diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2018-02-06 11:46:26 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-06 11:46:26 +0100 |
commit | f017b749ea9f1586d2308504553d40bf4cc5439d (patch) | |
tree | c6033924a0de9be1ab140596e305898c651bf57e /security/nss/tests | |
parent | 7c728b3c7680662fc4e92b5d03697b8339560b08 (diff) | |
download | UXP-f017b749ea9f1586d2308504553d40bf4cc5439d.tar UXP-f017b749ea9f1586d2308504553d40bf4cc5439d.tar.gz UXP-f017b749ea9f1586d2308504553d40bf4cc5439d.tar.lz UXP-f017b749ea9f1586d2308504553d40bf4cc5439d.tar.xz UXP-f017b749ea9f1586d2308504553d40bf4cc5439d.zip |
Update NSS to 3.32.1-RTM
Diffstat (limited to 'security/nss/tests')
-rwxr-xr-x | security/nss/tests/all.sh | 9 | ||||
-rwxr-xr-x | security/nss/tests/bogo/bogo.sh | 5 | ||||
-rwxr-xr-x | security/nss/tests/common/cleanup.sh | 3 | ||||
-rw-r--r-- | security/nss/tests/common/init.sh | 6 | ||||
-rw-r--r-- | security/nss/tests/common/parsegtestreport.sed | 1 | ||||
-rwxr-xr-x | security/nss/tests/gtests/gtests.sh | 8 | ||||
-rw-r--r-- | security/nss/tests/interop/interop.sh | 70 | ||||
-rwxr-xr-x | security/nss/tests/ssl/ssl.sh | 14 | ||||
-rwxr-xr-x | security/nss/tests/ssl_gtests/ssl_gtests.sh | 105 | ||||
-rw-r--r-- | security/nss/tests/tools/tools.sh | 64 |
10 files changed, 234 insertions, 51 deletions
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh index 8305e6766..833817f4a 100755 --- a/security/nss/tests/all.sh +++ b/security/nss/tests/all.sh @@ -39,6 +39,8 @@ # gtests.sh - Gtest based unit tests for everything else # bogo.sh - Bogo interop tests (disabled by default) # https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md +# interop.sh - Interoperability tests (disabled by default) +# https://github.com/ekr/tls_interop # # NSS testing is now devided to 4 cycles: # --------------------------------------- @@ -60,7 +62,6 @@ # ------------------------------------------------------- # BUILT_OPT - use optimized/debug build # USE_64 - use 64bit/32bit build -# USE_ASAN - use Address Sanitizer build # # Optional environment variables to enable specific NSS features: # --------------------------------------------------------------- @@ -272,7 +273,11 @@ run_cycles() cycles="standard pkix upgradedb sharedb" CYCLES=${NSS_CYCLES:-$cycles} -tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests" +# Don't run chains tests when we have a gyp build. +if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then + tests="$tests chains" +fi TESTS=${NSS_TESTS:-$tests} ALL_TESTS=${TESTS} diff --git a/security/nss/tests/bogo/bogo.sh b/security/nss/tests/bogo/bogo.sh index 7503d230e..26dfb0abb 100755 --- a/security/nss/tests/bogo/bogo.sh +++ b/security/nss/tests/bogo/bogo.sh @@ -25,7 +25,7 @@ bogo_init() BORING=${BORING:=boringssl} if [ ! -d "$BORING" ]; then git clone -q https://boringssl.googlesource.com/boringssl "$BORING" - git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3 + git -C "$BORING" checkout -q bbfe603519bc54fbc4c8dd87efe1ed385df550b4 fi SCRIPTNAME="bogo.sh" @@ -39,9 +39,6 @@ bogo_cleanup() . common/cleanup.sh } -# Need to add go to the PATH. -export PATH=$PATH:/usr/lib/go-1.6/bin - cd "$(dirname "$0")" SOURCE_DIR="$PWD"/../.. bogo_init diff --git a/security/nss/tests/common/cleanup.sh b/security/nss/tests/common/cleanup.sh index 40d8bc40f..40885bc79 100755 --- a/security/nss/tests/common/cleanup.sh +++ b/security/nss/tests/common/cleanup.sh @@ -27,6 +27,9 @@ if [ -z "${CLEANUP}" -o "${CLEANUP}" = "${SCRIPTNAME}" ]; then echo "NSS_AIA_OCSP=${NSS_AIA_OCSP}" echo "IOPR_HOSTADDR_LIST=${IOPR_HOSTADDR_LIST}" echo "PKITS_DATA=${PKITS_DATA}" + echo "NSS_DISABLE_HW_AES=${NSS_DISABLE_HW_AES}" + echo "NSS_DISABLE_PCLMUL=${NSS_DISABLE_PCLMUL}" + echo "NSS_DISABLE_AVX=${NSS_DISABLE_AVX}" echo echo "Tests summary:" echo "--------------" diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh index 3598e8223..caf3013e6 100644 --- a/security/nss/tests/common/init.sh +++ b/security/nss/tests/common/init.sh @@ -180,9 +180,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then } increase_msg_id() { - MSG_ID=`cat ${MSG_ID_FILE}` - MSG_ID=`expr ${MSG_ID} + 1` - echo ${MSG_ID} > ${MSG_ID_FILE} + MSG_ID=$(( ${MSG_ID} + 1 )) } html_passed_ignore_core() { @@ -645,9 +643,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then NSS_DEFAULT_DB_TYPE="dbm" export NSS_DEFAULT_DB_TYPE - MSG_ID_FILE="${HOSTDIR}/id" MSG_ID=0 - echo ${MSG_ID} > ${MSG_ID_FILE} ################################################# # Interoperability testing constatnts diff --git a/security/nss/tests/common/parsegtestreport.sed b/security/nss/tests/common/parsegtestreport.sed index d7c6ddada..11bd1d6af 100644 --- a/security/nss/tests/common/parsegtestreport.sed +++ b/security/nss/tests/common/parsegtestreport.sed @@ -6,3 +6,4 @@ } d : end +s/"/"/g diff --git a/security/nss/tests/gtests/gtests.sh b/security/nss/tests/gtests/gtests.sh index f91349b9e..c785241c4 100755 --- a/security/nss/tests/gtests/gtests.sh +++ b/security/nss/tests/gtests/gtests.sh @@ -24,7 +24,7 @@ gtest_init() { cd "$(dirname "$1")" if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then - cd common + cd ../common . ./init.sh fi @@ -55,7 +55,8 @@ gtest_start() GTESTREPORT="$GTESTDIR/report.xml" PARSED_REPORT="$GTESTDIR/report.parsed" echo "executing $i" - ${BINDIR}/$i -d "$GTESTDIR" --gtest_output=xml:"${GTESTREPORT}" \ + ${BINDIR}/$i "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \ + -d "$GTESTDIR" --gtest_output=xml:"${GTESTREPORT}" \ --gtest_filter="${GTESTFILTER-*}" html_msg $? 0 "$i run successfully" echo "test output dir: ${GTESTREPORT}" @@ -82,7 +83,8 @@ gtest_cleanup() } ################## main ################################################# -GTESTS="der_gtest pk11_gtest util_gtest" +GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest" +SOURCE_DIR="$PWD"/../.. gtest_init $0 gtest_start gtest_cleanup diff --git a/security/nss/tests/interop/interop.sh b/security/nss/tests/interop/interop.sh new file mode 100644 index 000000000..59f0cb481 --- /dev/null +++ b/security/nss/tests/interop/interop.sh @@ -0,0 +1,70 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/interop/interop.sh +# +# Script to drive our cross-stack interop tests +# +######################################################################## + +interop_init() +{ + SCRIPTNAME="interop.sh" + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then + cd ../common + . ./init.sh + fi + + mkdir -p "${HOSTDIR}/interop" + cd "${HOSTDIR}/interop" + INTEROP=${INTEROP:=tls_interop} + if [ ! -d "$INTEROP" ]; then + git clone -q https://github.com/mozilla/tls-interop "$INTEROP" + fi + INTEROP=$(cd "$INTEROP";pwd -P) + + # We use the BoringSSL keyfiles + BORING=${BORING:=boringssl} + if [ ! -d "$BORING" ]; then + git clone -q https://boringssl.googlesource.com/boringssl "$BORING" + git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3 + fi + BORING=$(cd "$BORING";pwd -P) + + SCRIPTNAME="interop.sh" + html_head "interop test" +} + +interop_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +# Function so we can easily add other stacks +interop_run() +{ + test_name=$1 + client=$2 + server=$3 + + (cd "$INTEROP"; + cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log + html_msg "${PIPESTATUS[0]}" 0 "Interop" "Run successfully" + grep -i 'FAILED\|Assertion failure' interop-${test_name}.errors + html_msg $? 1 "Interop" "No failures" +} + +cd "$(dirname "$0")" +SOURCE_DIR="$PWD"/../.. +interop_init +NSS_SHIM="$BINDIR"/nss_bogo_shim +BORING_SHIM="$BORING"/build/ssl/test/bssl_shim +interop_run "nss_nss" ${NSS_SHIM} ${NSS_SHIM} +interop_cleanup diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh index b34c9c097..944849ad3 100755 --- a/security/nss/tests/ssl/ssl.sh +++ b/security/nss/tests/ssl/ssl.sh @@ -1006,7 +1006,7 @@ ssl_run() do case "${SSL_RUN}" in "stapling") - if [ -nz "$NSS_DISABLE_LIBPKIX" ]; then + if [ -z "$NSS_DISABLE_LIBPKIX" ]; then ssl_stapling fi ;; @@ -1038,7 +1038,14 @@ ssl_run_all() ORIG_P_R_SERVERDIR=$P_R_SERVERDIR ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR - USER_NICKNAME=TestUser + # Exercise PKCS#11 URI parsing. The token actually changes its name + # in FIPS mode, so cope with that. Note there's also semicolon in here + # but it doesn't need escaping/quoting; the shell copes. + if [ "${CLIENT_MODE}" = "fips" ]; then + USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser" + else + USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser" + fi NORM_EXT="" cd ${CLIENTDIR} @@ -1051,7 +1058,8 @@ ssl_run_all() P_R_SERVERDIR=$P_R_EXT_SERVERDIR P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR - USER_NICKNAME=ExtendedSSLUser + # A different URI test; specify CKA_LABEL but not the token. + USER_NICKNAME="pkcs11:object=ExtendedSSLUser" NORM_EXT="Extended Test" cd ${CLIENTDIR} diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh index 9768c5ed9..ac39f212c 100755 --- a/security/nss/tests/ssl_gtests/ssl_gtests.sh +++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh @@ -127,23 +127,98 @@ ssl_gtest_start() fi SSLGTESTREPORT="${SSLGTESTDIR}/report.xml" - PARSED_REPORT="${SSLGTESTDIR}/report.parsed" - echo "executing ssl_gtest" - ${BINDIR}/ssl_gtest -d "${SSLGTESTDIR}" --gtest_output=xml:"${SSLGTESTREPORT}" \ - --gtest_filter="${GTESTFILTER-*}" - html_msg $? 0 "ssl_gtest run successfully" - echo "executing sed to parse the xml report" - sed -f ${COMMON}/parsegtestreport.sed "${SSLGTESTREPORT}" > "${PARSED_REPORT}" - echo "processing the parsed report" - cat "${PARSED_REPORT}" | while read result name; do - if [ "$result" = "notrun" ]; then - echo "$name" SKIPPED - elif [ "$result" = "run" ]; then - html_passed_ignore_core "$name" - else + + local nshards=1 + local prefix="" + local postfix="" + + export -f parallel_fallback + + # Determine the number of chunks. + if [ -n "$GTESTFILTER" ]; then + echo "DEBUG: Not parallelizing ssl_gtests because \$GTESTFILTER is set" + elif type parallel 2>/dev/null; then + nshards=$(parallel --number-of-cores || 1) + fi + + if [ "$nshards" != 1 ]; then + local indices=$(for ((i=0; i<$nshards; i++)); do echo $i; done) + prefix="parallel -j$nshards --line-buffer --halt soon,fail=1" + postfix="\&\& exit 0 \|\| exit 1 ::: $indices" + fi + + echo "DEBUG: ssl_gtests will be divided into $nshards chunk(s)" + + # Run tests. + ${prefix:-parallel_fallback} \ + GTEST_SHARD_INDEX={} \ + GTEST_TOTAL_SHARDS=$nshards \ + DYLD_LIBRARY_PATH="${DIST}/${OBJDIR}/lib" \ + ${BINDIR}/ssl_gtest -d "${SSLGTESTDIR}" \ + --gtest_output=xml:"${SSLGTESTREPORT}.{}" \ + --gtest_filter="${GTESTFILTER-*}" \ + $postfix + + html_msg $? 0 "ssl_gtests ran successfully" + + # Parse XML report(s). + if type xmllint &>/dev/null; then + echo "DEBUG: Using xmllint to parse GTest XML report(s)" + parse_report + else + echo "DEBUG: Falling back to legacy XML report parsing using only sed" + parse_report_legacy + fi +} + +# Helper function used when 'parallel' isn't available. +parallel_fallback() +{ + eval "${@//\{\}/0}" +} + +parse_report() +{ + # Check XML reports for normal test runs and failures. + local successes=$(parse_report_xpath "//testcase[@status='run'][count(*)=0]") + local failures=$(parse_report_xpath "//failure/..") + + # Print all tests that succeeded. + while read result name; do + html_passed_ignore_core "$name" + done <<< "$successes" + + # Print failing tests. + if [ -n "$failures" ]; then + printf "\nFAILURES:\n=========\n" + + while read result name; do html_failed_ignore_core "$name" + done <<< "$failures" + + printf "\n" + fi +} + +parse_report_xpath() +{ + # Query the XML report with the given XPath pattern. + xmllint --xpath "$1" "${SSLGTESTREPORT}".* 2>/dev/null | \ + # Insert newlines to help sed. + sed $'s/<testcase/\\\n<testcase/g' | \ + # Use sed to parse the report. + sed -f "${COMMON}/parsegtestreport.sed" +} + +# This legacy report parser can't actually detect failures. It always relied +# on the binary's exit code. Print the tests we ran to keep the old behavior. +parse_report_legacy() +{ + while read result name && [ -n "$name" ]; do + if [ "$result" = "run" ]; then + html_passed_ignore_core "$name" fi - done + done <<< "$(sed -f "${COMMON}/parsegtestreport.sed" "${SSLGTESTREPORT}".*)" } ssl_gtest_cleanup() diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh index 26abf3e4e..769bafa00 100644 --- a/security/nss/tests/tools/tools.sh +++ b/security/nss/tests/tools/tools.sh @@ -29,7 +29,7 @@ "PKCS #12 V2 PBE With SHA-1 and 40 Bit RC4" export pkcs12v2pbeWithSha1AndTripleDESCBC=\ -"PKCS #12 V2 PBE With SHA-1 and Triple DES-CBC" +"PKCS #12 V2 PBE With SHA-1 and 3KEY Triple DES-CBC" export pkcs12v2pbeWithSha1And128BitRc2Cbc=\ "PKCS #12 V2 PBE With SHA-1 and 128 Bit RC2 CBC" @@ -249,7 +249,7 @@ tools_p12_export_list_import_all_pkcs5pbe_ciphers() "${pkcs5pbeWithMD5AndDEScbc}" \ "${pkcs5pbeWithSha1AndDEScbc}" \ "DEFAULT"\ - "null"; do + "none"; do export_list_import "${key_cipher}" "${cert_cipher}" done done @@ -273,12 +273,9 @@ tools_p12_export_list_import_all_pkcs5v2_ciphers() CAMELLIA-256-CBC; do #--------------------------------------------------------------- -# Bug 452464 - pk12util -o fails when -C option specifies AES or +# Bug 452464 - pk12util -o fails when -C option specifies # Camellia ciphers # FIXME Restore these to the list -# AES-128-CBC, \ -# AES-192-CBC, \ -# AES-256-CBC, \ # CAMELLIA-128-CBC, \ # CAMELLIA-192-CBC, \ # CAMELLIA-256-CBC, \ @@ -287,7 +284,10 @@ tools_p12_export_list_import_all_pkcs5v2_ciphers() for cert_cipher in \ RC2-CBC \ DES-EDE3-CBC \ - null; do + AES-128-CBC \ + AES-192-CBC \ + AES-256-CBC \ + none; do export_list_import ${key_cipher} ${cert_cipher} done done @@ -324,8 +324,8 @@ tools_p12_export_list_import_all_pkcs12v2pbe_ciphers() "${pkcs12v2pbeWithMd5AndDESCBC}" \ "${pkcs12v2pbeWithSha1AndDESCBC}" \ "DEFAULT"\ - "null"; do - export_list_import "${key_cipher}" "${key_cipher}" + "none"; do + export_list_import "${key_cipher}" "${cert_cipher}" done #done } @@ -333,35 +333,60 @@ tools_p12_export_list_import_all_pkcs12v2pbe_ciphers() ######################################################################### # Export with no encryption on key should fail but on cert should pass ######################################################################### -tools_p12_export_with_null_ciphers() +tools_p12_export_with_none_ciphers() { - # use null as the key encryption algorithm default for the cert one + # use none as the key encryption algorithm default for the cert one # should fail echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" - echo " -k ${R_PWFILE} -w ${R_PWFILE} -c null" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -c none" ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ -k ${R_PWFILE} -w ${R_PWFILE} \ - -c null 2>&1 + -c none 2>&1 ret=$? - html_msg $ret 30 "Exporting with [null:default] (pk12util -o)" + html_msg $ret 30 "Exporting with [none:default] (pk12util -o)" check_tmpfile - # use default as the key encryption algorithm null for the cert one + # use default as the key encryption algorithm none for the cert one # should pass echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" - echo " -k ${R_PWFILE} -w ${R_PWFILE} -C null" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -C none" ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ -k ${R_PWFILE} -w ${R_PWFILE} \ - -C null 2>&1 + -C none 2>&1 ret=$? - html_msg $ret 0 "Exporting with [default:null] (pk12util -o)" + html_msg $ret 0 "Exporting with [default:none] (pk12util -o)" check_tmpfile } ######################################################################### +# Export with invalid cipher should fail +######################################################################### +tools_p12_export_with_invalid_ciphers() +{ + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -c INVALID_CIPHER" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -c INVALID_CIPHER 2>&1 + ret=$? + html_msg $ret 30 "Exporting with [INVALID_CIPHER:default] (pk12util -o)" + check_tmpfile + + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -C INVALID_CIPHER" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -C INVALID_CIPHER 2>&1 + ret=$? + html_msg $ret 30 "Exporting with [default:INVALID_CIPHER] (pk12util -o)" + check_tmpfile + +} + +######################################################################### # Exports using the default key and certificate encryption ciphers. # Imports from and lists the contents of the p12 file. # Repeats the test with ECC if enabled. @@ -407,7 +432,8 @@ tools_p12() tools_p12_export_list_import_all_pkcs5v2_ciphers tools_p12_export_list_import_all_pkcs5pbe_ciphers tools_p12_export_list_import_all_pkcs12v2pbe_ciphers - tools_p12_export_with_null_ciphers + tools_p12_export_with_none_ciphers + tools_p12_export_with_invalid_ciphers } ############################## tools_sign ############################## |