: ${srcdir=.}
: ${SERV=../src/gnutls-serv${EXEEXT}}
: ${CLI=../src/gnutls-cli${EXEEXT}}
-TMPFILE=config.$$.tmp
-TMPFILE2=log.$$.tmp
+: ${CERTTOOL=../src/certtool${EXEEXT}}
+: ${GREP=grep}
+: ${DIFF=diff}
+: ${SED=sed}
+: ${CAT=cat}
+TMPFILE_KEY=key.$$.pem.tmp
+TMPFILE_CONFIG=config.$$.pem.tmp
+TMPFILE_INPUT_SCRIPT=input.$$.script.tmp
+TMPFILE_OBSERVED_LOG=observed.$$.log.tmp
+TMPFILE_EXPECTED_LOG=expected.$$.log.tmp
export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
-if ! test -x "${SERV}"; then
- exit 77
-fi
+for tool in "${CERTTOOL}" "${SERV}" "${CLI}"; do
+ if ! test -x "$tool"; then
+ exit 77
+ fi
+done
-if ! test -x "${CLI}"; then
- exit 77
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
fi
if test "${WINDIR}" != ""; then
exit 77
fi
+cleanup() {
+ rm -f "${TMPFILE_KEY}" "${TMPFILE_INPUT_SCRIPT}"
+ rm -f "${TMPFILE_OBSERVED_LOG}" "${TMPFILE_EXPECTED_LOG}"
+}
+trap cleanup 1 15 2 EXIT
+
+# Set up a reasonable but minimal configuration file using allowlisting
+# allowing just a few curves.
# We intentionally add stray spaces and tabs to check our parser
-cat <<_EOF_ > ${TMPFILE}
+cat <<_EOF_ > ${TMPFILE_CONFIG}
[global]
-override-mode = allowlist
+override-mode = allowlist
[overrides]
-enabled-curve = secp384r1
+ enabled-curve= seCp384r1
_EOF_
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE_CONFIG}"
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+INITIALLY_ENABLED_CURVES="SECP384R1"
+INITIALLY_DISABLED_CURVES="SECP256R1 SECP521R1 X25519 X448"
+EXAMPLE_DISABLED_PRIORITY=NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1
-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
export GNUTLS_DEBUG_LEVEL=3
-"${CLI}" --list|grep ^Groups >${TMPFILE2}
-cat ${TMPFILE2}
-if grep -i "SECP256R1" ${TMPFILE2} || grep -i "SECP521R1" ${TMPFILE2};then
- echo "Found disabled curve with --list"
- exit 1
-fi
-
-if ! grep -i "SECP384R1" ${TMPFILE2};then
- echo "Could not found secp384r1"
- exit 1
-fi
+"${CLI}" --list|grep ^Groups >"${TMPFILE_OBSERVED_LOG}"
+cat "${TMPFILE_OBSERVED_LOG}"
+for curve in ${INITIALLY_DISABLED_CURVES}; do
+ if grep -i "$curve" "${TMPFILE_OBSERVED_LOG}"; then
+ echo "Found disabled curve $curve within --list output"
+ exit 1
+ fi
+done
+
+for curve in ${INITIALLY_ENABLED_CURVES}; do
+ if ! grep -i "$curve" ${TMPFILE_OBSERVED_LOG};then
+ echo "Could not found $curve within --list output"
+ exit 1
+ fi
+done
# Try whether a client connection with a disabled curve will succeed.
PID=$!
wait_server ${PID}
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --priority ${EXAMPLE_DISABLED_PRIORITY} --insecure --logfile ${TMPFILE_OBSERVED_LOG} </dev/null >/dev/null ||
fail "expected connection to succeed (1)"
-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE_CONFIG}"
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority ${EXAMPLE_DISABLED_PRIORITY} --insecure --logfile ${TMPFILE_OBSERVED_LOG} </dev/null >/dev/null &&
fail "expected connection to fail (2)"
kill ${PID}
unset GNUTLS_SYSTEM_PRIORITY_FILE
-"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --priority ${EXAMPLE_DISABLED_PRIORITY} --insecure --logfile ${TMPFILE_OBSERVED_LOG} </dev/null >/dev/null &&
fail "expected connection to fail (2)"
kill ${PID}
projects / thirdparty / gnutls.git / commitdiff
