summaryrefslogtreecommitdiffstats
path: root/security/nss/tests
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-12-15 01:42:53 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-12-15 01:42:53 +0100
commit74cabf7948b2597f5b6a67d6910c844fd1a88ff6 (patch)
treedb1f30ada487c3831ea8e4e98b2d39edc9e88eea /security/nss/tests
parent09ef48bd005a7f9e97a3fe797a079fcf2b5e58d3 (diff)
downloadUXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar
UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.gz
UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.lz
UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.xz
UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.zip
Update NSS to 3.41
Diffstat (limited to 'security/nss/tests')
-rwxr-xr-xsecurity/nss/tests/all.sh7
-rwxr-xr-xsecurity/nss/tests/bogo/bogo.sh8
-rw-r--r--security/nss/tests/cert/TestUser-rsa-pss-interop.p12bin0 -> 2598 bytes
-rwxr-xr-xsecurity/nss/tests/cert/cert.sh103
-rwxr-xr-xsecurity/nss/tests/chains/chains.sh26
-rw-r--r--security/nss/tests/chains/scenarios/ipsec.cfg61
-rw-r--r--security/nss/tests/chains/scenarios/realcerts.cfg2
-rw-r--r--security/nss/tests/chains/scenarios/scenarios1
-rw-r--r--security/nss/tests/common/certsetup.sh57
-rw-r--r--security/nss/tests/common/init.sh44
-rw-r--r--security/nss/tests/interop/interop.sh44
-rw-r--r--security/nss/tests/libpkix/certs/PayPalEE.certbin1376 -> 2012 bytes
-rw-r--r--security/nss/tests/libpkix/certs/PayPalICA.certbin1205 -> 1210 bytes
-rw-r--r--security/nss/tests/libpkix/vfychain_test.lst2
-rw-r--r--security/nss/tests/policy/crypto-policy.txt19
-rw-r--r--security/nss/tests/policy/policy.sh58
-rwxr-xr-xsecurity/nss/tests/ssl/ssl.sh291
-rw-r--r--security/nss/tests/ssl/sslcov.txt5
-rw-r--r--security/nss/tests/ssl/sslstress.txt7
-rwxr-xr-xsecurity/nss/tests/ssl_gtests/ssl_gtests.sh56
-rw-r--r--security/nss/tests/tlsfuzzer/config.json.in166
-rw-r--r--security/nss/tests/tlsfuzzer/tlsfuzzer.sh110
22 files changed, 872 insertions, 195 deletions
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh
index f8a777fb3..5ad0b522e 100755
--- a/security/nss/tests/all.sh
+++ b/security/nss/tests/all.sh
@@ -37,10 +37,13 @@
# memleak.sh - memory leak testing (optional)
# ssl_gtests.sh- Gtest based unit tests for ssl
# gtests.sh - Gtest based unit tests for everything else
+# policy.sh - Crypto Policy tests
# bogo.sh - Bogo interop tests (disabled by default)
# https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md
# interop.sh - Interoperability tests (disabled by default)
# https://github.com/ekr/tls_interop
+# tlsfuzzer.sh - tlsfuzzer interop tests (disabled by default)
+# https://github.com/tomato42/tlsfuzzer/
#
# NSS testing is now devided to 4 cycles:
# ---------------------------------------
@@ -300,7 +303,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then
RUN_FIPS="fips"
fi
-tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
+tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy"
# Don't run chains tests when we have a gyp build.
if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then
tests="$tests chains"
@@ -315,7 +318,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then
fi
NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"
-nss_ssl_run="cov auth stapling stress"
+nss_ssl_run="cov auth stapling signed_cert_timestamps stress scheme"
NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"
# NOTE:
diff --git a/security/nss/tests/bogo/bogo.sh b/security/nss/tests/bogo/bogo.sh
index 4fccb845b..e3e9c32df 100755
--- a/security/nss/tests/bogo/bogo.sh
+++ b/security/nss/tests/bogo/bogo.sh
@@ -25,7 +25,7 @@ bogo_init()
BORING=${BORING:=boringssl}
if [ ! -d "$BORING" ]; then
git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
- git -C "$BORING" checkout -q ec55dc15d3a39e5f1a58bfd79148729f38f6acb4
+ git -C "$BORING" checkout -q 7f4f41fa81c03e0f8ef1ab5b3d1d566b5968f107
fi
SCRIPTNAME="bogo.sh"
@@ -39,9 +39,9 @@ bogo_cleanup()
. common/cleanup.sh
}
-cd ../
-cwd=$(cd $(dirname $0); pwd -P)
-SOURCE_DIR="$cwd"/..
+cd "$(dirname "$0")"
+cwd=$(pwd -P)
+SOURCE_DIR="$(cd "$cwd"/../..; pwd -P)"
bogo_init
(cd "$BORING"/ssl/test/runner;
GOPATH="$cwd" go test -pipe -shim-path "${BINDIR}"/nss_bogo_shim \
diff --git a/security/nss/tests/cert/TestUser-rsa-pss-interop.p12 b/security/nss/tests/cert/TestUser-rsa-pss-interop.p12
new file mode 100644
index 000000000..f0e8d24d6
--- /dev/null
+++ b/security/nss/tests/cert/TestUser-rsa-pss-interop.p12
Binary files differ
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index 34006efd1..b74de9be5 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -448,6 +448,27 @@ cert_add_cert()
fi
cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
+ echo "Importing RSA-PSS server certificate"
+ pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR}
+ # Let's get the key ID of the imported private key.
+ KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+ grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'`
+
+ CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request"
+ NEWSERIAL=`expr ${CERTSERIAL} + 30000`
+ certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's RSA-PSS Cert -t u,u,u"
+ certu -A -n "$CERTNAME-rsa-pss" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}-rsa-pss.cert" 2>&1
+ cert_log "SUCCESS: $CERTNAME's RSA-PSS Cert Created"
+
return 0
}
@@ -2103,6 +2124,23 @@ cert_test_implicit_db_init()
certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
}
+cert_test_token_uri()
+{
+ echo "$SCRIPTNAME: specify token with PKCS#11 URI"
+
+ CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'`
+ BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'`
+
+ CU_ACTION="List keys in NSS Certificate DB"
+ certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI}
+
+ # This token shouldn't have any keys
+ CU_ACTION="List keys in NSS Builtin Objects"
+ RETEXPECTED=255
+ certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI}
+ RETEXPECTED=0
+}
+
check_sign_algo()
{
certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
@@ -2475,6 +2513,29 @@ EOF
RETEXPECTED=0
}
+cert_test_orphan_key_delete()
+{
+ CU_ACTION="Create orphan key in serverdir"
+ certu -G -k ec -q nistp256 -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
+ # Let's get the key ID of the first orphan key.
+ # The output of certutil -K (list keys) isn't well formatted.
+ # The initial <key-number> part may or may not contain white space, which
+ # makes the use of awk to filter the column unreliable.
+ # To fix that, we remove the initial <number> field using sed, then select the
+ # column that contains the key ID.
+ ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+ sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
+ CU_ACTION="Delete orphan key"
+ certu -F -f "${R_PWFILE}" -k ${ORPHAN} -d ${PROFILEDIR}
+ # Ensure that the key is removed
+ certu -K -f "${R_PWFILE}" -d ${PROFILEDIR} | grep ${ORPHAN}
+ RET=$?
+ if [ "$RET" -eq 0 ]; then
+ html_failed "Deleting orphan key ($RET)"
+ cert_log "ERROR: Deleting orphan key failed $RET"
+ fi
+}
+
cert_test_orphan_key_reuse()
{
CU_ACTION="Create orphan key in serverdir"
@@ -2500,6 +2561,43 @@ cert_test_orphan_key_reuse()
fi
}
+cert_test_rsapss_policy()
+{
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ CERTNAME="TestUser-rsa-pss-policy"
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1)
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}"
+
+ CU_ACTION="Verify $CERTNAME's Cert with Policy"
+ cp ${PROFILEDIR}/pkcs11.txt pkcs11.txt.orig
+ cat >> ${PROFILEDIR}/pkcs11.txt << ++EOF++
+library=
+name=Policy
+config="disallow=SHA1"
+++EOF++
+ RETEXPECTED=255
+ certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ RETEXPECTED=0
+ cp pkcs11.txt.orig ${PROFILEDIR}/pkcs11.txt
+}
+
############################## cert_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
@@ -2519,6 +2617,7 @@ cert_all_CA
cert_test_implicit_db_init
cert_extended_ssl
cert_ssl
+cert_test_orphan_key_delete
cert_test_orphan_key_reuse
cert_smime_client
IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
@@ -2534,6 +2633,10 @@ cert_test_password
cert_test_distrust
cert_test_ocspresp
cert_test_rsapss
+if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+ cert_test_rsapss_policy
+fi
+cert_test_token_uri
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
cert_crl_ssl
diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh
index 4c3fa57a0..32c7ef54c 100755
--- a/security/nss/tests/chains/chains.sh
+++ b/security/nss/tests/chains/chains.sh
@@ -51,13 +51,13 @@ is_httpserv_alive()
wait_for_httpserv()
{
echo "trying to connect to httpserv at `date`"
- echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
- ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+ echo "tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+ ${BINDIR}/tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
if [ $? -ne 0 ]; then
sleep 5
echo "retrying to connect to httpserv at `date`"
- echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
- ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+ echo "tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+ ${BINDIR}/tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
if [ $? -ne 0 ]; then
html_failed "Waiting for Server"
fi
@@ -352,6 +352,12 @@ create_cert_req()
-1
y
"
+ else
+ CA_FLAG="-2"
+ EXT_DATA="n
+-1
+y
+"
fi
process_crldp
@@ -974,8 +980,8 @@ check_ocsp()
OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
- echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
- tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
+ echo "tstclnt -4 -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
+ tstclnt -4 -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
return $?
}
@@ -1258,6 +1264,12 @@ process_scenario()
rm ${AIA_FILES}
}
+# process ipsec.cfg separately
+chains_ipsec()
+{
+ process_scenario "ipsec.cfg"
+}
+
# process ocspd.cfg separately
chains_ocspd()
{
@@ -1279,6 +1291,7 @@ chains_main()
do
[ `echo ${LINE} | cut -b 1` != "#" ] || continue
+ [ ${LINE} != 'ipsec.cfg' ] || continue
[ ${LINE} != 'ocspd.cfg' ] || continue
[ ${LINE} != 'method.cfg' ] || continue
@@ -1292,6 +1305,7 @@ chains_init
VERIFY_CLASSIC_ENGINE_TOO=
chains_ocspd
VERIFY_CLASSIC_ENGINE_TOO=1
+chains_ipsec
chains_run_httpserv get
chains_method
chains_stop_httpserv
diff --git a/security/nss/tests/chains/scenarios/ipsec.cfg b/security/nss/tests/chains/scenarios/ipsec.cfg
new file mode 100644
index 000000000..811bf9c09
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ipsec.cfg
@@ -0,0 +1,61 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario IPsec
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+
+entity NoKU
+ type EE
+ issuer CA1
+
+entity DigSig
+ type EE
+ issuer CA1
+ ku digitalSignature
+
+entity NonRep
+ type EE
+ issuer CA1
+ ku nonRepudiation
+
+entity DigSigNonRepAndExtra
+ type EE
+ issuer CA1
+ ku digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+
+entity NoMatch
+ type EE
+ issuer CA1
+ ku keyEncipherment,dataEncipherment,keyAgreement
+
+db All
+
+import Root::C,,
+import CA1:Root:
+
+verify NoKU:CA1
+ usage 12
+ result pass
+
+verify DigSig:CA1
+ usage 12
+ result pass
+
+verify NonRep:CA1
+ usage 12
+ result pass
+
+verify DigSigNonRepAndExtra:CA1
+ usage 12
+ result pass
+
+verify NoMatch:CA1
+ usage 12
+ result fail
diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg
index d2a8c7143..305443fc3 100644
--- a/security/nss/tests/chains/scenarios/realcerts.cfg
+++ b/security/nss/tests/chains/scenarios/realcerts.cfg
@@ -21,7 +21,7 @@ verify TestUser51:x
result pass
verify PayPalEE:x
- policy OID.2.16.840.1.114412.1.1
+ policy OID.2.16.840.1.114412.2.1
result pass
verify BrAirWaysBadSig:x
diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios
index d26c3f92e..4eafd9c8d 100644
--- a/security/nss/tests/chains/scenarios/scenarios
+++ b/security/nss/tests/chains/scenarios/scenarios
@@ -22,3 +22,4 @@ ocsp.cfg
crldp.cfg
trustanchors.cfg
nameconstraints.cfg
+ipsec.cfg
diff --git a/security/nss/tests/common/certsetup.sh b/security/nss/tests/common/certsetup.sh
new file mode 100644
index 000000000..2b5cef840
--- /dev/null
+++ b/security/nss/tests/common/certsetup.sh
@@ -0,0 +1,57 @@
+# Generate input to certutil
+certscript() {
+ ca=n
+ while [ $# -gt 0 ]; do
+ case $1 in
+ sign) echo 0 ;;
+ kex) echo 2 ;;
+ ca) echo 5;echo 6;ca=y ;;
+ esac; shift
+ done;
+ echo 9
+ echo n
+ echo $ca
+ echo
+ echo n
+}
+
+# $1: name
+# $2: type
+# $3+: usages: sign or kex
+make_cert() {
+ name=$1
+ type=$2
+
+ # defaults
+ type_args=()
+ trust=',,'
+ sign=(-x)
+ sighash=(-Z SHA256)
+
+ case $type in
+ dsa) type_args=(-g 1024) ;;
+ rsa) type_args=(-g 1024) ;;
+ rsa2048) type_args=(-g 2048);type=rsa ;;
+ rsa8192) type_args=(-g 8192);type=rsa ;;
+ rsapss) type_args=(-g 1024 --pss);type=rsa ;;
+ rsapss384) type_args=(-g 1024 --pss);type=rsa;sighash=(-Z SHA384) ;;
+ rsapss512) type_args=(-g 2048 --pss);type=rsa;sighash=(-Z SHA512) ;;
+ rsapss_noparam) type_args=(-g 2048 --pss);type=rsa;sighash=() ;;
+ p256) type_args=(-q nistp256);type=ec ;;
+ p384) type_args=(-q secp384r1);type=ec ;;
+ p521) type_args=(-q secp521r1);type=ec ;;
+ rsa_ca) type_args=(-g 1024);trust='CT,CT,CT';type=rsa ;;
+ rsa_chain) type_args=(-g 1024);sign=(-c rsa_ca);type=rsa;;
+ rsapss_ca) type_args=(-g 1024 --pss);trust='CT,CT,CT';type=rsa ;;
+ rsapss_chain) type_args=(-g 1024);sign=(-c rsa_pss_ca);type=rsa;;
+ rsa_ca_rsapss_chain) type_args=(-g 1024 --pss-sign);sign=(-c rsa_ca);type=rsa;;
+ ecdh_rsa) type_args=(-q nistp256);sign=(-c rsa_ca);type=ec ;;
+ esac
+ shift 2
+ counter=$(($counter + 1))
+ certscript $@ | ${BINDIR}/certutil -S \
+ -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
+ -n $name -s "CN=$name" -t "$trust" "${sign[@]}" -m "$counter" \
+ -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2
+ html_msg $? 0 "create certificate: $@"
+}
diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh
index 6aa22af8d..2896f1321 100644
--- a/security/nss/tests/common/init.sh
+++ b/security/nss/tests/common/init.sh
@@ -356,40 +356,34 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
#HOST and DOMSUF are needed for the server cert
- DOMAINNAME=`which domainname`
- if [ -z "${DOMSUF}" -a $? -eq 0 -a -n "${DOMAINNAME}" ]; then
+ if [ -z "$DOMSUF" ] && hash domainname 2>/dev/null; then
DOMSUF=`domainname`
fi
+ # hostname -d and domainname both return (none) if hostname doesn't
+ # include a dot. Pretend we didn't get an answer.
+ if [ "$DOMSUF" = "(none)" ]; then
+ DOMSUF=
+ fi
- case $HOST in
+ if [ -z "$HOST" ]; then
+ HOST=`uname -n`
+ fi
+ case "$HOST" in
*\.*)
- if [ -z "${DOMSUF}" ]; then
- DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
+ if [ -z "$DOMSUF" ]; then
+ DOMSUF="${HOST#*.}"
fi
- HOST=`echo $HOST | sed -e "s/\..*//"`
+ HOST="${HOST%%.*}"
;;
?*)
;;
*)
- HOST=`uname -n`
- case $HOST in
- *\.*)
- if [ -z "${DOMSUF}" ]; then
- DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
- fi
- HOST=`echo $HOST | sed -e "s/\..*//"`
- ;;
- ?*)
- ;;
- *)
- echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
- exit 1 #does not need to be Exit, very early in script
- ;;
- esac
+ echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
+ exit 1 #does not need to be Exit, very early in script
;;
esac
- if [ -z "${DOMSUF}" -a "${OS_ARCH}" != "Android" ]; then
+ if [ -z "$DOMSUF" -a "$OS_ARCH" != "Android" ]; then
echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined."
exit 1 #does not need to be Exit, very early in script
fi
@@ -397,8 +391,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
#HOSTADDR was a workaround for the dist. stress test, and is probably
#not needed anymore (purpose: be able to use IP address for the server
#cert instead of PC name which was not in the DNS because of dyn IP address
- if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then
- if [ -z "${DOMSUF}" ]; then
+ if [ "$USE_IP" != "TRUE" ] ; then
+ if [ -z "$DOMSUF" ]; then
HOSTADDR=${HOST}
else
HOSTADDR=${HOST}.${DOMSUF}
@@ -595,7 +589,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}"
- P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
+ P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
fi
R_PWFILE=../tests.pw
diff --git a/security/nss/tests/interop/interop.sh b/security/nss/tests/interop/interop.sh
index 50c8bb3c1..18737c726 100644
--- a/security/nss/tests/interop/interop.sh
+++ b/security/nss/tests/interop/interop.sh
@@ -24,8 +24,8 @@ interop_init()
cd "${HOSTDIR}/interop"
INTEROP=${INTEROP:=tls_interop}
if [ ! -d "$INTEROP" ]; then
- git clone -q https://github.com/ttaubert/tls-interop "$INTEROP"
- git -C "$INTEROP" checkout -q d07b28ac32b390dea1c9bcca5c56716247d23e5e
+ git clone -q https://github.com/mozilla/tls-interop "$INTEROP"
+ git -C "$INTEROP" checkout -q c00685aa953c49f1e844e614746aadc783e81b19
fi
INTEROP=$(cd "$INTEROP";pwd -P)
@@ -33,9 +33,34 @@ interop_init()
BORING=${BORING:=boringssl}
if [ ! -d "$BORING" ]; then
git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
- git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
+ git -C "$BORING" checkout -q 7f4f41fa81c03e0f8ef1ab5b3d1d566b5968f107
fi
BORING=$(cd "$BORING";pwd -P)
+ mkdir "$BORING/build"
+ cd "$BORING/build"
+
+ # Build boring explicitly with gcc because it fails on builds where
+ # CC=clang-5.0, for example on asan-builds.
+ export CC=gcc
+ cmake ..
+ make -j$(nproc)
+
+ # Check out and build OpenSSL.
+ # Build with "enable-external-tests" to include the shim in the build.
+ cd "${HOSTDIR}"
+ OSSL=${OSSL:=openssl}
+ if [ ! -d "$OSSL" ]; then
+ git clone -q https://github.com/openssl/openssl.git "$OSSL"
+ git -C "$OSSL" checkout -q 7d38ca3f8bca58bf7b69e78c1f1ab69e5f429dff
+ fi
+ OSSL=$(cd "$OSSL";pwd -P)
+ cd "$OSSL"
+ ./config enable-external-tests
+ make -j$(nproc)
+
+ #Some filenames in the OpenSSL repository contain "core".
+ #This prevents false positive "core file detected" errors.
+ detect_core
SCRIPTNAME="interop.sh"
html_head "interop test"
@@ -56,21 +81,26 @@ interop_run()
server=$3
(cd "$INTEROP";
- cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log
+ cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json $4 $5 ) 2>interop-${test_name}.errors | tee interop-${test_name}.log
RESULT=${PIPESTATUS[0]}
- html_msg "${RESULT}" 0 "Interop" "Run successfully"
+ html_msg "${RESULT}" 0 "Interop ${test_name}" "Run successfully"
if [ $RESULT -ne 0 ]; then
cat interop-${test_name}.errors
cat interop-${test_name}.log
fi
grep -i 'FAILED\|Assertion failure' interop-${test_name}.errors
- html_msg $? 1 "Interop" "No failures"
+ html_msg $? 1 "Interop ${test_name}" "No failures"
}
cd "$(dirname "$0")"
-SOURCE_DIR="$PWD"/../..
interop_init
NSS_SHIM="$BINDIR"/nss_bogo_shim
BORING_SHIM="$BORING"/build/ssl/test/bssl_shim
+OSSL_SHIM="$OSSL"/test/ossl_shim/ossl_shim
+export LD_LIBRARY_PATH="$LD_LIBRARY_PATH":"$OSSL"
interop_run "nss_nss" ${NSS_SHIM} ${NSS_SHIM}
+interop_run "bssl_nss" ${BORING_SHIM} ${NSS_SHIM}
+interop_run "nss_bssl" ${NSS_SHIM} ${BORING_SHIM} "--client-writes-first"
+interop_run "ossl_nss" ${OSSL_SHIM} ${NSS_SHIM} "--force-IPv4"
+interop_run "nss_ossl" ${NSS_SHIM} ${OSSL_SHIM} "--client-writes-first" "--force-IPv4"
interop_cleanup
diff --git a/security/nss/tests/libpkix/certs/PayPalEE.cert b/security/nss/tests/libpkix/certs/PayPalEE.cert
index d71fbb501..aef408676 100644
--- a/security/nss/tests/libpkix/certs/PayPalEE.cert
+++ b/security/nss/tests/libpkix/certs/PayPalEE.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/PayPalICA.cert b/security/nss/tests/libpkix/certs/PayPalICA.cert
index 07e025def..dd14c1b21 100644
--- a/security/nss/tests/libpkix/certs/PayPalICA.cert
+++ b/security/nss/tests/libpkix/certs/PayPalICA.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/vfychain_test.lst b/security/nss/tests/libpkix/vfychain_test.lst
index 78d6185c3..624c6466d 100644
--- a/security/nss/tests/libpkix/vfychain_test.lst
+++ b/security/nss/tests/libpkix/vfychain_test.lst
@@ -1,4 +1,4 @@
# Status | Leaf Cert | Policies | Others(undef)
0 TestUser50 undef
0 TestUser51 undef
-0 PayPalEE OID.2.16.840.1.114412.1.1
+0 PayPalEE OID.2.16.840.1.114412.2.1
diff --git a/security/nss/tests/policy/crypto-policy.txt b/security/nss/tests/policy/crypto-policy.txt
new file mode 100644
index 000000000..9a8c0cd1b
--- /dev/null
+++ b/security/nss/tests/policy/crypto-policy.txt
@@ -0,0 +1,19 @@
+# col 1: expected return value of nss-policy-check
+# col 2: policy config statement, using _ instead of space
+# col 3: an extended regular expression, expected to match the output
+# col 4: description of the test
+#
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
+0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
+2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
+2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
+2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
+1 disallow=all NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all
+1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes
+1 disallow=ALL_allow=tls-version-min=0:tls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS All TLS versions disabled
+1 disallow=ALL_allow=dtls-version-min=0:dtls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS All DTLS versions disabled
+1 disallow=ALL_allow=tls-version-min=tls1.2:tls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS Invalid range of TLS versions
+1 disallow=ALL_allow=dtls-version-min=tls1.2:dtls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS Invalid range of DTLS versions
+1 disallow=ALL_allow=tls-version-min=tls1.1:tls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-TLS-VERSIONS Valid range of TLS versions
+1 disallow=ALL_allow=dtls-version-min=tls1.1:dtls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-DTLS-VERSIONS Valid range of DTLS versions
diff --git a/security/nss/tests/policy/policy.sh b/security/nss/tests/policy/policy.sh
new file mode 100644
index 000000000..228c982a5
--- /dev/null
+++ b/security/nss/tests/policy/policy.sh
@@ -0,0 +1,58 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/policy/policy.sh
+#
+# Script to test NSS crypto policy code
+#
+########################################################################
+
+ignore_blank_lines()
+{
+ LC_ALL=C grep -v '^[[:space:]]*\(#\|$\)' "$1"
+}
+
+policy_run_tests()
+{
+ html_head "CRYPTO-POLICY"
+
+ POLICY_INPUT=${QADIR}/policy/crypto-policy.txt
+
+ ignore_blank_lines ${POLICY_INPUT} | \
+ while read value policy match testname
+ do
+ echo "$SCRIPTNAME: running \"$testname\" ----------------------------"
+ policy=`echo ${policy} | sed -e 's;_; ;g'`
+ match=`echo ${match} | sed -e 's;_; ;g'`
+ POLICY_FILE="${TMP}/nss-policy"
+
+ echo "$SCRIPTNAME: policy: \"$policy\""
+
+ cat > "$POLICY_FILE" << ++EOF++
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+++EOF++
+ echo "config=\"${policy}\"" >> "$POLICY_FILE"
+ echo "" >> "$POLICY_FILE"
+
+ nss-policy-check "$POLICY_FILE" >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+
+ html_msg $ret $value "\"${testname}\"" \
+ "produced a returncode of $ret, expected is $value"
+
+ egrep "${match}" ${TMP}/$HOST.tmp.$$
+ ret=$?
+ html_msg $ret 0 "\"${testname}\" output is expected to match \"${match}\""
+
+ done
+}
+
+policy_run_tests
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
index 9a63bd997..c1730d8d7 100755
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -64,9 +64,9 @@ ssl_init()
PORT=$(($PORT + $padd))
fi
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
- nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls"
+ nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls scheme"
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
-
+
# Test case files
SSLCOV=${QADIR}/ssl/sslcov.txt
SSLAUTH=${QADIR}/ssl/sslauth.txt
@@ -210,24 +210,28 @@ start_selfserv()
if [ -n "$testname" ] ; then
echo "$SCRIPTNAME: $testname ----"
fi
- sparam=`echo $sparam | sed -e 's;_; ;g'`
- if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
+ if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
else
ECC_OPTIONS=""
fi
+ if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then
+ RSA_OPTIONS="-n ${HOSTADDR}"
+ else
+ RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss"
+ fi
echo "selfserv starting at `date`"
- echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
- echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
+ echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\"
+ echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\"
echo " -V ssl3:tls1.2 $verbose -H 1 &"
if [ ${fileout} -eq 1 ]; then
- ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
> ${SERVEROUTFILE} 2>&1 &
RET=$?
else
- ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
RET=$?
fi
@@ -270,9 +274,8 @@ ssl_cov()
html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname=""
- sparam="$CIPHER_SUITES"
- start_selfserv # Launch the server
+ start_selfserv $CIPHER_SUITES # Launch the server
VMIN="ssl3"
VMAX="tls1.1"
@@ -283,6 +286,13 @@ ssl_cov()
echo "${testname}" | grep "EXPORT" > /dev/null
EXP=$?
+ # RSA-PSS tests are handled in a separate function
+ case $testname in
+ *RSA-PSS)
+ continue
+ ;;
+ esac
+
echo "$SCRIPTNAME: running $testname ----------------------------"
VMAX="ssl3"
if [ "$testmax" = "TLS10" ]; then
@@ -313,6 +323,58 @@ ssl_cov()
html "</TABLE><BR>"
}
+ssl_cov_rsa_pss()
+{
+ #verbose="-v"
+ html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname=""
+
+ if [ "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT"
+ return 0
+ fi
+
+ RSA_PSS_CERT=1
+ NO_ECC_CERTS=1
+ start_selfserv $CIPHER_SUITES
+ RSA_PSS_CERT=0
+ NO_ECC_CERTS=0
+
+ VMIN="tls1.2"
+ VMAX="tls1.2"
+
+ ignore_blank_lines ${SSLCOV} | \
+ while read ectype testmax param testname
+ do
+ case $testname in
+ *RSA-PSS)
+ ;;
+ *)
+ continue
+ ;;
+ esac
+
+ echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------"
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ html_msg $ret 0 "${testname}" \
+ "produced a returncode of $ret, expected is 0"
+ done
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
############################## ssl_auth ################################
# local shell function to perform SSL Client Authentication tests
########################################################################
@@ -337,7 +399,7 @@ ssl_auth()
cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
fi
- start_selfserv
+ start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
echo " ${cparam} < ${REQUEST_FILE}"
@@ -370,15 +432,15 @@ ssl_stapling_sub()
value=$3
if [ "$NORM_EXT" = "Extended Test" ] ; then
- # these tests use the ext_client directory for tstclnt,
- # which doesn't contain the required "TestCA" for server cert
- # verification, I don't know if it would be OK to add it...
- echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- return 0
+ # these tests use the ext_client directory for tstclnt,
+ # which doesn't contain the required "TestCA" for server cert
+ # verification, I don't know if it would be OK to add it...
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ return 0
fi
if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
- return 0
+ return 0
fi
SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
@@ -395,8 +457,8 @@ ssl_stapling_sub()
echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
- -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
- >${TMP}/$HOST.tmp.$$ 2>&1
+ -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
cat ${TMP}/$HOST.tmp.$$
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
@@ -405,7 +467,7 @@ ssl_stapling_sub()
# (see commands in ssl_auth
html_msg $ret $value "${testname}" \
- "produced a returncode of $ret, expected is $value"
+ "produced a returncode of $ret, expected is $value"
kill_selfserv
SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
@@ -419,15 +481,15 @@ ssl_stapling_stress()
value=0
if [ "$NORM_EXT" = "Extended Test" ] ; then
- # these tests use the ext_client directory for tstclnt,
- # which doesn't contain the required "TestCA" for server cert
- # verification, I don't know if it would be OK to add it...
- echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- return 0
+ # these tests use the ext_client directory for tstclnt,
+ # which doesn't contain the required "TestCA" for server cert
+ # verification, I don't know if it would be OK to add it...
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ return 0
fi
if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
- return 0
+ return 0
fi
SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
@@ -443,13 +505,13 @@ ssl_stapling_stress()
echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}"
echo "strsclnt started at `date`"
${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
- -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
+ -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
ret=$?
echo "strsclnt completed at `date`"
html_msg $ret $value \
- "${testname}" \
- "produced a returncode of $ret, expected is $value."
+ "${testname}" \
+ "produced a returncode of $ret, expected is $value."
kill_selfserv
SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
@@ -556,7 +618,7 @@ ssl_stress()
sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
fi
- start_selfserv
+ start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
if [ "`uname -n`" = "sjsu" ] ; then
echo "debugging disapering selfserv... ps -ef | grep selfserv"
@@ -610,56 +672,56 @@ ssl_crl_ssl()
if [ "$ectype" = "SNI" ]; then
continue
else
- servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
- pwd=`echo $cparam | grep nss`
- user=`echo $cparam | grep TestUser`
- _cparam=$cparam
- case $servarg in
- 1) if [ -z "$pwd" -o -z "$user" ]; then
+ servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+ pwd=`echo $cparam | grep nss`
+ user=`echo $cparam | grep TestUser`
+ _cparam=$cparam
+ case $servarg in
+ 1) if [ -z "$pwd" -o -z "$user" ]; then
rev_modvalue=0
else
- rev_modvalue=254
+ rev_modvalue=254
fi
;;
- 2) rev_modvalue=254 ;;
- 3) if [ -z "$pwd" -o -z "$user" ]; then
- rev_modvalue=0
- else
- rev_modvalue=1
- fi
- ;;
- 4) rev_modvalue=1 ;;
- esac
- TEMP_NUM=0
- while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
- do
- CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
- TEMP_NUM=`expr $TEMP_NUM + 1`
- USER_NICKNAME="TestUser${CURR_SER_NUM}"
- cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
- start_selfserv
-
- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
- echo " ${cparam} < ${REQUEST_FILE}"
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
- -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
- >${TMP}/$HOST.tmp.$$ 2>&1
- ret=$?
- cat ${TMP}/$HOST.tmp.$$
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
- modvalue=$rev_modvalue
+ 2) rev_modvalue=254 ;;
+ 3) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=1
+ fi
+ ;;
+ 4) rev_modvalue=1 ;;
+ esac
+ TEMP_NUM=0
+ while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
+ do
+ CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
+ TEMP_NUM=`expr $TEMP_NUM + 1`
+ USER_NICKNAME="TestUser${CURR_SER_NUM}"
+ cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
+ modvalue=$rev_modvalue
testAddMsg="revoked"
- else
+ else
testAddMsg="not revoked"
- modvalue=$value
- fi
+ modvalue=$value
+ fi
- html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
- "produced a returncode of $ret, expected is $modvalue"
- kill_selfserv
- done
+ html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ kill_selfserv
+ done
fi
done
@@ -702,7 +764,6 @@ ssl_policy()
html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname=""
- sparam="$CIPHER_SUITES"
if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized"
@@ -712,7 +773,7 @@ ssl_policy()
echo "Saving pkcs11.txt"
cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
- start_selfserv # Launch the server
+ start_selfserv $CIPHER_SUITES
ignore_blank_lines ${SSLPOLICY} | \
while read value ectype testmax param policy testname
@@ -775,7 +836,6 @@ ssl_policy_listsuites()
html_head "SSL POLICY LISTSUITES $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname=""
- sparam="$CIPHER_SUITES"
if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized"
@@ -815,7 +875,6 @@ ssl_policy_selfserv()
html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname=""
- sparam="$CIPHER_SUITES"
if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
@@ -828,7 +887,7 @@ ssl_policy_selfserv()
# Disallow RSA in key exchange explicitly
setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR}
- start_selfserv # Launch the server
+ start_selfserv $CIPHER_SUITES
VMIN="ssl3"
VMAX="tls1.2"
@@ -956,7 +1015,7 @@ _EOF_REQUEST_
-p ../tests.pw.928
ret=$?
if [ "$ret" -eq 0 ]; then
- html_passed "${CU_ACTION}"
+ html_passed "${CU_ACTION}"
return 1
fi
start_selfserv
@@ -984,8 +1043,7 @@ ssl_crl_cache()
echo $?
while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
do
- sparam=$SERV_ARG
- start_selfserv
+ start_selfserv `echo $SERV_ARG | sed -e 's,_, ,g'`
exec < ${SSLAUTH_TMP}
while read ectype value sparam cparam testname
do
@@ -1013,7 +1071,7 @@ ssl_crl_cache()
fi
;;
4) rev_modvalue=1 ;;
- esac
+ esac
TEMP_NUM=0
LOADED_GRP=1
while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
@@ -1030,7 +1088,7 @@ ssl_crl_cache()
echo " ${cparam} < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
- -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+ -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
cat ${TMP}/$HOST.tmp.$$
@@ -1069,7 +1127,7 @@ ssl_crl_cache()
# Restart selfserv to roll back to two initial group 1 crls
# TestCA CRL and TestCA-ec CRL
kill_selfserv
- start_selfserv
+ start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
fi
done
kill_selfserv
@@ -1106,22 +1164,66 @@ ssl_dtls()
-d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} 2>&1 &
PID=$!
-
+
sleep 1
-
+
echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
echo " -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE}"
${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
- -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1
+ -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1
ret=$?
html_msg $ret $value "${testname}" \
"produced a returncode of $ret, expected is $value"
kill ${PID}
-
+
html "</TABLE><BR>"
}
+############################ ssl_scheme ###################################
+# local shell function to test tstclnt and selfserv handling of signature schemes
+#########################################################################
+ssl_scheme()
+{
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ NO_ECC_CERTS=1
+ schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256")
+ for sscheme in "${schemes[@]}"; do
+ for cscheme in "${schemes[@]}"; do
+ testname="ssl_scheme server='$sscheme' client='$cscheme'"
+ echo "${testname}"
+
+ start_selfserv -V tls1.2:tls1.2 -J "$sscheme"
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -V tls1.2:tls1.2 -J "$cscheme" < ${REQUEST_FILE}"
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" < ${REQUEST_FILE} 2>&1
+ ret=$?
+ # If both schemes include just one option and those options don't
+ # match, then the test should fail; otherwise, assume that it works.
+ if [ "${cscheme#*,}" = "$cscheme" -a \
+ "${sscheme#*,}" = "$sscheme" -a \
+ "$cscheme" != "$sscheme" ]; then
+ expected=254
+ else
+ expected=0
+ fi
+ html_msg $ret $expected "${testname}" \
+ "produced a returncode of $ret, expected is $expected"
+ kill_selfserv
+ done
+ done
+ NO_ECC_CERTS=0
+
+ html "</TABLE><BR>"
+}
############################## ssl_cleanup #############################
# local shell function to finish this script (no exit since it might be
@@ -1152,6 +1254,7 @@ ssl_run()
;;
"cov")
ssl_cov
+ ssl_cov_rsa_pss
;;
"auth")
ssl_auth
@@ -1162,6 +1265,9 @@ ssl_run()
"dtls")
ssl_dtls
;;
+ "scheme")
+ ssl_scheme
+ ;;
esac
done
}
@@ -1182,9 +1288,9 @@ ssl_run_all()
# in FIPS mode, so cope with that. Note there's also semicolon in here
# but it doesn't need escaping/quoting; the shell copes.
if [ "${CLIENT_MODE}" = "fips" ]; then
- USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser"
+ USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser"
else
- USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser"
+ USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser"
fi
NORM_EXT=""
cd ${CLIENTDIR}
@@ -1346,4 +1452,3 @@ ssl_run_tests()
ssl_init
ssl_run_tests
ssl_cleanup
-
diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt
index 1eb7f47de..93f247b96 100644
--- a/security/nss/tests/ssl/sslcov.txt
+++ b/security/nss/tests/ssl/sslcov.txt
@@ -141,3 +141,8 @@
ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+#
+# Test against server with RSA-PSS server certificate
+#
+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - RSA-PSS
+ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - RSA-PSS
diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt
index a87eedad7..44794f10f 100644
--- a/security/nss/tests/ssl/sslstress.txt
+++ b/security/nss/tests/ssl/sslstress.txt
@@ -12,9 +12,6 @@
noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
noECC 0 -u -V_ssl3:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
- noECC 0 -z -V_ssl3:tls1.2_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
- noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
- noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
#
@@ -24,10 +21,6 @@
noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth, no login)
noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
noECC 0 -r_-r_-u -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
- noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
- noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
- noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
- noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh
index eef77f16f..6c088d8a6 100755
--- a/security/nss/tests/ssl_gtests/ssl_gtests.sh
+++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh
@@ -19,55 +19,6 @@
#
########################################################################
-# Generate input to certutil
-certscript() {
- ca=n
- while [ $# -gt 0 ]; do
- case $1 in
- sign) echo 0 ;;
- kex) echo 2 ;;
- ca) echo 5;echo 6;ca=y ;;
- esac; shift
- done;
- echo 9
- echo n
- echo $ca
- echo
- echo n
-}
-
-# $1: name
-# $2: type
-# $3+: usages: sign or kex
-make_cert() {
- name=$1
- type=$2
- unset type_args trust sign
- case $type in
- dsa) type_args='-g 1024' ;;
- rsa) type_args='-g 1024' ;;
- rsa2048) type_args='-g 2048';type=rsa ;;
- rsa8192) type_args='-g 8192';type=rsa ;;
- rsapss) type_args='-g 1024 --pss';type=rsa ;;
- p256) type_args='-q nistp256';type=ec ;;
- p384) type_args='-q secp384r1';type=ec ;;
- p521) type_args='-q secp521r1';type=ec ;;
- rsa_ca) type_args='-g 1024';trust='CT,CT,CT';type=rsa ;;
- rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;;
- rsapss_ca) type_args='-g 1024 --pss';trust='CT,CT,CT';type=rsa ;;
- rsapss_chain) type_args='-g 1024';sign='-c rsa_pss_ca';type=rsa;;
- rsa_ca_rsapss_chain) type_args='-g 1024 --pss-sign';sign='-c rsa_ca';type=rsa;;
- ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;;
- esac
- shift 2
- counter=$(($counter + 1))
- certscript $@ | ${BINDIR}/certutil -S \
- -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
- -n $name -s "CN=$name" -t ${trust:-,,} ${sign:--x} -m $counter \
- -w -2 -v 120 -k $type $type_args -Z SHA256 -1 -2
- html_msg $? 0 "create certificate: $@"
-}
-
ssl_gtest_certs() {
mkdir -p "${SSLGTESTDIR}"
cd "${SSLGTESTDIR}"
@@ -80,6 +31,10 @@ ssl_gtest_certs() {
${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
html_msg $? 0 "create ssl_gtest database"
+ pushd "${QADIR}"
+ . common/certsetup.sh
+ popd
+
counter=0
make_cert client rsa sign
make_cert rsa rsa sign kex
@@ -87,6 +42,9 @@ ssl_gtest_certs() {
make_cert rsa8192 rsa8192 sign kex
make_cert rsa_sign rsa sign
make_cert rsa_pss rsapss sign
+ make_cert rsa_pss384 rsapss384 sign
+ make_cert rsa_pss512 rsapss512 sign
+ make_cert rsa_pss_noparam rsapss_noparam sign
make_cert rsa_decrypt rsa kex
make_cert ecdsa256 p256 sign
make_cert ecdsa384 p384 sign
diff --git a/security/nss/tests/tlsfuzzer/config.json.in b/security/nss/tests/tlsfuzzer/config.json.in
new file mode 100644
index 000000000..051bae2be
--- /dev/null
+++ b/security/nss/tests/tlsfuzzer/config.json.in
@@ -0,0 +1,166 @@
+[
+ {
+ "server_command": [
+ "@SELFSERV@", "-w", "nss", "-d", "@SERVERDIR@",
+ "-V", "tls1.0:", "-H", "1",
+ "-n", "rsa",
+ "-n", "rsa-pss",
+ "-J", "rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,rsa_pss_pss_sha256",
+ "-u", "-Z", "-p", "@PORT@"
+ ],
+ "server_hostname": "@HOSTADDR@",
+ "server_port": @PORT@,
+ "tests" : [
+ {
+ "name" : "test-tls13-conversation.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-tls13-count-tickets.py",
+ "arguments": [
+ "-p", "@PORT@", "-t", "1"
+ ]
+ },
+ {
+ "name" : "test-tls13-dhe-shared-secret-padding.py",
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1305243",
+ "arguments": [
+ "-p", "@PORT@",
+ "-e", "TLS 1.3 with x448"
+ ]
+ },
+ {
+ "name" : "test-tls13-empty-alert.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ],
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1471656",
+ "exp_pass": false
+ },
+ {
+ "name" : "test-tls13-ffdhe-sanity.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-tls13-finished.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ],
+ "comment" : "https://bugzilla.mozilla.org/show_bug.cgi?id=1472747",
+ "exp_pass": false
+ },
+ {
+ "name" : "test-tls13-0rtt-garbage.py",
+ "comment": "the disabled test timeouts because of https://bugzilla.mozilla.org/show_bug.cgi?id=1472747",
+ "arguments": [
+ "-p", "@PORT@", "--cookie",
+ "-e", "undecryptable record later in handshake together with early_data"
+ ]
+ },
+ {
+ "name" : "test-tls13-hrr.py",
+ "arguments": [
+ "-p", "@PORT@", "--cookie"
+ ]
+ },
+ {
+ "name" : "test-tls13-legacy-version.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ],
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1490006",
+ "exp_pass": false
+ },
+ {
+ "name" : "test-tls13-nociphers.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-tls13-pkcs-signature.py",
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1489997",
+ "arguments": [
+ "-p", "@PORT@",
+ "-e", "rsa_pkcs1_sha256 signature",
+ "-e", "rsa_pkcs1_sha384 signature",
+ "-e", "rsa_pkcs1_sha512 signature"
+ ]
+ },
+ {
+ "name" : "test-tls13-rsa-signatures.py",
+ "comment": "selfserv can be set up to use multiple certs, but only one for each auth type",
+ "arguments": [
+ "-p", "@PORT@", "-b",
+ "-e", "tls13 signature rsa_pss_pss_sha384",
+ "-e", "tls13 signature rsa_pss_pss_sha512"
+ ]
+ },
+ {
+ "name" : "test-tls13-rsapss-signatures.py",
+ "comment": "selfserv can be set up to use multiple certs, but only one to each auth type",
+ "arguments": [
+ "-p", "@PORT@", "-b",
+ "-e", "tls13 signature rsa_pss_pss_sha384",
+ "-e", "tls13 signature rsa_pss_pss_sha512"
+ ]
+ },
+ {
+ "name" : "test-tls13-record-padding.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-tls13-session-resumption.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-tls13-signature-algorithms.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ],
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1482386",
+ "exp_pass": false
+ },
+ {
+ "name" : "test-tls13-unrecognised-groups.py",
+ "arguments": [
+ "-p", "@PORT@", "--cookie"
+ ]
+ },
+ {
+ "name" : "test-tls13-version-negotiation.py",
+ "comment": "the disabled test timeouts because of https://github.com/tomato42/tlsfuzzer/issues/452",
+ "arguments": [
+ "-p", "@PORT@",
+ "-e", "SSL 2.0 ClientHello with TLS 1.3 version and TLS 1.3 only ciphersuites"
+ ]
+ },
+ {
+ "name" : "test-tls13-zero-length-data.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-dhe-no-shared-secret-padding.py",
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1494221 and SSLv3 cannot be enabled in server",
+ "arguments": [
+ "-p", "@PORT@",
+ "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 2) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 3) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 0)"
+ ]
+ }
+ ]
+ }
+]
diff --git a/security/nss/tests/tlsfuzzer/tlsfuzzer.sh b/security/nss/tests/tlsfuzzer/tlsfuzzer.sh
new file mode 100644
index 000000000..ecc146c24
--- /dev/null
+++ b/security/nss/tests/tlsfuzzer/tlsfuzzer.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/tlsfuzzer/tlsfuzzer.sh
+#
+# Script to drive the ssl tlsfuzzer interop unit tests
+#
+########################################################################
+
+tlsfuzzer_certs()
+{
+ PROFILEDIR=`pwd`
+
+ ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
+ html_msg $? 0 "create tlsfuzzer database"
+
+ pushd "${QADIR}"
+ . common/certsetup.sh
+ popd
+
+ counter=0
+ make_cert rsa rsa2048 sign kex
+ make_cert rsa-pss rsapss sign kex
+}
+
+tlsfuzzer_init()
+{
+ SCRIPTNAME="tlsfuzzer.sh"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ mkdir -p "${HOSTDIR}/tlsfuzzer"
+ pushd "${HOSTDIR}/tlsfuzzer"
+ tlsfuzzer_certs
+
+ TLSFUZZER=${TLSFUZZER:=tlsfuzzer}
+ if [ ! -d "$TLSFUZZER" ]; then
+ # Can't use git-copy.sh here, as tlsfuzzer doesn't have any tags
+ git clone -q https://github.com/tomato42/tlsfuzzer/ "$TLSFUZZER"
+ git -C "$TLSFUZZER" checkout a40ce4085052a4da9a05f9149b835a76c194a0c6
+
+ # We could use tlslite-ng from pip, but the pip command installed
+ # on TC is too old to support --pre
+ ${QADIR}/../fuzz/config/git-copy.sh https://github.com/tomato42/tlslite-ng/ v0.8.0-alpha18 tlslite-ng
+
+ pushd "$TLSFUZZER"
+ ln -s ../tlslite-ng/tlslite tlslite
+ popd
+
+ # Install tlslite-ng dependencies
+ ${QADIR}/../fuzz/config/git-copy.sh https://github.com/warner/python-ecdsa master python-ecdsa
+ ${QADIR}/../fuzz/config/git-copy.sh https://github.com/benjaminp/six master six
+
+ pushd "$TLSFUZZER"
+ ln -s ../python-ecdsa/src/ecdsa ecdsa
+ ln -s ../six/six.py .
+ popd
+ fi
+
+ # Find usable port
+ PORT=${PORT-8443}
+ while true; do
+ "${BINDIR}/selfserv" -w nss -d "${HOSTDIR}/tlsfuzzer" -n rsa \
+ -p "${PORT}" -i selfserv.pid &
+ [ -f selfserv.pid ] || sleep 5
+ if [ -f selfserv.pid ]; then
+ kill $(cat selfserv.pid)
+ wait $(cat selfserv.pid)
+ rm -f selfserv.pid
+ break
+ fi
+ PORT=$(($PORT + 1))
+ done
+
+ sed -e "s|@PORT@|${PORT}|g" \
+ -e "s|@SELFSERV@|${BINDIR}/selfserv|g" \
+ -e "s|@SERVERDIR@|${HOSTDIR}/tlsfuzzer|g" \
+ -e "s|@HOSTADDR@|${HOSTADDR}|g" \
+ ${QADIR}/tlsfuzzer/config.json.in > ${TLSFUZZER}/config.json
+ popd
+
+ SCRIPTNAME="tlsfuzzer.sh"
+ html_head "tlsfuzzer test"
+}
+
+tlsfuzzer_cleanup()
+{
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+tlsfuzzer_run_tests()
+{
+ pushd "${HOSTDIR}/tlsfuzzer/${TLSFUZZER}"
+ PYTHONPATH=. python tests/scripts_retention.py config.json "${BINDIR}/selfserv"
+ html_msg $? 0 "tlsfuzzer" "Run successfully"
+ popd
+}
+
+cd "$(dirname "$0")"
+tlsfuzzer_init
+tlsfuzzer_run_tests
+tlsfuzzer_cleanup