From 4a53b7021802707a1e0aadfb3f06a1058609fa54 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 26 Feb 2019 16:06:08 +0000
Subject: [PATCH] Fixes to unit tests so they pass with openssl 1.1.1a
---
gencert.in | 5 +++++
nss_engine_cipher.h | 2 +-
test/test.py | 42 +++++++++++++++++++++++++++++-------------
test/test_cipher.py | 29 ++++++++++++++++++++++++-----
4 files changed, 59 insertions(+), 19 deletions(-)
diff --git a/gencert.in b/gencert.in
index 659a9fc..d119f04 100755
--- a/gencert.in
+++ b/gencert.in
@@ -38,6 +38,11 @@ getFQDN() {
echo $maxhost
return
fi
+ hostname=$(python -c 'import socket; print(socket.getfqdn())')
+ if [ $? == 0 ]; then
+ echo $hostname
+ return
+ fi
defhost=`hostname`
if [ -e /usr/bin/host -o -e /bin/host ]; then
hosthost=`host $defhost | grep -v "not found" | awk '{print $1}'`
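Review bot: The new guard `if [ $? == 0 ]` uses `==`, which is a bash extension to `test`; the portable form is `if [ $? = 0 ]; then`. Note also that `socket.getfqdn()` falls back to the bare hostname when no FQDN can be resolved while still exiting 0, so the `hostname`/`host` fallback that follows would presumably never run on such machines; it may be worth checking the result contains a dot before echoing it, e.g. `if [ $? = 0 ] && [ "${hostname#*.}" != "$hostname" ]; then`. The `getFQDN` function starts before this hunk and continues past it.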
diff --git a/nss_engine_cipher.h b/nss_engine_cipher.h
index 83321c2..41b1e02 100644
--- a/nss_engine_cipher.h
+++ b/nss_engine_cipher.h
@@ -86,7 +86,7 @@ typedef struct
#define SSLV3 0x00000002L
#define TLSV1 SSLV3
#define TLSV1_2 0x00000004L
-#define TLSV1_3 0x00000005L
+#define TLSV1_3 0x00000008L
/* the table itself is defined in nss_engine_cipher.c */
#if 0
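Review bot: The new value 0x00000008L is a distinct bit whereas the old 0x00000005L overlapped TLSV1_2 (0x4), which suggests these constants are OR-ed into a protocol mask; the header does not say so. A short comment above the group would stop the next addition from repeating the mistake, e.g. `/* protocol-version flags: each must be a distinct bit, they are combined as a mask */` — hedged, since the code that combines them is outside this hunk.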
diff --git a/test/test.py b/test/test.py
index 7160a26..20fd3d2 100644
--- a/test/test.py
+++ b/test/test.py
@@ -1,5 +1,6 @@
from test_config import Declarative, write_template_file, restart_apache
from test_config import stop_apache
+from test_util import run
from variable import ENABLE_SERVER_DHE
import ssl
import requests.exceptions
@@ -17,6 +18,16 @@ except ImportError:
from urllib3.packages.ssl_match_hostname import CertificateError
+def www1_defined():
+ """Dumb test to see if www1.example.com is a known host to see
+ whether the proxy tests should be executed or not.
+ """
+ (out, err, rc) = run(["/usr/bin/ping",
+ "-w", "2",
+ "-c", "1", "www1.example.com"])
+ return rc == 0
+
+
class test_suite1(Declarative):
@classmethod
def setUpClass(cls):
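Review bot: `www1_defined()` tests reachability, not whether the name is defined: ping returns non-zero when ICMP is filtered or the host is down, so the proxy tests are silently skipped on a correctly configured box, and it also requires `/usr/bin/ping` to exist. Since the docstring's stated goal is "is a known host", resolving the name is the more accurate and cheaper check; this needs `import socket` added to the module imports above. The helper's name and docstring can stay as they are.
```python
def www1_defined():
    """Dumb test to see if www1.example.com is a known host to see
    whether the proxy tests should be executed or not.
    """
    try:
        socket.gethostbyname("www1.example.com")
    except socket.error:
        return False
    return True
```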
@@ -232,21 +243,26 @@ class test_suite1(Declarative):
expected=200,
),
- dict(
- desc='SNI request when SNI is disabled',
- request=('/index.html',
- {'host': 'www1.example.com', 'port': 8000}),
- expected=requests.exceptions.SSLError(),
- expected_str='doesn\'t match',
- ),
+ ]
- dict(
- desc='Reverse proxy request when SNI is disabled',
- request=('/proxy/index.html', {}),
- expected=400,
- ),
+ if www1_defined():
+ tests.append(
+ dict(
+ desc='SNI request when SNI is disabled',
+ request=('/index.html',
+ {'host': 'www1.example.com', 'port': 8000}),
+ expected=requests.exceptions.SSLError(),
+ expected_str='doesn\'t match',
+ ),
+ )
- ]
+ tests.append(
+ dict(
+ desc='Reverse proxy request when SNI is disabled',
+ request=('/proxy/index.html', {}),
+ expected=400,
+ ),
+ )
if ENABLE_SERVER_DHE:
tests.append(
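Review bot: Gating both the SNI test and the reverse-proxy test on `www1_defined()` makes them disappear from the run without any trace when the host is not known, so a misconfigured test host looks like a passing suite. A one-line marker would keep that visible, e.g. `else: print('www1.example.com not defined, skipping SNI/proxy tests')` (or the runner's skip mechanism, if the framework in use provides one). The enclosing method that builds `tests` starts before this hunk and continues after it.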
diff --git a/test/test_cipher.py b/test/test_cipher.py
index 69de7dc..0e3c690 100644
--- a/test/test_cipher.py
+++ b/test/test_cipher.py
@@ -45,6 +45,7 @@ CIPHERS_NOT_IN_NSS = [
'ECDHE-RSA-CAMELLIA128-SHA256',
'DHE-RSA-CAMELLIA128-SHA256',
'DHE-RSA-CAMELLIA256-SHA256',
+ 'TLS_AES_128_CCM_SHA256',
]
CIPHERS_NOT_IN_OPENSSL = [
@@ -59,7 +60,7 @@ CIPHERS_NOT_IN_OPENSSL = [
]
OPENSSL_CIPHERS_IGNORE = ":-SSLv2:-KRB5:-PSK:-ADH:-DSS:-SEED:-IDEA" \
- ":-SRP:-AESCCM:-AESCCM8"
+ ":-SRP:-AESCCM:-AESCCM8:-RC4:-ARIA"
if ENABLE_SERVER_DHE == 0:
OPENSSL_CIPHERS_IGNORE += ':-DH'
@@ -76,8 +77,13 @@ def openssl_tls13():
(out, err, rc) = run([openssl, 'ciphers', 'tls1_3'])
return rc == 0
+def openssl_has_ciphersuites():
+ (out, err, rc) = run(["openssl", "ciphers", "-ciphersuites", "", "AES"])
+ return rc == 0
+
OPENSSL_CHACHA20 = openssl_CHACHA20()
OPENSSL_TLS13 = openssl_tls13()
+OPENSSL_HAS_CIPHERSUITES = openssl_has_ciphersuites()
tls13_ciphers = [
'TLS-AES-128-GCM-SHA256',
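Review bot: `openssl_has_ciphersuites()` invokes the literal `"openssl"` from `PATH`, while `openssl_tls13()` two lines above runs the `openssl` variable; if that variable points at a specific binary the two probes can disagree about which OpenSSL is being tested. Use the same variable: `(out, err, rc) = run([openssl, "ciphers", "-ciphersuites", "", "AES"])`. A one-line docstring such as `"""Return True if this openssl accepts the 1.1.1-style -ciphersuites option."""` would also help, since the empty-string argument is not self-explanatory.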
@@ -86,12 +92,21 @@ tls13_ciphers = [
]
-def assert_equal_openssl(ciphers):
+def assert_equal_openssl(ciphers, tls13=False):
nss_ciphers = ciphers + ":-EXP:-LOW:-RC4:-EDH"
ossl_ciphers = ciphers + OPENSSL_CIPHERS_IGNORE
+
+ if not tls13 and OPENSSL_HAS_CIPHERSUITES:
+ # Disable TLSv1.3 ciphers to match default output in openssl ciphers
+ nss_ciphers = nss_ciphers + ":-TLSv1.3"
(nss, err, rc) = run([exe, "--o", nss_ciphers])
assert rc == 0
- (ossl, err, rc) = run([openssl, "ciphers", ossl_ciphers])
+ if not tls13 and OPENSSL_HAS_CIPHERSUITES:
+ # Disable TLSv1.3 ciphers to match previous behavior
+ cmd = [openssl, "ciphers", "-ciphersuites", "", ossl_ciphers]
+ else:
+ cmd = [openssl, "ciphers", ossl_ciphers]
+ (ossl, err, rc) = run(cmd)
assert rc == 0
nss_list = nss.strip().split(':')
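Review bot: The new `tls13` parameter is undocumented and the condition `not tls13 and OPENSSL_HAS_CIPHERSUITES` is evaluated twice with two different explanatory comments; computing it once makes the intent clearer, e.g. `hide_tls13 = not tls13 and OPENSSL_HAS_CIPHERSUITES  # compare only pre-1.3 suites unless asked`. A docstring along the lines of `"""Assert that NSS and OpenSSL expand *ciphers* to the same list; with tls13=True the TLSv1.3 suites are included in the comparison."""` would cover the new behaviour. `assert_equal_openssl` continues past this hunk.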
@@ -134,9 +149,9 @@ def assert_equal_openssl(ciphers):
elif len(ossl_list) > len(nss_list):
diff = set(ossl_list) - set(nss_list)
else:
- diff = ''
+ diff = None
- assert nss_list == ossl_list, '%r != %r. Difference %r' % (
+ assert diff is None, '%r != %r. Difference %r' % (
':'.join(nss_list), ':'.join(ossl_list), diff)
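Review bot: Replacing `assert nss_list == ossl_list` with `assert diff is None` loses the comparison when the two lists have the same length but different contents (or order): in that case the `else` branch sets `diff = None` and the assertion passes, unless a branch before this hunk already compares contents. Keep the original equality check as the final assertion, `assert nss_list == ossl_list, '%r != %r. Difference %r' % (':'.join(nss_list), ':'.join(ossl_list), diff)`, and let `diff` serve only as diagnostic detail in the message. The `if` that this `elif` belongs to lies outside the hunk.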
@@ -228,6 +243,10 @@ class test_ciphers(object):
def test_TLSv12(self):
assert_equal_openssl("TLSv1.2")
+ def test_TLSv13(self):
+ if OPENSSL_TLS13:
+ assert_equal_openssl("TLSv1.3", tls13=True)
+
def test_NULL(self):
assert_equal_openssl("NULL")
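Review bot: `test_TLSv13` passes silently when `OPENSSL_TLS13` is false, so an OpenSSL without TLS 1.3 support reports the test as green rather than as skipped. Mark it as skipped instead, using whatever mechanism the test runner here provides (the class does not derive from `unittest.TestCase`, so the exact call is not visible in this hunk), e.g. `if not OPENSSL_TLS13: raise SkipTest('openssl lacks TLSv1.3')` followed by the assertion.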
--
2.20.1