Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Bug 1311688 - Support most of the BoGo test flags for TLS version res…
…trictions. r=ekr

This covers -max-version and the -no-{ssl,tls}* flags, but not -min-version.

Differential Revision: https://nss-dev.phacility.com/D115
  • Loading branch information
jld committed Nov 18, 2016
1 parent 8120faa commit e0046bc
Showing 1 changed file with 92 additions and 2 deletions.
94 changes: 92 additions & 2 deletions gtests/nss_bogo_shim/nss_bogo_shim.cc
Expand Up @@ -18,6 +18,14 @@

#include "nsskeys.h"

static const char* kVersionDisableFlags[] = {
"no-ssl3",
"no-tls1",
"no-tls11",
"no-tls12",
"no-tls13"
};

bool exitCodeUnimplemented = false;

std::string FormatError(PRErrorCode code) {
Expand Down Expand Up @@ -144,12 +152,90 @@ class TestAgent {
return true;
}

bool GetVersionRange(SSLVersionRange* range_out, SSLProtocolVariant variant) {
SSLVersionRange supported;
if (SSL_VersionRangeGetSupported(variant, &supported) != SECSuccess) {
return false;
}

auto max_allowed = static_cast<uint16_t>(cfg_.get<int>("max-version"));
if (variant == ssl_variant_datagram) {
// For DTLS this is the wire version; adjust if needed.
switch (max_allowed) {
case SSL_LIBRARY_VERSION_DTLS_1_0_WIRE:
max_allowed = SSL_LIBRARY_VERSION_DTLS_1_0;
break;
case SSL_LIBRARY_VERSION_DTLS_1_2_WIRE:
max_allowed = SSL_LIBRARY_VERSION_DTLS_1_2;
break;
case SSL_LIBRARY_VERSION_DTLS_1_3_WIRE:
max_allowed = SSL_LIBRARY_VERSION_DTLS_1_3;
break;
case 0xffff: // No maximum specified.
break;
default:
// Unrecognized DTLS version.
return false;
}
}

max_allowed = std::min(max_allowed, supported.max);

bool found_min = false;
bool found_max = false;
// Ignore -no-ssl3, because SSLv3 is never supported.
for (size_t i = 1; i < PR_ARRAY_SIZE(kVersionDisableFlags); ++i) {
auto version =
static_cast<uint16_t>(SSL_LIBRARY_VERSION_TLS_1_0 + (i - 1));
if (variant == ssl_variant_datagram) {
// In DTLS mode, the -no-tlsN flags refer to DTLS versions,
// but NSS wants the corresponding TLS versions.
if (version == SSL_LIBRARY_VERSION_TLS_1_1) {
// DTLS 1.1 doesn't exist.
continue;
}
if (version == SSL_LIBRARY_VERSION_TLS_1_0) {
version = SSL_LIBRARY_VERSION_DTLS_1_0;
}
}

if (version < supported.min) {
continue;
}
if (version > max_allowed) {
break;
}

const bool allowed = !cfg_.get<bool>(kVersionDisableFlags[i]);

if (!found_min && allowed) {
found_min = true;
range_out->min = version;
}
if (found_min && !found_max) {
if (allowed) {
range_out->max = version;
} else {
found_max = true;
}
}
if (found_max && allowed) {
// Discontiguous range.
return false;
}
}

// Iff found_min is still false, no usable version was found.
return found_min;
}

bool SetupOptions() {
SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
if (rv != SECSuccess) return false;

SSLVersionRange vrange = {SSL_LIBRARY_VERSION_TLS_1_0,
SSL_LIBRARY_VERSION_TLS_1_3};
SSLVersionRange vrange;
if (!GetVersionRange(&vrange, ssl_variant_stream)) return false;

rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
if (rv != SECSuccess) return false;

Expand Down Expand Up @@ -268,6 +354,10 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
cfg->AddEntry<int>("resume-count", 0);
cfg->AddEntry<std::string>("key-file", "");
cfg->AddEntry<std::string>("cert-file", "");
cfg->AddEntry<int>("max-version", 0xffff);
for (auto flag : kVersionDisableFlags) {
cfg->AddEntry<bool>(flag, false);
}

auto rv = cfg->ParseArgs(argc, argv);
switch (rv) {
Expand Down

0 comments on commit e0046bc

Please sign in to comment.