TestOpenSSLConf.java

rjung Wed, 11 Apr 2018 21:39:07 -0700

Author: rjung
Date: Thu Apr 12 04:38:45 2018
New Revision: 1828946

URL: http://svn.apache.org/viewvc?rev=1828946&view=rev
Log:
- add utility functions to TesterSupport to access
  OpenSSL library availability and version number.
- use the new version number access to fix test
  for OpenSSLConf for older version of OpenSSL
  (before 1.1.1-pre3).


Modified:
    tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
    tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java

Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?rev=1828946&r1=1828945&r2=1828946&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Thu Apr 12 
04:38:45 2018
@@ -50,6 +50,9 @@ import org.apache.catalina.core.AprLifec
 import org.apache.catalina.core.StandardServer;
 import org.apache.catalina.startup.TesterMapRealm;
 import org.apache.catalina.startup.Tomcat;
+import org.apache.tomcat.jni.Library;
+import org.apache.tomcat.jni.LibraryNotFoundError;
+import org.apache.tomcat.jni.SSL;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityCollection;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
@@ -67,6 +70,8 @@ public final class TesterSupport {
     public static final String JKS_KEY_PASS = "tomcatpass";
     public static final String LOCALHOST_CERT_PEM = SSL_DIR + 
"localhost-cert.pem";
     public static final String LOCALHOST_KEY_PEM = SSL_DIR + 
"localhost-key.pem";
+    public static final boolean OPENSSL_AVAILABLE;
+    public static final int OPENSSL_VERSION;
 
     public static final String ROLE = "testrole";
 
@@ -74,6 +79,29 @@ public final class TesterSupport {
     private static String lastUsage = "NONE";
     private static Principal[] lastRequestedIssuers = new Principal[0];
 
+    static {
+        boolean available = false;
+        int version = 0;
+        try {
+            Library.initialize(null);
+            available = true;
+            version = SSL.version();
+            Library.terminate();
+        } catch (Exception | LibraryNotFoundError ex) {
+            // Ignore
+        }
+        OPENSSL_AVAILABLE = available;
+        OPENSSL_VERSION = version;
+    }
+
+    public static boolean isOpensslAvailable() {
+        return OPENSSL_AVAILABLE;
+    }
+
+    public static int getOpensslVersion() {
+        return OPENSSL_VERSION;
+    }
+
     public static void initSsl(Tomcat tomcat) {
         initSsl(tomcat, LOCALHOST_JKS, null, null);
     }

Modified: 
tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java?rev=1828946&r1=1828945&r2=1828946&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java 
(original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java 
Thu Apr 12 04:38:45 2018
@@ -35,11 +35,20 @@ import org.apache.tomcat.util.net.Tester
 public class TestOpenSSLConf extends TomcatBaseTest {
 
     private static final String ENABLED_CIPHER = "AES256-SHA256";
-    private static final String[] EXPECTED_CIPHERS = {"AES256-SHA256"};
+    private static final String[] EXPECTED_CIPHERS = {ENABLED_CIPHER};
     private static final String[] ENABLED_PROTOCOLS = {"TLSv1.1"};
-    private static final String[] DISABLED_PROTOCOLS = {"SSLv3", "TLSv1", 
"TLSv1.2", "TLSv1.3"};
+    private static final String[] DISABLED_PROTOCOLS = {"SSLv3", "TLSv1", 
"TLSv1.2"};
+    private static final String[] DISABLED_PROTOCOLS_TLS13 = {"TLSv1.3"};
+    // Test behavior needs to adjust for OpenSSL 1.1.1-pre3 and above
+    private static final int OPENSSL_TLS13_SUPPORT_MIN_VERSION = 0x10101003;
 
-    public SSLHostConfig initOpenSSLConfCmdCipher(String... commands) throws 
Exception {
+    private static int OPENSSL_VERSION = TesterSupport.getOpensslVersion();;
+
+    private static boolean hasTLS13() {
+        return OPENSSL_VERSION >= OPENSSL_TLS13_SUPPORT_MIN_VERSION;
+    }
+
+    public SSLHostConfig initOpenSSLConfCmd(String... commands) throws 
Exception {
         Assert.assertNotNull(commands);
         Assert.assertTrue("Invalid length", commands.length % 2 == 0);
 
@@ -78,9 +87,15 @@ public class TestOpenSSLConf extends Tom
 
     @Test
     public void testOpenSSLConfCmdCipher() throws Exception {
-        // Ensure TLSv1.3 ciphers aren't returned
-        SSLHostConfig sslHostConfig = initOpenSSLConfCmdCipher("CipherString", 
ENABLED_CIPHER,
-                "CipherSuites", "");
+        log.info("Found OpenSSL version 0x" + 
Integer.toHexString(OPENSSL_VERSION));
+        SSLHostConfig sslHostConfig;
+        if (hasTLS13()) {
+            // Ensure TLSv1.3 ciphers aren't returned
+            sslHostConfig = initOpenSSLConfCmd("CipherString", ENABLED_CIPHER,
+                                               "CipherSuites", "");
+        } else {
+            sslHostConfig = initOpenSSLConfCmd("CipherString", ENABLED_CIPHER);
+        }
         String[] ciphers = sslHostConfig.getEnabledCiphers();
         Assert.assertThat("Wrong HostConfig ciphers", ciphers,
                 CoreMatchers.is(EXPECTED_CIPHERS));
@@ -91,15 +106,23 @@ public class TestOpenSSLConf extends Tom
 
     @Test
     public void testOpenSSLConfCmdProtocol() throws Exception {
+        log.info("Found OpenSSL version 0x" + 
Integer.toHexString(OPENSSL_VERSION));
         Set<String> disabledProtocols = new 
HashSet<>(Arrays.asList(DISABLED_PROTOCOLS));
         StringBuilder sb = new StringBuilder();
         for (String protocol : DISABLED_PROTOCOLS) {
             sb.append(",").append("-").append(protocol);
         }
+        if (hasTLS13()) {
+            // Also disable TLSv1.3
+            for (String protocol : DISABLED_PROTOCOLS_TLS13) {
+                sb.append(",").append("-").append(protocol);
+                disabledProtocols.add(protocol);
+            }
+        }
         for (String protocol : ENABLED_PROTOCOLS) {
             sb.append(",").append(protocol);
         }
-        SSLHostConfig sslHostConfig = initOpenSSLConfCmdCipher("Protocol", 
sb.substring(1));
+        SSLHostConfig sslHostConfig = initOpenSSLConfCmd("Protocol", 
sb.substring(1));
         String[] protocols = sslHostConfig.getEnabledProtocols();
         for (String protocol : protocols) {
             Assert.assertFalse("Protocol " + protocol + " is not allowed",



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1828946 - in /tomcat/trunk/test/org/apache/tomcat/util/net: TesterSupport.java openssl/TestOpenSSLConf.java

Reply via email to