
diff --git a/src/tests/tls/radclient.sh b/src/tests/tls/radclient.sh
new file mode 100755
index 0000000..e82386e
--- /dev/null
+++ b/src/tests/tls/radclient.sh
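Review bot: `$@` on the `exec` line of radacct.sh is unquoted, so under `#!/bin/sh` any wrapper argument containing whitespace is re-split before it reaches radclient, and `. $(dirname $0)/common.sh` and `-d $(dirname $0)/home` leave `$0` unquoted for the same reason; `"$@"` and `$(dirname "$0")` are the POSIX forms. The same pattern is in radclient.sh, radiusd-home.sh and radiusd-proxy.sh. `$FR_DEBUGGER` is presumably left unquoted on purpose so an unset value vanishes from the command line and a multi-word value is split, which is worth a comment such as `# $FR_DEBUGGER intentionally unquoted: empty disappears, "gdb --args" splits` so it is not "fixed" along with the rest. The `testing123` secret and loopback target match `client local_test` in proxy/radiusd.conf and are test fixtures.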
@@ -0,0 +1,7 @@
+#!/bin/sh
+. $(dirname $0)/common.sh
+
+#
+# Run radclient auth
+#
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radclient -d $(dirname $0)/home -D $DIR/share/ -f user_password $@ localhost:${FR_LOCAL_PREFIX}1812 auth testing123
diff --git a/src/tests/tls/radiusd-home.sh b/src/tests/tls/radiusd-home.sh
new file mode 100755
index 0000000..ea2e694
--- /dev/null
+++ b/src/tests/tls/radiusd-home.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+. $(dirname $0)/common.sh
+
+#
+# Run the home server.
+#
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radiusd -d $(dirname $0)/home -D $DIR/share/ -fxx -l stdout $@
diff --git a/src/tests/tls/radiusd-proxy.sh b/src/tests/tls/radiusd-proxy.sh
new file mode 100755
index 0000000..65f8066
--- /dev/null
+++ b/src/tests/tls/radiusd-proxy.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+. $(dirname $0)/common.sh
+
+#
+# Run the proxy server.
+#
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radiusd -d $(dirname $0)/proxy -D $DIR/share/ -fxx -l stdout $@
diff --git a/src/tests/tls/user_password b/src/tests/tls/user_password
new file mode 100644
index 0000000..9d0a12c
--- /dev/null
+++ b/src/tests/tls/user_password
@@ -0,0 +1,3 @@
+User-Name = "bob"
+User-Password = "bob"
+Message-Authenticator = 0x00 |