authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-03-02 09:38:55 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-03-02 09:46:27 +0100
commit8bc71dc0ed272c10b6430a678858b8e973828cf8 (patch)
treeba39ce59100efd126720c1a57439d2079555b488
parent803f2e10748995c6386bb54cad4ceaca6bd1c1b3 (diff)
tests: eliminated destructive teststmp-simplify-nettle-check
That adds a dependency on p11-kit 0.23.10 for the test suite. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--.gitlab-ci.yml9
-rw-r--r--configure.ac8
-rw-r--r--tests/Makefile.am4
-rw-r--r--[-rwxr-xr-x]tests/destructive/p11-kit-load.sh71
-rwxr-xr-xtests/p11-kit-load.sh181
-rw-r--r--tests/pkcs11/list-tokens.c19
6 files changed, 238 insertions, 54 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f2be618ab0..eca9b6bdd4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -185,10 +185,9 @@ asan.Fedora.x86_64:
- LSAN_OPTIONS="suppressions=$(pwd)/fuzz/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x4
- LSAN_OPTIONS="suppressions=$(pwd)/fuzz/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x8
- CFLAGS="-fsanitize=address -g -O2" LDFLAGS="-static-libasan"
- dash ./configure --cache-file cache/config.cache --disable-doc --with-default-trust-store-pkcs11="pkcs11:" --disable-guile --enable-destructive-tests
+ dash ./configure --cache-file cache/config.cache --disable-doc --with-default-trust-store-pkcs11="pkcs11:" --disable-guile
- make -j$(nproc)
- - make -C tests check -j$(nproc) TESTS="trust-store" SUBDIRS=.
- - make -C tests check -j$(nproc) TESTS= "destructive/p11-kit-load.sh" SUBDIRS=.
+ - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=.
tags:
- shared
except:
@@ -420,9 +419,9 @@ ubsan-Werror.Fedora.x86_64:
- make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros"
- make -j$(nproc)
- make check -j$(nproc)
- - CFLAGS="-fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" LDFLAGS="-static-libubsan" dash ./configure --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --with-default-trust-store-pkcs11="pkcs11:" --enable-destructive-tests
+ - CFLAGS="-fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" LDFLAGS="-static-libubsan" dash ./configure --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --with-default-trust-store-pkcs11="pkcs11:"
- make -j$(nproc)
- - make -C tests check -j$(nproc) TESTS="trust-store destructive/p11-kit-load.sh" SUBDIRS=.
+ - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=.
tags:
- shared
except:
diff --git a/configure.ac b/configure.ac
index 18be369534..e6b63a97d4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -255,11 +255,6 @@ AC_ARG_ENABLE(tests,
enable_tests=$enableval, enable_tests=$enable_tools)
AM_CONDITIONAL(ENABLE_TESTS, test "$enable_tests" != "no")
-AC_ARG_ENABLE(destructive-tests,
- AS_HELP_STRING([--enable-destructive-tests], [compile and run tests which touch outside gnutls' code boundary]),
- enable_destructive_tests=$enableval, enable_destructive_tests=no)
-AM_CONDITIONAL(ENABLE_DESTRUCTIVE_TESTS, test "$enable_destructive_tests" != "no")
-
AC_ARG_ENABLE(fuzzer-target,
AS_HELP_STRING([--enable-fuzzer-target], [make a library intended for testing - not production]),
enable_fuzzer_target=$enableval, enable_fuzzer_target=no)
@@ -616,6 +611,8 @@ if test "$with_p11_kit" != "no"; then
fi
fi
+AM_CONDITIONAL(P11KIT_0_23_10_API, ! $PKG_CONFIG --atleast-version=2.23.10 p11-kit)
+
AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
AC_ARG_WITH(tpm,
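Review bot: The added AM_CONDITIONAL tests `--atleast-version=2.23.10 p11-kit`, but the commit message and the new script (which runs `--atleast-version=0.23.10 p11-kit-1`) want version 0.23.10 of the `p11-kit-1` module, and the leading `!` makes P11KIT_0_23_10_API true exactly when that check fails. With the wrong module name the pkg-config call presumably always fails, so the conditional is always true and tests/Makefile.am would build list-tokens even against a p11-kit that lacks the header that file now includes. The line should read `AM_CONDITIONAL(P11KIT_0_23_10_API, $PKG_CONFIG --atleast-version=0.23.10 p11-kit-1)`. Note also that $PKG_CONFIG is run here even when p11-kit is disabled; that is harmless only because the Makefile.am use sits under ENABLE_PKCS11.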
@@ -974,7 +971,6 @@ AC_MSG_NOTICE([summary of build options:
Local unistring: ${included_unistring}
Use nettle-mini: ${mini_nettle}
Documentation: ${enable_doc} (manpages: ${enable_manpages})
- Destructive tests: ${enable_destructive_tests}
])
AC_MSG_NOTICE([External hardware support:
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 27d971232b..755743e253 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -388,9 +388,9 @@ dist_check_SCRIPTS += gnutls-cli-self-signed.sh
if ENABLE_PKCS11
dist_check_SCRIPTS += p11-kit-trust.sh
-if ENABLE_DESTRUCTIVE_TESTS
if HAVE_PKCS11_TRUST_STORE
-dist_check_SCRIPTS += destructive/p11-kit-load.sh
+if P11KIT_0_23_10_API
+dist_check_SCRIPTS += p11-kit-load.sh
indirect_tests += pkcs11/list-tokens
endif
endif
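Review bot: pkcs11/list-tokens is placed under the new P11KIT_0_23_10_API conditional, but nothing in this hunk adds the p11-kit include and link flags that list-tokens.c now needs for `<p11-kit/p11-kit.h>` and p11_kit_override_system_files; if the tests' common CFLAGS/LDADD do not already carry the p11-kit pkg-config flags (not visible here), the program will fail to compile or link. A per-program CFLAGS/LDADD entry for pkcs11/list-tokens, or a comment stating where those flags come from, would make the dependency explicit. The conditional's meaning also depends on the configure.ac check, which as written negates the pkg-config result, so this hunk only selects the right builds once that check is corrected.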
diff --git a/tests/destructive/p11-kit-load.sh b/tests/destructive/p11-kit-load.sh
index d961aa55be..8f3bff80f5 100755..100644
--- a/tests/destructive/p11-kit-load.sh
+++ b/tests/destructive/p11-kit-load.sh
@@ -25,8 +25,8 @@ P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}"
CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
DIFF="${DIFF:-diff}"
PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}"
-TMPDIR="backup.$$.tmp"
TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp"
+P11DIR="p11-kit-conf.$$.tmp"
PIN=1234
PUK=1234
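Review bot: tests/destructive/p11-kit-load.sh is no longer referenced after this commit — tests/Makefile.am drops its dist_check_SCRIPTS line — yet it is rewritten into a near-copy of the new tests/p11-kit-load.sh instead of being removed, and the mode flip from 0755 to 0644 suggests retirement was the intent. Keeping two copies of the same test will drift; delete this file, or add a one-line comment at the top stating why it remains. If it is kept, the later hunk in this file still carries a stray `echo xxx` debug line before the test 4 failure output and a commented-out p11tool block whose text (`ould list them both`) is garbled. That hunk's cleanup `rm -f ${P11DIR}/*` also removes only the module files and leaves the p11-kit-conf directory behind on each run.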
@@ -65,22 +65,14 @@ fi
# Create pkcs11.conf with two modules, a trusted (p11-kit-trust)
# and softhsm (not trusted)
-DIR=$(${PKGCONFIG} --var=p11_system_config_modules p11-kit-1)
-if test $? != 0 || test -z ${DIR} || test ${DIR} = '/';then
- echo "Cannot determine p11-kit module config directory"
- exit 1
-fi
-
-mkdir -p ${TMPDIR}
-cp ${DIR}/* ${TMPDIR}
-rm -f ${DIR}/*
+mkdir -p ${P11DIR}
-cat <<_EOF_ >${DIR}/p11-kit-trust.module
+cat <<_EOF_ >${P11DIR}/p11-kit-trust.module
module: p11-kit-trust.so
trust-policy: yes
_EOF_
-cat <<_EOF_ >${DIR}/softhsm.module
+cat <<_EOF_ >${P11DIR}/softhsm.module
module: libsofthsm2.so
_EOF_
@@ -98,93 +90,96 @@ if test $? != 0; then
exit 1
fi
+FILTERTOKEN="sed s/token=.*//g"
-# Check whether p11tool would list them both
+# Check whether both are listed
-nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l)
+#nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l)
if test "$nr" != 2;then
echo "Error: did not find 2 modules ($nr)"
- ${P11TOOL} --list-tokens|grep 'Module:'|sort|uniq
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR}
exit 1
fi
-# Check whether p11tool with a specific provider would list only that
-# That is, check whether p11tool will list the trust module
-# if we only load softhsm (it should as trust modules
-# are always loaded).ould list them both
+## Check whether p11tool with a specific provider would list only that
+## That is, check whether p11tool will list the trust module
+## if we only load softhsm (it should as trust modules
+## are always loaded).ould list them both
+
-nr=$(${P11TOOL} --provider "${SOFTHSM_MODULE}" --list-tokens|grep -c ^Token)
+#nr=$(${P11TOOL} --provider "${SOFTHSM_MODULE}" --list-tokens|grep -c ^Token)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
echo "Error: did not find softhsm modules"
- ${P11TOOL} --list-tokens --provider "${SOFTHSM_MODULE}"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"
exit 1
fi
-FILTERTOKEN="sed s/token=.*//g"
# Check whether both modules are found when gnutls_pkcs11_init
# is not called but a pkcs11 operation is called.
-nr=$(${builddir}/pkcs11/list-tokens -d|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -d|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 2;then
echo "Error in test 1: did not find 2 modules"
- ${builddir}/pkcs11/list-tokens -d
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -d
exit 1
fi
# Check whether both modules are found when gnutls_pkcs11_init
# is called with the auto flag
-nr=$(${builddir}/pkcs11/list-tokens -a|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 2;then
echo "Error in test 2: did not find 2 modules"
- ${builddir}/pkcs11/list-tokens -a
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -a
exit 1
fi
# Check whether only trusted modules are listed when the
# trusted flag is given to gnutls_pkcs11_init().
-nr=$(${builddir}/pkcs11/list-tokens -t|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -t|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
echo "Error in test 3: did not find the trusted module"
- ${builddir}/pkcs11/list-tokens -t
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -t
exit 1
fi
# Check whether only trusted is listed after certificate verification
# is performed.
-nr=$(${builddir}/pkcs11/list-tokens -v|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
echo "Error in test 4: did not find 1 module"
- ${builddir}/pkcs11/list-tokens -v
+ echo xxx
+ GNUTLS_DEBUG_LEVEL=4 P11_KIT_DEBUG=all ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v
exit 1
fi
# Check whether only trusted is listed when gnutls_pkcs11_init
# is called with manual flag and a certificate verification is performed.
-nr=$(${builddir}/pkcs11/list-tokens -m -v|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
echo "Error in test 5: did not find 1 module"
- ${builddir}/pkcs11/list-tokens -m -v
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v
exit 1
fi
# Check whether all modules are listed after certificate verification
# is performed then a PKCS#11 function is called.
-nr=$(${builddir}/pkcs11/list-tokens -v -d|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 2;then
echo "Error in test 6: did not find all modules"
- ${builddir}/pkcs11/list-tokens -v -d
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d
exit 1
fi
# Check whether all modules are listed after a private key operation.
-nr=$(${builddir}/pkcs11/list-tokens -p|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -p|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 2;then
echo "Error in test 7: did not find all modules"
- ${builddir}/pkcs11/list-tokens -p
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -p
exit 1
fi
-rm -f ${DIR}/*
+rm -f ${P11DIR}/*
rm -rf ${TMP_SOFTHSM_DIR}
-cp ${TMPDIR}/* ${DIR}/
exit 0
diff --git a/tests/p11-kit-load.sh b/tests/p11-kit-load.sh
new file mode 100755
index 0000000000..2a306fa886
--- /dev/null
+++ b/tests/p11-kit-load.sh
@@ -0,0 +1,181 @@
+#!/bin/sh
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of p11-kit.
+#
+# p11-kit is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# p11-kit is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>
+
+#set -e
+
+srcdir="${srcdir:-.}"
+builddir="${builddir:-.}"
+CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}"
+TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp"
+P11DIR="p11-kit-conf.$$.tmp"
+PIN=1234
+PUK=1234
+
+for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/;do
+ if test -f "${lib}/p11-kit-trust.so"; then
+ TRUST_MODULE="${lib}/p11-kit-trust.so"
+ echo "located ${MODULE}"
+ break
+ fi
+done
+
+for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/ /usr/lib/softhsm/;do
+ if test -f "${lib}/libsofthsm2.so"; then
+ SOFTHSM_MODULE="${lib}/libsofthsm2.so"
+ echo "located ${MODULE}"
+ break
+ fi
+done
+
+${PKGCONFIG} --version >/dev/null || exit 77
+
+${PKGCONFIG} --atleast-version=0.23.10 p11-kit-1
+if test $? != 0;then
+ echo p11-kit 0.23.10 is required
+ exit 77
+fi
+
+if ! test -f "${TRUST_MODULE}"; then
+ echo "p11-kit trust module was not found"
+ exit 77
+fi
+
+if ! test -f "${SOFTHSM_MODULE}"; then
+ echo "softhsm module was not found"
+ exit 77
+fi
+
+# Create pkcs11.conf with two modules, a trusted (p11-kit-trust)
+# and softhsm (not trusted)
+mkdir -p ${P11DIR}
+
+cat <<_EOF_ >${P11DIR}/p11-kit-trust.module
+module: p11-kit-trust.so
+trust-policy: yes
+_EOF_
+
+cat <<_EOF_ >${P11DIR}/softhsm.module
+module: libsofthsm2.so
+_EOF_
+
+# Setup softhsm
+rm -rf ${TMP_SOFTHSM_DIR}
+mkdir -p ${TMP_SOFTHSM_DIR}
+SOFTHSM2_CONF=${TMP_SOFTHSM_DIR}/conf
+export SOFTHSM2_CONF
+echo "objectstore.backend = file" > "${SOFTHSM2_CONF}"
+echo "directories.tokendir = ${TMP_SOFTHSM_DIR}" >> "${SOFTHSM2_CONF}"
+
+softhsm2-util --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1
+if test $? != 0; then
+ echo "failed to initialize softhsm"
+ exit 1
+fi
+
+FILTERTOKEN="sed s/token=.*//g"
+
+# Check whether both are listed
+
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l)
+#nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error: did not find 2 modules ($nr)"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR}
+ exit 1
+fi
+
+# Check whether whether list-tokens will list the trust module
+# if we only load softhsm. It shouldn't as we only load the
+# trust module when needed (e.g., verification).
+
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 1;then
+ echo "Error: did not find softhsm module"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"
+ exit 1
+fi
+
+# Check whether both modules are found when gnutls_pkcs11_init
+# is not called but a pkcs11 operation is called.
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -d|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error in test 1: did not find 2 modules"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -d
+ exit 1
+fi
+
+# Check whether both modules are found when gnutls_pkcs11_init
+# is called with the auto flag
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error in test 2: did not find 2 modules"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -a
+ exit 1
+fi
+
+# Check whether only trusted modules are listed when the
+# trusted flag is given to gnutls_pkcs11_init().
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -t|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 1;then
+ echo "Error in test 3: did not find the trusted module"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -t
+ exit 1
+fi
+
+# Check whether only trusted is listed after certificate verification
+# is performed.
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 1;then
+ echo "Error in test 4: did not find 1 module"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v
+ exit 1
+fi
+
+# Check whether only trusted is listed when gnutls_pkcs11_init
+# is called with manual flag and a certificate verification is performed.
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 1;then
+ echo "Error in test 5: did not find 1 module"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v
+ exit 1
+fi
+
+# Check whether all modules are listed after certificate verification
+# is performed then a PKCS#11 function is called.
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error in test 6: did not find all modules"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d
+ exit 1
+fi
+
+# Check whether all modules are listed after a private key operation.
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -p|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error in test 7: did not find all modules"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -p
+ exit 1
+fi
+
+rm -f ${P11DIR}/*
+rm -rf ${TMP_SOFTHSM_DIR}
+
+exit 0
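Review bot: Both module-discovery loops print `echo "located ${MODULE}"`, but `MODULE` is never set in this script; the variables assigned are TRUST_MODULE and SOFTHSM_MODULE, so the messages print an empty path and give no hint when an unexpected library is picked up. Change them to `echo "located ${TRUST_MODULE}"` and `echo "located ${SOFTHSM_MODULE}"`. The final cleanup `rm -f ${P11DIR}/*` deletes the two .module files but leaves the p11-kit-conf.$$.tmp directory behind on every run; `rm -rf ${P11DIR}` covers both, and none of the failure paths (`exit 1`) clean up at all, which may be intended for debugging but deserves a comment. CERTTOOL and DIFF are defined but unused here, and the commented `${P11TOOL}` line refers to a variable this file never defines; dropping them keeps the script's prerequisites honest.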
diff --git a/tests/pkcs11/list-tokens.c b/tests/pkcs11/list-tokens.c
index cc4326d901..2bfe65c836 100644
--- a/tests/pkcs11/list-tokens.c
+++ b/tests/pkcs11/list-tokens.c
@@ -35,6 +35,8 @@
#include <gnutls/abstract.h>
#include <getopt.h>
#include <assert.h>
+#define P11_KIT_FUTURE_UNSTABLE_API
+#include <p11-kit/p11-kit.h>
#include "cert-common.h"
/* lists the registered PKCS#11 modules by p11-kit.
@@ -55,12 +57,11 @@ int main(int argc, char **argv)
int ret;
unsigned i;
int opt;
- char *url;
+ char *url, *mod;
gnutls_x509_trust_list_t tl;
gnutls_x509_crt_t crt;
gnutls_pkcs11_privkey_t key;
unsigned flag = 1;
- unsigned private = 0;
unsigned int status;
ret = gnutls_global_init();
@@ -72,8 +73,12 @@ int main(int argc, char **argv)
gnutls_global_set_log_function(tls_log_func);
//gnutls_global_set_log_level(4711);
- while((opt = getopt(argc, argv, "mvatdp")) != -1) {
+ while((opt = getopt(argc, argv, "s:o:mvatdp")) != -1) {
switch(opt) {
+ case 'o':
+ mod = strdup(optarg);
+ p11_kit_override_system_files(NULL, NULL, mod, mod, NULL);
+ break;
case 'm':
/* initialize manually - i.e., do no module loading */
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
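Review bot: In the new `case 'o'` the strdup result is handed to p11_kit_override_system_files without a NULL check, so an allocation failure silently turns the override into "use the system directories" and the test would then run against the real p11-kit configuration — the situation this commit sets out to avoid. Add `if (mod == NULL) { perror("strdup"); exit(1); }` before the call (optarg lives as long as argv, so the copy could also simply be dropped). Passing NULL as the last argument presumably leaves the user module directory at its default; if so, modules from the invoking user's own p11-kit configuration can still be loaded and break the exact module counts the script asserts, which is worth a comment or passing the same directory there too. Because the override only affects initialization that happens after it, `-o` must precede -m/-s/-d on the command line; a comment such as `/* must come before any option that initializes p11-kit */` would record that getopt-order dependency. main() begins and ends outside this hunk.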
@@ -82,6 +87,14 @@ int main(int argc, char **argv)
exit(1);
}
break;
+ case 's':
+ /* load module */
+ ret = gnutls_pkcs11_add_provider(optarg, NULL);
+ if (ret != 0) {
+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+ break;
case 'd':
/* when call _gnutls_pkcs11_token_get_url() do proper initialization
* if none done */