summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMartin Thomson <martin.thomson@gmail.com>2016-04-22 16:42:53 +1000
committerMartin Thomson <martin.thomson@gmail.com>2016-04-22 16:42:53 +1000
commite19a94be9d54e3c8745825795358a568250b599b (patch)
tree9c925be3a0c1b6b7042bc2ed4c61012e45ad43ce
parent81780069e02170981c3317ed8ba3107dc0352f03 (diff)
downloadnss-hg-e19a94be9d54e3c8745825795358a568250b599b.tar.gz
Bug 1237514 - Fix test fixtures for ssl_gtests, r=franziskus
Diffstat
-rw-r--r--external_tests/ssl_gtest/ssl_extension_unittest.cc4
-rw-r--r--external_tests/ssl_gtest/ssl_loopback_unittest.cc77
-rw-r--r--external_tests/ssl_gtest/ssl_skip_unittest.cc6
-rw-r--r--external_tests/ssl_gtest/tls_agent.cc15
-rw-r--r--external_tests/ssl_gtest/tls_agent.h20
-rw-r--r--external_tests/ssl_gtest/tls_connect.cc24
-rw-r--r--external_tests/ssl_gtest/tls_connect.h10
-rw-r--r--lib/ssl/sslcert.c3
-rwxr-xr-xtests/ssl_gtests/ssl_gtests.sh78
9 files changed, 129 insertions, 108 deletions
diff --git a/external_tests/ssl_gtest/ssl_extension_unittest.cc b/external_tests/ssl_gtest/ssl_extension_unittest.cc
index a9e235e36..acbf6859f 100644
--- a/external_tests/ssl_gtest/ssl_extension_unittest.cc
+++ b/external_tests/ssl_gtest/ssl_extension_unittest.cc
@@ -555,7 +555,7 @@ TEST_P(TlsExtensionTestPre13, SignedCertificateTimestampsHandshake) {
server_->StartConnect();
ASSERT_EQ(SECSuccess,
SSL_SetSignedCertTimestamps(server_->ssl_fd(),
- &si_timestamps, server_->kea()));
+ &si_timestamps, ssl_kea_rsa));
client_->StartConnect();
ASSERT_EQ(SECSuccess,
@@ -577,7 +577,7 @@ TEST_P(TlsExtensionTestPre13, SignedCertificateTimestampsInactiveClient) {
server_->StartConnect();
ASSERT_EQ(SECSuccess,
SSL_SetSignedCertTimestamps(server_->ssl_fd(),
- &si_timestamps, server_->kea()));
+ &si_timestamps, ssl_kea_rsa));
client_->StartConnect();
diff --git a/external_tests/ssl_gtest/ssl_loopback_unittest.cc b/external_tests/ssl_gtest/ssl_loopback_unittest.cc
index a098d1203..41d0d6372 100644
--- a/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/external_tests/ssl_gtest/ssl_loopback_unittest.cc
@@ -122,16 +122,14 @@ TEST_P(TlsConnectGeneric, Connect) {
TEST_P(TlsConnectGeneric, ConnectEcdsa) {
SetExpectedVersion(std::get<1>(GetParam()));
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
}
TEST_P(TlsConnectGenericPre13, ConnectEcdh) {
SetExpectedVersion(std::get<1>(GetParam()));
- // ECDH_ cipher suites can use an ECDSA cert (NSS doesn't care that we
- // shouldn't, which this shamelessly exploits).
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdhEcdsa);
DisableDheAndEcdheCiphers();
EnableSomeEcdhCiphers();
@@ -139,6 +137,15 @@ TEST_P(TlsConnectGenericPre13, ConnectEcdh) {
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdh_ecdsa);
}
+TEST_P(TlsConnectGenericPre13, ConnectEcdhWithoutDisablingSuites) {
+ SetExpectedVersion(std::get<1>(GetParam()));
+ Reset(TlsAgent::kServerEcdhEcdsa);
+ EnableSomeEcdhCiphers();
+
+ Connect();
+ CheckKeys(ssl_kea_ecdh, ssl_auth_ecdh_ecdsa);
+}
+
TEST_P(TlsConnectStreamPre13, ConnectRC4) {
ConnectWithCipherSuite(TLS_RSA_WITH_RC4_128_SHA);
}
@@ -153,7 +160,7 @@ TEST_P(TlsConnectGenericPre13, ConnectResumed) {
ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
Connect();
- ResetRsa();
+ Reset();
ExpectResumption(RESUME_SESSIONID);
Connect();
}
@@ -163,7 +170,7 @@ TEST_P(TlsConnectGeneric, ConnectClientCacheDisabled) {
Connect();
SendReceive();
- ResetRsa();
+ Reset();
ExpectResumption(RESUME_NONE);
Connect();
SendReceive();
@@ -174,7 +181,7 @@ TEST_P(TlsConnectGeneric, ConnectServerCacheDisabled) {
Connect();
SendReceive();
- ResetRsa();
+ Reset();
ExpectResumption(RESUME_NONE);
Connect();
SendReceive();
@@ -185,7 +192,7 @@ TEST_P(TlsConnectGeneric, ConnectSessionCacheDisabled) {
Connect();
SendReceive();
- ResetRsa();
+ Reset();
ExpectResumption(RESUME_NONE);
Connect();
SendReceive();
@@ -197,7 +204,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeSupportBoth) {
Connect();
SendReceive();
- ResetRsa();
+ Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
ExpectResumption(RESUME_TICKET);
Connect();
@@ -211,7 +218,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientTicketServerBoth) {
Connect();
SendReceive();
- ResetRsa();
+ Reset();
ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH);
ExpectResumption(RESUME_NONE);
Connect();
@@ -224,7 +231,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicket) {
Connect();
SendReceive();
- ResetRsa();
+ Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
ExpectResumption(RESUME_TICKET);
Connect();
@@ -238,7 +245,7 @@ TEST_P(TlsConnectGenericPre13, ConnectResumeClientServerTicketOnly) {
Connect();
SendReceive();
- ResetRsa();
+ Reset();
ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
ExpectResumption(RESUME_NONE);
Connect();
@@ -250,7 +257,7 @@ TEST_P(TlsConnectGenericPre13, ConnectResumeClientBothServerNone) {
Connect();
SendReceive();
- ResetRsa();
+ Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_NONE);
ExpectResumption(RESUME_NONE);
Connect();
@@ -262,7 +269,7 @@ TEST_P(TlsConnectGenericPre13, ConnectResumeClientNoneServerBoth) {
Connect();
SendReceive();
- ResetRsa();
+ Reset();
ConfigureSessionCache(RESUME_NONE, RESUME_BOTH);
ExpectResumption(RESUME_NONE);
Connect();
@@ -279,7 +286,7 @@ TEST_P(TlsConnectGenericPre13, ConnectResumeWithHigherVersion) {
SSL_LIBRARY_VERSION_TLS_1_1);
Connect();
- ResetRsa();
+ Reset();
EnsureTlsSetup();
SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_2);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
@@ -296,7 +303,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicketForget) {
Connect();
SendReceive();
- ResetRsa();
+ Reset();
ClearServerCache();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
ExpectResumption(RESUME_NONE);
@@ -318,7 +325,7 @@ TEST_P(TlsConnectGeneric, ServerSNICertSwitch) {
Connect();
ScopedCERTCertificate cert1(SSL_PeerCertificate(client_->ssl_fd()));
- ResetRsa();
+ Reset();
EnsureTlsSetup();
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
@@ -331,11 +338,11 @@ TEST_P(TlsConnectGeneric, ServerSNICertSwitch) {
}
TEST_P(TlsConnectGeneric, ServerSNICertTypeSwitch) {
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
Connect();
ScopedCERTCertificate cert1(SSL_PeerCertificate(client_->ssl_fd()));
- ResetEcdsa();
+ Reset();
EnsureTlsSetup();
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
@@ -374,7 +381,7 @@ TEST_P(TlsConnectGeneric, ClientAuthRequestedRejected) {
TEST_P(TlsConnectGeneric, ClientAuthEcdsa) {
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
@@ -401,7 +408,7 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmServerAuth) {
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
Connect();
}
@@ -415,7 +422,7 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) {
};
client_->SetSignatureAlgorithms(clientAlgorithms,
PR_ARRAY_SIZE(clientAlgorithms));
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
Connect();
}
@@ -424,7 +431,7 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) {
TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
Connect();
}
@@ -450,7 +457,7 @@ TEST_P(TlsConnectGenericPre13, ConnectStaticRSA) {
// Signature algorithms governs both verification and generation of signatures.
// With ECDSA, we need to at least have a common signature algorithm configured.
TEST_P(TlsConnectTls12, SignatureAlgorithmNoOverlapEcdsa) {
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha256,
@@ -460,7 +467,7 @@ TEST_P(TlsConnectTls12, SignatureAlgorithmNoOverlapEcdsa) {
// Pre 1.2, a mismatch on signature algorithms shouldn't affect anything.
TEST_P(TlsConnectPre12, SignatureAlgorithmNoOverlapEcdsa) {
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha256,
@@ -639,7 +646,7 @@ TEST_P(TlsConnectGenericPre13, ConnectEcdheTwiceReuseKey) {
EXPECT_TRUE(dhe1.Parse(i1->buffer()));
// Restart
- ResetRsa();
+ Reset();
TlsInspectorRecordHandshakeMessage* i2 =
new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
server_->SetPacketFilter(i2);
@@ -671,7 +678,7 @@ TEST_P(TlsConnectGenericPre13, ConnectEcdheTwiceNewKey) {
EXPECT_TRUE(dhe1.Parse(i1->buffer()));
// Restart
- ResetRsa();
+ Reset();
server_->EnsureTlsSetup();
rv = SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
EXPECT_EQ(SECSuccess, rv);
@@ -705,7 +712,7 @@ TEST_P(TlsChaCha20Poly1305Test, SendReceiveChaCha20Poly1305EcdheRsa) {
}
TEST_P(TlsChaCha20Poly1305Test, SendReceiveChaCha20Poly1305EcdheEcdsa) {
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
ConnectWithCipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
}
@@ -750,7 +757,7 @@ TEST_P(TlsConnectStream, ShortRead) {
TEST_P(TlsConnectGenericPre13, ConnectExtendedMasterSecret) {
EnableExtendedMasterSecret();
Connect();
- ResetRsa();
+ Reset();
ExpectResumption(RESUME_SESSIONID);
EnableExtendedMasterSecret();
Connect();
@@ -805,7 +812,7 @@ TEST_P(TlsConnectGenericPre13, ConnectExtendedMasterSecretECDHE) {
EnableExtendedMasterSecret();
Connect();
- ResetRsa();
+ Reset();
EnableExtendedMasterSecret();
ExpectResumption(RESUME_SESSIONID);
Connect();
@@ -816,7 +823,7 @@ TEST_P(TlsConnectGenericPre13, ConnectExtendedMasterSecretTicket) {
EnableExtendedMasterSecret();
Connect();
- ResetRsa();
+ Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
EnableExtendedMasterSecret();
@@ -843,7 +850,7 @@ TEST_P(TlsConnectGenericPre13,
EnableExtendedMasterSecret();
Connect();
- ResetRsa();
+ Reset();
server_->EnableExtendedMasterSecret();
auto alert_recorder = new TlsAlertRecorder();
server_->SetPacketFilter(alert_recorder);
@@ -858,7 +865,7 @@ TEST_P(TlsConnectGenericPre13,
ExpectExtendedMasterSecret(false);
Connect();
- ResetRsa();
+ Reset();
EnableExtendedMasterSecret();
ExpectResumption(RESUME_NONE);
Connect();
@@ -1000,7 +1007,7 @@ TEST_F(TlsConnectTest, TestTls13ResumptionTwice) {
uint16_t original_suite;
EXPECT_TRUE(client_->cipher_suite(&original_suite));
- ResetRsa();
+ Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
TlsExtensionCapture *c1 =
new TlsExtensionCapture(kTlsExtensionPreSharedKey);
@@ -1016,7 +1023,7 @@ TEST_F(TlsConnectTest, TestTls13ResumptionTwice) {
ASSERT_GE(psk1.len(), 0UL);
ASSERT_TRUE(!!client_->peer_cert());
- ResetRsa();
+ Reset();
ClearStats();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
TlsExtensionCapture *c2 =
diff --git a/external_tests/ssl_gtest/ssl_skip_unittest.cc b/external_tests/ssl_gtest/ssl_skip_unittest.cc
index 86d019da7..1730510ac 100644
--- a/external_tests/ssl_gtest/ssl_skip_unittest.cc
+++ b/external_tests/ssl_gtest/ssl_skip_unittest.cc
@@ -120,7 +120,7 @@ TEST_P(TlsSkipTest, SkipCertificateEcdhe) {
}
TEST_P(TlsSkipTest, SkipCertificateEcdsa) {
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate));
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
}
@@ -131,7 +131,7 @@ TEST_P(TlsSkipTest, SkipServerKeyExchange) {
}
TEST_P(TlsSkipTest, SkipServerKeyExchangeEcdsa) {
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeServerKeyExchange));
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
}
@@ -145,7 +145,7 @@ TEST_P(TlsSkipTest, SkipCertAndKeyExch) {
}
TEST_P(TlsSkipTest, SkipCertAndKeyExchEcdsa) {
- ResetEcdsa();
+ Reset(TlsAgent::kServerEcdsa);
auto chain = new ChainedPacketFilter();
chain->Add(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate));
chain->Add(new TlsHandshakeSkipFilter(kTlsHandshakeServerKeyExchange));
diff --git a/external_tests/ssl_gtest/tls_agent.cc b/external_tests/ssl_gtest/tls_agent.cc
index bb9afbd2a..2afd3cf92 100644
--- a/external_tests/ssl_gtest/tls_agent.cc
+++ b/external_tests/ssl_gtest/tls_agent.cc
@@ -27,10 +27,17 @@ namespace nss_test {
const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
-TlsAgent::TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea)
+const std::string TlsAgent::kClient = "client"; // both sign and encrypt
+const std::string TlsAgent::kServerRsa = "rsa"; // both sign and encrypt
+const std::string TlsAgent::kServerRsaSign = "rsa_sign";
+const std::string TlsAgent::kServerRsaDecrypt = "rsa_decrypt";
+const std::string TlsAgent::kServerEcdsa = "ecdsa";
+const std::string TlsAgent::kServerEcdhRsa = "ecdh_rsa"; // not supported yet
+const std::string TlsAgent::kServerEcdhEcdsa = "ecdh_ecdsa";
+
+TlsAgent::TlsAgent(const std::string& name, Role role, Mode mode)
: name_(name),
mode_(mode),
- kea_(kea),
server_key_bits_(0),
pr_fd_(nullptr),
adapter_(nullptr),
@@ -694,8 +701,8 @@ static const std::string kTlsRolesAllArr[] = {"CLIENT", "SERVER"};
void TlsAgentTestBase::Init() {
agent_ = new TlsAgent(
- role_ == TlsAgent::CLIENT ? "client" : "server",
- role_, mode_, kea_);
+ role_ == TlsAgent::CLIENT ? TlsAgent::kClient : TlsAgent::kServerRsa,
+ role_, mode_);
agent_->Init();
fd_ = DummyPrSocket::CreateFD("dummy", mode_);
agent_->adapter()->SetPeer(
diff --git a/external_tests/ssl_gtest/tls_agent.h b/external_tests/ssl_gtest/tls_agent.h
index e1b524eeb..5bc41e99a 100644
--- a/external_tests/ssl_gtest/tls_agent.h
+++ b/external_tests/ssl_gtest/tls_agent.h
@@ -49,7 +49,15 @@ class TlsAgent : public PollTarget {
enum Role { CLIENT, SERVER };
enum State { STATE_INIT, STATE_CONNECTING, STATE_CONNECTED, STATE_ERROR };
- TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea);
+ static const std::string kClient; // the client key is sign only
+ static const std::string kServerRsa; // both sign and encrypt
+ static const std::string kServerRsaSign;
+ static const std::string kServerRsaDecrypt;
+ static const std::string kServerEcdsa;
+ static const std::string kServerEcdhEcdsa;
+ static const std::string kServerEcdhRsa; // not supported yet
+
+ TlsAgent(const std::string& name, Role role, Mode mode);
virtual ~TlsAgent();
bool Init() {
@@ -126,8 +134,6 @@ class TlsAgent : public PollTarget {
State state() const { return state_; }
- SSLKEAType kea() const { return kea_; }
-
const CERTCertificate* peer_cert() const {
return SSL_PeerCertificate(ssl_fd_);
}
@@ -286,7 +292,6 @@ class TlsAgent : public PollTarget {
const std::string name_;
Mode mode_;
- SSLKEAType kea_;
uint16_t server_key_bits_;
PRFileDesc* pr_fd_;
DummyPrSocket* adapter_;
@@ -321,10 +326,9 @@ class TlsAgentTestBase : public ::testing::Test {
TlsAgentTestBase(TlsAgent::Role role,
Mode mode) : agent_(nullptr),
- fd_(nullptr),
- role_(role),
- mode_(mode),
- kea_(ssl_kea_rsa) {}
+ fd_(nullptr),
+ role_(role),
+ mode_(mode) {}
~TlsAgentTestBase() {
delete agent_;
if (fd_) {
diff --git a/external_tests/ssl_gtest/tls_connect.cc b/external_tests/ssl_gtest/tls_connect.cc
index ff3cbe45b..97c42e8ad 100644
--- a/external_tests/ssl_gtest/tls_connect.cc
+++ b/external_tests/ssl_gtest/tls_connect.cc
@@ -105,8 +105,8 @@ static std::string VersionString(uint16_t version) {
TlsConnectTestBase::TlsConnectTestBase(Mode mode, uint16_t version)
: mode_(mode),
- client_(new TlsAgent("client", TlsAgent::CLIENT, mode_, ssl_kea_rsa)),
- server_(new TlsAgent("server", TlsAgent::SERVER, mode_, ssl_kea_rsa)),
+ client_(new TlsAgent(TlsAgent::kClient, TlsAgent::CLIENT, mode_)),
+ server_(new TlsAgent(TlsAgent::kServerRsa, TlsAgent::SERVER, mode_)),
version_(version),
expected_resumption_mode_(RESUME_NONE),
session_ids_(),
@@ -164,24 +164,22 @@ void TlsConnectTestBase::Init() {
}
}
-void TlsConnectTestBase::Reset(const std::string& server_name, SSLKEAType kea) {
+void TlsConnectTestBase::Reset() {
+ // Take a copy of the name because it's about to disappear.
+ std::string name = server_->name();
+ Reset(name);
+}
+
+void TlsConnectTestBase::Reset(const std::string& server_name) {
delete client_;
delete server_;
- client_ = new TlsAgent("client", TlsAgent::CLIENT, mode_, kea);
- server_ = new TlsAgent(server_name, TlsAgent::SERVER, mode_, kea);
+ client_ = new TlsAgent(TlsAgent::kClient, TlsAgent::CLIENT, mode_);
+ server_ = new TlsAgent(server_name, TlsAgent::SERVER, mode_);
Init();
}
-void TlsConnectTestBase::ResetRsa() {
- Reset("server", ssl_kea_rsa);
-}
-
-void TlsConnectTestBase::ResetEcdsa() {
- Reset("ecdsa", ssl_kea_ecdh);
-}
-
void TlsConnectTestBase::ExpectResumption(SessionResumptionMode expected) {
expected_resumption_mode_ = expected;
if (expected != RESUME_NONE) {
diff --git a/external_tests/ssl_gtest/tls_connect.h b/external_tests/ssl_gtest/tls_connect.h
index 70b6c9ba9..98645aada 100644
--- a/external_tests/ssl_gtest/tls_connect.h
+++ b/external_tests/ssl_gtest/tls_connect.h
@@ -50,13 +50,12 @@ class TlsConnectTestBase : public ::testing::Test {
void ClearStats();
// Clear the server session cache.
void ClearServerCache();
- // Re-initialize client and server with the default RSA cert.
- void ResetRsa();
- // Re-initialize client and server with an ECDSA cert on the server
- // and some ECDHE suites.
- void ResetEcdsa();
// Make sure TLS is configured for a connection.
void EnsureTlsSetup();
+ // Reset
+ void Reset();
+ // Reset, and update the server name
+ void Reset(const std::string& server_name);
// Run the handshake.
void Handshake();
@@ -95,7 +94,6 @@ class TlsConnectTestBase : public ::testing::Test {
std::vector<std::vector<uint8_t>> session_ids_;
private:
- void Reset(const std::string& server_name, SSLKEAType kea);
void CheckResumption(SessionResumptionMode expected);
void CheckExtendedMasterSecret();
diff --git a/lib/ssl/sslcert.c b/lib/ssl/sslcert.c
index a1f0ca74d..7fc887660 100644
--- a/lib/ssl/sslcert.c
+++ b/lib/ssl/sslcert.c
@@ -140,7 +140,8 @@ SECStatus
ssl_OneTimeCertSetup(sslSocket *ss, const sslServerCert *sc)
{
/* Generate a step-down RSA key. */
- if (sc->certType.authType == ssl_auth_rsa_sign && sc->serverKeyBits > 512 &&
+ if (sc->certType.authType == ssl_auth_rsa_decrypt &&
+ sc->serverKeyBits > 512 &&
!ss->opt.noStepDown && !ss->stepDownKeyPair) {
if (ssl3_CreateRSAStepDownKeys(ss) != SECSuccess) {
return SECFailure;
diff --git a/tests/ssl_gtests/ssl_gtests.sh b/tests/ssl_gtests/ssl_gtests.sh
index 0197029bd..3af562d66 100755
--- a/tests/ssl_gtests/ssl_gtests.sh
+++ b/tests/ssl_gtests/ssl_gtests.sh
@@ -18,6 +18,40 @@
# NOTE .... unexpected behavior
#
########################################################################
+
+# Generate input to certutil
+certscript() {
+ while [ $# -gt 0 ]; do
+ case $1 in
+ sign) echo 0 ;;
+ kex) echo 2 ;;
+ esac; shift
+ done;
+ echo 9
+ echo n
+ echo n
+ echo
+ echo n
+}
+
+# $1: name
+# $2: type
+# $3+: usages: sign or kex
+make_cert() {
+ name=$1
+ type=$2
+ case $type in
+ rsa) type_args='-g 1024' ;;
+ ec) type_args='-q nistp256' ;;
+ esac
+ shift 2
+ certscript $@ | ${BINDIR}/certutil -S \
+ -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
+ -n $name -s "CN=$name" -t C,C,C -x -m 1 -w -2 -v 120 \
+ -k $type $type_args -Z SHA256 -1 -2
+ html_msg $? 0 "create certificate: $@"
+}
+
ssl_gtest_certs() {
mkdir -p "${SSLGTESTDIR}"
cd "${SSLGTESTDIR}"
@@ -30,42 +64,14 @@ ssl_gtest_certs() {
${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
html_msg $? 0 "create ssl_gtest database"
- ${BINDIR}/certutil -S -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
- -n server -s "CN=server" -t C,C,C -x -m 1 -w -2 -v 120 \
- -k rsa -g 1024 -Z SHA256 -1 -2 <<CERTSCRIPT
-0
-2
-9
-n
-n
-
-n
-CERTSCRIPT
- html_msg $? 0 "create ssl_gtest server certificate"
-
- ${BINDIR}/certutil -S -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
- -n client -s "CN=client" -t C,C,C -x -m 1 -w -2 -v 120 \
- -k rsa -g 1024 -Z SHA256 -1 -2 <<CERTSCRIPT
-0
-9
-n
-n
-
-n
-CERTSCRIPT
- html_msg $? 0 "create ssl_gtest client certificate"
-
- ${BINDIR}/certutil -S -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
- -n ecdsa -s "CN=ecdsa" -t C,C,C -x -m 1 -w -2 -v 120 \
- -k ec -q nistp256 -Z SHA256 -1 -2 <<CERTSCRIPT
-0
-9
-n
-n
-
-n
-CERTSCRIPT
- html_msg $? 0 "create ssl_gtest ECDSA certificate"
+ make_cert client rsa sign
+ # Server certs are named by type
+ make_cert rsa rsa sign kex
+ make_cert rsa_sign rsa sign
+ make_cert rsa_decrypt rsa kex
+ make_cert ecdsa ec sign
+ make_cert ecdh_ecdsa ec kex
+ # TODO ecdh_rsa
}
############################## ssl_gtest_init ##########################
View Lorry Controller Status