source: mod_gnutls/test/Makefile.am @ b8b1990

Last change on this file since b8b1990 was b8b1990, checked in by Thomas Klute <thomas2.klute@…>, 2 years ago

Use fixed DH parameters for tests that log DH prime length in CGI output

Default key and DH parameter sizes vary between GnuTLS versions, so
using the defaults could lead to unexpected output and thus failing
tests. Fixed parameters avoid the problem.

  • Property mode set to 100644
# Recurse into the tests/ subdirectory.
SUBDIRS = tests

# Test scripts, distributed with the package and used by "make check".
# The list is assembled in three steps because test 15 is only added
# when the USE_MSVA conditional is true.
dist_check_SCRIPTS = \
	test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_basic_openpgp.bash
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif
dist_check_SCRIPTS += \
	test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash

# Every listed script is a test case; ".bash" is registered as a test
# file extension for the Automake test harness.
TEST_EXTENSIONS = .bash
TESTS = $(dist_check_SCRIPTS)

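# Helper programs that are only built for "make check".
check_PROGRAMS = pgpcrc gnutls_openpgp_support
pgpcrc_SOURCES = pgpcrc.c
gnutls_openpgp_support_SOURCES = gnutls_openpgp_support.c
gnutls_openpgp_support_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries belong in _LDADD, which Automake places after the object
# files on the link line. A library list in _LDFLAGS ends up before the
# objects, where a linker that resolves symbols in order (or runs with
# --as-needed) can drop libgnutls and fail with undefined references.
gnutls_openpgp_support_LDADD = $(LIBGNUTLS_LIBS)
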
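# OCSP database tool, built only when the OCSP test is enabled.
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries go in _LDADD so that they follow the object files on the
# link line; listed in _LDFLAGS they precede the objects and may be
# discarded by an order-sensitive or --as-needed link.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif
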
# Identities in the miniature CA, server, and client environment used
# by the test suite. The shared ones get both PGP and X.509
# credentials, the "x509_only" ones get X.509 credentials only.
shared_identities = server authority client imposter rogueca
pgp_identities = $(shared_identities)
x509_only_identities = rogueclient
if ENABLE_OCSP_TEST
x509_only_identities += ocsp-responder
endif
x509_identities = $(shared_identities) $(x509_only_identities)
# Every identity has X.509 credentials, so the complete list equals
# the X.509 list.
identities = $(x509_identities)

# File lists derived from the identities. A substitution reference
# with an empty pattern, $(list:=suffix), appends the suffix to each
# word of the list.
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
pgp_tokens = $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
tokens = $(x509_tokens) $(pgp_tokens)

# flock command for write access to the authority keyring, using
# authority/lock as the lock file. The variable stays undefined when
# the DISABLE_FLOCK conditional is set.
if !DISABLE_FLOCK
GPG_FLOCK = @FLOCK@ authority/lock
endif

# test_ca.mk is not shown here; presumably it holds the rules that
# create the keys and certificates listed in $(tokens) -- confirm there.
include $(srcdir)/test_ca.mk

# Test cases that create keys and certificates in parallel cause race
# conditions, so all keys and certificates are listed as check_DATA
# and are generated before any test gets to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
check_DATA = $(tokens) server/crl.pem

# Certificate templates shipped with the package, and the templates
# generated during the build.
generated_templates = authority.template client.template \
	imposter.template rogueclient.template server.template
cert_templates = authority.template.in client.template.in \
	imposter.template.in ocsp-responder.template rogueca.template \
	rogueclient.template.in server.template.in

# "clean" only: X.509 private keys and the GnuPG random pool. Unless
# fresh keys are needed, "mostlyclean" is sufficient, and the random
# pool does not have to be regenerated on every build.
CLEANFILES = $(x509_keys)
CLEANFILES += authority/random_seed

# "mostlyclean": test output and the CRL.
MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem

# "mostlyclean": X.509 certificates and generated templates.
# Certificates can be rebuilt without generating new key pairs, which
# makes it possible to change identities (e.g. host names) without
# spending time on new keys (as would happen after "clean").
MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid

# "mostlyclean": PGP keyrings and the GnuPG state that belongs to them
# (keyboxes, agent socket, private key store). The keyrings are created
# from the X.509 private keys and certificates with an expiration time
# of one day, so regenerating them is both fast and frequently
# necessary.
MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \
	authority/lock
MOSTLYCLEANFILES += */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/*

# "mostlyclean": lock files of the test servers.
MOSTLYCLEANFILES += *.lock

# Rule to build the MSVA trust database in a GnuPG home of its own
# (created with mode 0700). Steps of the recipe:
#   1. import the first prerequisite (authority/minimal.pgp),
#   2. read the fingerprint of the authority's secret key from the
#      "authority" GnuPG home and import it as ownertrust level 6
#      (GnuPG's value for ultimate trust),
#   3. import the client certificate,
#   4. write a gpg.conf that names a keyserver host which does not
#      exist.
#
# NOTE(review): step 2 is a pipeline without "pipefail", so only the
# exit status of "gpg --import-ownertrust" is checked; a failure to
# list the authority key is not detected by itself. If the listing
# ever printed more than one "fpr:" record, the single "%s" would
# carry several lines -- confirm the authority key has one fingerprint.
# NOTE(review): gpg.conf is written by this recipe but is not its
# target, and it is written last; if an earlier step created
# trustdb.gpg and a later one failed, make may consider the target up
# to date on the next run.
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg client.uid
MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	authority_fpr="$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"; \
	printf "%s:6:\n" "$$authority_fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(dir $@)gpg.conf
endif

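if ENABLE_OCSP_TEST
# Rules to build the OCSP database from the server and client
# certificates.
check_DATA += authority/ocsp_index.txt
MOSTLYCLEANFILES += authority/ocsp_index.txt authority/ocsp_index.txt.attr
# The shell creates (truncates) $@ before gen_ocsp_index starts, so a
# failed run would leave an empty or partial index that make treats as
# up to date. Remove it on failure to force regeneration.
authority/ocsp_index.txt: $(x509_tokens) gen_ocsp_index authority/ocsp_index.txt.attr
	./gen_ocsp_index server/x509.pem client/x509.pem > $@ \
		|| { rm -f $@; exit 1; }

# Attribute file next to the index; "unique_subject = no" is written in
# the form OpenSSL uses for its CA database attributes.
authority/ocsp_index.txt.attr: authority/secret.key
	echo "unique_subject = no" > $@

# Certificate chain file for the server: the identity's own
# certificate followed by the authority certificate. As above, a
# partial file is removed if concatenation fails.
check_DATA += server/x509-chain.pem
MOSTLYCLEANFILES += server/x509-chain.pem
%/x509-chain.pem: %/x509.pem authority/x509.pem
	cat $< authority/x509.pem > $@ || { rm -f $@; exit 1; }
endif
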
# SoftHSM tokens. The SoftHSM 2 token is a directory, so it cannot be
# listed in MOSTLYCLEANFILES and gets a cleanup target of its own.
SOFTHSM_TOKEN = server/softhsm.db
SOFTHSM2_TOKEN = server/softhsm2.db

.PHONY: make-test-dirs clean-softhsm2-db

# Tokens are cleaned whether or not the matching SoftHSM version was
# detected on the last ./configure run.
MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
# Prerequisite of mostlyclean-local (see below).
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# A token is only generated for the SoftHSM version that was found.
if HAVE_SOFTHSM1
check_DATA += $(SOFTHSM_TOKEN)
endif
if HAVE_SOFTHSM2
check_DATA += $(SOFTHSM2_TOKEN)
endif

# Working directories of the tests, created before the tests run.
extra_dirs = logs cache outputs
check_DATA += make-test-dirs
make-test-dirs:
	mkdir -p $(extra_dirs)

# Local cleanup hooks. rmdir removes empty directories only, so each
# call is allowed to fail ("|| true") when a directory is missing or
# still holds files.
mostlyclean-local: clean-softhsm2-db
	rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	rmdir $(msva_home)/private-keys-v1.d || true
endif

clean-local:
	rmdir $(identities) || true
	rmdir $(extra_dirs) || true
if USE_MSVA
	rmdir $(msva_home) || true
endif

# Apache configuration and data files used by the tests.
apache_data = \
	base_apache.conf \
	cgi_module.conf \
	data/dump.cgi \
	data/ocsp.cgi \
	data/secret.txt \
	data/test.txt \
	ffdhe3072.pem \
	mime.types \
	ocsp_server.conf \
	proxy_mods.conf

# Files that are needed by the tests but are not picked up for
# distribution through any other variable.
EXTRA_DIST = $(apache_data) $(cert_templates) \
	$(shared_identities:=.uid.in) \
	common.bash proxy_backend.bash runtests server-crl.template \
	softhsm.bash

# Lock files: one for the main Apache process, one for the proxy
# backend Apache process (if any).
test_lockfile = ./test.lock
backend_lockfile = ./backend.lock

# Ports; "?=" keeps a value that is already set, e.g. in the
# environment.
#   TEST_PORT  main Apache server
#   MSVA_PORT  MSVA, in test cases that use it
#   OCSP_PORT  OCSP server (Apache vhost if enabled)
TEST_PORT ?= 9932
MSVA_PORT ?= 9933
if ENABLE_OCSP_TEST
OCSP_PORT ?= 9936
endif

# MSVA startup, both values in milliseconds: the maximum time to wait,
# and the time per iteration of the wait loop.
TEST_SERVICE_MAX_WAIT ?= 10000
TEST_SERVICE_WAIT ?= 400

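# Environment of every test case. The value is shell code placed in
# front of each test command, so each statement (including the last
# one) has to end with a semicolon.
#
# APACHE2 and AP_LIBEXECDIR are quoted like the other values: an
# unquoted path that contains whitespace would be split by the shell,
# and everything after the first word would be taken as further
# arguments of "export".
AM_TESTS_ENVIRONMENT = export APACHE2="@APACHE2@"; \
	export AP_LIBEXECDIR="@AP_LIBEXECDIR@"; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export HTTP_CLI="@HTTP_CLI@";
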
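# SoftHSM settings for the test cases.
#
# The last statement must end with ";" like every other fragment of
# AM_TESTS_ENVIRONMENT. Without it, whatever follows on the shell line
# (a fragment appended later, or the test command itself when this is
# the last fragment) becomes another argument of this "export" instead
# of a command of its own.
if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif
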
# OCSP test: path of the openssl tool and the port of the OCSP server.
if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

# Namespace support: path of unshare plus a flag for the test scripts.
# NOTE(review): presumably the scripts use it to run inside a separate
# namespace -- confirm in the scripts, which are not shown here.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif

# With flock available, pass the flock command and the lock files to
# the tests. Without flock the tests must not run in parallel.
if !DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)";
else
.NOTPARALLEL:
endif

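# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The value reaches the recipe through the environment (target-specific
# "export"), so the shell prints the export statements as text instead
# of executing them.
#
# Declared phony so that a file named "show-test-env" in the build
# directory cannot make the target look up to date.
.PHONY: show-test-env
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"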