summaryrefslogtreecommitdiffstats
path: root/security/nss/tests
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/tests')
-rwxr-xr-xsecurity/nss/tests/all.sh9
-rwxr-xr-xsecurity/nss/tests/bogo/bogo.sh5
-rwxr-xr-xsecurity/nss/tests/common/cleanup.sh3
-rw-r--r--security/nss/tests/common/init.sh6
-rw-r--r--security/nss/tests/common/parsegtestreport.sed1
-rwxr-xr-xsecurity/nss/tests/gtests/gtests.sh8
-rw-r--r--security/nss/tests/interop/interop.sh70
-rwxr-xr-xsecurity/nss/tests/ssl/ssl.sh14
-rwxr-xr-xsecurity/nss/tests/ssl_gtests/ssl_gtests.sh105
-rw-r--r--security/nss/tests/tools/tools.sh64
10 files changed, 234 insertions, 51 deletions
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh
index 8305e6766..833817f4a 100755
--- a/security/nss/tests/all.sh
+++ b/security/nss/tests/all.sh
@@ -39,6 +39,8 @@
# gtests.sh - Gtest based unit tests for everything else
# bogo.sh - Bogo interop tests (disabled by default)
# https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md
+# interop.sh - Interoperability tests (disabled by default)
+# https://github.com/ekr/tls_interop
#
# NSS testing is now devided to 4 cycles:
# ---------------------------------------
@@ -60,7 +62,6 @@
# -------------------------------------------------------
# BUILT_OPT - use optimized/debug build
# USE_64 - use 64bit/32bit build
-# USE_ASAN - use Address Sanitizer build
#
# Optional environment variables to enable specific NSS features:
# ---------------------------------------------------------------
@@ -272,7 +273,11 @@ run_cycles()
cycles="standard pkix upgradedb sharedb"
CYCLES=${NSS_CYCLES:-$cycles}
-tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
+# Don't run chains tests when we have a gyp build.
+if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then
+ tests="$tests chains"
+fi
TESTS=${NSS_TESTS:-$tests}
ALL_TESTS=${TESTS}
diff --git a/security/nss/tests/bogo/bogo.sh b/security/nss/tests/bogo/bogo.sh
index 7503d230e..26dfb0abb 100755
--- a/security/nss/tests/bogo/bogo.sh
+++ b/security/nss/tests/bogo/bogo.sh
@@ -25,7 +25,7 @@ bogo_init()
BORING=${BORING:=boringssl}
if [ ! -d "$BORING" ]; then
git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
- git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
+ git -C "$BORING" checkout -q bbfe603519bc54fbc4c8dd87efe1ed385df550b4
fi
SCRIPTNAME="bogo.sh"
@@ -39,9 +39,6 @@ bogo_cleanup()
. common/cleanup.sh
}
-# Need to add go to the PATH.
-export PATH=$PATH:/usr/lib/go-1.6/bin
-
cd "$(dirname "$0")"
SOURCE_DIR="$PWD"/../..
bogo_init
diff --git a/security/nss/tests/common/cleanup.sh b/security/nss/tests/common/cleanup.sh
index 40d8bc40f..40885bc79 100755
--- a/security/nss/tests/common/cleanup.sh
+++ b/security/nss/tests/common/cleanup.sh
@@ -27,6 +27,9 @@ if [ -z "${CLEANUP}" -o "${CLEANUP}" = "${SCRIPTNAME}" ]; then
echo "NSS_AIA_OCSP=${NSS_AIA_OCSP}"
echo "IOPR_HOSTADDR_LIST=${IOPR_HOSTADDR_LIST}"
echo "PKITS_DATA=${PKITS_DATA}"
+ echo "NSS_DISABLE_HW_AES=${NSS_DISABLE_HW_AES}"
+ echo "NSS_DISABLE_PCLMUL=${NSS_DISABLE_PCLMUL}"
+ echo "NSS_DISABLE_AVX=${NSS_DISABLE_AVX}"
echo
echo "Tests summary:"
echo "--------------"
diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh
index 3598e8223..caf3013e6 100644
--- a/security/nss/tests/common/init.sh
+++ b/security/nss/tests/common/init.sh
@@ -180,9 +180,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
}
increase_msg_id()
{
- MSG_ID=`cat ${MSG_ID_FILE}`
- MSG_ID=`expr ${MSG_ID} + 1`
- echo ${MSG_ID} > ${MSG_ID_FILE}
+ MSG_ID=$(( ${MSG_ID} + 1 ))
}
html_passed_ignore_core()
{
@@ -645,9 +643,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
NSS_DEFAULT_DB_TYPE="dbm"
export NSS_DEFAULT_DB_TYPE
- MSG_ID_FILE="${HOSTDIR}/id"
MSG_ID=0
- echo ${MSG_ID} > ${MSG_ID_FILE}
#################################################
# Interoperability testing constatnts
diff --git a/security/nss/tests/common/parsegtestreport.sed b/security/nss/tests/common/parsegtestreport.sed
index d7c6ddada..11bd1d6af 100644
--- a/security/nss/tests/common/parsegtestreport.sed
+++ b/security/nss/tests/common/parsegtestreport.sed
@@ -6,3 +6,4 @@
}
d
: end
+s/"/"/g
diff --git a/security/nss/tests/gtests/gtests.sh b/security/nss/tests/gtests/gtests.sh
index f91349b9e..c785241c4 100755
--- a/security/nss/tests/gtests/gtests.sh
+++ b/security/nss/tests/gtests/gtests.sh
@@ -24,7 +24,7 @@ gtest_init()
{
cd "$(dirname "$1")"
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
- cd common
+ cd ../common
. ./init.sh
fi
@@ -55,7 +55,8 @@ gtest_start()
GTESTREPORT="$GTESTDIR/report.xml"
PARSED_REPORT="$GTESTDIR/report.parsed"
echo "executing $i"
- ${BINDIR}/$i -d "$GTESTDIR" --gtest_output=xml:"${GTESTREPORT}" \
+ ${BINDIR}/$i "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
+ -d "$GTESTDIR" --gtest_output=xml:"${GTESTREPORT}" \
--gtest_filter="${GTESTFILTER-*}"
html_msg $? 0 "$i run successfully"
echo "test output dir: ${GTESTREPORT}"
@@ -82,7 +83,8 @@ gtest_cleanup()
}
################## main #################################################
-GTESTS="der_gtest pk11_gtest util_gtest"
+GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest"
+SOURCE_DIR="$PWD"/../..
gtest_init $0
gtest_start
gtest_cleanup
diff --git a/security/nss/tests/interop/interop.sh b/security/nss/tests/interop/interop.sh
new file mode 100644
index 000000000..59f0cb481
--- /dev/null
+++ b/security/nss/tests/interop/interop.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/interop/interop.sh
+#
+# Script to drive our cross-stack interop tests
+#
+########################################################################
+
+interop_init()
+{
+ SCRIPTNAME="interop.sh"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ mkdir -p "${HOSTDIR}/interop"
+ cd "${HOSTDIR}/interop"
+ INTEROP=${INTEROP:=tls_interop}
+ if [ ! -d "$INTEROP" ]; then
+ git clone -q https://github.com/mozilla/tls-interop "$INTEROP"
+ fi
+ INTEROP=$(cd "$INTEROP";pwd -P)
+
+ # We use the BoringSSL keyfiles
+ BORING=${BORING:=boringssl}
+ if [ ! -d "$BORING" ]; then
+ git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
+ git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
+ fi
+ BORING=$(cd "$BORING";pwd -P)
+
+ SCRIPTNAME="interop.sh"
+ html_head "interop test"
+}
+
+interop_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+# Function so we can easily add other stacks
+interop_run()
+{
+ test_name=$1
+ client=$2
+ server=$3
+
+ (cd "$INTEROP";
+ cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log
+ html_msg "${PIPESTATUS[0]}" 0 "Interop" "Run successfully"
+ grep -i 'FAILED\|Assertion failure' interop-${test_name}.errors
+ html_msg $? 1 "Interop" "No failures"
+}
+
+cd "$(dirname "$0")"
+SOURCE_DIR="$PWD"/../..
+interop_init
+NSS_SHIM="$BINDIR"/nss_bogo_shim
+BORING_SHIM="$BORING"/build/ssl/test/bssl_shim
+interop_run "nss_nss" ${NSS_SHIM} ${NSS_SHIM}
+interop_cleanup
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
index b34c9c097..944849ad3 100755
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -1006,7 +1006,7 @@ ssl_run()
do
case "${SSL_RUN}" in
"stapling")
- if [ -nz "$NSS_DISABLE_LIBPKIX" ]; then
+ if [ -z "$NSS_DISABLE_LIBPKIX" ]; then
ssl_stapling
fi
;;
@@ -1038,7 +1038,14 @@ ssl_run_all()
ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
- USER_NICKNAME=TestUser
+ # Exercise PKCS#11 URI parsing. The token actually changes its name
+ # in FIPS mode, so cope with that. Note there's also semicolon in here
+ # but it doesn't need escaping/quoting; the shell copes.
+ if [ "${CLIENT_MODE}" = "fips" ]; then
+ USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser"
+ else
+ USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser"
+ fi
NORM_EXT=""
cd ${CLIENTDIR}
@@ -1051,7 +1058,8 @@ ssl_run_all()
P_R_SERVERDIR=$P_R_EXT_SERVERDIR
P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
- USER_NICKNAME=ExtendedSSLUser
+ # A different URI test; specify CKA_LABEL but not the token.
+ USER_NICKNAME="pkcs11:object=ExtendedSSLUser"
NORM_EXT="Extended Test"
cd ${CLIENTDIR}
diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh
index 9768c5ed9..ac39f212c 100755
--- a/security/nss/tests/ssl_gtests/ssl_gtests.sh
+++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh
@@ -127,23 +127,98 @@ ssl_gtest_start()
fi
SSLGTESTREPORT="${SSLGTESTDIR}/report.xml"
- PARSED_REPORT="${SSLGTESTDIR}/report.parsed"
- echo "executing ssl_gtest"
- ${BINDIR}/ssl_gtest -d "${SSLGTESTDIR}" --gtest_output=xml:"${SSLGTESTREPORT}" \
- --gtest_filter="${GTESTFILTER-*}"
- html_msg $? 0 "ssl_gtest run successfully"
- echo "executing sed to parse the xml report"
- sed -f ${COMMON}/parsegtestreport.sed "${SSLGTESTREPORT}" > "${PARSED_REPORT}"
- echo "processing the parsed report"
- cat "${PARSED_REPORT}" | while read result name; do
- if [ "$result" = "notrun" ]; then
- echo "$name" SKIPPED
- elif [ "$result" = "run" ]; then
- html_passed_ignore_core "$name"
- else
+
+ local nshards=1
+ local prefix=""
+ local postfix=""
+
+ export -f parallel_fallback
+
+ # Determine the number of chunks.
+ if [ -n "$GTESTFILTER" ]; then
+ echo "DEBUG: Not parallelizing ssl_gtests because \$GTESTFILTER is set"
+ elif type parallel 2>/dev/null; then
+ nshards=$(parallel --number-of-cores || 1)
+ fi
+
+ if [ "$nshards" != 1 ]; then
+ local indices=$(for ((i=0; i<$nshards; i++)); do echo $i; done)
+ prefix="parallel -j$nshards --line-buffer --halt soon,fail=1"
+ postfix="\&\& exit 0 \|\| exit 1 ::: $indices"
+ fi
+
+ echo "DEBUG: ssl_gtests will be divided into $nshards chunk(s)"
+
+ # Run tests.
+ ${prefix:-parallel_fallback} \
+ GTEST_SHARD_INDEX={} \
+ GTEST_TOTAL_SHARDS=$nshards \
+ DYLD_LIBRARY_PATH="${DIST}/${OBJDIR}/lib" \
+ ${BINDIR}/ssl_gtest -d "${SSLGTESTDIR}" \
+ --gtest_output=xml:"${SSLGTESTREPORT}.{}" \
+ --gtest_filter="${GTESTFILTER-*}" \
+ $postfix
+
+ html_msg $? 0 "ssl_gtests ran successfully"
+
+ # Parse XML report(s).
+ if type xmllint &>/dev/null; then
+ echo "DEBUG: Using xmllint to parse GTest XML report(s)"
+ parse_report
+ else
+ echo "DEBUG: Falling back to legacy XML report parsing using only sed"
+ parse_report_legacy
+ fi
+}
+
+# Helper function used when 'parallel' isn't available.
+parallel_fallback()
+{
+ eval "${@//\{\}/0}"
+}
+
+parse_report()
+{
+ # Check XML reports for normal test runs and failures.
+ local successes=$(parse_report_xpath "//testcase[@status='run'][count(*)=0]")
+ local failures=$(parse_report_xpath "//failure/..")
+
+ # Print all tests that succeeded.
+ while read result name; do
+ html_passed_ignore_core "$name"
+ done <<< "$successes"
+
+ # Print failing tests.
+ if [ -n "$failures" ]; then
+ printf "\nFAILURES:\n=========\n"
+
+ while read result name; do
html_failed_ignore_core "$name"
+ done <<< "$failures"
+
+ printf "\n"
+ fi
+}
+
+parse_report_xpath()
+{
+ # Query the XML report with the given XPath pattern.
+ xmllint --xpath "$1" "${SSLGTESTREPORT}".* 2>/dev/null | \
+ # Insert newlines to help sed.
+ sed $'s/<testcase/\\\n<testcase/g' | \
+ # Use sed to parse the report.
+ sed -f "${COMMON}/parsegtestreport.sed"
+}
+
+# This legacy report parser can't actually detect failures. It always relied
+# on the binary's exit code. Print the tests we ran to keep the old behavior.
+parse_report_legacy()
+{
+ while read result name && [ -n "$name" ]; do
+ if [ "$result" = "run" ]; then
+ html_passed_ignore_core "$name"
fi
- done
+ done <<< "$(sed -f "${COMMON}/parsegtestreport.sed" "${SSLGTESTREPORT}".*)"
}
ssl_gtest_cleanup()
diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh
index 26abf3e4e..769bafa00 100644
--- a/security/nss/tests/tools/tools.sh
+++ b/security/nss/tests/tools/tools.sh
@@ -29,7 +29,7 @@
"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC4"
export pkcs12v2pbeWithSha1AndTripleDESCBC=\
-"PKCS #12 V2 PBE With SHA-1 and Triple DES-CBC"
+"PKCS #12 V2 PBE With SHA-1 and 3KEY Triple DES-CBC"
export pkcs12v2pbeWithSha1And128BitRc2Cbc=\
"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC2 CBC"
@@ -249,7 +249,7 @@ tools_p12_export_list_import_all_pkcs5pbe_ciphers()
"${pkcs5pbeWithMD5AndDEScbc}" \
"${pkcs5pbeWithSha1AndDEScbc}" \
"DEFAULT"\
- "null"; do
+ "none"; do
export_list_import "${key_cipher}" "${cert_cipher}"
done
done
@@ -273,12 +273,9 @@ tools_p12_export_list_import_all_pkcs5v2_ciphers()
CAMELLIA-256-CBC; do
#---------------------------------------------------------------
-# Bug 452464 - pk12util -o fails when -C option specifies AES or
+# Bug 452464 - pk12util -o fails when -C option specifies
# Camellia ciphers
# FIXME Restore these to the list
-# AES-128-CBC, \
-# AES-192-CBC, \
-# AES-256-CBC, \
# CAMELLIA-128-CBC, \
# CAMELLIA-192-CBC, \
# CAMELLIA-256-CBC, \
@@ -287,7 +284,10 @@ tools_p12_export_list_import_all_pkcs5v2_ciphers()
for cert_cipher in \
RC2-CBC \
DES-EDE3-CBC \
- null; do
+ AES-128-CBC \
+ AES-192-CBC \
+ AES-256-CBC \
+ none; do
export_list_import ${key_cipher} ${cert_cipher}
done
done
@@ -324,8 +324,8 @@ tools_p12_export_list_import_all_pkcs12v2pbe_ciphers()
"${pkcs12v2pbeWithMd5AndDESCBC}" \
"${pkcs12v2pbeWithSha1AndDESCBC}" \
"DEFAULT"\
- "null"; do
- export_list_import "${key_cipher}" "${key_cipher}"
+ "none"; do
+ export_list_import "${key_cipher}" "${cert_cipher}"
done
#done
}
@@ -333,35 +333,60 @@ tools_p12_export_list_import_all_pkcs12v2pbe_ciphers()
#########################################################################
# Export with no encryption on key should fail but on cert should pass
#########################################################################
-tools_p12_export_with_null_ciphers()
+tools_p12_export_with_none_ciphers()
{
- # use null as the key encryption algorithm default for the cert one
+ # use none as the key encryption algorithm default for the cert one
# should fail
echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
- echo " -k ${R_PWFILE} -w ${R_PWFILE} -c null"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -c none"
${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
-k ${R_PWFILE} -w ${R_PWFILE} \
- -c null 2>&1
+ -c none 2>&1
ret=$?
- html_msg $ret 30 "Exporting with [null:default] (pk12util -o)"
+ html_msg $ret 30 "Exporting with [none:default] (pk12util -o)"
check_tmpfile
- # use default as the key encryption algorithm null for the cert one
+ # use default as the key encryption algorithm none for the cert one
# should pass
echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
- echo " -k ${R_PWFILE} -w ${R_PWFILE} -C null"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -C none"
${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
-k ${R_PWFILE} -w ${R_PWFILE} \
- -C null 2>&1
+ -C none 2>&1
ret=$?
- html_msg $ret 0 "Exporting with [default:null] (pk12util -o)"
+ html_msg $ret 0 "Exporting with [default:none] (pk12util -o)"
check_tmpfile
}
#########################################################################
+# Export with invalid cipher should fail
+#########################################################################
+tools_p12_export_with_invalid_ciphers()
+{
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -c INVALID_CIPHER"
+ ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} \
+ -c INVALID_CIPHER 2>&1
+ ret=$?
+ html_msg $ret 30 "Exporting with [INVALID_CIPHER:default] (pk12util -o)"
+ check_tmpfile
+
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -C INVALID_CIPHER"
+ ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} \
+ -C INVALID_CIPHER 2>&1
+ ret=$?
+ html_msg $ret 30 "Exporting with [default:INVALID_CIPHER] (pk12util -o)"
+ check_tmpfile
+
+}
+
+#########################################################################
# Exports using the default key and certificate encryption ciphers.
# Imports from and lists the contents of the p12 file.
# Repeats the test with ECC if enabled.
@@ -407,7 +432,8 @@ tools_p12()
tools_p12_export_list_import_all_pkcs5v2_ciphers
tools_p12_export_list_import_all_pkcs5pbe_ciphers
tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
- tools_p12_export_with_null_ciphers
+ tools_p12_export_with_none_ciphers
+ tools_p12_export_with_invalid_ciphers
}
############################## tools_sign ##############################