From 4a53b7021802707a1e0aadfb3f06a1058609fa54 Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Tue, 26 Feb 2019 16:06:08 +0000

Subject: [PATCH] Fixes to unit tests so they pass with openssl 1.1.1a

---

 gencert.in          |  5 +++++

 nss_engine_cipher.h |  2 +-

 test/test.py        | 42 +++++++++++++++++++++++++++++-------------

 test/test_cipher.py | 29 ++++++++++++++++++++++++-----

 4 files changed, 59 insertions(+), 19 deletions(-)

diff --git a/gencert.in b/gencert.in

index 659a9fc..d119f04 100755

--- a/gencert.in

+++ b/gencert.in

@@ -38,6 +38,11 @@ getFQDN() {

                 echo $maxhost

                 return

         fi

+        hostname=$(python -c 'import socket; print(socket.getfqdn())')

+        if [ $? == 0 ]; then

+            echo $hostname

+            return

+        fi

         defhost=`hostname` 

         if [ -e /usr/bin/host -o -e /bin/host ]; then

             hosthost=`host $defhost | grep -v "not found" | awk '{print $1}'`

diff --git a/nss_engine_cipher.h b/nss_engine_cipher.h

index 83321c2..41b1e02 100644

--- a/nss_engine_cipher.h

+++ b/nss_engine_cipher.h

@@ -86,7 +86,7 @@ typedef struct

 #define SSLV3              0x00000002L

 #define TLSV1              SSLV3

 #define TLSV1_2            0x00000004L

-#define TLSV1_3            0x00000005L

+#define TLSV1_3            0x00000008L

 /* the table itself is defined in nss_engine_cipher.c */

 #if 0

diff --git a/test/test.py b/test/test.py

index 7160a26..20fd3d2 100644

--- a/test/test.py

+++ b/test/test.py

@@ -1,5 +1,6 @@

 from test_config import Declarative, write_template_file, restart_apache

 from test_config import stop_apache

+from test_util import run

 from variable import ENABLE_SERVER_DHE

 import ssl

 import requests.exceptions

@@ -17,6 +18,16 @@ except ImportError:

         from urllib3.packages.ssl_match_hostname import CertificateError

+def www1_defined():

+    """Dumb test to see if www1.example.com is a known host to see

+       whether the proxy tests should be executed or not.

+    """

+    (out, err, rc) = run(["/usr/bin/ping",

+                          "-w", "2",

+                          "-c", "1", "www1.example.com"])

+    return rc == 0

+

+

 class test_suite1(Declarative):

     @classmethod

     def setUpClass(cls):

@@ -232,21 +243,26 @@ class test_suite1(Declarative):

             expected=200,

         ),

-        dict(

-            desc='SNI request when SNI is disabled',

-            request=('/index.html',

-                     {'host': 'www1.example.com', 'port': 8000}),

-            expected=requests.exceptions.SSLError(),

-            expected_str='doesn\'t match',

-        ),

+    ]

-        dict(

-            desc='Reverse proxy request when SNI is disabled',

-            request=('/proxy/index.html', {}),

-            expected=400,

-        ),

+    if www1_defined():

+        tests.append(

+            dict(

+                desc='SNI request when SNI is disabled',

+                request=('/index.html',

+                         {'host': 'www1.example.com', 'port': 8000}),

+                expected=requests.exceptions.SSLError(),

+                expected_str='doesn\'t match',

+            ),

+        )

-    ]

+        tests.append(

+            dict(

+                desc='Reverse proxy request when SNI is disabled',

+                request=('/proxy/index.html', {}),

+                expected=400,

+            ),

+        )

     if ENABLE_SERVER_DHE:

         tests.append(

diff --git a/test/test_cipher.py b/test/test_cipher.py

index 69de7dc..0e3c690 100644

--- a/test/test_cipher.py

+++ b/test/test_cipher.py

@@ -45,6 +45,7 @@ CIPHERS_NOT_IN_NSS = [

     'ECDHE-RSA-CAMELLIA128-SHA256',

     'DHE-RSA-CAMELLIA128-SHA256',

     'DHE-RSA-CAMELLIA256-SHA256',

+    'TLS_AES_128_CCM_SHA256',

 ]

 CIPHERS_NOT_IN_OPENSSL = [

@@ -59,7 +60,7 @@ CIPHERS_NOT_IN_OPENSSL = [

 ]

 OPENSSL_CIPHERS_IGNORE = ":-SSLv2:-KRB5:-PSK:-ADH:-DSS:-SEED:-IDEA" \

-    ":-SRP:-AESCCM:-AESCCM8"

+    ":-SRP:-AESCCM:-AESCCM8:-RC4:-ARIA"

 if ENABLE_SERVER_DHE == 0:

     OPENSSL_CIPHERS_IGNORE += ':-DH'

@@ -76,8 +77,13 @@ def openssl_tls13():

     (out, err, rc) = run([openssl, 'ciphers', 'tls1_3'])

     return rc == 0

+def openssl_has_ciphersuites():

+    (out, err, rc) = run(["openssl", "ciphers", "-ciphersuites", "", "AES"])

+    return rc == 0

+

 OPENSSL_CHACHA20 = openssl_CHACHA20()

 OPENSSL_TLS13 = openssl_tls13()

+OPENSSL_HAS_CIPHERSUITES = openssl_has_ciphersuites()

 tls13_ciphers = [

     'TLS-AES-128-GCM-SHA256',

@@ -86,12 +92,21 @@ tls13_ciphers = [

 ]

-def assert_equal_openssl(ciphers):

+def assert_equal_openssl(ciphers, tls13=False):

     nss_ciphers = ciphers + ":-EXP:-LOW:-RC4:-EDH"

     ossl_ciphers = ciphers + OPENSSL_CIPHERS_IGNORE

+

+    if not tls13 and OPENSSL_HAS_CIPHERSUITES:

+        # Disable TLSv1.3 ciphers to match default output in openssl ciphers

+        nss_ciphers = nss_ciphers + ":-TLSv1.3"

     (nss, err, rc) = run([exe, "--o", nss_ciphers])

     assert rc == 0

-    (ossl, err, rc) = run([openssl, "ciphers", ossl_ciphers])

+    if not tls13 and OPENSSL_HAS_CIPHERSUITES:

+        # Disable TLSv1.3 ciphers to match previous behavior

+        cmd = [openssl, "ciphers", "-ciphersuites", "", ossl_ciphers]

+    else:

+        cmd = [openssl, "ciphers", ossl_ciphers]

+    (ossl, err, rc) = run(cmd)

     assert rc == 0

     nss_list = nss.strip().split(':')

@@ -134,9 +149,9 @@ def assert_equal_openssl(ciphers):

     elif len(ossl_list) > len(nss_list):

         diff = set(ossl_list) - set(nss_list)

     else:

-        diff = ''

+        diff = None

-    assert nss_list == ossl_list, '%r != %r. Difference %r' % (

+    assert diff is None, '%r != %r. Difference %r' % (

         ':'.join(nss_list), ':'.join(ossl_list), diff)

@@ -228,6 +243,10 @@ class test_ciphers(object):

     def test_TLSv12(self):

         assert_equal_openssl("TLSv1.2")

+    def test_TLSv13(self):

+        if OPENSSL_TLS13:

+            assert_equal_openssl("TLSv1.3", tls13=True)

+

     def test_NULL(self):

         assert_equal_openssl("NULL")

-- 

2.20.1