Bug 1336424 - Update BoGo tests revision and support more flags r=fra…
…nziskus

Differential Revision: https://nss-review.dev.mozaws.net/D213

--HG--
extra : amend_source : 93bcb16747e39cb7e0ac6135f36955fdd50a4b6c
Tim Taubert committed Feb 15, 2017
1 parent f7e4d2f commit b4b517d
Showing 3 changed files with 89 additions and 20 deletions.
20 changes: 10 additions & 10 deletions gtests/nss_bogo_shim/config.json
@@ -5,35 +5,28 @@
"#*HelloRetryRequest*":"(NSS=18, BoGo=16)",
"#*KeyShare*":"(NSS=18, BoGo=16)",
"#*EncryptedExtensions*":"(NSS=18, BoGo=16)",
"#*ServerHelloSignatureAlgorithms*":"(NSS=18, BoGo=16)",
"#*SecondClientHello*":"(NSS=18, BoGo=16)",
"#*IgnoreClientVersionOrder*":"(NSS=18, BoGo=16)",
"Resume-Server-BinderWrongLength":"Alert disagreement (Bug 1317633)",
"Resume-Server-NoPSKBinder":"Alert disagreement (Bug 1317633)",
"CheckRecordVersion-TLS*":"Bug 1317634",
"GREASE-Server-TLS13":"BoringSSL GREASEs without a flag, but we ignore it",
"TLS13-ExpectNoSessionTicketOnBadKEMode-Server":"Bug in NSS. Don't send ticket when not permitted by KE modes (Bug 1317635)",
"Resume-Server-InvalidPSKBinder":"(Bogo incorrectly expects 'illegal_parameter')",
"FallbackSCSV-VersionMatch":"Draft version mismatch (NSS=15, BoGo=14)",
"*KeyUpdate*":"KeyUpdate Unimplemented",
"ClientAuth-NoFallback-TLS13":"Disagreement about alerts. Bug 1294975",
"ClientAuth-SHA1-Fallback":"Disagreement about alerts. Bug 1294975",
"SendWarningAlerts-TLS13":"NSS needs to trigger on warning alerts",
"NoSupportedCurves":"This tests a non-spec behavior for TLS 1.2 and expects the wrong alert for TLS 1.3",
"SendEmptyRecords":"Tests a non-spec behavior in BoGo where it chokes on too many empty records",
"LargePlaintext":"NSS needs to check for over-long records. Bug 1294978",
"TLS13-RC4-MD5-server":"This fails properly but returns an unexpected error. Not a bug but needs cleanup",
"*VersionTolerance":"BoGo expects us to negotiate 1.3 but we negotiate 1.2 because BoGo didn't send draft version",
"*SSL3*":"NSS disables SSLv3",
"*SSLv3*":"NSS disables SSLv3",
"*AES256*":"Inconsistent support for AES256",
"*AES128-SHA256*":"No support for Suite B ciphers",
"*CHACHA20-POLY1305-OLD*":"Old ChaCha/Poly",
"DuplicateExtension*":"NSS sends unexpected_extension alert",
"WeakDH":"NSS supports 768-bit DH",
"SillyDH":"NSS supports 4097-bit DH",
"SendWarningAlerts":"This appears to be Boring-specific",
"V2ClientHello-WarningAlertPrefix":"Bug 1292893",
"TLS12-AES128-GCM-client":"Bug 1292895",
"*TLS12-AES128-GCM-LargeRecord*":"Bug 1292895",
"Renegotiate-Client-Forbidden-1":"Bug 1292898",
@@ -51,11 +44,18 @@
"WrongMessageType-TLS13-ServerFinished":"nss updated/broken",
"EncryptedExtensionsWithKeyShare":"nss updated/broken",
"EmptyEncryptedExtensions":"nss updated/broken",
"ClientAuth-SHA1-Fallback-RSA":"We fail when the sig_algs_ext is empty",
"Downgrade-TLS12-*":"NSS implements downgrade detection",
"TrailingMessageData-*": "Bug 1304575",
"DuplicateKeyShares":"Bug 1304578",
"Resume-Server-TLS13-TLS13":"Bug 1314351"
"Resume-Server-TLS13-TLS13":"Bug 1314351",
"SkipEarlyData-Interleaved":"Bug 1336916",
"ECDSAKeyUsage-TLS1*":"Bug 1338194",
"PointFormat-Client-MissingUncompressed":"We ignore ec_point_formats extensions sent by servers.",
"SkipEarlyData-SecondClientHelloEarlyData":"Boring doesn't reject early_data in the 2nd CH but fails later with bad_record_mac.",
"SkipEarlyData-*TooMuchData":"Bug 1339373",
"UnsolicitedServerNameAck-TLS1*":"Boring wants us to fail with an unexpected_extension alert, we simply ignore ssl_server_name_xtn.",
"RequireAnyClientCertificate-TLS1*":"Bug 1339387",
"SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
"ALPNClient-Mismatch-TLS1*":"Bug 1339418"
},
"ErrorMap" : {
":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",
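Review bot: Three of the exclusions that appear to be new in the second hunk, `PointFormat-Client-MissingUncompressed`, `SkipEarlyData-SecondClientHelloEarlyData` and `UnsolicitedServerNameAck-TLS1*`, carry only a prose reason, while the neighbouring new entries cite a bug number. Going by their reason strings, two of them record NSS ignoring a server extension (ec_point_formats, ssl_server_name_xtn) where BoGo expects a failure, which is a divergence worth tracking rather than only skipping. I would file bugs and put the number in the reason, e.g. `"UnsolicitedServerNameAck-TLS1*":"Bug <bug-id>: NSS ignores unsolicited ssl_server_name_xtn"`, so the disabled coverage gets revisited.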
87 changes: 78 additions & 9 deletions gtests/nss_bogo_shim/nss_bogo_shim.cc
@@ -122,24 +122,23 @@ class TestAgent {
cert_ = ReadCertificate(cfg_.get<std::string>("cert-file"));
if (!cert_) return false;
}

// Needed because certs are not entirely valid.
rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
if (rv != SECSuccess) return false;

if (cfg_.get<bool>("server")) {
// Server
rv = SSL_ConfigServerCert(ssl_fd_, cert_, key_, nullptr, 0);
if (rv != SECSuccess) {
std::cerr << "Couldn't configure server cert\n";
return false;
}
} else {
// Client.

// Needed because server certs are not entirely valid.
rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
} else if (key_ && cert_) {
// Client.
rv = SSL_GetClientAuthDataHook(ssl_fd_, GetClientAuthDataHook, this);
if (rv != SECSuccess) return false;

if (key_ && cert_) {
rv = SSL_GetClientAuthDataHook(ssl_fd_, GetClientAuthDataHook, this);
if (rv != SECSuccess) return false;
}
}

return true;
@@ -269,6 +268,47 @@ class TestAgent {
rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE, false);
if (rv != SECSuccess) return false;

auto alpn = cfg_.get<std::string>("advertise-alpn");
if (!alpn.empty()) {
assert(!cfg_.get<bool>("server"));

rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_ALPN, PR_TRUE);
if (rv != SECSuccess) return false;

rv = SSL_SetNextProtoNego(
ssl_fd_, reinterpret_cast<const unsigned char*>(alpn.c_str()),
alpn.size());
if (rv != SECSuccess) return false;
}

if (cfg_.get<bool>("fallback-scsv")) {
rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
if (rv != SECSuccess) return false;
}

if (cfg_.get<bool>("false-start")) {
rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_FALSE_START, PR_TRUE);
if (rv != SECSuccess) return false;
}

if (cfg_.get<bool>("enable-ocsp-stapling")) {
rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
if (rv != SECSuccess) return false;
}

bool requireClientCert = cfg_.get<bool>("require-any-client-certificate");
if (requireClientCert || cfg_.get<bool>("verify-peer")) {
assert(cfg_.get<bool>("server"));

rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE);
if (rv != SECSuccess) return false;

rv = SSL_OptionSet(
ssl_fd_, SSL_REQUIRE_CERTIFICATE,
requireClientCert ? SSL_REQUIRE_ALWAYS : SSL_REQUIRE_NO_ERROR);
if (rv != SECSuccess) return false;
}

if (!cfg_.get<bool>("server")) {
// Needed to make resumption work.
rv = SSL_SetURL(ssl_fd_, "server");
@@ -413,6 +453,28 @@ class TestAgent {
}
}

auto alpn = cfg_.get<std::string>("expect-alpn");
if (!alpn.empty()) {
SSLNextProtoState state;
char chosen[256];
unsigned int chosen_len;
rv = SSL_GetNextProto(ssl_fd_, &state,
reinterpret_cast<unsigned char*>(chosen),
&chosen_len, sizeof(chosen));
if (rv != SECSuccess) {
PRErrorCode err = PR_GetError();
std::cerr << "SSL_GetNextProto failed with error=" << FormatError(err)
<< std::endl;
return SECFailure;
}

assert(chosen_len <= sizeof(chosen));
if (std::string(chosen, chosen_len) != alpn) {
std::cerr << "Unexpected ALPN selection" << std::endl;
return SECFailure;
}
}

return SECSuccess;
}

@@ -437,7 +499,14 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
for (auto flag : kVersionDisableFlags) {
cfg->AddEntry<bool>(flag, false);
}
cfg->AddEntry<bool>("fallback-scsv", false);
cfg->AddEntry<bool>("false-start", false);
cfg->AddEntry<bool>("enable-ocsp-stapling", false);
cfg->AddEntry<bool>("write-then-read", false);
cfg->AddEntry<bool>("require-any-client-certificate", false);
cfg->AddEntry<bool>("verify-peer", false);
cfg->AddEntry<std::string>("advertise-alpn", "");
cfg->AddEntry<std::string>("expect-alpn", "");

auto rv = cfg->ParseArgs(argc, argv);
switch (rv) {
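Review bot: In the `expect-alpn` check, `assert(chosen_len <= sizeof(chosen))` is the shim's only guard before `std::string(chosen, chosen_len)` reads the stack buffer, and it compiles away when NDEBUG is defined. I would declare `unsigned int chosen_len = 0;` and make the guard a runtime check, `if (chosen_len > sizeof(chosen)) return SECFailure;`. `state` is filled in by `SSL_GetNextProto` but never inspected, so a comment saying why the negotiation state is irrelevant to the comparison (or a check on it) would help. The role checks `assert(!cfg_.get<bool>("server"))` and `assert(cfg_.get<bool>("server"))` in the option-setup hunk have the same weakness: a flag passed for the wrong role should print an error and `return false`. The enclosing functions start and end outside these hunks.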
2 changes: 1 addition & 1 deletion tests/bogo/bogo.sh
@@ -25,7 +25,7 @@ bogo_init()
BORING=${BORING:=boringssl}
if [ ! -d "$BORING" ]; then
git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
git -C "$BORING" checkout -q 004bff3a1412fcc6ba168d4295a942f9b1e0866e
fi

SCRIPTNAME="bogo.sh"