Add support for conditionally ignoring the system policy
This commit is contained in:
parent
4d5d729ef7
commit
80580e8121
|
@ -0,0 +1,22 @@
|
|||
--- ./lib/nss/nssinit.c.ignore_system_policy 2016-06-06 07:57:54.924457084 -0700
|
||||
+++ ./lib/nss/nssinit.c 2016-06-06 08:01:27.753830455 -0700
|
||||
@@ -678,17 +678,18 @@
|
||||
dbpath = NULL;
|
||||
}
|
||||
if (dbpath) {
|
||||
nss_FindExternalRoot(dbpath, secmodName);
|
||||
}
|
||||
}
|
||||
}
|
||||
#ifdef POLICY_FILE
|
||||
- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
|
||||
+ if (!PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY") &&
|
||||
+ PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
|
||||
SECMODModule *module = SECMOD_LoadModule(
|
||||
"name=\"Policy File\" "
|
||||
"parameters=\"configdir='sql:" POLICY_PATH "' "
|
||||
"secmod='" POLICY_FILE "' "
|
||||
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
|
||||
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
|
||||
parent, PR_TRUE);
|
||||
if (module) {
|
50
nss.spec
50
nss.spec
|
@ -4,6 +4,9 @@
|
|||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
# uncomment to make nss ignore the system policy file
|
||||
#%global nss_ignore_system_policy 1
|
||||
|
||||
# solution taken from icedtea-web.spec
|
||||
%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
|
||||
%ifarch %{multilib_arches}
|
||||
|
@ -21,7 +24,7 @@ Name: nss
|
|||
Version: 3.24.0
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 2.3%{?dist}
|
||||
Release: 2.4%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
@ -93,18 +96,22 @@ Patch49: nss-skip-bltest-and-fipstest.patch
|
|||
Patch50: iquote.patch
|
||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
# TODO: file a bug usptream
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch59: nss-check-policy-file.patch
|
||||
Patch60: nss-pem-unitialized-vars.path
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
|
||||
Patch61: mozbz1277569backport.patch
|
||||
# Upstream: https://git.fedorahosted.org/cgit/nss-pem.git/commit/
|
||||
# TODO: file a bug usptream
|
||||
# Upstream commit that caused problems with gtests
|
||||
# https://git.fedorahosted.org/cgit/nss-pem.git/commit/
|
||||
Patch62: nss-skip-util-gtest.patch
|
||||
# TODO: file a bug usptream when enough tests are run
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch63: tests-check-policy-file.patch
|
||||
# TODO: file a bug usptream when enough tests are run
|
||||
Patch64: tests-data-adjust-for-policy.patch
|
||||
# TODO: Under test and could be merged with nss-check-policy-file.patch
|
||||
Patch64: nss-conditionally-ignore-system-policy.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch65: tests-data-adjust-for-policy.patch
|
||||
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -194,7 +201,7 @@ pushd nss
|
|||
%patch61 -p1 -b .compatibility
|
||||
%patch62 -p0 -b .skip_util_gtest
|
||||
%patch63 -p1 -b .check_policy
|
||||
%patch64 -p1 -b .expected_result
|
||||
%patch64 -p0 -b .ignore_system_policy
|
||||
popd
|
||||
|
||||
#########################################################
|
||||
|
@ -231,13 +238,6 @@ done
|
|||
######## Remove portions that need to statically link with libnssutil.a
|
||||
%{__rm} -rf ./nss/external_tests/util_gtests
|
||||
|
||||
pushd nss/tests/ssl
|
||||
# Create versions of ssauth.txt, sslcov.txt and sslstress.txt that disable
|
||||
# tests for non policy compliant ciphers.
|
||||
cat sslauth.txt| sed -r "s/^([^#].*EXPORT|^[^#].*MD5)/#disabled \1/" > sslauth.noPolicy.txt
|
||||
cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*_WITH_DES_*)/#disabled \1/" > sslcov.noPolicy.txt
|
||||
cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*with MD5)/#disabled \1/" > sslstress.noPolicy.txt
|
||||
popd
|
||||
|
||||
%build
|
||||
|
||||
|
@ -319,6 +319,17 @@ export POLICY_FILE="nss.config"
|
|||
# location of the policy file
|
||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||
|
||||
# to keep nss from loading the policy file
|
||||
%if %{nss_ignore_system_policy}
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
%else
|
||||
# system policy is enforced
|
||||
pushd nss
|
||||
# change some sslauth.txt entries to expect failure when enforcing policy
|
||||
patch -p1 -b .expected_result < %{PATCH65}
|
||||
popd
|
||||
%endif
|
||||
|
||||
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
|
||||
# need nss/lib/util/verref.h which is exported privately,
|
||||
# copy the one we saved during prep so it they can find it.
|
||||
|
@ -425,6 +436,11 @@ export NSS_BLTEST_NOT_AVAILABLE=1
|
|||
# needed for the fips mangling test
|
||||
export SOFTOKEN_LIB_DIR=%{_libdir}
|
||||
|
||||
# tests need to know we kept nss from loading the policy file
|
||||
%if %{nss_ignore_system_policy}
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
%endif
|
||||
|
||||
# End -- copied from the build section
|
||||
|
||||
# enable the following line to force a test failure
|
||||
|
@ -468,7 +484,8 @@ pushd ./nss/tests/
|
|||
|
||||
# don't need to run all the tests when testing packaging
|
||||
# nss_cycles: standard pkix upgradedb sharedb
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
|
||||
# TODO: Add ssl_gtests when we rebase to nss-3.25
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains pk11_gtests der_gtests"
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
|
||||
# nss_ssl_run: cov auth stress
|
||||
#
|
||||
|
@ -815,6 +832,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Jun 13 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.4
|
||||
- Add support for conditionally ignoring the system policy
|
||||
|
||||
* Fri Jun 03 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.3
|
||||
- Apply the patch that was last introduced
|
||||
- Renumber and reorder some of the patches
|
||||
|
|
|
@ -0,0 +1,79 @@
|
|||
diff -up ./tests/ssl/sslauth.txt.expect_other ./tests/ssl/sslauth.txt
|
||||
--- ./tests/ssl/sslauth.txt.expect_other 2016-06-04 12:39:37.866869160 -0700
|
||||
+++ ./tests/ssl/sslauth.txt 2016-06-04 16:00:45.007632304 -0700
|
||||
@@ -9,17 +9,17 @@
|
||||
# ECC value params params
|
||||
# ------- ------ ------ ------ ---------------
|
||||
noECC 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth)
|
||||
- noECC 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
|
||||
+ noECC 1 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
|
||||
noECC 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth)
|
||||
- noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
|
||||
- noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
|
||||
+ noECC 1 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
|
||||
+ noECC 1 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
|
||||
noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth)
|
||||
- noECC 254 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
|
||||
- noECC 254 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
|
||||
- noECC 254 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
|
||||
- noECC 254 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
|
||||
- noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
|
||||
- noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
|
||||
+ noECC 1 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
|
||||
+ noECC 1 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
|
||||
+ noECC 1 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
|
||||
+ noECC 1 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
|
||||
+ noECC 1 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
|
||||
+ noECC 1 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
|
||||
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
|
||||
noECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
|
||||
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
|
||||
@@ -32,9 +32,9 @@
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password)
|
||||
noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth)
|
||||
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
|
||||
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
|
||||
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
|
||||
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
|
||||
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
|
||||
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
|
||||
noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
|
||||
@@ -43,11 +43,11 @@
|
||||
#
|
||||
ECC 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password)
|
||||
ECC 0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth)
|
||||
- ECC 254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
|
||||
+ ECC 1 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
|
||||
ECC 0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth)
|
||||
ECC 0 -r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password)
|
||||
ECC 0 -r -V_:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth)
|
||||
- ECC 254 -r_-r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
|
||||
+ ECC 1 -r_-r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
|
||||
ECC 0 -r_-r -V_:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth)
|
||||
ECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password)
|
||||
ECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
@@ -57,17 +57,17 @@
|
||||
ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
|
||||
ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
|
||||
- ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
|
||||
- ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
+ ECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
|
||||
+ ECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
|
||||
- ECC 254 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
|
||||
+ ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
|
||||
#
|
||||
# SNI Tests
|
||||
#
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
- SNI 254 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
|
||||
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
|
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
|
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
|
@ -1,35 +1,40 @@
|
|||
diff -up ./tests/ssl/sslauth.txt.check_policy ./tests/ssl/sslauth.txt
|
||||
diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
|
||||
--- ./tests/ssl/ssl.sh.check_policy 2016-05-17 00:58:45.000000000 -0700
|
||||
+++ ./tests/ssl/ssl.sh 2016-05-28 15:45:07.645964005 -0700
|
||||
@@ -61,10 +61,19 @@ ssl_init()
|
||||
+++ ./tests/ssl/ssl.sh 2016-06-10 10:06:40.715661079 -0700
|
||||
@@ -56,16 +56,24 @@
|
||||
}
|
||||
fi
|
||||
|
||||
PORT=${PORT-8443}
|
||||
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
|
||||
nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
|
||||
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
|
||||
|
||||
+ NSS_POLICY_FILE=[ -f ${POLICY_PATH}/${POLICY_FILE} ] \
|
||||
+ ? "${POLICY_PATH}/${POLICY_FILE}" \
|
||||
+ : ""
|
||||
+ # Means that will use test data that compliant with policy
|
||||
+ # and will invoke selfserv nd tstclnt with the proper range
|
||||
+ ADJUST_FOR_POLICY=[ -n "${NSS_POLICY_FILE}" -a -z "${NSS_IGNORE_SYSTEM_POLICY}" ] \
|
||||
+ ? "1" \
|
||||
+ : ""
|
||||
# Test case files
|
||||
- SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
- SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||
- SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
+ if [ -n ${NSS_POLICY_FILE} ]; then
|
||||
+ SSLAUTH=${QADIR}/ssl/sslauth.byPolicy.txt
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.byPolicy.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.byPolicy.txt
|
||||
+ else
|
||||
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
+ fi
|
||||
SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||
SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
|
||||
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
|
||||
|
||||
@@ -122,7 +131,11 @@ is_selfserv_alive()
|
||||
#temparary files
|
||||
@@ -117,17 +125,21 @@
|
||||
if [ "${OS_ARCH}" = "WINNT" ] && \
|
||||
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
|
||||
PID=${SHELL_SERVERPID}
|
||||
else
|
||||
PID=`cat ${SERVERPID}`
|
||||
fi
|
||||
|
||||
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
||||
+ if [ -n ${NSS_POLICY_FILE}" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ if [ -n "${ADJUST_FOR_POLICY}" ] && [ ${EXP} -eq 0 ]; then
|
||||
+ echo "No server to kill"
|
||||
+ else
|
||||
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
|
||||
|
@ -37,11 +42,21 @@ diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
|
|||
|
||||
echo "selfserv with PID ${PID} found at `date`"
|
||||
}
|
||||
@@ -145,7 +158,11 @@ wait_for_selfserv()
|
||||
|
||||
########################### wait_for_selfserv ##########################
|
||||
# local shell function to wait until selfserver is running and initialized
|
||||
########################################################################
|
||||
wait_for_selfserv()
|
||||
@@ -140,17 +152,21 @@
|
||||
if [ $? -ne 0 ]; then
|
||||
sleep 5
|
||||
echo "retrying to connect to selfserv at `date`"
|
||||
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
|
||||
echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
|
||||
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
||||
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
+ if [ -n ${NSS_POLICY_FILE} ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ if [ -n "${ADJUST_FOR_POLICY}" ] && [ ${EXP} -eq 0 ]; then
|
||||
+ html_passed "Server never started"
|
||||
+ else
|
||||
html_failed "Waiting for Server"
|
||||
|
@ -49,12 +64,31 @@ diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
|
|||
fi
|
||||
fi
|
||||
is_selfserv_alive
|
||||
@@ -216,15 +233,16 @@ start_selfserv()
|
||||
}
|
||||
|
||||
########################### kill_selfserv ##############################
|
||||
# local shell function to kill the selfserver after the tests are done
|
||||
########################################################################
|
||||
@@ -208,28 +224,35 @@
|
||||
[ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
|
||||
ECC_OPTIONS="-e ${HOSTADDR}-ec"
|
||||
else
|
||||
ECC_OPTIONS=""
|
||||
fi
|
||||
if [ "$1" = "mixed" ]; then
|
||||
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
|
||||
fi
|
||||
+
|
||||
+ if [ -n "${ADJUST_FOR_POLICY}" ]; then
|
||||
+ VMIN_OPT="-V tls1.0:"
|
||||
+ else
|
||||
+ VMIN_OPT=""
|
||||
+ fi
|
||||
+
|
||||
echo "selfserv starting at `date`"
|
||||
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
|
||||
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
|
||||
- echo " $verbose -H 1 &"
|
||||
+ VMIN_OPT=[ -n ${NSS_POLICY_FILE} ] ? "-V ssl3:" : ""
|
||||
+ echo " $verbose -H 1 ${VMIN_OPT} &"
|
||||
if [ ${fileout} -eq 1 ]; then
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
|
@ -69,16 +103,30 @@ diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
|
|||
RET=$?
|
||||
fi
|
||||
|
||||
@@ -275,6 +293,12 @@ ssl_cov()
|
||||
# The PID $! returned by the MKS or Cygwin shell is not the PID of
|
||||
# the real background process, but rather the PID of a helper
|
||||
# process (sh.exe). MKS's kill command has a bug: invoking kill
|
||||
# on the helper process does not terminate the real background
|
||||
# process. Our workaround has been to have selfserv save its PID
|
||||
@@ -270,16 +293,21 @@
|
||||
VMAX="tls1.1"
|
||||
|
||||
exec < ${SSLCOV}
|
||||
while read ectype testmax param testname
|
||||
do
|
||||
echo "${testname}" | grep "EXPORT" > /dev/null
|
||||
EXP=$?
|
||||
|
||||
+ # trace these types of tests when build has policy enabled
|
||||
+ if [ -n ${NSS_POLICY_FILE} ] &&
|
||||
+ [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ] || ${SSL3} -eq 0 ]]; then
|
||||
+ echo "exp/ssl2/ssl3 test should fail: (NSS_NO_SSL2,EXP,SSL2,SSL3)=(${NSS_NO_SSL2},${EXP},${SSL2},${SSL3})"
|
||||
+ if [ -n "${ADJUST_FOR_POLICY}" ] && [ ${EXP} -eq 0 ]; then
|
||||
+ echo "$testname has legacy ciphers"
|
||||
+ fi
|
||||
+
|
||||
if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
|
||||
echo "$SCRIPTNAME: skipping $testname (ECC only)"
|
||||
elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$EXP" -eq 0 ] ; then
|
||||
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
||||
elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
|
||||
echo "$SCRIPTNAME: running $testname ----------------------------"
|
||||
VMAX="ssl3"
|
||||
if [ "$testmax" = "TLS10" ]; then
|
||||
|
|
Loading…
Reference in New Issue