diff options
author | Daiki Ueno <dueno@redhat.com> | 2017-10-10 16:01:30 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2017-10-10 16:01:30 +0200 |
commit | 7258806839ab32a9ffe634ae70645205605663bf (patch) | |
tree | 31908b59a82e9b13c2a38f923ad9bfab73a01450 | |
parent | 313854678e3a0c70507ec06258449be46190b482 (diff) | |
download | nss-hg-7258806839ab32a9ffe634ae70645205605663bf.tar.gz |
Bug 1416730, selfserv: Call NSS_Initialize early to respect policy in SSL, r=rrelyea
-rw-r--r-- | cmd/selfserv/selfserv.c | 14 | ||||
-rwxr-xr-x | tests/ssl/ssl.sh | 61 |
2 files changed, 63 insertions, 12 deletions
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c index e3dccf144..f18d4a15d 100644 --- a/cmd/selfserv/selfserv.c +++ b/cmd/selfserv/selfserv.c @@ -2494,6 +2494,13 @@ main(int argc, char **argv) break; } + /* Call the NSS initialization routines */ + rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY); + if (rv != SECSuccess) { + fputs("NSS_Init failed.\n", stderr); + exit(8); + } + /* The -b (bindOnly) option is only used by the ssl.sh test * script on Linux to determine whether a previous selfserv * process has fully died and freed the port. (Bug 129701) @@ -2603,13 +2610,6 @@ main(int argc, char **argv) /* set our password function */ PK11_SetPasswordFunc(SECU_GetModulePassword); - /* Call the NSS initialization routines */ - rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY); - if (rv != SECSuccess) { - fputs("NSS_Init failed.\n", stderr); - exit(8); - } - /* all SSL3 cipher suites are enabled by default. */ if (cipherString) { char *cstringSaved = cipherString; diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh index 4f5bb55bf..580fe16e0 100755 --- a/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh @@ -682,7 +682,8 @@ ssl_crl_ssl() setup_policy() { policy="$1" - OUTFILE=${P_R_CLIENTDIR}/pkcs11.txt + outdir="$2" + OUTFILE="${outdir}/pkcs11.txt" cat > "$OUTFILE" << ++EOF++ library= name=NSS Internal PKCS #11 Module @@ -698,7 +699,7 @@ NSS=trustOrder=100 ++EOF++ echo "******************************Testing with: " - cat ${P_R_CLIENTDIR}/pkcs11.txt + cat "$OUTFILE" echo "******************************" } @@ -745,7 +746,7 @@ ssl_policy() # load the policy policy=`echo ${policy} | sed -e 's;_; ;g'` - setup_policy "$policy" + setup_policy "$policy" ${P_R_CLIENTDIR} echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" @@ -799,7 +800,7 @@ ssl_policy_listsuites() cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav # Disallow all explicitly - setup_policy "disallow=all" + setup_policy "disallow=all" ${P_R_CLIENTDIR} RET_EXP=1 list_enabled_suites | grep '^TLS_' RET=$? @@ -807,7 +808,7 @@ ssl_policy_listsuites() "produced a returncode of $RET, expected is $RET_EXP" # Disallow RSA in key exchange explicitly - setup_policy "disallow=rsa/ssl-key-exchange" + setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR} RET_EXP=1 list_enabled_suites | grep '^TLS_RSA_' RET=$? @@ -819,6 +820,55 @@ ssl_policy_listsuites() html "</TABLE><BR>" } +############################## ssl_policy_selfserv ##################### +# local shell function to perform SSL Policy tests, using selfserv +######################################################################## +ssl_policy_selfserv() +{ + #verbose="-v" + html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + sparam="$CIPHER_SUITES" + + if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then + html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" + return 1; + fi + + echo "Saving pkcs11.txt" + cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav + + # Disallow RSA in key exchange explicitly + setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR} + + start_selfserv # Launch the server + + VMIN="ssl3" + VMAX="tls1.2" + + # Try to connect to the server with a ciphersuite using RSA in key exchange + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + RET_EXP=254 + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + RET=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt + + kill_selfserv + html "</TABLE><BR>" +} + ############################# is_revoked ############################### # local shell function to check if certificate is revoked ######################################################################## @@ -1206,6 +1256,7 @@ ssl_run_tests() "policy") if [ "${TEST_MODE}" = "SHARED_DB" ] ; then ssl_policy_listsuites + ssl_policy_selfserv ssl_policy fi ;; |