diff options
author | Moonchild <moonchild@palemoon.org> | 2020-12-23 19:02:52 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2020-12-23 19:02:52 +0000 |
commit | 029bcfe189eae5eebbaf58ccff4e1200dd78b228 (patch) | |
tree | 1c226a334ea1a88e2d1c6f949c9320eb0c3bff59 /security/nss/tests/ssl/ssl.sh | |
parent | 149d2ffa779826cb48a381099858e76e4624d471 (diff) | |
download | uxp-029bcfe189eae5eebbaf58ccff4e1200dd78b228.tar.gz |
Issue #1693 - Update NSS to 3.59.1.1
This updates to MoonchildProductions/NSS@bd49b2b88 in the repo created for our
consumption of the library.
Diffstat (limited to 'security/nss/tests/ssl/ssl.sh')
-rwxr-xr-x | security/nss/tests/ssl/ssl.sh | 95 |
1 files changed, 86 insertions, 9 deletions
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh index d8892ed87c..7e74397c9a 100755 --- a/security/nss/tests/ssl/ssl.sh +++ b/security/nss/tests/ssl/ssl.sh @@ -413,15 +413,6 @@ ssl_auth() echo "${testname}" | grep "TLS 1.3" > /dev/null TLS13=$? - # Currently TLS 1.3 tests are known to fail under FIPS mode, - # because HKDF is implemented using the PKCS #11 functions - # prohibited under FIPS mode. - if [ "${TLS13}" -eq 0 ] && \ - [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then - echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" - continue - fi - if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then @@ -895,6 +886,7 @@ ssl_policy_listsuites() cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav # Disallow all explicitly + testname="listsuites with all cipher disallowed by policy" setup_policy "disallow=all" ${P_R_CLIENTDIR} RET_EXP=1 list_enabled_suites | grep '^TLS_' @@ -903,6 +895,7 @@ ssl_policy_listsuites() "produced a returncode of $RET, expected is $RET_EXP" # Disallow RSA in key exchange explicitly + testname="listsuites with rsa cipher disallowed by policy" setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR} RET_EXP=1 list_enabled_suites | grep '^TLS_RSA_' @@ -910,11 +903,83 @@ ssl_policy_listsuites() html_msg $RET $RET_EXP "${testname}" \ "produced a returncode of $RET, expected is $RET_EXP" + # allow by policy, but disable by default + testname="listsuites with all ciphers enabled by policy but disabled by default" + setup_policy "allow=all disable=all" ${P_R_CLIENTDIR} + RET_EXP=1 + list_enabled_suites | grep '^TLS_' + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + # allow by policy, but disable by default just rsa-kea + testname="listsuites with all ciphers enabled by policy but rsa disabled by default" + setup_policy "allow=all disable=rsa/ssl-key-exchange" ${P_R_CLIENTDIR} + RET_EXP=1 + list_enabled_suites | grep '^TLS_RSA_' + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + # list_enabled_suites tries to set a policy value explicitly, This will + # cause list_enabled_suites to fail if we lock the policy + testname="listsuites with policy locked" + setup_policy "allow=all flags=policy-lock" ${P_R_CLIENTDIR} + RET_EXP=1 + SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt html "</TABLE><BR>" } +ssl_policy_pkix_ocsp() +{ + #verbose="-v" + html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"} + NSS_ENABLE_PKIX_VERIFY="1" + export NSS_ENABLE_PKIX_VERIFY + + testname="" + + if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then + html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" + return 1; + fi + + echo "Saving pkcs11.txt" + cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav + + # Disallow sha1 explicitly. This will test if we are trying to verify the sha1 signature + # on the GlobalSign root during OCSP processing + setup_policy "disallow=sha1" ${P_R_SERVERDIR} + RET_EXP=0 + echo " vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out" + vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out + # make sure we have the domain mismatch, not bad signature error + echo "grep 12276 ${P_R_SERVERDIR}/vfy.out" + grep 12276 ${P_R_SERVERDIR}/vfy.out + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + if [ "${PKIX_SAVE}" = "unset" ]; then + unset NSS_ENABLE_PKIX_VERIFY + else + NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE} + export NSS_ENABLE_PKIX_VERIFY + fi + cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt + + html "</TABLE><BR>" + +} + ############################## ssl_policy_selfserv ##################### # local shell function to perform SSL Policy tests, using selfserv ######################################################################## @@ -934,10 +999,21 @@ ssl_policy_selfserv() cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav # Disallow RSA in key exchange explicitly + testname="Disallow RSA key exchange explicitly" setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR} + SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} + # make sure policy is working in the multiprocess case is working on + # UNIX-like OS's. Other OS's can't properly clean up the child processes + # when our test suite kills the parent, so just use the single process + # self serve for them + if [ "${OS_ARCH}" != "WINNT" -a "${OS_ARCH}" != "WIN95" -a "${OS_ARCH}" != "OS2" ]; then + SERVER_OPTIONS="-M 3 ${SERVER_OPTIONS}" + fi + start_selfserv $CIPHER_SUITES + SERVER_OPTIONS="${SAVE_SERVER_OPTIONS}" VMIN="ssl3" VMAX="tls1.2" @@ -1521,6 +1597,7 @@ ssl_run_tests() if [ "${TEST_MODE}" = "SHARED_DB" ] ; then ssl_policy_listsuites ssl_policy_selfserv + ssl_policy_pkix_ocsp ssl_policy fi ;; |