roytam1/UXP
1
0
Fork 0
mirror of https://github.com/roytam1/UXP.git synced 2026-05-26 13:58:49 +00:00
Code Issues Projects Releases Wiki Activity

Update NSS to 3.38

Browse Source 
- Added HACL*Poly1305 32-bit (INRIA/Microsoft)
- Updated to final TLS 1.3 draft version (28)
- Removed TLS 1.3 prerelease draft limit check
- Removed NPN code
- Enabled dev/urandom-only RNG on Linux with NSS_SEED_ONLY_DEV_URANDOM for non-standard environments
- Fixed several bugs with TLS 1.3 negotiation
- Updated internal certificate store
- Added support for the TLS Record Size Limit Extension.
- Fixed CVE-2018-0495
- Various security fixes in the ASN.1 code.
This commit is contained in:
wolfbeast
2018-08-14 07:52:35 +02:00
committed by Roy Tam
parent 0d5d154158
commit d36d4eb674
197 changed files with 4880 additions and 7152 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CLOBBER
+1 -1
View File
@@ -22,4 +22,4 @@
# changes to stick? As of bug 928195, this shouldn't be necessary! Please
# don't change CLOBBER for WebIDL changes any more.
Clobber for updating NSPR+NSS
Clobber required for updating NSS to 3.38 (poly1305 symbol changes)
config/external/nss/nss.symbols
Vendored
+11 -5
View File
@@ -271,7 +271,6 @@ NSS_IsInitialized
NSS_OptionSet
NSS_NoDB_Init
NSS_SecureMemcmp
NSS_SecureMemcmpZero
NSS_SetAlgorithmPolicy
NSS_SetDomesticPolicy
NSS_Shutdown
@@ -490,7 +489,6 @@ PORT_UCS2_ASCIIConversion_Util
PORT_UCS2_UTF8Conversion
PORT_UCS2_UTF8Conversion_Util
PORT_ZAlloc
PORT_ZAllocAlignedOffset_Util
PORT_ZAlloc_Util
PORT_ZFree_Util
SEC_AnyTemplate_Util @DATA@
@@ -725,9 +723,17 @@ VFY_VerifyDataWithAlgorithmID
VFY_VerifyDigestDirect
_SGN_VerifyPKCS1DigestInfo
__PK11_SetCertificateNickname
# These symbols are not used by Firefox itself, but are used by Java's security
# libraries, which in turn are used by Java applets/plugins/etc. Provide them
# to make Java code happy.
# These symbols are not used by applications but are possibly used across
# NSS library boundaries.
NSS_SecureMemcmpZero
PORT_ZAllocAlignedOffset_Util
CERT_FindCertByNicknameOrEmailAddrCX
SECKEY_GetPrivateKeyType
SEC_DerSignDataWithAlgorithmID
SEC_CreateSignatureAlgorithmParameters
# These symbols are not used by applicatons themselves, but are used by
# Java's security libraries, which in turn are used by Java
# applets/plugins/etc. Provide them to make Java code happy.
NSS_VersionCheck
NSS_Initialize
#ifdef NSS_EXTRA_SYMBOLS_FILE
security/nss/TAG-INFO
+1 -1
View File
@@ -1 +1 @@
NSS_3_36_4_RTM
NSS_3_38_RTM
security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
+4
View File
@@ -0,0 +1,4 @@
1 Added function:
'function SECStatus SECITEM_MakeItem(PLArenaPool*, SECItem*, unsigned char*, unsigned int)' {SECITEM_MakeItem@@NSSUTIL_3.38}
security/nss/automation/abi-check/expected-report-libssl3.so.txt
-28
View File
@@ -1,28 +0,0 @@
1 function with some indirect sub-type change:
[C]'function SECStatus SSL_GetChannelInfo(PRFileDesc*, SSLChannelInfo*, PRUintn)' at sslinfo.c:12:1 has some indirect sub-type changes:
parameter 2 of type 'SSLChannelInfo*' has sub-type changes:
in pointed to type 'typedef SSLChannelInfo' at sslt.h:318:1:
underlying type 'struct SSLChannelInfoStr' at sslt.h:251:1 changed:
type size hasn't changed
1 data member change:
type of 'SSLSignatureScheme SSLChannelInfoStr::signatureScheme' changed:
underlying type 'enum __anonymous_enum__' at sslt.h:115:1 changed:
type size hasn't changed
3 enumerator deletions:
'__anonymous_enum__::ssl_sig_rsa_pss_sha256' value '2052'
'__anonymous_enum__::ssl_sig_rsa_pss_sha384' value '2053'
'__anonymous_enum__::ssl_sig_rsa_pss_sha512' value '2054'
6 enumerator insertions:
'__anonymous_enum__::ssl_sig_rsa_pss_rsae_sha256' value '2052'
'__anonymous_enum__::ssl_sig_rsa_pss_rsae_sha384' value '2053'
'__anonymous_enum__::ssl_sig_rsa_pss_rsae_sha512' value '2054'
'__anonymous_enum__::ssl_sig_rsa_pss_pss_sha256' value '2057'
'__anonymous_enum__::ssl_sig_rsa_pss_pss_sha384' value '2058'
'__anonymous_enum__::ssl_sig_rsa_pss_pss_sha512' value '2059'
security/nss/automation/abi-check/previous-nss-release
+1 -1
View File
@@ -1 +1 @@
NSS_3_35_BRANCH
NSS_3_37_BRANCH
security/nss/automation/taskcluster/docker-hacl/Dockerfile
+3 -3
View File
@@ -5,11 +5,11 @@ MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
# the original F* formula with Daniel Fabian
# Pinned versions of HACL* (F* and KreMLin are pinned as submodules)
ENV haclrepo https://github.com/franziskuskiefer/hacl-star.git
ENV haclrepo https://github.com/mitls/hacl-star.git
# Define versions of dependencies
ENV opamv 4.04.2
ENV haclversion 668d6cf274c33bbe2e951e3a84b73f2b6442a51f
ENV opamv 4.05.0
ENV haclversion 1da331f9ef30e13269e45ae73bbe4a4bca679ae6
# Install required packages and set versions
ADD setup.sh /tmp/setup.sh
security/nss/automation/taskcluster/docker-hacl/setup-user.sh
-1
View File
@@ -16,7 +16,6 @@ git -C hacl-star checkout ${haclversion}
# This caches the extracted c code (pins the HACL* version). All we need to do
# on CI now is comparing the code in this docker image with the one in NSS.
opam config exec -- make -C hacl-star prepare -j$(nproc)
make -C hacl-star verify-nss -j$(nproc)
make -C hacl-star -f Makefile.build snapshots/nss -j$(nproc)
KOPTS="-funroll-loops 5" make -C hacl-star/code/curve25519 test -j$(nproc)
make -C hacl-star/code/salsa-family test -j$(nproc)
security/nss/automation/taskcluster/docker-saw/Dockerfile
+1 -1
View File
@@ -1,4 +1,4 @@
FROM ubuntu:latest
FROM ubuntu:16.04
MAINTAINER Tim Taubert <ttaubert@mozilla.com>
RUN useradd -d /home/worker -s /bin/bash -m worker
security/nss/automation/taskcluster/docker/Dockerfile
-3
View File
@@ -12,9 +12,6 @@ RUN chmod +x /home/worker/bin/*
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
# Change user.
USER worker
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
security/nss/automation/taskcluster/graph/src/extend.js
+17 -5
View File
@@ -995,13 +995,13 @@ async function scheduleTools() {
}));
queue.scheduleTask(merge(base, {
symbol: "scan-build-5.0",
name: "scan-build-5.0",
image: LINUX_IMAGE,
symbol: "scan-build",
name: "scan-build",
image: FUZZ_IMAGE,
env: {
USE_64: "1",
CC: "clang-5.0",
CCC: "clang++-5.0",
CC: "clang",
CCC: "clang++",
},
artifacts: {
public: {
@@ -1092,5 +1092,17 @@ async function scheduleTools() {
]
}));
queue.scheduleTask(merge(base, {
symbol: "Coverage",
name: "Coverage",
image: FUZZ_IMAGE,
features: ["allowPtrace"],
command: [
"/bin/bash",
"-c",
"bin/checkout.sh && nss/automation/taskcluster/scripts/gen_coverage_report.sh"
]
}));
return queue.submit();
}
security/nss/automation/taskcluster/graph/src/try_syntax.js
+1 -1
View File
@@ -51,7 +51,7 @@ function parseOptions(opts) {
}
// Parse tools.
let allTools = ["clang-format", "scan-build", "hacl", "saw", "abi"];
let allTools = ["clang-format", "scan-build", "hacl", "saw", "abi", "coverage"];
let tools = intersect(opts.tools.split(/\s*,\s*/), allTools);
// If the given value is "all" run all tools.
security/nss/automation/taskcluster/scripts/gen_coverage_report.sh
+12
View File
@@ -0,0 +1,12 @@
#!/usr/bin/env bash
source $(dirname "$0")/tools.sh
# Clone NSPR.
hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
out=/home/worker/artifacts
mkdir -p $out
# Generate coverage report.
cd nss && ./mach coverage --outdir=$out ssl_gtests
security/nss/automation/taskcluster/scripts/run_hacl.sh
+2 -2
View File
@@ -12,8 +12,8 @@ set -e -x -v
# The extracted C code from HACL* is already generated and the HACL* tests were
# successfully executed.
# Verify Poly1305 (doesn't work in docker image build)
make verify -C ~/hacl-star/code/poly1305 -j$(nproc)
# Verify HACL*. Taskcluster fails when we do this in the image build.
make -C hacl-star verify-nss -j$(nproc)
# Add license header to specs
spec_files=($(find ~/hacl-star/specs -type f -name '*.fst'))
security/nss/automation/taskcluster/scripts/tools.sh
+5
View File
@@ -3,11 +3,16 @@
set -v -e -x
if [[ $(id -u) -eq 0 ]]; then
# Stupid Docker. It works without sometimes... But not always.
echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
# Drop privileges by re-running this script.
# Note: this mangles arguments, better to avoid running scripts as root.
exec su worker -c "$0 $*"
fi
export PATH="${PATH}:/home/worker/.cargo/bin/:/usr/lib/go-1.6/bin"
# Usage: hg_clone repo dir [revision=@]
hg_clone() {
repo=$1
security/nss/cmd/bltest/blapitest.c
+3 -3
View File
@@ -3724,7 +3724,7 @@ main(int argc, char **argv)
/* test the RSA_PopulatePrivateKey function */
if (bltest.commands[cmd_RSAPopulate].activated) {
unsigned int keySize = 1024;
unsigned long exponent = 65537;
unsigned long keyExponent = 65537;
int rounds = 1;
int ret = -1;
@@ -3735,12 +3735,12 @@ main(int argc, char **argv)
rounds = PORT_Atoi(bltest.options[opt_Rounds].arg);
}
if (bltest.options[opt_Exponent].activated) {
exponent = PORT_Atoi(bltest.options[opt_Exponent].arg);
keyExponent = PORT_Atoi(bltest.options[opt_Exponent].arg);
}
for (i = 0; i < rounds; i++) {
printf("Running RSA Populate test round %d\n", i);
ret = doRSAPopulateTest(keySize, exponent);
ret = doRSAPopulateTest(keySize, keyExponent);
if (ret != 0) {
break;
}
security/nss/cmd/certutil/certutil.c
+113 -43
View File
@@ -36,9 +36,11 @@
#include "certdb.h"
#include "nss.h"
#include "certutil.h"
#include "basicutil.h"
#include "ssl.h"
#define MIN_KEY_BITS 512
/* MAX_KEY_BITS should agree with MAX_RSA_MODULUS in freebl */
/* MAX_KEY_BITS should agree with RSA_MAX_MODULUS_BITS in freebl */
#define MAX_KEY_BITS 8192
#define DEFAULT_KEY_BITS 2048
@@ -447,7 +449,8 @@ ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot,
}
static SECStatus
DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii)
DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii,
PRBool simpleSelfSigned)
{
CERTCertificate *the_cert;
CERTCertificateList *chain;
@@ -458,6 +461,14 @@ DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii)
SECU_PrintError(progName, "Could not find: %s\n", name);
return SECFailure;
}
if (simpleSelfSigned &&
SECEqual == SECITEM_CompareItem(&the_cert->derIssuer,
&the_cert->derSubject)) {
printf("\"%s\" [%s]\n\n", the_cert->nickname, the_cert->subjectName);
CERT_DestroyCertificate(the_cert);
return SECSuccess;
}
chain = CERT_CertChainFromCert(the_cert, 0, PR_TRUE);
CERT_DestroyCertificate(the_cert);
if (!chain) {
@@ -782,17 +793,17 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
fprintf(stdout, "%s: certificate is valid\n", progName);
GEN_BREAK(SECSuccess)
} else {
char *name;
char *nick;
CERTVerifyLogNode *node;
node = log->head;
while (node) {
if (node->cert->nickname != NULL) {
name = node->cert->nickname;
nick = node->cert->nickname;
} else {
name = node->cert->subjectName;
nick = node->cert->subjectName;
}
fprintf(stderr, "%s : %s\n", name,
fprintf(stderr, "%s : %s\n", nick,
SECU_Strerror(node->error));
CERT_DestroyCertificate(node->cert);
node = node->next;
@@ -845,7 +856,7 @@ SECItemToHex(const SECItem *item, char *dst)
}
static const char *const keyTypeName[] = {
"null", "rsa", "dsa", "fortezza", "dh", "kea", "ec"
"null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss"
};
#define MAX_CKA_ID_BIN_LEN 20
@@ -999,7 +1010,7 @@ DeleteKey(char *nickname, secuPWData *pwdata)
slot = PK11_GetInternalKeySlot();
if (PK11_NeedLogin(slot)) {
SECStatus rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
if (rv != SECSuccess) {
SECU_PrintError(progName, "could not authenticate to token %s.",
PK11_GetTokenName(slot));
@@ -1066,7 +1077,7 @@ PrintBuildFlags()
}
static void
PrintSyntax(char *progName)
PrintSyntax()
{
#define FPS fprintf(stderr,
FPS "Type %s -H for more detailed descriptions\n", progName);
@@ -1115,7 +1126,9 @@ PrintSyntax(char *progName)
FPS "\t%s --build-flags\n", progName);
FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n"
"\t\t [--simple-self-signed]\n",
progName);
FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]\n"
"\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile]\n"
"\t\t [-g key-size] [-Z hashAlg]\n",
@@ -1542,6 +1555,8 @@ luO(enum usage_level ul, const char *command)
" -P dbprefix");
FPS "%-20s force the database to open R/W\n",
" -X");
FPS "%-20s don't search for a chain if issuer name equals subject name\n",
" --simple-self-signed");
FPS "\n");
}
@@ -1560,7 +1575,7 @@ luR(enum usage_level ul, const char *command)
" -o output-req");
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
" -k key-type-or-id");
FPS "%-20s or nickname of the cert key to use \n",
FPS "%-20s or nickname of the cert key to use, or key id obtained using -K\n",
"");
FPS "%-20s Name of token in which to generate key (default is internal)\n",
" -h token-name");
@@ -1838,7 +1853,7 @@ luBuildFlags(enum usage_level ul, const char *command)
}
static void
LongUsage(char *progName, enum usage_level ul, const char *command)
LongUsage(enum usage_level ul, const char *command)
{
luA(ul, command);
luB(ul, command);
@@ -1866,14 +1881,14 @@ LongUsage(char *progName, enum usage_level ul, const char *command)
}
static void
Usage(char *progName)
Usage()
{
PR_fprintf(PR_STDERR,
"%s - Utility to manipulate NSS certificate databases\n\n"
"Usage: %s <command> -d <database-directory> <options>\n\n"
"Valid commands:\n",
progName, progName);
LongUsage(progName, usage_selected, NULL);
LongUsage(usage_selected, NULL);
PR_fprintf(PR_STDERR, "\n"
"%s -H <command> : Print available options for the given command\n"
"%s -H : Print complete help output of all commands and options\n"
@@ -2269,10 +2284,10 @@ flagArray opFlagsArray[] =
{ NAME_SIZE(verify_recover), CKF_VERIFY_RECOVER },
{ NAME_SIZE(wrap), CKF_WRAP },
{ NAME_SIZE(unwrap), CKF_UNWRAP },
{ NAME_SIZE(derive), CKF_DERIVE },
{ NAME_SIZE(derive), CKF_DERIVE }
};
int opFlagsCount = sizeof(opFlagsArray) / sizeof(flagArray);
int opFlagsCount = PR_ARRAY_SIZE(opFlagsArray);
flagArray attrFlagsArray[] =
{
@@ -2286,14 +2301,13 @@ flagArray attrFlagsArray[] =
{ NAME_SIZE(insensitive), PK11_ATTR_INSENSITIVE },
{ NAME_SIZE(extractable), PK11_ATTR_EXTRACTABLE },
{ NAME_SIZE(unextractable), PK11_ATTR_UNEXTRACTABLE }
};
int attrFlagsCount = sizeof(attrFlagsArray) / sizeof(flagArray);
int attrFlagsCount = PR_ARRAY_SIZE(attrFlagsArray);
#define MAX_STRING 30
CK_ULONG
GetFlags(char *flagsString, flagArray *flagArray, int count)
GetFlags(char *flagsString, flagArray *flags, int count)
{
CK_ULONG flagsValue = strtol(flagsString, NULL, 0);
int i;
@@ -2303,10 +2317,10 @@ GetFlags(char *flagsString, flagArray *flagArray, int count)
}
while (*flagsString) {
for (i = 0; i < count; i++) {
if (strncmp(flagsString, flagArray[i].name, flagArray[i].nameSize) ==
if (strncmp(flagsString, flags[i].name, flags[i].nameSize) ==
0) {
flagsValue |= flagArray[i].value;
flagsString += flagArray[i].nameSize;
flagsValue |= flags[i].value;
flagsString += flags[i].nameSize;
if (*flagsString != 0) {
flagsString++;
}
@@ -2499,6 +2513,7 @@ enum certutilOpts {
opt_NewNickname,
opt_Pss,
opt_PssSign,
opt_SimpleSelfSigned,
opt_Help
};
@@ -2623,6 +2638,8 @@ static const secuCommandFlag options_init[] =
"pss" },
{ /* opt_PssSign */ 0, PR_FALSE, 0, PR_FALSE,
"pss-sign" },
{ /* opt_SimpleSelfSigned */ 0, PR_FALSE, 0, PR_FALSE,
"simple-self-signed" },
};
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
@@ -2691,14 +2708,13 @@ certutil_main(int argc, char **argv, PRBool initialize)
rv = SECU_ParseCommandLine(argc, argv, progName, &certutil);
if (rv != SECSuccess)
Usage(progName);
Usage();
if (certutil.commands[cmd_PrintSyntax].activated) {
PrintSyntax(progName);
PrintSyntax();
}
if (certutil.commands[cmd_PrintHelp].activated) {
int i;
char buf[2];
const char *command = NULL;
for (i = 0; i < max_cmd; i++) {
@@ -2715,7 +2731,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
break;
}
}
LongUsage(progName, (command ? usage_selected : usage_all), command);
LongUsage((command ? usage_selected : usage_all), command);
exit(1);
}
@@ -2823,7 +2839,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
if (certutil.options[opt_DBPrefix].arg) {
certPrefix = certutil.options[opt_DBPrefix].arg;
} else {
Usage(progName);
Usage();
}
}
@@ -2832,7 +2848,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
if (certutil.options[opt_SourcePrefix].arg) {
srcCertPrefix = certutil.options[opt_SourcePrefix].arg;
} else {
Usage(progName);
Usage();
}
}
@@ -2916,7 +2932,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
return 255;
}
if (commandsEntered == 0) {
Usage(progName);
Usage();
}
if (certutil.commands[cmd_ListCerts].activated ||
@@ -3124,6 +3140,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
initialized = PR_TRUE;
SECU_RegisterDynamicOids();
/* Ensure the SSL error code table has been registered. Bug 1460284. */
SSL_OptionSetDefault(-1, 0);
}
certHandle = CERT_GetDefaultCertDB();
@@ -3350,7 +3368,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
if (certutil.commands[cmd_DumpChain].activated) {
rv = DumpChain(certHandle, name,
certutil.options[opt_ASCIIForIO].activated);
certutil.options[opt_ASCIIForIO].activated,
certutil.options[opt_SimpleSelfSigned].activated);
goto shutdown;
}
/* XXX needs work */
@@ -3444,37 +3463,80 @@ certutil_main(int argc, char **argv, PRBool initialize)
keycert = CERT_FindCertByNicknameOrEmailAddr(certHandle, keysource);
if (!keycert) {
keycert = PK11_FindCertFromNickname(keysource, NULL);
if (!keycert) {
SECU_PrintError(progName,
"%s is neither a key-type nor a nickname", keysource);
}
if (keycert) {
privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
} else {
PLArenaPool *arena = NULL;
SECItem keyidItem = { 0 };
char *keysourcePtr = keysource;
/* Interpret keysource as CKA_ID */
if (PK11_NeedLogin(slot)) {
rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
if (rv != SECSuccess) {
SECU_PrintError(progName, "could not authenticate to token %s.",
PK11_GetTokenName(slot));
return SECFailure;
}
}
if (0 == PL_strncasecmp("0x", keysource, 2)) {
keysourcePtr = keysource + 2; // skip leading "0x"
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
SECU_PrintError(progName, "unable to allocate arena");
return SECFailure;
}
if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) {
privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata);
}
PORT_FreeArena(arena, PR_FALSE);
}
privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
if (privkey)
pubkey = CERT_ExtractPublicKey(keycert);
if (!privkey) {
SECU_PrintError(
progName,
"%s is neither a key-type nor a nickname nor a key-id", keysource);
return SECFailure;
}
pubkey = SECKEY_ConvertToPublicKey(privkey);
if (!pubkey) {
SECU_PrintError(progName,
"Could not get keys from cert %s", keysource);
if (keycert) {
CERT_DestroyCertificate(keycert);
}
rv = SECFailure;
CERT_DestroyCertificate(keycert);
goto shutdown;
}
keytype = privkey->keyType;
/* On CertReq for renewal if no subject has been
* specified obtain it from the certificate.
*/
if (certutil.commands[cmd_CertReq].activated && !subject) {
subject = CERT_AsciiToName(keycert->subjectName);
if (!subject) {
SECU_PrintError(progName,
"Could not get subject from certificate %s", keysource);
CERT_DestroyCertificate(keycert);
if (keycert) {
subject = CERT_AsciiToName(keycert->subjectName);
if (!subject) {
SECU_PrintError(
progName,
"Could not get subject from certificate %s",
keysource);
CERT_DestroyCertificate(keycert);
rv = SECFailure;
goto shutdown;
}
} else {
SECU_PrintError(progName, "Subject name not provided");
rv = SECFailure;
goto shutdown;
}
}
CERT_DestroyCertificate(keycert);
if (keycert) {
CERT_DestroyCertificate(keycert);
}
} else {
privkey =
CERTUTIL_GeneratePrivateKey(keytype, slot, keysize,
@@ -3537,6 +3599,14 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
}
if (certutil.options[opt_SimpleSelfSigned].activated &&
!certutil.commands[cmd_DumpChain].activated) {
PR_fprintf(PR_STDERR,
"%s -%c: --simple-self-signed only works with -O.\n",
progName, commandToRun);
return 255;
}
/* If we need a list of extensions convert the flags into list format */
if (certutil.commands[cmd_CertReq].activated ||
certutil.commands[cmd_CreateAndAddCert].activated ||
security/nss/cmd/crlutil/crlutil.c
+7 -7
View File
@@ -770,7 +770,7 @@ loser:
}
static void
Usage(char *progName)
Usage()
{
fprintf(stderr,
"Usage: %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n"
@@ -908,7 +908,7 @@ main(int argc, char **argv)
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
Usage(progName);
Usage();
break;
case 'T':
@@ -1038,17 +1038,17 @@ main(int argc, char **argv)
}
if (deleteCRL && !nickName)
Usage(progName);
Usage();
if (importCRL && !inFile)
Usage(progName);
Usage();
if (showFileCRL && !inFile)
Usage(progName);
Usage();
if ((generateCRL && !nickName) ||
(modifyCRL && !inFile && !nickName))
Usage(progName);
Usage();
if (!(listCRL || deleteCRL || importCRL || showFileCRL || generateCRL ||
modifyCRL || test || erase))
Usage(progName);
Usage();
if (listCRL || showFileCRL) {
readonly = PR_TRUE;
security/nss/cmd/crmftest/testcrmf.c
-1
View File
@@ -577,7 +577,6 @@ Decode(void)
printf("WARNING: The DER contained %d messages.\n", numMsgs);
}
for (i = 0; i < numMsgs; i++) {
SECStatus rv;
printf("crmftest: Processing cert request %d\n", i);
certReqMsg = CRMF_CertReqMessagesGetCertReqMsgAtIndex(certReqMsgs, i);
if (certReqMsg == NULL) {
security/nss/cmd/dbtest/dbtest.c
+3 -4
View File
@@ -58,7 +58,7 @@ getPassword(PK11SlotInfo *slot, PRBool retry, void *arg)
}
static void
Usage(const char *progName)
Usage()
{
printf("Usage: %s [-r] [-f] [-i] [-d dbdir ] \n",
progName);
@@ -96,7 +96,7 @@ main(int argc, char **argv)
switch (optstate->option) {
case 'h':
default:
Usage(progName);
Usage();
break;
case 'r':
@@ -122,7 +122,7 @@ main(int argc, char **argv)
}
PL_DestroyOptState(optstate);
if (optstatus == PL_OPT_BAD)
Usage(progName);
Usage();
if (dbDir) {
char *tmp = dbDir;
@@ -181,7 +181,6 @@ main(int argc, char **argv)
ret = SUCCESS;
if (doInitTest) {
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
SECStatus rv;
int passwordSuccess = 0;
int type = CKM_DES3_CBC;
SECItem keyid = { 0, NULL, 0 };
security/nss/cmd/httpserv/httpserv.c
+4 -6
View File
@@ -682,6 +682,7 @@ handle_connection(
}
if (arena) {
PORT_FreeArena(arena, PR_FALSE);
arena = NULL;
}
if (!request || !request->tbsRequest ||
!request->tbsRequest->requestList ||
@@ -753,11 +754,11 @@ handle_connection(
{
PRTime now = PR_Now();
PLArenaPool *arena = NULL;
CERTOCSPSingleResponse *sr;
CERTOCSPSingleResponse **singleResponses;
SECItem *ocspResponse;
PORT_Assert(!arena);
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (unknown) {
@@ -787,8 +788,8 @@ handle_connection(
} else {
PR_Write(ssl_sock, outOcspHeader, strlen(outOcspHeader));
PR_Write(ssl_sock, ocspResponse->data, ocspResponse->len);
PORT_FreeArena(arena, PR_FALSE);
}
PORT_FreeArena(arena, PR_FALSE);
}
CERT_DestroyOCSPRequest(request);
break;
@@ -1357,7 +1358,6 @@ main(int argc, char **argv)
caRevoIter = &caRevoInfos->link;
do {
PRFileDesc *inFile;
int rv = SECFailure;
SECItem crlDER;
crlDER.data = NULL;
@@ -1413,11 +1413,9 @@ main(int argc, char **argv)
if (provideOcsp) {
if (caRevoInfos) {
PRCList *caRevoIter;
caRevoIter = &caRevoInfos->link;
do {
caRevoInfo *revoInfo = (caRevoInfo *)caRevoIter;
revoInfo = (caRevoInfo *)caRevoIter;
if (revoInfo->nickname)
PORT_Free(revoInfo->nickname);
if (revoInfo->crlFilename)
security/nss/cmd/lib/secutil.c
+4 -4
View File
@@ -1528,9 +1528,9 @@ SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,
unsigned int i;
for (i = 0; i < c->serialNumber.len; ++i) {
unsigned char *chardata = (unsigned char *)(c->serialNumber.data);
unsigned char c = *(chardata + i);
unsigned char ch = *(chardata + i);
fprintf(out, "\\x%02x", c);
fprintf(out, "\\x%02x", ch);
}
fprintf(out, "\" }\n");
}
@@ -3137,7 +3137,7 @@ typedef enum {
static int
secu_PrintSignedDataSigOpt(FILE *out, SECItem *der, const char *m,
int level, SECU_PPFunc inner,
SignatureOptionType withSignature)
SignatureOptionType signatureOption)
{
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTSignedData *sd;
@@ -3164,7 +3164,7 @@ secu_PrintSignedDataSigOpt(FILE *out, SECItem *der, const char *m,
}
rv = (*inner)(out, &sd->data, "Data", level + 1);
if (withSignature) {
if (signatureOption == withSignature) {
SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm",
level + 1);
DER_ConvertBitString(&sd->signature);
security/nss/cmd/listsuites/listsuites.c
-2
View File
@@ -64,9 +64,7 @@ main(int argc, char **argv)
/* disable all the SSL3 cipher suites */
for (i = 0; i < SSL_NumImplementedCiphers; i++) {
PRUint16 suite = cipherSuites[i];
SECStatus rv;
PRBool enabled;
PRErrorCode err;
SSLCipherSuiteInfo info;
rv = SSL_CipherPrefGetDefault(suite, &enabled);
security/nss/cmd/lowhashtest/lowhashtest.c
+2 -2
View File
@@ -390,7 +390,7 @@ testSHA512(NSSLOWInitContext *initCtx)
}
static void
Usage(char *progName)
Usage()
{
fprintf(stderr, "Usage: %s [algorithm]\n",
progName);
@@ -436,7 +436,7 @@ main(int argc, char **argv)
rv += testSHA512(initCtx);
} else {
SECU_PrintError(progName, "Unsupported hash type %s\n", argv[0]);
Usage(progName);
Usage();
}
NSSLOW_Shutdown(initCtx);
security/nss/cmd/modutil/install-ds.c
+5 -5
View File
@@ -88,11 +88,11 @@ static const char* errString[] = {
static char* PR_Strdup(const char* str);
#define PAD(x) \
{ \
int i; \
for (i = 0; i < x; i++) \
printf(" "); \
#define PAD(x) \
{ \
int pad_i; \
for (pad_i = 0; pad_i < (x); pad_i++) \
printf(" "); \
}
#define PADINC 4
security/nss/cmd/mpitests/mpi-test.c
+7 -7
View File
@@ -375,14 +375,14 @@ void reason(char *fmt, ...);
char g_intbuf[4096]; /* buffer for integer comparison */
char a_intbuf[4096]; /* buffer for integer comparison */
int g_verbose = 1; /* print out reasons for failure? */
int res;
#define IFOK(x) \
{ \
if (MP_OKAY > (res = (x))) { \
reason("test %s failed: error %d\n", #x, res); \
return 1; \
} \
#define IFOK(x) \
{ \
int ifok_res = (x); \
if (MP_OKAY > ifok_res) { \
reason("test %s failed: error %d\n", #x, ifok_res); \
return 1; \
} \
}
int
security/nss/cmd/ocspclnt/ocspclnt.c
+12 -12
View File
@@ -38,7 +38,7 @@
char *program_name;
static void
synopsis(char *program_name)
synopsis(char *progname)
{
PRFileDesc *pr_stderr;
@@ -46,44 +46,44 @@ synopsis(char *program_name)
PR_fprintf(pr_stderr, "Usage:");
PR_fprintf(pr_stderr,
"\t%s -p [-d <dir>]\n",
program_name);
progname);
PR_fprintf(pr_stderr,
"\t%s -P [-d <dir>]\n",
program_name);
progname);
PR_fprintf(pr_stderr,
"\t%s -r <name> [-a] [-L] [-s <name>] [-d <dir>]\n",
program_name);
progname);
PR_fprintf(pr_stderr,
"\t%s -R <name> [-a] [-l <location>] [-s <name>] [-d <dir>]\n",
program_name);
progname);
PR_fprintf(pr_stderr,
"\t%s -S <name> [-a] [-l <location> -t <name>]\n",
program_name);
progname);
PR_fprintf(pr_stderr,
"\t\t [-s <name>] [-w <time>] [-d <dir>]\n");
PR_fprintf(pr_stderr,
"\t%s -V <name> [-a] -u <usage> [-l <location> -t <name>]\n",
program_name);
progname);
PR_fprintf(pr_stderr,
"\t\t [-s <name>] [-w <time>] [-d <dir>]\n");
}
static void
short_usage(char *program_name)
short_usage(char *progname)
{
PR_fprintf(PR_STDERR,
"Type %s -H for more detailed descriptions\n",
program_name);
synopsis(program_name);
progname);
synopsis(progname);
}
static void
long_usage(char *program_name)
long_usage(char *progname)
{
PRFileDesc *pr_stderr;
pr_stderr = PR_STDERR;
synopsis(program_name);
synopsis(progname);
PR_fprintf(pr_stderr, "\nCommands (must specify exactly one):\n");
PR_fprintf(pr_stderr,
" %-13s Pretty-print a binary request read from stdin\n",
security/nss/cmd/ocspresp/ocspresp.c
+3 -3
View File
@@ -194,8 +194,8 @@ main(int argc, char **argv)
&obtainedSignerCert, caCert));
#ifdef DEBUG
{
SECStatus rv = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
obtainedSignerCert, now);
rv = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
obtainedSignerCert, now);
PORT_Assert(rv == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
}
@@ -211,7 +211,7 @@ main(int argc, char **argv)
decodedFail = CERT_DecodeOCSPResponse(encodedFail);
#ifdef DEBUG
{
SECStatus rv = CERT_GetOCSPResponseStatus(decodedFail);
rv = CERT_GetOCSPResponseStatus(decodedFail);
PORT_Assert(rv == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
}
security/nss/cmd/pk12util/pk12util.c
+6 -6
View File
@@ -28,7 +28,7 @@ static PRBool pk12uForceUnicode;
PRIntn pk12uErrno = 0;
static void
Usage(char *progName)
Usage()
{
#define FPS PR_fprintf(PR_STDERR,
FPS "Usage: %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
@@ -1020,26 +1020,26 @@ main(int argc, char **argv)
rv = SECU_ParseCommandLine(argc, argv, progName, &pk12util);
if (rv != SECSuccess)
Usage(progName);
Usage();
pk12_debugging = pk12util.options[opt_Debug].activated;
if ((pk12util.options[opt_Import].activated +
pk12util.options[opt_Export].activated +
pk12util.options[opt_List].activated) != 1) {
Usage(progName);
Usage();
}
if (pk12util.options[opt_Export].activated &&
!pk12util.options[opt_Nickname].activated) {
Usage(progName);
Usage();
}
rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode);
if (rv != SECSuccess) {
SECU_PrintError(progName,
"Failed to get NSS_PKCS12_DECODE_FORCE_UNICODE option");
Usage(progName);
Usage();
}
pk12uForceUnicode = forceUnicode;
@@ -1144,7 +1144,7 @@ main(int argc, char **argv)
P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw);
} else {
Usage(progName);
Usage();
pk12uErrno = PK12UERR_USAGE;
}
security/nss/cmd/pk1sign/pk1sign.c
+1 -1
View File
@@ -178,7 +178,7 @@ loser:
SECKEY_DestroyPrivateKey(privKey);
}
if (data) {
PORT_Free(data);
PR_Free(data);
}
PORT_FreeArena(arena, PR_FALSE);
security/nss/cmd/rsaperf/rsaperf.c
+16 -16
View File
@@ -313,7 +313,7 @@ main(int argc, char **argv)
char *slotname = NULL;
long keybits = 0;
RSAOp fn;
void *rsaKey = NULL;
void *rsaKeyPtr = NULL;
PLOptState *optstate;
PLOptStatus optstatus;
long iters = DEFAULT_ITERS;
@@ -464,7 +464,7 @@ main(int argc, char **argv)
if (doPub) {
/* do public key ops */
fn = (RSAOp)PK11_PublicKeyOp;
rsaKey = (void *)pubHighKey;
rsaKeyPtr = (void *)pubHighKey;
kh = PK11_ImportPublicKey(cert->slot, pubHighKey, PR_FALSE);
if (CK_INVALID_HANDLE == kh) {
@@ -489,7 +489,7 @@ main(int argc, char **argv)
fn = (RSAOp)PK11_PrivateKeyOp;
keys.privKey = privHighKey;
keys.pubKey = pubHighKey;
rsaKey = (void *)&keys;
rsaKeyPtr = (void *)&keys;
printf("Using PKCS#11 for RSA decryption with token %s.\n",
PK11_GetTokenName(privHighKey->pkcs11Slot));
}
@@ -537,13 +537,13 @@ main(int argc, char **argv)
if (doPub) {
/* do public key operations */
fn = (RSAOp)PK11_PublicKeyOp;
rsaKey = (void *)pubHighKey;
rsaKeyPtr = (void *)pubHighKey;
} else {
/* do private key operations */
fn = (RSAOp)PK11_PrivateKeyOp;
keys.privKey = privHighKey;
keys.pubKey = pubHighKey;
rsaKey = (void *)&keys;
rsaKeyPtr = (void *)&keys;
}
} else
@@ -574,7 +574,7 @@ main(int argc, char **argv)
pe.data = &pubEx[0];
pe.type = siBuffer;
rsaKey = RSA_NewKey(keybits, &pe);
rsaKeyPtr = RSA_NewKey(keybits, &pe);
fprintf(stderr, "Keygen completed.\n");
} else {
/* use a hardcoded key */
@@ -589,31 +589,31 @@ main(int argc, char **argv)
if (doPub) {
/* do public key operations */
fn = (RSAOp)RSA_PublicKeyOp;
if (rsaKey) {
if (rsaKeyPtr) {
/* convert the RSAPrivateKey to RSAPublicKey */
pubKeyStr.arena = NULL;
pubKeyStr.modulus = ((RSAPrivateKey *)rsaKey)->modulus;
pubKeyStr.modulus = ((RSAPrivateKey *)rsaKeyPtr)->modulus;
pubKeyStr.publicExponent =
((RSAPrivateKey *)rsaKey)->publicExponent;
rsaKey = &pubKeyStr;
((RSAPrivateKey *)rsaKeyPtr)->publicExponent;
rsaKeyPtr = &pubKeyStr;
} else {
/* convert NSSLOWKeyPublicKey to RSAPublicKey */
rsaKey = (void *)(&pubKey->u.rsa);
rsaKeyPtr = (void *)(&pubKey->u.rsa);
}
PORT_Assert(rsaKey);
PORT_Assert(rsaKeyPtr);
} else {
/* do private key operations */
fn = (RSAOp)RSA_PrivateKeyOp;
if (privKey) {
/* convert NSSLOWKeyPrivateKey to RSAPrivateKey */
rsaKey = (void *)(&privKey->u.rsa);
rsaKeyPtr = (void *)(&privKey->u.rsa);
}
PORT_Assert(rsaKey);
PORT_Assert(rsaKeyPtr);
}
}
memset(buf, 1, sizeof buf);
rv = fn(rsaKey, buf2, buf);
rv = fn(rsaKeyPtr, buf2, buf);
if (rv != SECSuccess) {
PRErrorCode errNum;
const char *errStr = NULL;
@@ -638,7 +638,7 @@ main(int argc, char **argv)
runDataArr[i]->fn = fn;
runDataArr[i]->buf = buf;
runDataArr[i]->doIters = &doIters;
runDataArr[i]->rsaKey = rsaKey;
runDataArr[i]->rsaKey = rsaKeyPtr;
runDataArr[i]->seconds = seconds;
runDataArr[i]->iters = iters;
threadsArr[i] =
security/nss/cmd/selfserv/selfserv.c
+21 -38
View File
@@ -57,7 +57,7 @@
int NumSidCacheEntries = 1024;
static int handle_connection(PRFileDesc *, PRFileDesc *, int);
static int handle_connection(PRFileDesc *, PRFileDesc *);
static const char envVarName[] = { SSL_ENV_VAR_NAME };
static const char inheritableSockName[] = { "SELFSERV_LISTEN_SOCKET" };
@@ -509,7 +509,6 @@ typedef struct jobStr {
PRCList link;
PRFileDesc *tcp_sock;
PRFileDesc *model_sock;
int requestCert;
} JOB;
static PZLock *qLock; /* this lock protects all data immediately below */
@@ -541,7 +540,7 @@ setupJobs(int maxJobs)
return SECSuccess;
}
typedef int startFn(PRFileDesc *a, PRFileDesc *b, int c);
typedef int startFn(PRFileDesc *a, PRFileDesc *b);
typedef enum { rs_idle = 0,
rs_running = 1,
@@ -550,7 +549,6 @@ typedef enum { rs_idle = 0,
typedef struct perThreadStr {
PRFileDesc *a;
PRFileDesc *b;
int c;
int rv;
startFn *startFunc;
PRThread *prThread;
@@ -564,7 +562,7 @@ thread_wrapper(void *arg)
{
perThread *slot = (perThread *)arg;
slot->rv = (*slot->startFunc)(slot->a, slot->b, slot->c);
slot->rv = (*slot->startFunc)(slot->a, slot->b);
/* notify the thread exit handler. */
PZ_Lock(qLock);
@@ -575,7 +573,7 @@ thread_wrapper(void *arg)
}
int
jobLoop(PRFileDesc *a, PRFileDesc *b, int c)
jobLoop(PRFileDesc *a, PRFileDesc *b)
{
PRCList *myLink = 0;
JOB *myJob;
@@ -595,8 +593,7 @@ jobLoop(PRFileDesc *a, PRFileDesc *b, int c)
/* myJob will be null when stopping is true and jobQ is empty */
if (!myJob)
break;
handle_connection(myJob->tcp_sock, myJob->model_sock,
myJob->requestCert);
handle_connection(myJob->tcp_sock, myJob->model_sock);
PZ_Lock(qLock);
PR_APPEND_LINK(myLink, &freeJobs);
PZ_NotifyCondVar(freeListNotEmptyCv);
@@ -609,7 +606,6 @@ launch_threads(
startFn *startFunc,
PRFileDesc *a,
PRFileDesc *b,
int c,
PRBool local)
{
int i;
@@ -645,7 +641,6 @@ launch_threads(
slot->state = rs_running;
slot->a = a;
slot->b = b;
slot->c = c;
slot->startFunc = startFunc;
slot->prThread = PR_CreateThread(PR_USER_THREAD,
thread_wrapper, slot, PR_PRIORITY_NORMAL,
@@ -893,8 +888,7 @@ int /* returns count */
int
do_writes(
PRFileDesc *ssl_sock,
PRFileDesc *model_sock,
int requestCert)
PRFileDesc *model_sock)
{
int sent = 0;
int count = 0;
@@ -925,8 +919,7 @@ do_writes(
static int
handle_fdx_connection(
PRFileDesc *tcp_sock,
PRFileDesc *model_sock,
int requestCert)
PRFileDesc *model_sock)
{
PRFileDesc *ssl_sock = NULL;
SECStatus result;
@@ -960,8 +953,7 @@ handle_fdx_connection(
lockedVars_AddToCount(&lv, 1);
/* Attempt to launch the writer thread. */
result = launch_thread(do_writes, ssl_sock, (PRFileDesc *)&lv,
requestCert);
result = launch_thread(do_writes, ssl_sock, (PRFileDesc *)&lv);
if (result == SECSuccess)
do {
@@ -1093,7 +1085,7 @@ makeCorruptedOCSPResponse(PLArenaPool *arena)
}
SECItemArray *
makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
makeSignedOCSPResponse(PLArenaPool *arena,
CERTCertificate *cert, secuPWData *pwdata)
{
SECItemArray *result = NULL;
@@ -1117,7 +1109,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
nextUpdate = now + (PRTime)60 * 60 * 24 * PR_USEC_PER_SEC; /* plus 1 day */
switch (osm) {
switch (ocspStaplingMode) {
case osm_good:
case osm_badsig:
sr = CERT_CreateOCSPSingleResponseGood(arena, cid, now,
@@ -1150,7 +1142,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
singleResponses[1] = NULL;
ocspResponse = CERT_CreateEncodedOCSPSuccessResponse(arena,
(osm == osm_badsig)
(ocspStaplingMode == osm_badsig)
? NULL
: ca,
ocspResponderID_byName, now, singleResponses,
@@ -1175,7 +1167,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
}
void
setupCertStatus(PLArenaPool *arena, enum ocspStaplingModeEnum ocspStaplingMode,
setupCertStatus(PLArenaPool *arena,
CERTCertificate *cert, int index, secuPWData *pwdata)
{
if (ocspStaplingMode == osm_random) {
@@ -1213,7 +1205,7 @@ setupCertStatus(PLArenaPool *arena, enum ocspStaplingModeEnum ocspStaplingMode,
case osm_unknown:
case osm_badsig:
multiOcspResponses =
makeSignedOCSPResponse(arena, ocspStaplingMode, cert,
makeSignedOCSPResponse(arena, cert,
pwdata);
break;
case osm_corrupted:
@@ -1236,10 +1228,7 @@ setupCertStatus(PLArenaPool *arena, enum ocspStaplingModeEnum ocspStaplingMode,
}
int
handle_connection(
PRFileDesc *tcp_sock,
PRFileDesc *model_sock,
int requestCert)
handle_connection(PRFileDesc *tcp_sock, PRFileDesc *model_sock)
{
PRFileDesc *ssl_sock = NULL;
PRFileDesc *local_file_fd = NULL;
@@ -1272,7 +1261,6 @@ handle_connection(
VLOG(("selfserv: handle_connection: starting\n"));
if (useModelSocket && model_sock) {
SECStatus rv;
ssl_sock = SSL_ImportFD(model_sock, tcp_sock);
if (!ssl_sock) {
errWarn("SSL_ImportFD with model");
@@ -1588,8 +1576,7 @@ sigusr1_handler(int sig)
SECStatus
do_accepts(
PRFileDesc *listen_sock,
PRFileDesc *model_sock,
int requestCert)
PRFileDesc *model_sock)
{
PRNetAddr addr;
PRErrorCode perr;
@@ -1659,7 +1646,6 @@ do_accepts(
JOB *myJob = (JOB *)myLink;
myJob->tcp_sock = tcp_sock;
myJob->model_sock = model_sock;
myJob->requestCert = requestCert;
}
PR_APPEND_LINK(myLink, &jobQ);
@@ -1818,7 +1804,6 @@ handshakeCallback(PRFileDesc *fd, void *client_data)
void
server_main(
PRFileDesc *listen_sock,
int requestCert,
SECKEYPrivateKey **privKey,
CERTCertificate **cert,
const char *expectedHostNameVal)
@@ -2021,7 +2006,7 @@ server_main(
/* end of ssl configuration. */
/* Now, do the accepting, here in the main thread. */
rv = do_accepts(listen_sock, model_sock, requestCert);
rv = do_accepts(listen_sock, model_sock);
terminateWorkerThreads();
@@ -2654,9 +2639,8 @@ main(int argc, char **argv)
}
}
if (cipher > 0) {
SECStatus status;
status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
if (status != SECSuccess)
rv = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
if (rv != SECSuccess)
SECU_PrintError(progName, "SSL_CipherPrefSet()");
} else {
fprintf(stderr,
@@ -2684,7 +2668,7 @@ main(int argc, char **argv)
exit(11);
}
if (privKey[i]->keyType != ecKey)
setupCertStatus(certStatusArena, ocspStaplingMode, cert[i], i, &pwdata);
setupCertStatus(certStatusArena, cert[i], i, &pwdata);
}
if (configureWeakDHE > 0) {
@@ -2697,7 +2681,7 @@ main(int argc, char **argv)
}
/* allocate the array of thread slots, and launch the worker threads. */
rv = launch_threads(&jobLoop, 0, 0, requestCert, useLocalThreads);
rv = launch_threads(&jobLoop, 0, 0, useLocalThreads);
if (rv == SECSuccess && logStats) {
loggerThread = PR_CreateThread(PR_SYSTEM_THREAD,
@@ -2712,7 +2696,7 @@ main(int argc, char **argv)
}
if (rv == SECSuccess) {
server_main(listen_sock, requestCert, privKey, cert,
server_main(listen_sock, privKey, cert,
expectedHostNameVal);
}
@@ -2731,7 +2715,6 @@ cleanup:
}
{
int i;
for (i = 0; i < certNicknameIndex; i++) {
if (cert[i]) {
CERT_DestroyCertificate(cert[i]);
security/nss/cmd/shlibsign/shlibsign.c
+1 -1
View File
@@ -148,7 +148,7 @@ writeItem(PRFileDesc *fd, CK_VOID_PTR pValue,
return PR_FAILURE;
}
bytesWritten = PR_Write(fd, pValue, ulValueLen);
if (bytesWritten != ulValueLen) {
if (bytesWritten < 0 || (CK_ULONG)bytesWritten != ulValueLen) {
lperror(file);
return PR_FAILURE;
}
security/nss/cmd/signtool/javascript.c
+5 -3
View File
@@ -1300,7 +1300,6 @@ extract_js(char *filename)
* Now we have a stream of tags and text. Go through and deal with each.
*/
for (curitem = head; curitem; curitem = curitem->next) {
TagItem *tagp = NULL;
AVPair *pairp = NULL;
char *src = NULL, *id = NULL, *codebase = NULL;
PRBool hasEventHandler = PR_FALSE;
@@ -1669,11 +1668,14 @@ loser:
* Returns PR_SUCCESS if the directory is present, PR_FAILURE otherwise.
*/
static PRStatus
ensureExists(char *base, char *path)
ensureExists(char *basepath, char *path)
{
char fn[FNSIZE];
PRDir *dir;
sprintf(fn, "%s/%s", base, path);
int c = snprintf(fn, sizeof(fn), "%s/%s", basepath, path);
if (c >= sizeof(fn)) {
return PR_FAILURE;
}
/*PR_fprintf(outputFD, "Trying to open directory %s.\n", fn);*/
security/nss/cmd/signtool/sign.c
+34 -34
View File
@@ -175,16 +175,16 @@ typedef struct {
*
*/
int
SignAllArc(char *jartree, char *keyName, int javascript, char *metafile,
char *install_script, int optimize, PRBool recurse)
SignAllArc(char *jartree, char *keyName, int javascript, char *metafilename,
char *install_script, int optimize_level, PRBool recurse)
{
SignArcInfo info;
info.keyName = keyName;
info.javascript = javascript;
info.metafile = metafile;
info.metafile = metafilename;
info.install_script = install_script;
info.optimize = optimize;
info.optimize = optimize_level;
return foreach (jartree, "", sign_all_arc_fn, recurse,
PR_TRUE /*include dirs*/, (void *)&info);
@@ -194,7 +194,7 @@ static int
sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename,
void *arg)
{
char *zipfile = NULL;
char *zipfilename = NULL;
char *arc = NULL, *archive = NULL;
int retval = 0;
SignArcInfo *infop = (SignArcInfo *)arg;
@@ -212,8 +212,8 @@ sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename,
}
archive = PR_smprintf("%s/%s", basedir, relpath);
zipfile = PL_strdup(archive);
arc = PORT_Strrchr(zipfile, '.');
zipfilename = PL_strdup(archive);
arc = PORT_Strrchr(zipfilename, '.');
if (arc == NULL) {
PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME);
@@ -225,17 +225,17 @@ sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename,
PL_strcpy(arc, ".jar");
if (verbosity >= 0) {
PR_fprintf(outputFD, "\nsigning: %s\n", zipfile);
PR_fprintf(outputFD, "\nsigning: %s\n", zipfilename);
}
retval = SignArchive(archive, infop->keyName, zipfile,
retval = SignArchive(archive, infop->keyName, zipfilename,
infop->javascript, infop->metafile, infop->install_script,
infop->optimize, PR_TRUE /* recurse */);
}
finish:
if (archive)
PR_Free(archive);
if (zipfile)
PR_Free(zipfile);
if (zipfilename)
PR_Free(zipfilename);
return retval;
}
@@ -707,8 +707,8 @@ SignFile(FILE *outFile, FILE *inFile, CERTCertificate *cert)
static int
generate_SF_file(char *manifile, char *who)
{
FILE *sf;
FILE *mf;
FILE *sfFile;
FILE *mfFile;
long r1, r2, r3;
char whofile[FNSIZE];
char *buf, *name = NULL;
@@ -718,12 +718,12 @@ generate_SF_file(char *manifile, char *who)
strcpy(whofile, who);
if ((mf = fopen(manifile, "rb")) == NULL) {
if ((mfFile = fopen(manifile, "rb")) == NULL) {
perror(manifile);
exit(ERRX);
}
if ((sf = fopen(whofile, "wb")) == NULL) {
if ((sfFile = fopen(whofile, "wb")) == NULL) {
perror(who);
exit(ERRX);
}
@@ -736,11 +736,11 @@ generate_SF_file(char *manifile, char *who)
if (buf == NULL || name == NULL)
out_of_memory();
fprintf(sf, "Signature-Version: 1.0\n");
fprintf(sf, "Created-By: %s\n", CREATOR);
fprintf(sf, "Comments: %s\n", BREAKAGE);
fprintf(sfFile, "Signature-Version: 1.0\n");
fprintf(sfFile, "Created-By: %s\n", CREATOR);
fprintf(sfFile, "Comments: %s\n", BREAKAGE);
if (fgets(buf, BUFSIZ, mf) == NULL) {
if (fgets(buf, BUFSIZ, mfFile) == NULL) {
PR_fprintf(errorFD, "%s: empty manifest file!\n", PROGRAM_NAME);
errorCount++;
exit(ERRX);
@@ -752,15 +752,15 @@ generate_SF_file(char *manifile, char *who)
exit(ERRX);
}
fseek(mf, 0L, SEEK_SET);
fseek(mfFile, 0L, SEEK_SET);
/* Process blocks of headers, and calculate their hashen */
while (1) {
/* Beginning range */
r1 = ftell(mf);
r1 = ftell(mfFile);
if (fgets(name, BUFSIZ, mf) == NULL)
if (fgets(name, BUFSIZ, mfFile) == NULL)
break;
line++;
@@ -774,46 +774,46 @@ generate_SF_file(char *manifile, char *who)
}
r2 = r1;
while (fgets(buf, BUFSIZ, mf)) {
while (fgets(buf, BUFSIZ, mfFile)) {
if (*buf == 0 || *buf == '\n' || *buf == '\r')
break;
line++;
/* Ending range for hashing */
r2 = ftell(mf);
r2 = ftell(mfFile);
}
r3 = ftell(mf);
r3 = ftell(mfFile);
if (r1) {
fprintf(sf, "\n");
fprintf(sf, "%s", name);
fprintf(sfFile, "\n");
fprintf(sfFile, "%s", name);
}
calculate_MD5_range(mf, r1, r2, &dig);
calculate_MD5_range(mfFile, r1, r2, &dig);
if (optimize == 0) {
fprintf(sf, "Digest-Algorithms: MD5 SHA1\n");
fprintf(sfFile, "Digest-Algorithms: MD5 SHA1\n");
md5 = BTOA_DataToAscii(dig.md5, MD5_LENGTH);
fprintf(sf, "MD5-Digest: %s\n", md5);
fprintf(sfFile, "MD5-Digest: %s\n", md5);
PORT_Free(md5);
}
sha1 = BTOA_DataToAscii(dig.sha1, SHA1_LENGTH);
fprintf(sf, "SHA1-Digest: %s\n", sha1);
fprintf(sfFile, "SHA1-Digest: %s\n", sha1);
PORT_Free(sha1);
/* restore normalcy after changing offset position */
fseek(mf, r3, SEEK_SET);
fseek(mfFile, r3, SEEK_SET);
}
PORT_Free(buf);
PORT_Free(name);
fclose(sf);
fclose(mf);
fclose(sfFile);
fclose(mfFile);
return 0;
}
security/nss/cmd/signtool/zip.c
+2 -2
View File
@@ -129,7 +129,7 @@ handle_zerror(int err, char *msg)
* been opened with JzipOpen.
*/
int
JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int compression_level)
JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int lvl)
{
ZIPentry *entry;
PRFileDesc *readfp;
@@ -319,7 +319,7 @@ JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int compression_level)
* It causes zlib to leave out its headers and footers, which don't
* work in PKZIP files.
*/
err = deflateInit2(&zstream, compression_level, Z_DEFLATED,
err = deflateInit2(&zstream, lvl, Z_DEFLATED,
-MAX_WBITS, 8 /*default*/, Z_DEFAULT_STRATEGY);
if (err != Z_OK) {
handle_zerror(err, zstream.msg);
security/nss/cmd/smimetools/cmsutil.c
+18 -19
View File
@@ -68,7 +68,7 @@ DigestFile(PLArenaPool *poolp, SECItem ***digests, SECItem *input,
}
static void
Usage(char *progName)
Usage(void)
{
fprintf(stderr,
"Usage: %s [-C|-D|-E|-O|-S] [<options>] [-d dbdir] [-u certusage]\n"
@@ -280,7 +280,6 @@ decode(FILE *out, SECItem *input, const struct decodeOptionsStr *decodeOptions)
** or might be an invalid message, such as a QA test message
** or a message from an attacker.
*/
SECStatus rv;
rv = NSS_CMSSignedData_VerifyCertsOnly(sigd,
decodeOptions->options->certHandle,
decodeOptions->options->certUsage);
@@ -1127,7 +1126,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -G only supported with option -S.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
signOptions.signingTime = PR_TRUE;
@@ -1137,7 +1136,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -H only supported with option -S.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
decodeOptions.suppressContent = PR_TRUE;
@@ -1167,7 +1166,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -N only supported with option -S.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
signOptions.nickname = PORT_Strdup(optstate->value);
@@ -1180,7 +1179,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -P only supported with option -S.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
signOptions.smimeProfile = PR_TRUE;
@@ -1193,7 +1192,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -T only supported with option -S.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
signOptions.detached = PR_TRUE;
@@ -1203,7 +1202,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -Y only supported with option -S.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
signOptions.encryptionKeyPreferenceNick = strdup(optstate->value);
@@ -1214,7 +1213,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -b only supported with option -D.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
batch = PR_TRUE;
@@ -1225,7 +1224,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -c only supported with option -D.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
contentFile = PR_Open(optstate->value, PR_RDONLY, 006600);
@@ -1261,7 +1260,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -h only supported with option -D.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
decodeOptions.headerLevel = atoi(optstate->value);
@@ -1288,7 +1287,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -k only supported with option -D.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
decodeOptions.keepCerts = PR_TRUE;
@@ -1299,7 +1298,7 @@ main(int argc, char **argv)
fprintf(stderr,
"%s: option -n only supported with option -D.\n",
progName);
Usage(progName);
Usage();
exit(1);
}
decodeOptions.suppressContent = PR_TRUE;
@@ -1315,7 +1314,7 @@ main(int argc, char **argv)
case 'p':
if (!optstate->value) {
fprintf(stderr, "%s: option -p must have a value.\n", progName);
Usage(progName);
Usage();
exit(1);
}
@@ -1325,7 +1324,7 @@ main(int argc, char **argv)
case 'f':
if (!optstate->value) {
fprintf(stderr, "%s: option -f must have a value.\n", progName);
Usage(progName);
Usage();
exit(1);
}
@@ -1335,7 +1334,7 @@ main(int argc, char **argv)
case 'r':
if (!optstate->value) {
fprintf(stderr, "%s: option -r must have a value.\n", progName);
Usage(progName);
Usage();
exit(1);
}
envelopeOptions.recipients = ptrarray;
@@ -1368,11 +1367,11 @@ main(int argc, char **argv)
}
}
if (status == PL_OPT_BAD)
Usage(progName);
Usage();
PL_DestroyOptState(optstate);
if (mode == UNKNOWN)
Usage(progName);
Usage();
if (mode != CERTSONLY && !batch) {
rv = SECU_FileToItem(&input, inFile);
@@ -1529,7 +1528,7 @@ main(int argc, char **argv)
break;
default:
fprintf(stderr, "One of options -D, -S or -E must be set.\n");
Usage(progName);
Usage();
exitstatus = 1;
}
security/nss/cmd/strsclnt/strsclnt.c
+7 -9
View File
@@ -137,7 +137,7 @@ SECItem bigBuf;
fprintf
static void
Usage(const char *progName)
Usage(void)
{
fprintf(stderr,
"Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
@@ -260,7 +260,6 @@ void
printSecurityInfo(PRFileDesc *fd)
{
CERTCertificate *cert = NULL;
SSL3Statistics *ssl3stats = SSL_GetStatistics();
SECStatus result;
SSLChannelInfo channel;
SSLCipherSuiteInfo suite;
@@ -1095,7 +1094,6 @@ client_main(
while (0 != (ndx = *cipherString)) {
const char *startCipher = cipherString++;
int cipher = 0;
SECStatus rv;
if (ndx == ':') {
cipher = hexchar_to_int(*cipherString++);
@@ -1353,7 +1351,7 @@ main(int argc, char **argv)
enabledVersions, &enabledVersions) !=
SECSuccess) {
fprintf(stderr, "Bad version specified.\n");
Usage(progName);
Usage();
}
break;
@@ -1431,27 +1429,27 @@ main(int argc, char **argv)
case 0: /* positional parameter */
if (hostName) {
Usage(progName);
Usage();
}
hostName = PL_strdup(optstate->value);
break;
default:
case '?':
Usage(progName);
Usage();
break;
}
}
PL_DestroyOptState(optstate);
if (!hostName || status == PL_OPT_BAD)
Usage(progName);
Usage();
if (fullhs != NO_FULLHS_PERCENTAGE && (fullhs < 0 || fullhs > 100 || NoReuse))
Usage(progName);
Usage();
if (port == 0)
Usage(progName);
Usage();
if (fileName)
readBigFile(fileName);
security/nss/cmd/symkeyutil/symkeyutil.c
+3 -2
View File
@@ -1034,10 +1034,10 @@ main(int argc, char **argv)
char *targetName = symKeyUtil.options[opt_TargetToken].arg;
PK11SymKey *newKey;
PK11SymKey *symKey = FindKey(slot, name, &keyID, &pwdata);
char *keyName = PK11_GetSymKeyNickname(symKey);
char *keyName;
if (!symKey) {
char *keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);
keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);
PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
progName, keyName, PK11_GetTokenName(slot));
PORT_Free(keyName);
@@ -1061,6 +1061,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, "%s: Couldn't move the key \n", progName);
goto shutdown;
}
keyName = PK11_GetSymKeyNickname(symKey);
if (keyName) {
rv = PK11_SetSymKeyNickname(newKey, keyName);
if (rv != SECSuccess) {
security/nss/cmd/tstclnt/tstclnt.c
+101 -124
View File
@@ -51,6 +51,7 @@
#define MAX_WAIT_FOR_SERVER 600
#define WAIT_INTERVAL 100
#define ZERO_RTT_MAX (2 << 16)
#define EXIT_CODE_HANDSHAKE_FAILED 254
@@ -99,6 +100,7 @@ int renegotiationsDone = 0;
PRBool initializedServerSessionCache = PR_FALSE;
static char *progName;
static const char *requestFile;
secuPWData pwdata = { PW_NONE, 0 };
@@ -172,7 +174,7 @@ printSecurityInfo(PRFileDesc *fd)
}
static void
PrintUsageHeader(const char *progName)
PrintUsageHeader()
{
fprintf(stderr,
"Usage: %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
@@ -186,7 +188,7 @@ PrintUsageHeader(const char *progName)
}
static void
PrintParameterUsage(void)
PrintParameterUsage()
{
fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
"%-20s handshake, 2nd_hs_name - at second handshake.\n"
@@ -259,17 +261,17 @@ PrintParameterUsage(void)
}
static void
Usage(const char *progName)
Usage()
{
PrintUsageHeader(progName);
PrintUsageHeader();
PrintParameterUsage();
exit(1);
}
static void
PrintCipherUsage(const char *progName)
PrintCipherUsage()
{
PrintUsageHeader(progName);
PrintUsageHeader();
fprintf(stderr, "%-20s Letter(s) chosen from the following list\n",
"-c ciphers");
fprintf(stderr,
@@ -303,7 +305,7 @@ milliPause(PRUint32 milli)
}
void
disableAllSSLCiphers(void)
disableAllSSLCiphers()
{
const PRUint16 *cipherSuites = SSL_GetImplementedCiphers();
int i = SSL_GetNumImplementedCiphers();
@@ -711,12 +713,18 @@ void
thread_main(void *arg)
{
PRFileDesc *ps = (PRFileDesc *)arg;
PRFileDesc *std_in = PR_GetSpecialFD(PR_StandardInput);
PRFileDesc *std_in;
int wc, rc;
char buf[256];
if (requestFile) {
std_in = PR_Open(requestFile, PR_RDONLY, 0);
} else {
std_in = PR_GetSpecialFD(PR_StandardInput);
}
#ifdef WIN32
{
if (!requestFile) {
/* Put stdin into O_BINARY mode
** or else incoming \r\n's will become \n's.
*/
@@ -737,6 +745,9 @@ thread_main(void *arg)
wc = PR_Send(ps, buf, rc, 0, maxInterval);
} while (wc == rc);
PR_Close(ps);
if (requestFile) {
PR_Close(std_in);
}
}
#endif
@@ -844,7 +855,7 @@ separateReqHeader(const PRFileDesc *outFd, const char *buf, const int nb,
} else if (((c) >= 'A') && ((c) <= 'F')) { \
i = (c) - 'A' + 10; \
} else { \
Usage(progName); \
Usage(); \
}
static SECStatus
@@ -915,22 +926,22 @@ char *hs1SniHostName = NULL;
char *hs2SniHostName = NULL;
PRUint16 portno = 443;
int override = 0;
char *requestString = NULL;
PRInt32 requestStringLen = 0;
PRBool requestSent = PR_FALSE;
PRBool enableZeroRtt = PR_FALSE;
PRUint8 *zeroRttData;
unsigned int zeroRttLen = 0;
PRBool enableAltServerHello = PR_FALSE;
PRBool useDTLS = PR_FALSE;
PRBool actAsServer = PR_FALSE;
PRBool stopAfterHandshake = PR_FALSE;
PRBool requestToExit = PR_FALSE;
char *versionString = NULL;
PRBool handshakeComplete = PR_FALSE;
static int
writeBytesToServer(PRFileDesc *s, const char *buf, int nb)
writeBytesToServer(PRFileDesc *s, const PRUint8 *buf, int nb)
{
SECStatus rv;
const char *bufp = buf;
const PRUint8 *bufp = buf;
PRPollDesc pollDesc;
pollDesc.in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
@@ -944,12 +955,20 @@ writeBytesToServer(PRFileDesc *s, const char *buf, int nb)
if (cc < 0) {
PRErrorCode err = PR_GetError();
if (err != PR_WOULD_BLOCK_ERROR) {
SECU_PrintError(progName,
"write to SSL socket failed");
SECU_PrintError(progName, "write to SSL socket failed");
return 254;
}
cc = 0;
}
FPRINTF(stderr, "%s: %d bytes written\n", progName, cc);
if (enableZeroRtt && !handshakeComplete) {
if (zeroRttLen + cc > ZERO_RTT_MAX) {
SECU_PrintError(progName, "too much early data to save");
return -1;
}
PORT_Memcpy(zeroRttData + zeroRttLen, bufp, cc);
zeroRttLen += cc;
}
bufp += cc;
nb -= cc;
if (nb <= 0)
@@ -969,8 +988,7 @@ writeBytesToServer(PRFileDesc *s, const char *buf, int nb)
progName);
cc = PR_Poll(&pollDesc, 1, PR_INTERVAL_NO_TIMEOUT);
if (cc < 0) {
SECU_PrintError(progName,
"PR_Poll failed");
SECU_PrintError(progName, "PR_Poll failed");
return -1;
}
FPRINTF(stderr,
@@ -993,7 +1011,7 @@ handshakeCallback(PRFileDesc *fd, void *client_data)
SSL_ReHandshake(fd, (renegotiationsToDo < 2));
++renegotiationsDone;
}
if (requestString && requestSent) {
if (zeroRttLen) {
/* This data was sent in 0-RTT. */
SSLChannelInfo info;
SECStatus rv;
@@ -1003,29 +1021,30 @@ handshakeCallback(PRFileDesc *fd, void *client_data)
return;
if (!info.earlyDataAccepted) {
FPRINTF(stderr, "Early data rejected. Re-sending\n");
writeBytesToServer(fd, requestString, requestStringLen);
FPRINTF(stderr, "Early data rejected. Re-sending %d bytes\n",
zeroRttLen);
writeBytesToServer(fd, zeroRttData, zeroRttLen);
zeroRttLen = 0;
}
}
if (stopAfterHandshake) {
requestToExit = PR_TRUE;
}
handshakeComplete = PR_TRUE;
}
#define REQUEST_WAITING (requestString && !requestSent)
static SECStatus
installServerCertificate(PRFileDesc *s, char *nickname)
installServerCertificate(PRFileDesc *s, char *nick)
{
CERTCertificate *cert;
SECKEYPrivateKey *privKey = NULL;
if (!nickname) {
if (!nick) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
cert = PK11_FindCertFromNickname(nickname, &pwdata);
cert = PK11_FindCertFromNickname(nick, &pwdata);
if (cert == NULL) {
return SECFailure;
}
@@ -1129,20 +1148,19 @@ connectToServer(PRFileDesc *s, PRPollDesc *pollset)
}
static int
run(void)
run()
{
int headerSeparatorPtrnId = 0;
int error = 0;
SECStatus rv;
PRStatus status;
PRInt32 filesReady;
int npds;
PRFileDesc *s = NULL;
PRFileDesc *std_out;
PRPollDesc pollset[2];
PRPollDesc pollset[2] = { { 0 }, { 0 } };
PRBool wrStarted = PR_FALSE;
requestSent = PR_FALSE;
handshakeComplete = PR_FALSE;
/* Create socket */
if (useDTLS) {
@@ -1225,19 +1243,18 @@ run(void)
cipherString++;
} else {
if (!isalpha(ndx))
Usage(progName);
Usage();
ndx = tolower(ndx) - 'a';
if (ndx < PR_ARRAY_SIZE(ssl3CipherSuites)) {
cipher = ssl3CipherSuites[ndx];
}
}
if (cipher > 0) {
SECStatus status;
status = SSL_CipherPrefSet(s, cipher, SSL_ALLOWED);
if (status != SECSuccess)
rv = SSL_CipherPrefSet(s, cipher, SSL_ALLOWED);
if (rv != SECSuccess)
SECU_PrintError(progName, "SSL_CipherPrefSet()");
} else {
Usage(progName);
Usage();
}
}
PORT_Free(cstringSaved);
@@ -1394,7 +1411,6 @@ run(void)
/* Try to connect to the server */
rv = connectToServer(s, pollset);
if (rv != SECSuccess) {
;
error = 1;
goto done;
}
@@ -1406,13 +1422,18 @@ run(void)
pollset[SSOCK_FD].in_flags |= (clientSpeaksFirst ? 0 : PR_POLL_READ);
else
pollset[SSOCK_FD].in_flags |= PR_POLL_READ;
pollset[STDIN_FD].fd = PR_GetSpecialFD(PR_StandardInput);
if (!REQUEST_WAITING) {
pollset[STDIN_FD].in_flags = PR_POLL_READ;
npds = 2;
if (requestFile) {
pollset[STDIN_FD].fd = PR_Open(requestFile, PR_RDONLY, 0);
if (!pollset[STDIN_FD].fd) {
fprintf(stderr, "%s: unable to open input file: %s\n",
progName, requestFile);
error = 1;
goto done;
}
} else {
npds = 1;
pollset[STDIN_FD].fd = PR_GetSpecialFD(PR_StandardInput);
}
pollset[STDIN_FD].in_flags = PR_POLL_READ;
std_out = PR_GetSpecialFD(PR_StandardOutput);
#if defined(WIN32) || defined(OS2)
@@ -1458,10 +1479,9 @@ run(void)
requestToExit = PR_FALSE;
FPRINTF(stderr, "%s: ready...\n", progName);
while (!requestToExit &&
((pollset[SSOCK_FD].in_flags | pollset[STDIN_FD].in_flags) ||
REQUEST_WAITING)) {
char buf[4000]; /* buffer for stdin */
int nb; /* num bytes read from stdin. */
(pollset[SSOCK_FD].in_flags || pollset[STDIN_FD].in_flags)) {
PRUint8 buf[4000]; /* buffer for stdin */
int nb; /* num bytes read from stdin. */
rv = restartHandshakeAfterServerCertIfNeeded(s, &serverCertAuth,
override);
@@ -1475,7 +1495,8 @@ run(void)
pollset[STDIN_FD].out_flags = 0;
FPRINTF(stderr, "%s: about to call PR_Poll !\n", progName);
filesReady = PR_Poll(pollset, npds, PR_INTERVAL_NO_TIMEOUT);
filesReady = PR_Poll(pollset, PR_ARRAY_SIZE(pollset),
PR_INTERVAL_NO_TIMEOUT);
if (filesReady < 0) {
SECU_PrintError(progName, "select failed");
error = 1;
@@ -1497,14 +1518,6 @@ run(void)
"%s: PR_Poll returned 0x%02x for socket out_flags.\n",
progName, pollset[SSOCK_FD].out_flags);
}
if (REQUEST_WAITING) {
error = writeBytesToServer(s, requestString, requestStringLen);
if (error) {
goto done;
}
requestSent = PR_TRUE;
pollset[SSOCK_FD].in_flags = PR_POLL_READ;
}
if (pollset[STDIN_FD].out_flags & PR_POLL_READ) {
/* Read from stdin and write to socket */
nb = PR_Read(pollset[STDIN_FD].fd, buf, sizeof(buf));
@@ -1518,6 +1531,8 @@ run(void)
} else if (nb == 0) {
/* EOF on stdin, stop polling stdin for read. */
pollset[STDIN_FD].in_flags = 0;
if (actAsServer)
requestToExit = PR_TRUE;
} else {
error = writeBytesToServer(s, buf, nb);
if (error) {
@@ -1532,12 +1547,12 @@ run(void)
"%s: PR_Poll returned 0x%02x for socket out_flags.\n",
progName, pollset[SSOCK_FD].out_flags);
}
if ((pollset[SSOCK_FD].out_flags & PR_POLL_READ) ||
(pollset[SSOCK_FD].out_flags & PR_POLL_ERR)
#ifdef PR_POLL_HUP
|| (pollset[SSOCK_FD].out_flags & PR_POLL_HUP)
#define POLL_RECV_FLAGS (PR_POLL_READ | PR_POLL_ERR | PR_POLL_HUP)
#else
#define POLL_RECV_FLAGS (PR_POLL_READ | PR_POLL_ERR)
#endif
) {
if (pollset[SSOCK_FD].out_flags & POLL_RECV_FLAGS) {
/* Read from socket and write to stdout */
nb = PR_Recv(pollset[SSOCK_FD].fd, buf, sizeof buf, 0, maxInterval);
FPRINTF(stderr, "%s: Read from server %d bytes\n", progName, nb);
@@ -1554,7 +1569,7 @@ run(void)
if (skipProtoHeader != PR_TRUE || wrStarted == PR_TRUE) {
PR_Write(std_out, buf, nb);
} else {
separateReqHeader(std_out, buf, nb, &wrStarted,
separateReqHeader(std_out, (char *)buf, nb, &wrStarted,
&headerSeparatorPtrnId);
}
if (verbose)
@@ -1568,42 +1583,10 @@ done:
if (s) {
PR_Close(s);
}
return error;
}
PRInt32
ReadFile(const char *filename, char **data)
{
char *ret = NULL;
char buf[8192];
unsigned int len = 0;
PRStatus rv;
PRFileDesc *fd = PR_Open(filename, PR_RDONLY, 0);
if (!fd)
return -1;
for (;;) {
rv = PR_Read(fd, buf, sizeof(buf));
if (rv < 0) {
PR_Free(ret);
return rv;
}
if (!rv)
break;
ret = PR_Realloc(ret, len + rv);
if (!ret) {
return -1;
}
PORT_Memcpy(ret + len, buf, rv);
len += rv;
if (requestFile && pollset[STDIN_FD].fd) {
PR_Close(pollset[STDIN_FD].fd);
}
*data = ret;
return len;
return error;
}
int
@@ -1653,26 +1636,22 @@ main(int argc, char **argv)
switch (optstate->option) {
case '?':
default:
Usage(progName);
Usage();
break;
case '4':
allowIPv6 = PR_FALSE;
if (!allowIPv4)
Usage(progName);
Usage();
break;
case '6':
allowIPv4 = PR_FALSE;
if (!allowIPv6)
Usage(progName);
Usage();
break;
case 'A':
requestStringLen = ReadFile(optstate->value, &requestString);
if (requestStringLen < 0) {
fprintf(stderr, "Couldn't read file %s\n", optstate->value);
exit(1);
}
requestFile = PORT_Strdup(optstate->value);
break;
case 'C':
@@ -1735,7 +1714,7 @@ main(int argc, char **argv)
actAsServer = 1;
} else {
if (strcmp(optstate->value, "client")) {
Usage(progName);
Usage();
}
}
break;
@@ -1768,16 +1747,21 @@ main(int argc, char **argv)
if (!strcmp(optstate->value, "alt-server-hello")) {
enableAltServerHello = PR_TRUE;
} else {
Usage(progName);
Usage();
}
break;
case 'Y':
PrintCipherUsage(progName);
PrintCipherUsage();
exit(0);
break;
case 'Z':
enableZeroRtt = PR_TRUE;
zeroRttData = PORT_ZAlloc(ZERO_RTT_MAX);
if (!zeroRttData) {
fprintf(stderr, "Unable to allocate buffer for 0-RTT\n");
exit(1);
}
break;
case 'a':
@@ -1786,7 +1770,7 @@ main(int argc, char **argv)
} else if (!hs2SniHostName) {
hs2SniHostName = PORT_Strdup(optstate->value);
} else {
Usage(progName);
Usage();
}
break;
@@ -1875,7 +1859,7 @@ main(int argc, char **argv)
if (rv != SECSuccess) {
PL_DestroyOptState(optstate);
fprintf(stderr, "Bad group specified.\n");
Usage(progName);
Usage();
}
break;
}
@@ -1889,18 +1873,18 @@ main(int argc, char **argv)
enabledVersions, &enabledVersions) !=
SECSuccess) {
fprintf(stderr, "Bad version specified.\n");
Usage(progName);
Usage();
}
PORT_Free(versionString);
}
if (optstatus == PL_OPT_BAD) {
Usage(progName);
Usage();
}
if (!host || !portno) {
fprintf(stderr, "%s: parameters -h and -p are mandatory\n", progName);
Usage(progName);
Usage();
}
if (serverCertAuth.testFreshStatusFromSideChannel &&
@@ -2060,20 +2044,13 @@ done:
PR_Close(s);
}
if (hs1SniHostName) {
PORT_Free(hs1SniHostName);
}
if (hs2SniHostName) {
PORT_Free(hs2SniHostName);
}
if (nickname) {
PORT_Free(nickname);
}
if (pwdata.data) {
PORT_Free(pwdata.data);
}
PORT_Free((void *)requestFile);
PORT_Free(hs1SniHostName);
PORT_Free(hs2SniHostName);
PORT_Free(nickname);
PORT_Free(pwdata.data);
PORT_Free(host);
PORT_Free(requestString);
PORT_Free(zeroRttData);
if (enabledGroups) {
PORT_Free(enabledGroups);
security/nss/cmd/vfyserv/vfyserv.c
+2 -4
View File
@@ -327,9 +327,7 @@ do_connects(void *a, int connection)
}
void
client_main(unsigned short port,
int connections,
const char *hostName)
client_main(int connections)
{
int i;
SECStatus secStatus;
@@ -553,7 +551,7 @@ main(int argc, char **argv)
}
}
client_main(port, connections, hostName);
client_main(connections);
cleanup:
if (doOcspCheck) {
security/nss/cmd/vfyserv/vfyutil.c
+2 -2
View File
@@ -310,13 +310,13 @@ myHandshakeCallback(PRFileDesc *socket, void *arg)
void
disableAllSSLCiphers(void)
{
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
const PRUint16 *allSuites = SSL_ImplementedCiphers;
int i = SSL_NumImplementedCiphers;
SECStatus rv;
/* disable all the SSL3 cipher suites */
while (--i >= 0) {
PRUint16 suite = cipherSuites[i];
PRUint16 suite = allSuites[i];
rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
if (rv != SECSuccess) {
fprintf(stderr,
security/nss/coreconf/Werror.mk
+4 -2
View File
@@ -48,9 +48,11 @@ ifndef WARNING_CFLAGS
else
# This tests to see if enabling the warning is possible before
# setting an option to disable it.
disable_warning = $(shell $(CC) -x c -E -Werror -W$(1) /dev/null >/dev/null 2>&1 && echo -Wno-$(1))
set_warning = $(shell $(CC) -x c -E -Werror -W$(1) /dev/null >/dev/null 2>&1 && echo -W$(2)$(1))
enable_warning = $(call set_warning,$(1),)
disable_warning = $(call set_warning,$(1),no-)
WARNING_CFLAGS = -Wall
WARNING_CFLAGS = -Wall $(call enable_warning,shadow)
ifdef CC_IS_CLANG
# -Qunused-arguments : clang objects to arguments that it doesn't understand
# and fixing this would require rearchitecture
security/nss/coreconf/config.mk
+4
View File
@@ -181,6 +181,10 @@ ifndef NSS_FORCE_FIPS
DEFINES += -DNSS_NO_INIT_SUPPORT
endif
ifdef NSS_SEED_ONLY_DEV_URANDOM
DEFINES += -DSEED_ONLY_DEV_URANDOM
endif
# Avoid building object leak test code for optimized library
ifndef BUILD_OPT
ifdef PKIX_OBJECT_LEAK_TEST
security/nss/coreconf/coreconf.dep
+1
View File
@@ -10,3 +10,4 @@
*/
#error "Do not include this header file."
security/nss/coreconf/nsinstall/pathsub.c
+1 -1
View File
@@ -212,7 +212,7 @@ reversepath(char *inpath, char *name, int len, char *outpath)
xchdir("..");
} else {
cp -= 3;
strncpy(cp, "../", 3);
memcpy(cp, "../", 3);
xchdir(buf);
}
}
security/nss/coreconf/werror.py
+1 -1
View File
@@ -54,7 +54,7 @@ def main():
set_warning(w, 'no-')
print('-Qunused-arguments')
# set_warning('shadow') # Bug 1309068
set_warning('shadow')
if __name__ == '__main__':
main()
security/nss/cpputil/databuffer.cc
+5 -5
View File
@@ -18,12 +18,12 @@
namespace nss_test {
void DataBuffer::Assign(const uint8_t* data, size_t len) {
if (data) {
Allocate(len);
memcpy(static_cast<void*>(data_), static_cast<const void*>(data), len);
void DataBuffer::Assign(const uint8_t* d, size_t l) {
if (d) {
Allocate(l);
memcpy(static_cast<void*>(data_), static_cast<const void*>(d), l);
} else {
assert(len == 0);
assert(l == 0);
data_ = nullptr;
len_ = 0;
}
security/nss/cpputil/databuffer.h
+7 -7
View File
@@ -17,8 +17,8 @@ namespace nss_test {
class DataBuffer {
public:
DataBuffer() : data_(nullptr), len_(0) {}
DataBuffer(const uint8_t* data, size_t len) : data_(nullptr), len_(0) {
Assign(data, len);
DataBuffer(const uint8_t* d, size_t l) : data_(nullptr), len_(0) {
Assign(d, l);
}
DataBuffer(const DataBuffer& other) : data_(nullptr), len_(0) {
Assign(other);
@@ -32,17 +32,17 @@ class DataBuffer {
return *this;
}
void Allocate(size_t len) {
void Allocate(size_t l) {
delete[] data_;
data_ = new uint8_t[len ? len : 1]; // Don't depend on new [0].
len_ = len;
data_ = new uint8_t[l ? l : 1]; // Don't depend on new [0].
len_ = l;
}
void Truncate(size_t len) { len_ = (std::min)(len_, len); }
void Truncate(size_t l) { len_ = (std::min)(len_, l); }
void Assign(const DataBuffer& other) { Assign(other.data(), other.len()); }
void Assign(const uint8_t* data, size_t len);
void Assign(const uint8_t* d, size_t l);
// Write will do a new allocation and expand the size of the buffer if needed.
// Returns the offset of the end of the write.
security/nss/cpputil/scoped_ptrs.h
+2
View File
@@ -45,6 +45,7 @@ struct ScopedDelete {
void operator()(SEC_PKCS12DecoderContext* dcx) {
SEC_PKCS12DecoderFinish(dcx);
}
void operator()(CERTDistNames* names) { CERT_FreeDistNames(names); }
};
template <class T>
@@ -78,6 +79,7 @@ SCOPED(PK11Context);
SCOPED(PK11GenericObject);
SCOPED(SSLResumptionTokenInfo);
SCOPED(SEC_PKCS12DecoderContext);
SCOPED(CERTDistNames);
#undef SCOPED
security/nss/cpputil/tls_parser.cc
+15
View File
@@ -46,6 +46,21 @@ bool TlsParser::Read(DataBuffer* val, size_t len) {
return true;
}
bool TlsParser::ReadFromMark(DataBuffer* val, size_t len, size_t mark) {
auto saved = offset_;
offset_ = mark;
if (remaining() < len) {
offset_ = saved;
return false;
}
val->Assign(ptr(), len);
offset_ = saved;
return true;
}
bool TlsParser::ReadVariable(DataBuffer* val, size_t len_size) {
uint32_t len;
if (!Read(&len, len_size)) {
security/nss/cpputil/tls_parser.h
+1
View File
@@ -123,6 +123,7 @@ class TlsParser {
bool Read(uint32_t* val, size_t size);
// Reads len bytes into dest buffer, overwriting it.
bool Read(DataBuffer* dest, size_t len);
bool ReadFromMark(DataBuffer* val, size_t len, size_t mark);
// Reads bytes into dest buffer, overwriting it. The number of bytes is
// determined by reading from len_size bytes from the stream first.
bool ReadVariable(DataBuffer* dest, size_t len_size);
security/nss/fuzz/fuzz.gyp
+3
View File
@@ -44,6 +44,9 @@
# This is a static build of pk11wrap, softoken, and freebl.
'<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
],
'cflags_cc': [
'-Wno-error=shadow',
],
'conditions': [
['fuzz_oss==0', {
'sources': [
security/nss/fuzz/tls_client_target.cc
+4 -4
View File
@@ -87,15 +87,12 @@ static void SetupCallbacks(PRFileDesc* fd, ClientConfig* config) {
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t len) {
static std::unique_ptr<NSSDatabase> db(new NSSDatabase());
std::unique_ptr<NSSDatabase> db(new NSSDatabase());
assert(db != nullptr);
EnableAllProtocolVersions();
std::unique_ptr<ClientConfig> config(new ClientConfig(data, len));
// Clear the cache. We never want to resume as we couldn't reproduce that.
SSL_ClearSessionCache();
// Reset the RNG state.
assert(RNG_RandomUpdate(NULL, 0) == SECSuccess);
@@ -114,6 +111,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t len) {
SetupCallbacks(ssl_fd, config.get());
DoHandshake(ssl_fd, false);
// Release all SIDs.
SSL_ClearSessionCache();
return 0;
}
security/nss/gtests/freebl_gtest/blake2b_unittest.cc
+2 -2
View File
@@ -50,7 +50,7 @@ TEST_P(Blake2BKATUnkeyed, Unkeyed) {
TEST_P(Blake2BKATKeyed, Keyed) {
std::vector<uint8_t> values(BLAKE2B512_LENGTH);
SECStatus rv = BLAKE2B_MAC_HashBuf(values.data(), kat_data.data(),
std::get<0>(GetParam()), key.data(),
std::get<0>(GetParam()), kat_key.data(),
BLAKE2B_KEY_SIZE);
ASSERT_EQ(SECSuccess, rv);
EXPECT_EQ(values, std::get<1>(GetParam()));
@@ -139,7 +139,7 @@ TEST_F(Blake2BTests, NullTest) {
EXPECT_EQ(std::get<1>(TestcasesUnkeyed[0]), digest);
digest = std::vector<uint8_t>(BLAKE2B512_LENGTH);
rv = BLAKE2B_MAC_HashBuf(digest.data(), nullptr, 0, key.data(),
rv = BLAKE2B_MAC_HashBuf(digest.data(), nullptr, 0, kat_key.data(),
BLAKE2B_KEY_SIZE);
ASSERT_EQ(SECSuccess, rv);
EXPECT_EQ(std::get<1>(TestcasesKeyed[0]), digest);
security/nss/gtests/freebl_gtest/kat/blake2b_kat.h
+1 -1
View File
@@ -7,7 +7,7 @@
#include <vector>
#include <stdint.h>
const std::vector<uint8_t> key = {
const std::vector<uint8_t> kat_key = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
security/nss/gtests/nss_bogo_shim/config.cc
+26 -15
View File
@@ -9,26 +9,37 @@
#include <queue>
#include <string>
bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args,
std::string *out) {
if (args->empty()) return false;
*out = args->front();
args->pop();
return true;
}
bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args, int *out) {
if (args->empty()) return false;
bool ConfigEntryBase::ParseInternal(std::queue<const char *> &args,
std::vector<int> &out) {
if (args.empty()) return false;
char *endptr;
*out = strtol(args->front(), &endptr, 10);
args->pop();
out.push_back(strtol(args.front(), &endptr, 10));
args.pop();
return !*endptr;
}
bool ConfigEntryBase::ParseInternal(std::queue<const char *> *args, bool *out) {
*out = true;
bool ConfigEntryBase::ParseInternal(std::queue<const char *> &args,
std::string &out) {
if (args.empty()) return false;
out = args.front();
args.pop();
return true;
}
bool ConfigEntryBase::ParseInternal(std::queue<const char *> &args, int &out) {
if (args.empty()) return false;
char *endptr;
out = strtol(args.front(), &endptr, 10);
args.pop();
return !*endptr;
}
bool ConfigEntryBase::ParseInternal(std::queue<const char *> &args, bool &out) {
out = true;
return true;
}
@@ -51,7 +62,7 @@ Config::Status Config::ParseArgs(int argc, char **argv) {
if (e == entries_.end()) {
return kUnknownFlag;
}
if (!e->second->Parse(&args)) return kMalformedArgument;
if (!e->second->Parse(args)) return kMalformedArgument;
}
return kOK;
security/nss/gtests/nss_bogo_shim/config.h
+9 -8
View File
@@ -23,18 +23,19 @@
// Abstract base class for a given config flag.
class ConfigEntryBase {
public:
ConfigEntryBase(const std::string& name, const std::string& type)
: name_(name), type_(type) {}
ConfigEntryBase(const std::string& nm, const std::string& typ)
: name_(nm), type_(typ) {}
virtual ~ConfigEntryBase() {}
const std::string& type() const { return type_; }
virtual bool Parse(std::queue<const char*>* args) = 0;
virtual bool Parse(std::queue<const char*>& args) = 0;
protected:
bool ParseInternal(std::queue<const char*>* args, std::string* out);
bool ParseInternal(std::queue<const char*>* args, int* out);
bool ParseInternal(std::queue<const char*>* args, bool* out);
bool ParseInternal(std::queue<const char*>& args, std::vector<int>& out);
bool ParseInternal(std::queue<const char*>& args, std::string& out);
bool ParseInternal(std::queue<const char*>& args, int& out);
bool ParseInternal(std::queue<const char*>& args, bool& out);
const std::string name_;
const std::string type_;
@@ -48,8 +49,8 @@ class ConfigEntry : public ConfigEntryBase {
: ConfigEntryBase(name, typeid(T).name()), value_(init) {}
T get() const { return value_; }
bool Parse(std::queue<const char*>* args) {
return ParseInternal(args, &value_);
bool Parse(std::queue<const char*>& args) {
return ParseInternal(args, value_);
}
private:
security/nss/gtests/nss_bogo_shim/config.json
+10 -64
View File
@@ -1,69 +1,16 @@
{
"DisabledTests": {
"### These tests break whenever we rev versions, so just leave them here for easy uncommenting":"",
"SendWarningAlerts-Pass":"BoringSSL updated",
"SendBogusAlertType":"BoringSSL updated",
"SendEmptyRecords-Pass":"BoringSSL updated",
"ExtraCompressionMethods-TLS12":"BoringSSL updated",
"SendSNIWarningAlert":"BoringSSL updated",
"NoNullCompression-TLS12":"BoringSSL updated",
"InvalidCompressionMethod":"BoringSSL updated",
"SupportTicketsWithSessionID":"BoringSSL updated",
"NoSharedCipher":"BoringSSL updated",
"ServerHelloBogusCipher":"BoringSSL updated",
"ClientHelloVersionTooHigh":"BoringSSL updated",
"ServerAuth-SignatureType":"BoringSSL updated",
"ECDSACurveMismatch-Verify-TLS12":"BoringSSL updated",
"UnknownExtension-Client":"BoringSSL updated",
"UnofferedExtension-Client":"BoringSSL updated",
"SendClientVersion-RSA":"BoringSSL updated",
"SupportedCurves-ServerHello-TLS12":"BoringSSL updated",
"Basic-Client*Sync":"BoringSSL updated",
"Resume-Client-CipherMismatch":"BoringSSL updated",
"ClientAuth-SignatureType":"BoringSSL updated",
"Agree-Digest-Default":"BoringSSL updated",
"Basic-Server*Sync":"BoringSSL updated",
"ClientAuth-*-Sync":"BoringSSL updated",
"RSA-PSS-Default*":"BoringSSL updated",
"Renegotiate-Server-NoExt*":"BoringSSL updated",
"Downgrade-TLS12*":"BoringSSL updated",
"MaxCBCPadding":"BoringSSL updated",
"UnknownCipher":"BoringSSL updated",
"LargeMessage":"BoringSSL updated",
"NoCommonCurves":"BoringSSL updated",
"UnknownCurve":"BoringSSL updated",
"SessionTicketsDisabled*":"BoringSSL updated",
"BadFinished-*":"BoringSSL updated",
"ServerSkipCertificateVerify":"BoringSSL updated",
"*VersionTolerance":"BoringSSL updated",
"ConflictingVersionNegotiation*":"BoringSSL updated",
"Ed25519DefaultDisable*":"BoringSSL updated",
"*SHA1-Fallback*":"BoringSSL updated",
"ExtendedMasterSecret-NoToNo*":"BoringSSL updated",
"ServerNameExtensionClientMissing*":"BoringSSL updated",
"NoClientCertificate*":"BoringSSL updated",
"ServerCipherFilter*":"BoringSSL updated",
"*FallbackSCSV*":"BoringSSL updated",
"LooseInitialRecordVersion*":"BoringSSL updated",
"ALPNClient*":"BoringSSL updated",
"MinimumVersion*":"BoringSSL updated",
"VersionNegotiation*":"BoringSSL updated",
"*Client-ClientAuth*":"BoringSSL updated",
"*Server-ClientAuth*":"BoringSSL updated",
"NoExtendedMasterSecret*":"BoringSSL updated",
"PointFormat*":"BoringSSL updated",
"*Sync-SplitHandshakeRecords*":"BoringSSL updated",
"*Sync-PackHandshakeFlight*":"BoringSSL updated",
"TicketSessionIDLength*":"BoringSSL updated",
"*LargeRecord*":"BoringSSL updated",
"WrongMessageType-NewSessionTicket":"BoringSSL updated",
"WrongMessageType*Certificate*":"BoringSSL updated",
"WrongMessageType*Client*":"BoringSSL updated",
"WrongMessageType*Server*":"BoringSSL updated",
"WrongMessageType*DTLS":"BoringSSL updated",
"GarbageCertificate*":"BoringSSL updated",
"EmptyExtensions*":"BoringSSL updated",
"*OmitExtensions*":"BoringSSL updated",
"ServerBogusVersion":"Check that SH.legacy_version=TLS12 when the server picks TLS 1.3 (Bug 1443761)",
"DummyPQPadding-Server*":"Boring is testing a dummy PQ padding extension",
"VerifyPreferences-Enforced":"NSS sends alerts in response to errors in protected handshake messages in the clear",
"Draft-Downgrade-Server":"Boring implements a draft downgrade sentinel used for measurements.",
"FilterExtraAlgorithms":"NSS doesn't allow sending unsupported signature algorithms",
"SendBogusAlertType":"Unexpected TLS alerts should abort connections (Bug 1438263)",
"VerifyPreferences-Ed25519":"Add Ed25519 support (Bug 1325335)",
"Ed25519DefaultDisable*":"Add Ed25519 support (Bug 1325335)",
"ServerCipherFilter*":"Add Ed25519 support (Bug 1325335)",
"GarbageCertificate*":"Send bad_certificate alert when certificate parsing fails (Bug 1441565)",
"SupportedVersionSelection-TLS12":"Should maybe reject TLS 1.2 in SH.supported_versions (Bug 1438266)",
"*TLS13*":"(NSS=19, BoGo=18)",
"*HelloRetryRequest*":"(NSS=19, BoGo=18)",
@@ -108,7 +55,6 @@
"WrongMessageType-TLS13-ServerCertificateVerify":"nss updated/broken",
"WrongMessageType-TLS13-ServerCertificate":"nss updated/broken",
"WrongMessageType-TLS13-ServerFinished":"nss updated/broken",
"EncryptedExtensionsWithKeyShare":"nss updated/broken",
"EmptyEncryptedExtensions":"nss updated/broken",
"TrailingMessageData-*": "Bug 1304575",
"DuplicateKeyShares":"Bug 1304578",
security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
+55 -4
View File
@@ -5,6 +5,7 @@
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "config.h"
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <memory>
@@ -90,9 +91,14 @@ class TestAgent {
PRStatus prv;
PRNetAddr addr;
prv = PR_StringToNetAddr("127.0.0.1", &addr);
// Try IPv6 first.
prv = PR_StringToNetAddr("::1", &addr);
if (prv != PR_SUCCESS) {
return false;
// If that fails, try IPv4.
prv = PR_StringToNetAddr("127.0.0.1", &addr);
if (prv != PR_SUCCESS) {
return false;
}
}
addr.inet.port = PR_htons(cfg_.get<int>("port"));
@@ -256,7 +262,11 @@ class TestAgent {
}
bool SetupOptions() {
SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
SECStatus rv =
SSL_OptionSet(ssl_fd_, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
if (rv != SECSuccess) return false;
rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
if (rv != SECSuccess) return false;
SSLVersionRange vrange;
@@ -287,6 +297,26 @@ class TestAgent {
if (rv != SECSuccess) return false;
}
// Set supported signature schemes.
auto sign_prefs = cfg_.get<std::vector<int>>("signing-prefs");
auto verify_prefs = cfg_.get<std::vector<int>>("verify-prefs");
if (sign_prefs.empty()) {
sign_prefs = verify_prefs;
} else if (!verify_prefs.empty()) {
return false; // Both shouldn't be set.
}
if (!sign_prefs.empty()) {
std::vector<SSLSignatureScheme> sig_schemes;
std::transform(
sign_prefs.begin(), sign_prefs.end(), std::back_inserter(sig_schemes),
[](int scheme) { return static_cast<SSLSignatureScheme>(scheme); });
rv = SSL_SignatureSchemePrefSet(
ssl_fd_, sig_schemes.data(),
static_cast<unsigned int>(sig_schemes.size()));
if (rv != SECSuccess) return false;
}
if (cfg_.get<bool>("fallback-scsv")) {
rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
if (rv != SECSuccess) return false;
@@ -410,7 +440,7 @@ class TestAgent {
size_t left = sizeof(block);
while (left) {
int32_t rv = PR_Read(ssl_fd_, block, left);
rv = PR_Read(ssl_fd_, block, left);
if (rv < 0) {
std::cerr << "Failure reading\n";
return SECFailure;
@@ -481,6 +511,24 @@ class TestAgent {
}
}
auto sig_alg = cfg_.get<int>("expect-peer-signature-algorithm");
if (sig_alg) {
SSLChannelInfo info;
rv = SSL_GetChannelInfo(ssl_fd_, &info, sizeof(info));
if (rv != SECSuccess) {
PRErrorCode err = PR_GetError();
std::cerr << "SSL_GetChannelInfo failed with error=" << FormatError(err)
<< std::endl;
return SECFailure;
}
auto expected = static_cast<SSLSignatureScheme>(sig_alg);
if (info.signatureScheme != expected) {
std::cerr << "Unexpected signature scheme" << std::endl;
return SECFailure;
}
}
return SECSuccess;
}
@@ -513,6 +561,9 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
cfg->AddEntry<bool>("verify-peer", false);
cfg->AddEntry<std::string>("advertise-alpn", "");
cfg->AddEntry<std::string>("expect-alpn", "");
cfg->AddEntry<std::vector<int>>("signing-prefs", std::vector<int>());
cfg->AddEntry<std::vector<int>>("verify-prefs", std::vector<int>());
cfg->AddEntry<int>("expect-peer-signature-algorithm", 0);
auto rv = cfg->ParseArgs(argc, argv);
switch (rv) {
security/nss/gtests/pk11_gtest/pk11_signature_test.h
+2 -2
View File
@@ -25,8 +25,8 @@ struct Pkcs11SignatureTestParams {
class Pk11SignatureTest : public ::testing::Test {
protected:
Pk11SignatureTest(CK_MECHANISM_TYPE mechanism, SECOidTag hash_oid)
: mechanism_(mechanism), hash_oid_(hash_oid) {}
Pk11SignatureTest(CK_MECHANISM_TYPE mech, SECOidTag hash_oid)
: mechanism_(mech), hash_oid_(hash_oid) {}
virtual const SECItem* parameters() const { return nullptr; }
CK_MECHANISM_TYPE mechanism() const { return mechanism_; }
security/nss/gtests/ssl_gtest/libssl_internals.c
+7 -6
View File
@@ -237,22 +237,23 @@ SECStatus SSLInt_AdvanceReadSeqNum(PRFileDesc *fd, PRUint64 to) {
if (!ss) {
return SECFailure;
}
if (to >= RECORD_SEQ_MAX) {
if (to > RECORD_SEQ_MAX) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
ssl_GetSpecWriteLock(ss);
spec = ss->ssl3.crSpec;
spec->seqNum = to;
spec->nextSeqNum = to;
/* For DTLS, we need to fix the record sequence number. For this, we can just
* scrub the entire structure on the assumption that the new sequence number
* is far enough past the last received sequence number. */
if (spec->seqNum <= spec->recvdRecords.right + DTLS_RECVD_RECORDS_WINDOW) {
if (spec->nextSeqNum <=
spec->recvdRecords.right + DTLS_RECVD_RECORDS_WINDOW) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
dtls_RecordSetRecvd(&spec->recvdRecords, spec->seqNum);
dtls_RecordSetRecvd(&spec->recvdRecords, spec->nextSeqNum - 1);
ssl_ReleaseSpecWriteLock(ss);
return SECSuccess;
@@ -270,7 +271,7 @@ SECStatus SSLInt_AdvanceWriteSeqNum(PRFileDesc *fd, PRUint64 to) {
return SECFailure;
}
ssl_GetSpecWriteLock(ss);
ss->ssl3.cwSpec->seqNum = to;
ss->ssl3.cwSpec->nextSeqNum = to;
ssl_ReleaseSpecWriteLock(ss);
return SECSuccess;
}
@@ -284,7 +285,7 @@ SECStatus SSLInt_AdvanceWriteSeqByAWindow(PRFileDesc *fd, PRInt32 extra) {
return SECFailure;
}
ssl_GetSpecReadLock(ss);
to = ss->ssl3.cwSpec->seqNum + DTLS_RECVD_RECORDS_WINDOW + extra;
to = ss->ssl3.cwSpec->nextSeqNum + DTLS_RECVD_RECORDS_WINDOW + extra;
ssl_ReleaseSpecReadLock(ss);
return SSLInt_AdvanceWriteSeqNum(fd, to);
}
security/nss/gtests/ssl_gtest/manifest.mn
+1
View File
@@ -36,6 +36,7 @@ CPPSRCS = \
ssl_loopback_unittest.cc \
ssl_misc_unittest.cc \
ssl_record_unittest.cc \
ssl_recordsize_unittest.cc \
ssl_resumption_unittest.cc \
ssl_renegotiation_unittest.cc \
ssl_skip_unittest.cc \
security/nss/gtests/ssl_gtest/rsa8193.h
+209
View File
@@ -0,0 +1,209 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
// openssl req -nodes -x509 -newkey rsa:8193 -out cert.pem -days 365
static const uint8_t rsa8193[] = {
0x30, 0x82, 0x09, 0x61, 0x30, 0x82, 0x05, 0x48, 0xa0, 0x03, 0x02, 0x01,
0x02, 0x02, 0x09, 0x00, 0xaf, 0xff, 0x37, 0x91, 0x3e, 0x44, 0xae, 0x57,
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
0x0b, 0x05, 0x00, 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
0x55, 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74,
0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a,
0x0c, 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57,
0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c,
0x74, 0x64, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x35, 0x31, 0x37,
0x30, 0x39, 0x34, 0x32, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x30,
0x35, 0x31, 0x37, 0x30, 0x39, 0x34, 0x32, 0x32, 0x39, 0x5a, 0x30, 0x45,
0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x41,
0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a,
0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x21,
0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49, 0x6e, 0x74,
0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69, 0x74,
0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64, 0x30, 0x82, 0x04,
0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x04, 0x0f, 0x00, 0x30, 0x82, 0x04,
0x0a, 0x02, 0x82, 0x04, 0x01, 0x01, 0x77, 0xd6, 0xa9, 0x93, 0x4e, 0x15,
0xb5, 0x67, 0x70, 0x8e, 0xc3, 0x77, 0x4f, 0xc9, 0x8a, 0x06, 0xd9, 0xb9,
0xa6, 0x41, 0xb8, 0xfa, 0x4a, 0x13, 0x26, 0xdc, 0x2b, 0xc5, 0x82, 0xa0,
0x74, 0x8c, 0x1e, 0xe9, 0xc0, 0x70, 0x15, 0x56, 0xec, 0x1f, 0x7e, 0x91,
0x6e, 0x31, 0x42, 0x8b, 0xd5, 0xe2, 0x0e, 0x9c, 0xeb, 0xff, 0xbc, 0xf9,
0x42, 0xd3, 0xb9, 0x1c, 0x5e, 0x46, 0x80, 0x90, 0x5f, 0xe1, 0x59, 0x22,
0x13, 0x71, 0xd3, 0xd6, 0x66, 0x7a, 0xe0, 0x56, 0x04, 0x10, 0x59, 0x01,
0xb3, 0xb6, 0xd2, 0xc7, 0xa7, 0x3b, 0xbc, 0xe6, 0x38, 0x44, 0xd5, 0x71,
0x66, 0x1d, 0xb2, 0x63, 0x2f, 0xa9, 0x5e, 0x80, 0x92, 0x3c, 0x21, 0x0e,
0xe1, 0xda, 0xd6, 0x1d, 0xcb, 0xce, 0xac, 0xe1, 0x5f, 0x97, 0x45, 0x8f,
0xc1, 0x64, 0x16, 0xa6, 0x88, 0x2a, 0x36, 0x4a, 0x76, 0x64, 0x8f, 0x83,
0x7a, 0x1d, 0xd8, 0x91, 0x90, 0x7b, 0x58, 0xb8, 0x1c, 0x7f, 0x56, 0x57,
0x35, 0xfb, 0xf3, 0x1a, 0xcb, 0x7c, 0x66, 0x66, 0x04, 0x95, 0xee, 0x3a,
0x80, 0xf0, 0xd4, 0x12, 0x3a, 0x7e, 0x7e, 0x5e, 0xb8, 0x55, 0x29, 0x23,
0x06, 0xd3, 0x85, 0x0c, 0x99, 0x91, 0x42, 0xee, 0x5a, 0x30, 0x7f, 0x52,
0x20, 0xb3, 0xe2, 0xe7, 0x39, 0x69, 0xb6, 0xfc, 0x42, 0x1e, 0x98, 0xd3,
0x31, 0xa2, 0xfa, 0x81, 0x52, 0x69, 0x6d, 0x23, 0xf8, 0xc4, 0xc3, 0x3c,
0x9b, 0x48, 0x75, 0xa8, 0xc7, 0xe7, 0x61, 0x81, 0x1f, 0xf7, 0xce, 0x10,
0xaa, 0x13, 0xcb, 0x6e, 0x19, 0xc0, 0x4f, 0x6f, 0x90, 0xa8, 0x41, 0xea,
0x49, 0xdf, 0xe4, 0xef, 0x84, 0x54, 0xb5, 0x37, 0xaf, 0x12, 0x75, 0x1a,
0x11, 0x4b, 0x58, 0x7f, 0x63, 0x22, 0x33, 0xb1, 0xc8, 0x4d, 0xf2, 0x41,
0x10, 0xbc, 0x37, 0xb5, 0xd5, 0xb2, 0x21, 0x32, 0x35, 0x9d, 0xf3, 0x8d,
0xab, 0x66, 0x9d, 0x19, 0x12, 0x71, 0x45, 0xb3, 0x82, 0x5a, 0x5c, 0xff,
0x2d, 0xcf, 0xf4, 0x5b, 0x56, 0xb8, 0x08, 0xb3, 0xd2, 0x43, 0x8c, 0xac,
0xd2, 0xf8, 0xcc, 0x6d, 0x90, 0x97, 0xff, 0x12, 0x74, 0x97, 0xf8, 0xa4,
0xe3, 0x95, 0xae, 0x92, 0xdc, 0x7e, 0x9d, 0x2b, 0xb4, 0x94, 0xc3, 0x8d,
0x80, 0xe7, 0x77, 0x5c, 0x5b, 0xbb, 0x43, 0xdc, 0xa6, 0xe9, 0xbe, 0x20,
0xcc, 0x9d, 0x8e, 0xa4, 0x2b, 0xf2, 0x72, 0xdc, 0x44, 0x61, 0x0f, 0xad,
0x1a, 0x5e, 0xa5, 0x48, 0xe4, 0x42, 0xc5, 0xe4, 0xf1, 0x6d, 0x33, 0xdb,
0xb2, 0x1b, 0x9f, 0xb2, 0xff, 0x18, 0x0e, 0x62, 0x35, 0x99, 0xed, 0x22,
0x19, 0x4a, 0x5e, 0xb3, 0x3c, 0x07, 0x8f, 0x6e, 0x22, 0x5b, 0x16, 0x4a,
0x9f, 0xef, 0xf3, 0xe7, 0xd6, 0x48, 0xe1, 0xb4, 0x3b, 0xab, 0x1b, 0x9e,
0x53, 0xd7, 0x1b, 0xd9, 0x2d, 0x51, 0x8f, 0xe4, 0x1c, 0xab, 0xdd, 0xb9,
0xe2, 0xee, 0xe4, 0xdd, 0x60, 0x04, 0x86, 0x6b, 0x4e, 0x7a, 0xc8, 0x09,
0x51, 0xd1, 0x9b, 0x36, 0x9a, 0x36, 0x7f, 0xe8, 0x6b, 0x09, 0x6c, 0xee,
0xad, 0x3a, 0x2f, 0xa8, 0x63, 0x92, 0x23, 0x2f, 0x7e, 0x00, 0xe2, 0xd1,
0xbb, 0xd9, 0x5b, 0x5b, 0xfa, 0x4b, 0x83, 0x00, 0x19, 0x28, 0xfb, 0x7e,
0xfe, 0x58, 0xab, 0xb7, 0x33, 0x45, 0x8f, 0x75, 0x9a, 0x54, 0x3d, 0x77,
0x06, 0x75, 0x61, 0x4f, 0x5c, 0x93, 0xa0, 0xf9, 0xe8, 0xcf, 0xf6, 0x04,
0x14, 0xda, 0x1b, 0x2e, 0x79, 0x35, 0xb8, 0xb4, 0xfa, 0x08, 0x27, 0x9a,
0x03, 0x70, 0x78, 0x97, 0x8f, 0xae, 0x2e, 0xd5, 0x1c, 0xe0, 0x4d, 0x91,
0x3a, 0xfe, 0x1a, 0x64, 0xd8, 0x49, 0xdf, 0x6c, 0x66, 0xac, 0xc9, 0x57,
0x06, 0x72, 0xc0, 0xc0, 0x09, 0x71, 0x6a, 0xd0, 0xb0, 0x7d, 0x35, 0x3f,
0x53, 0x17, 0x49, 0x38, 0x92, 0x22, 0x55, 0xf6, 0x58, 0x56, 0xa2, 0x42,
0x77, 0x94, 0xb7, 0x28, 0x0a, 0xa0, 0xd2, 0xda, 0x25, 0xc1, 0xcc, 0x52,
0x51, 0xd6, 0xba, 0x18, 0x0f, 0x0d, 0xe3, 0x7d, 0xd1, 0xda, 0xd9, 0x0c,
0x5e, 0x3a, 0xca, 0xe9, 0xf1, 0xf5, 0x65, 0xfc, 0xc3, 0x99, 0x72, 0x25,
0xf2, 0xc0, 0xa1, 0x8c, 0x43, 0x9d, 0xb2, 0xc9, 0xb1, 0x1a, 0x24, 0x34,
0x57, 0xd8, 0xa7, 0x52, 0xa3, 0x39, 0x6e, 0x0b, 0xec, 0xbd, 0x5e, 0xc9,
0x1f, 0x74, 0xed, 0xae, 0xe6, 0x4e, 0x49, 0xe8, 0x87, 0x3e, 0x46, 0x0d,
0x40, 0x30, 0xda, 0x9d, 0xcf, 0xf5, 0x03, 0x1f, 0x38, 0x29, 0x3b, 0x66,
0xe5, 0xc0, 0x89, 0x4c, 0xfc, 0x09, 0x62, 0x37, 0x01, 0xf9, 0x01, 0xab,
0x8d, 0x53, 0x9c, 0x36, 0x5d, 0x36, 0x66, 0x8d, 0x87, 0xf4, 0xab, 0x37,
0xb7, 0xf7, 0xe3, 0xdf, 0xc1, 0x52, 0xc0, 0x1d, 0x09, 0x92, 0x21, 0x47,
0x49, 0x9a, 0x19, 0x38, 0x05, 0x62, 0xf3, 0x47, 0x80, 0x89, 0x1e, 0x70,
0xa1, 0x57, 0xb7, 0x72, 0xd0, 0x41, 0x7a, 0x5c, 0x6a, 0x13, 0x8b, 0x6c,
0xda, 0xdf, 0x6b, 0x01, 0x15, 0x20, 0xfa, 0xc8, 0x67, 0xee, 0xb2, 0x13,
0xd8, 0x5f, 0x84, 0x30, 0x44, 0x8e, 0xf9, 0x2a, 0xae, 0x17, 0x53, 0x49,
0xaa, 0x34, 0x31, 0x12, 0x31, 0xec, 0xf3, 0x25, 0x27, 0x53, 0x6b, 0xb5,
0x63, 0xa6, 0xbc, 0xf1, 0x77, 0xd4, 0xb4, 0x77, 0xd1, 0xee, 0xad, 0x62,
0x9d, 0x2c, 0x2e, 0x11, 0x0a, 0xd1, 0x87, 0xfe, 0xef, 0x77, 0x0e, 0xd1,
0x38, 0xfe, 0xcc, 0x88, 0xaa, 0x1c, 0x06, 0x93, 0x25, 0x56, 0xfe, 0x0c,
0x52, 0xe9, 0x7f, 0x4c, 0x3b, 0x2a, 0xfb, 0x40, 0x62, 0x29, 0x0a, 0x1d,
0x58, 0x78, 0x8b, 0x09, 0x25, 0xaa, 0xc6, 0x8f, 0x66, 0x8f, 0xd1, 0x93,
0x5a, 0xd6, 0x68, 0x35, 0x69, 0x13, 0x5d, 0x42, 0x35, 0x95, 0xcb, 0xc4,
0xec, 0x17, 0x92, 0x96, 0xcb, 0x4a, 0xb9, 0x8f, 0xe5, 0xc4, 0x4a, 0xe7,
0x54, 0x52, 0x4c, 0x64, 0x06, 0xac, 0x2f, 0x13, 0x32, 0x02, 0x47, 0x13,
0x5c, 0xa2, 0x66, 0xdc, 0x36, 0x0c, 0x4f, 0xbb, 0x89, 0x58, 0x85, 0x16,
0xf1, 0xf1, 0xff, 0xd2, 0x86, 0x54, 0x29, 0xb3, 0x7e, 0x2a, 0xbd, 0xf9,
0x53, 0x8c, 0xa0, 0x60, 0x60, 0xb2, 0x90, 0x7f, 0x3a, 0x11, 0x5f, 0x2a,
0x50, 0x74, 0x2a, 0xd1, 0x68, 0x78, 0xdb, 0x31, 0x1b, 0x8b, 0xee, 0xee,
0x18, 0x97, 0xf3, 0x50, 0x84, 0xc1, 0x8f, 0xe1, 0xc6, 0x01, 0xb4, 0x16,
0x65, 0x25, 0x0c, 0x03, 0xab, 0xed, 0x4f, 0xd6, 0xe6, 0x16, 0x23, 0xcc,
0x42, 0x93, 0xff, 0xfa, 0x92, 0x63, 0x33, 0x9e, 0x36, 0xb0, 0xdc, 0x9a,
0xb6, 0xaa, 0xd7, 0x48, 0xfe, 0x27, 0x01, 0xcf, 0x67, 0xc0, 0x75, 0xa0,
0x86, 0x9a, 0xec, 0xa7, 0x2e, 0xb8, 0x7b, 0x00, 0x7f, 0xd4, 0xe3, 0xb3,
0xfc, 0x48, 0xab, 0x50, 0x20, 0xd4, 0x0d, 0x58, 0x26, 0xc0, 0x3c, 0x09,
0x0b, 0x80, 0x9e, 0xaf, 0x14, 0x3c, 0x0c, 0x6e, 0x69, 0xbc, 0x6c, 0x4e,
0x50, 0x33, 0xb0, 0x07, 0x64, 0x6e, 0x77, 0x96, 0xc2, 0xe6, 0x3b, 0xd7,
0xfe, 0xdc, 0xa4, 0x2f, 0x18, 0x5b, 0x53, 0xe5, 0xdd, 0xb6, 0xce, 0xeb,
0x16, 0xb4, 0x25, 0xc6, 0xcb, 0xf2, 0x65, 0x3c, 0x4f, 0x94, 0xa5, 0x11,
0x18, 0xeb, 0x7b, 0x62, 0x1d, 0xd5, 0x02, 0x35, 0x76, 0xf6, 0xb5, 0x20,
0x27, 0x21, 0x9b, 0xab, 0xf4, 0xb6, 0x8f, 0x1a, 0x70, 0x1d, 0x12, 0xe3,
0xb9, 0x8e, 0x29, 0x52, 0x25, 0xf4, 0xba, 0xb4, 0x25, 0x2c, 0x91, 0x11,
0xf2, 0xae, 0x7b, 0xbe, 0xb6, 0x67, 0xd6, 0x08, 0xf8, 0x6f, 0xe7, 0xb0,
0x16, 0xc5, 0xf6, 0xd5, 0xfb, 0x07, 0x71, 0x5b, 0x0e, 0xe1, 0x02, 0x03,
0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55,
0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xaa, 0xe7, 0x7f, 0xcf, 0xf8, 0xb4,
0xe0, 0x8d, 0x39, 0x9a, 0x1d, 0x4f, 0x86, 0xa2, 0xac, 0x56, 0x32, 0xd9,
0x58, 0xe3, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
0x16, 0x80, 0x14, 0xaa, 0xe7, 0x7f, 0xcf, 0xf8, 0xb4, 0xe0, 0x8d, 0x39,
0x9a, 0x1d, 0x4f, 0x86, 0xa2, 0xac, 0x56, 0x32, 0xd9, 0x58, 0xe3, 0x30,
0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30,
0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x04, 0x02, 0x00,
0x00, 0x0a, 0x0a, 0x81, 0xb5, 0x2e, 0xac, 0x52, 0xab, 0x0f, 0xeb, 0xad,
0x96, 0xd6, 0xd6, 0x59, 0x8f, 0x55, 0x15, 0x56, 0x70, 0xda, 0xd5, 0x75,
0x47, 0x12, 0x9a, 0x0e, 0xd1, 0x65, 0x68, 0xe0, 0x51, 0x89, 0x59, 0xcc,
0xe3, 0x5a, 0x1b, 0x85, 0x14, 0xa3, 0x1d, 0x9b, 0x3f, 0xd1, 0xa4, 0x42,
0xb0, 0x89, 0x12, 0x93, 0xd3, 0x54, 0x19, 0x04, 0xa2, 0xaf, 0xaa, 0x60,
0xca, 0x03, 0xc2, 0xae, 0x62, 0x8c, 0xb6, 0x31, 0x03, 0xd6, 0xa5, 0xf3,
0x5e, 0x8d, 0x5c, 0x69, 0x4c, 0x7d, 0x81, 0x49, 0x20, 0x25, 0x41, 0xa4,
0x2a, 0x95, 0x87, 0x36, 0xa3, 0x9b, 0x9e, 0x9f, 0xed, 0x85, 0xf3, 0xb1,
0xf1, 0xe9, 0x1b, 0xbb, 0xe3, 0xbc, 0x3b, 0x11, 0x36, 0xca, 0xb9, 0x5f,
0xee, 0x64, 0xde, 0x2a, 0x99, 0x27, 0x91, 0xc0, 0x54, 0x9e, 0x7a, 0xd4,
0x89, 0x8c, 0xa0, 0xe3, 0xfd, 0x44, 0x6f, 0x02, 0x38, 0x3c, 0xee, 0x52,
0x48, 0x1b, 0xd4, 0x25, 0x2b, 0xcb, 0x8e, 0xa8, 0x1b, 0x09, 0xd6, 0x30,
0x51, 0x15, 0x6c, 0x5c, 0x03, 0x76, 0xad, 0x64, 0x45, 0x50, 0xa2, 0xe1,
0x3c, 0x5a, 0x67, 0x87, 0xff, 0x8c, 0xed, 0x9a, 0x8d, 0x04, 0xc1, 0xac,
0xf9, 0xca, 0xf5, 0x2a, 0x05, 0x9c, 0xdd, 0x78, 0xce, 0x99, 0x78, 0x7b,
0xcd, 0x43, 0x10, 0x40, 0xf7, 0xb5, 0x27, 0x12, 0xec, 0xe9, 0xb2, 0x3f,
0xf4, 0x5d, 0xd9, 0xbb, 0xf8, 0xc4, 0xc9, 0xa4, 0x46, 0x20, 0x41, 0x7f,
0xeb, 0x79, 0xb0, 0x51, 0x8c, 0xf7, 0xc3, 0x2c, 0x16, 0xfe, 0x42, 0x59,
0x77, 0xfe, 0x53, 0xfe, 0x19, 0x57, 0x58, 0x44, 0x6d, 0x12, 0xe2, 0x95,
0xd0, 0xd3, 0x5a, 0xb5, 0x2d, 0xe5, 0x7e, 0xb4, 0xb3, 0xa9, 0xcc, 0x7d,
0x53, 0x77, 0x81, 0x01, 0x0f, 0x0a, 0xf6, 0x86, 0x3c, 0x7d, 0xb5, 0x2c,
0xbf, 0x62, 0xc3, 0xf5, 0x38, 0x89, 0x13, 0x84, 0x1f, 0x44, 0x2d, 0x87,
0x5c, 0x23, 0x9e, 0x05, 0x62, 0x56, 0x3d, 0x71, 0x4d, 0xd0, 0xe3, 0x15,
0xe9, 0x09, 0x9c, 0x1a, 0xc0, 0x9a, 0x19, 0x8b, 0x9c, 0xe9, 0xae, 0xde,
0x62, 0x05, 0x23, 0xe2, 0xd0, 0x3f, 0xf5, 0xef, 0x04, 0x96, 0x4c, 0x87,
0x34, 0x2f, 0xd5, 0x90, 0xde, 0xbf, 0x4b, 0x56, 0x12, 0x5f, 0xc6, 0xdc,
0xa4, 0x1c, 0xc4, 0x53, 0x0c, 0xf9, 0xb4, 0xe4, 0x2c, 0xe7, 0x48, 0xbd,
0xb1, 0xac, 0xf1, 0xc1, 0x8d, 0x53, 0x47, 0x84, 0xc0, 0x78, 0x0a, 0x5e,
0xc2, 0x16, 0xff, 0xef, 0x97, 0x5b, 0x33, 0x85, 0x92, 0xcd, 0xd4, 0xbb,
0x64, 0xee, 0xed, 0x17, 0x18, 0x43, 0x32, 0x99, 0x32, 0x36, 0x25, 0xf4,
0x21, 0x3c, 0x2f, 0x55, 0xdc, 0x16, 0x06, 0x4d, 0x86, 0xa3, 0xa9, 0x34,
0x22, 0xd5, 0xc3, 0xc8, 0x64, 0x3c, 0x4e, 0x3a, 0x69, 0xbd, 0xcf, 0xd7,
0xee, 0x3f, 0x0d, 0x15, 0xeb, 0xfb, 0xbd, 0x91, 0x7f, 0xef, 0x48, 0xec,
0x86, 0xb2, 0x78, 0xf7, 0x53, 0x90, 0x38, 0xb5, 0x04, 0x9c, 0xb7, 0xd7,
0x9e, 0xaa, 0x15, 0xf7, 0xcd, 0xc2, 0x17, 0xd5, 0x8f, 0x82, 0x98, 0xa3,
0xaf, 0x59, 0xf1, 0x71, 0xda, 0x6e, 0xaf, 0x97, 0x6d, 0x77, 0x72, 0xfd,
0xa8, 0x80, 0x25, 0xce, 0x46, 0x04, 0x6e, 0x40, 0x15, 0x24, 0xc0, 0xf9,
0xbf, 0x13, 0x16, 0x72, 0xcb, 0xb7, 0x10, 0xc7, 0x0a, 0xd6, 0x66, 0x96,
0x5b, 0x27, 0x4d, 0x66, 0xc4, 0x2f, 0x21, 0x90, 0x9f, 0x8c, 0x24, 0xa0,
0x0e, 0xa2, 0x89, 0x92, 0xd2, 0x44, 0x63, 0x06, 0xb2, 0xab, 0x07, 0x26,
0xde, 0x03, 0x1d, 0xdb, 0x2a, 0x42, 0x5b, 0x4c, 0xf6, 0xfe, 0x53, 0xfa,
0x80, 0x45, 0x8d, 0x75, 0xf6, 0x0e, 0x1d, 0xcc, 0x4c, 0x3b, 0xb0, 0x80,
0x6d, 0x4c, 0xed, 0x7c, 0xe0, 0xd2, 0xe7, 0x62, 0x59, 0xb1, 0x5a, 0x5d,
0x3a, 0xec, 0x86, 0x04, 0xfe, 0x26, 0xd1, 0x18, 0xed, 0x56, 0x7d, 0x67,
0x56, 0x24, 0x6d, 0x7c, 0x6e, 0x8f, 0xc8, 0xa0, 0xba, 0x42, 0x0a, 0x33,
0x38, 0x7a, 0x09, 0x03, 0xc2, 0xbf, 0x9b, 0x01, 0xdd, 0x03, 0x5a, 0xba,
0x76, 0x04, 0xb1, 0xc3, 0x40, 0x23, 0x53, 0xbd, 0x64, 0x4e, 0x0f, 0xe7,
0xc3, 0x4e, 0x48, 0xea, 0x19, 0x2b, 0x1c, 0xe4, 0x3d, 0x93, 0xd8, 0xf6,
0xfb, 0xda, 0x3d, 0xeb, 0xed, 0xc2, 0xbd, 0x14, 0x57, 0x40, 0xde, 0xd1,
0x74, 0x54, 0x1b, 0xa8, 0x39, 0xda, 0x73, 0x56, 0xd4, 0xbe, 0xab, 0xec,
0xc7, 0x17, 0x4f, 0x91, 0xb6, 0xf6, 0xcb, 0x24, 0xc6, 0x1c, 0x07, 0xc4,
0xf3, 0xd0, 0x5e, 0x8d, 0xfa, 0x44, 0x98, 0x5c, 0x87, 0x36, 0x75, 0xb6,
0xa5, 0x31, 0xaa, 0xab, 0x7d, 0x38, 0x66, 0xb3, 0x18, 0x58, 0x65, 0x97,
0x06, 0xfd, 0x61, 0x81, 0x71, 0xc5, 0x17, 0x8b, 0x19, 0x03, 0xc8, 0x58,
0xec, 0x05, 0xca, 0x7b, 0x0f, 0xec, 0x9d, 0xb4, 0xbc, 0xa3, 0x20, 0x2e,
0xf8, 0xe4, 0xb1, 0x82, 0xdc, 0x5a, 0xd2, 0x92, 0x9c, 0x43, 0x5d, 0x16,
0x5b, 0x90, 0x80, 0xe4, 0xfb, 0x6e, 0x24, 0x6b, 0x8c, 0x1a, 0x35, 0xab,
0xbd, 0x77, 0x7f, 0xf9, 0x61, 0x80, 0xa5, 0xab, 0xa3, 0x39, 0xc2, 0xc9,
0x69, 0x3c, 0xfc, 0xb3, 0x9a, 0x05, 0x45, 0x03, 0x88, 0x8f, 0x8e, 0x23,
0xf2, 0x0c, 0x4c, 0x54, 0xb9, 0x40, 0x3a, 0x31, 0x1a, 0x22, 0x67, 0x43,
0x4a, 0x3e, 0xa0, 0x8c, 0x2d, 0x4d, 0x4f, 0xfc, 0xb5, 0x9b, 0x1f, 0xe1,
0xef, 0x02, 0x54, 0xab, 0x8d, 0x75, 0x4d, 0x93, 0xba, 0x76, 0xe1, 0xbc,
0x42, 0x7f, 0x6c, 0xcb, 0xf5, 0x47, 0xd6, 0x8a, 0xac, 0x5d, 0xe9, 0xbb,
0x3a, 0x65, 0x2c, 0x81, 0xe5, 0xff, 0x27, 0x7e, 0x60, 0x64, 0x80, 0x42,
0x8d, 0x36, 0x6b, 0x07, 0x76, 0x6a, 0xf1, 0xdf, 0x96, 0x17, 0x93, 0x21,
0x5d, 0xe4, 0x6c, 0xce, 0x1c, 0xb9, 0x82, 0x45, 0x05, 0x61, 0xe2, 0x41,
0x96, 0x03, 0x7d, 0x10, 0x8b, 0x3e, 0xc7, 0xe5, 0xcf, 0x08, 0xeb, 0x81,
0xd3, 0x82, 0x1b, 0x04, 0x96, 0x93, 0x5a, 0xe2, 0x8c, 0x8e, 0x50, 0x33,
0xf6, 0xf9, 0xf0, 0xfb, 0xb1, 0xd7, 0xc6, 0x97, 0xaa, 0xef, 0x0b, 0x87,
0xe1, 0x34, 0x97, 0x78, 0x2e, 0x7c, 0x46, 0x11, 0xd5, 0x3c, 0xec, 0x38,
0x70, 0x59, 0x14, 0x65, 0x4d, 0x0e, 0xd1, 0xeb, 0x49, 0xb3, 0x99, 0x6f,
0x87, 0xf1, 0x79, 0x21, 0xd9, 0x5c, 0x37, 0xb2, 0xfe, 0xc4, 0x7a, 0xc1,
0x67, 0xbd, 0x02, 0xfc, 0x02, 0xab, 0x2f, 0xf5, 0x0f, 0xa7, 0xae, 0x90,
0xc2, 0xaf, 0xdb, 0xd1, 0x96, 0xb2, 0x92, 0x5a, 0xfb, 0xca, 0x28, 0x74,
0x17, 0xed, 0xda, 0x2c, 0x9f, 0xb4, 0x2d, 0xf5, 0x71, 0x20, 0x64, 0x2d,
0x44, 0xe5, 0xa3, 0xa0, 0x94, 0x6f, 0x20, 0xb3, 0x73, 0x96, 0x40, 0x06,
0x9b, 0x25, 0x47, 0x4b, 0xe0, 0x63, 0x91, 0xd9, 0xda, 0xf3, 0xc3, 0xe5,
0x3a, 0x3c, 0xb7, 0x5f, 0xab, 0x1e, 0x51, 0x17, 0x4f, 0xec, 0xc1, 0x6d,
0x82, 0x79, 0x8e, 0xba, 0x7c, 0x47, 0x8e, 0x99, 0x00, 0x17, 0x9e, 0xda,
0x10, 0x42, 0x70, 0x25, 0x42, 0x84, 0xc8, 0xb1, 0x95, 0x56, 0xb2, 0x08,
0xa0, 0x4f, 0xdc, 0xcd, 0x9e, 0x31, 0x4b, 0x0c, 0x0b, 0x03, 0x5d, 0x2c,
0x26, 0xbc, 0xa9, 0x4b, 0x19, 0xdf, 0x90, 0x01, 0x9a, 0xe0, 0x06, 0x05,
0x13, 0x34, 0x9d, 0x34, 0xb8, 0xef, 0x13, 0x3a, 0x20, 0xf5, 0x74, 0x02,
0x70, 0x3b, 0x41, 0x60, 0x1f, 0x5e, 0x76, 0x0a, 0xb1, 0x17, 0xd5, 0xcf,
0x79, 0xef, 0xf7, 0xab, 0xe7, 0xd6, 0x0f, 0xad, 0x85, 0x2c, 0x52, 0x67,
0xb5, 0xa0, 0x4a, 0xfd, 0xaf};
security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
+2 -2
View File
@@ -345,8 +345,8 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRttNoAlpnClient) {
TEST_P(TlsConnectTls13, TestTls13ZeroRttAlpnChangeBoth) {
EnableAlpn();
SetupForZeroRtt();
static const uint8_t alpn[] = {0x01, 0x62}; // "b"
EnableAlpn(alpn, sizeof(alpn));
static const std::vector<uint8_t> alpn({0x01, 0x62}); // "b"
EnableAlpn(alpn);
client_->Set0RttEnabled(true);
server_->Set0RttEnabled(true);
ExpectResumption(RESUME_TICKET);
security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
+49 -29
View File
@@ -8,9 +8,6 @@
#include "sslerr.h"
#include "sslproto.h"
// This is an internal header, used to get TLS_1_3_DRAFT_VERSION.
#include "ssl3prot.h"
#include <memory>
#include "databuffer.h"
@@ -21,7 +18,6 @@
namespace nss_test {
static const uint8_t kD13 = TLS_1_3_DRAFT_VERSION;
// This is a 1-RTT ClientHello with ECDHE.
const static uint8_t kCannedTls13ClientHello[] = {
0x01, 0x00, 0x00, 0xcf, 0x03, 0x03, 0x6c, 0xb3, 0x46, 0x81, 0xc8, 0x1a,
@@ -42,16 +38,7 @@ const static uint8_t kCannedTls13ClientHello[] = {
0x1e, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02, 0x03, 0x08, 0x04, 0x08,
0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01, 0x04,
0x02, 0x05, 0x02, 0x06, 0x02, 0x02, 0x02};
const static uint8_t kCannedTls13ServerHello[] = {
0x03, 0x03, 0x9c, 0xbc, 0x14, 0x9b, 0x0e, 0x2e, 0xfa, 0x0d, 0xf3,
0xf0, 0x5c, 0x70, 0x7a, 0xe0, 0xd1, 0x9b, 0x3e, 0x5a, 0x44, 0x6b,
0xdf, 0xe5, 0xc2, 0x28, 0x64, 0xf7, 0x00, 0xc1, 0x9c, 0x08, 0x76,
0x08, 0x00, 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x33, 0x00, 0x24,
0x00, 0x1d, 0x00, 0x20, 0xc2, 0xcf, 0x23, 0x17, 0x64, 0x23, 0x03,
0xf0, 0xfb, 0x45, 0x98, 0x26, 0xd1, 0x65, 0x24, 0xa1, 0x6c, 0xa9,
0x80, 0x8f, 0x2c, 0xac, 0x0a, 0xea, 0x53, 0x3a, 0xcb, 0xe3, 0x08,
0x84, 0xae, 0x19, 0x00, 0x2b, 0x00, 0x02, 0x7f, kD13};
static const size_t kFirstFragmentSize = 20;
static const char *k0RttData = "ABCDEF";
TEST_P(TlsAgentTest, EarlyFinished) {
@@ -74,8 +61,9 @@ TEST_P(TlsAgentTestClient13, CannedHello) {
DataBuffer buffer;
EnsureInit();
DataBuffer server_hello;
MakeHandshakeMessage(kTlsHandshakeServerHello, kCannedTls13ServerHello,
sizeof(kCannedTls13ServerHello), &server_hello);
auto sh = MakeCannedTls13ServerHello();
MakeHandshakeMessage(kTlsHandshakeServerHello, sh.data(), sh.len(),
&server_hello);
MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
server_hello.data(), server_hello.len(), &buffer);
ProcessMessage(buffer, TlsAgent::STATE_CONNECTING);
@@ -83,8 +71,9 @@ TEST_P(TlsAgentTestClient13, CannedHello) {
TEST_P(TlsAgentTestClient13, EncryptedExtensionsInClear) {
DataBuffer server_hello;
MakeHandshakeMessage(kTlsHandshakeServerHello, kCannedTls13ServerHello,
sizeof(kCannedTls13ServerHello), &server_hello);
auto sh = MakeCannedTls13ServerHello();
MakeHandshakeMessage(kTlsHandshakeServerHello, sh.data(), sh.len(),
&server_hello);
DataBuffer encrypted_extensions;
MakeHandshakeMessage(kTlsHandshakeEncryptedExtensions, nullptr, 0,
&encrypted_extensions, 1);
@@ -100,19 +89,21 @@ TEST_P(TlsAgentTestClient13, EncryptedExtensionsInClear) {
TEST_F(TlsAgentStreamTestClient, EncryptedExtensionsInClearTwoPieces) {
DataBuffer server_hello;
MakeHandshakeMessage(kTlsHandshakeServerHello, kCannedTls13ServerHello,
sizeof(kCannedTls13ServerHello), &server_hello);
auto sh = MakeCannedTls13ServerHello();
MakeHandshakeMessage(kTlsHandshakeServerHello, sh.data(), sh.len(),
&server_hello);
DataBuffer encrypted_extensions;
MakeHandshakeMessage(kTlsHandshakeEncryptedExtensions, nullptr, 0,
&encrypted_extensions, 1);
server_hello.Append(encrypted_extensions);
DataBuffer buffer;
MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
server_hello.data(), 20, &buffer);
server_hello.data(), kFirstFragmentSize, &buffer);
DataBuffer buffer2;
MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
server_hello.data() + 20, server_hello.len() - 20, &buffer2);
server_hello.data() + kFirstFragmentSize,
server_hello.len() - kFirstFragmentSize, &buffer2);
EnsureInit();
agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
@@ -124,15 +115,15 @@ TEST_F(TlsAgentStreamTestClient, EncryptedExtensionsInClearTwoPieces) {
}
TEST_F(TlsAgentDgramTestClient, EncryptedExtensionsInClearTwoPieces) {
auto sh = MakeCannedTls13ServerHello();
DataBuffer server_hello_frag1;
MakeHandshakeMessageFragment(
kTlsHandshakeServerHello, kCannedTls13ServerHello,
sizeof(kCannedTls13ServerHello), &server_hello_frag1, 0, 0, 20);
MakeHandshakeMessageFragment(kTlsHandshakeServerHello, sh.data(), sh.len(),
&server_hello_frag1, 0, 0, kFirstFragmentSize);
DataBuffer server_hello_frag2;
MakeHandshakeMessageFragment(
kTlsHandshakeServerHello, kCannedTls13ServerHello + 20,
sizeof(kCannedTls13ServerHello), &server_hello_frag2, 0, 20,
sizeof(kCannedTls13ServerHello) - 20);
MakeHandshakeMessageFragment(kTlsHandshakeServerHello,
sh.data() + kFirstFragmentSize, sh.len(),
&server_hello_frag2, 0, kFirstFragmentSize,
sh.len() - kFirstFragmentSize);
DataBuffer encrypted_extensions;
MakeHandshakeMessage(kTlsHandshakeEncryptedExtensions, nullptr, 0,
&encrypted_extensions, 1);
@@ -154,6 +145,35 @@ TEST_F(TlsAgentDgramTestClient, EncryptedExtensionsInClearTwoPieces) {
SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
}
TEST_F(TlsAgentDgramTestClient, AckWithBogusLengthField) {
EnsureInit();
// Length doesn't match
const uint8_t ackBuf[] = {0x00, 0x08, 0x00};
DataBuffer record;
MakeRecord(variant_, kTlsAckType, SSL_LIBRARY_VERSION_TLS_1_2, ackBuf,
sizeof(ackBuf), &record, 0);
agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
SSL_LIBRARY_VERSION_TLS_1_3);
ExpectAlert(kTlsAlertDecodeError);
ProcessMessage(record, TlsAgent::STATE_ERROR,
SSL_ERROR_RX_MALFORMED_DTLS_ACK);
}
TEST_F(TlsAgentDgramTestClient, AckWithNonEvenLength) {
EnsureInit();
// Length isn't a multiple of 8
const uint8_t ackBuf[] = {0x00, 0x01, 0x00};
DataBuffer record;
MakeRecord(variant_, kTlsAckType, SSL_LIBRARY_VERSION_TLS_1_2, ackBuf,
sizeof(ackBuf), &record, 0);
agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
SSL_LIBRARY_VERSION_TLS_1_3);
// Because we haven't negotiated the version,
// ssl3_DecodeError() sends an older (pre-TLS error).
ExpectAlert(kTlsAlertIllegalParameter);
ProcessMessage(record, TlsAgent::STATE_ERROR, SSL_ERROR_BAD_SERVER);
}
TEST_F(TlsAgentStreamTestClient, Set0RttOptionThenWrite) {
EnsureInit();
agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
+46 -2
View File
@@ -155,8 +155,8 @@ TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
public:
TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& agent)
: TlsHandshakeFilter(agent, {kTlsHandshakeCertificateRequest}) {}
TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a, {kTlsHandshakeCertificateRequest}) {}
virtual PacketFilter::Action FilterHandshake(
const TlsHandshakeFilter::HandshakeHeader& header,
const DataBuffer& input, DataBuffer* output) {
@@ -366,6 +366,50 @@ TEST_P(TlsConnectTls12, SignatureAlgorithmDrop) {
server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
}
// Replaces the signature scheme in a TLS 1.3 CertificateVerify message.
class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
public:
TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
SSLSignatureScheme scheme)
: TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
scheme_(scheme) {
EnableDecryption();
}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
output->Write(0, scheme_, 2);
return CHANGE;
}
private:
SSLSignatureScheme scheme_;
};
TEST_P(TlsConnectTls13, UnsupportedSignatureSchemeAlert) {
EnsureTlsSetup();
MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(server_, ssl_sig_none);
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CERT_VERIFY);
}
TEST_P(TlsConnectTls13, InconsistentSignatureSchemeAlert) {
EnsureTlsSetup();
// This won't work because we use an RSA cert by default.
MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(
server_, ssl_sig_ecdsa_secp256r1_sha256);
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
}
TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
server_->SetSignatureSchemes(SignatureSchemeRsaSha384,
PR_ARRAY_SIZE(SignatureSchemeRsaSha384));
security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+6 -5
View File
@@ -166,8 +166,8 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
case ssl_calg_seed:
break;
}
EXPECT_TRUE(false) << "No limit for " << csinfo_.cipherSuiteName;
return 1ULL < 48;
ADD_FAILURE() << "No limit for " << csinfo_.cipherSuiteName;
return 0;
}
uint64_t last_safe_write() const {
@@ -246,12 +246,13 @@ TEST_P(TlsCipherSuiteTest, ReadLimit) {
client_->SendData(10, 10);
server_->ReadBytes(); // This should be OK.
server_->ReadBytes(); // Read twice to flush any 1,N-1 record splitting.
} else {
// In TLS 1.3, reading or writing triggers a KeyUpdate. That would mean
// that the sequence numbers would reset and we wouldn't hit the limit. So
// we move the sequence number to one less than the limit directly and don't
// test sending and receiving just before the limit.
uint64_t last = record_limit() - 1;
// move the sequence number to the limit directly and don't test sending and
// receiving just before the limit.
uint64_t last = record_limit();
EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), last));
}
security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
+1
View File
@@ -68,6 +68,7 @@ static const uint16_t kManyExtensions[] = {
ssl_next_proto_nego_xtn,
ssl_renegotiation_info_xtn,
ssl_tls13_short_header_xtn,
ssl_record_size_limit_xtn,
1,
0xffff};
// The list here includes all extensions we expect to use (SSL_MAX_EXTENSIONS),
security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
+56 -17
View File
@@ -103,8 +103,8 @@ TEST_P(TlsConnectGenericPre13, ConnectFfdheServer) {
class TlsDheServerKeyExchangeDamager : public TlsHandshakeFilter {
public:
TlsDheServerKeyExchangeDamager(const std::shared_ptr<TlsAgent>& agent)
: TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}) {}
TlsDheServerKeyExchangeDamager(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a, {kTlsHandshakeServerKeyExchange}) {}
virtual PacketFilter::Action FilterHandshake(
const TlsHandshakeFilter::HandshakeHeader& header,
const DataBuffer& input, DataBuffer* output) {
@@ -141,9 +141,9 @@ class TlsDheSkeChangeY : public TlsHandshakeFilter {
kYZeroPad
};
TlsDheSkeChangeY(const std::shared_ptr<TlsAgent>& agent,
uint8_t handshake_type, ChangeYTo change)
: TlsHandshakeFilter(agent, {handshake_type}), change_Y_(change) {}
TlsDheSkeChangeY(const std::shared_ptr<TlsAgent>& a, uint8_t handshake_type,
ChangeYTo change)
: TlsHandshakeFilter(a, {handshake_type}), change_Y_(change) {}
protected:
void ChangeY(const DataBuffer& input, DataBuffer* output, size_t offset,
@@ -208,9 +208,9 @@ class TlsDheSkeChangeY : public TlsHandshakeFilter {
class TlsDheSkeChangeYServer : public TlsDheSkeChangeY {
public:
TlsDheSkeChangeYServer(const std::shared_ptr<TlsAgent>& agent,
ChangeYTo change, bool modify)
: TlsDheSkeChangeY(agent, kTlsHandshakeServerKeyExchange, change),
TlsDheSkeChangeYServer(const std::shared_ptr<TlsAgent>& a, ChangeYTo change,
bool modify)
: TlsDheSkeChangeY(a, kTlsHandshakeServerKeyExchange, change),
modify_(modify),
p_() {}
@@ -247,9 +247,9 @@ class TlsDheSkeChangeYServer : public TlsDheSkeChangeY {
class TlsDheSkeChangeYClient : public TlsDheSkeChangeY {
public:
TlsDheSkeChangeYClient(
const std::shared_ptr<TlsAgent>& agent, ChangeYTo change,
const std::shared_ptr<TlsAgent>& a, ChangeYTo change,
std::shared_ptr<const TlsDheSkeChangeYServer> server_filter)
: TlsDheSkeChangeY(agent, kTlsHandshakeClientKeyExchange, change),
: TlsDheSkeChangeY(a, kTlsHandshakeClientKeyExchange, change),
server_filter_(server_filter) {}
protected:
@@ -357,8 +357,8 @@ INSTANTIATE_TEST_CASE_P(
class TlsDheSkeMakePEven : public TlsHandshakeFilter {
public:
TlsDheSkeMakePEven(const std::shared_ptr<TlsAgent>& agent)
: TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}) {}
TlsDheSkeMakePEven(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a, {kTlsHandshakeServerKeyExchange}) {}
virtual PacketFilter::Action FilterHandshake(
const TlsHandshakeFilter::HandshakeHeader& header,
@@ -390,8 +390,8 @@ TEST_P(TlsConnectGenericPre13, MakeDhePEven) {
class TlsDheSkeZeroPadP : public TlsHandshakeFilter {
public:
TlsDheSkeZeroPadP(const std::shared_ptr<TlsAgent>& agent)
: TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}) {}
TlsDheSkeZeroPadP(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a, {kTlsHandshakeServerKeyExchange}) {}
virtual PacketFilter::Action FilterHandshake(
const TlsHandshakeFilter::HandshakeHeader& header,
@@ -475,6 +475,45 @@ TEST_P(TlsConnectTls13, NamedGroupMismatch13) {
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}
// Replace the key share in the server key exchange message with one that's
// larger than 8192 bits.
class TooLongDHEServerKEXFilter : public TlsHandshakeFilter {
public:
TooLongDHEServerKEXFilter(const std::shared_ptr<TlsAgent>& server)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
// Replace the server key exchange message very large DH shares that are
// not supported by NSS.
const uint32_t share_len = 0x401;
const uint8_t zero_share[share_len] = {0x80};
size_t offset = 0;
// Write dh_p.
offset = output->Write(offset, share_len, 2);
offset = output->Write(offset, zero_share, share_len);
// Write dh_g.
offset = output->Write(offset, share_len, 2);
offset = output->Write(offset, zero_share, share_len);
// Write dh_Y.
offset = output->Write(offset, share_len, 2);
offset = output->Write(offset, zero_share, share_len);
return CHANGE;
}
};
TEST_P(TlsConnectGenericPre13, TooBigDHGroup) {
EnableOnlyDheCiphers();
MakeTlsFilter<TooLongDHEServerKEXFilter>(server_);
client_->SetOption(SSL_REQUIRE_DH_NAMED_GROUPS, PR_FALSE);
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
client_->CheckErrorCode(SSL_ERROR_DH_KEY_TOO_LONG);
}
// Even though the client doesn't have DHE groups enabled the server assumes it
// does. The client requires named groups and thus does not accept FF3072 as
// custom group in contrast to the previous test.
@@ -546,9 +585,9 @@ TEST_P(TlsConnectTls13, ResumeFfdhe) {
class TlsDheSkeChangeSignature : public TlsHandshakeFilter {
public:
TlsDheSkeChangeSignature(const std::shared_ptr<TlsAgent>& agent,
uint16_t version, const uint8_t* data, size_t len)
: TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}),
TlsDheSkeChangeSignature(const std::shared_ptr<TlsAgent>& a, uint16_t version,
const uint8_t* data, size_t len)
: TlsHandshakeFilter(a, {kTlsHandshakeServerKeyExchange}),
version_(version),
data_(data),
len_(len) {}
security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc
+97 -29
View File
@@ -66,7 +66,8 @@ TEST_P(TlsConnectDatagramPre13, DropServerSecondFlightThrice) {
Connect();
}
class TlsDropDatagram13 : public TlsConnectDatagram13 {
class TlsDropDatagram13 : public TlsConnectDatagram13,
public ::testing::WithParamInterface<bool> {
public:
TlsDropDatagram13()
: client_filters_(),
@@ -77,6 +78,9 @@ class TlsDropDatagram13 : public TlsConnectDatagram13 {
void SetUp() override {
TlsConnectDatagram13::SetUp();
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
int short_header = GetParam() ? PR_TRUE : PR_FALSE;
client_->SetOption(SSL_ENABLE_DTLS_SHORT_HEADER, short_header);
server_->SetOption(SSL_ENABLE_DTLS_SHORT_HEADER, short_header);
SetFilters();
}
@@ -138,10 +142,13 @@ class TlsDropDatagram13 : public TlsConnectDatagram13 {
void CheckAcks(const DropAckChain& chain, size_t index,
std::vector<uint64_t> acks) {
const DataBuffer& buf = chain.ack_->record(index).buffer;
size_t offset = 0;
size_t offset = 2;
uint64_t len;
EXPECT_EQ(acks.size() * 8, buf.len());
if ((acks.size() * 8) != buf.len()) {
EXPECT_EQ(2 + acks.size() * 8, buf.len());
ASSERT_TRUE(buf.Read(0, 2, &len));
ASSERT_EQ(static_cast<size_t>(len + 2), buf.len());
if ((2 + acks.size() * 8) != buf.len()) {
while (offset < buf.len()) {
uint64_t ack;
ASSERT_TRUE(buf.Read(offset, 8, &ack));
@@ -186,7 +193,7 @@ class TlsDropDatagram13 : public TlsConnectDatagram13 {
// to the client upon receiving the client Finished.
// Dropping complete first and second flights does not produce
// ACKs
TEST_F(TlsDropDatagram13, DropClientFirstFlightOnce) {
TEST_P(TlsDropDatagram13, DropClientFirstFlightOnce) {
client_filters_.drop_->Reset({0});
StartConnect();
client_->Handshake();
@@ -195,7 +202,7 @@ TEST_F(TlsDropDatagram13, DropClientFirstFlightOnce) {
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
}
TEST_F(TlsDropDatagram13, DropServerFirstFlightOnce) {
TEST_P(TlsDropDatagram13, DropServerFirstFlightOnce) {
server_filters_.drop_->Reset(0xff);
StartConnect();
client_->Handshake();
@@ -209,7 +216,7 @@ TEST_F(TlsDropDatagram13, DropServerFirstFlightOnce) {
// Dropping the server's first record also does not produce
// an ACK because the next record is ignored.
// TODO(ekr@rtfm.com): We should generate an empty ACK.
TEST_F(TlsDropDatagram13, DropServerFirstRecordOnce) {
TEST_P(TlsDropDatagram13, DropServerFirstRecordOnce) {
server_filters_.drop_->Reset({0});
StartConnect();
client_->Handshake();
@@ -221,7 +228,7 @@ TEST_F(TlsDropDatagram13, DropServerFirstRecordOnce) {
// Dropping the second packet of the server's flight should
// produce an ACK.
TEST_F(TlsDropDatagram13, DropServerSecondRecordOnce) {
TEST_P(TlsDropDatagram13, DropServerSecondRecordOnce) {
server_filters_.drop_->Reset({1});
StartConnect();
client_->Handshake();
@@ -235,7 +242,7 @@ TEST_F(TlsDropDatagram13, DropServerSecondRecordOnce) {
// Drop the server ACK and verify that the client retransmits
// the ClientHello.
TEST_F(TlsDropDatagram13, DropServerAckOnce) {
TEST_P(TlsDropDatagram13, DropServerAckOnce) {
StartConnect();
client_->Handshake();
server_->Handshake();
@@ -263,7 +270,7 @@ TEST_F(TlsDropDatagram13, DropServerAckOnce) {
}
// Drop the client certificate verify.
TEST_F(TlsDropDatagram13, DropClientCertVerify) {
TEST_P(TlsDropDatagram13, DropClientCertVerify) {
StartConnect();
client_->SetupClientAuth();
server_->RequestClientAuth(true);
@@ -284,7 +291,7 @@ TEST_F(TlsDropDatagram13, DropClientCertVerify) {
}
// Shrink the MTU down so that certs get split and drop the first piece.
TEST_F(TlsDropDatagram13, DropFirstHalfOfServerCertificate) {
TEST_P(TlsDropDatagram13, DropFirstHalfOfServerCertificate) {
server_filters_.drop_->Reset({2});
StartConnect();
ShrinkPostServerHelloMtu();
@@ -311,7 +318,7 @@ TEST_F(TlsDropDatagram13, DropFirstHalfOfServerCertificate) {
}
// Shrink the MTU down so that certs get split and drop the second piece.
TEST_F(TlsDropDatagram13, DropSecondHalfOfServerCertificate) {
TEST_P(TlsDropDatagram13, DropSecondHalfOfServerCertificate) {
server_filters_.drop_->Reset({3});
StartConnect();
ShrinkPostServerHelloMtu();
@@ -524,11 +531,11 @@ class TlsFragmentationAndRecoveryTest : public TlsDropDatagram13 {
size_t cert_len_;
};
TEST_F(TlsFragmentationAndRecoveryTest, DropFirstHalf) { RunTest(0); }
TEST_P(TlsFragmentationAndRecoveryTest, DropFirstHalf) { RunTest(0); }
TEST_F(TlsFragmentationAndRecoveryTest, DropSecondHalf) { RunTest(1); }
TEST_P(TlsFragmentationAndRecoveryTest, DropSecondHalf) { RunTest(1); }
TEST_F(TlsDropDatagram13, NoDropsDuringZeroRtt) {
TEST_P(TlsDropDatagram13, NoDropsDuringZeroRtt) {
SetupForZeroRtt();
SetFilters();
std::cerr << "Starting second handshake" << std::endl;
@@ -546,7 +553,7 @@ TEST_F(TlsDropDatagram13, NoDropsDuringZeroRtt) {
0x0002000000000000ULL}); // Finished
}
TEST_F(TlsDropDatagram13, DropEEDuringZeroRtt) {
TEST_P(TlsDropDatagram13, DropEEDuringZeroRtt) {
SetupForZeroRtt();
SetFilters();
std::cerr << "Starting second handshake" << std::endl;
@@ -591,7 +598,7 @@ class TlsReorderDatagram13 : public TlsDropDatagram13 {
// Reorder the server records so that EE comes at the end
// of the flight and will still produce an ACK.
TEST_F(TlsDropDatagram13, ReorderServerEE) {
TEST_P(TlsDropDatagram13, ReorderServerEE) {
server_filters_.drop_->Reset({1});
StartConnect();
client_->Handshake();
@@ -647,7 +654,7 @@ class TlsSendCipherSpecCapturer {
std::vector<std::shared_ptr<TlsCipherSpec>> send_cipher_specs_;
};
TEST_F(TlsDropDatagram13, SendOutOfOrderAppWithHandshakeKey) {
TEST_P(TlsDropDatagram13, SendOutOfOrderAppWithHandshakeKey) {
StartConnect();
TlsSendCipherSpecCapturer capturer(client_);
client_->Handshake();
@@ -662,9 +669,9 @@ TEST_F(TlsDropDatagram13, SendOutOfOrderAppWithHandshakeKey) {
auto spec = capturer.spec(0);
ASSERT_NE(nullptr, spec.get());
ASSERT_EQ(2, spec->epoch());
ASSERT_TRUE(client_->SendEncryptedRecord(
spec, SSL_LIBRARY_VERSION_DTLS_1_2_WIRE, 0x0002000000000002,
kTlsApplicationDataType, DataBuffer(buf, sizeof(buf))));
ASSERT_TRUE(client_->SendEncryptedRecord(spec, 0x0002000000000002,
kTlsApplicationDataType,
DataBuffer(buf, sizeof(buf))));
// Now have the server consume the bogus message.
server_->ExpectSendAlert(illegal_parameter, kTlsAlertFatal);
@@ -673,7 +680,7 @@ TEST_F(TlsDropDatagram13, SendOutOfOrderAppWithHandshakeKey) {
EXPECT_EQ(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE, PORT_GetError());
}
TEST_F(TlsDropDatagram13, SendOutOfOrderHsNonsenseWithHandshakeKey) {
TEST_P(TlsDropDatagram13, SendOutOfOrderHsNonsenseWithHandshakeKey) {
StartConnect();
TlsSendCipherSpecCapturer capturer(client_);
client_->Handshake();
@@ -688,9 +695,9 @@ TEST_F(TlsDropDatagram13, SendOutOfOrderHsNonsenseWithHandshakeKey) {
auto spec = capturer.spec(0);
ASSERT_NE(nullptr, spec.get());
ASSERT_EQ(2, spec->epoch());
ASSERT_TRUE(client_->SendEncryptedRecord(
spec, SSL_LIBRARY_VERSION_DTLS_1_2_WIRE, 0x0002000000000002,
kTlsHandshakeType, DataBuffer(buf, sizeof(buf))));
ASSERT_TRUE(client_->SendEncryptedRecord(spec, 0x0002000000000002,
kTlsHandshakeType,
DataBuffer(buf, sizeof(buf))));
server_->Handshake();
EXPECT_EQ(2UL, server_filters_.ack_->count());
// The server acknowledges client Finished twice.
@@ -700,7 +707,7 @@ TEST_F(TlsDropDatagram13, SendOutOfOrderHsNonsenseWithHandshakeKey) {
// Shrink the MTU down so that certs get split and then swap the first and
// second pieces of the server certificate.
TEST_F(TlsReorderDatagram13, ReorderServerCertificate) {
TEST_P(TlsReorderDatagram13, ReorderServerCertificate) {
StartConnect();
ShrinkPostServerHelloMtu();
client_->Handshake();
@@ -722,7 +729,7 @@ TEST_F(TlsReorderDatagram13, ReorderServerCertificate) {
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
}
TEST_F(TlsReorderDatagram13, DataAfterEOEDDuringZeroRtt) {
TEST_P(TlsReorderDatagram13, DataAfterEOEDDuringZeroRtt) {
SetupForZeroRtt();
SetFilters();
std::cerr << "Starting second handshake" << std::endl;
@@ -761,7 +768,7 @@ TEST_F(TlsReorderDatagram13, DataAfterEOEDDuringZeroRtt) {
EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
}
TEST_F(TlsReorderDatagram13, DataAfterFinDuringZeroRtt) {
TEST_P(TlsReorderDatagram13, DataAfterFinDuringZeroRtt) {
SetupForZeroRtt();
SetFilters();
std::cerr << "Starting second handshake" << std::endl;
@@ -812,12 +819,17 @@ static void GetCipherAndLimit(uint16_t version, uint16_t* cipher,
*cipher = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
*limit = (1ULL << 48) - 1;
} else {
// This test probably isn't especially useful for TLS 1.3, which has a much
// shorter sequence number encoding. That space can probably be searched in
// a reasonable amount of time.
*cipher = TLS_CHACHA20_POLY1305_SHA256;
*limit = (1ULL << 48) - 1;
// Assume that we are starting with an expected sequence number of 0.
*limit = (1ULL << 29) - 1;
}
}
// This simulates a huge number of drops on one side.
// See Bug 12965514 where a large gap was handled very inefficiently.
TEST_P(TlsConnectDatagram, MissLotsOfPackets) {
uint16_t cipher;
uint64_t limit;
@@ -834,6 +846,17 @@ TEST_P(TlsConnectDatagram, MissLotsOfPackets) {
SendReceive();
}
// Send a sequence number of 0xfffffffd and it should be interpreted as that
// (and not -3 or UINT64_MAX - 2).
TEST_F(TlsConnectDatagram13, UnderflowSequenceNumber) {
Connect();
// This is only valid if short headers are disabled.
client_->SetOption(SSL_ENABLE_DTLS_SHORT_HEADER, PR_FALSE);
EXPECT_EQ(SECSuccess,
SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), (1ULL << 30) - 3));
SendReceive();
}
class TlsConnectDatagram12Plus : public TlsConnectDatagram {
public:
TlsConnectDatagram12Plus() : TlsConnectDatagram() {}
@@ -861,9 +884,54 @@ TEST_P(TlsConnectDatagram12Plus, MissAWindowAndOne) {
SendReceive();
}
// This filter replaces the first record it sees with junk application data.
class TlsReplaceFirstRecordWithJunk : public TlsRecordFilter {
public:
TlsReplaceFirstRecordWithJunk(const std::shared_ptr<TlsAgent>& a)
: TlsRecordFilter(a), replaced_(false) {}
protected:
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& record, size_t* offset,
DataBuffer* output) override {
if (replaced_) {
return KEEP;
}
replaced_ = true;
TlsRecordHeader out_header(header.variant(), header.version(),
kTlsApplicationDataType,
header.sequence_number());
static const uint8_t junk[] = {1, 2, 3, 4};
*offset = out_header.Write(output, *offset, DataBuffer(junk, sizeof(junk)));
return CHANGE;
}
private:
bool replaced_;
};
// DTLS needs to discard application_data that it receives prior to handshake
// completion, not generate an error.
TEST_P(TlsConnectDatagram, ReplaceFirstServerRecordWithApplicationData) {
MakeTlsFilter<TlsReplaceFirstRecordWithJunk>(server_);
Connect();
}
TEST_P(TlsConnectDatagram, ReplaceFirstClientRecordWithApplicationData) {
MakeTlsFilter<TlsReplaceFirstRecordWithJunk>(client_);
Connect();
}
INSTANTIATE_TEST_CASE_P(Datagram12Plus, TlsConnectDatagram12Plus,
TlsConnectTestBase::kTlsV12Plus);
INSTANTIATE_TEST_CASE_P(DatagramPre13, TlsConnectDatagramPre13,
TlsConnectTestBase::kTlsV11V12);
INSTANTIATE_TEST_CASE_P(DatagramDrop13, TlsDropDatagram13,
::testing::Values(true, false));
INSTANTIATE_TEST_CASE_P(DatagramReorder13, TlsReorderDatagram13,
::testing::Values(true, false));
INSTANTIATE_TEST_CASE_P(DatagramFragment13, TlsFragmentationAndRecoveryTest,
::testing::Values(true, false));
} // namespace nss_test
security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+109 -2
View File
@@ -192,8 +192,8 @@ TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {
class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter {
public:
TlsKeyExchangeGroupCapture(const std::shared_ptr<TlsAgent> &agent)
: TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}),
TlsKeyExchangeGroupCapture(const std::shared_ptr<TlsAgent> &a)
: TlsHandshakeFilter(a, {kTlsHandshakeServerKeyExchange}),
group_(ssl_grp_none) {}
SSLNamedGroup group() const { return group_; }
@@ -559,6 +559,113 @@ TEST_P(TlsConnectGenericPre13, ConnectECDHEmptyClientPoint) {
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH);
}
// Damage ECParams/ECPoint of a SKE.
class ECCServerKEXDamager : public TlsHandshakeFilter {
public:
ECCServerKEXDamager(const std::shared_ptr<TlsAgent> &server, ECType ec_type,
SSLNamedGroup named_curve)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
ec_type_(ec_type),
named_curve_(named_curve) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader &header,
const DataBuffer &input,
DataBuffer *output) {
size_t offset = 0;
output->Allocate(5);
offset = output->Write(offset, ec_type_, 1);
offset = output->Write(offset, named_curve_, 2);
// Write a point with fmt != EC_POINT_FORM_UNCOMPRESSED.
offset = output->Write(offset, 1U, 1);
(void)output->Write(offset, 0x02, 1); // EC_POINT_FORM_COMPRESSED_Y0
return CHANGE;
}
private:
ECType ec_type_;
SSLNamedGroup named_curve_;
};
TEST_P(TlsConnectGenericPre13, ConnectUnsupportedCurveType) {
EnsureTlsSetup();
client_->DisableAllCiphers();
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
MakeTlsFilter<ECCServerKEXDamager>(server_, ec_type_explicitPrime,
ssl_grp_none);
ConnectExpectAlert(client_, kTlsAlertHandshakeFailure);
client_->CheckErrorCode(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
}
TEST_P(TlsConnectGenericPre13, ConnectUnsupportedCurve) {
EnsureTlsSetup();
client_->DisableAllCiphers();
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
MakeTlsFilter<ECCServerKEXDamager>(server_, ec_type_named,
ssl_grp_ffdhe_2048);
ConnectExpectAlert(client_, kTlsAlertHandshakeFailure);
client_->CheckErrorCode(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
}
TEST_P(TlsConnectGenericPre13, ConnectUnsupportedPointFormat) {
EnsureTlsSetup();
client_->DisableAllCiphers();
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
MakeTlsFilter<ECCServerKEXDamager>(server_, ec_type_named,
ssl_grp_ec_secp256r1);
ConnectExpectAlert(client_, kTlsAlertHandshakeFailure);
client_->CheckErrorCode(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);
}
// Replace SignatureAndHashAlgorithm of a SKE.
class ECCServerKEXSigAlgReplacer : public TlsHandshakeFilter {
public:
ECCServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent> &server,
SSLSignatureScheme sig_scheme)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
sig_scheme_(sig_scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader &header,
const DataBuffer &input,
DataBuffer *output) {
*output = input;
uint32_t point_len;
EXPECT_TRUE(output->Read(3, 1, &point_len));
output->Write(4 + point_len, sig_scheme_, 2);
return CHANGE;
}
private:
SSLSignatureScheme sig_scheme_;
};
TEST_P(TlsConnectTls12, ConnectUnsupportedSigAlg) {
EnsureTlsSetup();
client_->DisableAllCiphers();
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
MakeTlsFilter<ECCServerKEXSigAlgReplacer>(server_, ssl_sig_none);
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
}
TEST_P(TlsConnectTls12, ConnectIncorrectSigAlg) {
EnsureTlsSetup();
client_->DisableAllCiphers();
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
MakeTlsFilter<ECCServerKEXSigAlgReplacer>(server_,
ssl_sig_ecdsa_secp256r1_sha256);
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
}
INSTANTIATE_TEST_CASE_P(KeyExchangeTest, TlsKeyExchangeTest,
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
TlsConnectTestBase::kTlsV11Plus));
security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
+19 -16
View File
@@ -19,9 +19,9 @@ namespace nss_test {
class TlsExtensionTruncator : public TlsExtensionFilter {
public:
TlsExtensionTruncator(const std::shared_ptr<TlsAgent>& agent,
uint16_t extension, size_t length)
: TlsExtensionFilter(agent), extension_(extension), length_(length) {}
TlsExtensionTruncator(const std::shared_ptr<TlsAgent>& a, uint16_t extension,
size_t length)
: TlsExtensionFilter(a), extension_(extension), length_(length) {}
virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
const DataBuffer& input,
DataBuffer* output) {
@@ -43,9 +43,9 @@ class TlsExtensionTruncator : public TlsExtensionFilter {
class TlsExtensionDamager : public TlsExtensionFilter {
public:
TlsExtensionDamager(const std::shared_ptr<TlsAgent>& agent,
uint16_t extension, size_t index)
: TlsExtensionFilter(agent), extension_(extension), index_(index) {}
TlsExtensionDamager(const std::shared_ptr<TlsAgent>& a, uint16_t extension,
size_t index)
: TlsExtensionFilter(a), extension_(extension), index_(index) {}
virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
const DataBuffer& input,
DataBuffer* output) {
@@ -65,11 +65,9 @@ class TlsExtensionDamager : public TlsExtensionFilter {
class TlsExtensionAppender : public TlsHandshakeFilter {
public:
TlsExtensionAppender(const std::shared_ptr<TlsAgent>& agent,
TlsExtensionAppender(const std::shared_ptr<TlsAgent>& a,
uint8_t handshake_type, uint16_t ext, DataBuffer& data)
: TlsHandshakeFilter(agent, {handshake_type}),
extension_(ext),
data_(data) {}
: TlsHandshakeFilter(a, {handshake_type}), extension_(ext), data_(data) {}
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
@@ -323,7 +321,15 @@ TEST_P(TlsExtensionTestGeneric, AlpnMissingValue) {
TEST_P(TlsExtensionTestGeneric, AlpnZeroLength) {
EnableAlpn();
const uint8_t val[] = {0x01, 0x61, 0x00};
const uint8_t val[] = {0x00, 0x03, 0x01, 0x61, 0x00};
DataBuffer extension(val, sizeof(val));
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
client_, ssl_app_layer_protocol_xtn, extension));
}
TEST_P(TlsExtensionTestGeneric, AlpnLengthOverflow) {
EnableAlpn();
const uint8_t val[] = {0x00, 0x03, 0x01, 0x61, 0x01};
DataBuffer extension(val, sizeof(val));
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
client_, ssl_app_layer_protocol_xtn, extension));
@@ -628,12 +634,9 @@ typedef std::function<void(TlsPreSharedKeyReplacer*)>
class TlsPreSharedKeyReplacer : public TlsExtensionFilter {
public:
TlsPreSharedKeyReplacer(const std::shared_ptr<TlsAgent>& agent,
TlsPreSharedKeyReplacer(const std::shared_ptr<TlsAgent>& a,
TlsPreSharedKeyReplacerFunc function)
: TlsExtensionFilter(agent),
identities_(),
binders_(),
function_(function) {}
: TlsExtensionFilter(a), identities_(), binders_(), function_(function) {}
static size_t CopyAndMaybeReplace(TlsParser* parser, size_t size,
const std::unique_ptr<DataBuffer>& replace,
security/nss/gtests/ssl_gtest/ssl_fragment_unittest.cc
+17 -11
View File
@@ -20,14 +20,16 @@ namespace nss_test {
// This class cuts every unencrypted handshake record into two parts.
class RecordFragmenter : public PacketFilter {
public:
RecordFragmenter() : sequence_number_(0), splitting_(true) {}
RecordFragmenter(bool is_dtls13)
: is_dtls13_(is_dtls13), sequence_number_(0), splitting_(true) {}
private:
class HandshakeSplitter {
public:
HandshakeSplitter(const DataBuffer& input, DataBuffer* output,
uint64_t* sequence_number)
: input_(input),
HandshakeSplitter(bool is_dtls13, const DataBuffer& input,
DataBuffer* output, uint64_t* sequence_number)
: is_dtls13_(is_dtls13),
input_(input),
output_(output),
cursor_(0),
sequence_number_(sequence_number) {}
@@ -35,9 +37,9 @@ class RecordFragmenter : public PacketFilter {
private:
void WriteRecord(TlsRecordHeader& record_header,
DataBuffer& record_fragment) {
TlsRecordHeader fragment_header(record_header.version(),
record_header.content_type(),
*sequence_number_);
TlsRecordHeader fragment_header(
record_header.variant(), record_header.version(),
record_header.content_type(), *sequence_number_);
++*sequence_number_;
if (::g_ssl_gtest_verbose) {
std::cerr << "Fragment: " << fragment_header << ' ' << record_fragment
@@ -88,7 +90,7 @@ class RecordFragmenter : public PacketFilter {
while (parser.remaining()) {
TlsRecordHeader header;
DataBuffer record;
if (!header.Parse(0, &parser, &record)) {
if (!header.Parse(is_dtls13_, 0, &parser, &record)) {
ADD_FAILURE() << "bad record header";
return false;
}
@@ -118,6 +120,7 @@ class RecordFragmenter : public PacketFilter {
}
private:
bool is_dtls13_;
const DataBuffer& input_;
DataBuffer* output_;
size_t cursor_;
@@ -132,7 +135,7 @@ class RecordFragmenter : public PacketFilter {
}
output->Allocate(input.len());
HandshakeSplitter splitter(input, output, &sequence_number_);
HandshakeSplitter splitter(is_dtls13_, input, output, &sequence_number_);
if (!splitter.Split()) {
// If splitting fails, we obviously reached encrypted packets.
// Stop splitting from that point onward.
@@ -144,18 +147,21 @@ class RecordFragmenter : public PacketFilter {
}
private:
bool is_dtls13_;
uint64_t sequence_number_;
bool splitting_;
};
TEST_P(TlsConnectDatagram, FragmentClientPackets) {
client_->SetFilter(std::make_shared<RecordFragmenter>());
bool is_dtls13 = version_ >= SSL_LIBRARY_VERSION_TLS_1_3;
client_->SetFilter(std::make_shared<RecordFragmenter>(is_dtls13));
Connect();
SendReceive();
}
TEST_P(TlsConnectDatagram, FragmentServerPackets) {
server_->SetFilter(std::make_shared<RecordFragmenter>());
bool is_dtls13 = version_ >= SSL_LIBRARY_VERSION_TLS_1_3;
server_->SetFilter(std::make_shared<RecordFragmenter>(is_dtls13));
Connect();
SendReceive();
}
security/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc
+2 -2
View File
@@ -27,8 +27,8 @@ class TlsFuzzTest : public ::testing::Test {};
// Record the application data stream.
class TlsApplicationDataRecorder : public TlsRecordFilter {
public:
TlsApplicationDataRecorder(const std::shared_ptr<TlsAgent>& agent)
: TlsRecordFilter(agent), buffer_() {}
TlsApplicationDataRecorder(const std::shared_ptr<TlsAgent>& a)
: TlsRecordFilter(a), buffer_() {}
virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& input,
security/nss/gtests/ssl_gtest/ssl_gtest.gyp
+1
View File
@@ -37,6 +37,7 @@
'ssl_loopback_unittest.cc',
'ssl_misc_unittest.cc',
'ssl_record_unittest.cc',
'ssl_recordsize_unittest.cc',
'ssl_resumption_unittest.cc',
'ssl_renegotiation_unittest.cc',
'ssl_skip_unittest.cc',
security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
+129 -7
View File
@@ -69,8 +69,8 @@ TEST_P(TlsConnectTls13, HelloRetryRequestAbortsZeroRtt) {
// handshake packets, this will break.
class CorrectMessageSeqAfterHrrFilter : public TlsRecordFilter {
public:
CorrectMessageSeqAfterHrrFilter(const std::shared_ptr<TlsAgent>& agent)
: TlsRecordFilter(agent) {}
CorrectMessageSeqAfterHrrFilter(const std::shared_ptr<TlsAgent>& a)
: TlsRecordFilter(a) {}
protected:
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
@@ -81,8 +81,9 @@ class CorrectMessageSeqAfterHrrFilter : public TlsRecordFilter {
}
DataBuffer buffer(record);
TlsRecordHeader new_header = {header.version(), header.content_type(),
header.sequence_number() + 1};
TlsRecordHeader new_header(header.variant(), header.version(),
header.content_type(),
header.sequence_number() + 1);
// Correct message_seq.
buffer.Write(4, 1U, 2);
@@ -151,8 +152,8 @@ TEST_P(TlsConnectTls13, SecondClientHelloRejectEarlyDataXtn) {
class KeyShareReplayer : public TlsExtensionFilter {
public:
KeyShareReplayer(const std::shared_ptr<TlsAgent>& agent)
: TlsExtensionFilter(agent) {}
KeyShareReplayer(const std::shared_ptr<TlsAgent>& a)
: TlsExtensionFilter(a) {}
virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
const DataBuffer& input,
@@ -567,6 +568,28 @@ void TriggerHelloRetryRequest(std::shared_ptr<TlsAgent>& client,
client->Handshake();
server->Handshake();
EXPECT_EQ(1U, cb_called);
// Stop the callback from being called in future handshakes.
EXPECT_EQ(SECSuccess,
SSL_HelloRetryRequestCallback(server->ssl_fd(), nullptr, nullptr));
}
TEST_P(TlsConnectTls13, VersionNumbersAfterRetry) {
ConfigureSelfEncrypt();
EnsureTlsSetup();
auto r = MakeTlsFilter<TlsRecordRecorder>(client_);
TriggerHelloRetryRequest(client_, server_);
Handshake();
ASSERT_GT(r->count(), 1UL);
auto ch1 = r->record(0);
if (ch1.header.is_dtls()) {
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, ch1.header.version());
} else {
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, ch1.header.version());
}
auto ch2 = r->record(1);
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, ch2.header.version());
CheckConnected();
}
TEST_P(TlsConnectTls13, RetryStateless) {
@@ -577,6 +600,7 @@ TEST_P(TlsConnectTls13, RetryStateless) {
MakeNewServer();
Handshake();
CheckConnected();
SendReceive();
}
@@ -593,6 +617,68 @@ TEST_P(TlsConnectTls13, RetryStatefulDropCookie) {
server_->CheckErrorCode(SSL_ERROR_MISSING_COOKIE_EXTENSION);
}
class TruncateHrrCookie : public TlsExtensionFilter {
public:
TruncateHrrCookie(const std::shared_ptr<TlsAgent>& a)
: TlsExtensionFilter(a) {}
virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
const DataBuffer& input,
DataBuffer* output) {
if (extension_type != ssl_tls13_cookie_xtn) {
return KEEP;
}
// Claim a zero-length cookie.
output->Allocate(2);
output->Write(0, static_cast<uint32_t>(0), 2);
return CHANGE;
}
};
TEST_P(TlsConnectTls13, RetryCookieEmpty) {
ConfigureSelfEncrypt();
EnsureTlsSetup();
TriggerHelloRetryRequest(client_, server_);
MakeTlsFilter<TruncateHrrCookie>(client_);
ExpectAlert(server_, kTlsAlertHandshakeFailure);
Handshake();
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
}
class AddJunkToCookie : public TlsExtensionFilter {
public:
AddJunkToCookie(const std::shared_ptr<TlsAgent>& a) : TlsExtensionFilter(a) {}
virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
const DataBuffer& input,
DataBuffer* output) {
if (extension_type != ssl_tls13_cookie_xtn) {
return KEEP;
}
*output = input;
// Add junk after the cookie.
static const uint8_t junk[2] = {1, 2};
output->Append(DataBuffer(junk, sizeof(junk)));
return CHANGE;
}
};
TEST_P(TlsConnectTls13, RetryCookieWithExtras) {
ConfigureSelfEncrypt();
EnsureTlsSetup();
TriggerHelloRetryRequest(client_, server_);
MakeTlsFilter<AddJunkToCookie>(client_);
ExpectAlert(server_, kTlsAlertHandshakeFailure);
Handshake();
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
}
// Stream only because DTLS drops bad packets.
TEST_F(TlsConnectStreamTls13, RetryStatelessDamageFirstClientHello) {
ConfigureSelfEncrypt();
@@ -907,7 +993,10 @@ class HelloRetryRequestAgentTest : public TlsAgentTestClient {
hrr_data.Allocate(len + 6);
size_t i = 0;
i = hrr_data.Write(i, 0x0303, 2);
i = hrr_data.Write(i, variant_ == ssl_variant_datagram
? SSL_LIBRARY_VERSION_DTLS_1_2_WIRE
: SSL_LIBRARY_VERSION_TLS_1_2,
2);
i = hrr_data.Write(i, ssl_hello_retry_random,
sizeof(ssl_hello_retry_random));
i = hrr_data.Write(i, static_cast<uint32_t>(0), 1); // session_id
@@ -973,6 +1062,39 @@ TEST_P(HelloRetryRequestAgentTest, HandleNoopHelloRetryRequest) {
SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST);
}
class ReplaceRandom : public TlsHandshakeFilter {
public:
ReplaceRandom(const std::shared_ptr<TlsAgent>& a, const DataBuffer& r)
: TlsHandshakeFilter(a, {kTlsHandshakeServerHello}), random_(r) {}
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) override {
output->Assign(input);
output->Write(2, random_);
return CHANGE;
}
private:
DataBuffer random_;
};
// Make sure that the TLS 1.3 special value for the ServerHello.random
// is rejected by earlier versions.
TEST_P(TlsConnectStreamPre13, HrrRandomOnTls10) {
static const uint8_t hrr_random[] = {
0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C,
0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB,
0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C};
EnsureTlsSetup();
MakeTlsFilter<ReplaceRandom>(server_,
DataBuffer(hrr_random, sizeof(hrr_random)));
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
INSTANTIATE_TEST_CASE_P(HelloRetryRequestAgentTests, HelloRetryRequestAgentTest,
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
TlsConnectTestBase::kTlsV13));
security/nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
+60 -11
View File
@@ -56,8 +56,8 @@ TEST_P(TlsConnectGeneric, CipherSuiteMismatch) {
class TlsAlertRecorder : public TlsRecordFilter {
public:
TlsAlertRecorder(const std::shared_ptr<TlsAgent>& agent)
: TlsRecordFilter(agent), level_(255), description_(255) {}
TlsAlertRecorder(const std::shared_ptr<TlsAgent>& a)
: TlsRecordFilter(a), level_(255), description_(255) {}
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& input,
@@ -87,9 +87,9 @@ class TlsAlertRecorder : public TlsRecordFilter {
class HelloTruncator : public TlsHandshakeFilter {
public:
HelloTruncator(const std::shared_ptr<TlsAgent>& agent)
HelloTruncator(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(
agent, {kTlsHandshakeClientHello, kTlsHandshakeServerHello}) {}
a, {kTlsHandshakeClientHello, kTlsHandshakeServerHello}) {}
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) override {
@@ -149,6 +149,27 @@ TEST_P(TlsConnectGeneric, ConnectAlpn) {
CheckAlpn("a");
}
TEST_P(TlsConnectGeneric, ConnectAlpnPriorityA) {
// "alpn" "npn"
// alpn is the fallback here. npn has the highest priority and should be
// picked.
const std::vector<uint8_t> alpn = {0x04, 0x61, 0x6c, 0x70, 0x6e,
0x03, 0x6e, 0x70, 0x6e};
EnableAlpn(alpn);
Connect();
CheckAlpn("npn");
}
TEST_P(TlsConnectGeneric, ConnectAlpnPriorityB) {
// "alpn" "npn" "http"
// npn has the highest priority and should be picked.
const std::vector<uint8_t> alpn = {0x04, 0x61, 0x6c, 0x70, 0x6e, 0x03, 0x6e,
0x70, 0x6e, 0x04, 0x68, 0x74, 0x74, 0x70};
EnableAlpn(alpn);
Connect();
CheckAlpn("npn");
}
TEST_P(TlsConnectGeneric, ConnectAlpnClone) {
EnsureModelSockets();
client_model_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_));
@@ -157,6 +178,33 @@ TEST_P(TlsConnectGeneric, ConnectAlpnClone) {
CheckAlpn("a");
}
TEST_P(TlsConnectGeneric, ConnectAlpnWithCustomCallbackA) {
// "ab" "alpn"
const std::vector<uint8_t> client_alpn = {0x02, 0x61, 0x62, 0x04,
0x61, 0x6c, 0x70, 0x6e};
EnableAlpnWithCallback(client_alpn, "alpn");
Connect();
CheckAlpn("alpn");
}
TEST_P(TlsConnectGeneric, ConnectAlpnWithCustomCallbackB) {
// "ab" "alpn"
const std::vector<uint8_t> client_alpn = {0x02, 0x61, 0x62, 0x04,
0x61, 0x6c, 0x70, 0x6e};
EnableAlpnWithCallback(client_alpn, "ab");
Connect();
CheckAlpn("ab");
}
TEST_P(TlsConnectGeneric, ConnectAlpnWithCustomCallbackC) {
// "cd" "npn" "alpn"
const std::vector<uint8_t> client_alpn = {0x02, 0x63, 0x64, 0x03, 0x6e, 0x70,
0x6e, 0x04, 0x61, 0x6c, 0x70, 0x6e};
EnableAlpnWithCallback(client_alpn, "npn");
Connect();
CheckAlpn("npn");
}
TEST_P(TlsConnectDatagram, ConnectSrtp) {
EnableSrtp();
Connect();
@@ -171,8 +219,8 @@ TEST_P(TlsConnectGeneric, ConnectSendReceive) {
class SaveTlsRecord : public TlsRecordFilter {
public:
SaveTlsRecord(const std::shared_ptr<TlsAgent>& agent, size_t index)
: TlsRecordFilter(agent), index_(index), count_(0), contents_() {}
SaveTlsRecord(const std::shared_ptr<TlsAgent>& a, size_t index)
: TlsRecordFilter(a), index_(index), count_(0), contents_() {}
const DataBuffer& contents() const { return contents_; }
@@ -227,8 +275,8 @@ TEST_F(TlsConnectStreamTls13, DecryptRecordServer) {
class DropTlsRecord : public TlsRecordFilter {
public:
DropTlsRecord(const std::shared_ptr<TlsAgent>& agent, size_t index)
: TlsRecordFilter(agent), index_(index), count_(0) {}
DropTlsRecord(const std::shared_ptr<TlsAgent>& a, size_t index)
: TlsRecordFilter(a), index_(index), count_(0) {}
protected:
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
@@ -373,8 +421,8 @@ TEST_P(TlsHolddownTest, TestDtlsHolddownExpiryResumption) {
class TlsPreCCSHeaderInjector : public TlsRecordFilter {
public:
TlsPreCCSHeaderInjector(const std::shared_ptr<TlsAgent>& agent)
: TlsRecordFilter(agent) {}
TlsPreCCSHeaderInjector(const std::shared_ptr<TlsAgent>& a)
: TlsRecordFilter(a) {}
virtual PacketFilter::Action FilterRecord(
const TlsRecordHeader& record_header, const DataBuffer& input,
size_t* offset, DataBuffer* output) override {
@@ -383,7 +431,8 @@ class TlsPreCCSHeaderInjector : public TlsRecordFilter {
std::cerr << "Injecting Finished header before CCS\n";
const uint8_t hhdr[] = {kTlsHandshakeFinished, 0x00, 0x00, 0x0c};
DataBuffer hhdr_buf(hhdr, sizeof(hhdr));
TlsRecordHeader nhdr(record_header.version(), kTlsHandshakeType, 0);
TlsRecordHeader nhdr(record_header.variant(), record_header.version(),
kTlsHandshakeType, 0);
*offset = nhdr.Write(output, *offset, hhdr_buf);
*offset = record_header.Write(output, *offset, input);
return CHANGE;
security/nss/gtests/ssl_gtest/ssl_record_unittest.cc
+47 -10
View File
@@ -103,16 +103,14 @@ TEST_P(TlsPaddingTest, LastByteOfPadWrong) {
class RecordReplacer : public TlsRecordFilter {
public:
RecordReplacer(const std::shared_ptr<TlsAgent>& agent, size_t size)
: TlsRecordFilter(agent), enabled_(false), size_(size) {}
RecordReplacer(const std::shared_ptr<TlsAgent>& a, size_t size)
: TlsRecordFilter(a), size_(size) {
Disable();
}
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& data,
DataBuffer* changed) override {
if (!enabled_) {
return KEEP;
}
EXPECT_EQ(kTlsApplicationDataType, header.content_type());
changed->Allocate(size_);
@@ -120,17 +118,33 @@ class RecordReplacer : public TlsRecordFilter {
changed->data()[i] = i & 0xff;
}
enabled_ = false;
Disable();
return CHANGE;
}
void Enable() { enabled_ = true; }
private:
bool enabled_;
size_t size_;
};
TEST_P(TlsConnectStream, BadRecordMac) {
EnsureTlsSetup();
Connect();
client_->SetFilter(std::make_shared<TlsRecordLastByteDamager>(client_));
ExpectAlert(server_, kTlsAlertBadRecordMac);
client_->SendData(10);
// Read from the client, get error.
uint8_t buf[10];
PRInt32 rv = PR_Read(server_->ssl_fd(), buf, sizeof(buf));
EXPECT_GT(0, rv);
EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, PORT_GetError());
// Read the server alert.
rv = PR_Read(client_->ssl_fd(), buf, sizeof(buf));
EXPECT_GT(0, rv);
EXPECT_EQ(SSL_ERROR_BAD_MAC_ALERT, PORT_GetError());
}
TEST_F(TlsConnectStreamTls13, LargeRecord) {
EnsureTlsSetup();
@@ -168,6 +182,29 @@ TEST_F(TlsConnectStreamTls13, TooLargeRecord) {
EXPECT_EQ(SSL_ERROR_RECORD_OVERFLOW_ALERT, PORT_GetError());
}
class ShortHeaderChecker : public PacketFilter {
public:
PacketFilter::Action Filter(const DataBuffer& input, DataBuffer* output) {
// The first octet should be 0b001xxxxx.
EXPECT_EQ(1, input.data()[0] >> 5);
return KEEP;
}
};
TEST_F(TlsConnectDatagram13, ShortHeadersClient) {
Connect();
client_->SetOption(SSL_ENABLE_DTLS_SHORT_HEADER, PR_TRUE);
client_->SetFilter(std::make_shared<ShortHeaderChecker>());
SendReceive();
}
TEST_F(TlsConnectDatagram13, ShortHeadersServer) {
Connect();
server_->SetOption(SSL_ENABLE_DTLS_SHORT_HEADER, PR_TRUE);
server_->SetFilter(std::make_shared<ShortHeaderChecker>());
SendReceive();
}
const static size_t kContentSizesArr[] = {
1, kMacSize - 1, kMacSize, 30, 31, 32, 36, 256, 257, 287, 288};
security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc
+431
View File
@@ -0,0 +1,431 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "secerr.h"
#include "ssl.h"
#include "sslerr.h"
#include "sslproto.h"
#include "gtest_utils.h"
#include "scoped_ptrs.h"
#include "tls_connect.h"
#include "tls_filter.h"
#include "tls_parser.h"
namespace nss_test {
// This class tracks the maximum size of record that was sent, both cleartext
// and plain. It only tracks records that have an outer type of
// application_data. In TLS 1.3, this includes handshake messages.
class TlsRecordMaximum : public TlsRecordFilter {
public:
TlsRecordMaximum(const std::shared_ptr<TlsAgent>& a)
: TlsRecordFilter(a), max_ciphertext_(0), max_plaintext_(0) {}
size_t max_ciphertext() const { return max_ciphertext_; }
size_t max_plaintext() const { return max_plaintext_; }
protected:
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& record, size_t* offset,
DataBuffer* output) override {
std::cerr << "max: " << record << std::endl;
// Ignore unprotected packets.
if (header.content_type() != kTlsApplicationDataType) {
return KEEP;
}
max_ciphertext_ = (std::max)(max_ciphertext_, record.len());
return TlsRecordFilter::FilterRecord(header, record, offset, output);
}
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& data,
DataBuffer* changed) override {
max_plaintext_ = (std::max)(max_plaintext_, data.len());
return KEEP;
}
private:
size_t max_ciphertext_;
size_t max_plaintext_;
};
void CheckRecordSizes(const std::shared_ptr<TlsAgent>& agent,
const std::shared_ptr<TlsRecordMaximum>& record_max,
size_t config) {
uint16_t cipher_suite;
ASSERT_TRUE(agent->cipher_suite(&cipher_suite));
size_t expansion;
size_t iv;
switch (cipher_suite) {
case TLS_AES_128_GCM_SHA256:
case TLS_AES_256_GCM_SHA384:
case TLS_CHACHA20_POLY1305_SHA256:
expansion = 16;
iv = 0;
break;
case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
expansion = 16;
iv = 8;
break;
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
// Expansion is 20 for the MAC. Maximum block padding is 16. Maximum
// padding is added when the input plus the MAC is an exact multiple of
// the block size.
expansion = 20 + 16 - ((config + 20) % 16);
iv = 16;
break;
default:
ADD_FAILURE() << "No expansion set for ciphersuite "
<< agent->cipher_suite_name();
return;
}
switch (agent->version()) {
case SSL_LIBRARY_VERSION_TLS_1_3:
EXPECT_EQ(0U, iv) << "No IV for TLS 1.3";
// We only have decryption in TLS 1.3.
EXPECT_EQ(config - 1, record_max->max_plaintext())
<< "bad plaintext length for " << agent->role_str();
break;
case SSL_LIBRARY_VERSION_TLS_1_2:
case SSL_LIBRARY_VERSION_TLS_1_1:
expansion += iv;
break;
case SSL_LIBRARY_VERSION_TLS_1_0:
break;
default:
ADD_FAILURE() << "Unexpected version " << agent->version();
return;
}
EXPECT_EQ(config + expansion, record_max->max_ciphertext())
<< "bad ciphertext length for " << agent->role_str();
}
TEST_P(TlsConnectGeneric, RecordSizeMaximum) {
uint16_t max_record_size =
(version_ >= SSL_LIBRARY_VERSION_TLS_1_3) ? 16385 : 16384;
size_t send_size = (version_ >= SSL_LIBRARY_VERSION_TLS_1_3)
? max_record_size
: max_record_size + 1;
EnsureTlsSetup();
auto client_max = MakeTlsFilter<TlsRecordMaximum>(client_);
client_max->EnableDecryption();
auto server_max = MakeTlsFilter<TlsRecordMaximum>(server_);
server_max->EnableDecryption();
Connect();
client_->SendData(send_size, send_size);
server_->SendData(send_size, send_size);
server_->ReadBytes(send_size);
client_->ReadBytes(send_size);
CheckRecordSizes(client_, client_max, max_record_size);
CheckRecordSizes(server_, server_max, max_record_size);
}
TEST_P(TlsConnectGeneric, RecordSizeMinimumClient) {
EnsureTlsSetup();
auto server_max = MakeTlsFilter<TlsRecordMaximum>(server_);
server_max->EnableDecryption();
client_->SetOption(SSL_RECORD_SIZE_LIMIT, 64);
Connect();
SendReceive(127); // Big enough for one record, allowing for 1+N splitting.
CheckRecordSizes(server_, server_max, 64);
}
TEST_P(TlsConnectGeneric, RecordSizeMinimumServer) {
EnsureTlsSetup();
auto client_max = MakeTlsFilter<TlsRecordMaximum>(client_);
client_max->EnableDecryption();
server_->SetOption(SSL_RECORD_SIZE_LIMIT, 64);
Connect();
SendReceive(127);
CheckRecordSizes(client_, client_max, 64);
}
TEST_P(TlsConnectGeneric, RecordSizeAsymmetric) {
EnsureTlsSetup();
auto client_max = MakeTlsFilter<TlsRecordMaximum>(client_);
client_max->EnableDecryption();
auto server_max = MakeTlsFilter<TlsRecordMaximum>(server_);
server_max->EnableDecryption();
client_->SetOption(SSL_RECORD_SIZE_LIMIT, 64);
server_->SetOption(SSL_RECORD_SIZE_LIMIT, 100);
Connect();
SendReceive(127);
CheckRecordSizes(client_, client_max, 100);
CheckRecordSizes(server_, server_max, 64);
}
// This just modifies the encrypted payload so to include a few extra zeros.
class TlsRecordExpander : public TlsRecordFilter {
public:
TlsRecordExpander(const std::shared_ptr<TlsAgent>& a, size_t expansion)
: TlsRecordFilter(a), expansion_(expansion) {}
protected:
virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& data,
DataBuffer* changed) {
if (header.content_type() != kTlsApplicationDataType) {
return KEEP;
}
changed->Allocate(data.len() + expansion_);
changed->Write(0, data.data(), data.len());
return CHANGE;
}
private:
size_t expansion_;
};
// Tweak the plaintext of server records so that they exceed the client's limit.
TEST_P(TlsConnectTls13, RecordSizePlaintextExceed) {
EnsureTlsSetup();
auto server_expand = MakeTlsFilter<TlsRecordExpander>(server_, 1);
server_expand->EnableDecryption();
client_->SetOption(SSL_RECORD_SIZE_LIMIT, 64);
Connect();
server_->SendData(100);
client_->ExpectReadWriteError();
ExpectAlert(client_, kTlsAlertRecordOverflow);
client_->ReadBytes(100);
EXPECT_EQ(SSL_ERROR_RX_RECORD_TOO_LONG, client_->error_code());
// Consume the alert at the server.
server_->Handshake();
server_->CheckErrorCode(SSL_ERROR_RECORD_OVERFLOW_ALERT);
}
// Tweak the ciphertext of server records so that they greatly exceed the limit.
// This requires a much larger expansion than for plaintext to trigger the
// guard, which runs before decryption (current allowance is 304 octets).
TEST_P(TlsConnectTls13, RecordSizeCiphertextExceed) {
EnsureTlsSetup();
client_->SetOption(SSL_RECORD_SIZE_LIMIT, 64);
Connect();
auto server_expand = MakeTlsFilter<TlsRecordExpander>(server_, 320);
server_->SendData(100);
client_->ExpectReadWriteError();
ExpectAlert(client_, kTlsAlertRecordOverflow);
client_->ReadBytes(100);
EXPECT_EQ(SSL_ERROR_RX_RECORD_TOO_LONG, client_->error_code());
// Consume the alert at the server.
server_->Handshake();
server_->CheckErrorCode(SSL_ERROR_RECORD_OVERFLOW_ALERT);
}
// This indiscriminately adds padding to application data records.
class TlsRecordPadder : public TlsRecordFilter {
public:
TlsRecordPadder(const std::shared_ptr<TlsAgent>& a, size_t padding)
: TlsRecordFilter(a), padding_(padding) {}
protected:
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& record, size_t* offset,
DataBuffer* output) override {
if (header.content_type() != kTlsApplicationDataType) {
return KEEP;
}
uint8_t inner_content_type;
DataBuffer plaintext;
if (!Unprotect(header, record, &inner_content_type, &plaintext)) {
return KEEP;
}
if (inner_content_type != kTlsApplicationDataType) {
return KEEP;
}
DataBuffer ciphertext;
bool ok =
Protect(header, inner_content_type, plaintext, &ciphertext, padding_);
EXPECT_TRUE(ok);
if (!ok) {
return KEEP;
}
*offset = header.Write(output, *offset, ciphertext);
return CHANGE;
}
private:
size_t padding_;
};
TEST_P(TlsConnectTls13, RecordSizeExceedPad) {
EnsureTlsSetup();
auto server_max = std::make_shared<TlsRecordMaximum>(server_);
auto server_expand = std::make_shared<TlsRecordPadder>(server_, 1);
server_->SetFilter(std::make_shared<ChainedPacketFilter>(
ChainedPacketFilterInit({server_max, server_expand})));
server_expand->EnableDecryption();
client_->SetOption(SSL_RECORD_SIZE_LIMIT, 64);
Connect();
server_->SendData(100);
client_->ExpectReadWriteError();
ExpectAlert(client_, kTlsAlertRecordOverflow);
client_->ReadBytes(100);
EXPECT_EQ(SSL_ERROR_RX_RECORD_TOO_LONG, client_->error_code());
// Consume the alert at the server.
server_->Handshake();
server_->CheckErrorCode(SSL_ERROR_RECORD_OVERFLOW_ALERT);
}
TEST_P(TlsConnectGeneric, RecordSizeBadValues) {
EnsureTlsSetup();
EXPECT_EQ(SECFailure,
SSL_OptionSet(client_->ssl_fd(), SSL_RECORD_SIZE_LIMIT, 63));
EXPECT_EQ(SECFailure,
SSL_OptionSet(client_->ssl_fd(), SSL_RECORD_SIZE_LIMIT, -1));
EXPECT_EQ(SECFailure,
SSL_OptionSet(server_->ssl_fd(), SSL_RECORD_SIZE_LIMIT, 16386));
Connect();
}
TEST_P(TlsConnectGeneric, RecordSizeGetValues) {
EnsureTlsSetup();
int v;
EXPECT_EQ(SECSuccess,
SSL_OptionGet(client_->ssl_fd(), SSL_RECORD_SIZE_LIMIT, &v));
EXPECT_EQ(16385, v);
client_->SetOption(SSL_RECORD_SIZE_LIMIT, 300);
EXPECT_EQ(SECSuccess,
SSL_OptionGet(client_->ssl_fd(), SSL_RECORD_SIZE_LIMIT, &v));
EXPECT_EQ(300, v);
Connect();
}
// The value of the extension is capped by the maximum version of the client.
TEST_P(TlsConnectGeneric, RecordSizeCapExtensionClient) {
EnsureTlsSetup();
client_->SetOption(SSL_RECORD_SIZE_LIMIT, 16385);
auto capture =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_record_size_limit_xtn);
capture->EnableDecryption();
Connect();
uint64_t val = 0;
EXPECT_TRUE(capture->extension().Read(0, 2, &val));
if (version_ < SSL_LIBRARY_VERSION_TLS_1_3) {
EXPECT_EQ(16384U, val) << "Extension should be capped";
} else {
EXPECT_EQ(16385U, val);
}
}
// The value of the extension is capped by the maximum version of the server.
TEST_P(TlsConnectGeneric, RecordSizeCapExtensionServer) {
EnsureTlsSetup();
server_->SetOption(SSL_RECORD_SIZE_LIMIT, 16385);
auto capture =
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_record_size_limit_xtn);
capture->EnableDecryption();
Connect();
uint64_t val = 0;
EXPECT_TRUE(capture->extension().Read(0, 2, &val));
if (version_ < SSL_LIBRARY_VERSION_TLS_1_3) {
EXPECT_EQ(16384U, val) << "Extension should be capped";
} else {
EXPECT_EQ(16385U, val);
}
}
// Damage the client extension and the handshake fails, but the server
// doesn't generate a validation error.
TEST_P(TlsConnectGenericPre13, RecordSizeClientExtensionInvalid) {
EnsureTlsSetup();
client_->SetOption(SSL_RECORD_SIZE_LIMIT, 1000);
static const uint8_t v[] = {0xf4, 0x1f};
MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_record_size_limit_xtn,
DataBuffer(v, sizeof(v)));
ConnectExpectAlert(server_, kTlsAlertDecryptError);
}
// Special handling for TLS 1.3, where the alert isn't read.
TEST_F(TlsConnectStreamTls13, RecordSizeClientExtensionInvalid) {
EnsureTlsSetup();
client_->SetOption(SSL_RECORD_SIZE_LIMIT, 1000);
static const uint8_t v[] = {0xf4, 0x1f};
MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_record_size_limit_xtn,
DataBuffer(v, sizeof(v)));
client_->ExpectSendAlert(kTlsAlertBadRecordMac);
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
ConnectExpectFail();
}
TEST_P(TlsConnectGeneric, RecordSizeServerExtensionInvalid) {
EnsureTlsSetup();
server_->SetOption(SSL_RECORD_SIZE_LIMIT, 1000);
static const uint8_t v[] = {0xf4, 0x1f};
auto replace = MakeTlsFilter<TlsExtensionReplacer>(
server_, ssl_record_size_limit_xtn, DataBuffer(v, sizeof(v)));
replace->EnableDecryption();
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
}
class RecordSizeDefaultsTest : public ::testing::Test {
public:
void SetUp() {
EXPECT_EQ(SECSuccess,
SSL_OptionGetDefault(SSL_RECORD_SIZE_LIMIT, &default_));
}
void TearDown() {
// Make sure to restore the default value at the end.
EXPECT_EQ(SECSuccess,
SSL_OptionSetDefault(SSL_RECORD_SIZE_LIMIT, default_));
}
private:
PRIntn default_ = 0;
};
TEST_F(RecordSizeDefaultsTest, RecordSizeBadValues) {
EXPECT_EQ(SECFailure, SSL_OptionSetDefault(SSL_RECORD_SIZE_LIMIT, 63));
EXPECT_EQ(SECFailure, SSL_OptionSetDefault(SSL_RECORD_SIZE_LIMIT, -1));
EXPECT_EQ(SECFailure, SSL_OptionSetDefault(SSL_RECORD_SIZE_LIMIT, 16386));
}
TEST_F(RecordSizeDefaultsTest, RecordSizeGetValue) {
int v;
EXPECT_EQ(SECSuccess, SSL_OptionGetDefault(SSL_RECORD_SIZE_LIMIT, &v));
EXPECT_EQ(16385, v);
EXPECT_EQ(SECSuccess, SSL_OptionSetDefault(SSL_RECORD_SIZE_LIMIT, 3000));
EXPECT_EQ(SECSuccess, SSL_OptionGetDefault(SSL_RECORD_SIZE_LIMIT, &v));
EXPECT_EQ(3000, v);
}
} // namespace nss_test
security/nss/gtests/ssl_gtest/ssl_resumption_unittest.cc
+2 -4
View File
@@ -484,10 +484,8 @@ TEST_P(TlsConnectStream, TestResumptionOverrideCipher) {
class SelectedVersionReplacer : public TlsHandshakeFilter {
public:
SelectedVersionReplacer(const std::shared_ptr<TlsAgent>& agent,
uint16_t version)
: TlsHandshakeFilter(agent, {kTlsHandshakeServerHello}),
version_(version) {}
SelectedVersionReplacer(const std::shared_ptr<TlsAgent>& a, uint16_t version)
: TlsHandshakeFilter(a, {kTlsHandshakeServerHello}), version_(version) {}
protected:
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
security/nss/gtests/ssl_gtest/ssl_skip_unittest.cc
+2 -4
View File
@@ -22,11 +22,9 @@ namespace nss_test {
class TlsHandshakeSkipFilter : public TlsRecordFilter {
public:
// A TLS record filter that skips handshake messages of the identified type.
TlsHandshakeSkipFilter(const std::shared_ptr<TlsAgent>& agent,
TlsHandshakeSkipFilter(const std::shared_ptr<TlsAgent>& a,
uint8_t handshake_type)
: TlsRecordFilter(agent),
handshake_type_(handshake_type),
skipped_(false) {}
: TlsRecordFilter(a), handshake_type_(handshake_type), skipped_(false) {}
protected:
// Takes a record; if it is a handshake record, it removes the first handshake
security/nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc
+36
View File
@@ -21,6 +21,7 @@ extern "C" {
#include "tls_connect.h"
#include "tls_filter.h"
#include "tls_parser.h"
#include "rsa8193.h"
namespace nss_test {
@@ -100,4 +101,39 @@ TEST_P(TlsConnectStreamPre13,
Connect();
}
// Replace the server certificate with one that uses 8193-bit RSA.
class TooLargeRSACertFilter : public TlsHandshakeFilter {
public:
TooLargeRSACertFilter(const std::shared_ptr<TlsAgent> &server)
: TlsHandshakeFilter(server, {kTlsHandshakeCertificate}) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader &header,
const DataBuffer &input,
DataBuffer *output) {
const uint32_t cert_len = sizeof(rsa8193);
const uint32_t outer_len = cert_len + 3;
size_t offset = 0;
offset = output->Write(offset, outer_len, 3);
offset = output->Write(offset, cert_len, 3);
offset = output->Write(offset, rsa8193, cert_len);
return CHANGE;
}
};
TEST_P(TlsConnectGenericPre13, TooLargeRSAKeyInCert) {
EnableOnlyStaticRsaCiphers();
MakeTlsFilter<TooLargeRSACertFilter>(server_);
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
client_->CheckErrorCode(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
TEST_P(TlsConnectGeneric, ServerAuthBiggestRsa) {
Reset(TlsAgent::kRsa8192);
Connect();
CheckKeys();
}
} // namespace nss_test
security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
+92
View File
@@ -214,6 +214,98 @@ TEST_F(Tls13CompatTest, EnabledHrrZeroRtt) {
CheckForCompatHandshake();
}
class TlsSessionIDEchoFilter : public TlsHandshakeFilter {
public:
TlsSessionIDEchoFilter(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(
a, {kTlsHandshakeClientHello, kTlsHandshakeServerHello}) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
TlsParser parser(input);
// Skip version + random.
EXPECT_TRUE(parser.Skip(2 + 32));
// Capture CH.legacy_session_id.
if (header.handshake_type() == kTlsHandshakeClientHello) {
EXPECT_TRUE(parser.ReadVariable(&sid_, 1));
return KEEP;
}
// Check that server sends one too.
uint32_t sid_len = 0;
EXPECT_TRUE(parser.Read(&sid_len, 1));
EXPECT_EQ(sid_len, sid_.len());
// Echo the one we captured.
*output = input;
output->Write(parser.consumed(), sid_.data(), sid_.len());
return CHANGE;
}
private:
DataBuffer sid_;
};
TEST_F(TlsConnectTest, EchoTLS13CompatibilitySessionID) {
ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
client_->SetOption(SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_3);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_2);
server_->SetFilter(MakeTlsFilter<TlsSessionIDEchoFilter>(client_));
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
class TlsSessionIDInjectFilter : public TlsHandshakeFilter {
public:
TlsSessionIDInjectFilter(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a, {kTlsHandshakeServerHello}) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
TlsParser parser(input);
// Skip version + random.
EXPECT_TRUE(parser.Skip(2 + 32));
*output = input;
// Inject a Session ID.
const uint8_t fake_sid[SSL3_SESSIONID_BYTES] = {0xff};
output->Write(parser.consumed(), sizeof(fake_sid), 1);
output->Splice(fake_sid, sizeof(fake_sid), parser.consumed() + 1, 0);
return CHANGE;
}
};
TEST_F(TlsConnectTest, TLS13NonCompatModeSessionID) {
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
MakeTlsFilter<TlsSessionIDInjectFilter>(server_);
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
}
static const uint8_t kCannedCcs[] = {
kTlsChangeCipherSpecType,
SSL_LIBRARY_VERSION_TLS_1_2 >> 8,
security/nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
+6 -6
View File
@@ -50,12 +50,12 @@ inline std::ostream& operator<<(std::ostream& stream,
class VersionRangeWithLabel {
public:
VersionRangeWithLabel(const std::string& label, const SSLVersionRange& vr)
: label_(label), vr_(vr) {}
VersionRangeWithLabel(const std::string& label, uint16_t min, uint16_t max)
: label_(label) {
vr_.min = min;
vr_.max = max;
VersionRangeWithLabel(const std::string& txt, const SSLVersionRange& vr)
: label_(txt), vr_(vr) {}
VersionRangeWithLabel(const std::string& txt, uint16_t start, uint16_t end)
: label_(txt) {
vr_.min = start;
vr_.max = end;
}
VersionRangeWithLabel(const std::string& label) : label_(label) {
vr_.min = vr_.max = SSL_LIBRARY_VERSION_NONE;
security/nss/gtests/ssl_gtest/test_io.cc
+4 -4
View File
@@ -99,8 +99,8 @@ int32_t DummyPrSocket::Write(PRFileDesc *f, const void *buf, int32_t length) {
return -1;
}
auto peer = peer_.lock();
if (!peer) {
auto dst = peer_.lock();
if (!dst) {
PR_SetError(PR_IO_ERROR, 0);
return -1;
}
@@ -116,14 +116,14 @@ int32_t DummyPrSocket::Write(PRFileDesc *f, const void *buf, int32_t length) {
case PacketFilter::CHANGE:
LOG("Original packet: " << packet);
LOG("Filtered packet: " << filtered);
peer->PacketReceived(filtered);
dst->PacketReceived(filtered);
break;
case PacketFilter::DROP:
LOG("Droppped packet: " << packet);
break;
case PacketFilter::KEEP:
LOGV("Packet: " << packet);
peer->PacketReceived(packet);
dst->PacketReceived(packet);
break;
}
// libssl can't handle it if this reports something other than the length
security/nss/gtests/ssl_gtest/test_io.h
+3 -3
View File
@@ -59,9 +59,9 @@ class PacketFilter {
class DummyPrSocket : public DummyIOLayerMethods {
public:
DummyPrSocket(const std::string& name, SSLProtocolVariant variant)
DummyPrSocket(const std::string& name, SSLProtocolVariant var)
: name_(name),
variant_(variant),
variant_(var),
peer_(),
input_(),
filter_(nullptr),
@@ -73,7 +73,7 @@ class DummyPrSocket : public DummyIOLayerMethods {
ScopedPRFileDesc CreateFD();
std::weak_ptr<DummyPrSocket>& peer() { return peer_; }
void SetPeer(const std::shared_ptr<DummyPrSocket>& peer) { peer_ = peer; }
void SetPeer(const std::shared_ptr<DummyPrSocket>& p) { peer_ = p; }
void SetPacketFilter(const std::shared_ptr<PacketFilter>& filter) {
filter_ = filter;
}
security/nss/gtests/ssl_gtest/tls_agent.cc
+82 -49
View File
@@ -33,6 +33,7 @@ const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
const std::string TlsAgent::kClient = "client"; // both sign and encrypt
const std::string TlsAgent::kRsa2048 = "rsa2048"; // bigger
const std::string TlsAgent::kRsa8192 = "rsa8192"; // biggest allowed
const std::string TlsAgent::kServerRsa = "rsa"; // both sign and encrypt
const std::string TlsAgent::kServerRsaSign = "rsa_sign";
const std::string TlsAgent::kServerRsaPss = "rsa_pss";
@@ -44,13 +45,22 @@ const std::string TlsAgent::kServerEcdhRsa = "ecdh_rsa";
const std::string TlsAgent::kServerEcdhEcdsa = "ecdh_ecdsa";
const std::string TlsAgent::kServerDsa = "dsa";
TlsAgent::TlsAgent(const std::string& name, Role role,
SSLProtocolVariant variant)
: name_(name),
variant_(variant),
role_(role),
static const uint8_t kCannedTls13ServerHello[] = {
0x03, 0x03, 0x9c, 0xbc, 0x14, 0x9b, 0x0e, 0x2e, 0xfa, 0x0d, 0xf3,
0xf0, 0x5c, 0x70, 0x7a, 0xe0, 0xd1, 0x9b, 0x3e, 0x5a, 0x44, 0x6b,
0xdf, 0xe5, 0xc2, 0x28, 0x64, 0xf7, 0x00, 0xc1, 0x9c, 0x08, 0x76,
0x08, 0x00, 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x33, 0x00, 0x24,
0x00, 0x1d, 0x00, 0x20, 0xc2, 0xcf, 0x23, 0x17, 0x64, 0x23, 0x03,
0xf0, 0xfb, 0x45, 0x98, 0x26, 0xd1, 0x65, 0x24, 0xa1, 0x6c, 0xa9,
0x80, 0x8f, 0x2c, 0xac, 0x0a, 0xea, 0x53, 0x3a, 0xcb, 0xe3, 0x08,
0x84, 0xae, 0x19, 0x00, 0x2b, 0x00, 0x02, 0x7f, kD13};
TlsAgent::TlsAgent(const std::string& nm, Role rl, SSLProtocolVariant var)
: name_(nm),
variant_(var),
role_(rl),
server_key_bits_(0),
adapter_(new DummyPrSocket(role_str(), variant)),
adapter_(new DummyPrSocket(role_str(), var)),
ssl_fd_(nullptr),
state_(STATE_INIT),
timer_handle_(nullptr),
@@ -103,11 +113,11 @@ TlsAgent::~TlsAgent() {
}
}
void TlsAgent::SetState(State state) {
if (state_ == state) return;
void TlsAgent::SetState(State s) {
if (state_ == s) return;
LOG("Changing state from " << state_ << " to " << state);
state_ = state;
LOG("Changing state from " << state_ << " to " << s);
state_ = s;
}
/*static*/ bool TlsAgent::LoadCertificate(const std::string& name,
@@ -124,11 +134,11 @@ void TlsAgent::SetState(State state) {
return true;
}
bool TlsAgent::ConfigServerCert(const std::string& name, bool updateKeyBits,
bool TlsAgent::ConfigServerCert(const std::string& id, bool updateKeyBits,
const SSLExtraServerCertData* serverCertData) {
ScopedCERTCertificate cert;
ScopedSECKEYPrivateKey priv;
if (!TlsAgent::LoadCertificate(name, &cert, &priv)) {
if (!TlsAgent::LoadCertificate(id, &cert, &priv)) {
return false;
}
@@ -175,6 +185,10 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc* modelSocket) {
if (rv != SECSuccess) return false;
}
ScopedCERTCertList anchors(CERT_NewCertList());
rv = SSL_SetTrustAnchors(ssl_fd(), anchors.get());
if (rv != SECSuccess) return false;
if (role_ == SERVER) {
EXPECT_TRUE(ConfigServerCert(name_, true));
@@ -182,10 +196,6 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc* modelSocket) {
EXPECT_EQ(SECSuccess, rv);
if (rv != SECSuccess) return false;
ScopedCERTCertList anchors(CERT_NewCertList());
rv = SSL_SetTrustAnchors(ssl_fd(), anchors.get());
if (rv != SECSuccess) return false;
rv = SSL_SetMaxEarlyDataSize(ssl_fd(), 1024);
EXPECT_EQ(SECSuccess, rv);
if (rv != SECSuccess) return false;
@@ -246,6 +256,17 @@ void TlsAgent::SetupClientAuth() {
reinterpret_cast<void*>(this)));
}
void CheckCertReqAgainstDefaultCAs(const CERTDistNames* caNames) {
ScopedCERTDistNames expected(CERT_GetSSLCACerts(nullptr));
ASSERT_EQ(expected->nnames, caNames->nnames);
for (size_t i = 0; i < static_cast<size_t>(expected->nnames); ++i) {
EXPECT_EQ(SECEqual,
SECITEM_CompareItem(&(expected->names[i]), &(caNames->names[i])));
}
}
SECStatus TlsAgent::GetClientAuthDataHook(void* self, PRFileDesc* fd,
CERTDistNames* caNames,
CERTCertificate** clientCert,
@@ -254,6 +275,9 @@ SECStatus TlsAgent::GetClientAuthDataHook(void* self, PRFileDesc* fd,
ScopedCERTCertificate peerCert(SSL_PeerCertificate(agent->ssl_fd()));
EXPECT_TRUE(peerCert) << "Client should be able to see the server cert";
// See bug 1457716
// CheckCertReqAgainstDefaultCAs(caNames);
ScopedCERTCertificate cert;
ScopedSECKEYPrivateKey priv;
if (!TlsAgent::LoadCertificate(agent->name(), &cert, &priv)) {
@@ -282,8 +306,8 @@ bool TlsAgent::GetPeerChainLength(size_t* count) {
return true;
}
void TlsAgent::CheckCipherSuite(uint16_t cipher_suite) {
EXPECT_EQ(csinfo_.cipherSuite, cipher_suite);
void TlsAgent::CheckCipherSuite(uint16_t suite) {
EXPECT_EQ(csinfo_.cipherSuite, suite);
}
void TlsAgent::RequestClientAuth(bool requireAuth) {
@@ -442,9 +466,7 @@ void TlsAgent::GetVersionRange(uint16_t* minver, uint16_t* maxver) {
*maxver = vrange_.max;
}
void TlsAgent::SetExpectedVersion(uint16_t version) {
expected_version_ = version;
}
void TlsAgent::SetExpectedVersion(uint16_t ver) { expected_version_ = ver; }
void TlsAgent::SetServerKeyBits(uint16_t bits) { server_key_bits_ = bits; }
@@ -491,10 +513,10 @@ void TlsAgent::SetSignatureSchemes(const SSLSignatureScheme* schemes,
EXPECT_EQ(i, configuredCount) << "schemes in use were all set";
}
void TlsAgent::CheckKEA(SSLKEAType kea_type, SSLNamedGroup kea_group,
void TlsAgent::CheckKEA(SSLKEAType kea, SSLNamedGroup kea_group,
size_t kea_size) const {
EXPECT_EQ(STATE_CONNECTED, state_);
EXPECT_EQ(kea_type, info_.keaType);
EXPECT_EQ(kea, info_.keaType);
if (kea_size == 0) {
switch (kea_group) {
case ssl_grp_ec_curve25519:
@@ -515,7 +537,7 @@ void TlsAgent::CheckKEA(SSLKEAType kea_type, SSLNamedGroup kea_group,
case ssl_grp_ffdhe_custom:
break;
default:
if (kea_type == ssl_kea_rsa) {
if (kea == ssl_kea_rsa) {
kea_size = server_key_bits_;
} else {
EXPECT_TRUE(false) << "need to update group sizes";
@@ -534,13 +556,13 @@ void TlsAgent::CheckOriginalKEA(SSLNamedGroup kea_group) const {
}
}
void TlsAgent::CheckAuthType(SSLAuthType auth_type,
void TlsAgent::CheckAuthType(SSLAuthType auth,
SSLSignatureScheme sig_scheme) const {
EXPECT_EQ(STATE_CONNECTED, state_);
EXPECT_EQ(auth_type, info_.authType);
EXPECT_EQ(auth, info_.authType);
EXPECT_EQ(server_key_bits_, info_.authKeyBits);
if (expected_version_ < SSL_LIBRARY_VERSION_TLS_1_2) {
switch (auth_type) {
switch (auth) {
case ssl_auth_rsa_sign:
sig_scheme = ssl_sig_rsa_pkcs1_sha1md5;
break;
@@ -558,9 +580,8 @@ void TlsAgent::CheckAuthType(SSLAuthType auth_type,
}
// Check authAlgorithm, which is the old value for authType. This is a second
// switch
// statement because default label is different.
switch (auth_type) {
// switch statement because default label is different.
switch (auth) {
case ssl_auth_rsa_sign:
EXPECT_EQ(ssl_auth_rsa_decrypt, csinfo_.authAlgorithm)
<< "authAlgorithm for RSA is always decrypt";
@@ -574,7 +595,7 @@ void TlsAgent::CheckAuthType(SSLAuthType auth_type,
<< "authAlgorithm for ECDH_ECDSA is ECDSA (i.e., wrong)";
break;
default:
EXPECT_EQ(auth_type, csinfo_.authAlgorithm)
EXPECT_EQ(auth, csinfo_.authAlgorithm)
<< "authAlgorithm is (usually) the same as authType";
break;
}
@@ -593,22 +614,20 @@ void TlsAgent::ExpectResumption() { expect_resumption_ = true; }
void TlsAgent::EnableAlpn(const uint8_t* val, size_t len) {
EXPECT_TRUE(EnsureTlsSetup());
SetOption(SSL_ENABLE_ALPN, PR_TRUE);
EXPECT_EQ(SECSuccess, SSL_SetNextProtoNego(ssl_fd(), val, len));
}
void TlsAgent::CheckAlpn(SSLNextProtoState expected_state,
const std::string& expected) const {
SSLNextProtoState state;
SSLNextProtoState alpn_state;
char chosen[10];
unsigned int chosen_len;
SECStatus rv = SSL_GetNextProto(ssl_fd(), &state,
SECStatus rv = SSL_GetNextProto(ssl_fd(), &alpn_state,
reinterpret_cast<unsigned char*>(chosen),
&chosen_len, sizeof(chosen));
EXPECT_EQ(SECSuccess, rv);
EXPECT_EQ(expected_state, state);
if (state == SSL_NEXT_PROTO_NO_SUPPORT) {
EXPECT_EQ(expected_state, alpn_state);
if (alpn_state == SSL_NEXT_PROTO_NO_SUPPORT) {
EXPECT_EQ("", expected);
} else {
EXPECT_NE("", expected);
@@ -840,10 +859,10 @@ void TlsAgent::CheckSecretsDestroyed() {
ASSERT_EQ(PR_TRUE, SSLInt_CheckSecretsDestroyed(ssl_fd()));
}
void TlsAgent::SetDowngradeCheckVersion(uint16_t version) {
void TlsAgent::SetDowngradeCheckVersion(uint16_t ver) {
ASSERT_TRUE(EnsureTlsSetup());
SECStatus rv = SSL_SetDowngradeCheckVersion(ssl_fd(), version);
SECStatus rv = SSL_SetDowngradeCheckVersion(ssl_fd(), ver);
ASSERT_EQ(SECSuccess, rv);
}
@@ -920,9 +939,9 @@ static bool ErrorIsNonFatal(PRErrorCode code) {
}
void TlsAgent::SendData(size_t bytes, size_t blocksize) {
uint8_t block[4096];
uint8_t block[16385]; // One larger than the maximum record size.
ASSERT_LT(blocksize, sizeof(block));
ASSERT_LE(blocksize, sizeof(block));
while (bytes) {
size_t tosend = std::min(blocksize, bytes);
@@ -951,12 +970,13 @@ void TlsAgent::SendBuffer(const DataBuffer& buf) {
}
bool TlsAgent::SendEncryptedRecord(const std::shared_ptr<TlsCipherSpec>& spec,
uint16_t wireVersion, uint64_t seq,
uint8_t ct, const DataBuffer& buf) {
LOGV("Writing " << buf.len() << " bytes");
// Ensure we are a TLS 1.3 cipher agent.
uint64_t seq, uint8_t ct,
const DataBuffer& buf) {
LOGV("Encrypting " << buf.len() << " bytes");
// Ensure that we are doing TLS 1.3.
EXPECT_GE(expected_version_, SSL_LIBRARY_VERSION_TLS_1_3);
TlsRecordHeader header(wireVersion, kTlsApplicationDataType, seq);
TlsRecordHeader header(variant_, expected_version_, kTlsApplicationDataType,
seq);
DataBuffer padded = buf;
padded.Write(padded.len(), ct, 1);
DataBuffer ciphertext;
@@ -1078,15 +1098,20 @@ void TlsAgentTestBase::ProcessMessage(const DataBuffer& buffer,
void TlsAgentTestBase::MakeRecord(SSLProtocolVariant variant, uint8_t type,
uint16_t version, const uint8_t* buf,
size_t len, DataBuffer* out,
uint64_t seq_num) {
uint64_t sequence_number) {
size_t index = 0;
index = out->Write(index, type, 1);
if (variant == ssl_variant_stream) {
index = out->Write(index, version, 2);
} else if (version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
type == kTlsApplicationDataType) {
uint32_t epoch = (sequence_number >> 48) & 0x3;
uint32_t seqno = sequence_number & ((1ULL << 30) - 1);
index = out->Write(index, (epoch << 30) | seqno, 4);
} else {
index = out->Write(index, TlsVersionToDtlsVersion(version), 2);
index = out->Write(index, seq_num >> 32, 4);
index = out->Write(index, seq_num & PR_UINT32_MAX, 4);
index = out->Write(index, sequence_number >> 32, 4);
index = out->Write(index, sequence_number & PR_UINT32_MAX, 4);
}
index = out->Write(index, len, 2);
out->Write(index, buf, len);
@@ -1144,4 +1169,12 @@ void TlsAgentTestBase::MakeTrivialHandshakeRecord(uint8_t hs_type,
}
}
DataBuffer TlsAgentTestBase::MakeCannedTls13ServerHello() {
DataBuffer sh(kCannedTls13ServerHello, sizeof(kCannedTls13ServerHello));
if (variant_ == ssl_variant_datagram) {
sh.Write(0, SSL_LIBRARY_VERSION_DTLS_1_2_WIRE, 2);
}
return sh;
}
} // namespace nss_test
security/nss/gtests/ssl_gtest/tls_agent.h
+16 -8
View File
@@ -10,6 +10,9 @@
#include "prio.h"
#include "ssl.h"
// This is an internal header, used to get TLS_1_3_DRAFT_VERSION.
#include "ssl3prot.h"
#include <functional>
#include <iostream>
@@ -57,6 +60,8 @@ typedef std::function<int32_t(TlsAgent* agent, const SECItem* srvNameArr,
PRUint32 srvNameArrSize)>
SniCallbackFunction;
static const uint8_t kD13 = TLS_1_3_DRAFT_VERSION;
class TlsAgent : public PollTarget {
public:
enum Role { CLIENT, SERVER };
@@ -64,6 +69,7 @@ class TlsAgent : public PollTarget {
static const std::string kClient; // the client key is sign only
static const std::string kRsa2048; // bigger sign and encrypt for either
static const std::string kRsa8192; // biggest sign and encrypt for either
static const std::string kServerRsa; // both sign and encrypt
static const std::string kServerRsaSign;
static const std::string kServerRsaPss;
@@ -143,8 +149,7 @@ class TlsAgent : public PollTarget {
void SendData(size_t bytes, size_t blocksize = 1024);
void SendBuffer(const DataBuffer& buf);
bool SendEncryptedRecord(const std::shared_ptr<TlsCipherSpec>& spec,
uint16_t wireVersion, uint64_t seq, uint8_t ct,
const DataBuffer& buf);
uint64_t seq, uint8_t ct, const DataBuffer& buf);
// Send data directly to the underlying socket, skipping the TLS layer.
void SendDirect(const DataBuffer& buf);
void SendRecordDirect(const TlsRecord& record);
@@ -209,10 +214,10 @@ class TlsAgent : public PollTarget {
return info_.protocolVersion;
}
bool cipher_suite(uint16_t* cipher_suite) const {
bool cipher_suite(uint16_t* suite) const {
if (state_ != STATE_CONNECTED) return false;
*cipher_suite = info_.cipherSuite;
*suite = info_.cipherSuite;
return true;
}
@@ -227,17 +232,17 @@ class TlsAgent : public PollTarget {
info_.sessionID + info_.sessionIDLength);
}
bool auth_type(SSLAuthType* auth_type) const {
bool auth_type(SSLAuthType* a) const {
if (state_ != STATE_CONNECTED) return false;
*auth_type = info_.authType;
*a = info_.authType;
return true;
}
bool kea_type(SSLKEAType* kea_type) const {
bool kea_type(SSLKEAType* k) const {
if (state_ != STATE_CONNECTED) return false;
*kea_type = info_.keaType;
*k = info_.keaType;
return true;
}
@@ -264,6 +269,8 @@ class TlsAgent : public PollTarget {
void ExpectReceiveAlert(uint8_t alert, uint8_t level = 0);
void ExpectSendAlert(uint8_t alert, uint8_t level = 0);
std::string alpn_value_to_use_ = "";
private:
const static char* states[];
@@ -443,6 +450,7 @@ class TlsAgentTestBase : public ::testing::Test {
size_t hs_len, DataBuffer* out,
uint64_t seq_num, uint32_t fragment_offset,
uint32_t fragment_length) const;
DataBuffer MakeCannedTls13ServerHello();
static void MakeTrivialHandshakeRecord(uint8_t hs_type, size_t hs_len,
DataBuffer* out);
static inline TlsAgent::Role ToRole(const std::string& str) {
security/nss/gtests/ssl_gtest/tls_connect.cc
+46 -3
View File
@@ -571,14 +571,57 @@ void TlsConnectTestBase::CheckResumption(SessionResumptionMode expected) {
}
}
static SECStatus NextProtoCallbackServer(void* arg, PRFileDesc* fd,
const unsigned char* protos,
unsigned int protos_len,
unsigned char* protoOut,
unsigned int* protoOutLen,
unsigned int protoMaxLen) {
EXPECT_EQ(protoMaxLen, 255U);
TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
// Check that agent->alpn_value_to_use_ is in protos.
if (protos_len < 1) {
return SECFailure;
}
for (size_t i = 0; i < protos_len;) {
size_t l = protos[i];
EXPECT_LT(i + l, protos_len);
if (i + l >= protos_len) {
return SECFailure;
}
std::string protos_s(reinterpret_cast<const char*>(protos + i + 1), l);
if (protos_s == agent->alpn_value_to_use_) {
size_t s_len = agent->alpn_value_to_use_.size();
EXPECT_LE(s_len, 255U);
memcpy(protoOut, &agent->alpn_value_to_use_[0], s_len);
*protoOutLen = s_len;
return SECSuccess;
}
i += l + 1;
}
return SECFailure;
}
void TlsConnectTestBase::EnableAlpn() {
client_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_));
server_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_));
}
void TlsConnectTestBase::EnableAlpn(const uint8_t* val, size_t len) {
client_->EnableAlpn(val, len);
server_->EnableAlpn(val, len);
void TlsConnectTestBase::EnableAlpnWithCallback(
const std::vector<uint8_t>& client_vals, std::string server_choice) {
EnsureTlsSetup();
server_->alpn_value_to_use_ = server_choice;
EXPECT_EQ(SECSuccess,
SSL_SetNextProtoNego(client_->ssl_fd(), client_vals.data(),
client_vals.size()));
SECStatus rv = SSL_SetNextProtoCallback(
server_->ssl_fd(), NextProtoCallbackServer, server_.get());
EXPECT_EQ(SECSuccess, rv);
}
void TlsConnectTestBase::EnableAlpn(const std::vector<uint8_t>& vals) {
client_->EnableAlpn(vals.data(), vals.size());
server_->EnableAlpn(vals.data(), vals.size());
}
void TlsConnectTestBase::EnsureModelSockets() {
security/nss/gtests/ssl_gtest/tls_connect.h
+3 -1
View File
@@ -110,7 +110,9 @@ class TlsConnectTestBase : public ::testing::Test {
void ConfigureSessionCache(SessionResumptionMode client,
SessionResumptionMode server);
void EnableAlpn();
void EnableAlpn(const uint8_t* val, size_t len);
void EnableAlpnWithCallback(const std::vector<uint8_t>& client,
std::string server_choice);
void EnableAlpn(const std::vector<uint8_t>& vals);
void EnsureModelSockets();
void CheckAlpn(const std::string& val);
void EnableSrtp();
security/nss/gtests/ssl_gtest/tls_filter.cc
+194 -40
View File
@@ -30,11 +30,9 @@ void TlsVersioned::WriteStream(std::ostream& stream) const {
case SSL_LIBRARY_VERSION_TLS_1_0:
stream << "1.0";
break;
case SSL_LIBRARY_VERSION_DTLS_1_0_WIRE:
case SSL_LIBRARY_VERSION_TLS_1_1:
stream << (is_dtls() ? "1.0" : "1.1");
break;
case SSL_LIBRARY_VERSION_DTLS_1_2_WIRE:
case SSL_LIBRARY_VERSION_TLS_1_2:
stream << "1.2";
break;
@@ -67,8 +65,14 @@ void TlsRecordFilter::CipherSpecChanged(void* arg, PRBool sending,
return;
}
self->in_sequence_number_ = 0;
self->out_sequence_number_ = 0;
uint64_t seq_no;
if (self->agent()->variant() == ssl_variant_datagram) {
seq_no = static_cast<uint64_t>(SSLInt_CipherSpecToEpoch(newSpec)) << 48;
} else {
seq_no = 0;
}
self->in_sequence_number_ = seq_no;
self->out_sequence_number_ = seq_no;
self->dropped_record_ = false;
self->cipher_spec_.reset(new TlsCipherSpec());
bool ret = self->cipher_spec_->Init(
@@ -77,33 +81,59 @@ void TlsRecordFilter::CipherSpecChanged(void* arg, PRBool sending,
EXPECT_EQ(true, ret);
}
bool TlsRecordFilter::is_dtls13() const {
if (agent()->variant() != ssl_variant_datagram) {
return false;
}
if (agent()->state() == TlsAgent::STATE_CONNECTED) {
return agent()->version() >= SSL_LIBRARY_VERSION_TLS_1_3;
}
SSLPreliminaryChannelInfo info;
EXPECT_EQ(SECSuccess, SSL_GetPreliminaryChannelInfo(agent()->ssl_fd(), &info,
sizeof(info)));
return (info.protocolVersion >= SSL_LIBRARY_VERSION_TLS_1_3) ||
info.canSendEarlyData;
}
PacketFilter::Action TlsRecordFilter::Filter(const DataBuffer& input,
DataBuffer* output) {
// Disable during shutdown.
if (!agent()) {
return KEEP;
}
bool changed = false;
size_t offset = 0U;
output->Allocate(input.len());
output->Allocate(input.len());
TlsParser parser(input);
while (parser.remaining()) {
TlsRecordHeader header;
DataBuffer record;
if (!header.Parse(in_sequence_number_, &parser, &record)) {
if (!header.Parse(is_dtls13(), in_sequence_number_, &parser, &record)) {
ADD_FAILURE() << "not a valid record";
return KEEP;
}
// Track the sequence number, which is necessary for stream mode (the
// sequence number is in the header for datagram).
// Track the sequence number, which is necessary for stream mode when
// decrypting and for TLS 1.3 datagram to recover the sequence number.
//
// This isn't perfectly robust. If there is a change from an active cipher
// We reset the counter when the cipher spec changes, but that notification
// appears before a record is sent. If multiple records are sent with
// different cipher specs, this would fail. This filters out cleartext
// records, so we don't get confused by handshake messages that are sent at
// the same time as encrypted records. Sequence numbers are therefore
// likely to be incorrect for cleartext records.
//
// This isn't perfectly robust: if there is a change from an active cipher
// spec to another active cipher spec (KeyUpdate for instance) AND writes
// are consolidated across that change AND packets were dropped from the
// older epoch, we will not correctly re-encrypt records in the old epoch to
// update their sequence numbers.
if (cipher_spec_ && header.content_type() == kTlsApplicationDataType) {
++in_sequence_number_;
// are consolidated across that change, this code could use the wrong
// sequence numbers when re-encrypting records with the old keys.
if (header.content_type() == kTlsApplicationDataType) {
in_sequence_number_ =
(std::max)(in_sequence_number_, header.sequence_number() + 1);
}
if (FilterRecord(header, record, &offset, output) != KEEP) {
@@ -131,11 +161,14 @@ PacketFilter::Action TlsRecordFilter::FilterRecord(
DataBuffer plaintext;
if (!Unprotect(header, record, &inner_content_type, &plaintext)) {
if (g_ssl_gtest_verbose) {
std::cerr << "unprotect failed: " << header << ":" << record << std::endl;
}
return KEEP;
}
TlsRecordHeader real_header = {header.version(), inner_content_type,
header.sequence_number()};
TlsRecordHeader real_header(header.variant(), header.version(),
inner_content_type, header.sequence_number());
PacketFilter::Action action = FilterRecord(real_header, plaintext, &filtered);
// In stream mode, even if something doesn't change we need to re-encrypt if
@@ -166,8 +199,8 @@ PacketFilter::Action TlsRecordFilter::FilterRecord(
} else {
seq_num = out_sequence_number_++;
}
TlsRecordHeader out_header = {header.version(), header.content_type(),
seq_num};
TlsRecordHeader out_header(header.variant(), header.version(),
header.content_type(), seq_num);
DataBuffer ciphertext;
bool rv = Protect(out_header, inner_content_type, filtered, &ciphertext);
@@ -179,20 +212,119 @@ PacketFilter::Action TlsRecordFilter::FilterRecord(
return CHANGE;
}
bool TlsRecordHeader::Parse(uint64_t sequence_number, TlsParser* parser,
size_t TlsRecordHeader::header_length() const {
// If we have a header, return it's length.
if (header_.len()) {
return header_.len();
}
// Otherwise make a dummy header and return the length.
DataBuffer buf;
return WriteHeader(&buf, 0, 0);
}
uint64_t TlsRecordHeader::RecoverSequenceNumber(uint64_t expected,
uint32_t partial,
size_t partial_bits) {
EXPECT_GE(32U, partial_bits);
uint64_t mask = (1 << partial_bits) - 1;
// First we determine the highest possible value. This is half the
// expressible range above the expected value.
uint64_t cap = expected + (1ULL << (partial_bits - 1));
// Add the partial piece in. e.g., xxxx789a and 1234 becomes xxxx1234.
uint64_t seq_no = (cap & ~mask) | partial;
// If the partial value is higher than the same partial piece from the cap,
// then the real value has to be lower. e.g., xxxx1234 can't become xxxx5678.
if (partial > (cap & mask)) {
seq_no -= 1ULL << partial_bits;
}
return seq_no;
}
// Determine the full epoch and sequence number from an expected and raw value.
// The expected and output values are packed as they are in DTLS 1.2 and
// earlier: with 16 bits of epoch and 48 bits of sequence number.
uint64_t TlsRecordHeader::ParseSequenceNumber(uint64_t expected, uint32_t raw,
size_t seq_no_bits,
size_t epoch_bits) {
uint64_t epoch_mask = (1ULL << epoch_bits) - 1;
uint64_t epoch = RecoverSequenceNumber(
expected >> 48, (raw >> seq_no_bits) & epoch_mask, epoch_bits);
if (epoch > (expected >> 48)) {
// If the epoch has changed, reset the expected sequence number.
expected = 0;
} else {
// Otherwise, retain just the sequence number part.
expected &= (1ULL << 48) - 1;
}
uint64_t seq_no_mask = (1ULL << seq_no_bits) - 1;
uint64_t seq_no =
RecoverSequenceNumber(expected, raw & seq_no_mask, seq_no_bits);
return (epoch << 48) | seq_no;
}
bool TlsRecordHeader::Parse(bool is_dtls13, uint64_t seqno, TlsParser* parser,
DataBuffer* body) {
auto mark = parser->consumed();
if (!parser->Read(&content_type_)) {
return false;
}
uint32_t version;
if (!parser->Read(&version, 2)) {
if (is_dtls13) {
variant_ = ssl_variant_datagram;
version_ = SSL_LIBRARY_VERSION_TLS_1_3;
#ifndef UNSAFE_FUZZER_MODE
// Deal with the 7 octet header.
if (content_type_ == kTlsApplicationDataType) {
uint32_t tmp;
if (!parser->Read(&tmp, 4)) {
return false;
}
sequence_number_ = ParseSequenceNumber(seqno, tmp, 30, 2);
if (!parser->ReadFromMark(&header_, parser->consumed() + 2 - mark,
mark)) {
return false;
}
return parser->ReadVariable(body, 2);
}
// The short, 2 octet header.
if ((content_type_ & 0xe0) == 0x20) {
uint32_t tmp;
if (!parser->Read(&tmp, 1)) {
return false;
}
// Need to use the low 5 bits of the first octet too.
tmp |= (content_type_ & 0x1f) << 8;
content_type_ = kTlsApplicationDataType;
sequence_number_ = ParseSequenceNumber(seqno, tmp, 12, 1);
if (!parser->ReadFromMark(&header_, parser->consumed() - mark, mark)) {
return false;
}
return parser->Read(body, parser->remaining());
}
// The full 13 octet header can only be used for a few types.
EXPECT_TRUE(content_type_ == kTlsAlertType ||
content_type_ == kTlsHandshakeType ||
content_type_ == kTlsAckType);
#endif
}
uint32_t ver;
if (!parser->Read(&ver, 2)) {
return false;
}
version_ = version;
if (!is_dtls13) {
variant_ = IsDtls(ver) ? ssl_variant_datagram : ssl_variant_stream;
}
version_ = NormalizeTlsVersion(ver);
// If this is DTLS, overwrite the sequence number.
if (IsDtls(version)) {
if (is_dtls()) {
// If this is DTLS, read the sequence number.
uint32_t tmp;
if (!parser->Read(&tmp, 4)) {
return false;
@@ -203,21 +335,40 @@ bool TlsRecordHeader::Parse(uint64_t sequence_number, TlsParser* parser,
}
sequence_number_ |= static_cast<uint64_t>(tmp);
} else {
sequence_number_ = sequence_number;
sequence_number_ = seqno;
}
if (!parser->ReadFromMark(&header_, parser->consumed() + 2 - mark, mark)) {
return false;
}
return parser->ReadVariable(body, 2);
}
size_t TlsRecordHeader::WriteHeader(DataBuffer* buffer, size_t offset,
size_t body_len) const {
offset = buffer->Write(offset, content_type_, 1);
if (is_dtls() && version_ >= SSL_LIBRARY_VERSION_TLS_1_3 &&
content_type() == kTlsApplicationDataType) {
// application_data records in TLS 1.3 have a different header format.
// Always use the long header here for simplicity.
uint32_t e = (sequence_number_ >> 48) & 0x3;
uint32_t seqno = sequence_number_ & ((1ULL << 30) - 1);
offset = buffer->Write(offset, (e << 30) | seqno, 4);
} else {
uint16_t v = is_dtls() ? TlsVersionToDtlsVersion(version_) : version_;
offset = buffer->Write(offset, v, 2);
if (is_dtls()) {
// write epoch (2 octet), and seqnum (6 octet)
offset = buffer->Write(offset, sequence_number_ >> 32, 4);
offset = buffer->Write(offset, sequence_number_ & 0xffffffff, 4);
}
}
offset = buffer->Write(offset, body_len, 2);
return offset;
}
size_t TlsRecordHeader::Write(DataBuffer* buffer, size_t offset,
const DataBuffer& body) const {
offset = buffer->Write(offset, content_type_, 1);
offset = buffer->Write(offset, version_, 2);
if (is_dtls()) {
// write epoch (2 octet), and seqnum (6 octet)
offset = buffer->Write(offset, sequence_number_ >> 32, 4);
offset = buffer->Write(offset, sequence_number_ & 0xffffffff, 4);
}
offset = buffer->Write(offset, body.len(), 2);
offset = WriteHeader(buffer, offset, body.len());
offset = buffer->Write(offset, body);
return offset;
}
@@ -259,7 +410,7 @@ bool TlsRecordFilter::Unprotect(const TlsRecordHeader& header,
bool TlsRecordFilter::Protect(const TlsRecordHeader& header,
uint8_t inner_content_type,
const DataBuffer& plaintext,
DataBuffer* ciphertext) {
DataBuffer* ciphertext, size_t padding) {
if (!cipher_spec_ || header.content_type() != kTlsApplicationDataType) {
*ciphertext = plaintext;
return true;
@@ -267,8 +418,10 @@ bool TlsRecordFilter::Protect(const TlsRecordHeader& header,
if (g_ssl_gtest_verbose) {
std::cerr << "protect: " << header.sequence_number() << std::endl;
}
DataBuffer padded = plaintext;
padded.Write(padded.len(), inner_content_type, 1);
DataBuffer padded;
padded.Allocate(plaintext.len() + 1 + padding);
size_t offset = padded.Write(0, plaintext.data(), plaintext.len());
padded.Write(offset, inner_content_type, 1);
return cipher_spec_->Protect(header, padded, ciphertext);
}
@@ -406,6 +559,7 @@ bool TlsHandshakeFilter::HandshakeHeader::Parse(
const DataBuffer& preceding_fragment, DataBuffer* body, bool* complete) {
*complete = false;
variant_ = record_header.variant();
version_ = record_header.version();
if (!parser->Read(&handshake_type_)) {
return false; // malformed
@@ -487,10 +641,10 @@ PacketFilter::Action TlsConversationRecorder::FilterRecord(
return KEEP;
}
PacketFilter::Action TlsHeaderRecorder::FilterRecord(
const TlsRecordHeader& header, const DataBuffer& input,
DataBuffer* output) {
headers_.push_back(header);
PacketFilter::Action TlsHeaderRecorder::FilterRecord(const TlsRecordHeader& hdr,
const DataBuffer& input,
DataBuffer* output) {
headers_.push_back(hdr);
return KEEP;
}
security/nss/gtests/ssl_gtest/tls_filter.h
+88 -61
View File
@@ -11,7 +11,7 @@
#include <memory>
#include <set>
#include <vector>
#include "sslt.h"
#include "test_io.h"
#include "tls_agent.h"
#include "tls_parser.h"
@@ -27,43 +27,57 @@ class TlsCipherSpec;
class TlsVersioned {
public:
TlsVersioned() : version_(0) {}
explicit TlsVersioned(uint16_t version) : version_(version) {}
TlsVersioned() : variant_(ssl_variant_stream), version_(0) {}
TlsVersioned(SSLProtocolVariant var, uint16_t ver)
: variant_(var), version_(ver) {}
bool is_dtls() const { return IsDtls(version_); }
bool is_dtls() const { return variant_ == ssl_variant_datagram; }
SSLProtocolVariant variant() const { return variant_; }
uint16_t version() const { return version_; }
void WriteStream(std::ostream& stream) const;
protected:
SSLProtocolVariant variant_;
uint16_t version_;
};
class TlsRecordHeader : public TlsVersioned {
public:
TlsRecordHeader() : TlsVersioned(), content_type_(0), sequence_number_(0) {}
TlsRecordHeader(uint16_t version, uint8_t content_type,
uint64_t sequence_number)
: TlsVersioned(version),
content_type_(content_type),
sequence_number_(sequence_number) {}
TlsRecordHeader()
: TlsVersioned(), content_type_(0), sequence_number_(0), header_() {}
TlsRecordHeader(SSLProtocolVariant var, uint16_t ver, uint8_t ct,
uint64_t seqno)
: TlsVersioned(var, ver),
content_type_(ct),
sequence_number_(seqno),
header_() {}
uint8_t content_type() const { return content_type_; }
uint64_t sequence_number() const { return sequence_number_; }
uint16_t epoch() const {
return static_cast<uint16_t>(sequence_number_ >> 48);
}
size_t header_length() const { return is_dtls() ? 13 : 5; }
size_t header_length() const;
const DataBuffer& header() const { return header_; }
// Parse the header; return true if successful; body in an outparam if OK.
bool Parse(uint64_t sequence_number, TlsParser* parser, DataBuffer* body);
bool Parse(bool is_dtls13, uint64_t sequence_number, TlsParser* parser,
DataBuffer* body);
// Write the header and body to a buffer at the given offset.
// Return the offset of the end of the write.
size_t Write(DataBuffer* buffer, size_t offset, const DataBuffer& body) const;
size_t WriteHeader(DataBuffer* buffer, size_t offset, size_t body_len) const;
private:
static uint64_t RecoverSequenceNumber(uint64_t expected, uint32_t partial,
size_t partial_bits);
static uint64_t ParseSequenceNumber(uint64_t expected, uint32_t raw,
size_t seq_no_bits, size_t epoch_bits);
uint8_t content_type_;
uint64_t sequence_number_;
DataBuffer header_;
};
struct TlsRecord {
@@ -83,8 +97,8 @@ inline std::shared_ptr<T> MakeTlsFilter(const std::shared_ptr<TlsAgent>& agent,
// Abstract filter that operates on entire (D)TLS records.
class TlsRecordFilter : public PacketFilter {
public:
TlsRecordFilter(const std::shared_ptr<TlsAgent>& agent)
: agent_(agent),
TlsRecordFilter(const std::shared_ptr<TlsAgent>& a)
: agent_(a),
count_(0),
cipher_spec_(),
dropped_record_(false),
@@ -106,7 +120,8 @@ class TlsRecordFilter : public PacketFilter {
bool Unprotect(const TlsRecordHeader& header, const DataBuffer& cipherText,
uint8_t* inner_content_type, DataBuffer* plaintext);
bool Protect(const TlsRecordHeader& header, uint8_t inner_content_type,
const DataBuffer& plaintext, DataBuffer* ciphertext);
const DataBuffer& plaintext, DataBuffer* ciphertext,
size_t padding = 0);
protected:
// There are two filter functions which can be overriden. Both are
@@ -130,6 +145,8 @@ class TlsRecordFilter : public PacketFilter {
return KEEP;
}
bool is_dtls13() const;
private:
static void CipherSpecChanged(void* arg, PRBool sending,
ssl3CipherSpec* newSpec);
@@ -183,13 +200,11 @@ inline std::ostream& operator<<(std::ostream& stream,
// records and that they don't span records or anything crazy like that.
class TlsHandshakeFilter : public TlsRecordFilter {
public:
TlsHandshakeFilter(const std::shared_ptr<TlsAgent>& agent)
: TlsRecordFilter(agent), handshake_types_(), preceding_fragment_() {}
TlsHandshakeFilter(const std::shared_ptr<TlsAgent>& agent,
TlsHandshakeFilter(const std::shared_ptr<TlsAgent>& a)
: TlsRecordFilter(a), handshake_types_(), preceding_fragment_() {}
TlsHandshakeFilter(const std::shared_ptr<TlsAgent>& a,
const std::set<uint8_t>& types)
: TlsRecordFilter(agent),
handshake_types_(types),
preceding_fragment_() {}
: TlsRecordFilter(a), handshake_types_(types), preceding_fragment_() {}
// This filter can be set to be selective based on handshake message type. If
// this function isn't used (or the set is empty), then all handshake messages
@@ -243,12 +258,12 @@ class TlsHandshakeFilter : public TlsRecordFilter {
// Make a copy of the first instance of a handshake message.
class TlsHandshakeRecorder : public TlsHandshakeFilter {
public:
TlsHandshakeRecorder(const std::shared_ptr<TlsAgent>& agent,
TlsHandshakeRecorder(const std::shared_ptr<TlsAgent>& a,
uint8_t handshake_type)
: TlsHandshakeFilter(agent, {handshake_type}), buffer_() {}
TlsHandshakeRecorder(const std::shared_ptr<TlsAgent>& agent,
: TlsHandshakeFilter(a, {handshake_type}), buffer_() {}
TlsHandshakeRecorder(const std::shared_ptr<TlsAgent>& a,
const std::set<uint8_t>& handshake_types)
: TlsHandshakeFilter(agent, handshake_types), buffer_() {}
: TlsHandshakeFilter(a, handshake_types), buffer_() {}
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
@@ -265,10 +280,10 @@ class TlsHandshakeRecorder : public TlsHandshakeFilter {
// Replace all instances of a handshake message.
class TlsInspectorReplaceHandshakeMessage : public TlsHandshakeFilter {
public:
TlsInspectorReplaceHandshakeMessage(const std::shared_ptr<TlsAgent>& agent,
TlsInspectorReplaceHandshakeMessage(const std::shared_ptr<TlsAgent>& a,
uint8_t handshake_type,
const DataBuffer& replacement)
: TlsHandshakeFilter(agent, {handshake_type}), buffer_(replacement) {}
: TlsHandshakeFilter(a, {handshake_type}), buffer_(replacement) {}
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
@@ -281,10 +296,10 @@ class TlsInspectorReplaceHandshakeMessage : public TlsHandshakeFilter {
// Make a copy of each record of a given type.
class TlsRecordRecorder : public TlsRecordFilter {
public:
TlsRecordRecorder(const std::shared_ptr<TlsAgent>& agent, uint8_t ct)
: TlsRecordFilter(agent), filter_(true), ct_(ct), records_() {}
TlsRecordRecorder(const std::shared_ptr<TlsAgent>& agent)
: TlsRecordFilter(agent),
TlsRecordRecorder(const std::shared_ptr<TlsAgent>& a, uint8_t ct)
: TlsRecordFilter(a), filter_(true), ct_(ct), records_() {}
TlsRecordRecorder(const std::shared_ptr<TlsAgent>& a)
: TlsRecordFilter(a),
filter_(false),
ct_(content_handshake), // dummy (<optional> is C++14)
records_() {}
@@ -306,9 +321,9 @@ class TlsRecordRecorder : public TlsRecordFilter {
// Make a copy of the complete conversation.
class TlsConversationRecorder : public TlsRecordFilter {
public:
TlsConversationRecorder(const std::shared_ptr<TlsAgent>& agent,
TlsConversationRecorder(const std::shared_ptr<TlsAgent>& a,
DataBuffer& buffer)
: TlsRecordFilter(agent), buffer_(buffer) {}
: TlsRecordFilter(a), buffer_(buffer) {}
virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& input,
@@ -321,8 +336,7 @@ class TlsConversationRecorder : public TlsRecordFilter {
// Make a copy of the records
class TlsHeaderRecorder : public TlsRecordFilter {
public:
TlsHeaderRecorder(const std::shared_ptr<TlsAgent>& agent)
: TlsRecordFilter(agent) {}
TlsHeaderRecorder(const std::shared_ptr<TlsAgent>& a) : TlsRecordFilter(a) {}
virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& input,
DataBuffer* output);
@@ -359,15 +373,15 @@ typedef std::function<bool(TlsParser* parser, const TlsVersioned& header)>
class TlsExtensionFilter : public TlsHandshakeFilter {
public:
TlsExtensionFilter(const std::shared_ptr<TlsAgent>& agent)
: TlsHandshakeFilter(agent,
TlsExtensionFilter(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a,
{kTlsHandshakeClientHello, kTlsHandshakeServerHello,
kTlsHandshakeHelloRetryRequest,
kTlsHandshakeEncryptedExtensions}) {}
TlsExtensionFilter(const std::shared_ptr<TlsAgent>& agent,
TlsExtensionFilter(const std::shared_ptr<TlsAgent>& a,
const std::set<uint8_t>& types)
: TlsHandshakeFilter(agent, types) {}
: TlsHandshakeFilter(a, types) {}
static bool FindExtensions(TlsParser* parser, const HandshakeHeader& header);
@@ -388,9 +402,9 @@ class TlsExtensionFilter : public TlsHandshakeFilter {
class TlsExtensionCapture : public TlsExtensionFilter {
public:
TlsExtensionCapture(const std::shared_ptr<TlsAgent>& agent, uint16_t ext,
TlsExtensionCapture(const std::shared_ptr<TlsAgent>& a, uint16_t ext,
bool last = false)
: TlsExtensionFilter(agent),
: TlsExtensionFilter(a),
extension_(ext),
captured_(false),
last_(last),
@@ -413,9 +427,9 @@ class TlsExtensionCapture : public TlsExtensionFilter {
class TlsExtensionReplacer : public TlsExtensionFilter {
public:
TlsExtensionReplacer(const std::shared_ptr<TlsAgent>& agent,
uint16_t extension, const DataBuffer& data)
: TlsExtensionFilter(agent), extension_(extension), data_(data) {}
TlsExtensionReplacer(const std::shared_ptr<TlsAgent>& a, uint16_t extension,
const DataBuffer& data)
: TlsExtensionFilter(a), extension_(extension), data_(data) {}
PacketFilter::Action FilterExtension(uint16_t extension_type,
const DataBuffer& input,
DataBuffer* output) override;
@@ -427,9 +441,8 @@ class TlsExtensionReplacer : public TlsExtensionFilter {
class TlsExtensionDropper : public TlsExtensionFilter {
public:
TlsExtensionDropper(const std::shared_ptr<TlsAgent>& agent,
uint16_t extension)
: TlsExtensionFilter(agent), extension_(extension) {}
TlsExtensionDropper(const std::shared_ptr<TlsAgent>& a, uint16_t extension)
: TlsExtensionFilter(a), extension_(extension) {}
PacketFilter::Action FilterExtension(uint16_t extension_type,
const DataBuffer&, DataBuffer*) override;
@@ -439,9 +452,9 @@ class TlsExtensionDropper : public TlsExtensionFilter {
class TlsExtensionInjector : public TlsHandshakeFilter {
public:
TlsExtensionInjector(const std::shared_ptr<TlsAgent>& agent, uint16_t ext,
TlsExtensionInjector(const std::shared_ptr<TlsAgent>& a, uint16_t ext,
const DataBuffer& data)
: TlsHandshakeFilter(agent), extension_(ext), data_(data) {}
: TlsHandshakeFilter(a), extension_(ext), data_(data) {}
protected:
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
@@ -453,7 +466,6 @@ class TlsExtensionInjector : public TlsHandshakeFilter {
const DataBuffer data_;
};
class TlsAgent;
typedef std::function<void(void)> VoidFunction;
class AfterRecordN : public TlsRecordFilter {
@@ -495,6 +507,22 @@ class TlsClientHelloVersionChanger : public TlsHandshakeFilter {
std::weak_ptr<TlsAgent> server_;
};
// Damage a record.
class TlsRecordLastByteDamager : public TlsRecordFilter {
public:
TlsRecordLastByteDamager(const std::shared_ptr<TlsAgent>& a)
: TlsRecordFilter(a) {}
protected:
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& data,
DataBuffer* changed) override {
*changed = data;
changed->data()[changed->len() - 1]++;
return CHANGE;
}
};
// This class selectively drops complete writes. This relies on the fact that
// writes in libssl are on record boundaries.
class SelectiveDropFilter : public PacketFilter {
@@ -515,16 +543,16 @@ class SelectiveDropFilter : public PacketFilter {
// datagram, we just drop one.
class SelectiveRecordDropFilter : public TlsRecordFilter {
public:
SelectiveRecordDropFilter(const std::shared_ptr<TlsAgent>& agent,
SelectiveRecordDropFilter(const std::shared_ptr<TlsAgent>& a,
uint32_t pattern, bool enabled = true)
: TlsRecordFilter(agent), pattern_(pattern), counter_(0) {
: TlsRecordFilter(a), pattern_(pattern), counter_(0) {
if (!enabled) {
Disable();
}
}
SelectiveRecordDropFilter(const std::shared_ptr<TlsAgent>& agent,
SelectiveRecordDropFilter(const std::shared_ptr<TlsAgent>& a,
std::initializer_list<size_t> records)
: SelectiveRecordDropFilter(agent, ToPattern(records), true) {}
: SelectiveRecordDropFilter(a, ToPattern(records), true) {}
void Reset(uint32_t pattern) {
counter_ = 0;
@@ -551,10 +579,9 @@ class SelectiveRecordDropFilter : public TlsRecordFilter {
// Set the version number in the ClientHello.
class TlsClientHelloVersionSetter : public TlsHandshakeFilter {
public:
TlsClientHelloVersionSetter(const std::shared_ptr<TlsAgent>& agent,
TlsClientHelloVersionSetter(const std::shared_ptr<TlsAgent>& a,
uint16_t version)
: TlsHandshakeFilter(agent, {kTlsHandshakeClientHello}),
version_(version) {}
: TlsHandshakeFilter(a, {kTlsHandshakeClientHello}), version_(version) {}
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
@@ -567,8 +594,8 @@ class TlsClientHelloVersionSetter : public TlsHandshakeFilter {
// Damages the last byte of a handshake message.
class TlsLastByteDamager : public TlsHandshakeFilter {
public:
TlsLastByteDamager(const std::shared_ptr<TlsAgent>& agent, uint8_t type)
: TlsHandshakeFilter(agent), type_(type) {}
TlsLastByteDamager(const std::shared_ptr<TlsAgent>& a, uint8_t type)
: TlsHandshakeFilter(a), type_(type) {}
PacketFilter::Action FilterHandshake(
const TlsHandshakeFilter::HandshakeHeader& header,
const DataBuffer& input, DataBuffer* output) override {
@@ -588,9 +615,9 @@ class TlsLastByteDamager : public TlsHandshakeFilter {
class SelectedCipherSuiteReplacer : public TlsHandshakeFilter {
public:
SelectedCipherSuiteReplacer(const std::shared_ptr<TlsAgent>& agent,
SelectedCipherSuiteReplacer(const std::shared_ptr<TlsAgent>& a,
uint16_t suite)
: TlsHandshakeFilter(agent, {kTlsHandshakeServerHello}),
: TlsHandshakeFilter(a, {kTlsHandshakeServerHello}),
cipher_suite_(suite) {}
protected:
security/nss/gtests/ssl_gtest/tls_protect.cc
+21 -14
View File
@@ -54,17 +54,17 @@ bool AeadCipher::AeadInner(bool decrypt, void *params, size_t param_length,
return rv == SECSuccess;
}
bool AeadCipherAesGcm::Aead(bool decrypt, uint64_t seq, const uint8_t *in,
size_t inlen, uint8_t *out, size_t *outlen,
size_t maxlen) {
bool AeadCipherAesGcm::Aead(bool decrypt, const uint8_t *hdr, size_t hdr_len,
uint64_t seq, const uint8_t *in, size_t inlen,
uint8_t *out, size_t *outlen, size_t maxlen) {
CK_GCM_PARAMS aeadParams;
unsigned char nonce[12];
memset(&aeadParams, 0, sizeof(aeadParams));
aeadParams.pIv = nonce;
aeadParams.ulIvLen = sizeof(nonce);
aeadParams.pAAD = NULL;
aeadParams.ulAADLen = 0;
aeadParams.pAAD = const_cast<uint8_t *>(hdr);
aeadParams.ulAADLen = hdr_len;
aeadParams.ulTagBits = 128;
FormatNonce(seq, nonce);
@@ -72,7 +72,8 @@ bool AeadCipherAesGcm::Aead(bool decrypt, uint64_t seq, const uint8_t *in,
in, inlen, out, outlen, maxlen);
}
bool AeadCipherChacha20Poly1305::Aead(bool decrypt, uint64_t seq,
bool AeadCipherChacha20Poly1305::Aead(bool decrypt, const uint8_t *hdr,
size_t hdr_len, uint64_t seq,
const uint8_t *in, size_t inlen,
uint8_t *out, size_t *outlen,
size_t maxlen) {
@@ -82,8 +83,8 @@ bool AeadCipherChacha20Poly1305::Aead(bool decrypt, uint64_t seq,
memset(&aeadParams, 0, sizeof(aeadParams));
aeadParams.pNonce = nonce;
aeadParams.ulNonceLen = sizeof(nonce);
aeadParams.pAAD = NULL;
aeadParams.ulAADLen = 0;
aeadParams.pAAD = const_cast<uint8_t *>(hdr);
aeadParams.ulAADLen = hdr_len;
aeadParams.ulTagLen = 16;
FormatNonce(seq, nonce);
@@ -91,9 +92,9 @@ bool AeadCipherChacha20Poly1305::Aead(bool decrypt, uint64_t seq,
in, inlen, out, outlen, maxlen);
}
bool TlsCipherSpec::Init(uint16_t epoch, SSLCipherAlgorithm cipher,
bool TlsCipherSpec::Init(uint16_t epoc, SSLCipherAlgorithm cipher,
PK11SymKey *key, const uint8_t *iv) {
epoch_ = epoch;
epoch_ = epoc;
switch (cipher) {
case ssl_calg_aes_gcm:
aead_.reset(new AeadCipherAesGcm());
@@ -114,10 +115,12 @@ bool TlsCipherSpec::Unprotect(const TlsRecordHeader &header,
// Make space.
plaintext->Allocate(ciphertext.len());
auto header_bytes = header.header();
size_t len;
bool ret =
aead_->Aead(true, header.sequence_number(), ciphertext.data(),
ciphertext.len(), plaintext->data(), &len, plaintext->len());
aead_->Aead(true, header_bytes.data(), header_bytes.len(),
header.sequence_number(), ciphertext.data(), ciphertext.len(),
plaintext->data(), &len, plaintext->len());
if (!ret) return false;
plaintext->Truncate(len);
@@ -133,9 +136,13 @@ bool TlsCipherSpec::Protect(const TlsRecordHeader &header,
ciphertext->Allocate(plaintext.len() +
32); // Room for any plausible auth tag
size_t len;
DataBuffer header_bytes;
(void)header.WriteHeader(&header_bytes, 0, plaintext.len() + 16);
bool ret =
aead_->Aead(false, header.sequence_number(), plaintext.data(),
plaintext.len(), ciphertext->data(), &len, ciphertext->len());
aead_->Aead(false, header_bytes.data(), header_bytes.len(),
header.sequence_number(), plaintext.data(), plaintext.len(),
ciphertext->data(), &len, ciphertext->len());
if (!ret) return false;
ciphertext->Truncate(len);
security/nss/gtests/ssl_gtest/tls_protect.h
+9 -6
View File
@@ -23,8 +23,9 @@ class AeadCipher {
virtual ~AeadCipher();
bool Init(PK11SymKey *key, const uint8_t *iv);
virtual bool Aead(bool decrypt, uint64_t seq, const uint8_t *in, size_t inlen,
uint8_t *out, size_t *outlen, size_t maxlen) = 0;
virtual bool Aead(bool decrypt, const uint8_t *hdr, size_t hdr_len,
uint64_t seq, const uint8_t *in, size_t inlen, uint8_t *out,
size_t *outlen, size_t maxlen) = 0;
protected:
void FormatNonce(uint64_t seq, uint8_t *nonce);
@@ -42,8 +43,9 @@ class AeadCipherChacha20Poly1305 : public AeadCipher {
AeadCipherChacha20Poly1305() : AeadCipher(CKM_NSS_CHACHA20_POLY1305) {}
protected:
bool Aead(bool decrypt, uint64_t seq, const uint8_t *in, size_t inlen,
uint8_t *out, size_t *outlen, size_t maxlen);
bool Aead(bool decrypt, const uint8_t *hdr, size_t hdr_len, uint64_t seq,
const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen,
size_t maxlen);
};
class AeadCipherAesGcm : public AeadCipher {
@@ -51,8 +53,9 @@ class AeadCipherAesGcm : public AeadCipher {
AeadCipherAesGcm() : AeadCipher(CKM_AES_GCM) {}
protected:
bool Aead(bool decrypt, uint64_t seq, const uint8_t *in, size_t inlen,
uint8_t *out, size_t *outlen, size_t maxlen);
bool Aead(bool decrypt, const uint8_t *hdr, size_t hdr_len, uint64_t seq,
const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen,
size_t maxlen);
};
// Our analog of ssl3CipherSpec
security/nss/lib/certdb/crl.c
+4 -4
View File
@@ -898,13 +898,13 @@ static PLHashAllocOps preAllocOps = { PreAllocTable, PreFreeTable,
/* destructor for PreAllocator object */
void
PreAllocator_Destroy(PreAllocator* PreAllocator)
PreAllocator_Destroy(PreAllocator* allocator)
{
if (!PreAllocator) {
if (!allocator) {
return;
}
if (PreAllocator->arena) {
PORT_FreeArena(PreAllocator->arena, PR_TRUE);
if (allocator->arena) {
PORT_FreeArena(allocator->arena, PR_TRUE);
}
}
security/nss/lib/ckfw/Makefile
-4
View File
@@ -33,7 +33,3 @@ ifdef NSS_BUILD_CAPI
DIRS += capi
endif
endif
#ifeq ($(OS_ARCH), Darwin)
#DIRS += nssmkey
#endif
security/nss/lib/ckfw/builtins/certdata.txt
-467
View File
@@ -7240,163 +7240,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "TC TrustCenter Class 3 CA II"
#
# Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
# Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
# Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
# Not Valid Before: Thu Jan 12 14:41:57 2006
# Not Valid After : Wed Dec 31 22:59:59 2025
# Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
# Fingerprint (SHA1): 80:25:EF:F4:6E:70:C8:D4:72:24:65:84:FE:40:3B:8A:8D:6A:DB:F5
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TC TrustCenter Class 3 CA II"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\166\061\013\060\011\006\003\125\004\006\023\002\104\105\061
\034\060\032\006\003\125\004\012\023\023\124\103\040\124\162\165
\163\164\103\145\156\164\145\162\040\107\155\142\110\061\042\060
\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163\164
\103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
\101\061\045\060\043\006\003\125\004\003\023\034\124\103\040\124
\162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
\040\063\040\103\101\040\111\111
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\166\061\013\060\011\006\003\125\004\006\023\002\104\105\061
\034\060\032\006\003\125\004\012\023\023\124\103\040\124\162\165
\163\164\103\145\156\164\145\162\040\107\155\142\110\061\042\060
\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163\164
\103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
\101\061\045\060\043\006\003\125\004\003\023\034\124\103\040\124
\162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
\040\063\040\103\101\040\111\111
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277
END
CKA_VALUE MULTILINE_OCTAL
\060\202\004\252\060\202\003\222\240\003\002\001\002\002\016\112
\107\000\001\000\002\345\240\135\326\077\000\121\277\060\015\006
\011\052\206\110\206\367\015\001\001\005\005\000\060\166\061\013
\060\011\006\003\125\004\006\023\002\104\105\061\034\060\032\006
\003\125\004\012\023\023\124\103\040\124\162\165\163\164\103\145
\156\164\145\162\040\107\155\142\110\061\042\060\040\006\003\125
\004\013\023\031\124\103\040\124\162\165\163\164\103\145\156\164
\145\162\040\103\154\141\163\163\040\063\040\103\101\061\045\060
\043\006\003\125\004\003\023\034\124\103\040\124\162\165\163\164
\103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
\101\040\111\111\060\036\027\015\060\066\060\061\061\062\061\064
\064\061\065\067\132\027\015\062\065\061\062\063\061\062\062\065
\071\065\071\132\060\166\061\013\060\011\006\003\125\004\006\023
\002\104\105\061\034\060\032\006\003\125\004\012\023\023\124\103
\040\124\162\165\163\164\103\145\156\164\145\162\040\107\155\142
\110\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124
\162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
\040\063\040\103\101\061\045\060\043\006\003\125\004\003\023\034
\124\103\040\124\162\165\163\164\103\145\156\164\145\162\040\103
\154\141\163\163\040\063\040\103\101\040\111\111\060\202\001\042
\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
\202\001\017\000\060\202\001\012\002\202\001\001\000\264\340\273
\121\273\071\134\213\004\305\114\171\034\043\206\061\020\143\103
\125\047\077\306\105\307\244\075\354\011\015\032\036\040\302\126
\036\336\033\067\007\060\042\057\157\361\006\361\253\255\326\310
\253\141\243\057\103\304\260\262\055\374\303\226\151\173\176\212
\344\314\300\071\022\220\102\140\311\314\065\150\356\332\137\220
\126\137\315\034\115\133\130\111\353\016\001\117\144\372\054\074
\211\130\330\057\056\342\260\150\351\042\073\165\211\326\104\032
\145\362\033\227\046\035\050\155\254\350\275\131\035\053\044\366
\326\204\003\146\210\044\000\170\140\361\370\253\376\002\262\153
\373\042\373\065\346\026\321\255\366\056\022\344\372\065\152\345
\031\271\135\333\073\036\032\373\323\377\025\024\010\330\011\152
\272\105\235\024\171\140\175\257\100\212\007\163\263\223\226\323
\164\064\215\072\067\051\336\134\354\365\356\056\061\302\040\334
\276\361\117\177\043\122\331\133\342\144\331\234\252\007\010\265
\105\275\321\320\061\301\253\124\237\251\322\303\142\140\003\361
\273\071\112\222\112\075\012\271\235\305\240\376\067\002\003\001
\000\001\243\202\001\064\060\202\001\060\060\017\006\003\125\035
\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125
\035\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125
\035\016\004\026\004\024\324\242\374\237\263\303\330\003\323\127
\134\007\244\320\044\247\300\362\000\324\060\201\355\006\003\125
\035\037\004\201\345\060\201\342\060\201\337\240\201\334\240\201
\331\206\065\150\164\164\160\072\057\057\167\167\167\056\164\162
\165\163\164\143\145\156\164\145\162\056\144\145\057\143\162\154
\057\166\062\057\164\143\137\143\154\141\163\163\137\063\137\143
\141\137\111\111\056\143\162\154\206\201\237\154\144\141\160\072
\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145
\162\056\144\145\057\103\116\075\124\103\045\062\060\124\162\165
\163\164\103\145\156\164\145\162\045\062\060\103\154\141\163\163
\045\062\060\063\045\062\060\103\101\045\062\060\111\111\054\117
\075\124\103\045\062\060\124\162\165\163\164\103\145\156\164\145
\162\045\062\060\107\155\142\110\054\117\125\075\162\157\157\164
\143\145\162\164\163\054\104\103\075\164\162\165\163\164\143\145
\156\164\145\162\054\104\103\075\144\145\077\143\145\162\164\151
\146\151\143\141\164\145\122\145\166\157\143\141\164\151\157\156
\114\151\163\164\077\142\141\163\145\077\060\015\006\011\052\206
\110\206\367\015\001\001\005\005\000\003\202\001\001\000\066\140
\344\160\367\006\040\103\331\043\032\102\362\370\243\262\271\115
\212\264\363\302\232\125\061\174\304\073\147\232\264\337\115\016
\212\223\112\027\213\033\215\312\211\341\317\072\036\254\035\361
\234\062\264\216\131\166\242\101\205\045\067\240\023\320\365\174
\116\325\352\226\342\156\162\301\273\052\376\154\156\370\221\230
\106\374\311\033\127\133\352\310\032\073\077\260\121\230\074\007
\332\054\131\001\332\213\104\350\341\164\375\247\150\335\124\272
\203\106\354\310\106\265\370\257\227\300\073\011\034\217\316\162
\226\075\063\126\160\274\226\313\330\325\175\040\232\203\237\032
\334\071\361\305\162\243\021\003\375\073\102\122\051\333\350\001
\367\233\136\214\326\215\206\116\031\372\274\034\276\305\041\245
\207\236\170\056\066\333\011\161\243\162\064\370\154\343\006\011
\362\136\126\245\323\335\230\372\324\346\006\364\360\266\040\143
\113\352\051\275\252\202\146\036\373\201\252\247\067\255\023\030
\346\222\303\201\301\063\273\210\036\241\347\342\264\275\061\154
\016\121\075\157\373\226\126\200\342\066\027\321\334\344
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for Certificate "TC TrustCenter Class 3 CA II"
# Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
# Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
# Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
# Not Valid Before: Thu Jan 12 14:41:57 2006
# Not Valid After : Wed Dec 31 22:59:59 2025
# Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
# Fingerprint (SHA1): 80:25:EF:F4:6E:70:C8:D4:72:24:65:84:FE:40:3B:8A:8D:6A:DB:F5
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TC TrustCenter Class 3 CA II"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\200\045\357\364\156\160\310\324\162\044\145\204\376\100\073\212
\215\152\333\365
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\126\137\252\200\141\022\027\366\147\041\346\053\155\141\126\216
END
CKA_ISSUER MULTILINE_OCTAL
\060\166\061\013\060\011\006\003\125\004\006\023\002\104\105\061
\034\060\032\006\003\125\004\012\023\023\124\103\040\124\162\165
\163\164\103\145\156\164\145\162\040\107\155\142\110\061\042\060
\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163\164
\103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
\101\061\045\060\043\006\003\125\004\003\023\034\124\103\040\124
\162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
\040\063\040\103\101\040\111\111
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Deutsche Telekom Root CA 2"
#
@@ -17882,155 +17725,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "S-TRUST Universal Root CA"
#
# Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
# Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
# Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
# Not Valid Before: Tue Oct 22 00:00:00 2013
# Not Valid After : Thu Oct 21 23:59:59 2038
# Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
# Fingerprint (SHA1): 1B:3D:11:14:EA:7A:0F:95:58:54:41:95:BF:6B:25:82:AB:40:CE:9A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "S-TRUST Universal Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
\040\122\157\157\164\040\103\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
\040\122\157\157\164\040\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\140\126\305\113\043\100\133\144\324\355\045\332\331\326
\036\036
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\330\060\202\002\300\240\003\002\001\002\002\020\140
\126\305\113\043\100\133\144\324\355\045\332\331\326\036\036\060
\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\201
\205\061\013\060\011\006\003\125\004\006\023\002\104\105\061\051
\060\047\006\003\125\004\012\023\040\104\145\165\164\163\143\150
\145\162\040\123\160\141\162\153\141\163\163\145\156\040\126\145
\162\154\141\147\040\107\155\142\110\061\047\060\045\006\003\125
\004\013\023\036\123\055\124\122\125\123\124\040\103\145\162\164
\151\146\151\143\141\164\151\157\156\040\123\145\162\166\151\143
\145\163\061\042\060\040\006\003\125\004\003\023\031\123\055\124
\122\125\123\124\040\125\156\151\166\145\162\163\141\154\040\122
\157\157\164\040\103\101\060\036\027\015\061\063\061\060\062\062
\060\060\060\060\060\060\132\027\015\063\070\061\060\062\061\062
\063\065\071\065\071\132\060\201\205\061\013\060\011\006\003\125
\004\006\023\002\104\105\061\051\060\047\006\003\125\004\012\023
\040\104\145\165\164\163\143\150\145\162\040\123\160\141\162\153
\141\163\163\145\156\040\126\145\162\154\141\147\040\107\155\142
\110\061\047\060\045\006\003\125\004\013\023\036\123\055\124\122
\125\123\124\040\103\145\162\164\151\146\151\143\141\164\151\157
\156\040\123\145\162\166\151\143\145\163\061\042\060\040\006\003
\125\004\003\023\031\123\055\124\122\125\123\124\040\125\156\151
\166\145\162\163\141\154\040\122\157\157\164\040\103\101\060\202
\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\250
\343\013\337\021\067\205\202\232\265\154\146\174\141\077\300\107
\032\035\106\343\260\125\144\345\270\202\071\050\007\176\027\377
\364\233\212\360\221\201\352\070\077\041\170\154\110\354\153\057
\242\323\212\162\262\247\327\331\352\177\264\300\111\153\060\045
\211\214\353\267\325\100\141\230\342\334\074\040\222\315\145\112
\162\237\032\216\214\372\045\025\277\363\041\203\050\015\213\257
\131\021\202\103\134\233\115\045\121\177\130\030\143\140\073\263
\265\212\213\130\143\067\110\110\220\104\302\100\335\135\367\103
\151\051\230\134\022\145\136\253\220\222\113\146\337\325\165\022
\123\124\030\246\336\212\326\273\127\003\071\131\231\030\005\014
\371\375\025\306\220\144\106\027\202\327\302\112\101\075\375\000
\276\127\162\030\224\167\033\123\132\211\001\366\063\162\016\223
\072\334\350\036\375\005\005\326\274\163\340\210\334\253\117\354
\265\030\206\117\171\204\016\110\052\146\052\335\062\310\170\145
\310\013\235\130\001\005\161\355\201\365\150\027\156\313\015\264
\113\330\241\354\256\070\353\034\130\057\241\145\003\064\057\002
\003\001\000\001\243\102\060\100\060\017\006\003\125\035\023\001
\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017
\001\001\377\004\004\003\002\001\006\060\035\006\003\125\035\016
\004\026\004\024\232\175\327\353\353\177\124\230\105\051\264\040
\253\155\013\226\043\031\244\302\060\015\006\011\052\206\110\206
\367\015\001\001\013\005\000\003\202\001\001\000\116\226\022\333
\176\167\136\222\047\236\041\027\030\202\166\330\077\274\245\011
\004\146\210\211\255\333\125\263\063\152\306\145\304\217\115\363
\062\066\334\171\004\226\251\167\062\321\227\365\030\153\214\272
\355\316\021\320\104\307\222\361\264\104\216\355\210\122\110\236
\325\375\131\370\243\036\121\373\001\122\345\137\345\172\335\252
\044\117\042\213\335\166\106\366\245\240\017\065\330\312\017\230
\271\060\135\040\157\302\201\036\275\275\300\376\025\323\070\052
\011\223\230\047\033\223\173\320\053\064\136\150\245\025\117\321
\122\303\240\312\240\203\105\035\365\365\267\131\163\135\131\001
\217\252\302\107\057\024\161\325\051\343\020\265\107\223\045\314
\043\051\332\267\162\330\221\324\354\033\110\212\042\344\301\052
\367\072\150\223\237\105\031\156\103\267\314\376\270\221\232\141
\032\066\151\143\144\222\050\363\157\141\222\205\023\237\311\007
\054\213\127\334\353\236\171\325\302\336\010\325\124\262\127\116
\052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161
\073\303\035\374\377\262\117\250\342\366\060\036
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for "S-TRUST Universal Root CA"
# Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
# Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
# Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
# Not Valid Before: Tue Oct 22 00:00:00 2013
# Not Valid After : Thu Oct 21 23:59:59 2038
# Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
# Fingerprint (SHA1): 1B:3D:11:14:EA:7A:0F:95:58:54:41:95:BF:6B:25:82:AB:40:CE:9A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "S-TRUST Universal Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\033\075\021\024\352\172\017\225\130\124\101\225\277\153\045\202
\253\100\316\232
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\130\366\101\001\256\365\133\121\231\116\134\041\350\117\324\146
END
CKA_ISSUER MULTILINE_OCTAL
\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
\040\122\157\157\164\040\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\140\126\305\113\043\100\133\144\324\355\045\332\331\326
\036\036
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Entrust Root Certification Authority - G2"
#
@@ -18508,167 +18202,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
#
# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
# Serial Number:00:8e:17:fe:24:20:81
# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
# Not Valid Before: Tue Apr 30 08:07:01 2013
# Not Valid After : Fri Apr 28 08:07:01 2023
# Fingerprint (SHA-256): 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
# Fingerprint (SHA1): C4:18:F6:4D:46:D1:DF:00:3D:27:30:13:72:43:A9:12:11:C6:75:FB
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
\261\040\110\065
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
\261\040\110\065
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\007\000\216\027\376\044\040\201
END
CKA_VALUE MULTILINE_OCTAL
\060\202\004\047\060\202\003\017\240\003\002\001\002\002\007\000
\216\027\376\044\040\201\060\015\006\011\052\206\110\206\367\015
\001\001\013\005\000\060\201\261\061\013\060\011\006\003\125\004
\006\023\002\124\122\061\017\060\015\006\003\125\004\007\014\006
\101\156\153\141\162\141\061\115\060\113\006\003\125\004\012\014
\104\124\303\234\122\113\124\122\125\123\124\040\102\151\154\147
\151\040\304\260\154\145\164\151\305\237\151\155\040\166\145\040
\102\151\154\151\305\237\151\155\040\107\303\274\166\145\156\154
\151\304\237\151\040\110\151\172\155\145\164\154\145\162\151\040
\101\056\305\236\056\061\102\060\100\006\003\125\004\003\014\071
\124\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164
\162\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040
\110\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261
\143\304\261\163\304\261\040\110\065\060\036\027\015\061\063\060
\064\063\060\060\070\060\067\060\061\132\027\015\062\063\060\064
\062\070\060\070\060\067\060\061\132\060\201\261\061\013\060\011
\006\003\125\004\006\023\002\124\122\061\017\060\015\006\003\125
\004\007\014\006\101\156\153\141\162\141\061\115\060\113\006\003
\125\004\012\014\104\124\303\234\122\113\124\122\125\123\124\040
\102\151\154\147\151\040\304\260\154\145\164\151\305\237\151\155
\040\166\145\040\102\151\154\151\305\237\151\155\040\107\303\274
\166\145\156\154\151\304\237\151\040\110\151\172\155\145\164\154
\145\162\151\040\101\056\305\236\056\061\102\060\100\006\003\125
\004\003\014\071\124\303\234\122\113\124\122\125\123\124\040\105
\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146
\151\153\141\040\110\151\172\155\145\164\040\123\141\304\237\154
\141\171\304\261\143\304\261\163\304\261\040\110\065\060\202\001
\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
\003\202\001\017\000\060\202\001\012\002\202\001\001\000\244\045
\031\341\145\236\353\110\041\120\112\010\345\021\360\132\272\046
\377\203\131\316\104\052\057\376\341\316\140\003\374\215\003\245
\355\377\153\250\272\314\064\006\237\131\065\366\354\054\273\235
\373\215\122\151\343\234\047\020\123\363\244\002\305\247\371\021
\032\151\165\156\303\035\213\321\230\215\223\207\247\161\227\015
\041\307\231\371\122\323\054\143\135\125\274\350\037\001\110\271
\140\376\102\112\366\310\200\256\315\146\172\236\105\212\150\167
\342\110\150\237\242\332\361\341\301\020\237\353\074\051\201\247
\341\062\010\324\240\005\261\214\373\215\226\000\016\076\045\337
\123\206\042\073\374\364\275\363\011\176\167\354\206\353\017\063
\345\103\117\364\124\165\155\051\231\056\146\132\103\337\313\134
\312\310\345\070\361\176\073\065\235\017\364\305\132\241\314\363
\040\200\044\323\127\354\025\272\165\045\233\350\144\113\263\064
\204\357\004\270\366\311\154\252\002\076\266\125\342\062\067\137
\374\146\227\137\315\326\236\307\040\277\115\306\254\077\165\137
\034\355\062\234\174\151\000\151\221\343\043\030\123\351\002\003
\001\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026
\004\024\126\231\007\036\323\254\014\151\144\264\014\120\107\336
\103\054\276\040\300\373\060\016\006\003\125\035\017\001\001\377
\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367
\015\001\001\013\005\000\003\202\001\001\000\236\105\166\173\027
\110\062\362\070\213\051\275\356\226\112\116\201\030\261\121\107
\040\315\320\144\261\016\311\331\001\331\011\316\310\231\334\150
\045\023\324\134\362\243\350\004\376\162\011\307\013\252\035\045
\125\176\226\232\127\267\272\305\021\172\031\346\247\176\075\205
\016\365\371\056\051\057\347\371\154\130\026\127\120\045\366\076
\056\076\252\355\167\161\252\252\231\226\106\012\256\216\354\052
\121\026\260\136\315\352\147\004\034\130\060\365\140\212\275\246
\275\115\345\226\264\374\102\211\001\153\366\160\310\120\071\014
\055\325\146\331\310\322\263\062\267\033\031\155\313\063\371\337
\245\346\025\204\067\360\302\362\145\226\222\220\167\360\255\364
\220\351\021\170\327\223\211\300\075\013\272\051\364\350\231\235
\162\216\355\235\057\356\222\175\241\361\377\135\272\063\140\205
\142\376\007\002\241\204\126\106\276\226\012\232\023\327\041\114
\267\174\007\237\116\116\077\221\164\373\047\235\021\314\335\346
\261\312\161\115\023\027\071\046\305\051\041\053\223\051\152\226
\372\253\101\341\113\266\065\013\300\233\025
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
# Serial Number:00:8e:17:fe:24:20:81
# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
# Not Valid Before: Tue Apr 30 08:07:01 2013
# Not Valid After : Fri Apr 28 08:07:01 2023
# Fingerprint (SHA-256): 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
# Fingerprint (SHA1): C4:18:F6:4D:46:D1:DF:00:3D:27:30:13:72:43:A9:12:11:C6:75:FB
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\304\030\366\115\106\321\337\000\075\047\060\023\162\103\251\022
\021\306\165\373
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\332\160\216\360\042\337\223\046\366\137\237\323\025\006\122\116
END
CKA_ISSUER MULTILINE_OCTAL
\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
\261\040\110\065
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\007\000\216\027\376\044\040\201
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Certinomis - Root CA"
#
security/nss/lib/ckfw/builtins/nssckbi.h
+3 -3
View File
@@ -32,7 +32,7 @@
* - whenever possible, if older branches require a modification to the
* list, these changes should be made on the main line of development (trunk),
* and the older branches should update to the most recent list.
*
*
* - ODD minor version numbers are reserved to indicate a snapshot that has
* deviated from the main line of development, e.g. if it was necessary
* to modify the list on a stable branch.
@@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
#define NSS_BUILTINS_LIBRARY_VERSION "2.22"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 24
#define NSS_BUILTINS_LIBRARY_VERSION "2.24"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
security/nss/lib/ckfw/nssmkey/Makefile
-72
View File
@@ -1,72 +0,0 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
include manifest.mn
include $(CORE_DEPTH)/coreconf/config.mk
include config.mk
EXTRA_LIBS = \
$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
$(NULL)
# can't do this in manifest.mn because OS_TARGET isn't defined there.
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
ifdef NS_USE_GCC
EXTRA_LIBS += \
-L$(NSPR_LIB_DIR) \
-lplc4 \
-lplds4 \
-lnspr4 \
$(NULL)
else
EXTRA_SHARED_LIBS += \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
$(NULL)
endif # NS_USE_GCC
else
EXTRA_LIBS += \
-L$(NSPR_LIB_DIR) \
-lplc4 \
-lplds4 \
-lnspr4 \
-framework Security \
-framework CoreServices \
$(NULL)
endif
include $(CORE_DEPTH)/coreconf/rules.mk
# Generate certdata.c.
generate:
perl certdata.perl < certdata.txt
# This'll need some help from a build person.
ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
DSO_LDOPTS = -bM:SRE -bh:4 -bnoentry
EXTRA_DSO_LDOPTS = -lc
MKSHLIB = xlC $(DSO_LDOPTS)
$(SHARED_LIBRARY): $(OBJS)
@$(MAKE_OBJDIR)
rm -f $@
$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
chmod +x $@
endif
ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
LD += -G
endif

Some files were not shown because too many files have changed in this diff Show More