From 4a53b7021802707a1e0aadfb3f06a1058609fa54 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 26 Feb 2019 16:06:08 +0000
Subject: [PATCH] Fixes to unit tests so they pass with openssl 1.1.1a
|
---
gencert.in | 5 +++++
nss_engine_cipher.h | 2 +-
test/test.py | 42 +++++++++++++++++++++++++++++-------------
test/test_cipher.py | 29 ++++++++++++++++++++++++-----
4 files changed, 59 insertions(+), 19 deletions(-)
|
diff --git a/gencert.in b/gencert.in
|
|
|
d9580bf |
index 659a9fc..d119f04 100755
|
|
|
d9580bf |
--- a/gencert.in
|
|
|
d9580bf |
+++ b/gencert.in
|
|
|
d9580bf |
@@ -38,6 +38,11 @@ getFQDN() {
|
|
|
d9580bf |
echo $maxhost
|
|
|
d9580bf |
return
|
|
|
d9580bf |
fi
|
|
|
d9580bf |
+ hostname=$(python -c 'import socket; print(socket.getfqdn())')
|
|
|
d9580bf |
+ if [ $? == 0 ]; then
|
|
|
d9580bf |
+ echo $hostname
|
|
|
d9580bf |
+ return
|
|
|
d9580bf |
+ fi
|
|
|
d9580bf |
defhost=`hostname`
|
|
|
d9580bf |
if [ -e /usr/bin/host -o -e /bin/host ]; then
|
|
|
d9580bf |
hosthost=`host $defhost | grep -v "not found" | awk '{print $1}'`
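Review bot: The new fallback only tests that the interpreter exited cleanly (`[ $? == 0 ]`), so whatever `socket.getfqdn()` prints — including an empty or unqualified name on a host with no usable reverse DNS — is echoed as the certificate's host name instead of falling through to the existing `hostname`/`host` logic; `==` inside `[` is also a bash extension and `$hostname` is unquoted. I'd change the three lines to `hostname=$(python -c 'import socket; print(socket.getfqdn())' 2>/dev/null)`, `if [ $? -eq 0 ] && [ -n "$hostname" ]; then` and `echo "$hostname"`, so a missing interpreter's error text is not captured and an empty result is rejected. Since `getfqdn()` leans on the resolver, a comment such as `# getfqdn() uses reverse DNS; result depends on the host's resolver config` would tell the next reader why the later fallbacks are kept. getFQDN starts before and ends after this hunk.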
|
|
|
d9580bf |
diff --git a/nss_engine_cipher.h b/nss_engine_cipher.h
|
|
|
d9580bf |
index 83321c2..41b1e02 100644
|
|
|
d9580bf |
--- a/nss_engine_cipher.h
|
|
|
d9580bf |
+++ b/nss_engine_cipher.h
|
|
|
d9580bf |
@@ -86,7 +86,7 @@ typedef struct
|
|
|
d9580bf |
#define SSLV3 0x00000002L
|
|
|
d9580bf |
#define TLSV1 SSLV3
|
|
|
d9580bf |
#define TLSV1_2 0x00000004L
|
|
|
d9580bf |
-#define TLSV1_3 0x00000005L
|
|
|
d9580bf |
+#define TLSV1_3 0x00000008L
|
|
|
d9580bf |
|
|
|
d9580bf |
/* the table itself is defined in nss_engine_cipher.c */
|
|
|
d9580bf |
#if 0
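Review bot: The corrected constant deserves a comment explaining why, because nothing in the header says these are bit flags: `SSLV3` and `TLSV1_2` are single bits, and the old `0x00000005L` presumably overlapped `TLSV1_2` (0x4) plus bit 0x1, so a TLS 1.3 suite would have matched a TLSv1.2 protocol mask. Suggest `/* protocol flags are a bitmask: each value must be a distinct bit */` above `#define SSLV3` so the next protocol added does not repeat the mistake. If the cipher table in nss_engine_cipher.c or any other code hard-codes `0x5` for TLS 1.3 it needs the same update; I cannot see it from this hunk.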
|
|
|
d9580bf |
diff --git a/test/test.py b/test/test.py
|
|
|
d9580bf |
index 7160a26..20fd3d2 100644
|
|
|
d9580bf |
--- a/test/test.py
|
|
|
d9580bf |
+++ b/test/test.py
|
|
|
d9580bf |
@@ -1,5 +1,6 @@
|
|
|
d9580bf |
from test_config import Declarative, write_template_file, restart_apache
|
|
|
d9580bf |
from test_config import stop_apache
|
|
|
d9580bf |
+from test_util import run
|
|
|
d9580bf |
from variable import ENABLE_SERVER_DHE
|
|
|
d9580bf |
import ssl
|
|
|
d9580bf |
import requests.exceptions
|
|
|
d9580bf |
@@ -17,6 +18,16 @@ except ImportError:
|
|
|
d9580bf |
from urllib3.packages.ssl_match_hostname import CertificateError
|
|
|
d9580bf |
|
|
|
d9580bf |
|
|
|
d9580bf |
+def www1_defined():
|
|
|
d9580bf |
+ """Dumb test to see if www1.example.com is a known host to see
|
|
|
d9580bf |
+ whether the proxy tests should be executed or not.
|
|
|
d9580bf |
+ """
|
|
|
d9580bf |
+ (out, err, rc) = run(["/usr/bin/ping",
|
|
|
d9580bf |
+ "-w", "2",
|
|
|
d9580bf |
+ "-c", "1", "www1.example.com"])
|
|
|
d9580bf |
+ return rc == 0
|
|
|
d9580bf |
+
|
|
|
d9580bf |
+
|
|
|
d9580bf |
class test_suite1(Declarative):
|
|
|
d9580bf |
@classmethod
|
|
|
d9580bf |
def setUpClass(cls):
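Review bot: `www1_defined` decides whether the SNI test runs by sending an ICMP echo to `www1.example.com`, so on a host where `/usr/bin/ping` is missing, not permitted for the test user, or ICMP is filtered, the probe returns False and the test is dropped even though the name resolves and the server would answer on TCP 8000. What the gated test actually requires is that the name resolves, so a `socket.gethostbyname()` probe is more accurate and removes the dependency on an external binary; it needs `import socket` at the top of the file. The docstring should also say what the name is expected to be (presumably a local hosts-file alias for this machine), since resolving it elsewhere would give a misleading True.

```python
def www1_defined():
    """Return True if www1.example.com resolves; the SNI tests are
    only meaningful when it does (expected: an alias for this host).
    """
    try:
        socket.gethostbyname("www1.example.com")
    except socket.error:
        return False
    return True
```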
|
|
|
d9580bf |
@@ -232,21 +243,26 @@ class test_suite1(Declarative):
|
|
|
d9580bf |
expected=200,
|
|
|
d9580bf |
),
|
|
|
d9580bf |
|
|
|
d9580bf |
- dict(
|
|
|
d9580bf |
- desc='SNI request when SNI is disabled',
|
|
|
d9580bf |
- request=('/index.html',
|
|
|
d9580bf |
- {'host': 'www1.example.com', 'port': 8000}),
|
|
|
d9580bf |
- expected=requests.exceptions.SSLError(),
|
|
|
d9580bf |
- expected_str='doesn\'t match',
|
|
|
d9580bf |
- ),
|
|
|
d9580bf |
+ ]
|
|
|
d9580bf |
|
|
|
d9580bf |
- dict(
|
|
|
d9580bf |
- desc='Reverse proxy request when SNI is disabled',
|
|
|
d9580bf |
- request=('/proxy/index.html', {}),
|
|
|
d9580bf |
- expected=400,
|
|
|
d9580bf |
- ),
|
|
|
d9580bf |
+ if www1_defined():
|
|
|
d9580bf |
+ tests.append(
|
|
|
d9580bf |
+ dict(
|
|
|
d9580bf |
+ desc='SNI request when SNI is disabled',
|
|
|
d9580bf |
+ request=('/index.html',
|
|
|
d9580bf |
+ {'host': 'www1.example.com', 'port': 8000}),
|
|
|
d9580bf |
+ expected=requests.exceptions.SSLError(),
|
|
|
d9580bf |
+ expected_str='doesn\'t match',
|
|
|
d9580bf |
+ ),
|
|
|
d9580bf |
+ )
|
|
|
d9580bf |
|
|
|
d9580bf |
- ]
|
|
|
d9580bf |
+ tests.append(
|
|
|
d9580bf |
+ dict(
|
|
|
d9580bf |
+ desc='Reverse proxy request when SNI is disabled',
|
|
|
d9580bf |
+ request=('/proxy/index.html', {}),
|
|
|
d9580bf |
+ expected=400,
|
|
|
d9580bf |
+ ),
|
|
|
d9580bf |
+ )
|
|
|
d9580bf |
|
|
|
d9580bf |
if ENABLE_SERVER_DHE:
|
|
|
d9580bf |
tests.append(
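Review bot: When `www1_defined()` is False the 'SNI request when SNI is disabled' case is dropped with no trace, so a misconfigured CI host reports a green run with less coverage than before; an `else:` branch that at least prints the reason, e.g. `print("www1.example.com not resolvable; skipping SNI test")`, or appends a case the framework reports as skipped if Declarative supports that, keeps the gap visible. The docstring of `www1_defined` says it decides whether "the proxy tests" run, but here only the SNI case is gated while the reverse-proxy case is appended unconditionally — either the docstring or the gating is out of step. The list-building code continues outside this hunk.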
|
|
|
d9580bf |
diff --git a/test/test_cipher.py b/test/test_cipher.py
|
|
|
d9580bf |
index 69de7dc..0e3c690 100644
|
|
|
d9580bf |
--- a/test/test_cipher.py
|
|
|
d9580bf |
+++ b/test/test_cipher.py
|
|
|
d9580bf |
@@ -45,6 +45,7 @@ CIPHERS_NOT_IN_NSS = [
|
|
|
d9580bf |
'ECDHE-RSA-CAMELLIA128-SHA256',
|
|
|
d9580bf |
'DHE-RSA-CAMELLIA128-SHA256',
|
|
|
d9580bf |
'DHE-RSA-CAMELLIA256-SHA256',
|
|
|
d9580bf |
+ 'TLS_AES_128_CCM_SHA256',
|
|
|
d9580bf |
]
|
|
|
d9580bf |
|
|
|
d9580bf |
CIPHERS_NOT_IN_OPENSSL = [
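Review bot: `'TLS_AES_128_CCM_SHA256'` is the only entry in this list using the underscore spelling, while the `tls13_ciphers` list later in the file uses the dashed form (`'TLS-AES-128-GCM-SHA256'`), so a reader cannot tell which naming each list is matched against. A comment on the new line such as `# OpenSSL spells TLS 1.3 suites with underscores; the NSS-side names use dashes` would record the convention, assuming that is the reason — I cannot see where the list is consumed from this hunk.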
|
|
|
d9580bf |
@@ -59,7 +60,7 @@ CIPHERS_NOT_IN_OPENSSL = [
|
|
|
d9580bf |
]
|
|
|
d9580bf |
|
|
|
d9580bf |
OPENSSL_CIPHERS_IGNORE = ":-SSLv2:-KRB5:-PSK:-ADH:-DSS:-SEED:-IDEA" \
|
|
|
d9580bf |
- ":-SRP:-AESCCM:-AESCCM8"
|
|
|
d9580bf |
+ ":-SRP:-AESCCM:-AESCCM8:-RC4:-ARIA"
|
|
|
d9580bf |
|
|
|
d9580bf |
if ENABLE_SERVER_DHE == 0:
|
|
|
d9580bf |
OPENSSL_CIPHERS_IGNORE += ':-DH'
|
|
|
d9580bf |
@@ -76,8 +77,13 @@ def openssl_tls13():
|
|
|
d9580bf |
(out, err, rc) = run([openssl, 'ciphers', 'tls1_3'])
|
|
|
d9580bf |
return rc == 0
|
|
|
d9580bf |
|
|
|
d9580bf |
+def openssl_has_ciphersuites():
|
|
|
d9580bf |
+ (out, err, rc) = run(["openssl", "ciphers", "-ciphersuites", "", "AES"])
|
|
|
d9580bf |
+ return rc == 0
|
|
|
d9580bf |
+
|
|
|
d9580bf |
OPENSSL_CHACHA20 = openssl_CHACHA20()
|
|
|
d9580bf |
OPENSSL_TLS13 = openssl_tls13()
|
|
|
d9580bf |
+OPENSSL_HAS_CIPHERSUITES = openssl_has_ciphersuites()
|
|
|
d9580bf |
|
|
|
d9580bf |
tls13_ciphers = [
|
|
|
d9580bf |
'TLS-AES-128-GCM-SHA256',
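Review bot: `openssl_has_ciphersuites` runs a bare `"openssl"` from PATH, whereas the sibling probe two lines above uses the `openssl` variable (`run([openssl, 'ciphers', 'tls1_3'])`), so if that variable points at a non-default binary the feature detection and the actual comparison can disagree about TLS 1.3 support. Change the line to `(out, err, rc) = run([openssl, "ciphers", "-ciphersuites", "", "AES"])`. A one-line docstring noting that `-ciphersuites` is the OpenSSL 1.1.1+ option for TLS 1.3 suites and that an empty value disables them all would also help, since that is what the later `-ciphersuites ""` call in `assert_equal_openssl` relies on. `tls13_ciphers` continues past the end of the hunk.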
|
|
|
d9580bf |
@@ -86,12 +92,21 @@ tls13_ciphers = [
|
|
|
d9580bf |
]
|
|
|
d9580bf |
|
|
|
d9580bf |
|
|
|
d9580bf |
-def assert_equal_openssl(ciphers):
|
|
|
d9580bf |
+def assert_equal_openssl(ciphers, tls13=False):
|
|
|
d9580bf |
nss_ciphers = ciphers + ":-EXP:-LOW:-RC4:-EDH"
|
|
|
d9580bf |
ossl_ciphers = ciphers + OPENSSL_CIPHERS_IGNORE
|
|
|
d9580bf |
+
|
|
|
d9580bf |
+ if not tls13 and OPENSSL_HAS_CIPHERSUITES:
|
|
|
d9580bf |
+ # Disable TLSv1.3 ciphers to match default output in openssl ciphers
|
|
|
d9580bf |
+ nss_ciphers = nss_ciphers + ":-TLSv1.3"
|
|
|
d9580bf |
(nss, err, rc) = run([exe, "--o", nss_ciphers])
|
|
|
d9580bf |
assert rc == 0
|
|
|
d9580bf |
- (ossl, err, rc) = run([openssl, "ciphers", ossl_ciphers])
|
|
|
d9580bf |
+ if not tls13 and OPENSSL_HAS_CIPHERSUITES:
|
|
|
d9580bf |
+ # Disable TLSv1.3 ciphers to match previous behavior
|
|
|
d9580bf |
+ cmd = [openssl, "ciphers", "-ciphersuites", "", ossl_ciphers]
|
|
|
d9580bf |
+ else:
|
|
|
d9580bf |
+ cmd = [openssl, "ciphers", ossl_ciphers]
|
|
|
d9580bf |
+ (ossl, err, rc) = run(cmd)
|
|
|
d9580bf |
assert rc == 0
|
|
|
d9580bf |
|
|
|
d9580bf |
nss_list = nss.strip().split(':')
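Review bot: The condition `not tls13 and OPENSSL_HAS_CIPHERSUITES` is evaluated twice with two comments saying the same thing; hoisting it to `strip_tls13 = not tls13 and OPENSSL_HAS_CIPHERSUITES` and testing `if strip_tls13:` in both places keeps the NSS and OpenSSL sides from drifting apart when one is edited. The new `tls13` flag is undocumented — the function's docstring should state that when it is set the TLS 1.3 suites are left in on both sides, and when clear they are stripped with `-TLSv1.3` / `-ciphersuites ""`. As a boolean switch it also reads better keyword-only, `def assert_equal_openssl(ciphers, *, tls13=False)`, provided no caller passes it positionally (the one in this patch does not). The function body continues outside the hunk.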
|
|
|
d9580bf |
@@ -134,9 +149,9 @@ def assert_equal_openssl(ciphers):
|
|
|
d9580bf |
elif len(ossl_list) > len(nss_list):
|
|
|
d9580bf |
diff = set(ossl_list) - set(nss_list)
|
|
|
d9580bf |
else:
|
|
|
d9580bf |
- diff = ''
|
|
|
d9580bf |
+ diff = None
|
|
|
d9580bf |
|
|
|
d9580bf |
- assert nss_list == ossl_list, '%r != %r. Difference %r' % (
|
|
|
d9580bf |
+ assert diff is None, '%r != %r. Difference %r' % (
|
|
|
d9580bf |
':'.join(nss_list), ':'.join(ossl_list), diff)
|
|
|
d9580bf |
|
|
|
d9580bf |
|
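Review bot: Replacing `assert nss_list == ossl_list` with `assert diff is None` weakens the check: when both lists have the same length the `else` branch sets `diff = None` without examining the contents, so two equal-sized lists containing different suites now pass. If the goal is an order-insensitive comparison, compute the difference in that branch as well, e.g. `diff = set(nss_list) ^ set(ossl_list) or None`, which keeps the new assertion meaningful while tolerating ordering differences between the two tools. The first branch of this `if`/`elif`/`else` and the remainder of the function are outside the hunk.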
|
|
d9580bf |
@@ -228,6 +243,10 @@ class test_ciphers(object):
|
|
|
d9580bf |
def test_TLSv12(self):
|
|
|
d9580bf |
assert_equal_openssl("TLSv1.2")
|
|
|
d9580bf |
|
|
|
d9580bf |
+ def test_TLSv13(self):
|
|
|
d9580bf |
+ if OPENSSL_TLS13:
|
|
|
d9580bf |
+ assert_equal_openssl("TLSv1.3", tls13=True)
|
|
|
d9580bf |
+
|
|
|
d9580bf |
def test_NULL(self):
|
|
|
d9580bf |
assert_equal_openssl("NULL")
|
|
|
d9580bf |
|
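Review bot: `test_TLSv13` silently passes when `OPENSSL_TLS13` is False, so a build against an OpenSSL without TLS 1.3 reports the comparison as successful rather than not run. Raising the runner's skip exception instead, e.g. `if not OPENSSL_TLS13: raise unittest.SkipTest("openssl lacks TLS 1.3")` (or the project's equivalent, which needs the corresponding import), keeps the report honest. The class continues outside the hunk.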
--
2.20.1
|