Bug 1416730, selfserv: Call NSS_Initialize early to respect policy in SSL, r=rrelyea

author: Daiki Ueno <dueno@redhat.com> 2017-10-10 16:01:30 +0200
committer: Daiki Ueno <dueno@redhat.com> 2017-10-10 16:01:30 +0200
commit: 7258806839ab32a9ffe634ae70645205605663bf (patch)
tree: 31908b59a82e9b13c2a38f923ad9bfab73a01450
parent: 313854678e3a0c70507ec06258449be46190b482 (diff)
download: nss-hg-7258806839ab32a9ffe634ae70645205605663bf.tar.gz
2 files changed, 63 insertions, 12 deletions
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
index e3dccf144..f18d4a15d 100644
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -2494,6 +2494,13 @@ main(int argc, char **argv)
             break;
     }
 
+    /* Call the NSS initialization routines */
+    rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
+    if (rv != SECSuccess) {
+        fputs("NSS_Init failed.\n", stderr);
+        exit(8);
+    }
+
     /* The -b (bindOnly) option is only used by the ssl.sh test
      * script on Linux to determine whether a previous selfserv
      * process has fully died and freed the port.  (Bug 129701)
@@ -2603,13 +2610,6 @@ main(int argc, char **argv)
     /* set our password function */
     PK11_SetPasswordFunc(SECU_GetModulePassword);
 
-    /* Call the NSS initialization routines */
-    rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
-    if (rv != SECSuccess) {
-        fputs("NSS_Init failed.\n", stderr);
-        exit(8);
-    }
-
     /* all SSL3 cipher suites are enabled by default. */
     if (cipherString) {
         char *cstringSaved = cipherString;
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
index 4f5bb55bf..580fe16e0 100755
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -682,7 +682,8 @@ ssl_crl_ssl()
 setup_policy()
 {
   policy="$1"
-  OUTFILE=${P_R_CLIENTDIR}/pkcs11.txt
+  outdir="$2"
+  OUTFILE="${outdir}/pkcs11.txt"
   cat > "$OUTFILE" << ++EOF++
 library=
 name=NSS Internal PKCS #11 Module
@@ -698,7 +699,7 @@ NSS=trustOrder=100
 ++EOF++
 
   echo "******************************Testing with: "
-  cat ${P_R_CLIENTDIR}/pkcs11.txt
+  cat "$OUTFILE"
   echo "******************************"
 }
 
@@ -745,7 +746,7 @@ ssl_policy()
 
           # load the policy
           policy=`echo ${policy} | sed -e 's;_; ;g'`
-          setup_policy "$policy"
+          setup_policy "$policy" ${P_R_CLIENTDIR}
 
           echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
           echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
@@ -799,7 +800,7 @@ ssl_policy_listsuites()
   cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
 
   # Disallow all explicitly
-  setup_policy "disallow=all" 
+  setup_policy "disallow=all" ${P_R_CLIENTDIR}
   RET_EXP=1
   list_enabled_suites | grep '^TLS_'
   RET=$?
@@ -807,7 +808,7 @@ ssl_policy_listsuites()
            "produced a returncode of $RET, expected is $RET_EXP"
 
   # Disallow RSA in key exchange explicitly
-  setup_policy "disallow=rsa/ssl-key-exchange"
+  setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR}
   RET_EXP=1
   list_enabled_suites | grep '^TLS_RSA_'
   RET=$?
@@ -819,6 +820,55 @@ ssl_policy_listsuites()
   html "</TABLE><BR>"
 }
 
+############################## ssl_policy_selfserv #####################
+# local shell function to perform SSL Policy tests, using selfserv
+########################################################################
+ssl_policy_selfserv()
+{
+  #verbose="-v"
+  html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+  testname=""
+  sparam="$CIPHER_SUITES"
+
+  if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
+      html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
+      return 1;
+  fi
+
+  echo "Saving pkcs11.txt"
+  cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav
+
+  # Disallow RSA in key exchange explicitly
+  setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR}
+
+  start_selfserv # Launch the server
+
+  VMIN="ssl3"
+  VMAX="tls1.2"
+
+  # Try to connect to the server with a ciphersuite using RSA in key exchange
+  echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+  echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+  RET_EXP=254
+  ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+          -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+          >${TMP}/$HOST.tmp.$$  2>&1
+  RET=$?
+  cat ${TMP}/$HOST.tmp.$$
+  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+  html_msg $RET $RET_EXP "${testname}" \
+           "produced a returncode of $RET, expected is $RET_EXP"
+
+  cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
+
+  kill_selfserv
+  html "</TABLE><BR>"
+}
+
 ############################# is_revoked ###############################
 # local shell function to check if certificate is revoked
 ########################################################################
@@ -1206,6 +1256,7 @@ ssl_run_tests()
         "policy")
             if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
                 ssl_policy_listsuites
+                ssl_policy_selfserv
                 ssl_policy
             fi
             ;;
author	Daiki Ueno <dueno@redhat.com>	2017-10-10 16:01:30 +0200
committer	Daiki Ueno <dueno@redhat.com>	2017-10-10 16:01:30 +0200
commit	7258806839ab32a9ffe634ae70645205605663bf (patch)
tree	31908b59a82e9b13c2a38f923ad9bfab73a01450
parent	313854678e3a0c70507ec06258449be46190b482 (diff)
download	nss-hg-7258806839ab32a9ffe634ae70645205605663bf.tar.gz