首頁 探索 說明
登入
vimacs
/
openconnect
關註 1
讚好 0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
分支: h3cssl
分支列表 標籤列表
openconnect
/
tests
/
pfs

pfs 2.2 KB
永久連結 文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. #!/bin/sh
    2. 

  2. #
    3. 

  3. # Copyright (C) 2020 Daniel Lenski
    4. 

  4. #
    5. 

  5. # This file is part of openconnect.
    6. 

  6. #
    7. 

  7. # This is free software; you can redistribute it and/or
    8. 

  8. # modify it under the terms of the GNU Lesser General Public License
    9. 

  9. # as published by the Free Software Foundation; either version 2.1 of
    10. 

  10. # the License, or (at your option) any later version.
    11. 

  11. #
    12. 

  12. # This library is distributed in the hope that it will be useful, but
    13. 

  13. # WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    15. 

  15. # Lesser General Public License for more details.
    16. 

  16. #
    17. 

  17. # You should have received a copy of the GNU Lesser General Public License
    18. 

  18. # along with this program.  If not, see <http://www.gnu.org/licenses/>
    19. 

  19. 

  20. # This test uses LD_PRELOAD
    21. 

  21. PRELOAD=1
    22. 

  22. SERV="${SERV:-../src/ocserv}"
    23. 

  23. srcdir=${srcdir:-.}
    24. 

  24. top_builddir=${top_builddir:-..}
    25. 

  25. 

  26. . `dirname $0`/common.sh
    27. 

  27. 

  28. ########################################
    29. 

  29. # Verify that we cannot connect to a server offering only RSA key exchange
    30. 

  30. # IF --pfs is specified to require perfect forward secrecy, but that we
    31. 

  31. # CAN connect if it is not specified.
    32. 

  32. ########################################
    33. 

  33. 

  34. echo "Testing against server without PFS..."
    35. 

  35. 

  36. # Need to disable TLS 1.3 here because GnuTLS v3.6.13 is allowing non-RSA KX with TLS 1.3, even with -KX-ALL
    37. 

  37. # But can't use -VERS-TLS1.3 here, because it's not known to earlier versions of GnuTLS.
    38. 

  38. PORT=4569
    39. 

  39. TLS_PRIORITIES="LEGACY:%SERVER_PRECEDENCE:%COMPAT:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:-KX-ALL:+RSA"
    40. 

  40. update_config test-obsolete-server-crypto.config
    41. 

  41. launch_simple_sr_server -d 1 -f -c $CONFIG
    42. 

  42. PID=$!
    43. 

  43. wait_server $PID
    44. 

  44. 

  45. echo -n "Connecting with --pfs... "
    46. 

  46. ( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --pfs --cookieonly >/dev/null 2>&1) &&
    47. 

  47. 	fail $PID "Connected successfully when we shouldn't"
    48. 

  48. 

  49. echo ok
    50. 

  50. 

  51. echo -n "Connecting without --pfs... "
    52. 

  52. ( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1) ||
    53. 

  53. 	fail $PID "Could not connect and obtain cookie without --pfs"
    54. 

  54. 

  55. echo ok
    56. 

  56. 

  57. cleanup
    58. 

  58. 

  59. exit 0
    60. 

  60.