diff options
author | Robert Relyea <rrelyea@redhat.com> | 2020-04-14 10:50:06 -0700 |
---|---|---|
committer | Robert Relyea <rrelyea@redhat.com> | 2020-04-14 10:50:06 -0700 |
commit | dc8a52a8c73e0bd35a623a3bb536be4d689e99cc (patch) | |
tree | ad8f44d8ae7bfaee2212ce476ff5309f29d76da3 /tests | |
parent | a7a61840f766e987cd67100f3835fc3f3da91e9e (diff) | |
download | nss-hg-dc8a52a8c73e0bd35a623a3bb536be4d689e99cc.tar.gz |
Bug 1629661 MPConfig calls in SSL initializes policy before NSS is initialized. r=mt
NSS has several config functions that multiprocess servers must call before NSS is initialized to set up shared memory caches between the processes. These functions call ssl_init(), which initializes the ssl policy. The ssl policy initialization, however needs to happen after NSS itself is initialized. Doing so before hand causes (in the best case) policy to be ignored by these servers, and crashes (in the worst case).
Instead, these cache functions should just initialize those things it needs (that is the NSPR ssl error codes).
This patch does:
1) fixes the cache init code to only initialize error codes.
2) fixes the selfserv MP code to 1) be compatible with ssl.sh's selfserv management (at least on Unix), and 2) mimic the way real servers handle the MP_Cache init code (calling NSS_Init after the cache set up).
3) update ssl.sh server policy test to test policy usage on an MP server. This
is only done for non-windows like OS's because they can't catch the kill signal
to force their children to shutdown.
I've verified that the test fails if 2 and 3 are included but 1 is not
(and succeeds if all three are included).
Differential Revision: https://phabricator.services.mozilla.com/D70948
Diffstat (limited to 'tests')
-rwxr-xr-x | tests/ssl/ssl.sh | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh index 718b861a9..d273a29b8 100755 --- a/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh @@ -927,8 +927,18 @@ ssl_policy_selfserv() # Disallow RSA in key exchange explicitly setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR} + SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} + # make sure policy is working in the multiprocess case is working on + # UNIX-like OS's. Other OS's can't properly clean up the child processes + # when our test suite kills the parent, so just use the single process + # self serve for them + if [ "${OS_ARCH}" != "WINNT" -a "${OS_ARCH}" != "WIN95" -a "${OS_ARCH}" != "OS2" ]; then + SERVER_OPTIONS="-M 3 ${SERVER_OPTIONS}" + fi + start_selfserv $CIPHER_SUITES + SERVER_OPTIONS="${SAVE_SERVER_OPTIONS}" VMIN="ssl3" VMAX="tls1.2" |