summaryrefslogtreecommitdiffstats
path: root/security/nss/gtests/nss_bogo_shim
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/gtests/nss_bogo_shim')
-rw-r--r--security/nss/gtests/nss_bogo_shim/Makefile52
-rw-r--r--security/nss/gtests/nss_bogo_shim/config.cc58
-rw-r--r--security/nss/gtests/nss_bogo_shim/config.h93
-rw-r--r--security/nss/gtests/nss_bogo_shim/config.json68
-rw-r--r--security/nss/gtests/nss_bogo_shim/manifest.mn20
-rw-r--r--security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc431
-rw-r--r--security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp79
-rw-r--r--security/nss/gtests/nss_bogo_shim/nsskeys.cc84
-rw-r--r--security/nss/gtests/nss_bogo_shim/nsskeys.h20
9 files changed, 905 insertions, 0 deletions
diff --git a/security/nss/gtests/nss_bogo_shim/Makefile b/security/nss/gtests/nss_bogo_shim/Makefile
new file mode 100644
index 000000000..fd6426d89
--- /dev/null
+++ b/security/nss/gtests/nss_bogo_shim/Makefile
@@ -0,0 +1,52 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+CXXFLAGS += -std=c++0x
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+include ../common/gtest.mk
+
+CFLAGS += -I$(CORE_DEPTH)/lib/ssl
+
+ifdef NSS_SSL_ENABLE_ZLIB
+include $(CORE_DEPTH)/coreconf/zlib.mk
+endif
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+
diff --git a/security/nss/gtests/nss_bogo_shim/config.cc b/security/nss/gtests/nss_bogo_shim/config.cc
new file mode 100644
index 000000000..2e6f7f775
--- /dev/null
+++ b/security/nss/gtests/nss_bogo_shim/config.cc
@@ -0,0 +1,58 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "config.h"
+
+#include <cstdlib>
+#include <queue>
+#include <string>
+
+bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args,
+ std::string *out) {
+ if (args->empty()) return false;
+ *out = args->front();
+ args->pop();
+ return true;
+}
+
+bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args, int *out) {
+ if (args->empty()) return false;
+
+ char *endptr;
+ *out = strtol(args->front(), &endptr, 10);
+ args->pop();
+
+ return !*endptr;
+}
+
+bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args, bool *out) {
+ *out = true;
+ return true;
+}
+
+std::string Config::XformFlag(const std::string &arg) {
+ if (arg.empty()) return "";
+
+ if (arg[0] != '-') return "";
+
+ return arg.substr(1);
+}
+
+Config::Status Config::ParseArgs(int argc, char **argv) {
+ std::queue<const char *> args;
+ for (int i = 1; i < argc; ++i) {
+ args.push(argv[i]);
+ }
+ while (!args.empty()) {
+ auto e = entries_.find(XformFlag(args.front()));
+ args.pop();
+ if (e == entries_.end()) {
+ return kUnknownFlag;
+ }
+ if (!e->second->Parse(&args)) return kMalformedArgument;
+ }
+
+ return kOK;
+}
diff --git a/security/nss/gtests/nss_bogo_shim/config.h b/security/nss/gtests/nss_bogo_shim/config.h
new file mode 100644
index 000000000..3764783bc
--- /dev/null
+++ b/security/nss/gtests/nss_bogo_shim/config.h
@@ -0,0 +1,93 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Generic command line flags system for NSS BoGo shim. This class
+// could actually in principle handle other programs. The flags are
+// defined in the consumer code.
+
+#ifndef config_h_
+#define config_h_
+
+#include <cassert>
+
+#include <iostream>
+#include <map>
+#include <memory>
+#include <queue>
+#include <string>
+#include <typeinfo>
+
+// Abstract base class for a given config flag.
+class ConfigEntryBase {
+ public:
+ ConfigEntryBase(const std::string& name, const std::string& type)
+ : name_(name), type_(type) {}
+
+ virtual ~ConfigEntryBase() {}
+
+ const std::string& type() const { return type_; }
+ virtual bool Parse(std::queue<const char*>* args) = 0;
+
+ protected:
+ bool ParseInternal(std::queue<const char*>* args, std::string* out);
+ bool ParseInternal(std::queue<const char*>* args, int* out);
+ bool ParseInternal(std::queue<const char*>* args, bool* out);
+
+ const std::string name_;
+ const std::string type_;
+};
+
+// Template specializations for the concrete flag types.
+template <typename T>
+class ConfigEntry : public ConfigEntryBase {
+ public:
+ ConfigEntry(const std::string& name, T init)
+ : ConfigEntryBase(name, typeid(T).name()), value_(init) {}
+ T get() const { return value_; }
+
+ bool Parse(std::queue<const char*>* args) {
+ return ParseInternal(args, &value_);
+ }
+
+ private:
+ T value_;
+};
+
+// The overall configuration (I.e., the total set of flags).
+class Config {
+ public:
+ enum Status { kOK, kUnknownFlag, kMalformedArgument, kMissingValue };
+
+ Config() : entries_() {}
+
+ template <typename T>
+ void AddEntry(const std::string& name, T init) {
+ entries_[name] = std::unique_ptr<ConfigEntryBase>(
+ new ConfigEntry<T>(name, init));
+ }
+
+ Status ParseArgs(int argc, char** argv);
+
+ template <typename T>
+ T get(const std::string& key) const {
+ auto e = entry(key);
+ assert(e->type() == typeid(T).name());
+ return static_cast<const ConfigEntry<T>*>(e)->get();
+ }
+
+ private:
+ static std::string XformFlag(const std::string& arg);
+
+ std::map<std::string, std::unique_ptr<ConfigEntryBase>> entries_;
+
+ const ConfigEntryBase* entry(const std::string& key) const {
+ auto e = entries_.find(key);
+ if (e == entries_.end()) return nullptr;
+ return e->second.get();
+ }
+};
+
+#endif // config_h_
diff --git a/security/nss/gtests/nss_bogo_shim/config.json b/security/nss/gtests/nss_bogo_shim/config.json
new file mode 100644
index 000000000..0a6864f73
--- /dev/null
+++ b/security/nss/gtests/nss_bogo_shim/config.json
@@ -0,0 +1,68 @@
+{
+ "DisabledTests": {
+ "### These tests break whenever we rev versions, so just leave them here for easy uncommenting":"",
+ "#*TLS13*":"(NSS=18, BoGo=16)",
+ "#*HelloRetryRequest*":"(NSS=18, BoGo=16)",
+ "#*KeyShare*":"(NSS=18, BoGo=16)",
+ "#*EncryptedExtensions*":"(NSS=18, BoGo=16)",
+ "#*ServerHelloSignatureAlgorithms*":"(NSS=18, BoGo=16)",
+ "#*SecondClientHello*":"(NSS=18, BoGo=16)",
+ "#*IgnoreClientVersionOrder*":"(NSS=18, BoGo=16)",
+ "Resume-Server-BinderWrongLength":"Alert disagreement (Bug 1317633)",
+ "Resume-Server-NoPSKBinder":"Alert disagreement (Bug 1317633)",
+ "CheckRecordVersion-TLS*":"Bug 1317634",
+ "GREASE-Server-TLS13":"BoringSSL GREASEs without a flag, but we ignore it",
+ "TLS13-ExpectNoSessionTicketOnBadKEMode-Server":"Bug in NSS. Don't send ticket when not permitted by KE modes (Bug 1317635)",
+ "Resume-Server-InvalidPSKBinder":"(Bogo incorrectly expects 'illegal_parameter')",
+ "FallbackSCSV-VersionMatch":"Draft version mismatch (NSS=15, BoGo=14)",
+ "*KeyUpdate*":"KeyUpdate Unimplemented",
+ "ClientAuth-NoFallback-TLS13":"Disagreement about alerts. Bug 1294975",
+ "ClientAuth-SHA1-Fallback":"Disagreement about alerts. Bug 1294975",
+ "SendWarningAlerts-TLS13":"NSS needs to trigger on warning alerts",
+ "NoSupportedCurves":"This tests a non-spec behavior for TLS 1.2 and expects the wrong alert for TLS 1.3",
+ "SendEmptyRecords":"Tests a non-spec behavior in BoGo where it chokes on too many empty records",
+ "LargePlaintext":"NSS needs to check for over-long records. Bug 1294978",
+ "TLS13-RC4-MD5-server":"This fails properly but returns an unexpected error. Not a bug but needs cleanup",
+ "*VersionTolerance":"BoGo expects us to negotiate 1.3 but we negotiate 1.2 because BoGo didn't send draft version",
+ "*SSL3*":"NSS disables SSLv3",
+ "*SSLv3*":"NSS disables SSLv3",
+ "*AES256*":"Inconsistent support for AES256",
+ "*AES128-SHA256*":"No support for Suite B ciphers",
+ "*CHACHA20-POLY1305-OLD*":"Old ChaCha/Poly",
+ "DuplicateExtension*":"NSS sends unexpected_extension alert",
+ "WeakDH":"NSS supports 768-bit DH",
+ "SillyDH":"NSS supports 4097-bit DH",
+ "SendWarningAlerts":"This appears to be Boring-specific",
+ "V2ClientHello-WarningAlertPrefix":"Bug 1292893",
+ "TLS12-AES128-GCM-client":"Bug 1292895",
+ "*TLS12-AES128-GCM-LargeRecord*":"Bug 1292895",
+ "Renegotiate-Client-Forbidden-1":"Bug 1292898",
+ "Renegotiate-Server-Forbidden":"NSS doesn't disable renegotiation by default",
+ "Renegotiate-Client-NoIgnore":"NSS doesn't disable renegotiation by default",
+ "StrayHelloRequest*":"NSS doesn't disable renegotiation by default",
+ "NoSupportedCurves-TLS13":"wanted SSL_ERROR_NO_CYPHER_OVERLAP, got missing extension error",
+ "FragmentedClientVersion":"received a malformed Client Hello handshake message",
+ "UnofferedExtension-Client-TLS13":"nss updated/broken",
+ "UnknownExtension-Client-TLS13":"nss updated/broken",
+ "WrongMessageType-TLS13-EncryptedExtensions":"nss updated/broken",
+ "WrongMessageType-TLS13-CertificateRequest":"nss updated/broken",
+ "WrongMessageType-TLS13-ServerCertificateVerify":"nss updated/broken",
+ "WrongMessageType-TLS13-ServerCertificate":"nss updated/broken",
+ "WrongMessageType-TLS13-ServerFinished":"nss updated/broken",
+ "EncryptedExtensionsWithKeyShare":"nss updated/broken",
+ "EmptyEncryptedExtensions":"nss updated/broken",
+ "ClientAuth-SHA1-Fallback-RSA":"We fail when the sig_algs_ext is empty",
+ "Downgrade-TLS12-*":"NSS implements downgrade detection",
+ "TrailingMessageData-*": "Bug 1304575",
+ "DuplicateKeyShares":"Bug 1304578",
+ "Resume-Server-TLS13-TLS13":"Bug 1314351"
+ },
+ "ErrorMap" : {
+ ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",
+ ":UNKNOWN_CIPHER_RETURNED:":"SSL_ERROR_NO_CYPHER_OVERLAP",
+ ":OLD_SESSION_CIPHER_NOT_RETURNED:":"SSL_ERROR_RX_MALFORMED_SERVER_HELLO",
+ ":NO_SHARED_CIPHER:":"SSL_ERROR_NO_CYPHER_OVERLAP",
+ ":DIGEST_CHECK_FAILED:":"SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE"
+ }
+}
+
diff --git a/security/nss/gtests/nss_bogo_shim/manifest.mn b/security/nss/gtests/nss_bogo_shim/manifest.mn
new file mode 100644
index 000000000..2d60ddea3
--- /dev/null
+++ b/security/nss/gtests/nss_bogo_shim/manifest.mn
@@ -0,0 +1,20 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+DEPTH = ../..
+MODULE = nss
+
+CPPSRCS = \
+ config.cc \
+ nsskeys.cc \
+ nss_bogo_shim.cc \
+ $(NULL)
+
+REQUIRES = nspr nss libdbm
+
+PROGRAM = nss_bogo_shim
+#EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX)
+
+USE_STATIC_LIBS = 1
diff --git a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
new file mode 100644
index 000000000..a128cbb05
--- /dev/null
+++ b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
@@ -0,0 +1,431 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "config.h"
+
+#include <cstdlib>
+#include <iostream>
+#include <memory>
+#include "nspr.h"
+#include "nss.h"
+#include "prio.h"
+#include "prnetdb.h"
+#include "ssl.h"
+#include "sslerr.h"
+#include "sslproto.h"
+
+#include "nsskeys.h"
+
+static const char* kVersionDisableFlags[] = {
+ "no-ssl3",
+ "no-tls1",
+ "no-tls11",
+ "no-tls12",
+ "no-tls13"
+};
+
+bool exitCodeUnimplemented = false;
+
+std::string FormatError(PRErrorCode code) {
+ return std::string(":") + PORT_ErrorToName(code) + ":" + ":" +
+ PORT_ErrorToString(code);
+}
+
+class TestAgent {
+ public:
+ TestAgent(const Config& cfg)
+ : cfg_(cfg),
+ pr_fd_(nullptr),
+ ssl_fd_(nullptr),
+ cert_(nullptr),
+ key_(nullptr) {}
+
+ ~TestAgent() {
+ if (pr_fd_) {
+ PR_Close(pr_fd_);
+ }
+
+ if (ssl_fd_) {
+ PR_Close(ssl_fd_);
+ }
+
+ if (key_) {
+ SECKEY_DestroyPrivateKey(key_);
+ }
+
+ if (cert_) {
+ CERT_DestroyCertificate(cert_);
+ }
+ }
+
+ static std::unique_ptr<TestAgent> Create(const Config& cfg) {
+ std::unique_ptr<TestAgent> agent(new TestAgent(cfg));
+
+ if (!agent->Init()) return nullptr;
+
+ return agent;
+ }
+
+ bool Init() {
+ if (!ConnectTcp()) {
+ return false;
+ }
+
+ if (!SetupKeys()) {
+ std::cerr << "Couldn't set up keys/certs\n";
+ return false;
+ }
+
+ if (!SetupOptions()) {
+ std::cerr << "Couldn't configure socket\n";
+ return false;
+ }
+
+ SECStatus rv = SSL_ResetHandshake(ssl_fd_, cfg_.get<bool>("server"));
+ if (rv != SECSuccess) return false;
+
+ return true;
+ }
+
+ bool ConnectTcp() {
+ PRStatus prv;
+ PRNetAddr addr;
+
+ prv = PR_StringToNetAddr("127.0.0.1", &addr);
+ if (prv != PR_SUCCESS) {
+ return false;
+ }
+ addr.inet.port = PR_htons(cfg_.get<int>("port"));
+
+ pr_fd_ = PR_OpenTCPSocket(addr.raw.family);
+ if (!pr_fd_) return false;
+
+ prv = PR_Connect(pr_fd_, &addr, PR_INTERVAL_NO_TIMEOUT);
+ if (prv != PR_SUCCESS) {
+ return false;
+ }
+
+ ssl_fd_ = SSL_ImportFD(NULL, pr_fd_);
+ if (!ssl_fd_) return false;
+ pr_fd_ = nullptr;
+
+ return true;
+ }
+
+ bool SetupKeys() {
+ SECStatus rv;
+
+ if (cfg_.get<std::string>("key-file") != "") {
+ key_ = ReadPrivateKey(cfg_.get<std::string>("key-file"));
+ if (!key_) {
+ // Temporary to handle our inability to handle ECDSA.
+ exitCodeUnimplemented = true;
+ return false;
+ }
+ }
+ if (cfg_.get<std::string>("cert-file") != "") {
+ cert_ = ReadCertificate(cfg_.get<std::string>("cert-file"));
+ if (!cert_) return false;
+ }
+ if (cfg_.get<bool>("server")) {
+ // Server
+ rv = SSL_ConfigServerCert(ssl_fd_, cert_, key_, nullptr, 0);
+ if (rv != SECSuccess) {
+ std::cerr << "Couldn't configure server cert\n";
+ return false;
+ }
+ } else {
+ // Client.
+
+ // Needed because server certs are not entirely valid.
+ rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
+ if (rv != SECSuccess) return false;
+
+ if (key_ && cert_) {
+ rv = SSL_GetClientAuthDataHook(ssl_fd_, GetClientAuthDataHook, this);
+ if (rv != SECSuccess) return false;
+ }
+ }
+
+ return true;
+ }
+
+ bool GetVersionRange(SSLVersionRange* range_out, SSLProtocolVariant variant) {
+ SSLVersionRange supported;
+ if (SSL_VersionRangeGetSupported(variant, &supported) != SECSuccess) {
+ return false;
+ }
+
+ auto max_allowed = static_cast<uint16_t>(cfg_.get<int>("max-version"));
+ if (variant == ssl_variant_datagram) {
+ // For DTLS this is the wire version; adjust if needed.
+ switch (max_allowed) {
+ case SSL_LIBRARY_VERSION_DTLS_1_0_WIRE:
+ max_allowed = SSL_LIBRARY_VERSION_DTLS_1_0;
+ break;
+ case SSL_LIBRARY_VERSION_DTLS_1_2_WIRE:
+ max_allowed = SSL_LIBRARY_VERSION_DTLS_1_2;
+ break;
+ case SSL_LIBRARY_VERSION_DTLS_1_3_WIRE:
+ max_allowed = SSL_LIBRARY_VERSION_DTLS_1_3;
+ break;
+ case 0xffff: // No maximum specified.
+ break;
+ default:
+ // Unrecognized DTLS version.
+ return false;
+ }
+ }
+
+ max_allowed = std::min(max_allowed, supported.max);
+
+ bool found_min = false;
+ bool found_max = false;
+ // Ignore -no-ssl3, because SSLv3 is never supported.
+ for (size_t i = 1; i < PR_ARRAY_SIZE(kVersionDisableFlags); ++i) {
+ auto version =
+ static_cast<uint16_t>(SSL_LIBRARY_VERSION_TLS_1_0 + (i - 1));
+ if (variant == ssl_variant_datagram) {
+ // In DTLS mode, the -no-tlsN flags refer to DTLS versions,
+ // but NSS wants the corresponding TLS versions.
+ if (version == SSL_LIBRARY_VERSION_TLS_1_1) {
+ // DTLS 1.1 doesn't exist.
+ continue;
+ }
+ if (version == SSL_LIBRARY_VERSION_TLS_1_0) {
+ version = SSL_LIBRARY_VERSION_DTLS_1_0;
+ }
+ }
+
+ if (version < supported.min) {
+ continue;
+ }
+ if (version > max_allowed) {
+ break;
+ }
+
+ const bool allowed = !cfg_.get<bool>(kVersionDisableFlags[i]);
+
+ if (!found_min && allowed) {
+ found_min = true;
+ range_out->min = version;
+ }
+ if (found_min && !found_max) {
+ if (allowed) {
+ range_out->max = version;
+ } else {
+ found_max = true;
+ }
+ }
+ if (found_max && allowed) {
+ // Discontiguous range.
+ return false;
+ }
+ }
+
+ // Iff found_min is still false, no usable version was found.
+ return found_min;
+ }
+
+ bool SetupOptions() {
+ SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
+ if (rv != SECSuccess) return false;
+
+ SSLVersionRange vrange;
+ if (!GetVersionRange(&vrange, ssl_variant_stream)) return false;
+
+ rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
+ if (rv != SECSuccess) return false;
+
+ rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE, false);
+ if (rv != SECSuccess) return false;
+
+ if (!cfg_.get<bool>("server")) {
+ // Needed to make resumption work.
+ rv = SSL_SetURL(ssl_fd_, "server");
+ if (rv != SECSuccess) return false;
+ }
+
+ rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
+ if (rv != SECSuccess) return false;
+
+ if (!EnableNonExportCiphers()) return false;
+
+ return true;
+ }
+
+ bool EnableNonExportCiphers() {
+ for (size_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
+ SSLCipherSuiteInfo csinfo;
+
+ SECStatus rv = SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i], &csinfo,
+ sizeof(csinfo));
+ if (rv != SECSuccess) {
+ return false;
+ }
+
+ rv = SSL_CipherPrefSet(ssl_fd_, SSL_ImplementedCiphers[i], PR_TRUE);
+ if (rv != SECSuccess) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ // Dummy auth certificate hook.
+ static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
+ PRBool checksig, PRBool isServer) {
+ return SECSuccess;
+ }
+
+ static SECStatus GetClientAuthDataHook(void* self, PRFileDesc* fd,
+ CERTDistNames* caNames,
+ CERTCertificate** cert,
+ SECKEYPrivateKey** privKey) {
+ TestAgent* a = static_cast<TestAgent*>(self);
+ *cert = CERT_DupCertificate(a->cert_);
+ *privKey = SECKEY_CopyPrivateKey(a->key_);
+ return SECSuccess;
+ }
+
+ SECStatus Handshake() { return SSL_ForceHandshake(ssl_fd_); }
+
+ // Implement a trivial echo client/server. Read bytes from the other side,
+ // flip all the bits, and send them back.
+ SECStatus ReadWrite() {
+ for (;;) {
+ uint8_t block[512];
+ int32_t rv = PR_Read(ssl_fd_, block, sizeof(block));
+ if (rv < 0) {
+ std::cerr << "Failure reading\n";
+ return SECFailure;
+ }
+ if (rv == 0) return SECSuccess;
+
+ int32_t len = rv;
+ for (int32_t i = 0; i < len; ++i) {
+ block[i] ^= 0xff;
+ }
+
+ rv = PR_Write(ssl_fd_, block, len);
+ if (rv != len) {
+ std::cerr << "Write failure\n";
+ return SECFailure;
+ }
+ }
+ return SECSuccess;
+ }
+
+ SECStatus DoExchange() {
+ SECStatus rv = Handshake();
+ if (rv != SECSuccess) {
+ PRErrorCode err = PR_GetError();
+ std::cerr << "Handshake failed with error=" << err << FormatError(err)
+ << std::endl;
+ return SECFailure;
+ }
+
+ rv = ReadWrite();
+ if (rv != SECSuccess) {
+ PRErrorCode err = PR_GetError();
+ std::cerr << "ReadWrite failed with error=" << FormatError(err)
+ << std::endl;
+ return SECFailure;
+ }
+
+ return SECSuccess;
+ }
+
+ private:
+ const Config& cfg_;
+ PRFileDesc* pr_fd_;
+ PRFileDesc* ssl_fd_;
+ CERTCertificate* cert_;
+ SECKEYPrivateKey* key_;
+};
+
+std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
+ std::unique_ptr<Config> cfg(new Config());
+
+ cfg->AddEntry<int>("port", 0);
+ cfg->AddEntry<bool>("server", false);
+ cfg->AddEntry<int>("resume-count", 0);
+ cfg->AddEntry<std::string>("key-file", "");
+ cfg->AddEntry<std::string>("cert-file", "");
+ cfg->AddEntry<int>("max-version", 0xffff);
+ for (auto flag : kVersionDisableFlags) {
+ cfg->AddEntry<bool>(flag, false);
+ }
+
+ auto rv = cfg->ParseArgs(argc, argv);
+ switch (rv) {
+ case Config::kOK:
+ break;
+ case Config::kUnknownFlag:
+ exitCodeUnimplemented = true;
+ default:
+ return nullptr;
+ }
+
+ // Needed to change to std::unique_ptr<const Config>
+ return std::move(cfg);
+}
+
+
+bool RunCycle(std::unique_ptr<const Config>& cfg) {
+ std::unique_ptr<TestAgent> agent(TestAgent::Create(*cfg));
+ return agent && agent->DoExchange() == SECSuccess;
+}
+
+int GetExitCode(bool success) {
+ if (exitCodeUnimplemented) {
+ return 89;
+ }
+
+ if (success) {
+ return 0;
+ }
+
+ return 1;
+}
+
+int main(int argc, char** argv) {
+ std::unique_ptr<const Config> cfg = ReadConfig(argc, argv);
+ if (!cfg) {
+ return GetExitCode(false);
+ }
+
+ if (cfg->get<bool>("server")) {
+ if (SSL_ConfigServerSessionIDCache(1024, 0, 0, ".") != SECSuccess) {
+ std::cerr << "Couldn't configure session cache\n";
+ return 1;
+ }
+ }
+
+ if (NSS_NoDB_Init(nullptr) != SECSuccess) {
+ return 1;
+ }
+
+ // Run a single test cycle.
+ bool success = RunCycle(cfg);
+
+ int resume_count = cfg->get<int>("resume-count");
+ while (success && resume_count-- > 0) {
+ std::cout << "Resuming" << std::endl;
+ success = RunCycle(cfg);
+ }
+
+ SSL_ClearSessionCache();
+
+ if (cfg->get<bool>("server")) {
+ SSL_ShutdownServerSessionIDCache();
+ }
+
+ if (NSS_Shutdown() != SECSuccess) {
+ success = false;
+ }
+
+ return GetExitCode(success);
+}
diff --git a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
new file mode 100644
index 000000000..f4f94e94b
--- /dev/null
+++ b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
@@ -0,0 +1,79 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../coreconf/config.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'nss_bogo_shim',
+ 'type': 'executable',
+ 'sources': [
+ 'config.cc',
+ 'nss_bogo_shim.cc',
+ 'nsskeys.cc'
+ ],
+ 'dependencies': [
+ '<(DEPTH)/exports.gyp:nss_exports',
+ '<(DEPTH)/lib/util/util.gyp:nssutil3',
+ '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3',
+ '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
+ '<(DEPTH)/lib/softoken/softoken.gyp:softokn',
+ '<(DEPTH)/lib/smime/smime.gyp:smime',
+ '<(DEPTH)/lib/ssl/ssl.gyp:ssl',
+ '<(DEPTH)/lib/nss/nss.gyp:nss_static',
+ '<(DEPTH)/cmd/lib/lib.gyp:sectool',
+ '<(DEPTH)/lib/pkcs12/pkcs12.gyp:pkcs12',
+ '<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7',
+ '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
+ '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
+ '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
+ '<(DEPTH)/lib/softoken/softoken.gyp:softokn',
+ '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
+ '<(DEPTH)/lib/pki/pki.gyp:nsspki',
+ '<(DEPTH)/lib/dev/dev.gyp:nssdev',
+ '<(DEPTH)/lib/base/base.gyp:nssb',
+ '<(DEPTH)/lib/freebl/freebl.gyp:freebl',
+ '<(DEPTH)/lib/nss/nss.gyp:nss_static',
+ '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
+ '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
+ '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib'
+ ],
+ 'conditions': [
+ [ 'disable_dbm==0', {
+ 'dependencies': [
+ '<(DEPTH)/lib/dbm/src/src.gyp:dbm',
+ ],
+ }],
+ [ 'disable_libpkix==0', {
+ 'dependencies': [
+ '<(DEPTH)/lib/libpkix/pkix/certsel/certsel.gyp:pkixcertsel',
+ '<(DEPTH)/lib/libpkix/pkix/checker/checker.gyp:pkixchecker',
+ '<(DEPTH)/lib/libpkix/pkix/crlsel/crlsel.gyp:pkixcrlsel',
+ '<(DEPTH)/lib/libpkix/pkix/params/params.gyp:pkixparams',
+ '<(DEPTH)/lib/libpkix/pkix/results/results.gyp:pkixresults',
+ '<(DEPTH)/lib/libpkix/pkix/store/store.gyp:pkixstore',
+ '<(DEPTH)/lib/libpkix/pkix/top/top.gyp:pkixtop',
+ '<(DEPTH)/lib/libpkix/pkix/util/util.gyp:pkixutil',
+ '<(DEPTH)/lib/libpkix/pkix_pl_nss/system/system.gyp:pkixsystem',
+ '<(DEPTH)/lib/libpkix/pkix_pl_nss/module/module.gyp:pkixmodule',
+ '<(DEPTH)/lib/libpkix/pkix_pl_nss/pki/pki.gyp:pkixpki',
+ ],
+ }],
+ ],
+ }
+ ],
+ 'target_defaults': {
+ 'defines': [
+ 'NSS_USE_STATIC_LIBS'
+ ],
+ 'include_dirs': [
+ '../../lib/ssl'
+ ],
+ },
+ 'variables': {
+ 'module': 'nss',
+ 'use_static_libs': 1
+ }
+}
diff --git a/security/nss/gtests/nss_bogo_shim/nsskeys.cc b/security/nss/gtests/nss_bogo_shim/nsskeys.cc
new file mode 100644
index 000000000..1b5e15bee
--- /dev/null
+++ b/security/nss/gtests/nss_bogo_shim/nsskeys.cc
@@ -0,0 +1,84 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsskeys.h"
+
+#include <cstring>
+
+#include <fstream>
+#include <iostream>
+#include <string>
+
+#include "cert.h"
+#include "keyhi.h"
+#include "nspr.h"
+#include "nss.h"
+#include "nssb64.h"
+#include "pk11pub.h"
+
+const std::string kPEMBegin = "-----BEGIN ";
+const std::string kPEMEnd = "-----END ";
+
+// Read a PEM file, base64 decode it, and return the result.
+static bool ReadPEMFile(const std::string& filename, SECItem* item) {
+ std::ifstream in(filename);
+ if (in.bad()) return false;
+
+ char buf[1024];
+ in.getline(buf, sizeof(buf));
+ if (in.bad()) return false;
+
+ if (strncmp(buf, kPEMBegin.c_str(), kPEMBegin.size())) return false;
+
+ std::string value = "";
+ for (;;) {
+ in.getline(buf, sizeof(buf));
+ if (in.bad()) return false;
+
+ if (!strncmp(buf, kPEMEnd.c_str(), kPEMEnd.size())) break;
+
+ value += buf;
+ }
+
+ // Now we have a base64-encoded block.
+ if (!NSSBase64_DecodeBuffer(nullptr, item, value.c_str(), value.size()))
+ return false;
+
+ return true;
+}
+
+SECKEYPrivateKey* ReadPrivateKey(const std::string& file) {
+ SECItem item = {siBuffer, nullptr, 0};
+
+ if (!ReadPEMFile(file, &item)) return nullptr;
+ SECKEYPrivateKey* privkey = NULL;
+ PK11SlotInfo* slot = PK11_GetInternalSlot();
+ SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
+ slot, &item, nullptr, nullptr, PR_FALSE, PR_FALSE,
+ KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT | KU_DIGITAL_SIGNATURE,
+ &privkey, nullptr);
+ PK11_FreeSlot(slot);
+ SECITEM_FreeItem(&item, PR_FALSE);
+ if (rv != SECSuccess) {
+ // This is probably due to this being an ECDSA key (Bug 1295121).
+ std::cerr << "Couldn't import key " << PORT_ErrorToString(PORT_GetError())
+ << "\n";
+ return nullptr;
+ }
+
+ return privkey;
+}
+
+CERTCertificate* ReadCertificate(const std::string& file) {
+ SECItem item = {siBuffer, nullptr, 0};
+
+ if (!ReadPEMFile(file, &item)) return nullptr;
+
+ CERTCertificate* cert = CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &item, NULL, PR_FALSE, PR_TRUE);
+ SECITEM_FreeItem(&item, PR_FALSE);
+ return cert;
+}
diff --git a/security/nss/gtests/nss_bogo_shim/nsskeys.h b/security/nss/gtests/nss_bogo_shim/nsskeys.h
new file mode 100644
index 000000000..45e56c353
--- /dev/null
+++ b/security/nss/gtests/nss_bogo_shim/nsskeys.h
@@ -0,0 +1,20 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Utilities to pull in OpenSSL-formatted keys.
+
+#ifndef nsskeys_h_
+#define nsskeys_h_
+
+#include "cert.h"
+#include "keyhi.h"
+
+#include <string>
+
+SECKEYPrivateKey* ReadPrivateKey(const std::string& file);
+CERTCertificate* ReadCertificate(const std::string& file);
+
+#endif