diff options
| author | wolfbeast <mcwerewolf@gmail.com> | 2018-12-15 01:42:53 +0100 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@gmail.com> | 2018-12-15 01:42:53 +0100 |
| commit | 74cabf7948b2597f5b6a67d6910c844fd1a88ff6 (patch) | |
| tree | db1f30ada487c3831ea8e4e98b2d39edc9e88eea /security/nss/tests/ssl | |
| parent | 09ef48bd005a7f9e97a3fe797a079fcf2b5e58d3 (diff) | |
| download | UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.gz UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.lz UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.xz UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.zip | |
Update NSS to 3.41
Diffstat (limited to 'security/nss/tests/ssl')
| -rwxr-xr-x | security/nss/tests/ssl/ssl.sh | 291 | ||||
| -rw-r--r-- | security/nss/tests/ssl/sslcov.txt | 5 | ||||
| -rw-r--r-- | security/nss/tests/ssl/sslstress.txt | 7 |
3 files changed, 203 insertions, 100 deletions
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh index 9a63bd997..c1730d8d7 100755 --- a/security/nss/tests/ssl/ssl.sh +++ b/security/nss/tests/ssl/ssl.sh @@ -64,9 +64,9 @@ ssl_init() PORT=$(($PORT + $padd)) fi NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} - nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls" + nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls scheme" NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} - + # Test case files SSLCOV=${QADIR}/ssl/sslcov.txt SSLAUTH=${QADIR}/ssl/sslauth.txt @@ -210,24 +210,28 @@ start_selfserv() if [ -n "$testname" ] ; then echo "$SCRIPTNAME: $testname ----" fi - sparam=`echo $sparam | sed -e 's;_; ;g'` - if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then + if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec" else ECC_OPTIONS="" fi + if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then + RSA_OPTIONS="-n ${HOSTADDR}" + else + RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss" + fi echo "selfserv starting at `date`" - echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" - echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\" + echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\" + echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\" echo " -V ssl3:tls1.2 $verbose -H 1 &" if [ ${fileout} -eq 1 ]; then - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \ + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \ > ${SERVEROUTFILE} 2>&1 & RET=$? else - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 & + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 & RET=$? fi @@ -270,9 +274,8 @@ ssl_cov() html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" testname="" - sparam="$CIPHER_SUITES" - start_selfserv # Launch the server + start_selfserv $CIPHER_SUITES # Launch the server VMIN="ssl3" VMAX="tls1.1" @@ -283,6 +286,13 @@ ssl_cov() echo "${testname}" | grep "EXPORT" > /dev/null EXP=$? + # RSA-PSS tests are handled in a separate function + case $testname in + *RSA-PSS) + continue + ;; + esac + echo "$SCRIPTNAME: running $testname ----------------------------" VMAX="ssl3" if [ "$testmax" = "TLS10" ]; then @@ -313,6 +323,58 @@ ssl_cov() html "</TABLE><BR>" } +ssl_cov_rsa_pss() +{ + #verbose="-v" + html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + + if [ "$NORM_EXT" = "Extended Test" ] ; then + echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT" + return 0 + fi + + RSA_PSS_CERT=1 + NO_ECC_CERTS=1 + start_selfserv $CIPHER_SUITES + RSA_PSS_CERT=0 + NO_ECC_CERTS=0 + + VMIN="tls1.2" + VMAX="tls1.2" + + ignore_blank_lines ${SSLCOV} | \ + while read ectype testmax param testname + do + case $testname in + *RSA-PSS) + ;; + *) + continue + ;; + esac + + echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------" + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + html_msg $ret 0 "${testname}" \ + "produced a returncode of $ret, expected is 0" + done + + kill_selfserv + html "</TABLE><BR>" +} + ############################## ssl_auth ################################ # local shell function to perform SSL Client Authentication tests ######################################################################## @@ -337,7 +399,7 @@ ssl_auth() cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` fi - start_selfserv + start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" echo " ${cparam} < ${REQUEST_FILE}" @@ -370,15 +432,15 @@ ssl_stapling_sub() value=$3 if [ "$NORM_EXT" = "Extended Test" ] ; then - # these tests use the ext_client directory for tstclnt, - # which doesn't contain the required "TestCA" for server cert - # verification, I don't know if it would be OK to add it... - echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - return 0 + # these tests use the ext_client directory for tstclnt, + # which doesn't contain the required "TestCA" for server cert + # verification, I don't know if it would be OK to add it... + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + return 0 fi if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" - return 0 + return 0 fi SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} @@ -395,8 +457,8 @@ ssl_stapling_sub() echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 + -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? cat ${TMP}/$HOST.tmp.$$ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null @@ -405,7 +467,7 @@ ssl_stapling_sub() # (see commands in ssl_auth html_msg $ret $value "${testname}" \ - "produced a returncode of $ret, expected is $value" + "produced a returncode of $ret, expected is $value" kill_selfserv SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} @@ -419,15 +481,15 @@ ssl_stapling_stress() value=0 if [ "$NORM_EXT" = "Extended Test" ] ; then - # these tests use the ext_client directory for tstclnt, - # which doesn't contain the required "TestCA" for server cert - # verification, I don't know if it would be OK to add it... - echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - return 0 + # these tests use the ext_client directory for tstclnt, + # which doesn't contain the required "TestCA" for server cert + # verification, I don't know if it would be OK to add it... + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + return 0 fi if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" - return 0 + return 0 fi SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} @@ -443,13 +505,13 @@ ssl_stapling_stress() echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}" echo "strsclnt started at `date`" ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \ - -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR} + -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR} ret=$? echo "strsclnt completed at `date`" html_msg $ret $value \ - "${testname}" \ - "produced a returncode of $ret, expected is $value." + "${testname}" \ + "produced a returncode of $ret, expected is $value." kill_selfserv SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} @@ -556,7 +618,7 @@ ssl_stress() sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` fi - start_selfserv + start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` if [ "`uname -n`" = "sjsu" ] ; then echo "debugging disapering selfserv... ps -ef | grep selfserv" @@ -610,56 +672,56 @@ ssl_crl_ssl() if [ "$ectype" = "SNI" ]; then continue else - servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` - pwd=`echo $cparam | grep nss` - user=`echo $cparam | grep TestUser` - _cparam=$cparam - case $servarg in - 1) if [ -z "$pwd" -o -z "$user" ]; then + servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` + pwd=`echo $cparam | grep nss` + user=`echo $cparam | grep TestUser` + _cparam=$cparam + case $servarg in + 1) if [ -z "$pwd" -o -z "$user" ]; then rev_modvalue=0 else - rev_modvalue=254 + rev_modvalue=254 fi ;; - 2) rev_modvalue=254 ;; - 3) if [ -z "$pwd" -o -z "$user" ]; then - rev_modvalue=0 - else - rev_modvalue=1 - fi - ;; - 4) rev_modvalue=1 ;; - esac - TEMP_NUM=0 - while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ] - do - CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}` - TEMP_NUM=`expr $TEMP_NUM + 1` - USER_NICKNAME="TestUser${CURR_SER_NUM}" - cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` - start_selfserv - - echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" - echo " ${cparam} < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ - -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? - cat ${TMP}/$HOST.tmp.$$ - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then - modvalue=$rev_modvalue + 2) rev_modvalue=254 ;; + 3) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=1 + fi + ;; + 4) rev_modvalue=1 ;; + esac + TEMP_NUM=0 + while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ] + do + CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}` + TEMP_NUM=`expr $TEMP_NUM + 1` + USER_NICKNAME="TestUser${CURR_SER_NUM}" + cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` + start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then + modvalue=$rev_modvalue testAddMsg="revoked" - else + else testAddMsg="not revoked" - modvalue=$value - fi + modvalue=$value + fi - html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \ - "produced a returncode of $ret, expected is $modvalue" - kill_selfserv - done + html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + kill_selfserv + done fi done @@ -702,7 +764,6 @@ ssl_policy() html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" testname="" - sparam="$CIPHER_SUITES" if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized" @@ -712,7 +773,7 @@ ssl_policy() echo "Saving pkcs11.txt" cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav - start_selfserv # Launch the server + start_selfserv $CIPHER_SUITES ignore_blank_lines ${SSLPOLICY} | \ while read value ectype testmax param policy testname @@ -775,7 +836,6 @@ ssl_policy_listsuites() html_head "SSL POLICY LISTSUITES $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" testname="" - sparam="$CIPHER_SUITES" if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized" @@ -815,7 +875,6 @@ ssl_policy_selfserv() html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" testname="" - sparam="$CIPHER_SUITES" if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" @@ -828,7 +887,7 @@ ssl_policy_selfserv() # Disallow RSA in key exchange explicitly setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR} - start_selfserv # Launch the server + start_selfserv $CIPHER_SUITES VMIN="ssl3" VMAX="tls1.2" @@ -956,7 +1015,7 @@ _EOF_REQUEST_ -p ../tests.pw.928 ret=$? if [ "$ret" -eq 0 ]; then - html_passed "${CU_ACTION}" + html_passed "${CU_ACTION}" return 1 fi start_selfserv @@ -984,8 +1043,7 @@ ssl_crl_cache() echo $? while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ] do - sparam=$SERV_ARG - start_selfserv + start_selfserv `echo $SERV_ARG | sed -e 's,_, ,g'` exec < ${SSLAUTH_TMP} while read ectype value sparam cparam testname do @@ -1013,7 +1071,7 @@ ssl_crl_cache() fi ;; 4) rev_modvalue=1 ;; - esac + esac TEMP_NUM=0 LOADED_GRP=1 while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] @@ -1030,7 +1088,7 @@ ssl_crl_cache() echo " ${cparam} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ - -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ + -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? cat ${TMP}/$HOST.tmp.$$ @@ -1069,7 +1127,7 @@ ssl_crl_cache() # Restart selfserv to roll back to two initial group 1 crls # TestCA CRL and TestCA-ec CRL kill_selfserv - start_selfserv + start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` fi done kill_selfserv @@ -1106,22 +1164,66 @@ ssl_dtls() -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} 2>&1 & PID=$! - + sleep 1 - + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" echo " -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE}" ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1 + -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1 ret=$? html_msg $ret $value "${testname}" \ "produced a returncode of $ret, expected is $value" kill ${PID} - + html "</TABLE><BR>" } +############################ ssl_scheme ################################### +# local shell function to test tstclnt and selfserv handling of signature schemes +######################################################################### +ssl_scheme() +{ + if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + return 0 + fi + + html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + NO_ECC_CERTS=1 + schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256") + for sscheme in "${schemes[@]}"; do + for cscheme in "${schemes[@]}"; do + testname="ssl_scheme server='$sscheme' client='$cscheme'" + echo "${testname}" + + start_selfserv -V tls1.2:tls1.2 -J "$sscheme" + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -V tls1.2:tls1.2 -J "$cscheme" < ${REQUEST_FILE}" + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" < ${REQUEST_FILE} 2>&1 + ret=$? + # If both schemes include just one option and those options don't + # match, then the test should fail; otherwise, assume that it works. + if [ "${cscheme#*,}" = "$cscheme" -a \ + "${sscheme#*,}" = "$sscheme" -a \ + "$cscheme" != "$sscheme" ]; then + expected=254 + else + expected=0 + fi + html_msg $ret $expected "${testname}" \ + "produced a returncode of $ret, expected is $expected" + kill_selfserv + done + done + NO_ECC_CERTS=0 + + html "</TABLE><BR>" +} ############################## ssl_cleanup ############################# # local shell function to finish this script (no exit since it might be @@ -1152,6 +1254,7 @@ ssl_run() ;; "cov") ssl_cov + ssl_cov_rsa_pss ;; "auth") ssl_auth @@ -1162,6 +1265,9 @@ ssl_run() "dtls") ssl_dtls ;; + "scheme") + ssl_scheme + ;; esac done } @@ -1182,9 +1288,9 @@ ssl_run_all() # in FIPS mode, so cope with that. Note there's also semicolon in here # but it doesn't need escaping/quoting; the shell copes. if [ "${CLIENT_MODE}" = "fips" ]; then - USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser" + USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser" else - USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser" + USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser" fi NORM_EXT="" cd ${CLIENTDIR} @@ -1346,4 +1452,3 @@ ssl_run_tests() ssl_init ssl_run_tests ssl_cleanup - diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt index 1eb7f47de..93f247b96 100644 --- a/security/nss/tests/ssl/sslcov.txt +++ b/security/nss/tests/ssl/sslcov.txt @@ -141,3 +141,8 @@ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +# +# Test against server with RSA-PSS server certificate +# + ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - RSA-PSS + ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - RSA-PSS diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt index a87eedad7..44794f10f 100644 --- a/security/nss/tests/ssl/sslstress.txt +++ b/security/nss/tests/ssl/sslstress.txt @@ -12,9 +12,6 @@ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) noECC 0 -u -V_ssl3:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) - noECC 0 -z -V_ssl3:tls1.2_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) - noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) - noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) # @@ -24,10 +21,6 @@ noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth, no login) noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) noECC 0 -r_-r_-u -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) - noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) - noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) - noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) - noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) |