#include <socket.h>
/* Gnulib portability files. */
+#include "parse-datetime.h"
#include "sockets.h"
static void cmd_parser(int argc, char **argv);
exit(1);
}
+ if (ENABLED_OPT(ATTIME)) {
+ struct timespec r;
+
+ if (!parse_datetime(&r, OPT_ARG(ATTIME), NULL)) {
+ fprintf(stderr,
+ "%s option value %s is not a valid time\n",
+ "attime", OPT_ARG(ATTIME));
+ exit(1);
+ }
+ set_system_time(&r);
+ }
+
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(debug);
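Review bot: The `--attime` block added here is duplicated byte-for-byte in the gnutls-cli hunk (the one ending at `if (hostname == NULL)`) and the gnutls-serv hunk (the one ending at `gnutls_pkcs11_init`); a single helper in the tools' shared source, e.g. `static void apply_attime_opt(const char *arg)` wrapping the parse_datetime / error / exit / set_system_time sequence, would keep the message text and exit code in one place for all three tools. The local name `r` says nothing; `when` or `at` reads better for a timespec. A one-line comment at the call would also help a reader who does not have the option description at hand, e.g. `/* validity checks are evaluated at this instant instead of the wall clock */`, since this is the only place in the tool where the option changes verification behaviour. The enclosing function starts and ends outside the hunk.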
#include <read-file.h>
#include <getpass.h>
#include <minmax.h>
+#include "parse-datetime.h"
#include "sockets.h"
#include "benchmark.h"
exit(1);
}
+ if (ENABLED_OPT(ATTIME)) {
+ struct timespec r;
+
+ if (!parse_datetime(&r, OPT_ARG(ATTIME), NULL)) {
+ fprintf(stderr,
+ "%s option value %s is not a valid time\n",
+ "attime", OPT_ARG(ATTIME));
+ exit(1);
+ }
+ set_system_time(&r);
+ }
+
if (hostname == NULL) {
fprintf(stderr, "No hostname given\n");
exit(1);
"description": "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)",
"detail": "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.",
"argument-type": "string"
+ },
+ {
+ "long-option": "attime",
+ "description": "Perform validation at the timestamp instead of the system time",
+ "detail": "timestamp is an instance in time encoded as Unix time or in a human\n readable timestring such as \"29 Feb 2004\", \"2004-02-29\".\nFull documentation available at \n<https://www.gnu.org/software/coreutils/manual/html_node/Date-input-formats.html>\nor locally via info '(coreutils) date invocation'.",
+ "argument-name": "timestamp",
+ "argument-type": "string"
}
]
}
]
-}
\ No newline at end of file
+}
"description": "Enable automatic retrieval of missing CA certificates",
"detail": "This option enables the client to automatically retrieve the missing intermediate CA certificates in the certificate chain, based on the Authority Information Access (AIA) extension.",
"disable-prefix": "no-"
+ },
+ {
+ "long-option": "attime",
+ "description": "Perform validation at the timestamp instead of the system time",
+ "detail": "timestamp is an instance in time encoded as Unix time or in a human\n readable timestring such as \"29 Feb 2004\", \"2004-02-29\".\nFull documentation available at \n<https://www.gnu.org/software/coreutils/manual/html_node/Date-input-formats.html>\nor locally via info '(coreutils) date invocation'.",
+ "argument-name": "timestamp",
+ "argument-type": "string"
}
]
}
"long-option": "timeout",
"description": "The timeout period for server",
"argument-type": "number"
+ },
+ {
+ "long-option": "attime",
+ "description": "Perform validation at the timestamp instead of the system time",
+ "detail": "timestamp is an instance in time encoded as Unix time or in a human\n readable timestring such as \"29 Feb 2004\", \"2004-02-29\".\nFull documentation available at \n<https://www.gnu.org/software/coreutils/manual/html_node/Date-input-formats.html>\nor locally via info '(coreutils) date invocation'.",
+ "argument-name": "timestamp",
+ "argument-type": "string"
}
]
}
#include "gl_linked_list.h"
#include "gl_xlist.h"
#include "minmax.h"
+#include "parse-datetime.h"
#include "read-file.h"
#include "sockets.h"
#include "xalloc.h"
fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret));
exit(1);
}
+
+ if (ENABLED_OPT(ATTIME)) {
+ struct timespec r;
+
+ if (!parse_datetime(&r, OPT_ARG(ATTIME), NULL)) {
+ fprintf(stderr,
+ "%s option value %s is not a valid time\n",
+ "attime", OPT_ARG(ATTIME));
+ exit(1);
+ }
+ set_system_time(&r);
+ }
+
#ifdef ENABLE_PKCS11
if (HAVE_OPT(PROVIDER)) {
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
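Review bot: `ENABLED_OPT(ATTIME)` is used where the neighbouring code tests `HAVE_OPT(PROVIDER)`; the option is declared without a disable-prefix in its JSON entry, so `if (HAVE_OPT(ATTIME)) {` is the consistent form here and in the gnutls-cli and gnutls-cli-debug hunks. Placing the call after the `global_init` failure check looks right for this tool, since `set_system_time` presumably registers the override with the library; the other two hunks do not show whether their call site also comes after `gnutls_global_init`, which is worth confirming. The enclosing function starts and ends outside the hunk.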
SERVER_PID="${!}"
wait_server "${SERVER_PID}"
-"$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --x509certfile ${CLIENT_CERT_FILE} \
+"${CLI}" --attime "${TESTDATE}" --x509certfile ${CLIENT_CERT_FILE} \
--x509keyfile ${CLIENT_KEY_FILE} --x509cafile=${CA_FILE} \
--port="${PORT}" localhost </dev/null
rc=$?
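Review bot: Replacing faketime with `--attime` narrows what is time-shifted: faketime intercepted every time call made by the process, whereas `--attime` only overrides what `set_system_time` installs (presumably the library's time callback via `gnutls_global_set_time_function`), so anything the tool or the `timeout` wrapper reads through a direct `time()`/`clock_gettime` now sees the real clock. That is likely the intent, but the OCSP staple tests later in this change (valid, expired and ignored-error staples all run at the same `TESTDATE`, on both the server and client side) are the cases most sensitive to which clock a validity window is compared against. It is worth confirming those tests still fail and pass for the intended reason and not because both ends now agree on real time; the same applies to every script hunk in this change, not only this one.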
. "${srcdir}/scripts/common.sh"
-skip_if_no_datefudge
-
KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
PID=$!
wait_server ${PID}
-"$FAKETIME" "2017-08-9" timeout 1800 \
-"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
+timeout 1800 \
+"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
kill ${PID}
wait
PID=$!
wait_server ${PID}
-"$FAKETIME" "2017-08-9" timeout 1800 \
-"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
+timeout 1800 \
+"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
kill ${PID}
wait
PID=$!
wait_server ${PID}
-"$FAKETIME" "2017-08-9" timeout 1800 \
-"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
+timeout 1800 \
+"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
kill ${PID}
wait
_EOF_
GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
-"$FAKETIME" "2017-08-9" timeout 1800 \
-"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
+timeout 1800 \
+"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
kill ${PID}
wait
PID=$!
wait_server ${PID}
- "$FAKETIME" "2017-08-9" timeout 1800 \
- "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
+ timeout 1800 \
+ "${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
kill ${PID}
wait
. "${srcdir}/scripts/common.sh"
-skip_if_no_datefudge
-
echo "Checking whether connecting to a server but with an invalid CRL provided, returns the expected error"
cat <<__EOF__ >${TMPFILE}
PID=$!
wait_server ${PID}
-"$FAKETIME" "2018-9-19" \
-${VALGRIND} "${CLI}" -p "${PORT}" localhost --x509crlfile ${CRLFILE} --x509cafile ${CAFILE} >${TMPFILE} 2>&1 </dev/null && \
+${VALGRIND} "${CLI}" --attime "2018-9-19" -p "${PORT}" localhost --x509crlfile ${CRLFILE} --x509cafile ${CAFILE} >${TMPFILE} 2>&1 </dev/null && \
fail ${PID} "1. handshake should have failed!"
. "${srcdir}/scripts/common.sh"
-skip_if_no_datefudge
-
echo "Checking whether connecting to a self signed certificate returns the expected error"
cat <<__EOF__ >${TMPFILE}
PID=$!
wait_server ${PID}
-"$FAKETIME" "2018-1-1" \
-${VALGRIND} "${CLI}" -p "${PORT}" localhost >${TMPFILE} 2>&1 </dev/null && \
+${VALGRIND} "${CLI}" --attime "2018-1-1" -p "${PORT}" localhost >${TMPFILE} 2>&1 </dev/null && \
fail ${PID} "1. handshake should have failed!"
# Generate certificates with the random port
${CERTTOOL} \
- --attime "${CERTDATE}" \
+ --attime "${CERTDATE}" \
--generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
--load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
--load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
echo "tls_feature = 5" >>"$TEMPLATE_FILE"
${CERTTOOL} \
- --attime "${CERTDATE}" \
+ --attime "${CERTDATE}" \
--generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
--load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
--load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
- --x509certfile="${SERVER_CERT_FILE}" \
- --port="${TLS_SERVER_PORT}"
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}"
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
+ "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
rc=$?
if test "${rc}" != "1"; then
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
--port="${TLS_SERVER_PORT}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
+ "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
rc=$?
if test "${rc}" != "0"; then
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
- --x509certfile="${SERVER_CERT_FILE}" \
- --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
+ "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
rc=$?
if test "${rc}" != "1"; then
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
- --x509certfile="${SERVER_CERT_FILE}" \
- --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
+ "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
rc=$?
if test "${rc}" != "1"; then
echo "=== Test 5.1: Server with valid certificate - expired staple (ignoring errors) ==="
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
- --x509certfile="${SERVER_CERT_FILE}" \
- --port="${TLS_SERVER_PORT}" \
- --ignore-ocsp-response-errors \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ignore-ocsp-response-errors \
+ --ocsp-response="${OCSP_RESPONSE_FILE}"
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
+ "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
rc=$?
if test "${rc}" != "1"; then
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
- --x509certfile="${SERVER_CERT_FILE}" \
- --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
+ "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
rc=$?
if test "${rc}" != "1"; then
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
- --x509certfile="${SERVER_CERT_FILE}" \
- --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
+ "${CLI}" --attime "${TESTDATE}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
rc=$?
if test "${rc}" != "0"; then
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
- --x509certfile="${SERVER_CERT_NO_EXT_FILE}" \
- --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_NO_EXT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
+ "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
rc=$?
if test "${rc}" != "0"; then
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
- --x509certfile="${SERVER_CERT_FILE}" \
- --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
+ "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
rc=$?
if test "${rc}" = "0"; then
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
--port="${TLS_SERVER_PORT}"
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
TLS_SERVER_PORT=$PORT
launch_bare_server \
- "$FAKETIME" "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
+ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_bad.key" \
--x509certfile="${SERVER_CERT_FILE}" \
--port="${TLS_SERVER_PORT}"
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
- "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ "${CLI}" --attime "${TESTDATE}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
. "${srcdir}/scripts/common.sh"
-skip_if_no_datefudge
-
echo "Checking whether server can utilize multiple keys"
KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
PID=$!
wait_server ${PID}
-"$FAKETIME" "2017-08-9" timeout 1800 \
-"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA" </dev/null || \
+"${CLI}" --attime "2017-08-9" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA" </dev/null || \
fail ${PID} "1. handshake with RSA should have succeeded!"
-"$FAKETIME" "2017-08-9" timeout 1800 \
-"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-ECDSA" </dev/null || \
+"${CLI}" --attime "2017-08-9" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-ECDSA" </dev/null || \
fail ${PID} "2. handshake with ECC should have succeeded!"
-"$FAKETIME" "2017-08-9" timeout 1800 \
-"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-SHA256" --save-cert ${TMPFILE} </dev/null || \
+"${CLI}" --attime "2017-08-9" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-SHA256" --save-cert ${TMPFILE} </dev/null || \
fail ${PID} "3. handshake with RSA should have succeeded!"
cmp ${TMPFILE} ${CERT1}
fail ${PID} "3. the certificate used by server was not the expected"
fi
-"$FAKETIME" "2017-08-9" timeout 1800 \
-"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA:+SIGN-RSA-SHA256:+SIGN-RSA-PSS-RSAE-SHA256" --save-cert ${TMPFILE} </dev/null || \
+"${CLI}" --attime "2017-08-9" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA:+SIGN-RSA-SHA256:+SIGN-RSA-PSS-RSAE-SHA256" --save-cert ${TMPFILE} </dev/null || \
fail ${PID} "4. handshake with RSA should have succeeded!"
# check whether the server used the RSA-PSS certificate when we asked for RSA-PSS signature
-"$FAKETIME" "2017-08-9" timeout 1800 \
-"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256" --save-cert ${TMPFILE} </dev/null || \
+"${CLI}" --attime "2017-08-9" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256" --save-cert ${TMPFILE} </dev/null || \
fail ${PID} "4. handshake with RSA-PSS and SHA256 should have succeeded!"
cmp ${TMPFILE} ${CERT3}
. "${srcdir}/scripts/common.sh"
-skip_if_no_datefudge
-
echo "Checking whether a client will refuse weak but trusted keys"
KEY1=${srcdir}/certs/rsa-512.pem
PID=$!
wait_server ${PID}
-"$FAKETIME" "2019-12-20" timeout 1800 \
-"${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 </dev/null && \
+"${CLI}" --attime "2019-12-20" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 </dev/null && \
fail ${PID} "1. handshake with RSA should have failed!"
-"$FAKETIME" "2019-12-20" timeout 1800 \
-"${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL </dev/null && \
+"${CLI}" --attime "2019-12-20" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL </dev/null && \
fail ${PID} "2. handshake with RSA should have failed!"
kill ${PID}
. "${srcdir}/scripts/common.sh"
-skip_if_no_datefudge
-
CERT="${srcdir}/certs/cert-ecc256.pem"
KEY="${srcdir}/certs/ecc256.pem"
export GNUTLS_DEBUG_LEVEL=3
unset GNUTLS_SYSTEM_PRIORITY_FILE
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
fail "expected connection to succeed (1)"
export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
fail "expected connection to succeed (2)"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_MEDIUM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_MEDIUM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
fail "expected connection to succeed (3)"
# failure case, 384 bit min-profile, 256 bit key
unset GNUTLS_SYSTEM_PRIORITY_FILE
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
fail "expected connection to succeed (1)"
export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null &&
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null &&
fail "expected connection to fail (1)"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_MEDIUM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null &&
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_MEDIUM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null &&
fail "expected connection to fail (2)"
kill ${PID}
. "${srcdir}/scripts/common.sh"
-skip_if_no_datefudge
-
CERT="${srcdir}/certs/cert-ecc256.pem"
KEY="${srcdir}/certs/ecc256.pem"
#successful case, test whether the ciphers we disable below work
echo "Sanity testing"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM:-GROUP-ALL:+GROUP-FFDHE2048 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM:-GROUP-ALL:+GROUP-FFDHE2048 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage1: expected connection to succeed (1)"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:-MAC-ALL:+SHA1 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:-MAC-ALL:+SHA1 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage1: expected connection to succeed (2)"
cat <<_EOF_ > ${TMPFILE}
echo "Testing TLS1.3"
echo " * sanity"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage2: expected connection to succeed (1)"
echo " * fallback to good options"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE3072 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE3072 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage2: expected connection to succeed (2)"
echo " * disabled cipher"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null && #>/dev/null &&
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null && #>/dev/null &&
fail ${PID} "stage2: expected connection to fail (1)"
echo " * disabled group"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-GROUP-ALL:+GROUP-FFDHE2048 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null &&
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:-GROUP-ALL:+GROUP-FFDHE2048 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null &&
fail ${PID} "stage2: expected connection to fail (2)"
echo "Testing TLS1.2"
echo " * sanity"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage3: expected connection to succeed (1)"
echo " * fallback to good options"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:+AES-256-GCM:-MAC-ALL:+SHA1:+AEAD --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:+AES-256-GCM:-MAC-ALL:+SHA1:+AEAD --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage3: expected connection to succeed (2)"
echo " * disabled cipher"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null &&
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null &&
fail ${PID} "stage3: expected connection to fail (1)"
echo " * disabled MAC"
-"$FAKETIME" "2017-11-22" \
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA1 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null &&
+"${CLI}" --attime "2017-11-22" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA1 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null &&
fail ${PID} "stage3: expected connection to fail (2)"
exit 1
}
-skip_if_no_datefudge
-
# $1: token
# $2: PIN
# $3: filename
echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
# start server
eval "${GETPORT}"
- launch_bare_server "$FAKETIME" "$FAKETIME_F_OPT" "$TESTDATE" \
- $VALGRIND $SERV $DEBUG -p "$PORT" \
+ launch_bare_server $VALGRIND $SERV $DEBUG --attime "$TESTDATE" -p "$PORT" \
${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" \
--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
wait_server ${PID}
# connect to server using SC
- "$FAKETIME" "$FAKETIME_F_OPT" "$TESTDATE" \
- ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
+ ${VALGRIND} "${CLI}" --attime "$TESTDATE" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
fail ${PID} "Connection should have failed!"
- "$FAKETIME" "$FAKETIME_F_OPT" "$TESTDATE" \
- ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
+ ${VALGRIND} "${CLI}" --attime "$TESTDATE" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
fail ${PID} "Connection (with files) should have succeeded!"
- "$FAKETIME" "$FAKETIME_F_OPT" "$TESTDATE" \
- ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
+ ${VALGRIND} "${CLI}" --attime "$TESTDATE" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
--x509keyfile="${token};object=gnutls-client;object-type=private" \
--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
fail ${PID} "Connection (with SC) should have succeeded!"