12 files changed, 351 insertions, 0 deletions

diff --git a/src/tests/tls/README.md b/src/tests/tls/README.md
new file mode 100644
index 0000000..e0cb686
--- /dev/null
+++ b/src/tests/tls/README.md
@@ -0,0 +1,40 @@
+# Tests for TLS
+
+You will need at least 3 terminal windows:
+
+1. Home Server
+
+```
+./radiusd-home.sh
+```
+
+This server receives Access-Request packets over TLS, and sends Access-Accept.
+
+2. Proxy server
+
+```
+./radiusd-proxy.sh
+```
+
+This server receives Access-Request packets over UDP, and proxies them to the home server.
+
+3. Client(s)
+
+Send one packet:
+
+```
+./radclient.sh
+```
+
+Send 500,000 packets:
+
+```
+./radclient.sh -c 500000
+```
+
+You can also send accounting packets:
+
+```
+./radacct.sh
+```
+
diff --git a/src/tests/tls/acct b/src/tests/tls/acct
new file mode 100644
index 0000000..c246714
--- /dev/null
+++ b/src/tests/tls/acct
@@ -0,0 +1,7 @@
+User-Name = "bob"
+Acct-Session-Id := "0000"
+Acct-Status-Type = Start
+Called-Station-Id := "00:01:02:03"
+Calling-Station-Id := "04:05:06:07"
+Message-Authenticator = 0x00
+Framed-IP-Address = 127.0.0.1
diff --git a/src/tests/tls/block.sh b/src/tests/tls/block.sh
new file mode 100755
index 0000000..20d8bab
--- /dev/null
+++ b/src/tests/tls/block.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# Simple script blocking requests from proxy to home server
+#
+#  This works only on Linux.  It can be used to create random networking issues.
+
+if [ $UID -ne 0 ]; then
+        echo "Only 'root' can modify 'iptables' rules"
+        exit 1
+fi
+
+# avoid keep the server blocked
+function trap_ctrlc ()
+{
+        echo "Ctrl-C caught...performing clean up"
+
+        iptables -D INPUT -p tcp --dport 2083 -j REJECT 1> /dev/null 2>&1
+        exit 0
+}
+
+trap "trap_ctrlc" 2
+
+MAXWAIT=5
+while true; do
+        _wait="$((RANDOM % MAXWAIT))"
+
+        echo "(*) Blocking the port 2083 for ${_wait}s"
+        iptables -A INPUT -p tcp --dport 2083 -j REJECT
+        sleep $_wait
+
+        echo "(*) Allowing the port 2083 for ${_wait}s"
+        iptables -D INPUT -p tcp --dport 2083 -j REJECT
+        sleep $_wait
+done
diff --git a/src/tests/tls/common.sh b/src/tests/tls/common.sh
new file mode 100644
index 0000000..020345b
--- /dev/null
+++ b/src/tests/tls/common.sh
@@ -0,0 +1,12 @@
+#
+#  Common definitions.
+#
+DIR=$(dirname $0)/../../..
+PROGRAM=$(basename $0)
+
+export RADDB=$DIR/raddb
+export FR_LOCAL_PREFIX=`cat prefix 2>/dev/null`
+export TEST_PATH=$(dirname $0)/
+export LIB_PATH=$DIR/build/lib/local/
+export FR_LIBRARY_PATH=$DIR/build/lib/local/.libs/
+
diff --git a/src/tests/tls/home/radiusd.conf b/src/tests/tls/home/radiusd.conf
new file mode 100644
index 0000000..69d44f7
--- /dev/null
+++ b/src/tests/tls/home/radiusd.conf
@@ -0,0 +1,105 @@
+#
+#  Minimal radiusd.conf for testing
+#
+raddb        = $ENV{RADDB}
+modconfdir   = ${raddb}/mods-config
+testdir      = $ENV{TEST_PATH}
+pidfile      = ${testdir}/radiusd.pid
+panic_action = "gdb -batch -x ${raddb}/panic.gdb %e %p > ${testdir}/gdb-radiusd.log 2>&1; cat ${testdir}/gdb-radiusd.log"
+certdir      = ${raddb}/certs
+cadir        = ${raddb}/certs
+libdir       = $ENV{LIB_PATH}
+
+max_requests = 1048576
+
+thread pool {
+	start_servers = 5
+	max_servers = 32
+	min_spare_servers = 3
+	max_spare_servers = 10
+	max_requests_per_server = 0
+	cleanup_delay = 5
+	max_queue_size = 65536
+	auto_limit_acct = no
+}
+
+#
+#  Referenced by some modules for default thread pool configuration
+#
+modules {
+	
+$INCLUDE ${raddb}/mods-available/always
+}
+
+clients radsec {
+	client home {
+		ipaddr = 127.0.0.1
+		proto = tls
+	}
+}
+
+listen {
+	type = auth
+
+	ipaddr = 127.0.0.1
+	port = $ENV{FR_LOCAL_PREFIX}2083
+	proto = tcp
+
+	clients = radsec
+
+	virtual_server = default
+
+	tls {
+		private_key_password = whatever
+		private_key_file = ${certdir}/server.pem
+		certificate_file = ${certdir}/server.pem
+		ca_file = ${cadir}/ca.pem
+		fragment_size = 8192
+		ca_path = ${cadir}
+		cipher_list = "DEFAULT"
+		tls_min_version = "1.2"
+		tls_max_version = "1.2"
+	}
+}
+
+listen {
+	type = acct
+
+	ipaddr = 127.0.0.1
+	port = $ENV{FR_LOCAL_PREFIX}2084
+	proto = tcp
+
+	clients = radsec
+
+	virtual_server = default
+
+	tls {
+		private_key_password = whatever
+		private_key_file = ${certdir}/server.pem
+		certificate_file = ${certdir}/server.pem
+		ca_file = ${cadir}/ca.pem
+		fragment_size = 8192
+		ca_path = ${cadir}
+		cipher_list = "DEFAULT"
+		tls_min_version = "1.3"
+		tls_max_version = "1.3"
+	}
+}
+
+server default {
+	authorize {
+		update control {
+			Auth-Type := accept
+		}
+	}
+
+	preacct {
+		update control {
+			Response-Packet-Type := Accounting-Response
+		}
+	}
+
+	acct {
+		ok
+	}
+}
diff --git a/src/tests/tls/proxy/proxy.conf b/src/tests/tls/proxy/proxy.conf
new file mode 100644
index 0000000..e2631c4
--- /dev/null
+++ b/src/tests/tls/proxy/proxy.conf
@@ -0,0 +1,59 @@
+home_server home {
+	ipaddr = 127.0.0.1
+	port = $ENV{FR_LOCAL_PREFIX}2083
+	type = auth
+	secret = radsec
+	proto = tcp
+	status_check = none
+
+	nonblock = yes
+
+	revive_interval = 10
+
+	tls {
+		private_key_password = whatever
+		private_key_file = ${certdir}/client.pem
+		certificate_file = ${certdir}/client.pem
+		ca_file = ${cadir}/ca.pem
+		fragment_size = 8192
+		ca_path = ${cadir}
+		cipher_list = "DEFAULT"
+		tls_min_version = "1.2"
+		tls_max_version = "1.2"
+	}
+}
+
+home_server_pool home {
+	type = fail-over
+	home_server = home
+}
+
+home_server home_acct {
+	ipaddr = 127.0.0.1
+	port = $ENV{FR_LOCAL_PREFIX}2084
+	type = acct
+	secret = radsec
+	proto = tcp
+	status_check = none
+
+#	nonblock = yes
+
+	revive_interval = 10
+
+	tls {
+		private_key_password = whatever
+		private_key_file = ${certdir}/client.pem
+		certificate_file = ${certdir}/client.pem
+		ca_file = ${cadir}/ca.pem
+		fragment_size = 8192
+		ca_path = ${cadir}
+		cipher_list = "DEFAULT"
+		tls_min_version = "1.3"
+		tls_max_version = "1.3"
+	}
+}
+
+home_server_pool home_acct {
+	type = fail-over
+	home_server = home_acct
+}
diff --git a/src/tests/tls/proxy/radiusd.conf b/src/tests/tls/proxy/radiusd.conf
new file mode 100644
index 0000000..8e0577d
--- /dev/null
+++ b/src/tests/tls/proxy/radiusd.conf
@@ -0,0 +1,63 @@
+raddb        = $ENV{RADDB}
+modconfdir   = ${raddb}/mods-config
+testdir      = $ENV{TEST_PATH}/proxy
+pidfile      = ${testdir}/radiusd.pid
+panic_action = "gdb -batch -x ${raddb}/panic.gdb %e %p > ${testdir}/gdb-radiusd.log 2>&1; cat ${testdir}/gdb-radiusd.log"
+certdir      = ${raddb}/certs
+cadir        = ${raddb}/certs
+libdir       = $ENV{LIB_PATH}
+
+max_requests = 1048576
+
+thread pool {
+	start_servers = 5
+	max_servers = 32
+	min_spare_servers = 3
+	max_spare_servers = 10
+	max_requests_per_server = 0
+	cleanup_delay = 5
+	max_queue_size = 65536
+	auto_limit_acct = no
+}
+
+#
+# Minimum configuration for Proxy Server -> SRADIUSD
+#
+$INCLUDE ${testdir}/proxy.conf
+
+client local_test {
+	ipaddr = 127.0.0.1
+	secret = testing123
+	proto = *
+}
+
+listen {
+	type = auth
+	ipaddr = 127.0.0.1
+	port = $ENV{FR_LOCAL_PREFIX}1812
+	proto = udp
+	virtual_server = default
+}
+
+listen {
+	type = acct
+	ipaddr = 127.0.0.1
+	port = $ENV{FR_LOCAL_PREFIX}1813
+	proto = udp
+	virtual_server = default
+}
+
+
+server default {
+	authorize {
+		update control {
+			&Home-Server-Pool = "home"
+		}
+	}
+
+	preacct {
+		update control {
+			&Home-Server-Pool = "home_acct"
+		}
+	}
+}
diff --git a/src/tests/tls/radacct.sh b/src/tests/tls/radacct.sh
new file mode 100755
index 0000000..0469727
--- /dev/null
+++ b/src/tests/tls/radacct.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+. $(dirname $0)/common.sh
+
+#
+#  Run radclient acct
+#
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radclient -d $(dirname $0)/home -D $DIR/share/ -f acct $@ localhost:${FR_LOCAL_PREFIX}1813 acct testing123
diff --git a/src/tests/tls/radclient.sh b/src/tests/tls/radclient.sh
new file mode 100755
index 0000000..e82386e
--- /dev/null
+++ b/src/tests/tls/radclient.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+. $(dirname $0)/common.sh
+
+#
+#  Run radclient auth
+#
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radclient -d $(dirname $0)/home -D $DIR/share/ -f user_password $@ localhost:${FR_LOCAL_PREFIX}1812 auth testing123
diff --git a/src/tests/tls/radiusd-home.sh b/src/tests/tls/radiusd-home.sh
new file mode 100755
index 0000000..ea2e694
--- /dev/null
+++ b/src/tests/tls/radiusd-home.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+. $(dirname $0)/common.sh
+
+#
+#  Run the home server.
+#
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radiusd -d $(dirname $0)/home -D $DIR/share/ -fxx -l stdout $@
diff --git a/src/tests/tls/radiusd-proxy.sh b/src/tests/tls/radiusd-proxy.sh
new file mode 100755
index 0000000..65f8066
--- /dev/null
+++ b/src/tests/tls/radiusd-proxy.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+. $(dirname $0)/common.sh
+
+#
+#  Run the proxy server.
+#
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radiusd -d $(dirname $0)/proxy -D $DIR/share/ -fxx -l stdout $@
diff --git a/src/tests/tls/user_password b/src/tests/tls/user_password
new file mode 100644
index 0000000..9d0a12c
--- /dev/null
+++ b/src/tests/tls/user_password
@@ -0,0 +1,3 @@
+User-Name = "bob"
+User-Password = "bob"
+Message-Authenticator = 0x00