Merge branch 'private-emaldona-upstream-experiment' into private-emaldona-crypto-policy-work
commit
82cee71d15
34
nss.spec
34
nss.spec
|
@ -5,7 +5,7 @@
|
|||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
# uncomment to make nss ignore the system policy file
|
||||
#%global nss_ignore_system_policy 1
|
||||
%global nss_ignore_system_policy 1
|
||||
|
||||
# solution taken from icedtea-web.spec
|
||||
%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
|
||||
|
@ -75,8 +75,6 @@ Source24: cert9.db.xml
|
|||
Source25: key3.db.xml
|
||||
Source26: key4.db.xml
|
||||
Source27: secmod.db.xml
|
||||
# needs to be updated as we rebase and the system crypto policies evolve
|
||||
Source28: adjust4policy.txt
|
||||
|
||||
Patch2: add-relro-linker-option.patch
|
||||
Patch3: renegotiate-transitional.patch
|
||||
|
@ -100,14 +98,19 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
|||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch59: nss-check-policy-file.patch
|
||||
# TODO: file a bug usptream
|
||||
# Upstream commit that caused problems with gtests
|
||||
# https://git.fedorahosted.org/cgit/nss-pem.git/commit/
|
||||
Patch62: nss-skip-util-gtest.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch63: tests-check-policy-file.patch
|
||||
# TODO: Under test and could be merged with nss-check-policy-file.patch
|
||||
Patch64: nss-conditionally-ignore-system-policy.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch65: tests-data-adjust-for-policy.patch
|
||||
# TODO: file a bug upstream
|
||||
Patch70: nss-skip-ecperf.patch
|
||||
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
support cross-platform development of security-enabled client and
|
||||
|
@ -192,7 +195,6 @@ pushd nss
|
|||
#%patch62 -p0 -b .skip_util_gtest
|
||||
%patch63 -p1 -b .check_policy
|
||||
%patch64 -p0 -b .ignore_system_policy
|
||||
#%patch65 -p1 -b .expected_result
|
||||
popd
|
||||
# temporary
|
||||
%patch70 -p0 -b .skip_ecperf
|
||||
|
@ -315,6 +317,12 @@ export POLICY_PATH="/etc/crypto-policies/back-ends"
|
|||
# to keep nss from loading the policy file
|
||||
%if %{nss_ignore_system_policy}
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
%else
|
||||
# system policy is enforced
|
||||
pushd nss
|
||||
# change some sslauth.txt entries to expect failure when enforcing policy
|
||||
patch -p1 -b .expected_result < %{PATCH65}
|
||||
popd
|
||||
%endif
|
||||
|
||||
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
|
||||
|
@ -423,27 +431,13 @@ export NSS_BLTEST_NOT_AVAILABLE=1
|
|||
# needed for the fips mangling test
|
||||
export SOFTOKEN_LIB_DIR=%{_libdir}
|
||||
|
||||
# inform tests we kept nss from loading the policy file
|
||||
# tests need to know we kept nss from loading the policy file
|
||||
%if %{nss_ignore_system_policy}
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
%endif
|
||||
|
||||
# End -- copied from the build section
|
||||
|
||||
# ****************************************************************
|
||||
# Patching the test data here is more upstream friendly and
|
||||
# eventually should be incorporated into what ssl.sh init does.
|
||||
%if %{nss_ignore_system_policy}
|
||||
# no need to patch the test data
|
||||
%else
|
||||
# expected results on some sslauth tests depend on whether
|
||||
# the system crypto policy is being enforced or not.
|
||||
pushd nss
|
||||
patch -p1 < %{SOURCE28}
|
||||
popd
|
||||
%endif
|
||||
# ****************************************************************
|
||||
|
||||
# enable the following line to force a test failure
|
||||
# find ./nss -name \*.chk | xargs rm -f
|
||||
|
||||
|
@ -485,9 +479,9 @@ pushd ./nss/tests/
|
|||
|
||||
# don't need to run all the tests when testing packaging
|
||||
# nss_cycles: standard pkix upgradedb sharedb
|
||||
# TODO: Add ssl_gtests when we rebase to nss-3.25 or higher
|
||||
# the full list from all.sh is:
|
||||
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
# TODO: Add ssl_gtests when we rebase to nss-3.25
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
|
||||
# nss_ssl_run: cov auth stress
|
||||
|
|
|
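Review bot: The three `%if %{nss_ignore_system_policy}` guards (one in the build section right after the POLICY_PATH export, two in the check section) only parse while the `%global nss_ignore_system_policy 1` line near the top of the spec is active; the comment directly above it invites the maintainer to comment that line out, and rpmbuild will then most likely see an unexpanded macro inside the `%if` expression and abort with a parse error rather than silently enforcing the policy. Test for the macro's presence instead, `%if 0%{?nss_ignore_system_policy}`, at all three sites, or keep the `%global` permanently defined and toggle its value between 0 and 1. Note also that with the macro at 1 (the uncommented line in the first hunk, if that is the new side as the print order suggests) both %build and %check export NSS_IGNORE_SYSTEM_POLICY=1, so the sslauth expectation patch applied under the `%else` branch is never exercised and the package's own tests do not cover the policy-enforcing configuration this branch is meant to deliver; a one-line comment such as `# default 0 once policy expectations are stable; 1 is for local experiments only` would make the intent explicit. The last two hunks are cut from a larger %check block whose beginning and end lie outside this page.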
@ -0,0 +1,79 @@
|
|||
diff -up ./tests/ssl/sslauth.txt.expect_other ./tests/ssl/sslauth.txt
|
||||
--- ./tests/ssl/sslauth.txt.expect_other 2016-06-04 12:39:37.866869160 -0700
|
||||
+++ ./tests/ssl/sslauth.txt 2016-06-04 16:00:45.007632304 -0700
|
||||
@@ -9,17 +9,17 @@
|
||||
# ECC value params params
|
||||
# ------- ------ ------ ------ ---------------
|
||||
noECC 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth)
|
||||
- noECC 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
|
||||
+ noECC 1 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
|
||||
noECC 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth)
|
||||
- noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
|
||||
- noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
|
||||
+ noECC 1 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
|
||||
+ noECC 1 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
|
||||
noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth)
|
||||
- noECC 254 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
|
||||
- noECC 254 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
|
||||
- noECC 254 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
|
||||
- noECC 254 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
|
||||
- noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
|
||||
- noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
|
||||
+ noECC 1 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
|
||||
+ noECC 1 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
|
||||
+ noECC 1 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
|
||||
+ noECC 1 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
|
||||
+ noECC 1 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
|
||||
+ noECC 1 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
|
||||
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
|
||||
noECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
|
||||
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
|
||||
@@ -32,9 +32,9 @@
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password)
|
||||
noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth)
|
||||
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
|
||||
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
|
||||
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
|
||||
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
|
||||
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
|
||||
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
|
||||
noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
|
||||
@@ -43,11 +43,11 @@
|
||||
#
|
||||
ECC 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password)
|
||||
ECC 0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth)
|
||||
- ECC 254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
|
||||
+ ECC 1 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
|
||||
ECC 0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth)
|
||||
ECC 0 -r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password)
|
||||
ECC 0 -r -V_:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth)
|
||||
- ECC 254 -r_-r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
|
||||
+ ECC 1 -r_-r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
|
||||
ECC 0 -r_-r -V_:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth)
|
||||
ECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password)
|
||||
ECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
@@ -57,17 +57,17 @@
|
||||
ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
|
||||
ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
|
||||
- ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
|
||||
- ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
+ ECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
|
||||
+ ECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
|
||||
- ECC 254 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
|
||||
+ ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
|
||||
#
|
||||
# SNI Tests
|
||||
#
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
- SNI 254 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
|
||||
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
|
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
|
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|