Bug 1086145 - Improving handshake test coverage, r=wtc

--HG--
extra : rebase_source : ff9160ed9fd8c30942150392bb75bd9260134328

external_tests/README

@@ -21,11 +21,11 @@ You should be able to run the unit tests manually as:
 
   ssl_gtest -d ${SSLGTESTDIR}
 
-Where $SSLGTESTDIR the directory created by ./all.sh or a manually
-created directory with a database containing a certificate called
-server (with its private keys)
+Where $SSLGTESTDIR is a directory with a database containing:
+ - an RSA certificate called server (with its private key)
+ - an ECDSA certificate called ecdsa (with its private key)
 
+A directory like this is created by ./all.sh and can be found
+in a directory named something like
 
-There is a very trivial set of tests that demonstrate some
-of the features.
-
+  tests_results/security/${hostname}.${NUMBER}/ssl_gtests

external_tests/ssl_gtest/manifest.mn

@@ -9,6 +9,7 @@ MODULE = nss
 CPPSRCS = \
       ssl_loopback_unittest.cc \
       ssl_extension_unittest.cc \
+      ssl_skip_unittest.cc \
       ssl_gtest.cc \
       test_io.cc \
       tls_agent.cc \

external_tests/ssl_gtest/ssl_extension_unittest.cc

@@ -268,8 +268,8 @@ class TlsExtensionTestBase : public TlsConnectTestBase {
       client_->SetPacketFilter(filter);
     }
     ConnectExpectFail();
-    ASSERT_EQ(kTlsAlertFatal, alert_recorder->level());
-    ASSERT_EQ(alert, alert_recorder->description());
+    EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
+    EXPECT_EQ(alert, alert_recorder->description());
   }
 
   void ServerHelloErrorTest(PacketFilter* filter,
@@ -280,8 +280,8 @@ class TlsExtensionTestBase : public TlsConnectTestBase {
       server_->SetPacketFilter(filter);
     }
     ConnectExpectFail();
-    ASSERT_EQ(kTlsAlertFatal, alert_recorder->level());
-    ASSERT_EQ(alert, alert_recorder->description());
+    EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
+    EXPECT_EQ(alert, alert_recorder->description());
   }
 
   static void InitSimpleSni(DataBuffer* extension) {
@@ -494,47 +494,47 @@ TEST_P(TlsExtensionTest12Plus, DISABLED_SignatureAlgorithmsSigUnsupported) {
 }
 
 TEST_P(TlsExtensionTestGeneric, SupportedCurvesShort) {
-  EnableSomeECDHECiphers();
+  EnableSomeEcdheCiphers();
   const uint8_t val[] = { 0x00, 0x01, 0x00 };
   DataBuffer extension(val, sizeof(val));
   ClientHelloErrorTest(new TlsExtensionReplacer(ssl_elliptic_curves_xtn,
                                                 extension));
 }
 
 TEST_P(TlsExtensionTestGeneric, SupportedCurvesBadLength) {
-  EnableSomeECDHECiphers();
+  EnableSomeEcdheCiphers();
   const uint8_t val[] = { 0x09, 0x99, 0x00, 0x00 };
   DataBuffer extension(val, sizeof(val));
   ClientHelloErrorTest(new TlsExtensionReplacer(ssl_elliptic_curves_xtn,
                                                 extension));
 }
 
 TEST_P(TlsExtensionTestGeneric, SupportedCurvesTrailingData) {
-  EnableSomeECDHECiphers();
+  EnableSomeEcdheCiphers();
   const uint8_t val[] = { 0x00, 0x02, 0x00, 0x00, 0x00 };
   DataBuffer extension(val, sizeof(val));
   ClientHelloErrorTest(new TlsExtensionReplacer(ssl_elliptic_curves_xtn,
                                                 extension));
 }
 
 TEST_P(TlsExtensionTestGeneric, SupportedPointsEmpty) {
-  EnableSomeECDHECiphers();
+  EnableSomeEcdheCiphers();
   const uint8_t val[] = { 0x00 };
   DataBuffer extension(val, sizeof(val));
   ClientHelloErrorTest(new TlsExtensionReplacer(ssl_ec_point_formats_xtn,
                                                 extension));
 }
 
 TEST_P(TlsExtensionTestGeneric, SupportedPointsBadLength) {
-  EnableSomeECDHECiphers();
+  EnableSomeEcdheCiphers();
   const uint8_t val[] = { 0x99, 0x00, 0x00 };
   DataBuffer extension(val, sizeof(val));
   ClientHelloErrorTest(new TlsExtensionReplacer(ssl_ec_point_formats_xtn,
                                                 extension));
 }
 
 TEST_P(TlsExtensionTestGeneric, SupportedPointsTrailingData) {
-  EnableSomeECDHECiphers();
+  EnableSomeEcdheCiphers();
   const uint8_t val[] = { 0x01, 0x00, 0x00 };
   DataBuffer extension(val, sizeof(val));
   ClientHelloErrorTest(new TlsExtensionReplacer(ssl_ec_point_formats_xtn,

external_tests/ssl_gtest/ssl_loopback_unittest.cc

@@ -15,7 +15,7 @@
 
 namespace nss_test {
 
-class TlsServerKeyExchangeECDHE {
+class TlsServerKeyExchangeEcdhe {
  public:
   bool Parse(const DataBuffer& buffer) {
     TlsParser parser(buffer);
@@ -45,37 +45,38 @@ TEST_P(TlsConnectGeneric, SetupOnly) {}
 TEST_P(TlsConnectGeneric, Connect) {
   Connect();
   client_->CheckVersion(std::get<1>(GetParam()));
+  client_->CheckAuthType(ssl_auth_rsa);
 }
 
 TEST_P(TlsConnectGeneric, ConnectResumed) {
   ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
   Connect();
 
-  Reset();
+  ResetRsa();
   Connect();
   CheckResumption(RESUME_SESSIONID);
 }
 
 TEST_P(TlsConnectGeneric, ConnectClientCacheDisabled) {
   ConfigureSessionCache(RESUME_NONE, RESUME_SESSIONID);
   Connect();
-  Reset();
+  ResetRsa();
   Connect();
   CheckResumption(RESUME_NONE);
 }
 
 TEST_P(TlsConnectGeneric, ConnectServerCacheDisabled) {
   ConfigureSessionCache(RESUME_SESSIONID, RESUME_NONE);
   Connect();
-  Reset();
+  ResetRsa();
   Connect();
   CheckResumption(RESUME_NONE);
 }
 
 TEST_P(TlsConnectGeneric, ConnectSessionCacheDisabled) {
   ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
   Connect();
-  Reset();
+  ResetRsa();
   Connect();
   CheckResumption(RESUME_NONE);
 }
@@ -85,7 +86,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeSupportBoth) {
   ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   Connect();
 
-  Reset();
+  ResetRsa();
   ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   Connect();
   CheckResumption(RESUME_TICKET);
@@ -97,7 +98,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientTicketServerBoth) {
   ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH);
   Connect();
 
-  Reset();
+  ResetRsa();
   ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH);
   Connect();
   CheckResumption(RESUME_NONE);
@@ -108,7 +109,7 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicket) {
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
   Connect();
 
-  Reset();
+  ResetRsa();
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
   Connect();
   CheckResumption(RESUME_TICKET);
@@ -120,7 +121,7 @@ TEST_P(TlsConnectGeneric, ConnectClientServerTicketOnly) {
   ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
   Connect();
 
-  Reset();
+  ResetRsa();
   ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
   Connect();
   CheckResumption(RESUME_NONE);
@@ -130,7 +131,7 @@ TEST_P(TlsConnectGeneric, ConnectClientBothServerNone) {
   ConfigureSessionCache(RESUME_BOTH, RESUME_NONE);
   Connect();
 
-  Reset();
+  ResetRsa();
   ConfigureSessionCache(RESUME_BOTH, RESUME_NONE);
   Connect();
   CheckResumption(RESUME_NONE);
@@ -140,35 +141,12 @@ TEST_P(TlsConnectGeneric, ConnectClientNoneServerBoth) {
   ConfigureSessionCache(RESUME_NONE, RESUME_BOTH);
   Connect();
 
-  Reset();
+  ResetRsa();
   ConfigureSessionCache(RESUME_NONE, RESUME_BOTH);
   Connect();
   CheckResumption(RESUME_NONE);
 }
 
-TEST_P(TlsConnectGeneric, ConnectTLS_1_1_Only) {
-  EnsureTlsSetup();
-  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
-                           SSL_LIBRARY_VERSION_TLS_1_1);
-
-  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
-                           SSL_LIBRARY_VERSION_TLS_1_1);
-
-  Connect();
-
-  client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_1);
-}
-
-TEST_P(TlsConnectGeneric, ConnectTLS_1_2_Only) {
-  EnsureTlsSetup();
-  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
-                           SSL_LIBRARY_VERSION_TLS_1_2);
-  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
-                           SSL_LIBRARY_VERSION_TLS_1_2);
-  Connect();
-  client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_2);
-}
-
 TEST_P(TlsConnectGeneric, ResumeWithHigherVersion) {
   EnsureTlsSetup();
   ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
@@ -178,7 +156,7 @@ TEST_P(TlsConnectGeneric, ResumeWithHigherVersion) {
                            SSL_LIBRARY_VERSION_TLS_1_1);
   Connect();
 
-  Reset();
+  ResetRsa();
   EnsureTlsSetup();
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_2);
@@ -196,77 +174,84 @@ TEST_P(TlsConnectGeneric, ConnectAlpn) {
   server_->CheckAlpn(SSL_NEXT_PROTO_NEGOTIATED, "a");
 }
 
+TEST_P(TlsConnectGeneric, ConnectEcdsa) {
+  ResetEcdsa();
+  Connect();
+  client_->CheckVersion(std::get<1>(GetParam()));
+  client_->CheckAuthType(ssl_auth_ecdsa);
+}
+
 TEST_P(TlsConnectDatagram, ConnectSrtp) {
   EnableSrtp();
   Connect();
   CheckSrtp();
 }
 
-TEST_P(TlsConnectStream, ConnectECDHE) {
-  EnableSomeECDHECiphers();
+TEST_P(TlsConnectStream, ConnectEcdhe) {
+  EnableSomeEcdheCiphers();
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 }
 
-TEST_P(TlsConnectStream, ConnectECDHETwiceReuseKey) {
-  EnableSomeECDHECiphers();
+TEST_P(TlsConnectStream, ConnectEcdheTwiceReuseKey) {
+  EnableSomeEcdheCiphers();
   TlsInspectorRecordHandshakeMessage* i1 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
   server_->SetPacketFilter(i1);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
-  TlsServerKeyExchangeECDHE dhe1;
-  ASSERT_TRUE(dhe1.Parse(i1->buffer()));
+  TlsServerKeyExchangeEcdhe dhe1;
+  EXPECT_TRUE(dhe1.Parse(i1->buffer()));
 
   // Restart
-  Reset();
+  ResetRsa();
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
   server_->SetPacketFilter(i2);
-  EnableSomeECDHECiphers();
+  EnableSomeEcdheCiphers();
   ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
-  TlsServerKeyExchangeECDHE dhe2;
-  ASSERT_TRUE(dhe2.Parse(i2->buffer()));
+  TlsServerKeyExchangeEcdhe dhe2;
+  EXPECT_TRUE(dhe2.Parse(i2->buffer()));
 
   // Make sure they are the same.
-  ASSERT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len());
-  ASSERT_TRUE(!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(),
+  EXPECT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len());
+  EXPECT_TRUE(!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(),
                       dhe1.public_key_.len()));
 }
 
-TEST_P(TlsConnectStream, ConnectECDHETwiceNewKey) {
-  EnableSomeECDHECiphers();
+TEST_P(TlsConnectStream, ConnectEcdheTwiceNewKey) {
+  EnableSomeEcdheCiphers();
   SECStatus rv =
       SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
-  ASSERT_EQ(SECSuccess, rv);
+  EXPECT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i1 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
   server_->SetPacketFilter(i1);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
-  TlsServerKeyExchangeECDHE dhe1;
-  ASSERT_TRUE(dhe1.Parse(i1->buffer()));
+  TlsServerKeyExchangeEcdhe dhe1;
+  EXPECT_TRUE(dhe1.Parse(i1->buffer()));
 
   // Restart
-  Reset();
-  EnableSomeECDHECiphers();
+  ResetRsa();
+  EnableSomeEcdheCiphers();
   rv = SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
-  ASSERT_EQ(SECSuccess, rv);
+  EXPECT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
   server_->SetPacketFilter(i2);
   ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
-  TlsServerKeyExchangeECDHE dhe2;
-  ASSERT_TRUE(dhe2.Parse(i2->buffer()));
+  TlsServerKeyExchangeEcdhe dhe2;
+  EXPECT_TRUE(dhe2.Parse(i2->buffer()));
 
   // Make sure they are different.
-  ASSERT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) &&
+  EXPECT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) &&
                (!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(),
                         dhe1.public_key_.len())));
 }