summaryrefslogtreecommitdiffstats
path: root/security/nss/gtests/nss_bogo_shim
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-08-14 07:52:35 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-08-14 16:42:52 +0200
commitab1060037931158d3a8bf4c8f9f6cb4dbfe916e9 (patch)
tree5e4677e52b9a349602f04135a44b3000c8baa97b /security/nss/gtests/nss_bogo_shim
parentf44e99950fc25d16a3cdaffe26dadf7b58a9d38c (diff)
downloadUXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.gz
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.lz
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.xz
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.zip
Update NSS to 3.38
- Added HACL*Poly1305 32-bit (INRIA/Microsoft) - Updated to final TLS 1.3 draft version (28) - Removed TLS 1.3 prerelease draft limit check - Removed NPN code - Enabled dev/urandom-only RNG on Linux with NSS_SEED_ONLY_DEV_URANDOM for non-standard environments - Fixed several bugs with TLS 1.3 negotiation - Updated internal certificate store - Added support for the TLS Record Size Limit Extension. - Fixed CVE-2018-0495 - Various security fixes in the ASN.1 code.
Diffstat (limited to 'security/nss/gtests/nss_bogo_shim')
-rw-r--r--security/nss/gtests/nss_bogo_shim/config.cc35
-rw-r--r--security/nss/gtests/nss_bogo_shim/config.h17
-rw-r--r--security/nss/gtests/nss_bogo_shim/config.json74
-rw-r--r--security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc59
4 files changed, 97 insertions, 88 deletions
diff --git a/security/nss/gtests/nss_bogo_shim/config.cc b/security/nss/gtests/nss_bogo_shim/config.cc
index 2e6f7f775..603bb6029 100644
--- a/security/nss/gtests/nss_bogo_shim/config.cc
+++ b/security/nss/gtests/nss_bogo_shim/config.cc
@@ -9,26 +9,37 @@
#include <queue>
#include <string>
-bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args,
- std::string *out) {
- if (args->empty()) return false;
- *out = args->front();
- args->pop();
+bool ConfigEntryBase::ParseInternal(std::queue<const char *> &args,
+ std::vector<int> &out) {
+ if (args.empty()) return false;
+
+ char *endptr;
+ out.push_back(strtol(args.front(), &endptr, 10));
+ args.pop();
+
+ return !*endptr;
+}
+
+bool ConfigEntryBase::ParseInternal(std::queue<const char *> &args,
+ std::string &out) {
+ if (args.empty()) return false;
+ out = args.front();
+ args.pop();
return true;
}
-bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args, int *out) {
- if (args->empty()) return false;
+bool ConfigEntryBase::ParseInternal(std::queue<const char *> &args, int &out) {
+ if (args.empty()) return false;
char *endptr;
- *out = strtol(args->front(), &endptr, 10);
- args->pop();
+ out = strtol(args.front(), &endptr, 10);
+ args.pop();
return !*endptr;
}
-bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args, bool *out) {
- *out = true;
+bool ConfigEntryBase::ParseInternal(std::queue<const char *> &args, bool &out) {
+ out = true;
return true;
}
@@ -51,7 +62,7 @@ Config::Status Config::ParseArgs(int argc, char **argv) {
if (e == entries_.end()) {
return kUnknownFlag;
}
- if (!e->second->Parse(&args)) return kMalformedArgument;
+ if (!e->second->Parse(args)) return kMalformedArgument;
}
return kOK;
diff --git a/security/nss/gtests/nss_bogo_shim/config.h b/security/nss/gtests/nss_bogo_shim/config.h
index 822df65b3..0e7fb5ed5 100644
--- a/security/nss/gtests/nss_bogo_shim/config.h
+++ b/security/nss/gtests/nss_bogo_shim/config.h
@@ -23,18 +23,19 @@
// Abstract base class for a given config flag.
class ConfigEntryBase {
public:
- ConfigEntryBase(const std::string& name, const std::string& type)
- : name_(name), type_(type) {}
+ ConfigEntryBase(const std::string& nm, const std::string& typ)
+ : name_(nm), type_(typ) {}
virtual ~ConfigEntryBase() {}
const std::string& type() const { return type_; }
- virtual bool Parse(std::queue<const char*>* args) = 0;
+ virtual bool Parse(std::queue<const char*>& args) = 0;
protected:
- bool ParseInternal(std::queue<const char*>* args, std::string* out);
- bool ParseInternal(std::queue<const char*>* args, int* out);
- bool ParseInternal(std::queue<const char*>* args, bool* out);
+ bool ParseInternal(std::queue<const char*>& args, std::vector<int>& out);
+ bool ParseInternal(std::queue<const char*>& args, std::string& out);
+ bool ParseInternal(std::queue<const char*>& args, int& out);
+ bool ParseInternal(std::queue<const char*>& args, bool& out);
const std::string name_;
const std::string type_;
@@ -48,8 +49,8 @@ class ConfigEntry : public ConfigEntryBase {
: ConfigEntryBase(name, typeid(T).name()), value_(init) {}
T get() const { return value_; }
- bool Parse(std::queue<const char*>* args) {
- return ParseInternal(args, &value_);
+ bool Parse(std::queue<const char*>& args) {
+ return ParseInternal(args, value_);
}
private:
diff --git a/security/nss/gtests/nss_bogo_shim/config.json b/security/nss/gtests/nss_bogo_shim/config.json
index 03f875466..6dc155bef 100644
--- a/security/nss/gtests/nss_bogo_shim/config.json
+++ b/security/nss/gtests/nss_bogo_shim/config.json
@@ -1,69 +1,16 @@
{
"DisabledTests": {
"### These tests break whenever we rev versions, so just leave them here for easy uncommenting":"",
- "SendWarningAlerts-Pass":"BoringSSL updated",
- "SendBogusAlertType":"BoringSSL updated",
- "SendEmptyRecords-Pass":"BoringSSL updated",
- "ExtraCompressionMethods-TLS12":"BoringSSL updated",
- "SendSNIWarningAlert":"BoringSSL updated",
- "NoNullCompression-TLS12":"BoringSSL updated",
- "InvalidCompressionMethod":"BoringSSL updated",
- "SupportTicketsWithSessionID":"BoringSSL updated",
- "NoSharedCipher":"BoringSSL updated",
- "ServerHelloBogusCipher":"BoringSSL updated",
- "ClientHelloVersionTooHigh":"BoringSSL updated",
- "ServerAuth-SignatureType":"BoringSSL updated",
- "ECDSACurveMismatch-Verify-TLS12":"BoringSSL updated",
- "UnknownExtension-Client":"BoringSSL updated",
- "UnofferedExtension-Client":"BoringSSL updated",
- "SendClientVersion-RSA":"BoringSSL updated",
- "SupportedCurves-ServerHello-TLS12":"BoringSSL updated",
- "Basic-Client*Sync":"BoringSSL updated",
- "Resume-Client-CipherMismatch":"BoringSSL updated",
- "ClientAuth-SignatureType":"BoringSSL updated",
- "Agree-Digest-Default":"BoringSSL updated",
- "Basic-Server*Sync":"BoringSSL updated",
- "ClientAuth-*-Sync":"BoringSSL updated",
- "RSA-PSS-Default*":"BoringSSL updated",
- "Renegotiate-Server-NoExt*":"BoringSSL updated",
- "Downgrade-TLS12*":"BoringSSL updated",
- "MaxCBCPadding":"BoringSSL updated",
- "UnknownCipher":"BoringSSL updated",
- "LargeMessage":"BoringSSL updated",
- "NoCommonCurves":"BoringSSL updated",
- "UnknownCurve":"BoringSSL updated",
- "SessionTicketsDisabled*":"BoringSSL updated",
- "BadFinished-*":"BoringSSL updated",
- "ServerSkipCertificateVerify":"BoringSSL updated",
- "*VersionTolerance":"BoringSSL updated",
- "ConflictingVersionNegotiation*":"BoringSSL updated",
- "Ed25519DefaultDisable*":"BoringSSL updated",
- "*SHA1-Fallback*":"BoringSSL updated",
- "ExtendedMasterSecret-NoToNo*":"BoringSSL updated",
- "ServerNameExtensionClientMissing*":"BoringSSL updated",
- "NoClientCertificate*":"BoringSSL updated",
- "ServerCipherFilter*":"BoringSSL updated",
- "*FallbackSCSV*":"BoringSSL updated",
- "LooseInitialRecordVersion*":"BoringSSL updated",
- "ALPNClient*":"BoringSSL updated",
- "MinimumVersion*":"BoringSSL updated",
- "VersionNegotiation*":"BoringSSL updated",
- "*Client-ClientAuth*":"BoringSSL updated",
- "*Server-ClientAuth*":"BoringSSL updated",
- "NoExtendedMasterSecret*":"BoringSSL updated",
- "PointFormat*":"BoringSSL updated",
- "*Sync-SplitHandshakeRecords*":"BoringSSL updated",
- "*Sync-PackHandshakeFlight*":"BoringSSL updated",
- "TicketSessionIDLength*":"BoringSSL updated",
- "*LargeRecord*":"BoringSSL updated",
- "WrongMessageType-NewSessionTicket":"BoringSSL updated",
- "WrongMessageType*Certificate*":"BoringSSL updated",
- "WrongMessageType*Client*":"BoringSSL updated",
- "WrongMessageType*Server*":"BoringSSL updated",
- "WrongMessageType*DTLS":"BoringSSL updated",
- "GarbageCertificate*":"BoringSSL updated",
- "EmptyExtensions*":"BoringSSL updated",
- "*OmitExtensions*":"BoringSSL updated",
+ "ServerBogusVersion":"Check that SH.legacy_version=TLS12 when the server picks TLS 1.3 (Bug 1443761)",
+ "DummyPQPadding-Server*":"Boring is testing a dummy PQ padding extension",
+ "VerifyPreferences-Enforced":"NSS sends alerts in response to errors in protected handshake messages in the clear",
+ "Draft-Downgrade-Server":"Boring implements a draft downgrade sentinel used for measurements.",
+ "FilterExtraAlgorithms":"NSS doesn't allow sending unsupported signature algorithms",
+ "SendBogusAlertType":"Unexpected TLS alerts should abort connections (Bug 1438263)",
+ "VerifyPreferences-Ed25519":"Add Ed25519 support (Bug 1325335)",
+ "Ed25519DefaultDisable*":"Add Ed25519 support (Bug 1325335)",
+ "ServerCipherFilter*":"Add Ed25519 support (Bug 1325335)",
+ "GarbageCertificate*":"Send bad_certificate alert when certificate parsing fails (Bug 1441565)",
"SupportedVersionSelection-TLS12":"Should maybe reject TLS 1.2 in SH.supported_versions (Bug 1438266)",
"*TLS13*":"(NSS=19, BoGo=18)",
"*HelloRetryRequest*":"(NSS=19, BoGo=18)",
@@ -108,7 +55,6 @@
"WrongMessageType-TLS13-ServerCertificateVerify":"nss updated/broken",
"WrongMessageType-TLS13-ServerCertificate":"nss updated/broken",
"WrongMessageType-TLS13-ServerFinished":"nss updated/broken",
- "EncryptedExtensionsWithKeyShare":"nss updated/broken",
"EmptyEncryptedExtensions":"nss updated/broken",
"TrailingMessageData-*": "Bug 1304575",
"DuplicateKeyShares":"Bug 1304578",
diff --git a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
index e12714e8d..72dbd5771 100644
--- a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
+++ b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
@@ -5,6 +5,7 @@
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "config.h"
+#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <memory>
@@ -90,9 +91,14 @@ class TestAgent {
PRStatus prv;
PRNetAddr addr;
- prv = PR_StringToNetAddr("127.0.0.1", &addr);
+ // Try IPv6 first.
+ prv = PR_StringToNetAddr("::1", &addr);
if (prv != PR_SUCCESS) {
- return false;
+ // If that fails, try IPv4.
+ prv = PR_StringToNetAddr("127.0.0.1", &addr);
+ if (prv != PR_SUCCESS) {
+ return false;
+ }
}
addr.inet.port = PR_htons(cfg_.get<int>("port"));
@@ -256,7 +262,11 @@ class TestAgent {
}
bool SetupOptions() {
- SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
+ SECStatus rv =
+ SSL_OptionSet(ssl_fd_, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
+ if (rv != SECSuccess) return false;
+
+ rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
if (rv != SECSuccess) return false;
SSLVersionRange vrange;
@@ -287,6 +297,26 @@ class TestAgent {
if (rv != SECSuccess) return false;
}
+ // Set supported signature schemes.
+ auto sign_prefs = cfg_.get<std::vector<int>>("signing-prefs");
+ auto verify_prefs = cfg_.get<std::vector<int>>("verify-prefs");
+ if (sign_prefs.empty()) {
+ sign_prefs = verify_prefs;
+ } else if (!verify_prefs.empty()) {
+ return false; // Both shouldn't be set.
+ }
+ if (!sign_prefs.empty()) {
+ std::vector<SSLSignatureScheme> sig_schemes;
+ std::transform(
+ sign_prefs.begin(), sign_prefs.end(), std::back_inserter(sig_schemes),
+ [](int scheme) { return static_cast<SSLSignatureScheme>(scheme); });
+
+ rv = SSL_SignatureSchemePrefSet(
+ ssl_fd_, sig_schemes.data(),
+ static_cast<unsigned int>(sig_schemes.size()));
+ if (rv != SECSuccess) return false;
+ }
+
if (cfg_.get<bool>("fallback-scsv")) {
rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
if (rv != SECSuccess) return false;
@@ -410,7 +440,7 @@ class TestAgent {
size_t left = sizeof(block);
while (left) {
- int32_t rv = PR_Read(ssl_fd_, block, left);
+ rv = PR_Read(ssl_fd_, block, left);
if (rv < 0) {
std::cerr << "Failure reading\n";
return SECFailure;
@@ -481,6 +511,24 @@ class TestAgent {
}
}
+ auto sig_alg = cfg_.get<int>("expect-peer-signature-algorithm");
+ if (sig_alg) {
+ SSLChannelInfo info;
+ rv = SSL_GetChannelInfo(ssl_fd_, &info, sizeof(info));
+ if (rv != SECSuccess) {
+ PRErrorCode err = PR_GetError();
+ std::cerr << "SSL_GetChannelInfo failed with error=" << FormatError(err)
+ << std::endl;
+ return SECFailure;
+ }
+
+ auto expected = static_cast<SSLSignatureScheme>(sig_alg);
+ if (info.signatureScheme != expected) {
+ std::cerr << "Unexpected signature scheme" << std::endl;
+ return SECFailure;
+ }
+ }
+
return SECSuccess;
}
@@ -513,6 +561,9 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
cfg->AddEntry<bool>("verify-peer", false);
cfg->AddEntry<std::string>("advertise-alpn", "");
cfg->AddEntry<std::string>("expect-alpn", "");
+ cfg->AddEntry<std::vector<int>>("signing-prefs", std::vector<int>());
+ cfg->AddEntry<std::vector<int>>("verify-prefs", std::vector<int>());
+ cfg->AddEntry<int>("expect-peer-signature-algorithm", 0);
auto rv = cfg->ParseArgs(argc, argv);
switch (rv) {