author | Martin Thomson <martin.thomson@gmail.com> | 2017-01-26 06:41:37 +0900 |
---|---|---|
committer | Martin Thomson <martin.thomson@gmail.com> | 2017-01-26 06:41:37 +0900 |
commit | 1aaea1ef4ff9a9d5e77badd418b07060bb0e9de1 (patch) | |
tree | 740e79d5dc03ad0df0535b775a621d618fa1c569 /gtests/ssl_gtest/tls_connect.cc | |
parent | 4b6df262a3d4f54e4a1f631d1e4c8973e9b22d86 (diff) | |
Bug 1325035 - Streamline session ticket key wrapping, r=ttaubert
Differential Revision: https://nss-review.dev.mozaws.net/D127
Diffstat (limited to 'gtests/ssl_gtest/tls_connect.cc')
-rw-r--r-- | gtests/ssl_gtest/tls_connect.cc | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/gtests/ssl_gtest/tls_connect.cc b/gtests/ssl_gtest/tls_connect.cc
index 2b122e5cb..dd50056db 100644
--- a/gtests/ssl_gtest/tls_connect.cc
+++ b/gtests/ssl_gtest/tls_connect.cc
@@ -13,6 +13,7 @@ extern "C" {
 #include "databuffer.h"
 #include "gtest_utils.h"
+#include "scoped_ptrs.h"
 #include "sslproto.h"
 extern std::string g_working_dir_path;
@@ -345,6 +346,13 @@ void TlsConnectTestBase::CheckKeys(SSLKEAType kea_type,
 scheme = ssl_sig_none;
 break;
 case ssl_auth_rsa_sign:
+ if (version_ >= SSL_LIBRARY_VERSION_TLS_1_2) {
+ scheme = ssl_sig_rsa_pss_sha256;
+ } else {
+ scheme = ssl_sig_rsa_pkcs1_sha256;
+ }
+ break;
+ case ssl_auth_rsa_pss:
 scheme = ssl_sig_rsa_pss_sha256;
 break;
 case ssl_auth_ecdsa:
@@ -390,6 +398,7 @@ void TlsConnectTestBase::ConnectExpectFailOneSide(TlsAgent::Role failing_side) {
 }
 void TlsConnectTestBase::ConfigureVersion(uint16_t version) {
+ version_ = version;
 client_->SetVersionRange(version, version);
 server_->SetVersionRange(version, version);
 }
@@ -440,10 +449,16 @@ void TlsConnectTestBase::ConfigureSessionCache(SessionResumptionMode client,
 client_->ConfigureSessionCache(client);
 server_->ConfigureSessionCache(server);
 if ((server & RESUME_TICKET) != 0) {
- // This is an abomination. NSS encrypts session tickets with the server's
- // RSA public key. That means we need the server to have an RSA certificate
- // even if it won't be used for the connection.
- server_->ConfigServerCert(TlsAgent::kServerRsaDecrypt);
+ ScopedCERTCertificate cert;
+ ScopedSECKEYPrivateKey privKey;
+ ASSERT_TRUE(TlsAgent::LoadCertificate(TlsAgent::kServerRsaDecrypt, &cert,
+ &privKey));
+
+ ScopedSECKEYPublicKey pubKey(CERT_ExtractPublicKey(cert.get()));
+ ASSERT_TRUE(pubKey);
+
+ EXPECT_EQ(SECSuccess,
+ SSL_SetSessionTicketKeyPair(pubKey.get(), privKey.get()));
 }
 }
|
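Review bot: The `ssl_auth_rsa_sign` branch in CheckKeys now takes its expected signature scheme from `version_`, which this diff assigns only in ConfigureVersion() (the hunk at -390), so a test that sets the version range on the agents some other way would be checked against a stale value. The declaration and initial value of `version_` are not in the visible hunks, so it is unclear what the comparison sees before ConfigureVersion() has run. The expectation is also built from the configured version rather than the one actually negotiated, which could hide a signature-scheme mismatch if the two ever differ. I would at least document this above the branch with `// version_ is the value last passed to ConfigureVersion(), not the negotiated version.` CheckKeys begins and ends outside this hunk.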
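Review bot: `pubKey` and `privKey` in ConfigureSessionCache are scoped pointers released when the `if ((server & RESUME_TICKET) != 0)` block ends, so this is only safe if `SSL_SetSessionTicketKeyPair` takes its own references to both keys, which nothing in the hunk shows. The call takes no socket argument, so the key pair presumably becomes process-wide state that outlives the test; it is worth confirming whether teardown should reset it so later tests do not silently reuse this key. The removed comment explaining why an RSA key is needed has no replacement, and I would add `// Ticket wrapping needs an RSA key pair; SSL_SetSessionTicketKeyPair is expected to keep its own references to the keys.` above the block. The function's signature sits in the hunk header, so the start of ConfigureSessionCache is outside the hunk.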