Compare commits
30 Commits
master
...
private-em
Author | SHA1 | Date | |
---|---|---|---|
|
da7272436c | ||
|
91a8b7f9ac | ||
|
0ee7d5581e | ||
|
80580e8121 | ||
|
4d5d729ef7 | ||
|
b485416766 | ||
|
a2429f74e9 | ||
|
730400b5b4 | ||
|
a7a8471319 | ||
|
9c7caeef40 | ||
|
740fc1b4ad | ||
|
d9e7eed2ac | ||
|
00af478fbf | ||
|
9d9301fe73 | ||
|
2cf5b75cb2 | ||
|
5cc547f486 | ||
|
b42c989b2d | ||
|
5a2c8f6060 | ||
|
4d367c3b32 | ||
|
26507f9bc4 | ||
|
b24394dfb6 | ||
|
7a07302aa1 | ||
|
fdebbfede8 | ||
|
f693c60ed3 | ||
|
09040cd82a | ||
|
dc93f45359 | ||
|
681808b309 | ||
|
dc39923fc1 | ||
|
1d382f933e | ||
|
4da77f592d |
111
listsuites-do-queries.patch
Normal file
111
listsuites-do-queries.patch
Normal file
@ -0,0 +1,111 @@
|
|||||||
|
--- ./cmd/listsuites/listsuites.c.do_queries 2016-05-17 00:58:45.000000000 -0700
|
||||||
|
+++ ./cmd/listsuites/listsuites.c 2016-06-23 09:39:10.563925342 -0700
|
||||||
|
@@ -7,19 +7,48 @@
|
||||||
|
*
|
||||||
|
* Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <errno.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include "secport.h"
|
||||||
|
#include "ssl.h"
|
||||||
|
+#include "plgetopt.h"
|
||||||
|
+#include "secutil.h"
|
||||||
|
+#include "utilpars.h"
|
||||||
|
+#include "nspr.h"
|
||||||
|
+#include "nss.h"
|
||||||
|
+
|
||||||
|
+static const char *progName = "listsuites";
|
||||||
|
+char *ignoreVar;
|
||||||
|
+
|
||||||
|
+static char *policy_file_path(char *path)
|
||||||
|
+{
|
||||||
|
+ return (PR_Access(path, PR_ACCESS_READ_OK) == PR_SUCCESS) ? path : "";
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static char *ignore_system_policy_value(char *var)
|
||||||
|
+{
|
||||||
|
+ ignoreVar = PR_GetEnvSecure(var);
|
||||||
|
+ return ignoreVar != NULL ? ignoreVar : "";
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void Usage(const char *progName)
|
||||||
|
+{
|
||||||
|
+ fprintf(stderr,
|
||||||
|
+ "\nList cipher suites or parse a policy file or query\n"
|
||||||
|
+ "Usage: %s [-i policy_file] file to parse (default is list)\n",
|
||||||
|
+ progName);
|
||||||
|
+ exit(1);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
|
||||||
|
int
|
||||||
|
-main(int argc, char **argv)
|
||||||
|
+list_suites(void)
|
||||||
|
{
|
||||||
|
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
|
||||||
|
int i;
|
||||||
|
int errCount = 0;
|
||||||
|
|
||||||
|
fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
|
||||||
|
|
||||||
|
/* disable all the SSL3 cipher suites */
|
||||||
|
@@ -56,8 +85,58 @@
|
||||||
|
info.effectiveKeyBits, info.macAlgorithmName,
|
||||||
|
enabled ? "Enabled" : "Disabled",
|
||||||
|
info.isFIPS ? "FIPS" : "",
|
||||||
|
info.isExportable ? "Export" : "Domestic",
|
||||||
|
info.nonStandard ? "nonStandard" : "");
|
||||||
|
}
|
||||||
|
return errCount;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+main(int argc, char **argv)
|
||||||
|
+{
|
||||||
|
+ PLOptState *optstate = NULL;
|
||||||
|
+ PLOptStatus status;
|
||||||
|
+ SECStatus rv;
|
||||||
|
+ FILE *inFile;
|
||||||
|
+ char *ev, *path;
|
||||||
|
+
|
||||||
|
+ optstate = PL_CreateOptState(argc, argv, "?hi:p:q:lL");
|
||||||
|
+ while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
|
||||||
|
+ switch (optstate->option) {
|
||||||
|
+ case '?':
|
||||||
|
+ case 'h':
|
||||||
|
+ Usage(progName);
|
||||||
|
+ break;
|
||||||
|
+ case 'p':
|
||||||
|
+ path = (char *)optstate->value;
|
||||||
|
+ fprintf(stdout, "%s=%s\n", path, policy_file_path(path));
|
||||||
|
+ break;
|
||||||
|
+ case 'q':
|
||||||
|
+ ev = (char *)optstate->value;
|
||||||
|
+ fprintf(stdout, "%s=%s\n", ev, ignore_system_policy_value(ev));
|
||||||
|
+ break;
|
||||||
|
+ case 'i':
|
||||||
|
+ rv = SECSuccess;
|
||||||
|
+ inFile = fopen(optstate->value, "r");
|
||||||
|
+ if (!inFile) {
|
||||||
|
+ fprintf(stderr,
|
||||||
|
+ "%s: unable to open \"%s\" for reading\n",
|
||||||
|
+ progName, optstate->value);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ rv = SECFailure;/*ParseCryptoPolicy(optstate->value);*/
|
||||||
|
+ fclose(inFile);
|
||||||
|
+ return (rv == SECSuccess) ? 0 : 1;
|
||||||
|
+ break;
|
||||||
|
+ case 'l':
|
||||||
|
+ case 'L':
|
||||||
|
+ return list_suites();
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ Usage(progName);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
@ -1,7 +1,6 @@
|
|||||||
diff --git a/lib/nss/config.mk b/lib/nss/config.mk
|
--- ./lib/nss/config.mk.check_policy_file 2016-07-12 09:11:01.198867052 -0700
|
||||||
--- a/lib/nss/config.mk
|
+++ ./lib/nss/config.mk 2016-07-12 09:15:58.739946540 -0700
|
||||||
+++ b/lib/nss/config.mk
|
@@ -99,8 +99,15 @@
|
||||||
@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
|
|
||||||
ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
|
ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
|
||||||
ifndef NS_USE_GCC
|
ifndef NS_USE_GCC
|
||||||
# Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
|
# Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
|
||||||
@ -12,12 +11,14 @@ diff --git a/lib/nss/config.mk b/lib/nss/config.mk
|
|||||||
endif
|
endif
|
||||||
+
|
+
|
||||||
+ifdef POLICY_FILE
|
+ifdef POLICY_FILE
|
||||||
|
+ifndef POLICY_PATH
|
||||||
|
+$(error You must define POLICY_PATH if you set POLICY_FILE)
|
||||||
|
+endif
|
||||||
+DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
|
+DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
|
||||||
+endif
|
+endif
|
||||||
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
--- ./lib/nss/nssinit.c.check_policy_file 2016-06-20 10:11:28.000000000 -0700
|
||||||
--- a/lib/nss/nssinit.c
|
+++ ./lib/nss/nssinit.c 2016-07-12 09:18:14.821671331 -0700
|
||||||
+++ b/lib/nss/nssinit.c
|
@@ -330,47 +330,47 @@
|
||||||
@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath,
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* see nss_Init for definitions of the various options.
|
* see nss_Init for definitions of the various options.
|
||||||
@ -69,7 +70,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
|||||||
lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
|
lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
|
||||||
if (lconfigdir == NULL) {
|
if (lconfigdir == NULL) {
|
||||||
goto loser;
|
goto loser;
|
||||||
@@ -427,24 +427,26 @@ loser:
|
@@ -427,24 +427,24 @@
|
||||||
if (lsecmodName) PORT_Free(lsecmodName);
|
if (lsecmodName) PORT_Free(lsecmodName);
|
||||||
if (lupdateDir) PORT_Free(lupdateDir);
|
if (lupdateDir) PORT_Free(lupdateDir);
|
||||||
if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
|
if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
|
||||||
@ -81,13 +82,11 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
|||||||
- SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
|
- SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
|
||||||
+ module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
|
+ module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
|
||||||
PR_smprintf_free(moduleSpec);
|
PR_smprintf_free(moduleSpec);
|
||||||
if (module) {
|
- if (module) {
|
||||||
- if (module->loaded) rv=SECSuccess;
|
- if (module->loaded) rv=SECSuccess;
|
||||||
- SECMOD_DestroyModule(module);
|
+ if (module && !module->loaded) {
|
||||||
+ if (!module->loaded) {
|
SECMOD_DestroyModule(module);
|
||||||
+ SECMOD_DestroyModule(module);
|
+ return NULL;
|
||||||
+ module = NULL;
|
|
||||||
+ }
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
- return rv;
|
- return rv;
|
||||||
@ -100,10 +99,23 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
|||||||
* configdir - base directory where all the cert, key, and module datbases live.
|
* configdir - base directory where all the cert, key, and module datbases live.
|
||||||
* certPrefix - prefix added to the beginning of the cert database example: "
|
* certPrefix - prefix added to the beginning of the cert database example: "
|
||||||
* "https-server1-"
|
* "https-server1-"
|
||||||
@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch
|
@@ -509,41 +509,44 @@
|
||||||
|
return PR_FAILURE;
|
||||||
|
}
|
||||||
|
return PR_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static SECStatus
|
||||||
|
nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
|
||||||
|
- const char *secmodName, const char *updateDir,
|
||||||
|
+ const char *secmodName, const char *updateDir,
|
||||||
|
const char *updCertPrefix, const char *updKeyPrefix,
|
||||||
|
const char *updateID, const char *updateName,
|
||||||
NSSInitContext ** initContextPtr,
|
NSSInitContext ** initContextPtr,
|
||||||
NSSInitParameters *initParams,
|
NSSInitParameters *initParams,
|
||||||
PRBool readOnly, PRBool noCertDB,
|
- PRBool readOnly, PRBool noCertDB,
|
||||||
|
+ PRBool readOnly, PRBool noCertDB,
|
||||||
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
|
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
|
||||||
PRBool optimizeSpace, PRBool noSingleThreadedModules,
|
PRBool optimizeSpace, PRBool noSingleThreadedModules,
|
||||||
PRBool allowAlreadyInitializedModules,
|
PRBool allowAlreadyInitializedModules,
|
||||||
@ -117,9 +129,26 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
|||||||
char *configStrings = NULL;
|
char *configStrings = NULL;
|
||||||
char *configName = NULL;
|
char *configName = NULL;
|
||||||
PRBool passwordRequired = PR_FALSE;
|
PRBool passwordRequired = PR_FALSE;
|
||||||
|
+#ifdef POLICY_FILE
|
||||||
|
+ char *ignoreVar;
|
||||||
|
+#endif
|
||||||
|
|
||||||
/* if we are trying to init with a traditional NSS_Init call, maintain
|
/* if we are trying to init with a traditional NSS_Init call, maintain
|
||||||
@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch
|
* the traditional idempotent behavior. */
|
||||||
|
if (!initContextPtr && nssIsInitted) {
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
/* make sure our lock and condition variable are initialized one and only
|
||||||
|
* one time */
|
||||||
|
if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
|
||||||
|
return SECFailure;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* if we haven't done basic initialization, single thread the
|
||||||
|
@@ -630,23 +633,23 @@
|
||||||
configStrings = pk11_config_strings;
|
configStrings = pk11_config_strings;
|
||||||
configName = pk11_config_name;
|
configName = pk11_config_name;
|
||||||
passwordRequired = pk11_password_required;
|
passwordRequired = pk11_password_required;
|
||||||
@ -129,10 +158,12 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
|||||||
* to init with noCertDB and noModDB */
|
* to init with noCertDB and noModDB */
|
||||||
if (!(isReallyInitted && noCertDB && noModDB)) {
|
if (!(isReallyInitted && noCertDB && noModDB)) {
|
||||||
- rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
|
- rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
|
||||||
|
- updateDir, updCertPrefix, updKeyPrefix, updateID,
|
||||||
+ parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
|
+ parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
|
||||||
updateDir, updCertPrefix, updKeyPrefix, updateID,
|
+ updateDir, updCertPrefix, updKeyPrefix, updateID,
|
||||||
updateName, configName, configStrings, passwordRequired,
|
updateName, configName, configStrings, passwordRequired,
|
||||||
readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
|
- readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
|
||||||
|
+ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
|
||||||
(initContextPtr != NULL));
|
(initContextPtr != NULL));
|
||||||
|
|
||||||
- if (rv != SECSuccess) {
|
- if (rv != SECSuccess) {
|
||||||
@ -145,7 +176,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
|||||||
/* finish up initialization */
|
/* finish up initialization */
|
||||||
if (!isReallyInitted) {
|
if (!isReallyInitted) {
|
||||||
if (SECOID_Init() != SECSuccess) {
|
if (SECOID_Init() != SECSuccess) {
|
||||||
@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch
|
@@ -675,17 +678,40 @@
|
||||||
* path. Skip it */
|
* path. Skip it */
|
||||||
dbpath = NULL;
|
dbpath = NULL;
|
||||||
}
|
}
|
||||||
@ -156,6 +187,11 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
|||||||
}
|
}
|
||||||
-
|
-
|
||||||
+#ifdef POLICY_FILE
|
+#ifdef POLICY_FILE
|
||||||
|
+ /* Load the system crypto policy file if it exists,
|
||||||
|
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
|
||||||
|
+ * variable has been set to 1. */
|
||||||
|
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
|
||||||
|
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
|
||||||
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
|
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
|
||||||
+ SECMODModule *module = SECMOD_LoadModule(
|
+ SECMODModule *module = SECMOD_LoadModule(
|
||||||
+ "name=\"Policy File\" "
|
+ "name=\"Policy File\" "
|
||||||
@ -172,6 +208,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
pk11sdr_Init();
|
pk11sdr_Init();
|
||||||
cert_CreateSubjectKeyIDHashTable();
|
cert_CreateSubjectKeyIDHashTable();
|
||||||
@ -181,7 +218,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
|||||||
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
||||||
|
|
||||||
if (pkixError != NULL) {
|
if (pkixError != NULL) {
|
||||||
@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch
|
@@ -716,32 +742,38 @@
|
||||||
nssIsInInit--;
|
nssIsInInit--;
|
||||||
/* now that we are inited, all waiters can move forward */
|
/* now that we are inited, all waiters can move forward */
|
||||||
PZ_NotifyAllCondVar(nssInitCondition);
|
PZ_NotifyAllCondVar(nssInitCondition);
|
||||||
|
63
nss-conditionally-ignore-system-policy.patch
Normal file
63
nss-conditionally-ignore-system-policy.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
--- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700
|
||||||
|
+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700
|
||||||
|
@@ -529,16 +529,19 @@
|
||||||
|
{
|
||||||
|
SECMODModule *parent = NULL;
|
||||||
|
PKIX_UInt32 actualMinorVersion = 0;
|
||||||
|
PKIX_Error *pkixError = NULL;
|
||||||
|
PRBool isReallyInitted;
|
||||||
|
char *configStrings = NULL;
|
||||||
|
char *configName = NULL;
|
||||||
|
PRBool passwordRequired = PR_FALSE;
|
||||||
|
+#ifdef POLICY_FILE
|
||||||
|
+ char *ignoreVar;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/* if we are trying to init with a traditional NSS_Init call, maintain
|
||||||
|
* the traditional idempotent behavior. */
|
||||||
|
if (!initContextPtr && nssIsInitted) {
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* make sure our lock and condition variable are initialized one and only
|
||||||
|
@@ -678,32 +681,38 @@
|
||||||
|
dbpath = NULL;
|
||||||
|
}
|
||||||
|
if (dbpath) {
|
||||||
|
nss_FindExternalRoot(dbpath, secmodName);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#ifdef POLICY_FILE
|
||||||
|
- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
|
||||||
|
+ /* Load the system crypo policy file if it exists,
|
||||||
|
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
|
||||||
|
+ * variable has been set to 1. */
|
||||||
|
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
|
||||||
|
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
|
||||||
|
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
|
||||||
|
SECMODModule *module = SECMOD_LoadModule(
|
||||||
|
"name=\"Policy File\" "
|
||||||
|
"parameters=\"configdir='sql:" POLICY_PATH "' "
|
||||||
|
"secmod='" POLICY_FILE "' "
|
||||||
|
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
|
||||||
|
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
|
||||||
|
- parent, PR_TRUE);
|
||||||
|
+ parent, PR_TRUE);
|
||||||
|
if (module) {
|
||||||
|
PRBool isLoaded = module->loaded;
|
||||||
|
SECMOD_DestroyModule(module);
|
||||||
|
if (!isLoaded) {
|
||||||
|
goto loser;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
pk11sdr_Init();
|
||||||
|
cert_CreateSubjectKeyIDHashTable();
|
||||||
|
|
||||||
|
pkixError = PKIX_Initialize
|
||||||
|
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
|
||||||
|
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
diff -up ./nss/cmd/manifest.mn.skip_ecperf ./nss/cmd/manifest.mn
|
diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
|
||||||
--- ./nss/cmd/manifest.mn.noecperf 2016-06-24 08:04:53.891106841 -0700
|
--- ./cmd/manifest.mn.noecperf 2016-06-24 08:04:53.891106841 -0700
|
||||||
+++ ./nss/cmd/manifest.mn 2016-06-24 08:06:57.186887403 -0700
|
+++ ./cmd/manifest.mn 2016-06-24 08:06:57.186887403 -0700
|
||||||
@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
|
@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
|
||||||
dbtest \
|
dbtest \
|
||||||
derdump \
|
derdump \
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
|
diff -up ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest ./external_tests/manifest.mn
|
||||||
--- ./external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700
|
--- ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest 2016-06-20 10:11:28.000000000 -0700
|
||||||
+++ ./external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700
|
+++ ./external_tests/manifest.mn 2016-06-26 10:09:55.429858648 -0700
|
||||||
@@ -8,7 +8,6 @@ DEPTH = ..
|
@@ -9,7 +9,4 @@ DIRS = \
|
||||||
DIRS = \
|
|
||||||
google_test \
|
google_test \
|
||||||
|
common \
|
||||||
der_gtest \
|
der_gtest \
|
||||||
- util_gtest \
|
- util_gtest \
|
||||||
pk11_gtest \
|
- pk11_gtest \
|
||||||
ssl_gtest \
|
- ssl_gtest \
|
||||||
$(NULL)
|
$(NULL)
|
||||||
|
74
nss.spec
74
nss.spec
@ -21,7 +21,7 @@ Name: nss
|
|||||||
Version: 3.25.0
|
Version: 3.25.0
|
||||||
# for Rawhide, please always use release >= 2
|
# for Rawhide, please always use release >= 2
|
||||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||||
Release: 2%{?dist}
|
Release: 6%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -92,16 +92,15 @@ Patch49: nss-skip-bltest-and-fipstest.patch
|
|||||||
Patch50: iquote.patch
|
Patch50: iquote.patch
|
||||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||||
# TODO: file a bug usptream
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||||
Patch59: nss-check-policy-file.patch
|
Patch59: nss-check-policy-file.patch
|
||||||
# TODO: file a bug usptream
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||||
|
Patch60: nss-conditionally-ignore-system-policy.patch
|
||||||
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
|
||||||
Patch62: nss-skip-util-gtest.patch
|
Patch62: nss-skip-util-gtest.patch
|
||||||
# TODO: file a bug usptream when enough tests are run
|
# TODO: file a bug upstream similar to the one for rsaperf
|
||||||
Patch63: tests-check-policy-file.patch
|
|
||||||
# TODO: file a bug usptream when enough tests are run
|
|
||||||
Patch64: tests-data-adjust-for-policy.patch
|
|
||||||
# TODO: file a bug upstream
|
|
||||||
Patch70: nss-skip-ecperf.patch
|
Patch70: nss-skip-ecperf.patch
|
||||||
|
Patch71: listsuites-do-queries.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Network Security Services (NSS) is a set of libraries designed to
|
Network Security Services (NSS) is a set of libraries designed to
|
||||||
@ -177,7 +176,6 @@ low level services.
|
|||||||
%patch2 -p0 -b .relro
|
%patch2 -p0 -b .relro
|
||||||
%patch3 -p0 -b .transitional
|
%patch3 -p0 -b .transitional
|
||||||
%patch16 -p0 -b .539183
|
%patch16 -p0 -b .539183
|
||||||
# link pem against buildroot's freebl, essential when mixing and matching
|
|
||||||
%patch40 -p0 -b .noocsptest
|
%patch40 -p0 -b .noocsptest
|
||||||
%patch47 -p0 -b .templates
|
%patch47 -p0 -b .templates
|
||||||
%patch49 -p0 -b .skipthem
|
%patch49 -p0 -b .skipthem
|
||||||
@ -185,12 +183,10 @@ low level services.
|
|||||||
%patch58 -p0 -b .1185708_3des
|
%patch58 -p0 -b .1185708_3des
|
||||||
pushd nss
|
pushd nss
|
||||||
%patch59 -p1 -b .check_policy_file
|
%patch59 -p1 -b .check_policy_file
|
||||||
#%patch62 -p0 -b .skip_util_gtest
|
%patch62 -p0 -b .skip_util_gtest
|
||||||
%patch63 -p1 -b .check_policy
|
%patch70 -p1 -b .skip_ecperf
|
||||||
%patch64 -p1 -b .expected_result
|
%patch71 -p1 -b .do_queries
|
||||||
popd
|
popd
|
||||||
# temporary
|
|
||||||
%patch70 -p0 -b .skip_ecperf
|
|
||||||
|
|
||||||
#########################################################
|
#########################################################
|
||||||
# Higher-level libraries and test tools need access to
|
# Higher-level libraries and test tools need access to
|
||||||
@ -202,9 +198,11 @@ popd
|
|||||||
# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
|
# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
|
||||||
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
|
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
|
||||||
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
|
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
|
||||||
# TODO: similar problem as descrived above
|
# similar problem to the one described above
|
||||||
# ./nss/lib/freebl/ec.h, ./nss/lib/freebl/ecl/ecl-curve.h
|
# ./nss/lib/freebl/ec.h, ./nss/lib/freebl/ecl/ecl-curve.h
|
||||||
# the last one requires that NSS_ECC_MORE_THAN_SUITE_B not be defined
|
# the last one requires that NSS_ECC_MORE_THAN_SUITE_B not be defined
|
||||||
|
%{__cp} ./nss/lib/freebl/ec.h ./nss/cmd/ecperf
|
||||||
|
%{__cp} ./nss/lib/freebl/ecl/ecl-curve.h ./nss/cmd/ecperf
|
||||||
|
|
||||||
# Before removing util directory we must save verref.h
|
# Before removing util directory we must save verref.h
|
||||||
# as it will be needed later during the build phase.
|
# as it will be needed later during the build phase.
|
||||||
@ -224,19 +222,9 @@ popd
|
|||||||
######## Remove portions that need to statically link with libnssutil.a
|
######## Remove portions that need to statically link with libnssutil.a
|
||||||
%{__rm} -rf ./nss/external_tests/util_gtests
|
%{__rm} -rf ./nss/external_tests/util_gtests
|
||||||
|
|
||||||
pushd nss/tests/ssl
|
|
||||||
# Create versions of ssauth.txt, sslcov.txt and sslstress.txt that disable
|
|
||||||
# tests for non policy compliant ciphers.
|
|
||||||
cat sslauth.txt| sed -r "s/^([^#].*EXPORT|^[^#].*MD5)/#disabled \1/" > sslauth.noPolicy.txt
|
|
||||||
cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*_WITH_DES_*)/#disabled \1/" > sslcov.noPolicy.txt
|
|
||||||
cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*with MD5)/#disabled \1/" > sslstress.noPolicy.txt
|
|
||||||
popd
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
# TODO: remove this when we solve the problems
|
|
||||||
export NSS_DISABLE_GTESTS=1
|
|
||||||
|
|
||||||
NSS_NO_PKCS11_BYPASS=1
|
NSS_NO_PKCS11_BYPASS=1
|
||||||
export NSS_NO_PKCS11_BYPASS
|
export NSS_NO_PKCS11_BYPASS
|
||||||
|
|
||||||
@ -244,7 +232,7 @@ FREEBL_NO_DEPEND=1
|
|||||||
export FREEBL_NO_DEPEND
|
export FREEBL_NO_DEPEND
|
||||||
|
|
||||||
# Enable compiler optimizations and disable debugging code
|
# Enable compiler optimizations and disable debugging code
|
||||||
export BUILD_OPT=1
|
#export BUILD_OPT=1
|
||||||
|
|
||||||
# Uncomment to disable optimizations
|
# Uncomment to disable optimizations
|
||||||
#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
|
#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
|
||||||
@ -308,8 +296,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1
|
|||||||
%{__make} -C ./nss/lib/dbm
|
%{__make} -C ./nss/lib/dbm
|
||||||
|
|
||||||
# Set the policy file location
|
# Set the policy file location
|
||||||
# if set NSS will always check for the policy file and load it if it exists
|
# if set NSS will always check for the policy file and load if it exists
|
||||||
# TODO: restore the POLICY_FILE and POLICY_PATH exports
|
|
||||||
export POLICY_FILE="nss.config"
|
export POLICY_FILE="nss.config"
|
||||||
# location of the policy file
|
# location of the policy file
|
||||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||||
@ -399,14 +386,10 @@ fi
|
|||||||
|
|
||||||
# Begin -- copied from the build section
|
# Begin -- copied from the build section
|
||||||
|
|
||||||
# inform the ssl test scripts that policy is enabled
|
|
||||||
export POLICY_FILE="nss.config"
|
|
||||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
|
||||||
|
|
||||||
FREEBL_NO_DEPEND=1
|
FREEBL_NO_DEPEND=1
|
||||||
export FREEBL_NO_DEPEND
|
export FREEBL_NO_DEPEND
|
||||||
|
|
||||||
export BUILD_OPT=1
|
#export BUILD_OPT=1
|
||||||
|
|
||||||
%ifnarch noarch
|
%ifnarch noarch
|
||||||
%if 0%{__isa_bits} == 64
|
%if 0%{__isa_bits} == 64
|
||||||
@ -422,6 +405,8 @@ export SOFTOKEN_LIB_DIR=%{_libdir}
|
|||||||
|
|
||||||
# End -- copied from the build section
|
# End -- copied from the build section
|
||||||
|
|
||||||
|
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||||
|
|
||||||
# enable the following line to force a test failure
|
# enable the following line to force a test failure
|
||||||
# find ./nss -name \*.chk | xargs rm -f
|
# find ./nss -name \*.chk | xargs rm -f
|
||||||
|
|
||||||
@ -466,13 +451,13 @@ pushd ./nss/tests/
|
|||||||
# the full list from all.sh is:
|
# the full list from all.sh is:
|
||||||
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
|
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
|
||||||
# nss_ssl_run: cov auth stress
|
# nss_ssl_run: cov auth stapling stress
|
||||||
#
|
#
|
||||||
# Uncomment these lines if you need to temporarily
|
# Uncomment these lines if you need to temporarily
|
||||||
# disable some test suites for faster test builds
|
# disable some test suites for faster test builds
|
||||||
# global nss_ssl_tests "normal_fips"
|
# % define nss_ssl_tests "normal_fips"
|
||||||
# global nss_ssl_run "cov auth"
|
# % define nss_ssl_run "cov"
|
||||||
|
|
||||||
SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
|
SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
|
||||||
|
|
||||||
@ -810,12 +795,27 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 12 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
|
||||||
|
- Cherry-pick merge from master branch
|
||||||
|
- Add support for conditionally ignoring the system policy (#1157720)
|
||||||
|
- Remove unneeded test scripts patches in order to run more tests
|
||||||
|
- Remove unneeded test data modifications from the spec file
|
||||||
|
- Remove obsolete patch and spurious lines from the spec file (#1347336)
|
||||||
|
- Add support to listsuites to list ciphers allowed by policy
|
||||||
|
- Incorporate some upstream review suggestions
|
||||||
|
|
||||||
|
* Sun Jun 26 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-3
|
||||||
|
- Cleanup spec file and patches and add references to bugs filed upstream
|
||||||
|
|
||||||
* Fri Jun 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-2
|
* Fri Jun 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-2
|
||||||
- Rebase to nss 3.25
|
- Rebase to nss 3.25
|
||||||
|
|
||||||
* Thu Jun 16 2016 Kamil Dudka <kdudka@redhat.com> - 3.24.0-3
|
* Thu Jun 16 2016 Kamil Dudka <kdudka@redhat.com> - 3.24.0-3
|
||||||
- decouple nss-pem from the nss package (#1347336)
|
- decouple nss-pem from the nss package (#1347336)
|
||||||
|
|
||||||
|
* Mon Jun 13 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.4
|
||||||
|
- Add support for conditionally ignoring the system policy
|
||||||
|
|
||||||
* Fri Jun 03 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.3
|
* Fri Jun 03 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.3
|
||||||
- Apply the patch that was last introduced
|
- Apply the patch that was last introduced
|
||||||
- Renumber and reorder some of the patches
|
- Renumber and reorder some of the patches
|
||||||
|
79
sslauth-data-change-expected.patch
Normal file
79
sslauth-data-change-expected.patch
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
diff -up ./tests/ssl/sslauth.txt.expect_other ./tests/ssl/sslauth.txt
|
||||||
|
--- ./tests/ssl/sslauth.txt.expect_other 2016-06-04 12:39:37.866869160 -0700
|
||||||
|
+++ ./tests/ssl/sslauth.txt 2016-06-04 16:00:45.007632304 -0700
|
||||||
|
@@ -9,17 +9,17 @@
|
||||||
|
# ECC value params params
|
||||||
|
# ------- ------ ------ ------ ---------------
|
||||||
|
noECC 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth)
|
||||||
|
- noECC 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
|
||||||
|
+ noECC 1 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
|
||||||
|
noECC 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth)
|
||||||
|
- noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
|
||||||
|
- noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
|
||||||
|
+ noECC 1 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
|
||||||
|
+ noECC 1 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
|
||||||
|
noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth)
|
||||||
|
- noECC 254 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
|
||||||
|
- noECC 254 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
|
||||||
|
- noECC 254 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
|
||||||
|
- noECC 254 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
|
||||||
|
- noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
|
||||||
|
- noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
|
||||||
|
+ noECC 1 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
|
||||||
|
+ noECC 1 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
|
||||||
|
+ noECC 1 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
|
||||||
|
+ noECC 1 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
|
||||||
|
+ noECC 1 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
|
||||||
|
+ noECC 1 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
|
||||||
|
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
|
||||||
|
noECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
|
||||||
|
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
|
||||||
|
@@ -32,9 +32,9 @@
|
||||||
|
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
|
||||||
|
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password)
|
||||||
|
noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth)
|
||||||
|
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
|
||||||
|
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
|
||||||
|
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
|
||||||
|
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
|
||||||
|
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
|
||||||
|
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
|
||||||
|
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
|
||||||
|
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
|
||||||
|
noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
|
||||||
|
@@ -43,11 +43,11 @@
|
||||||
|
#
|
||||||
|
ECC 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password)
|
||||||
|
ECC 0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth)
|
||||||
|
- ECC 254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
|
||||||
|
+ ECC 1 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
|
||||||
|
ECC 0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth)
|
||||||
|
ECC 0 -r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password)
|
||||||
|
ECC 0 -r -V_:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth)
|
||||||
|
- ECC 254 -r_-r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
|
||||||
|
+ ECC 1 -r_-r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
|
||||||
|
ECC 0 -r_-r -V_:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth)
|
||||||
|
ECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password)
|
||||||
|
ECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth)
|
||||||
|
@@ -57,17 +57,17 @@
|
||||||
|
ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||||
|
ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
|
||||||
|
ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
|
||||||
|
- ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
|
||||||
|
- ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||||
|
+ ECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
|
||||||
|
+ ECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||||
|
ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
|
||||||
|
- ECC 254 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
|
||||||
|
+ ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
|
||||||
|
#
|
||||||
|
# SNI Tests
|
||||||
|
#
|
||||||
|
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||||
|
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||||
|
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||||
|
- SNI 254 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
|
||||||
|
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
|
||||||
|
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
|
||||||
|
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||||
|
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
@ -1,35 +1,40 @@
|
|||||||
diff -up ./tests/ssl/sslauth.txt.check_policy ./tests/ssl/sslauth.txt
|
|
||||||
diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
|
|
||||||
--- ./tests/ssl/ssl.sh.check_policy 2016-05-17 00:58:45.000000000 -0700
|
--- ./tests/ssl/ssl.sh.check_policy 2016-05-17 00:58:45.000000000 -0700
|
||||||
+++ ./tests/ssl/ssl.sh 2016-05-28 15:45:07.645964005 -0700
|
+++ ./tests/ssl/ssl.sh 2016-06-10 10:06:40.715661079 -0700
|
||||||
@@ -61,10 +61,19 @@ ssl_init()
|
@@ -56,16 +56,24 @@
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
|
||||||
|
PORT=${PORT-8443}
|
||||||
|
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
|
||||||
nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
|
nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
|
||||||
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
|
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
|
||||||
|
|
||||||
+ NSS_POLICY_FILE=[ -f ${POLICY_PATH}/${POLICY_FILE} ] \
|
+ NSS_POLICY_FILE=[ -f ${POLICY_PATH}/${POLICY_FILE} ] \
|
||||||
+ ? "${POLICY_PATH}/${POLICY_FILE}" \
|
+ ? "${POLICY_PATH}/${POLICY_FILE}" \
|
||||||
|
+ : ""
|
||||||
|
+ # Means that will use test data that compliant with policy
|
||||||
|
+ # and will invoke selfserv nd tstclnt with the proper range
|
||||||
|
+ ADJUST_FOR_POLICY=[ -n "${NSS_POLICY_FILE}" -a -z "${NSS_IGNORE_SYSTEM_POLICY}" ] \
|
||||||
|
+ ? "1" \
|
||||||
+ : ""
|
+ : ""
|
||||||
# Test case files
|
# Test case files
|
||||||
- SSLCOV=${QADIR}/ssl/sslcov.txt
|
SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||||
- SSLAUTH=${QADIR}/ssl/sslauth.txt
|
SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||||
- SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||||
+ if [ -n ${NSS_POLICY_FILE} ]; then
|
|
||||||
+ SSLAUTH=${QADIR}/ssl/sslauth.byPolicy.txt
|
|
||||||
+ SSLCOV=${QADIR}/ssl/sslcov.byPolicy.txt
|
|
||||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.byPolicy.txt
|
|
||||||
+ else
|
|
||||||
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
|
|
||||||
+ SSLCOV=${QADIR}/ssl/sslcov.txt
|
|
||||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
|
||||||
+ fi
|
|
||||||
SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
|
SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
|
||||||
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
|
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
|
||||||
|
|
||||||
@@ -122,7 +131,11 @@ is_selfserv_alive()
|
#temparary files
|
||||||
|
@@ -117,17 +125,21 @@
|
||||||
|
if [ "${OS_ARCH}" = "WINNT" ] && \
|
||||||
|
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
|
||||||
|
PID=${SHELL_SERVERPID}
|
||||||
|
else
|
||||||
|
PID=`cat ${SERVERPID}`
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
||||||
+ if [ -n ${NSS_POLICY_FILE}" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
+ if [ -n "${ADJUST_FOR_POLICY}" ] && [ ${EXP} -eq 0 ]; then
|
||||||
+ echo "No server to kill"
|
+ echo "No server to kill"
|
||||||
+ else
|
+ else
|
||||||
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
|
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
|
||||||
@ -37,11 +42,21 @@ diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
|
|||||||
|
|
||||||
echo "selfserv with PID ${PID} found at `date`"
|
echo "selfserv with PID ${PID} found at `date`"
|
||||||
}
|
}
|
||||||
@@ -145,7 +158,11 @@ wait_for_selfserv()
|
|
||||||
|
########################### wait_for_selfserv ##########################
|
||||||
|
# local shell function to wait until selfserver is running and initialized
|
||||||
|
########################################################################
|
||||||
|
wait_for_selfserv()
|
||||||
|
@@ -140,17 +152,21 @@
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
sleep 5
|
||||||
|
echo "retrying to connect to selfserv at `date`"
|
||||||
|
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
|
||||||
|
echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
|
||||||
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
||||||
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
+ if [ -n ${NSS_POLICY_FILE} ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
+ if [ -n "${ADJUST_FOR_POLICY}" ] && [ ${EXP} -eq 0 ]; then
|
||||||
+ html_passed "Server never started"
|
+ html_passed "Server never started"
|
||||||
+ else
|
+ else
|
||||||
html_failed "Waiting for Server"
|
html_failed "Waiting for Server"
|
||||||
@ -49,12 +64,31 @@ diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
is_selfserv_alive
|
is_selfserv_alive
|
||||||
@@ -216,15 +233,16 @@ start_selfserv()
|
}
|
||||||
|
|
||||||
|
########################### kill_selfserv ##############################
|
||||||
|
# local shell function to kill the selfserver after the tests are done
|
||||||
|
########################################################################
|
||||||
|
@@ -208,28 +224,35 @@
|
||||||
|
[ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
|
||||||
|
ECC_OPTIONS="-e ${HOSTADDR}-ec"
|
||||||
|
else
|
||||||
|
ECC_OPTIONS=""
|
||||||
|
fi
|
||||||
|
if [ "$1" = "mixed" ]; then
|
||||||
|
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
|
||||||
|
fi
|
||||||
|
+
|
||||||
|
+ if [ -n "${ADJUST_FOR_POLICY}" ]; then
|
||||||
|
+ VMIN_OPT="-V tls1.0:"
|
||||||
|
+ else
|
||||||
|
+ VMIN_OPT=""
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
echo "selfserv starting at `date`"
|
echo "selfserv starting at `date`"
|
||||||
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
|
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
|
||||||
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
|
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
|
||||||
- echo " $verbose -H 1 &"
|
- echo " $verbose -H 1 &"
|
||||||
+ VMIN_OPT=[ -n ${NSS_POLICY_FILE} ] ? "-V ssl3:" : ""
|
|
||||||
+ echo " $verbose -H 1 ${VMIN_OPT} &"
|
+ echo " $verbose -H 1 ${VMIN_OPT} &"
|
||||||
if [ ${fileout} -eq 1 ]; then
|
if [ ${fileout} -eq 1 ]; then
|
||||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||||
@ -69,16 +103,30 @@ diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
|
|||||||
RET=$?
|
RET=$?
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -275,6 +293,12 @@ ssl_cov()
|
# The PID $! returned by the MKS or Cygwin shell is not the PID of
|
||||||
|
# the real background process, but rather the PID of a helper
|
||||||
|
# process (sh.exe). MKS's kill command has a bug: invoking kill
|
||||||
|
# on the helper process does not terminate the real background
|
||||||
|
# process. Our workaround has been to have selfserv save its PID
|
||||||
|
@@ -270,16 +293,21 @@
|
||||||
|
VMAX="tls1.1"
|
||||||
|
|
||||||
|
exec < ${SSLCOV}
|
||||||
|
while read ectype testmax param testname
|
||||||
|
do
|
||||||
echo "${testname}" | grep "EXPORT" > /dev/null
|
echo "${testname}" | grep "EXPORT" > /dev/null
|
||||||
EXP=$?
|
EXP=$?
|
||||||
|
|
||||||
+ # trace these types of tests when build has policy enabled
|
+ # trace these types of tests when build has policy enabled
|
||||||
+ if [ -n ${NSS_POLICY_FILE} ] &&
|
+ if [ -n "${ADJUST_FOR_POLICY}" ] && [ ${EXP} -eq 0 ]; then
|
||||||
+ [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ] || ${SSL3} -eq 0 ]]; then
|
+ echo "$testname has legacy ciphers"
|
||||||
+ echo "exp/ssl2/ssl3 test should fail: (NSS_NO_SSL2,EXP,SSL2,SSL3)=(${NSS_NO_SSL2},${EXP},${SSL2},${SSL3})"
|
|
||||||
+ fi
|
+ fi
|
||||||
+
|
+
|
||||||
if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
|
if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
|
||||||
echo "$SCRIPTNAME: skipping $testname (ECC only)"
|
echo "$SCRIPTNAME: skipping $testname (ECC only)"
|
||||||
elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$EXP" -eq 0 ] ; then
|
elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$EXP" -eq 0 ] ; then
|
||||||
|
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
||||||
|
elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
|
||||||
|
echo "$SCRIPTNAME: running $testname ----------------------------"
|
||||||
|
VMAX="ssl3"
|
||||||
|
if [ "$testmax" = "TLS10" ]; then
|
||||||
|
Loading…
Reference in New Issue
Block a user