author | Daiki Ueno <dueno@redhat.com> | 2019-04-08 17:30:27 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2019-04-08 17:30:27 +0200 |
commit | 0db82c2f13c9518b594a8ec09b103c1306ea3ea8 (patch) | |
tree | 29d87e46b9516a1eea0029cb7faece15dd5a59ac /tests | |
parent | 0151b2ce26b409ab041e1a08ba4bd905cd565dc5 (diff) | |
download | nss-hg-0db82c2f13c9518b594a8ec09b103c1306ea3ea8.tar.gz |
Bug 1532312, add -E option to selfserv/tstclnt to enable post-handshake auth, r=mt
Reviewers: mt
Reviewed By: mt
Bug #: 1532312
Differential Revision: https://phabricator.services.mozilla.com/D21936
Diffstat (limited to 'tests')
-rwxr-xr-x | tests/ssl/ssl.sh | 28 | ||||
-rw-r--r-- | tests/ssl/sslauth.txt | 4 |
2 files changed, 28 insertions, 4 deletions
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
index 525855e10..3c3d4206b 100755
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -220,18 +220,20 @@ start_selfserv()
 else
 RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss"
 fi
+ SERVER_VMIN=${SERVER_VMIN-ssl3}
+ SERVER_VMAX=${SERVER_VMAX-tls1.2}
 echo "selfserv starting at `date`"
 echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\"
 echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\"
- echo " -V ssl3:tls1.2 $verbose -H 1 &"
+ echo " -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &"
 if [ ${fileout} -eq 1 ]; then
 ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 \
 > ${SERVEROUTFILE} 2>&1 &
 RET=$?
 else
 ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &
 RET=$?
 fi
@@ -388,6 +390,8 @@ ssl_auth()
 do
 echo "${testname}" | grep "don't require client auth" > /dev/null
 CAUTH=$?
+ echo "${testname}" | grep "TLS 1.3" > /dev/null
+ TLS13=$?
 if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
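Review bot: The new defaults `SERVER_VMIN=${SERVER_VMIN-ssl3}` and `SERVER_VMAX=${SERVER_VMAX-tls1.2}` substitute only when the variable is unset, so an environment that exports an empty value (`SERVER_VMIN=`) yields `-V :tls1.2` on the selfserv command line; `${SERVER_VMIN:-ssl3}` and `${SERVER_VMAX:-tls1.2}` would treat empty as unset, which is what the callers added in this commit intend when they `unset` both before each test. The contract that callers may preset these two globals is not documented at the point of use; a comment above the two assignments such as `# Callers may preset SERVER_VMIN/SERVER_VMAX to override the default ssl3:tls1.2 range (see ssl_auth, ssl_crl_ssl)` would make it visible. Since the assignments are to globals rather than locals, the resolved range presumably also persists after start_selfserv returns, which is harmless for callers that unset before every call but worth keeping in mind for any other caller of start_selfserv. start_selfserv begins and ends outside the hunk.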
@@ -399,6 +403,13 @@ ssl_auth()
 cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
 sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
 fi
+ # SSL3 cannot be used with TLS 1.3
+ unset SERVER_VMIN
+ unset SERVER_VMAX
+ if [ $TLS13 -eq 0 ] ; then
+ SERVER_VMIN=tls1.0
+ SERVER_VMAX=tls1.3
+ fi
 start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
@@ -669,9 +680,18 @@ ssl_crl_ssl()
 ignore_blank_lines ${SSLAUTH} | \
 while read ectype value sparam cparam testname
 do
+ echo "${testname}" | grep "TLS 1.3" > /dev/null
+ TLS13=$?
 if [ "$ectype" = "SNI" ]; then
 continue
 else
+ # SSL3 cannot be used with TLS 1.3
+ unset SERVER_VMIN
+ unset SERVER_VMAX
+ if [ $TLS13 -eq 0 ] ; then
+ SERVER_VMIN=tls1.0
+ SERVER_VMAX=tls1.3
+ fi
 servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
 pwd=`echo $cparam | grep nss`
 user=`echo $cparam | grep TestUser`
@@ -1039,7 +1059,7 @@ ssl_crl_cache()
 rm -f ${SSLAUTH_TMP}
 echo ${SSLAUTH_TMP}
- grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
+ grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus | grep -v 'post hs' > ${SSLAUTH_TMP}
 echo $?
 while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
 do
diff --git a/tests/ssl/sslauth.txt b/tests/ssl/sslauth.txt
index 82d1ddea4..a84630f06 100644
--- a/tests/ssl/sslauth.txt
+++ b/tests/ssl/sslauth.txt
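Review bot: The seven-line version-range selection (`unset SERVER_VMIN` … `fi`) is pasted verbatim into ssl_auth here and into ssl_crl_ssl in the `@@ -669` hunk, and both copies test `[ $TLS13 -eq 0 ]` unquoted while the neighbouring existing check uses `"${CAUTH}" -eq 0`; a small helper called from both loops removes the duplication and the quoting inconsistency. The selection is keyed on the free-text test name containing "TLS 1.3" rather than on the `-V_tls1.3:…` value in the row's cparam, so a future sslauth.txt row whose description and client version disagree would silently start selfserv with the wrong range; the helper's header comment should spell out that coupling. The comment `# SSL3 cannot be used with TLS 1.3` gives the reason for the lower bound, so I kept it in the helper rather than restating it at each call site. ssl_auth and ssl_crl_ssl both begin and end outside their hunks.

```shell
# Choose the selfserv protocol range for one sslauth.txt row.
# $1: exit status of the `grep "TLS 1.3"` on the row's test name (0 = TLS 1.3 row).
# The row's description must agree with its cparam -V_ value: post-handshake
# auth rows need a TLS 1.3 server, and SSL3 cannot be used with TLS 1.3, so the
# lower bound moves to tls1.0. Leaves both variables unset otherwise, so
# start_selfserv falls back to its ssl3:tls1.2 default.
set_server_version_range() {
  unset SERVER_VMIN SERVER_VMAX
  if [ "$1" -eq 0 ] ; then
    SERVER_VMIN=tls1.0
    SERVER_VMAX=tls1.3
  fi
}
# … unchanged: ssl_auth loop body up to the Host/Dom substitution …
set_server_version_range "${TLS13}"
start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
```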
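Review bot: The new `grep -v 'post hs'` in ssl_crl_cache excludes the post-handshake-auth rows with no comment saying why, and the filter chain (`none`, `bogus`, `post hs`) matches that text anywhere in the row, not in a specific column. From the other hunks it looks like the reason is that ssl_crl_cache does not set SERVER_VMIN/SERVER_VMAX, so selfserv would run with the ssl3:tls1.2 default while those rows' clients insist on tls1.3:tls1.3; if that is the intent, a comment above the pipeline such as `# 'post hs' rows need a TLS 1.3 server; this test starts selfserv with the default ssl3:tls1.2 range` records it for the next person who edits sslauth.txt. Anchoring the exclusion on the cparam token (`-E_`) rather than on description wording would also survive a reworded test name. ssl_crl_cache begins and ends outside the hunk.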
@@ -38,6 +38,10 @@
 noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
 noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
 noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
+ noECC 0 -r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Request don't require client auth on post hs (client auth)
+ noECC 0 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Require client auth on post hs (client auth)
+ noECC 0 -r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Request don't require client auth on post hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Require client auth on post hs (client does not provide auth)
 #
 # Use EC cert for client authentication
 # |