diff options
| author | Daiki Ueno <dueno@redhat.com> | 2017-10-10 16:01:30 +0200 |
|---|---|---|
| committer | Daiki Ueno <dueno@redhat.com> | 2017-10-10 16:01:30 +0200 |
| commit | 7258806839ab32a9ffe634ae70645205605663bf (patch) | |
| tree | 31908b59a82e9b13c2a38f923ad9bfab73a01450 /tests | |
| parent | 313854678e3a0c70507ec06258449be46190b482 (diff) | |
| download | nss-hg-7258806839ab32a9ffe634ae70645205605663bf.tar.gz | |
Bug 1416730, selfserv: Call NSS_Initialize early to respect policy in SSL, r=rrelyea
Diffstat (limited to 'tests')
| -rwxr-xr-x | tests/ssl/ssl.sh | 61 |
1 files changed, 56 insertions, 5 deletions
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh index 4f5bb55bf..580fe16e0 100755 --- a/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh @@ -682,7 +682,8 @@ ssl_crl_ssl() setup_policy() { policy="$1" - OUTFILE=${P_R_CLIENTDIR}/pkcs11.txt + outdir="$2" + OUTFILE="${outdir}/pkcs11.txt" cat > "$OUTFILE" << ++EOF++ library= name=NSS Internal PKCS #11 Module @@ -698,7 +699,7 @@ NSS=trustOrder=100 ++EOF++ echo "******************************Testing with: " - cat ${P_R_CLIENTDIR}/pkcs11.txt + cat "$OUTFILE" echo "******************************" } @@ -745,7 +746,7 @@ ssl_policy() # load the policy policy=`echo ${policy} | sed -e 's;_; ;g'` - setup_policy "$policy" + setup_policy "$policy" ${P_R_CLIENTDIR} echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" @@ -799,7 +800,7 @@ ssl_policy_listsuites() cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav # Disallow all explicitly - setup_policy "disallow=all" + setup_policy "disallow=all" ${P_R_CLIENTDIR} RET_EXP=1 list_enabled_suites | grep '^TLS_' RET=$? @@ -807,7 +808,7 @@ ssl_policy_listsuites() "produced a returncode of $RET, expected is $RET_EXP" # Disallow RSA in key exchange explicitly - setup_policy "disallow=rsa/ssl-key-exchange" + setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR} RET_EXP=1 list_enabled_suites | grep '^TLS_RSA_' RET=$? @@ -819,6 +820,55 @@ ssl_policy_listsuites() html "</TABLE><BR>" } +############################## ssl_policy_selfserv ##################### +# local shell function to perform SSL Policy tests, using selfserv +######################################################################## +ssl_policy_selfserv() +{ + #verbose="-v" + html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + sparam="$CIPHER_SUITES" + + if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then + html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" + return 1; + fi + + echo "Saving pkcs11.txt" + cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav + + # Disallow RSA in key exchange explicitly + setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR} + + start_selfserv # Launch the server + + VMIN="ssl3" + VMAX="tls1.2" + + # Try to connect to the server with a ciphersuite using RSA in key exchange + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + RET_EXP=254 + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + RET=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt + + kill_selfserv + html "</TABLE><BR>" +} + ############################# is_revoked ############################### # local shell function to check if certificate is revoked ######################################################################## @@ -1206,6 +1256,7 @@ ssl_run_tests() "policy") if [ "${TEST_MODE}" = "SHARED_DB" ] ; then ssl_policy_listsuites + ssl_policy_selfserv ssl_policy fi ;; |