diff options
Diffstat (limited to 'tests')
65 files changed, 417 insertions, 138 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 11a083c637..b04cb081b4 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -515,13 +515,16 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start server-weak-keys.sh if !DISABLE_SYSTEM_CONFIG -dist_check_SCRIPTS += system-override-sig-hash.sh system-override-versions.sh system-override-invalid.sh \ +dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \ + system-override-versions.sh system-override-invalid.sh \ system-override-curves.sh system-override-profiles.sh system-override-tls.sh \ system-override-kx.sh system-override-default-priority-string.sh endif dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh +dist_check_SCRIPTS += dh-fips-approved.sh + if ENABLE_PKCS11 dist_check_SCRIPTS += p11-kit-trust.sh testpkcs11.sh certtool-pkcs11.sh diff --git a/tests/cert-reencoding.sh b/tests/cert-reencoding.sh index aadd6fd1bd..240d336778 100755 --- a/tests/cert-reencoding.sh +++ b/tests/cert-reencoding.sh @@ -57,7 +57,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge eval "${GETPORT}" # Port for gnutls-serv diff --git a/tests/cert-tests/alt-chain b/tests/cert-tests/alt-chain index b715416cc0..a2261b3809 100755 --- a/tests/cert-tests/alt-chain +++ b/tests/cert-tests/alt-chain @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge OLD_CA_FILE="${srcdir}/data/alt-chain-old-ca.pem" NEW_CA_FILE="${srcdir}/data/alt-chain-new-ca.pem" diff --git a/tests/cert-tests/cert-critical b/tests/cert-tests/cert-critical index 74f335cb87..f923b29fa4 100755 --- a/tests/cert-tests/cert-critical +++ b/tests/cert-tests/cert-critical 
@@ -36,7 +36,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge "2017-2-28" \ ${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-with-critical-on-root.pem diff --git a/tests/cert-tests/cert-non-digits-time b/tests/cert-tests/cert-non-digits-time index 28880b87ac..9c25c396de 100755 --- a/tests/cert-tests/cert-non-digits-time +++ b/tests/cert-tests/cert-non-digits-time @@ -32,7 +32,7 @@ if ! test -z "${VALGRIND}"; then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi -check_for_datefudge +skip_if_no_datefudge # Check whether certificates with non-digits time fields are accepted datefudge -s "2019-12-19" \ diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool index 3494aaacbe..0fd29beea9 100755 --- a/tests/cert-tests/certtool +++ b/tests/cert-tests/certtool @@ -171,7 +171,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge cat "${srcdir}/../certs/cert-ecc256.pem" "${srcdir}/../certs/ca-cert-ecc.pem"|datefudge "2012-11-22" \ ${VALGRIND} "${CERTTOOL}" --verify-chain diff --git a/tests/cert-tests/certtool-eddsa b/tests/cert-tests/certtool-eddsa index c097fbf6c6..7e07822507 100755 --- a/tests/cert-tests/certtool-eddsa +++ b/tests/cert-tests/certtool-eddsa @@ -124,7 +124,7 @@ rm -f "${TMPFILE}" "${TMPFILE2}" rm -f "${KEYFILE}" -check_for_datefudge +skip_if_no_datefudge # Test certificate chain using Ed25519 datefudge "2017-7-6" \ diff --git a/tests/cert-tests/certtool-rsa-pss b/tests/cert-tests/certtool-rsa-pss index aed79ff2e2..654bf34869 100755 --- a/tests/cert-tests/certtool-rsa-pss +++ b/tests/cert-tests/certtool-rsa-pss @@ -210,7 +210,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge "2012-11-22" \ ${VALGRIND} "${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-rsa-pss.pem" --infile "${srcdir}/data/cert-rsa-pss.pem" 
diff --git a/tests/cert-tests/certtool-verify-profiles b/tests/cert-tests/certtool-verify-profiles index a7ebd711ea..a4d738627e 100755 --- a/tests/cert-tests/certtool-verify-profiles +++ b/tests/cert-tests/certtool-verify-profiles @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge echo "Checking chain with insecure leaf" datefudge -s "2019-12-19" \ diff --git a/tests/cert-tests/crl b/tests/cert-tests/crl index 62b320b2bf..f4f97d757b 100755 --- a/tests/cert-tests/crl +++ b/tests/cert-tests/crl @@ -171,7 +171,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2020-01-20 10:00:00" ${VALGRIND} \ "${CERTTOOL}" --generate-crl --load-ca-privkey "${srcdir}/data/template-test.key" \ diff --git a/tests/cert-tests/crq b/tests/cert-tests/crq index 89099cfc0a..1d64dee27e 100755 --- a/tests/cert-tests/crq +++ b/tests/cert-tests/crq @@ -40,7 +40,7 @@ OUTFILE2=out2.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge ${VALGRIND} "${CERTTOOL}" --inder --crq-info --infile "${srcdir}/data/csr-invalid.der" >"${OUTFILE}" 2>&1 rc=$? diff --git a/tests/cert-tests/inhibit-anypolicy b/tests/cert-tests/inhibit-anypolicy index 7e82a20014..ba5e1100f6 100755 --- a/tests/cert-tests/inhibit-anypolicy +++ b/tests/cert-tests/inhibit-anypolicy @@ -36,7 +36,7 @@ SUBCAFILE=inhibit-subca.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2017-04-22" \ "${CERTTOOL}" --generate-self-signed \ diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig index bcebf995cb..58134a4d09 100755 --- a/tests/cert-tests/invalid-sig +++ b/tests/cert-tests/invalid-sig 
@@ -33,14 +33,16 @@ if ! test -x "${CERTTOOL}"; then exit 77 fi +. ${srcdir}/../scripts/common.sh + #check whether a different PKCS #1 signature than the advertized in certificate is tolerated ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (1) failed" - exit ${rc} + exit 1 fi #check whether a different tbsCertificate than the outer signature algorithm is tolerated @@ -48,9 +50,9 @@ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig2.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (2) failed" - exit ${rc} + exit 1 fi #check whether a different tbsCertificate than the outer signature algorithm is tolerated @@ -58,9 +60,9 @@ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig3.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (3) failed" - exit ${rc} + exit 1 fi #check whether different parameters in tbsCertificate than the outer signature is tolerated @@ -68,9 +70,9 @@ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig4.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (4) failed" - exit ${rc} + exit 1 fi #check whether different RSA-PSS parameters in tbsCertificate than the outer signature is tolerated 
@@ -78,19 +80,24 @@ ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/invalid-sig5.p rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (5) failed" - exit ${rc} + exit 1 fi -#this was causing a double free; verify that we receive the expected error code -${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" -rc=$? - -# We're done. -if test "${rc}" != "1"; then - echo "Verification of invalid signature (6) failed" - exit ${rc} +if check_for_datefudge; then + #this was causing a double free; verify that we receive the expected error code + datefudge -s 2020-01-01 \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" + rc=$? + + # We're done. + if test $rc != 1; then + echo "Verification of invalid signature (6) failed" + exit 1 + fi +else + echo "Verification of invalid signature (6) skipped" fi exit 0 diff --git a/tests/cert-tests/krb5-test b/tests/cert-tests/krb5-test index 3eca7d7e31..a6e092cc90 100755 --- a/tests/cert-tests/krb5-test +++ b/tests/cert-tests/krb5-test @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge if ! test -z "${VALGRIND}"; then ORIG_VALGRIND=${VALGRIND} diff --git a/tests/cert-tests/md5-test b/tests/cert-tests/md5-test index a9635cc1d8..15d6280b1c 100755 --- a/tests/cert-tests/md5-test +++ b/tests/cert-tests/md5-test @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Test MD5 signatures diff --git a/tests/cert-tests/name-constraints b/tests/cert-tests/name-constraints index f23462117e..3b2370d49a 100755 --- a/tests/cert-tests/name-constraints +++ b/tests/cert-tests/name-constraints 
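Review bot: The reworked CVE-2019-3829 check at the end of this hunk still validates only the exit status (`if test $rc != 1`), so it cannot tell the error path the fix introduced from any other verification failure, and the fact that a date now has to be pinned with `datefudge -s 2020-01-01` suggests the failure mode of this chain already drifted once as the certificates aged. Capturing certtool's output (`2>&1` into a variable or a temp file) and matching the specific error text the fixed code path emits would pin the intended behaviour, with the exit-status comparison kept as a secondary check. Note also that the `else` branch prints "skipped" but the script still exits 0, so on a builder without datefudge this regression test is silently absent rather than reported as a skip; that is acceptable given the five checks above, but a comment such as `# datefudge missing: the other signature checks above still ran` would make the intent explicit.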
@@ -36,7 +36,7 @@ TMPFILE=constraints.$$.pem.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2016-04-22" \ ${VALGRIND} "${CERTTOOL}" --verify-allow-broken -e --infile "${srcdir}/data/name-constraints-ip.pem" diff --git a/tests/cert-tests/othername-test b/tests/cert-tests/othername-test index 38032fee1c..00f93b22dd 100755 --- a/tests/cert-tests/othername-test +++ b/tests/cert-tests/othername-test @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/cert-tests/pkcs1-pad b/tests/cert-tests/pkcs1-pad index 33663a6a0b..c75ab9e09d 100755 --- a/tests/cert-tests/pkcs1-pad +++ b/tests/cert-tests/pkcs1-pad @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge TMPFILE1=pkcs1-pad.$$.tmp TMPFILE2=pkcs1-pad-2.$$.tmp diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7 index 35d438107e..23db9e017e 100755 --- a/tests/cert-tests/pkcs7 +++ b/tests/cert-tests/pkcs7 @@ -38,7 +38,7 @@ TMPFILE=tmp-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge if test "${ENABLE_GOST}" = "1" && test "${GNUTLS_FORCE_FIPS_MODE}" != "1" then diff --git a/tests/cert-tests/pkcs7-cat b/tests/cert-tests/pkcs7-cat index 0f5b82df12..6543397431 100755 --- a/tests/cert-tests/pkcs7-cat +++ b/tests/cert-tests/pkcs7-cat @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2016-10-1" \ ${VALGRIND} "${CERTTOOL}" --verify-allow-broken --p7-verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/pkcs7-cat-ca.pem" rc=$? diff --git a/tests/cert-tests/pkcs7-constraints b/tests/cert-tests/pkcs7-constraints index 8e5b5345d1..6964d26f09 100755 
--- a/tests/cert-tests/pkcs7-constraints +++ b/tests/cert-tests/pkcs7-constraints @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge FILE="signing" diff --git a/tests/cert-tests/pkcs7-constraints2 b/tests/cert-tests/pkcs7-constraints2 index 389071e27b..7d1816a33a 100755 --- a/tests/cert-tests/pkcs7-constraints2 +++ b/tests/cert-tests/pkcs7-constraints2 @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge FILE="signing" diff --git a/tests/cert-tests/pkcs7-eddsa b/tests/cert-tests/pkcs7-eddsa index 1fd767bd73..6f235c512b 100755 --- a/tests/cert-tests/pkcs7-eddsa +++ b/tests/cert-tests/pkcs7-eddsa @@ -36,7 +36,7 @@ OUTFILE2=out2-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge KEY="${srcdir}/../certs/ed25519.pem" CERT="${srcdir}/../certs/cert-ed25519.pem" diff --git a/tests/cert-tests/pkcs7-list-sign b/tests/cert-tests/pkcs7-list-sign index 1c4e930e5b..5ca04d8005 100755 --- a/tests/cert-tests/pkcs7-list-sign +++ b/tests/cert-tests/pkcs7-list-sign @@ -37,7 +37,7 @@ OUTFILE2=out2-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Test signing FILE="signing-with-cert-list" ${VALGRIND} "${CERTTOOL}" --p7-sign --load-certificate "${srcdir}/data/pkcs7-chain.pem" --load-privkey "${srcdir}/data/pkcs7-chain-endcert-key.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}" diff --git a/tests/cert-tests/rsa-pss-pad b/tests/cert-tests/rsa-pss-pad index d9a05e4e0f..2c87c750fc 100755 --- a/tests/cert-tests/rsa-pss-pad +++ b/tests/cert-tests/rsa-pss-pad @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation 
diff --git a/tests/cert-tests/sha3-test b/tests/cert-tests/sha3-test index dc3cf8f6ba..a4300672c3 100755 --- a/tests/cert-tests/sha3-test +++ b/tests/cert-tests/sha3-test @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/cert-tests/smime b/tests/cert-tests/smime index dd5514f687..f5e68401cf 100755 --- a/tests/cert-tests/smime +++ b/tests/cert-tests/smime @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # test the --smime-to-p7 functionality ${VAGRLIND} "${CERTTOOL}" --smime-to-p7 --infile "${srcdir}/data/pkcs7.smime" --outfile ${OUTFILE} diff --git a/tests/cert-tests/template-exts-test b/tests/cert-tests/template-exts-test index 32e90f91e3..276ba2f798 100755 --- a/tests/cert-tests/template-exts-test +++ b/tests/cert-tests/template-exts-test @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test index f7ebefb664..091021315b 100755 --- a/tests/cert-tests/template-test +++ b/tests/cert-tests/template-test @@ -34,7 +34,7 @@ TMPFILE=tmp-tt.pem.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge echo "Running test for ${ac_cv_sizeof_time_t}-byte time_t" diff --git a/tests/cert-tests/tlsfeature-test b/tests/cert-tests/tlsfeature-test index aadbffc26a..fb26f6225b 100755 --- a/tests/cert-tests/tlsfeature-test +++ b/tests/cert-tests/tlsfeature-test @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # # Test certificate generation 
diff --git a/tests/certtool-pkcs11.sh b/tests/certtool-pkcs11.sh index 9a599e6146..daba535a4d 100755 --- a/tests/certtool-pkcs11.sh +++ b/tests/certtool-pkcs11.sh @@ -68,7 +68,7 @@ exit_error () { exit 1 } -check_for_datefudge +skip_if_no_datefudge # $1: token # $2: PIN diff --git a/tests/client-sign-md5-rep.c b/tests/client-sign-md5-rep.c index 1c7877fbd5..b1ad46ce92 100644 --- a/tests/client-sign-md5-rep.c +++ b/tests/client-sign-md5-rep.c @@ -468,6 +468,11 @@ void doit(void) int sockets[2]; int err; + /* tls1_hello contains ServerKeyExchange with custom DH + * parameters */ + if (gnutls_fips140_mode_enabled()) + exit(77); + signal(SIGPIPE, SIG_IGN); err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets); diff --git a/tests/dh-fips-approved.sh b/tests/dh-fips-approved.sh new file mode 100755 index 0000000000..136dd15f32 --- /dev/null +++ b/tests/dh-fips-approved.sh 
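Review bot: The new early `exit(77)` is placed sensibly, before the signal and socketpair setup, but its comment only says what the canned `tls1_hello` buffer contains, not why that matters under FIPS; presumably the custom DH group is not an approved one, so FIPS mode would abort the handshake before the MD5 signature path under test is ever reached. Spelling that out saves the next reader from re-deriving the skip: `/* tls1_hello carries a ServerKeyExchange with custom, non-approved DH parameters; FIPS mode rejects them before the MD5 signature under test is reached, so skip rather than fail. */` (confirm the rejection reason against the FIPS DH checks). The doit() body continues beyond this hunk.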
@@ -0,0 +1,127 @@ +#!/bin/sh + +# Copyright (C) 2017 Nikos Mavrogiannopoulos +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/> + +srcdir="${srcdir:-.}" +SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" +CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" +unset RETCODE + +if ! test -x "${SERV}"; then + exit 77 +fi + +if ! test -x "${CLI}"; then + exit 77 +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi + + +SERV="${SERV} -q" + +. 
"${srcdir}/scripts/common.sh" + +KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem +CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem +CA1=${srcdir}/../doc/credentials/x509/ca.pem + +ALLOWED_PARAMS=" +rfc3526-group-14-2048 +rfc3526-group-15-3072 +rfc3526-group-16-4096 +rfc3526-group-17-6144 +rfc3526-group-18-8192 +rfc7919-ffdhe2048 +rfc7919-ffdhe3072 +rfc7919-ffdhe4096 +rfc7919-ffdhe6144 +rfc7919-ffdhe8192 +" + +DISALLOWED_PARAMS=" +rfc2409-group-2-1024 +rfc3526-group-5-1536 +rfc5054-1024 +rfc5054-1536 +rfc5054-2048 +rfc5054-3072 +rfc5054-4096 +rfc5054-6144 +rfc5054-8192 +rfc5114-group-22-1024 +rfc5114-group-23-2048 +rfc5114-group-24-2048 +" + +OPTS="--priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-RSA:+AES-128-GCM:-GROUP-ALL" + +for params in $ALLOWED_PARAMS; do + echo "Checking with approved DH params: $params" + + PARAMS=${srcdir}/../doc/credentials/dhparams/${params}.pem + + eval "${GETPORT}" + launch_server $$ ${OPTS} --x509keyfile ${KEY1} --x509certfile ${CERT1} --dhparams ${PARAMS} + PID=$! + wait_server ${PID} + + ${VALGRIND} "${CLI}" ${OPTS} -p "${PORT}" 127.0.0.1 --verify-hostname=localhost --x509cafile ${CA1} </dev/null >/dev/null || \ + fail ${PID} "handshake should have succeeded!" + + kill ${PID} + wait +done + +for params in $DISALLOWED_PARAMS; do + echo "Checking with non-approved DH params: $params" + + PARAMS=${srcdir}/../doc/credentials/dhparams/${params}.pem + + eval "${GETPORT}" + launch_server $$ ${OPTS} --x509keyfile ${KEY1} --x509certfile ${CERT1} --dhparams ${PARAMS} + PID=$! + wait_server ${PID} + + ${VALGRIND} "${CLI}" ${OPTS} -p "${PORT}" 127.0.0.1 --verify-hostname=localhost --x509cafile ${CA1} </dev/null >/dev/null + + RET=$? + + if test $RET -eq 0; then + if test "${GNUTLS_FORCE_FIPS_MODE}" = 1; then + fail ${PID} "handshake should have failed (FIPS mode 1)!" + fi + else + if test "${GNUTLS_FORCE_FIPS_MODE}" != 1; then + fail ${PID} "handshake should have succeeded (FIPS mode 0)!" 
+ fi + fi + + kill ${PID} + wait +done + +exit 0 diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh index 0ab6069b8f..3351764216 100755 --- a/tests/gnutls-cli-debug.sh +++ b/tests/gnutls-cli-debug.sh @@ -48,7 +48,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem diff --git a/tests/gnutls-cli-invalid-crl.sh b/tests/gnutls-cli-invalid-crl.sh index d7383a555b..1a82bfafd3 100755 --- a/tests/gnutls-cli-invalid-crl.sh +++ b/tests/gnutls-cli-invalid-crl.sh @@ -47,7 +47,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether connecting to a server but with an invalid CRL provided, returns the expected error" diff --git a/tests/gnutls-cli-self-signed.sh b/tests/gnutls-cli-self-signed.sh index 07cd5824b8..fbb5375bf0 100755 --- a/tests/gnutls-cli-self-signed.sh +++ b/tests/gnutls-cli-self-signed.sh @@ -45,7 +45,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether connecting to a self signed certificate returns the expected error" diff --git a/tests/logfile-option.sh b/tests/logfile-option.sh index 1eb7a492f7..8cd8f9b53f 100755 --- a/tests/logfile-option.sh +++ b/tests/logfile-option.sh @@ -96,7 +96,7 @@ kill ${PID} wait if ! test -f ${TMPFILE1};then - echo "Logfile shoule be created!" + echo "Logfile should be created!" exit 1 fi if test -s ${TMPFILE2};then @@ -150,7 +150,7 @@ kill ${PID} wait if ! test -f ${TMPFILE1};then - echo "Logfile shoule be created!" + echo "Logfile should be created!" exit 1 fi if test -s ${TMPFILE2};then diff --git a/tests/mini-x509-2.c b/tests/mini-x509-2.c index e336af8367..c1bc544e7d 100644 --- a/tests/mini-x509-2.c +++ b/tests/mini-x509-2.c 
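Review bot: The expected outcome in the DISALLOWED_PARAMS loop is keyed solely on the `GNUTLS_FORCE_FIPS_MODE` environment variable, yet whether the library is actually in FIPS mode also depends on the build and on the host (the library can enter FIPS mode on its own on a FIPS-enabled system), so on such a host without the variable set a handshake with e.g. rfc5054-1024 fails and the script reports "handshake should have succeeded (FIPS mode 0)!" for what is correct behaviour. If gnutls-cli can report the library's FIPS state (presumably via a `--fips140-mode` style option), probing it once at the top and deriving a local `FIPS=0/1` from that would make both branches robust; failing that, the non-FIPS branch should at least carry a comment that it assumes a non-FIPS host. Two smaller points: the license header is inconsistent, opening with the GNU General Public License and closing with "GNU Lesser General Public License", and `unset RETCODE` is never used in the script.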
@@ -296,6 +296,7 @@ void start(const char *prio) fail("gnutls_x509_crt_export2: %s\n", gnutls_strerror(ret)); exit(1); } + assert(ret == 0); gnutls_x509_crt_deinit(crt); if (scert.size != mcert->size || memcmp(scert.data, mcert->data, mcert->size) != 0) { @@ -331,6 +332,7 @@ void start(const char *prio) fail("gnutls_x509_crt_export2: %s\n", gnutls_strerror(ret)); exit(1); } + assert(ret == 0); gnutls_x509_crt_deinit(crt); if (ccert.size != mcert->size || memcmp(ccert.data, mcert->data, mcert->size) != 0) { diff --git a/tests/ocsp-tests/ocsp-load-chain b/tests/ocsp-tests/ocsp-load-chain index 04de48f7ed..0822bc3d99 100755 --- a/tests/ocsp-tests/ocsp-load-chain +++ b/tests/ocsp-tests/ocsp-load-chain @@ -31,7 +31,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge datefudge -s "2017-06-19" \ "${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection index 490cc032f0..49c355dda3 100755 --- a/tests/ocsp-tests/ocsp-must-staple-connection +++ b/tests/ocsp-tests/ocsp-must-staple-connection @@ -53,7 +53,7 @@ fi . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge eval "${GETPORT}" # Port for gnutls-serv diff --git a/tests/ocsp-tests/ocsp-test b/tests/ocsp-tests/ocsp-test index 3730175208..bc2641a22e 100755 --- a/tests/ocsp-tests/ocsp-test +++ b/tests/ocsp-tests/ocsp-test @@ -32,7 +32,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/ocsp-tests/ocsp-tls-connection b/tests/ocsp-tests/ocsp-tls-connection index bcc77ec2d9..870f4ff78b 100755 --- a/tests/ocsp-tests/ocsp-tls-connection +++ b/tests/ocsp-tests/ocsp-tls-connection 
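Review bot: Both added `assert(ret == 0);` lines sit immediately after an `if (ret < 0) { fail(...); exit(1); }`, so at runtime they can only fire if gnutls_x509_crt_export2() returned a positive value, and they vanish entirely under NDEBUG. If the intent is to hand a static analyzer the fact that `ret` is non-negative for the code that follows, the line should say so, e.g. `assert(ret == 0); /* for static analysis: ret is known non-negative here */`; otherwise it reads as a redundant check that a later maintainer may delete. The enclosing start() function extends beyond both hunks.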
@@ -54,7 +54,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge eval "${GETPORT}" # Port for gnutls-serv diff --git a/tests/pkcs7-cat.sh b/tests/pkcs7-cat.sh index 2f3b0b0b35..a7a53a431a 100755 --- a/tests/pkcs7-cat.sh +++ b/tests/pkcs7-cat.sh @@ -34,7 +34,7 @@ fi . ${srcdir}/scripts/common.sh -check_for_datefudge +skip_if_no_datefudge #try verification datefudge -s "2010-10-10" \ diff --git a/tests/post-client-hello-change-prio.c b/tests/post-client-hello-change-prio.c index 833a538cf0..be41047a01 100644 --- a/tests/post-client-hello-change-prio.c +++ b/tests/post-client-hello-change-prio.c @@ -43,7 +43,9 @@ const char *override_prio = NULL; static int post_client_hello_callback(gnutls_session_t session) { - assert(gnutls_priority_set_direct(session, override_prio, NULL) >= 0); + if (override_prio) { + assert(gnutls_priority_set_direct(session, override_prio, NULL) >= 0); + } pch_ok = 1; return 0; } @@ -54,7 +56,7 @@ static void tls_log_func(int level, const char *str) } static -void start(const char *name, const char *prio, gnutls_protocol_t exp_version) +void start(const char *name, const char *client_prio, const char *server_prio, int expected) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; @@ -83,7 +85,7 @@ void start(const char *name, const char *prio, gnutls_protocol_t exp_version) assert(gnutls_init(&server, GNUTLS_SERVER)>=0); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); - assert(gnutls_priority_set_direct(server, prio, NULL)>=0); + assert(gnutls_priority_set_direct(server, server_prio, NULL)>=0); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); 
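Review bot: The new `int expected` parameter of start() doubles as a gnutls_protocol_t value and, when negative, as a request to expect the handshake to fail, but nothing at the signature documents that convention; a short comment above the function would help, e.g. `/* expected: the TLS version both sides must negotiate, or a negative value when the handshake is expected to fail with GNUTLS_E_UNSUPPORTED_VERSION_PACKET */`. The guard added to post_client_hello_callback() likewise deserves a one-liner, `/* override_prio == NULL: leave the server's priorities untouched */`, since the NULL case is exactly what the new negative-expectation test relies on. The body of start() runs beyond this hunk.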
@@ -94,15 +96,24 @@ void start(const char *name, const char *prio, gnutls_protocol_t exp_version) assert(gnutls_init(&client, GNUTLS_CLIENT)>=0); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); - assert(gnutls_priority_set_direct(client, prio, NULL)>=0); + assert(gnutls_priority_set_direct(client, client_prio, NULL)>=0); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); - HANDSHAKE(client, server); + if (expected > 0) { + int ret; - assert(exp_version == gnutls_protocol_get_version(client)); - assert(exp_version == gnutls_protocol_get_version(server)); + HANDSHAKE(client, server); + + ret = gnutls_protocol_get_version(client); + assert(expected == ret); + + ret = gnutls_protocol_get_version(server); + assert(expected == ret); + } else { + HANDSHAKE_EXPECT(client, server, GNUTLS_E_AGAIN, GNUTLS_E_UNSUPPORTED_VERSION_PACKET); + } gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); 
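Review bot: In the new `else` branch the handshake is expected to fail, yet the code falls through to `gnutls_bye(client, GNUTLS_SHUT_RDWR)` and `gnutls_bye(server, GNUTLS_SHUT_RDWR)` on two sessions that never completed a handshake; their return values are ignored so the test still passes, but the calls exercise the close/alert path on half-initialised sessions rather than anything this test is about. Guarding them, `if (expected > 0) { gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); }`, keeps the failure case limited to the handshake it is meant to check. The remainder of start() (presumably the session and credential deinit) lies outside this hunk.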
@@ -124,9 +135,15 @@ void start(const char *name, const char *prio, gnutls_protocol_t exp_version) void doit(void) { override_prio = "NORMAL"; - start("tls1.2-only", "NORMAL:-VERS-ALL:+VERS-TLS1.2", GNUTLS_TLS1_2); - start("tls1.3-only", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_TLS1_3); - start("default", "NORMAL", GNUTLS_TLS1_3); + start("tls1.2-only", "NORMAL:-VERS-ALL:+VERS-TLS1.2", "NORMAL:-VERS-ALL:+VERS-TLS1.2", GNUTLS_TLS1_2); + start("tls1.3-only", "NORMAL:-VERS-ALL:+VERS-TLS1.3", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_TLS1_3); + start("default", "NORMAL", "NORMAL", GNUTLS_TLS1_3); + override_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2"; + start("default overriden to TLS1.2-only", "NORMAL", "NORMAL", GNUTLS_TLS1_2); + override_prio = NULL; + start("client tls1.2-only, server tls1.2-disabled", + "NORMAL:-VERS-ALL:+VERS-TLS1.2", "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0", -1); override_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2"; - start("default overriden to TLS1.2-only", "NORMAL", GNUTLS_TLS1_2); + start("client tls1.2-only, server tls1.2-disabled initially, but allow it afterwards", + "NORMAL:-VERS-ALL:+VERS-TLS1.2", "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0", GNUTLS_TLS1_2); } diff --git a/tests/rsa-md5-collision/rsa-md5-collision.sh b/tests/rsa-md5-collision/rsa-md5-collision.sh index a935804dc0..e319544b73 100755 --- a/tests/rsa-md5-collision/rsa-md5-collision.sh +++ b/tests/rsa-md5-collision/rsa-md5-collision.sh @@ -31,7 +31,7 @@ if ! test -x "${CERTTOOL}"; then fi . ${srcdir}/scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Disable leak detection ASAN_OPTIONS="detect_leaks=0" diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh index 95f8a5298e..6ae19fa586 100644 --- a/tests/scripts/common.sh +++ b/tests/scripts/common.sh 
@@ -80,7 +80,12 @@ check_for_datefudge() { TSTAMP=`datefudge -s "2006-09-23" "${top_builddir}/tests/datefudge-check" || true` if test "$TSTAMP" != "1158969600" || test "$WINDOWS" = 1; then - echo $TSTAMP + return 1 + fi +} + +skip_if_no_datefudge() { + if ! check_for_datefudge; then echo "You need datefudge to run this test" exit 77 fi diff --git a/tests/server-multi-keys.sh b/tests/server-multi-keys.sh index 3138fb6888..7737ec9b83 100755 --- a/tests/server-multi-keys.sh +++ b/tests/server-multi-keys.sh @@ -46,7 +46,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether server can utilize multiple keys" diff --git a/tests/server-weak-keys.sh b/tests/server-weak-keys.sh index 31c51a80bc..1fa14711fb 100755 --- a/tests/server-weak-keys.sh +++ b/tests/server-weak-keys.sh @@ -46,7 +46,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether a client will refuse weak but trusted keys" diff --git a/tests/slow/cipher-api-test.c b/tests/slow/cipher-api-test.c index 17872b7a43..a8e4bbf90a 100644 --- a/tests/slow/cipher-api-test.c +++ b/tests/slow/cipher-api-test.c 
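Review bot: check_for_datefudge() now returns 1 on mismatch but relies on the implicit status of the `if` compound command for its success path; an explicit `return 0` after the `fi` makes the new contract obvious to callers such as the `if check_for_datefudge; then` in invalid-sig. The rewrite also drops the `echo $TSTAMP` diagnostic, so a broken or wrong datefudge now yields only the generic skip message; printing the observed value in skip_if_no_datefudge, e.g. `echo "You need datefudge to run this test (datefudge-check returned '$TSTAMP')"`, preserves that debugging aid. The opening line of check_for_datefudge() precedes this hunk.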
@@ -198,6 +198,70 @@ static void test_aead_cipher2(int algo) return; } +/* Test whether an invalid call to gnutls_aead_cipher_decrypt() is caught */ +static void test_aead_cipher3(int algo) +{ + int ret; + gnutls_aead_cipher_hd_t ch; + uint8_t key16[64]; + uint8_t iv16[32]; + uint8_t auth[32]; + uint8_t ctext[128+32]; + size_t ctext_len; + uint8_t ptext[128]; + size_t ptext_len; + gnutls_datum_t key, iv; + + key.data = key16; + key.size = gnutls_cipher_get_key_size(algo); + assert(key.size <= sizeof(key16)); + + iv.data = iv16; + iv.size = gnutls_cipher_get_iv_size(algo); + assert(iv.size <= sizeof(iv16)); + + memset(iv.data, 0xff, iv.size); + memset(key.data, 0xfe, key.size); + memset(ptext, 0xfa, sizeof(ptext)); + memset(ctext, 0xfa, sizeof(ctext)); + memset(auth, 0xfb, sizeof(auth)); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + ret = global_init(); + if (ret < 0) { + fail("Cannot initialize library\n"); /*errcode 1 */ + } + + ret = + gnutls_aead_cipher_init(&ch, algo, &key); + if (ret < 0) + fail("gnutls_aead_cipher_init failed\n"); /*errcode 1 */ + + ctext_len = sizeof(ctext)-1; + ret = gnutls_aead_cipher_encrypt(ch, iv.data, iv.size, auth, sizeof(auth), + gnutls_cipher_get_tag_size(algo), + ptext, sizeof(ptext)-1, + ctext, &ctext_len); + if (ret < 0) + fail("could not encrypt data\n"); + + ptext_len = 0; + ret = gnutls_aead_cipher_decrypt(ch, iv.data, iv.size, auth, sizeof(auth), + gnutls_cipher_get_tag_size(algo), + ctext, sizeof(ctext)-1, + ptext, &ptext_len); + if (ret >= 0) + fail("succeeded in decrypting data onto a short buffer\n"); + + gnutls_aead_cipher_deinit(ch); + + gnutls_global_deinit(); + return; +} + static void check_status(int status) { if (WEXITSTATUS(status) != 0 || 
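Review bot: The decrypt call in test_aead_cipher3() passes `sizeof(ctext)-1` as the ciphertext length instead of the `ctext_len` that gnutls_aead_cipher_encrypt() actually produced, so the input carries trailing 0xfa fill bytes and the call can fail for a tag mismatch as well as for the short output buffer the test is named for; with `ret >= 0` as the only check, the test cannot tell which path it exercised. Passing the real length and asserting the specific error (the short-buffer path should yield GNUTLS_E_SHORT_MEMORY_BUFFER, if I recall the API correctly) pins the intended behaviour. The buffers `key16[64]` and `iv16[32]` are also misnamed for their sizes; `keybuf`/`ivbuf` would read better.
```c
	ptext_len = 0;
	/* Pass the real ciphertext length so a short output buffer is the
	 * only reason this call can fail. */
	ret = gnutls_aead_cipher_decrypt(ch, iv.data, iv.size, auth, sizeof(auth),
					 gnutls_cipher_get_tag_size(algo),
					 ctext, ctext_len,
					 ptext, &ptext_len);
	if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
		fail("decrypt onto a short buffer: expected GNUTLS_E_SHORT_MEMORY_BUFFER, got %d (%s)\n",
		     ret, gnutls_strerror(ret));
	/* … unchanged: deinit and return … */
```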
@@ -261,6 +325,25 @@ void start(const char *name, int algo, unsigned aead) test_aead_cipher2(algo); exit(0); } + + /* check test_aead_cipher3 */ + + child = fork(); + if (child < 0) { + perror("fork"); + fail("fork"); + return; + } + + if (child) { + int status; + /* parent */ + wait(&status); + check_status(status); + } else { + test_aead_cipher3(algo); + exit(0); + } } void doit(void) diff --git a/tests/slow/hash-large.c b/tests/slow/hash-large.c index 33dc1df0da..71312ef369 100644 --- a/tests/slow/hash-large.c +++ b/tests/slow/hash-large.c @@ -139,7 +139,7 @@ void doit(void) /* SHA1 */ err = - gnutls_hash_fast(GNUTLS_MAC_SHA1, buf, size, + gnutls_hash_fast(GNUTLS_DIG_SHA1, buf, size, digest); if (err < 0) fail("gnutls_hash_fast(SHA1) failed: %d\n", err); diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index 025f513f78..d6f6ff135b 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am @@ -48,6 +48,7 @@ scripts_to_test = chain.sh \ TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) \ LC_ALL="C" \ + PYTHON="$(PYTHON)" \ VALGRIND="$(VALGRIND)" \ top_builddir="$(top_builddir)" \ srcdir="$(srcdir)" \ diff --git a/tests/suite/multi-ticket-reception.sh b/tests/suite/multi-ticket-reception.sh index d84367703c..6c0113e372 100755 --- a/tests/suite/multi-ticket-reception.sh +++ b/tests/suite/multi-ticket-reception.sh @@ -26,6 +26,10 @@ PYPATH="${srcdir}/tls-fuzzer/tlsfuzzer/" CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" unset RETCODE +if test "${PYTHON}" = ":" ; then + exit 77 +fi + if ! test -x "${TLSPY_SERV}"; then exit 77 fi @@ -36,7 +40,7 @@ fi if test "${WINDIR}" != ""; then exit 77 -fi +fi if ! test -z "${VALGRIND}"; then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" 
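Review bot: The fork/wait/check_status block added for test_aead_cipher3 is the third verbatim copy of the same pattern in start(), and like the copies before it it leaves `status` uninitialised and never checks the return of `wait()`, so a failed wait would feed garbage to check_status(). Factoring the pattern into one static helper removes the duplication and adds the check in a single place; start() would then call `run_in_child(test_aead_cipher3, algo);` (and the same for the earlier cases). start() begins before this hunk.
```c
/* Run fn(algo) in a forked child; fail on a non-zero exit or a signal. */
static void run_in_child(void (*fn)(int), int algo)
{
	pid_t child = fork();
	int status;

	if (child < 0) {
		perror("fork");
		fail("fork");
		return;
	}
	if (child == 0) {
		fn(algo);
		exit(0);
	}
	if (waitpid(child, &status, 0) != child) {
		perror("waitpid");
		fail("waitpid");
		return;
	}
	check_status(status);
}
```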
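Review bot: The new guard `if test "${PYTHON}" = ":"` only catches the configure-time "no python" sentinel; when the variable is unset or empty, which is the case whenever this script is run outside `make check` (the Makefile.am hunk above is what exports it), the guard passes and the later `"${PYTHON}" ${TLSPY_SERV} server ...` lines try to execute an empty command name and the test fails instead of skipping. Checking both forms, `if test -z "${PYTHON}" || test "${PYTHON}" = ":"; then exit 77; fi`, keeps the skip semantics in both environments. The whitespace-only change to the `fi` line is fine as a drive-by.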
@@ -45,7 +49,7 @@ fi . "${srcdir}/../scripts/common.sh" KEY1=${srcdir}/tls-fuzzer/tlslite-ng/tests/serverX509Key.pem -CERT1=${srcdir}/tls-fuzzer/tlsfuzzer/tests/serverX509Cert.pem +CERT1=${srcdir}/tls-fuzzer/tlsfuzzer/tests/serverX509Cert.pem #create links necessary for tlslite to function test -L "${srcdir}/tls-fuzzer/tlsfuzzer/ecdsa" || \ @@ -56,7 +60,7 @@ test -L "${srcdir}/tls-fuzzer/tlsfuzzer/tlslite" || \ echo "Checking whether receiving 1 ticket succeeds (sanity)" eval "${GETPORT}" -PYTHONPATH="${PYPATH}" ${TLSPY_SERV} server --tickets 1 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & +PYTHONPATH="${PYPATH}" "${PYTHON}" ${TLSPY_SERV} server --tickets 1 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & PID=$! wait_server ${PID} @@ -70,7 +74,7 @@ wait echo "Checking whether receiving 3 tickets in the same record succeeds" eval "${GETPORT}" -PYTHONPATH="${PYPATH}" ${TLSPY_SERV} server --tickets 3 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & +PYTHONPATH="${PYPATH}" "${PYTHON}" ${TLSPY_SERV} server --tickets 3 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & PID=$! wait_server ${PID} @@ -84,7 +88,7 @@ wait echo "Checking whether receiving multiple tickets that span many records succeeds" eval "${GETPORT}" -PYTHONPATH="${PYPATH}" ${TLSPY_SERV} server --tickets 1512 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & +PYTHONPATH="${PYPATH}" "${PYTHON}" ${TLSPY_SERV} server --tickets 1512 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & PID=$! wait_server ${PID} diff --git a/tests/suite/testcompat-oldgnutls.sh b/tests/suite/testcompat-oldgnutls.sh index 2ec96b20c2..937bf57050 100755 --- a/tests/suite/testcompat-oldgnutls.sh +++ b/tests/suite/testcompat-oldgnutls.sh @@ -54,7 +54,7 @@ LDPATH=/usr/local/OLDGNUTLS/lib/x86_64-linux-gnu:/usr/local/OLDGNUTLS/usr/lib/x8 . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge . "${srcdir}/testcompat-common" diff --git a/tests/suite/testcompat-openssl.sh b/tests/suite/testcompat-openssl.sh index bfc59c09ac..b932a599c9 100755 
--- a/tests/suite/testcompat-openssl.sh +++ b/tests/suite/testcompat-openssl.sh @@ -54,7 +54,7 @@ export TZ="UTC" # Check for datefudge . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge timeout 1800 datefudge "2012-09-2" "${srcdir}/testcompat-main-openssl" diff --git a/tests/suite/testcompat-polarssl.sh b/tests/suite/testcompat-polarssl.sh index 1af0099dca..2197a94bf7 100755 --- a/tests/suite/testcompat-polarssl.sh +++ b/tests/suite/testcompat-polarssl.sh @@ -42,7 +42,7 @@ fi # Check for datefudge . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge cat /proc/cpuinfo|grep "model name"|grep "VIA Esther" >/dev/null 2>&1 if test $? = 0; then diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh index 128873ab23..bc198a02b6 100755 --- a/tests/suite/testcompat-tls13-openssl.sh +++ b/tests/suite/testcompat-tls13-openssl.sh @@ -49,7 +49,7 @@ fi . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge . "${srcdir}/testcompat-common" diff --git a/tests/suite/tls-fuzzer/gnutls-cert.json b/tests/suite/tls-fuzzer/gnutls-cert.json index 7a5af26e53..6f5874c095 100644 --- a/tests/suite/tls-fuzzer/gnutls-cert.json +++ b/tests/suite/tls-fuzzer/gnutls-cert.json @@ -91,6 +91,8 @@ "-c", "tests/clientX509Cert.pem", "-e", "fuzz empty certificate - overall 7, certs 4, cert 1", "-e", "fuzz empty certificate - overall 8, certs 5, cert 2", + "-e", "sanity - empty client cert", + "-e", "Correct cert followed by an empty one", "-p", "@PORT@"] } ] diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-common.sh b/tests/suite/tls-fuzzer/tls-fuzzer-common.sh index b41f068a07..72ed56df19 100755 --- a/tests/suite/tls-fuzzer/tls-fuzzer-common.sh +++ b/tests/suite/tls-fuzzer/tls-fuzzer-common.sh 
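Review bot: The two new `-e` exclusions drop tlsfuzzer's "sanity - empty client cert" and "Correct cert followed by an empty one" cases without recording why, and a JSON file gives no place for a comment. Judging by their names these scripts probe how the server treats a client that sends an empty Certificate message, so an unexplained exclusion is easy to forget; note the reason (the expected GnuTLS behaviour, or the issue being tracked) in the commit message or in the tls-fuzzer README next to the other exclusions, so it is revisited when the submodule is next updated.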
@@ -33,6 +33,10 @@ if ! test -d "${srcdir}/tls-fuzzer/tlsfuzzer" ; then exit 77 fi +if test "${PYTHON}" = ":" ; then + exit 77 +fi + pushd "${srcdir}/tls-fuzzer/tlsfuzzer" test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa @@ -44,7 +48,7 @@ retval=0 tls_fuzzer_prepare -PYTHONPATH=. python tests/scripts_retention.py ${TMPFILE} ${SERV} 821 +PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py ${TMPFILE} ${SERV} 821 retval=$? rm -f ${TMPFILE} diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer -Subproject ca536d11ac14da2deacbde95f3f0a70a5ce4211 +Subproject 54a1350ae9fa1981062679acb2966e697140c3d diff --git a/tests/system-override-hash.sh b/tests/system-override-hash.sh new file mode 100755 index 0000000000..cb027c2fad --- /dev/null +++ b/tests/system-override-hash.sh @@ -0,0 +1,39 @@ +#!/bin/sh + +# Copyright (C) 2019 Nikos Mavrogiannopoulos +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +: ${builddir=.} +TMPFILE=c.$$.tmp +export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 + +cat <<_EOF_ > ${TMPFILE} +[overrides] + +insecure-hash = sha256 +insecure-hash = sha512 +_EOF_ + +export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" + +"${builddir}/system-override-hash" +rc=$? +rm ${TMPFILE} +exit $rc 
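Review bot: In the new tests/system-override-hash.sh the override file `c.$$.tmp` is left behind whenever the test binary is killed or the script is interrupted, because cleanup is a plain `rm ${TMPFILE}` after the run. `trap 'rm -f "${TMPFILE}"' EXIT` placed right after the assignment covers every exit path, and the explicit rm can then go. The rewritten tail of tests/system-override-sig.sh has the same shape and would benefit from the same trap.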
diff --git a/tests/system-override-profiles.sh b/tests/system-override-profiles.sh index 88ec631798..516ce57e71 100755 --- a/tests/system-override-profiles.sh +++ b/tests/system-override-profiles.sh @@ -41,7 +41,7 @@ fi . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge CERT="${srcdir}/certs/cert-ecc256.pem" KEY="${srcdir}/certs/ecc256.pem" diff --git a/tests/system-override-sig-hash.sh b/tests/system-override-sig.sh index 37980ec584..68bf759048 100755 --- a/tests/system-override-sig-hash.sh +++ b/tests/system-override-sig.sh @@ -20,24 +20,13 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir="${srcdir:-.}" +: ${builddir=.} TMPFILE=c.$$.tmp export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 cat <<_EOF_ > ${TMPFILE} [overrides] -insecure-hash = sha256 -insecure-hash = sha512 -_EOF_ - -export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" - -${builddir}/system-override-hash - -cat <<_EOF_ > ${TMPFILE} -[overrides] - insecure-sig-for-cert = rsa-sha256 insecure-sig = rsa-sha512 insecure-sig = rsa-sha1 @@ -45,10 +34,7 @@ _EOF_ export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" -${builddir}/system-override-sig -if test $? != 0;then - echo "Could not parse config file" - exit 1 -fi - -exit 0 +"${builddir}/system-override-sig" +rc=$? +rm ${TMPFILE} +exit $rc diff --git a/tests/system-override-tls.sh b/tests/system-override-tls.sh index 6114d76282..54bc190dd9 100755 --- a/tests/system-override-tls.sh +++ b/tests/system-override-tls.sh @@ -40,7 +40,7 @@ fi . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge CERT="${srcdir}/certs/cert-ecc256.pem" KEY="${srcdir}/certs/ecc256.pem" diff --git a/tests/tls13/prf-early.sh b/tests/tls13/prf-early.sh index b19da4cb65..7f62aba8d8 100755 --- a/tests/tls13/prf-early.sh +++ b/tests/tls13/prf-early.sh 
@@ -23,7 +23,7 @@ builddir="${builddir:-.}" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge datefudge -s 2019-04-12 "${builddir}/tls13/prf-early" "$@" exit $? diff --git a/tests/utils.c b/tests/utils.c index 9186a17571..60cd79b359 100644 --- a/tests/utils.c +++ b/tests/utils.c 
@@ -50,47 +50,41 @@ int debug = 0; int error_count = 0; int break_on_error = 0; +/* doc/credentials/dhparams/rfc3526-group-14-2048.pem */ const char *pkcs3 = "-----BEGIN DH PARAMETERS-----\n" - "MIGGAoGAtkxw2jlsVCsrfLqxrN+IrF/3W8vVFvDzYbLmxi2GQv9s/PQGWP1d9i22\n" - "P2DprfcJknWt7KhCI1SaYseOQIIIAYP78CfyIpGScW/vS8khrw0rlQiyeCvQgF3O\n" - "GeGOEywcw+oQT4SmFOD7H0smJe2CNyjYpexBXQ/A0mbTF9QKm1cCAQU=\n" + "MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n" + "IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft\n" + "awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n" + "mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n" + "fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n" + "5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==\n" "-----END DH PARAMETERS-----\n"; +/* doc/credentials/dhparams/rfc7919-ffdhe2048.pem */ const char *pkcs3_2048 = "-----BEGIN DH PARAMETERS-----\n" - "MIICDgKCAQEAvVNCqM8M9ZoVYBKEkV2KN8ELHHJ75aTZiK9z6170iKSgbITkOxsd\n" - "aBCLzHZd7d6/2aNofUeuWdDGHm73d8v53ma2HRVCNESeC2LKsEDFG9FjjUeugvfl\n" - "zb85TLZwWT9Lb35Ddhdk7CtxoukjS0/JkCE+8RGzmk5+57N8tNffs4aSSHSe4+cw\n" - "i4wULDxiG2p052czAMP3YR5egWvMuiByhy0vKShiZmOy1/Os5r6E/GUF+298gDjG\n" - "OeaEUF9snrTcoBwB4yNjVSEbuAh5fMd5zFtz2+dzrk9TYZ44u4DQYkgToW05WcmC\n" - "+LG0bLAH6lrJR5OMgyheZEo6F20z/d2yyQKCAQEAtzcuTHW61SFQiDRouk6eD0Yx\n" - "0k1RJdaQdlRf6/Dcc6lEqnbezL90THzvxkBwfJ5jG1VZE7JlVCvLRkBtgb0/6SCf\n" - "MATfEKG2JMOnKsJxvidmKEp4uN32LketXRrrEBl7rS+HABEfKAzqx+J6trBaq25E\n" - "7FVJFsyoa8IL8N8YUWwhE2UuEfmiqQQaeoIUYC/xD2arMXn9N0W84Nyy2S9IL4ct\n" - "e3Azi1Wc8MMfpbxxDRxXCnM2uMkLYWs1lQmcUUX+Uygv3P8lgS+RJ1Pi3+BWMx0S\n" - "ocsZXqOr6dbEF1WOLObQRK7h/MZp80iVUyrBgX0MbVFN9M5i2u4KKTG95VKRtgIC\n" - "AQA=\n" "-----END DH PARAMETERS-----\n"; + "MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" + "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" + "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" + 
"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" + "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n" + "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==\n" + "-----END DH PARAMETERS-----\n"; +/* doc/credentials/dhparams/rfc7919-ffdhe3072.pem */ const char *pkcs3_3072 = "-----BEGIN DH PARAMETERS-----\n" - "MIIDDgKCAYEAtRUay8nDgwE5dSVzW525wEu/d0vrFolvYJSevxg2myj5S+gr3Fgq\n" - "OGaZc4zrBxkxsELc7GuCqaXSOWL4yobT8N05yGbYWkWRPf4crRMx3P7/Gba9WsmH\n" - "BlL71uPf1IN9CanAlabkhV89RKiYaCpUI19+/sq+N2dO874ToBZCNhxZnTgRZ+po\n" - "Gdr6XWM0lQ8imIKSer0px3ZHI+/5gmyPry35tGpwlbyclJAg3wlTSdnqDcLxq7AF\n" - "OZ23PzC3ij7SFErOX9EFBdS2bjtU47O3OkPc9EIYMEv5nwnXICLHslwVifmURAjV\n" - "LfpObL8LYGN4Gac4tFxuDa0PMg0ES5ADugYBwdRFTAtCy5WOYXINzAAOrH9MommT\n" - "rMkELf7JOCaV2ktBsvTlrgMAXeyqbf2YSG6CGjj4QnUuqPybSgwPru7VlahsS2lo\n" - "qjutBPpgIxS53o97Wi3V5kQedKJiNuIDNnJMFNuTADAM+OYwClTH7ZSwTsxEgVpr\n" - "tMH+WnTI7KTJAoIBgQCrELwIUB4oNbf0x+fIpVndhDpl/WcFc/lDtmiRuym5gWbb\n" - "NPeI+1rdhnS2R3+nCJODFQTcPNMgIJuSu2EnDCSs5xJ2k08SAgSzyxEdjBpY7qJe\n" - "+lJPJ12zhcl0vgcvMhb/YgqVe2MKz0RvnYZPwHM/aJbjYjq/6OpK3fVw4M1ZccBK\n" - "QD4OHK8HOvGU7Wf6kRIcxUlfn15spMCIsrAZQBddWLmQgktsxJNUS+AnaPwTBoOv\n" - "nGCr1vzw8OS1DtS03VCmtqt3otXhJ3D2oCIG6ogxVAKfHR30KIfzZLBfmCjdzHmH\n" - "x4OwYTN1wy5juA438QtiDtcgK60ZqSzQO08ZklRncA/TkkyEH6kPn5KSh/hW9O3D\n" - "KZeAY/KF0/Bc1XNtqPEYFb7Vo3rbTsyjXkICN1Hk9S0OIKL42K7rWBepO9KuddSd\n" - "aXgH9staP0HXCyyW1VAyqo0TwcWDhE/R7IQQGGwGyd4rD0T+ySW/t09ox23O6X8J\n" - "FSp6mOVNcuvhB5U2gW8CAgEA\n" "-----END DH PARAMETERS-----\n"; + "MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" + "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" + "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" + "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" + "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n" + "ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n" + 
"7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n" + "nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu\n" + "N///////////AgEC\n" + "-----END DH PARAMETERS-----\n"; void _fail(const char *format, ...) { |
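Review bot: The three constants now hold well-known named groups, but the new comments only give a source file path, so a reader of a test that uses `pkcs3` cannot tell from the name that the parameters changed in size: the old `pkcs3` DER decodes to a 1024-bit prime with generator 5, while the replacement decodes to a 2048-bit prime with generator 2. Suggest `/* RFC 3526 group 14: 2048-bit MODP, generator 2 (was a 1024-bit group) — doc/credentials/dhparams/rfc3526-group-14-2048.pem */` on the first, and `/* RFC 7919 ffdhe2048 … */` and `/* RFC 7919 ffdhe3072 … */` on the other two, keeping the existing paths. If any test relied on `pkcs3` falling below a minimum DH size, it will now behave differently; this hunk cannot show such callers, so they should be re-checked.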