Bug 1296266 - Land NSS_3_27_BETA1, r=kaie

--HG--
extra : amend_source : 1408228c898d6683a384508ca2154fc9d8895e81
Franziskus Kiefer 2016-08-19 11:20:21 +02:00
Родитель d8e57bddcc
Коммит d75c53e790
245 изменённых файлов: 27982 добавлений и 25776 удалений


@ -2143,7 +2143,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
_USE_SYSTEM_NSS=1 )
if test -n "$_USE_SYSTEM_NSS"; then
AM_PATH_NSS(3.26, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
AM_PATH_NSS(3.27, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
fi
if test -n "$MOZ_SYSTEM_NSS"; then


@ -1 +1 @@
NSS_3_26_RTM
NSS_3_27_BETA1


@ -199,7 +199,7 @@ test_nss()
print_log "$ cd ${HGDIR}/nss/tests"
cd ${HGDIR}/nss/tests
print_log "$ ./all.sh"
./all.sh 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #"
./all.sh 2>&1 | tee ${LOG_TMP} | egrep ${GREP_BUFFER} ": #|^\[.{10}\] "
OUTPUTFILE=${LOG_TMP}
fi
@ -208,7 +208,7 @@ test_nss()
RET=$?
print_log "######## details of detected failures (if any) ########"
grep -B50 FAIL ${OUTPUTFILE}
grep -B50 FAILED ${OUTPUTFILE}
[ $? -eq 1 ] || RET=1
print_result "NSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
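Review bot: The failure scan appears to be narrowed from `grep -B50 FAIL` to `grep -B50 FAILED`, so a result line that reports a failure as "FAIL" or "Failure" no longer forces `RET=1` and the run can be reported as passing. Nothing in the hunk records which output formats the new pattern is meant to cover; a comment above the grep naming the result-line formats it relies on would make the assumption checkable. `${OUTPUTFILE}` is also expanded unquoted here. What `RET=$?` captures is set outside the visible lines, and test_nss starts and ends outside the hunk.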


@ -1,7 +1,7 @@
echo running > ..\buildbot-is-building
echo running: "%MOZILLABUILD%\msys\bin\bash" -c "hg/tinder/buildbot/build.sh %*"
"%MOZILLABUILD%\msys\bin\bash" -c "hg/tinder/buildbot/build.sh %*"
echo running: "%MOZILLABUILD%\msys\bin\bash" -c "hg/nss/automation/buildbot-slave/build.sh %*"
"%MOZILLABUILD%\msys\bin\bash" -c "hg/nss/automation/buildbot-slave/build.sh %*"
if %errorlevel% neq 0 (
set EXITCODE=1


@ -0,0 +1,250 @@
#!/usr/bin/python
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
import os
import sys
import datetime
import shutil
import glob
from optparse import OptionParser
from subprocess import check_call
nssutil_h = "lib/util/nssutil.h"
softkver_h = "lib/softoken/softkver.h"
nss_h = "lib/nss/nss.h"
nssckbi_h = "lib/ckfw/builtins/nssckbi.h"
def check_call_noisy(cmd, *args, **kwargs):
print "Executing command:", cmd
check_call(cmd, *args, **kwargs)
o = OptionParser(usage="client.py [options] remove_beta | set_beta | print_library_versions | print_root_ca_version | set_root_ca_version | set_version_to_minor_release | set_version_to_patch_release | set_release_candidate_number | set_4_digit_release_number | create_nss_release_archive")
try:
options, args = o.parse_args()
action = args[0]
except IndexError:
o.print_help()
sys.exit(2)
def exit_with_failure(what):
print "failure: ", what
sys.exit(2)
def check_files_exist():
if (not os.path.exists(nssutil_h) or not os.path.exists(softkver_h)
or not os.path.exists(nss_h) or not os.path.exists(nssckbi_h)):
exit_with_failure("cannot find expected header files, must run from inside NSS hg directory")
def sed_inplace(sed_expression, filename):
backup_file = filename + '.tmp'
check_call_noisy(["sed", "-i.tmp", sed_expression, filename])
os.remove(backup_file)
def toggle_beta_status(is_beta):
check_files_exist()
if (is_beta):
print "adding Beta status to version numbers"
sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"[0-9.]\+\)\" *$/\\1 Beta\"/', nssutil_h)
sed_inplace('s/^\(#define *NSSUTIL_BETA *\)PR_FALSE *$/\\1PR_TRUE/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"[0-9.]\+\" *SOFTOKEN_ECC_STRING\) *$/\\1 \" Beta"/', softkver_h)
sed_inplace('s/^\(#define *SOFTOKEN_BETA *\)PR_FALSE *$/\\1PR_TRUE/', softkver_h)
sed_inplace('s/^\(#define *NSS_VERSION *\"[0-9.]\+\" *_NSS_CUSTOMIZED\) *$/\\1 \" Beta"/', nss_h)
sed_inplace('s/^\(#define *NSS_BETA *\)PR_FALSE *$/\\1PR_TRUE/', nss_h)
else:
print "removing Beta status from version numbers"
sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"[0-9.]\+\) *Beta\" *$/\\1\"/', nssutil_h)
sed_inplace('s/^\(#define *NSSUTIL_BETA *\)PR_TRUE *$/\\1PR_FALSE/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"[0-9.]\+\" *SOFTOKEN_ECC_STRING\) *\" *Beta\" *$/\\1/', softkver_h)
sed_inplace('s/^\(#define *SOFTOKEN_BETA *\)PR_TRUE *$/\\1PR_FALSE/', softkver_h)
sed_inplace('s/^\(#define *NSS_VERSION *\"[0-9.]\+\" *_NSS_CUSTOMIZED\) *\" *Beta\" *$/\\1/', nss_h)
sed_inplace('s/^\(#define *NSS_BETA *\)PR_TRUE *$/\\1PR_FALSE/', nss_h)
print "please run 'hg stat' and 'hg diff' to verify the files have been verified correctly"
def print_beta_versions():
check_call_noisy(["egrep", "#define *NSSUTIL_VERSION|#define *NSSUTIL_BETA", nssutil_h])
check_call_noisy(["egrep", "#define *SOFTOKEN_VERSION|#define *SOFTOKEN_BETA", softkver_h])
check_call_noisy(["egrep", "#define *NSS_VERSION|#define *NSS_BETA", nss_h])
def remove_beta_status():
print "--- removing beta flags. Existing versions were:"
print_beta_versions()
toggle_beta_status(False)
print "--- finished modifications, new versions are:"
print_beta_versions()
def set_beta_status():
print "--- adding beta flags. Existing versions were:"
print_beta_versions()
toggle_beta_status(True)
print "--- finished modifications, new versions are:"
print_beta_versions()
def print_library_versions():
check_files_exist()
check_call_noisy(["egrep", "#define *NSSUTIL_VERSION|#define NSSUTIL_VMAJOR|#define *NSSUTIL_VMINOR|#define *NSSUTIL_VPATCH|#define *NSSUTIL_VBUILD|#define *NSSUTIL_BETA", nssutil_h])
check_call_noisy(["egrep", "#define *SOFTOKEN_VERSION|#define SOFTOKEN_VMAJOR|#define *SOFTOKEN_VMINOR|#define *SOFTOKEN_VPATCH|#define *SOFTOKEN_VBUILD|#define *SOFTOKEN_BETA", softkver_h])
check_call_noisy(["egrep", "#define *NSS_VERSION|#define NSS_VMAJOR|#define *NSS_VMINOR|#define *NSS_VPATCH|#define *NSS_VBUILD|#define *NSS_BETA", nss_h])
def print_root_ca_version():
check_files_exist()
check_call_noisy(["grep", "define *NSS_BUILTINS_LIBRARY_VERSION", nssckbi_h])
def ensure_arguments_after_action(how_many, usage):
if (len(sys.argv) != (2+how_many)):
exit_with_failure("incorrect number of arguments, expected parameters are:\n" + usage)
def set_major_versions(major):
sed_inplace('s/^\(#define *NSSUTIL_VMAJOR *\).*$/\\1' + major + '/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VMAJOR *\).*$/\\1' + major + '/', softkver_h)
sed_inplace('s/^\(#define *NSS_VMAJOR *\).*$/\\1' + major + '/', nss_h)
def set_minor_versions(minor):
sed_inplace('s/^\(#define *NSSUTIL_VMINOR *\).*$/\\1' + minor + '/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VMINOR *\).*$/\\1' + minor + '/', softkver_h)
sed_inplace('s/^\(#define *NSS_VMINOR *\).*$/\\1' + minor + '/', nss_h)
def set_patch_versions(patch):
sed_inplace('s/^\(#define *NSSUTIL_VPATCH *\).*$/\\1' + patch + '/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VPATCH *\).*$/\\1' + patch + '/', softkver_h)
sed_inplace('s/^\(#define *NSS_VPATCH *\).*$/\\1' + patch + '/', nss_h)
def set_build_versions(build):
sed_inplace('s/^\(#define *NSSUTIL_VBUILD *\).*$/\\1' + build + '/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VBUILD *\).*$/\\1' + build + '/', softkver_h)
sed_inplace('s/^\(#define *NSS_VBUILD *\).*$/\\1' + build + '/', nss_h)
def set_full_lib_versions(version):
sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', softkver_h)
sed_inplace('s/^\(#define *NSS_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', nss_h)
def set_root_ca_version():
ensure_arguments_after_action(2, "major_version minor_version")
major = args[1].strip()
minor = args[2].strip()
version = major + '.' + minor
sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION *\"\).*$/\\1' + version + '/', nssckbi_h)
sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MAJOR *\).*$/\\1' + major + '/', nssckbi_h)
sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MINOR *\).*$/\\1' + minor + '/', nssckbi_h)
def set_all_lib_versions(version, major, minor, patch, build):
set_full_lib_versions(version)
set_major_versions(major)
set_minor_versions(minor)
set_patch_versions(patch)
set_build_versions(build)
def set_version_to_minor_release():
ensure_arguments_after_action(2, "major_version minor_version")
major = args[1].strip()
minor = args[2].strip()
version = major + '.' + minor
patch = "0"
build = "0"
set_all_lib_versions(version, major, minor, patch, build)
def set_version_to_patch_release():
ensure_arguments_after_action(3, "major_version minor_version patch_release")
major = args[1].strip()
minor = args[2].strip()
patch = args[3].strip()
version = major + '.' + minor + '.' + patch
build = "0"
set_all_lib_versions(version, major, minor, patch, build)
def set_release_candidate_number():
ensure_arguments_after_action(1, "release_candidate_number")
build = args[1].strip()
set_build_versions(build)
def set_4_digit_release_number():
ensure_arguments_after_action(4, "major_version minor_version patch_release 4th_digit_release_number")
major = args[1].strip()
minor = args[2].strip()
patch = args[3].strip()
build = args[4].strip()
version = major + '.' + minor + '.' + patch + '.' + build
set_all_lib_versions(version, major, minor, patch, build)
def create_nss_release_archive():
ensure_arguments_after_action(4, "nss_release_version nss_hg_release_tag nspr_release_version path_to_stage_directory")
nssrel = args[1].strip() #e.g. 3.19.3
nssreltag = args[2].strip() #e.g. NSS_3_19_3_RTM
nsprrel = args[3].strip() #e.g. 4.10.8
stagedir = args[4].strip() #e.g. ../stage
nspr_tar = "nspr-" + nsprrel + ".tar.gz"
nsprtar_with_path= stagedir + "/v" + nsprrel + "/src/" + nspr_tar
if (not os.path.exists(nsprtar_with_path)):
exit_with_failure("cannot find nspr archive at expected location " + nsprtar_with_path)
nss_stagedir= stagedir + "/" + nssreltag + "/src"
if (os.path.exists(nss_stagedir)):
exit_with_failure("nss stage directory already exists: " + nss_stagedir)
nss_tar = "nss-" + nssrel + ".tar.gz"
check_call_noisy(["mkdir", "-p", nss_stagedir])
check_call_noisy(["hg", "archive", "-r", nssreltag, "--prefix=nss-" + nssrel + "/nss",
stagedir + "/" + nssreltag + "/src/" + nss_tar, "-X", ".hgtags"])
check_call_noisy(["tar", "-xz", "-C", nss_stagedir, "-f", nsprtar_with_path])
print "changing to directory " + nss_stagedir
os.chdir(nss_stagedir)
check_call_noisy(["tar", "-xz", "-f", nss_tar])
check_call_noisy(["mv", "-i", "nspr-" + nsprrel + "/nspr", "nss-" + nssrel + "/"])
check_call_noisy(["rmdir", "nspr-" + nsprrel])
nss_nspr_tar = "nss-" + nssrel + "-with-nspr-" + nsprrel + ".tar.gz"
check_call_noisy(["tar", "-cz", "--remove-files", "-f", nss_nspr_tar, "nss-" + nssrel])
check_call("sha1sum " + nss_tar + " " + nss_nspr_tar + " > SHA1SUMS", shell=True)
check_call("sha256sum " + nss_tar + " " + nss_nspr_tar + " > SHA256SUMS", shell=True)
print "created directory " + nss_stagedir + " with files:"
check_call_noisy(["ls", "-l"])
if action in ('remove_beta'):
remove_beta_status()
elif action in ('set_beta'):
set_beta_status()
elif action in ('print_library_versions'):
print_library_versions()
elif action in ('print_root_ca_version'):
print_root_ca_version()
elif action in ('set_root_ca_version'):
set_root_ca_version()
# x.y version number - 2 parameters
elif action in ('set_version_to_minor_release'):
set_version_to_minor_release()
# x.y.z version number - 3 parameters
elif action in ('set_version_to_patch_release'):
set_version_to_patch_release()
# change the release candidate number, usually increased by one,
# usually if previous release candiate had a bug
# 1 parameter
elif action in ('set_release_candidate_number'):
set_release_candidate_number()
# use the build/release candiate number in the identifying version number
# 4 parameters
elif action in ('set_4_digit_release_number'):
set_4_digit_release_number()
elif action in ('create_nss_release_archive'):
create_nss_release_archive()
else:
o.print_help()
sys.exit(2)
sys.exit(0)
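Review bot: The two checksum commands at the end of create_nss_release_archive are built by string concatenation and run with `shell=True`, so a version argument containing a space or a shell metacharacter changes the command that runs; every other call in the function already passes an argument list. Passing a list and redirecting through `stdout=` removes the shell, as in the fence below. Separately, the dispatch at the bottom tests `action in ('remove_beta')`, which is substring matching against a plain string because the parentheses do not make a tuple, so an action such as `beta` or an empty string runs remove_beta_status(); `action == 'remove_beta'` is what is meant, and likewise for the other branches. The version arguments are also interpolated into sed expressions unchecked, so rejecting anything that is not digits before calling sed_inplace would be worth adding.

```python
    nss_nspr_tar = "nss-" + nssrel + "-with-nspr-" + nsprrel + ".tar.gz"
    # ... unchanged: tar -cz of the combined archive ...
    with open("SHA1SUMS", "w") as sums:
        check_call(["sha1sum", nss_tar, nss_nspr_tar], stdout=sums)
    with open("SHA256SUMS", "w") as sums:
        check_call(["sha256sum", nss_tar, nss_nspr_tar], stdout=sums)
```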


@ -57,12 +57,14 @@ tasks:
- "tc-treeherder.v2.{{project}}.{{revision}}.{{pushlog_id}}"
payload:
image: "ttaubert/nss-ci:0.0.17"
image: "ttaubert/nss-ci:0.0.22"
env:
TC_OWNER: {{owner}}
TC_SOURCE: {{{source}}}
TC_PROJECT: {{project}}
TC_COMMENT: '{{comment}}'
TC_IMAGE: "ttaubert/nss-ci:0.0.22"
NSS_PUSHLOG_ID: '{{pushlog_id}}'
NSS_HEAD_REPOSITORY: '{{{url}}}'
NSS_HEAD_REVISION: '{{revision}}'
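Review bot: The CI image is referenced by a mutable tag, `ttaubert/nss-ci:0.0.22`, from a personal registry namespace, so the content every task executes can change without any change in this tree. If the worker accepts digest references, pinning as `image: "ttaubert/nss-ci@sha256:<digest>"` (placeholder) makes the reference immutable. The same applies to `ttaubert/nss-rpi-ci:0.0.3` in the two new ARM task definitions and to `FROM armv7/armhf-ubuntu:16.04` in the new Dockerfile. The tag is also now written twice in this hunk, in `image:` and in `TC_IMAGE`, and the two have to be bumped together; a comment next to one of them saying so would prevent them drifting apart.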


@ -0,0 +1,27 @@
FROM armv7/armhf-ubuntu:16.04
MAINTAINER Tim Taubert <ttaubert@mozilla.com>
RUN useradd -d /home/worker -s /bin/bash -m worker
WORKDIR /home/worker
# Add build and test scripts.
ADD bin /home/worker/bin
RUN chmod +x /home/worker/bin/*
# Install dependencies.
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV HOSTNAME taskcluster-worker
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV HOST localhost
ENV DOMSUF localdomain
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
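Review bot: No `USER` instruction is set, so the default `CMD` shell and every task command start as root; bin/checkout.sh drops to `worker` through `su` for itself, but whether the build and test scripts chained after it do the same is not visible here. Adding `USER worker` after `RUN bash /tmp/setup.sh` would make the unprivileged account the default, and checkout.sh would then simply skip its `su` branch. `ADD` is used for plain local files where `COPY` is the narrower instruction.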


@ -0,0 +1,20 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1
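Review bot: `$REVISION`, `$REPOSITORY` and `$0` are expanded unquoted, and the first two come from the task environment (NSS_HEAD_REVISION, NSS_HEAD_REPOSITORY), so a value containing whitespace is split into extra arguments and a repository value starting with `-` is read by hg as an option. Quote them and end option parsing before the URL: `hg clone -r "$REVISION" -- "$REPOSITORY" nss && exit 0`, and `exec su worker "$0"`. The same unquoted clone appears in the retry loop added to the existing checkout script and in the `bash -c` clone command of the Windows build task. A one-line comment stating that the loop makes three attempts with 0, 2 and 5 second delays would also help the next reader.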


@ -0,0 +1,39 @@
#!/usr/bin/env bash
set -v -e -x
export DEBIAN_FRONTEND=noninteractive
# Update.
apt-get -y update
apt-get -y dist-upgrade
apt_packages=()
apt_packages+=('build-essential')
apt_packages+=('ca-certificates')
apt_packages+=('curl')
apt_packages+=('python-dev')
apt_packages+=('python-pip')
apt_packages+=('python-setuptools')
apt_packages+=('zlib1g-dev')
# Install packages.
apt-get install -y --no-install-recommends ${apt_packages[@]}
# Latest Mercurial.
pip install --upgrade pip
pip install Mercurial
# Compiler options.
update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 30
update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 30
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# Cleanup.
rm -rf ~/.ccache ~/.cache
apt-get autoremove -y
apt-get clean
apt-get autoclean
rm $0
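Review bot: `pip install --upgrade pip` and `pip install Mercurial` run as root during the image build and take whatever release the index serves that day, so the tool that later fetches the source is neither reproducible nor integrity-checked. Pin an exact release, `pip install 'Mercurial==<pinned-version>'` (placeholder), or install from a requirements file with `--require-hashes`. The array and script path should also be quoted: `"${apt_packages[@]}"` and `rm "$0"`.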


@ -12,4 +12,9 @@ REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
hg clone -r $REVISION $REPOSITORY nss
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1


@ -2,14 +2,21 @@
set -v -e -x
# Update packages.
export DEBIAN_FRONTEND=noninteractive
apt-get -y update && apt-get -y upgrade
# Need this to add keys for PPAs below.
apt-get install -y --no-install-recommends apt-utils
apt_packages=()
apt_packages+=('build-essential')
apt_packages+=('ca-certificates')
apt_packages+=('curl')
apt_packages+=('mercurial')
apt_packages+=('npm')
apt_packages+=('git')
apt_packages+=('valgrind')
apt_packages+=('ninja-build')
apt_packages+=('pkg-config')
apt_packages+=('zlib1g-dev')
# 32-bit builds
@ -17,17 +24,12 @@ apt_packages+=('lib32z1-dev')
apt_packages+=('gcc-multilib')
apt_packages+=('g++-multilib')
# Install prerequisites.
apt-get -y update
export DEBIAN_FRONTEND=noninteractive
apt-get install -y --no-install-recommends curl apt-utils
# Latest Mercurial.
apt_packages+=('mercurial')
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
# Install the first round of packages.
apt-get -y update
apt-get install -y --no-install-recommends ${apt_packages[@]}
# gcc 6
apt_packages=()
# gcc 4.8 and 6
apt_packages+=('g++-6')
apt_packages+=('g++-4.8')
apt_packages+=('g++-6-multilib')
@ -35,7 +37,7 @@ apt_packages+=('g++-4.8-multilib')
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 60C317803A41BA51845E371A1E9377A2BA9EF27F
echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu xenial main" > /etc/apt/sources.list.d/toolchain.list
# Install the second round of packages.
# Install packages.
apt-get -y update
apt-get install -y --no-install-recommends ${apt_packages[@]}
@ -58,11 +60,9 @@ update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 30
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# Install required Node modules.
su -c "npm install flatmap js-yaml merge slugid" worker
# Cleanup.
rm -rf ~/.ccache ~/.cache
apt-get autoremove -y
apt-get clean
apt-get autoclean
rm $0


@ -0,0 +1,40 @@
---
reruns: 2
task:
created: !from_now 0
deadline: !from_now 24
provisionerId: localprovisioner
workerType: nss-rpi
schedulerId: task-graph-scheduler
metadata:
owner: !env TC_OWNER
source: !env TC_SOURCE
payload:
maxRunTime: 7200
image: ttaubert/nss-rpi-ci:0.0.3
artifacts:
public:
type: directory
path: /home/worker/artifacts
expires: !from_now 24
command:
- "/bin/bash"
- "-c"
- "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
env:
NSS_HEAD_REPOSITORY: !env NSS_HEAD_REPOSITORY
NSS_HEAD_REVISION: !env NSS_HEAD_REVISION
GCC_VERSION: gcc-5
GXX_VERSION: g++-5
extra:
treeherder:
tier: 3 # hide jobs by default
jobKind: build
symbol: B


@ -0,0 +1,27 @@
---
reruns: 2
task:
created: !from_now 0
deadline: !from_now 24
provisionerId: localprovisioner
workerType: nss-rpi
schedulerId: task-graph-scheduler
metadata:
owner: !env TC_OWNER
source: !env TC_SOURCE
payload:
maxRunTime: 7200
image: ttaubert/nss-rpi-ci:0.0.3
command:
- "/bin/bash"
- "-c"
- "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
extra:
treeherder:
tier: 3 # hide jobs by default
jobKind: test


@ -0,0 +1,29 @@
---
- task:
metadata:
name: "Linux 32 (ARM, debug)"
description: "Linux 32 (ARM, debug)"
extra:
treeherder:
build:
platform: linux32
machine:
platform: linux32
collection:
arm-debug: true
tests:
- chains
- cipher
- crmf
- db
- ec
- fips
- gtests
- lowhash
- merge
- sdr
- smime
- ssl
- tools


@ -8,13 +8,14 @@ var merge = require("merge");
var yaml = require("js-yaml");
var slugid = require("slugid");
var flatmap = require("flatmap");
var try_syntax = require("./try_syntax");
// Default values for debugging.
var TC_OWNER = process.env.TC_OWNER || "{{tc_owner}}";
var TC_SOURCE = process.env.TC_SOURCE || "{{tc_source}}";
var TC_PROJECT = process.env.TC_PROJECT || "{{tc_project}}";
var TC_COMMENT = process.env.TC_COMMENT || "{{tc_comment}}";
var NSS_PUSHLOG_ID = process.env.NSS_PUSHLOG_ID || "{{nss_pushlog_id}}";
var NSS_HEAD_REPOSITORY = process.env.NSS_HEAD_REPOSITORY || "{{nss_head_repo}}";
var NSS_HEAD_REVISION = process.env.NSS_HEAD_REVISION || "{{nss_head_rev}}";
// Register custom YAML types.
@ -43,7 +44,7 @@ var YAML_SCHEMA = yaml.Schema.create([
},
construct: function (data) {
return process.env[data];
return process.env[data] || "{{" + data.toLowerCase() + "}}";
}
})
]);
@ -170,8 +171,13 @@ function generatePlatformTasks(platform) {
// Construct the task graph.
var graph = {
tasks: flatmap(["linux", "windows", "tools"], generatePlatformTasks)
tasks: flatmap(["linux", "windows", "arm", "tools"], generatePlatformTasks)
};
// Filter tasks when try syntax is given.
if (TC_PROJECT == "nss-try") {
graph.tasks = try_syntax.filterTasks(graph.tasks, TC_COMMENT);
}
// Output the final graph.
process.stdout.write(JSON.stringify(graph, null, 2));
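Review bot: The `!env` constructor now returns a literal such as `{{tc_image}}` when the variable is unset, so a task definition using `image: !env TC_IMAGE` is emitted with a placeholder image name instead of the decision task failing. The fallback matches the "Default values for debugging" block above it, but nothing limits it to debugging; outside that mode it would be safer to fail, e.g. `if (!(data in process.env)) throw new Error("missing environment variable: " + data);`. At minimum a comment on the fallback line should state that it exists for local runs only. The YAML schema definition starts and ends outside the hunk.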


@ -14,7 +14,7 @@ task:
payload:
maxRunTime: 3600
image: ttaubert/nss-ci:0.0.17
image: !env TC_IMAGE
artifacts:
public:
@ -35,4 +35,5 @@ task:
extra:
treeherder:
jobKind: build
symbol: B


@ -14,9 +14,13 @@ task:
payload:
maxRunTime: 3600
image: ttaubert/nss-ci:0.0.17
image: !env TC_IMAGE
command:
- "/bin/bash"
- "-c"
- "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
extra:
treeherder:
jobKind: test


@ -4,10 +4,6 @@
name: "Linux 32 (debug)"
description: "Linux 32 (debug)"
payload:
env:
NSS_ENABLE_TLS_1_3: 1
extra:
treeherder:
build:
@ -32,23 +28,6 @@
- ssl
- tools
- task:
metadata:
name: "Linux 32 (debug, no TLS 1.3)"
description: "Linux 32 (debug, no TLS 1.3)"
extra:
treeherder:
build:
platform: linux32
machine:
platform: linux32
collection:
debug: true
groupSymbol: Builds
groupName: Various builds
symbol: noTLSv1.3
- task:
metadata:
name: "Linux 32 (debug, clang-3.8)"
@ -56,7 +35,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: clang
GXX_VERSION: clang++
@ -79,7 +57,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: gcc-4.8
GXX_VERSION: g++-4.8
@ -102,7 +79,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: gcc-6
GXX_VERSION: g++-6
@ -126,7 +102,6 @@
payload:
env:
NSS_NO_PKCS11_BYPASS: 1
NSS_ENABLE_TLS_1_3: 1
extra:
treeherder:


@ -6,7 +6,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
BUILD_OPT: 1
extra:
@ -33,27 +32,6 @@
- ssl
- tools
- task:
metadata:
name: "Linux 32 (opt, no TLS 1.3)"
description: "Linux 32 (opt, no TLS 1.3)"
payload:
env:
BUILD_OPT: 1
extra:
treeherder:
build:
platform: linux32
machine:
platform: linux32
collection:
opt: true
groupSymbol: Builds
groupName: Various builds
symbol: noTLSv1.3
- task:
metadata:
name: "Linux 32 (opt, clang-3.8)"
@ -61,7 +39,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: clang
GXX_VERSION: clang++
BUILD_OPT: 1
@ -85,7 +62,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: gcc-4.8
GXX_VERSION: g++-4.8
BUILD_OPT: 1
@ -109,7 +85,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: gcc-6
GXX_VERSION: g++-6
BUILD_OPT: 1
@ -134,7 +109,6 @@
payload:
env:
NSS_NO_PKCS11_BYPASS: 1
NSS_ENABLE_TLS_1_3: 1
BUILD_OPT: 1
extra:


@ -8,7 +8,8 @@
env:
GCC_VERSION: clang
GXX_VERSION: clang++
NSS_ENABLE_TLS_1_3: 1
NSS_DISABLE_ARENA_FREE_LIST: 1
NSS_DISABLE_UNLOAD: 1
USE_ASAN: 1
USE_64: 1


@ -6,7 +6,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
USE_64: 1
extra:
@ -27,34 +26,12 @@
- fips
- gtests
- lowhash
- memleak
- merge
- sdr
- smime
- ssl
- tools
- task:
metadata:
name: "Linux 64 (debug, no TLS 1.3)"
description: "Linux 64 (debug, no TLS 1.3)"
payload:
env:
USE_64: 1
extra:
treeherder:
build:
platform: linux64
machine:
platform: linux64
collection:
debug: true
groupSymbol: Builds
groupName: Various builds
symbol: noTLSv1.3
- task:
metadata:
name: "Linux 64 (debug, clang-3.8)"
@ -62,7 +39,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: clang
GXX_VERSION: clang++
USE_64: 1
@ -86,7 +62,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: gcc-4.8
GXX_VERSION: g++-4.8
USE_64: 1
@ -110,7 +85,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: gcc-6
GXX_VERSION: g++-6
USE_64: 1
@ -135,7 +109,6 @@
payload:
env:
NSS_NO_PKCS11_BYPASS: 1
NSS_ENABLE_TLS_1_3: 1
USE_64: 1
extra:
@ -157,7 +130,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
NSS_DISABLE_LIBPKIX: 1
USE_64: 1


@ -1,38 +0,0 @@
---
- task:
metadata:
name: "Linux 64 (LSan, debug)"
description: "Linux 64 (LSan, debug)"
payload:
env:
GCC_VERSION: clang
GXX_VERSION: clang++
NSS_DISABLE_ARENA_FREE_LIST: 1
NSS_DISABLE_UNLOAD: 1
NSS_ENABLE_TLS_1_3: 1
NSS_ENABLE_LSAN: 1
USE_ASAN: 1
USE_64: 1
extra:
treeherder:
build:
platform: linux64
machine:
platform: linux64
collection:
lsan: true
tests:
- chains
- cipher
- db
- ec
- gtests
- lowhash
- merge
- sdr
- smime
- ssl
- tools


@ -6,7 +6,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
BUILD_OPT: 1
USE_64: 1
@ -34,28 +33,6 @@
- ssl
- tools
- task:
metadata:
name: "Linux 64 (opt, no TLS 1.3)"
description: "Linux 64 (opt, no TLS 1.3)"
payload:
env:
BUILD_OPT: 1
USE_64: 1
extra:
treeherder:
build:
platform: linux64
machine:
platform: linux64
collection:
opt: true
groupSymbol: Builds
groupName: Various builds
symbol: noTLSv1.3
- task:
metadata:
name: "Linux 64 (opt, clang-3.8)"
@ -63,7 +40,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: clang
GXX_VERSION: clang++
BUILD_OPT: 1
@ -88,7 +64,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: gcc-4.8
GXX_VERSION: g++-4.8
BUILD_OPT: 1
@ -113,7 +88,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
GCC_VERSION: gcc-6
GXX_VERSION: g++-6
BUILD_OPT: 1
@ -139,7 +113,6 @@
payload:
env:
NSS_NO_PKCS11_BYPASS: 1
NSS_ENABLE_TLS_1_3: 1
BUILD_OPT: 1
USE_64: 1


@ -0,0 +1,15 @@
{
"name": "decision-task",
"version": "0.0.1",
"private": true,
"author": "Tim Taubert <ttaubert@mozilla.com>",
"description": "Decision Task for NSS",
"dependencies": {
"flatmap": "0.0.3",
"intersect": "^1.0.1",
"js-yaml": "^3.6.1",
"merge": "^1.2.0",
"minimist": "^1.2.0",
"slugid": "^1.1.0"
}
}
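Review bot: Five of the six dependencies use caret ranges (`^1.0.1`, `^3.6.1`, `^1.2.0`, `^1.1.0`) and no lockfile is visible in this change, so each install can resolve to a different release of the code that generates the task graph. Pin exact versions as `flatmap` already is, for example `"js-yaml": "3.6.1"`, or commit a shrinkwrap file next to this manifest so the resolved tree is reviewed along with the change.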


@ -5,6 +5,7 @@
description: Chains tests
payload:
maxRunTime: 14400
env:
NSS_TESTS: chains


@ -6,6 +6,7 @@
payload:
env:
ASAN_OPTIONS: detect_leaks=0
NSS_TESTS: crmf
extra:
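Review bot: `ASAN_OPTIONS: detect_leaks=0` switches leak detection off for the crmf tests with nothing recording why or when it can be re-enabled; the fips test definition gets the same line. This commit also deletes the separate LSan build and the memleak test definitions, so leaks in these two suites would apparently no longer be reported by any job visible here. A YAML comment on the line, for example `# leak detection disabled for crmf: <bug reference>` (placeholder), would keep the exception traceable.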


@ -6,6 +6,7 @@
payload:
env:
ASAN_OPTIONS: detect_leaks=0
NSS_TESTS: fips
extra:


@ -1,228 +0,0 @@
---
- task:
metadata:
name: "MemLeak tests (ssl_server, standard)"
description: "MemLeak tests (ssl_server, standard)"
payload:
env:
NSS_MEMLEAK_TESTS: ssl_server
NSS_CYCLES: standard
NSS_TESTS: memleak
extra:
treeherder:
groupSymbol: Server
groupName: MemLeak tests (ssl_server)
symbol: standard
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (ssl_server, pkix)"
description: "MemLeak tests (ssl_server, pkix)"
payload:
env:
NSS_MEMLEAK_TESTS: ssl_server
NSS_CYCLES: pkix
NSS_TESTS: memleak
extra:
treeherder:
groupSymbol: Server
groupName: MemLeak tests (ssl_server)
symbol: pkix
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (ssl_server, sharedb)"
description: "MemLeak tests (ssl_server, sharedb)"
payload:
env:
NSS_MEMLEAK_TESTS: ssl_server
NSS_CYCLES: sharedb
NSS_TESTS: memleak
extra:
treeherder:
groupSymbol: Server
groupName: MemLeak tests (ssl_server)
symbol: sharedb
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (ssl_server, upgradedb)"
description: "MemLeak tests (ssl_server, upgradedb)"
payload:
env:
NSS_MEMLEAK_TESTS: ssl_server
NSS_CYCLES: upgradedb
NSS_TESTS: memleak
extra:
treeherder:
groupSymbol: Server
groupName: MemLeak tests (ssl_server)
symbol: upgradedb
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (ssl_client, standard)"
description: "MemLeak tests (ssl_client, standard)"
payload:
env:
NSS_MEMLEAK_TESTS: ssl_client
NSS_CYCLES: standard
NSS_TESTS: memleak
extra:
treeherder:
groupSymbol: Client
groupName: MemLeak tests (ssl_client)
symbol: standard
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (ssl_client, pkix)"
description: "MemLeak tests (ssl_client, pkix)"
payload:
env:
NSS_MEMLEAK_TESTS: ssl_client
NSS_TESTS: memleak
NSS_CYCLES: pkix
extra:
treeherder:
groupSymbol: Client
groupName: MemLeak tests (ssl_client)
symbol: pkix
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (ssl_client, sharedb)"
description: "MemLeak tests (ssl_client, sharedb)"
payload:
env:
NSS_MEMLEAK_TESTS: ssl_client
NSS_CYCLES: sharedb
NSS_TESTS: memleak
extra:
treeherder:
groupSymbol: Client
groupName: MemLeak tests (ssl_client)
symbol: sharedb
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (ssl_client, upgradedb)"
description: "MemLeak tests (ssl_client, upgradedb)"
payload:
env:
NSS_MEMLEAK_TESTS: ssl_client
NSS_CYCLES: upgradedb
NSS_TESTS: memleak
extra:
treeherder:
groupSymbol: Client
groupName: MemLeak tests (ssl_client)
symbol: upgradedb
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (chains, standard)"
description: "MemLeak tests (chains, standard)"
payload:
env:
NSS_MEMLEAK_TESTS: chains
NSS_CYCLES: standard
NSS_TESTS: memleak
extra:
treeherder:
groupSymbol: Chains
groupName: MemLeak tests (chains)
symbol: standard
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (chains, pkix)"
description: "MemLeak tests (chains, pkix)"
payload:
env:
NSS_MEMLEAK_TESTS: chains
NSS_TESTS: memleak
NSS_CYCLES: pkix
extra:
treeherder:
groupSymbol: Chains
groupName: MemLeak tests (chains)
symbol: pkix
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (chains, sharedb)"
description: "MemLeak tests (chains, sharedb)"
payload:
env:
NSS_MEMLEAK_TESTS: chains
NSS_CYCLES: sharedb
NSS_TESTS: memleak
extra:
treeherder:
groupSymbol: Chains
groupName: MemLeak tests (chains)
symbol: sharedb
collection:
memleak: true
- task:
metadata:
name: "MemLeak tests (chains, upgradedb)"
description: "MemLeak tests (chains, upgradedb)"
payload:
env:
NSS_MEMLEAK_TESTS: chains
NSS_CYCLES: upgradedb
NSS_TESTS: memleak
extra:
treeherder:
groupSymbol: Chains
groupName: MemLeak tests (chains)
symbol: upgradedb
collection:
memleak: true


@ -5,7 +5,7 @@
description: "SSL tests (standard)"
payload:
maxRunTime: 7200
maxRunTime: 14400
env:
NSS_CYCLES: standard
NSS_TESTS: ssl


@ -14,7 +14,7 @@ task:
payload:
maxRunTime: 3600
image: ttaubert/nss-ci:0.0.17
image: !env TC_IMAGE
env:
NSS_HEAD_REPOSITORY: !env NSS_HEAD_REPOSITORY
@ -26,3 +26,4 @@ task:
platform: nss-tools
machine:
platform: nss-tools
jobKind: test


@ -8,7 +8,7 @@
command:
- "/bin/bash"
- "-c"
- "bin/checkout.sh && nss/automation/taskcluster/scripts/run_clang_format.sh nss/lib/ssl"
- "bin/checkout.sh && nss/automation/taskcluster/scripts/run_clang_format.sh"
extra:
treeherder:


@ -19,7 +19,6 @@
env:
GCC_VERSION: clang
GXX_VERSION: clang++
NSS_ENABLE_TLS_1_3: 1
USE_64: 1
extra:


@ -0,0 +1,143 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
var intersect = require("intersect");
var parse_args = require("minimist");
function parseOptions(opts) {
opts = parse_args(opts.split(/\s+/), {
default: {build: "do", platform: "all", unittests: "none", tools: "none"},
alias: {b: "build", p: "platform", u: "unittests", t: "tools", e: "extra-builds"},
string: ["build", "platform", "unittests", "tools", "extra-builds"]
});
// Parse build types (d=debug, o=opt).
var builds = intersect(opts.build.split(""), ["d", "o"]);
// If the given value is nonsense default to debug and opt builds.
if (builds.length == 0) {
builds = ["d", "o"];
}
// Parse platforms.
var allPlatforms = ["linux", "linux64", "linux64-asan", "win64", "arm"];
var platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);
// If the given value is nonsense or "none" default to all platforms.
if (platforms.length == 0 && opts.platform != "none") {
platforms = allPlatforms;
}
// Parse unit tests.
var allUnitTests = ["crmf", "chains", "cipher", "db", "ec", "fips", "gtest",
"lowhash", "merge", "sdr", "smime", "tools", "ssl"];
var unittests = intersect(opts.unittests.split(/\s*,\s*/), allUnitTests);
// If the given value is "all" run all tests.
// If it's nonsense then don't run any tests.
if (opts.unittests == "all") {
unittests = allUnitTests;
} else if (unittests.length == 0) {
unittests = [];
}
// Parse tools.
var allTools = ["clang-format", "scan-build"];
var tools = intersect(opts.tools.split(/\s*,\s*/), allTools);
// If the given value is "all" run all tools.
// If it's nonsense then don't run any tools.
if (opts.tools == "all") {
tools = allTools;
} else if (tools.length == 0) {
tools = [];
}
return {
builds: builds,
platforms: platforms,
unittests: unittests,
extra: (opts.e == "all"),
tools: tools
};
}
function filterTasks(tasks, comment) {
// Check for try syntax in changeset comment.
var match = comment.match(/^\s*try:\s*(.*)\s*$/);
if (!match) {
return tasks;
}
var opts = parseOptions(match[1]);
return tasks.filter(function (task) {
var env = task.task.payload.env || {};
var th = task.task.extra.treeherder;
var machine = th.machine.platform;
var coll = th.collection || {};
var found;
// Filter tools. We can immediately return here as those
// are not affected by platform or build type selectors.
if (machine == "nss-tools") {
return opts.tools.some(function (tool) {
var symbol = th.symbol.toLowerCase();
return symbol.startsWith(tool);
});
}
// Filter unit tests.
if (env.NSS_TESTS && env.TC_PARENT_TASK_ID) {
found = opts.unittests.some(function (test) {
var symbol = (th.groupSymbol || th.symbol).toLowerCase();
return symbol.startsWith(test);
});
if (!found) {
return false;
}
}
// Filter extra builds.
if (th.groupSymbol == "Builds" && !opts.extra) {
return false;
}
// Filter by platform.
found = opts.platforms.some(function (platform) {
var aliases = {
"linux": "linux32",
"linux64-asan": "linux64",
"win64": "windows2012-64",
"arm": "linux32"
};
// Check the platform name.
var keep = machine == (aliases[platform] || platform);
// Additional checks.
if (platform == "linux64-asan") {
keep &= coll.asan;
} else if (platform == "arm") {
keep &= (coll["arm-opt"] || coll["arm-debug"]);
} else {
keep &= (coll.opt || coll.debug);
}
return keep;
});
if (!found) {
return false;
}
// Finally, filter by build type.
var isDebug = coll.debug || coll.asan || coll["arm-debug"];
return (isDebug && opts.builds.indexOf("d") > -1) ||
(!isDebug && opts.builds.indexOf("o") > -1);
});
}
module.exports.filterTasks = filterTasks;


@ -21,7 +21,7 @@ task:
expires: !from_now 24
command:
- "hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
- "bash -c \"hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || (sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss) || (sleep 5; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss)\""
- "bash -c nss/automation/taskcluster/windows/build.sh"
env:
@ -33,4 +33,5 @@ task:
extra:
treeherder:
jobKind: build
symbol: B
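Review bot: The inline retry in the `command:` list re-runs `hg clone … nss` after a failed attempt without clearing the destination, so an attempt that leaves a partial `nss` directory behind would make both retries fail on a non-empty target. The `hg_clone` helper added elsewhere in this commit avoids that by running `rm -rf "$dir"` between attempts; the same step fits here, e.g. `(rm -rf nss; sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss)` for each fallback. Whether Mercurial always cleans up the directory itself on failure is not shown on this page, so treat this as a guard rather than a confirmed failure mode.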


@ -18,3 +18,7 @@ task:
command:
- "hg clone -r %NSS_HEAD_REVISION% %NSS_HEAD_REPOSITORY% nss"
- "bash -c nss/automation/taskcluster/windows/run_tests.sh"
extra:
treeherder:
jobKind: test


@ -6,7 +6,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
USE_64: 1
extra:
@ -19,6 +18,7 @@
debug: true
tests:
- chains
- cipher
- crmf
- db
@ -29,29 +29,9 @@
- merge
- sdr
- smime
- ssl
- tools
- task:
metadata:
name: "Windows 2012 64 (debug, no TLS 1.3)"
description: "Windows 2012 64 (debug, no TLS 1.3)"
payload:
env:
USE_64: 1
extra:
treeherder:
build:
platform: windows2012-64
machine:
platform: windows2012-64
collection:
debug: true
groupSymbol: Builds
groupName: Various builds
symbol: noTLSv1.3
- task:
metadata:
name: "Windows 2012 64 (debug, NSS_NO_PKCS11_BYPASS=1)"
@ -60,7 +40,6 @@
payload:
env:
NSS_NO_PKCS11_BYPASS: 1
NSS_ENABLE_TLS_1_3: 1
USE_64: 1
extra:


@ -6,7 +6,6 @@
payload:
env:
NSS_ENABLE_TLS_1_3: 1
BUILD_OPT: 1
USE_64: 1
@ -20,6 +19,7 @@
opt: true
tests:
- chains
- cipher
- crmf
- db
@ -30,30 +30,9 @@
- merge
- sdr
- smime
- ssl
- tools
- task:
metadata:
name: "Windows 2012 64 (opt, no TLS 1.3)"
description: "Windows 2012 64 (opt, no TLS 1.3)"
payload:
env:
BUILD_OPT: 1
USE_64: 1
extra:
treeherder:
build:
platform: windows2012-64
machine:
platform: windows2012-64
collection:
opt: true
groupSymbol: Builds
groupName: Various builds
symbol: noTLSv1.3
- task:
metadata:
name: "Windows 2012 64 (opt, NSS_NO_PKCS11_BYPASS=1)"
@ -62,7 +41,6 @@
payload:
env:
NSS_NO_PKCS11_BYPASS: 1
NSS_ENABLE_TLS_1_3: 1
BUILD_OPT: 1
USE_64: 1


@ -2,9 +2,9 @@
set -v -e -x
if [ $(id -u) = 0 ]; then
source $(dirname $0)/tools.sh
source $(dirname $0)/tools.sh
if [[ $(id -u) -eq 0 ]]; then
# Set compiler.
switch_compilers
@ -13,12 +13,10 @@ if [ $(id -u) = 0 ]; then
fi
# Clone NSPR if needed.
if [ ! -d "nspr" ]; then
hg clone https://hg.mozilla.org/projects/nspr
fi
hg_clone https://hg.mozilla.org/projects/nspr nspr default
# Build.
cd nss && make nss_build_all && cd ..
make -C nss nss_build_all
# Generate certificates.
NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" $(dirname $0)/run_tests.sh
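Review bot: `hg_clone https://hg.mozilla.org/projects/nspr nspr default` builds against whatever the NSPR `default` head is when the task runs, so the same NSS revision can produce different results on different days and an unreviewed change on that branch flows straight into this build. Passing a fixed tag or changeset as the third argument, `hg_clone https://hg.mozilla.org/projects/nspr nspr <NSPR_TAG_OR_REV>` (placeholder), would make the build reproducible and auditable. The same applies to the NSPR clone in the Windows build script and, more sharply, to the `build/tools` clone in the Windows setup script, where `tooltool_wrapper.sh` from the fresh checkout is executed immediately with an authentication file on its command line.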


@ -9,5 +9,8 @@ fi
mkdir -p /home/worker/artifacts
# Install Node.JS dependencies.
cd nss/automation/taskcluster/graph/ && npm install
# Build the task graph definition.
nodejs nss/automation/taskcluster/graph/build.js > /home/worker/artifacts/graph.json
nodejs build.js > /home/worker/artifacts/graph.json


@ -2,20 +2,56 @@
set -v -e -x
if [ $(id -u) = 0 ]; then
if [ $(id -u) -eq 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0 $@
exec su worker $0 "$@"
fi
# Apply clang-format 3.8 on the provided folder and verify that this doesn't change any file.
# If any file differs after formatting, the script eventually exits with 1.
# Any differences between formatted and unformatted files is printed to stdout to give a hint what's wrong.
# Includes a default set of directories.
apply=false
if [ $1 = "--apply" ]; then
apply=true
shift
fi
if [ $# -gt 0 ]; then
dirs=("$@")
else
top=$(dirname $0)/../../..
dirs=( \
"$top/cmd" \
"$top/lib/base" \
"$top/lib/certdb" \
"$top/lib/certhigh" \
"$top/lib/ckfw" \
"$top/lib/crmf" \
"$top/lib/cryptohi" \
"$top/lib/dbm" \
"$top/lib/dev" \
"$top/lib/softoken" \
"$top/lib/ssl" \
"$top/external_tests/common" \
"$top/external_tests/der_gtest" \
"$top/external_tests/pk11_gtest" \
"$top/external_tests/ssl_gtest" \
"$top/external_tests/util_gtest" \
)
fi
STATUS=0
for i in $(find $1 -type f -name '*.[ch]' -print); do
if ! clang-format $i | diff -Naur $i -; then
echo "Sorry, $i is not formatted properly. Please use clang-format 3.8 on your patch before landing."
STATUS=1
fi
for dir in "${dirs[@]}"; do
for i in $(find "$dir" -type f \( -name '*.[ch]' -o -name '*.cc' \) -print); do
if $apply; then
clang-format -i "$i"
elif ! clang-format "$i" | diff -Naur "$i" -; then
echo "Sorry, $i is not formatted properly. Please use clang-format 3.8 on your patch before landing."
STATUS=1
fi
done
done
exit $STATUS
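Review bot: `if [ $1 = "--apply" ]` expands to `[ = "--apply" ]` when the script is run without arguments, which is exactly the case the new default directory list is meant for; `[` then reports a syntax error and the script only carries on because the failure happens inside an `if` condition. Quoting fixes it: `if [ "${1:-}" = "--apply" ]; then`. The `for i in $(find …)` loop still word-splits the `find` output, so the added quotes around `"$i"` do not protect paths that contain whitespace, and `$0` in `exec su worker $0 "$@"` is still unquoted.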


@ -14,3 +14,16 @@ switch_compilers() {
exit 1
fi
}
# Usage: hg_clone repo dir [revision=@]
hg_clone() {
repo=$1
dir=$2
rev=${3:-@}
for i in 0 2 5; do
sleep $i
hg clone -r "$rev" "$repo" "$dir" && return
rm -rf "$dir"
done
exit 1
}
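Review bot: `hg_clone` assigns `repo`, `dir`, `rev` and the loop variable `i` without `local`, so any script that sources this file and calls the function has its own variables of those names overwritten; `local repo=$1 dir=$2 rev=${3:-@} i` keeps them contained. The function also runs `rm -rf "$dir"` after every failed attempt, including a failure caused by the directory already existing, so a pre-existing checkout at that path is deleted and re-cloned. A comment such as `# NOTE: removes "$dir" after a failed attempt, even if it existed before the call` would make that visible to callers. The same function body is duplicated in the Windows setup script in this commit, so both copies need the change.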


@ -6,16 +6,16 @@ set -v -e -x
source $(dirname $0)/setup.sh
# Clone NSPR.
hg clone https://hg.mozilla.org/projects/nspr
hg_clone https://hg.mozilla.org/projects/nspr nspr default
# Build.
cd nss && make nss_build_all
make -C nss nss_build_all
# Generate certificates.
cd tests && NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" ./all.sh
NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" nss/tests/all.sh
# Reset test counter so that test runs pick up our certificates.
cd ../../ && echo 1 > tests_results/security/localhost
echo 1 > tests_results/security/localhost
# Package.
7z a public/build/dist.7z dist tests_results


@ -1,8 +1,8 @@
[
{
"version": "Visual Studio 2015 Update 2 / SDK 10.0.10586.0/212",
"size": 332343834,
"digest": "55814aaabcd4aa51fe85918ec02a8c29bc067d41ee79ddcfd628daaba5a06d4241a73a51bf5a8bc69cc762b52551009f44b05e65682c45b4684c17fb2d017c2c",
"size": 332442800,
"digest": "995394a4a515c7cb0f8595f26f5395361a638870dd0bbfcc22193fe1d98a0c47126057d5999cc494f3f3eac5cb49160e79757c468f83ee5797298e286ef6252c",
"algorithm": "sha512",
"filename": "vs2015u2.zip",
"unpack": true


@ -2,7 +2,20 @@
set -v -e -x
hg clone https://hg.mozilla.org/build/tools
# Usage: hg_clone repo dir [revision=@]
hg_clone() {
repo=$1
dir=$2
rev=${3:-@}
for i in 0 2 5; do
sleep $i
hg clone -r "$rev" "$repo" "$dir" && return
rm -rf "$dir"
done
exit 1
}
hg_clone https://hg.mozilla.org/build/tools tools default
tools/scripts/tooltool/tooltool_wrapper.sh $(dirname $0)/releng.manifest https://api.pub.build.mozilla.org/tooltool/ non-existant-file.sh /c/mozilla-build/python/python.exe /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok -c /c/builds/tooltool_cache
VSPATH="$(pwd)/vs2015u2"
@ -11,7 +24,7 @@ export WINDOWSSDKDIR="${VSPATH}/SDK"
export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT"
export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x64"
export PATH="${VSPATH}/VC/bin/amd64:${VSPATH}/VC/bin:${VSPATH}/SDK/bin/x64:${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${VSPATH}/DIASDK/bin/amd64:${PATH}"
export PATH="${VSPATH}/VC/bin/amd64:${VSPATH}/VC/bin:${VSPATH}/SDK/bin/x64:${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}"
export INCLUDE="${VSPATH}/VC/include:${VSPATH}/VC/atlmfc/include:${VSPATH}/SDK/Include/ucrt:${VSPATH}/SDK/Include/shared:${VSPATH}/SDK/Include/um:${VSPATH}/SDK/Include/winrt:${VSPATH}/DIASDK/include"
export LIB="${VSPATH}/VC/lib/amd64:${VSPATH}/VC/atlmfc/lib/amd64:${VSPATH}/SDK/lib/ucrt/x64:${VSPATH}/SDK/lib/um/x64:${VSPATH}/DIASDK/lib/amd64"
export INCLUDE="${VSPATH}/VC/include:${VSPATH}/SDK/Include/10.0.10586.0/ucrt:${VSPATH}/SDK/Include/10.0.10586.0/shared:${VSPATH}/SDK/Include/10.0.10586.0/um"
export LIB="${VSPATH}/VC/lib/amd64:${VSPATH}/SDK/lib/10.0.10586.0/ucrt/x64:${VSPATH}/SDK/lib/10.0.10586.0/um/x64"


@ -16,10 +16,14 @@ endif
ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
BLTEST_SRCDIR =
ECPERF_SRCDIR =
ECTEST_SRCDIR =
FIPSTEST_SRCDIR =
SHLIBSIGN_SRCDIR =
else
BLTEST_SRCDIR = bltest
ECPERF_SRCDIR = ecperf
ECTEST_SRCDIR = ectest
FIPSTEST_SRCDIR = fipstest
SHLIBSIGN_SRCDIR = shlibsign
endif


@ -1236,8 +1236,7 @@ rsa_PublicKeyOp(void *cx, SECItem *output, const SECItem *input)
RSAPublicKey *pubKey = (RSAPublicKey *)params->pubKey;
SECStatus rv = RSA_PublicKeyOp(pubKey, output->data, input->data);
if (rv == SECSuccess) {
output->len = pubKey->modulus.data[0] ? pubKey->modulus.len :
pubKey->modulus.len - 1;
output->len = pubKey->modulus.data[0] ? pubKey->modulus.len : pubKey->modulus.len - 1;
}
return rv;
}
@ -1249,8 +1248,7 @@ rsa_PrivateKeyOp(void *cx, SECItem *output, const SECItem *input)
RSAPrivateKey *privKey = (RSAPrivateKey *)params->privKey;
SECStatus rv = RSA_PrivateKeyOp(privKey, output->data, input->data);
if (rv == SECSuccess) {
output->len = privKey->modulus.data[0] ? privKey->modulus.len :
privKey->modulus.len - 1;
output->len = privKey->modulus.data[0] ? privKey->modulus.len : privKey->modulus.len - 1;
}
return rv;
}
@ -2849,8 +2847,7 @@ print_td:
ECPrivateKey *key = (ECPrivateKey *)info->params.asymk.privKey;
ECCurveName curveName = key->ecParams.name;
fprintf(stdout, "%12s",
ecCurve_map[curveName] ? ecCurve_map[curveName]->text :
"Unsupported curve");
ecCurve_map[curveName] ? ecCurve_map[curveName]->text : "Unsupported curve");
}
break;
#endif
@ -3161,7 +3158,7 @@ verify_self_test(bltestIO *result, bltestIO *cmp, bltestCipherMode mode,
static SECStatus
ReadFileToItem(PLArenaPool *arena, SECItem *dst, const char *filename)
{
SECItem tmp = {siBuffer, NULL, 0};
SECItem tmp = { siBuffer, NULL, 0 };
PRFileDesc *file;
SECStatus rv;


@ -883,8 +883,7 @@ AddAuthKeyID(void *extHandle,
error_out("ERROR: Unable to copy Directory Name");
}
authKeyID->authCertIssuer = genNames;
if (authKeyID->authCertIssuer == NULL && SECFailure ==
PORT_GetError()) {
if (authKeyID->authCertIssuer == NULL && SECFailure == PORT_GetError()) {
error_out("ERROR: Unable to get Issuer General Name for Authority Key ID Extension");
}
authKeyID->authCertSerialNumber = issuerCert->serialNumber;
@ -2035,16 +2034,16 @@ main(int argc, char **argv)
char *pos;
#ifdef OFFLINE
char *form_output = "key=MIIBPTCBpzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7"
"SLqjWBL9Wl11Vlg%0AaMqZCvcQOL%2FnvSqYPPRP0XZy9SoAeyWzQnBOiCm2t8H5mK7r2"
"jnKdAQOmfhjaJil%0A3hNVu3SekHOXF6Ze7bkWa6%2FSGVcY%2FojkydxFSgY43nd1iyd"
"zPQDp8WWLL%2BpVpt%2B%2B%0ATRhFtVXbF0fQI03j9h3BoTgP2lkCAwEAARYDZm9vMA0"
"GCSqGSIb3DQEBBAUAA4GB%0AAJ8UfRKJ0GtG%2B%2BufCC6tAfTzKrq3CTBHnom55EyXc"
"sAsv6WbDqI%2F0rLAPkn2Xo1r%0AnNhtMxIuj441blMt%2Fa3AGLOy5zmC7Qawt8IytvQ"
"ikQ1XTpTBCXevytrmLjCmlURr%0ANJryTM48WaMQHiMiJpbXCqVJC1d%2FpEWBtqvALzZ"
"aOOIy&subject=CN%3D%22test%22%26serial-auto%3Dtrue%26serial_value%3D%"
"26ver-1%3Dtrue%26ver-3%3Dfalse%26caChoiceradio-SignWithDefaultkey%3Dt"
"rue%26caChoiceradio-SignWithRandomChain%3Dfalse%26autoCAs%3D%26caChoi"
"ceradio-SignWithSpecifiedChain%3Dfalse%26manCAs%3D%26%24";
"SLqjWBL9Wl11Vlg%0AaMqZCvcQOL%2FnvSqYPPRP0XZy9SoAeyWzQnBOiCm2t8H5mK7r2"
"jnKdAQOmfhjaJil%0A3hNVu3SekHOXF6Ze7bkWa6%2FSGVcY%2FojkydxFSgY43nd1iyd"
"zPQDp8WWLL%2BpVpt%2B%2B%0ATRhFtVXbF0fQI03j9h3BoTgP2lkCAwEAARYDZm9vMA0"
"GCSqGSIb3DQEBBAUAA4GB%0AAJ8UfRKJ0GtG%2B%2BufCC6tAfTzKrq3CTBHnom55EyXc"
"sAsv6WbDqI%2F0rLAPkn2Xo1r%0AnNhtMxIuj441blMt%2Fa3AGLOy5zmC7Qawt8IytvQ"
"ikQ1XTpTBCXevytrmLjCmlURr%0ANJryTM48WaMQHiMiJpbXCqVJC1d%2FpEWBtqvALzZ"
"aOOIy&subject=CN%3D%22test%22%26serial-auto%3Dtrue%26serial_value%3D%"
"26ver-1%3Dtrue%26ver-3%3Dfalse%26caChoiceradio-SignWithDefaultkey%3Dt"
"rue%26caChoiceradio-SignWithRandomChain%3Dfalse%26autoCAs%3D%26caChoi"
"ceradio-SignWithSpecifiedChain%3Dfalse%26manCAs%3D%26%24";
#else
char *form_output;
#endif


@ -184,7 +184,7 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
SECOidTag hashAlgTag, CERTName *subject, const char *phone, int ascii,
const char *emailAddrs, const char *dnsNames,
certutilExtnList extnList, const char *extGeneric,
/*out*/ SECItem *result)
PRBool pssCertificate, /*out*/ SECItem *result)
{
CERTSubjectPublicKeyInfo *spki;
CERTCertificateRequest *cr;
@ -195,6 +195,12 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
void *extHandle;
SECItem signedReq = { siBuffer, NULL, 0 };
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
SECU_PrintError(progName, "out of memory");
return SECFailure;
}
/* Create info about public key */
spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
if (!spki) {
@ -202,6 +208,13 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
return SECFailure;
}
/* Change cert type to RSA-PSS, if desired. */
if (pssCertificate) {
spki->algorithm.parameters.data = NULL;
rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0);
}
/* Generate certificate request */
cr = CERT_CreateCertificateRequest(subject, spki, NULL);
SECKEY_DestroySubjectPublicKeyInfo(spki);
@ -210,12 +223,6 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
return SECFailure;
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
SECU_PrintError(progName, "out of memory");
return SECFailure;
}
extHandle = CERT_StartCertificateRequestAttributes(cr);
if (extHandle == NULL) {
PORT_FreeArena(arena, PR_FALSE);
@ -2354,6 +2361,7 @@ enum certutilOpts {
opt_DumpExtensionValue,
opt_GenericExtensions,
opt_NewNickname,
opt_Pss,
opt_Help
};
@ -2472,6 +2480,8 @@ static const secuCommandFlag options_init[] =
"extGeneric" },
{ /* opt_NewNickname */ 0, PR_TRUE, 0, PR_FALSE,
"new-n" },
{ /* opt_Pss */ 0, PR_FALSE, 0, PR_FALSE,
"pss" },
};
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
@ -3322,6 +3332,22 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
}
if (certutil.options[opt_Pss].activated) {
if (!certutil.commands[cmd_CertReq].activated &&
!certutil.commands[cmd_CreateAndAddCert].activated) {
PR_fprintf(PR_STDERR,
"%s -%c: --pss only works with -R or -S.\n",
progName, commandToRun);
return 255;
}
if (keytype != rsaKey) {
PR_fprintf(PR_STDERR,
"%s -%c: --pss only works with RSA keys.\n",
progName, commandToRun);
return 255;
}
}
/* If we need a list of extensions convert the flags into list format */
if (certutil.commands[cmd_CertReq].activated ||
certutil.commands[cmd_CreateAndAddCert].activated ||
@ -3409,9 +3435,9 @@ certutil_main(int argc, char **argv, PRBool initialize)
certutil.options[opt_ExtendedEmailAddrs].arg,
certutil.options[opt_ExtendedDNSNames].arg,
certutil_extns,
(certutil.options[opt_GenericExtensions].activated ?
certutil.options[opt_GenericExtensions].arg
(certutil.options[opt_GenericExtensions].activated ? certutil.options[opt_GenericExtensions].arg
: NULL),
certutil.options[opt_Pss].activated,
&certReqDER);
if (rv)
goto shutdown;
@ -3434,9 +3460,9 @@ certutil_main(int argc, char **argv, PRBool initialize)
NULL,
NULL,
nullextnlist,
(certutil.options[opt_GenericExtensions].activated ?
certutil.options[opt_GenericExtensions].arg
(certutil.options[opt_GenericExtensions].activated ? certutil.options[opt_GenericExtensions].arg
: NULL),
certutil.options[opt_Pss].activated,
&certReqDER);
if (rv)
goto shutdown;
@ -3456,8 +3482,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
certutil.commands[cmd_CreateNewCert].activated,
certutil.options[opt_SelfSign].activated,
certutil_extns,
(certutil.options[opt_GenericExtensions].activated ?
certutil.options[opt_GenericExtensions].arg
(certutil.options[opt_GenericExtensions].activated ? certutil.options[opt_GenericExtensions].arg
: NULL),
certVersion,
&certDER);
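Review bot: The return value of `SECOID_SetAlgorithmID()` in the new `if (pssCertificate)` block of `CertReq` is stored in `rv` and never checked, so a failure there falls through to `CERT_CreateCertificateRequest()` with the algorithm identifier in whatever state it was left. Moving `PORT_NewArena()` ahead of the SPKI creation also means the visible `return SECFailure` for `!spki`, and the one at the top of the following hunk (apparently the failed-request path), now return without `PORT_FreeArena(arena, PR_FALSE);`, which the `extHandle == NULL` branch does call. CertReq's body continues outside the hunks, so other early returns may need the same cleanup.

```c
/* … unchanged: if (pssCertificate) { and the parameters.data reset … */
    rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
                               SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0);
    if (rv != SECSuccess) {
        SECU_PrintError(progName, "unable to set RSA-PSS algorithm ID");
        SECKEY_DestroySubjectPublicKeyInfo(spki);
        PORT_FreeArena(arena, PR_FALSE);
        return SECFailure;
    }
```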


@ -5,8 +5,8 @@
#include "blapi.h"
#include "ec.h"
#include "ecl-curve.h"
#include "nss.h"
#include "secutil.h"
#include "prprf.h"
#include "basicutil.h"
#include "pkcs11.h"
#include "nspr.h"
#include <stdio.h>
@ -86,12 +86,14 @@ static SECOidTag ecCurve_oid_map[] = {
SEC_OID_UNKNOWN, /* ECCurve_WTLS_1 */
SEC_OID_UNKNOWN, /* ECCurve_WTLS_8 */
SEC_OID_UNKNOWN, /* ECCurve_WTLS_9 */
SEC_OID_UNKNOWN /* ECCurve_pastLastCurve */
SEC_OID_UNKNOWN /* ECCurve_pastLastCurve */
};
typedef SECStatus (*op_func)(void *, void *, void *);
typedef SECStatus (*pk11_op_func)(CK_SESSION_HANDLE, void *, void *, void *);
typedef SECItem SECKEYECParams;
typedef struct ThreadDataStr {
op_func op;
void *p1;
@ -710,9 +712,16 @@ main(int argv, char **argc)
usefreebl = 1;
}
rv = NSS_NoDB_Init(NULL);
rv = RNG_RNGInit();
if (rv != SECSuccess) {
SECU_PrintError("Error:", "NSS_NoDB_Init");
SECU_PrintError("Error:", "RNG_RNGInit");
return -1;
}
RNG_SystemInfoForRNG();
rv = SECOID_Init();
if (rv != SECSuccess) {
SECU_PrintError("Error:", "SECOID_Init");
goto cleanup;
}
@ -765,7 +774,8 @@ main(int argv, char **argc)
#endif
cleanup:
rv |= NSS_Shutdown();
rv |= SECOID_Shutdown();
RNG_RNGShutdown();
if (rv != SECSuccess) {
printf("Error: exiting with error value\n");


@ -5,8 +5,9 @@
#include "blapi.h"
#include "ec.h"
#include "ecl-curve.h"
#include "nss.h"
#include "secutil.h"
#include "prprf.h"
#include "basicutil.h"
#include "secder.h"
#include "secitem.h"
#include "nspr.h"
#include <stdio.h>
@ -155,9 +156,10 @@ main(int argv, char **argc)
SECStatus rv = SECSuccess;
int numkats = 0;
int i = 0;
rv = NSS_NoDB_Init(NULL);
rv = SECOID_Init();
if (rv != SECSuccess) {
SECU_PrintError("Error:", "NSS_NoDB_Init");
SECU_PrintError("Error:", "SECOID_Init");
goto cleanup;
}
@ -175,7 +177,7 @@ main(int argv, char **argc)
}
cleanup:
rv |= NSS_Shutdown();
rv |= SECOID_Shutdown();
if (rv != SECSuccess) {
printf("Error: exiting with error value\n");


@ -745,10 +745,8 @@ handle_connection(
/* else good status response */
if (!isPost && ocspMethodsAllowed == ocspGetUnknown) {
unknown = PR_TRUE;
nextUpdate = PR_Now() + (PRTime)60 * 60 *
24 * PR_USEC_PER_SEC; /*tomorrow*/
revoDate = PR_Now() - (PRTime)60 * 60 *
24 * PR_USEC_PER_SEC; /*yesterday*/
nextUpdate = PR_Now() + (PRTime)60 * 60 * 24 * PR_USEC_PER_SEC; /*tomorrow*/
revoDate = PR_Now() - (PRTime)60 * 60 * 24 * PR_USEC_PER_SEC; /*yesterday*/
}
}
}


@ -687,13 +687,12 @@ static unsigned char
nibble(char c)
{
c = PORT_Tolower(c);
return (c >= '0' && c <= '9') ? c - '0' :
(c >=
'a' &&
c <=
'f')
? c - 'a' + 10
: -1;
return (c >= '0' && c <= '9') ? c - '0' : (c >=
'a' &&
c <=
'f')
? c - 'a' + 10
: -1;
}
SECStatus


@ -229,9 +229,8 @@ extern "C" {
} \
} while (0)
#define PKIX_TEST_ARENAS_ARG(arena) \
(arena ? (PORT_Strcmp(arena, "arenas") ? PKIX_FALSE : (j++, PKIX_TRUE)) : \
PKIX_FALSE)
#define PKIX_TEST_ARENAS_ARG(arena) \
(arena ? (PORT_Strcmp(arena, "arenas") ? PKIX_FALSE : (j++, PKIX_TRUE)) : PKIX_FALSE)
#define PKIX_TEST_ERROR_RECEIVED (pkixTestErrorMsg || pkixTestErrorResult)


@ -22,6 +22,8 @@ endif
ifndef NSS_BUILD_UTIL_ONLY
SOFTOKEN_SRCDIRS = \
$(BLTEST_SRCDIR) \
$(ECPERF_SRCDIR) \
$(ECTEST_SRCDIR) \
$(FIPSTEST_SRCDIR) \
$(LOWHASHTEST_SRCDIR) \
$(SHLIBSIGN_SRCDIR) \
@ -42,8 +44,6 @@ NSS_SRCDIRS = \
dbtest \
derdump \
digest \
ecperf \
ectest \
httpserv \
listsuites \
makepqg \


@ -406,10 +406,8 @@ Pk11Install_DoInstall(char *jarFile, const char *installDir,
* Show the user security information, allow them to abort or continue
*/
if (Pk11Install_UserVerifyJar(jar, PR_STDOUT,
force ?
PR_FALSE
:
PR_TRUE) &&
force ? PR_FALSE
: PR_TRUE) &&
!force) {
if (feedback) {
PR_fprintf(feedback, msgStrings[USER_ABORT]);
@ -539,7 +537,6 @@ Pk11Install_DoInstall(char *jarFile, const char *installDir,
loser:
if (Pk11Install_valueList) {
Pk11Install_ValueList_delete(Pk11Install_valueList);
PR_Free(Pk11Install_valueList);
Pk11Install_valueList = NULL;
}
if (jar) {
@ -564,8 +561,6 @@ DoInstall(JAR *jar, const char *installDir, const char *tempDir,
{
Pk11Install_File *file;
Pk11Install_Error ret;
char *reldir;
char *dest;
char *modDest;
char *cp;
int i;
@ -580,8 +575,6 @@ DoInstall(JAR *jar, const char *installDir, const char *tempDir,
int errcode;
ret = PK11_INSTALL_UNSPECIFIED;
reldir = NULL;
dest = NULL;
modDest = NULL;
tempname = NULL;
@ -604,11 +597,17 @@ DoInstall(JAR *jar, const char *installDir, const char *tempDir,
// Install all the files
*/
for (i = 0; i < platform->numFiles; i++) {
char *dest;
file = &platform->files[i];
if (file->relativePath) {
PRBool foundMarker = PR_FALSE;
reldir = PR_Strdup(file->relativePath);
char *reldir = PR_Strdup(file->relativePath);
if (!reldir) {
error(PK11_INSTALL_UNSPECIFIED);
goto loser;
}
/* Replace all the markers with the directories for which they stand */
while (1) {
@ -636,12 +635,15 @@ DoInstall(JAR *jar, const char *installDir, const char *tempDir,
/* Has no markers...this isn't really a relative directory */
error(PK11_INSTALL_BOGUS_REL_DIR, file->relativePath);
ret = PK11_INSTALL_BOGUS_REL_DIR;
PR_Free(reldir);
goto loser;
}
dest = reldir;
reldir = NULL;
} else if (file->absolutePath) {
dest = PR_Strdup(file->absolutePath);
} else {
error(PK11_INSTALL_UNSPECIFIED);
goto loser;
}
/* Remember if this is the module file, we'll need to add it later */
@ -685,18 +687,10 @@ DoInstall(JAR *jar, const char *installDir, const char *tempDir,
/* no NSPR command to change permissions? */
#ifdef XP_UNIX
chmod(dest, file->permissions);
(void)chmod(dest, file->permissions);
#endif
/* Memory clean-up tasks */
if (reldir) {
PR_Free(reldir);
reldir = NULL;
}
if (dest) {
PR_Free(dest);
dest = NULL;
}
PR_Free(dest);
}
/* Make sure we found the module file */
if (!modDest) {
@ -777,12 +771,6 @@ DoInstall(JAR *jar, const char *installDir, const char *tempDir,
ret = PK11_INSTALL_SUCCESS;
loser:
if (reldir) {
PR_Free(reldir);
}
if (dest) {
PR_Free(dest);
}
if (modDest) {
PR_Free(modDest);
}
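Review bot: In `DoInstall`, the `file->absolutePath` branch assigns `dest = PR_Strdup(file->absolutePath);` without a NULL check, while the `relativePath` branch in the same loop now bails out when `PR_Strdup` fails; `dest` is later passed to `chmod()` and presumably to the extraction code outside the hunks. Adding `if (!dest) { error(PK11_INSTALL_UNSPECIFIED); goto loser; }` after the strdup makes the two branches consistent. Separately, `(void)chmod(dest, file->permissions);` discards the result, so an installed module file can keep permissions other than the ones the install script requested and nothing is reported; checking the return value and calling `error(...)` would surface that. Since `loser:` no longer frees `dest`, any `goto loser` between the assignment and the new `PR_Free(dest)` (that code lies outside the hunks) would now leak it.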


@ -46,85 +46,94 @@ char *Pk11Install_yyerrstr = NULL;
#define STRING 259
#define YYERRCODE 256
/* clang-format on */
short yylhs[] = { -1,
0, 1, 1, 2, 2, 3, 4,
short yylhs[] = {
-1,
0, 1, 1, 2, 2, 3, 4,
};
short yylen[] = { 2,
1, 2, 0, 1, 1, 4, 1,
short yylen[] = {
2,
1, 2, 0, 1, 1, 4, 1,
};
short yydefred[] = { 0,
0, 0, 1, 0, 4, 0, 2, 0, 0, 6,
short yydefred[] = {
0,
0, 0, 1, 0, 4, 0, 2, 0, 0, 6,
};
short yydgoto[] = { 2,
3, 4, 5, 6,
short yydgoto[] = {
2,
3, 4, 5, 6,
};
short yysindex[] = { -257,
0, 0, 0, -257, 0, -252, 0, -257, -251, 0,
short yysindex[] = {
-257,
0, 0, 0, -257, 0, -252, 0, -257, -251, 0,
};
short yyrindex[] = { 6,
1, 0, 0, 3, 0, 0, 0, -250, 0, 0,
short yyrindex[] = {
6,
1, 0, 0, 3, 0, 0, 0, -250, 0, 0,
};
short yygindex[] = { 0,
-4, 0, 0, 0,
short yygindex[] = {
0,
-4, 0, 0, 0,
};
#define YYTABLESIZE 261
short yytable[] = { 7,
5, 1, 3, 9, 8, 3, 10, 3, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 7, 5, 5,
short yytable[] = {
7,
5, 1, 3, 9, 8, 3, 10, 3, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 7, 5, 5,
3,
};
short yycheck[] = { 4,
0, 259, 0, 8, 257, 0, 258, 258, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, 257, 258, 259,
258,
short yycheck[] = {
4,
0, 259, 0, 8, 257, 0, 258, 258, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, 257, 258, 259,
258,
};
/* clang-format on */
#define YYFINAL 2


@ -502,8 +502,7 @@ do_list_certs(const char *progName, int log)
SECU_PrintCertNickname(node, stderr);
if (log) {
fprintf(stderr, "* Slot=%s*\n", cert->slot ?
PK11_GetTokenName(cert->slot)
fprintf(stderr, "* Slot=%s*\n", cert->slot ? PK11_GetTokenName(cert->slot)
: "none");
fprintf(stderr, "* Nickname=%s*\n", cert->nickname);
fprintf(stderr, "* Subject=<%s>*\n", cert->subjectName);


@ -237,7 +237,7 @@ main(int argc, char **argv)
}
/* free certs */
for (rcpt = recipients; rcpt != NULL; ) {
for (rcpt = recipients; rcpt != NULL;) {
struct recipient *next = rcpt->next;
CERT_DestroyCertificate(rcpt->cert);
PORT_Free(rcpt->nickname);


@ -1097,10 +1097,8 @@ printArg(Value *ptr, int arg_number)
} else {
constType = getConstFromAttribute(attribute->type);
if (constType != ConstNone) {
CK_ULONG value = (constType == ConstBool) ?
*(CK_BBOOL *)attribute->pValue
:
*(CK_ULONG *)attribute->pValue;
CK_ULONG value = (constType == ConstBool) ? *(CK_BBOOL *)attribute->pValue
: *(CK_ULONG *)attribute->pValue;
printConst(value, constType, 1);
} else {
printf("\n");


@ -752,8 +752,7 @@ P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot,
PR_Close(fd);
}
} else if (SECU_PrintSignedData(stdout, dip->der,
(dip->hasKey) ?
"(has private key)"
(dip->hasKey) ? "(has private key)"
: "",
0, (SECU_PPFunc)SECU_PrintCertificate) !=
0) {
@ -982,10 +981,8 @@ main(int argc, char **argv)
slotname = SECU_GetOptionArg(&pk12util, opt_TokenName);
import_file = (pk12util.options[opt_List].activated) ?
SECU_GetOptionArg(&pk12util, opt_List)
:
SECU_GetOptionArg(&pk12util, opt_Import);
import_file = (pk12util.options[opt_List].activated) ? SECU_GetOptionArg(&pk12util, opt_List)
: SECU_GetOptionArg(&pk12util, opt_Import);
export_file = SECU_GetOptionArg(&pk12util, opt_Export);
if (pk12util.options[opt_P12FilePWFile].activated) {
@ -1052,8 +1049,7 @@ main(int argc, char **argv)
}
}
certCipher = PK11_IsFIPS() ? SEC_OID_UNKNOWN :
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
certCipher = PK11_IsFIPS() ? SEC_OID_UNKNOWN : SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
if (pk12util.options[opt_CertCipher].activated) {
char *cipherString = pk12util.options[opt_CertCipher].arg;


@ -220,7 +220,7 @@ PrintParameterUsage()
"-A <ca> Nickname of a CA used to sign a stapled cert status\n"
"-U override default ECDHE ephemeral key reuse, 0: refresh, 1: reuse\n"
"-H override default DHE server support, 0: disable, 1: enable, "
" 2: require DH named groups\n"
" 2: require DH named groups\n"
"-W override default DHE server weak parameters support, 0: disable, 1: enable\n"
"-c Restrict ciphers\n"
"-Y prints cipher values allowed for parameter -c and exits\n"
@ -518,8 +518,7 @@ mySSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
if (privKey == NULL) {
goto loser; /* Send alert */
}
if (SSL_ConfigServerCert(fd, cert, privKey, NULL, 0)
!= SECSuccess) {
if (SSL_ConfigServerCert(fd, cert, privKey, NULL, 0) != SECSuccess) {
goto loser; /* Send alert */
}
SECKEY_DestroyPrivateKey(privKey);
@ -2015,8 +2014,8 @@ server_main(
}
if (enableALPN) {
PRUint8 alpnVal[] = {0x08,
0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31};
PRUint8 alpnVal[] = { 0x08,
0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 };
rv = SSL_OptionSet(model_sock, SSL_ENABLE_ALPN, PR_TRUE);
if (rv != SECSuccess) {
errExit("error enabling ALPN");
@ -2861,8 +2860,7 @@ main(int argc, char **argv)
if (rv == SECSuccess && logStats) {
loggerThread = PR_CreateThread(PR_SYSTEM_THREAD,
logger, NULL, PR_PRIORITY_NORMAL,
useLocalThreads ?
PR_LOCAL_THREAD
useLocalThreads ? PR_LOCAL_THREAD
: PR_GLOBAL_THREAD,
PR_JOINABLE_THREAD, 0);
if (loggerThread == NULL) {


@ -82,12 +82,9 @@ javascript_fn(char *relpath, char *basedir, char *reldir, char *filename, void *
/* only process inline scripts from .htm, .html, and .shtml*/
if (!(PL_strcaserstr(filename, ".htm") == filename + strlen(filename) -
4) &&
!(PL_strcaserstr(filename, ".html") == filename + strlen(filename) -
5) &&
!(PL_strcaserstr(filename, ".shtml") == filename + strlen(filename) -
6)) {
if (!(PL_strcaserstr(filename, ".htm") == filename + strlen(filename) - 4) &&
!(PL_strcaserstr(filename, ".html") == filename + strlen(filename) - 5) &&
!(PL_strcaserstr(filename, ".shtml") == filename + strlen(filename) - 6)) {
return 0;
}
@ -382,8 +379,7 @@ ProcessTag(FileBuffer *fb, char **errStr)
}
/* fall through */
case GET_ATT_STATE:
if (isspace(curchar) || curchar == '=' || curchar ==
'>') {
if (isspace(curchar) || curchar == '=' || curchar == '>') {
/* end of the current attribute */
curPos = FB_GetPointer(fb) - 2;
if (curPos >= startID) {


@ -81,10 +81,8 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
}
/* rsa/dsa to zip */
sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ?
"dsa"
:
"rsa"));
sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
: "rsa"));
sprintf(fullfn, "%s/%s", tree, tempfn);
JzipAdd(fullfn, tempfn, zipfile, compression_level);
@ -106,10 +104,8 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
/* Add the rsa/dsa file to the zip archive normally */
if (!xpi_arc) {
/* rsa/dsa to zip */
sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ?
"dsa"
:
"rsa"));
sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
: "rsa"));
sprintf(fullfn, "%s/%s", tree, tempfn);
JzipAdd(fullfn, tempfn, zipfile, compression_level);
}
@ -171,8 +167,7 @@ sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename,
/* Make sure there is one and only one ".arc" in the relative path,
* and that it is at the end of the path (don't sign .arcs within .arcs) */
if ((PL_strcaserstr(relpath, ".arc") == relpath + strlen(relpath) -
4) &&
if ((PL_strcaserstr(relpath, ".arc") == relpath + strlen(relpath) - 4) &&
(PL_strcasestr(relpath, ".arc") == relpath + strlen(relpath) - 4)) {
if (!infop) {


@ -212,8 +212,7 @@ verify_global(JAR *jar)
PR_fprintf(outputFD,
" md5 digest on global metainfo: %s\n",
PORT_Memcmp(md5_digest, globaldig->md5, MD5_LENGTH)
?
"no match"
? "no match"
: "match");
}
@ -221,8 +220,7 @@ verify_global(JAR *jar)
PR_fprintf(outputFD,
" sha digest on global metainfo: %s\n",
PORT_Memcmp(sha1_digest, globaldig->sha1, SHA1_LENGTH)
?
"no match"
? "no match"
: "match");
}


@ -159,8 +159,7 @@ JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int compression_level)
} else {
nsprErr = NULL;
}
PR_fprintf(errorFD, "%s: %s\n", fullname, nsprErr ? nsprErr :
"");
PR_fprintf(errorFD, "%s: %s\n", fullname, nsprErr ? nsprErr : "");
errorCount++;
if (nsprErr)
PR_Free(nsprErr);
@ -280,8 +279,7 @@ JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int compression_level)
} else {
nsprErr = NULL;
}
PR_fprintf(errorFD, "Writing zip data: %s\n", nsprErr ? nsprErr :
"");
PR_fprintf(errorFD, "Writing zip data: %s\n", nsprErr ? nsprErr : "");
if (nsprErr)
PR_Free(nsprErr);
errorCount++;
@ -297,8 +295,7 @@ JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int compression_level)
} else {
nsprErr = NULL;
}
PR_fprintf(errorFD, "Writing zip data: %s\n", nsprErr ? nsprErr :
"");
PR_fprintf(errorFD, "Writing zip data: %s\n", nsprErr ? nsprErr : "");
if (nsprErr)
PR_Free(nsprErr);
errorCount++;


@ -84,7 +84,6 @@ enum {
opt_ASCII,
opt_CertDir,
opt_InputDataFile,
opt_ItemNumber,
opt_OutputFile,
opt_InputSigFile,
opt_PrintWhyFailure,


@ -256,7 +256,8 @@ PrintParameterUsage(void)
fprintf(stderr, "%-20s (Options -4 and -6 cannot be combined.)\n", "");
fprintf(stderr, "%-20s Enable the extended master secret extension [RFC7627]\n", "-G");
fprintf(stderr, "%-20s Require the use of FFDHE supported groups "
"[I-D.ietf-tls-negotiated-ff-dhe]\n", "-H");
"[I-D.ietf-tls-negotiated-ff-dhe]\n",
"-H");
}
static void
@ -1350,6 +1351,8 @@ main(int argc, char **argv)
goto done;
}
SSL_SetPKCS11PinArg(s, &pwdata);
rv = SSL_OptionSet(s, SSL_SECURITY, 1);
if (rv != SECSuccess) {
SECU_PrintError(progName, "error enabling socket");
@ -1500,8 +1503,6 @@ main(int argc, char **argv)
goto done;
}
SSL_SetPKCS11PinArg(s, &pwdata);
serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
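Review bot: The relocated `SSL_SetPKCS11PinArg(s, &pwdata);` in main() still discards its return value, while the `SSL_OptionSet` call directly after it is checked and reported. Since the call now runs before any socket option is set, I would handle it the same way: `rv = SSL_SetPKCS11PinArg(s, &pwdata);` followed by the existing `if (rv != SECSuccess)` pattern with `SECU_PrintError(progName, "error setting PKCS11 pin arg");`. A one-line comment saying why the pin argument has to be in place before the options are set would also help, because the ordering is not evident from the code. main() starts and ends outside both hunks.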


@ -20,7 +20,7 @@ PROG_SUFFIX = .exe
CCC = gcc
LINK = gcc
LD = gcc
AR = emxomfar r $@
# Keep AR_FLAGS blank so that we do not have to change rules.mk
AR_FLAGS =


@ -13,7 +13,7 @@ DEFAULT_COMPILER = cl
ifdef NS_USE_GCC
CC = gcc
CCC = g++
LINK = ld
LD = ld
AR = ar
AR += cr $@
RANLIB = ranlib
@ -23,7 +23,7 @@ ifdef NS_USE_GCC
else
CC = cl
CCC = cl
LINK = link
LD = link
LDFLAGS += -nologo
AR = lib
AR += -nologo -OUT:$@
@ -219,6 +219,7 @@ ifdef USE_64
ifeq ($(_MSC_VER_GE_11),1)
LDFLAGS += -SUBSYSTEM:CONSOLE,5.02
endif
CPU_ARCH = x86_64
else
DEFINES += -D_X86_
# VS2012 defaults to -arch:SSE2. Use -arch:IA32 to avoid requiring
@ -231,6 +232,7 @@ else
endif
LDFLAGS += -SUBSYSTEM:CONSOLE,5.01
endif
CPU_ARCH = x386
endif
endif
ifeq ($(CPU_ARCH), ALPHA)


@ -206,11 +206,11 @@ ifeq (CYGWIN_NT,$(findstring CYGWIN_NT,$(OS_ARCH)))
endif
endif
#
# If uname -s returns "MINGW32_NT-*", we assume that we are using
# If uname -s returns "MINGW*_NT-*", we assume that we are using
# the uname.exe in the MSYS toolkit.
#
ifeq (MINGW32_NT,$(findstring MINGW32_NT,$(OS_ARCH)))
OS_RELEASE := $(patsubst MINGW32_NT-%,%,$(OS_ARCH))
ifneq (,$(filter MINGW32_NT-% MINGW64_NT-%,$(OS_ARCH)))
OS_RELEASE := $(patsubst MINGW64_NT-%,%,$(patsubst MINGW32_NT-%,%,$(OS_ARCH)))
OS_ARCH = WINNT
USE_MSYS = 1
ifndef CPU_ARCH
@ -218,7 +218,7 @@ ifeq (MINGW32_NT,$(findstring MINGW32_NT,$(OS_ARCH)))
#
# MSYS's uname -m returns "i686" on a Pentium Pro machine.
#
ifneq (,$(findstring 86,$(CPU_ARCH)))
ifneq (,$(filter i%86,$(CPU_ARCH)))
CPU_ARCH = x386
endif
endif


@ -11,7 +11,7 @@
AS = $(CC)
ASFLAGS += $(CFLAGS)
CCF = $(CC) $(CFLAGS)
LINK_DLL = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS)
LINK_DLL = $(LD) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS)
CFLAGS = $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \
$(DEFINES) $(INCLUDES) $(XCFLAGS)
PERL = perl


@ -217,11 +217,3 @@ NSS_SSL_ENABLE_ZLIB = 1
ifdef NSS_NO_PKCS11_BYPASS
DEFINES += -DNO_PKCS11_BYPASS
endif
# Allow build-time configuration of TLS 1.3 (Experimental)
ifdef NSS_ENABLE_TLS_1_3
ifdef NSS_DISABLE_ECC
$(error Setting NSS_ENABLE_TLS_1_3 and NSS_DISABLE_ECC isn't a good idea.)
endif
DEFINES += -DNSS_ENABLE_TLS_1_3
endif


@ -10,3 +10,4 @@
*/
#error "Do not include this header file."


@ -364,7 +364,11 @@ else
# Windows
ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
NEED_ABSOLUTE_PATH := 1
ifdef .PYMAKE
# CURDIR is always an absolute path. If it doesn't start with a /, it's a
# Windows path meaning we're running under MINGW make (as opposed to MSYS
# make), or pymake. In both cases, it's preferable to use a Windows path,
# so use $(CURDIR) as is.
ifeq (,$(filter /%,$(CURDIR)))
PWD := $(CURDIR)
else
PWD := $(shell pwd)
@ -382,7 +386,7 @@ endif
endif
# The quotes allow absolute paths to contain spaces.
core_abspath = "$(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD)/$(1)))"
core_abspath = '$(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD)/$(1)))'
$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
@$(MAKE_OBJDIR)
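Review bot: The comment above `core_abspath` still says only that the quotes allow spaces, but moving from double to single quotes changes more than that. Inside single quotes the shell no longer expands `$`, backticks or backslashes in the path, and a path that itself contains a single quote now ends the quoting early. I would record this next to the definition, e.g. `# Single quotes: spaces are allowed and the shell expands nothing inside the path; a path containing ' is not supported.` The conditional that encloses this hunk starts outside it.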


@ -0,0 +1,4 @@
---
Language: Cpp
BasedOnStyle: Google
...


@ -27,12 +27,17 @@ struct ScopedDelete {
void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
};
template<class T>
template <class T>
struct ScopedMaybeDelete {
void operator()(T* ptr) { if (ptr) { ScopedDelete del; del(ptr); } }
void operator()(T* ptr) {
if (ptr) {
ScopedDelete del;
del(ptr);
}
}
};
#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped ## x
#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped##x
SCOPED(CERTCertificate);
SCOPED(CERTSubjectPublicKeyInfo);


@ -4,11 +4,11 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <climits>
#include <memory>
#include "nss.h"
#include "pk11pub.h"
#include "secutil.h"
#include <memory>
#include <climits>
#include "gtest/gtest.h"
#include "scoped_ptrs.h"
@ -17,22 +17,20 @@ namespace nss_test {
class DERIntegerDecodingTest : public ::testing::Test {
public:
void TestGetInteger(long number, unsigned char *der_number, unsigned int len)
{
void TestGetInteger(long number, unsigned char *der_number,
unsigned int len) {
SECItem input = {siBuffer, der_number, len};
EXPECT_EQ(number, DER_GetInteger(&input));
}
void GetDerLongMax(unsigned char *der_number, unsigned int len)
{
void GetDerLongMax(unsigned char *der_number, unsigned int len) {
der_number[0] = 0x7F;
for (unsigned int i = 1; i < len; ++i) {
der_number[i] = 0xFF;
}
}
void GetDerLongMin(unsigned char *der_number, unsigned int len)
{
void GetDerLongMin(unsigned char *der_number, unsigned int len) {
der_number[0] = 0x80;
for (unsigned int i = 1; i < len; ++i) {
der_number[i] = 0x00;
@ -80,20 +78,20 @@ TEST_F(DERIntegerDecodingTest, DecodeLongMin) {
TEST_F(DERIntegerDecodingTest, DecodeLongMaxMinus1) {
unsigned char der[sizeof(long)];
GetDerLongMax(der, sizeof(long));
der[sizeof(long)-1] = 0xFE;
TestGetInteger(LONG_MAX-1, der, sizeof(der));
der[sizeof(long) - 1] = 0xFE;
TestGetInteger(LONG_MAX - 1, der, sizeof(der));
}
TEST_F(DERIntegerDecodingTest, DecodeLongMinPlus1) {
unsigned char der[sizeof(long)];
GetDerLongMin(der, sizeof(long));
der[sizeof(long)-1] = 0x01;
TestGetInteger(LONG_MIN+1, der, sizeof(der));
der[sizeof(long) - 1] = 0x01;
TestGetInteger(LONG_MIN + 1, der, sizeof(der));
}
TEST_F(DERIntegerDecodingTest, DecodeLongMinMinus1) {
unsigned char der[sizeof(long)+1];
GetDerLongMax(der, sizeof(long)+1);
unsigned char der[sizeof(long) + 1];
GetDerLongMax(der, sizeof(long) + 1);
der[0] = 0xFF;
der[1] = 0x7F;
TestGetInteger(LONG_MIN, der, sizeof(der));
@ -101,8 +99,8 @@ TEST_F(DERIntegerDecodingTest, DecodeLongMinMinus1) {
}
TEST_F(DERIntegerDecodingTest, DecodeLongMaxPlus1) {
unsigned char der[sizeof(long)+1];
GetDerLongMin(der, sizeof(long)+1);
unsigned char der[sizeof(long) + 1];
GetDerLongMin(der, sizeof(long) + 1);
der[0] = 0x00;
der[1] = 0x80;
TestGetInteger(LONG_MAX, der, sizeof(der));
@ -110,4 +108,3 @@ TEST_F(DERIntegerDecodingTest, DecodeLongMaxPlus1) {
}
} // namespace nss_test


@ -12,4 +12,5 @@ DIRS = \
util_gtest \
pk11_gtest \
ssl_gtest \
nss_bogo_shim \
$(NULL)


@ -0,0 +1,52 @@
#! gmake
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#######################################################################
# (1) Include initial platform-independent assignments (MANDATORY). #
#######################################################################
include manifest.mn
#######################################################################
# (2) Include "global" configuration information. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/config.mk
#######################################################################
# (3) Include "component" configuration information. (OPTIONAL) #
#######################################################################
CXXFLAGS += -std=c++0x
#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
include ../common/gtest.mk
CFLAGS += -I$(CORE_DEPTH)/lib/ssl
ifdef NSS_SSL_ENABLE_ZLIB
include $(CORE_DEPTH)/coreconf/zlib.mk
endif
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################


@ -0,0 +1,58 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "config.h"
#include <cstdlib>
#include <queue>
#include <string>
bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args,
std::string *out) {
if (args->empty()) return false;
*out = args->front();
args->pop();
return true;
}
bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args, int *out) {
if (args->empty()) return false;
char *endptr;
*out = strtol(args->front(), &endptr, 10);
args->pop();
return !*endptr;
}
bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args, bool *out) {
*out = true;
return true;
}
std::string Config::XformFlag(const std::string &arg) {
if (arg.empty()) return "";
if (arg[0] != '-') return "";
return arg.substr(1);
}
Config::Status Config::ParseArgs(int argc, char **argv) {
std::queue<const char *> args;
for (int i = 1; i < argc; ++i) {
args.push(argv[i]);
}
while (!args.empty()) {
auto e = entries_.find(XformFlag(args.front()));
args.pop();
if (e == entries_.end()) {
return kUnknownFlag;
}
if (!e->second->Parse(&args)) return kMalformedArgument;
}
return kOK;
}
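Review bot: `ConfigEntryBase::ParseInternal(..., int *out)` accepts values it should reject: an empty argument parses as 0 because `!*endptr` is true when nothing was consumed, and the `long` returned by `strtol` is narrowed to `int` with no range or `ERANGE` check. The only `int` flag on this page is `port`, which is handed to `PR_htons`, so an out-of-range number is silently truncated instead of being reported as `kMalformedArgument`. A stricter version follows; it needs `<cerrno>` and `<climits>`. Separately, `kMissingValue` is declared but never returned, since an exhausted queue is reported as `kMalformedArgument`.

```cpp
bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args, int *out) {
  if (args->empty()) return false;
  const char *text = args->front();
  args->pop();
  char *endptr;
  errno = 0;
  long parsed = strtol(text, &endptr, 10);
  // Reject empty input, trailing characters and values that do not fit an int.
  if (endptr == text || *endptr || errno == ERANGE || parsed < INT_MIN ||
      parsed > INT_MAX) {
    return false;
  }
  *out = static_cast<int>(parsed);
  return true;
}
```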


@ -0,0 +1,89 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
// Generic command line flags system for NSS BoGo shim. This class
// could actually in principle handle other programs. The flags are
// defined in the consumer code.
#ifndef config_h_
#define config_h_
#include <cassert>
#include <iostream>
#include <map>
#include <queue>
#include <string>
#include <typeinfo>
// Abstract base class for a given config flag.
class ConfigEntryBase {
public:
ConfigEntryBase(const std::string& name, const std::string& type)
: name_(name), type_(type) {}
const std::string& type() const { return type_; }
virtual bool Parse(std::queue<const char*>* args) = 0;
protected:
bool ParseInternal(std::queue<const char*>* args, std::string* out);
bool ParseInternal(std::queue<const char*>* args, int* out);
bool ParseInternal(std::queue<const char*>* args, bool* out);
const std::string name_;
const std::string type_;
};
// Template specializations for the concrete flag types.
template <typename T>
class ConfigEntry : public ConfigEntryBase {
public:
ConfigEntry(const std::string& name, T init)
: ConfigEntryBase(name, typeid(T).name()), value_(init) {}
T get() const { return value_; }
bool Parse(std::queue<const char*>* args) {
return ParseInternal(args, &value_);
}
private:
T value_;
};
// The overall configuration (I.e., the total set of flags).
class Config {
public:
enum Status { kOK, kUnknownFlag, kMalformedArgument, kMissingValue };
Config() : entries_() {}
template <typename T>
void AddEntry(const std::string& name, T init) {
entries_[name] = new ConfigEntry<T>(name, init);
}
Status ParseArgs(int argc, char** argv);
template <typename T>
T get(const std::string& key) const {
auto e = entry(key);
assert(e->type() == typeid(T).name());
return static_cast<const ConfigEntry<T>*>(e)->get();
}
private:
static std::string XformFlag(const std::string& arg);
std::map<std::string, ConfigEntryBase*> entries_;
const ConfigEntryBase* entry(const std::string& key) const {
auto e = entries_.find(key);
if (e == entries_.end()) return nullptr;
return e->second;
}
};
#endif // config_h_
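Review bot: `Config::get` dereferences the result of `entry(key)` without checking it, and `entry()` returns `nullptr` for a key that was never added, so a mistyped key is a null dereference. The type check is only an `assert`, which disappears under `NDEBUG` and leaves the `static_cast` unchecked. I would make both checks unconditional, e.g. `if (!e || e->type() != typeid(T).name()) abort();` (needs `<cstdlib>`). The entries are also allocated with `new` in `AddEntry` and never freed, `AddEntry` on an existing name drops the old pointer, and `ConfigEntryBase` has no virtual destructor. Holding `std::unique_ptr<ConfigEntryBase>` in `entries_` and adding `virtual ~ConfigEntryBase() {}` would cover all three.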


@ -0,0 +1,41 @@
{
"DisabledTests": {
"*HelloRetryRequest*":"HRR hasn't landed yet",
"SecondClientHelloWrongCurve":"HRR hasn't landed yet",
"KeyUpdate":"KeyUpdate Unimplemented",
"ClientAuth-NoFallback-TLS13":"Disagreement about alerts. Bug 1294975",
"ClientAuth-SHA1-Fallback":"Disagreement about alerts. Bug 1294975",
"SendWarningAlerts-TLS13":"NSS needs to trigger on warning alerts",
"*SignatureType-TLS13":"SignatureScheme patch",
"ECDSACurveMismatch-Verify-TLS13":"SignatureScheme patch",
"ServerAuth-NoFallback-TLS13":"PSS",
"NoSupportedCurves":"This tests a non-spec behavior for TLS 1.2 and expects the wrong alert for TLS 1.3",
"SendEmptyRecords":"Tests a non-spec behavior in BoGo where it chokes on too many empty records",
"LargePlaintext":"NSS needs to check for over-long records. Bug 1294978",
"TLS13-RC4-MD5-server":"This fails properly but returns an unexpected error. Not a bug but needs cleanup",
"*VersionTolerance":"BoGo expects us to negotiate 1.3 but we negotiate 1.2 because BoGo didn't send draft version",
"*SSL3*":"NSS disables SSLv3",
"*SSLv3*":"NSS disables SSLv3",
"*AES256*":"Inconsistent support for AES256",
"*AES128-SHA256*":"No support for Suite B ciphers",
"*CHACHA20-POLY1305-OLD*":"Old ChaCha/Poly",
"DuplicateExtension*":"NSS sends unexpected_extension alert",
"WeakDH":"NSS supports 768-bit DH",
"SillyDH":"NSS supports 4097-bit DH",
"SendWarningAlerts":"This appears to be Boring-specific",
"V2ClientHello-WarningAlertPrefix":"Bug 1292893",
"TLS12-AES128-GCM-client":"Bug 1292895",
"*TLS12-AES128-GCM-LargeRecord*":"Bug 1292895",
"Renegotiate-Client-Forbidden-1":"Bug 1292898",
"Renegotiate-Server-Forbidden":"NSS doesn't disable renegotiation by default",
"Renegotiate-Client-NoIgnore":"NSS doesn't disable renegotiation by default",
"StrayHelloRequest*":"NSS doesn't disable renegotiation by default"
},
"ErrorMap" : {
":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",
":UNKNOWN_CIPHER_RETURNED:":"SSL_ERROR_NO_CYPHER_OVERLAP",
":OLD_SESSION_CIPHER_NOT_RETURNED:":"SSL_ERROR_NO_CYPHER_OVERLAP",
":NO_SHARED_CIPHER:":"SSL_ERROR_NO_CYPHER_OVERLAP"
}
}
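Review bot: Several `DisabledTests` entries switch off checks for security-relevant behaviour with a reason but no tracking reference: `WeakDH` ("NSS supports 768-bit DH"), `SillyDH`, `SendWarningAlerts-TLS13` and the three renegotiation entries. Others, such as `LargePlaintext` and `V2ClientHello-WarningAlertPrefix`, cite a bug. Entries without a reference tend to stay disabled after the underlying behaviour changes, and a reader cannot tell whether the behaviour is intended or a known gap. I would put the reference into the reason string in the form the other entries use, e.g. `"WeakDH":"NSS supports 768-bit DH. Bug <BUG-ID>"`, and state in the reason whether the behaviour is by design.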


@ -0,0 +1,20 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
CORE_DEPTH = ../..
DEPTH = ../..
MODULE = nss
CPPSRCS = \
config.cc \
nsskeys.cc \
nss_bogo_shim.cc \
$(NULL)
REQUIRES = nspr nss libdbm
PROGRAM = nss_bogo_shim
#EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX)
USE_STATIC_LIBS = 1


@ -0,0 +1,314 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "config.h"
#include <cstdlib>
#include <iostream>
#include <memory>
#include "nspr.h"
#include "nss.h"
#include "prio.h"
#include "prnetdb.h"
#include "ssl.h"
#include "sslerr.h"
#include "sslproto.h"
#include "nsskeys.h"
std::string FormatError(PRErrorCode code) {
return std::string(":") + PORT_ErrorToName(code) + ":" + ":" +
PORT_ErrorToString(code);
}
class TestAgent {
public:
TestAgent(const Config& cfg)
: cfg_(cfg),
pr_fd_(nullptr),
ssl_fd_(nullptr),
cert_(nullptr),
key_(nullptr) {}
~TestAgent() {
if (pr_fd_) {
PR_Close(pr_fd_);
}
if (ssl_fd_) {
PR_Close(ssl_fd_);
}
if (key_) {
SECKEY_DestroyPrivateKey(key_);
}
if (cert_) {
CERT_DestroyCertificate(cert_);
}
}
static std::unique_ptr<TestAgent> Create(const Config& cfg) {
std::unique_ptr<TestAgent> agent(new TestAgent(cfg));
if (!agent->Init()) return nullptr;
return agent;
}
bool Init() {
if (!ConnectTcp()) {
return false;
}
if (!SetupKeys()) {
std::cerr << "Couldn't set up keys/certs\n";
return false;
}
if (!SetupOptions()) {
std::cerr << "Couldn't configure socket\n";
return false;
}
SECStatus rv = SSL_ResetHandshake(ssl_fd_, cfg_.get<bool>("server"));
if (rv != SECSuccess) return false;
return true;
}
bool ConnectTcp() {
PRStatus prv;
PRNetAddr addr;
prv = PR_StringToNetAddr("127.0.0.1", &addr);
if (prv != PR_SUCCESS) {
return false;
}
addr.inet.port = PR_htons(cfg_.get<int>("port"));
pr_fd_ = PR_OpenTCPSocket(addr.raw.family);
if (!pr_fd_) return false;
prv = PR_Connect(pr_fd_, &addr, PR_INTERVAL_NO_TIMEOUT);
if (prv != PR_SUCCESS) {
return false;
}
ssl_fd_ = SSL_ImportFD(NULL, pr_fd_);
if (!ssl_fd_) return false;
pr_fd_ = nullptr;
return true;
}
bool SetupKeys() {
SECStatus rv;
if (cfg_.get<std::string>("key-file") != "") {
key_ = ReadPrivateKey(cfg_.get<std::string>("key-file"));
if (!key_) exit(89); // Temporary to handle our inability to handle ECDSA
}
if (cfg_.get<std::string>("cert-file") != "") {
cert_ = ReadCertificate(cfg_.get<std::string>("cert-file"));
if (!cert_) return false;
}
if (cfg_.get<bool>("server")) {
// Server
rv = SSL_ConfigServerCert(ssl_fd_, cert_, key_, nullptr, 0);
if (rv != SECSuccess) {
std::cerr << "Couldn't configure server cert\n";
return false;
}
rv = SSL_ConfigServerSessionIDCache(1024, 0, 0, ".");
if (rv != SECSuccess) {
std::cerr << "Couldn't configure session cache\n";
return false;
}
} else {
// Client.
// Needed because server certs are not entirely valid.
rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
if (rv != SECSuccess) return false;
if (key_ && cert_) {
rv = SSL_GetClientAuthDataHook(ssl_fd_, GetClientAuthDataHook, this);
if (rv != SECSuccess) return false;
}
}
return true;
}
bool SetupOptions() {
SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
if (rv != SECSuccess) return false;
SSLVersionRange vrange = {SSL_LIBRARY_VERSION_TLS_1_0,
SSL_LIBRARY_VERSION_TLS_1_3};
rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
if (rv != SECSuccess) return false;
rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE, false);
if (rv != SECSuccess) return false;
if (!cfg_.get<bool>("server")) {
// Needed to make resumption work.
rv = SSL_SetURL(ssl_fd_, "server");
if (rv != SECSuccess) return false;
}
rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
if (rv != SECSuccess) return false;
if (!EnableNonExportCiphers()) return false;
return true;
}
bool EnableNonExportCiphers() {
for (size_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
SSLCipherSuiteInfo csinfo;
SECStatus rv = SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i], &csinfo,
sizeof(csinfo));
if (rv != SECSuccess) return false;
if (!csinfo.isExportable) {
rv = SSL_CipherPrefSet(ssl_fd_, SSL_ImplementedCiphers[i], PR_TRUE);
if (rv != SECSuccess) {
return false;
}
}
}
return true;
}
// Dummy auth certificate hook.
static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
PRBool checksig, PRBool isServer) {
return SECSuccess;
}
static SECStatus GetClientAuthDataHook(void* self, PRFileDesc* fd,
CERTDistNames* caNames,
CERTCertificate** cert,
SECKEYPrivateKey** privKey) {
TestAgent* a = static_cast<TestAgent*>(self);
*cert = CERT_DupCertificate(a->cert_);
*privKey = SECKEY_CopyPrivateKey(a->key_);
return SECSuccess;
}
SECStatus Handshake() { return SSL_ForceHandshake(ssl_fd_); }
// Implement a trivial echo client/server. Read bytes from the other side,
// flip all the bits, and send them back.
SECStatus ReadWrite() {
for (;;) {
uint8_t block[512];
int32_t rv = PR_Read(ssl_fd_, block, sizeof(block));
if (rv < 0) {
std::cerr << "Failure reading\n";
return SECFailure;
}
if (rv == 0) return SECSuccess;
int32_t len = rv;
for (int32_t i = 0; i < len; ++i) {
block[i] ^= 0xff;
}
rv = PR_Write(ssl_fd_, block, len);
if (rv != len) {
std::cerr << "Write failure\n";
return SECFailure;
}
}
return SECSuccess;
}
SECStatus DoExchange() {
SECStatus rv = Handshake();
if (rv != SECSuccess) {
PRErrorCode err = PR_GetError();
std::cerr << "Handshake failed with error=" << err << FormatError(err)
<< std::endl;
return SECFailure;
}
rv = ReadWrite();
if (rv != SECSuccess) {
PRErrorCode err = PR_GetError();
std::cerr << "ReadWrite failed with error=" << FormatError(err)
<< std::endl;
return SECFailure;
}
return SECSuccess;
}
private:
const Config& cfg_;
PRFileDesc* pr_fd_;
PRFileDesc* ssl_fd_;
CERTCertificate* cert_;
SECKEYPrivateKey* key_;
};
std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
std::unique_ptr<Config> cfg(new Config());
cfg->AddEntry<int>("port", 0);
cfg->AddEntry<bool>("server", false);
cfg->AddEntry<bool>("resume", false);
cfg->AddEntry<std::string>("key-file", "");
cfg->AddEntry<std::string>("cert-file", "");
auto rv = cfg->ParseArgs(argc, argv);
switch (rv) {
case Config::kOK:
break;
case Config::kUnknownFlag:
exit(89);
break;
default:
exit(1);
}
// Needed to change to std::unique_ptr<const Config>
return std::move(cfg);
}
void RunCycle(std::unique_ptr<const Config>& cfg) {
std::unique_ptr<TestAgent> agent(TestAgent::Create(*cfg));
if (!agent) {
exit(1);
}
SECStatus rv = agent->DoExchange();
if (rv) {
exit(1);
}
}
int main(int argc, char** argv) {
std::unique_ptr<const Config> cfg = ReadConfig(argc, argv);
SECStatus rv = NSS_NoDB_Init(nullptr);
if (rv != SECSuccess) return 1;
rv = NSS_SetDomesticPolicy();
if (rv != SECSuccess) return 1;
// Run a single test cycle.
RunCycle(cfg);
if (cfg->get<bool>("resume")) {
std::cout << "Resuming" << std::endl;
RunCycle(cfg);
}
exit(0);
}
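Review bot: `SetupKeys()` calls `exit(89)` whenever `ReadPrivateKey` returns null, the same code `ReadConfig` uses for `kUnknownFlag`, so a missing or malformed key file is reported the same way as an unsupported flag and the runner presumably records the test as skipped rather than failed. `ReadPrivateKey` returns null both for PEM read errors and for import failures, and only the import failure matches the "inability to handle ECDSA" comment; I would return `false` for read errors, which needs `ReadPrivateKey` to distinguish the two cases. `AuthCertificateHook` accepts every certificate, and its comment should say so, e.g. `// Test-only: accepts any server certificate without verification; not for use outside the BoGo shim.` The first message in `DoExchange()` also prints the numeric `err` before `FormatError(err)` while the second does not; one format for both would make the logs easier to match.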


@ -0,0 +1,84 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsskeys.h"
#include <cstring>
#include <fstream>
#include <iostream>
#include <string>
#include "cert.h"
#include "keyhi.h"
#include "nspr.h"
#include "nss.h"
#include "nssb64.h"
#include "pk11pub.h"
const std::string kPEMBegin = "-----BEGIN ";
const std::string kPEMEnd = "-----END ";
// Read a PEM file, base64 decode it, and return the result.
static bool ReadPEMFile(const std::string& filename, SECItem* item) {
std::ifstream in(filename);
if (in.bad()) return false;
char buf[1024];
in.getline(buf, sizeof(buf));
if (in.bad()) return false;
if (strncmp(buf, kPEMBegin.c_str(), kPEMBegin.size())) return false;
std::string value = "";
for (;;) {
in.getline(buf, sizeof(buf));
if (in.bad()) return false;
if (!strncmp(buf, kPEMEnd.c_str(), kPEMEnd.size())) break;
value += buf;
}
// Now we have a base64-encoded block.
if (!NSSBase64_DecodeBuffer(nullptr, item, value.c_str(), value.size()))
return false;
return true;
}
SECKEYPrivateKey* ReadPrivateKey(const std::string& file) {
SECItem item = {siBuffer, nullptr, 0};
if (!ReadPEMFile(file, &item)) return nullptr;
SECKEYPrivateKey* privkey = NULL;
PK11SlotInfo* slot = PK11_GetInternalSlot();
SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
slot, &item, nullptr, nullptr, PR_FALSE, PR_FALSE,
KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT | KU_DIGITAL_SIGNATURE,
&privkey, nullptr);
PK11_FreeSlot(slot);
SECITEM_FreeItem(&item, PR_FALSE);
if (rv != SECSuccess) {
// This is probably due to this being an ECDSA key (Bug 1295121).
std::cerr << "Couldn't import key " << PORT_ErrorToString(PORT_GetError())
<< "\n";
return nullptr;
}
return privkey;
}
CERTCertificate* ReadCertificate(const std::string& file) {
SECItem item = {siBuffer, nullptr, 0};
if (!ReadPEMFile(file, &item)) return nullptr;
CERTCertificate* cert = CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &item, NULL, PR_FALSE, PR_TRUE);
SECITEM_FreeItem(&item, PR_FALSE);
return cert;
}
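Review bot: `ReadPEMFile` tests `in.bad()` after each read, but a failed open, end of file and a line longer than the 1024-byte `buf` all set `failbit`, not `badbit`. In the `for (;;)` loop a file with no `-----END ` line, or one with an over-long line, therefore never reaches the `break` and the loop does not terminate. Checking the stream state itself fixes this: `if (!in) return false;` in place of each `if (in.bad()) return false;`. In `ReadPrivateKey` the DER-encoded private key in `item` is released with `SECITEM_FreeItem`, which leaves the key bytes in freed memory; `SECITEM_ZfreeItem(&item, PR_FALSE);` zeroes them first.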


@ -0,0 +1,20 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
// Utilities to pull in OpenSSL-formatted keys.
#ifndef nsskeys_h_
#define nsskeys_h_
#include "cert.h"
#include "keyhi.h"
#include <string>
SECKEYPrivateKey* ReadPrivateKey(const std::string& file);
CERTCertificate* ReadCertificate(const std::string& file);
#endif


@ -4,9 +4,9 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <memory>
#include "nss.h"
#include "pk11pub.h"
#include <memory>
#include "gtest/gtest.h"
#include "scoped_ptrs.h"
@ -14,90 +14,65 @@
namespace nss_test {
// Test vectors from https://tools.ietf.org/html/rfc3394#section-4.1 to 4.6
unsigned char kKEK1[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
};
unsigned char kKEK1[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
unsigned char kKD1[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF
};
unsigned char kKD1[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF};
unsigned char kC1[] = {
0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47,
0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82,
0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5
};
unsigned char kC1[] = {0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47,
0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82,
0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5};
unsigned char kKEK2[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
};
unsigned char kKEK2[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
unsigned char kC2[] = {
0x96, 0x77, 0x8B, 0x25, 0xAE, 0x6C, 0xA4, 0x35,
0xF9, 0x2B, 0x5B, 0x97, 0xC0, 0x50, 0xAE, 0xD2,
0x46, 0x8A, 0xB8, 0xA1, 0x7A, 0xD8, 0x4E, 0x5D
};
unsigned char kC2[] = {0x96, 0x77, 0x8B, 0x25, 0xAE, 0x6C, 0xA4, 0x35,
0xF9, 0x2B, 0x5B, 0x97, 0xC0, 0x50, 0xAE, 0xD2,
0x46, 0x8A, 0xB8, 0xA1, 0x7A, 0xD8, 0x4E, 0x5D};
unsigned char kKEK3[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
};
unsigned char kKEK3[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F};
unsigned char kC3[] = {
0x64, 0xE8, 0xC3, 0xF9, 0xCE, 0x0F, 0x5B, 0xA2,
0x63, 0xE9, 0x77, 0x79, 0x05, 0x81, 0x8A, 0x2A,
0x93, 0xC8, 0x19, 0x1E, 0x7D, 0x6E, 0x8A, 0xE7
};
unsigned char kC3[] = {0x64, 0xE8, 0xC3, 0xF9, 0xCE, 0x0F, 0x5B, 0xA2,
0x63, 0xE9, 0x77, 0x79, 0x05, 0x81, 0x8A, 0x2A,
0x93, 0xC8, 0x19, 0x1E, 0x7D, 0x6E, 0x8A, 0xE7};
unsigned char kKD4[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
unsigned char kKD4[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
unsigned char kC4[] = {
0x03, 0x1D, 0x33, 0x26, 0x4E, 0x15, 0xD3, 0x32,
0x68, 0xF2, 0x4E, 0xC2, 0x60, 0x74, 0x3E, 0xDC,
0xE1, 0xC6, 0xC7, 0xDD, 0xEE, 0x72, 0x5A, 0x93,
0x6B, 0xA8, 0x14, 0x91, 0x5C, 0x67, 0x62, 0xD2
};
unsigned char kC4[] = {0x03, 0x1D, 0x33, 0x26, 0x4E, 0x15, 0xD3, 0x32,
0x68, 0xF2, 0x4E, 0xC2, 0x60, 0x74, 0x3E, 0xDC,
0xE1, 0xC6, 0xC7, 0xDD, 0xEE, 0x72, 0x5A, 0x93,
0x6B, 0xA8, 0x14, 0x91, 0x5C, 0x67, 0x62, 0xD2};
unsigned char kC5[] = {
0xA8, 0xF9, 0xBC, 0x16, 0x12, 0xC6, 0x8B, 0x3F,
0xF6, 0xE6, 0xF4, 0xFB, 0xE3, 0x0E, 0x71, 0xE4,
0x76, 0x9C, 0x8B, 0x80, 0xA3, 0x2C, 0xB8, 0x95,
0x8C, 0xD5, 0xD1, 0x7D, 0x6B, 0x25, 0x4D, 0xA1
};
unsigned char kC5[] = {0xA8, 0xF9, 0xBC, 0x16, 0x12, 0xC6, 0x8B, 0x3F,
0xF6, 0xE6, 0xF4, 0xFB, 0xE3, 0x0E, 0x71, 0xE4,
0x76, 0x9C, 0x8B, 0x80, 0xA3, 0x2C, 0xB8, 0x95,
0x8C, 0xD5, 0xD1, 0x7D, 0x6B, 0x25, 0x4D, 0xA1};
unsigned char kKD6[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
};
unsigned char kKD6[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
unsigned char kC6[] = {
0x28, 0xC9, 0xF4, 0x04, 0xC4, 0xB8, 0x10, 0xF4,
0xCB, 0xCC, 0xB3, 0x5C, 0xFB, 0x87, 0xF8, 0x26,
0x3F, 0x57, 0x86, 0xE2, 0xD8, 0x0E, 0xD3, 0x26,
0xCB, 0xC7, 0xF0, 0xE7, 0x1A, 0x99, 0xF4, 0x3B,
0xFB, 0x98, 0x8B, 0x9B, 0x7A, 0x02, 0xDD, 0x21
};
unsigned char kC6[] = {0x28, 0xC9, 0xF4, 0x04, 0xC4, 0xB8, 0x10, 0xF4,
0xCB, 0xCC, 0xB3, 0x5C, 0xFB, 0x87, 0xF8, 0x26,
0x3F, 0x57, 0x86, 0xE2, 0xD8, 0x0E, 0xD3, 0x26,
0xCB, 0xC7, 0xF0, 0xE7, 0x1A, 0x99, 0xF4, 0x3B,
0xFB, 0x98, 0x8B, 0x9B, 0x7A, 0x02, 0xDD, 0x21};
class Pkcs11AESKeyWrapTest : public ::testing::Test {
protected:
CK_MECHANISM_TYPE mechanism = CKM_NSS_AES_KEY_WRAP;
void
WrapUnwrap(unsigned char* kek, unsigned int kekLen, unsigned char* keyData,
unsigned int keyDataLen, unsigned char* expectedCiphertext)
{
void WrapUnwrap(unsigned char* kek, unsigned int kekLen,
unsigned char* keyData, unsigned int keyDataLen,
unsigned char* expectedCiphertext) {
unsigned char wrappedKey[40];
unsigned int wrappedKeyLen;
unsigned char unwrappedKey[40];
@ -108,16 +83,16 @@ class Pkcs11AESKeyWrapTest : public ::testing::Test {
ASSERT_NE(nullptr, slot);
// Import encryption key.
SECItem keyItem = { siBuffer, kek, kekLen };
ScopedPK11SymKey encryptionKey(PK11_ImportSymKey(slot.get(), CKM_NSS_AES_KEY_WRAP,
PK11_OriginUnwrap, CKA_ENCRYPT,
&keyItem, nullptr));
SECItem keyItem = {siBuffer, kek, kekLen};
ScopedPK11SymKey encryptionKey(
PK11_ImportSymKey(slot.get(), CKM_NSS_AES_KEY_WRAP, PK11_OriginUnwrap,
CKA_ENCRYPT, &keyItem, nullptr));
EXPECT_TRUE(!!encryptionKey);
// Wrap key
rv = PK11_Encrypt(encryptionKey.get(), mechanism, nullptr /* param */,
wrappedKey, &wrappedKeyLen, sizeof(wrappedKey),
keyData, keyDataLen);
wrappedKey, &wrappedKeyLen, sizeof(wrappedKey), keyData,
keyDataLen);
EXPECT_EQ(rv, SECSuccess) << "CKM_NSS_AES_KEY_WRAP encrypt failed";
EXPECT_TRUE(!memcmp(expectedCiphertext, wrappedKey, wrappedKeyLen));


@ -4,10 +4,10 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <memory>
#include "nss.h"
#include "pk11pub.h"
#include "sechash.h"
#include <memory>
#include "gtest/gtest.h"
#include "scoped_ptrs.h"
@ -17,109 +17,103 @@ namespace nss_test {
// ChaCha20/Poly1305 Test Vector 1, RFC 7539
// <http://tools.ietf.org/html/rfc7539#section-2.8.2>
const uint8_t kTestVector1Data[] = {
0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x47, 0x65,
0x6e, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68,
0x65, 0x20, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39,
0x39, 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63, 0x6f, 0x75, 0x6c, 0x64,
0x20, 0x6f, 0x66, 0x66, 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f, 0x6e,
0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20, 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f,
0x72, 0x20, 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x2c,
0x20, 0x73, 0x75, 0x6e, 0x73, 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, 0x74, 0x2e
};
const uint8_t kTestVector1AAD[] = {
0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7
};
0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x47,
0x65, 0x6e, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x6f, 0x66,
0x20, 0x27, 0x39, 0x39, 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66, 0x65, 0x72, 0x20, 0x79,
0x6f, 0x75, 0x20, 0x6f, 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x74, 0x68, 0x65, 0x20,
0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f, 0x75, 0x6c, 0x64, 0x20,
0x62, 0x65, 0x20, 0x69, 0x74, 0x2e};
const uint8_t kTestVector1AAD[] = {0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1,
0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7};
const uint8_t kTestVector1Key[] = {
0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c,
0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99,
0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
};
const uint8_t kTestVector1IV[] = {
0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47
};
0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a,
0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95,
0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f};
const uint8_t kTestVector1IV[] = {0x07, 0x00, 0x00, 0x00, 0x40, 0x41,
0x42, 0x43, 0x44, 0x45, 0x46, 0x47};
const uint8_t kTestVector1CT[] = {
0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, 0x7b, 0x86, 0xaf, 0xbc, 0x53,
0xef, 0x7e, 0xc2, 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe, 0xa9, 0xe2,
0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67,
0x12, 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b, 0x1a, 0x71, 0xde, 0x0a,
0x9e, 0x06, 0x0b, 0x29, 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36, 0x92,
0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c, 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09,
0x1b, 0x58, 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94, 0x55, 0x85, 0x80,
0x8b, 0x48, 0x31, 0xd7, 0xbc, 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b, 0x61, 0x16, 0x1a, 0xe1, 0x0b,
0x59, 0x4f, 0x09, 0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
};
0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, 0x7b, 0x86, 0xaf, 0xbc,
0x53, 0xef, 0x7e, 0xc2, 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, 0x3d, 0xbe, 0xa4, 0x5e,
0x8c, 0xa9, 0x67, 0x12, 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29, 0x05, 0xd6, 0xa5, 0xb6,
0x7e, 0xcd, 0x3b, 0x36, 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58, 0xfa, 0xb3, 0x24, 0xe4,
0xfa, 0xd6, 0x75, 0x94, 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d, 0xe5, 0x76, 0xd2, 0x65,
0x86, 0xce, 0xc6, 0x4b, 0x61, 0x16, 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09,
0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91};
// ChaCha20/Poly1305 Test Vector 2, RFC 7539
// <http://tools.ietf.org/html/rfc7539#appendix-A.5>
const uint8_t kTestVector2Data[] = {
0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61, 0x66,
0x74, 0x73, 0x20, 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66, 0x74, 0x20,
0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c,
0x69, 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20, 0x6d, 0x61, 0x78, 0x69,
0x6d, 0x75, 0x6d, 0x20, 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d, 0x6f,
0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20,
0x62, 0x65, 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x2c, 0x20, 0x72,
0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x6f,
0x74, 0x68, 0x65, 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74,
0x73, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65,
0x2e, 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69, 0x6e, 0x61, 0x70, 0x70,
0x72, 0x6f, 0x70, 0x72, 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20, 0x75,
0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44,
0x72, 0x61, 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72, 0x65, 0x66, 0x65,
0x72, 0x65, 0x6e, 0x63, 0x65, 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20, 0x63, 0x69, 0x74, 0x65, 0x20,
0x74, 0x68, 0x65, 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20, 0x74, 0x68,
0x61, 0x6e, 0x20, 0x61, 0x73, 0x20, 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72,
0x6b, 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73,
0x2e, 0x2f, 0xe2, 0x80, 0x9d
};
const uint8_t kTestVector2AAD[] = {
0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4e, 0x91
};
0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
0x66, 0x74, 0x73, 0x20, 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x20,
0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20, 0x6f, 0x66, 0x20, 0x73,
0x69, 0x78, 0x20, 0x6d, 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65, 0x20, 0x75, 0x70, 0x64,
0x61, 0x74, 0x65, 0x64, 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f, 0x62, 0x73, 0x6f, 0x6c,
0x65, 0x74, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x20,
0x61, 0x74, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69, 0x6e, 0x61, 0x70, 0x70,
0x72, 0x6f, 0x70, 0x72, 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x20, 0x6d, 0x61, 0x74,
0x65, 0x72, 0x69, 0x61, 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65, 0x6d, 0x20, 0x6f, 0x74,
0x68, 0x65, 0x72, 0x20, 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b, 0x20, 0x69, 0x6e, 0x20,
0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
0x9d};
const uint8_t kTestVector2AAD[] = {0xf3, 0x33, 0x88, 0x86, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x4e, 0x91};
const uint8_t kTestVector2Key[] = {
0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a, 0xf3, 0x33, 0x88, 0x86, 0x04,
0xf6, 0xb5, 0xf0, 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09, 0x9d, 0xca,
0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
};
const uint8_t kTestVector2IV[] = {
0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};
0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a, 0xf3, 0x33, 0x88,
0x86, 0x04, 0xf6, 0xb5, 0xf0, 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b,
0x80, 0x09, 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0};
const uint8_t kTestVector2IV[] = {0x00, 0x00, 0x00, 0x00, 0x01, 0x02,
0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
const uint8_t kTestVector2CT[] = {
0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4, 0x60, 0xf0, 0x62, 0xc7, 0x9b,
0xe6, 0x43, 0xbd, 0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89, 0xf1, 0x08,
0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2, 0x4c, 0x6c, 0xfc, 0x18, 0x75, 0x5d, 0x43,
0xee, 0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0, 0xbd, 0xb7, 0xb7, 0x3c,
0x32, 0x1b, 0x01, 0x00, 0xd4, 0xf0, 0x3b, 0x7f, 0x35, 0x58, 0x94, 0xcf, 0x33,
0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce, 0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b,
0x94, 0x81, 0x14, 0xad, 0x17, 0x6e, 0x00, 0x8d, 0x33, 0xbd, 0x60, 0xf9, 0x82,
0xb1, 0xff, 0x37, 0xc8, 0x55, 0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61,
0xc1, 0x86, 0x32, 0x4e, 0x2b, 0x35, 0x06, 0x38, 0x36, 0x06, 0x90, 0x7b, 0x6a,
0x7c, 0x02, 0xb0, 0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4, 0xb9, 0x16,
0x6c, 0x76, 0x7b, 0x80, 0x4d, 0x46, 0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4,
0xe9, 0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e, 0xe2, 0x82, 0xa1, 0xb0,
0xa0, 0x6c, 0x52, 0x3e, 0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15, 0x5b,
0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a, 0x0d, 0x07, 0x2b, 0x04, 0xb3, 0x56,
0x4e, 0xea, 0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a, 0x0b, 0xb2, 0x31,
0x60, 0x53, 0xfa, 0x76, 0x99, 0x19, 0x55, 0xeb, 0xd6, 0x31, 0x59, 0x43, 0x4e,
0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10, 0x73, 0xa6, 0x72, 0x76, 0x27,
0x09, 0x7a, 0x10, 0x49, 0xe6, 0x17, 0xd9, 0x1d, 0x36, 0x10, 0x94, 0xfa, 0x68,
0xf0, 0xff, 0x77, 0x98, 0x71, 0x30, 0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04,
0xdf, 0x99, 0x7b, 0x71, 0x4d, 0x6c, 0x6f, 0x2c, 0x29, 0xa6, 0xad, 0x5c, 0xb4,
0x02, 0x2b, 0x02, 0x70, 0x9b, 0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb, 0x22,
0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f, 0x38
};
0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4, 0x60, 0xf0, 0x62, 0xc7,
0x9b, 0xe6, 0x43, 0xbd, 0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89,
0xf1, 0x08, 0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2, 0x4c, 0x6c, 0xfc, 0x18,
0x75, 0x5d, 0x43, 0xee, 0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0,
0xbd, 0xb7, 0xb7, 0x3c, 0x32, 0x1b, 0x01, 0x00, 0xd4, 0xf0, 0x3b, 0x7f,
0x35, 0x58, 0x94, 0xcf, 0x33, 0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce,
0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b, 0x94, 0x81, 0x14, 0xad, 0x17, 0x6e,
0x00, 0x8d, 0x33, 0xbd, 0x60, 0xf9, 0x82, 0xb1, 0xff, 0x37, 0xc8, 0x55,
0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61, 0xc1, 0x86, 0x32, 0x4e,
0x2b, 0x35, 0x06, 0x38, 0x36, 0x06, 0x90, 0x7b, 0x6a, 0x7c, 0x02, 0xb0,
0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4, 0xb9, 0x16, 0x6c, 0x76,
0x7b, 0x80, 0x4d, 0x46, 0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4, 0xe9,
0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e, 0xe2, 0x82, 0xa1, 0xb0,
0xa0, 0x6c, 0x52, 0x3e, 0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15,
0x5b, 0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a, 0x0d, 0x07, 0x2b, 0x04,
0xb3, 0x56, 0x4e, 0xea, 0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a,
0x0b, 0xb2, 0x31, 0x60, 0x53, 0xfa, 0x76, 0x99, 0x19, 0x55, 0xeb, 0xd6,
0x31, 0x59, 0x43, 0x4e, 0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10,
0x73, 0xa6, 0x72, 0x76, 0x27, 0x09, 0x7a, 0x10, 0x49, 0xe6, 0x17, 0xd9,
0x1d, 0x36, 0x10, 0x94, 0xfa, 0x68, 0xf0, 0xff, 0x77, 0x98, 0x71, 0x30,
0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04, 0xdf, 0x99, 0x7b, 0x71, 0x4d,
0x6c, 0x6f, 0x2c, 0x29, 0xa6, 0xad, 0x5c, 0xb4, 0x02, 0x2b, 0x02, 0x70,
0x9b, 0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb, 0x22, 0x39, 0x23, 0x36,
0xfe, 0xa1, 0x85, 0x1f, 0x38};
class Pkcs11ChaCha20Poly1305Test : public ::testing::Test {
public:
void EncryptDecrypt(PK11SymKey* symKey,
const uint8_t* data, size_t data_len,
const uint8_t* aad, size_t aad_len,
const uint8_t* iv, size_t iv_len,
const uint8_t* ct = nullptr, size_t ct_len = 0)
{
void EncryptDecrypt(PK11SymKey* symKey, const uint8_t* data, size_t data_len,
const uint8_t* aad, size_t aad_len, const uint8_t* iv,
size_t iv_len, const uint8_t* ct = nullptr,
size_t ct_len = 0) {
// Prepare AEAD params.
CK_NSS_AEAD_PARAMS aead_params;
aead_params.pNonce = toUcharPtr(iv);
@ -128,8 +122,8 @@ class Pkcs11ChaCha20Poly1305Test : public ::testing::Test {
aead_params.ulAADLen = aad_len;
aead_params.ulTagLen = 16;
SECItem params = { siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
sizeof(aead_params) };
SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
sizeof(aead_params)};
// Encrypt.
unsigned int outputLen = 0;
@ -202,20 +196,17 @@ class Pkcs11ChaCha20Poly1305Test : public ::testing::Test {
}
}
void EncryptDecrypt(const uint8_t* key, size_t key_len,
const uint8_t* data, size_t data_len,
const uint8_t* aad, size_t aad_len,
const uint8_t* iv, size_t iv_len,
const uint8_t* ct, size_t ct_len)
{
void EncryptDecrypt(const uint8_t* key, size_t key_len, const uint8_t* data,
size_t data_len, const uint8_t* aad, size_t aad_len,
const uint8_t* iv, size_t iv_len, const uint8_t* ct,
size_t ct_len) {
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
SECItem keyItem = { siBuffer, toUcharPtr(key),
static_cast<unsigned int>(key_len) };
SECItem keyItem = {siBuffer, toUcharPtr(key),
static_cast<unsigned int>(key_len)};
// Import key.
ScopedPK11SymKey symKey(PK11_ImportSymKey(slot.get(), mech,
PK11_OriginUnwrap, CKA_ENCRYPT,
&keyItem, nullptr));
ScopedPK11SymKey symKey(PK11_ImportSymKey(
slot.get(), mech, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, nullptr));
EXPECT_TRUE(!!symKey);
// Check.
@ -227,17 +218,13 @@ class Pkcs11ChaCha20Poly1305Test : public ::testing::Test {
CK_MECHANISM_TYPE mech = CKM_NSS_CHACHA20_POLY1305;
unsigned char* toUcharPtr(const uint8_t* v) {
return const_cast<unsigned char*>(
static_cast<const unsigned char*>(v));
return const_cast<unsigned char*>(static_cast<const unsigned char*>(v));
}
};
#define ENCRYPT_DECRYPT(v) \
EncryptDecrypt(v ## Key, sizeof(v ## Key), \
v ## Data, sizeof(v ## Data), \
v ## AAD, sizeof(v ## AAD), \
v ## IV, sizeof(v ## IV), \
v ## CT, sizeof(v ## CT));
#define ENCRYPT_DECRYPT(v) \
EncryptDecrypt(v##Key, sizeof(v##Key), v##Data, sizeof(v##Data), v##AAD, \
sizeof(v##AAD), v##IV, sizeof(v##IV), v##CT, sizeof(v##CT));
TEST_F(Pkcs11ChaCha20Poly1305Test, GenerateEncryptDecrypt) {
// Generate a random key.
@ -274,4 +261,3 @@ TEST_F(Pkcs11ChaCha20Poly1305Test, CheckTestVector2) {
}
} // namespace nss_test
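Review bot: In the key-bytes overload of `EncryptDecrypt`, `EXPECT_TRUE(!!symKey)` is non-fatal, so a failed `PK11_ImportSymKey` presumably still reaches the code after `// Check.` with a null key, and the `slot` returned by `PK11_GetInternalSlot()` is used via `slot.get()` without any check. Because this overload returns void, `ASSERT_NE(nullptr, slot);` after the slot lookup and `ASSERT_TRUE(!!symKey);` after the import would stop the test at the first bad handle instead of relying on how NSS treats a null argument. The body of the overload continues outside the hunk, so what follows `// Check.` is inferred. `Pkcs11Pbkdf2Test::DeriveBytes` in the next file section has the same gap for `alg_id` and `symKey`; it returns bool, so there the guard would be `if (!symKey) return false;` after an `EXPECT_TRUE`.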


@ -4,9 +4,9 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <memory>
#include "nss.h"
#include "pk11pub.h"
#include <memory>
#include "gtest/gtest.h"
#include "scoped_ptrs.h"
@ -15,13 +15,12 @@ namespace nss_test {
static unsigned char* ToUcharPtr(std::string& str) {
return const_cast<unsigned char*>(
reinterpret_cast<const unsigned char*>(str.c_str()));
reinterpret_cast<const unsigned char*>(str.c_str()));
}
class Pkcs11Pbkdf2Test : public ::testing::Test {
public:
void Derive(std::vector<uint8_t>& derived, SECOidTag hash_alg)
{
void Derive(std::vector<uint8_t>& derived, SECOidTag hash_alg) {
// Shared between test vectors.
const unsigned int iterations = 4096;
std::string pass("passwordPASSWORDpassword");
@ -49,22 +48,21 @@ class Pkcs11Pbkdf2Test : public ::testing::Test {
private:
bool DeriveBytes(std::string& pass, std::string& salt,
std::vector<uint8_t>& derived, SECOidTag hash_alg,
unsigned int iterations)
{
SECItem passItem = { siBuffer, ToUcharPtr(pass),
static_cast<unsigned int>(pass.length()) };
SECItem saltItem = { siBuffer, ToUcharPtr(salt),
static_cast<unsigned int>(salt.length()) };
unsigned int iterations) {
SECItem passItem = {siBuffer, ToUcharPtr(pass),
static_cast<unsigned int>(pass.length())};
SECItem saltItem = {siBuffer, ToUcharPtr(salt),
static_cast<unsigned int>(salt.length())};
// Set up PBKDF2 params.
ScopedSECAlgorithmID alg_id(
PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, hash_alg, hash_alg,
derived.size(), iterations, &saltItem));
PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, hash_alg, hash_alg,
derived.size(), iterations, &saltItem));
// Derive.
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ScopedPK11SymKey symKey(
PK11_PBEKeyGen(slot.get(), alg_id.get(), &passItem, false, nullptr));
PK11_PBEKeyGen(slot.get(), alg_id.get(), &passItem, false, nullptr));
SECStatus rv = PK11_ExtractKeyValue(symKey.get());
EXPECT_EQ(rv, SECSuccess);
@ -76,10 +74,10 @@ class Pkcs11Pbkdf2Test : public ::testing::Test {
// RFC 6070 <http://tools.ietf.org/html/rfc6070>
TEST_F(Pkcs11Pbkdf2Test, DeriveKnown1) {
std::vector<uint8_t> derived = {
0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b, 0x80, 0xc8, 0xd8, 0x36,
0x62, 0xc0, 0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70, 0x38
};
std::vector<uint8_t> derived = {0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84,
0x9b, 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0,
0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c,
0xf2, 0xf0, 0x70, 0x38};
Derive(derived, SEC_OID_HMAC_SHA1);
}
@ -87,14 +85,12 @@ TEST_F(Pkcs11Pbkdf2Test, DeriveKnown1) {
// https://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors
TEST_F(Pkcs11Pbkdf2Test, DeriveKnown2) {
std::vector<uint8_t> derived = {
0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8,
0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd, 0x53, 0xe1, 0xc6, 0x35, 0x51, 0x8c,
0x7d, 0xac, 0x47, 0xe9
};
0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8,
0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e,
0xbc, 0x18, 0x00, 0x18, 0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd,
0x53, 0xe1, 0xc6, 0x35, 0x51, 0x8c, 0x7d, 0xac, 0x47, 0xe9};
Derive(derived, SEC_OID_HMAC_SHA256);
}
} // namespace nss_test


@ -4,9 +4,9 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <memory>
#include "nss.h"
#include "pk11pub.h"
#include <memory>
#include "gtest/gtest.h"
@ -21,141 +21,130 @@ const size_t kPrfSeedSizeTlsPrf = 36;
const size_t kIncorrectSize = 17;
const uint8_t kPmsData[] = {
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,
0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f
};
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f};
const uint8_t kPrfSeed[] = {
0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff,
0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,
0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,
0xd0,0xd1,0xd2,0xd3
};
0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb,
0xfc, 0xfd, 0xfe, 0xff, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xd0, 0xd1, 0xd2, 0xd3};
const uint8_t kExpectedOutputEmsSha256[] = {
0x75,0xa7,0xa5,0x98,0xef,0xab,0x90,0xe7,
0x7c,0x67,0x80,0xde,0xab,0x3a,0x11,0xf3,
0x5d,0xb2,0xf8,0x47,0xff,0x09,0x01,0xec,
0xf8,0x93,0x89,0xfc,0x98,0x2e,0x6e,0xf9,
0x2c,0xf5,0x9b,0x04,0x04,0x6f,0xd7,0x28,
0x6e,0xea,0xe3,0x83,0xc4,0x4a,0xff,0x03
};
0x75, 0xa7, 0xa5, 0x98, 0xef, 0xab, 0x90, 0xe7, 0x7c, 0x67, 0x80, 0xde,
0xab, 0x3a, 0x11, 0xf3, 0x5d, 0xb2, 0xf8, 0x47, 0xff, 0x09, 0x01, 0xec,
0xf8, 0x93, 0x89, 0xfc, 0x98, 0x2e, 0x6e, 0xf9, 0x2c, 0xf5, 0x9b, 0x04,
0x04, 0x6f, 0xd7, 0x28, 0x6e, 0xea, 0xe3, 0x83, 0xc4, 0x4a, 0xff, 0x03};
const uint8_t kExpectedOutputEmsTlsPrf[] = {
0x06,0xbf,0x29,0x86,0x5d,0xf3,0x3e,0x38,
0xfd,0xfa,0x91,0x10,0x2a,0x20,0xff,0xd6,
0xb9,0xd5,0x72,0x5a,0x6d,0x42,0x20,0x16,
0xde,0xa4,0xa0,0x51,0xe5,0x53,0xc1,0x28,
0x04,0x99,0xbc,0xb1,0x2c,0x9d,0xe8,0x0b,
0x18,0xa2,0x0e,0x48,0x52,0x8d,0x61,0x13
};
0x06, 0xbf, 0x29, 0x86, 0x5d, 0xf3, 0x3e, 0x38, 0xfd, 0xfa, 0x91, 0x10,
0x2a, 0x20, 0xff, 0xd6, 0xb9, 0xd5, 0x72, 0x5a, 0x6d, 0x42, 0x20, 0x16,
0xde, 0xa4, 0xa0, 0x51, 0xe5, 0x53, 0xc1, 0x28, 0x04, 0x99, 0xbc, 0xb1,
0x2c, 0x9d, 0xe8, 0x0b, 0x18, 0xa2, 0x0e, 0x48, 0x52, 0x8d, 0x61, 0x13};
static unsigned char* toUcharPtr(const uint8_t* v) {
return const_cast<unsigned char*>(
static_cast<const unsigned char *>(v));
return const_cast<unsigned char*>(static_cast<const unsigned char*>(v));
}
class TlsPrfTest : public ::testing::Test {
public:
TlsPrfTest()
: params_({siBuffer, nullptr, 0})
, pms_item_({siBuffer, toUcharPtr(kPmsData), kPmsSize})
, key_mech_(0)
, slot_(nullptr)
, pms_(nullptr)
, ms_(nullptr)
, pms_version_({0, 0}) {}
: params_({siBuffer, nullptr, 0}),
pms_item_({siBuffer, toUcharPtr(kPmsData), kPmsSize}),
key_mech_(0),
slot_(nullptr),
pms_(nullptr),
ms_(nullptr),
pms_version_({0, 0}) {}
~TlsPrfTest() {
if (slot_) { PK11_FreeSlot(slot_); }
if (slot_) {
PK11_FreeSlot(slot_);
}
ClearTempVars();
}
void ClearTempVars() {
if (pms_) { PK11_FreeSymKey(pms_); }
if (ms_) { PK11_FreeSymKey(ms_); }
if (pms_) {
PK11_FreeSymKey(pms_);
}
if (ms_) {
PK11_FreeSymKey(ms_);
}
}
void Init() {
params_.type = siBuffer;
pms_item_.type = siBuffer;
pms_item_.data = const_cast<unsigned char*>(
static_cast<const unsigned char *>(kPmsData));
pms_item_.data =
const_cast<unsigned char*>(static_cast<const unsigned char*>(kPmsData));
slot_ = PK11_GetInternalSlot();
ASSERT_NE(nullptr, slot_);
}
void CheckForError(CK_MECHANISM_TYPE hash_mech,
size_t seed_len,
size_t pms_len,
size_t output_len) {
void CheckForError(CK_MECHANISM_TYPE hash_mech, size_t seed_len,
size_t pms_len, size_t output_len) {
// Error tests don't depend on the derivation mechansim
Inner(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, hash_mech,
seed_len, pms_len, output_len, nullptr, nullptr);
Inner(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, hash_mech, seed_len, pms_len,
output_len, nullptr, nullptr);
}
void ComputeAndVerifyMs(CK_MECHANISM_TYPE derive_mech,
CK_MECHANISM_TYPE hash_mech,
CK_VERSION* version,
CK_MECHANISM_TYPE hash_mech, CK_VERSION* version,
const uint8_t* expected) {
// Infer seed length from mechanism
int seed_len = 0;
switch (hash_mech) {
case CKM_TLS_PRF: seed_len = kPrfSeedSizeTlsPrf; break;
case CKM_SHA256: seed_len = kPrfSeedSizeSha256; break;
default: ASSERT_TRUE(false);
case CKM_TLS_PRF:
seed_len = kPrfSeedSizeTlsPrf;
break;
case CKM_SHA256:
seed_len = kPrfSeedSizeSha256;
break;
default:
ASSERT_TRUE(false);
}
Inner(derive_mech, hash_mech, seed_len,
kPmsSize, 0, version, expected);
Inner(derive_mech, hash_mech, seed_len, kPmsSize, 0, version, expected);
}
// Set output == nullptr to test when errors occur
void Inner(
CK_MECHANISM_TYPE derive_mech,
CK_MECHANISM_TYPE hash_mech,
size_t seed_len,
size_t pms_len,
size_t output_len,
CK_VERSION* version,
const uint8_t* expected) {
void Inner(CK_MECHANISM_TYPE derive_mech, CK_MECHANISM_TYPE hash_mech,
size_t seed_len, size_t pms_len, size_t output_len,
CK_VERSION* version, const uint8_t* expected) {
ClearTempVars();
// Infer the key mechanism from the hash type
switch (hash_mech) {
case CKM_TLS_PRF: key_mech_ = CKM_TLS_KEY_AND_MAC_DERIVE; break;
case CKM_SHA256: key_mech_ = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; break;
default: ASSERT_TRUE(false);
case CKM_TLS_PRF:
key_mech_ = CKM_TLS_KEY_AND_MAC_DERIVE;
break;
case CKM_SHA256:
key_mech_ = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
break;
default:
ASSERT_TRUE(false);
}
// Import the params
CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS master_params = {
hash_mech,
toUcharPtr(kPrfSeed),
static_cast<CK_ULONG>(seed_len),
version
};
hash_mech, toUcharPtr(kPrfSeed), static_cast<CK_ULONG>(seed_len),
version};
params_.data = reinterpret_cast<unsigned char*>(&master_params);
params_.len = sizeof(master_params);
// Import the PMS
pms_item_.len = pms_len;
pms_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap,
CKA_DERIVE, &pms_item_, NULL);
pms_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap, CKA_DERIVE,
&pms_item_, NULL);
ASSERT_NE(nullptr, pms_);
// Compute the EMS
ms_ = PK11_DeriveWithFlags(pms_, derive_mech, &params_, key_mech_,
CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
// Verify the EMS has the expected value (null or otherwise)
if (!expected) {
@ -166,12 +155,11 @@ class TlsPrfTest : public ::testing::Test {
SECStatus rv = PK11_ExtractKeyValue(ms_);
ASSERT_EQ(SECSuccess, rv);
SECItem *msData = PK11_GetKeyData(ms_);
SECItem* msData = PK11_GetKeyData(ms_);
ASSERT_NE(nullptr, msData);
ASSERT_EQ(kMasterSecretSize, msData->len);
EXPECT_EQ(0,
memcmp(msData->data, expected, kMasterSecretSize));
EXPECT_EQ(0, memcmp(msData->data, expected, kMasterSecretSize));
}
}
@ -179,9 +167,9 @@ class TlsPrfTest : public ::testing::Test {
SECItem params_;
SECItem pms_item_;
CK_MECHANISM_TYPE key_mech_;
PK11SlotInfo *slot_;
PK11SymKey *pms_;
PK11SymKey *ms_;
PK11SlotInfo* slot_;
PK11SymKey* pms_;
PK11SymKey* ms_;
CK_VERSION pms_version_;
};
@ -189,7 +177,8 @@ TEST_F(TlsPrfTest, ExtendedMsParamErr) {
Init();
// This should fail; it's the correct set from which the below are derived
// CheckForError(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, 0);
// CheckForError(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF,
// kPrfSeedSizeTlsPrf, kPmsSize, 0);
// Output key size != 0, SSL3_MASTER_SECRET_LENGTH
CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, kIncorrectSize);
@ -211,40 +200,30 @@ TEST_F(TlsPrfTest, ExtendedMsParamErr) {
// SHA256 3 4
TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
Init();
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
CKM_TLS_PRF,
nullptr,
kExpectedOutputEmsTlsPrf);
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_TLS_PRF,
nullptr, kExpectedOutputEmsTlsPrf);
}
TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
Init();
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
CKM_TLS_PRF,
&pms_version_,
kExpectedOutputEmsTlsPrf);
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF,
&pms_version_, kExpectedOutputEmsTlsPrf);
EXPECT_EQ(0, pms_version_.major);
EXPECT_EQ(1, pms_version_.minor);
}
TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
Init();
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
CKM_SHA256,
nullptr,
kExpectedOutputEmsSha256);
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_SHA256,
nullptr, kExpectedOutputEmsSha256);
}
TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
Init();
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
CKM_SHA256,
&pms_version_,
kExpectedOutputEmsSha256);
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_SHA256,
&pms_version_, kExpectedOutputEmsSha256);
EXPECT_EQ(0, pms_version_.major);
EXPECT_EQ(1, pms_version_.minor);
}
} // namespace nss_test
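Review bot: `ClearTempVars()` frees `pms_` and `ms_` but leaves the stale pointers in the members, and both `Inner()` and the destructor call it. On a second `Inner()` call in the same fixture, an early return after its own `ClearTempVars()` — the `default: ASSERT_TRUE(false);` branch, or a failed `ASSERT_NE(nullptr, pms_)` while `ms_` still holds the previous key — lets the destructor pass an already released key to `PK11_FreeSymKey` again. Resetting the members closes that: `PK11_FreeSymKey(pms_); pms_ = nullptr;` and `PK11_FreeSymKey(ms_); ms_ = nullptr;`. The class continues past this hunk, so any other callers of `ClearTempVars()` are not visible here.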


@ -4,10 +4,10 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <memory>
#include "nss.h"
#include "pk11pub.h"
#include "sechash.h"
#include <memory>
#include "gtest/gtest.h"
#include "scoped_ptrs.h"
@ -17,116 +17,116 @@ namespace nss_test {
// RSA-PSS test vectors, pss-vect.txt, Example 1: A 1024-bit RSA Key Pair
// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
const uint8_t kTestVector1Spki[] = {
0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02,
0x81, 0x81, 0x00, 0xa5, 0x6e, 0x4a, 0x0e, 0x70, 0x10, 0x17, 0x58, 0x9a, 0x51,
0x87, 0xdc, 0x7e, 0xa8, 0x41, 0xd1, 0x56, 0xf2, 0xec, 0x0e, 0x36, 0xad, 0x52,
0xa4, 0x4d, 0xfe, 0xb1, 0xe6, 0x1f, 0x7a, 0xd9, 0x91, 0xd8, 0xc5, 0x10, 0x56,
0xff, 0xed, 0xb1, 0x62, 0xb4, 0xc0, 0xf2, 0x83, 0xa1, 0x2a, 0x88, 0xa3, 0x94,
0xdf, 0xf5, 0x26, 0xab, 0x72, 0x91, 0xcb, 0xb3, 0x07, 0xce, 0xab, 0xfc, 0xe0,
0xb1, 0xdf, 0xd5, 0xcd, 0x95, 0x08, 0x09, 0x6d, 0x5b, 0x2b, 0x8b, 0x6d, 0xf5,
0xd6, 0x71, 0xef, 0x63, 0x77, 0xc0, 0x92, 0x1c, 0xb2, 0x3c, 0x27, 0x0a, 0x70,
0xe2, 0x59, 0x8e, 0x6f, 0xf8, 0x9d, 0x19, 0xf1, 0x05, 0xac, 0xc2, 0xd3, 0xf0,
0xcb, 0x35, 0xf2, 0x92, 0x80, 0xe1, 0x38, 0x6b, 0x6f, 0x64, 0xc4, 0xef, 0x22,
0xe1, 0xe1, 0xf2, 0x0d, 0x0c, 0xe8, 0xcf, 0xfb, 0x22, 0x49, 0xbd, 0x9a, 0x21,
0x37, 0x02, 0x03, 0x01, 0x00, 0x01
};
0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81,
0x89, 0x02, 0x81, 0x81, 0x00, 0xa5, 0x6e, 0x4a, 0x0e, 0x70, 0x10, 0x17,
0x58, 0x9a, 0x51, 0x87, 0xdc, 0x7e, 0xa8, 0x41, 0xd1, 0x56, 0xf2, 0xec,
0x0e, 0x36, 0xad, 0x52, 0xa4, 0x4d, 0xfe, 0xb1, 0xe6, 0x1f, 0x7a, 0xd9,
0x91, 0xd8, 0xc5, 0x10, 0x56, 0xff, 0xed, 0xb1, 0x62, 0xb4, 0xc0, 0xf2,
0x83, 0xa1, 0x2a, 0x88, 0xa3, 0x94, 0xdf, 0xf5, 0x26, 0xab, 0x72, 0x91,
0xcb, 0xb3, 0x07, 0xce, 0xab, 0xfc, 0xe0, 0xb1, 0xdf, 0xd5, 0xcd, 0x95,
0x08, 0x09, 0x6d, 0x5b, 0x2b, 0x8b, 0x6d, 0xf5, 0xd6, 0x71, 0xef, 0x63,
0x77, 0xc0, 0x92, 0x1c, 0xb2, 0x3c, 0x27, 0x0a, 0x70, 0xe2, 0x59, 0x8e,
0x6f, 0xf8, 0x9d, 0x19, 0xf1, 0x05, 0xac, 0xc2, 0xd3, 0xf0, 0xcb, 0x35,
0xf2, 0x92, 0x80, 0xe1, 0x38, 0x6b, 0x6f, 0x64, 0xc4, 0xef, 0x22, 0xe1,
0xe1, 0xf2, 0x0d, 0x0c, 0xe8, 0xcf, 0xfb, 0x22, 0x49, 0xbd, 0x9a, 0x21,
0x37, 0x02, 0x03, 0x01, 0x00, 0x01};
// RSA-PSS test vectors, pss-vect.txt, Example 1.1
const uint8_t kTestVector1Data[] = {
0xcd, 0xc8, 0x7d, 0xa2, 0x23, 0xd7, 0x86, 0xdf, 0x3b, 0x45, 0xe0, 0xbb, 0xbc,
0x72, 0x13, 0x26, 0xd1, 0xee, 0x2a, 0xf8, 0x06, 0xcc, 0x31, 0x54, 0x75, 0xcc,
0x6f, 0x0d, 0x9c, 0x66, 0xe1, 0xb6, 0x23, 0x71, 0xd4, 0x5c, 0xe2, 0x39, 0x2e,
0x1a, 0xc9, 0x28, 0x44, 0xc3, 0x10, 0x10, 0x2f, 0x15, 0x6a, 0x0d, 0x8d, 0x52,
0xc1, 0xf4, 0xc4, 0x0b, 0xa3, 0xaa, 0x65, 0x09, 0x57, 0x86, 0xcb, 0x76, 0x97,
0x57, 0xa6, 0x56, 0x3b, 0xa9, 0x58, 0xfe, 0xd0, 0xbc, 0xc9, 0x84, 0xe8, 0xb5,
0x17, 0xa3, 0xd5, 0xf5, 0x15, 0xb2, 0x3b, 0x8a, 0x41, 0xe7, 0x4a, 0xa8, 0x67,
0x69, 0x3f, 0x90, 0xdf, 0xb0, 0x61, 0xa6, 0xe8, 0x6d, 0xfa, 0xae, 0xe6, 0x44,
0x72, 0xc0, 0x0e, 0x5f, 0x20, 0x94, 0x57, 0x29, 0xcb, 0xeb, 0xe7, 0x7f, 0x06,
0xce, 0x78, 0xe0, 0x8f, 0x40, 0x98, 0xfb, 0xa4, 0x1f, 0x9d, 0x61, 0x93, 0xc0,
0x31, 0x7e, 0x8b, 0x60, 0xd4, 0xb6, 0x08, 0x4a, 0xcb, 0x42, 0xd2, 0x9e, 0x38,
0x08, 0xa3, 0xbc, 0x37, 0x2d, 0x85, 0xe3, 0x31, 0x17, 0x0f, 0xcb, 0xf7, 0xcc,
0x72, 0xd0, 0xb7, 0x1c, 0x29, 0x66, 0x48, 0xb3, 0xa4, 0xd1, 0x0f, 0x41, 0x62,
0x95, 0xd0, 0x80, 0x7a, 0xa6, 0x25, 0xca, 0xb2, 0x74, 0x4f, 0xd9, 0xea, 0x8f,
0xd2, 0x23, 0xc4, 0x25, 0x37, 0x02, 0x98, 0x28, 0xbd, 0x16, 0xbe, 0x02, 0x54,
0x6f, 0x13, 0x0f, 0xd2, 0xe3, 0x3b, 0x93, 0x6d, 0x26, 0x76, 0xe0, 0x8a, 0xed,
0x1b, 0x73, 0x31, 0x8b, 0x75, 0x0a, 0x01, 0x67, 0xd0
};
0xcd, 0xc8, 0x7d, 0xa2, 0x23, 0xd7, 0x86, 0xdf, 0x3b, 0x45, 0xe0, 0xbb,
0xbc, 0x72, 0x13, 0x26, 0xd1, 0xee, 0x2a, 0xf8, 0x06, 0xcc, 0x31, 0x54,
0x75, 0xcc, 0x6f, 0x0d, 0x9c, 0x66, 0xe1, 0xb6, 0x23, 0x71, 0xd4, 0x5c,
0xe2, 0x39, 0x2e, 0x1a, 0xc9, 0x28, 0x44, 0xc3, 0x10, 0x10, 0x2f, 0x15,
0x6a, 0x0d, 0x8d, 0x52, 0xc1, 0xf4, 0xc4, 0x0b, 0xa3, 0xaa, 0x65, 0x09,
0x57, 0x86, 0xcb, 0x76, 0x97, 0x57, 0xa6, 0x56, 0x3b, 0xa9, 0x58, 0xfe,
0xd0, 0xbc, 0xc9, 0x84, 0xe8, 0xb5, 0x17, 0xa3, 0xd5, 0xf5, 0x15, 0xb2,
0x3b, 0x8a, 0x41, 0xe7, 0x4a, 0xa8, 0x67, 0x69, 0x3f, 0x90, 0xdf, 0xb0,
0x61, 0xa6, 0xe8, 0x6d, 0xfa, 0xae, 0xe6, 0x44, 0x72, 0xc0, 0x0e, 0x5f,
0x20, 0x94, 0x57, 0x29, 0xcb, 0xeb, 0xe7, 0x7f, 0x06, 0xce, 0x78, 0xe0,
0x8f, 0x40, 0x98, 0xfb, 0xa4, 0x1f, 0x9d, 0x61, 0x93, 0xc0, 0x31, 0x7e,
0x8b, 0x60, 0xd4, 0xb6, 0x08, 0x4a, 0xcb, 0x42, 0xd2, 0x9e, 0x38, 0x08,
0xa3, 0xbc, 0x37, 0x2d, 0x85, 0xe3, 0x31, 0x17, 0x0f, 0xcb, 0xf7, 0xcc,
0x72, 0xd0, 0xb7, 0x1c, 0x29, 0x66, 0x48, 0xb3, 0xa4, 0xd1, 0x0f, 0x41,
0x62, 0x95, 0xd0, 0x80, 0x7a, 0xa6, 0x25, 0xca, 0xb2, 0x74, 0x4f, 0xd9,
0xea, 0x8f, 0xd2, 0x23, 0xc4, 0x25, 0x37, 0x02, 0x98, 0x28, 0xbd, 0x16,
0xbe, 0x02, 0x54, 0x6f, 0x13, 0x0f, 0xd2, 0xe3, 0x3b, 0x93, 0x6d, 0x26,
0x76, 0xe0, 0x8a, 0xed, 0x1b, 0x73, 0x31, 0x8b, 0x75, 0x0a, 0x01, 0x67,
0xd0};
const uint8_t kTestVector1Sig[] = {
0x90, 0x74, 0x30, 0x8f, 0xb5, 0x98, 0xe9, 0x70, 0x1b, 0x22, 0x94, 0x38, 0x8e,
0x52, 0xf9, 0x71, 0xfa, 0xac, 0x2b, 0x60, 0xa5, 0x14, 0x5a, 0xf1, 0x85, 0xdf,
0x52, 0x87, 0xb5, 0xed, 0x28, 0x87, 0xe5, 0x7c, 0xe7, 0xfd, 0x44, 0xdc, 0x86,
0x34, 0xe4, 0x07, 0xc8, 0xe0, 0xe4, 0x36, 0x0b, 0xc2, 0x26, 0xf3, 0xec, 0x22,
0x7f, 0x9d, 0x9e, 0x54, 0x63, 0x8e, 0x8d, 0x31, 0xf5, 0x05, 0x12, 0x15, 0xdf,
0x6e, 0xbb, 0x9c, 0x2f, 0x95, 0x79, 0xaa, 0x77, 0x59, 0x8a, 0x38, 0xf9, 0x14,
0xb5, 0xb9, 0xc1, 0xbd, 0x83, 0xc4, 0xe2, 0xf9, 0xf3, 0x82, 0xa0, 0xd0, 0xaa,
0x35, 0x42, 0xff, 0xee, 0x65, 0x98, 0x4a, 0x60, 0x1b, 0xc6, 0x9e, 0xb2, 0x8d,
0xeb, 0x27, 0xdc, 0xa1, 0x2c, 0x82, 0xc2, 0xd4, 0xc3, 0xf6, 0x6c, 0xd5, 0x00,
0xf1, 0xff, 0x2b, 0x99, 0x4d, 0x8a, 0x4e, 0x30, 0xcb, 0xb3, 0x3c
};
0x90, 0x74, 0x30, 0x8f, 0xb5, 0x98, 0xe9, 0x70, 0x1b, 0x22, 0x94, 0x38,
0x8e, 0x52, 0xf9, 0x71, 0xfa, 0xac, 0x2b, 0x60, 0xa5, 0x14, 0x5a, 0xf1,
0x85, 0xdf, 0x52, 0x87, 0xb5, 0xed, 0x28, 0x87, 0xe5, 0x7c, 0xe7, 0xfd,
0x44, 0xdc, 0x86, 0x34, 0xe4, 0x07, 0xc8, 0xe0, 0xe4, 0x36, 0x0b, 0xc2,
0x26, 0xf3, 0xec, 0x22, 0x7f, 0x9d, 0x9e, 0x54, 0x63, 0x8e, 0x8d, 0x31,
0xf5, 0x05, 0x12, 0x15, 0xdf, 0x6e, 0xbb, 0x9c, 0x2f, 0x95, 0x79, 0xaa,
0x77, 0x59, 0x8a, 0x38, 0xf9, 0x14, 0xb5, 0xb9, 0xc1, 0xbd, 0x83, 0xc4,
0xe2, 0xf9, 0xf3, 0x82, 0xa0, 0xd0, 0xaa, 0x35, 0x42, 0xff, 0xee, 0x65,
0x98, 0x4a, 0x60, 0x1b, 0xc6, 0x9e, 0xb2, 0x8d, 0xeb, 0x27, 0xdc, 0xa1,
0x2c, 0x82, 0xc2, 0xd4, 0xc3, 0xf6, 0x6c, 0xd5, 0x00, 0xf1, 0xff, 0x2b,
0x99, 0x4d, 0x8a, 0x4e, 0x30, 0xcb, 0xb3, 0x3c};
// RSA-PSS test vectors, pss-vect.txt, Example 10: A 2048-bit RSA Key Pair
// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
const uint8_t kTestVector2Spki[] = {
0x30, 0x82, 0x01, 0x21, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0e, 0x00, 0x30, 0x82,
0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0xa5, 0xdd, 0x86, 0x7a, 0xc4, 0xcb, 0x02,
0xf9, 0x0b, 0x94, 0x57, 0xd4, 0x8c, 0x14, 0xa7, 0x70, 0xef, 0x99, 0x1c, 0x56,
0xc3, 0x9c, 0x0e, 0xc6, 0x5f, 0xd1, 0x1a, 0xfa, 0x89, 0x37, 0xce, 0xa5, 0x7b,
0x9b, 0xe7, 0xac, 0x73, 0xb4, 0x5c, 0x00, 0x17, 0x61, 0x5b, 0x82, 0xd6, 0x22,
0xe3, 0x18, 0x75, 0x3b, 0x60, 0x27, 0xc0, 0xfd, 0x15, 0x7b, 0xe1, 0x2f, 0x80,
0x90, 0xfe, 0xe2, 0xa7, 0xad, 0xcd, 0x0e, 0xef, 0x75, 0x9f, 0x88, 0xba, 0x49,
0x97, 0xc7, 0xa4, 0x2d, 0x58, 0xc9, 0xaa, 0x12, 0xcb, 0x99, 0xae, 0x00, 0x1f,
0xe5, 0x21, 0xc1, 0x3b, 0xb5, 0x43, 0x14, 0x45, 0xa8, 0xd5, 0xae, 0x4f, 0x5e,
0x4c, 0x7e, 0x94, 0x8a, 0xc2, 0x27, 0xd3, 0x60, 0x40, 0x71, 0xf2, 0x0e, 0x57,
0x7e, 0x90, 0x5f, 0xbe, 0xb1, 0x5d, 0xfa, 0xf0, 0x6d, 0x1d, 0xe5, 0xae, 0x62,
0x53, 0xd6, 0x3a, 0x6a, 0x21, 0x20, 0xb3, 0x1a, 0x5d, 0xa5, 0xda, 0xbc, 0x95,
0x50, 0x60, 0x0e, 0x20, 0xf2, 0x7d, 0x37, 0x39, 0xe2, 0x62, 0x79, 0x25, 0xfe,
0xa3, 0xcc, 0x50, 0x9f, 0x21, 0xdf, 0xf0, 0x4e, 0x6e, 0xea, 0x45, 0x49, 0xc5,
0x40, 0xd6, 0x80, 0x9f, 0xf9, 0x30, 0x7e, 0xed, 0xe9, 0x1f, 0xff, 0x58, 0x73,
0x3d, 0x83, 0x85, 0xa2, 0x37, 0xd6, 0xd3, 0x70, 0x5a, 0x33, 0xe3, 0x91, 0x90,
0x09, 0x92, 0x07, 0x0d, 0xf7, 0xad, 0xf1, 0x35, 0x7c, 0xf7, 0xe3, 0x70, 0x0c,
0xe3, 0x66, 0x7d, 0xe8, 0x3f, 0x17, 0xb8, 0xdf, 0x17, 0x78, 0xdb, 0x38, 0x1d,
0xce, 0x09, 0xcb, 0x4a, 0xd0, 0x58, 0xa5, 0x11, 0x00, 0x1a, 0x73, 0x81, 0x98,
0xee, 0x27, 0xcf, 0x55, 0xa1, 0x3b, 0x75, 0x45, 0x39, 0x90, 0x65, 0x82, 0xec,
0x8b, 0x17, 0x4b, 0xd5, 0x8d, 0x5d, 0x1f, 0x3d, 0x76, 0x7c, 0x61, 0x37, 0x21,
0xae, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01
};
0x30, 0x82, 0x01, 0x21, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0e, 0x00,
0x30, 0x82, 0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0xa5, 0xdd, 0x86, 0x7a,
0xc4, 0xcb, 0x02, 0xf9, 0x0b, 0x94, 0x57, 0xd4, 0x8c, 0x14, 0xa7, 0x70,
0xef, 0x99, 0x1c, 0x56, 0xc3, 0x9c, 0x0e, 0xc6, 0x5f, 0xd1, 0x1a, 0xfa,
0x89, 0x37, 0xce, 0xa5, 0x7b, 0x9b, 0xe7, 0xac, 0x73, 0xb4, 0x5c, 0x00,
0x17, 0x61, 0x5b, 0x82, 0xd6, 0x22, 0xe3, 0x18, 0x75, 0x3b, 0x60, 0x27,
0xc0, 0xfd, 0x15, 0x7b, 0xe1, 0x2f, 0x80, 0x90, 0xfe, 0xe2, 0xa7, 0xad,
0xcd, 0x0e, 0xef, 0x75, 0x9f, 0x88, 0xba, 0x49, 0x97, 0xc7, 0xa4, 0x2d,
0x58, 0xc9, 0xaa, 0x12, 0xcb, 0x99, 0xae, 0x00, 0x1f, 0xe5, 0x21, 0xc1,
0x3b, 0xb5, 0x43, 0x14, 0x45, 0xa8, 0xd5, 0xae, 0x4f, 0x5e, 0x4c, 0x7e,
0x94, 0x8a, 0xc2, 0x27, 0xd3, 0x60, 0x40, 0x71, 0xf2, 0x0e, 0x57, 0x7e,
0x90, 0x5f, 0xbe, 0xb1, 0x5d, 0xfa, 0xf0, 0x6d, 0x1d, 0xe5, 0xae, 0x62,
0x53, 0xd6, 0x3a, 0x6a, 0x21, 0x20, 0xb3, 0x1a, 0x5d, 0xa5, 0xda, 0xbc,
0x95, 0x50, 0x60, 0x0e, 0x20, 0xf2, 0x7d, 0x37, 0x39, 0xe2, 0x62, 0x79,
0x25, 0xfe, 0xa3, 0xcc, 0x50, 0x9f, 0x21, 0xdf, 0xf0, 0x4e, 0x6e, 0xea,
0x45, 0x49, 0xc5, 0x40, 0xd6, 0x80, 0x9f, 0xf9, 0x30, 0x7e, 0xed, 0xe9,
0x1f, 0xff, 0x58, 0x73, 0x3d, 0x83, 0x85, 0xa2, 0x37, 0xd6, 0xd3, 0x70,
0x5a, 0x33, 0xe3, 0x91, 0x90, 0x09, 0x92, 0x07, 0x0d, 0xf7, 0xad, 0xf1,
0x35, 0x7c, 0xf7, 0xe3, 0x70, 0x0c, 0xe3, 0x66, 0x7d, 0xe8, 0x3f, 0x17,
0xb8, 0xdf, 0x17, 0x78, 0xdb, 0x38, 0x1d, 0xce, 0x09, 0xcb, 0x4a, 0xd0,
0x58, 0xa5, 0x11, 0x00, 0x1a, 0x73, 0x81, 0x98, 0xee, 0x27, 0xcf, 0x55,
0xa1, 0x3b, 0x75, 0x45, 0x39, 0x90, 0x65, 0x82, 0xec, 0x8b, 0x17, 0x4b,
0xd5, 0x8d, 0x5d, 0x1f, 0x3d, 0x76, 0x7c, 0x61, 0x37, 0x21, 0xae, 0x05,
0x02, 0x03, 0x01, 0x00, 0x01};
// RSA-PSS test vectors, pss-vect.txt, Example 10.1
const uint8_t kTestVector2Data[] = {
0x88, 0x31, 0x77, 0xe5, 0x12, 0x6b, 0x9b, 0xe2, 0xd9, 0xa9, 0x68, 0x03, 0x27,
0xd5, 0x37, 0x0c, 0x6f, 0x26, 0x86, 0x1f, 0x58, 0x20, 0xc4, 0x3d, 0xa6, 0x7a,
0x3a, 0xd6, 0x09
};
0x88, 0x31, 0x77, 0xe5, 0x12, 0x6b, 0x9b, 0xe2, 0xd9, 0xa9,
0x68, 0x03, 0x27, 0xd5, 0x37, 0x0c, 0x6f, 0x26, 0x86, 0x1f,
0x58, 0x20, 0xc4, 0x3d, 0xa6, 0x7a, 0x3a, 0xd6, 0x09};
const uint8_t kTestVector2Sig[] = {
0x82, 0xc2, 0xb1, 0x60, 0x09, 0x3b, 0x8a, 0xa3, 0xc0, 0xf7, 0x52, 0x2b, 0x19,
0xf8, 0x73, 0x54, 0x06, 0x6c, 0x77, 0x84, 0x7a, 0xbf, 0x2a, 0x9f, 0xce, 0x54,
0x2d, 0x0e, 0x84, 0xe9, 0x20, 0xc5, 0xaf, 0xb4, 0x9f, 0xfd, 0xfd, 0xac, 0xe1,
0x65, 0x60, 0xee, 0x94, 0xa1, 0x36, 0x96, 0x01, 0x14, 0x8e, 0xba, 0xd7, 0xa0,
0xe1, 0x51, 0xcf, 0x16, 0x33, 0x17, 0x91, 0xa5, 0x72, 0x7d, 0x05, 0xf2, 0x1e,
0x74, 0xe7, 0xeb, 0x81, 0x14, 0x40, 0x20, 0x69, 0x35, 0xd7, 0x44, 0x76, 0x5a,
0x15, 0xe7, 0x9f, 0x01, 0x5c, 0xb6, 0x6c, 0x53, 0x2c, 0x87, 0xa6, 0xa0, 0x59,
0x61, 0xc8, 0xbf, 0xad, 0x74, 0x1a, 0x9a, 0x66, 0x57, 0x02, 0x28, 0x94, 0x39,
0x3e, 0x72, 0x23, 0x73, 0x97, 0x96, 0xc0, 0x2a, 0x77, 0x45, 0x5d, 0x0f, 0x55,
0x5b, 0x0e, 0xc0, 0x1d, 0xdf, 0x25, 0x9b, 0x62, 0x07, 0xfd, 0x0f, 0xd5, 0x76,
0x14, 0xce, 0xf1, 0xa5, 0x57, 0x3b, 0xaa, 0xff, 0x4e, 0xc0, 0x00, 0x69, 0x95,
0x16, 0x59, 0xb8, 0x5f, 0x24, 0x30, 0x0a, 0x25, 0x16, 0x0c, 0xa8, 0x52, 0x2d,
0xc6, 0xe6, 0x72, 0x7e, 0x57, 0xd0, 0x19, 0xd7, 0xe6, 0x36, 0x29, 0xb8, 0xfe,
0x5e, 0x89, 0xe2, 0x5c, 0xc1, 0x5b, 0xeb, 0x3a, 0x64, 0x75, 0x77, 0x55, 0x92,
0x99, 0x28, 0x0b, 0x9b, 0x28, 0xf7, 0x9b, 0x04, 0x09, 0x00, 0x0b, 0xe2, 0x5b,
0xbd, 0x96, 0x40, 0x8b, 0xa3, 0xb4, 0x3c, 0xc4, 0x86, 0x18, 0x4d, 0xd1, 0xc8,
0xe6, 0x25, 0x53, 0xfa, 0x1a, 0xf4, 0x04, 0x0f, 0x60, 0x66, 0x3d, 0xe7, 0xf5,
0xe4, 0x9c, 0x04, 0x38, 0x8e, 0x25, 0x7f, 0x1c, 0xe8, 0x9c, 0x95, 0xda, 0xb4,
0x8a, 0x31, 0x5d, 0x9b, 0x66, 0xb1, 0xb7, 0x62, 0x82, 0x33, 0x87, 0x6f, 0xf2,
0x38, 0x52, 0x30, 0xd0, 0x70, 0xd0, 0x7e, 0x16, 0x66
};
0x82, 0xc2, 0xb1, 0x60, 0x09, 0x3b, 0x8a, 0xa3, 0xc0, 0xf7, 0x52, 0x2b,
0x19, 0xf8, 0x73, 0x54, 0x06, 0x6c, 0x77, 0x84, 0x7a, 0xbf, 0x2a, 0x9f,
0xce, 0x54, 0x2d, 0x0e, 0x84, 0xe9, 0x20, 0xc5, 0xaf, 0xb4, 0x9f, 0xfd,
0xfd, 0xac, 0xe1, 0x65, 0x60, 0xee, 0x94, 0xa1, 0x36, 0x96, 0x01, 0x14,
0x8e, 0xba, 0xd7, 0xa0, 0xe1, 0x51, 0xcf, 0x16, 0x33, 0x17, 0x91, 0xa5,
0x72, 0x7d, 0x05, 0xf2, 0x1e, 0x74, 0xe7, 0xeb, 0x81, 0x14, 0x40, 0x20,
0x69, 0x35, 0xd7, 0x44, 0x76, 0x5a, 0x15, 0xe7, 0x9f, 0x01, 0x5c, 0xb6,
0x6c, 0x53, 0x2c, 0x87, 0xa6, 0xa0, 0x59, 0x61, 0xc8, 0xbf, 0xad, 0x74,
0x1a, 0x9a, 0x66, 0x57, 0x02, 0x28, 0x94, 0x39, 0x3e, 0x72, 0x23, 0x73,
0x97, 0x96, 0xc0, 0x2a, 0x77, 0x45, 0x5d, 0x0f, 0x55, 0x5b, 0x0e, 0xc0,
0x1d, 0xdf, 0x25, 0x9b, 0x62, 0x07, 0xfd, 0x0f, 0xd5, 0x76, 0x14, 0xce,
0xf1, 0xa5, 0x57, 0x3b, 0xaa, 0xff, 0x4e, 0xc0, 0x00, 0x69, 0x95, 0x16,
0x59, 0xb8, 0x5f, 0x24, 0x30, 0x0a, 0x25, 0x16, 0x0c, 0xa8, 0x52, 0x2d,
0xc6, 0xe6, 0x72, 0x7e, 0x57, 0xd0, 0x19, 0xd7, 0xe6, 0x36, 0x29, 0xb8,
0xfe, 0x5e, 0x89, 0xe2, 0x5c, 0xc1, 0x5b, 0xeb, 0x3a, 0x64, 0x75, 0x77,
0x55, 0x92, 0x99, 0x28, 0x0b, 0x9b, 0x28, 0xf7, 0x9b, 0x04, 0x09, 0x00,
0x0b, 0xe2, 0x5b, 0xbd, 0x96, 0x40, 0x8b, 0xa3, 0xb4, 0x3c, 0xc4, 0x86,
0x18, 0x4d, 0xd1, 0xc8, 0xe6, 0x25, 0x53, 0xfa, 0x1a, 0xf4, 0x04, 0x0f,
0x60, 0x66, 0x3d, 0xe7, 0xf5, 0xe4, 0x9c, 0x04, 0x38, 0x8e, 0x25, 0x7f,
0x1c, 0xe8, 0x9c, 0x95, 0xda, 0xb4, 0x8a, 0x31, 0x5d, 0x9b, 0x66, 0xb1,
0xb7, 0x62, 0x82, 0x33, 0x87, 0x6f, 0xf2, 0x38, 0x52, 0x30, 0xd0, 0x70,
0xd0, 0x7e, 0x16, 0x66};
static unsigned char* toUcharPtr(const uint8_t* v) {
return const_cast<unsigned char*>(
static_cast<const unsigned char*>(v));
return const_cast<unsigned char*>(static_cast<const unsigned char*>(v));
}
class Pkcs11RsaPssTest : public ::testing::Test {
};
class Pkcs11RsaPssTest : public ::testing::Test {};
class Pkcs11RsaPssVectorTest : public Pkcs11RsaPssTest {
public:
@ -139,30 +139,28 @@ class Pkcs11RsaPssVectorTest : public Pkcs11RsaPssTest {
// Set up PSS parameters.
unsigned int hLen = HASH_ResultLenByOidTag(hashOid);
CK_RSA_PKCS_PSS_PARAMS rsaPssParams = { hashMech, mgf, hLen };
SECItem params = { siBuffer,
reinterpret_cast<unsigned char*>(&rsaPssParams),
sizeof(rsaPssParams) };
CK_RSA_PKCS_PSS_PARAMS rsaPssParams = {hashMech, mgf, hLen};
SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&rsaPssParams),
sizeof(rsaPssParams)};
// Import public key.
SECItem spkiItem = { siBuffer, toUcharPtr(spki),
static_cast<unsigned int>(spki_len) };
SECItem spkiItem = {siBuffer, toUcharPtr(spki),
static_cast<unsigned int>(spki_len)};
ScopedCERTSubjectPublicKeyInfo certSpki(
SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
// Hash the data.
std::vector<uint8_t> hashBuf(hLen);
SECItem hash = { siBuffer, &hashBuf[0],
static_cast<unsigned int>(hashBuf.size()) };
SECStatus rv = PK11_HashBuf(hashOid, hash.data, toUcharPtr(data),
data_len);
SECItem hash = {siBuffer, &hashBuf[0],
static_cast<unsigned int>(hashBuf.size())};
SECStatus rv = PK11_HashBuf(hashOid, hash.data, toUcharPtr(data), data_len);
EXPECT_EQ(rv, SECSuccess);
// Verify.
CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_PSS;
SECItem sigItem = { siBuffer, toUcharPtr(sig),
static_cast<unsigned int>(sig_len) };
SECItem sigItem = {siBuffer, toUcharPtr(sig),
static_cast<unsigned int>(sig_len)};
rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sigItem, &hash,
nullptr);
EXPECT_EQ(rv, SECSuccess);
@ -177,34 +175,33 @@ TEST_F(Pkcs11RsaPssTest, GenerateAndSignAndVerify) {
SECOidTag hashOid = SEC_OID_SHA256;
CK_MECHANISM_TYPE hashMech = CKM_SHA256;
CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA256;
PK11RSAGenParams rsaGenParams = { 1024, 0x10001 };
PK11RSAGenParams rsaGenParams = {1024, 0x10001};
// Generate RSA key pair.
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
SECKEYPublicKey* pubKeyRaw = nullptr;
ScopedSECKEYPrivateKey privKey(PK11_GenerateKeyPair(slot.get(),
CKM_RSA_PKCS_KEY_PAIR_GEN,
&rsaGenParams, &pubKeyRaw,
false, false, nullptr));
ScopedSECKEYPrivateKey privKey(
PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaGenParams,
&pubKeyRaw, false, false, nullptr));
ASSERT_TRUE(!!privKey && pubKeyRaw);
ScopedSECKEYPublicKey pubKey(pubKeyRaw);
// Generate random data to sign.
uint8_t dataBuf[50];
SECItem data = { siBuffer, dataBuf, sizeof(dataBuf) };
SECItem data = {siBuffer, dataBuf, sizeof(dataBuf)};
unsigned int hLen = HASH_ResultLenByOidTag(hashOid);
SECStatus rv = PK11_GenerateRandomOnSlot(slot.get(), data.data, data.len);
EXPECT_EQ(rv, SECSuccess);
// Allocate memory for the signature.
std::vector<uint8_t> sigBuf(PK11_SignatureLen(privKey.get()));
SECItem sig = { siBuffer, &sigBuf[0],
static_cast<unsigned int>(sigBuf.size()) };
SECItem sig = {siBuffer, &sigBuf[0],
static_cast<unsigned int>(sigBuf.size())};
// Set up PSS parameters.
CK_RSA_PKCS_PSS_PARAMS rsaPssParams = { hashMech, mgf, hLen };
SECItem params = { siBuffer, reinterpret_cast<unsigned char*>(&rsaPssParams),
sizeof(rsaPssParams) };
CK_RSA_PKCS_PSS_PARAMS rsaPssParams = {hashMech, mgf, hLen};
SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&rsaPssParams),
sizeof(rsaPssParams)};
// Sign.
CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_PSS;
@ -223,7 +220,7 @@ TEST_F(Pkcs11RsaPssTest, GenerateAndSignAndVerify) {
EXPECT_EQ(rv, SECFailure);
// Verification with original data but the wrong signature must fail.
data.data[0] ^= 0xff; // Revert previous changes.
data.data[0] ^= 0xff; // Revert previous changes.
sig.data[0] ^= 0xff;
rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
nullptr);
@ -243,4 +240,3 @@ TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature2) {
}
} // namespace nss_test


@ -33,6 +33,12 @@ ifdef NSS_SSL_ENABLE_ZLIB
include $(CORE_DEPTH)/coreconf/zlib.mk
endif
ifdef NSS_DISABLE_TLS_1_3
# Run parameterized tests only, for which we can easily exclude TLS 1.3
CPPSRCS := $(filter-out $(shell grep -l '^TEST_F' $(CPPSRCS)), $(CPPSRCS))
CFLAGS += -DNSS_DISABLE_TLS_1_3
endif
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
@ -47,7 +53,3 @@ include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
ifndef NSS_ENABLE_TLS_1_3
CPPSRCS := $(filter-out ssl_0rtt_unittest.cc, $(CPPSRCS))
endif
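Review bot: The `NSS_DISABLE_TLS_1_3` branch filters at file granularity, not test granularity. `$(shell grep -l '^TEST_F' $(CPPSRCS))` drops every source file that contains at least one `TEST_F`, so any parameterized cases in those files (presumably including TLS 1.0–1.2 coverage) silently stop running in that configuration. The grep also resolves paths against the directory make runs in, and if it matches nothing the `filter-out` is a no-op rather than an error. I would extend the comment to say so, e.g. `# NOTE: removes every file containing a TEST_F, including its TEST_P cases; keep version-independent tests in TEST_P-only files`. Guarding the TLS 1.3 `TEST_F` cases with `#ifndef NSS_DISABLE_TLS_1_3` in the sources would avoid the coverage loss.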


@ -18,12 +18,14 @@
#include <arpa/inet.h>
#endif
extern bool g_ssl_gtest_verbose;
namespace nss_test {
class DataBuffer {
public:
DataBuffer() : data_(nullptr), len_(0) {}
DataBuffer(const uint8_t *data, size_t len) : data_(nullptr), len_(0) {
DataBuffer(const uint8_t* data, size_t len) : data_(nullptr), len_(0) {
Assign(data, len);
}
explicit DataBuffer(const DataBuffer& other) : data_(nullptr), len_(0) {
@ -44,18 +46,14 @@ class DataBuffer {
len_ = len;
}
void Truncate(size_t len) {
len_ = std::min(len_, len);
}
void Truncate(size_t len) { len_ = std::min(len_, len); }
void Assign(const DataBuffer& other) {
Assign(other.data(), other.len());
}
void Assign(const DataBuffer& other) { Assign(other.data(), other.len()); }
void Assign(const uint8_t* data, size_t len) {
if (data) {
Allocate(len);
memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
memcpy(static_cast<void*>(data_), static_cast<const void*>(data), len);
} else {
assert(len == 0);
data_ = nullptr;
@ -68,9 +66,8 @@ class DataBuffer {
size_t Write(size_t index, const uint8_t* val, size_t count) {
if (index + count > len_) {
size_t newlen = index + count;
uint8_t* tmp = new uint8_t[newlen]; // Always > 0.
memcpy(static_cast<void*>(tmp),
static_cast<const void*>(data_), len_);
uint8_t* tmp = new uint8_t[newlen]; // Always > 0.
memcpy(static_cast<void*>(tmp), static_cast<const void*>(data_), len_);
if (index > len_) {
memset(static_cast<void*>(tmp + len_), 0, index - len_);
}
@ -78,8 +75,8 @@ class DataBuffer {
data_ = tmp;
len_ = newlen;
}
memcpy(static_cast<void*>(data_ + index),
static_cast<const void*>(val), count);
memcpy(static_cast<void*>(data_ + index), static_cast<const void*>(val),
count);
return index + count;
}
@ -117,7 +114,8 @@ class DataBuffer {
Splice(buf.data(), buf.len(), index, remove);
}
void Splice(const uint8_t* ins, size_t ins_len, size_t index, size_t remove = 0) {
void Splice(const uint8_t* ins, size_t ins_len, size_t index,
size_t remove = 0) {
uint8_t* old_value = data_;
size_t old_len = len_;
@ -137,8 +135,7 @@ class DataBuffer {
Write(index, ins, ins_len);
// The tail of the old.
if (tail_len > 0) {
Write(index + ins_len,
old_value + index + remove, tail_len);
Write(index + ins_len, old_value + index + remove, tail_len);
}
delete[] old_value;
@ -146,7 +143,7 @@ class DataBuffer {
void Append(const DataBuffer& buf) { Splice(buf, len_); }
const uint8_t *data() const { return data_; }
const uint8_t* data() const { return data_; }
uint8_t* data() { return data_; }
size_t len() const { return len_; }
bool empty() const { return len_ == 0; }
@ -156,16 +153,12 @@ class DataBuffer {
size_t len_;
};
#ifdef DEBUG
static const size_t kMaxBufferPrint = 10000;
#else
static const size_t kMaxBufferPrint = 32;
#endif
inline std::ostream& operator<<(std::ostream& stream, const DataBuffer& buf) {
stream << "[" << buf.len() << "] ";
for (size_t i = 0; i < buf.len(); ++i) {
if (i >= kMaxBufferPrint) {
if (!g_ssl_gtest_verbose && i >= kMaxBufferPrint) {
stream << "...";
break;
}
@ -178,13 +171,13 @@ inline std::ostream& operator<<(std::ostream& stream, const DataBuffer& buf) {
inline bool operator==(const DataBuffer& a, const DataBuffer& b) {
return (a.empty() && b.empty()) ||
(a.len() == b.len() && 0 == memcmp(a.data(), b.data(), a.len()));
(a.len() == b.len() && 0 == memcmp(a.data(), b.data(), a.len()));
}
inline bool operator!=(const DataBuffer& a, const DataBuffer& b) {
return !(a == b);
}
} // namespace nss_test
} // namespace nss_test
#endif
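Review bot: `Write` still evaluates `index + count > len_` in `size_t` with no overflow check, so a sum that wraps skips the reallocation and the final `memcpy` to `data_ + index` lands outside the allocation. This commit only re-wraps those lines, and the body of `Write` spans two hunks with elided lines between them. Since the file already uses `assert`, a first statement `assert(count <= SIZE_MAX - index);` in `Write` would turn a wrapped length into a visible test failure instead of heap corruption. Separately, with `g_ssl_gtest_verbose` set, `operator<<` no longer caps output at `kMaxBufferPrint`. That deserves a one-line comment next to the constant, e.g. `// Ignored when g_ssl_gtest_verbose is set: whole buffers are logged.`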


@ -1,4 +1,4 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
@ -13,93 +13,82 @@
#include "ssl.h"
#include "sslimpl.h"
SECStatus
SSLInt_IncrementClientHandshakeVersion(PRFileDesc *fd)
{
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
SECStatus SSLInt_IncrementClientHandshakeVersion(PRFileDesc *fd) {
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
++ss->clientHelloVersion;
++ss->clientHelloVersion;
return SECSuccess;
return SECSuccess;
}
PRUint32
SSLInt_DetermineKEABits(PRUint16 serverKeyBits, SSLAuthType authAlgorithm) {
// For ECDSA authentication we expect a curve for key exchange with the
// same strength as the one used for the certificate's signature.
if (authAlgorithm == ssl_auth_ecdsa ||
authAlgorithm == ssl_auth_ecdh_rsa ||
authAlgorithm == ssl_auth_ecdh_ecdsa) {
return serverKeyBits;
}
// This function guesses what key exchange strength libssl will choose.
PRUint32 SSLInt_DetermineKEABits(PRUint16 serverKeyBits,
const SSLCipherSuiteInfo *info) {
PRUint32 authBits;
SSLAuthType authAlgorithm = info->authType;
if (authAlgorithm == ssl_auth_ecdsa || authAlgorithm == ssl_auth_ecdh_rsa ||
authAlgorithm == ssl_auth_ecdh_ecdsa) {
authBits = serverKeyBits;
} else {
PORT_Assert(authAlgorithm == ssl_auth_rsa_decrypt ||
authAlgorithm == ssl_auth_rsa_sign);
PRUint32 minKeaBits;
#ifdef NSS_ECC_MORE_THAN_SUITE_B
// P-192 is the smallest curve we want to use.
minKeaBits = 192U;
#else
// P-256 is the smallest supported curve.
minKeaBits = 256U;
#endif
authBits = SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyBits);
}
return PR_MAX(SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyBits), minKeaBits);
// We expect a curve for key exchange to be selected based on the symmetric
// key strength (times 2) or the server key size, whichever is smaller.
PRUint32 targetKeaBits = PR_MIN(info->symKeyBits * 2, authBits);
// P-256 is the preferred curve of minimum size.
return PR_MAX(256U, targetKeaBits);
}
/* Use this function to update the ClientRandom of a client's handshake state
* after replacing its ClientHello message. We for example need to do this
* when replacing an SSLv3 ClientHello with its SSLv2 equivalent. */
SECStatus
SSLInt_UpdateSSLv2ClientRandom(PRFileDesc *fd, uint8_t *rnd, size_t rnd_len,
uint8_t *msg, size_t msg_len)
{
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
SECStatus SSLInt_UpdateSSLv2ClientRandom(PRFileDesc *fd, uint8_t *rnd,
size_t rnd_len, uint8_t *msg,
size_t msg_len) {
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
SECStatus rv = ssl3_InitState(ss);
if (rv != SECSuccess) {
return rv;
}
SECStatus rv = ssl3_InitState(ss);
if (rv != SECSuccess) {
return rv;
}
rv = ssl3_RestartHandshakeHashes(ss);
if (rv != SECSuccess) {
return rv;
}
rv = ssl3_RestartHandshakeHashes(ss);
if (rv != SECSuccess) {
return rv;
}
// Zero the client_random struct.
PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
// Zero the client_random struct.
PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
// Copy over the challenge bytes.
size_t offset = SSL3_RANDOM_LENGTH - rnd_len;
PORT_Memcpy(&ss->ssl3.hs.client_random.rand[offset], rnd, rnd_len);
// Copy over the challenge bytes.
size_t offset = SSL3_RANDOM_LENGTH - rnd_len;
PORT_Memcpy(&ss->ssl3.hs.client_random.rand[offset], rnd, rnd_len);
// Rehash the SSLv2 client hello message.
return ssl3_UpdateHandshakeHashes(ss, msg, msg_len);
// Rehash the SSLv2 client hello message.
return ssl3_UpdateHandshakeHashes(ss, msg, msg_len);
}
PRBool
SSLInt_ExtensionNegotiated(PRFileDesc *fd, PRUint16 ext)
{
sslSocket *ss = ssl_FindSocket(fd);
return (PRBool)(ss && ssl3_ExtensionNegotiated(ss, ext));
PRBool SSLInt_ExtensionNegotiated(PRFileDesc *fd, PRUint16 ext) {
sslSocket *ss = ssl_FindSocket(fd);
return (PRBool)(ss && ssl3_ExtensionNegotiated(ss, ext));
}
void
SSLInt_ClearSessionTicketKey()
{
void SSLInt_ClearSessionTicketKey() {
ssl3_SessionTicketShutdown(NULL, NULL);
NSS_UnregisterShutdown(ssl3_SessionTicketShutdown, NULL);
}
SECStatus
SSLInt_SetMTU(PRFileDesc *fd, PRUint16 mtu)
{
SECStatus SSLInt_SetMTU(PRFileDesc *fd, PRUint16 mtu) {
sslSocket *ss = ssl_FindSocket(fd);
if (ss) {
ss->ssl3.mtu = mtu;
@ -108,8 +97,7 @@ SSLInt_SetMTU(PRFileDesc *fd, PRUint16 mtu)
return SECFailure;
}
PRInt32 SSLInt_CountTls13CipherSpecs(PRFileDesc *fd)
{
PRInt32 SSLInt_CountTls13CipherSpecs(PRFileDesc *fd) {
PRCList *cur_p;
PRInt32 ct = 0;
@ -119,8 +107,7 @@ PRInt32 SSLInt_CountTls13CipherSpecs(PRFileDesc *fd)
}
for (cur_p = PR_NEXT_LINK(&ss->ssl3.hs.cipherSpecs);
cur_p != &ss->ssl3.hs.cipherSpecs;
cur_p = PR_NEXT_LINK(cur_p)) {
cur_p != &ss->ssl3.hs.cipherSpecs; cur_p = PR_NEXT_LINK(cur_p)) {
++ct;
}
return ct;
@ -129,28 +116,25 @@ PRInt32 SSLInt_CountTls13CipherSpecs(PRFileDesc *fd)
/* Force a timer expiry by backdating when the timer was started.
* We could set the remaining time to 0 but then backoff would not
* work properly if we decide to test it. */
void SSLInt_ForceTimerExpiry(PRFileDesc *fd)
{
void SSLInt_ForceTimerExpiry(PRFileDesc *fd) {
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return;
}
if (!ss->ssl3.hs.rtTimerCb)
return;
if (!ss->ssl3.hs.rtTimerCb) return;
ss->ssl3.hs.rtTimerStarted = PR_IntervalNow() -
PR_MillisecondsToInterval(ss->ssl3.hs.rtTimeoutMs + 1);
ss->ssl3.hs.rtTimerStarted =
PR_IntervalNow() - PR_MillisecondsToInterval(ss->ssl3.hs.rtTimeoutMs + 1);
}
#define CHECK_SECRET(secret) \
if (ss->ssl3.hs.secret) { \
fprintf(stderr, "%s != NULL\n", #secret); \
return PR_FALSE; \
#define CHECK_SECRET(secret) \
if (ss->ssl3.hs.secret) { \
fprintf(stderr, "%s != NULL\n", #secret); \
return PR_FALSE; \
}
PRBool SSLInt_CheckSecretsDestroyed(PRFileDesc *fd)
{
PRBool SSLInt_CheckSecretsDestroyed(PRFileDesc *fd) {
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return PR_FALSE;
@ -165,17 +149,11 @@ PRBool SSLInt_CheckSecretsDestroyed(PRFileDesc *fd)
return PR_TRUE;
}
PRBool sslint_DamageTrafficSecret(PRFileDesc *fd,
size_t offset)
{
PRBool sslint_DamageTrafficSecret(PRFileDesc *fd, size_t offset) {
unsigned char data[32] = {0};
PK11SymKey **keyPtr;
PK11SlotInfo *slot = PK11_GetInternalSlot();
SECItem key_item = {
siBuffer,
data,
sizeof(data)
};
SECItem key_item = {siBuffer, data, sizeof(data)};
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return PR_FALSE;
@ -198,26 +176,17 @@ PRBool sslint_DamageTrafficSecret(PRFileDesc *fd,
return PR_TRUE;
}
PRBool SSLInt_DamageHsTrafficSecret(PRFileDesc *fd)
{
PRBool SSLInt_DamageHsTrafficSecret(PRFileDesc *fd) {
return sslint_DamageTrafficSecret(
fd,
offsetof(SSL3HandshakeState,
hsTrafficSecret));
fd, offsetof(SSL3HandshakeState, hsTrafficSecret));
}
PRBool SSLInt_DamageEarlyTrafficSecret(PRFileDesc *fd)
{
PRBool SSLInt_DamageEarlyTrafficSecret(PRFileDesc *fd) {
return sslint_DamageTrafficSecret(
fd,
offsetof(SSL3HandshakeState,
earlyTrafficSecret));
fd, offsetof(SSL3HandshakeState, earlyTrafficSecret));
}
SECStatus
SSLInt_Set0RttAlpn(PRFileDesc *fd, PRUint8 *data, unsigned int len)
{
SECStatus SSLInt_Set0RttAlpn(PRFileDesc *fd, PRUint8 *data, unsigned int len) {
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
@ -227,9 +196,29 @@ SSLInt_Set0RttAlpn(PRFileDesc *fd, PRUint8 *data, unsigned int len)
if (ss->ssl3.nextProto.data) {
SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
}
if (!SECITEM_AllocItem(NULL, &ss->ssl3.nextProto, len))
return SECFailure;
if (!SECITEM_AllocItem(NULL, &ss->ssl3.nextProto, len)) return SECFailure;
PORT_Memcpy(ss->ssl3.nextProto.data, data, len);
return SECSuccess;
}
PRBool SSLInt_HasCertWithAuthType(PRFileDesc *fd, SSLAuthType authType) {
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return PR_FALSE;
}
return (PRBool)(!!ssl_FindServerCertByAuthType(ss, authType));
}
PRBool SSLInt_SendAlert(PRFileDesc *fd, uint8_t level, uint8_t type) {
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return PR_FALSE;
}
SECStatus rv = SSL3_SendAlert(ss, level, type);
if (rv != SECSuccess) return PR_FALSE;
return PR_TRUE;
}
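Review bot: `SSLInt_UpdateSSLv2ClientRandom` computes `size_t offset = SSL3_RANDOM_LENGTH - rnd_len;` without bounding `rnd_len`. A caller passing more than `SSL3_RANDOM_LENGTH` bytes makes the subtraction wrap, and `PORT_Memcpy` then writes outside `client_random.rand`; the commit re-indents the function but leaves this unchanged. A guard before the `PORT_Memset`, `if (rnd_len > SSL3_RANDOM_LENGTH) return SECFailure;`, keeps the helper memory-safe when a test hands it an oversized challenge. In the same section, `sslint_DamageTrafficSecret` calls `PK11_GetInternalSlot()` before the `!ss` early return, which appears to leak the slot reference on that path. The rest of that function is outside the hunk, so the later cleanup cannot be confirmed from here.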


@ -16,11 +16,11 @@
SECStatus SSLInt_IncrementClientHandshakeVersion(PRFileDesc *fd);
PRUint32 SSLInt_DetermineKEABits(PRUint16 serverKeyBits,
SSLAuthType authAlgorithm);
const SSLCipherSuiteInfo *info);
SECStatus SSLInt_UpdateSSLv2ClientRandom(PRFileDesc *fd,
uint8_t *rnd, size_t rnd_len,
uint8_t *msg, size_t msg_len);
SECStatus SSLInt_UpdateSSLv2ClientRandom(PRFileDesc *fd, uint8_t *rnd,
size_t rnd_len, uint8_t *msg,
size_t msg_len);
PRBool SSLInt_ExtensionNegotiated(PRFileDesc *fd, PRUint16 ext);
void SSLInt_ClearSessionTicketKey();
@ -31,5 +31,7 @@ PRBool SSLInt_CheckSecretsDestroyed(PRFileDesc *fd);
PRBool SSLInt_DamageHsTrafficSecret(PRFileDesc *fd);
PRBool SSLInt_DamageEarlyTrafficSecret(PRFileDesc *fd);
SECStatus SSLInt_Set0RttAlpn(PRFileDesc *fd, PRUint8 *data, unsigned int len);
PRBool SSLInt_HasCertWithAuthType(PRFileDesc *fd, SSLAuthType authType);
PRBool SSLInt_SendAlert(PRFileDesc *fd, uint8_t level, uint8_t type);
#endif // ndef libssl_internals_h_
#endif // ndef libssl_internals_h_


@ -15,13 +15,17 @@ CPPSRCS = \
ssl_0rtt_unittest.cc \
ssl_agent_unittest.cc \
ssl_auth_unittest.cc \
ssl_cert_ext_unittest.cc \
ssl_ciphersuite_unittest.cc \
ssl_damage_unittest.cc \
ssl_dhe_unittest.cc \
ssl_drop_unittest.cc \
ssl_ecdh_unittest.cc \
ssl_ems_unittest.cc \
ssl_extension_unittest.cc \
ssl_gtest.cc \
ssl_loopback_unittest.cc \
ssl_record_unittest.cc \
ssl_resumption_unittest.cc \
ssl_skip_unittest.cc \
ssl_staticrsa_unittest.cc \


@ -4,8 +4,8 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "secerr.h"
#include "ssl.h"
#include "secerr.h"
#include "sslerr.h"
#include "sslproto.h"
@ -14,11 +14,11 @@ extern "C" {
#include "libssl_internals.h"
}
#include "scoped_ptrs.h"
#include "tls_parser.h"
#include "tls_filter.h"
#include "tls_connect.h"
#include "gtest_utils.h"
#include "scoped_ptrs.h"
#include "tls_connect.h"
#include "tls_filter.h"
#include "tls_parser.h"
namespace nss_test {
@ -27,12 +27,9 @@ TEST_F(TlsConnectTest, DamageSecretHandleZeroRttClientFinished) {
client_->Set0RttEnabled(true);
server_->Set0RttEnabled(true);
client_->SetPacketFilter(new AfterRecordN(
client_,
server_,
0, // ClientHello.
[this]() {
SSLInt_DamageEarlyTrafficSecret(server_->ssl_fd());
}));
client_, server_,
0, // ClientHello.
[this]() { SSLInt_DamageEarlyTrafficSecret(server_->ssl_fd()); }));
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
@ -108,9 +105,9 @@ TEST_F(TlsConnectTest, TestTls13ZeroRttAlpn) {
ExpectResumption(RESUME_TICKET);
ExpectEarlyDataAccepted(true);
ZeroRttSendReceive(true, [this]() {
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
return true;
});
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
return true;
});
Handshake();
CheckConnected();
SendReceive();
@ -121,15 +118,15 @@ TEST_F(TlsConnectTest, TestTls13ZeroRttAlpn) {
TEST_F(TlsConnectTest, TestTls13ZeroRttAlpnChangeBoth) {
EnableAlpn();
SetupForZeroRtt();
static const uint8_t alpn[] = { 0x01, 0x62 }; // "b"
static const uint8_t alpn[] = {0x01, 0x62}; // "b"
EnableAlpn(alpn, sizeof(alpn));
client_->Set0RttEnabled(true);
server_->Set0RttEnabled(true);
ExpectResumption(RESUME_TICKET);
ZeroRttSendReceive(false, [this]() {
client_->CheckAlpn(SSL_NEXT_PROTO_NO_SUPPORT);
return false;
});
client_->CheckAlpn(SSL_NEXT_PROTO_NO_SUPPORT);
return false;
});
Handshake();
CheckConnected();
SendReceive();
@ -141,17 +138,17 @@ TEST_F(TlsConnectTest, TestTls13ZeroRttAlpnChangeBoth) {
TEST_F(TlsConnectTest, TestTls13ZeroRttAlpnChangeServer) {
EnableAlpn();
SetupForZeroRtt();
static const uint8_t client_alpn[] = { 0x01, 0x61, 0x01, 0x62 }; // "a", "b"
static const uint8_t server_alpn[] = { 0x01, 0x62 }; // "b"
static const uint8_t client_alpn[] = {0x01, 0x61, 0x01, 0x62}; // "a", "b"
static const uint8_t server_alpn[] = {0x01, 0x62}; // "b"
client_->EnableAlpn(client_alpn, sizeof(client_alpn));
server_->EnableAlpn(server_alpn, sizeof(server_alpn));
client_->Set0RttEnabled(true);
server_->Set0RttEnabled(true);
ExpectResumption(RESUME_TICKET);
ZeroRttSendReceive(false, [this]() {
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
return true;
});
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
return true;
});
Handshake();
CheckConnected();
SendReceive();
@ -170,13 +167,12 @@ TEST_F(TlsConnectTest, TestTls13ZeroRttNoAlpnServer) {
EnableAlpn();
ExpectResumption(RESUME_TICKET);
ZeroRttSendReceive(true, [this]() {
PRUint8 b[] = {'b'};
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
EXPECT_EQ(SECSuccess, SSLInt_Set0RttAlpn(client_->ssl_fd(), b,
sizeof(b)));
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "b");
return true;
});
PRUint8 b[] = {'b'};
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "a");
EXPECT_EQ(SECSuccess, SSLInt_Set0RttAlpn(client_->ssl_fd(), b, sizeof(b)));
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "b");
return true;
});
Handshake();
client_->CheckErrorCode(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
@ -191,14 +187,14 @@ TEST_F(TlsConnectTest, TestTls13ZeroRttNoAlpnClient) {
server_->Set0RttEnabled(true);
ExpectResumption(RESUME_TICKET);
ZeroRttSendReceive(true, [this]() {
PRUint8 b[] = {'b'};
EXPECT_EQ(SECSuccess, SSLInt_Set0RttAlpn(client_->ssl_fd(), b, 1));
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "b");
return true;
});
PRUint8 b[] = {'b'};
EXPECT_EQ(SECSuccess, SSLInt_Set0RttAlpn(client_->ssl_fd(), b, 1));
client_->CheckAlpn(SSL_NEXT_PROTO_EARLY_VALUE, "b");
return true;
});
Handshake();
client_->CheckErrorCode(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
} // namespace nss_test
} // namespace nss_test


@ -18,94 +18,65 @@
namespace nss_test {
#ifdef NSS_ENABLE_TLS_1_3
// This is a 1-RTT ClientHello with ECDHE and DHE.
const static uint8_t kCannedTls13ClientHello[] = {
0x01, 0x00, 0x01, 0xfc, 0x03, 0x04, 0x77, 0x5c,
0x3a, 0xd8, 0x3f, 0x43, 0x63, 0x98, 0xfa, 0x68,
0xfb, 0x01, 0x39, 0xff, 0x7c, 0x1a, 0x51, 0xa7,
0x92, 0xda, 0x97, 0xf5, 0x15, 0x78, 0xb3, 0xbb,
0x26, 0xa7, 0xed, 0x6f, 0x69, 0x71, 0x00, 0x00,
0x2a, 0xc0, 0x2b, 0xc0, 0x2f, 0xcc, 0xa9, 0xcc,
0xa8, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0,
0x14, 0x00, 0x9e, 0xcc, 0xaa, 0x00, 0x33, 0x00,
0x32, 0x00, 0x39, 0x00, 0x38, 0x00, 0x16, 0x00,
0x13, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x00,
0x05, 0x00, 0x04, 0x01, 0x00, 0x01, 0xa9, 0x00,
0x00, 0x00, 0x0b, 0x00, 0x09, 0x00, 0x00, 0x06,
0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0xff, 0x01,
0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00,
0x08, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01,
0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0xff,
0x02, 0x00, 0x02, 0x00, 0x0d, 0x00, 0x28, 0x01,
0x4b, 0x01, 0x49, 0x00, 0x17, 0x00, 0x41, 0x04,
0xbf, 0x31, 0xb4, 0x29, 0x96, 0xf4, 0xe6, 0x4a,
0xe3, 0xea, 0x87, 0x05, 0x38, 0x0e, 0x68, 0x02,
0xbc, 0x4a, 0x5d, 0x90, 0xed, 0xe7, 0xaa, 0x8e,
0xb8, 0x42, 0x84, 0xaa, 0x3a, 0x4f, 0x2b, 0xe3,
0x52, 0x9a, 0x9a, 0x76, 0xab, 0xf8, 0x2e, 0x59,
0xea, 0xcd, 0x2b, 0x2f, 0x03, 0x18, 0xd2, 0x0c,
0xc9, 0x07, 0x15, 0xca, 0xe6, 0x61, 0xf7, 0x79,
0x9f, 0xfe, 0xc5, 0x10, 0x40, 0x9e, 0x38, 0x33,
0x01, 0x00, 0x01, 0x00, 0xd8, 0x80, 0x1f, 0x06,
0x9a, 0xbb, 0xf7, 0xbb, 0xd4, 0x5c, 0x75, 0x1d,
0x8e, 0x09, 0x27, 0xad, 0x08, 0xb8, 0x16, 0x0f,
0x4f, 0x50, 0x79, 0xe1, 0x7e, 0xd4, 0x3b, 0xc0,
0x57, 0xcc, 0x00, 0x5e, 0x28, 0xd8, 0xb3, 0x16,
0x7f, 0x36, 0x48, 0x75, 0x8d, 0x03, 0xa4, 0x71,
0x86, 0x06, 0xf0, 0xe7, 0x57, 0x47, 0x35, 0xf0,
0x04, 0xfb, 0xf7, 0x6c, 0x7a, 0xdd, 0x05, 0x93,
0x53, 0x16, 0x12, 0x49, 0xbe, 0x35, 0x67, 0x47,
0x6e, 0x3a, 0x91, 0xef, 0x50, 0x09, 0x14, 0x98,
0x8b, 0x83, 0xc4, 0x62, 0x77, 0xf3, 0x57, 0x53,
0x3f, 0xf4, 0x82, 0xc0, 0x70, 0x25, 0x19, 0x9d,
0x93, 0xe2, 0xb9, 0x7b, 0xb4, 0x83, 0x31, 0xef,
0xd8, 0x3b, 0xd5, 0x25, 0x70, 0x64, 0x29, 0xa2,
0xc2, 0xc5, 0x73, 0x9a, 0xfe, 0x27, 0xca, 0xc0,
0x55, 0x34, 0x91, 0x95, 0x05, 0xbf, 0x5e, 0x54,
0x4d, 0x95, 0x43, 0x3d, 0x54, 0x6a, 0x89, 0x0b,
0x5e, 0xab, 0x08, 0x7b, 0xf8, 0x38, 0x0a, 0x56,
0x51, 0x9d, 0xbc, 0xdd, 0x46, 0xa9, 0xfc, 0x95,
0xe9, 0x75, 0x1c, 0xc8, 0x18, 0x7f, 0xed, 0xa9,
0xca, 0xb6, 0x5e, 0x77, 0x63, 0x33, 0xb1, 0xb5,
0x68, 0xce, 0xa5, 0x98, 0xec, 0x8c, 0x34, 0x98,
0x1c, 0xa9, 0xa5, 0x84, 0xec, 0xe6, 0xba, 0x0b,
0x11, 0xbf, 0x40, 0xa5, 0xf0, 0x3c, 0xd5, 0xd3,
0xac, 0x2f, 0x46, 0xed, 0xab, 0xc0, 0xc1, 0x78,
0x3f, 0x18, 0x64, 0x5b, 0xff, 0x31, 0xeb, 0x74,
0x06, 0x92, 0x42, 0x1e, 0x90, 0xf7, 0xea, 0xa5,
0x02, 0x33, 0x8e, 0x01, 0xe3, 0xfa, 0x70, 0x82,
0xe5, 0xe7, 0x67, 0x8b, 0x96, 0x20, 0x13, 0x2e,
0x65, 0x86, 0xab, 0x28, 0xc8, 0x1b, 0xfe, 0xb4,
0x98, 0xed, 0xa4, 0xa0, 0xee, 0xf9, 0x53, 0x74,
0x30, 0xac, 0x79, 0x2d, 0xf2, 0x92, 0xd0, 0x5e,
0x10, 0xd7, 0xb9, 0x41, 0x00, 0x0d, 0x00, 0x18,
0x00, 0x16, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01,
0x02, 0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03,
0x02, 0x03, 0x05, 0x02, 0x04, 0x02, 0x02, 0x02,
0x00, 0x15, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
0x01, 0x00, 0x01, 0xfc, 0x03, 0x04, 0x77, 0x5c, 0x3a, 0xd8, 0x3f, 0x43,
0x63, 0x98, 0xfa, 0x68, 0xfb, 0x01, 0x39, 0xff, 0x7c, 0x1a, 0x51, 0xa7,
0x92, 0xda, 0x97, 0xf5, 0x15, 0x78, 0xb3, 0xbb, 0x26, 0xa7, 0xed, 0x6f,
0x69, 0x71, 0x00, 0x00, 0x2a, 0xc0, 0x2b, 0xc0, 0x2f, 0xcc, 0xa9, 0xcc,
0xa8, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x9e, 0xcc,
0xaa, 0x00, 0x33, 0x00, 0x32, 0x00, 0x39, 0x00, 0x38, 0x00, 0x16, 0x00,
0x13, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a, 0x00, 0x05, 0x00, 0x04, 0x01,
0x00, 0x01, 0xa9, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x09, 0x00, 0x00, 0x06,
0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01,
0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0xff, 0x02, 0x00, 0x02, 0x00,
0x0e, 0x00, 0x28, 0x01, 0x4b, 0x01, 0x49, 0x00, 0x17, 0x00, 0x41, 0x04,
0xbf, 0x31, 0xb4, 0x29, 0x96, 0xf4, 0xe6, 0x4a, 0xe3, 0xea, 0x87, 0x05,
0x38, 0x0e, 0x68, 0x02, 0xbc, 0x4a, 0x5d, 0x90, 0xed, 0xe7, 0xaa, 0x8e,
0xb8, 0x42, 0x84, 0xaa, 0x3a, 0x4f, 0x2b, 0xe3, 0x52, 0x9a, 0x9a, 0x76,
0xab, 0xf8, 0x2e, 0x59, 0xea, 0xcd, 0x2b, 0x2f, 0x03, 0x18, 0xd2, 0x0c,
0xc9, 0x07, 0x15, 0xca, 0xe6, 0x61, 0xf7, 0x79, 0x9f, 0xfe, 0xc5, 0x10,
0x40, 0x9e, 0x38, 0x33, 0x01, 0x00, 0x01, 0x00, 0xd8, 0x80, 0x1f, 0x06,
0x9a, 0xbb, 0xf7, 0xbb, 0xd4, 0x5c, 0x75, 0x1d, 0x8e, 0x09, 0x27, 0xad,
0x08, 0xb8, 0x16, 0x0f, 0x4f, 0x50, 0x79, 0xe1, 0x7e, 0xd4, 0x3b, 0xc0,
0x57, 0xcc, 0x00, 0x5e, 0x28, 0xd8, 0xb3, 0x16, 0x7f, 0x36, 0x48, 0x75,
0x8d, 0x03, 0xa4, 0x71, 0x86, 0x06, 0xf0, 0xe7, 0x57, 0x47, 0x35, 0xf0,
0x04, 0xfb, 0xf7, 0x6c, 0x7a, 0xdd, 0x05, 0x93, 0x53, 0x16, 0x12, 0x49,
0xbe, 0x35, 0x67, 0x47, 0x6e, 0x3a, 0x91, 0xef, 0x50, 0x09, 0x14, 0x98,
0x8b, 0x83, 0xc4, 0x62, 0x77, 0xf3, 0x57, 0x53, 0x3f, 0xf4, 0x82, 0xc0,
0x70, 0x25, 0x19, 0x9d, 0x93, 0xe2, 0xb9, 0x7b, 0xb4, 0x83, 0x31, 0xef,
0xd8, 0x3b, 0xd5, 0x25, 0x70, 0x64, 0x29, 0xa2, 0xc2, 0xc5, 0x73, 0x9a,
0xfe, 0x27, 0xca, 0xc0, 0x55, 0x34, 0x91, 0x95, 0x05, 0xbf, 0x5e, 0x54,
0x4d, 0x95, 0x43, 0x3d, 0x54, 0x6a, 0x89, 0x0b, 0x5e, 0xab, 0x08, 0x7b,
0xf8, 0x38, 0x0a, 0x56, 0x51, 0x9d, 0xbc, 0xdd, 0x46, 0xa9, 0xfc, 0x95,
0xe9, 0x75, 0x1c, 0xc8, 0x18, 0x7f, 0xed, 0xa9, 0xca, 0xb6, 0x5e, 0x77,
0x63, 0x33, 0xb1, 0xb5, 0x68, 0xce, 0xa5, 0x98, 0xec, 0x8c, 0x34, 0x98,
0x1c, 0xa9, 0xa5, 0x84, 0xec, 0xe6, 0xba, 0x0b, 0x11, 0xbf, 0x40, 0xa5,
0xf0, 0x3c, 0xd5, 0xd3, 0xac, 0x2f, 0x46, 0xed, 0xab, 0xc0, 0xc1, 0x78,
0x3f, 0x18, 0x64, 0x5b, 0xff, 0x31, 0xeb, 0x74, 0x06, 0x92, 0x42, 0x1e,
0x90, 0xf7, 0xea, 0xa5, 0x02, 0x33, 0x8e, 0x01, 0xe3, 0xfa, 0x70, 0x82,
0xe5, 0xe7, 0x67, 0x8b, 0x96, 0x20, 0x13, 0x2e, 0x65, 0x86, 0xab, 0x28,
0xc8, 0x1b, 0xfe, 0xb4, 0x98, 0xed, 0xa4, 0xa0, 0xee, 0xf9, 0x53, 0x74,
0x30, 0xac, 0x79, 0x2d, 0xf2, 0x92, 0xd0, 0x5e, 0x10, 0xd7, 0xb9, 0x41,
0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01,
0x02, 0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02, 0x03, 0x05, 0x02,
0x04, 0x02, 0x02, 0x02, 0x00, 0x15, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
const static uint8_t kCannedTls13ServerHello[] = {
0x03, 0x04, 0xe9, 0x01, 0xa0, 0x81, 0x37, 0x97,
0xaa, 0x8c, 0x7e, 0x21, 0x1c, 0x66, 0x3f, 0xa4,
0x0f, 0x4d, 0x74, 0x7a, 0xcd, 0x4b, 0xe1, 0x7f,
0x37, 0x85, 0x14, 0xb5, 0x7e, 0x30, 0x15, 0x91,
0xdf, 0x18, 0xc0, 0x2f, 0x00, 0x49, 0x00, 0x28,
0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04, 0x1a,
0x53, 0x9b, 0x39, 0xe6, 0xda, 0x66, 0xfc, 0x8a,
0x75, 0x68, 0xb7, 0x73, 0xc7, 0x21, 0x1f, 0x01,
0x04, 0x54, 0xb4, 0x99, 0x1f, 0x0b, 0x7e, 0xea,
0x95, 0xec, 0x78, 0x5c, 0x37, 0x7c, 0x31, 0x56,
0x04, 0xc8, 0xbf, 0x79, 0x47, 0x56, 0xb9, 0x87,
0x06, 0xc1, 0xfc, 0x63, 0x09, 0x5d, 0xfc, 0x1a,
0x9e, 0x2b, 0xb9, 0xca, 0xdb, 0x0e, 0x10, 0xec,
0xd5, 0x95, 0x0d, 0x0a, 0x5e, 0x3c, 0xf7
};
0x03, 0x04, 0xe9, 0x01, 0xa0, 0x81, 0x37, 0x97, 0xaa, 0x8c, 0x7e, 0x21,
0x1c, 0x66, 0x3f, 0xa4, 0x0f, 0x4d, 0x74, 0x7a, 0xcd, 0x4b, 0xe1, 0x7f,
0x37, 0x85, 0x14, 0xb5, 0x7e, 0x30, 0x15, 0x91, 0xdf, 0x18, 0xc0, 0x2f,
0x00, 0x49, 0x00, 0x28, 0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04, 0x1a,
0x53, 0x9b, 0x39, 0xe6, 0xda, 0x66, 0xfc, 0x8a, 0x75, 0x68, 0xb7, 0x73,
0xc7, 0x21, 0x1f, 0x01, 0x04, 0x54, 0xb4, 0x99, 0x1f, 0x0b, 0x7e, 0xea,
0x95, 0xec, 0x78, 0x5c, 0x37, 0x7c, 0x31, 0x56, 0x04, 0xc8, 0xbf, 0x79,
0x47, 0x56, 0xb9, 0x87, 0x06, 0xc1, 0xfc, 0x63, 0x09, 0x5d, 0xfc, 0x1a,
0x9e, 0x2b, 0xb9, 0xca, 0xdb, 0x0e, 0x10, 0xec, 0xd5, 0x95, 0x0d, 0x0a,
0x5e, 0x3c, 0xf7};
static const char *k0RttData = "ABCDEF";
#endif
TEST_P(TlsAgentTest, EarlyFinished) {
DataBuffer buffer;
@ -121,7 +92,6 @@ TEST_P(TlsAgentTest, EarlyCertificateVerify) {
SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
}
#ifdef NSS_ENABLE_TLS_1_3
TEST_P(TlsAgentTestClient, CannedHello) {
DataBuffer buffer;
EnsureInit();
@ -129,15 +99,13 @@ TEST_P(TlsAgentTestClient, CannedHello) {
SSL_LIBRARY_VERSION_TLS_1_3);
DataBuffer server_hello_inner(kCannedTls13ServerHello,
sizeof(kCannedTls13ServerHello));
uint16_t wire_version = mode_ == STREAM ?
SSL_LIBRARY_VERSION_TLS_1_3:
TlsVersionToDtlsVersion(SSL_LIBRARY_VERSION_TLS_1_3);
uint16_t wire_version =
mode_ == STREAM ? SSL_LIBRARY_VERSION_TLS_1_3
: TlsVersionToDtlsVersion(SSL_LIBRARY_VERSION_TLS_1_3);
server_hello_inner.Write(0, wire_version, 2);
DataBuffer server_hello;
MakeHandshakeMessage(kTlsHandshakeServerHello,
server_hello_inner.data(),
server_hello_inner.len(),
&server_hello);
MakeHandshakeMessage(kTlsHandshakeServerHello, server_hello_inner.data(),
server_hello_inner.len(), &server_hello);
MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
server_hello.data(), server_hello.len(), &buffer);
ProcessMessage(buffer, TlsAgent::STATE_CONNECTING);
@ -147,25 +115,19 @@ TEST_P(TlsAgentTestClient, EncryptedExtensionsInClear) {
DataBuffer buffer;
DataBuffer server_hello_inner(kCannedTls13ServerHello,
sizeof(kCannedTls13ServerHello));
server_hello_inner.Write(0,
mode_ == STREAM ?
SSL_LIBRARY_VERSION_TLS_1_3:
TlsVersionToDtlsVersion(
SSL_LIBRARY_VERSION_TLS_1_3),
2);
server_hello_inner.Write(
0, mode_ == STREAM ? SSL_LIBRARY_VERSION_TLS_1_3
: TlsVersionToDtlsVersion(SSL_LIBRARY_VERSION_TLS_1_3),
2);
DataBuffer server_hello;
MakeHandshakeMessage(kTlsHandshakeServerHello,
server_hello_inner.data(),
server_hello_inner.len(),
&server_hello);
MakeHandshakeMessage(kTlsHandshakeServerHello, server_hello_inner.data(),
server_hello_inner.len(), &server_hello);
DataBuffer encrypted_extensions;
MakeHandshakeMessage(kTlsHandshakeEncryptedExtensions, nullptr, 0,
&encrypted_extensions, 1);
server_hello.Append(encrypted_extensions);
MakeRecord(kTlsHandshakeType,
SSL_LIBRARY_VERSION_TLS_1_3,
server_hello.data(),
server_hello.len(), &buffer);
MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
server_hello.data(), server_hello.len(), &buffer);
EnsureInit();
agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
SSL_LIBRARY_VERSION_TLS_1_3);
@ -180,23 +142,17 @@ TEST_F(TlsAgentStreamTestClient, EncryptedExtensionsInClearTwoPieces) {
sizeof(kCannedTls13ServerHello));
server_hello_inner.Write(0, SSL_LIBRARY_VERSION_TLS_1_3, 2);
DataBuffer server_hello;
MakeHandshakeMessage(kTlsHandshakeServerHello,
server_hello_inner.data(),
server_hello_inner.len(),
&server_hello);
MakeHandshakeMessage(kTlsHandshakeServerHello, server_hello_inner.data(),
server_hello_inner.len(), &server_hello);
DataBuffer encrypted_extensions;
MakeHandshakeMessage(kTlsHandshakeEncryptedExtensions, nullptr, 0,
&encrypted_extensions, 1);
server_hello.Append(encrypted_extensions);
MakeRecord(kTlsHandshakeType,
SSL_LIBRARY_VERSION_TLS_1_3,
server_hello.data(), 20,
&buffer);
MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
server_hello.data(), 20, &buffer);
MakeRecord(kTlsHandshakeType,
SSL_LIBRARY_VERSION_TLS_1_3,
server_hello.data() + 20,
server_hello.len() - 20, &buffer2);
MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
server_hello.data() + 20, server_hello.len() - 20, &buffer2);
EnsureInit();
agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
@ -206,7 +162,6 @@ TEST_F(TlsAgentStreamTestClient, EncryptedExtensionsInClearTwoPieces) {
SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
}
TEST_F(TlsAgentDgramTestClient, EncryptedExtensionsInClearTwoPieces) {
DataBuffer buffer;
DataBuffer buffer2;
@ -215,29 +170,23 @@ TEST_F(TlsAgentDgramTestClient, EncryptedExtensionsInClearTwoPieces) {
server_hello_inner.Write(
0, TlsVersionToDtlsVersion(SSL_LIBRARY_VERSION_TLS_1_3), 2);
DataBuffer server_hello_frag1;
MakeHandshakeMessageFragment(kTlsHandshakeServerHello,
server_hello_inner.data(),
server_hello_inner.len(),
&server_hello_frag1, 0,
0, 20);
MakeHandshakeMessageFragment(
kTlsHandshakeServerHello, server_hello_inner.data(),
server_hello_inner.len(), &server_hello_frag1, 0, 0, 20);
DataBuffer server_hello_frag2;
MakeHandshakeMessageFragment(kTlsHandshakeServerHello,
server_hello_inner.data() + 20,
server_hello_inner.len(), &server_hello_frag2, 0,
20, server_hello_inner.len() - 20);
server_hello_inner.data() + 20,
server_hello_inner.len(), &server_hello_frag2, 0,
20, server_hello_inner.len() - 20);
DataBuffer encrypted_extensions;
MakeHandshakeMessage(kTlsHandshakeEncryptedExtensions, nullptr, 0,
&encrypted_extensions, 1);
server_hello_frag2.Append(encrypted_extensions);
MakeRecord(kTlsHandshakeType,
SSL_LIBRARY_VERSION_TLS_1_3,
server_hello_frag1.data(), server_hello_frag1.len(),
&buffer);
MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
server_hello_frag1.data(), server_hello_frag1.len(), &buffer);
MakeRecord(kTlsHandshakeType,
SSL_LIBRARY_VERSION_TLS_1_3,
server_hello_frag2.data(), server_hello_frag2.len(),
&buffer2, 1);
MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
server_hello_frag2.data(), server_hello_frag2.len(), &buffer2, 1);
EnsureInit();
agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
@ -256,8 +205,7 @@ TEST_F(TlsAgentStreamTestClient, Set0RttOptionThenWrite) {
auto filter =
new TlsInspectorRecordHandshakeMessage(kTlsHandshakeClientHello);
agent_->SetPacketFilter(filter);
PRInt32 rv = PR_Write(agent_->ssl_fd(),
k0RttData, strlen(k0RttData));
PRInt32 rv = PR_Write(agent_->ssl_fd(), k0RttData, strlen(k0RttData));
EXPECT_EQ(-1, rv);
int32_t err = PORT_GetError();
EXPECT_EQ(PR_WOULD_BLOCK_ERROR, err);
@ -272,8 +220,8 @@ TEST_F(TlsAgentStreamTestClient, Set0RttOptionThenRead) {
agent_->Set0RttEnabled(true);
DataBuffer buffer;
MakeRecord(kTlsApplicationDataType, SSL_LIBRARY_VERSION_TLS_1_3,
reinterpret_cast<const uint8_t *>(k0RttData),
strlen(k0RttData), &buffer);
reinterpret_cast<const uint8_t *>(k0RttData), strlen(k0RttData),
&buffer);
ProcessMessage(buffer, TlsAgent::STATE_ERROR,
SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
}
@ -289,24 +237,18 @@ TEST_F(TlsAgentStreamTestServer, Set0RttOptionClientHelloThenRead) {
agent_->Set0RttEnabled(true);
DataBuffer buffer;
MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
kCannedTls13ClientHello, sizeof(kCannedTls13ClientHello),
&buffer);
kCannedTls13ClientHello, sizeof(kCannedTls13ClientHello), &buffer);
ProcessMessage(buffer, TlsAgent::STATE_CONNECTING);
MakeRecord(kTlsApplicationDataType, SSL_LIBRARY_VERSION_TLS_1_3,
reinterpret_cast<const uint8_t *>(k0RttData),
strlen(k0RttData), &buffer);
ProcessMessage(buffer, TlsAgent::STATE_ERROR,
SSL_ERROR_BAD_MAC_READ);
reinterpret_cast<const uint8_t *>(k0RttData), strlen(k0RttData),
&buffer);
ProcessMessage(buffer, TlsAgent::STATE_ERROR, SSL_ERROR_BAD_MAC_READ);
}
#endif
INSTANTIATE_TEST_CASE_P(AgentTests, TlsAgentTest,
::testing::Combine(
TlsAgentTestBase::kTlsRolesAll,
TlsConnectTestBase::kTlsModesStream));
#ifdef NSS_ENABLE_TLS_1_3
INSTANTIATE_TEST_CASE_P(
AgentTests, TlsAgentTest,
::testing::Combine(TlsAgentTestBase::kTlsRolesAll,
TlsConnectTestBase::kTlsModesStream));
INSTANTIATE_TEST_CASE_P(ClientTests, TlsAgentTestClient,
TlsConnectTestBase::kTlsModesAll);
#endif
} // namespace nss_test
} // namespace nss_test
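Review bot: The reflow of `kCannedTls13ClientHello` is not whitespace-only, and nothing in the array documents the one byte that differs: after `0xff, 0x02, 0x00, 0x02, 0x00` the eight-per-line layout reads `0x0d` and the twelve-per-line layout reads `0x0e`. This looks like the body of extension 0xff02 (presumably a draft-version marker; confirm against the extension table). A comment above the array, for example `// Extension 0xff02 body is 0x000e; regenerate or patch this blob when the advertised draft version changes.`, would make the next update deliberate rather than a hex hunt. The only comment there now, `// This is a 1-RTT ClientHello with ECDHE and DHE.`, does not say which fields tests such as Set0RttOptionClientHelloThenRead depend on.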


@ -4,8 +4,8 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "secerr.h"
#include "ssl.h"
#include "secerr.h"
#include "sslerr.h"
#include "sslproto.h"
@ -14,14 +14,20 @@ extern "C" {
#include "libssl_internals.h"
}
#include "scoped_ptrs.h"
#include "tls_parser.h"
#include "tls_filter.h"
#include "tls_connect.h"
#include "gtest_utils.h"
#include "scoped_ptrs.h"
#include "tls_connect.h"
#include "tls_filter.h"
#include "tls_parser.h"
namespace nss_test {
TEST_P(TlsConnectGeneric, ServerAuthBigRsa) {
Reset(TlsAgent::kRsa2048);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
}
TEST_P(TlsConnectGeneric, ClientAuth) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
@ -45,65 +51,157 @@ TEST_P(TlsConnectGeneric, ClientAuthRequestedRejected) {
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
}
TEST_P(TlsConnectGeneric, ClientAuthEcdsa) {
Reset(TlsAgent::kServerEcdsa);
Reset(TlsAgent::kServerEcdsa256);
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
}
TEST_P(TlsConnectGeneric, ClientAuthBigRsa) {
Reset(TlsAgent::kServerRsa, TlsAgent::kRsa2048);
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
}
// Offset is the position in the captured buffer where the signature sits.
static void CheckSigAlgs(TlsInspectorRecordHandshakeMessage* capture,
size_t offset, TlsAgent* peer,
SSLHashType expected_hash, size_t expected_size) {
EXPECT_LT(offset + 2U, capture->buffer().len());
EXPECT_EQ(expected_hash, capture->buffer().data()[offset]);
EXPECT_EQ(ssl_sign_rsa, capture->buffer().data()[offset + 1]);
ScopedCERTCertificate remote_cert(SSL_PeerCertificate(peer->ssl_fd()));
ScopedSECKEYPublicKey remote_key(CERT_ExtractPublicKey(remote_cert.get()));
EXPECT_EQ(expected_size, SECKEY_PublicKeyStrengthInBits(remote_key.get()));
}
// The server should prefer SHA-256 by default, even for the small key size used
// in the default certificate.
TEST_P(TlsConnectTls12, ServerAuthCheckSigAlg) {
EnsureTlsSetup();
auto capture_ske =
new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
server_->SetPacketFilter(capture_ske);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
const DataBuffer& buffer = capture_ske->buffer();
EXPECT_LT(3U, buffer.len());
EXPECT_EQ(3U, buffer.data()[0]) << "curve_type == named_curve";
uint32_t tmp;
EXPECT_TRUE(buffer.Read(1, 2, &tmp)) << "read NamedCurve";
EXPECT_EQ(ssl_grp_ec_secp256r1, tmp);
EXPECT_TRUE(buffer.Read(3, 1, &tmp)) << " read ECPoint";
CheckSigAlgs(capture_ske, 4 + tmp, client_, ssl_hash_sha256, 1024);
}
TEST_P(TlsConnectTls12, ClientAuthCheckSigAlg) {
EnsureTlsSetup();
auto capture_cert_verify =
new TlsInspectorRecordHandshakeMessage(kTlsHandshakeCertificateVerify);
client_->SetPacketFilter(capture_cert_verify);
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckSigAlgs(capture_cert_verify, 0, server_, ssl_hash_sha1, 1024);
}
TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
Reset(TlsAgent::kServerRsa, TlsAgent::kRsa2048);
auto capture_cert_verify =
new TlsInspectorRecordHandshakeMessage(kTlsHandshakeCertificateVerify);
client_->SetPacketFilter(capture_cert_verify);
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
CheckSigAlgs(capture_cert_verify, 0, server_, ssl_hash_sha256, 2048);
}
static const SSLSignatureAndHashAlg SignatureEcdsaSha384[] = {
{ssl_hash_sha384, ssl_sign_ecdsa}
};
{ssl_hash_sha384, ssl_sign_ecdsa}};
static const SSLSignatureAndHashAlg SignatureEcdsaSha256[] = {
{ssl_hash_sha256, ssl_sign_ecdsa}
};
{ssl_hash_sha256, ssl_sign_ecdsa}};
static const SSLSignatureAndHashAlg SignatureRsaSha384[] = {
{ssl_hash_sha384, ssl_sign_rsa}
};
{ssl_hash_sha384, ssl_sign_rsa}};
static const SSLSignatureAndHashAlg SignatureRsaSha256[] = {
{ssl_hash_sha256, ssl_sign_rsa}
};
{ssl_hash_sha256, ssl_sign_rsa}};
// When signature algorithms match up, this should connect successfully; even
// for TLS 1.1 and 1.0, where they should be ignored.
TEST_P(TlsConnectGeneric, SignatureAlgorithmServerAuth) {
Reset(TlsAgent::kServerEcdsa384);
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
Reset(TlsAgent::kServerEcdsa);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
}
// Here the client picks a single option, which should work in all versions.
// Defaults on the server include the first option.
TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) {
const SSLSignatureAndHashAlg clientAlgorithms[] = {
{ssl_hash_sha384, ssl_sign_ecdsa},
{ssl_hash_sha384, ssl_sign_rsa}, // supported but unusable
{ssl_hash_md5, ssl_sign_ecdsa} // unsupported and ignored
{ssl_hash_sha384, ssl_sign_ecdsa},
{ssl_hash_sha384, ssl_sign_rsa}, // supported but unusable
{ssl_hash_md5, ssl_sign_ecdsa} // unsupported and ignored
};
Reset(TlsAgent::kServerEcdsa384);
client_->SetSignatureAlgorithms(clientAlgorithms,
PR_ARRAY_SIZE(clientAlgorithms));
Reset(TlsAgent::kServerEcdsa);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
}
// Here the server picks a single option, which should work in all versions.
// Defaults on the client include the provided option.
TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
Reset(TlsAgent::kServerEcdsa384);
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
Reset(TlsAgent::kServerEcdsa);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
}
// There is no need for overlap on signatures; since we don't actually use the
// signatures for static RSA, this should still connect successfully.
// This should also work in TLS 1.0 and 1.1 where the algorithms aren't used.
// In TlS 1.2, a P-256 cert can be used with SHA-384.
TEST_P(TlsConnectTls12, SignatureSchemeCurveMismatch12) {
Reset(TlsAgent::kServerEcdsa256);
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
}
#ifdef NSS_ENABLE_TLS_1_3
TEST_P(TlsConnectTls13, SignatureAlgorithmServerUnsupported) {
Reset(TlsAgent::kServerEcdsa256); // P-256 cert
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}
TEST_P(TlsConnectTls13, SignatureAlgorithmClientUnsupported) {
Reset(TlsAgent::kServerEcdsa256); // P-256 cert
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}
#endif
// Where there is no overlap on signature schemes, we still connect successfully
// if we aren't going to use a signature.
TEST_P(TlsConnectGenericPre13, SignatureAlgorithmNoOverlapStaticRsa) {
client_->SetSignatureAlgorithms(SignatureRsaSha384,
PR_ARRAY_SIZE(SignatureRsaSha384));
@ -114,20 +212,20 @@ TEST_P(TlsConnectGenericPre13, SignatureAlgorithmNoOverlapStaticRsa) {
CheckKeys(ssl_kea_rsa, ssl_auth_rsa_decrypt);
}
// TODO(ekr@rtfm.com): We need to enable this for 1.3 when we fix
// bug 1287267.
TEST_P(TlsConnectTls12, SignatureAlgorithmNoOverlapEcdsa) {
Reset(TlsAgent::kServerEcdsa);
TEST_P(TlsConnectTls12Plus, SignatureAlgorithmNoOverlapEcdsa) {
Reset(TlsAgent::kServerEcdsa256);
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha256,
PR_ARRAY_SIZE(SignatureEcdsaSha256));
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
}
// Pre 1.2, a mismatch on signature algorithms shouldn't affect anything.
TEST_P(TlsConnectPre12, SignatureAlgorithmNoOverlapEcdsa) {
Reset(TlsAgent::kServerEcdsa);
Reset(TlsAgent::kServerEcdsa256);
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha256,
@ -144,15 +242,11 @@ TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
class BeforeFinished : public TlsRecordFilter {
private:
enum HandshakeState {
BEFORE_CCS,
AFTER_CCS,
DONE
};
enum HandshakeState { BEFORE_CCS, AFTER_CCS, DONE };
public:
BeforeFinished(TlsAgent* client, TlsAgent* server,
VoidFunction before_ccs, VoidFunction before_finished)
BeforeFinished(TlsAgent* client, TlsAgent* server, VoidFunction before_ccs,
VoidFunction before_finished)
: client_(client),
server_(server),
before_ccs_(before_ccs),
@ -160,8 +254,9 @@ class BeforeFinished : public TlsRecordFilter {
state_(BEFORE_CCS) {}
protected:
virtual PacketFilter::Action FilterRecord(
const RecordHeader& header, const DataBuffer& body, DataBuffer* out) {
virtual PacketFilter::Action FilterRecord(const RecordHeader& header,
const DataBuffer& body,
DataBuffer* out) {
switch (state_) {
case BEFORE_CCS:
// Awaken when we see the CCS.
@ -223,7 +318,7 @@ class BeforeFinished13 : public PacketFilter {
};
public:
BeforeFinished13(TlsAgent* client, TlsAgent *server,
BeforeFinished13(TlsAgent* client, TlsAgent* server,
VoidFunction before_finished)
: client_(client),
server_(server),
@ -240,8 +335,8 @@ class BeforeFinished13 : public PacketFilter {
SSLInt_SetMTU(server_->ssl_fd(), input.len() - 1));
return DROP;
// Packet 2 is the first part of the server's retransmitted first
// flight. Keep that.
// Packet 2 is the first part of the server's retransmitted first
// flight. Keep that.
case 3:
// Packet 3 is the second part of the server's retransmitted first
@ -258,28 +353,25 @@ class BeforeFinished13 : public PacketFilter {
}
private:
TlsAgent *client_;
TlsAgent *server_;
TlsAgent* client_;
TlsAgent* server_;
VoidFunction before_finished_;
size_t records_;
};
#ifdef NSS_ENABLE_TLS_1_3
// This test uses an AuthCertificateCallback that blocks. A filter is used to
// split the server's first flight into two pieces. Before the second piece is
// processed by the client, SSL_AuthCertificateComplete() is called.
TEST_F(TlsConnectDatagram13, AuthCompleteBeforeFinished) {
client_->SetAuthCertificateCallback(
[](TlsAgent&, PRBool, PRBool) -> SECStatus {
return SECWouldBlock;
});
[](TlsAgent*, PRBool, PRBool) -> SECStatus { return SECWouldBlock; });
server_->SetPacketFilter(new BeforeFinished13(client_, server_, [this]() {
EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
}));
EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
}));
Connect();
}
static void TriggerAuthComplete(PollTarget *target, Event event) {
static void TriggerAuthComplete(PollTarget* target, Event event) {
std::cerr << "client: call SSL_AuthCertificateComplete" << std::endl;
EXPECT_EQ(TIMER_EVENT, event);
TlsAgent* client = static_cast<TlsAgent*>(target);
@ -291,8 +383,8 @@ static void TriggerAuthComplete(PollTarget *target, Event event) {
// will trigger after the Finished message is processed.
TEST_F(TlsConnectDatagram13, AuthCompleteAfterFinished) {
client_->SetAuthCertificateCallback(
[this](TlsAgent&, PRBool, PRBool) -> SECStatus {
Poller::Timer *timer_handle;
[this](TlsAgent*, PRBool, PRBool) -> SECStatus {
Poller::Timer* timer_handle;
// This is really just to unroll the stack.
Poller::Instance()->SetTimer(1U, client_, TriggerAuthComplete,
&timer_handle);
@ -300,13 +392,13 @@ TEST_F(TlsConnectDatagram13, AuthCompleteAfterFinished) {
});
Connect();
}
#endif
TEST_P(TlsConnectGenericPre13, ClientWriteBetweenCCSAndFinishedWithFalseStart) {
client_->EnableFalseStart();
server_->SetPacketFilter(new BeforeFinished(client_, server_, [this]() {
EXPECT_TRUE(client_->can_falsestart_hook_called());
}, [this]() {
server_->SetPacketFilter(new BeforeFinished(
client_, server_,
[this]() { EXPECT_TRUE(client_->can_falsestart_hook_called()); },
[this]() {
// Write something, which used to fail: bug 1235366.
client_->SendData(10);
}));
@ -319,15 +411,17 @@ TEST_P(TlsConnectGenericPre13, ClientWriteBetweenCCSAndFinishedWithFalseStart) {
TEST_P(TlsConnectGenericPre13, AuthCompleteBeforeFinishedWithFalseStart) {
client_->EnableFalseStart();
client_->SetAuthCertificateCallback(
[](TlsAgent&, PRBool, PRBool) -> SECStatus {
return SECWouldBlock;
});
server_->SetPacketFilter(new BeforeFinished(client_, server_, []() {
[](TlsAgent*, PRBool, PRBool) -> SECStatus { return SECWouldBlock; });
server_->SetPacketFilter(new BeforeFinished(
client_, server_,
[]() {
// Do nothing before CCS
}, [this]() {
},
[this]() {
EXPECT_FALSE(client_->can_falsestart_hook_called());
// AuthComplete before Finished still enables false start.
EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
EXPECT_EQ(SECSuccess,
SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
EXPECT_TRUE(client_->can_falsestart_hook_called());
client_->SendData(10);
}));
@ -337,4 +431,88 @@ TEST_P(TlsConnectGenericPre13, AuthCompleteBeforeFinishedWithFalseStart) {
Receive(10);
}
static const SSLExtraServerCertData ServerCertDataRsaPkcs1Decrypt = {
ssl_auth_rsa_decrypt, nullptr, nullptr, nullptr};
static const SSLExtraServerCertData ServerCertDataRsaPkcs1Sign = {
ssl_auth_rsa_sign, nullptr, nullptr, nullptr};
static const SSLExtraServerCertData ServerCertDataRsaPss = {
ssl_auth_rsa_pss, nullptr, nullptr, nullptr};
// Test RSA cert with usage=[signature, encipherment].
TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPkcs1SignAndKEX) {
Reset(TlsAgent::kServerRsa);
PRFileDesc* ssl_fd = agent_->ssl_fd();
EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
// Configuring for only rsa_sign, rsa_pss, or rsa_decrypt should work.
EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
&ServerCertDataRsaPkcs1Decrypt));
EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
&ServerCertDataRsaPkcs1Sign));
EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
&ServerCertDataRsaPss));
}
// Test RSA cert with usage=[signature].
TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPkcs1Sign) {
Reset(TlsAgent::kServerRsaSign);
PRFileDesc* ssl_fd = agent_->ssl_fd();
EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
// Configuring for only rsa_decrypt should fail.
EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
&ServerCertDataRsaPkcs1Decrypt));
// Configuring for only rsa_sign or rsa_pss should work.
EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
&ServerCertDataRsaPkcs1Sign));
EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
&ServerCertDataRsaPss));
}
// Test RSA cert with usage=[encipherment].
TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPkcs1KEX) {
Reset(TlsAgent::kServerRsaDecrypt);
PRFileDesc* ssl_fd = agent_->ssl_fd();
EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
// Configuring for only rsa_sign or rsa_pss should fail.
EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaDecrypt, false,
&ServerCertDataRsaPkcs1Sign));
EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaDecrypt, false,
&ServerCertDataRsaPss));
// Configuring for only rsa_decrypt should work.
EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaDecrypt, false,
&ServerCertDataRsaPkcs1Decrypt));
}
// Test configuring an RSA-PSS cert.
TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPss) {
Reset(TlsAgent::kServerRsaPss);
PRFileDesc* ssl_fd = agent_->ssl_fd();
EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
// Configuring for only rsa_sign or rsa_decrypt should fail.
EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaPss, false,
&ServerCertDataRsaPkcs1Sign));
EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaPss, false,
&ServerCertDataRsaPkcs1Decrypt));
// Configuring for only rsa_pss should work.
EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaPss, false,
&ServerCertDataRsaPss));
}
}


@ -0,0 +1,214 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ssl.h"
#include "sslerr.h"
#include "sslproto.h"
#include <memory>
#include "tls_connect.h"
#include "tls_filter.h"
#include "tls_parser.h"
namespace nss_test {
// Tests for Certificate Transparency (RFC 6962)
// These don't work with TLS 1.3: see bug 1252745.
// Helper class - stores signed certificate timestamps as provided
// by the relevant callbacks on the client.
class SignedCertificateTimestampsExtractor {
public:
SignedCertificateTimestampsExtractor(TlsAgent* client) {
client->SetAuthCertificateCallback(
[&](TlsAgent* agent, bool checksig, bool isServer) -> SECStatus {
const SECItem* scts = SSL_PeerSignedCertTimestamps(agent->ssl_fd());
EXPECT_TRUE(scts);
if (!scts) {
return SECFailure;
}
auth_timestamps_.reset(new DataBuffer(scts->data, scts->len));
return SECSuccess;
});
client->SetHandshakeCallback([&](TlsAgent* agent) {
const SECItem* scts = SSL_PeerSignedCertTimestamps(agent->ssl_fd());
ASSERT_TRUE(scts);
handshake_timestamps_.reset(new DataBuffer(scts->data, scts->len));
});
}
void assertTimestamps(const DataBuffer& timestamps) {
EXPECT_TRUE(auth_timestamps_);
EXPECT_EQ(timestamps, *auth_timestamps_);
EXPECT_TRUE(handshake_timestamps_);
EXPECT_EQ(timestamps, *handshake_timestamps_);
}
private:
std::unique_ptr<DataBuffer> auth_timestamps_;
std::unique_ptr<DataBuffer> handshake_timestamps_;
};
static const uint8_t kSctValue[] = {0x01, 0x23, 0x45, 0x67, 0x89};
static const SECItem kSctItem = {siBuffer, const_cast<uint8_t*>(kSctValue),
sizeof(kSctValue)};
static const DataBuffer kSctBuffer(kSctValue, sizeof(kSctValue));
// Test timestamps extraction during a successful handshake.
TEST_P(TlsConnectGenericPre13, SignedCertificateTimestampsHandshake) {
EnsureTlsSetup();
EXPECT_EQ(SECSuccess, SSL_SetSignedCertTimestamps(server_->ssl_fd(),
&kSctItem, ssl_kea_rsa));
EXPECT_EQ(SECSuccess,
SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
PR_TRUE));
SignedCertificateTimestampsExtractor timestamps_extractor(client_);
Connect();
timestamps_extractor.assertTimestamps(kSctBuffer);
const SECItem* c_timestamps = SSL_PeerSignedCertTimestamps(client_->ssl_fd());
EXPECT_EQ(SECEqual, SECITEM_CompareItem(&kSctItem, c_timestamps));
}
TEST_P(TlsConnectGenericPre13, SignedCertificateTimestampsConfig) {
static const SSLExtraServerCertData kExtraData = {ssl_auth_rsa_sign, nullptr,
nullptr, &kSctItem};
EnsureTlsSetup();
EXPECT_TRUE(
server_->ConfigServerCert(TlsAgent::kServerRsa, true, &kExtraData));
EXPECT_EQ(SECSuccess,
SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
PR_TRUE));
SignedCertificateTimestampsExtractor timestamps_extractor(client_);
Connect();
timestamps_extractor.assertTimestamps(kSctBuffer);
const SECItem* c_timestamps = SSL_PeerSignedCertTimestamps(client_->ssl_fd());
EXPECT_EQ(SECEqual, SECITEM_CompareItem(&kSctItem, c_timestamps));
}
// Test SSL_PeerSignedCertTimestamps returning zero-length SECItem
// when the client / the server / both have not enabled the feature.
TEST_P(TlsConnectGenericPre13, SignedCertificateTimestampsInactiveClient) {
EnsureTlsSetup();
EXPECT_EQ(SECSuccess, SSL_SetSignedCertTimestamps(server_->ssl_fd(),
&kSctItem, ssl_kea_rsa));
SignedCertificateTimestampsExtractor timestamps_extractor(client_);
Connect();
timestamps_extractor.assertTimestamps(DataBuffer());
}
TEST_P(TlsConnectGenericPre13, SignedCertificateTimestampsInactiveServer) {
EnsureTlsSetup();
EXPECT_EQ(SECSuccess,
SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
PR_TRUE));
SignedCertificateTimestampsExtractor timestamps_extractor(client_);
Connect();
timestamps_extractor.assertTimestamps(DataBuffer());
}
TEST_P(TlsConnectGenericPre13, SignedCertificateTimestampsInactiveBoth) {
EnsureTlsSetup();
SignedCertificateTimestampsExtractor timestamps_extractor(client_);
Connect();
timestamps_extractor.assertTimestamps(DataBuffer());
}
// Check that the given agent doesn't have an OCSP response for its peer.
static SECStatus CheckNoOCSP(TlsAgent* agent, bool checksig, bool isServer) {
const SECItemArray* ocsp = SSL_PeerStapledOCSPResponses(agent->ssl_fd());
EXPECT_TRUE(ocsp);
EXPECT_EQ(0U, ocsp->len);
return SECSuccess;
}
static const uint8_t kOcspValue1[] = {1, 2, 3, 4, 5, 6};
static const uint8_t kOcspValue2[] = {7, 8, 9};
static const SECItem kOcspItems[] = {
{siBuffer, const_cast<uint8_t*>(kOcspValue1), sizeof(kOcspValue1)},
{siBuffer, const_cast<uint8_t*>(kOcspValue2), sizeof(kOcspValue2)}};
static const SECItemArray kOcspResponses = {const_cast<SECItem*>(kOcspItems),
PR_ARRAY_SIZE(kOcspItems)};
const static SSLExtraServerCertData kOcspExtraData = {
ssl_auth_rsa_sign, nullptr, &kOcspResponses, nullptr};
TEST_P(TlsConnectGeneric, NoOcsp) {
EnsureTlsSetup();
client_->SetAuthCertificateCallback(CheckNoOCSP);
Connect();
}
// The client doesn't get OCSP stapling unless it asks.
TEST_P(TlsConnectGeneric, OcspNotRequested) {
EnsureTlsSetup();
client_->SetAuthCertificateCallback(CheckNoOCSP);
EXPECT_TRUE(
server_->ConfigServerCert(TlsAgent::kServerRsa, true, &kOcspExtraData));
Connect();
}
// Even if the client asks, the server has nothing unless it is configured.
TEST_P(TlsConnectGeneric, OcspNotProvided) {
EnsureTlsSetup();
EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_OCSP_STAPLING, PR_TRUE));
client_->SetAuthCertificateCallback(CheckNoOCSP);
Connect();
}
TEST_P(TlsConnectGenericPre13, OcspMangled) {
EnsureTlsSetup();
EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_OCSP_STAPLING, PR_TRUE));
EXPECT_TRUE(
server_->ConfigServerCert(TlsAgent::kServerRsa, true, &kOcspExtraData));
static const uint8_t val[] = {1};
auto replacer = new TlsExtensionReplacer(ssl_cert_status_xtn,
DataBuffer(val, sizeof(val)));
server_->SetPacketFilter(replacer);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
TEST_P(TlsConnectGeneric, OcspSuccess) {
EnsureTlsSetup();
EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_OCSP_STAPLING, PR_TRUE));
auto capture_ocsp = new TlsExtensionCapture(ssl_cert_status_xtn);
server_->SetPacketFilter(capture_ocsp);
// The value should be available during the AuthCertificateCallback
client_->SetAuthCertificateCallback([](TlsAgent* agent, bool checksig,
bool isServer) -> SECStatus {
const SECItemArray* ocsp = SSL_PeerStapledOCSPResponses(agent->ssl_fd());
if (!ocsp) {
return SECFailure;
}
EXPECT_EQ(1U, ocsp->len) << "We only provide the first item";
EXPECT_EQ(0, SECITEM_CompareItem(&kOcspItems[0], &ocsp->items[0]));
return SECSuccess;
});
EXPECT_TRUE(
server_->ConfigServerCert(TlsAgent::kServerRsa, true, &kOcspExtraData));
Connect();
// In TLS 1.3, the server doesn't provide a visible ServerHello extension.
// For earlier versions, the extension is just empty.
EXPECT_EQ(0U, capture_ocsp->extension().len());
}
} // namespace nspr_test
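Review bot: `CheckNoOCSP` reads `ocsp->len` right after `EXPECT_TRUE(ocsp)`, and a failed EXPECT does not leave the callback, so a null return from `SSL_PeerStapledOCSPResponses` would crash the test binary instead of reporting a failure. The auth callback in `SignedCertificateTimestampsExtractor` already guards the same situation; I would add `if (!ocsp) { return SECFailure; }` before the length check here as well. The two lambdas in that extractor capture with `[&]` although they only touch members; `[this]` would make it visible that the stored callbacks point at the extractor, which is a local in each test while the agent holding them appears to belong to the fixture. The closing comment also says `// namespace nspr_test` although the namespace opened at the top of the file is `nss_test`.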
