Changes in / [086cea9:b674e95] in mod_gnutls


Files:
11 added
8 edited

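--- a/configure.ac
+++ b/configure.ac
@@ -91,4 +91,29 @@
 AM_CONDITIONAL([DISABLE_FLOCK],
                [test "$enable_flock" = "no" || test "$flock_works" = "no"])
+
+# openssl is needed as the responder for OCSP tests
+AC_PATH_PROG([OPENSSL], [openssl], [no])
+# OCSP checks with gnutls-cli from GnuTLS versions before 3.3.23 or
+# 3.4.12 fail if intermediate CAs cannot be status checked, even if
+# there are no intermediate CAs like in the mod_gnutls test suite
+# where end entity certificates are directly issued by a root
+# CA. Release 3.5.0 does not contain the fix, but git commit
+# cf09cd11fb7416f2bc8e64876d81bbeaf468fd20 which adds the fix still
+# uses the same version number, so I'm not blocking 0x030500 for the
+# sake of anyone who might be experimenting with the git version.
+AC_MSG_CHECKING([for gnutls-cli version supporting OCSP for EE under root CA])
+AC_PREPROC_IFELSE(
+        [AC_LANG_SOURCE([[#include "gnutls/gnutls.h"
+                        #if GNUTLS_VERSION_NUMBER < 0x030317
+                        #error
+                        #elif GNUTLS_VERSION_NUMBER >= 0x030400 && GNUTLS_VERSION_NUMBER < 0x03040c
+                        #error
+                        #endif
+                        ]])],
+        [gnutls_ocsp_ok="yes"],
+        [gnutls_ocsp_ok="no"],
+)
+AC_MSG_RESULT([$gnutls_ocsp_ok])
+AM_CONDITIONAL([ENABLE_OCSP_TEST], [test "${OPENSSL}" != "no" && test "${gnutls_ocsp_ok}" = "yes"])
 
 dnl Enable test namespaces? Default is "yes".
@@ -216,18 +241,21 @@
 
 dnl Build list of "Listen" statements for Apache
-LISTEN_LIST="# Listen addresses for the test servers"
+LISTEN_LIST="@%:@ Listen addresses for the test servers"
 for i in ${TEST_IP}; do
         LISTEN_LIST="${LISTEN_LIST}
 Listen ${i}:\${TEST_PORT}"
 done
-dnl HTTP ports, only active if TEST_HTTP_PORT is defined
+# Available extra ports, tests can "Define" variables of the listed
+# names in their apache.conf to enable them.
+for j in TEST_HTTP_PORT OCSP_PORT; do
 LISTEN_LIST="${LISTEN_LIST}
-<IfDefine TEST_HTTP_PORT>"
+<IfDefine ${j}>"
 for i in ${TEST_IP}; do
         LISTEN_LIST="${LISTEN_LIST}
-        Listen ${i}:\${TEST_HTTP_PORT}"
+        Listen ${i}:\${${j}}"
 done
 LISTEN_LIST="${LISTEN_LIST}
 </IfDefine>"
+done
 AC_SUBST(LISTEN_LIST)
 AM_SUBST_NOTMAKE(LISTEN_LIST)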
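Review bot: The version gate added under AC_MSG_CHECKING inspects GNUTLS_VERSION_NUMBER from the headers the module is built against, while the message and the comment above it talk about the gnutls-cli binary the test suite runs; the two can come from different installations, so a fixed library paired with an older gnutls-cli would still enable the OCSP test and then fail it. Probing the tool itself, e.g. `AC_PATH_PROG([GNUTLS_CLI], [gnutls-cli], [no])` followed by a comparison of its `--version` output, would be closer to what is actually exercised; at minimum the comment should say `# assumes the gnutls-cli used by the tests matches the GnuTLS headers found here`. In the LISTEN_LIST hunk the `@%:@` quadrigraph deserves a one-line comment such as `dnl @%:@ is the m4 quadrigraph for a literal '#'` so the next reader does not mistake it for a typo.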
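--- a/test/.gitignore
+++ b/test/.gitignore
@@ -8,4 +8,5 @@
 authority
 imposter
+ocsp-responder
 rogueca
 rogueclient
@@ -21,4 +22,5 @@
 *.trs
 *.lock
+gen_ocsp_index
 pgpcrc
 .deps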
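--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -29,5 +29,6 @@
         test-24_pkcs11_cert.bash \
         test-25_Disable_TLS_1.0.bash \
-        test-26_redirect_HTTP_to_HTTPS.bash
+        test-26_redirect_HTTP_to_HTTPS.bash \
+        test-27_OCSP_server.bash
 
 TESTS = $(dist_check_SCRIPTS)
@@ -35,4 +36,11 @@
 check_PROGRAMS = pgpcrc
 pgpcrc_SOURCES = pgpcrc.c
+
+# build OCSP database tool
+if ENABLE_OCSP_TEST
+check_PROGRAMS += gen_ocsp_index
+gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
+noinst_HEADERS = cert_helper.h
+endif
 
 # Identities in the miniature CA, server, and client environment for
@@ -41,4 +49,7 @@
 pgp_identities = $(shared_identities)
 x509_only_identities = rogueclient
+if ENABLE_OCSP_TEST
+x509_only_identities += ocsp-responder
+endif
 x509_identities = $(shared_identities) $(x509_only_identities)
 identities = $(shared_identities) $(x509_only_identities)
@@ -74,6 +85,6 @@
 
 cert_templates = authority.template.in client.template.in \
-        imposter.template.in rogueca.template rogueclient.template.in \
-        server.template.in
+        imposter.template.in ocsp-responder.template rogueca.template \
+        rogueclient.template.in server.template.in
 generated_templates = authority.template client.template \
         imposter.template rogueclient.template server.template
@@ -117,4 +128,14 @@
 endif
 
+# rules to build OCSP database
+if ENABLE_OCSP_TEST
+check_DATA += authority/ocsp_index.txt
+MOSTLYCLEANFILES += authority/ocsp_index.txt authority/ocsp_index.txt.attr
+authority/ocsp_index.txt: $(x509_tokens) gen_ocsp_index authority/ocsp_index.txt.attr
+	./gen_ocsp_index server/x509.pem client/x509.pem > $@
+
+authority/ocsp_index.txt.attr: authority/secret.key
+	echo "unique_subject = no" > $@
+endif
 
 # SoftHSM tokens. Note that the SoftHSM 2 token is a directory and
@@ -159,5 +180,7 @@
 
 # Apache configuration and data files
-apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/secret.txt data/test.txt mime.types proxy_mods.conf
+apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
+        data/secret.txt data/test.txt mime.types ocsp_server.conf \
+        proxy_mods.conf
 
 EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
@@ -177,4 +200,8 @@
 # port for MSVA in test cases that use it
 MSVA_PORT ?= 9933
+# port for OCSP server (Apache vhost if enabled)
+if ENABLE_OCSP_TEST
+OCSP_PORT ?= 9936
+endif
 # maximum time to wait for MSVA startup (milliseconds)
 TEST_MSVA_MAX_WAIT ?= 10000
@@ -202,4 +229,9 @@
 endif
 
+if ENABLE_OCSP_TEST
+AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
+        export OCSP_PORT="$(OCSP_PORT)";
+endif
+
 if ENABLE_NETNS
 AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \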
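Review bot: In the `authority/ocsp_index.txt` rule the recipe redirects straight into `$@`, so a `gen_ocsp_index` that fails part-way leaves an empty or truncated index that is newer than its prerequisites and is treated as up to date on the next run, unless `.DELETE_ON_ERROR` is declared somewhere outside this hunk. Writing through a temporary, `./gen_ocsp_index server/x509.pem client/x509.pem > $@.tmp && mv -f $@.tmp $@`, avoids handing the OCSP responder a half-built database. The certificate list is also spelled out by hand instead of being derived from `$(x509_tokens)`, so an identity added later that needs a status entry has to be added in both places; a comment such as `# only server and client are ever status-checked by the tests` would at least make that deliberate. The same `> $@` pattern is used for the `.attr` file, though `echo` is unlikely to fail.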
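--- a/test/client.template.in
+++ b/test/client.template.in
@@ -5,2 +5,3 @@
 signing_key
 encryption_key
+### ocsp_uri=http://__HOSTNAME__:__OCSP_PORT__/ocsp/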
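--- a/test/runtests
+++ b/test/runtests
@@ -189,4 +189,11 @@
 fi
 
+# check OCSP server
+if [ -n "${CHECK_OCSP_SERVER}" ]; then
+    echo "---- Testing OCSP server ----"
+    ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem
+    echo "---- OCSP test done ----"
+fi
+
 # PID file for sleep command (explanation below)
 sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)"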
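Review bot: The `ocsptool` call between the two echo lines discards its exit status, so a responder that is unreachable, returns an unverifiable response, or reports the server certificate as revoked only shows up in the log while the run continues, unless the script is under `set -e`, which is outside this hunk. Making the result count, e.g. `ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem || exit 1` (or whatever failure path the rest of runtests uses for a failed check), turns this from a smoke print into an actual test. Since `--ask` takes the responder address from the OCSP URI in `server/x509.pem`, a comment like `# the responder URL comes from the ocsp_uri baked into the server certificate` would explain why no URL is passed here.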
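--- a/test/server.template.in
+++ b/test/server.template.in
@@ -5,2 +5,3 @@
 encryption_key
 dns_name="__HOSTNAME__"
+### ocsp_uri=http://__HOSTNAME__:__OCSP_PORT__/ocsp/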
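--- a/test/test_ca.mk
+++ b/test/test_ca.mk
@@ -9,4 +9,8 @@
 %.template: $(srcdir)/%.template.in
 	sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
+	if test -n "$(OCSP_PORT)"; then \
+		sed -i -e 's/^### ocsp/ocsp/' \
+			-e s/__OCSP_PORT__/$(OCSP_PORT)/ $@; \
+	fi
 
 %.uid: $(srcdir)/%.uid.in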
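Review bot: The added `sed -i` step rewrites the just-written target in place, which is a GNU sed extension (BSD and macOS sed want `-i ''`) and splits one transformation into two passes over `$@`; folding the OCSP substitutions into the existing sed invocation keeps the rule to a single read of `$<` and a single write of `$@` with no in-place editing. Note also that the output now depends on the value of `$(OCSP_PORT)` without that value appearing anywhere in the prerequisites, so changing the port after templates exist will not regenerate them or the certificates built from them; a comment such as `# NOTE: changing OCSP_PORT requires a clean rebuild of the templates` or a stamp file would make that visible. The `%.uid` rule at the end of the hunk continues outside it.
```make
%.template: $(srcdir)/%.template.in
	ocsp_sed=''; \
	if test -n "$(OCSP_PORT)"; then \
		ocsp_sed='-e s/^###[ ]ocsp/ocsp/ -e s/__OCSP_PORT__/$(OCSP_PORT)/'; \
	fi; \
	sed -e s/__HOSTNAME__/$(TEST_HOST)/ $$ocsp_sed < $< > $@
```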
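--- a/test/tests/Makefile.am
+++ b/test/tests/Makefile.am
@@ -26,3 +26,4 @@
         24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output \
         25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
-        26_redirect_HTTP_to_HTTPS/apache.conf
+        26_redirect_HTTP_to_HTTPS/apache.conf \
+        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/output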