diff options
author | Martin Thomson <martin.thomson@gmail.com> | 2016-04-22 16:42:53 +1000 |
---|---|---|
committer | Martin Thomson <martin.thomson@gmail.com> | 2016-04-22 16:42:53 +1000 |
commit | e19a94be9d54e3c8745825795358a568250b599b (patch) | |
tree | 9c925be3a0c1b6b7042bc2ed4c61012e45ad43ce | |
parent | 81780069e02170981c3317ed8ba3107dc0352f03 (diff) | |
download | nss-hg-e19a94be9d54e3c8745825795358a568250b599b.tar.gz |
Bug 1237514 - Fix test fixtures for ssl_gtests, r=franziskus
-rw-r--r-- | external_tests/ssl_gtest/ssl_extension_unittest.cc | 4 | ||||
-rw-r--r-- | external_tests/ssl_gtest/ssl_loopback_unittest.cc | 77 | ||||
-rw-r--r-- | external_tests/ssl_gtest/ssl_skip_unittest.cc | 6 | ||||
-rw-r--r-- | external_tests/ssl_gtest/tls_agent.cc | 15 | ||||
-rw-r--r-- | external_tests/ssl_gtest/tls_agent.h | 20 | ||||
-rw-r--r-- | external_tests/ssl_gtest/tls_connect.cc | 24 | ||||
-rw-r--r-- | external_tests/ssl_gtest/tls_connect.h | 10 | ||||
-rw-r--r-- | lib/ssl/sslcert.c | 3 | ||||
-rwxr-xr-x | tests/ssl_gtests/ssl_gtests.sh | 78 |
9 files changed, 129 insertions, 108 deletions
diff --git a/external_tests/ssl_gtest/ssl_extension_unittest.cc b/external_tests/ssl_gtest/ssl_extension_unittest.cc index a9e235e36..acbf6859f 100644 --- a/external_tests/ssl_gtest/ssl_extension_unittest.cc +++ b/external_tests/ssl_gtest/ssl_extension_unittest.cc @@ -555,7 +555,7 @@ TEST_P(TlsExtensionTestPre13, SignedCertificateTimestampsHandshake) { server_->StartConnect(); ASSERT_EQ(SECSuccess, SSL_SetSignedCertTimestamps(server_->ssl_fd(), - &si_timestamps, server_->kea())); + &si_timestamps, ssl_kea_rsa)); client_->StartConnect(); ASSERT_EQ(SECSuccess, @@ -577,7 +577,7 @@ TEST_P(TlsExtensionTestPre13, SignedCertificateTimestampsInactiveClient) { server_->StartConnect(); ASSERT_EQ(SECSuccess, SSL_SetSignedCertTimestamps(server_->ssl_fd(), - &si_timestamps, server_->kea())); + &si_timestamps, ssl_kea_rsa)); client_->StartConnect(); diff --git a/external_tests/ssl_gtest/ssl_loopback_unittest.cc b/external_tests/ssl_gtest/ssl_loopback_unittest.cc index a098d1203..41d0d6372 100644 --- a/external_tests/ssl_gtest/ssl_loopback_unittest.cc +++ b/external_tests/ssl_gtest/ssl_loopback_unittest.cc @@ -122,16 +122,14 @@ TEST_P(TlsConnectGeneric, Connect) { TEST_P(TlsConnectGeneric, ConnectEcdsa) { SetExpectedVersion(std::get<1>(GetParam())); - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); Connect(); CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa); } TEST_P(TlsConnectGenericPre13, ConnectEcdh) { SetExpectedVersion(std::get<1>(GetParam())); - // ECDH_ cipher suites can use an ECDSA cert (NSS doesn't care that we - // shouldn't, which this shamelessly exploits). - ResetEcdsa(); + Reset(TlsAgent::kServerEcdhEcdsa); DisableDheAndEcdheCiphers(); EnableSomeEcdhCiphers(); @@ -139,6 +137,15 @@ TEST_P(TlsConnectGenericPre13, ConnectEcdh) { CheckKeys(ssl_kea_ecdh, ssl_auth_ecdh_ecdsa); } +TEST_P(TlsConnectGenericPre13, ConnectEcdhWithoutDisablingSuites) { + SetExpectedVersion(std::get<1>(GetParam())); + Reset(TlsAgent::kServerEcdhEcdsa); + EnableSomeEcdhCiphers(); + + Connect(); + CheckKeys(ssl_kea_ecdh, ssl_auth_ecdh_ecdsa); +} + TEST_P(TlsConnectStreamPre13, ConnectRC4) { ConnectWithCipherSuite(TLS_RSA_WITH_RC4_128_SHA); } @@ -153,7 +160,7 @@ TEST_P(TlsConnectGenericPre13, ConnectResumed) { ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID); Connect(); - ResetRsa(); + Reset(); ExpectResumption(RESUME_SESSIONID); Connect(); } @@ -163,7 +170,7 @@ TEST_P(TlsConnectGeneric, ConnectClientCacheDisabled) { Connect(); SendReceive(); - ResetRsa(); + Reset(); ExpectResumption(RESUME_NONE); Connect(); SendReceive(); @@ -174,7 +181,7 @@ TEST_P(TlsConnectGeneric, ConnectServerCacheDisabled) { Connect(); SendReceive(); - ResetRsa(); + Reset(); ExpectResumption(RESUME_NONE); Connect(); SendReceive(); @@ -185,7 +192,7 @@ TEST_P(TlsConnectGeneric, ConnectSessionCacheDisabled) { Connect(); SendReceive(); - ResetRsa(); + Reset(); ExpectResumption(RESUME_NONE); Connect(); SendReceive(); @@ -197,7 +204,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeSupportBoth) { Connect(); SendReceive(); - ResetRsa(); + Reset(); ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); ExpectResumption(RESUME_TICKET); Connect(); @@ -211,7 +218,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientTicketServerBoth) { Connect(); SendReceive(); - ResetRsa(); + Reset(); ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH); ExpectResumption(RESUME_NONE); Connect(); @@ -224,7 +231,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicket) { Connect(); SendReceive(); - ResetRsa(); + Reset(); ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); ExpectResumption(RESUME_TICKET); Connect(); @@ -238,7 +245,7 @@ TEST_P(TlsConnectGenericPre13, ConnectResumeClientServerTicketOnly) { Connect(); SendReceive(); - ResetRsa(); + Reset(); ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET); ExpectResumption(RESUME_NONE); Connect(); @@ -250,7 +257,7 @@ TEST_P(TlsConnectGenericPre13, ConnectResumeClientBothServerNone) { Connect(); SendReceive(); - ResetRsa(); + Reset(); ConfigureSessionCache(RESUME_BOTH, RESUME_NONE); ExpectResumption(RESUME_NONE); Connect(); @@ -262,7 +269,7 @@ TEST_P(TlsConnectGenericPre13, ConnectResumeClientNoneServerBoth) { Connect(); SendReceive(); - ResetRsa(); + Reset(); ConfigureSessionCache(RESUME_NONE, RESUME_BOTH); ExpectResumption(RESUME_NONE); Connect(); @@ -279,7 +286,7 @@ TEST_P(TlsConnectGenericPre13, ConnectResumeWithHigherVersion) { SSL_LIBRARY_VERSION_TLS_1_1); Connect(); - ResetRsa(); + Reset(); EnsureTlsSetup(); SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_2); client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1, @@ -296,7 +303,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicketForget) { Connect(); SendReceive(); - ResetRsa(); + Reset(); ClearServerCache(); ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); ExpectResumption(RESUME_NONE); @@ -318,7 +325,7 @@ TEST_P(TlsConnectGeneric, ServerSNICertSwitch) { Connect(); ScopedCERTCertificate cert1(SSL_PeerCertificate(client_->ssl_fd())); - ResetRsa(); + Reset(); EnsureTlsSetup(); ConfigureSessionCache(RESUME_NONE, RESUME_NONE); @@ -331,11 +338,11 @@ TEST_P(TlsConnectGeneric, ServerSNICertSwitch) { } TEST_P(TlsConnectGeneric, ServerSNICertTypeSwitch) { - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); Connect(); ScopedCERTCertificate cert1(SSL_PeerCertificate(client_->ssl_fd())); - ResetEcdsa(); + Reset(); EnsureTlsSetup(); ConfigureSessionCache(RESUME_NONE, RESUME_NONE); @@ -374,7 +381,7 @@ TEST_P(TlsConnectGeneric, ClientAuthRequestedRejected) { TEST_P(TlsConnectGeneric, ClientAuthEcdsa) { - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); client_->SetupClientAuth(); server_->RequestClientAuth(true); Connect(); @@ -401,7 +408,7 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmServerAuth) { PR_ARRAY_SIZE(SignatureEcdsaSha384)); server_->SetSignatureAlgorithms(SignatureEcdsaSha384, PR_ARRAY_SIZE(SignatureEcdsaSha384)); - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); Connect(); } @@ -415,7 +422,7 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) { }; client_->SetSignatureAlgorithms(clientAlgorithms, PR_ARRAY_SIZE(clientAlgorithms)); - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); Connect(); } @@ -424,7 +431,7 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) { TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) { server_->SetSignatureAlgorithms(SignatureEcdsaSha384, PR_ARRAY_SIZE(SignatureEcdsaSha384)); - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); Connect(); } @@ -450,7 +457,7 @@ TEST_P(TlsConnectGenericPre13, ConnectStaticRSA) { // Signature algorithms governs both verification and generation of signatures. // With ECDSA, we need to at least have a common signature algorithm configured. TEST_P(TlsConnectTls12, SignatureAlgorithmNoOverlapEcdsa) { - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); client_->SetSignatureAlgorithms(SignatureEcdsaSha384, PR_ARRAY_SIZE(SignatureEcdsaSha384)); server_->SetSignatureAlgorithms(SignatureEcdsaSha256, @@ -460,7 +467,7 @@ TEST_P(TlsConnectTls12, SignatureAlgorithmNoOverlapEcdsa) { // Pre 1.2, a mismatch on signature algorithms shouldn't affect anything. TEST_P(TlsConnectPre12, SignatureAlgorithmNoOverlapEcdsa) { - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); client_->SetSignatureAlgorithms(SignatureEcdsaSha384, PR_ARRAY_SIZE(SignatureEcdsaSha384)); server_->SetSignatureAlgorithms(SignatureEcdsaSha256, @@ -639,7 +646,7 @@ TEST_P(TlsConnectGenericPre13, ConnectEcdheTwiceReuseKey) { EXPECT_TRUE(dhe1.Parse(i1->buffer())); // Restart - ResetRsa(); + Reset(); TlsInspectorRecordHandshakeMessage* i2 = new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange); server_->SetPacketFilter(i2); @@ -671,7 +678,7 @@ TEST_P(TlsConnectGenericPre13, ConnectEcdheTwiceNewKey) { EXPECT_TRUE(dhe1.Parse(i1->buffer())); // Restart - ResetRsa(); + Reset(); server_->EnsureTlsSetup(); rv = SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE); EXPECT_EQ(SECSuccess, rv); @@ -705,7 +712,7 @@ TEST_P(TlsChaCha20Poly1305Test, SendReceiveChaCha20Poly1305EcdheRsa) { } TEST_P(TlsChaCha20Poly1305Test, SendReceiveChaCha20Poly1305EcdheEcdsa) { - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); ConnectWithCipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); } @@ -750,7 +757,7 @@ TEST_P(TlsConnectStream, ShortRead) { TEST_P(TlsConnectGenericPre13, ConnectExtendedMasterSecret) { EnableExtendedMasterSecret(); Connect(); - ResetRsa(); + Reset(); ExpectResumption(RESUME_SESSIONID); EnableExtendedMasterSecret(); Connect(); @@ -805,7 +812,7 @@ TEST_P(TlsConnectGenericPre13, ConnectExtendedMasterSecretECDHE) { EnableExtendedMasterSecret(); Connect(); - ResetRsa(); + Reset(); EnableExtendedMasterSecret(); ExpectResumption(RESUME_SESSIONID); Connect(); @@ -816,7 +823,7 @@ TEST_P(TlsConnectGenericPre13, ConnectExtendedMasterSecretTicket) { EnableExtendedMasterSecret(); Connect(); - ResetRsa(); + Reset(); ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); EnableExtendedMasterSecret(); @@ -843,7 +850,7 @@ TEST_P(TlsConnectGenericPre13, EnableExtendedMasterSecret(); Connect(); - ResetRsa(); + Reset(); server_->EnableExtendedMasterSecret(); auto alert_recorder = new TlsAlertRecorder(); server_->SetPacketFilter(alert_recorder); @@ -858,7 +865,7 @@ TEST_P(TlsConnectGenericPre13, ExpectExtendedMasterSecret(false); Connect(); - ResetRsa(); + Reset(); EnableExtendedMasterSecret(); ExpectResumption(RESUME_NONE); Connect(); @@ -1000,7 +1007,7 @@ TEST_F(TlsConnectTest, TestTls13ResumptionTwice) { uint16_t original_suite; EXPECT_TRUE(client_->cipher_suite(&original_suite)); - ResetRsa(); + Reset(); ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); TlsExtensionCapture *c1 = new TlsExtensionCapture(kTlsExtensionPreSharedKey); @@ -1016,7 +1023,7 @@ TEST_F(TlsConnectTest, TestTls13ResumptionTwice) { ASSERT_GE(psk1.len(), 0UL); ASSERT_TRUE(!!client_->peer_cert()); - ResetRsa(); + Reset(); ClearStats(); ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); TlsExtensionCapture *c2 = diff --git a/external_tests/ssl_gtest/ssl_skip_unittest.cc b/external_tests/ssl_gtest/ssl_skip_unittest.cc index 86d019da7..1730510ac 100644 --- a/external_tests/ssl_gtest/ssl_skip_unittest.cc +++ b/external_tests/ssl_gtest/ssl_skip_unittest.cc @@ -120,7 +120,7 @@ TEST_P(TlsSkipTest, SkipCertificateEcdhe) { } TEST_P(TlsSkipTest, SkipCertificateEcdsa) { - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate)); client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH); } @@ -131,7 +131,7 @@ TEST_P(TlsSkipTest, SkipServerKeyExchange) { } TEST_P(TlsSkipTest, SkipServerKeyExchangeEcdsa) { - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeServerKeyExchange)); client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); } @@ -145,7 +145,7 @@ TEST_P(TlsSkipTest, SkipCertAndKeyExch) { } TEST_P(TlsSkipTest, SkipCertAndKeyExchEcdsa) { - ResetEcdsa(); + Reset(TlsAgent::kServerEcdsa); auto chain = new ChainedPacketFilter(); chain->Add(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate)); chain->Add(new TlsHandshakeSkipFilter(kTlsHandshakeServerKeyExchange)); diff --git a/external_tests/ssl_gtest/tls_agent.cc b/external_tests/ssl_gtest/tls_agent.cc index bb9afbd2a..2afd3cf92 100644 --- a/external_tests/ssl_gtest/tls_agent.cc +++ b/external_tests/ssl_gtest/tls_agent.cc @@ -27,10 +27,17 @@ namespace nss_test { const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"}; -TlsAgent::TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea) +const std::string TlsAgent::kClient = "client"; // both sign and encrypt +const std::string TlsAgent::kServerRsa = "rsa"; // both sign and encrypt +const std::string TlsAgent::kServerRsaSign = "rsa_sign"; +const std::string TlsAgent::kServerRsaDecrypt = "rsa_decrypt"; +const std::string TlsAgent::kServerEcdsa = "ecdsa"; +const std::string TlsAgent::kServerEcdhRsa = "ecdh_rsa"; // not supported yet +const std::string TlsAgent::kServerEcdhEcdsa = "ecdh_ecdsa"; + +TlsAgent::TlsAgent(const std::string& name, Role role, Mode mode) : name_(name), mode_(mode), - kea_(kea), server_key_bits_(0), pr_fd_(nullptr), adapter_(nullptr), @@ -694,8 +701,8 @@ static const std::string kTlsRolesAllArr[] = {"CLIENT", "SERVER"}; void TlsAgentTestBase::Init() { agent_ = new TlsAgent( - role_ == TlsAgent::CLIENT ? "client" : "server", - role_, mode_, kea_); + role_ == TlsAgent::CLIENT ? TlsAgent::kClient : TlsAgent::kServerRsa, + role_, mode_); agent_->Init(); fd_ = DummyPrSocket::CreateFD("dummy", mode_); agent_->adapter()->SetPeer( diff --git a/external_tests/ssl_gtest/tls_agent.h b/external_tests/ssl_gtest/tls_agent.h index e1b524eeb..5bc41e99a 100644 --- a/external_tests/ssl_gtest/tls_agent.h +++ b/external_tests/ssl_gtest/tls_agent.h @@ -49,7 +49,15 @@ class TlsAgent : public PollTarget { enum Role { CLIENT, SERVER }; enum State { STATE_INIT, STATE_CONNECTING, STATE_CONNECTED, STATE_ERROR }; - TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea); + static const std::string kClient; // the client key is sign only + static const std::string kServerRsa; // both sign and encrypt + static const std::string kServerRsaSign; + static const std::string kServerRsaDecrypt; + static const std::string kServerEcdsa; + static const std::string kServerEcdhEcdsa; + static const std::string kServerEcdhRsa; // not supported yet + + TlsAgent(const std::string& name, Role role, Mode mode); virtual ~TlsAgent(); bool Init() { @@ -126,8 +134,6 @@ class TlsAgent : public PollTarget { State state() const { return state_; } - SSLKEAType kea() const { return kea_; } - const CERTCertificate* peer_cert() const { return SSL_PeerCertificate(ssl_fd_); } @@ -286,7 +292,6 @@ class TlsAgent : public PollTarget { const std::string name_; Mode mode_; - SSLKEAType kea_; uint16_t server_key_bits_; PRFileDesc* pr_fd_; DummyPrSocket* adapter_; @@ -321,10 +326,9 @@ class TlsAgentTestBase : public ::testing::Test { TlsAgentTestBase(TlsAgent::Role role, Mode mode) : agent_(nullptr), - fd_(nullptr), - role_(role), - mode_(mode), - kea_(ssl_kea_rsa) {} + fd_(nullptr), + role_(role), + mode_(mode) {} ~TlsAgentTestBase() { delete agent_; if (fd_) { diff --git a/external_tests/ssl_gtest/tls_connect.cc b/external_tests/ssl_gtest/tls_connect.cc index ff3cbe45b..97c42e8ad 100644 --- a/external_tests/ssl_gtest/tls_connect.cc +++ b/external_tests/ssl_gtest/tls_connect.cc @@ -105,8 +105,8 @@ static std::string VersionString(uint16_t version) { TlsConnectTestBase::TlsConnectTestBase(Mode mode, uint16_t version) : mode_(mode), - client_(new TlsAgent("client", TlsAgent::CLIENT, mode_, ssl_kea_rsa)), - server_(new TlsAgent("server", TlsAgent::SERVER, mode_, ssl_kea_rsa)), + client_(new TlsAgent(TlsAgent::kClient, TlsAgent::CLIENT, mode_)), + server_(new TlsAgent(TlsAgent::kServerRsa, TlsAgent::SERVER, mode_)), version_(version), expected_resumption_mode_(RESUME_NONE), session_ids_(), @@ -164,24 +164,22 @@ void TlsConnectTestBase::Init() { } } -void TlsConnectTestBase::Reset(const std::string& server_name, SSLKEAType kea) { +void TlsConnectTestBase::Reset() { + // Take a copy of the name because it's about to disappear. + std::string name = server_->name(); + Reset(name); +} + +void TlsConnectTestBase::Reset(const std::string& server_name) { delete client_; delete server_; - client_ = new TlsAgent("client", TlsAgent::CLIENT, mode_, kea); - server_ = new TlsAgent(server_name, TlsAgent::SERVER, mode_, kea); + client_ = new TlsAgent(TlsAgent::kClient, TlsAgent::CLIENT, mode_); + server_ = new TlsAgent(server_name, TlsAgent::SERVER, mode_); Init(); } -void TlsConnectTestBase::ResetRsa() { - Reset("server", ssl_kea_rsa); -} - -void TlsConnectTestBase::ResetEcdsa() { - Reset("ecdsa", ssl_kea_ecdh); -} - void TlsConnectTestBase::ExpectResumption(SessionResumptionMode expected) { expected_resumption_mode_ = expected; if (expected != RESUME_NONE) { diff --git a/external_tests/ssl_gtest/tls_connect.h b/external_tests/ssl_gtest/tls_connect.h index 70b6c9ba9..98645aada 100644 --- a/external_tests/ssl_gtest/tls_connect.h +++ b/external_tests/ssl_gtest/tls_connect.h @@ -50,13 +50,12 @@ class TlsConnectTestBase : public ::testing::Test { void ClearStats(); // Clear the server session cache. void ClearServerCache(); - // Re-initialize client and server with the default RSA cert. - void ResetRsa(); - // Re-initialize client and server with an ECDSA cert on the server - // and some ECDHE suites. - void ResetEcdsa(); // Make sure TLS is configured for a connection. void EnsureTlsSetup(); + // Reset + void Reset(); + // Reset, and update the server name + void Reset(const std::string& server_name); // Run the handshake. void Handshake(); @@ -95,7 +94,6 @@ class TlsConnectTestBase : public ::testing::Test { std::vector<std::vector<uint8_t>> session_ids_; private: - void Reset(const std::string& server_name, SSLKEAType kea); void CheckResumption(SessionResumptionMode expected); void CheckExtendedMasterSecret(); diff --git a/lib/ssl/sslcert.c b/lib/ssl/sslcert.c index a1f0ca74d..7fc887660 100644 --- a/lib/ssl/sslcert.c +++ b/lib/ssl/sslcert.c @@ -140,7 +140,8 @@ SECStatus ssl_OneTimeCertSetup(sslSocket *ss, const sslServerCert *sc) { /* Generate a step-down RSA key. */ - if (sc->certType.authType == ssl_auth_rsa_sign && sc->serverKeyBits > 512 && + if (sc->certType.authType == ssl_auth_rsa_decrypt && + sc->serverKeyBits > 512 && !ss->opt.noStepDown && !ss->stepDownKeyPair) { if (ssl3_CreateRSAStepDownKeys(ss) != SECSuccess) { return SECFailure; diff --git a/tests/ssl_gtests/ssl_gtests.sh b/tests/ssl_gtests/ssl_gtests.sh index 0197029bd..3af562d66 100755 --- a/tests/ssl_gtests/ssl_gtests.sh +++ b/tests/ssl_gtests/ssl_gtests.sh @@ -18,6 +18,40 @@ # NOTE .... unexpected behavior # ######################################################################## + +# Generate input to certutil +certscript() { + while [ $# -gt 0 ]; do + case $1 in + sign) echo 0 ;; + kex) echo 2 ;; + esac; shift + done; + echo 9 + echo n + echo n + echo + echo n +} + +# $1: name +# $2: type +# $3+: usages: sign or kex +make_cert() { + name=$1 + type=$2 + case $type in + rsa) type_args='-g 1024' ;; + ec) type_args='-q nistp256' ;; + esac + shift 2 + certscript $@ | ${BINDIR}/certutil -S \ + -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \ + -n $name -s "CN=$name" -t C,C,C -x -m 1 -w -2 -v 120 \ + -k $type $type_args -Z SHA256 -1 -2 + html_msg $? 0 "create certificate: $@" +} + ssl_gtest_certs() { mkdir -p "${SSLGTESTDIR}" cd "${SSLGTESTDIR}" @@ -30,42 +64,14 @@ ssl_gtest_certs() { ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1 html_msg $? 0 "create ssl_gtest database" - ${BINDIR}/certutil -S -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \ - -n server -s "CN=server" -t C,C,C -x -m 1 -w -2 -v 120 \ - -k rsa -g 1024 -Z SHA256 -1 -2 <<CERTSCRIPT -0 -2 -9 -n -n - -n -CERTSCRIPT - html_msg $? 0 "create ssl_gtest server certificate" - - ${BINDIR}/certutil -S -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \ - -n client -s "CN=client" -t C,C,C -x -m 1 -w -2 -v 120 \ - -k rsa -g 1024 -Z SHA256 -1 -2 <<CERTSCRIPT -0 -9 -n -n - -n -CERTSCRIPT - html_msg $? 0 "create ssl_gtest client certificate" - - ${BINDIR}/certutil -S -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \ - -n ecdsa -s "CN=ecdsa" -t C,C,C -x -m 1 -w -2 -v 120 \ - -k ec -q nistp256 -Z SHA256 -1 -2 <<CERTSCRIPT -0 -9 -n -n - -n -CERTSCRIPT - html_msg $? 0 "create ssl_gtest ECDSA certificate" + make_cert client rsa sign + # Server certs are named by type + make_cert rsa rsa sign kex + make_cert rsa_sign rsa sign + make_cert rsa_decrypt rsa kex + make_cert ecdsa ec sign + make_cert ecdh_ecdsa ec kex + # TODO ecdh_rsa } ############################## ssl_gtest_init ########################## |