Changeset 63468af in mod_gnutls for test


Timestamp:
Apr 16, 2016, 11:14:26 AM (6 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, upstream
Children:
b586b27, ce12806
Parents:
02c8e54 (diff), c6cfe6e (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Imported Upstream version 0.7.4

Location:
test
Files:
13 added
4 deleted
47 edited

  • test/Makefile.am

    r02c8e54 r63468af  
    2727        test-22_TLS_reverse_proxy_crl_revoke.bash \
    2828        test-23_TLS_reverse_proxy_mismatched_priorities.bash \
    29         test-24_pkcs11_cert.bash
     29        test-24_pkcs11_cert.bash \
     30        test-25_Disable_TLS_1.0.bash \
     31        test-26_redirect_HTTP_to_HTTPS.bash
    3032
    3133TESTS = $(dist_check_SCRIPTS)
     
    3335# Identities in the miniature CA, server, and client environment for
    3436# the test suite
    35 identities = server authority client imposter rogueca
     37shared_identities = server authority client imposter rogueca
     38pgp_identities = $(shared_identities)
     39x509_only_identities = rogueclient
     40x509_identities = $(shared_identities) $(x509_only_identities)
     41identities = $(shared_identities) $(x509_only_identities)
    3642# Append strings after ":=" to each identity to generate a list of
    3743# necessary files
    38 pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
    39         $(identities:=/secret.pgp)
    40 x509_keys = $(identities:=/secret.key)
    41 x509_certs = $(identities:=/x509.pem)
     44pgp_tokens = $(pgp_identities:=/secring.gpg) $(pgp_identities:=/cert.pgp) \
     45        $(pgp_identities:=/secret.pgp)
     46x509_keys = $(x509_identities:=/secret.key)
     47x509_certs = $(x509_identities:=/x509.pem)
    4248x509_tokens = $(x509_certs) $(x509_keys)
    4349tokens = $(x509_tokens) $(pgp_tokens)
     50
     51if !DISABLE_FLOCK
     52# flock command for write access to the authority keyring
     53GPG_FLOCK = @FLOCK@ authority/lock
     54endif
    4455
    4556include $(srcdir)/test_ca.mk
     
    6071
    6172cert_templates = authority.template.in client.template.in \
    62         imposter.template.in rogueca.template server.template.in
     73        imposter.template.in rogueca.template rogueclient.template.in \
     74        server.template.in
    6375generated_templates = authority.template client.template \
    64         imposter.template server.template
     76        imposter.template rogueclient.template server.template
    6577
    6678# Delete X.509 private keys on full clean. Note that unless you need
     
    7284# target. Certificates can be rebuilt without generating new key
    7385# pairs, and regenerating them makes it possible to change identities
    74 # (e.g. host names) without wasting entropy on new keys (which would
     86# (e.g. host names) without wasting time on new keys (which would
    7587# happen after "clean").
    7688MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid
     
    101113endif
    102114
    103 # SoftHSM files
    104 check_DATA += server/softhsm.db
    105 MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
    106 
     115
     116# SoftHSM tokens. Note that the SoftHSM 2 token is a directory and
     117# hence has to be treated slightly differently.
     118SOFTHSM_TOKEN = server/softhsm.db
     119SOFTHSM2_TOKEN = server/softhsm2.db
     120
     121# Tokens should be cleaned whether or not the matching SoftHSM version
     122# was detected on the last ./configure run.
     123MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
     124# included in mostlyclean-local below
     125clean-softhsm2-db:
     126        -rm -rf $(SOFTHSM2_TOKEN)
     127
     128if HAVE_SOFTHSM1
     129check_DATA += $(SOFTHSM_TOKEN)
     130endif HAVE_SOFTHSM1
     131
     132if HAVE_SOFTHSM2
     133check_DATA += $(SOFTHSM2_TOKEN)
     134endif HAVE_SOFTHSM2
    107135
    108136check_DATA += make-test-dirs
     
    110138make-test-dirs:
    111139        mkdir -p $(extra_dirs)
    112 .PHONY: make-test-dirs
     140
     141.PHONY: make-test-dirs clean-softhsm2-db
     142
     143mostlyclean-local: clean-softhsm2-db
    113144
    114145clean-local:
     
    122153apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
    123154
    124 EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \
    125         runtests server-crl.template server-softhsm.conf softhsm.bash
     155EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in common.bash \
     156        proxy_backend.bash runtests server-crl.template softhsm.bash
    126157
    127158# Lockfile for the main Apache process
    128159test_lockfile = ./test.lock
    129 # Maximum wait time in seconds for flock to aquire instance lock files
     160# Lockfile for the proxy backend Apache process (if any)
     161backend_lockfile = ./backend.lock
     162# Maximum wait time in seconds for flock to aquire instance lock
     163# files, or Apache to remove its PID file
    130164lock_wait = 30
    131165
     
    141175TEST_QUERY_DELAY ?= 30
    142176
    143 AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \
    144         export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \
    145         export TEST_LOCK="$(test_lockfile)"; \
     177AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
     178        export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
    146179        export TEST_LOCK_WAIT="$(lock_wait)"; \
    147         export TEST_HOST="$(TEST_HOST)"; \
    148         export TEST_IP="$(TEST_IP)"; \
     180        export TEST_HOST="@TEST_HOST@"; \
    149181        export TEST_PORT="$(TEST_PORT)"; \
    150182        export MSVA_PORT="$(MSVA_PORT)"; \
     
    152184        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
    153185        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
    154         export BACKEND_HOST="$(TEST_HOST)"; \
    155         export BACKEND_IP="$(TEST_IP)";
     186        export BACKEND_HOST="@TEST_HOST@"; \
     187        export HTTP_CLI="@HTTP_CLI@";
     188
     189if HAVE_SOFTHSM
     190AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
     191        export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
     192        export SOFTHSM_LIB="@SOFTHSM_LIB@"
     193endif
     194
     195if ENABLE_NETNS
     196AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
     197        export USE_TEST_NAMESPACE=1;
     198endif
     199# Without flock tests must not run in parallel. Otherwise set lock files.
     200if DISABLE_FLOCK
     201.NOTPARALLEL:
     202else
     203AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
     204        export TEST_LOCK="$(test_lockfile)"; \
     205        export BACKEND_LOCK="$(backend_lockfile)";
     206endif
    156207
    157208# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
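Review bot: The HAVE_SOFTHSM fragment of AM_TESTS_ENVIRONMENT ends with `export SOFTHSM_LIB="@SOFTHSM_LIB@"` and no terminating `;`, whereas the base assignment, the ENABLE_NETNS fragment and the flock fragment all close theirs with one. As far as I can tell Automake emits conditional `+=` pieces as space-separated `$(am__append_N)` references, so with SoftHSM plus namespaces (or flock) enabled the shell sees `export SOFTHSM_LIB="…" export UNSHARE="…";` as one command; it happens to work only because `export` takes several operands. Terminate the line: `export SOFTHSM_LIB="@SOFTHSM_LIB@";`. In clean-softhsm2-db the `-` prefix on `-rm -rf $(SOFTHSM2_TOKEN)` is redundant with `-f` and would hide unexpected failures; `$(RM) -r $(SOFTHSM2_TOKEN)` is sufficient.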
  • test/README

    r02c8e54 r63468af  
    1212=================
    1313
    14 from the top level of the source, or from test/ (where this README is),
     14From the top level of the source, or from test/ (where this README is),
    1515just run:
    1616
    17  make check
     17  make check
    1818
    19 from test/ you can also run specific tests by passing their script
    20 names to make in the TESTS variable:
     19from test/. You can also run specific test cases by passing their
     20script names to make in the TESTS variable:
    2121
    22  TESTS="test-03_cachetimeout_in_vhost.bash" make -e check
     22  TESTS="test-03_cachetimeout_in_vhost.bash" make -e check
    2323
    2424This should be handy when you're just trying to experiment with a new
    2525test and don't want to wait for the full test suite to run.
    2626
    27 The default configuration assumes that an IPv6 loopback device is
    28 available (TEST_IP=[::1]) and that TEST_HOST="localhost" resolves to
    29 the IPv6 loopback address [::1]. If this does not apply to your
    30 system, you can pass different values to ./configure, e.g. to use IPv4
    31 instead:
     27The default configuration assumes that a loopback device with IPv4 and
     28IPv6 support is available (TEST_IP="[::1] 127.0.0.1") and that
     29TEST_HOST="localhost" resolves to at least one of these addresses. If
     30this does not apply to your system, you can pass different values to
     31./configure, e.g. to use IPv4 only:
    3232
    3333  TEST_HOST="localhost" TEST_IP="127.0.0.1" ./configure
     34
     35If tests fail due to expired certificates or PGP signatures, run
     36
     37  make mostlyclean
     38
     39to delete them and create fresh ones on the next test run. You could
     40also use "make clean", but in that case the keys will be deleted as
     41well and have to be recreated, too, which takes more time.
    3442
    3543
     
    4149The simplest way to add a test is (from test/):
    4250
    43  ./newtest
     51  ./newtest
    4452
    4553This will prompt you for a simple name for the test and then copy a
     
    5260==============
    5361
    54 Each test consists of a directory in test/tests/, which will cause the
    55 test suite to spin up an isolated apache instance and try to connect
    56 to it with gnutls-cli and make a simple HTTP 1.1 request.
     62Each test consists of a script in test/ and a directory in
     63test/tests/, which the test suite uses to spin up an isolated Apache
     64instance or two (for proxy tests) and try to connect to it with
     65gnutls-cli and make a simple HTTP 1.1 or 1.0 request.
    5766
    58 By default, these tests are expected to succeed, by having
     67Test directories usually contain the following files:
    5968
    60 In each directory, you can put the following files:
     69 * apache.conf -- Apache configuration to be used
    6170
    62  * apache.conf --  the apache configuration to be used
    63 
    64  * gnutls-cli.args --  the arguments to pass to gnutls-cli
     71 * gnutls-cli.args -- the arguments to pass to gnutls-cli
    6572
    6673 * input -- the full HTTP request (including the final blank line)
    6774
     75 * backend.conf [optional] -- Apache configuration for the proxy
     76   backend server, if any
     77
    6878 * output [optional] -- the lines of this file will be checked against
    6979   the same number of lines at the end of the output produced by the
    70    gnutls-cli process.
     80   gnutls-cli process. "Date" and "Server" headers are filtered from
     81   the response because they are expected to change between runs
     82   (date) or builds (server version).
    7183
    7284 * fail.server [optional] -- if this file exists, it means we expect
     
    7991   should result in a failed file retrieval.
    8092
     93The "runtests" script is used to start one Apache instance and send a
     94request based on the files described above. Note that some tests take
     95additional steps, e.g. starting another server to act as proxy
     96backend, and at least one does not use "runtests" at all.
     97
     98By default (if "unshare" is available and has the permissions required
     99to create network and user namespaces), each test case is run inside
     100its own network namespace. This avoids address and port conflicts with
     101other tests as well has the host system.
     102
     103When writing your own tests, make sure to call netns_reexec (defined
     104in common.bash) if you need to start any network services outside of
     105runtests (which will create the namespace if it doesn't exist
     106already). However, some architectures might not support namespaces, so
     107traditional locking (using flock) and serial execution are still
     108supported.
     109
    81110
    82111Robustness and Tuning
    83112=====================
    84113
    85 These tests aren't nearly as robust as i'd like them to be, but they
    86 work for the moment and they're better than no tests at all.
     114Here are some things that you might want to tune about the tests based
     115on your expected setup (along with the variables that can be passed to
     116"make check" to adjust them):
    87117
    88 Here are some things that you might want to tune based on your
    89 expected setup (along with the variables that can be passed to "make
    90 check" to adjust them):
     118 * They need a functioning loopback device.
    91119
    92  * they need a functioning loopback device.
     120 * They expect (by default) to have port 9932 [TEST_PORT] available
     121   and open for connections on the addresses listed in TEST_IP.
    93122
    94  * they expect (by default) the TEST_IP to have port 9932
    95    open. [TEST_PORT]
     123 * Depending on the compile time configuration of the Apache binary
     124   installed on your system you may need to load additional Apache
     125   modules. The recommended way to do this is to drop a configuration
     126   file into the test/apache-conf/ directory. Patches to detect such
     127   situations and automatically configure the tests accordingly are
     128   welcome.
    96129
    97  * if a machine is particularly slow or under heavy load, it's
     130 * If a machine is particularly slow or under heavy load, it's
    98131   possible that these tests will fail for timing
    99    reasons. [TEST_QUERY_DELAY (seconds for the http request to be sent
     132   reasons. [TEST_QUERY_DELAY (seconds for the HTTP request to be sent
    100133   and responded to)]
     134
     135The first two of these issues are avoided when the tests are isolated
     136using network namespaces, which is the default (see "Implementation"
     137above). The ./configure script tries to detect if namespaces can be
     138used (some Linux distributions disable them for unprivileged
     139users). If this detection returns a false positive or you do not want
     140to use namespace isolation for some other reason, you can run
     141configure with the --disable-test-namespaces option.
    101142
    102143In some situations you may want to see the exact environment as
     
    104145instance with Valgrind using the same configuration as a test
    105146case. Use "make show-test-env" to dump AM_TESTS_ENVIRONMENT to stdout.
     147
     148If you are building on an exotic architecture which does not support
     149flock (or timeouts using flock -w), ./configure should detect that and
     150disable locking, or you can disable it manually by passing
     151"--disable-flock" to ./configure. This will force serial execution of
     152tests, including environment setup.
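--- a/test/base_apache.conf
+++ b/test/base_apache.conf
@@ -5,5 +5,4 @@
 ErrorLog logs/${TEST_NAME}.error.log
 HostnameLookups Off
-PidFile apache2.pid
 KeepAlive Off
 LogLevel debug
@@ -14,5 +13,5 @@
 TypesConfig ${srcdir}/mime.types
 
-Listen ${TEST_IP}:${TEST_PORT}
+Include         apache-conf/*.conf
 
 DocumentRoot ${srcdir}/data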
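Review bot: Removing `PidFile apache2.pid` leaves the PID file name to Apache's default or to whatever apache-conf/*.conf sets, yet test/runtests in this same changeset hard-codes `TEST_PID="apache2.pid"` and, when locking is disabled, calls `wait_pid_gone "${TEST_PID}"` on it; unless one of the included files (not visible here) sets that same PidFile, the wait checks a file Apache never writes and returns at once. The new `Include apache-conf/*.conf` line is also now the only source of a `Listen` directive, since `Listen ${TEST_IP}:${TEST_PORT}` is dropped and every test/tests/*/apache.conf in this changeset switches its vhosts to `_default_:${TEST_PORT}`; when namespace isolation is off, the dropped-in config is therefore the sole thing keeping the test instance bound to the loopback addresses in TEST_IP. I would document that contract on the Include line, e.g. `# apache-conf/*.conf must provide Listen (restricted to TEST_IP) and a PidFile matching TEST_PID in runtests`.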
  • test/proxy_backend.bash

    r02c8e54 r63468af  
    22
    33set -e
     4. ${srcdir}/common.bash
    45
    56if [ -z "${BACKEND_HOST}" ]; then
     
    1213    export BACKEND_PORT="9934"
    1314fi
    14 : ${BACKEND_LOCK:="backend.lock"}
     15: ${BACKEND_PID:="backend.pid"}
    1516: ${srcdir:="."}
    1617: ${APACHE2:="apache2"}
     
    2425    lockfile="${4}"
    2526
    26     if [ -n "${lockfile}" ]; then
    27         flock_cmd="flock -w ${TEST_LOCK_WAIT} ${lockfile}"
    28     fi
    29 
    3027    TEST_NAME="$(basename "${dir}")"
    3128    (
     
    3633        case $action in
    3734            start)
     35                if [ -n "${USE_TEST_NAMESPACE}" ]; then
     36                    echo "Using namespaces to isolate tests, no need for" \
     37                         "locking."
     38                    flock_cmd=""
     39                elif [ -n "${lockfile}" ]; then
     40                    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} ${lockfile}"
     41                else
     42                    echo "Locking disabled, using wait based on proxy PID file."
     43                    wait_pid_gone "${BACKEND_PID}"
     44                    flock_cmd=""
     45                fi
    3846                ${flock_cmd} \
    3947                    ${APACHE2} -f "$(realpath ${testdir}/${conf})" -k start || return 1
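Review bot: In the start branch `flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} ${lockfile}"` has no fallback when FLOCK is unset, so a caller that passes a lockfile outside `make check` (where Makefile.am exports FLOCK only in the flock branch) turns the Apache command line into `-w 30 backend.lock apache2 …`; a default beside the other `: ${VAR:=…}` lines, `: ${FLOCK:="flock"}`, keeps the script usable standalone. The three-way choice between namespaces, flock and PID-file waiting is repeated verbatim in test/runtests (new lines 156–165 there); now that both scripts source common.bash, a shared helper that prints the lock command would stop the two copies drifting. The enclosing backend_apache function starts and ends outside this hunk.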
  • test/runtests

    r02c8e54 r63468af  
    66
    77set -e
     8. ${srcdir}/common.bash
     9netns_reexec ${@}
    810
    911testid="${1##t-}"
     
    1719
    1820BADVARS=0
    19 for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
    20                  MSVA_PORT TEST_LOCK; do
     21for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
     22                 MSVA_PORT; do
    2123    if [ ! -v "$v" ]; then
    2224        printf "You need to set the %s environment variable\n" "$v" >&2
     
    150152fi
    151153
     154TEST_PID="apache2.pid"
    152155# configure locking for the Apache process
    153 flock_cmd="flock -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
     156if [ -n "${USE_TEST_NAMESPACE}" ]; then
     157    echo "Using namespaces to isolate tests, no need for locking."
     158    flock_cmd=""
     159elif [ -n "${TEST_LOCK}" ]; then
     160    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
     161else
     162    echo "Locking disabled, using wait based on Apache PID file."
     163    wait_pid_gone "${TEST_PID}"
     164    flock_cmd=""
     165fi
    154166
    155167t="$(realpath ${testid})"
     
    189201           run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
    190202       gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
    191                   >"$output";
     203       | tee "$output" && test "${PIPESTATUS[1]}" -eq 0;
    192204then
    193205    if [ -e ${t}/fail* ]; then
     
    206218
    207219if [ -e ${t}/output ] ; then
    208     diff_output_filter_headers "${t}/output" "$output" "-q"
     220    diff_output_filter_headers "${t}/output" "$output" >&2
    209221fi
    210222if [ -n "${USE_MSVA}" ]; then
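Review bot: `netns_reexec ${@}` on new line 9 passes the script's arguments unquoted, so an argument containing whitespace or a glob character is split or expanded before the re-exec; it should be `netns_reexec "${@}"`. The same unquoted form is added to test-19 through test-23_*.bash in this changeset. `$(realpath ${TEST_LOCK})` on new line 160 has the same weakness for the lock path and should read `$(realpath "${TEST_LOCK}")`. The new `TEST_PID="apache2.pid"` must match the PidFile Apache actually writes; this changeset removes `PidFile apache2.pid` from base_apache.conf, so I would add `# must match the PidFile directive in the Apache config` next to it.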
  • test/softhsm.bash

    r02c8e54 r63468af  
    1717    local label="${3}"
    1818
    19     p11tool --provider=${softhsm_lib} --login --write --label "${label}" \
     19    p11tool --provider=${SOFTHSM_LIB} --login --write --label "${label}" \
    2020            --load-privkey "${keyfile}" "${token}"
    2121}
     
    2828    local label="${3}"
    2929
    30     p11tool --provider=${softhsm_lib} --login --write --no-mark-private \
     30    p11tool --provider=${SOFTHSM_LIB} --login --write --no-mark-private \
    3131            --label "${label}" --load-certificate "${certfile}" "${token}"
    3232}
     
    3636{
    3737    local label="${1}"
    38     p11tool --provider=${softhsm_lib} --list-tokens | \
     38    p11tool --provider=${SOFTHSM_LIB} --list-tokens | \
    3939        grep -o -P "(?<=URL:\s)(.*token=${label}.*)$"
    4040}
     
    4444function get_object_url
    4545{
    46     p11tool --provider=${softhsm_lib} --list-all --login "${1}" | \
     46    p11tool --provider=${SOFTHSM_LIB} --list-all --login "${1}" | \
    4747        grep -o -P "(?<=URL:\s)(.*object=${2}.*)$"
    4848}
     
    6565
    6666# try to find SoftHSM
    67 softhsm="$(which softhsm)"
     67softhsm="$(basename ${SOFTHSM})"
     68
     69if [ "${softhsm}" = "softhsm" ]; then
     70    softhsm_libname="libsofthsm.so"
     71    # fail if SOFTHSM_CONF is not set
     72    if [ -z "${SOFTHSM_CONF}" ]; then
     73        echo "ERROR: SOFTHSM_CONF not set!" 1>&2
     74        exit 1
     75    else
     76        export SOFTHSM_CONF
     77    fi
     78    echo "using SOFTHSM_CONF=\"${SOFTHSM_CONF}\""
     79elif [ "${softhsm}" = "softhsm2-util" ]; then
     80    softhsm_libname="libsofthsm2.so"
     81    # fail if SOFTHSM2_CONF is not set
     82    if [ -z "${SOFTHSM2_CONF}" ]; then
     83        echo "ERROR: SOFTHSM2_CONF not set!" 1>&2
     84        exit 1
     85    else
     86        export SOFTHSM2_CONF
     87    fi
     88else
     89    # no SoftHSM
     90    echo "No SoftHSM!" >&2
     91    exit 77
     92fi
     93
     94if [ -z "${SOFTHSM_LIB}" ]; then
     95    # Try to find the libsofthsm[2] module in some common locations.
     96    softhsm_searchpath=(/usr/lib64/pkcs11 /usr/lib/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/lib /usr/lib64/softhsm)
     97    for i in ${softhsm_searchpath[@]} ""; do
     98        SOFTHSM_LIB="${i}/${softhsm_libname}"
     99        echo "checking ${SOFTHSM_LIB} ..."
     100        if [ -f "${SOFTHSM_LIB}" ]; then
     101            echo "found!"
     102            export SOFTHSM_LIB
     103            break;
     104        fi
     105    done
     106else
     107    echo "using ${SOFTHSM_LIB} (set by user)"
     108fi
     109
     110if [ ! -f "${SOFTHSM_LIB}" ]; then
     111    echo "${softhsm_libname} not found!" >&2
     112    exit 77
     113fi
    68114
    69115case "${1}" in
     
    88134set -e
    89135
    90 # Guess location of libsofthsm based on softhsm binary. The path
    91 # matches SoftHSM upstream, but this might fail if someone changes the
    92 # libdir or bindir of the SoftHSM installation independently of its
    93 # general prefix.
    94 softhsm_prefix="$(realpath $(dirname ${softhsm})/..)"
    95 softhsm_lib="${softhsm_prefix}/lib/softhsm/libsofthsm.so"
    96 
    97 # fail if SOFTHSM_CONF is not set
    98 if [ -z "${SOFTHSM_CONF}" ]; then
    99     echo "ERROR: SOFTHSM_CONF not set!" 1>&2
    100     exit 1
    101 else
    102     export SOFTHSM_CONF
    103 fi
    104 echo "using SOFTHSM_CONF=\"${SOFTHSM_CONF}\""
    105 
    106136# variables for token configuration
    107137token_label="mod_gnutls-test"
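Review bot: `softhsm="$(basename ${SOFTHSM})"` and the `--provider=${SOFTHSM_LIB}` arguments of the four p11tool calls expand unquoted: with SOFTHSM unset, basename runs without an operand and the script only reaches the `No SoftHSM!` branch because the failed substitution yields an empty string, and a library path with whitespace would be word-split before p11tool loads it. Quote both, `softhsm="$(basename "${SOFTHSM}")"` and `--provider="${SOFTHSM_LIB}"`. The trailing `""` element in `for i in ${softhsm_searchpath[@]} ""` makes the final probe `/libsofthsm.so` at the filesystem root; if it is there only so that SOFTHSM_LIB ends up pointing at a non-existent file for the `! -f` check below, a comment such as `# trailing "": leave SOFTHSM_LIB unusable so the existence check below fails` would make that intent explicit.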
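--- a/test/test-19_TLS_reverse_proxy.bash
+++ b/test/test-19_TLS_reverse_proxy.bash
@@ -3,4 +3,6 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/19_TLS_reverse_proxy"
@@ -9,5 +11,5 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"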
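--- a/test/test-20_TLS_reverse_proxy_client_auth.bash
+++ b/test/test-20_TLS_reverse_proxy_client_auth.bash
@@ -3,4 +3,6 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/20_TLS_reverse_proxy_client_auth"
@@ -9,5 +11,5 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"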
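--- a/test/test-21_TLS_reverse_proxy_wrong_cert.bash
+++ b/test/test-21_TLS_reverse_proxy_wrong_cert.bash
@@ -3,4 +3,6 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/21_TLS_reverse_proxy_wrong_cert"
@@ -9,5 +11,5 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"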
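--- a/test/test-22_TLS_reverse_proxy_crl_revoke.bash
+++ b/test/test-22_TLS_reverse_proxy_crl_revoke.bash
@@ -3,4 +3,6 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/22_TLS_reverse_proxy_crl_revoke"
@@ -9,5 +11,5 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"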
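--- a/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
+++ b/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
@@ -3,4 +3,6 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/23_TLS_reverse_proxy_mismatched_priorities"
@@ -14,5 +16,5 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"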
  • test/test-24_pkcs11_cert.bash

    r02c8e54 r63468af  
    33testdir="$(dirname ${0})/tests/24_pkcs11_cert"
    44
    5 # The Apache/SoftHSM configuration mixes up directories, so generate a
    6 # config file with an absolute path to the token database from a
    7 # template. Generating it on every run avoids problems if the source
     5# The Apache/SoftHSM configuration mixes up directories, so generate
     6# config files with absolute paths to the token database from a
     7# template. Generating them on every run avoids problems if the source
    88# tree was moved.
    99tmp_softhsm_conf="$(mktemp mod_gnutls_test-XXXXXX.conf)"
     
    1414trap cleanup_tmpconf EXIT
    1515
    16 sed "s,__DIR__,$(realpath $(pwd))," \
    17     "${testdir}/softhsm.conf.in" \
    18     >"${tmp_softhsm_conf}"
    19 export SOFTHSM_CONF="${tmp_softhsm_conf}"
     16if [ "${SOFTHSM_MAJOR_VERSION}" = "1" ]; then
     17    cat - >"${tmp_softhsm_conf}" <<EOF
     180:$(realpath $(pwd))/server/softhsm.db
     19EOF
     20    export SOFTHSM_CONF="${tmp_softhsm_conf}"
     21elif [ "${SOFTHSM_MAJOR_VERSION}" = "2" ]; then
     22    cat - >"${tmp_softhsm_conf}" <<EOF
     23objectstore.backend = file
     24directories.tokendir = $(realpath $(pwd))/server/softhsm2.db
     25EOF
     26    export SOFTHSM2_CONF="${tmp_softhsm_conf}"
     27fi
     28
    2029echo "Generated temporary SoftHSM config ${tmp_softhsm_conf}:"
    2130cat "${tmp_softhsm_conf}"
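Review bot: When SOFTHSM_MAJOR_VERSION is neither "1" nor "2" (for example when the script runs outside `make check`, where Makefile.am exports it only under HAVE_SOFTHSM), the new if/elif chain writes nothing into the temp file, exports neither SOFTHSM_CONF nor SOFTHSM2_CONF, and the script carries on with an empty config; add an else branch that skips the test, `else echo "unsupported SOFTHSM_MAJOR_VERSION '${SOFTHSM_MAJOR_VERSION}'" >&2; exit 77; fi`. The `$(realpath $(pwd))` inside both heredocs is unquoted; `$(realpath "$(pwd)")` keeps the shell side intact for a build directory containing spaces, though SoftHSM's own config format would still need checking for such paths.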
  • test/test_ca.mk

    r02c8e54 r63468af  
    3535# conditions with parallel make. Locking avoids this problem.
    3636%/cert.pgp: %/minimal.pgp authority/gpg.conf
    37         GNUPGHOME=authority flock authority/lock gpg --import $<
    38         GNUPGHOME=authority flock authority/lock gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
     37        GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
     38        GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
    3939        GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
    4040
     
    4848        certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
    4949
     50# normal case: certificates signed by test CA
    5051%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
    5152        certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
    5253
    53 %/softhsm.db: %/x509.pem %/secret.key
    54         SOFTHSM_CONF="$(srcdir)/$(*)-softhsm.conf" $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
     54# error case: certificates signed by rogue CA
     55rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
     56        certtool --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $< > $@
     57
     58%/softhsm.conf: %/secret.key
     59        echo "0:$(dir $@)softhsm.db" > $@
     60
     61%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
     62        SOFTHSM="$(SOFTHSM)" \
     63        SOFTHSM_CONF="$(dir $@)softhsm.conf" \
     64        $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
     65
     66%/softhsm2.conf: %/secret.key
     67        echo "objectstore.backend = file" > $@
     68        echo "directories.tokendir = $(dir $@)softhsm2.db" >> $@
     69
     70%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
     71        mkdir -p $@
     72        SOFTHSM="$(SOFTHSM)" \
     73        SOFTHSM2_CONF="$(dir $@)softhsm2.conf" \
     74        $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
    5575
    5676# Generate CRL revoking a certain certificate. Currently used to
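Review bot: The new rogue-CA rule `rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem` passes `--load-ca-privkey rogueca/secret.key` in its recipe but does not list the key as a prerequisite, while the normal-case rule directly above lists `authority/secret.key`; the dependency may be satisfied transitively through rogueca/x509.pem, but the declared graph should say so: `rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/secret.key rogueca/x509.pem`. The same pattern also matches `rogueca/x509.pem` itself (stem `ca`) and would make the rogue CA certificate depend on itself unless an explicit rule for it elsewhere in this file takes precedence; I cannot see one in this hunk, so a comment on the rule stating which rule builds rogueca/x509.pem would help the next reader. `%/softhsm2.db` is a directory target created by `mkdir -p $@`; Make compares its mtime, which moves whenever SoftHSM adds or removes files inside it, so a stamp file written after `softhsm.bash init` would be the more robust target.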
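--- a/test/tests/00_basic/apache.conf
+++ b/test/tests/00_basic/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On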
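--- a/test/tests/01_serverwide_priorities/apache.conf
+++ b/test/tests/01_serverwide_priorities/apache.conf
@@ -5,5 +5,5 @@
 GnuTLSPriorities NORMAL
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On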
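--- a/test/tests/02_cache_in_vhost/apache.conf
+++ b/test/tests/02_cache_in_vhost/apache.conf
@@ -1,5 +1,5 @@
 Include ${srcdir}/base_apache.conf
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  # Cache configuration not allowed in here:
  GnuTLSCache dbm cache/gnutls_cache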
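--- a/test/tests/03_cachetimeout_in_vhost/apache.conf
+++ b/test/tests/03_cachetimeout_in_vhost/apache.conf
@@ -1,5 +1,5 @@
 Include ${srcdir}/base_apache.conf
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  # Cache configuration not allowed in here:
  GnuTLSCacheTimeout 200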
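--- a/test/tests/04_basic_nosni/apache.conf
+++ b/test/tests/04_basic_nosni/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On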
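--- a/test/tests/05_mismatched-priorities/apache.conf
+++ b/test/tests/05_mismatched-priorities/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On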
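--- a/test/tests/06_verify_sni_a/apache.conf
+++ b/test/tests/06_verify_sni_a/apache.conf
@@ -3,7 +3,7 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On
@@ -13,5 +13,5 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On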
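--- a/test/tests/07_verify_sni_b/apache.conf
+++ b/test/tests/07_verify_sni_b/apache.conf
@@ -3,9 +3,9 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
 # trying in a different order from 06_verify_sni_a
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On
@@ -15,5 +15,5 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On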
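--- a/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
+++ b/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
@@ -3,7 +3,7 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On
@@ -13,5 +13,5 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On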
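--- a/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
+++ b/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
@@ -3,9 +3,9 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
 # In this order, clients with no SNI should get the imposter's key
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On
@@ -15,5 +15,5 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On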
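--- a/test/tests/10_basic_client_verification/apache.conf
+++ b/test/tests/10_basic_client_verification/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On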
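--- a/test/tests/11_basic_client_verification_fail/apache.conf
+++ b/test/tests/11_basic_client_verification_fail/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On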
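--- a/test/tests/12_cgi_variables/apache.conf
+++ b/test/tests/12_cgi_variables/apache.conf
@@ -8,5 +8,5 @@
 </Directory>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On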
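--- a/test/tests/13_cgi_variables_no_client_cert/apache.conf
+++ b/test/tests/13_cgi_variables_no_client_cert/apache.conf
@@ -8,5 +8,5 @@
 </Directory>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On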
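--- a/test/tests/14_basic_openpgp/apache.conf
+++ b/test/tests/14_basic_openpgp/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On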
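--- a/test/tests/15_basic_msva/apache.conf
+++ b/test/tests/15_basic_msva/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On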
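--- a/test/tests/16_view-status/apache.conf
+++ b/test/tests/16_view-status/apache.conf
@@ -9,5 +9,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On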
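--- a/test/tests/16_view-status/gnutls-cli.args
+++ b/test/tests/16_view-status/gnutls-cli.args
@@ -1,2 +1,2 @@
 --x509cafile=authority/x509.pem
---priority=NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL
+--priority=NONE:+VERS-TLS1.2:+AES-128-CBC:+SHA256:+RSA:+COMP-NULL:+SIGN-RSA-SHA256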
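Review bot: The new `--priority` string pins static RSA key exchange, AES-128-CBC and SHA256 so that the handshake is deterministic and matches the `(TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)` line expected in this test's `output` file; an args file cannot carry a comment, so that coupling is invisible at the point where someone would edit it. It would be worth recording it next to the test, for example in its apache.conf: `# gnutls-cli.args pins the cipher suite so the status page output is stable; update output if you change it`. That also makes clear that the non-forward-secret suite is a test fixture chosen for a stable rendering, not a recommended priority string.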
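--- a/test/tests/16_view-status/output
+++ b/test/tests/16_view-status/output
@@ -1,4 +1,4 @@
-<dt>using TLS:</dt><dd>yes</dd>
-<dt>This TLS Session:</dt><dd>(TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)</dd>
+<dt>Using TLS:</dt><dd>yes</dd>
+<dt>Current TLS session:</dt><dd>(TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)</dd>
 </dl>
 </body></html>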
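--- a/test/tests/17_cgi_vars_large_cert/apache.conf
+++ b/test/tests/17_cgi_vars_large_cert/apache.conf
@@ -8,5 +8,5 @@
 </Directory>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On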
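--- a/test/tests/18_client_verification_wrong_cert/apache.conf
+++ b/test/tests/18_client_verification_wrong_cert/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On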
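--- a/test/tests/18_client_verification_wrong_cert/gnutls-cli.args
+++ b/test/tests/18_client_verification_wrong_cert/gnutls-cli.args
@@ -1,4 +1,4 @@
---x509certfile=rogueca/x509.pem
---x509keyfile=rogueca/secret.key
+--x509certfile=rogueclient/x509.pem
+--x509keyfile=rogueclient/secret.key
 --x509cafile=authority/x509.pem
 --priority=NORMAL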
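--- a/test/tests/19_TLS_reverse_proxy/apache.conf
+++ b/test/tests/19_TLS_reverse_proxy/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On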
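--- a/test/tests/19_TLS_reverse_proxy/backend.conf
+++ b/test/tests/19_TLS_reverse_proxy/backend.conf
@@ -1,11 +1,8 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On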
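Review bot: `Include proxy_backend.conf` is a bare relative path while the line above anchors on `${srcdir}`; Apache resolves a relative `Include` against `ServerRoot`, so the two lines read from different trees unless `ServerRoot` happens to equal `${srcdir}`. If proxy_backend.conf is a generated file that lives in the build directory that is intentional, but nothing in the hunk says so; a comment such as `# proxy_backend.conf is generated into the build dir (ServerRoot), not ${srcdir}` would save the next reader a file-not-found hunt. Separately, line 1 is shown as removed and re-added with identical visible text here and in 20, 22 and 23 but not in 21, which suggests a stray whitespace or line-ending difference that could be normalised. The same Include change appears in the backend.conf sections of 20, 21, 22 and 23.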
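--- a/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
+++ b/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On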
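--- a/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
+++ b/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
@@ -1,11 +1,8 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On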
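--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
+++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On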
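--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
+++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
@@ -1,11 +1,8 @@
 Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On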
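--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
+++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On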
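--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
+++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
@@ -1,11 +1,8 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On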
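--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf
+++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On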
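--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
+++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
@@ -1,11 +1,8 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On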
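--- a/test/tests/24_pkcs11_cert/apache.conf
+++ b/test/tests/24_pkcs11_cert/apache.conf
@@ -3,7 +3,7 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so
+GnuTLSP11Module ${SOFTHSM_LIB}
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On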
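Review bot: `GnuTLSP11Module ${SOFTHSM_LIB}` rightly drops the hard-coded `/usr/lib/softhsm/libsofthsm.so`, but if `SOFTHSM_LIB` is not exported to the server process Apache keeps the unexpanded text (with only a warning) and the failure surfaces later as a confusing module-load error rather than a clear configuration problem. Presumably the test runner, which is not part of this hunk, sets it from the configure result; it would be worth having that script refuse to start the test when the variable is empty. A comment here would point the next reader to the right place: `# SOFTHSM_LIB is exported by the test runner; an empty value makes this directive fail at module load`.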
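--- a/test/tests/Makefile.am
+++ b/test/tests/Makefile.am
@@ -24,3 +24,5 @@
         22_TLS_reverse_proxy_crl_revoke/apache.conf 22_TLS_reverse_proxy_crl_revoke/backend.conf 22_TLS_reverse_proxy_crl_revoke/gnutls-cli.args 22_TLS_reverse_proxy_crl_revoke/input 22_TLS_reverse_proxy_crl_revoke/output \
         23_TLS_reverse_proxy_mismatched_priorities/apache.conf 23_TLS_reverse_proxy_mismatched_priorities/backend.conf 23_TLS_reverse_proxy_mismatched_priorities/gnutls-cli.args 23_TLS_reverse_proxy_mismatched_priorities/input 23_TLS_reverse_proxy_mismatched_priorities/output \
-        24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output 24_pkcs11_cert/softhsm.conf.in
+        24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output \
+        25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
+        26_redirect_HTTP_to_HTTPS/apache.conf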
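Review bot: The new `25_Disable_TLS_1.0/` entry lists apache.conf, fail.client, gnutls-cli.args and input but no `output`, and `26_redirect_HTTP_to_HTTPS/` lists only apache.conf, whereas every earlier test ships the full set; if either test directory also contains files not listed here they will be present in a checkout but missing from the distribution tarball, so `make distcheck` is the right check. Presumably 25 is expected to fail on the client side (hence fail.client) and 26 is driven differently, but that should be confirmed against the directories rather than inferred from the list. `24_pkcs11_cert/softhsm.conf.in` is dropped from the list, which is only correct if the file itself was removed from the tree. The variable assignment this hunk belongs to starts outside the hunk; as a point of style, one path per `\`-continued line would make additions like this reviewable without horizontal scrolling and would keep each future diff to the lines that actually change.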