gnutls/gnutls-3.7.0-test-fixes.patch
DistroBaker 4cec910829 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/gnutls.git#70bde1a03dde2a0335db58f9c2ce45b66f283967
2021-02-11 17:06:03 +00:00

196 lines
6.4 KiB
Diff

From c815f725448af8d023818a968e1296946ceb0f1c Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Mon, 21 Dec 2020 09:36:47 -0500
Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers
Recent changes to trousers now require an ownership of root:tss for
the tcsd config file, older ones requires tss:tss. So, start tcsd
using trial and error with either one of these ownership configurations
until one works.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/tpmtool_test.sh | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh
index eba502612..77fe17e59 100755
--- a/tests/tpmtool_test.sh
+++ b/tests/tpmtool_test.sh
@@ -138,6 +138,7 @@ start_tcsd()
local tcsd_conf=$workdir/tcsd.conf
local tcsd_system_ps_file=$workdir/system_ps_file
local tcsd_pidfile=$workdir/tcsd.pid
+ local owner
start_swtpm "$workdir"
[ $? -ne 0 ] && return 1
@@ -146,20 +147,36 @@ start_tcsd()
port = $TCSD_LISTEN_PORT
system_ps_file = $tcsd_system_ps_file
_EOF_
+ # older versions of trousers require tss:tss ownership of the
+ # config file, later ones root:tss
+ for owner in tss root; do
+ if [ "$owner" = "tss" ]; then
+ chmod 0600 $tcsd_conf
+ else
+ chmod 0640 $tcsd_conf
+ fi
+ chown $owner:tss $tcsd_conf
- chown tss:tss $tcsd_conf
- chmod 0600 $tcsd_conf
+ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
+ BASH_PID=$!
- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
- BASH_PID=$!
+ if wait_for_file $tcsd_pidfile 3; then
+ echo "Could not get TCSD's PID file"
+ return 1
+ fi
- if wait_for_file $tcsd_pidfile 3; then
- echo "Could not get TCSD's PID file"
- return 1
- fi
+ sleep 0.5
+ TCSD_PID=$(cat $tcsd_pidfile)
+ kill -0 "${TCSD_PID}"
+ if [ $? -ne 0 ]; then
+ # Try again with other owner
+ continue
+ fi
+ return 0
+ done
- TCSD_PID=$(cat $tcsd_pidfile)
- return 0
+ echo "TCSD could not be started"
+ return 1
}
stop_tcsd()
--
2.29.2
From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Dec 2020 16:16:53 +0100
Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry
The certificates stored in tests/testpkcs11-certs expired on
2020-12-13. To avoid verification failure due to that, use datefudge
to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
Based on the patch by Andreas Metzler:
https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/testpkcs11.sh | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 38b9585bc..09a627477 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -67,6 +67,8 @@ have_ed25519=0
P11TOOL="${VALGRIND} ${P11TOOL} --batch"
SERV="${SERV} -q"
+TESTDATE=2020-12-01
+
. ${srcdir}/scripts/common.sh
rm -f "${LOGFILE}"
@@ -79,6 +81,8 @@ exit_error () {
exit 1
}
+skip_if_no_datefudge
+
# $1: token
# $2: PIN
# $3: filename
@@ -523,6 +527,7 @@ write_certificate_test () {
pubkey="$5"
echo -n "* Generating client certificate... "
+ datefudge -s "$TESTDATE" \
"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
@@ -900,7 +905,9 @@ use_certificate_test () {
echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
# start server
eval "${GETPORT}"
- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
+ launch_bare_server datefudge -s "$TESTDATE" \
+ $VALGRIND $SERV $DEBUG -p "$PORT" \
+ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" \
--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
@@ -908,13 +915,16 @@ use_certificate_test () {
wait_server ${PID}
# connect to server using SC
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
fail ${PID} "Connection should have failed!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
fail ${PID} "Connection (with files) should have succeeded!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
--x509keyfile="${token};object=gnutls-client;object-type=private" \
--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
--
2.29.2
From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 9 Feb 2021 15:26:07 +0100
Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority
settings
When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many
places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging
system that runs the test in a restricted environment. Unsetting it
after a temporary use forces the remaining part of the test to use the
default system priority, which might not be the intention of the user.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/gnutls-cli-debug.sh | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
index a73910dea..3c3e2214e 100755
--- a/tests/gnutls-cli-debug.sh
+++ b/tests/gnutls-cli-debug.sh
@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE}
tls-disabled-cipher = CAMELLIA-128-CBC
tls-disabled-cipher = CAMELLIA-256-CBC
_EOF_
-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
timeout 1800 datefudge "2017-08-9" \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
-unset GNUTLS_SYSTEM_PRIORITY_FILE
-
kill ${PID}
wait
--
2.29.2