From 74cabf7948b2597f5b6a67d6910c844fd1a88ff6 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sat, 15 Dec 2018 01:42:53 +0100 Subject: Update NSS to 3.41 --- security/nss/tests/all.sh | 7 +- security/nss/tests/bogo/bogo.sh | 8 +- .../nss/tests/cert/TestUser-rsa-pss-interop.p12 | Bin 0 -> 2598 bytes security/nss/tests/cert/cert.sh | 103 ++++++++ security/nss/tests/chains/chains.sh | 26 +- security/nss/tests/chains/scenarios/ipsec.cfg | 61 +++++ security/nss/tests/chains/scenarios/realcerts.cfg | 2 +- security/nss/tests/chains/scenarios/scenarios | 1 + security/nss/tests/common/certsetup.sh | 57 ++++ security/nss/tests/common/init.sh | 44 ++-- security/nss/tests/interop/interop.sh | 44 +++- security/nss/tests/libpkix/certs/PayPalEE.cert | Bin 1376 -> 2012 bytes security/nss/tests/libpkix/certs/PayPalICA.cert | Bin 1205 -> 1210 bytes security/nss/tests/libpkix/vfychain_test.lst | 2 +- security/nss/tests/policy/crypto-policy.txt | 19 ++ security/nss/tests/policy/policy.sh | 58 ++++ security/nss/tests/ssl/ssl.sh | 291 ++++++++++++++------- security/nss/tests/ssl/sslcov.txt | 5 + security/nss/tests/ssl/sslstress.txt | 7 - security/nss/tests/ssl_gtests/ssl_gtests.sh | 56 +--- security/nss/tests/tlsfuzzer/config.json.in | 166 ++++++++++++ security/nss/tests/tlsfuzzer/tlsfuzzer.sh | 110 ++++++++ 22 files changed, 872 insertions(+), 195 deletions(-) create mode 100644 security/nss/tests/cert/TestUser-rsa-pss-interop.p12 create mode 100644 security/nss/tests/chains/scenarios/ipsec.cfg create mode 100644 security/nss/tests/common/certsetup.sh create mode 100644 security/nss/tests/policy/crypto-policy.txt create mode 100644 security/nss/tests/policy/policy.sh create mode 100644 security/nss/tests/tlsfuzzer/config.json.in create mode 100644 security/nss/tests/tlsfuzzer/tlsfuzzer.sh (limited to 'security/nss/tests') diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh index f8a777fb3..5ad0b522e 100755 --- a/security/nss/tests/all.sh +++ b/security/nss/tests/all.sh @@ -37,10 +37,13 @@ # memleak.sh - memory leak testing (optional) # ssl_gtests.sh- Gtest based unit tests for ssl # gtests.sh - Gtest based unit tests for everything else +# policy.sh - Crypto Policy tests # bogo.sh - Bogo interop tests (disabled by default) # https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md # interop.sh - Interoperability tests (disabled by default) # https://github.com/ekr/tls_interop +# tlsfuzzer.sh - tlsfuzzer interop tests (disabled by default) +# https://github.com/tomato42/tlsfuzzer/ # # NSS testing is now devided to 4 cycles: # --------------------------------------- @@ -300,7 +303,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then RUN_FIPS="fips" fi -tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests" +tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy" # Don't run chains tests when we have a gyp build. if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then tests="$tests chains" @@ -315,7 +318,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then fi NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}" -nss_ssl_run="cov auth stapling stress" +nss_ssl_run="cov auth stapling signed_cert_timestamps stress scheme" NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}" # NOTE: diff --git a/security/nss/tests/bogo/bogo.sh b/security/nss/tests/bogo/bogo.sh index 4fccb845b..e3e9c32df 100755 --- a/security/nss/tests/bogo/bogo.sh +++ b/security/nss/tests/bogo/bogo.sh @@ -25,7 +25,7 @@ bogo_init() BORING=${BORING:=boringssl} if [ ! -d "$BORING" ]; then git clone -q https://boringssl.googlesource.com/boringssl "$BORING" - git -C "$BORING" checkout -q ec55dc15d3a39e5f1a58bfd79148729f38f6acb4 + git -C "$BORING" checkout -q 7f4f41fa81c03e0f8ef1ab5b3d1d566b5968f107 fi SCRIPTNAME="bogo.sh" @@ -39,9 +39,9 @@ bogo_cleanup() . common/cleanup.sh } -cd ../ -cwd=$(cd $(dirname $0); pwd -P) -SOURCE_DIR="$cwd"/.. +cd "$(dirname "$0")" +cwd=$(pwd -P) +SOURCE_DIR="$(cd "$cwd"/../..; pwd -P)" bogo_init (cd "$BORING"/ssl/test/runner; GOPATH="$cwd" go test -pipe -shim-path "${BINDIR}"/nss_bogo_shim \ diff --git a/security/nss/tests/cert/TestUser-rsa-pss-interop.p12 b/security/nss/tests/cert/TestUser-rsa-pss-interop.p12 new file mode 100644 index 000000000..f0e8d24d6 Binary files /dev/null and b/security/nss/tests/cert/TestUser-rsa-pss-interop.p12 differ diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh index 34006efd1..b74de9be5 100755 --- a/security/nss/tests/cert/cert.sh +++ b/security/nss/tests/cert/cert.sh @@ -448,6 +448,27 @@ cert_add_cert() fi cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created" + echo "Importing RSA-PSS server certificate" + pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR} + # Let's get the key ID of the imported private key. + KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \ + grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'` + + CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request" + NEWSERIAL=`expr ${CERTSERIAL} + 30000` + certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's RSA-PSS Cert -t u,u,u" + certu -A -n "$CERTNAME-rsa-pss" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}-rsa-pss.cert" 2>&1 + cert_log "SUCCESS: $CERTNAME's RSA-PSS Cert Created" + return 0 } @@ -2103,6 +2124,23 @@ cert_test_implicit_db_init() certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert" } +cert_test_token_uri() +{ + echo "$SCRIPTNAME: specify token with PKCS#11 URI" + + CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'` + BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'` + + CU_ACTION="List keys in NSS Certificate DB" + certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI} + + # This token shouldn't have any keys + CU_ACTION="List keys in NSS Builtin Objects" + RETEXPECTED=255 + certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI} + RETEXPECTED=0 +} + check_sign_algo() { certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \ @@ -2475,6 +2513,29 @@ EOF RETEXPECTED=0 } +cert_test_orphan_key_delete() +{ + CU_ACTION="Create orphan key in serverdir" + certu -G -k ec -q nistp256 -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR} + # Let's get the key ID of the first orphan key. + # The output of certutil -K (list keys) isn't well formatted. + # The initial part may or may not contain white space, which + # makes the use of awk to filter the column unreliable. + # To fix that, we remove the initial field using sed, then select the + # column that contains the key ID. + ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \ + sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'` + CU_ACTION="Delete orphan key" + certu -F -f "${R_PWFILE}" -k ${ORPHAN} -d ${PROFILEDIR} + # Ensure that the key is removed + certu -K -f "${R_PWFILE}" -d ${PROFILEDIR} | grep ${ORPHAN} + RET=$? + if [ "$RET" -eq 0 ]; then + html_failed "Deleting orphan key ($RET)" + cert_log "ERROR: Deleting orphan key failed $RET" + fi +} + cert_test_orphan_key_reuse() { CU_ACTION="Create orphan key in serverdir" @@ -2500,6 +2561,43 @@ cert_test_orphan_key_reuse() fi } +cert_test_rsapss_policy() +{ + CERTSERIAL=`expr $CERTSERIAL + 1` + + CERTNAME="TestUser-rsa-pss-policy" + + # Subject certificate: RSA-PSS + # Issuer certificate: RSA + # Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1) + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}" + + CU_ACTION="Verify $CERTNAME's Cert with Policy" + cp ${PROFILEDIR}/pkcs11.txt pkcs11.txt.orig + cat >> ${PROFILEDIR}/pkcs11.txt << ++EOF++ +library= +name=Policy +config="disallow=SHA1" +++EOF++ + RETEXPECTED=255 + certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}" + RETEXPECTED=0 + cp pkcs11.txt.orig ${PROFILEDIR}/pkcs11.txt +} + ############################## cert_cleanup ############################ # local shell function to finish this script (no exit since it might be # sourced) @@ -2519,6 +2617,7 @@ cert_all_CA cert_test_implicit_db_init cert_extended_ssl cert_ssl +cert_test_orphan_key_delete cert_test_orphan_key_reuse cert_smime_client IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED` @@ -2534,6 +2633,10 @@ cert_test_password cert_test_distrust cert_test_ocspresp cert_test_rsapss +if [ "${TEST_MODE}" = "SHARED_DB" ] ; then + cert_test_rsapss_policy +fi +cert_test_token_uri if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then cert_crl_ssl diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh index 4c3fa57a0..32c7ef54c 100755 --- a/security/nss/tests/chains/chains.sh +++ b/security/nss/tests/chains/chains.sh @@ -51,13 +51,13 @@ is_httpserv_alive() wait_for_httpserv() { echo "trying to connect to httpserv at `date`" - echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v" - ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v + echo "tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v" + ${BINDIR}/tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v if [ $? -ne 0 ]; then sleep 5 echo "retrying to connect to httpserv at `date`" - echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v" - ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v + echo "tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v" + ${BINDIR}/tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v if [ $? -ne 0 ]; then html_failed "Waiting for Server" fi @@ -351,6 +351,12 @@ create_cert_req() EXT_DATA="y -1 y +" + else + CA_FLAG="-2" + EXT_DATA="n +-1 +y " fi @@ -974,8 +980,8 @@ check_ocsp() OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//") OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/") - echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20" - tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20 + echo "tstclnt -4 -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20" + tstclnt -4 -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20 return $? } @@ -1258,6 +1264,12 @@ process_scenario() rm ${AIA_FILES} } +# process ipsec.cfg separately +chains_ipsec() +{ + process_scenario "ipsec.cfg" +} + # process ocspd.cfg separately chains_ocspd() { @@ -1279,6 +1291,7 @@ chains_main() do [ `echo ${LINE} | cut -b 1` != "#" ] || continue + [ ${LINE} != 'ipsec.cfg' ] || continue [ ${LINE} != 'ocspd.cfg' ] || continue [ ${LINE} != 'method.cfg' ] || continue @@ -1292,6 +1305,7 @@ chains_init VERIFY_CLASSIC_ENGINE_TOO= chains_ocspd VERIFY_CLASSIC_ENGINE_TOO=1 +chains_ipsec chains_run_httpserv get chains_method chains_stop_httpserv diff --git a/security/nss/tests/chains/scenarios/ipsec.cfg b/security/nss/tests/chains/scenarios/ipsec.cfg new file mode 100644 index 000000000..811bf9c09 --- /dev/null +++ b/security/nss/tests/chains/scenarios/ipsec.cfg @@ -0,0 +1,61 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario IPsec + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + +entity NoKU + type EE + issuer CA1 + +entity DigSig + type EE + issuer CA1 + ku digitalSignature + +entity NonRep + type EE + issuer CA1 + ku nonRepudiation + +entity DigSigNonRepAndExtra + type EE + issuer CA1 + ku digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement + +entity NoMatch + type EE + issuer CA1 + ku keyEncipherment,dataEncipherment,keyAgreement + +db All + +import Root::C,, +import CA1:Root: + +verify NoKU:CA1 + usage 12 + result pass + +verify DigSig:CA1 + usage 12 + result pass + +verify NonRep:CA1 + usage 12 + result pass + +verify DigSigNonRepAndExtra:CA1 + usage 12 + result pass + +verify NoMatch:CA1 + usage 12 + result fail diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg index d2a8c7143..305443fc3 100644 --- a/security/nss/tests/chains/scenarios/realcerts.cfg +++ b/security/nss/tests/chains/scenarios/realcerts.cfg @@ -21,7 +21,7 @@ verify TestUser51:x result pass verify PayPalEE:x - policy OID.2.16.840.1.114412.1.1 + policy OID.2.16.840.1.114412.2.1 result pass verify BrAirWaysBadSig:x diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios index d26c3f92e..4eafd9c8d 100644 --- a/security/nss/tests/chains/scenarios/scenarios +++ b/security/nss/tests/chains/scenarios/scenarios @@ -22,3 +22,4 @@ ocsp.cfg crldp.cfg trustanchors.cfg nameconstraints.cfg +ipsec.cfg diff --git a/security/nss/tests/common/certsetup.sh b/security/nss/tests/common/certsetup.sh new file mode 100644 index 000000000..2b5cef840 --- /dev/null +++ b/security/nss/tests/common/certsetup.sh @@ -0,0 +1,57 @@ +# Generate input to certutil +certscript() { + ca=n + while [ $# -gt 0 ]; do + case $1 in + sign) echo 0 ;; + kex) echo 2 ;; + ca) echo 5;echo 6;ca=y ;; + esac; shift + done; + echo 9 + echo n + echo $ca + echo + echo n +} + +# $1: name +# $2: type +# $3+: usages: sign or kex +make_cert() { + name=$1 + type=$2 + + # defaults + type_args=() + trust=',,' + sign=(-x) + sighash=(-Z SHA256) + + case $type in + dsa) type_args=(-g 1024) ;; + rsa) type_args=(-g 1024) ;; + rsa2048) type_args=(-g 2048);type=rsa ;; + rsa8192) type_args=(-g 8192);type=rsa ;; + rsapss) type_args=(-g 1024 --pss);type=rsa ;; + rsapss384) type_args=(-g 1024 --pss);type=rsa;sighash=(-Z SHA384) ;; + rsapss512) type_args=(-g 2048 --pss);type=rsa;sighash=(-Z SHA512) ;; + rsapss_noparam) type_args=(-g 2048 --pss);type=rsa;sighash=() ;; + p256) type_args=(-q nistp256);type=ec ;; + p384) type_args=(-q secp384r1);type=ec ;; + p521) type_args=(-q secp521r1);type=ec ;; + rsa_ca) type_args=(-g 1024);trust='CT,CT,CT';type=rsa ;; + rsa_chain) type_args=(-g 1024);sign=(-c rsa_ca);type=rsa;; + rsapss_ca) type_args=(-g 1024 --pss);trust='CT,CT,CT';type=rsa ;; + rsapss_chain) type_args=(-g 1024);sign=(-c rsa_pss_ca);type=rsa;; + rsa_ca_rsapss_chain) type_args=(-g 1024 --pss-sign);sign=(-c rsa_ca);type=rsa;; + ecdh_rsa) type_args=(-q nistp256);sign=(-c rsa_ca);type=ec ;; + esac + shift 2 + counter=$(($counter + 1)) + certscript $@ | ${BINDIR}/certutil -S \ + -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \ + -n $name -s "CN=$name" -t "$trust" "${sign[@]}" -m "$counter" \ + -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2 + html_msg $? 0 "create certificate: $@" +} diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh index 6aa22af8d..2896f1321 100644 --- a/security/nss/tests/common/init.sh +++ b/security/nss/tests/common/init.sh @@ -356,40 +356,34 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then #HOST and DOMSUF are needed for the server cert - DOMAINNAME=`which domainname` - if [ -z "${DOMSUF}" -a $? -eq 0 -a -n "${DOMAINNAME}" ]; then + if [ -z "$DOMSUF" ] && hash domainname 2>/dev/null; then DOMSUF=`domainname` fi + # hostname -d and domainname both return (none) if hostname doesn't + # include a dot. Pretend we didn't get an answer. + if [ "$DOMSUF" = "(none)" ]; then + DOMSUF= + fi - case $HOST in + if [ -z "$HOST" ]; then + HOST=`uname -n` + fi + case "$HOST" in *\.*) - if [ -z "${DOMSUF}" ]; then - DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"` + if [ -z "$DOMSUF" ]; then + DOMSUF="${HOST#*.}" fi - HOST=`echo $HOST | sed -e "s/\..*//"` + HOST="${HOST%%.*}" ;; ?*) ;; *) - HOST=`uname -n` - case $HOST in - *\.*) - if [ -z "${DOMSUF}" ]; then - DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"` - fi - HOST=`echo $HOST | sed -e "s/\..*//"` - ;; - ?*) - ;; - *) - echo "$SCRIPTNAME: Fatal HOST environment variable is not defined." - exit 1 #does not need to be Exit, very early in script - ;; - esac + echo "$SCRIPTNAME: Fatal HOST environment variable is not defined." + exit 1 #does not need to be Exit, very early in script ;; esac - if [ -z "${DOMSUF}" -a "${OS_ARCH}" != "Android" ]; then + if [ -z "$DOMSUF" -a "$OS_ARCH" != "Android" ]; then echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined." exit 1 #does not need to be Exit, very early in script fi @@ -397,8 +391,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then #HOSTADDR was a workaround for the dist. stress test, and is probably #not needed anymore (purpose: be able to use IP address for the server #cert instead of PC name which was not in the DNS because of dyn IP address - if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then - if [ -z "${DOMSUF}" ]; then + if [ "$USE_IP" != "TRUE" ] ; then + if [ -z "$DOMSUF" ]; then HOSTADDR=${HOST} else HOSTADDR=${HOST}.${DOMSUF} @@ -595,7 +589,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}" P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}" P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}" - P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}" + P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}" fi R_PWFILE=../tests.pw diff --git a/security/nss/tests/interop/interop.sh b/security/nss/tests/interop/interop.sh index 50c8bb3c1..18737c726 100644 --- a/security/nss/tests/interop/interop.sh +++ b/security/nss/tests/interop/interop.sh @@ -24,8 +24,8 @@ interop_init() cd "${HOSTDIR}/interop" INTEROP=${INTEROP:=tls_interop} if [ ! -d "$INTEROP" ]; then - git clone -q https://github.com/ttaubert/tls-interop "$INTEROP" - git -C "$INTEROP" checkout -q d07b28ac32b390dea1c9bcca5c56716247d23e5e + git clone -q https://github.com/mozilla/tls-interop "$INTEROP" + git -C "$INTEROP" checkout -q c00685aa953c49f1e844e614746aadc783e81b19 fi INTEROP=$(cd "$INTEROP";pwd -P) @@ -33,9 +33,34 @@ interop_init() BORING=${BORING:=boringssl} if [ ! -d "$BORING" ]; then git clone -q https://boringssl.googlesource.com/boringssl "$BORING" - git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3 + git -C "$BORING" checkout -q 7f4f41fa81c03e0f8ef1ab5b3d1d566b5968f107 fi BORING=$(cd "$BORING";pwd -P) + mkdir "$BORING/build" + cd "$BORING/build" + + # Build boring explicitly with gcc because it fails on builds where + # CC=clang-5.0, for example on asan-builds. + export CC=gcc + cmake .. + make -j$(nproc) + + # Check out and build OpenSSL. + # Build with "enable-external-tests" to include the shim in the build. + cd "${HOSTDIR}" + OSSL=${OSSL:=openssl} + if [ ! -d "$OSSL" ]; then + git clone -q https://github.com/openssl/openssl.git "$OSSL" + git -C "$OSSL" checkout -q 7d38ca3f8bca58bf7b69e78c1f1ab69e5f429dff + fi + OSSL=$(cd "$OSSL";pwd -P) + cd "$OSSL" + ./config enable-external-tests + make -j$(nproc) + + #Some filenames in the OpenSSL repository contain "core". + #This prevents false positive "core file detected" errors. + detect_core SCRIPTNAME="interop.sh" html_head "interop test" @@ -56,21 +81,26 @@ interop_run() server=$3 (cd "$INTEROP"; - cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log + cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json $4 $5 ) 2>interop-${test_name}.errors | tee interop-${test_name}.log RESULT=${PIPESTATUS[0]} - html_msg "${RESULT}" 0 "Interop" "Run successfully" + html_msg "${RESULT}" 0 "Interop ${test_name}" "Run successfully" if [ $RESULT -ne 0 ]; then cat interop-${test_name}.errors cat interop-${test_name}.log fi grep -i 'FAILED\|Assertion failure' interop-${test_name}.errors - html_msg $? 1 "Interop" "No failures" + html_msg $? 1 "Interop ${test_name}" "No failures" } cd "$(dirname "$0")" -SOURCE_DIR="$PWD"/../.. interop_init NSS_SHIM="$BINDIR"/nss_bogo_shim BORING_SHIM="$BORING"/build/ssl/test/bssl_shim +OSSL_SHIM="$OSSL"/test/ossl_shim/ossl_shim +export LD_LIBRARY_PATH="$LD_LIBRARY_PATH":"$OSSL" interop_run "nss_nss" ${NSS_SHIM} ${NSS_SHIM} +interop_run "bssl_nss" ${BORING_SHIM} ${NSS_SHIM} +interop_run "nss_bssl" ${NSS_SHIM} ${BORING_SHIM} "--client-writes-first" +interop_run "ossl_nss" ${OSSL_SHIM} ${NSS_SHIM} "--force-IPv4" +interop_run "nss_ossl" ${NSS_SHIM} ${OSSL_SHIM} "--client-writes-first" "--force-IPv4" interop_cleanup diff --git a/security/nss/tests/libpkix/certs/PayPalEE.cert b/security/nss/tests/libpkix/certs/PayPalEE.cert index d71fbb501..aef408676 100644 Binary files a/security/nss/tests/libpkix/certs/PayPalEE.cert and b/security/nss/tests/libpkix/certs/PayPalEE.cert differ diff --git a/security/nss/tests/libpkix/certs/PayPalICA.cert b/security/nss/tests/libpkix/certs/PayPalICA.cert index 07e025def..dd14c1b21 100644 Binary files a/security/nss/tests/libpkix/certs/PayPalICA.cert and b/security/nss/tests/libpkix/certs/PayPalICA.cert differ diff --git a/security/nss/tests/libpkix/vfychain_test.lst b/security/nss/tests/libpkix/vfychain_test.lst index 78d6185c3..624c6466d 100644 --- a/security/nss/tests/libpkix/vfychain_test.lst +++ b/security/nss/tests/libpkix/vfychain_test.lst @@ -1,4 +1,4 @@ # Status | Leaf Cert | Policies | Others(undef) 0 TestUser50 undef 0 TestUser51 undef -0 PayPalEE OID.2.16.840.1.114412.1.1 +0 PayPalEE OID.2.16.840.1.114412.2.1 diff --git a/security/nss/tests/policy/crypto-policy.txt b/security/nss/tests/policy/crypto-policy.txt new file mode 100644 index 000000000..9a8c0cd1b --- /dev/null +++ b/security/nss/tests/policy/crypto-policy.txt @@ -0,0 +1,19 @@ +# col 1: expected return value of nss-policy-check +# col 2: policy config statement, using _ instead of space +# col 3: an extended regular expression, expected to match the output +# col 4: description of the test +# +0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy +0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy +0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy +2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value +2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value +2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier +1 disallow=all NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all +1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes +1 disallow=ALL_allow=tls-version-min=0:tls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS All TLS versions disabled +1 disallow=ALL_allow=dtls-version-min=0:dtls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS All DTLS versions disabled +1 disallow=ALL_allow=tls-version-min=tls1.2:tls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS Invalid range of TLS versions +1 disallow=ALL_allow=dtls-version-min=tls1.2:dtls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS Invalid range of DTLS versions +1 disallow=ALL_allow=tls-version-min=tls1.1:tls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-TLS-VERSIONS Valid range of TLS versions +1 disallow=ALL_allow=dtls-version-min=tls1.1:dtls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-DTLS-VERSIONS Valid range of DTLS versions diff --git a/security/nss/tests/policy/policy.sh b/security/nss/tests/policy/policy.sh new file mode 100644 index 000000000..228c982a5 --- /dev/null +++ b/security/nss/tests/policy/policy.sh @@ -0,0 +1,58 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/policy/policy.sh +# +# Script to test NSS crypto policy code +# +######################################################################## + +ignore_blank_lines() +{ + LC_ALL=C grep -v '^[[:space:]]*\(#\|$\)' "$1" +} + +policy_run_tests() +{ + html_head "CRYPTO-POLICY" + + POLICY_INPUT=${QADIR}/policy/crypto-policy.txt + + ignore_blank_lines ${POLICY_INPUT} | \ + while read value policy match testname + do + echo "$SCRIPTNAME: running \"$testname\" ----------------------------" + policy=`echo ${policy} | sed -e 's;_; ;g'` + match=`echo ${match} | sed -e 's;_; ;g'` + POLICY_FILE="${TMP}/nss-policy" + + echo "$SCRIPTNAME: policy: \"$policy\"" + + cat > "$POLICY_FILE" << ++EOF++ +library= +name=Policy +NSS=flags=policyOnly,moduleDB +++EOF++ + echo "config=\"${policy}\"" >> "$POLICY_FILE" + echo "" >> "$POLICY_FILE" + + nss-policy-check "$POLICY_FILE" >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + + html_msg $ret $value "\"${testname}\"" \ + "produced a returncode of $ret, expected is $value" + + egrep "${match}" ${TMP}/$HOST.tmp.$$ + ret=$? + html_msg $ret 0 "\"${testname}\" output is expected to match \"${match}\"" + + done +} + +policy_run_tests diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh index 9a63bd997..c1730d8d7 100755 --- a/security/nss/tests/ssl/ssl.sh +++ b/security/nss/tests/ssl/ssl.sh @@ -64,9 +64,9 @@ ssl_init() PORT=$(($PORT + $padd)) fi NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} - nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls" + nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls scheme" NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} - + # Test case files SSLCOV=${QADIR}/ssl/sslcov.txt SSLAUTH=${QADIR}/ssl/sslauth.txt @@ -210,24 +210,28 @@ start_selfserv() if [ -n "$testname" ] ; then echo "$SCRIPTNAME: $testname ----" fi - sparam=`echo $sparam | sed -e 's;_; ;g'` - if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then + if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec" else ECC_OPTIONS="" fi + if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then + RSA_OPTIONS="-n ${HOSTADDR}" + else + RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss" + fi echo "selfserv starting at `date`" - echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" - echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\" + echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\" + echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\" echo " -V ssl3:tls1.2 $verbose -H 1 &" if [ ${fileout} -eq 1 ]; then - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \ + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \ > ${SERVEROUTFILE} 2>&1 & RET=$? else - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 & + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 & RET=$? fi @@ -270,9 +274,8 @@ ssl_cov() html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" testname="" - sparam="$CIPHER_SUITES" - start_selfserv # Launch the server + start_selfserv $CIPHER_SUITES # Launch the server VMIN="ssl3" VMAX="tls1.1" @@ -283,6 +286,13 @@ ssl_cov() echo "${testname}" | grep "EXPORT" > /dev/null EXP=$? + # RSA-PSS tests are handled in a separate function + case $testname in + *RSA-PSS) + continue + ;; + esac + echo "$SCRIPTNAME: running $testname ----------------------------" VMAX="ssl3" if [ "$testmax" = "TLS10" ]; then @@ -313,6 +323,58 @@ ssl_cov() html "
" } +ssl_cov_rsa_pss() +{ + #verbose="-v" + html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + + if [ "$NORM_EXT" = "Extended Test" ] ; then + echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT" + return 0 + fi + + RSA_PSS_CERT=1 + NO_ECC_CERTS=1 + start_selfserv $CIPHER_SUITES + RSA_PSS_CERT=0 + NO_ECC_CERTS=0 + + VMIN="tls1.2" + VMAX="tls1.2" + + ignore_blank_lines ${SSLCOV} | \ + while read ectype testmax param testname + do + case $testname in + *RSA-PSS) + ;; + *) + continue + ;; + esac + + echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------" + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + html_msg $ret 0 "${testname}" \ + "produced a returncode of $ret, expected is 0" + done + + kill_selfserv + html "
" +} + ############################## ssl_auth ################################ # local shell function to perform SSL Client Authentication tests ######################################################################## @@ -337,7 +399,7 @@ ssl_auth() cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` fi - start_selfserv + start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" echo " ${cparam} < ${REQUEST_FILE}" @@ -370,15 +432,15 @@ ssl_stapling_sub() value=$3 if [ "$NORM_EXT" = "Extended Test" ] ; then - # these tests use the ext_client directory for tstclnt, - # which doesn't contain the required "TestCA" for server cert - # verification, I don't know if it would be OK to add it... - echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - return 0 + # these tests use the ext_client directory for tstclnt, + # which doesn't contain the required "TestCA" for server cert + # verification, I don't know if it would be OK to add it... + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + return 0 fi if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" - return 0 + return 0 fi SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} @@ -395,8 +457,8 @@ ssl_stapling_sub() echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 + -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? cat ${TMP}/$HOST.tmp.$$ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null @@ -405,7 +467,7 @@ ssl_stapling_sub() # (see commands in ssl_auth html_msg $ret $value "${testname}" \ - "produced a returncode of $ret, expected is $value" + "produced a returncode of $ret, expected is $value" kill_selfserv SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} @@ -419,15 +481,15 @@ ssl_stapling_stress() value=0 if [ "$NORM_EXT" = "Extended Test" ] ; then - # these tests use the ext_client directory for tstclnt, - # which doesn't contain the required "TestCA" for server cert - # verification, I don't know if it would be OK to add it... - echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - return 0 + # these tests use the ext_client directory for tstclnt, + # which doesn't contain the required "TestCA" for server cert + # verification, I don't know if it would be OK to add it... + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + return 0 fi if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" - return 0 + return 0 fi SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} @@ -443,13 +505,13 @@ ssl_stapling_stress() echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}" echo "strsclnt started at `date`" ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \ - -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR} + -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR} ret=$? echo "strsclnt completed at `date`" html_msg $ret $value \ - "${testname}" \ - "produced a returncode of $ret, expected is $value." + "${testname}" \ + "produced a returncode of $ret, expected is $value." kill_selfserv SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} @@ -556,7 +618,7 @@ ssl_stress() sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` fi - start_selfserv + start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` if [ "`uname -n`" = "sjsu" ] ; then echo "debugging disapering selfserv... ps -ef | grep selfserv" @@ -610,56 +672,56 @@ ssl_crl_ssl() if [ "$ectype" = "SNI" ]; then continue else - servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` - pwd=`echo $cparam | grep nss` - user=`echo $cparam | grep TestUser` - _cparam=$cparam - case $servarg in - 1) if [ -z "$pwd" -o -z "$user" ]; then + servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` + pwd=`echo $cparam | grep nss` + user=`echo $cparam | grep TestUser` + _cparam=$cparam + case $servarg in + 1) if [ -z "$pwd" -o -z "$user" ]; then rev_modvalue=0 else - rev_modvalue=254 + rev_modvalue=254 fi ;; - 2) rev_modvalue=254 ;; - 3) if [ -z "$pwd" -o -z "$user" ]; then - rev_modvalue=0 - else - rev_modvalue=1 - fi - ;; - 4) rev_modvalue=1 ;; - esac - TEMP_NUM=0 - while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ] - do - CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}` - TEMP_NUM=`expr $TEMP_NUM + 1` - USER_NICKNAME="TestUser${CURR_SER_NUM}" - cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` - start_selfserv - - echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" - echo " ${cparam} < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ - -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? - cat ${TMP}/$HOST.tmp.$$ - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then - modvalue=$rev_modvalue + 2) rev_modvalue=254 ;; + 3) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=1 + fi + ;; + 4) rev_modvalue=1 ;; + esac + TEMP_NUM=0 + while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ] + do + CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}` + TEMP_NUM=`expr $TEMP_NUM + 1` + USER_NICKNAME="TestUser${CURR_SER_NUM}" + cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` + start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then + modvalue=$rev_modvalue testAddMsg="revoked" - else + else testAddMsg="not revoked" - modvalue=$value - fi + modvalue=$value + fi - html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \ - "produced a returncode of $ret, expected is $modvalue" - kill_selfserv - done + html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + kill_selfserv + done fi done @@ -702,7 +764,6 @@ ssl_policy() html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" testname="" - sparam="$CIPHER_SUITES" if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized" @@ -712,7 +773,7 @@ ssl_policy() echo "Saving pkcs11.txt" cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav - start_selfserv # Launch the server + start_selfserv $CIPHER_SUITES ignore_blank_lines ${SSLPOLICY} | \ while read value ectype testmax param policy testname @@ -775,7 +836,6 @@ ssl_policy_listsuites() html_head "SSL POLICY LISTSUITES $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" testname="" - sparam="$CIPHER_SUITES" if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized" @@ -815,7 +875,6 @@ ssl_policy_selfserv() html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" testname="" - sparam="$CIPHER_SUITES" if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" @@ -828,7 +887,7 @@ ssl_policy_selfserv() # Disallow RSA in key exchange explicitly setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR} - start_selfserv # Launch the server + start_selfserv $CIPHER_SUITES VMIN="ssl3" VMAX="tls1.2" @@ -956,7 +1015,7 @@ _EOF_REQUEST_ -p ../tests.pw.928 ret=$? if [ "$ret" -eq 0 ]; then - html_passed "${CU_ACTION}" + html_passed "${CU_ACTION}" return 1 fi start_selfserv @@ -984,8 +1043,7 @@ ssl_crl_cache() echo $? while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ] do - sparam=$SERV_ARG - start_selfserv + start_selfserv `echo $SERV_ARG | sed -e 's,_, ,g'` exec < ${SSLAUTH_TMP} while read ectype value sparam cparam testname do @@ -1013,7 +1071,7 @@ ssl_crl_cache() fi ;; 4) rev_modvalue=1 ;; - esac + esac TEMP_NUM=0 LOADED_GRP=1 while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] @@ -1030,7 +1088,7 @@ ssl_crl_cache() echo " ${cparam} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ - -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ + -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? cat ${TMP}/$HOST.tmp.$$ @@ -1069,7 +1127,7 @@ ssl_crl_cache() # Restart selfserv to roll back to two initial group 1 crls # TestCA CRL and TestCA-ec CRL kill_selfserv - start_selfserv + start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` fi done kill_selfserv @@ -1106,22 +1164,66 @@ ssl_dtls() -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} 2>&1 & PID=$! - + sleep 1 - + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" echo " -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE}" ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1 + -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1 ret=$? html_msg $ret $value "${testname}" \ "produced a returncode of $ret, expected is $value" kill ${PID} - + html "
" } +############################ ssl_scheme ################################### +# local shell function to test tstclnt and selfserv handling of signature schemes +######################################################################### +ssl_scheme() +{ + if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + return 0 + fi + + html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + NO_ECC_CERTS=1 + schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256") + for sscheme in "${schemes[@]}"; do + for cscheme in "${schemes[@]}"; do + testname="ssl_scheme server='$sscheme' client='$cscheme'" + echo "${testname}" + + start_selfserv -V tls1.2:tls1.2 -J "$sscheme" + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -V tls1.2:tls1.2 -J "$cscheme" < ${REQUEST_FILE}" + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" < ${REQUEST_FILE} 2>&1 + ret=$? + # If both schemes include just one option and those options don't + # match, then the test should fail; otherwise, assume that it works. + if [ "${cscheme#*,}" = "$cscheme" -a \ + "${sscheme#*,}" = "$sscheme" -a \ + "$cscheme" != "$sscheme" ]; then + expected=254 + else + expected=0 + fi + html_msg $ret $expected "${testname}" \ + "produced a returncode of $ret, expected is $expected" + kill_selfserv + done + done + NO_ECC_CERTS=0 + + html "
" +} ############################## ssl_cleanup ############################# # local shell function to finish this script (no exit since it might be @@ -1152,6 +1254,7 @@ ssl_run() ;; "cov") ssl_cov + ssl_cov_rsa_pss ;; "auth") ssl_auth @@ -1162,6 +1265,9 @@ ssl_run() "dtls") ssl_dtls ;; + "scheme") + ssl_scheme + ;; esac done } @@ -1182,9 +1288,9 @@ ssl_run_all() # in FIPS mode, so cope with that. Note there's also semicolon in here # but it doesn't need escaping/quoting; the shell copes. if [ "${CLIENT_MODE}" = "fips" ]; then - USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser" + USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser" else - USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser" + USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser" fi NORM_EXT="" cd ${CLIENTDIR} @@ -1346,4 +1452,3 @@ ssl_run_tests() ssl_init ssl_run_tests ssl_cleanup - diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt index 1eb7f47de..93f247b96 100644 --- a/security/nss/tests/ssl/sslcov.txt +++ b/security/nss/tests/ssl/sslcov.txt @@ -141,3 +141,8 @@ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +# +# Test against server with RSA-PSS server certificate +# + ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - RSA-PSS + ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - RSA-PSS diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt index a87eedad7..44794f10f 100644 --- a/security/nss/tests/ssl/sslstress.txt +++ b/security/nss/tests/ssl/sslstress.txt @@ -12,9 +12,6 @@ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) noECC 0 -u -V_ssl3:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) - noECC 0 -z -V_ssl3:tls1.2_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) - noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) - noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) # @@ -24,10 +21,6 @@ noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth, no login) noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) noECC 0 -r_-r_-u -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) - noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) - noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) - noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) - noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh index eef77f16f..6c088d8a6 100755 --- a/security/nss/tests/ssl_gtests/ssl_gtests.sh +++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh @@ -19,55 +19,6 @@ # ######################################################################## -# Generate input to certutil -certscript() { - ca=n - while [ $# -gt 0 ]; do - case $1 in - sign) echo 0 ;; - kex) echo 2 ;; - ca) echo 5;echo 6;ca=y ;; - esac; shift - done; - echo 9 - echo n - echo $ca - echo - echo n -} - -# $1: name -# $2: type -# $3+: usages: sign or kex -make_cert() { - name=$1 - type=$2 - unset type_args trust sign - case $type in - dsa) type_args='-g 1024' ;; - rsa) type_args='-g 1024' ;; - rsa2048) type_args='-g 2048';type=rsa ;; - rsa8192) type_args='-g 8192';type=rsa ;; - rsapss) type_args='-g 1024 --pss';type=rsa ;; - p256) type_args='-q nistp256';type=ec ;; - p384) type_args='-q secp384r1';type=ec ;; - p521) type_args='-q secp521r1';type=ec ;; - rsa_ca) type_args='-g 1024';trust='CT,CT,CT';type=rsa ;; - rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;; - rsapss_ca) type_args='-g 1024 --pss';trust='CT,CT,CT';type=rsa ;; - rsapss_chain) type_args='-g 1024';sign='-c rsa_pss_ca';type=rsa;; - rsa_ca_rsapss_chain) type_args='-g 1024 --pss-sign';sign='-c rsa_ca';type=rsa;; - ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;; - esac - shift 2 - counter=$(($counter + 1)) - certscript $@ | ${BINDIR}/certutil -S \ - -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \ - -n $name -s "CN=$name" -t ${trust:-,,} ${sign:--x} -m $counter \ - -w -2 -v 120 -k $type $type_args -Z SHA256 -1 -2 - html_msg $? 0 "create certificate: $@" -} - ssl_gtest_certs() { mkdir -p "${SSLGTESTDIR}" cd "${SSLGTESTDIR}" @@ -80,6 +31,10 @@ ssl_gtest_certs() { ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1 html_msg $? 0 "create ssl_gtest database" + pushd "${QADIR}" + . common/certsetup.sh + popd + counter=0 make_cert client rsa sign make_cert rsa rsa sign kex @@ -87,6 +42,9 @@ ssl_gtest_certs() { make_cert rsa8192 rsa8192 sign kex make_cert rsa_sign rsa sign make_cert rsa_pss rsapss sign + make_cert rsa_pss384 rsapss384 sign + make_cert rsa_pss512 rsapss512 sign + make_cert rsa_pss_noparam rsapss_noparam sign make_cert rsa_decrypt rsa kex make_cert ecdsa256 p256 sign make_cert ecdsa384 p384 sign diff --git a/security/nss/tests/tlsfuzzer/config.json.in b/security/nss/tests/tlsfuzzer/config.json.in new file mode 100644 index 000000000..051bae2be --- /dev/null +++ b/security/nss/tests/tlsfuzzer/config.json.in @@ -0,0 +1,166 @@ +[ + { + "server_command": [ + "@SELFSERV@", "-w", "nss", "-d", "@SERVERDIR@", + "-V", "tls1.0:", "-H", "1", + "-n", "rsa", + "-n", "rsa-pss", + "-J", "rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,rsa_pss_pss_sha256", + "-u", "-Z", "-p", "@PORT@" + ], + "server_hostname": "@HOSTADDR@", + "server_port": @PORT@, + "tests" : [ + { + "name" : "test-tls13-conversation.py", + "arguments": [ + "-p", "@PORT@" + ] + }, + { + "name" : "test-tls13-count-tickets.py", + "arguments": [ + "-p", "@PORT@", "-t", "1" + ] + }, + { + "name" : "test-tls13-dhe-shared-secret-padding.py", + "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1305243", + "arguments": [ + "-p", "@PORT@", + "-e", "TLS 1.3 with x448" + ] + }, + { + "name" : "test-tls13-empty-alert.py", + "arguments": [ + "-p", "@PORT@" + ], + "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1471656", + "exp_pass": false + }, + { + "name" : "test-tls13-ffdhe-sanity.py", + "arguments": [ + "-p", "@PORT@" + ] + }, + { + "name" : "test-tls13-finished.py", + "arguments": [ + "-p", "@PORT@" + ], + "comment" : "https://bugzilla.mozilla.org/show_bug.cgi?id=1472747", + "exp_pass": false + }, + { + "name" : "test-tls13-0rtt-garbage.py", + "comment": "the disabled test timeouts because of https://bugzilla.mozilla.org/show_bug.cgi?id=1472747", + "arguments": [ + "-p", "@PORT@", "--cookie", + "-e", "undecryptable record later in handshake together with early_data" + ] + }, + { + "name" : "test-tls13-hrr.py", + "arguments": [ + "-p", "@PORT@", "--cookie" + ] + }, + { + "name" : "test-tls13-legacy-version.py", + "arguments": [ + "-p", "@PORT@" + ], + "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1490006", + "exp_pass": false + }, + { + "name" : "test-tls13-nociphers.py", + "arguments": [ + "-p", "@PORT@" + ] + }, + { + "name" : "test-tls13-pkcs-signature.py", + "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1489997", + "arguments": [ + "-p", "@PORT@", + "-e", "rsa_pkcs1_sha256 signature", + "-e", "rsa_pkcs1_sha384 signature", + "-e", "rsa_pkcs1_sha512 signature" + ] + }, + { + "name" : "test-tls13-rsa-signatures.py", + "comment": "selfserv can be set up to use multiple certs, but only one for each auth type", + "arguments": [ + "-p", "@PORT@", "-b", + "-e", "tls13 signature rsa_pss_pss_sha384", + "-e", "tls13 signature rsa_pss_pss_sha512" + ] + }, + { + "name" : "test-tls13-rsapss-signatures.py", + "comment": "selfserv can be set up to use multiple certs, but only one to each auth type", + "arguments": [ + "-p", "@PORT@", "-b", + "-e", "tls13 signature rsa_pss_pss_sha384", + "-e", "tls13 signature rsa_pss_pss_sha512" + ] + }, + { + "name" : "test-tls13-record-padding.py", + "arguments": [ + "-p", "@PORT@" + ] + }, + { + "name" : "test-tls13-session-resumption.py", + "arguments": [ + "-p", "@PORT@" + ] + }, + { + "name" : "test-tls13-signature-algorithms.py", + "arguments": [ + "-p", "@PORT@" + ], + "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1482386", + "exp_pass": false + }, + { + "name" : "test-tls13-unrecognised-groups.py", + "arguments": [ + "-p", "@PORT@", "--cookie" + ] + }, + { + "name" : "test-tls13-version-negotiation.py", + "comment": "the disabled test timeouts because of https://github.com/tomato42/tlsfuzzer/issues/452", + "arguments": [ + "-p", "@PORT@", + "-e", "SSL 2.0 ClientHello with TLS 1.3 version and TLS 1.3 only ciphersuites" + ] + }, + { + "name" : "test-tls13-zero-length-data.py", + "arguments": [ + "-p", "@PORT@" + ] + }, + { + "name" : "test-dhe-no-shared-secret-padding.py", + "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1494221 and SSLv3 cannot be enabled in server", + "arguments": [ + "-p", "@PORT@", + "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", + "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", + "-e", "Protocol (3, 2) in SSLv2 compatible ClientHello", + "-e", "Protocol (3, 3) in SSLv2 compatible ClientHello", + "-e", "Protocol (3, 0)" + ] + } + ] + } +] diff --git a/security/nss/tests/tlsfuzzer/tlsfuzzer.sh b/security/nss/tests/tlsfuzzer/tlsfuzzer.sh new file mode 100644 index 000000000..ecc146c24 --- /dev/null +++ b/security/nss/tests/tlsfuzzer/tlsfuzzer.sh @@ -0,0 +1,110 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/tlsfuzzer/tlsfuzzer.sh +# +# Script to drive the ssl tlsfuzzer interop unit tests +# +######################################################################## + +tlsfuzzer_certs() +{ + PROFILEDIR=`pwd` + + ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1 + html_msg $? 0 "create tlsfuzzer database" + + pushd "${QADIR}" + . common/certsetup.sh + popd + + counter=0 + make_cert rsa rsa2048 sign kex + make_cert rsa-pss rsapss sign kex +} + +tlsfuzzer_init() +{ + SCRIPTNAME="tlsfuzzer.sh" + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then + cd ../common + . ./init.sh + fi + + mkdir -p "${HOSTDIR}/tlsfuzzer" + pushd "${HOSTDIR}/tlsfuzzer" + tlsfuzzer_certs + + TLSFUZZER=${TLSFUZZER:=tlsfuzzer} + if [ ! -d "$TLSFUZZER" ]; then + # Can't use git-copy.sh here, as tlsfuzzer doesn't have any tags + git clone -q https://github.com/tomato42/tlsfuzzer/ "$TLSFUZZER" + git -C "$TLSFUZZER" checkout a40ce4085052a4da9a05f9149b835a76c194a0c6 + + # We could use tlslite-ng from pip, but the pip command installed + # on TC is too old to support --pre + ${QADIR}/../fuzz/config/git-copy.sh https://github.com/tomato42/tlslite-ng/ v0.8.0-alpha18 tlslite-ng + + pushd "$TLSFUZZER" + ln -s ../tlslite-ng/tlslite tlslite + popd + + # Install tlslite-ng dependencies + ${QADIR}/../fuzz/config/git-copy.sh https://github.com/warner/python-ecdsa master python-ecdsa + ${QADIR}/../fuzz/config/git-copy.sh https://github.com/benjaminp/six master six + + pushd "$TLSFUZZER" + ln -s ../python-ecdsa/src/ecdsa ecdsa + ln -s ../six/six.py . + popd + fi + + # Find usable port + PORT=${PORT-8443} + while true; do + "${BINDIR}/selfserv" -w nss -d "${HOSTDIR}/tlsfuzzer" -n rsa \ + -p "${PORT}" -i selfserv.pid & + [ -f selfserv.pid ] || sleep 5 + if [ -f selfserv.pid ]; then + kill $(cat selfserv.pid) + wait $(cat selfserv.pid) + rm -f selfserv.pid + break + fi + PORT=$(($PORT + 1)) + done + + sed -e "s|@PORT@|${PORT}|g" \ + -e "s|@SELFSERV@|${BINDIR}/selfserv|g" \ + -e "s|@SERVERDIR@|${HOSTDIR}/tlsfuzzer|g" \ + -e "s|@HOSTADDR@|${HOSTADDR}|g" \ + ${QADIR}/tlsfuzzer/config.json.in > ${TLSFUZZER}/config.json + popd + + SCRIPTNAME="tlsfuzzer.sh" + html_head "tlsfuzzer test" +} + +tlsfuzzer_cleanup() +{ + cd ${QADIR} + . common/cleanup.sh +} + +tlsfuzzer_run_tests() +{ + pushd "${HOSTDIR}/tlsfuzzer/${TLSFUZZER}" + PYTHONPATH=. python tests/scripts_retention.py config.json "${BINDIR}/selfserv" + html_msg $? 0 "tlsfuzzer" "Run successfully" + popd +} + +cd "$(dirname "$0")" +tlsfuzzer_init +tlsfuzzer_run_tests +tlsfuzzer_cleanup -- cgit v1.2.3