That adds a dependency to p11-kit 0.23.10 for the test suite.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
- LSAN_OPTIONS="suppressions=$(pwd)/fuzz/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x4
- LSAN_OPTIONS="suppressions=$(pwd)/fuzz/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x8
- CFLAGS="-fsanitize=address -g -O2" LDFLAGS="-static-libasan"
- dash ./configure --cache-file cache/config.cache --disable-doc --with-default-trust-store-pkcs11="pkcs11:" --disable-guile --enable-destructive-tests
+ dash ./configure --cache-file cache/config.cache --disable-doc --with-default-trust-store-pkcs11="pkcs11:" --disable-guile
- make -j$(nproc)
- - make -C tests check -j$(nproc) TESTS="trust-store" SUBDIRS=.
- - make -C tests check -j$(nproc) TESTS= "destructive/p11-kit-load.sh" SUBDIRS=.
+ - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=.
tags:
- shared
except:
- make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros"
- make -j$(nproc)
- make check -j$(nproc)
- - CFLAGS="-fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" LDFLAGS="-static-libubsan" dash ./configure --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --with-default-trust-store-pkcs11="pkcs11:" --enable-destructive-tests
+ - CFLAGS="-fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" LDFLAGS="-static-libubsan" dash ./configure --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --with-default-trust-store-pkcs11="pkcs11:"
- make -j$(nproc)
- - make -C tests check -j$(nproc) TESTS="trust-store destructive/p11-kit-load.sh" SUBDIRS=.
+ - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=.
tags:
- shared
except:
enable_tests=$enableval, enable_tests=$enable_tools)
AM_CONDITIONAL(ENABLE_TESTS, test "$enable_tests" != "no")
-AC_ARG_ENABLE(destructive-tests,
- AS_HELP_STRING([--enable-destructive-tests], [compile and run tests which touch outside gnutls' code boundary]),
- enable_destructive_tests=$enableval, enable_destructive_tests=no)
-AM_CONDITIONAL(ENABLE_DESTRUCTIVE_TESTS, test "$enable_destructive_tests" != "no")
-
AC_ARG_ENABLE(fuzzer-target,
AS_HELP_STRING([--enable-fuzzer-target], [make a library intended for testing - not production]),
enable_fuzzer_target=$enableval, enable_fuzzer_target=no)
fi
fi
+AM_CONDITIONAL(P11KIT_0_23_10_API, ! $PKG_CONFIG --atleast-version=2.23.10 p11-kit)
+
AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
AC_ARG_WITH(tpm,
Local unistring: ${included_unistring}
Use nettle-mini: ${mini_nettle}
Documentation: ${enable_doc} (manpages: ${enable_manpages})
- Destructive tests: ${enable_destructive_tests}
])
AC_MSG_NOTICE([External hardware support:
if ENABLE_PKCS11
dist_check_SCRIPTS += p11-kit-trust.sh
-if ENABLE_DESTRUCTIVE_TESTS
if HAVE_PKCS11_TRUST_STORE
-dist_check_SCRIPTS += destructive/p11-kit-load.sh
+if P11KIT_0_23_10_API
+dist_check_SCRIPTS += p11-kit-load.sh
indirect_tests += pkcs11/list-tokens
endif
endif
CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
DIFF="${DIFF:-diff}"
PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}"
-TMPDIR="backup.$$.tmp"
TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp"
+P11DIR="p11-kit-conf.$$.tmp"
PIN=1234
PUK=1234
# Create pkcs11.conf with two modules, a trusted (p11-kit-trust)
# and softhsm (not trusted)
-DIR=$(${PKGCONFIG} --var=p11_system_config_modules p11-kit-1)
-if test $? != 0 || test -z ${DIR} || test ${DIR} = '/';then
- echo "Cannot determine p11-kit module config directory"
- exit 1
-fi
-
-mkdir -p ${TMPDIR}
-cp ${DIR}/* ${TMPDIR}
-rm -f ${DIR}/*
+mkdir -p ${P11DIR}
-cat <<_EOF_ >${DIR}/p11-kit-trust.module
+cat <<_EOF_ >${P11DIR}/p11-kit-trust.module
module: p11-kit-trust.so
trust-policy: yes
_EOF_
-cat <<_EOF_ >${DIR}/softhsm.module
+cat <<_EOF_ >${P11DIR}/softhsm.module
module: libsofthsm2.so
_EOF_
exit 1
fi
+FILTERTOKEN="sed s/token=.*//g"
-# Check whether p11tool would list them both
+# Check whether both are listed
-nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l)
+#nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l)
if test "$nr" != 2;then
echo "Error: did not find 2 modules ($nr)"
- ${P11TOOL} --list-tokens|grep 'Module:'|sort|uniq
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR}
exit 1
fi
-# Check whether p11tool with a specific provider would list only that
-# That is, check whether p11tool will list the trust module
-# if we only load softhsm (it should as trust modules
-# are always loaded).ould list them both
+## Check whether p11tool with a specific provider would list only that
+## That is, check whether p11tool will list the trust module
+## if we only load softhsm (it should as trust modules
+## are always loaded).ould list them both
+
-nr=$(${P11TOOL} --provider "${SOFTHSM_MODULE}" --list-tokens|grep -c ^Token)
+#nr=$(${P11TOOL} --provider "${SOFTHSM_MODULE}" --list-tokens|grep -c ^Token)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
echo "Error: did not find softhsm modules"
- ${P11TOOL} --list-tokens --provider "${SOFTHSM_MODULE}"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"
exit 1
fi
-FILTERTOKEN="sed s/token=.*//g"
# Check whether both modules are found when gnutls_pkcs11_init
# is not called but a pkcs11 operation is called.
-nr=$(${builddir}/pkcs11/list-tokens -d|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -d|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 2;then
echo "Error in test 1: did not find 2 modules"
- ${builddir}/pkcs11/list-tokens -d
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -d
exit 1
fi
# Check whether both modules are found when gnutls_pkcs11_init
# is called with the auto flag
-nr=$(${builddir}/pkcs11/list-tokens -a|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 2;then
echo "Error in test 2: did not find 2 modules"
- ${builddir}/pkcs11/list-tokens -a
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -a
exit 1
fi
# Check whether only trusted modules are listed when the
# trusted flag is given to gnutls_pkcs11_init().
-nr=$(${builddir}/pkcs11/list-tokens -t|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -t|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
echo "Error in test 3: did not find the trusted module"
- ${builddir}/pkcs11/list-tokens -t
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -t
exit 1
fi
# Check whether only trusted is listed after certificate verification
# is performed.
-nr=$(${builddir}/pkcs11/list-tokens -v|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
echo "Error in test 4: did not find 1 module"
- ${builddir}/pkcs11/list-tokens -v
+ echo xxx
+ GNUTLS_DEBUG_LEVEL=4 P11_KIT_DEBUG=all ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v
exit 1
fi
# Check whether only trusted is listed when gnutls_pkcs11_init
# is called with manual flag and a certificate verification is performed.
-nr=$(${builddir}/pkcs11/list-tokens -m -v|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
echo "Error in test 5: did not find 1 module"
- ${builddir}/pkcs11/list-tokens -m -v
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v
exit 1
fi
# Check whether all modules are listed after certificate verification
# is performed then a PKCS#11 function is called.
-nr=$(${builddir}/pkcs11/list-tokens -v -d|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 2;then
echo "Error in test 6: did not find all modules"
- ${builddir}/pkcs11/list-tokens -v -d
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d
exit 1
fi
# Check whether all modules are listed after a private key operation.
-nr=$(${builddir}/pkcs11/list-tokens -p|${FILTERTOKEN}|sort -u|wc -l)
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -p|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 2;then
echo "Error in test 7: did not find all modules"
- ${builddir}/pkcs11/list-tokens -p
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -p
exit 1
fi
-rm -f ${DIR}/*
+rm -f ${P11DIR}/*
rm -rf ${TMP_SOFTHSM_DIR}
-cp ${TMPDIR}/* ${DIR}/
exit 0
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of p11-kit.
+#
+# p11-kit is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# p11-kit is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>
+
+#set -e
+
+srcdir="${srcdir:-.}"
+builddir="${builddir:-.}"
+CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}"
+TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp"
+P11DIR="p11-kit-conf.$$.tmp"
+PIN=1234
+PUK=1234
+
+for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/;do
+ if test -f "${lib}/p11-kit-trust.so"; then
+ TRUST_MODULE="${lib}/p11-kit-trust.so"
+ echo "located ${MODULE}"
+ break
+ fi
+done
+
+for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/ /usr/lib/softhsm/;do
+ if test -f "${lib}/libsofthsm2.so"; then
+ SOFTHSM_MODULE="${lib}/libsofthsm2.so"
+ echo "located ${MODULE}"
+ break
+ fi
+done
+
+${PKGCONFIG} --version >/dev/null || exit 77
+
+${PKGCONFIG} --atleast-version=0.23.10 p11-kit-1
+if test $? != 0;then
+ echo p11-kit 0.23.10 is required
+ exit 77
+fi
+
+if ! test -f "${TRUST_MODULE}"; then
+ echo "p11-kit trust module was not found"
+ exit 77
+fi
+
+if ! test -f "${SOFTHSM_MODULE}"; then
+ echo "softhsm module was not found"
+ exit 77
+fi
+
+# Create pkcs11.conf with two modules, a trusted (p11-kit-trust)
+# and softhsm (not trusted)
+mkdir -p ${P11DIR}
+
+cat <<_EOF_ >${P11DIR}/p11-kit-trust.module
+module: p11-kit-trust.so
+trust-policy: yes
+_EOF_
+
+cat <<_EOF_ >${P11DIR}/softhsm.module
+module: libsofthsm2.so
+_EOF_
+
+# Setup softhsm
+rm -rf ${TMP_SOFTHSM_DIR}
+mkdir -p ${TMP_SOFTHSM_DIR}
+SOFTHSM2_CONF=${TMP_SOFTHSM_DIR}/conf
+export SOFTHSM2_CONF
+echo "objectstore.backend = file" > "${SOFTHSM2_CONF}"
+echo "directories.tokendir = ${TMP_SOFTHSM_DIR}" >> "${SOFTHSM2_CONF}"
+
+softhsm2-util --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1
+if test $? != 0; then
+ echo "failed to initialize softhsm"
+ exit 1
+fi
+
+FILTERTOKEN="sed s/token=.*//g"
+
+# Check whether both are listed
+
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l)
+#nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error: did not find 2 modules ($nr)"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR}
+ exit 1
+fi
+
+# Check whether whether list-tokens will list the trust module
+# if we only load softhsm. It shouldn't as we only load the
+# trust module when needed (e.g., verification).
+
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 1;then
+ echo "Error: did not find softhsm module"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"
+ exit 1
+fi
+
+# Check whether both modules are found when gnutls_pkcs11_init
+# is not called but a pkcs11 operation is called.
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -d|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error in test 1: did not find 2 modules"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -d
+ exit 1
+fi
+
+# Check whether both modules are found when gnutls_pkcs11_init
+# is called with the auto flag
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error in test 2: did not find 2 modules"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -a
+ exit 1
+fi
+
+# Check whether only trusted modules are listed when the
+# trusted flag is given to gnutls_pkcs11_init().
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -t|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 1;then
+ echo "Error in test 3: did not find the trusted module"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -t
+ exit 1
+fi
+
+# Check whether only trusted is listed after certificate verification
+# is performed.
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 1;then
+ echo "Error in test 4: did not find 1 module"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v
+ exit 1
+fi
+
+# Check whether only trusted is listed when gnutls_pkcs11_init
+# is called with manual flag and a certificate verification is performed.
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 1;then
+ echo "Error in test 5: did not find 1 module"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v
+ exit 1
+fi
+
+# Check whether all modules are listed after certificate verification
+# is performed then a PKCS#11 function is called.
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error in test 6: did not find all modules"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d
+ exit 1
+fi
+
+# Check whether all modules are listed after a private key operation.
+nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -p|${FILTERTOKEN}|sort -u|wc -l)
+if test "$nr" != 2;then
+ echo "Error in test 7: did not find all modules"
+ ${builddir}/pkcs11/list-tokens -o ${P11DIR} -p
+ exit 1
+fi
+
+rm -f ${P11DIR}/*
+rm -rf ${TMP_SOFTHSM_DIR}
+
+exit 0
#include <gnutls/abstract.h>
#include <getopt.h>
#include <assert.h>
+#define P11_KIT_FUTURE_UNSTABLE_API
+#include <p11-kit/p11-kit.h>
#include "cert-common.h"
/* lists the registered PKCS#11 modules by p11-kit.
int ret;
unsigned i;
int opt;
- char *url;
+ char *url, *mod;
gnutls_x509_trust_list_t tl;
gnutls_x509_crt_t crt;
gnutls_pkcs11_privkey_t key;
unsigned flag = 1;
- unsigned private = 0;
unsigned int status;
ret = gnutls_global_init();
gnutls_global_set_log_function(tls_log_func);
//gnutls_global_set_log_level(4711);
- while((opt = getopt(argc, argv, "mvatdp")) != -1) {
+ while((opt = getopt(argc, argv, "s:o:mvatdp")) != -1) {
switch(opt) {
+ case 'o':
+ mod = strdup(optarg);
+ p11_kit_override_system_files(NULL, NULL, mod, mod, NULL);
+ break;
case 'm':
/* initialize manually - i.e., do no module loading */
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
exit(1);
}
break;
+ case 's':
+ /* load module */
+ ret = gnutls_pkcs11_add_provider(optarg, NULL);
+ if (ret != 0) {
+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+ break;
case 'd':
/* when call _gnutls_pkcs11_token_get_url() do proper initialization
* if none done */
projects / thirdparty / gnutls.git / commitdiff
