#!/bin/sh
# PCP QA Test No. 712
# Exercise encrypted communications between pmcd/clients
#
# Debugging notes:
# When this fails in TLS negotiation it is very hard to debug.
# There is special debugging magic between libpcp and libssl
# that needs to be activated.
# 1. add -D auth,tls,desperate to /etc/pcp/pmcd/pmcd.options
# 2. run this test
# 3. start dredging through /var/log/pmcd/pmcd.log.prev (.prev will
# be the one that was active when this test was run) ... in
# particular look for blocks of diagnostics that begin
# Received Record or Sent Record; these are the dumps of the TLS
# handshake messages (including the cipher negotiations and the
# certificates)
#
# Copyright (c) 2012-2013,2022 Red Hat.
# Copyright (c) 2023 Ken McDonell.
#
seq=`basename $0`
echo "QA output created by $seq"
. ./common.secure
_check_tls
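#######################################
# Put the system back the way the test found it: restore the saved
# TLS configuration, restart pmcd and pmlogger (which the test stops
# and reconfigures), re-enable their auto-restart and drop the temp
# files.  Registered with trap below, so it runs on every exit path.
# Globals:  PCP_TLSCONF_PATH, PCP_SECURE_SOCKETS, sudo, tmp
#           (sudo and tmp are assumed to come from the sourced
#           common.* files)
# Outputs:  filtered service restart messages on stdout
#######################################
_cleanup()
{
    _restore_config "$PCP_TLSCONF_PATH"
    unset PCP_SECURE_SOCKETS
    _service pmcd restart 2>&1 | _filter_pcp_restart
    _wait_for_pmcd
    _restore_auto_restart pmcd
    _service pmlogger restart 2>&1 | _filter_pcp_restart
    _wait_for_pmlogger
    _restore_auto_restart pmlogger
    # $sudo is deliberately left unquoted: it may be empty when the
    # test already runs as root.  ${tmp:?} aborts instead of letting
    # an unset $tmp turn the glob into a bare ".*", which would
    # remove dotfiles in the current directory.
    $sudo rm -rf -- "${tmp:?}".*
}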
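status=1        # failure is the default!
# _cleanup runs on normal exit and on HUP/INT/QUIT/TERM; "\$status" is
# escaped so the value is read when the trap fires, not when it is set
trap "_cleanup; exit \$status" 0 1 2 3 15

# seed file for openssl in the cwd, created once and noted in the
# full log — presumably consumed by the key/cert generation in
# _setup_tls (not visible here)
if [ ! -f .rnd ]
then
    echo "Creating random bytes in .rnd" >>"$seq_full"
    openssl rand -writerand .rnd
fi

_save_config "$PCP_TLSCONF_PATH"
_stop_auto_restart pmcd
_stop_auto_restart pmlogger

# NOTE(review): each "if ... fi" compound below is a pipeline stage and
# so runs in a subshell; whether "_exit 1" from inside it reaches the
# top-level script depends on how common.check implements _exit —
# confirm before relying on these as hard failures.
if ! _service pmlogger stop 2>&1; then _exit 1; fi \
| _filter_pcp_stop
_wait_pmlogger_end || _exit 1
if ! _service pmcd stop 2>&1; then _exit 1; fi \
| _filter_pcp_stop
_wait_pmcd_end || _exit 1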
#######################################
# Make pminfo output deterministic for comparison with the expected
# output: metric values, the pminfo PID, the local hostname and
# timestamps all vary from run to run.
# Globals:  hostname (read; assumed to come from the sourced common.*)
# Inputs:   pminfo output on stdin
# Outputs:  normalised text on stdout
#######################################
_filter_tls()
{
    sed -e 's/value [0-9][0-9]*/value NUMBER/' \
        -e '/pminfo([0-9][0-9]*)/s//pminfo(PID)/' \
        -e "s/host \"$hostname\"/host LOCALHOST/g" \
        -e 's/^\[[A-Z].. [A-Z].. *[0-9][0-9]* ..:..:..]/[DATE]/'
}
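# real QA test starts here
_setup_tls
original=$PCP_TLSCONF_PATH
# pristine copy of the TLS config; every variant below is derived
# from this one
cp "$original" "$tmp.tls.orig"

# NOTE(review): this "if ... fi" compound is a pipeline stage and runs
# in a subshell; whether "_exit 1" from inside it reaches the top-level
# script depends on how common.check implements _exit — confirm.
if ! _service pmcd start || ! _wait_for_pmcd
then
    # pmcd did not come up: dump the generated key/cert files (as
    # seen by $PCP_USER) and the openssl log to help diagnose why
    echo "--- cert & key files and sum by user $PCP_USER"
    for file in "$tmp".tls/*
    do
        ls -l -- "$file"
        sudo -u "$PCP_USER" sum "$file"
    done
    echo "--- openssl.log from key & cert setup"
    cat "$tmp.tls/openssl.log"
    _exit 1
fi | _filter_pcp_start

echo
echo "checking client, generic certificate. should pass..." | tee -a "$seq_full"
PCP_SECURE_SOCKETS=1; export PCP_SECURE_SOCKETS
# "yes |" presumably answers any interactive prompt pminfo may raise;
# raw output goes to the full log, filtered output to the QA output
yes | pminfo -h "$hostname" -f hinv.ncpu 2>&1 | tee -a "$seq_full" | _filter_tls

echo
echo "checking client, no certificate verify. should pass..." | tee -a "$seq_full"
PCP_SECURE_SOCKETS=1; export PCP_SECURE_SOCKETS
# the client reads an empty TLS config for this case only; the real
# path is put back immediately afterwards
PCP_TLSCONF_PATH=/dev/null; export PCP_TLSCONF_PATH
yes | pminfo -h "$hostname" -f hinv.ncpu 2>&1 | tee -a "$seq_full" | _filter_tls
PCP_TLSCONF_PATH=$original; export PCP_TLSCONF_PATH

echo
echo "checking client, verify certificate setup. should pass..." | tee -a "$seq_full"
cp "$tmp.tls.orig" "$tmp.tls.conf"
echo "tls-verify-clients = true" >> "$tmp.tls.conf"
$sudo cp "$tmp.tls.conf" "$PCP_TLSCONF_PATH"
PCP_SECURE_SOCKETS=1; export PCP_SECURE_SOCKETS
yes | pminfo -h "$hostname" -f hinv.ncpu 2>&1 | tee -a "$seq_full" | _filter_tls

echo
echo "checking client, server certificate only. should fail..." | tee -a "$seq_full"
# client-side config that presents the server's key/cert pair instead
# of the generic pcp.* pair; the connection is expected to be rejected
cp "$tmp.tls.orig" "$tmp.tls.conf"
sed -i -e 's/pcp.key/server.key/g' -e 's/pcp.crt/server.crt/g' "$tmp.tls.conf"
# keep this order: PCP_SECURE_SOCKETS is unset while pmcd is started
# and probed, the server-only config is installed for the client only
# after pmcd is up, and TLS is switched back on for the client last
unset PCP_SECURE_SOCKETS
if ! _service pmcd start; then _exit 1; fi \
| _filter_pcp_start
_wait_for_pmcd || _exit 1
$sudo cp "$tmp.tls.conf" "$PCP_TLSCONF_PATH"
PCP_TLSCONF_PATH=$original; export PCP_TLSCONF_PATH
PCP_SECURE_SOCKETS=1; export PCP_SECURE_SOCKETS
yes | pminfo -h "$hostname" -f hinv.ncpu 2>&1 | tee -a "$seq_full" | _filter_tls

# check mode where separate client/server certificates are used
# (disabled in the original test; kept here verbatim for reference)
#cp $tmp.tls.orig $tmp.tls.conf
#sed -i -e 's/pcp.key/server.key/g' $tmp.tls.conf
#sed -i -e 's/pcp.crt/server.crt/g' $tmp.tls.conf
#echo "tls-client-key-file = $here/tls.conf/client.key" >> $tmp.tls.conf
#echo "tls-client-cert-file = $here/tls.conf/client.crt" >> $tmp.tls.conf
#echo "tls-verify-clients = true" >> $tmp.tls.conf
#$sudo cp $tmp.tls.conf $PCP_TLSCONF_PATH
#unset PCP_SECURE_SOCKETS
#_service pmcd start | _filter_pcp_start
#_wait_for_pmcd
#echo
#echo "checking both client and server certificates. should pass..." | tee -a $seq_full
#PCP_SECURE_SOCKETS=1; export PCP_SECURE_SOCKETS
#yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq_full | _filter_tls

# success, all done
status=0
exit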