From c815f725448af8d023818a968e1296946ceb0f1c Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Mon, 21 Dec 2020 09:36:47 -0500
Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers
Recent changes to trousers now require an ownership of root:tss for the tcsd config file, older ones requires tss:tss. So, start tcsd using trial and error with either one of these ownership configurations until one works.
Signed-off-by: Stefan Berger
---
tests/tpmtool_test.sh | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh
index eba502612..77fe17e59 100755
--- a/tests/tpmtool_test.sh
+++ b/tests/tpmtool_test.sh
@@ -138,6 +138,7 @@ start_tcsd()
local tcsd_conf=$workdir/tcsd.conf
local tcsd_system_ps_file=$workdir/system_ps_file
local tcsd_pidfile=$workdir/tcsd.pid
+ local owner
start_swtpm "$workdir"
[ $? -ne 0 ] && return 1
@@ -146,20 +147,36 @@ start_tcsd()
port = $TCSD_LISTEN_PORT
system_ps_file = $tcsd_system_ps_file
_EOF_
+ # older versions of trousers require tss:tss ownership of the
+ # config file, later ones root:tss
+ for owner in tss root; do
+ if [ "$owner" = "tss" ]; then
+ chmod 0600 $tcsd_conf
+ else
+ chmod 0640 $tcsd_conf
+ fi
+ chown $owner:tss $tcsd_conf
- chown tss:tss $tcsd_conf
- chmod 0600 $tcsd_conf
+ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
+ BASH_PID=$!
- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
- BASH_PID=$!
+ if wait_for_file $tcsd_pidfile 3; then
+ echo "Could not get TCSD's PID file"
+ return 1
+ fi
- if wait_for_file $tcsd_pidfile 3; then
- echo "Could not get TCSD's PID file"
- return 1
- fi
+ sleep 0.5
+ TCSD_PID=$(cat $tcsd_pidfile)
+ kill -0 "${TCSD_PID}"
+ if [ $? -ne 0 ]; then
+ # Try again with other owner
+ continue
+ fi
+ return 0
+ done
- TCSD_PID=$(cat $tcsd_pidfile)
- return 0
+ echo "TCSD could not be started"
+ return 1
}
stop_tcsd()
--
2.29.2
From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 28 Dec 2020 16:16:53 +0100
Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry
The certificates stored in tests/testpkcs11-certs expired on 2020-12-13. To avoid verification failure due to that, use datefudge to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
Based on the patch by Andreas Metzler: https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
Signed-off-by: Daiki Ueno
---
tests/testpkcs11.sh | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 38b9585bc..09a627477 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
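Review bot: A stale PID file can defeat the retry: on the `continue` path the `$tcsd_pidfile` written by the failed tss:tss attempt is left behind, so in the root:tss iteration `wait_for_file $tcsd_pidfile 3` (defined outside this diff, but presumably keyed on the file's existence) is satisfied at once and `TCSD_PID=$(cat $tcsd_pidfile)` can read the dead daemon's PID before the new `bash -c` wrapper has overwritten it, so `kill -0` fails again and the loop falls through to "TCSD could not be started" even when root:tss would have worked. Making `rm -f "$tcsd_pidfile"` the first statement of the loop body (before the `bash -c` line) closes that window. The `sleep 0.5` before `kill -0` is a timing heuristic rather than a readiness check — a tcsd that rejects the config a little later still passes — so a comment such as `# best-effort: tcsd exits quickly when it rejects the config ownership` would stop someone from tightening it. With tcsd's output sent to `/dev/null` and the `chown` (which needs root) unchecked, both iterations fail with the same generic message; including `$owner` in the failure echo would make the failure diagnosable.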
@@ -67,6 +67,8 @@ have_ed25519=0
P11TOOL="${VALGRIND} ${P11TOOL} --batch"
SERV="${SERV} -q"
+TESTDATE=2020-12-01
+
. ${srcdir}/scripts/common.sh
rm -f "${LOGFILE}"
@@ -79,6 +81,8 @@ exit_error () {
exit 1
}
+skip_if_no_datefudge
+
# $1: token
# $2: PIN
# $3: filename
@@ -523,6 +527,7 @@ write_certificate_test () {
pubkey="$5"
echo -n "* Generating client certificate... "
+ datefudge -s "$TESTDATE" \
"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
@@ -900,7 +905,9 @@ use_certificate_test () {
echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
# start server
eval "${GETPORT}"
- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
+ launch_bare_server datefudge -s "$TESTDATE" \
+ $VALGRIND $SERV $DEBUG -p "$PORT" \
+ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" \
--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
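Review bot: `TESTDATE=2020-12-01` carries no explanation in the script; the reason (the certificates under tests/testpkcs11-certs expired on 2020-12-13, per the commit message) is exactly what the next person regenerating those fixtures needs to see next to the constant, because a new set of certificates with a different notBefore will silently make this date wrong. Suggest `# testpkcs11-certs/* expired on 2020-12-13; freeze the clock inside their validity window` above the assignment. Since a missing datefudge now skips the whole test (`skip_if_no_datefudge` in the next hunk) rather than failing it, a short note there that the skip is about expired fixtures rather than a feature gap would also help a packager reading the skip.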
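Review bot: The `launch_bare_server` line re-spells the server invocation (`$VALGRIND $SERV $DEBUG -p "$PORT"` plus `--debug 10`) that `launch_server` presumably assembled before; `launch_server` is not in this diff, so I can't confirm the two are equivalent, and the only visible reason for going bare is to put `datefudge -s "$TESTDATE"` in front of the server. A one-line comment stating that, e.g. `# bare launch so gnutls-serv also runs under the fudged clock`, would save the next reader a trip to common.sh and explain why this call alone differs from the other server launches in the file. `use_certificate_test` continues past the end of this hunk.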
@@ -908,13 +915,16 @@ use_certificate_test () {
wait_server ${PID}
# connect to server using SC
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 && \
fail ${PID} "Connection should have failed!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \
fail ${PID} "Connection (with files) should have succeeded!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
--x509keyfile="${token};object=gnutls-client;object-type=private" \
--x509cafile="${cafile}" >>"${LOGFILE}" 2>&1 || \
--
2.29.2
From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Tue, 9 Feb 2021 15:26:07 +0100
Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority settings
When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging system that runs the test in a restricted environment. Unsetting it after a temporary use forces the remaining part of the test to use the default system priority, which might not be the intention of the user.
Signed-off-by: Daiki Ueno
---
tests/gnutls-cli-debug.sh | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
index a73910dea..3c3e2214e 100755
--- a/tests/gnutls-cli-debug.sh
+++ b/tests/gnutls-cli-debug.sh
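Review bot: The first `datefudge`-wrapped client call only asserts that the handshake fails (`&& fail ${PID} "Connection should have failed!"`), so if the fudged clock did not take effect — datefudge works by preload, which `${VALGRIND}` or a statically linked client could defeat — that assertion would still pass, for the wrong reason: certificate expiry instead of the missing client certificate. The two positive calls that follow would then fail and expose it, so this is a diagnosis gap rather than a coverage gap, but checking `${LOGFILE}` for the expected rejection reason after the negative call would make that test prove what it is meant to prove. `use_certificate_test` ends outside this hunk.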
@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE}
tls-disabled-cipher = CAMELLIA-128-CBC
tls-disabled-cipher = CAMELLIA-256-CBC
_EOF_
-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
timeout 1800 datefudge "2017-08-9" \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
-unset GNUTLS_SYSTEM_PRIORITY_FILE
-
kill ${PID}
wait
--
2.29.2
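Review bot: The switch from `export` to a per-command `GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \` prefix is the right scoping, but nothing in the script says why, and the deleted `unset` is exactly the kind of "cleanup" a later reader might put back. Suggest `# scope the override to this one run so a caller-provided GNUTLS_SYSTEM_PRIORITY_FILE stays in effect for the rest of the test` above the prefix line. It is worth a word in the same comment that the variable reaches `"${DCLI}"` only by passing through `timeout` and `datefudge`, which should hand their environment on unchanged. The here-doc that writes `${TMPFILE}` begins before this hunk.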