summaryrefslogtreecommitdiffstats
path: root/tests/system-override-curves-allowlist.sh
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 07:33:12 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 07:33:12 +0000
commit36082a2fe36ecd800d784ae44c14f1f18c66a7e9 (patch)
tree6c68e0c0097987aff85a01dabddd34b862309a7c /tests/system-override-curves-allowlist.sh
parentInitial commit. (diff)
downloadgnutls28-upstream.tar.xz
gnutls28-upstream.zip
Adding upstream version 3.7.9.upstream/3.7.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/system-override-curves-allowlist.sh')
-rwxr-xr-xtests/system-override-curves-allowlist.sh211
1 files changed, 211 insertions, 0 deletions
diff --git a/tests/system-override-curves-allowlist.sh b/tests/system-override-curves-allowlist.sh
new file mode 100755
index 0000000..8c273aa
--- /dev/null
+++ b/tests/system-override-curves-allowlist.sh
@@ -0,0 +1,211 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+
+: ${srcdir=.}
+: ${builddir=.}
+: ${SERV=../src/gnutls-serv${EXEEXT}}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+: ${CERTTOOL=../src/certtool${EXEEXT}}
+: ${GREP=grep}
+: ${DIFF=diff}
+: ${SED=sed}
+: ${CAT=cat}
+TMPFILE_KEY=key.$$.pem.tmp
+TMPFILE_CONFIG=config.$$.pem.tmp
+TMPFILE_INPUT_SCRIPT=input.$$.script.tmp
+TMPFILE_OBSERVED_LOG=observed.$$.log.tmp
+TMPFILE_EXPECTED_LOG=expected.$$.log.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+for tool in "${CERTTOOL}" "${SERV}" "${CLI}"; do
+ if ! test -x "$tool"; then
+ exit 77
+ fi
+done
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+# This test doesn't work in FIPS mode
+if test -n "${GNUTLS_FORCE_FIPS_MODE}" && test "${GNUTLS_FORCE_FIPS_MODE}" != 0; then
+ exit 77
+fi
+
+cleanup() {
+ rm -f "${TMPFILE_KEY}" "${TMPFILE_INPUT_SCRIPT}"
+ rm -f "${TMPFILE_OBSERVED_LOG}" "${TMPFILE_EXPECTED_LOG}"
+}
+trap cleanup 1 15 2 EXIT
+
+# Set up a reasonable but minimal configuration file using allowlisting
+# allowing just a few curves.
+# We intentionally add stray spaces and tabs to check our parser
+cat <<_EOF_ > ${TMPFILE_CONFIG}
+[global]
+override-mode = allowlist
+
+[overrides]
+ enabled-curve= seCp384r1
+enabled-curve =X448
+_EOF_
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE_CONFIG}"
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+export INITIALLY_ENABLED_CURVES="SECP384R1 X448"
+export INITIALLY_DISABLED_CURVES="SECP256R1 SECP521R1 X25519"
+EXAMPLE_DISABLED_PRIORITY=NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-X25519
+
+export GNUTLS_DEBUG_LEVEL=3
+
+
+# --list output
+
+"${CLI}" --list|grep ^Groups >"${TMPFILE_OBSERVED_LOG}"
+cat "${TMPFILE_OBSERVED_LOG}"
+for curve in ${INITIALLY_DISABLED_CURVES}; do
+ if grep -i "$curve" "${TMPFILE_OBSERVED_LOG}"; then
+ echo "Found disabled curve $curve within --list output"
+ exit 1
+ fi
+done
+
+for curve in ${INITIALLY_ENABLED_CURVES}; do
+ if ! grep -i "$curve" ${TMPFILE_OBSERVED_LOG};then
+ echo "Could not found $curve within --list output"
+ exit 1
+ fi
+done
+
+
+# TLS: try whether a client connection with a disabled curve will succeed
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --priority ${EXAMPLE_DISABLED_PRIORITY} --insecure --logfile ${TMPFILE_OBSERVED_LOG} </dev/null >/dev/null ||
+ fail "expected connection to succeed (1)"
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE_CONFIG}"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority ${EXAMPLE_DISABLED_PRIORITY} --insecure --logfile ${TMPFILE_OBSERVED_LOG} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+# TLS: try whether a server connection with a disabled curve will succeed
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --priority ${EXAMPLE_DISABLED_PRIORITY} --insecure --logfile ${TMPFILE_OBSERVED_LOG} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE_CONFIG}"
+
+
+# Key generation using certtool
+
+for curve in ${INITIALLY_ENABLED_CURVES}; do
+ key_type=ecdsa
+ test $curve = X448 && key_type=x448
+ test $curve = X25519 && key_type=x25519
+ ${VALGRIND} ${CERTTOOL} \
+ --generate-privkey --key-type=$key_type --curve=$curve \
+ --outfile "${TMPFILE_KEY}"
+ EX=$?
+ if test $EX != 0; then
+ echo "key generation using $curve has failed ($EX)"
+ exit $EX
+ fi
+done
+
+for curve in ${INITIALLY_DISABLED_CURVES}; do
+ key_type=ecdsa
+ test $curve = X448 && key_type=x448
+ test $curve = X25519 && key_type=x25519
+ ${VALGRIND} ${CERTTOOL} \
+ --generate-privkey --key-type=$key_type --curve=$curve \
+ --outfile "${TMPFILE_KEY}" > ${TMPFILE_OBSERVED_LOG} 2>&1
+ EX=$?
+ if test $EX != 1; then
+ echo "key generation using $curve has succeeded unexpectedly"
+ exit $EX
+ fi
+ if ! ${GREP} -Fqx "Unsupported curve: $curve" "${TMPFILE_OBSERVED_LOG}"
+ then
+ ${CAT} "${TMPFILE_OBSERVED_LOG}"
+ echo "'Unsupported curve: $curve' not found in the output"
+ exit 1
+ fi
+done
+
+
+# Test key generation and gnutls_ecc_curve_set_enabled
+# using system-override-curves-allowlist.c
+
+${CAT} > "${TMPFILE_EXPECTED_LOG}" <<EOF
+disableable: SECP384R1
+disableable: X448
+reenableable: SECP256R1
+reenableable: SECP521R1
+reenableable: X25519
+EOF
+
+${VALGRIND} "${builddir}/system-override-curves-allowlist" \
+ > ${TMPFILE_OBSERVED_LOG}
+EX=$?
+if test $EX != 0; then
+ ${CAT} ${TMPFILE_OBSERVED_LOG}
+ echo "system-override-curves-allowlist(.c) failed with $EX"
+ exit $EX
+fi
+${DIFF} "${TMPFILE_EXPECTED_LOG}" "${TMPFILE_OBSERVED_LOG}"
+EX=$?
+if test $EX != 0; then
+ echo "system-override-curves-allowlist(.c) produced unexpected output"
+ exit 1
+fi
+
+exit 0