Changeset f5342b1 in mod_gnutls for test


Timestamp:
Apr 16, 2018, 8:42:39 PM (3 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, upstream
Children:
300ae82, f4ac9ccd
Parents:
e105d3e (diff), 2a912c3 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

New upstream version 0.8.3

Location:
test
Files:
4 added
1 deleted
31 edited
1 moved

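--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -32,8 +32,12 @@
         test-27_OCSP_server.bash
 
+TEST_EXTENSIONS = .bash
 TESTS = $(dist_check_SCRIPTS)
 
-check_PROGRAMS = pgpcrc
+check_PROGRAMS = pgpcrc gnutls_openpgp_support
 pgpcrc_SOURCES = pgpcrc.c
+gnutls_openpgp_support_SOURCES = gnutls_openpgp_support.c
+gnutls_openpgp_support_CFLAGS = $(LIBGNUTLS_CFLAGS)
+gnutls_openpgp_support_LDFLAGS = $(LIBGNUTLS_LIBS)
 
 # build OCSP database tool
@@ -41,4 +45,5 @@
 check_PROGRAMS += gen_ocsp_index
 gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
+gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
 gen_ocsp_index_LDFLAGS = $(LIBGNUTLS_LIBS)
 noinst_HEADERS = cert_helper.h
@@ -109,7 +114,21 @@
 # necessary.
 MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \
-        authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/*
+        authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/* \
+        authority/tofu.db
 # GnuPG random pool, no need to regenerate on every build
 CLEANFILES += authority/random_seed
+
+# GnuPG 2 starts gpg-agent processes per GNUPGHOME (one for every PGP
+# identity) while creating the PGP certificates. This target is called
+# by both "check-local" and "mostlyclean-local": The former because
+# agent processes are started while preparing for "check" and are no
+# longer needed afterwards, the latter to make sure they are gone
+# along with their certificates.
+stop-gnupg-agent:
+        for id in $(pgp_identities) $(msva_home); do \
+                GNUPGHOME=$$id/ gpgconf --kill gpg-agent || true; \
+        done
+
+check-local: stop-gnupg-agent
 
 # Delete lock files for test servers on "mostlyclean" target.
@@ -124,5 +143,5 @@
         mkdir -p -m 0700 $(dir $@)
         GNUPGHOME=$(dir $@) gpg --import < $<
-        printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
+        printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
         GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
         printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
@@ -171,7 +190,8 @@
         mkdir -p $(extra_dirs)
 
-.PHONY: make-test-dirs clean-softhsm2-db
-
-mostlyclean-local: clean-softhsm2-db
+.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
+
+
+mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
         -rmdir $(pgp_identities:=/private-keys-v1.d) || true
 if USE_MSVA
@@ -179,4 +199,12 @@
 endif
 
+# Delete test data directories, and wait for test services to
+# exit. The reason for the wait is that Apache instances may take some
+# time to exit and delete their PID files. Occasionally some PID files
+# where still around during "distcheck" runs by the time the target
+# checked if the build directory was really empty after "distclean",
+# breaking the build. Delaying "clean-local" until PID files are gone
+# avoids this issue, and the timeout will expose actually unclean
+# stops.
 clean-local:
         -rmdir $(identities) || true
@@ -185,12 +213,18 @@
         -rmdir $(msva_home) || true
 endif
+        wait=0; \
+        while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
+                wait=$$(($$wait + 1)); \
+                echo "waiting for test services to exit ($$wait seconds)"; \
+                sleep 1; \
+        done
 
 # Apache configuration and data files
 apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
-        data/secret.txt data/test.txt mime.types ocsp_server.conf \
+        data/secret.txt data/test.txt ffdhe3072.pem mime.types \
         proxy_mods.conf
 
 EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
-        common.bash proxy_backend.bash runtests server-crl.template \
+        apache_service.bash common.bash runtests server-crl.template \
         softhsm.bash
 
@@ -199,7 +233,6 @@
 # Lockfile for the proxy backend Apache process (if any)
 backend_lockfile = ./backend.lock
-# Maximum wait time in seconds for flock to aquire instance lock
-# files, or Apache to remove its PID file
-lock_wait = 30
+# Lockfile for the OCSP server Apache process (if any)
+ocsp_lockfile = ./ocsp.lock
 
 # port for the main Apache server
@@ -207,25 +240,26 @@
 # port for MSVA in test cases that use it
 MSVA_PORT ?= 9933
-# port for OCSP server (Apache vhost if enabled)
+# port for TLS proxy backend server
+BACKEND_PORT ?= 9934
+# port for the OCSP responder
 if ENABLE_OCSP_TEST
 OCSP_PORT ?= 9936
 endif
 # maximum time to wait for MSVA startup (milliseconds)
-TEST_MSVA_MAX_WAIT ?= 10000
+TEST_SERVICE_MAX_WAIT ?= 10000
 # wait loop time for MSVA startup (milliseconds)
-TEST_MSVA_WAIT ?= 400
-# seconds for the HTTP request to be sent and responded to
-TEST_QUERY_DELAY ?= 30
+TEST_SERVICE_WAIT ?= 400
 
 AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
         export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
-        export TEST_LOCK_WAIT="$(lock_wait)"; \
+        export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
         export TEST_HOST="@TEST_HOST@"; \
         export TEST_PORT="$(TEST_PORT)"; \
         export MSVA_PORT="$(MSVA_PORT)"; \
-        export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
-        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
-        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
+        export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
+        export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
+        export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
         export BACKEND_HOST="@TEST_HOST@"; \
+        export BACKEND_PORT="$(BACKEND_PORT)"; \
         export HTTP_CLI="@HTTP_CLI@";
 
@@ -245,11 +279,17 @@
         export USE_TEST_NAMESPACE=1;
 endif
-# Without flock tests must not run in parallel. Otherwise set lock files.
+# Without flock tests must not run in parallel, and PID files are used
+# to prevent conflicts between server instances. Otherwise set lock
+# files for flock.
 if DISABLE_FLOCK
+AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
+        export BACKEND_LOCK="backend.pid"; \
+        export OCSP_LOCK="ocsp.pid";
 .NOTPARALLEL:
 else
 AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
         export TEST_LOCK="$(test_lockfile)"; \
-        export BACKEND_LOCK="$(backend_lockfile)";
+        export BACKEND_LOCK="$(backend_lockfile)"; \
+        export OCSP_LOCK="$(ocsp_lockfile)";
 endif
 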
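Review bot: `gnutls_openpgp_support_LDFLAGS = $(LIBGNUTLS_LIBS)` (new line 41) passes the library through the per-program linker-flags variable, which Automake places before the object files on the link command; with a linker that defaults to `--as-needed` the libgnutls reference can be dropped and the new check program fails to link. Libraries belong in `_LDADD`: `gnutls_openpgp_support_LDADD = $(LIBGNUTLS_LIBS)`. The unchanged `gen_ocsp_index_LDFLAGS` line at new line 48 has the same shape and could be switched in the same way. Separately, the wait loop added to `clean-local` runs `ls *.pid` with its output unredirected, so every pass prints either the file list or an error; `ls *.pid >/dev/null 2>&1` would keep the log to the "waiting for test services" message.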
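--- a/test/README
+++ b/test/README
@@ -130,6 +130,6 @@
  * If a machine is particularly slow or under heavy load, it's
    possible that these tests will fail for timing
-   reasons. [TEST_QUERY_DELAY (seconds for the HTTP request to be sent
-   and responded to)]
+   reasons. [TEST_QUERY_TIMEOUT (timeout for the HTTPS request in
+   seconds)]
 
 The first two of these issues are avoided when the tests are isolated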
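--- a/test/apache-conf/netns.conf.in
+++ b/test/apache-conf/netns.conf.in
@@ -1,4 +1,4 @@
 # This file contains options that are different depending on whether
 # tests use namespaces or not.
-Mutex   @MUTEX_TYPE@    default
+@MUTEX_CONF@
 PidFile apache2@PID_AFFIX@.pid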
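--- a/test/base_apache.conf
+++ b/test/base_apache.conf
@@ -1,3 +1,4 @@
 ServerRoot ${PWD}
+DefaultRuntimeDir cache/
 
 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined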
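--- a/test/common.bash
+++ b/test/common.bash
@@ -15,4 +15,63 @@
         sleep 1
     done
+}
+
+
+
+# Usage: verbose_log [...]
+#
+# If VERBOSE is not empty, write a log message prefixed with the name
+# of the calling function. The function is defined to a no-op
+# otherwise.
+if [ -n "${VERBOSE}" ]; then
+    function verbose_log
+    {
+        echo "${FUNCNAME[1]}: ${@}"
+    }
+else
+    function verbose_log
+    {
+        return
+    }
+fi
+
+
+
+# Usage: wait_ready COMMAND [TIMEOUT] [STEP]
+#
+# Wait until COMMAND terminates with success (zero exit code), or
+# until the TIMEOUT (in milliseconds) expires. TIMEOUT defaults to
+# $TEST_SERVICE_MAX_WAIT if unset. A TIMEOUT of zero means to try
+# once.
+#
+# COMMAND is retried every STEP milliseconds, the default is
+# $TEST_SERVICE_WAIT. Note that the last try may happen a little after
+# TIMEOUT expires if STEP does not evenly divide it.
+function wait_ready
+{
+    local command="${1}"
+    if [ -z "${2}" ]; then
+        local -i timeout="${TEST_SERVICE_MAX_WAIT}"
+    else
+        local -i timeout="${2}"
+    fi
+    local -i step="${3}"
+    [ ${step} -gt 0 ] || step="${TEST_SERVICE_WAIT}"
+    # convert step to seconds because that's what "sleep" needs
+    local sec_step="$((${step} / 1000)).$((${step} % 1000))"
+
+    verbose_log "Waiting for \"${command}\" ..."
+    local -i waited=0
+    until eval "${command}"; do
+        if [ "${waited}" -ge "${timeout}" ]; then
+            echo "${FUNCNAME[0]}: Timed out waiting for \"${command}\"" \
+                 "to succeed (waited ${waited} ms)." >&2
+            return 1
+        fi
+        waited=$((waited + step));
+        sleep "${sec_step}"
+        verbose_log "waiting (${waited} ms)"
+    done
+    verbose_log "done (waited ${waited} ms)"
 }
 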
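Review bot: In `wait_ready`, `sec_step="$((${step} / 1000)).$((${step} % 1000))"` does not zero-pad the millisecond remainder, so a STEP of 50 becomes `0.50` (half a second) and 1005 becomes `1.5`; the default of 400 only works because it has three digits. Pad the fraction, for example `local sec_step; printf -v sec_step '%d.%03d' "$((step / 1000))" "$((step % 1000))"`. The usage comment should also state that COMMAND is run through `eval`, so callers know that any data they interpolate into the string is parsed as shell code a second time.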
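--- a/test/ocsp_server.conf.in
+++ b/test/ocsp_server.conf.in
@@ -1,5 +1,16 @@
+Define  OCSP_PORT       ${OCSP_PORT}
+Define  TEST_PORT       ${OCSP_PORT}
+
+Include ${srcdir}/base_apache.conf
+
 Include         ${srcdir}/cgi_module.conf
 LoadModule      env_module              ${AP_LIBEXECDIR}/mod_env.so
 LoadModule      rewrite_module          ${AP_LIBEXECDIR}/mod_rewrite.so
+
+# separate log and PID file
+CustomLog       logs/${TEST_NAME}.ocsp.access.log combined
+ErrorLog        logs/${TEST_NAME}.ocsp.error.log
+PidFile         ocsp@PID_AFFIX@.pid
+
 <IfDefine !OCSP_INDEX>
         # Default index file, define OCSP_INDEX in the test specific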
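--- a/test/proxy_backend.conf.in
+++ b/test/proxy_backend.conf.in
@@ -1,2 +1,6 @@
+# redefine TEST_PORT before loading the base config
+Define  TEST_PORT       ${BACKEND_PORT}
+Include ${srcdir}/base_apache.conf
+
 # common options for proxy backend servers
 CustomLog       logs/${TEST_NAME}.backend.access.log combined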
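--- a/test/runtests
+++ b/test/runtests
@@ -7,4 +7,5 @@
 set -e
 . ${srcdir}/common.bash
+. ${srcdir}/apache_service.bash
 netns_reexec ${@}
 
@@ -17,7 +18,8 @@
     testid=${srcdir}/tests/"$(printf "%02d" "$testid")"_*
 fi
+testdir="$(realpath ${testid})"
 
 BADVARS=0
-for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
+for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_TIMEOUT TEST_SERVICE_WAIT \
                  MSVA_PORT; do
     if [ ! -v "$v" ]; then
@@ -34,7 +36,9 @@
 function pinpoint_error()
 {
-    echo "${1} failed at line ${2}!" >&2
-}
-trap 'pinpoint_error ${BASH_SOURCE} ${LINENO}' ERR
+    echo "Command \"${BASH_COMMAND}\" failed. Call trace:" >&2
+    local stack=0
+    while caller $((stack++)) >&2; do true; done
+}
+trap 'pinpoint_error' ERR
 
 function stop_msva()
@@ -89,4 +93,6 @@
         if [ -n "${pid}" ] && ps -p "${pid}"; then
             kill "${pid}"
+        else
+            echo "No running process with PID ${pid} (${pidfile})."
         fi
         rm "${pidfile}"
@@ -96,8 +102,16 @@
 function apache_down_err() {
     printf "FAILURE: %s\n" "$TEST_NAME"
-    ${APACHE2} -f "${t}/apache.conf" -k stop || true
+    ${APACHE2} -f "${testdir}/apache.conf" -k stop || true
     if [ -e output ]; then
         printf "\ngnutls-cli outputs:\n"
         diff_output_filter_headers "output" "$output" || true
+    fi
+
+    if [ -r "${testdir}/backend.conf" ]; then
+        apache_service "${testdir}" "backend.conf" stop || true
+    fi
+
+    if [ -r "${testdir}/ocsp.conf" ]; then
+        apache_service "${testdir}" "ocsp.conf" stop || true
     fi
 
@@ -123,26 +137,9 @@
 
     printf "TESTING: initial MSVA verification\n"
-    # set to 0 if MSVA is up
-    ret=1
     export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT"
 
-    # convert TEST_MSVA_WAIT to seconds because that's what "sleep" expects
-    TEST_MSVA_SLEEP="$((${TEST_MSVA_WAIT} / 1000)).$((${TEST_MSVA_WAIT} % 1000))"
-    # wait at most TEST_MSVA_MAX_WAIT milliseconds for MSVA to get ready
-    waited=0
-    until [ ${ret} -eq 0 ] \
-              || [ ${waited} -ge ${TEST_MSVA_MAX_WAIT} ]; do
-        if msva-query-agent https "$(cat client.uid)" x509pem client < client/x509.pem
-        then
-            ret=0
-        else
-            echo "MSVA not ready yet"
-        fi
-        sleep "${TEST_MSVA_SLEEP}"
-        waited=$((${waited} + ${TEST_MSVA_WAIT}))
-    done
-
+    msva_test_cmd="msva-query-agent https \"$(cat client.uid)\" x509pem client < client/x509.pem"
     # check if MSVA is up, fail if not
-    if [ ${ret} -eq 0 ]; then
+    if wait_ready "${msva_test_cmd}"; then
         printf "\nSUCCESS: initial MSVA verification\n"
     else
@@ -152,24 +149,22 @@
 fi
 
-TEST_PID="apache2.pid"
 # configure locking for the Apache process
 if [ -n "${USE_TEST_NAMESPACE}" ]; then
     echo "Using namespaces to isolate tests, no need for locking."
     flock_cmd=""
-elif [ -n "${TEST_LOCK}" ]; then
+elif [ -n "${FLOCK}" ]; then
     flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
 else
     echo "Locking disabled, using wait based on Apache PID file."
-    wait_pid_gone "${TEST_PID}"
+    wait_pid_gone "${TEST_LOCK}"
     flock_cmd=""
 fi
 
-t="$(realpath ${testid})"
 export srcdir="$(realpath ${srcdir})"
-export TEST_NAME="$(basename "$t")"
+export TEST_NAME="$(basename "${testdir}")"
 output="outputs/${TEST_NAME}.output"
 rm -f "$output"
 
-if [ -e ${t}/fail.* ]; then
+if [ -e ${testdir}/fail.* ]; then
     EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)"
 else
@@ -179,12 +174,35 @@
 trap apache_down_err EXIT
 if [ -n "${USE_MSVA}" ]; then
-    MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
-                                        ${flock_cmd} \
-                                        ${APACHE2} -f "${t}/apache.conf" -k start \
-        || [ -e "${t}/fail.server" ]
-else
-    ${flock_cmd} \
-        ${APACHE2} -f "${t}/apache.conf" -k start \
-        || [ -e "${t}/fail.server" ]
+    export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT"
+fi
+
+# If VERBOSE is enabled, log the HTTPD build configuration
+if [ -n "${VERBOSE}" ]; then
+    ${APACHE2} -f "${srcdir}/base_apache.conf" -V
+fi
+
+# Start OCSP responder, if configured
+if [ -r "${testdir}/ocsp.conf" ]; then
+    apache_service "${testdir}" "ocsp.conf" start "${OCSP_LOCK}"
+    CHECK_OCSP_SERVER="true"
+    if [ -n "${VERBOSE}" ]; then
+        echo "OCSP index for the test CA:"
+        cat authority/ocsp_index.txt
+    fi
+fi
+
+# Start proxy backend server, if configured
+if [ -r "${testdir}/backend.conf" ]; then
+    apache_service "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
+fi
+
+if ! ${flock_cmd} ${APACHE2} -f "${testdir}/apache.conf" -k start; then
+    if [ -e "${testdir}/fail.server" ]; then
+        echo "Apache HTTPD failed to start as expected."
+        exit 0
+    else
+        echo "Apache HTTPD unexpectedly failed to start."
+        exit 1
+    fi
 fi
 
@@ -195,5 +213,5 @@
     fi
     echo "---- Testing OCSP server ----"
-    ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}
+    wait_ready "ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}"
     echo "---- OCSP test done ----"
 fi
@@ -212,16 +230,16 @@
 # end with CRLF as required by RFC 7230, Section 3.1.1 regardless of
 # the line ends in the input file.
-if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${t}/input && \
-           run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
-       gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
+if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${testdir}/input && \
+           run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_TIMEOUT}" &) | \
+       gnutls-cli -p "${TEST_PORT}" $(cat ${testdir}/gnutls-cli.args) "${TEST_HOST}" \
        | tee "$output" && test "${PIPESTATUS[1]}" -eq 0;
 then
-    if [ -e ${t}/fail* ]; then
-        printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2
+    if [ -e ${testdir}/fail* ]; then
+        printf "%s should have failed but succeeded\n" "$(basename "$testdir")" >&2
         exit 1
     fi
 else
-    if [ ! -e ${t}/fail* ]; then
-        printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2
+    if [ ! -e ${testdir}/fail* ]; then
+        printf "%s should have succeeded but failed\n" "$(basename "$testdir")" >&2
         exit 1
     fi
@@ -231,6 +249,6 @@
 unset sleep_pidfile
 
-if [ -e ${t}/output ] ; then
-    diff_output_filter_headers "${t}/output" "$output" >&2
+if [ -e ${testdir}/output ] ; then
+    diff_output_filter_headers "${testdir}/output" "$output" >&2
 fi
 if [ -n "${USE_MSVA}" ]; then
@@ -239,6 +257,14 @@
     trap - EXIT
 fi
-${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ]
+${APACHE2} -f "${testdir}/apache.conf" -k stop || [ -e ${testdir}/fail.server ]
 printf "SUCCESS: %s\n" "$TEST_NAME"
+
+if [ -r "${testdir}/backend.conf" ]; then
+    apache_service "${testdir}" "backend.conf" stop || true
+fi
+
+if [ -r "${testdir}/ocsp.conf" ]; then
+    apache_service "${testdir}" "ocsp.conf" stop || true
+fi
 
 if [ -n "${USE_MSVA}" ]; then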
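Review bot: `msva_test_cmd` (new line 141) expands `$(cat client.uid)` while the string is being built and only then hands it to `wait_ready`, which, as defined in common.bash in this changeset, runs it through `eval`; a UID containing `"`, `$` or a backtick would be re-parsed as shell syntax instead of being passed as one argument. Deferring the substitution keeps the value quoted at evaluation time: `msva_test_cmd='msva-query-agent https "$(cat client.uid)" x509pem client < client/x509.pem'`. The same consideration applies to `${store_ocsp}` in the `wait_ready "ocsptool …"` call at new line 215, though its value is set outside the visible hunk. The enclosing `if` block of the MSVA check starts outside the hunk.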
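--- a/test/test-14_basic_openpgp.bash
+++ b/test/test-14_basic_openpgp.bash
@@ -1,2 +1,3 @@
 #!/bin/bash
+./gnutls_openpgp_support || exit $?
 ${srcdir}/runtests t-14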
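--- a/test/test-19_TLS_reverse_proxy.bash
+++ b/test/test-19_TLS_reverse_proxy.bash
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/19_TLS_reverse_proxy"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-19
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT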
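--- a/test/test-20_TLS_reverse_proxy_client_auth.bash
+++ b/test/test-20_TLS_reverse_proxy_client_auth.bash
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/20_TLS_reverse_proxy_client_auth"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-20
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT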
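--- a/test/test-21_TLS_reverse_proxy_wrong_cert.bash
+++ b/test/test-21_TLS_reverse_proxy_wrong_cert.bash
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/21_TLS_reverse_proxy_wrong_cert"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-21
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT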
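--- a/test/test-22_TLS_reverse_proxy_crl_revoke.bash
+++ b/test/test-22_TLS_reverse_proxy_crl_revoke.bash
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/22_TLS_reverse_proxy_crl_revoke"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-22
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT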
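--- a/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
+++ b/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
@@ -1,11 +1,3 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/23_TLS_reverse_proxy_mismatched_priorities"
-. $(dirname ${0})/proxy_backend.bash
 
 # This test checks if server and proxy priorities are applied
@@ -13,14 +5,3 @@
 # back end server is configured not to use TLS 1.2. The proxy request
 # must fail and the client must receive an error message to pass.
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-23
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT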
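--- a/test/test-26_redirect_HTTP_to_HTTPS.bash
+++ b/test/test-26_redirect_HTTP_to_HTTPS.bash
@@ -11,5 +11,5 @@
 testdir="${srcdir}/tests/26_redirect_HTTP_to_HTTPS"
 TEST_NAME="$(basename ${testdir})"
-. $(dirname ${0})/proxy_backend.bash
+. $(dirname ${0})/apache_service.bash
 
 : ${TEST_HTTP_PORT:="9935"}
@@ -17,14 +17,12 @@
 
 # "Proxy backend" functions are used to start the only instance needed
-# here without "runtests". We have to override BACKEND_PID and
-# BACKEND_PORT to make them match what a runtests-based test would
-# use.
-export BACKEND_PID="apache2.pid"
+# here without "runtests". We have to override BACKEND_PORT to make it
+# match what a runtests-based test would use.
 export BACKEND_PORT="${TEST_PORT}"
 function stop_backend
 {
-    backend_apache "${testdir}" "apache.conf" stop
+    apache_service "${testdir}" "apache.conf" stop
 }
-backend_apache "${testdir}" "apache.conf" start "${TEST_LOCK}"
+apache_service "${testdir}" "apache.conf" start "${TEST_LOCK}"
 trap stop_backend EXIT
 
@@ -48,4 +46,4 @@
 grep "Current TLS session: (TLS" "${output}"
 
-backend_apache "${testdir}" "apache.conf" stop
+apache_service "${testdir}" "apache.conf" stop
 trap - EXIT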
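--- a/test/test-27_OCSP_server.bash
+++ b/test/test-27_OCSP_server.bash
@@ -4,9 +4,4 @@
 # Skip if OCSP tests are not enabled
 [ -n "${OCSP_PORT}" ] || exit 77
-
-# trigger OCSP server test in the runtests script
-export CHECK_OCSP_SERVER="true"
-echo "OCSP index for the test CA:"
-cat authority/ocsp_index.txt
 
 ${srcdir}/runtests t-27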
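--- a/test/test_ca.mk
+++ b/test/test_ca.mk
@@ -48,7 +48,7 @@
 %/cert.pgp: %/minimal.pgp authority/minimal.pgp
         if test -r $@; then rm $@; fi
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+        GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $<
+        GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+        GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
 
 # special cases for the authorities' root certs: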
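--- a/test/tests/06_verify_sni_a/apache.conf
+++ b/test/tests/06_verify_sni_a/apache.conf
@@ -2,6 +2,4 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 <VirtualHost _default_:${TEST_PORT}>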
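--- a/test/tests/07_verify_sni_b/apache.conf
+++ b/test/tests/07_verify_sni_b/apache.conf
@@ -2,6 +2,4 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 # trying in a different order from 06_verify_sni_a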
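--- a/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
+++ b/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
@@ -2,6 +2,4 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 <VirtualHost _default_:${TEST_PORT}>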
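--- a/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
+++ b/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
@@ -2,6 +2,4 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 # In this order, clients with no SNI should get the imposter's key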
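--- a/test/tests/12_cgi_variables/apache.conf
+++ b/test/tests/12_cgi_variables/apache.conf
@@ -13,4 +13,5 @@
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
+ GnuTLSDHFile ${srcdir}/ffdhe3072.pem
  GnuTLSPriorities NORMAL
  GnuTLSClientCAFile authority/x509.pem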
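--- a/test/tests/12_cgi_variables/output
+++ b/test/tests/12_cgi_variables/output
@@ -8,4 +8,4 @@
 RFC822NAME:test0@modgnutls.test
 
-DH prime bits: 2048
+DH prime bits: 3072
 - Peer has closed the GnuTLS connection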
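--- a/test/tests/17_cgi_vars_large_cert/apache.conf
+++ b/test/tests/17_cgi_vars_large_cert/apache.conf
@@ -13,4 +13,5 @@
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
+ GnuTLSDHFile ${srcdir}/ffdhe3072.pem
  GnuTLSPriorities NORMAL
  GnuTLSClientCAFile authority/x509.pem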
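--- a/test/tests/17_cgi_vars_large_cert/output
+++ b/test/tests/17_cgi_vars_large_cert/output
@@ -8,4 +8,4 @@
 RFC822NAME:test0@modgnutls.test
 
-DH prime bits: 2048
+DH prime bits: 3072
 - Peer has closed the GnuTLS connection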
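--- a/test/tests/19_TLS_reverse_proxy/backend.conf
+++ b/test/tests/19_TLS_reverse_proxy/backend.conf
@@ -1,4 +1,3 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache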
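--- a/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
+++ b/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
@@ -1,4 +1,3 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache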
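--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
+++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
@@ -1,4 +1,3 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache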
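--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
+++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
@@ -1,4 +1,3 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache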
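--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
+++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
@@ -1,4 +1,3 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache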
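--- a/test/tests/27_OCSP_server/apache.conf
+++ b/test/tests/27_OCSP_server/apache.conf
@@ -1,7 +1,4 @@
-Define  OCSP_PORT       ${OCSP_PORT}
-
 Include ${srcdir}/base_apache.conf
-Include ${srcdir}/ocsp_server.conf
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache dbm cache/gnutls_cache_${TEST_NAME}
 
 <VirtualHost _default_:${TEST_PORT}>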
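--- a/test/tests/Makefile.am
+++ b/test/tests/Makefile.am
@@ -27,3 +27,3 @@
         25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
         26_redirect_HTTP_to_HTTPS/apache.conf \
-        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/output
+        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/ocsp.conf 27_OCSP_server/output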