tests/cve-2009-1416
tests/dane
tests/dane-strcodes
-tests/datefudge-check
tests/dh-compute
tests/dh-params
tests/dhepskself
AM_MISSING_PROG([ASN1PARSER], [asn1Parser])
AM_MISSING_PROG([PERL], [perl])
+AC_CHECK_PROGS([FAKETIME], [faketime])
+AS_IF([test -n "$FAKETIME"], [FAKETIME_F_OPT="-f"; AC_SUBST([FAKETIME_F_OPT])], [
+ AC_CHECK_PROGS([DATEFUDGE], [datefudge])
+ AS_IF([test -n "$DATEFUDGE"], [
+ FAKETIME_F_OPT="-s"
+ AC_SUBST([FAKETIME], [$DATEFUDGE])
+ AC_SUBST([FAKETIME_F_OPT])
+ ])
+])
+
+AC_MSG_CHECKING([whether faketime program works])
+AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <stdio.h>
+ #include <stdlib.h>
+ #include <time.h>
+ ]],
+ [[time_t t = time(NULL);
+ struct tm *tmp = localtime(&t);
+ char outstr[200];
+ if (!tmp) return 0;
+ if (!strftime(outstr, sizeof(outstr), "%s", tmp)) return 0;
+ puts(outstr);
+ return 0;
+ ]])],
+ [AS_IF([test `TZ=UTC $FAKETIME $FAKETIME_F_OPT "2006-09-23 00:00:00" ./conftest$EXEEXT` = "1158969600"], [
+ ac_cv_faketime_works=yes
+ ], [
+ ac_cv_faketime_works=no
+ ])],
+ [ac_cv_faketime_works=no],
+ [ac_cv_faketime_works=cross-compiling])
+
+AC_MSG_RESULT([$ac_cv_faketime_works])
+AC_SUBST([ac_cv_faketime_works])
+
AC_ARG_ENABLE(bash-tests,
AS_HELP_STRING([--disable-bash-tests], [skip some tests that badly need bash]),
enable_bash_tests=$enableval, enable_bash_tests=yes)
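Review bot: The `test` that compares the conftest output with `"1158969600"` uses an unquoted command substitution and is reached even when neither `faketime` nor `datefudge` was found. In that case `$FAKETIME` and `$FAKETIME_F_OPT` expand to nothing, the shell tries to execute the date string as a command, and `test` is left with no left operand. The result still ends up as `no`, but only through a shell error in the configure output. Capture the substitution in a variable first (say `faketime_out`), then use `test -n "$FAKETIME" && test "x$faketime_out" = "x1158969600"` as the condition. Separately, `ac_cv_faketime_works` borrows the `ac_cv_` cache prefix without going through `AC_CACHE_CHECK`, so a project-prefixed name would be less misleading.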
endif
endif
-if !WINDOWS
-indirect_tests += datefudge-check
-noinst_PROGRAMS = datefudge-check
-endif
-
check_PROGRAMS = $(cpptests) $(ctests) $(indirect_tests)
TESTS = $(cpptests) $(ctests) $(dist_check_SCRIPTS)
TESTS_ENVIRONMENT += ENABLE_GOST=0
endif
+TESTS_ENVIRONMENT += \
+ FAKETIME="$(FAKETIME)" \
+ FAKETIME_F_OPT="$(FAKETIME_F_OPT)" \
+ ac_cv_faketime_works="$(ac_cv_faketime_works)"
+
TEST_EXTENSIONS = .sh
SH_LOG_COMPILER = $(SHELL)
# Start OpenSSL TLS server
#
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${OPENSSL}" s_server -cert ${SERVER_CERT_FILE} -key ${SERVER_KEY_FILE} \
-CAfile ${CA_FILE} -port ${PORT} -Verify 1 -verify_return_error -www
SERVER_PID="${!}"
wait_server "${SERVER_PID}"
-gnutls_timewrapper_standalone static "${TESTDATE}" \
+"$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --x509certfile ${CLIENT_CERT_FILE} \
--x509keyfile ${CLIENT_KEY_FILE} --x509cafile=${CA_FILE} \
--port="${PORT}" localhost </dev/null
TESTS_ENVIRONMENT += DISABLE_BASH_TESTS=1
endif
+TESTS_ENVIRONMENT += \
+ FAKETIME="$(FAKETIME)" \
+ FAKETIME_F_OPT="$(FAKETIME_F_OPT)" \
+ ac_cv_faketime_works="$(ac_cv_faketime_works)"
+
AM_VALGRINDFLAGS = --suppressions=$(srcdir)/suppressions.valgrind
LOG_COMPILER = $(LOG_VALGRIND)
NEW_CA_FILE="${srcdir}/data/alt-chain-new-ca.pem"
echo ""
-gnutls_timewrapper_standalone static "2017-05-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2017-05-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --load-ca-certificate ${OLD_CA_FILE} --verify-hostname www.google.com --verify --infile "${srcdir}/data/alt-chain.pem" >${OUTFILE}
rc=$?
fi
echo ""
-gnutls_timewrapper_standalone static "2017-05-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2017-05-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --load-ca-certificate ${NEW_CA_FILE} --verify-hostname www.google.com --verify --infile "${srcdir}/data/alt-chain.pem" >${OUTFILE}
rc=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2017-2-28" \
+"$FAKETIME" "2017-2-28" \
${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-with-critical-on-root.pem
rc=$?
exit 1
fi
-gnutls_timewrapper_standalone "2017-2-28" \
+"$FAKETIME" "2017-2-28" \
${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-with-critical-on-endcert.pem
rc=$?
exit 1
fi
-gnutls_timewrapper_standalone "2017-2-28" \
+"$FAKETIME" "2017-2-28" \
${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-with-critical-on-intermediate.pem
rc=$?
skip_if_no_datefudge
# Check whether certificates with non-digits time fields are accepted
-gnutls_timewrapper_standalone static "2019-12-19 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2019-12-19 00:00:00" \
${VALGRIND}"${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-with-non-digits-time-ca.pem" --infile "${srcdir}/data/cert-with-non-digits-time.pem"
rc=$?
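Review bot: `${VALGRIND}"${CERTTOOL}"` on the line after the rewritten wrapper call has no space between the two expansions, so with a non-empty `VALGRIND` its last word is glued onto the certtool path and the command cannot be run. The commit touches the line directly above but leaves this as it was; write `${VALGRIND} "${CERTTOOL}" --verify …` as the sibling tests do. The check on `rc` is outside the hunk, so whether a resulting status of 127 would be reported as a failure or mistaken for the expected rejection of the non-digit time fields cannot be confirmed from here.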
skip_if_no_datefudge
# Test certificate chain using Ed25519
-gnutls_timewrapper_standalone "2017-7-6" \
+"$FAKETIME" "2017-7-6" \
${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-eddsa.pem
if test $? != 0; then
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2012-11-22" \
+"$FAKETIME" "2012-11-22" \
${VALGRIND} "${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-rsa-pss.pem" --infile "${srcdir}/data/cert-rsa-pss.pem"
rc=$?
skip_if_no_datefudge
echo "Checking chain with insecure leaf"
-gnutls_timewrapper_standalone static "2019-12-19 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2019-12-19 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-leaf.pem" >${OUTFILE}
rc=$?
fi
echo "Checking chain with insecure subca"
-gnutls_timewrapper_standalone static "2019-12-19 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2019-12-19 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-subca.pem" >${OUTFILE}
rc=$?
echo "Checking chain with insecure ca"
-gnutls_timewrapper_standalone static "2019-12-19 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2019-12-19 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-ca.pem" >${OUTFILE}
rc=$?
skip_if_no_datefudge
-cat "${srcdir}/../certs/cert-ecc256.pem" "${srcdir}/../certs/ca-cert-ecc.pem"|gnutls_timewrapper_standalone "2012-11-22" \
+cat "${srcdir}/../certs/cert-ecc256.pem" "${srcdir}/../certs/ca-cert-ecc.pem"|"$FAKETIME" "2012-11-22" \
${VALGRIND} "${CERTTOOL}" --verify-chain
rc=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone static "2020-01-20 10:00:00" ${VALGRIND} \
+"$FAKETIME" "$FAKETIME_F_OPT" "2020-01-20 10:00:00" ${VALGRIND} \
"${CERTTOOL}" --generate-crl --load-ca-privkey "${srcdir}/data/template-test.key" \
--load-ca-certificate "${srcdir}/data/template-test.pem" \
--load-certificate "${srcdir}/data/ca-certs.pem" --template \
if test "${ac_cv_sizeof_time_t}" = 8;then
# we should test that on systems which have 64-bit time_t
- gnutls_timewrapper_standalone static "2138-01-20 10:00:00" ${VALGRIND} \
+ "$FAKETIME" "$FAKETIME_F_OPT" "2138-01-20 10:00:00" ${VALGRIND} \
"${CERTTOOL}" --generate-crl --load-ca-privkey "${srcdir}/data/template-test.key" \
--load-ca-certificate "${srcdir}/data/template-test.pem" \
--load-certificate "${srcdir}/data/ca-certs.pem" --template \
rm -f "${OUTFILE}"
# check whether the honor_crq_extension option works
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-request \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-tlsfeature.tmpl" \
exit 1
fi
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-certificate \
--load-ca-privkey "${srcdir}/data/template-test.key" \
--load-ca-certificate "${srcdir}/data/template-tlsfeature.pem" \
N
__EOF__
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
setsid \
"${CERTTOOL}" -q \
--load-privkey "${srcdir}/data/template-test.key" \
fi
# check whether the generation with extension works
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-request \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/arb-extensions.tmpl" \
fi
# Generate certificate from CRQ with no explicit extensions
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-certificate \
--load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
--load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
fi
# Generate certificate from CRQ with CRQ extensions
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-certificate \
--load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
--load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
fi
# Generate certificate from CRQ with explicit extensions
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-certificate \
--load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
--load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
skip_if_no_datefudge
-gnutls_timewrapper_standalone static "2017-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2017-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/key-ca.pem" \
--template "${srcdir}/templates/inhibit-anypolicy.tmpl" \
echo ca > $TEMPLFILE
echo "cn = sub-CA" >> $TEMPLFILE
-gnutls_timewrapper_standalone static "2017-04-23 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2017-04-23 00:00:00" \
"${CERTTOOL}" -d 2 --generate-certificate --template $TEMPLFILE \
--load-ca-privkey "${srcdir}/data/key-ca.pem" \
--load-ca-certificate $CAFILE \
cat $SUBCAFILE $CAFILE > ${TMPFILE}
# we do not support the inhibit any policy extension for verification
-gnutls_timewrapper_standalone static "2017-04-25 00:00:00" "${CERTTOOL}" --verify-chain --infile ${TMPFILE}
+"$FAKETIME" "$FAKETIME_F_OPT" "2017-04-25 00:00:00" "${CERTTOOL}" --verify-chain --infile ${TMPFILE}
rc=$?
if test "$rc" != "0"; then
echo "Verification failed unexpectedly ($rc)"
skip_if_no_datefudge
#this was causing a double free; verify that we receive the expected error code
-gnutls_timewrapper_standalone static "2020-01-01 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2020-01-01 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem"
rc=$?
# time set using faketime/datefudge could have changed since the generation
# (if example the system was busy)
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-krb5name.tmpl" \
cp "${srcdir}/templates/template-krb5name.tmpl" ${TMPLFILE}
echo "krb5_principal = 'xxxxxxxxxxxxxx'" >>${TMPLFILE}
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
${VALGRIND} "${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template ${TMPLFILE} \
cp "${srcdir}/templates/template-krb5name.tmpl" ${TMPLFILE}
echo "krb5_principal = 'comp1/comp2/comp3/comp4/comp5/comp6/comp7/comp8/comp9/comp10@REALM.COM'" >>${TMPLFILE}
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
${VALGRIND} "${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template ${TMPLFILE} \
# Test MD5 signatures
-gnutls_timewrapper_standalone static "2016-04-15 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2016-04-15 00:00:00" \
"${CERTTOOL}" --verify-chain --infile "${srcdir}/data/chain-md5.pem" >/dev/null 2>&1
rc=$?
if test "${rc}" != "1"; then
exit ${rc}
fi
-gnutls_timewrapper_standalone static "2016-04-15 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2016-04-15 00:00:00" \
"${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/chain-md5.pem" >/dev/null 2>&1
rc=$?
if test "${rc}" != "0"; then
skip_if_no_datefudge
-gnutls_timewrapper_standalone static "2016-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2016-04-22 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-allow-broken -e --infile "${srcdir}/data/name-constraints-ip.pem"
rc=$?
# time set using faketime/datefudge could have changed since the generation
# (if example the system was busy)
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-othername.tmpl" \
exit ${rc}
fi
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-othername-xmpp.tmpl" \
EXPECT1=2002
-gnutls_timewrapper_standalone "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok.pem" | tee $TMPFILE1 >/dev/null 2>&1
-gnutls_timewrapper_standalone "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken.pem" | tee $TMPFILE2 >/dev/null 2>&1
+"$FAKETIME" "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok.pem" | tee $TMPFILE1 >/dev/null 2>&1
+"$FAKETIME" "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken.pem" | tee $TMPFILE2 >/dev/null 2>&1
out1oks=`grep 'Verified.' $TMPFILE1 | wc -l | tr -d " "`
out2oks=`grep 'Verified.' $TMPFILE2 | wc -l | tr -d " "`
EXPECT2=2002
-gnutls_timewrapper_standalone "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok2.pem" | tee $TMPFILE1 >/dev/null 2>&1
-gnutls_timewrapper_standalone "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken2.pem" | tee $TMPFILE2 >/dev/null 2>&1
+"$FAKETIME" "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok2.pem" | tee $TMPFILE1 >/dev/null 2>&1
+"$FAKETIME" "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken2.pem" | tee $TMPFILE2 >/dev/null 2>&1
out1oks=`grep 'Verified.' $TMPFILE1 | wc -l | tr -d " "`
out2oks=`grep 'Verified.' $TMPFILE2 | wc -l | tr -d " "`
# by Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann.
-gnutls_timewrapper_standalone "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken3.pem" | tee $TMPFILE1 >/dev/null 2>&1
+"$FAKETIME" "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken3.pem" | tee $TMPFILE1 >/dev/null 2>&1
out1oks=`grep 'Verified.' $TMPFILE1 | wc -l | tr -d " "`
out1fails=`grep 'Not verified.' $TMPFILE1 | wc -l | tr -d " "`
. ${srcdir}/../scripts/common.sh
skip_if_no_datefudge
-gnutls_timewrapper_standalone static "2016-10-01 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2016-10-01 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-allow-broken --p7-verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/pkcs7-cat-ca.pem"
rc=$?
FILE="signing-verify-no-purpose"
echo ""
echo "test: $FILE"
-gnutls_timewrapper_standalone static "2015-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2015-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
rc=$?
FILE="signing-verify-valid-purpose"
echo ""
echo "test: $FILE"
-gnutls_timewrapper_standalone static "2015-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2015-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
rc=$?
FILE="signing-verify-invalid-purpose"
echo ""
echo "test: $FILE"
-gnutls_timewrapper_standalone static "2015-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2015-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
rc=$?
FILE="signing-verify-invalid-date-1"
echo ""
echo "test: $FILE"
-gnutls_timewrapper_standalone static "2011-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2011-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
rc=$?
FILE="signing-verify-invalid-date-2"
echo ""
echo "test: $FILE"
-gnutls_timewrapper_standalone static "2018-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2018-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
rc=$?
FILE="signing-verify-no-purpose"
echo ""
echo "test: $FILE"
-gnutls_timewrapper_standalone static "2015-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2015-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
rc=$?
FILE="signing-verify-valid-purpose"
echo ""
echo "test: $FILE"
-gnutls_timewrapper_standalone static "2015-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2015-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
rc=$?
FILE="signing-verify-invalid-purpose"
echo ""
echo "test: $FILE"
-gnutls_timewrapper_standalone static "2015-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2015-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
rc=$?
FILE="signing-verify-invalid-date-1"
echo ""
echo "test: $FILE"
-gnutls_timewrapper_standalone static "2011-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2011-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
rc=$?
FILE="signing-verify-invalid-date-2"
echo ""
echo "test: $FILE"
-gnutls_timewrapper_standalone static "2018-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2018-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
rc=$?
for FILE in full.p7b openssl.p7b openssl-keyid.p7b; do
# check validation with date prior to CA issuance
-gnutls_timewrapper_standalone static "2011-01-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2011-01-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
rc=$?
fi
# check validation with date prior to intermediate cert issuance
-env TZ=UTC gnutls_timewrapper_standalone static "2011-05-28 08:38:00" \
+env TZ=UTC "$FAKETIME" "$FAKETIME_F_OPT" "2011-05-28 08:38:00" \
${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
rc=$?
fi
# check validation with date after intermediate cert issuance
-gnutls_timewrapper_standalone static "2038-10-13 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2038-10-13 00:00:00" \
${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
rc=$?
# Test PSS signatures on certificate
for i in sha256 sha384 sha512;do
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed --key-type rsa-pss \
--load-privkey "${srcdir}/data/privkey1.pem" \
--template "${srcdir}/templates/template-test.tmpl" \
exit ${rc}
fi
-gnutls_timewrapper_standalone static "2007-04-25 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-25 00:00:00" \
"${CERTTOOL}" --load-ca-certificate "${TMPFILE}" --verify --infile "${TMPFILE}" >/dev/null 2>&1
rc=$?
if test "${rc}" != "0"; then
# Test SHA3 signatures
for i in sha3-224 sha3-256 sha3-384 sha3-512;do
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-test.tmpl" \
exit ${rc}
fi
-gnutls_timewrapper_standalone static "2007-04-25 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-25 00:00:00" \
"${CERTTOOL}" --load-ca-certificate "${TMPFILE}" --verify --infile "${TMPFILE}" >/dev/null 2>&1
rc=$?
if test "${rc}" != "0"; then
# Test SHA3 signatures with ECDSA
for i in sha3-224 sha3-256 sha3-384 sha3-512;do
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test-ecc.key" \
--template "${srcdir}/templates/template-test.tmpl" \
exit ${rc}
fi
-gnutls_timewrapper_standalone static "2007-04-25 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-25 00:00:00" \
"${CERTTOOL}" --load-ca-certificate "${TMPFILE}" --verify --infile "${TMPFILE}" >/dev/null 2>&1
rc=$?
if test "${rc}" != "0"; then
fi
-gnutls_timewrapper_standalone static "2017-04-06 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2017-04-06 00:00:00" \
${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" <"${OUTFILE}"
rc=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/arb-extensions.tmpl" \
rm -f "$OUTFILE"
# Test adding critical extensions only
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/crit-extensions.tmpl" \
rm -f "$OUTFILE"
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-request \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/arb-extensions.tmpl" \
skip_if_no_datefudge
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/simple-policy.tmpl" \
# time set using faketime/datefudge could have changed since the generation
# (if example the system was busy)
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-test.tmpl" \
rm -f ${TMPFILE}
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-utf8.tmpl" \
rm -f ${TMPFILE}
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-dn.tmpl" \
echo "Running test for certificate generation with --generate-self-signed"
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-certificate \
--load-privkey "${srcdir}/data/template-test.key" \
--load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
rm -f ${TMPFILE}
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-dn-err.tmpl" \
rm -f ${TMPFILE}
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-overflow.tmpl" \
# The following test works in 64-bit systems
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-overflow2.tmpl" \
fi
rm -f ${TMPFILE}
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-date.tmpl" \
rm -f ${TMPFILE}
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-dates-after2038.tmpl" \
# Test name constraints generation
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-nc.tmpl" \
# Test the GeneralizedTime support
if test "${ac_cv_sizeof_time_t}" = 8;then
# we should test that on systems which have 64-bit time_t.
- gnutls_timewrapper_standalone static "2051-04-22 00:00:00" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "2051-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-generalized.tmpl" \
# Test unique ID field generation
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-unique.tmpl" \
# Test generation with very long dns names
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-long-dns.tmpl" \
# Test generation with larger serial number
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-long-serial.tmpl" \
#
# Test certificate generation
#
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-tlsfeature.tmpl" \
# Test certificate request generation
#
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-request \
--load-privkey "${srcdir}/data/template-test.key" \
--template "${srcdir}/templates/template-tlsfeature.tmpl" \
#
# Test certificate generation after a request
#
-gnutls_timewrapper_standalone static "2007-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2007-04-22 00:00:00" \
"${CERTTOOL}" --generate-certificate \
--load-privkey "${srcdir}/data/template-test.key" \
--load-ca-privkey "${srcdir}/data/template-test.key" \
file=$2
echo -n "* Verifying a certificate... "
- gnutls_timewrapper_standalone static "2015-10-10 00:00:00" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "2015-10-10 00:00:00" \
$CERTTOOL ${ADDITIONAL_PARAM} --verify --load-ca-certificate "$url" --infile "$file" >>"${TMPFILE}" 2>&1
if test $? = 0; then
echo ok
+++ /dev/null
-/*
- * Copyright (C) 2019 Red Hat
- *
- * Author: Daiki Ueno
- *
- * This file is part of GnuTLS.
- *
- * GnuTLS is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * GnuTLS is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program. If not, see <https://www.gnu.org/licenses/>
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-
-int main(void)
-{
- char outstr[200];
- time_t t;
- struct tm *tmp;
-
- t = time(NULL);
- tmp = localtime(&t);
- if (tmp == NULL) {
- perror("localtime");
- exit(EXIT_FAILURE);
- }
-
- if (strftime(outstr, sizeof(outstr), "%s", tmp) == 0) {
- fprintf(stderr, "strftime returned 0");
- exit(EXIT_FAILURE);
- }
-
- puts(outstr);
- exit(EXIT_SUCCESS);
-}
PID=$!
wait_server ${PID}
-gnutls_timewrapper_standalone "2017-08-9" timeout 1800 \
+"$FAKETIME" "2017-08-9" timeout 1800 \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
kill ${PID}
PID=$!
wait_server ${PID}
-gnutls_timewrapper_standalone "2017-08-9" timeout 1800 \
+"$FAKETIME" "2017-08-9" timeout 1800 \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
kill ${PID}
PID=$!
wait_server ${PID}
-gnutls_timewrapper_standalone "2017-08-9" timeout 1800 \
+"$FAKETIME" "2017-08-9" timeout 1800 \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
kill ${PID}
_EOF_
GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
-gnutls_timewrapper_standalone "2017-08-9" timeout 1800 \
+"$FAKETIME" "2017-08-9" timeout 1800 \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
kill ${PID}
PID=$!
wait_server ${PID}
- gnutls_timewrapper_standalone "2017-08-9" timeout 1800 \
+ "$FAKETIME" "2017-08-9" timeout 1800 \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
kill ${PID}
PID=$!
wait_server ${PID}
-gnutls_timewrapper_standalone "2018-9-19" \
+"$FAKETIME" "2018-9-19" \
${VALGRIND} "${CLI}" -p "${PORT}" localhost --x509crlfile ${CRLFILE} --x509cafile ${CAFILE} >${TMPFILE} 2>&1 </dev/null && \
fail ${PID} "1. handshake should have failed!"
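Review bot: The `&& fail ${PID} "1. handshake should have failed!"` check after the `"$FAKETIME" "2018-9-19"` call treats any non-zero status as the expected rejection. That includes the 126/127 the shell returns when `$FAKETIME` is empty or not executable, so a missing time wrapper would make this CRL test pass without a handshake ever being attempted. The `"$FAKETIME" "2018-1-1"` call in the next hunk has the same shape. Whether these scripts call `skip_if_no_datefudge` earlier is not visible in the hunk; if they do not, add it before the server is launched, or capture `rc=$?` and fail on `126`/`127` before accepting non-zero as success. Grepping `${TMPFILE}` for the expected verification error would make the negative result explicit.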
PID=$!
wait_server ${PID}
-gnutls_timewrapper_standalone "2018-1-1" \
+"$FAKETIME" "2018-1-1" \
${VALGRIND} "${CLI}" -p "${PORT}" localhost >${TMPFILE} 2>&1 </dev/null && \
fail ${PID} "1. handshake should have failed!"
skip_if_no_datefudge
-gnutls_timewrapper_standalone static "2017-06-19 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2017-06-19 00:00:00" \
"${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken
rc=$?
exit ${rc}
fi
-gnutls_timewrapper_standalone static "2017-06-19 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2017-06-19 00:00:00" \
"${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com-unsorted.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken
rc=$?
fi
# verify an OCSP response using ECDSA
-gnutls_timewrapper_standalone static "2017-06-29 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2017-06-29 00:00:00" \
"${OCSPTOOL}" -d 6 -e --load-chain "${srcdir}/ocsp-tests/certs/chain-akamai.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-akamai.com.der"
rc=$?
echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
# Generate certificates with the random port
-gnutls_timewrapper_standalone static "${CERTDATE}" ${CERTTOOL} \
+"$FAKETIME" "$FAKETIME_F_OPT" "${CERTDATE}" ${CERTTOOL} \
--generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
--load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
--load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
# Generate certificates with the random port (with mandatory stapling extension)
echo "tls_feature = 5" >>"$TEMPLATE_FILE"
-gnutls_timewrapper_standalone static "${CERTDATE}" ${CERTTOOL} \
+"$FAKETIME" "$FAKETIME_F_OPT" "${CERTDATE}" ${CERTTOOL} \
--generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
--load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
--load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
# SO_REUSEADDR usage.
PORT=${OCSP_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${OPENSSL}" ocsp -index "${INDEXFILE}" -text \
-port "${OCSP_PORT}" \
-rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \
t=0
while test "${t}" -lt "${SERVER_START_TIMEOUT}"; do
# Run a test request to make sure the server works
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
${VALGRIND} "${OCSPTOOL}" --ask \
--load-cert "${SERVER_CERT_FILE}" \
--load-issuer "${srcdir}/ocsp-tests/certs/ca.pem" \
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
# Generate an OCSP response which expires in 2 days and use it after
# a month. gnutls server doesn't send such a staple to clients.
${VALGRIND} ${OCSPTOOL} --generate-request --load-issuer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --load-cert "${SERVER_CERT_FILE}" --outfile "${OCSP_REQ_FILE}"
-gnutls_timewrapper_standalone static "${EXP_OCSP_DATE}" \
+"$FAKETIME" "$FAKETIME_F_OPT" "${EXP_OCSP_DATE}" \
${OPENSSL} ocsp -index "${INDEXFILE}" -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" -CA "${srcdir}/ocsp-tests/certs/ca.pem" -reqin "${OCSP_REQ_FILE}" -respout "${OCSP_RESPONSE_FILE}" -ndays 2
eval "${GETPORT}"
echo "=== Test 5.1: Server with valid certificate - expired staple (ignoring errors) ==="
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
rm -f "${OCSP_RESPONSE_FILE}"
${VALGRIND} ${OCSPTOOL} --generate-request --load-issuer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --load-cert "${SERVER_CERT_FILE}" --outfile "${OCSP_REQ_FILE}"
-gnutls_timewrapper_standalone static "${EXP_OCSP_DATE}" \
+"$FAKETIME" "$FAKETIME_F_OPT" "${EXP_OCSP_DATE}" \
${OPENSSL} ocsp -index ${INDEXFILE} -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" -CA "${srcdir}/ocsp-tests/certs/ca.pem" -reqin "${OCSP_REQ_FILE}" -respout "${OCSP_RESPONSE_FILE}"
eval "${GETPORT}"
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_NO_EXT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
verify_response ()
{
echo "verifying ${sample_dir}/${1} using ${trusted}"
- gnutls_timewrapper_standalone static "${date}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${date}" \
"${OCSPTOOL}" --infile="${sample_dir}/${1}" \
--verify-response --load-trust="${trusted}"
return $?
# time set using faketime/datefudge could have changed since the generation
# (if example the system was busy)
-gnutls_timewrapper_standalone static "2016-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2016-04-22 00:00:00" \
"${OCSPTOOL}" -e --load-signer "${srcdir}/ocsp-tests/certs/ca.pem" --infile "${srcdir}/ocsp-tests/response1.der"
rc=$?
exit ${rc}
fi
-gnutls_timewrapper_standalone static "2016-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2016-04-22 00:00:00" \
"${OCSPTOOL}" -e --load-signer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --infile "${srcdir}/ocsp-tests/response2.der"
rc=$?
exit ${rc}
fi
-gnutls_timewrapper_standalone static "2016-04-22 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2016-04-22 00:00:00" \
"${OCSPTOOL}" -e --load-signer "${srcdir}/ocsp-tests/certs/ca.pem" --infile "${srcdir}/ocsp-tests/response2.der" -d 4
rc=$?
echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
# Generate certificates with the random port
-gnutls_timewrapper_standalone static "${CERTDATE}" ${CERTTOOL} \
+"$FAKETIME" "$FAKETIME_F_OPT" "${CERTDATE}" ${CERTTOOL} \
--generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
--load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
--load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
# SO_REUSEADDR usage.
PORT=${OCSP_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${OPENSSL}" ocsp -index "${srcdir}/ocsp-tests/certs/ocsp_index.txt" -text \
-port "${OCSP_PORT}" \
-rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \
t=0
while test "${t}" -lt "${SERVER_START_TIMEOUT}"; do
# Run a test request to make sure the server works
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
${VALGRIND} "${OCSPTOOL}" --ask \
--load-cert "${SERVER_CERT_FILE}" \
--load-issuer "${srcdir}/ocsp-tests/certs/ca.pem"
PORT=${TLS_SERVER_PORT}
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
# Generate certificates with the random port
-gnutls_timewrapper_standalone static "${CERTDATE}" ${CERTTOOL} \
+"$FAKETIME" "$FAKETIME_F_OPT" "${CERTDATE}" ${CERTTOOL} \
--generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
--load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
--load-privkey "${srcdir}/ocsp-tests/certs/server_bad.key" \
TLS_SERVER_PORT=$PORT
launch_bare_server \
- gnutls_timewrapper_standalone "${TESTDATE}" \
+ "$FAKETIME" "${TESTDATE}" \
"${SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_bad.key" \
--x509certfile="${SERVER_CERT_FILE}" \
wait_for_port "${TLS_SERVER_PORT}"
echo "test 123456" | \
- gnutls_timewrapper_standalone static "${TESTDATE}" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "${TESTDATE}" \
"${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
--port="${TLS_SERVER_PORT}" localhost
rc=$?
skip_if_no_datefudge
#try verification
-gnutls_timewrapper_standalone static "2010-10-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2010-10-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-allow-broken --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/pkcs7-cat-ca.pem"
rc=$?
exit 1
fi
-gnutls_timewrapper_standalone static "2016-10-10 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2016-10-10 00:00:00" \
${VALGRIND} "${CERTTOOL}" --verify-allow-broken --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/pkcs7-cat-ca.pem"
rc=$?
ASAN_OPTIONS="detect_leaks=0"
export ASAN_OPTIONS
-gnutls_timewrapper_standalone static "2006-10-01 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2006-10-01 00:00:00" \
"${CERTTOOL}" --verify-chain --outfile "$TMPFILE1" --infile "${srcdir}/rsa-md5-collision/colliding-chain-md5-1.pem"
if test $? = 0;then
echo "Verification on chain1 succeeded"
fi
-gnutls_timewrapper_standalone static "2006-10-01 00:00:00" \
+"$FAKETIME" "$FAKETIME_F_OPT" "2006-10-01 00:00:00" \
"${CERTTOOL}" --verify-chain --outfile "$TMPFILE2" --infile "${srcdir}/rsa-md5-collision/colliding-chain-md5-2.pem"
if test $? = 0;then
echo "Verification on chain2 succeeded"
'
skip_if_no_datefudge() {
- # Prefer faketime, fall back to datefudge.
- # Allow datefudge/faketime to be manually selected by setting env-var
- if test -z "${GNUTLS_TIMEWRAPPER_CMD}" ; then
- if test "$WINDOWS" = 1; then
- exit 77
- fi
-
- TSTAMP=`faketime -f "2006-09-23 00:00:00" "${top_builddir}/tests/datefudge-check" || true`
- if test "$TSTAMP" = "1158969600"; then
- GNUTLS_TIMEWRAPPER_CMD=faketime
- else
- TSTAMP=`datefudge -s "2006-09-23 00:00:00" "${top_builddir}/tests/datefudge-check" || true`
- if test "$TSTAMP" = "1158969600"; then
- GNUTLS_TIMEWRAPPER_CMD=datefudge
- else
- echo "You need faketime/datefudge to run this test"
- exit 77
- fi
- fi
+ if test "$ac_cv_faketime_works" != yes; then
+ exit 77
fi
}
-gnutls_timewrapper_standalone() {
- if test -z "${GNUTLS_TIMEWRAPPER_CMD}" ; then
- echo "Missing invocation of skip_if_no_datefudge()"
- exit 1
- fi
-
- if [ "$1" = "static" ] ; then
- shift
- case ${GNUTLS_TIMEWRAPPER_CMD} in
- faketime)
- faketime -f "$@"
- ;;
- datefudge)
- datefudge -s "$@"
- ;;
- *)
- echo "GNUTLS_TIMEWRAPPER_CMD ${GNUTLS_TIMEWRAPPER_CMD} invalid" 1>&2
- exit 1
- ;;
- esac
- else
- ${GNUTLS_TIMEWRAPPER_CMD} "$@"
- fi
-}
-
-
fail() {
PID="$1"
shift
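Review bot: The rewritten `skip_if_no_datefudge` exits 77 without saying why, whereas the removed code printed "You need faketime/datefudge to run this test". As far as the visible hunks show, `ac_cv_faketime_works` reaches the scripts only through `TESTS_ENVIRONMENT`, so a script run by hand, or a build where configure recorded `no` or `cross-compiling`, skips every time-dependent certificate and OCSP verification test silently. I would keep a diagnostic before `exit 77`, e.g. `echo "faketime/datefudge not working (ac_cv_faketime_works=${ac_cv_faketime_works}); skipping" 1>&2`. The manual override through `GNUTLS_TIMEWRAPPER_CMD` also disappears here; if that is intended, a comment above the function naming the variables it now depends on (`FAKETIME`, `FAKETIME_F_OPT`, `ac_cv_faketime_works`) would help.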
PID=$!
wait_server ${PID}
-gnutls_timewrapper_standalone "2017-08-9" timeout 1800 \
+"$FAKETIME" "2017-08-9" timeout 1800 \
"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA" </dev/null || \
fail ${PID} "1. handshake with RSA should have succeeded!"
-gnutls_timewrapper_standalone "2017-08-9" timeout 1800 \
+"$FAKETIME" "2017-08-9" timeout 1800 \
"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-ECDSA" </dev/null || \
fail ${PID} "2. handshake with ECC should have succeeded!"
-gnutls_timewrapper_standalone "2017-08-9" timeout 1800 \
+"$FAKETIME" "2017-08-9" timeout 1800 \
"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-SHA256" --save-cert ${TMPFILE} </dev/null || \
fail ${PID} "3. handshake with RSA should have succeeded!"
fail ${PID} "3. the certificate used by server was not the expected"
fi
-gnutls_timewrapper_standalone "2017-08-9" timeout 1800 \
+"$FAKETIME" "2017-08-9" timeout 1800 \
"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA:+SIGN-RSA-SHA256:+SIGN-RSA-PSS-RSAE-SHA256" --save-cert ${TMPFILE} </dev/null || \
fail ${PID} "4. handshake with RSA should have succeeded!"
# check whether the server used the RSA-PSS certificate when we asked for RSA-PSS signature
-gnutls_timewrapper_standalone "2017-08-9" timeout 1800 \
+"$FAKETIME" "2017-08-9" timeout 1800 \
"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256" --save-cert ${TMPFILE} </dev/null || \
fail ${PID} "4. handshake with RSA-PSS and SHA256 should have succeeded!"
PID=$!
wait_server ${PID}
-gnutls_timewrapper_standalone "2019-12-20" timeout 1800 \
+"$FAKETIME" "2019-12-20" timeout 1800 \
"${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 </dev/null && \
fail ${PID} "1. handshake with RSA should have failed!"
-gnutls_timewrapper_standalone "2019-12-20" timeout 1800 \
+"$FAKETIME" "2019-12-20" timeout 1800 \
"${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL </dev/null && \
fail ${PID} "2. handshake with RSA should have failed!"
TESTS_ENVIRONMENT += ENABLE_SSL3=1
endif
+TESTS_ENVIRONMENT += \
+ FAKETIME="$(FAKETIME)" \
+ FAKETIME_F_OPT="$(FAKETIME_F_OPT)" \
+ ac_cv_faketime_works="$(ac_cv_faketime_works)"
+
if ENABLE_TLS13_INTEROP
scripts_to_test += \
testcompat-openssl-tls13-cli.sh \
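Review bot: The exported name `FAKETIME` is also the environment variable libfaketime itself reads for its time specification, so every test process now inherits `FAKETIME=<path to wrapper>`. The `faketime` wrapper presumably overwrites it for the child it launches, so this is likely harmless in the wrapped calls, but a project-prefixed name would avoid the collision for anything that preloads libfaketime directly. A short comment above the block, e.g. `# time-faking wrapper and its "static" option, as detected by configure`, would also document where these values come from. The `if ENABLE_TLS13_INTEROP` block continues outside the hunk.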
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-openssl-cli-common.sh" ":%COMPAT"
ret=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-openssl-cli-common.sh" ":%NO_ETM"
ret=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-openssl-cli-common.sh"
ret=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-openssl-serv-common.sh" ":%COMPAT"
ret=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-openssl-serv-common.sh" ":%NO_ETM"
ret=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-openssl-serv-common.sh" ":%DISABLE_SAFE_RENEGOTIATION"
ret=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-openssl-serv-common.sh" ":%NO_TICKETS"
ret=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-openssl-serv-common.sh" ":%SAFE_RENEGOTIATION"
ret=$?
skip_if_no_datefudge
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-openssl-serv-common.sh"
ret=$?
exit 77
fi
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-polarssl-serv-common.sh" ":%COMPAT"
ret=$?
exit 77
fi
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-polarssl-serv-common.sh" ":%NO_ETM"
ret=$?
exit 77
fi
-gnutls_timewrapper_standalone "2012-09-02" timeout 1800 \
+"$FAKETIME" "2012-09-02" timeout 1800 \
"${srcdir}/testcompat-polarssl-serv-common.sh"
ret=$?
export GNUTLS_DEBUG_LEVEL=3
unset GNUTLS_SYSTEM_PRIORITY_FILE
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
fail "expected connection to succeed (1)"
export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
fail "expected connection to succeed (2)"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_MEDIUM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
fail "expected connection to succeed (3)"
unset GNUTLS_SYSTEM_PRIORITY_FILE
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null ||
fail "expected connection to succeed (1)"
export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null &&
fail "expected connection to fail (1)"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_MEDIUM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null &&
fail "expected connection to fail (2)"
#successful case, test whether the ciphers we disable below work
echo "Sanity testing"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM:-GROUP-ALL:+GROUP-FFDHE2048 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage1: expected connection to succeed (1)"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:-MAC-ALL:+SHA1 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage1: expected connection to succeed (2)"
echo "Testing TLS1.3"
echo " * sanity"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage2: expected connection to succeed (1)"
echo " * fallback to good options"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE3072 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage2: expected connection to succeed (2)"
echo " * disabled cipher"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null && #>/dev/null &&
fail ${PID} "stage2: expected connection to fail (1)"
echo " * disabled group"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-GROUP-ALL:+GROUP-FFDHE2048 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null &&
fail ${PID} "stage2: expected connection to fail (2)"
echo "Testing TLS1.2"
echo " * sanity"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage3: expected connection to succeed (1)"
echo " * fallback to good options"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:+AES-256-GCM:-MAC-ALL:+SHA1:+AEAD --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null ||
fail ${PID} "stage3: expected connection to succeed (2)"
echo " * disabled cipher"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null &&
fail ${PID} "stage3: expected connection to fail (1)"
echo " * disabled MAC"
-gnutls_timewrapper_standalone "2017-11-22" \
+"$FAKETIME" "2017-11-22" \
"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA1 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null &&
fail ${PID} "stage3: expected connection to fail (2)"
pubkey="$5"
echo -n "* Generating client certificate... "
- gnutls_timewrapper_standalone static "$TESTDATE" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "$TESTDATE" \
"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
# start server
eval "${GETPORT}"
- launch_bare_server gnutls_timewrapper_standalone static "$TESTDATE" \
+ launch_bare_server "$FAKETIME" "$FAKETIME_F_OPT" "$TESTDATE" \
$VALGRIND $SERV $DEBUG -p "$PORT" \
${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" \
wait_server ${PID}
# connect to server using SC
- gnutls_timewrapper_standalone static "$TESTDATE" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
fail ${PID} "Connection should have failed!"
- gnutls_timewrapper_standalone static "$TESTDATE" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
fail ${PID} "Connection (with files) should have succeeded!"
- gnutls_timewrapper_standalone static "$TESTDATE" \
+ "$FAKETIME" "$FAKETIME_F_OPT" "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
--x509keyfile="${token};object=gnutls-client;object-type=private" \
--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \