mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-14 22:05:44 +00:00
Bug 1432177, uplift NSS_3_36_BETA3, r=me
UPGRADE_NSS_RELEASE
This commit is contained in:
parent
208923b645
commit
16cfaba763
@ -1 +1 @@
|
||||
1b20549e1075
|
||||
NSS_3_36_BETA3
|
||||
|
@ -1,4 +1,4 @@
|
||||
4.18
|
||||
4.19
|
||||
|
||||
# The first line of this file must contain the human readable NSPR
|
||||
# version number, which is the minimum required version of NSPR
|
||||
|
@ -9,7 +9,7 @@ ENV haclrepo https://github.com/mitls/hacl-star.git
|
||||
|
||||
# Define versions of dependencies
|
||||
ENV opamv 4.04.2
|
||||
ENV haclversion dcd48329d535727dbde93877b124c5ec4a7a2b20
|
||||
ENV haclversion 104de0fbc83939a5e76012d64e3db2b3c0524bd1
|
||||
|
||||
# Install required packages and set versions
|
||||
ADD setup.sh /tmp/setup.sh
|
||||
|
@ -77,7 +77,8 @@ queue.filter(task => {
|
||||
}
|
||||
}
|
||||
|
||||
if (task.tests == "fips" && task.platform == "mac") {
|
||||
if (task.tests == "fips" &&
|
||||
(task.platform == "mac" || task.platform == "aarch64")) {
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -93,7 +94,7 @@ queue.filter(task => {
|
||||
}
|
||||
}
|
||||
|
||||
// Don't run additional hardware tests on ARM (we don't have anything there).
|
||||
// Don't run all additional hardware tests on ARM.
|
||||
if (task.group == "Cipher" && task.platform == "aarch64" && task.env &&
|
||||
(task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_HW_AES == "1"
|
||||
|| task.env.NSS_DISABLE_AVX == "1")) {
|
||||
@ -271,6 +272,18 @@ export default async function main() {
|
||||
}, aarch64_base)
|
||||
);
|
||||
|
||||
await scheduleLinux("Linux AArch64 (debug, make)",
|
||||
merge({
|
||||
env: {USE_64: "1"},
|
||||
command: [
|
||||
"/bin/bash",
|
||||
"-c",
|
||||
"bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
|
||||
],
|
||||
collection: "make",
|
||||
}, aarch64_base)
|
||||
);
|
||||
|
||||
await scheduleMac("Mac (opt)", {collection: "opt"}, "--opt");
|
||||
await scheduleMac("Mac (debug)", {collection: "debug"});
|
||||
}
|
||||
@ -899,6 +912,13 @@ function scheduleTests(task_build, task_cert, test_base) {
|
||||
name: "Cipher tests", symbol: "NoAVX", tests: "cipher",
|
||||
env: {NSS_DISABLE_AVX: "1"}, group: "Cipher"
|
||||
}));
|
||||
queue.scheduleTask(merge(no_cert_base, {
|
||||
name: "Cipher tests", symbol: "NoSSSE3|NEON", tests: "cipher",
|
||||
env: {
|
||||
NSS_DISABLE_ARM_NEON: "1",
|
||||
NSS_DISABLE_SSSE3: "1"
|
||||
}, group: "Cipher"
|
||||
}));
|
||||
queue.scheduleTask(merge(no_cert_base, {
|
||||
name: "EC tests", symbol: "EC", tests: "ec"
|
||||
}));
|
||||
|
@ -31,10 +31,11 @@ function parseRoutes(routes) {
|
||||
];
|
||||
|
||||
// Notify about failures (except on try).
|
||||
if (process.env.TC_PROJECT != "nss-try") {
|
||||
// Turned off, too noisy.
|
||||
/*if (process.env.TC_PROJECT != "nss-try") {
|
||||
rv.push(`notify.email.${process.env.TC_OWNER}.on-failed`,
|
||||
`notify.email.${process.env.TC_OWNER}.on-exception`);
|
||||
}
|
||||
}*/
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
@ -1,137 +0,0 @@
|
||||
How to setup your very own Cert-O-Matic Root CA server
|
||||
|
||||
This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
How to setup your very own Cert-O-Matic Root CA server
|
||||
|
||||
The program certcgi is part of a small test CA that is used inside
|
||||
Netscape by the NSS development team. That CA is affectionately known
|
||||
as "Cert-O-Matic" or "Cert-O-Matic II". It presently runs on a server
|
||||
named interzone.mcom.com inside Netscape's firewall.
|
||||
|
||||
If you wish to setup your own Cert-O-Matic, here are directions.
|
||||
|
||||
Disclaimer: This program does not follow good practices for root CAs.
|
||||
It should be used only for playing/testing and never for production use.
|
||||
Remember, you've been warned!
|
||||
|
||||
Cert-O-Matic consists of some html files, shell scripts, one executable
|
||||
program that uses NSS and NSPR, the usual set of NSS .db files, and a file
|
||||
in which to remember the serial number of the last cert issued. The
|
||||
html files and the source to the executable program are in this directory.
|
||||
Sample shell scripts are shown below.
|
||||
|
||||
The shell scripts and executable program run as CGI "scripts". The
|
||||
entire thing runs on an ordinary http web server. It would also run on
|
||||
an https web server. The shell scripts and html files must be
|
||||
customized for the server on which they run.
|
||||
|
||||
The package assumes you have a "document root" directory $DOCROOT, and a
|
||||
"cgi-bin" directory $CGIBIN. In this example, the document root is
|
||||
assumed to be located in /var/www/htdocs, and the cgi-bin directory in
|
||||
/var/www/cgi-bin.
|
||||
|
||||
The server is assumed to run all cgi scripts as the user "nobody".
|
||||
The names of the cgi scripts run directly by the server all end in .cgi
|
||||
because some servers like it that way.
|
||||
|
||||
Instructions:
|
||||
|
||||
- Create directory $DOCROOT/certomatic
|
||||
- Copy the following files from nss/cmd/certcgi to $DOCROOT/certomatic
|
||||
ca.html index.html main.html nscp_ext_form.html stnd_ext_form.html
|
||||
- Edit the html files, substituting the name of your own server for the
|
||||
server named in those files.
|
||||
- In some web page (e.g. your server's home page), provide an html link to
|
||||
$DOCROOT/certomatic/index.html. This is where users start to get their
|
||||
own certs from certomatic.
|
||||
- give these files and directories appropriate permissions.
|
||||
|
||||
- Create directories $CGIBIN/certomatic and $CGIBIN/certomatic/bin
|
||||
make sure that $CGIBIN/certomatic is writable by "nobody"
|
||||
|
||||
- Create a new set of NSS db files there with the following command:
|
||||
|
||||
certutil -N -d $CGIBIN/certomatic
|
||||
|
||||
- when certutil prompts you for the password, enter the word foo
|
||||
because that is compiled into the certcgi program.
|
||||
|
||||
- Create the new Root CA cert with this command
|
||||
|
||||
certutil -S -x -d $CGIBIN/certomatic -n "Cert-O-Matic II" \
|
||||
-s "CN=Cert-O-Matic II, O=Cert-O-Matic II" -t TCu,cu,cu -k rsa \
|
||||
-g 1024 -m 10001 -v 60
|
||||
|
||||
(adjust the -g, -m and -v parameters to taste. -s and -x must be as
|
||||
shown.)
|
||||
|
||||
- dump out the new root CA cert in base64 encoding:
|
||||
|
||||
certutil -d $CGIBIN/certomatic -L -n "Cert-O-Matic II" -a > \
|
||||
$CGIBIN/certomatic/root.cacert
|
||||
|
||||
- In $CGIBIN/certomatic/bin add two shell scripts - one to download the
|
||||
root CA cert on demand, and one to run the certcgi program.
|
||||
|
||||
download.cgi, the script to install the root CA cert into a browser on
|
||||
demand, is this:
|
||||
|
||||
#!/bin/sh
|
||||
echo "Content-type: application/x-x509-ca-cert"
|
||||
echo
|
||||
cat $CGIBIN/certomatic/root.cacert
|
||||
|
||||
You'll have to put the real path into that cat command because CGIBIN
|
||||
won't be defined when this script is run by the server.
|
||||
|
||||
certcgi.cgi, the script to run the certcgi program is similar to this:
|
||||
|
||||
#!/bin/sh
|
||||
cd $CGIBIN/certomatic/bin
|
||||
LD_LIBRARY_PATH=$PLATFORM/lib
|
||||
export LD_LIBRARY_PATH
|
||||
$PLATFORM/bin/certcgi $* 2>&1
|
||||
|
||||
Where $PLATFORM/lib is where the NSPR nad NSS DSOs are located, and
|
||||
$PLATFORM/bin is where certcgi is located. PLATFORM is not defined when
|
||||
the server runs this script, so you'll have to substitute the right value
|
||||
in your script. certcgi requires that the working directory be one level
|
||||
below the NSS DBs, that is, the DBs are accessed in the directory "..".
|
||||
|
||||
You'll want to provide an html link somewhere to the script that downloads
|
||||
the root.cacert file. You'll probably want to put that next to the link
|
||||
that loads the index.html page. On interzone, this is done with the
|
||||
following html:
|
||||
|
||||
<a href="/certomatic/index.html">Cert-O-Matic II Root CA server</a>
|
||||
<p>
|
||||
<a href="/cgi-bin/certomatic/bin/download.cgi">Download and trust Root CA
|
||||
certificate</a>
|
||||
|
||||
The index.html file in this directory invokes the certcgi.cgi script with
|
||||
the form post method, so if you change the name of the certcgi.cgi script,
|
||||
you'll also have to change the index.html file in $DOCROOT/certomatic
|
||||
|
||||
The 4 files used by the certcgi program (the 3 NSS DBs, and the serial
|
||||
number file) are not required to live in $CGIBIN/certomatic, but they are
|
||||
required to live in $CWD/.. when certcgi starts.
|
||||
|
||||
Known bugs:
|
||||
|
||||
1. Because multiple of these CAs exist simultaneously, it would be best if
|
||||
they didn't all have to be called "Cert-O-Matic II", but that string is
|
||||
presently hard coded into certcgi.c.
|
||||
|
||||
2. the html files in this directory contain numerous extraneous <FORM> tags
|
||||
which appear to use the post method and have action URLS that are never
|
||||
actually used. burp.cgi and echoform.cgi are never actually used. This
|
||||
should be cleaned up.
|
||||
|
||||
3. The html files use <layer> tags which are supported only in Netscape
|
||||
Navigator and Netscape Communication 4.x browsers. The html files do
|
||||
not work as intended with Netscape 6.x, Mozilla or Microsoft IE browsers.
|
||||
The html files should be fixed to work with all those named browsers.
|
||||
|
@ -1,48 +0,0 @@
|
||||
#! gmake
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
#######################################################################
|
||||
# (1) Include initial platform-independent assignments (MANDATORY). #
|
||||
#######################################################################
|
||||
|
||||
include manifest.mn
|
||||
|
||||
#######################################################################
|
||||
# (2) Include "global" configuration information. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/config.mk
|
||||
|
||||
#######################################################################
|
||||
# (3) Include "component" configuration information. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
|
||||
#######################################################################
|
||||
|
||||
include ../platlibs.mk
|
||||
|
||||
#######################################################################
|
||||
# (5) Execute "global" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
|
||||
#######################################################################
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
#######################################################################
|
||||
|
||||
|
||||
|
||||
include ../platrules.mk
|
||||
|
@ -1,19 +0,0 @@
|
||||
<!-- This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
|
||||
|
||||
<form method="post" name="ca_form" action="mailto:jerdonek@netscape.com">
|
||||
<input type="radio" name="caChoiceradio" value="SignWithDefaultkey"
|
||||
onClick="{parent.choice_change(this.form)}">
|
||||
Use the Cert-O-matic certificate to issue the cert</p>
|
||||
<input type="radio" name="caChoiceradio" value="SignWithRandomChain"
|
||||
onClick="{parent.choice_change(this.form)}"> Use a
|
||||
<input type="text" size="2" maxsize="2" name="autoCAs"> CA long
|
||||
automatically generated chain ending with the Cert-O-Matic Cert
|
||||
(18 maximum)</p>
|
||||
<input type="radio" name="caChoiceradio" value="SignWithSpecifiedChain"
|
||||
onClick="{parent.choice_change(this.form)}"> Use a
|
||||
<input type="text" size="1" maxlength="1" name="manCAs"
|
||||
onChange="{parent.ca_num_change(this.value,this.form)}"> CA long
|
||||
user input chain ending in the Cert-O-Matic Cert.</p>
|
||||
</form>
|
@ -1,357 +0,0 @@
|
||||
<html>
|
||||
<!-- This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
|
||||
<form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
|
||||
<table border=0 cellspacing=10 cellpadding=0>
|
||||
<tr>
|
||||
<td>
|
||||
Common Name:</td><td> <input type="text" name="name" onChange="{window.top.reset_subject('CN=', value, form)}"></p>
|
||||
</td>
|
||||
<td></td><td></td><td>
|
||||
Mail: </td><td><input type="text" name="email" onChange="var temp;{if (email_type[0].checked) {temp = 'MAIL='} else {temp = 'E='}} ;{window.top.reset_subject(temp, value, form)}"></p>
|
||||
RFC 1274<input type="radio" name="email_type" value="1" onClick="window.top.switch_mail(form)">
|
||||
e-mail<input type="radio" name="email_type" value="2" checked onClick="window.top.switch_mail(form)"></td>
|
||||
<tr>
|
||||
<td>
|
||||
Organization: </td><td> <input type="text" name="org" onChange="{window.top.reset_subject('O=', value, form)}"></p></td>
|
||||
<td></td><td></td><td>
|
||||
Organizational Unit: </td><td><input type="text" name="org_unit" onChange="{window.top.reset_subject('OU=', value, form)}"></p></td>
|
||||
<tr>
|
||||
<td>
|
||||
RFC 1274 UID: </td><td><input type="text" name="uid" onChange="{window.top.reset_subject('UID=', value, form)}"></p></td>
|
||||
<td></td><td></td><td>
|
||||
Locality: </td><td><input type="text" name="loc" onChange="{window.top.reset_subject('L=', value, form)}"></p></td>
|
||||
<tr>
|
||||
<td>
|
||||
State or Province: </td><td><input type="text" name="state" onChange="{window.top.reset_subject('ST=', value, form)}"></p></td>
|
||||
<td></td><td></td><td>
|
||||
Country: </td><td><input type="text" size="2" maxsize="2" name="country" onChange="{window.top.reset_subject('C=', value, form)}"></p></td>
|
||||
</table>
|
||||
<table border=0 cellspacing=10 cellpadding=0>
|
||||
<tr>
|
||||
<td>
|
||||
Serial Number:</p>
|
||||
<DD>
|
||||
<input type="radio" name="serial" value="auto" checked> Auto Generate</P>
|
||||
<DD>
|
||||
<input type="radio" name="serial" value="input">
|
||||
Use this value: <input type="text" name="serial_value" size="8" maxlength="8"></p>
|
||||
</td>
|
||||
<td></td><td></td><td></td><td></td>
|
||||
<td>
|
||||
X.509 version:</p>
|
||||
<DD>
|
||||
<input type="radio" name="ver" value="1" checked> Version 1</p>
|
||||
<DD>
|
||||
<input type="radio" name="ver" value="3"> Version 3</P></td>
|
||||
<td></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td>
|
||||
<td>
|
||||
Key Type:</p>
|
||||
<DD>
|
||||
<input type="radio" name="keyType" value="rsa" checked> RSA</p>
|
||||
<DD>
|
||||
<input type="radio" name="keyType" value="dsa"> DSA</P></td>
|
||||
</table>
|
||||
DN: <input type="text" name="subject" size="70" onChange="{window.top.reset_subjectFields(form)}"></P>
|
||||
<Select name="keysize">
|
||||
<option>1024 (High Grade)
|
||||
<option>768 (Medium Grade)
|
||||
<option>512 (Low Grade)
|
||||
</select>
|
||||
</p>
|
||||
<hr>
|
||||
</p>
|
||||
<table border=1 cellspacing=5 cellpadding=5>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape Certificate Type: </b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-cert-type"></P>
|
||||
Critical: <input type="checkbox" name="netscape-cert-type-crit">
|
||||
<td>
|
||||
<input type="checkbox" name="netscape-cert-type-ssl-client"> SSL Client</P>
|
||||
<input type="checkbox" name="netscape-cert-type-ssl-server"> SSL Server</P>
|
||||
<input type="checkbox" name="netscape-cert-type-smime"> S/MIME</P>
|
||||
<input type="checkbox" name="netscape-cert-type-object-signing"> Object Signing</P>
|
||||
<input type="checkbox" name="netscape-cert-type-reserved"> Reserved for future use (bit 4)</P>
|
||||
<input type="checkbox" name="netscape-cert-type-ssl-ca"> SSL CA</P>
|
||||
<input type="checkbox" name="netscape-cert-type-smime-ca"> S/MIME CA</P>
|
||||
<input type="checkbox" name="netscape-cert-type-object-signing-ca"> Object Signing CA</P>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape Base URL:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-base-url"></P>
|
||||
Critical: <input type="checkbox" name="netscape-base-url-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-base-url-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape Revocation URL:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-revocation-url"></P>
|
||||
Critical: <input type="checkbox" name="netscape-revocation-url-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-revocation-url-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape CA Revocation URL:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-ca-revocation-url"></P>
|
||||
Critical: <input type="checkbox" name="netscape-ca-revocation-url-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-ca-revocation-url-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape Certificate Renewal URL:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-cert-renewal-url"></P>
|
||||
Critical: <input type="checkbox" name="netscape-cert-renewal-url-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-cert-renewal-url-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape CA Policy URL:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-ca-policy-url"></P>
|
||||
Critical: <input type="checkbox" name="netscape-ca-policy-url-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-ca-policy-url-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape SSL Server Name:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-ssl-server-name"></P>
|
||||
Critical: <input type="checkbox" name="netscape-ssl-server-name-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-ssl-server-name-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape Comment:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-comment"></P>
|
||||
Critical: <input type="checkbox" name="netscape-comment-crit">
|
||||
<td>
|
||||
<textarea name="netscape-comment-text" rows="5" cols="50"></textarea>
|
||||
</tr>
|
||||
</table>
|
||||
</p>
|
||||
<hr>
|
||||
</p>
|
||||
<table border=1 cellspacing=5 cellpadding=5>
|
||||
<form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
|
||||
<tr>
|
||||
<td>
|
||||
<b>Key Usage: </b></p>
|
||||
Activate extension: <input type="checkbox" name="keyUsage"></P>
|
||||
Critical: <input type="checkbox" name="keyUsage-crit">
|
||||
<td>
|
||||
<input type="checkbox" name="keyUsage-digitalSignature"> Digital Signature</P>
|
||||
<input type="checkbox" name="keyUsage-nonRepudiation"> Non Repudiation</P>
|
||||
<input type="checkbox" name="keyUsage-keyEncipherment"> Key Encipherment</P>
|
||||
<input type="checkbox" name="keyUsage-dataEncipherment"> Data Encipherment</P>
|
||||
<input type="checkbox" name="keyUsage-keyAgreement"> Key Agreement</P>
|
||||
<input type="checkbox" name="keyUsage-keyCertSign"> Key Certificate Signing</P>
|
||||
<input type="checkbox" name="keyUsage-cRLSign"> CRL Signing</P>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Extended Key Usage: </b></p>
|
||||
Activate extension: <input type="checkbox" name="extKeyUsage"></P>
|
||||
Critical: <input type="checkbox" name="extKeyUsage-crit">
|
||||
<td>
|
||||
<input type="checkbox" name="extKeyUsage-serverAuth"> Server Auth</P>
|
||||
<input type="checkbox" name="extKeyUsage-clientAuth"> Client Auth</P>
|
||||
<input type="checkbox" name="extKeyUsage-codeSign"> Code Signing</P>
|
||||
<input type="checkbox" name="extKeyUsage-emailProtect"> Email Protection</P>
|
||||
<input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
|
||||
<input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
|
||||
<input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
|
||||
<input type="checkbox" name="extKeyUsage-msTrustListSign"> Microsoft Trust List Signing</P>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Basic Constraints:</b></p>
|
||||
Activate extension: <input type="checkbox" name="basicConstraints"></P>
|
||||
Critical: <input type="checkbox" name="basicConstraints-crit">
|
||||
<td>
|
||||
CA:</p>
|
||||
<dd><input type=radio name="basicConstraints-cA-radio" value="CA"> True</p>
|
||||
<dd><input type=radio name="basicConstraints-cA-radio" value="NotCA"> False</p>
|
||||
<input type="checkbox" name="basicConstraints-pathLengthConstraint">
|
||||
Include Path length: <input type="text" name="basicConstraints-pathLengthConstraint-text" size="2"></p>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Authority Key Identifier:</b></p>
|
||||
Activate extension: <input type="checkbox" name="authorityKeyIdentifier">
|
||||
<td>
|
||||
<input type="radio" name="authorityKeyIdentifier-radio" value="keyIdentifier"> Key Identider</p>
|
||||
<input type="radio" name="authorityKeyIdentifier-radio" value="authorityCertIssuer"> Issuer Name and Serial number</p>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Subject Key Identifier:</b></p>
|
||||
Activate extension: <input type="checkbox" name="subjectKeyIdentifier">
|
||||
<td>
|
||||
Key Identifier:
|
||||
<input type="text" name="subjectKeyIdentifier-text"></p>
|
||||
This is an:<p>
|
||||
<dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="ascii"> ascii text value<p>
|
||||
<dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="hex"> hex value<p>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Private Key Usage Period:</b></p>
|
||||
Activate extension: <input type="checkbox" name="privKeyUsagePeriod"></p>
|
||||
Critical: <input type="checkbox" name="privKeyUsagePeriod-crit">
|
||||
<td>
|
||||
Use:</p>
|
||||
<dd><input type="radio" name="privKeyUsagePeriod-radio" value="notBefore"> Not Before</p>
|
||||
<dd><input type="radio" name="privKeyUsagePeriod-radio" value="notAfter"> Not After</p>
|
||||
<dd><input type="radio" name="privKeyUsagePeriod-radio" value="both" > Both</p>
|
||||
<b>Not to be used to sign before:</b></p>
|
||||
<dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="auto"> Set to time of certificate issue</p>
|
||||
<dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="manual"> Use This value</p>
|
||||
<dd><dd>(YYYY/MM/DD HH:MM:SS):
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-year" size="4" maxlength="4">/
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-month" size="2" maxlength="2">/
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-day" size="2" maxlength="2">
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-hour" size="2" maxlength="2">:
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-minute" size="2" maxlength="2">:
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-second" size="2" maxlength="2"></p>
|
||||
<b>Not to be used to sign after:</b></p>
|
||||
<dd>(YYYY/MM/DD HH:MM:SS):
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-year" size="4" maxlength="4">/
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-month" size="2" maxlength="2">/
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-day" size="2" maxlength="2">
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-hour" size="2" maxlength="2">:
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-minute" size="2" maxlength="2">:
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-second" size="2" maxlength="2"></p>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Subject Alternative Name:</b></p>
|
||||
Activate extension: <input type="checkbox" name="SubAltName"></P>
|
||||
Critical: <input type="checkbox" name="SubAltName-crit">
|
||||
<td>
|
||||
<table>
|
||||
<tr>
|
||||
<td>
|
||||
General Names:</p>
|
||||
<select name="SubAltNameSelect" multiple size="10">
|
||||
</select></p></p>
|
||||
<input type="button" name="SubAltName-add" value="Add" onClick="{parent.addSubAltName(this.form)}">
|
||||
<input type="button" name="SubAltName-delete" value="Delete" onClick="parent.deleteSubAltName(this.form)">
|
||||
</td><td>
|
||||
<table><tr><td>
|
||||
Name Type: </td></tr><tr><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="otherName" onClick="parent.setSubAltNameType(form)"> Other Name,
|
||||
OID: <input type="text" name="SubAltNameOtherNameOID" size="6"> </td><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="rfc822Name" onClick="parent.setSubAltNameType(form)"> RFC 822 Name</td></tr><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="dnsName" onClick="parent.setSubAltNameType(form)"> DNS Name </td><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="x400" onClick="parent.setSubAltNameType(form)"> X400 Address</td></tr><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="directoryName" onClick="parent.setSubAltNameType(form)"> Directory Name</td><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="ediPartyName" onClick="parent.setSubAltNameType(form)"> EDI Party Name</td></tr><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="URL" onClick="parent.setSubAltNameType(form)"> Uniform Resource Locator</td><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="ipAddress" onClick="parent.setSubAltNameType(form)"> IP Address</td></tr><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="regID"onClick="parent.setSubAltNameType(form)"> Registered ID</td><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="nscpNickname" onClick="parent.setSubAltNameType(form)"> Netscape Certificate Nickname</td><td></tr>
|
||||
</table>
|
||||
Name: <input type="text" name="SubAltNameText">
|
||||
Binary Encoded: <input type="checkbox" name="SubAltNameDataType" value="binary" onClick="parent.setSubAltNameType(form)"></p>
|
||||
</tr>
|
||||
</table>
|
||||
</tr>
|
||||
|
||||
|
||||
<tr>
|
||||
<td>
|
||||
<b>Issuer Alternative Name:</b></p>
|
||||
Activate extension: <input type="checkbox" name="IssuerAltName"></P>
|
||||
Critical: <input type="checkbox" name="IssuerAltName-crit">
|
||||
<td>
|
||||
<input type="radio" name="IssuerAltNameSourceRadio" value="auto"> Use the Subject Alternative Name from the Issuers Certificate</p>
|
||||
<input type="radio" name="IssuerAltNameSourceRadio" value="man"> Use this Name:
|
||||
<table>
|
||||
<tr>
|
||||
<td>
|
||||
General Names:</p>
|
||||
<select name="IssuerAltNameSelect" multiple size="10">
|
||||
</select></p></p>
|
||||
<input type="button" name="IssuerAltName-add" value="Add" onClick="{parent.addIssuerAltName(this.form)}">
|
||||
<input type="button" name="IssuerAltName-delete" value="Delete" onClick="parent.deleteIssuerAltName(this.form)">
|
||||
</td><td>
|
||||
<table><tr><td>
|
||||
Name Type: </td></tr><tr><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="otherName" onClick="parent.setIssuerAltNameType(form)"> Other Name,
|
||||
OID: <input type="text" name="IssuerAltNameOtherNameOID" size="6"> </td><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="rfc822Name" onClick="parent.setIssuerAltNameType(form)"> RFC 822 Name</td></tr><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="dnsName" onClick="parent.setIssuerAltNameType(form)"> DNS Name </td><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="x400" onClick="parent.setIssuerAltNameType(form)"> X400 Address</td></tr><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="directoryName" onClick="parent.setIssuerAltNameType(form)"> Directory Name</td><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="ediPartyName" onClick="parent.setIssuerAltNameType(form)"> EDI Party Name</td></tr><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="URL" onClick="parent.setIssuerAltNameType(form)"> Uniform Resource Locator</td><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="ipAddress" onClick="parent.setIssuerAltNameType(form)"> IP Address</td></tr><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="regID" onClick="parent.setIssuerAltNameType(form)"> Registered ID</td><td></tr>
|
||||
</table>
|
||||
Name: <input type="text" name="IssuerAltNameText">
|
||||
Binary Encoded: <input type="checkbox" name="IssuerAltNameDataType" value="binary" onClick="parent.setIssuerAltNameType(form)"></p>
|
||||
</tr>
|
||||
</table>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td>
|
||||
<b>Name Constraints:</b></p>
|
||||
Activate extension: <input type="checkbox" name="NameConstraints"></P>
|
||||
<td>
|
||||
<table>
|
||||
<tr>
|
||||
<td>
|
||||
Name Constraints:</p>
|
||||
|
||||
|
||||
<select name="NameConstraintSelect" multiple size="10">
|
||||
</select></p></p>
|
||||
<input type="button" name="NameConstraint-add" value="Add" onClick="{parent.addNameConstraint(this.form)}">
|
||||
<input type="button" name="NameConstraint-delete" value="Delete" onClick="parent.deleteNameConstraint(this.form)">
|
||||
</td><td>
|
||||
<table><tr><td>
|
||||
Name Type: </td></tr><tr><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="otherName" onClick="parent.setNameConstraintNameType(form)"> Other Name,
|
||||
OID: <input type="text" name="NameConstraintOtherNameOID" size="6"> </td><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="rfc822Name" onClick="parent.setNameConstraintNameType(form)"> RFC 822 Name</td></tr><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="dnsName" onClick="parent.setNameConstraintNameType(form)"> DNS Name </td><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="x400" onClick="parent.setNameConstraintNameType(form)"> X400 Address</td></tr><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="directoryName" onClick="parent.setNameConstraintNameType(form)"> Directory Name</td><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="ediPartyName" onClick="parent.setNameConstraintNameType(form)"> EDI Party Name</td></tr><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="URL" onClick="parent.setNameConstraintNameType(form)"> Uniform Resource Locator</td><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="ipAddress" onClick="parent.setNameConstraintNameType(form)"> IP Address</td></tr><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="regID" onClick="parent.setNameConstraintNameType(form)"> Registered ID</td><td></tr>
|
||||
</table>
|
||||
Name: <input type="text" name="NameConstraintText">
|
||||
Binary Encoded: <input type="checkbox" name="NameConstraintNameDataType" value="binary" onClick="parent.setNameConstraintNameType(form)"></p>
|
||||
Constraint type:<p>
|
||||
<dd><input type="radio" name="NameConstraintTypeRadio" value="permited"> permited<p>
|
||||
<dd><input type="radio" name="NameConstraintTypeRadio" value="excluded"> excluded<p>
|
||||
Minimum: <input type="text" name="NameConstraintMin" size="8" maxlength="8"></p>
|
||||
Maximum: <input type="text" name="NameConstraintMax" size="8" maxlength="8"></p>
|
||||
|
||||
|
||||
|
||||
</tr>
|
||||
</table>
|
||||
</tr>
|
||||
</table>
|
||||
</form>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,33 +0,0 @@
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
{
|
||||
'includes': [
|
||||
'../../coreconf/config.gypi',
|
||||
'../../cmd/platlibs.gypi'
|
||||
],
|
||||
'targets': [
|
||||
{
|
||||
'target_name': 'certcgi',
|
||||
'type': 'executable',
|
||||
'sources': [
|
||||
'certcgi.c'
|
||||
],
|
||||
'dependencies': [
|
||||
'<(DEPTH)/exports.gyp:dbm_exports',
|
||||
'<(DEPTH)/exports.gyp:nss_exports',
|
||||
'<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3'
|
||||
]
|
||||
}
|
||||
],
|
||||
'target_defaults': {
|
||||
'defines': [
|
||||
'NSPR20',
|
||||
'NSS_USE_STATIC_LIBS'
|
||||
]
|
||||
},
|
||||
'variables': {
|
||||
'module': 'nss',
|
||||
'use_static_libs': 1
|
||||
}
|
||||
}
|
@ -1,789 +0,0 @@
|
||||
<HTML> <!-- -*- Mode: Java; tab-width: 8 -*- -->
|
||||
<!-- This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
|
||||
<HEAD>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||||
<SCRIPT LANGUAGE="JavaScript1.2">
|
||||
|
||||
script_url = 'http://interzone.mcom.com/cgi-bin/certomatic/bin/certcgi.cgi'
|
||||
|
||||
ext_page_ver1 =
|
||||
make_page_intro('Version 1 extensions', "#FFFFFF") +
|
||||
'<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext1">' +
|
||||
'Version 1 X.509 certs do not support extensions' +
|
||||
'</IFRAME>' +
|
||||
'</body></html>';
|
||||
|
||||
num_ca = 0;
|
||||
|
||||
your_certificate_index_label = 'Your Certificate';
|
||||
netscape_extensions_index_label = 'Netscape X.509 Extensions';
|
||||
standard_extensions_index_label = 'Standard X.509 Extensions';
|
||||
certifying_authorities_index_label = 'Certifying Authorities';
|
||||
add_sub_alt_name_index_label = 'Add Subject Alternative Name';
|
||||
|
||||
index_list =
|
||||
'0, your_certificate_index_label,' +
|
||||
'0, netscape_extensions_index_label,' +
|
||||
'0, standard_extensions_index_label,' +
|
||||
'0, certifying_authorities_index_label';
|
||||
|
||||
add_index_list = '';
|
||||
|
||||
ver = 3
|
||||
|
||||
max_pages = 13;
|
||||
cur_page = 1;
|
||||
|
||||
ext_page_array = new Array(max_pages);
|
||||
|
||||
index_label = 'Options';
|
||||
|
||||
var main_page =
|
||||
make_page_intro('Your Key', "#FFFFFF") +
|
||||
'<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="main" SRC="main.html">' +
|
||||
'</IFRAME>' +
|
||||
'</body></html>' ;
|
||||
|
||||
function setSubAltNameType(form)
|
||||
{
|
||||
with(form) {
|
||||
if (SubAltNameRadio[0].checked) {
|
||||
return true;
|
||||
}
|
||||
if (SubAltNameRadio[3].checked || SubAltNameRadio[5].checked) {
|
||||
SubAltNameDataType.checked = true;
|
||||
return true;
|
||||
}
|
||||
if (SubAltNameRadio[1].checked || SubAltNameRadio[2].checked ||
|
||||
SubAltNameRadio[4].checked || SubAltNameRadio[6].checked ||
|
||||
SubAltNameRadio[7].checked || SubAltNameRadio[8].checked) {
|
||||
SubAltNameDataType.checked = false;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
function setIssuerAltNameType(form)
|
||||
{
|
||||
with(form) {
|
||||
if (IssuerAltNameRadio[0].checked) {
|
||||
return true;
|
||||
}
|
||||
if (IssuerAltNameRadio[3].checked || IssuerAltNameRadio[5].checked) {
|
||||
IssuerAltNameDataType.checked = true;
|
||||
return true;
|
||||
}
|
||||
if (IssuerAltNameRadio[1].checked || IssuerAltNameRadio[2].checked ||
|
||||
IssuerAltNameRadio[4].checked || IssuerAltNameRadio[6].checked ||
|
||||
IssuerAltNameRadio[7].checked || IssuerAltNameRadio[8].checked) {
|
||||
IssuerAltNameDataType.checked = false;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
function setNameConstraintNameType(form)
|
||||
{
|
||||
with(form) {
|
||||
if (NameConstraintRadio[0].checked) {
|
||||
return true;
|
||||
}
|
||||
if (NameConstraintRadio[3].checked || NameConstraintRadio[5].checked) {
|
||||
NameConstraintNameDataType.checked = true;
|
||||
return true;
|
||||
}
|
||||
if (NameConstraintRadio[1].checked || NameConstraintRadio[2].checked ||
|
||||
NameConstraintRadio[4].checked || NameConstraintRadio[6].checked ||
|
||||
NameConstraintRadio[7].checked || NameConstraintRadio[8].checked) {
|
||||
NameConstraintNameDataType.checked = false;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
function addSubAltName(form)
|
||||
{
|
||||
with(form) {
|
||||
var len = SubAltNameSelect.length;
|
||||
var value;
|
||||
var i = 0;
|
||||
while(!(i == (SubAltNameRadio.length - 1)) &
|
||||
!(SubAltNameRadio[i].checked == true)) {
|
||||
i++;
|
||||
}
|
||||
if (i != 0) {
|
||||
value = SubAltNameText.value + " - " + (i + 1);
|
||||
} else {
|
||||
value = SubAltNameText.value + " - " +
|
||||
SubAltNameOtherNameOID.value + " - ";
|
||||
if (SubAltNameDataType.checked) {
|
||||
value += "1 - ";
|
||||
} else {
|
||||
value += "0 - ";
|
||||
}
|
||||
value += (i + 1);
|
||||
if (SubAltNameOtherNameOID.value == "") {
|
||||
alert("Other names must include an OID");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
if ((SubAltNameText.value == "") | (SubAltNameRadio[i].checked != true)) {
|
||||
alert("Alternative Names must include values for name and name type.");
|
||||
} else {
|
||||
SubAltNameSelect.options[len] = new Option(value, value);
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
function deleteSubAltName(form)
|
||||
{
|
||||
with(form) {
|
||||
while (SubAltNameSelect.selectedIndex >= 0) {
|
||||
SubAltNameSelect[SubAltNameSelect.selectedIndex] = null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function addIssuerAltName(form)
|
||||
{
|
||||
with(form)
|
||||
{
|
||||
var len = IssuerAltNameSelect.length;
|
||||
var value;
|
||||
var i = 0;
|
||||
|
||||
while(!(i == (IssuerAltNameRadio.length -1)) &
|
||||
!(IssuerAltNameRadio[i].checked == true)) {
|
||||
i++;
|
||||
}
|
||||
if (i != 0) {
|
||||
value = IssuerAltNameText.value + " - " + (i + 1);
|
||||
} else {
|
||||
value = IssuerAltNameText.value + " - " +
|
||||
IssuerAltNameOtherNameOID.value + " - ";
|
||||
if (IssuerAltNameDataType.checked) {
|
||||
value += "1 - ";
|
||||
} else {
|
||||
value += "0 - ";
|
||||
}
|
||||
value += (i + 1);
|
||||
if (IssuerAltNameOtherNameOID.value == "") {
|
||||
alert("Other names must include an OID");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if ((IssuerAltNameText.value == "") |
|
||||
(IssuerAltNameRadio[i].checked != true)) {
|
||||
alert("Alternative Names must include values for name and name type.")
|
||||
} else {
|
||||
IssuerAltNameSelect.options[len] = new Option(value, value);
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
function deleteIssuerAltName(form)
|
||||
{
|
||||
with(form) {
|
||||
while (IssuerAltNameSelect.selectedIndex >= 0) {
|
||||
IssuerAltNameSelect[IssuerAltNameSelect.selectedIndex] = null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
function addNameConstraint(form)
|
||||
{
|
||||
with(form) {
|
||||
var len = NameConstraintSelect.length;
|
||||
var value;
|
||||
var i = 0;
|
||||
var min = NameConstraintMin.value;
|
||||
var max = NameConstraintMax.value;
|
||||
|
||||
while(!(i == (NameConstraintRadio.length - 1) ) &
|
||||
!(NameConstraintRadio[i].checked == true)) {
|
||||
i++;
|
||||
}
|
||||
value = NameConstraintText.value + " - ";
|
||||
if (i == 0) {
|
||||
value += NameConstraintOtherNameOID.value + " - ";
|
||||
if (NameConstraintNameDataType.checked) {
|
||||
value += "1 - ";
|
||||
} else {
|
||||
value += "0 - ";
|
||||
}
|
||||
if (NameConstraintOtherNameOID.value == "") {
|
||||
alert("Other names must include an OID");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
value += (i + 1) + " - ";
|
||||
if (NameConstraintTypeRadio[0].checked == true) {
|
||||
value += "p - ";
|
||||
} else {
|
||||
value += "e - ";
|
||||
}
|
||||
value += min + " - " + max;
|
||||
if ((min == "") | (NameConstraintText.value == "") |
|
||||
(NameConstraintRadio[i].checked != true)) {
|
||||
alert("Name Constraints must include values for minimum, name, and name type.")
|
||||
} else {
|
||||
NameConstraintSelect.options[len] = new Option(value, value);
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
function deleteNameConstraint(form)
|
||||
{
|
||||
with(form) {
|
||||
while (NameConstraintSelect.selectedIndex >= 0) {
|
||||
NameConstraintSelect[NameConstraintSelect.selectedIndex] = null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
function submit_it()
|
||||
{
|
||||
save_cur_page(cur_page);
|
||||
|
||||
var ver1 = (ver == 1);
|
||||
var ver3 = (ver == 3);
|
||||
var array_string;
|
||||
var serial = ext_page_array[0][10][0];
|
||||
var serial_number = ext_page_array[0][12][0];
|
||||
var manValidity = ext_page_array[0][19][0];
|
||||
var notBefore = ext_page_array[0][20][0];
|
||||
var notAfter = ext_page_array[0][21][0];
|
||||
var subject = ext_page_array[0][22][0];
|
||||
|
||||
if (subject == "") {
|
||||
alert("The DN field must contain some data");
|
||||
return false;
|
||||
}
|
||||
if (!serial & serial_number == "") {
|
||||
alert("No serial number specified");
|
||||
return false;
|
||||
}
|
||||
if (ext_page_array[0][15][0]) {
|
||||
var keygen = "<keygen name=\"key\" challenge=\"foo\">";
|
||||
} else {
|
||||
switch (ext_page_array[0][17][0]) {
|
||||
case 2:
|
||||
var keygen = "<keygen keytype=\"dsa\" pqg=\"MIGdAkEAjfKklEkidqo9JXWbsGhpy+rA2Dr7jQz3y7gyTw14guXQdi/FtyEOr8Lprawyq3qsSWk9+/g3JMLsBzbuMcgCkQIVAMdzIYxzfsjumTtPLe0w9I7azpFfAkEAYm0CeDnqChNBMWOlW0y1ACmdVSKVbO/LO/8Q85nOLC5xy53l+iS6v1jlt5UhklycxC6fb0ZLCIzFcq9T5teIAg==\" name=\"key\" challenge=\"foo\">";
|
||||
break;
|
||||
case 1:
|
||||
var keygen = "<keygen keytype=\"dsa\" pqg=\"MIHaAmDCboVgX0+6pEeMlbwsasWDVBcJNHPKMzkq9kbCRK2U3k+tE15n+Dc2g3ZjDYr1um51e2iLC34/BwAAAAAAAAAAAAAAAAAAAAAAAAABbBhnlFN5Djmt0Mk8cdEBY5H8iPMCFMhUnFtbpjn3EyfH2DjVg3ALh7FtAmA2zWzhpeCwvOTjYnQorlXiv0WcnSiWmaC79CRYkFt5i+UEfRxwP1eNGJBVB1T+CPW6JGd4WhgsqtSf53pn5DEtv++O7lNfXyOhWhb3KaWHYIx8fuAXtioIWkWmpfEIVZA=\" name=\"key\" challenge=\"foo\">";
|
||||
break;
|
||||
case 0:
|
||||
var keygen = "<keygen keytype=\"dsa\" pqg=\"MIIBHAKBgId8SiiWrcdua5zbsBhPkKfFcnHBG7T/bQla7c6OixGjjmSSuq2fJLvMKa579CaxHxLZzZZXIHmAk9poRgWl2GUUkCJ68XSum8OQzDPXPsofcEdeANjw3mIAAAAAAAAAAAAAAAAAAAAAAAAIE+MkW5hguLIQqWvEVi9dMpbNu6OZAhTIA+y3TgyiwA0D8pt686ofaL1IOQKBgAiZQC6UCXztr2iXxJrAC+51gN5oX/R9Thilln9RGegsWnHrdxUOpcm5vAWp1LU8TOXtujE8kqkm3UxIRhUWQORe9IxLANAXmZJqkw9FEVHkxj6Cy9detwT2MyBzSwS6avsf7aLisgHmI/IHSeapJsQ3NQa3rikb6zRiqIV+TVa6\" name=\"key\" challenge=\"foo\">";
|
||||
break;
|
||||
}
|
||||
}
|
||||
array_string = build_array_string();
|
||||
hiddens = "<input type=\"hidden\" name=\"subject\" value=\'" + subject + "\'> \n" +
|
||||
"<input type=\"hidden\" name=\"serial-auto\" value=\"" + serial + "\"> \n" +
|
||||
"<input type=\"hidden\" name=\"serial_value\" value=\"" + serial_number + "\"> \n" +
|
||||
"<input type=\"hidden\" name=\"ver-1\" value=\"" + ver1 + "\"> \n" +
|
||||
"<input type=\"hidden\" name=\"ver-3\" value=\"" + ver3 + "\"> \n" +
|
||||
"<input type=\"hidden\" name=\"notBefore\" value=\"" + notBefore + "\"> \n" +
|
||||
"<input type=\"hidden\" name=\"notAfter\" value=\"" + notAfter + "\"> \n" +
|
||||
"<input type=\"hidden\" name=\"manValidity\" value=\"" + manValidity + "\"> \n" +
|
||||
array_string;
|
||||
|
||||
var good_submit_page =
|
||||
'<html>' +
|
||||
'<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" ALINK="#FF0000" BGCOLOR="#FFFFFF">' +
|
||||
'<form method="post" action="' + script_url + '">' +
|
||||
'Select size for your key:' + keygen + '</p>' +
|
||||
'<input type="submit"></p>' +
|
||||
hiddens +
|
||||
'</form>\n' +
|
||||
'</body>\n' +
|
||||
'</html>\n';
|
||||
|
||||
window.frames['right'].document.write(good_submit_page);
|
||||
window.frames['right'].document.close();
|
||||
cur_page = max_pages + 1;
|
||||
make_left_frame(window);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
|
||||
function build_array_string()
|
||||
{
|
||||
var pg;
|
||||
var array_string = '';
|
||||
var pages;
|
||||
|
||||
if ((ext_page_array[3][4][0] > 0) && ext_page_array[3][3][0]) {
|
||||
pages = 4 + parseInt(ext_page_array[3][4][0]);
|
||||
} else {
|
||||
pages = 4;
|
||||
}
|
||||
for (pg = 1; pg < pages; pg++) {
|
||||
if ((pg > 1 || (ver == 3)) && (ext_page_array[pg].length > 1)) {
|
||||
if (pg < 4) {
|
||||
for (i = 0; i < ext_page_array[pg].length; i++) {
|
||||
if (ext_page_array[pg][i][3].indexOf("radio") == -1) {
|
||||
if (ext_page_array[pg][i][3].indexOf("multiple") == -1) {
|
||||
array_string += '<input type=\"hidden\" name=\"' +
|
||||
ext_page_array[pg][i][1] + '\" value=\'' +
|
||||
ext_page_array[pg][i][0] + '\'> \n';
|
||||
} else {
|
||||
for (k = 0; k < ext_page_array[pg][i][0].length; k++) {
|
||||
array_string += '<input type=\"hidden\" name=\"' +
|
||||
ext_page_array[pg][i][1] + k + '\" value=\'' +
|
||||
ext_page_array[pg][i][0][k] + '\'> \n';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
array_string += '<input type=\"hidden\" name=\"' +
|
||||
ext_page_array[pg][i][1] + '-' +
|
||||
ext_page_array[pg][i][2] + '\" value=\'' +
|
||||
ext_page_array[pg][i][0] + '\'> \n';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for (i = 0; i < ext_page_array[pg].length; i++) {
|
||||
if (ext_page_array[pg][i][3].indexOf("radio") == -1) {
|
||||
if (ext_page_array[pg][i][3].indexOf("multiple") == -1) {
|
||||
array_string += '<input type=\"hidden\" name=\"' +
|
||||
'CA#' + (pg - 3) + '-' +
|
||||
ext_page_array[pg][i][1] + '\" value=\'' +
|
||||
ext_page_array[pg][i][0] +'\'> \n';
|
||||
} else {
|
||||
for (k = 0; k < ext_page_array[pg][i][0].length; k++) {
|
||||
array_string += '<input type=\"hidden\" name=\"' +
|
||||
'CA#' + (pg - 3) + '-' +
|
||||
ext_page_array[pg][i][1] + k + '\" value=\'' +
|
||||
ext_page_array[pg][i][0][k] + '\'> \n';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
array_string += '<input type=\"hidden\" name=\"' +
|
||||
'CA#' + (pg - 3) + '-' +
|
||||
ext_page_array[pg][i][1] + '-' +
|
||||
ext_page_array[pg][i][2] + '\" value=\'' +
|
||||
ext_page_array[pg][i][0] + '\'> \n';
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return array_string;
|
||||
}
|
||||
|
||||
|
||||
|
||||
function init_ext_page_array()
|
||||
{
|
||||
for (i = 0; i < max_pages; i++) {
|
||||
ext_page_array[i] = '';
|
||||
}
|
||||
}
|
||||
|
||||
function ca_num_change(n,ca_form)
|
||||
{
|
||||
with(ca_form) {
|
||||
n = parseInt(n,10);
|
||||
if (caChoiceradio[2].checked) {
|
||||
if (n) {
|
||||
update_left_frame(n);
|
||||
} else {
|
||||
update_left_frame(0);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function choice_change(ca_form)
|
||||
{
|
||||
with(ca_form) {
|
||||
if (caChoiceradio[2].checked) {
|
||||
ca_num_change(manCAs.value,ca_form);
|
||||
} else {
|
||||
update_left_frame(0);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function update_left_frame(n)
|
||||
{
|
||||
var add_string = '';
|
||||
for (var i = 0; i < n; i++) {
|
||||
var j = i + 1;
|
||||
add_string = add_string + ',1, \'CA #' + j + '\'';
|
||||
}
|
||||
top.add_index_list = add_string;
|
||||
num_ca = n;
|
||||
make_left_frame(window);
|
||||
}
|
||||
|
||||
function set_ver1()
|
||||
// redraws the extensions page for version 1 certificates
|
||||
{
|
||||
ver = 1
|
||||
if (cur_page == 2 || cur_page == 3) {
|
||||
switch_right_frame(window, cur_page, cur_page);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
function set_ver3()
|
||||
// redraws the extensions page for version 3 certificates
|
||||
{
|
||||
ver = 3
|
||||
if (cur_page == 2) {
|
||||
switch_right_frame(window, 0, 2);
|
||||
} else if (cur_page == 3) {
|
||||
switch_right_frame(window, 0, 3);
|
||||
}
|
||||
}
|
||||
|
||||
function reset_subject(marker, value, form)
|
||||
// Updates the subject field from a subordinate field
|
||||
{
|
||||
with(form) {
|
||||
var field_sep = '", ';
|
||||
var begin_index = subject.value.indexOf(marker);
|
||||
if (begin_index != 0 && subject.value[begin_index - 1] != ' ') {
|
||||
begin_index = subject.value.indexOf(marker, begin_index +1);
|
||||
}
|
||||
var end_index = subject.value.indexOf(field_sep, begin_index);
|
||||
if (begin_index > -1) { // is it a delete/change?
|
||||
if (end_index == -1) { // is it the last one (includes only one)?
|
||||
if (value.length > 0) { // do I have to change it?
|
||||
if (begin_index == 0) { // is is the only one?
|
||||
subject.value = marker + '"' + value + '"';
|
||||
} else { // it is the last of many
|
||||
subject.value = subject.value.substring(0,begin_index) +
|
||||
marker + '"' + value + '"';
|
||||
}
|
||||
} else { // must be a delete
|
||||
if (begin_index == 0) { // is it the only one?
|
||||
begin_index += 2;
|
||||
}
|
||||
subject.value = subject.value.substring(0,(begin_index - 2));
|
||||
}
|
||||
} else { // it is the first of many or a middle one
|
||||
if (value.length >0) { // do I have to change it?
|
||||
subject.value =
|
||||
subject.value.substring(0,(begin_index + marker.length + 1)) +
|
||||
value + subject.value.substring(end_index,subject.length);
|
||||
} else { // it is a delete
|
||||
subject.value = subject.value.substring(0,begin_index) +
|
||||
subject.value.substring((end_index + 3),subject.length);
|
||||
}
|
||||
}
|
||||
} else { // It is either an insert or a do nothing
|
||||
if (value.length > 0) { // is it an insert?
|
||||
if (subject.value.length == 0) { // is subject currently empty?
|
||||
subject.value = marker + '"' + value + '"';
|
||||
} else {
|
||||
subject.value = subject.value + ', ' + marker + '"' + value + '"';
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
function reset_subjectFields(form)
|
||||
// updates all the subordinate fields from the subject field of a form
|
||||
// **** move the strings to global variables, to make maintentance easier ****
|
||||
{
|
||||
|
||||
update_subject_Field(form, 'CN=\"', form.name);
|
||||
update_subject_Field(form, 'MAIL=\"', form.email);
|
||||
update_subject_Field(form, 'O=\"', form.org);
|
||||
update_subject_Field(form, 'C=\"', form.country);
|
||||
update_subject_Field(form, ' L=\"', form.loc);
|
||||
update_subject_Field(form, 'ST=\"', form.state);
|
||||
update_subject_Field(form, 'E=\"', form.email);
|
||||
update_subject_Field(form, 'OU=\"', form.org_unit);
|
||||
update_subject_Field(form, 'UID=\"', form.uid);
|
||||
}
|
||||
|
||||
function update_subject_Field(form, marker, update_field)
|
||||
//updates a single subordinate field from the subject field of a form
|
||||
// *** need to deal with the two types of e-mail addresses **************
|
||||
{
|
||||
with(form) {
|
||||
var field_sep = '", ';
|
||||
var begin_index = subject.value.indexOf(marker) + marker.length;
|
||||
var end_index = subject.value.indexOf(field_sep, begin_index);
|
||||
if (end_index == -1) {
|
||||
end_index = subject.value.indexOf('"',begin_index);
|
||||
}
|
||||
if (begin_index != (-1 + marker.length) ) {
|
||||
update_field.value = subject.value.substring(begin_index, end_index);
|
||||
} else {
|
||||
update_field.value = '';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
function switch_mail(form)
|
||||
// **** Do I want to delete the other type of e-mail address ? ************
|
||||
{
|
||||
if (form.email_type[0].checked) {
|
||||
var del = 'E=';
|
||||
var ins = 'MAIL=';
|
||||
} else {
|
||||
var del = 'MAIL=';
|
||||
var ins = 'E=';
|
||||
}
|
||||
reset_subject(del, '', form);
|
||||
reset_subject(ins, form.email.value, form);
|
||||
}
|
||||
|
||||
function make_page_intro(title, bgcolor)
|
||||
{
|
||||
var style = '<STYLE TYPE="text/css">BODY{' +
|
||||
'font-family: Geneva,MS Sans Serif,Arial,Lucida,Helvetica,sans-serif;' +
|
||||
'font-size: 10pt;' +
|
||||
'}' +
|
||||
'TD{' +
|
||||
'font-family: Geneva,MS Sans Serif,Arial,Lucida,Helvetica,sans-serif;' +
|
||||
'font-size: 10pt;}' +
|
||||
'</STYLE>';
|
||||
|
||||
if (bgcolor == null) { bgcolor = "#C0C0C0"; }
|
||||
return '<HTML><HEAD>' +
|
||||
'<TITLE>' + title + '</TITLE>' +
|
||||
'</HEAD>' +
|
||||
'<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" ALINK="#FF0000" ' +
|
||||
'BGCOLOR="' + bgcolor + '">';
|
||||
}
|
||||
|
||||
|
||||
function make_left_frame(window)
|
||||
{
|
||||
with (window.frames['index']) {
|
||||
eval ('index_string = make_left_frame_page(cur_page, '
|
||||
+ index_list + add_index_list + ' )');
|
||||
fool1 = make_page_intro(index_label, "#FFFFFF") +
|
||||
index_string + '</BODY></HTML>';
|
||||
document.write(fool1);
|
||||
document.close();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
function save_cur_page(page_number)
|
||||
{
|
||||
var len;
|
||||
var pg = page_number - 1;
|
||||
if (window.frames['right'].document.forms.length != 0) {
|
||||
with (window.frames['right'].document) {
|
||||
if ((page_number != 2 && page_number != 3 && page_number <= max_pages) ||
|
||||
ver == 3) {
|
||||
ext_page_array[pg] = new Array(forms[0].elements.length);
|
||||
for (i = 0; i < forms[0].elements.length; i++) {
|
||||
ext_page_array[pg][i] = new Array(4);
|
||||
switch (forms[0].elements[i].type) {
|
||||
case 'radio':
|
||||
case 'checkbox':
|
||||
ext_page_array[pg][i][0] = forms[0].elements[i].checked;
|
||||
break;
|
||||
case 'select-one':
|
||||
ext_page_array[pg][i][0] = forms[0].elements[i].selectedIndex;
|
||||
break;
|
||||
case 'select-multiple':
|
||||
len = forms[0].elements[i].options.length;
|
||||
ext_page_array[pg][i][0] = new Array(len);
|
||||
for(k = 0; k < len; k++) {
|
||||
ext_page_array[pg][i][0][k] = forms[0].elements[i].options[k].value;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
ext_page_array[pg][i][0] = forms[0].elements[i].value;
|
||||
}
|
||||
ext_page_array[pg][i][1] = forms[0].elements[i].name;
|
||||
ext_page_array[pg][i][2] = forms[0].elements[i].value;
|
||||
ext_page_array[pg][i][3] = forms[0].elements[i].type;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function reload_form(page_number)
|
||||
{
|
||||
var j = page_number - 1;
|
||||
with (window.frames['right'].document) {
|
||||
if (((page_number < 2 || page_number > 3) || ver == 3)
|
||||
&& page_number != 0 && (ext_page_array[j].length > 1)) {
|
||||
for (i = 0; i < ext_page_array[j].length; i++) {
|
||||
switch (forms[0].elements[i].type) {
|
||||
case 'radio': case 'checkbox':
|
||||
forms[0].elements[i].checked = ext_page_array[j][i][0];
|
||||
break;
|
||||
case 'select-one':
|
||||
forms[0].elements[i].selectedIndex = ext_page_array[j][i][0];
|
||||
break;
|
||||
case 'select-multiple':
|
||||
for (k = 0; k < ext_page_array[j][i][0].length; k++) {
|
||||
forms[0].elements[i].options[k] =
|
||||
new Option(ext_page_array[j][i][0][k],
|
||||
ext_page_array[j][i][0][k]);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
forms[0].elements[i].value = ext_page_array[j][i][0];
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function switch_right_frame(top_window, old_pane, new_pane)
|
||||
{
|
||||
var ext_page_stnd =
|
||||
make_page_intro(standard_extensions_index_label, "#FFFFFF") +
|
||||
'<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
|
||||
'SRC="stnd_ext_form.html">' +
|
||||
'</IFRAME></body></html>';
|
||||
|
||||
var ext_page_nscp =
|
||||
make_page_intro(netscape_extensions_index_label, "#FFFFFF") +
|
||||
'<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
|
||||
'SRC="nscp_ext_form.html">' +
|
||||
'</IFRAME></body></html>';
|
||||
|
||||
var ext_page_ca =
|
||||
make_page_intro(certifying_authorities_index_label, "#FFFFFF") +
|
||||
'<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
|
||||
'SRC="ca.html">' +
|
||||
'</IFRAME></body</html>';
|
||||
|
||||
var ext_page_ca_exp =
|
||||
make_page_intro('Certifying Authority Details', "#FFFFFF") +
|
||||
'<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
|
||||
'SRC="ca_form.html">' +
|
||||
'</IFRAME></body></html>';
|
||||
|
||||
|
||||
if (old_pane > 0 && cur_page <= max_pages) {
|
||||
save_cur_page(old_pane);
|
||||
}
|
||||
cur_page = new_pane;
|
||||
make_left_frame(top_window);
|
||||
if (new_pane == 2 || new_pane == 3) {
|
||||
if (ver == 1) {
|
||||
frames['right'].document.write(ext_page_ver1);
|
||||
frames['right'].document.close();
|
||||
} else if (new_pane == 2) {
|
||||
frames['right'].document.write(ext_page_nscp);
|
||||
frames['right'].document.close();
|
||||
reload_form(new_pane);
|
||||
} else {
|
||||
frames['right'].document.write(ext_page_stnd);
|
||||
frames['right'].document.close();
|
||||
reload_form(new_pane);
|
||||
}
|
||||
} else if (new_pane == 4) {
|
||||
frames['right'].document.write(ext_page_ca);
|
||||
frames['right'].document.close();
|
||||
reload_form(new_pane);
|
||||
} else if (new_pane == 1) {
|
||||
frames['right'].document.write(main_page);
|
||||
frames['right'].document.close();
|
||||
reload_form(new_pane);
|
||||
} else {
|
||||
frames['right'].document.write(ext_page_ca_exp);
|
||||
frames['right'].document.close();
|
||||
reload_form(new_pane);
|
||||
}
|
||||
}
|
||||
|
||||
function make_left_frame_page(selected)
|
||||
{
|
||||
var n_strings = ( make_left_frame_page.arguments.length - 1 ) / 2;
|
||||
var table_background;
|
||||
var command;
|
||||
var indent;
|
||||
var label;
|
||||
var ret_string = "";
|
||||
|
||||
ret_string += '<TABLE CELLSPACING=4>';
|
||||
for ( var i = 1; i <= n_strings; i++ ) {
|
||||
if ( i == selected ) {
|
||||
table_background = 'BGCOLOR=#BBCCBB';
|
||||
} else {
|
||||
table_background = '';
|
||||
}
|
||||
|
||||
indent = make_left_frame_page.arguments[(i*2) - 1];
|
||||
label = make_left_frame_page.arguments[(i*2)];
|
||||
|
||||
if ( indent == 0 ) {
|
||||
ret_string += ('<TR><TD COLSPAN=2 ' + table_background + '>');
|
||||
} else {
|
||||
ret_string += ('<TR><TD> </TD><TD ' + table_background + '>');
|
||||
}
|
||||
|
||||
command = "'parent.switch_right_frame(parent," + selected + "," + i + ")'";
|
||||
ret_string += ('<A HREF="javascript:void setTimeout(' + command + ',0)">');
|
||||
if ( indent == 0 ) { ret_string += "<B>"; }
|
||||
ret_string += label;
|
||||
if ( indent == 0 ) { ret_string += "</B>"; }
|
||||
ret_string += '</A></TD></TR>';
|
||||
}
|
||||
if (selected == (max_pages + 1)) {
|
||||
table_background = 'BGCOLOR=#BBCCBB';
|
||||
} else {
|
||||
table_background = '';
|
||||
}
|
||||
ret_string +=
|
||||
'<TR><TD COLSPAN=2 ' + table_background +
|
||||
'><b><A HREF="javascript:void setTimeout(\'top.submit_it()\', 0)">Finish</A></b>' +
|
||||
'</TD></TR>' +
|
||||
'<input type="submit"></form>' +
|
||||
'</TABLE>';
|
||||
return(ret_string);
|
||||
}
|
||||
|
||||
|
||||
function make_page(window)
|
||||
// Draws the initial page setup
|
||||
{
|
||||
selected = cur_page
|
||||
init_ext_page_array()
|
||||
|
||||
with (window.frames['right']) {
|
||||
location="main.html";
|
||||
// document.write(main_page);
|
||||
// document.close();
|
||||
}
|
||||
|
||||
make_left_frame(window);
|
||||
|
||||
}
|
||||
</script>
|
||||
|
||||
</HEAD>
|
||||
<title>Cert-O-Matic</title>
|
||||
<FRAMESET cols="150,*" BORDER=3 ONLOAD="make_page(window)">
|
||||
<FRAME SRC="about:blank" ID="index" NAME="index"
|
||||
MARGINWIDTH=15 MARGINHEIGHT=10 BORDER=3>
|
||||
<FRAME SRC="about:blank" ID="right" NAME="right"
|
||||
MARGINWIDTH=15 MARGINHEIGHT=10 BORDER=3>
|
||||
</FRAMESET>
|
||||
</HTML>
|
@ -1,76 +0,0 @@
|
||||
<HTML>
|
||||
<!-- This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
|
||||
<HEAD>
|
||||
<TITLE>Main Layer for CertOMatic</TITLE>
|
||||
</HEAD>
|
||||
|
||||
<form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
|
||||
<table border=0 cellspacing=10 cellpadding=0>
|
||||
<tr>
|
||||
<td>
|
||||
Common Name:</td><td> <input type="text" name="name" onChange="{window.top.reset_subject('CN=', value, form)}"></p>
|
||||
</td>
|
||||
<td></td><td></td>
|
||||
<td>
|
||||
Organization: </td><td> <input type="text" name="org" onChange="{window.top.reset_subject('O=', value, form)}"></p></td>
|
||||
<tr>
|
||||
<td>
|
||||
<input type="radio" name="email_type" value="1" onClick="window.top.switch_mail(form)">MAIL=
|
||||
|
||||
<input type="radio" name="email_type" value="2" checked onClick="window.top.switch_mail(form)">E=
|
||||
</td>
|
||||
<td>
|
||||
<input type="text" name="email" onChange="var temp;{if (email_type[0].checked) {temp = 'MAIL='} else {temp = 'E='}} ;{window.top.reset_subject(temp, value, form)}">
|
||||
</td>
|
||||
<td></td><td></td><td>
|
||||
Organizational Unit: </td><td><input type="text" name="org_unit" onChange="{window.top.reset_subject('OU=', value, form)}"></p></td>
|
||||
<tr>
|
||||
<td>
|
||||
UID= </td><td><input type="text" name="uid" onChange="{window.top.reset_subject('UID=', value, form)}"></p></td>
|
||||
<td></td><td></td><td>
|
||||
Locality: </td><td><input type="text" name="loc" onChange="{window.top.reset_subject('L=', value, form)}"></p></td>
|
||||
<tr>
|
||||
<td>
|
||||
State or Province: </td><td><input type="text" name="state" onChange="{window.top.reset_subject('ST=', value, form)}"></p></td>
|
||||
<td></td><td></td><td>
|
||||
Country: </td><td><input type="text" size="2" name="country" onChange="{window.top.reset_subject('C=', value, form)}" maxlength="2"></p></td>
|
||||
<tr>
|
||||
<td COLSPAN=2>
|
||||
Serial Number:
|
||||
<DD><input type="radio" name="serial" value="auto" checked> Auto Generate
|
||||
<DD><input type="radio" name="serial" value="input">
|
||||
Use this hex value: <input type="text" name="serial_value" size="8" maxlength="8"></p>
|
||||
</td>
|
||||
<td></td> <td></td>
|
||||
<td COLSPAN=2>
|
||||
X.509 version:
|
||||
<DD><input type="radio" name="ver" value="1" onClick="if (this.checked) {window.top.set_ver1();}"> Version 1
|
||||
<DD><input type="radio" name="ver" value="3" checked onClick="if (this.checked) {window.top.set_ver3();}"> Version 3</P></td>
|
||||
<tr>
|
||||
<td COLSPAN=2>
|
||||
Key Type:
|
||||
<DD><input type="radio" name="keyType" value="rsa" checked> RSA
|
||||
<DD><input type="radio" name="keyType" value="dsa"> DSA</p>
|
||||
Intermediate CA Key Sizes:
|
||||
<DD><select name="keysize">
|
||||
<option>2048 (Very High Grade)
|
||||
<option>1024 (High Grade)
|
||||
<option>512 (Low Grade)
|
||||
</select>
|
||||
</td>
|
||||
<td></td> <td></td>
|
||||
<td COLSPAN=2>
|
||||
Validity:
|
||||
<DD><input type="radio" name="validity" value="auto" checked>
|
||||
Generate Automatically
|
||||
<DD><input type="radio" name="validity" value="man"> Use these values:
|
||||
<DD>Not Before: <input type="text" size="15" maxlength="17" name="notBefore">
|
||||
<DD>Not After: <input type="text" size="15" maxlength="17" name="notAfter">
|
||||
<DD>
|
||||
<FONT SIZE=-1><TT>YYMMDDhhmm[ss]{Z|+hhmm|-hhmm} </TT></FONT>
|
||||
</table>
|
||||
DN: <input type="text" name="subject" size="70" onChange="{window.top.reset_subjectFields(form)}"></P>
|
||||
</form>
|
||||
</HTML>
|
@ -1,22 +0,0 @@
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
CORE_DEPTH = ../..
|
||||
|
||||
# MODULE public and private header directories are implicitly REQUIREd.
|
||||
MODULE = nss
|
||||
|
||||
# This next line is used by .mk files
|
||||
# and gets translated into $LINCS in manifest.mnw
|
||||
REQUIRES = seccmd dbm
|
||||
|
||||
DEFINES = -DNSPR20
|
||||
|
||||
CSRCS = certcgi.c
|
||||
|
||||
PROGRAM = certcgi
|
||||
|
||||
USE_STATIC_LIBS = 1
|
||||
|
@ -1,84 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
|
||||
<html>
|
||||
<!-- This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
|
||||
|
||||
<body>
|
||||
<table border=1 cellspacing=5 cellpadding=5>
|
||||
<form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape Certificate Type: </b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-cert-type"></P>
|
||||
Critical: <input type="checkbox" name="netscape-cert-type-crit">
|
||||
<td>
|
||||
<input type="checkbox" name="netscape-cert-type-ssl-client"> SSL Client</P>
|
||||
<input type="checkbox" name="netscape-cert-type-ssl-server"> SSL Server</P>
|
||||
<input type="checkbox" name="netscape-cert-type-smime"> S/MIME</P>
|
||||
<input type="checkbox" name="netscape-cert-type-object-signing"> Object Signing</P>
|
||||
<input type="checkbox" name="netscape-cert-type-reserved"> Reserved for future use (bit 4)</P>
|
||||
<input type="checkbox" name="netscape-cert-type-ssl-ca"> SSL CA</P>
|
||||
<input type="checkbox" name="netscape-cert-type-smime-ca"> S/MIME CA</P>
|
||||
<input type="checkbox" name="netscape-cert-type-object-signing-ca"> Object Signing CA</P>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape Base URL:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-base-url"></P>
|
||||
Critical: <input type="checkbox" name="netscape-base-url-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-base-url-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape Revocation URL:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-revocation-url"></P>
|
||||
Critical: <input type="checkbox" name="netscape-revocation-url-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-revocation-url-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape CA Revocation URL:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-ca-revocation-url"></P>
|
||||
Critical: <input type="checkbox" name="netscape-ca-revocation-url-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-ca-revocation-url-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape Certificate Renewal URL:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-cert-renewal-url"></P>
|
||||
Critical: <input type="checkbox" name="netscape-cert-renewal-url-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-cert-renewal-url-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape CA Policy URL:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-ca-policy-url"></P>
|
||||
Critical: <input type="checkbox" name="netscape-ca-policy-url-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-ca-policy-url-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape SSL Server Name:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-ssl-server-name"></P>
|
||||
Critical: <input type="checkbox" name="netscape-ssl-server-name-crit">
|
||||
<td>
|
||||
<input type="text" name="netscape-ssl-server-name-text" size="50">
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Netscape Comment:</b></p>
|
||||
Activate extension: <input type="checkbox" name="netscape-comment"></P>
|
||||
Critical: <input type="checkbox" name="netscape-comment-crit">
|
||||
<td>
|
||||
<textarea name="netscape-comment-text" rows="5" cols="50"></textarea>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
</body>
|
||||
</html>
|
@ -1,219 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
|
||||
<html>
|
||||
<!-- This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
|
||||
|
||||
<body>
|
||||
<table border=1 cellspacing=5 cellpadding=5>
|
||||
<form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
|
||||
<tr>
|
||||
<td>
|
||||
<b>Key Usage: </b></p>
|
||||
Activate extension: <input type="checkbox" name="keyUsage"></P>
|
||||
Critical: <input type="checkbox" name="keyUsage-crit">
|
||||
<td>
|
||||
<input type="checkbox" name="keyUsage-digitalSignature"> Digital Signature</P>
|
||||
<input type="checkbox" name="keyUsage-nonRepudiation"> Non Repudiation</P>
|
||||
<input type="checkbox" name="keyUsage-keyEncipherment"> Key Encipherment</P>
|
||||
<input type="checkbox" name="keyUsage-dataEncipherment"> Data Encipherment</P>
|
||||
<input type="checkbox" name="keyUsage-keyAgreement"> Key Agreement</P>
|
||||
<input type="checkbox" name="keyUsage-keyCertSign"> Key Certificate Signing</P>
|
||||
<input type="checkbox" name="keyUsage-cRLSign"> CRL Signing</P>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Extended Key Usage: </b></p>
|
||||
Activate extension: <input type="checkbox" name="extKeyUsage"></P>
|
||||
Critical: <input type="checkbox" name="extKeyUsage-crit">
|
||||
<td>
|
||||
<input type="checkbox" name="extKeyUsage-serverAuth"> Server Auth</P>
|
||||
<input type="checkbox" name="extKeyUsage-clientAuth"> Client Auth</P>
|
||||
<input type="checkbox" name="extKeyUsage-codeSign"> Code Signing</P>
|
||||
<input type="checkbox" name="extKeyUsage-emailProtect"> Email Protection</P>
|
||||
<input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
|
||||
<input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
|
||||
<input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
|
||||
<input type="checkbox" name="extKeyUsage-msTrustListSign"> Microsoft Trust List Signing</P>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Basic Constraints:</b></p>
|
||||
Activate extension: <input type="checkbox" name="basicConstraints"></P>
|
||||
Critical: <input type="checkbox" name="basicConstraints-crit">
|
||||
<td>
|
||||
CA:</p>
|
||||
<dd><input type=radio name="basicConstraints-cA-radio" value="CA"> True</p>
|
||||
<dd><input type=radio name="basicConstraints-cA-radio" value="NotCA"> False</p>
|
||||
<input type="checkbox" name="basicConstraints-pathLengthConstraint">
|
||||
Include Path length: <input type="text" name="basicConstraints-pathLengthConstraint-text" size="2"></p>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Authority Key Identifier:</b></p>
|
||||
Activate extension: <input type="checkbox" name="authorityKeyIdentifier">
|
||||
<td>
|
||||
<input type="radio" name="authorityKeyIdentifier-radio" value="keyIdentifier"> Key Identider</p>
|
||||
<input type="radio" name="authorityKeyIdentifier-radio" value="authorityCertIssuer"> Issuer Name and Serial number</p>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Subject Key Identifier:</b></p>
|
||||
Activate extension: <input type="checkbox" name="subjectKeyIdentifier">
|
||||
<td>
|
||||
Key Identifier:
|
||||
<input type="text" name="subjectKeyIdentifier-text"></p>
|
||||
This is an:<p>
|
||||
<dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="ascii"> ascii text value<p>
|
||||
<dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="hex"> hex value<p>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Private Key Usage Period:</b></p>
|
||||
Activate extension: <input type="checkbox" name="privKeyUsagePeriod"></p>
|
||||
Critical: <input type="checkbox" name="privKeyUsagePeriod-crit">
|
||||
<td>
|
||||
Use:</p>
|
||||
<dd><input type="radio" name="privKeyUsagePeriod-radio" value="notBefore"> Not Before</p>
|
||||
<dd><input type="radio" name="privKeyUsagePeriod-radio" value="notAfter"> Not After</p>
|
||||
<dd><input type="radio" name="privKeyUsagePeriod-radio" value="both" > Both</p>
|
||||
<b>Not to be used to sign before:</b></p>
|
||||
<dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="auto"> Set to time of certificate issue</p>
|
||||
<dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="manual"> Use This value</p>
|
||||
<dd><dd>(YYYY/MM/DD HH:MM:SS):
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-year" size="4" maxlength="4">/
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-month" size="2" maxlength="2">/
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-day" size="2" maxlength="2">
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-hour" size="2" maxlength="2">:
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-minute" size="2" maxlength="2">:
|
||||
<input type="text" name="privKeyUsagePeriod-notBefore-second" size="2" maxlength="2"></p>
|
||||
<b>Not to be used to sign after:</b></p>
|
||||
<dd>(YYYY/MM/DD HH:MM:SS):
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-year" size="4" maxlength="4">/
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-month" size="2" maxlength="2">/
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-day" size="2" maxlength="2">
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-hour" size="2" maxlength="2">:
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-minute" size="2" maxlength="2">:
|
||||
<input type="text" name="privKeyUsagePeriod-notAfter-second" size="2" maxlength="2"></p>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<b>Subject Alternative Name:</b></p>
|
||||
Activate extension: <input type="checkbox" name="SubAltName"></P>
|
||||
Critical: <input type="checkbox" name="SubAltName-crit">
|
||||
<td>
|
||||
<table>
|
||||
<tr>
|
||||
<td>
|
||||
General Names:</p>
|
||||
<select name="SubAltNameSelect" multiple size="10">
|
||||
</select></p></p>
|
||||
<input type="button" name="SubAltName-add" value="Add" onClick="{parent.addSubAltName(this.form)}">
|
||||
<input type="button" name="SubAltName-delete" value="Delete" onClick="parent.deleteSubAltName(this.form)">
|
||||
</td><td>
|
||||
<table><tr><td>
|
||||
Name Type: </td></tr><tr><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="otherName" onClick="parent.setSubAltNameType(form)"> Other Name,
|
||||
OID: <input type="text" name="SubAltNameOtherNameOID" size="6"> </td><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="rfc822Name" onClick="parent.setSubAltNameType(form)"> RFC 822 Name</td></tr><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="dnsName" onClick="parent.setSubAltNameType(form)"> DNS Name </td><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="x400" onClick="parent.setSubAltNameType(form)"> X400 Address</td></tr><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="directoryName" onClick="parent.setSubAltNameType(form)"> Directory Name</td><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="ediPartyName" onClick="parent.setSubAltNameType(form)"> EDI Party Name</td></tr><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="URL" onClick="parent.setSubAltNameType(form)"> Uniform Resource Locator</td><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="ipAddress" onClick="parent.setSubAltNameType(form)"> IP Address</td></tr><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="regID"onClick="parent.setSubAltNameType(form)"> Registered ID</td><td>
|
||||
<input type="radio" name="SubAltNameRadio" value="nscpNickname" onClick="parent.setSubAltNameType(form)"> Netscape Certificate Nickname</td><td></tr>
|
||||
</table>
|
||||
Name: <input type="text" name="SubAltNameText">
|
||||
Binary Encoded: <input type="checkbox" name="SubAltNameDataType" value="binary" onClick="parent.setSubAltNameType(form)"></p>
|
||||
</tr>
|
||||
</table>
|
||||
</tr>
|
||||
|
||||
|
||||
<tr>
|
||||
<td>
|
||||
<b>Issuer Alternative Name:</b></p>
|
||||
Activate extension: <input type="checkbox" name="IssuerAltName"></P>
|
||||
Critical: <input type="checkbox" name="IssuerAltName-crit">
|
||||
<td>
|
||||
<input type="radio" name="IssuerAltNameSourceRadio" value="auto"> Use the Subject Alternative Name from the Issuers Certificate</p>
|
||||
<input type="radio" name="IssuerAltNameSourceRadio" value="man"> Use this Name:
|
||||
<table>
|
||||
<tr>
|
||||
<td>
|
||||
General Names:</p>
|
||||
<select name="IssuerAltNameSelect" multiple size="10">
|
||||
</select></p></p>
|
||||
<input type="button" name="IssuerAltName-add" value="Add" onClick="{parent.addIssuerAltName(this.form)}">
|
||||
<input type="button" name="IssuerAltName-delete" value="Delete" onClick="parent.deleteIssuerAltName(this.form)">
|
||||
</td><td>
|
||||
<table><tr><td>
|
||||
Name Type: </td></tr><tr><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="otherName" onClick="parent.setIssuerAltNameType(form)"> Other Name,
|
||||
OID: <input type="text" name="IssuerAltNameOtherNameOID" size="6"> </td><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="rfc822Name" onClick="parent.setIssuerAltNameType(form)"> RFC 822 Name</td></tr><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="dnsName" onClick="parent.setIssuerAltNameType(form)"> DNS Name </td><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="x400" onClick="parent.setIssuerAltNameType(form)"> X400 Address</td></tr><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="directoryName" onClick="parent.setIssuerAltNameType(form)"> Directory Name</td><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="ediPartyName" onClick="parent.setIssuerAltNameType(form)"> EDI Party Name</td></tr><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="URL" onClick="parent.setIssuerAltNameType(form)"> Uniform Resource Locator</td><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="ipAddress" onClick="parent.setIssuerAltNameType(form)"> IP Address</td></tr><td>
|
||||
<input type="radio" name="IssuerAltNameRadio" value="regID" onClick="parent.setIssuerAltNameType(form)"> Registered ID</td><td></tr>
|
||||
</table>
|
||||
Name: <input type="text" name="IssuerAltNameText">
|
||||
Binary Encoded: <input type="checkbox" name="IssuerAltNameDataType" value="binary" onClick="parent.setIssuerAltNameType(form)"></p>
|
||||
</tr>
|
||||
</table>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td>
|
||||
<b>Name Constraints:</b></p>
|
||||
Activate extension: <input type="checkbox" name="NameConstraints"></P>
|
||||
<td>
|
||||
<table>
|
||||
<tr>
|
||||
<td>
|
||||
Name Constraints:</p>
|
||||
<select name="NameConstraintSelect" multiple size="10">
|
||||
</select></p></p>
|
||||
<input type="button" name="NameConstraint-add" value="Add" onClick="{parent.addNameConstraint(this.form)}">
|
||||
<input type="button" name="NameConstraint-delete" value="Delete" onClick="parent.deleteNameConstraint(this.form)">
|
||||
</td><td>
|
||||
<table><tr><td>
|
||||
Name Type: </td></tr><tr><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="otherName" onClick="parent.setNameConstraintNameType(form)"> Other Name,
|
||||
OID: <input type="text" name="NameConstraintOtherNameOID" size="6"> </td><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="rfc822Name" onClick="parent.setNameConstraintNameType(form)"> RFC 822 Name</td></tr><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="dnsName" onClick="parent.setNameConstraintNameType(form)"> DNS Name </td><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="x400" onClick="parent.setNameConstraintNameType(form)"> X400 Address</td></tr><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="directoryName" onClick="parent.setNameConstraintNameType(form)"> Directory Name</td><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="ediPartyName" onClick="parent.setNameConstraintNameType(form)"> EDI Party Name</td></tr><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="URL" onClick="parent.setNameConstraintNameType(form)"> Uniform Resource Locator</td><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="ipAddress" onClick="parent.setNameConstraintNameType(form)"> IP Address</td></tr><td>
|
||||
<input type="radio" name="NameConstraintRadio" value="regID" onClick="parent.setNameConstraintNameType(form)"> Registered ID</td><td></tr>
|
||||
</table>
|
||||
Name: <input type="text" name="NameConstraintText">
|
||||
Binary Encoded: <input type="checkbox" name="NameConstraintNameDataType" value="binary" onClick="parent.setNameConstraintNameType(form)"></p>
|
||||
Constraint type:<p>
|
||||
<dd><input type="radio" name="NameConstraintTypeRadio" value="permited"> permited<p>
|
||||
<dd><input type="radio" name="NameConstraintTypeRadio" value="excluded"> excluded<p>
|
||||
Minimum: <input type="text" name="NameConstraintMin" size="8" maxlength="8"></p>
|
||||
Maximum: <input type="text" name="NameConstraintMax" size="8" maxlength="8"></p>
|
||||
</tr>
|
||||
</table>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -1371,7 +1371,7 @@ luF(enum usage_level ul, const char *command)
|
||||
{
|
||||
int is_my_command = (command && 0 == strcmp(command, "F"));
|
||||
if (ul == usage_all || !command || is_my_command)
|
||||
FPS "%-15s Delete a key from the database\n",
|
||||
FPS "%-15s Delete a key and associated certificate from the database\n",
|
||||
"-F");
|
||||
if (ul == usage_selected && !is_my_command)
|
||||
return;
|
||||
|
@ -36,7 +36,6 @@ NSS_SRCDIRS = \
|
||||
addbuiltin \
|
||||
atob \
|
||||
btoa \
|
||||
certcgi \
|
||||
certutil \
|
||||
chktest \
|
||||
crlutil \
|
||||
|
@ -43,6 +43,7 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
|
||||
int status;
|
||||
char tempfn[FNSIZE], fullfn[FNSIZE];
|
||||
int keyType = rsaKey;
|
||||
int count;
|
||||
|
||||
metafile = meta_file;
|
||||
optimize = _optimize;
|
||||
@ -81,9 +82,18 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
|
||||
}
|
||||
|
||||
/* rsa/dsa to zip */
|
||||
sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
|
||||
: "rsa"));
|
||||
sprintf(fullfn, "%s/%s", tree, tempfn);
|
||||
count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa"));
|
||||
if (count >= sizeof(tempfn)) {
|
||||
PR_fprintf(errorFD, "unable to write key metadata\n");
|
||||
errorCount++;
|
||||
exit(ERRX);
|
||||
}
|
||||
count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
|
||||
if (count >= sizeof(fullfn)) {
|
||||
PR_fprintf(errorFD, "unable to write key metadata\n");
|
||||
errorCount++;
|
||||
exit(ERRX);
|
||||
}
|
||||
JzipAdd(fullfn, tempfn, zipfile, compression_level);
|
||||
|
||||
/* Loop through all files & subdirectories, add to archive */
|
||||
@ -93,20 +103,44 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
|
||||
}
|
||||
/* mf to zip */
|
||||
strcpy(tempfn, "META-INF/manifest.mf");
|
||||
sprintf(fullfn, "%s/%s", tree, tempfn);
|
||||
count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
|
||||
if (count >= sizeof(fullfn)) {
|
||||
PR_fprintf(errorFD, "unable to write manifest\n");
|
||||
errorCount++;
|
||||
exit(ERRX);
|
||||
}
|
||||
JzipAdd(fullfn, tempfn, zipfile, compression_level);
|
||||
|
||||
/* sf to zip */
|
||||
sprintf(tempfn, "META-INF/%s.sf", base);
|
||||
sprintf(fullfn, "%s/%s", tree, tempfn);
|
||||
count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.sf", base);
|
||||
if (count >= sizeof(tempfn)) {
|
||||
PR_fprintf(errorFD, "unable to write sf metadata\n");
|
||||
errorCount++;
|
||||
exit(ERRX);
|
||||
}
|
||||
count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
|
||||
if (count >= sizeof(fullfn)) {
|
||||
PR_fprintf(errorFD, "unable to write sf metadata\n");
|
||||
errorCount++;
|
||||
exit(ERRX);
|
||||
}
|
||||
JzipAdd(fullfn, tempfn, zipfile, compression_level);
|
||||
|
||||
/* Add the rsa/dsa file to the zip archive normally */
|
||||
if (!xpi_arc) {
|
||||
/* rsa/dsa to zip */
|
||||
sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
|
||||
: "rsa"));
|
||||
sprintf(fullfn, "%s/%s", tree, tempfn);
|
||||
count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa"));
|
||||
if (count >= sizeof(tempfn)) {
|
||||
PR_fprintf(errorFD, "unable to write key metadata\n");
|
||||
errorCount++;
|
||||
exit(ERRX);
|
||||
}
|
||||
count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
|
||||
if (count >= sizeof(fullfn)) {
|
||||
PR_fprintf(errorFD, "unable to write key metadata\n");
|
||||
errorCount++;
|
||||
exit(ERRX);
|
||||
}
|
||||
JzipAdd(fullfn, tempfn, zipfile, compression_level);
|
||||
}
|
||||
|
||||
@ -408,6 +442,7 @@ static int
|
||||
manifesto_xpi_fn(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
|
||||
{
|
||||
char fullname[FNSIZE];
|
||||
int count;
|
||||
|
||||
if (verbosity >= 0) {
|
||||
PR_fprintf(outputFD, "--> %s\n", relpath);
|
||||
@ -421,7 +456,10 @@ manifesto_xpi_fn(char *relpath, char *basedir, char *reldir, char *filename, voi
|
||||
if (!PL_HashTableLookup(extensions, ext))
|
||||
return 0;
|
||||
}
|
||||
sprintf(fullname, "%s/%s", basedir, relpath);
|
||||
count = snprintf(fullname, sizeof(fullname), "%s/%s", basedir, relpath);
|
||||
if (count >= sizeof(fullname)) {
|
||||
return 1;
|
||||
}
|
||||
JzipAdd(fullname, relpath, zipfile, compression_level);
|
||||
|
||||
return 0;
|
||||
|
@ -10,4 +10,3 @@
|
||||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
@ -84,11 +84,11 @@
|
||||
|
||||
<varlistentry>
|
||||
<term>-F</term>
|
||||
<listitem><para>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
|
||||
<option>-d</option> argument. Use the <option>-k</option> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <option>-k</option> argument, the option looks for an RSA key matching the specified nickname.
|
||||
<listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
|
||||
<option>-d</option> argument.
|
||||
</para>
|
||||
<para>
|
||||
When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </para></listitem>
|
||||
Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
@ -1,6 +1,70 @@
|
||||
{
|
||||
"DisabledTests": {
|
||||
"### These tests break whenever we rev versions, so just leave them here for easy uncommenting":"",
|
||||
"SendWarningAlerts-Pass":"BoringSSL updated",
|
||||
"SendBogusAlertType":"BoringSSL updated",
|
||||
"SendEmptyRecords-Pass":"BoringSSL updated",
|
||||
"ExtraCompressionMethods-TLS12":"BoringSSL updated",
|
||||
"SendSNIWarningAlert":"BoringSSL updated",
|
||||
"NoNullCompression-TLS12":"BoringSSL updated",
|
||||
"InvalidCompressionMethod":"BoringSSL updated",
|
||||
"SupportTicketsWithSessionID":"BoringSSL updated",
|
||||
"NoSharedCipher":"BoringSSL updated",
|
||||
"ServerHelloBogusCipher":"BoringSSL updated",
|
||||
"ClientHelloVersionTooHigh":"BoringSSL updated",
|
||||
"ServerAuth-SignatureType":"BoringSSL updated",
|
||||
"ECDSACurveMismatch-Verify-TLS12":"BoringSSL updated",
|
||||
"UnknownExtension-Client":"BoringSSL updated",
|
||||
"UnofferedExtension-Client":"BoringSSL updated",
|
||||
"SendClientVersion-RSA":"BoringSSL updated",
|
||||
"SupportedCurves-ServerHello-TLS12":"BoringSSL updated",
|
||||
"Basic-Client*Sync":"BoringSSL updated",
|
||||
"Resume-Client-CipherMismatch":"BoringSSL updated",
|
||||
"ClientAuth-SignatureType":"BoringSSL updated",
|
||||
"Agree-Digest-Default":"BoringSSL updated",
|
||||
"Basic-Server*Sync":"BoringSSL updated",
|
||||
"ClientAuth-*-Sync":"BoringSSL updated",
|
||||
"RSA-PSS-Default*":"BoringSSL updated",
|
||||
"Renegotiate-Server-NoExt*":"BoringSSL updated",
|
||||
"Downgrade-TLS12*":"BoringSSL updated",
|
||||
"MaxCBCPadding":"BoringSSL updated",
|
||||
"UnknownCipher":"BoringSSL updated",
|
||||
"LargeMessage":"BoringSSL updated",
|
||||
"NoCommonCurves":"BoringSSL updated",
|
||||
"UnknownCurve":"BoringSSL updated",
|
||||
"SessionTicketsDisabled*":"BoringSSL updated",
|
||||
"BadFinished-*":"BoringSSL updated",
|
||||
"ServerSkipCertificateVerify":"BoringSSL updated",
|
||||
"*VersionTolerance":"BoringSSL updated",
|
||||
"ConflictingVersionNegotiation*":"BoringSSL updated",
|
||||
"Ed25519DefaultDisable*":"BoringSSL updated",
|
||||
"*SHA1-Fallback*":"BoringSSL updated",
|
||||
"ExtendedMasterSecret-NoToNo*":"BoringSSL updated",
|
||||
"ServerNameExtensionClientMissing*":"BoringSSL updated",
|
||||
"NoClientCertificate*":"BoringSSL updated",
|
||||
"ServerCipherFilter*":"BoringSSL updated",
|
||||
"*FallbackSCSV*":"BoringSSL updated",
|
||||
"LooseInitialRecordVersion*":"BoringSSL updated",
|
||||
"ALPNClient*":"BoringSSL updated",
|
||||
"MinimumVersion*":"BoringSSL updated",
|
||||
"VersionNegotiation*":"BoringSSL updated",
|
||||
"*Client-ClientAuth*":"BoringSSL updated",
|
||||
"*Server-ClientAuth*":"BoringSSL updated",
|
||||
"NoExtendedMasterSecret*":"BoringSSL updated",
|
||||
"PointFormat*":"BoringSSL updated",
|
||||
"*Sync-SplitHandshakeRecords*":"BoringSSL updated",
|
||||
"*Sync-PackHandshakeFlight*":"BoringSSL updated",
|
||||
"TicketSessionIDLength*":"BoringSSL updated",
|
||||
"*LargeRecord*":"BoringSSL updated",
|
||||
"WrongMessageType-NewSessionTicket":"BoringSSL updated",
|
||||
"WrongMessageType*Certificate*":"BoringSSL updated",
|
||||
"WrongMessageType*Client*":"BoringSSL updated",
|
||||
"WrongMessageType*Server*":"BoringSSL updated",
|
||||
"WrongMessageType*DTLS":"BoringSSL updated",
|
||||
"GarbageCertificate*":"BoringSSL updated",
|
||||
"EmptyExtensions*":"BoringSSL updated",
|
||||
"*OmitExtensions*":"BoringSSL updated",
|
||||
"SupportedVersionSelection-TLS12":"Should maybe reject TLS 1.2 in SH.supported_versions (Bug 1438266)",
|
||||
"*TLS13*":"(NSS=19, BoGo=18)",
|
||||
"*HelloRetryRequest*":"(NSS=19, BoGo=18)",
|
||||
"*KeyShare*":"(NSS=19, BoGo=18)",
|
||||
|
@ -105,4 +105,4 @@ static const BloomFilterConfig kBloomFilterConfigurations[] = {
|
||||
INSTANTIATE_TEST_CASE_P(BloomFilterConfigurations, BloomFilterTest,
|
||||
::testing::ValuesIn(kBloomFilterConfigurations));
|
||||
|
||||
} // namespace nspr_test
|
||||
} // namespace nss_test
|
||||
|
@ -94,7 +94,7 @@ class TlsZeroRttReplayTest : public TlsConnectTls13 {
|
||||
|
||||
// Now run a true 0-RTT handshake, but capture the first packet.
|
||||
auto first_packet = std::make_shared<SaveFirstPacket>();
|
||||
client_->SetPacketFilter(first_packet);
|
||||
client_->SetFilter(first_packet);
|
||||
client_->Set0RttEnabled(true);
|
||||
server_->Set0RttEnabled(true);
|
||||
ExpectResumption(RESUME_TICKET);
|
||||
@ -116,8 +116,7 @@ class TlsZeroRttReplayTest : public TlsConnectTls13 {
|
||||
|
||||
// Capture the early_data extension, which should not appear.
|
||||
auto early_data_ext =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_early_data_xtn);
|
||||
server_->SetPacketFilter(early_data_ext);
|
||||
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_early_data_xtn);
|
||||
|
||||
// Finally, replay the ClientHello and force the server to consume it. Stop
|
||||
// after the server sends its first flight; the client will not be able to
|
||||
@ -604,7 +603,7 @@ TEST_P(TlsConnectTls13, ZeroRttOrdering) {
|
||||
// Now, coalesce the next three things from the client: early data, second
|
||||
// flight and 1-RTT data.
|
||||
auto coalesce = std::make_shared<PacketCoalesceFilter>();
|
||||
client_->SetPacketFilter(coalesce);
|
||||
client_->SetFilter(coalesce);
|
||||
|
||||
// Send (and hold) early data.
|
||||
static const std::vector<uint8_t> early_data = {3, 2, 1};
|
||||
|
@ -160,9 +160,8 @@ TEST_F(TlsAgentStreamTestClient, Set0RttOptionThenWrite) {
|
||||
SSL_LIBRARY_VERSION_TLS_1_3);
|
||||
agent_->StartConnect();
|
||||
agent_->Set0RttEnabled(true);
|
||||
auto filter = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeClientHello);
|
||||
agent_->SetPacketFilter(filter);
|
||||
auto filter =
|
||||
MakeTlsFilter<TlsHandshakeRecorder>(agent_, kTlsHandshakeClientHello);
|
||||
PRInt32 rv = PR_Write(agent_->ssl_fd(), k0RttData, strlen(k0RttData));
|
||||
EXPECT_EQ(-1, rv);
|
||||
int32_t err = PORT_GetError();
|
||||
|
@ -95,10 +95,9 @@ TEST_P(TlsConnectGeneric, ClientAuthBigRsa) {
|
||||
}
|
||||
|
||||
// Offset is the position in the captured buffer where the signature sits.
|
||||
static void CheckSigScheme(
|
||||
std::shared_ptr<TlsInspectorRecordHandshakeMessage>& capture, size_t offset,
|
||||
std::shared_ptr<TlsAgent>& peer, uint16_t expected_scheme,
|
||||
size_t expected_size) {
|
||||
static void CheckSigScheme(std::shared_ptr<TlsHandshakeRecorder>& capture,
|
||||
size_t offset, std::shared_ptr<TlsAgent>& peer,
|
||||
uint16_t expected_scheme, size_t expected_size) {
|
||||
EXPECT_LT(offset + 2U, capture->buffer().len());
|
||||
|
||||
uint32_t scheme = 0;
|
||||
@ -114,9 +113,8 @@ static void CheckSigScheme(
|
||||
// in the default certificate.
|
||||
TEST_P(TlsConnectTls12, ServerAuthCheckSigAlg) {
|
||||
EnsureTlsSetup();
|
||||
auto capture_ske = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeServerKeyExchange);
|
||||
server_->SetPacketFilter(capture_ske);
|
||||
auto capture_ske = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
server_, kTlsHandshakeServerKeyExchange);
|
||||
Connect();
|
||||
CheckKeys();
|
||||
|
||||
@ -133,10 +131,8 @@ TEST_P(TlsConnectTls12, ServerAuthCheckSigAlg) {
|
||||
|
||||
TEST_P(TlsConnectTls12, ClientAuthCheckSigAlg) {
|
||||
EnsureTlsSetup();
|
||||
auto capture_cert_verify =
|
||||
std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeCertificateVerify);
|
||||
client_->SetPacketFilter(capture_cert_verify);
|
||||
auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
client_, kTlsHandshakeCertificateVerify);
|
||||
client_->SetupClientAuth();
|
||||
server_->RequestClientAuth(true);
|
||||
Connect();
|
||||
@ -147,10 +143,8 @@ TEST_P(TlsConnectTls12, ClientAuthCheckSigAlg) {
|
||||
|
||||
TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
|
||||
Reset(TlsAgent::kServerRsa, TlsAgent::kRsa2048);
|
||||
auto capture_cert_verify =
|
||||
std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeCertificateVerify);
|
||||
client_->SetPacketFilter(capture_cert_verify);
|
||||
auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
client_, kTlsHandshakeCertificateVerify);
|
||||
client_->SetupClientAuth();
|
||||
server_->RequestClientAuth(true);
|
||||
Connect();
|
||||
@ -161,8 +155,8 @@ TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
|
||||
|
||||
class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsZeroCertificateRequestSigAlgsFilter()
|
||||
: TlsHandshakeFilter({kTlsHandshakeCertificateRequest}) {}
|
||||
TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsHandshakeFilter(agent, {kTlsHandshakeCertificateRequest}) {}
|
||||
virtual PacketFilter::Action FilterHandshake(
|
||||
const TlsHandshakeFilter::HandshakeHeader& header,
|
||||
const DataBuffer& input, DataBuffer* output) {
|
||||
@ -207,12 +201,9 @@ class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
|
||||
// supported_signature_algorithms in the CertificateRequest message.
|
||||
TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
|
||||
EnsureTlsSetup();
|
||||
auto filter = std::make_shared<TlsZeroCertificateRequestSigAlgsFilter>();
|
||||
server_->SetPacketFilter(filter);
|
||||
auto capture_cert_verify =
|
||||
std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeCertificateVerify);
|
||||
client_->SetPacketFilter(capture_cert_verify);
|
||||
MakeTlsFilter<TlsZeroCertificateRequestSigAlgsFilter>(server_);
|
||||
auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
client_, kTlsHandshakeCertificateVerify);
|
||||
client_->SetupClientAuth();
|
||||
server_->RequestClientAuth(true);
|
||||
|
||||
@ -360,8 +351,7 @@ TEST_P(TlsConnectPre12, SignatureAlgorithmNoOverlapEcdsa) {
|
||||
|
||||
// The signature_algorithms extension is mandatory in TLS 1.3.
|
||||
TEST_P(TlsConnectTls13, SignatureAlgorithmDrop) {
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsExtensionDropper>(ssl_signature_algorithms_xtn));
|
||||
MakeTlsFilter<TlsExtensionDropper>(client_, ssl_signature_algorithms_xtn);
|
||||
ConnectExpectAlert(server_, kTlsAlertMissingExtension);
|
||||
client_->CheckErrorCode(SSL_ERROR_MISSING_EXTENSION_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION);
|
||||
@ -370,8 +360,7 @@ TEST_P(TlsConnectTls13, SignatureAlgorithmDrop) {
|
||||
// TLS 1.2 has trouble detecting this sort of modification: it uses SHA1 and
|
||||
// only fails when the Finished is checked.
|
||||
TEST_P(TlsConnectTls12, SignatureAlgorithmDrop) {
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsExtensionDropper>(ssl_signature_algorithms_xtn));
|
||||
MakeTlsFilter<TlsExtensionDropper>(client_, ssl_signature_algorithms_xtn);
|
||||
ConnectExpectAlert(server_, kTlsAlertDecryptError);
|
||||
client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
|
||||
@ -389,11 +378,11 @@ class BeforeFinished : public TlsRecordFilter {
|
||||
enum HandshakeState { BEFORE_CCS, AFTER_CCS, DONE };
|
||||
|
||||
public:
|
||||
BeforeFinished(std::shared_ptr<TlsAgent>& client,
|
||||
std::shared_ptr<TlsAgent>& server, VoidFunction before_ccs,
|
||||
VoidFunction before_finished)
|
||||
: client_(client),
|
||||
server_(server),
|
||||
BeforeFinished(const std::shared_ptr<TlsAgent>& server,
|
||||
const std::shared_ptr<TlsAgent>& client,
|
||||
VoidFunction before_ccs, VoidFunction before_finished)
|
||||
: TlsRecordFilter(server),
|
||||
client_(client),
|
||||
before_ccs_(before_ccs),
|
||||
before_finished_(before_finished),
|
||||
state_(BEFORE_CCS) {}
|
||||
@ -413,7 +402,7 @@ class BeforeFinished : public TlsRecordFilter {
|
||||
// but that means that they both get processed together.
|
||||
DataBuffer ccs;
|
||||
header.Write(&ccs, 0, body);
|
||||
server_.lock()->SendDirect(ccs);
|
||||
agent()->SendDirect(ccs);
|
||||
client_.lock()->Handshake();
|
||||
state_ = AFTER_CCS;
|
||||
// Request that the original record be dropped by the filter.
|
||||
@ -438,7 +427,6 @@ class BeforeFinished : public TlsRecordFilter {
|
||||
|
||||
private:
|
||||
std::weak_ptr<TlsAgent> client_;
|
||||
std::weak_ptr<TlsAgent> server_;
|
||||
VoidFunction before_ccs_;
|
||||
VoidFunction before_finished_;
|
||||
HandshakeState state_;
|
||||
@ -463,11 +451,11 @@ class BeforeFinished13 : public PacketFilter {
|
||||
};
|
||||
|
||||
public:
|
||||
BeforeFinished13(std::shared_ptr<TlsAgent>& client,
|
||||
std::shared_ptr<TlsAgent>& server,
|
||||
BeforeFinished13(const std::shared_ptr<TlsAgent>& server,
|
||||
const std::shared_ptr<TlsAgent>& client,
|
||||
VoidFunction before_finished)
|
||||
: client_(client),
|
||||
server_(server),
|
||||
: server_(server),
|
||||
client_(client),
|
||||
before_finished_(before_finished),
|
||||
records_(0) {}
|
||||
|
||||
@ -499,8 +487,8 @@ class BeforeFinished13 : public PacketFilter {
|
||||
}
|
||||
|
||||
private:
|
||||
std::weak_ptr<TlsAgent> client_;
|
||||
std::weak_ptr<TlsAgent> server_;
|
||||
std::weak_ptr<TlsAgent> client_;
|
||||
VoidFunction before_finished_;
|
||||
size_t records_;
|
||||
};
|
||||
@ -514,11 +502,9 @@ static SECStatus AuthCompleteBlock(TlsAgent*, PRBool, PRBool) {
|
||||
// processed by the client, SSL_AuthCertificateComplete() is called.
|
||||
TEST_F(TlsConnectDatagram13, AuthCompleteBeforeFinished) {
|
||||
client_->SetAuthCertificateCallback(AuthCompleteBlock);
|
||||
server_->SetPacketFilter(
|
||||
std::make_shared<BeforeFinished13>(client_, server_, [this]() {
|
||||
EXPECT_EQ(SECSuccess,
|
||||
SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
|
||||
}));
|
||||
MakeTlsFilter<BeforeFinished13>(server_, client_, [this]() {
|
||||
EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
|
||||
});
|
||||
Connect();
|
||||
}
|
||||
|
||||
@ -546,13 +532,13 @@ TEST_F(TlsConnectDatagram13, AuthCompleteAfterFinished) {
|
||||
|
||||
TEST_P(TlsConnectGenericPre13, ClientWriteBetweenCCSAndFinishedWithFalseStart) {
|
||||
client_->EnableFalseStart();
|
||||
server_->SetPacketFilter(std::make_shared<BeforeFinished>(
|
||||
client_, server_,
|
||||
MakeTlsFilter<BeforeFinished>(
|
||||
server_, client_,
|
||||
[this]() { EXPECT_TRUE(client_->can_falsestart_hook_called()); },
|
||||
[this]() {
|
||||
// Write something, which used to fail: bug 1235366.
|
||||
client_->SendData(10);
|
||||
}));
|
||||
});
|
||||
|
||||
Connect();
|
||||
server_->SendData(10);
|
||||
@ -562,8 +548,8 @@ TEST_P(TlsConnectGenericPre13, ClientWriteBetweenCCSAndFinishedWithFalseStart) {
|
||||
TEST_P(TlsConnectGenericPre13, AuthCompleteBeforeFinishedWithFalseStart) {
|
||||
client_->EnableFalseStart();
|
||||
client_->SetAuthCertificateCallback(AuthCompleteBlock);
|
||||
server_->SetPacketFilter(std::make_shared<BeforeFinished>(
|
||||
client_, server_,
|
||||
MakeTlsFilter<BeforeFinished>(
|
||||
server_, client_,
|
||||
[]() {
|
||||
// Do nothing before CCS
|
||||
},
|
||||
@ -574,7 +560,7 @@ TEST_P(TlsConnectGenericPre13, AuthCompleteBeforeFinishedWithFalseStart) {
|
||||
SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
|
||||
EXPECT_TRUE(client_->can_falsestart_hook_called());
|
||||
client_->SendData(10);
|
||||
}));
|
||||
});
|
||||
|
||||
Connect();
|
||||
server_->SendData(10);
|
||||
@ -608,7 +594,7 @@ TEST_P(TlsConnectGenericPre13, AuthCompleteDelayed) {
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
|
||||
|
||||
// The client should send nothing from here on.
|
||||
client_->SetPacketFilter(std::make_shared<EnforceNoActivity>());
|
||||
client_->SetFilter(std::make_shared<EnforceNoActivity>());
|
||||
client_->Handshake();
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
|
||||
|
||||
@ -618,8 +604,8 @@ TEST_P(TlsConnectGenericPre13, AuthCompleteDelayed) {
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
|
||||
|
||||
// Remove this before closing or the close_notify alert will trigger it.
|
||||
client_->DeletePacketFilter();
|
||||
// Remove filter before closing or the close_notify alert will trigger it.
|
||||
client_->ClearFilter();
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectGenericPre13, AuthCompleteFailDelayed) {
|
||||
@ -634,12 +620,12 @@ TEST_P(TlsConnectGenericPre13, AuthCompleteFailDelayed) {
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
|
||||
|
||||
// The client should send nothing from here on.
|
||||
client_->SetPacketFilter(std::make_shared<EnforceNoActivity>());
|
||||
client_->SetFilter(std::make_shared<EnforceNoActivity>());
|
||||
client_->Handshake();
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
|
||||
|
||||
// Report failure.
|
||||
client_->DeletePacketFilter();
|
||||
client_->ClearFilter();
|
||||
client_->ExpectSendAlert(kTlsAlertBadCertificate);
|
||||
EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(),
|
||||
SSL_ERROR_BAD_CERTIFICATE));
|
||||
@ -659,12 +645,12 @@ TEST_P(TlsConnectTls13, AuthCompleteDelayed) {
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTING, server_->state());
|
||||
|
||||
// The client will send nothing until AuthCertificateComplete is called.
|
||||
client_->SetPacketFilter(std::make_shared<EnforceNoActivity>());
|
||||
client_->SetFilter(std::make_shared<EnforceNoActivity>());
|
||||
client_->Handshake();
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
|
||||
|
||||
// This should allow the handshake to complete now.
|
||||
client_->DeletePacketFilter();
|
||||
client_->ClearFilter();
|
||||
EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
|
||||
client_->Handshake(); // Send Finished
|
||||
server_->Handshake(); // Transition to connected and send NewSessionTicket
|
||||
@ -682,12 +668,12 @@ TEST_P(TlsConnectTls13, AuthCompleteFailDelayed) {
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTING, server_->state());
|
||||
|
||||
// The client will send nothing until AuthCertificateComplete is called.
|
||||
client_->SetPacketFilter(std::make_shared<EnforceNoActivity>());
|
||||
client_->SetFilter(std::make_shared<EnforceNoActivity>());
|
||||
client_->Handshake();
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
|
||||
|
||||
// Report failure.
|
||||
client_->DeletePacketFilter();
|
||||
client_->ClearFilter();
|
||||
ExpectAlert(client_, kTlsAlertBadCertificate);
|
||||
EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(),
|
||||
SSL_ERROR_BAD_CERTIFICATE));
|
||||
@ -832,8 +818,7 @@ TEST_P(TlsSignatureSchemeConfiguration, SignatureSchemeConfigServer) {
|
||||
TEST_P(TlsSignatureSchemeConfiguration, SignatureSchemeConfigClient) {
|
||||
Reset(certificate_);
|
||||
auto capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_signature_algorithms_xtn);
|
||||
client_->SetPacketFilter(capture);
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_signature_algorithms_xtn);
|
||||
TestSignatureSchemeConfig(client_);
|
||||
|
||||
const DataBuffer& ext = capture->extension();
|
||||
@ -907,4 +892,4 @@ INSTANTIATE_TEST_CASE_P(
|
||||
TlsAgent::kServerEcdsa384),
|
||||
::testing::Values(ssl_auth_ecdsa),
|
||||
::testing::Values(ssl_sig_ecdsa_sha1)));
|
||||
}
|
||||
} // namespace nss_test
|
||||
|
@ -180,9 +180,8 @@ TEST_P(TlsConnectGenericPre13, OcspMangled) {
|
||||
server_->ConfigServerCert(TlsAgent::kServerRsa, true, &kOcspExtraData));
|
||||
|
||||
static const uint8_t val[] = {1};
|
||||
auto replacer = std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_cert_status_xtn, DataBuffer(val, sizeof(val)));
|
||||
server_->SetPacketFilter(replacer);
|
||||
auto replacer = MakeTlsFilter<TlsExtensionReplacer>(
|
||||
server_, ssl_cert_status_xtn, DataBuffer(val, sizeof(val)));
|
||||
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
|
||||
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
|
||||
@ -192,8 +191,7 @@ TEST_P(TlsConnectGeneric, OcspSuccess) {
|
||||
EnsureTlsSetup();
|
||||
client_->SetOption(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
|
||||
auto capture_ocsp =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_cert_status_xtn);
|
||||
server_->SetPacketFilter(capture_ocsp);
|
||||
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_cert_status_xtn);
|
||||
|
||||
// The value should be available during the AuthCertificateCallback
|
||||
client_->SetAuthCertificateCallback([](TlsAgent* agent, bool checksig,
|
||||
@ -245,4 +243,4 @@ TEST_P(TlsConnectGeneric, OcspHugeSuccess) {
|
||||
Connect();
|
||||
}
|
||||
|
||||
} // namespace nspr_test
|
||||
} // namespace nss_test
|
||||
|
@ -466,4 +466,4 @@ static const SecStatusParams kSecStatusTestValuesArr[] = {
|
||||
INSTANTIATE_TEST_CASE_P(TestSecurityStatus, SecurityStatusTest,
|
||||
::testing::ValuesIn(kSecStatusTestValuesArr));
|
||||
|
||||
} // namespace nspr_test
|
||||
} // namespace nss_test
|
||||
|
@ -150,9 +150,8 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionWriterDisable) {
|
||||
client_->ssl_fd(), ssl_signed_cert_timestamp_xtn, NoopExtensionWriter,
|
||||
nullptr, NoopExtensionHandler, nullptr);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
auto capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_signed_cert_timestamp_xtn);
|
||||
client_->SetPacketFilter(capture);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(
|
||||
client_, ssl_signed_cert_timestamp_xtn);
|
||||
|
||||
Connect();
|
||||
// So nothing will be sent.
|
||||
@ -204,9 +203,8 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionOverride) {
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
|
||||
// Capture it to see what we got.
|
||||
auto capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_signed_cert_timestamp_xtn);
|
||||
client_->SetPacketFilter(capture);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(
|
||||
client_, ssl_signed_cert_timestamp_xtn);
|
||||
|
||||
ConnectExpectAlert(server_, kTlsAlertDecodeError);
|
||||
|
||||
@ -246,8 +244,7 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionClientToServer) {
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
|
||||
// Capture it to see what we got.
|
||||
auto capture = std::make_shared<TlsExtensionCapture>(extension_code);
|
||||
client_->SetPacketFilter(capture);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(client_, extension_code);
|
||||
|
||||
// Handle it so that the handshake completes.
|
||||
rv = SSL_InstallExtensionHooks(server_->ssl_fd(), extension_code,
|
||||
@ -290,9 +287,8 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionServerToClientSH) {
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
|
||||
// Capture the extension from the ServerHello only and check it.
|
||||
auto capture = std::make_shared<TlsExtensionCapture>(extension_code);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(server_, extension_code);
|
||||
capture->SetHandshakeTypes({kTlsHandshakeServerHello});
|
||||
server_->SetPacketFilter(capture);
|
||||
|
||||
Connect();
|
||||
|
||||
@ -329,9 +325,9 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionServerToClientEE) {
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
|
||||
// Capture the extension from the EncryptedExtensions only and check it.
|
||||
auto capture = std::make_shared<TlsExtensionCapture>(extension_code);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(server_, extension_code);
|
||||
capture->SetHandshakeTypes({kTlsHandshakeEncryptedExtensions});
|
||||
server_->SetTlsRecordFilter(capture);
|
||||
capture->EnableDecryption();
|
||||
|
||||
Connect();
|
||||
|
||||
@ -350,8 +346,7 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionUnsolicitedServer) {
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
|
||||
// Capture it to see what we got.
|
||||
auto capture = std::make_shared<TlsExtensionCapture>(extension_code);
|
||||
server_->SetPacketFilter(capture);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(server_, extension_code);
|
||||
|
||||
client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
|
||||
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
||||
@ -500,4 +495,4 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionOverrunBuffer) {
|
||||
client_->CheckErrorCode(SEC_ERROR_APPLICATION_CALLBACK_ERROR);
|
||||
}
|
||||
|
||||
} // namespace "nss_test"
|
||||
} // namespace nss_test
|
||||
|
@ -50,19 +50,19 @@ TEST_F(TlsConnectTest, DamageSecretHandleServerFinished) {
|
||||
SSL_LIBRARY_VERSION_TLS_1_3);
|
||||
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
SSL_LIBRARY_VERSION_TLS_1_3);
|
||||
server_->SetPacketFilter(std::make_shared<AfterRecordN>(
|
||||
MakeTlsFilter<AfterRecordN>(
|
||||
server_, client_,
|
||||
0, // ServerHello.
|
||||
[this]() { SSLInt_DamageServerHsTrafficSecret(client_->ssl_fd()); }));
|
||||
[this]() { SSLInt_DamageServerHsTrafficSecret(client_->ssl_fd()); });
|
||||
ConnectExpectAlert(client_, kTlsAlertDecryptError);
|
||||
client_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectGenericPre13, DamageServerSignature) {
|
||||
EnsureTlsSetup();
|
||||
auto filter =
|
||||
std::make_shared<TlsLastByteDamager>(kTlsHandshakeServerKeyExchange);
|
||||
server_->SetTlsRecordFilter(filter);
|
||||
auto filter = MakeTlsFilter<TlsLastByteDamager>(
|
||||
server_, kTlsHandshakeServerKeyExchange);
|
||||
filter->EnableDecryption();
|
||||
ExpectAlert(client_, kTlsAlertDecryptError);
|
||||
ConnectExpectFail();
|
||||
client_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
|
||||
@ -71,9 +71,9 @@ TEST_P(TlsConnectGenericPre13, DamageServerSignature) {
|
||||
|
||||
TEST_P(TlsConnectTls13, DamageServerSignature) {
|
||||
EnsureTlsSetup();
|
||||
auto filter =
|
||||
std::make_shared<TlsLastByteDamager>(kTlsHandshakeCertificateVerify);
|
||||
server_->SetTlsRecordFilter(filter);
|
||||
auto filter = MakeTlsFilter<TlsLastByteDamager>(
|
||||
server_, kTlsHandshakeCertificateVerify);
|
||||
filter->EnableDecryption();
|
||||
ConnectExpectAlert(client_, kTlsAlertDecryptError);
|
||||
client_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
|
||||
}
|
||||
@ -82,9 +82,9 @@ TEST_P(TlsConnectGeneric, DamageClientSignature) {
|
||||
EnsureTlsSetup();
|
||||
client_->SetupClientAuth();
|
||||
server_->RequestClientAuth(true);
|
||||
auto filter =
|
||||
std::make_shared<TlsLastByteDamager>(kTlsHandshakeCertificateVerify);
|
||||
client_->SetTlsRecordFilter(filter);
|
||||
auto filter = MakeTlsFilter<TlsLastByteDamager>(
|
||||
client_, kTlsHandshakeCertificateVerify);
|
||||
filter->EnableDecryption();
|
||||
server_->ExpectSendAlert(kTlsAlertDecryptError);
|
||||
// Do these handshakes by hand to avoid race condition on
|
||||
// the client processing the server's alert.
|
||||
@ -100,4 +100,4 @@ TEST_P(TlsConnectGeneric, DamageClientSignature) {
|
||||
server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
|
||||
}
|
||||
|
||||
} // namespace nspr_test
|
||||
} // namespace nss_test
|
||||
|
@ -32,12 +32,12 @@ TEST_P(TlsConnectTls13, SharesForBothEcdheAndDhe) {
|
||||
client_->ConfigNamedGroups(kAllDHEGroups);
|
||||
|
||||
auto groups_capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_supported_groups_xtn);
|
||||
std::make_shared<TlsExtensionCapture>(client_, ssl_supported_groups_xtn);
|
||||
auto shares_capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn);
|
||||
std::make_shared<TlsExtensionCapture>(client_, ssl_tls13_key_share_xtn);
|
||||
std::vector<std::shared_ptr<PacketFilter>> captures = {groups_capture,
|
||||
shares_capture};
|
||||
client_->SetPacketFilter(std::make_shared<ChainedPacketFilter>(captures));
|
||||
client_->SetFilter(std::make_shared<ChainedPacketFilter>(captures));
|
||||
|
||||
Connect();
|
||||
|
||||
@ -61,12 +61,12 @@ TEST_P(TlsConnectGeneric, ConnectFfdheClient) {
|
||||
EnableOnlyDheCiphers();
|
||||
client_->SetOption(SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);
|
||||
auto groups_capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_supported_groups_xtn);
|
||||
std::make_shared<TlsExtensionCapture>(client_, ssl_supported_groups_xtn);
|
||||
auto shares_capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn);
|
||||
std::make_shared<TlsExtensionCapture>(client_, ssl_tls13_key_share_xtn);
|
||||
std::vector<std::shared_ptr<PacketFilter>> captures = {groups_capture,
|
||||
shares_capture};
|
||||
client_->SetPacketFilter(std::make_shared<ChainedPacketFilter>(captures));
|
||||
client_->SetFilter(std::make_shared<ChainedPacketFilter>(captures));
|
||||
|
||||
Connect();
|
||||
|
||||
@ -103,8 +103,8 @@ TEST_P(TlsConnectGenericPre13, ConnectFfdheServer) {
|
||||
|
||||
class TlsDheServerKeyExchangeDamager : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsDheServerKeyExchangeDamager()
|
||||
: TlsHandshakeFilter({kTlsHandshakeServerKeyExchange}) {}
|
||||
TlsDheServerKeyExchangeDamager(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}) {}
|
||||
virtual PacketFilter::Action FilterHandshake(
|
||||
const TlsHandshakeFilter::HandshakeHeader& header,
|
||||
const DataBuffer& input, DataBuffer* output) {
|
||||
@ -122,7 +122,7 @@ class TlsDheServerKeyExchangeDamager : public TlsHandshakeFilter {
|
||||
TEST_P(TlsConnectGenericPre13, DamageServerKeyShare) {
|
||||
EnableOnlyDheCiphers();
|
||||
client_->SetOption(SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);
|
||||
server_->SetPacketFilter(std::make_shared<TlsDheServerKeyExchangeDamager>());
|
||||
MakeTlsFilter<TlsDheServerKeyExchangeDamager>(server_);
|
||||
|
||||
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
|
||||
|
||||
@ -141,8 +141,9 @@ class TlsDheSkeChangeY : public TlsHandshakeFilter {
|
||||
kYZeroPad
|
||||
};
|
||||
|
||||
TlsDheSkeChangeY(uint8_t handshake_type, ChangeYTo change)
|
||||
: TlsHandshakeFilter({handshake_type}), change_Y_(change) {}
|
||||
TlsDheSkeChangeY(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint8_t handshake_type, ChangeYTo change)
|
||||
: TlsHandshakeFilter(agent, {handshake_type}), change_Y_(change) {}
|
||||
|
||||
protected:
|
||||
void ChangeY(const DataBuffer& input, DataBuffer* output, size_t offset,
|
||||
@ -207,8 +208,9 @@ class TlsDheSkeChangeY : public TlsHandshakeFilter {
|
||||
|
||||
class TlsDheSkeChangeYServer : public TlsDheSkeChangeY {
|
||||
public:
|
||||
TlsDheSkeChangeYServer(ChangeYTo change, bool modify)
|
||||
: TlsDheSkeChangeY(kTlsHandshakeServerKeyExchange, change),
|
||||
TlsDheSkeChangeYServer(const std::shared_ptr<TlsAgent>& agent,
|
||||
ChangeYTo change, bool modify)
|
||||
: TlsDheSkeChangeY(agent, kTlsHandshakeServerKeyExchange, change),
|
||||
modify_(modify),
|
||||
p_() {}
|
||||
|
||||
@ -245,9 +247,9 @@ class TlsDheSkeChangeYServer : public TlsDheSkeChangeY {
|
||||
class TlsDheSkeChangeYClient : public TlsDheSkeChangeY {
|
||||
public:
|
||||
TlsDheSkeChangeYClient(
|
||||
ChangeYTo change,
|
||||
const std::shared_ptr<TlsAgent>& agent, ChangeYTo change,
|
||||
std::shared_ptr<const TlsDheSkeChangeYServer> server_filter)
|
||||
: TlsDheSkeChangeY(kTlsHandshakeClientKeyExchange, change),
|
||||
: TlsDheSkeChangeY(agent, kTlsHandshakeClientKeyExchange, change),
|
||||
server_filter_(server_filter) {}
|
||||
|
||||
protected:
|
||||
@ -282,8 +284,7 @@ TEST_P(TlsDamageDHYTest, DamageServerY) {
|
||||
client_->SetOption(SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);
|
||||
}
|
||||
TlsDheSkeChangeY::ChangeYTo change = std::get<2>(GetParam());
|
||||
server_->SetPacketFilter(
|
||||
std::make_shared<TlsDheSkeChangeYServer>(change, true));
|
||||
MakeTlsFilter<TlsDheSkeChangeYServer>(server_, change, true);
|
||||
|
||||
if (change == TlsDheSkeChangeY::kYZeroPad) {
|
||||
ExpectAlert(client_, kTlsAlertDecryptError);
|
||||
@ -312,14 +313,12 @@ TEST_P(TlsDamageDHYTest, DamageClientY) {
|
||||
client_->SetOption(SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);
|
||||
}
|
||||
// The filter on the server is required to capture the prime.
|
||||
auto server_filter =
|
||||
std::make_shared<TlsDheSkeChangeYServer>(TlsDheSkeChangeY::kYZero, false);
|
||||
server_->SetPacketFilter(server_filter);
|
||||
auto server_filter = MakeTlsFilter<TlsDheSkeChangeYServer>(
|
||||
server_, TlsDheSkeChangeY::kYZero, false);
|
||||
|
||||
// The client filter does the damage.
|
||||
TlsDheSkeChangeY::ChangeYTo change = std::get<2>(GetParam());
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsDheSkeChangeYClient>(change, server_filter));
|
||||
MakeTlsFilter<TlsDheSkeChangeYClient>(client_, change, server_filter);
|
||||
|
||||
if (change == TlsDheSkeChangeY::kYZeroPad) {
|
||||
ExpectAlert(server_, kTlsAlertDecryptError);
|
||||
@ -358,7 +357,9 @@ INSTANTIATE_TEST_CASE_P(
|
||||
|
||||
class TlsDheSkeMakePEven : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsDheSkeMakePEven() : TlsHandshakeFilter({kTlsHandshakeServerKeyExchange}) {}
|
||||
TlsDheSkeMakePEven(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}) {}
|
||||
|
||||
virtual PacketFilter::Action FilterHandshake(
|
||||
const TlsHandshakeFilter::HandshakeHeader& header,
|
||||
const DataBuffer& input, DataBuffer* output) {
|
||||
@ -379,7 +380,7 @@ class TlsDheSkeMakePEven : public TlsHandshakeFilter {
|
||||
// Even without requiring named groups, an even value for p is bad news.
|
||||
TEST_P(TlsConnectGenericPre13, MakeDhePEven) {
|
||||
EnableOnlyDheCiphers();
|
||||
server_->SetPacketFilter(std::make_shared<TlsDheSkeMakePEven>());
|
||||
MakeTlsFilter<TlsDheSkeMakePEven>(server_);
|
||||
|
||||
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
|
||||
|
||||
@ -389,7 +390,9 @@ TEST_P(TlsConnectGenericPre13, MakeDhePEven) {
|
||||
|
||||
class TlsDheSkeZeroPadP : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsDheSkeZeroPadP() : TlsHandshakeFilter({kTlsHandshakeServerKeyExchange}) {}
|
||||
TlsDheSkeZeroPadP(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}) {}
|
||||
|
||||
virtual PacketFilter::Action FilterHandshake(
|
||||
const TlsHandshakeFilter::HandshakeHeader& header,
|
||||
const DataBuffer& input, DataBuffer* output) {
|
||||
@ -407,7 +410,7 @@ class TlsDheSkeZeroPadP : public TlsHandshakeFilter {
|
||||
// Zero padding only causes signature failure.
|
||||
TEST_P(TlsConnectGenericPre13, PadDheP) {
|
||||
EnableOnlyDheCiphers();
|
||||
server_->SetPacketFilter(std::make_shared<TlsDheSkeZeroPadP>());
|
||||
MakeTlsFilter<TlsDheSkeZeroPadP>(server_);
|
||||
|
||||
ConnectExpectAlert(client_, kTlsAlertDecryptError);
|
||||
|
||||
@ -530,11 +533,9 @@ TEST_P(TlsConnectTls13, ResumeFfdhe) {
|
||||
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
||||
EnableOnlyDheCiphers();
|
||||
auto clientCapture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_pre_shared_key_xtn);
|
||||
client_->SetPacketFilter(clientCapture);
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn);
|
||||
auto serverCapture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_pre_shared_key_xtn);
|
||||
server_->SetPacketFilter(serverCapture);
|
||||
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_pre_shared_key_xtn);
|
||||
ExpectResumption(RESUME_TICKET);
|
||||
Connect();
|
||||
CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_2048, ssl_auth_rsa_sign,
|
||||
@ -545,8 +546,9 @@ TEST_P(TlsConnectTls13, ResumeFfdhe) {
|
||||
|
||||
class TlsDheSkeChangeSignature : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsDheSkeChangeSignature(uint16_t version, const uint8_t* data, size_t len)
|
||||
: TlsHandshakeFilter({kTlsHandshakeServerKeyExchange}),
|
||||
TlsDheSkeChangeSignature(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint16_t version, const uint8_t* data, size_t len)
|
||||
: TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}),
|
||||
version_(version),
|
||||
data_(data),
|
||||
len_(len) {}
|
||||
@ -595,8 +597,8 @@ TEST_P(TlsConnectGenericPre13, InvalidDERSignatureFfdhe) {
|
||||
const std::vector<SSLNamedGroup> client_groups = {ssl_grp_ffdhe_2048};
|
||||
client_->ConfigNamedGroups(client_groups);
|
||||
|
||||
server_->SetPacketFilter(std::make_shared<TlsDheSkeChangeSignature>(
|
||||
version_, kBogusDheSignature, sizeof(kBogusDheSignature)));
|
||||
MakeTlsFilter<TlsDheSkeChangeSignature>(server_, version_, kBogusDheSignature,
|
||||
sizeof(kBogusDheSignature));
|
||||
|
||||
ConnectExpectAlert(client_, kTlsAlertDecryptError);
|
||||
client_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
|
||||
|
@ -22,13 +22,13 @@ extern "C" {
|
||||
namespace nss_test {
|
||||
|
||||
TEST_P(TlsConnectDatagramPre13, DropClientFirstFlightOnce) {
|
||||
client_->SetPacketFilter(std::make_shared<SelectiveDropFilter>(0x1));
|
||||
client_->SetFilter(std::make_shared<SelectiveDropFilter>(0x1));
|
||||
Connect();
|
||||
SendReceive();
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectDatagramPre13, DropServerFirstFlightOnce) {
|
||||
server_->SetPacketFilter(std::make_shared<SelectiveDropFilter>(0x1));
|
||||
server_->SetFilter(std::make_shared<SelectiveDropFilter>(0x1));
|
||||
Connect();
|
||||
SendReceive();
|
||||
}
|
||||
@ -37,32 +37,32 @@ TEST_P(TlsConnectDatagramPre13, DropServerFirstFlightOnce) {
|
||||
// flights that they send. Note: In DTLS 1.3, the shorter handshake means that
|
||||
// this will also drop some application data, so we can't call SendReceive().
|
||||
TEST_P(TlsConnectDatagramPre13, DropAllFirstTransmissions) {
|
||||
client_->SetPacketFilter(std::make_shared<SelectiveDropFilter>(0x15));
|
||||
server_->SetPacketFilter(std::make_shared<SelectiveDropFilter>(0x5));
|
||||
client_->SetFilter(std::make_shared<SelectiveDropFilter>(0x15));
|
||||
server_->SetFilter(std::make_shared<SelectiveDropFilter>(0x5));
|
||||
Connect();
|
||||
}
|
||||
|
||||
// This drops the server's first flight three times.
|
||||
TEST_P(TlsConnectDatagramPre13, DropServerFirstFlightThrice) {
|
||||
server_->SetPacketFilter(std::make_shared<SelectiveDropFilter>(0x7));
|
||||
server_->SetFilter(std::make_shared<SelectiveDropFilter>(0x7));
|
||||
Connect();
|
||||
}
|
||||
|
||||
// This drops the client's second flight once
|
||||
TEST_P(TlsConnectDatagramPre13, DropClientSecondFlightOnce) {
|
||||
client_->SetPacketFilter(std::make_shared<SelectiveDropFilter>(0x2));
|
||||
client_->SetFilter(std::make_shared<SelectiveDropFilter>(0x2));
|
||||
Connect();
|
||||
}
|
||||
|
||||
// This drops the client's second flight three times.
|
||||
TEST_P(TlsConnectDatagramPre13, DropClientSecondFlightThrice) {
|
||||
client_->SetPacketFilter(std::make_shared<SelectiveDropFilter>(0xe));
|
||||
client_->SetFilter(std::make_shared<SelectiveDropFilter>(0xe));
|
||||
Connect();
|
||||
}
|
||||
|
||||
// This drops the server's second flight three times.
|
||||
TEST_P(TlsConnectDatagramPre13, DropServerSecondFlightThrice) {
|
||||
server_->SetPacketFilter(std::make_shared<SelectiveDropFilter>(0xe));
|
||||
server_->SetFilter(std::make_shared<SelectiveDropFilter>(0xe));
|
||||
Connect();
|
||||
}
|
||||
|
||||
@ -74,7 +74,7 @@ class TlsDropDatagram13 : public TlsConnectDatagram13 {
|
||||
expected_client_acks_(0),
|
||||
expected_server_acks_(1) {}
|
||||
|
||||
void SetUp() {
|
||||
void SetUp() override {
|
||||
TlsConnectDatagram13::SetUp();
|
||||
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
|
||||
SetFilters();
|
||||
@ -82,12 +82,8 @@ class TlsDropDatagram13 : public TlsConnectDatagram13 {
|
||||
|
||||
void SetFilters() {
|
||||
EnsureTlsSetup();
|
||||
client_->SetPacketFilter(client_filters_.chain_);
|
||||
client_filters_.ack_->SetAgent(client_.get());
|
||||
client_filters_.ack_->EnableDecryption();
|
||||
server_->SetPacketFilter(server_filters_.chain_);
|
||||
server_filters_.ack_->SetAgent(server_.get());
|
||||
server_filters_.ack_->EnableDecryption();
|
||||
client_filters_.Init(client_);
|
||||
server_filters_.Init(server_);
|
||||
}
|
||||
|
||||
void HandshakeAndAck(const std::shared_ptr<TlsAgent>& agent) {
|
||||
@ -119,11 +115,17 @@ class TlsDropDatagram13 : public TlsConnectDatagram13 {
|
||||
class DropAckChain {
|
||||
public:
|
||||
DropAckChain()
|
||||
: records_(std::make_shared<TlsRecordRecorder>()),
|
||||
ack_(std::make_shared<TlsRecordRecorder>(content_ack)),
|
||||
drop_(std::make_shared<SelectiveRecordDropFilter>(0, false)),
|
||||
chain_(std::make_shared<ChainedPacketFilter>(
|
||||
ChainedPacketFilterInit({records_, ack_, drop_}))) {}
|
||||
: records_(nullptr), ack_(nullptr), drop_(nullptr), chain_(nullptr) {}
|
||||
|
||||
void Init(const std::shared_ptr<TlsAgent>& agent) {
|
||||
records_ = std::make_shared<TlsRecordRecorder>(agent);
|
||||
ack_ = std::make_shared<TlsRecordRecorder>(agent, content_ack);
|
||||
ack_->EnableDecryption();
|
||||
drop_ = std::make_shared<SelectiveRecordDropFilter>(agent, 0, false);
|
||||
chain_ = std::make_shared<ChainedPacketFilter>(
|
||||
ChainedPacketFilterInit({records_, ack_, drop_}));
|
||||
agent->SetFilter(chain_);
|
||||
}
|
||||
|
||||
const TlsRecord& record(size_t i) const { return records_->record(i); }
|
||||
|
||||
@ -227,7 +229,7 @@ TEST_F(TlsDropDatagram13, DropServerSecondRecordOnce) {
|
||||
HandshakeAndAck(client_);
|
||||
expected_client_acks_ = 1;
|
||||
CheckedHandshakeSendReceive();
|
||||
CheckAcks(client_filters_, 0, {0});
|
||||
CheckAcks(client_filters_, 0, {0}); // ServerHello
|
||||
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
|
||||
}
|
||||
|
||||
@ -257,7 +259,7 @@ TEST_F(TlsDropDatagram13, DropServerAckOnce) {
|
||||
CheckPostHandshake();
|
||||
// There should be two copies of the finished ACK
|
||||
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
|
||||
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
|
||||
CheckAcks(server_filters_, 1, {0x0002000000000000ULL});
|
||||
}
|
||||
|
||||
// Drop the client certificate verify.
|
||||
@ -276,10 +278,9 @@ TEST_F(TlsDropDatagram13, DropClientCertVerify) {
|
||||
// Ack of the whole client handshake.
|
||||
CheckAcks(
|
||||
server_filters_, 1,
|
||||
{0x0002000000000000ULL, // CH (we drop everything after this on client)
|
||||
0x0002000000000003ULL, // CT (2)
|
||||
0x0002000000000004ULL} // FIN (2)
|
||||
);
|
||||
{0x0002000000000000ULL, // CH (we drop everything after this on client)
|
||||
0x0002000000000003ULL, // CT (2)
|
||||
0x0002000000000004ULL}); // FIN (2)
|
||||
}
|
||||
|
||||
// Shrink the MTU down so that certs get split and drop the first piece.
|
||||
@ -303,10 +304,9 @@ TEST_F(TlsDropDatagram13, DropFirstHalfOfServerCertificate) {
|
||||
EXPECT_EQ(ct1_size, server_filters_.record(0).buffer.len());
|
||||
CheckedHandshakeSendReceive();
|
||||
CheckAcks(client_filters_, 0,
|
||||
{0, // SH
|
||||
0x0002000000000000ULL, // EE
|
||||
0x0002000000000002ULL} // CT2
|
||||
);
|
||||
{0, // SH
|
||||
0x0002000000000000ULL, // EE
|
||||
0x0002000000000002ULL}); // CT2
|
||||
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
|
||||
}
|
||||
|
||||
@ -540,7 +540,10 @@ TEST_F(TlsDropDatagram13, NoDropsDuringZeroRtt) {
|
||||
ExpectEarlyDataAccepted(true);
|
||||
CheckConnected();
|
||||
SendReceive();
|
||||
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
|
||||
EXPECT_EQ(0U, client_filters_.ack_->count());
|
||||
CheckAcks(server_filters_, 0,
|
||||
{0x0001000000000001ULL, // EOED
|
||||
0x0002000000000000ULL}); // Finished
|
||||
}
|
||||
|
||||
TEST_F(TlsDropDatagram13, DropEEDuringZeroRtt) {
|
||||
@ -558,7 +561,9 @@ TEST_F(TlsDropDatagram13, DropEEDuringZeroRtt) {
|
||||
CheckConnected();
|
||||
SendReceive();
|
||||
CheckAcks(client_filters_, 0, {0});
|
||||
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
|
||||
CheckAcks(server_filters_, 0,
|
||||
{0x0001000000000002ULL, // EOED
|
||||
0x0002000000000000ULL}); // Finished
|
||||
}
|
||||
|
||||
class TlsReorderDatagram13 : public TlsDropDatagram13 {
|
||||
@ -688,6 +693,7 @@ TEST_F(TlsDropDatagram13, SendOutOfOrderHsNonsenseWithHandshakeKey) {
|
||||
kTlsHandshakeType, DataBuffer(buf, sizeof(buf))));
|
||||
server_->Handshake();
|
||||
EXPECT_EQ(2UL, server_filters_.ack_->count());
|
||||
// The server acknowledges client Finished twice.
|
||||
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
|
||||
CheckAcks(server_filters_, 1, {0x0002000000000000ULL});
|
||||
}
|
||||
@ -746,7 +752,9 @@ TEST_F(TlsReorderDatagram13, DataAfterEOEDDuringZeroRtt) {
|
||||
ReSend(TlsAgent::CLIENT, std::vector<size_t>({1, 0, 2}));
|
||||
server_->Handshake();
|
||||
CheckConnected();
|
||||
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
|
||||
EXPECT_EQ(0U, client_filters_.ack_->count());
|
||||
// Acknowledgements for EOED and Finished.
|
||||
CheckAcks(server_filters_, 0, {0x0001000000000002ULL, 0x0002000000000000ULL});
|
||||
uint8_t buf[8];
|
||||
rv = PR_Read(server_->ssl_fd(), buf, sizeof(buf));
|
||||
EXPECT_EQ(-1, rv);
|
||||
@ -783,7 +791,9 @@ TEST_F(TlsReorderDatagram13, DataAfterFinDuringZeroRtt) {
|
||||
ReSend(TlsAgent::CLIENT, std::vector<size_t>({1, 2, 0}));
|
||||
server_->Handshake();
|
||||
CheckConnected();
|
||||
CheckAcks(server_filters_, 0, {0x0002000000000000ULL});
|
||||
EXPECT_EQ(0U, client_filters_.ack_->count());
|
||||
// Acknowledgements for EOED and Finished.
|
||||
CheckAcks(server_filters_, 0, {0x0001000000000002ULL, 0x0002000000000000ULL});
|
||||
uint8_t buf[8];
|
||||
rv = PR_Read(server_->ssl_fd(), buf, sizeof(buf));
|
||||
EXPECT_EQ(-1, rv);
|
||||
|
@ -75,9 +75,8 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
|
||||
// This causes a HelloRetryRequest in TLS 1.3. Earlier versions don't care.
|
||||
TEST_P(TlsConnectGeneric, ConnectEcdheP384Server) {
|
||||
EnsureTlsSetup();
|
||||
auto hrr_capture = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeHelloRetryRequest);
|
||||
server_->SetPacketFilter(hrr_capture);
|
||||
auto hrr_capture = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
server_, kTlsHandshakeHelloRetryRequest);
|
||||
const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1};
|
||||
server_->ConfigNamedGroups(groups);
|
||||
Connect();
|
||||
@ -193,8 +192,8 @@ TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {
|
||||
|
||||
class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsKeyExchangeGroupCapture()
|
||||
: TlsHandshakeFilter({kTlsHandshakeServerKeyExchange}),
|
||||
TlsKeyExchangeGroupCapture(const std::shared_ptr<TlsAgent> &agent)
|
||||
: TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}),
|
||||
group_(ssl_grp_none) {}
|
||||
|
||||
SSLNamedGroup group() const { return group_; }
|
||||
@ -221,10 +220,8 @@ class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter {
|
||||
// P-256 is supported by the client (<= 1.2 only).
|
||||
TEST_P(TlsConnectGenericPre13, DropSupportedGroupExtensionP256) {
|
||||
EnsureTlsSetup();
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsExtensionDropper>(ssl_supported_groups_xtn));
|
||||
auto group_capture = std::make_shared<TlsKeyExchangeGroupCapture>();
|
||||
server_->SetPacketFilter(group_capture);
|
||||
MakeTlsFilter<TlsExtensionDropper>(client_, ssl_supported_groups_xtn);
|
||||
auto group_capture = MakeTlsFilter<TlsKeyExchangeGroupCapture>(server_);
|
||||
|
||||
ConnectExpectAlert(server_, kTlsAlertDecryptError);
|
||||
client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
|
||||
@ -236,8 +233,7 @@ TEST_P(TlsConnectGenericPre13, DropSupportedGroupExtensionP256) {
|
||||
// Supported groups is mandatory in TLS 1.3.
|
||||
TEST_P(TlsConnectTls13, DropSupportedGroupExtension) {
|
||||
EnsureTlsSetup();
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsExtensionDropper>(ssl_supported_groups_xtn));
|
||||
MakeTlsFilter<TlsExtensionDropper>(client_, ssl_supported_groups_xtn);
|
||||
ConnectExpectAlert(server_, kTlsAlertMissingExtension);
|
||||
client_->CheckErrorCode(SSL_ERROR_MISSING_EXTENSION_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION);
|
||||
@ -516,7 +512,8 @@ TEST_P(TlsKeyExchangeTest13, MultipleClientShares) {
|
||||
// Replace the point in the client key exchange message with an empty one
|
||||
class ECCClientKEXFilter : public TlsHandshakeFilter {
|
||||
public:
|
||||
ECCClientKEXFilter() : TlsHandshakeFilter({kTlsHandshakeClientKeyExchange}) {}
|
||||
ECCClientKEXFilter(const std::shared_ptr<TlsAgent> &client)
|
||||
: TlsHandshakeFilter(client, {kTlsHandshakeClientKeyExchange}) {}
|
||||
|
||||
protected:
|
||||
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader &header,
|
||||
@ -532,7 +529,8 @@ class ECCClientKEXFilter : public TlsHandshakeFilter {
|
||||
// Replace the point in the server key exchange message with an empty one
|
||||
class ECCServerKEXFilter : public TlsHandshakeFilter {
|
||||
public:
|
||||
ECCServerKEXFilter() : TlsHandshakeFilter({kTlsHandshakeServerKeyExchange}) {}
|
||||
ECCServerKEXFilter(const std::shared_ptr<TlsAgent> &server)
|
||||
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}) {}
|
||||
|
||||
protected:
|
||||
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader &header,
|
||||
@ -550,15 +548,13 @@ class ECCServerKEXFilter : public TlsHandshakeFilter {
|
||||
};
|
||||
|
||||
TEST_P(TlsConnectGenericPre13, ConnectECDHEmptyServerPoint) {
|
||||
// add packet filter
|
||||
server_->SetPacketFilter(std::make_shared<ECCServerKEXFilter>());
|
||||
MakeTlsFilter<ECCServerKEXFilter>(server_);
|
||||
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH);
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectGenericPre13, ConnectECDHEmptyClientPoint) {
|
||||
// add packet filter
|
||||
client_->SetPacketFilter(std::make_shared<ECCClientKEXFilter>());
|
||||
MakeTlsFilter<ECCClientKEXFilter>(client_);
|
||||
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
|
||||
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH);
|
||||
}
|
||||
|
@ -19,8 +19,9 @@ namespace nss_test {
|
||||
|
||||
class TlsExtensionTruncator : public TlsExtensionFilter {
|
||||
public:
|
||||
TlsExtensionTruncator(uint16_t extension, size_t length)
|
||||
: extension_(extension), length_(length) {}
|
||||
TlsExtensionTruncator(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint16_t extension, size_t length)
|
||||
: TlsExtensionFilter(agent), extension_(extension), length_(length) {}
|
||||
virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
|
||||
const DataBuffer& input,
|
||||
DataBuffer* output) {
|
||||
@ -42,8 +43,9 @@ class TlsExtensionTruncator : public TlsExtensionFilter {
|
||||
|
||||
class TlsExtensionDamager : public TlsExtensionFilter {
|
||||
public:
|
||||
TlsExtensionDamager(uint16_t extension, size_t index)
|
||||
: extension_(extension), index_(index) {}
|
||||
TlsExtensionDamager(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint16_t extension, size_t index)
|
||||
: TlsExtensionFilter(agent), extension_(extension), index_(index) {}
|
||||
virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
|
||||
const DataBuffer& input,
|
||||
DataBuffer* output) {
|
||||
@ -63,8 +65,11 @@ class TlsExtensionDamager : public TlsExtensionFilter {
|
||||
|
||||
class TlsExtensionAppender : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsExtensionAppender(uint8_t handshake_type, uint16_t ext, DataBuffer& data)
|
||||
: TlsHandshakeFilter({handshake_type}), extension_(ext), data_(data) {}
|
||||
TlsExtensionAppender(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint8_t handshake_type, uint16_t ext, DataBuffer& data)
|
||||
: TlsHandshakeFilter(agent, {handshake_type}),
|
||||
extension_(ext),
|
||||
data_(data) {}
|
||||
|
||||
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
|
||||
const DataBuffer& input,
|
||||
@ -124,13 +129,13 @@ class TlsExtensionTestBase : public TlsConnectTestBase {
|
||||
|
||||
void ClientHelloErrorTest(std::shared_ptr<PacketFilter> filter,
|
||||
uint8_t desc = kTlsAlertDecodeError) {
|
||||
client_->SetPacketFilter(filter);
|
||||
client_->SetFilter(filter);
|
||||
ConnectExpectAlert(server_, desc);
|
||||
}
|
||||
|
||||
void ServerHelloErrorTest(std::shared_ptr<PacketFilter> filter,
|
||||
uint8_t desc = kTlsAlertDecodeError) {
|
||||
server_->SetPacketFilter(filter);
|
||||
server_->SetFilter(filter);
|
||||
ConnectExpectAlert(client_, desc);
|
||||
}
|
||||
|
||||
@ -156,7 +161,7 @@ class TlsExtensionTestBase : public TlsConnectTestBase {
|
||||
StartConnect();
|
||||
client_->Handshake(); // Send ClientHello
|
||||
server_->Handshake(); // Send HRR.
|
||||
client_->SetPacketFilter(std::make_shared<TlsExtensionDropper>(type));
|
||||
MakeTlsFilter<TlsExtensionDropper>(client_, type);
|
||||
Handshake();
|
||||
client_->CheckErrorCode(client_error);
|
||||
server_->CheckErrorCode(server_error);
|
||||
@ -197,8 +202,8 @@ class TlsExtensionTest13
|
||||
|
||||
void ConnectWithBogusVersionList(const uint8_t* buf, size_t len) {
|
||||
DataBuffer versions_buf(buf, len);
|
||||
client_->SetPacketFilter(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_tls13_supported_versions_xtn, versions_buf));
|
||||
MakeTlsFilter<TlsExtensionReplacer>(
|
||||
client_, ssl_tls13_supported_versions_xtn, versions_buf);
|
||||
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
|
||||
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
|
||||
@ -209,8 +214,8 @@ class TlsExtensionTest13
|
||||
|
||||
size_t index = versions_buf.Write(0, 2, 1);
|
||||
versions_buf.Write(index, version, 2);
|
||||
client_->SetPacketFilter(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_tls13_supported_versions_xtn, versions_buf));
|
||||
MakeTlsFilter<TlsExtensionReplacer>(
|
||||
client_, ssl_tls13_supported_versions_xtn, versions_buf);
|
||||
ConnectExpectFail();
|
||||
}
|
||||
};
|
||||
@ -241,26 +246,26 @@ class TlsExtensionTestPre13 : public TlsExtensionTestBase,
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, DamageSniLength) {
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionDamager>(ssl_server_name_xtn, 1));
|
||||
std::make_shared<TlsExtensionDamager>(client_, ssl_server_name_xtn, 1));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, DamageSniHostLength) {
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionDamager>(ssl_server_name_xtn, 4));
|
||||
std::make_shared<TlsExtensionDamager>(client_, ssl_server_name_xtn, 4));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, TruncateSni) {
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionTruncator>(ssl_server_name_xtn, 7));
|
||||
std::make_shared<TlsExtensionTruncator>(client_, ssl_server_name_xtn, 7));
|
||||
}
|
||||
|
||||
// A valid extension that appears twice will be reported as unsupported.
|
||||
TEST_P(TlsExtensionTestGeneric, RepeatSni) {
|
||||
DataBuffer extension;
|
||||
InitSimpleSni(&extension);
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionInjector>(ssl_server_name_xtn, extension),
|
||||
kTlsAlertIllegalParameter);
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionInjector>(
|
||||
client_, ssl_server_name_xtn, extension),
|
||||
kTlsAlertIllegalParameter);
|
||||
}
|
||||
|
||||
// An SNI entry with zero length is considered invalid (strangely, not if it is
|
||||
@ -272,23 +277,23 @@ TEST_P(TlsExtensionTestGeneric, BadSni) {
|
||||
extension.Allocate(simple.len() + 3);
|
||||
extension.Write(0, static_cast<uint32_t>(0), 3);
|
||||
extension.Write(3, simple);
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionReplacer>(ssl_server_name_xtn, extension));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
client_, ssl_server_name_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, EmptySni) {
|
||||
DataBuffer extension;
|
||||
extension.Allocate(2);
|
||||
extension.Write(0, static_cast<uint32_t>(0), 2);
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionReplacer>(ssl_server_name_xtn, extension));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
client_, ssl_server_name_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, EmptyAlpnExtension) {
|
||||
EnableAlpn();
|
||||
DataBuffer extension;
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_app_layer_protocol_xtn, extension),
|
||||
client_, ssl_app_layer_protocol_xtn, extension),
|
||||
kTlsAlertIllegalParameter);
|
||||
}
|
||||
|
||||
@ -299,21 +304,21 @@ TEST_P(TlsExtensionTestGeneric, EmptyAlpnList) {
|
||||
const uint8_t val[] = {0x00, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_app_layer_protocol_xtn, extension),
|
||||
client_, ssl_app_layer_protocol_xtn, extension),
|
||||
kTlsAlertNoApplicationProtocol);
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, OneByteAlpn) {
|
||||
EnableAlpn();
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionTruncator>(ssl_app_layer_protocol_xtn, 1));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionTruncator>(
|
||||
client_, ssl_app_layer_protocol_xtn, 1));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, AlpnMissingValue) {
|
||||
EnableAlpn();
|
||||
// This will leave the length of the second entry, but no value.
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionTruncator>(ssl_app_layer_protocol_xtn, 5));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionTruncator>(
|
||||
client_, ssl_app_layer_protocol_xtn, 5));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, AlpnZeroLength) {
|
||||
@ -321,7 +326,7 @@ TEST_P(TlsExtensionTestGeneric, AlpnZeroLength) {
|
||||
const uint8_t val[] = {0x01, 0x61, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_app_layer_protocol_xtn, extension));
|
||||
client_, ssl_app_layer_protocol_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, AlpnMismatch) {
|
||||
@ -340,7 +345,7 @@ TEST_P(TlsExtensionTestPre13, AlpnReturnedEmptyList) {
|
||||
const uint8_t val[] = {0x00, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ServerHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_app_layer_protocol_xtn, extension));
|
||||
server_, ssl_app_layer_protocol_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, AlpnReturnedEmptyName) {
|
||||
@ -348,7 +353,7 @@ TEST_P(TlsExtensionTestPre13, AlpnReturnedEmptyName) {
|
||||
const uint8_t val[] = {0x00, 0x01, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ServerHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_app_layer_protocol_xtn, extension));
|
||||
server_, ssl_app_layer_protocol_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, AlpnReturnedListTrailingData) {
|
||||
@ -356,7 +361,7 @@ TEST_P(TlsExtensionTestPre13, AlpnReturnedListTrailingData) {
|
||||
const uint8_t val[] = {0x00, 0x02, 0x01, 0x61, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ServerHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_app_layer_protocol_xtn, extension));
|
||||
server_, ssl_app_layer_protocol_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, AlpnReturnedExtraEntry) {
|
||||
@ -364,7 +369,7 @@ TEST_P(TlsExtensionTestPre13, AlpnReturnedExtraEntry) {
|
||||
const uint8_t val[] = {0x00, 0x04, 0x01, 0x61, 0x01, 0x62};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ServerHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_app_layer_protocol_xtn, extension));
|
||||
server_, ssl_app_layer_protocol_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, AlpnReturnedBadListLength) {
|
||||
@ -372,7 +377,7 @@ TEST_P(TlsExtensionTestPre13, AlpnReturnedBadListLength) {
|
||||
const uint8_t val[] = {0x00, 0x99, 0x01, 0x61, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ServerHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_app_layer_protocol_xtn, extension));
|
||||
server_, ssl_app_layer_protocol_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, AlpnReturnedBadNameLength) {
|
||||
@ -380,7 +385,7 @@ TEST_P(TlsExtensionTestPre13, AlpnReturnedBadNameLength) {
|
||||
const uint8_t val[] = {0x00, 0x02, 0x99, 0x61};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ServerHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_app_layer_protocol_xtn, extension));
|
||||
server_, ssl_app_layer_protocol_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, AlpnReturnedUnknownName) {
|
||||
@ -388,43 +393,43 @@ TEST_P(TlsExtensionTestPre13, AlpnReturnedUnknownName) {
|
||||
const uint8_t val[] = {0x00, 0x02, 0x01, 0x67};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ServerHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_app_layer_protocol_xtn, extension),
|
||||
server_, ssl_app_layer_protocol_xtn, extension),
|
||||
kTlsAlertIllegalParameter);
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestDtls, SrtpShort) {
|
||||
EnableSrtp();
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionTruncator>(ssl_use_srtp_xtn, 3));
|
||||
std::make_shared<TlsExtensionTruncator>(client_, ssl_use_srtp_xtn, 3));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestDtls, SrtpOdd) {
|
||||
EnableSrtp();
|
||||
const uint8_t val[] = {0x00, 0x01, 0xff, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionReplacer>(ssl_use_srtp_xtn, extension));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
client_, ssl_use_srtp_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsBadLength) {
|
||||
const uint8_t val[] = {0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_signature_algorithms_xtn, extension));
|
||||
client_, ssl_signature_algorithms_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsTrailingData) {
|
||||
const uint8_t val[] = {0x00, 0x02, 0x04, 0x01, 0x00}; // sha-256, rsa
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_signature_algorithms_xtn, extension));
|
||||
client_, ssl_signature_algorithms_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsEmpty) {
|
||||
const uint8_t val[] = {0x00, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_signature_algorithms_xtn, extension),
|
||||
client_, ssl_signature_algorithms_xtn, extension),
|
||||
kTlsAlertHandshakeFailure);
|
||||
}
|
||||
|
||||
@ -432,7 +437,7 @@ TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsNoOverlap) {
|
||||
const uint8_t val[] = {0x00, 0x02, 0xff, 0xff};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_signature_algorithms_xtn, extension),
|
||||
client_, ssl_signature_algorithms_xtn, extension),
|
||||
kTlsAlertHandshakeFailure);
|
||||
}
|
||||
|
||||
@ -440,12 +445,12 @@ TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsOddLength) {
|
||||
const uint8_t val[] = {0x00, 0x01, 0x04};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_signature_algorithms_xtn, extension));
|
||||
client_, ssl_signature_algorithms_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, NoSupportedGroups) {
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionDropper>(ssl_supported_groups_xtn),
|
||||
std::make_shared<TlsExtensionDropper>(client_, ssl_supported_groups_xtn),
|
||||
version_ < SSL_LIBRARY_VERSION_TLS_1_3 ? kTlsAlertDecryptError
|
||||
: kTlsAlertMissingExtension);
|
||||
}
|
||||
@ -454,63 +459,63 @@ TEST_P(TlsExtensionTestGeneric, SupportedCurvesShort) {
|
||||
const uint8_t val[] = {0x00, 0x01, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_elliptic_curves_xtn, extension));
|
||||
client_, ssl_elliptic_curves_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, SupportedCurvesBadLength) {
|
||||
const uint8_t val[] = {0x09, 0x99, 0x00, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_elliptic_curves_xtn, extension));
|
||||
client_, ssl_elliptic_curves_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestGeneric, SupportedCurvesTrailingData) {
|
||||
const uint8_t val[] = {0x00, 0x02, 0x00, 0x00, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_elliptic_curves_xtn, extension));
|
||||
client_, ssl_elliptic_curves_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, SupportedPointsEmpty) {
|
||||
const uint8_t val[] = {0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_ec_point_formats_xtn, extension));
|
||||
client_, ssl_ec_point_formats_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, SupportedPointsBadLength) {
|
||||
const uint8_t val[] = {0x99, 0x00, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_ec_point_formats_xtn, extension));
|
||||
client_, ssl_ec_point_formats_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, SupportedPointsTrailingData) {
|
||||
const uint8_t val[] = {0x01, 0x00, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_ec_point_formats_xtn, extension));
|
||||
client_, ssl_ec_point_formats_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, RenegotiationInfoBadLength) {
|
||||
const uint8_t val[] = {0x99};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_renegotiation_info_xtn, extension));
|
||||
client_, ssl_renegotiation_info_xtn, extension));
|
||||
}
|
||||
|
||||
TEST_P(TlsExtensionTestPre13, RenegotiationInfoMismatch) {
|
||||
const uint8_t val[] = {0x01, 0x00};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_renegotiation_info_xtn, extension));
|
||||
client_, ssl_renegotiation_info_xtn, extension));
|
||||
}
|
||||
|
||||
// The extension has to contain a length.
|
||||
TEST_P(TlsExtensionTestPre13, RenegotiationInfoExtensionEmpty) {
|
||||
DataBuffer extension;
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_renegotiation_info_xtn, extension));
|
||||
client_, ssl_renegotiation_info_xtn, extension));
|
||||
}
|
||||
|
||||
// This only works on TLS 1.2, since it relies on static RSA; otherwise libssl
|
||||
@ -520,9 +525,8 @@ TEST_P(TlsExtensionTest12, SignatureAlgorithmConfiguration) {
|
||||
ssl_sig_rsa_pss_rsae_sha384};
|
||||
|
||||
auto capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_signature_algorithms_xtn);
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_signature_algorithms_xtn);
|
||||
client_->SetSignatureSchemes(schemes, PR_ARRAY_SIZE(schemes));
|
||||
client_->SetPacketFilter(capture);
|
||||
EnableOnlyStaticRsaCiphers();
|
||||
Connect();
|
||||
|
||||
@ -540,9 +544,9 @@ TEST_P(TlsExtensionTest12, SignatureAlgorithmConfiguration) {
|
||||
// Temporary test to verify that we choke on an empty ClientKeyShare.
|
||||
// This test will fail when we implement HelloRetryRequest.
|
||||
TEST_P(TlsExtensionTest13, EmptyClientKeyShare) {
|
||||
ClientHelloErrorTest(
|
||||
std::make_shared<TlsExtensionTruncator>(ssl_tls13_key_share_xtn, 2),
|
||||
kTlsAlertHandshakeFailure);
|
||||
ClientHelloErrorTest(std::make_shared<TlsExtensionTruncator>(
|
||||
client_, ssl_tls13_key_share_xtn, 2),
|
||||
kTlsAlertHandshakeFailure);
|
||||
}
|
||||
|
||||
// These tests only work in stream mode because the client sends a
|
||||
@ -551,8 +555,7 @@ TEST_P(TlsExtensionTest13, EmptyClientKeyShare) {
|
||||
// packet gets dropped.
|
||||
TEST_F(TlsExtensionTest13Stream, DropServerKeyShare) {
|
||||
EnsureTlsSetup();
|
||||
server_->SetPacketFilter(
|
||||
std::make_shared<TlsExtensionDropper>(ssl_tls13_key_share_xtn));
|
||||
MakeTlsFilter<TlsExtensionDropper>(server_, ssl_tls13_key_share_xtn);
|
||||
client_->ExpectSendAlert(kTlsAlertMissingExtension);
|
||||
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
||||
ConnectExpectFail();
|
||||
@ -572,8 +575,7 @@ TEST_F(TlsExtensionTest13Stream, WrongServerKeyShare) {
|
||||
0x02};
|
||||
DataBuffer buf(key_share, sizeof(key_share));
|
||||
EnsureTlsSetup();
|
||||
server_->SetPacketFilter(
|
||||
std::make_shared<TlsExtensionReplacer>(ssl_tls13_key_share_xtn, buf));
|
||||
MakeTlsFilter<TlsExtensionReplacer>(server_, ssl_tls13_key_share_xtn, buf);
|
||||
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
|
||||
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
||||
ConnectExpectFail();
|
||||
@ -594,8 +596,7 @@ TEST_F(TlsExtensionTest13Stream, UnknownServerKeyShare) {
|
||||
0x02};
|
||||
DataBuffer buf(key_share, sizeof(key_share));
|
||||
EnsureTlsSetup();
|
||||
server_->SetPacketFilter(
|
||||
std::make_shared<TlsExtensionReplacer>(ssl_tls13_key_share_xtn, buf));
|
||||
MakeTlsFilter<TlsExtensionReplacer>(server_, ssl_tls13_key_share_xtn, buf);
|
||||
client_->ExpectSendAlert(kTlsAlertMissingExtension);
|
||||
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
||||
ConnectExpectFail();
|
||||
@ -606,8 +607,8 @@ TEST_F(TlsExtensionTest13Stream, UnknownServerKeyShare) {
|
||||
TEST_F(TlsExtensionTest13Stream, AddServerSignatureAlgorithmsOnResumption) {
|
||||
SetupForResume();
|
||||
DataBuffer empty;
|
||||
server_->SetPacketFilter(std::make_shared<TlsExtensionInjector>(
|
||||
ssl_signature_algorithms_xtn, empty));
|
||||
MakeTlsFilter<TlsExtensionInjector>(server_, ssl_signature_algorithms_xtn,
|
||||
empty);
|
||||
client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
|
||||
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
||||
ConnectExpectFail();
|
||||
@ -627,8 +628,12 @@ typedef std::function<void(TlsPreSharedKeyReplacer*)>
|
||||
|
||||
class TlsPreSharedKeyReplacer : public TlsExtensionFilter {
|
||||
public:
|
||||
TlsPreSharedKeyReplacer(TlsPreSharedKeyReplacerFunc function)
|
||||
: identities_(), binders_(), function_(function) {}
|
||||
TlsPreSharedKeyReplacer(const std::shared_ptr<TlsAgent>& agent,
|
||||
TlsPreSharedKeyReplacerFunc function)
|
||||
: TlsExtensionFilter(agent),
|
||||
identities_(),
|
||||
binders_(),
|
||||
function_(function) {}
|
||||
|
||||
static size_t CopyAndMaybeReplace(TlsParser* parser, size_t size,
|
||||
const std::unique_ptr<DataBuffer>& replace,
|
||||
@ -742,8 +747,10 @@ class TlsPreSharedKeyReplacer : public TlsExtensionFilter {
|
||||
TEST_F(TlsExtensionTest13Stream, ResumeEmptyPskLabel) {
|
||||
SetupForResume();
|
||||
|
||||
client_->SetPacketFilter(std::make_shared<TlsPreSharedKeyReplacer>([](
|
||||
TlsPreSharedKeyReplacer* r) { r->identities_[0].identity.Truncate(0); }));
|
||||
MakeTlsFilter<TlsPreSharedKeyReplacer>(
|
||||
client_, [](TlsPreSharedKeyReplacer* r) {
|
||||
r->identities_[0].identity.Truncate(0);
|
||||
});
|
||||
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
|
||||
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
|
||||
@ -753,10 +760,10 @@ TEST_F(TlsExtensionTest13Stream, ResumeEmptyPskLabel) {
|
||||
TEST_F(TlsExtensionTest13Stream, ResumeIncorrectBinderValue) {
|
||||
SetupForResume();
|
||||
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsPreSharedKeyReplacer>([](TlsPreSharedKeyReplacer* r) {
|
||||
MakeTlsFilter<TlsPreSharedKeyReplacer>(
|
||||
client_, [](TlsPreSharedKeyReplacer* r) {
|
||||
r->binders_[0].Write(0, r->binders_[0].data()[0] ^ 0xff, 1);
|
||||
}));
|
||||
});
|
||||
ConnectExpectAlert(server_, kTlsAlertDecryptError);
|
||||
client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
|
||||
@ -766,10 +773,10 @@ TEST_F(TlsExtensionTest13Stream, ResumeIncorrectBinderValue) {
|
||||
TEST_F(TlsExtensionTest13Stream, ResumeIncorrectBinderLength) {
|
||||
SetupForResume();
|
||||
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsPreSharedKeyReplacer>([](TlsPreSharedKeyReplacer* r) {
|
||||
MakeTlsFilter<TlsPreSharedKeyReplacer>(
|
||||
client_, [](TlsPreSharedKeyReplacer* r) {
|
||||
r->binders_[0].Write(r->binders_[0].len(), 0xff, 1);
|
||||
}));
|
||||
});
|
||||
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
|
||||
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
|
||||
@ -779,8 +786,8 @@ TEST_F(TlsExtensionTest13Stream, ResumeIncorrectBinderLength) {
|
||||
TEST_F(TlsExtensionTest13Stream, ResumeBinderTooShort) {
|
||||
SetupForResume();
|
||||
|
||||
client_->SetPacketFilter(std::make_shared<TlsPreSharedKeyReplacer>(
|
||||
[](TlsPreSharedKeyReplacer* r) { r->binders_[0].Truncate(31); }));
|
||||
MakeTlsFilter<TlsPreSharedKeyReplacer>(
|
||||
client_, [](TlsPreSharedKeyReplacer* r) { r->binders_[0].Truncate(31); });
|
||||
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
|
||||
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
|
||||
@ -791,11 +798,11 @@ TEST_F(TlsExtensionTest13Stream, ResumeBinderTooShort) {
|
||||
TEST_F(TlsExtensionTest13Stream, ResumeTwoPsks) {
|
||||
SetupForResume();
|
||||
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsPreSharedKeyReplacer>([](TlsPreSharedKeyReplacer* r) {
|
||||
MakeTlsFilter<TlsPreSharedKeyReplacer>(
|
||||
client_, [](TlsPreSharedKeyReplacer* r) {
|
||||
r->identities_.push_back(r->identities_[0]);
|
||||
r->binders_.push_back(r->binders_[0]);
|
||||
}));
|
||||
});
|
||||
ConnectExpectAlert(server_, kTlsAlertDecryptError);
|
||||
client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
|
||||
@ -806,10 +813,10 @@ TEST_F(TlsExtensionTest13Stream, ResumeTwoPsks) {
|
||||
TEST_F(TlsExtensionTest13Stream, ResumeTwoIdentitiesOneBinder) {
|
||||
SetupForResume();
|
||||
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsPreSharedKeyReplacer>([](TlsPreSharedKeyReplacer* r) {
|
||||
MakeTlsFilter<TlsPreSharedKeyReplacer>(
|
||||
client_, [](TlsPreSharedKeyReplacer* r) {
|
||||
r->identities_.push_back(r->identities_[0]);
|
||||
}));
|
||||
});
|
||||
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
|
||||
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
|
||||
@ -818,8 +825,10 @@ TEST_F(TlsExtensionTest13Stream, ResumeTwoIdentitiesOneBinder) {
|
||||
TEST_F(TlsExtensionTest13Stream, ResumeOneIdentityTwoBinders) {
|
||||
SetupForResume();
|
||||
|
||||
client_->SetPacketFilter(std::make_shared<TlsPreSharedKeyReplacer>([](
|
||||
TlsPreSharedKeyReplacer* r) { r->binders_.push_back(r->binders_[0]); }));
|
||||
MakeTlsFilter<TlsPreSharedKeyReplacer>(
|
||||
client_, [](TlsPreSharedKeyReplacer* r) {
|
||||
r->binders_.push_back(r->binders_[0]);
|
||||
});
|
||||
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
|
||||
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
|
||||
@ -831,8 +840,8 @@ TEST_F(TlsExtensionTest13Stream, ResumePskExtensionNotLast) {
|
||||
const uint8_t empty_buf[] = {0};
|
||||
DataBuffer empty(empty_buf, 0);
|
||||
// Inject an unused extension after the PSK extension.
|
||||
client_->SetPacketFilter(std::make_shared<TlsExtensionAppender>(
|
||||
kTlsHandshakeClientHello, 0xffff, empty));
|
||||
MakeTlsFilter<TlsExtensionAppender>(client_, kTlsHandshakeClientHello, 0xffff,
|
||||
empty);
|
||||
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
|
||||
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
|
||||
@ -842,8 +851,8 @@ TEST_F(TlsExtensionTest13Stream, ResumeNoKeModes) {
|
||||
SetupForResume();
|
||||
|
||||
DataBuffer empty;
|
||||
client_->SetPacketFilter(std::make_shared<TlsExtensionDropper>(
|
||||
ssl_tls13_psk_key_exchange_modes_xtn));
|
||||
MakeTlsFilter<TlsExtensionDropper>(client_,
|
||||
ssl_tls13_psk_key_exchange_modes_xtn);
|
||||
ConnectExpectAlert(server_, kTlsAlertMissingExtension);
|
||||
client_->CheckErrorCode(SSL_ERROR_MISSING_EXTENSION_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES);
|
||||
@ -858,8 +867,8 @@ TEST_F(TlsExtensionTest13Stream, ResumeBogusKeModes) {
|
||||
kTls13PskKe};
|
||||
|
||||
DataBuffer modes(ke_modes, sizeof(ke_modes));
|
||||
client_->SetPacketFilter(std::make_shared<TlsExtensionReplacer>(
|
||||
ssl_tls13_psk_key_exchange_modes_xtn, modes));
|
||||
MakeTlsFilter<TlsExtensionReplacer>(
|
||||
client_, ssl_tls13_psk_key_exchange_modes_xtn, modes);
|
||||
client_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
||||
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
||||
ConnectExpectFail();
|
||||
@ -869,9 +878,8 @@ TEST_F(TlsExtensionTest13Stream, ResumeBogusKeModes) {
|
||||
|
||||
TEST_P(TlsExtensionTest13, NoKeModesIfResumptionOff) {
|
||||
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
|
||||
auto capture = std::make_shared<TlsExtensionCapture>(
|
||||
ssl_tls13_psk_key_exchange_modes_xtn);
|
||||
client_->SetPacketFilter(capture);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(
|
||||
client_, ssl_tls13_psk_key_exchange_modes_xtn);
|
||||
Connect();
|
||||
EXPECT_FALSE(capture->captured());
|
||||
}
|
||||
@ -967,11 +975,9 @@ class TlsBogusExtensionTest : public TlsConnectTestBase,
|
||||
static uint8_t empty_buf[1] = {0};
|
||||
DataBuffer empty(empty_buf, 0);
|
||||
auto filter =
|
||||
std::make_shared<TlsExtensionAppender>(message, extension, empty);
|
||||
MakeTlsFilter<TlsExtensionAppender>(server_, message, extension, empty);
|
||||
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
server_->SetTlsRecordFilter(filter);
|
||||
} else {
|
||||
server_->SetPacketFilter(filter);
|
||||
filter->EnableDecryption();
|
||||
}
|
||||
}
|
||||
|
||||
@ -1087,8 +1093,7 @@ TEST_P(TlsConnectStream, IncludePadding) {
|
||||
SECStatus rv = SSL_SetURL(client_->ssl_fd(), long_name);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
|
||||
auto capture = std::make_shared<TlsExtensionCapture>(ssl_padding_xtn);
|
||||
client_->SetPacketFilter(capture);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(client_, ssl_padding_xtn);
|
||||
client_->StartConnect();
|
||||
client_->Handshake();
|
||||
EXPECT_TRUE(capture->captured());
|
||||
|
@ -149,13 +149,13 @@ class RecordFragmenter : public PacketFilter {
|
||||
};
|
||||
|
||||
TEST_P(TlsConnectDatagram, FragmentClientPackets) {
|
||||
client_->SetPacketFilter(std::make_shared<RecordFragmenter>());
|
||||
client_->SetFilter(std::make_shared<RecordFragmenter>());
|
||||
Connect();
|
||||
SendReceive();
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectDatagram, FragmentServerPackets) {
|
||||
server_->SetPacketFilter(std::make_shared<RecordFragmenter>());
|
||||
server_->SetFilter(std::make_shared<RecordFragmenter>());
|
||||
Connect();
|
||||
SendReceive();
|
||||
}
|
||||
|
@ -27,7 +27,8 @@ class TlsFuzzTest : public ::testing::Test {};
|
||||
// Record the application data stream.
|
||||
class TlsApplicationDataRecorder : public TlsRecordFilter {
|
||||
public:
|
||||
TlsApplicationDataRecorder() : buffer_() {}
|
||||
TlsApplicationDataRecorder(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsRecordFilter(agent), buffer_() {}
|
||||
|
||||
virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
|
||||
const DataBuffer& input,
|
||||
@ -106,16 +107,16 @@ FUZZ_P(TlsConnectGeneric, DeterministicTranscript) {
|
||||
DisableECDHEServerKeyReuse();
|
||||
|
||||
DataBuffer buffer;
|
||||
client_->SetPacketFilter(std::make_shared<TlsConversationRecorder>(buffer));
|
||||
server_->SetPacketFilter(std::make_shared<TlsConversationRecorder>(buffer));
|
||||
MakeTlsFilter<TlsConversationRecorder>(client_, buffer);
|
||||
MakeTlsFilter<TlsConversationRecorder>(server_, buffer);
|
||||
|
||||
// Reset the RNG state.
|
||||
EXPECT_EQ(SECSuccess, RNG_RandomUpdate(NULL, 0));
|
||||
Connect();
|
||||
|
||||
// Ensure the filters go away before |buffer| does.
|
||||
client_->DeletePacketFilter();
|
||||
server_->DeletePacketFilter();
|
||||
client_->ClearFilter();
|
||||
server_->ClearFilter();
|
||||
|
||||
if (last.len() > 0) {
|
||||
EXPECT_EQ(last, buffer);
|
||||
@ -133,10 +134,8 @@ FUZZ_P(TlsConnectGeneric, ConnectSendReceive_NullCipher) {
|
||||
EnsureTlsSetup();
|
||||
|
||||
// Set up app data filters.
|
||||
auto client_recorder = std::make_shared<TlsApplicationDataRecorder>();
|
||||
client_->SetPacketFilter(client_recorder);
|
||||
auto server_recorder = std::make_shared<TlsApplicationDataRecorder>();
|
||||
server_->SetPacketFilter(server_recorder);
|
||||
auto client_recorder = MakeTlsFilter<TlsApplicationDataRecorder>(client_);
|
||||
auto server_recorder = MakeTlsFilter<TlsApplicationDataRecorder>(server_);
|
||||
|
||||
Connect();
|
||||
|
||||
@ -161,10 +160,9 @@ FUZZ_P(TlsConnectGeneric, ConnectSendReceive_NullCipher) {
|
||||
FUZZ_P(TlsConnectGeneric, BogusClientFinished) {
|
||||
EnsureTlsSetup();
|
||||
|
||||
auto i1 = std::make_shared<TlsInspectorReplaceHandshakeMessage>(
|
||||
kTlsHandshakeFinished,
|
||||
MakeTlsFilter<TlsInspectorReplaceHandshakeMessage>(
|
||||
client_, kTlsHandshakeFinished,
|
||||
DataBuffer(kShortEmptyFinished, sizeof(kShortEmptyFinished)));
|
||||
client_->SetPacketFilter(i1);
|
||||
Connect();
|
||||
SendReceive();
|
||||
}
|
||||
@ -173,10 +171,9 @@ FUZZ_P(TlsConnectGeneric, BogusClientFinished) {
|
||||
FUZZ_P(TlsConnectGeneric, BogusServerFinished) {
|
||||
EnsureTlsSetup();
|
||||
|
||||
auto i1 = std::make_shared<TlsInspectorReplaceHandshakeMessage>(
|
||||
kTlsHandshakeFinished,
|
||||
MakeTlsFilter<TlsInspectorReplaceHandshakeMessage>(
|
||||
server_, kTlsHandshakeFinished,
|
||||
DataBuffer(kLongEmptyFinished, sizeof(kLongEmptyFinished)));
|
||||
server_->SetPacketFilter(i1);
|
||||
Connect();
|
||||
SendReceive();
|
||||
}
|
||||
@ -187,7 +184,7 @@ FUZZ_P(TlsConnectGeneric, BogusServerAuthSignature) {
|
||||
uint8_t msg_type = version_ == SSL_LIBRARY_VERSION_TLS_1_3
|
||||
? kTlsHandshakeCertificateVerify
|
||||
: kTlsHandshakeServerKeyExchange;
|
||||
server_->SetPacketFilter(std::make_shared<TlsLastByteDamager>(msg_type));
|
||||
MakeTlsFilter<TlsLastByteDamager>(server_, msg_type);
|
||||
Connect();
|
||||
SendReceive();
|
||||
}
|
||||
@ -197,8 +194,7 @@ FUZZ_P(TlsConnectGeneric, BogusClientAuthSignature) {
|
||||
EnsureTlsSetup();
|
||||
client_->SetupClientAuth();
|
||||
server_->RequestClientAuth(true);
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsLastByteDamager>(kTlsHandshakeCertificateVerify));
|
||||
MakeTlsFilter<TlsLastByteDamager>(client_, kTlsHandshakeCertificateVerify);
|
||||
Connect();
|
||||
}
|
||||
|
||||
@ -219,29 +215,28 @@ FUZZ_P(TlsConnectGeneric, SessionTicketResumption) {
|
||||
FUZZ_P(TlsConnectGeneric, UnencryptedSessionTickets) {
|
||||
ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
|
||||
|
||||
auto i1 = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeNewSessionTicket);
|
||||
server_->SetPacketFilter(i1);
|
||||
auto filter = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
server_, kTlsHandshakeNewSessionTicket);
|
||||
Connect();
|
||||
|
||||
std::cerr << "ticket" << i1->buffer() << std::endl;
|
||||
std::cerr << "ticket" << filter->buffer() << std::endl;
|
||||
size_t offset = 4; /* lifetime */
|
||||
if (version_ == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
offset += 4; /* ticket_age_add */
|
||||
uint32_t nonce_len = 0;
|
||||
EXPECT_TRUE(i1->buffer().Read(offset, 1, &nonce_len));
|
||||
EXPECT_TRUE(filter->buffer().Read(offset, 1, &nonce_len));
|
||||
offset += 1 + nonce_len;
|
||||
}
|
||||
offset += 2 + /* ticket length */
|
||||
2; /* TLS_EX_SESS_TICKET_VERSION */
|
||||
// Check the protocol version number.
|
||||
uint32_t tls_version = 0;
|
||||
EXPECT_TRUE(i1->buffer().Read(offset, sizeof(version_), &tls_version));
|
||||
EXPECT_TRUE(filter->buffer().Read(offset, sizeof(version_), &tls_version));
|
||||
EXPECT_EQ(version_, static_cast<decltype(version_)>(tls_version));
|
||||
|
||||
// Check the cipher suite.
|
||||
uint32_t suite = 0;
|
||||
EXPECT_TRUE(i1->buffer().Read(offset + sizeof(version_), 2, &suite));
|
||||
EXPECT_TRUE(filter->buffer().Read(offset + sizeof(version_), 2, &suite));
|
||||
client_->CheckCipherSuite(static_cast<uint16_t>(suite));
|
||||
}
|
||||
}
|
||||
|
@ -35,17 +35,15 @@ TEST_P(TlsConnectTls13, HelloRetryRequestAbortsZeroRtt) {
|
||||
|
||||
// Send first ClientHello and send 0-RTT data
|
||||
auto capture_early_data =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_early_data_xtn);
|
||||
client_->SetPacketFilter(capture_early_data);
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_early_data_xtn);
|
||||
client_->Handshake();
|
||||
EXPECT_EQ(k0RttDataLen, PR_Write(client_->ssl_fd(), k0RttData,
|
||||
k0RttDataLen)); // 0-RTT write.
|
||||
EXPECT_TRUE(capture_early_data->captured());
|
||||
|
||||
// Send the HelloRetryRequest
|
||||
auto hrr_capture = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeHelloRetryRequest);
|
||||
server_->SetPacketFilter(hrr_capture);
|
||||
auto hrr_capture = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
server_, kTlsHandshakeHelloRetryRequest);
|
||||
server_->Handshake();
|
||||
EXPECT_LT(0U, hrr_capture->buffer().len());
|
||||
|
||||
@ -56,8 +54,7 @@ TEST_P(TlsConnectTls13, HelloRetryRequestAbortsZeroRtt) {
|
||||
|
||||
// Make a new capture for the early data.
|
||||
capture_early_data =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_early_data_xtn);
|
||||
client_->SetPacketFilter(capture_early_data);
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_early_data_xtn);
|
||||
|
||||
// Complete the handshake successfully
|
||||
Handshake();
|
||||
@ -71,6 +68,10 @@ TEST_P(TlsConnectTls13, HelloRetryRequestAbortsZeroRtt) {
|
||||
// packet. If the record is split into two packets, or there are multiple
|
||||
// handshake packets, this will break.
|
||||
class CorrectMessageSeqAfterHrrFilter : public TlsRecordFilter {
|
||||
public:
|
||||
CorrectMessageSeqAfterHrrFilter(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsRecordFilter(agent) {}
|
||||
|
||||
protected:
|
||||
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
|
||||
const DataBuffer& record, size_t* offset,
|
||||
@ -131,8 +132,7 @@ TEST_P(TlsConnectTls13, SecondClientHelloRejectEarlyDataXtn) {
|
||||
|
||||
// Correct the DTLS message sequence number after an HRR.
|
||||
if (variant_ == ssl_variant_datagram) {
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<CorrectMessageSeqAfterHrrFilter>());
|
||||
MakeTlsFilter<CorrectMessageSeqAfterHrrFilter>(client_);
|
||||
}
|
||||
|
||||
server_->SetPeer(client_);
|
||||
@ -151,7 +151,8 @@ TEST_P(TlsConnectTls13, SecondClientHelloRejectEarlyDataXtn) {
|
||||
|
||||
class KeyShareReplayer : public TlsExtensionFilter {
|
||||
public:
|
||||
KeyShareReplayer() {}
|
||||
KeyShareReplayer(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsExtensionFilter(agent) {}
|
||||
|
||||
virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
|
||||
const DataBuffer& input,
|
||||
@ -178,7 +179,7 @@ class KeyShareReplayer : public TlsExtensionFilter {
|
||||
// server should reject this.
|
||||
TEST_P(TlsConnectTls13, RetryWithSameKeyShare) {
|
||||
EnsureTlsSetup();
|
||||
client_->SetPacketFilter(std::make_shared<KeyShareReplayer>());
|
||||
MakeTlsFilter<KeyShareReplayer>(client_);
|
||||
static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
|
||||
ssl_grp_ec_secp521r1};
|
||||
server_->ConfigNamedGroups(groups);
|
||||
@ -192,7 +193,7 @@ TEST_P(TlsConnectTls13, RetryWithSameKeyShare) {
|
||||
TEST_P(TlsConnectTls13, RetryWithTwoShares) {
|
||||
EnsureTlsSetup();
|
||||
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1));
|
||||
client_->SetPacketFilter(std::make_shared<KeyShareReplayer>());
|
||||
MakeTlsFilter<KeyShareReplayer>(client_);
|
||||
|
||||
static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
|
||||
ssl_grp_ec_secp521r1};
|
||||
@ -238,9 +239,9 @@ TEST_P(TlsConnectTls13, RetryCallbackAcceptGroupMismatch) {
|
||||
return ssl_hello_retry_accept;
|
||||
};
|
||||
|
||||
auto capture = std::make_shared<TlsExtensionCapture>(ssl_tls13_cookie_xtn);
|
||||
auto capture =
|
||||
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_cookie_xtn);
|
||||
capture->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest});
|
||||
server_->SetPacketFilter(capture);
|
||||
|
||||
static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1};
|
||||
server_->ConfigNamedGroups(groups);
|
||||
@ -359,14 +360,14 @@ SSLHelloRetryRequestAction RetryHello(PRBool firstHello,
|
||||
TEST_P(TlsConnectTls13, RetryCallbackRetry) {
|
||||
EnsureTlsSetup();
|
||||
|
||||
auto capture_hrr = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
ssl_hs_hello_retry_request);
|
||||
auto capture_hrr = std::make_shared<TlsHandshakeRecorder>(
|
||||
server_, ssl_hs_hello_retry_request);
|
||||
auto capture_key_share =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn);
|
||||
std::make_shared<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn);
|
||||
capture_key_share->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest});
|
||||
std::vector<std::shared_ptr<PacketFilter>> chain = {capture_hrr,
|
||||
capture_key_share};
|
||||
server_->SetPacketFilter(std::make_shared<ChainedPacketFilter>(chain));
|
||||
server_->SetFilter(std::make_shared<ChainedPacketFilter>(chain));
|
||||
|
||||
size_t cb_called = 0;
|
||||
EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(),
|
||||
@ -383,8 +384,7 @@ TEST_P(TlsConnectTls13, RetryCallbackRetry) {
|
||||
<< "no key_share extension expected";
|
||||
|
||||
auto capture_cookie =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_cookie_xtn);
|
||||
client_->SetPacketFilter(capture_cookie);
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_cookie_xtn);
|
||||
|
||||
Handshake();
|
||||
CheckConnected();
|
||||
@ -413,9 +413,8 @@ TEST_P(TlsConnectTls13, RetryCallbackRetryWithAdditionalShares) {
|
||||
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1));
|
||||
|
||||
auto capture_server =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn);
|
||||
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn);
|
||||
capture_server->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest});
|
||||
server_->SetPacketFilter(capture_server);
|
||||
|
||||
size_t cb_called = 0;
|
||||
EXPECT_EQ(SECSuccess, SSL_HelloRetryRequestCallback(server_->ssl_fd(),
|
||||
@ -431,8 +430,7 @@ TEST_P(TlsConnectTls13, RetryCallbackRetryWithAdditionalShares) {
|
||||
<< "no key_share extension expected from server";
|
||||
|
||||
auto capture_client_2nd =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn);
|
||||
client_->SetPacketFilter(capture_client_2nd);
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_key_share_xtn);
|
||||
|
||||
Handshake();
|
||||
CheckConnected();
|
||||
@ -449,12 +447,12 @@ TEST_P(TlsConnectTls13, RetryCallbackRetryWithGroupMismatch) {
|
||||
EnsureTlsSetup();
|
||||
|
||||
auto capture_cookie =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_cookie_xtn);
|
||||
std::make_shared<TlsExtensionCapture>(server_, ssl_tls13_cookie_xtn);
|
||||
capture_cookie->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest});
|
||||
auto capture_key_share =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn);
|
||||
std::make_shared<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn);
|
||||
capture_key_share->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest});
|
||||
server_->SetPacketFilter(std::make_shared<ChainedPacketFilter>(
|
||||
server_->SetFilter(std::make_shared<ChainedPacketFilter>(
|
||||
ChainedPacketFilterInit{capture_cookie, capture_key_share}));
|
||||
|
||||
static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1};
|
||||
@ -493,9 +491,8 @@ TEST_P(TlsConnectTls13, RetryCallbackRetryWithToken) {
|
||||
EnsureTlsSetup();
|
||||
|
||||
auto capture_key_share =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn);
|
||||
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn);
|
||||
capture_key_share->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest});
|
||||
server_->SetPacketFilter(capture_key_share);
|
||||
|
||||
size_t cb_called = 0;
|
||||
EXPECT_EQ(SECSuccess,
|
||||
@ -513,9 +510,8 @@ TEST_P(TlsConnectTls13, RetryCallbackRetryWithTokenAndGroupMismatch) {
|
||||
server_->ConfigNamedGroups(groups);
|
||||
|
||||
auto capture_key_share =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn);
|
||||
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn);
|
||||
capture_key_share->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest});
|
||||
server_->SetPacketFilter(capture_key_share);
|
||||
|
||||
size_t cb_called = 0;
|
||||
EXPECT_EQ(SECSuccess,
|
||||
@ -589,8 +585,7 @@ TEST_P(TlsConnectTls13, RetryStatefulDropCookie) {
|
||||
EnsureTlsSetup();
|
||||
|
||||
TriggerHelloRetryRequest(client_, server_);
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsExtensionDropper>(ssl_tls13_cookie_xtn));
|
||||
MakeTlsFilter<TlsExtensionDropper>(client_, ssl_tls13_cookie_xtn);
|
||||
|
||||
ExpectAlert(server_, kTlsAlertMissingExtension);
|
||||
Handshake();
|
||||
@ -603,8 +598,8 @@ TEST_F(TlsConnectStreamTls13, RetryStatelessDamageFirstClientHello) {
|
||||
ConfigureSelfEncrypt();
|
||||
EnsureTlsSetup();
|
||||
|
||||
auto damage_ch = std::make_shared<TlsExtensionInjector>(0xfff3, DataBuffer());
|
||||
client_->SetPacketFilter(damage_ch);
|
||||
auto damage_ch =
|
||||
MakeTlsFilter<TlsExtensionInjector>(client_, 0xfff3, DataBuffer());
|
||||
|
||||
TriggerHelloRetryRequest(client_, server_);
|
||||
MakeNewServer();
|
||||
@ -625,8 +620,8 @@ TEST_F(TlsConnectStreamTls13, RetryStatelessDamageSecondClientHello) {
|
||||
TriggerHelloRetryRequest(client_, server_);
|
||||
MakeNewServer();
|
||||
|
||||
auto damage_ch = std::make_shared<TlsExtensionInjector>(0xfff3, DataBuffer());
|
||||
client_->SetPacketFilter(damage_ch);
|
||||
auto damage_ch =
|
||||
MakeTlsFilter<TlsExtensionInjector>(client_, 0xfff3, DataBuffer());
|
||||
|
||||
// Key exchange fails when the handshake continues because client and server
|
||||
// disagree about the transcript.
|
||||
@ -640,7 +635,7 @@ TEST_F(TlsConnectStreamTls13, RetryStatelessDamageSecondClientHello) {
|
||||
// Read the cipher suite from the HRR and disable it on the identified agent.
|
||||
static void DisableSuiteFromHrr(
|
||||
std::shared_ptr<TlsAgent>& agent,
|
||||
std::shared_ptr<TlsInspectorRecordHandshakeMessage>& capture_hrr) {
|
||||
std::shared_ptr<TlsHandshakeRecorder>& capture_hrr) {
|
||||
uint32_t tmp;
|
||||
size_t offset = 2 + 32; // skip version + server_random
|
||||
ASSERT_TRUE(
|
||||
@ -657,9 +652,8 @@ TEST_P(TlsConnectTls13, RetryStatelessDisableSuiteClient) {
|
||||
ConfigureSelfEncrypt();
|
||||
EnsureTlsSetup();
|
||||
|
||||
auto capture_hrr = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
ssl_hs_hello_retry_request);
|
||||
server_->SetPacketFilter(capture_hrr);
|
||||
auto capture_hrr =
|
||||
MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_hello_retry_request);
|
||||
|
||||
TriggerHelloRetryRequest(client_, server_);
|
||||
MakeNewServer();
|
||||
@ -678,9 +672,8 @@ TEST_P(TlsConnectTls13, RetryStatelessDisableSuiteServer) {
|
||||
ConfigureSelfEncrypt();
|
||||
EnsureTlsSetup();
|
||||
|
||||
auto capture_hrr = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
ssl_hs_hello_retry_request);
|
||||
server_->SetPacketFilter(capture_hrr);
|
||||
auto capture_hrr =
|
||||
MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_hello_retry_request);
|
||||
|
||||
TriggerHelloRetryRequest(client_, server_);
|
||||
MakeNewServer();
|
||||
@ -761,8 +754,8 @@ TEST_F(TlsConnectStreamTls13, RetryWithDifferentCipherSuite) {
|
||||
static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1};
|
||||
server_->ConfigNamedGroups(groups);
|
||||
// Then switch out the default suite (TLS_AES_128_GCM_SHA256).
|
||||
server_->SetPacketFilter(std::make_shared<SelectedCipherSuiteReplacer>(
|
||||
TLS_CHACHA20_POLY1305_SHA256));
|
||||
MakeTlsFilter<SelectedCipherSuiteReplacer>(server_,
|
||||
TLS_CHACHA20_POLY1305_SHA256);
|
||||
|
||||
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
|
||||
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
||||
@ -777,7 +770,7 @@ TEST_F(TlsConnectDatagram13, DropClientSecondFlightWithHelloRetry) {
|
||||
static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
|
||||
ssl_grp_ec_secp521r1};
|
||||
server_->ConfigNamedGroups(groups);
|
||||
server_->SetPacketFilter(std::make_shared<SelectiveDropFilter>(0x2));
|
||||
server_->SetFilter(std::make_shared<SelectiveDropFilter>(0x2));
|
||||
Connect();
|
||||
}
|
||||
|
||||
@ -833,9 +826,9 @@ TEST_P(TlsKeyExchange13,
|
||||
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1));
|
||||
|
||||
auto capture_server =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn);
|
||||
std::make_shared<TlsExtensionCapture>(server_, ssl_tls13_key_share_xtn);
|
||||
capture_server->SetHandshakeTypes({kTlsHandshakeHelloRetryRequest});
|
||||
server_->SetPacketFilter(std::make_shared<ChainedPacketFilter>(
|
||||
server_->SetFilter(std::make_shared<ChainedPacketFilter>(
|
||||
ChainedPacketFilterInit{capture_hrr_, capture_server}));
|
||||
|
||||
size_t cb_called = 0;
|
||||
|
@ -20,8 +20,8 @@ static const std::string keylog_env = "SSLKEYLOGFILE=" + keylog_file_path;
|
||||
|
||||
class KeyLogFileTest : public TlsConnectGeneric {
|
||||
public:
|
||||
void SetUp() {
|
||||
TlsConnectTestBase::SetUp();
|
||||
void SetUp() override {
|
||||
TlsConnectGeneric::SetUp();
|
||||
// Remove previous results (if any).
|
||||
(void)remove(keylog_file_path.c_str());
|
||||
PR_SetEnv(keylog_env.c_str());
|
||||
|
@ -56,7 +56,8 @@ TEST_P(TlsConnectGeneric, CipherSuiteMismatch) {
|
||||
|
||||
class TlsAlertRecorder : public TlsRecordFilter {
|
||||
public:
|
||||
TlsAlertRecorder() : level_(255), description_(255) {}
|
||||
TlsAlertRecorder(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsRecordFilter(agent), level_(255), description_(255) {}
|
||||
|
||||
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
|
||||
const DataBuffer& input,
|
||||
@ -86,9 +87,9 @@ class TlsAlertRecorder : public TlsRecordFilter {
|
||||
|
||||
class HelloTruncator : public TlsHandshakeFilter {
|
||||
public:
|
||||
HelloTruncator()
|
||||
HelloTruncator(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsHandshakeFilter(
|
||||
{kTlsHandshakeClientHello, kTlsHandshakeServerHello}) {}
|
||||
agent, {kTlsHandshakeClientHello, kTlsHandshakeServerHello}) {}
|
||||
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
|
||||
const DataBuffer& input,
|
||||
DataBuffer* output) override {
|
||||
@ -99,9 +100,8 @@ class HelloTruncator : public TlsHandshakeFilter {
|
||||
|
||||
// Verify that when NSS reports that an alert is sent, it is actually sent.
|
||||
TEST_P(TlsConnectGeneric, CaptureAlertServer) {
|
||||
client_->SetPacketFilter(std::make_shared<HelloTruncator>());
|
||||
auto alert_recorder = std::make_shared<TlsAlertRecorder>();
|
||||
server_->SetPacketFilter(alert_recorder);
|
||||
MakeTlsFilter<HelloTruncator>(client_);
|
||||
auto alert_recorder = MakeTlsFilter<TlsAlertRecorder>(server_);
|
||||
|
||||
ConnectExpectAlert(server_, kTlsAlertDecodeError);
|
||||
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
|
||||
@ -109,9 +109,8 @@ TEST_P(TlsConnectGeneric, CaptureAlertServer) {
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectGenericPre13, CaptureAlertClient) {
|
||||
server_->SetPacketFilter(std::make_shared<HelloTruncator>());
|
||||
auto alert_recorder = std::make_shared<TlsAlertRecorder>();
|
||||
client_->SetPacketFilter(alert_recorder);
|
||||
MakeTlsFilter<HelloTruncator>(server_);
|
||||
auto alert_recorder = MakeTlsFilter<TlsAlertRecorder>(client_);
|
||||
|
||||
ConnectExpectAlert(client_, kTlsAlertDecodeError);
|
||||
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
|
||||
@ -120,9 +119,8 @@ TEST_P(TlsConnectGenericPre13, CaptureAlertClient) {
|
||||
|
||||
// In TLS 1.3, the server can't read the client alert.
|
||||
TEST_P(TlsConnectTls13, CaptureAlertClient) {
|
||||
server_->SetPacketFilter(std::make_shared<HelloTruncator>());
|
||||
auto alert_recorder = std::make_shared<TlsAlertRecorder>();
|
||||
client_->SetPacketFilter(alert_recorder);
|
||||
MakeTlsFilter<HelloTruncator>(server_);
|
||||
auto alert_recorder = MakeTlsFilter<TlsAlertRecorder>(client_);
|
||||
|
||||
StartConnect();
|
||||
|
||||
@ -173,7 +171,8 @@ TEST_P(TlsConnectGeneric, ConnectSendReceive) {
|
||||
|
||||
class SaveTlsRecord : public TlsRecordFilter {
|
||||
public:
|
||||
SaveTlsRecord(size_t index) : index_(index), count_(0), contents_() {}
|
||||
SaveTlsRecord(const std::shared_ptr<TlsAgent>& agent, size_t index)
|
||||
: TlsRecordFilter(agent), index_(index), count_(0), contents_() {}
|
||||
|
||||
const DataBuffer& contents() const { return contents_; }
|
||||
|
||||
@ -198,8 +197,8 @@ class SaveTlsRecord : public TlsRecordFilter {
|
||||
TEST_F(TlsConnectStreamTls13, DecryptRecordClient) {
|
||||
EnsureTlsSetup();
|
||||
// 0 = ClientHello, 1 = Finished, 2 = SendReceive, 3 = SendBuffer
|
||||
auto saved = std::make_shared<SaveTlsRecord>(3);
|
||||
client_->SetTlsRecordFilter(saved);
|
||||
auto saved = MakeTlsFilter<SaveTlsRecord>(client_, 3);
|
||||
saved->EnableDecryption();
|
||||
Connect();
|
||||
SendReceive();
|
||||
|
||||
@ -215,8 +214,8 @@ TEST_F(TlsConnectStreamTls13, DecryptRecordServer) {
|
||||
EXPECT_EQ(SECSuccess, SSL_OptionSet(server_->ssl_fd(),
|
||||
SSL_ENABLE_SESSION_TICKETS, PR_FALSE));
|
||||
// 0 = ServerHello, 1 = other handshake, 2 = SendReceive, 3 = SendBuffer
|
||||
auto saved = std::make_shared<SaveTlsRecord>(3);
|
||||
server_->SetTlsRecordFilter(saved);
|
||||
auto saved = MakeTlsFilter<SaveTlsRecord>(server_, 3);
|
||||
saved->EnableDecryption();
|
||||
Connect();
|
||||
SendReceive();
|
||||
|
||||
@ -228,7 +227,8 @@ TEST_F(TlsConnectStreamTls13, DecryptRecordServer) {
|
||||
|
||||
class DropTlsRecord : public TlsRecordFilter {
|
||||
public:
|
||||
DropTlsRecord(size_t index) : index_(index), count_(0) {}
|
||||
DropTlsRecord(const std::shared_ptr<TlsAgent>& agent, size_t index)
|
||||
: TlsRecordFilter(agent), index_(index), count_(0) {}
|
||||
|
||||
protected:
|
||||
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
|
||||
@ -253,7 +253,8 @@ TEST_F(TlsConnectStreamTls13, DropRecordServer) {
|
||||
SSL_ENABLE_SESSION_TICKETS, PR_FALSE));
|
||||
|
||||
// 0 = ServerHello, 1 = other handshake, 2 = first write
|
||||
server_->SetTlsRecordFilter(std::make_shared<DropTlsRecord>(2));
|
||||
auto filter = MakeTlsFilter<DropTlsRecord>(server_, 2);
|
||||
filter->EnableDecryption();
|
||||
Connect();
|
||||
server_->SendData(23, 23); // This should be dropped, so it won't be counted.
|
||||
server_->ResetSentBytes();
|
||||
@ -263,7 +264,8 @@ TEST_F(TlsConnectStreamTls13, DropRecordServer) {
|
||||
TEST_F(TlsConnectStreamTls13, DropRecordClient) {
|
||||
EnsureTlsSetup();
|
||||
// 0 = ClientHello, 1 = Finished, 2 = first write
|
||||
client_->SetTlsRecordFilter(std::make_shared<DropTlsRecord>(2));
|
||||
auto filter = MakeTlsFilter<DropTlsRecord>(client_, 2);
|
||||
filter->EnableDecryption();
|
||||
Connect();
|
||||
client_->SendData(26, 26); // This should be dropped, so it won't be counted.
|
||||
client_->ResetSentBytes();
|
||||
@ -371,7 +373,8 @@ TEST_P(TlsHolddownTest, TestDtlsHolddownExpiryResumption) {
|
||||
|
||||
class TlsPreCCSHeaderInjector : public TlsRecordFilter {
|
||||
public:
|
||||
TlsPreCCSHeaderInjector() {}
|
||||
TlsPreCCSHeaderInjector(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsRecordFilter(agent) {}
|
||||
virtual PacketFilter::Action FilterRecord(
|
||||
const TlsRecordHeader& record_header, const DataBuffer& input,
|
||||
size_t* offset, DataBuffer* output) override {
|
||||
@ -388,14 +391,14 @@ class TlsPreCCSHeaderInjector : public TlsRecordFilter {
|
||||
};
|
||||
|
||||
TEST_P(TlsConnectStreamPre13, ClientFinishedHeaderBeforeCCS) {
|
||||
client_->SetPacketFilter(std::make_shared<TlsPreCCSHeaderInjector>());
|
||||
MakeTlsFilter<TlsPreCCSHeaderInjector>(client_);
|
||||
ConnectExpectAlert(server_, kTlsAlertUnexpectedMessage);
|
||||
client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectStreamPre13, ServerFinishedHeaderBeforeCCS) {
|
||||
server_->SetPacketFilter(std::make_shared<TlsPreCCSHeaderInjector>());
|
||||
MakeTlsFilter<TlsPreCCSHeaderInjector>(server_);
|
||||
StartConnect();
|
||||
ExpectAlert(client_, kTlsAlertUnexpectedMessage);
|
||||
Handshake();
|
||||
@ -476,8 +479,7 @@ TEST_F(TlsConnectTest, OneNRecordSplitting) {
|
||||
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_0);
|
||||
EnsureTlsSetup();
|
||||
ConnectWithCipherSuite(TLS_RSA_WITH_AES_128_CBC_SHA);
|
||||
auto records = std::make_shared<TlsRecordRecorder>();
|
||||
server_->SetPacketFilter(records);
|
||||
auto records = MakeTlsFilter<TlsRecordRecorder>(server_);
|
||||
// This should be split into 1, 16384 and 20.
|
||||
DataBuffer big_buffer;
|
||||
big_buffer.Allocate(1 + 16384 + 20);
|
||||
|
@ -103,8 +103,8 @@ TEST_P(TlsPaddingTest, LastByteOfPadWrong) {
|
||||
|
||||
class RecordReplacer : public TlsRecordFilter {
|
||||
public:
|
||||
RecordReplacer(size_t size)
|
||||
: TlsRecordFilter(), enabled_(false), size_(size) {}
|
||||
RecordReplacer(const std::shared_ptr<TlsAgent>& agent, size_t size)
|
||||
: TlsRecordFilter(agent), enabled_(false), size_(size) {}
|
||||
|
||||
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
|
||||
const DataBuffer& data,
|
||||
@ -135,8 +135,8 @@ TEST_F(TlsConnectStreamTls13, LargeRecord) {
|
||||
EnsureTlsSetup();
|
||||
|
||||
const size_t record_limit = 16384;
|
||||
auto replacer = std::make_shared<RecordReplacer>(record_limit);
|
||||
client_->SetTlsRecordFilter(replacer);
|
||||
auto replacer = MakeTlsFilter<RecordReplacer>(client_, record_limit);
|
||||
replacer->EnableDecryption();
|
||||
Connect();
|
||||
|
||||
replacer->Enable();
|
||||
@ -149,8 +149,8 @@ TEST_F(TlsConnectStreamTls13, TooLargeRecord) {
|
||||
EnsureTlsSetup();
|
||||
|
||||
const size_t record_limit = 16384;
|
||||
auto replacer = std::make_shared<RecordReplacer>(record_limit + 1);
|
||||
client_->SetTlsRecordFilter(replacer);
|
||||
auto replacer = MakeTlsFilter<RecordReplacer>(client_, record_limit + 1);
|
||||
replacer->EnableDecryption();
|
||||
Connect();
|
||||
|
||||
replacer->Enable();
|
||||
@ -177,4 +177,4 @@ auto kTrueFalse = ::testing::ValuesIn(kTrueFalseArr);
|
||||
|
||||
INSTANTIATE_TEST_CASE_P(TlsPadding, TlsPaddingTest,
|
||||
::testing::Combine(kContentSizes, kTrueFalse));
|
||||
} // namespace nspr_test
|
||||
} // namespace nss_test
|
||||
|
@ -219,8 +219,7 @@ TEST_P(TlsConnectGenericResumption, ConnectWithExpiredTicketAtClient) {
|
||||
SSLExtensionType xtn = (version_ >= SSL_LIBRARY_VERSION_TLS_1_3)
|
||||
? ssl_tls13_pre_shared_key_xtn
|
||||
: ssl_session_ticket_xtn;
|
||||
auto capture = std::make_shared<TlsExtensionCapture>(xtn);
|
||||
client_->SetPacketFilter(capture);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(client_, xtn);
|
||||
Connect();
|
||||
|
||||
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
@ -245,8 +244,7 @@ TEST_P(TlsConnectGeneric, ConnectWithExpiredTicketAtServer) {
|
||||
SSLExtensionType xtn = (version_ >= SSL_LIBRARY_VERSION_TLS_1_3)
|
||||
? ssl_tls13_pre_shared_key_xtn
|
||||
: ssl_session_ticket_xtn;
|
||||
auto capture = std::make_shared<TlsExtensionCapture>(xtn);
|
||||
client_->SetPacketFilter(capture);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(client_, xtn);
|
||||
StartConnect();
|
||||
client_->Handshake();
|
||||
EXPECT_TRUE(capture->captured());
|
||||
@ -327,25 +325,23 @@ TEST_P(TlsConnectGeneric, ServerSNICertTypeSwitch) {
|
||||
|
||||
// Prior to TLS 1.3, we were not fully ephemeral; though 1.3 fixes that
|
||||
TEST_P(TlsConnectGenericPre13, ConnectEcdheTwiceReuseKey) {
|
||||
auto i1 = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeServerKeyExchange);
|
||||
server_->SetPacketFilter(i1);
|
||||
auto filter = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
server_, kTlsHandshakeServerKeyExchange);
|
||||
Connect();
|
||||
CheckKeys();
|
||||
TlsServerKeyExchangeEcdhe dhe1;
|
||||
EXPECT_TRUE(dhe1.Parse(i1->buffer()));
|
||||
EXPECT_TRUE(dhe1.Parse(filter->buffer()));
|
||||
|
||||
// Restart
|
||||
Reset();
|
||||
auto i2 = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeServerKeyExchange);
|
||||
server_->SetPacketFilter(i2);
|
||||
auto filter2 = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
server_, kTlsHandshakeServerKeyExchange);
|
||||
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
|
||||
Connect();
|
||||
CheckKeys();
|
||||
|
||||
TlsServerKeyExchangeEcdhe dhe2;
|
||||
EXPECT_TRUE(dhe2.Parse(i2->buffer()));
|
||||
EXPECT_TRUE(dhe2.Parse(filter2->buffer()));
|
||||
|
||||
// Make sure they are the same.
|
||||
EXPECT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len());
|
||||
@ -356,26 +352,24 @@ TEST_P(TlsConnectGenericPre13, ConnectEcdheTwiceReuseKey) {
|
||||
// This test parses the ServerKeyExchange, which isn't in 1.3
|
||||
TEST_P(TlsConnectGenericPre13, ConnectEcdheTwiceNewKey) {
|
||||
server_->SetOption(SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
|
||||
auto i1 = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeServerKeyExchange);
|
||||
server_->SetPacketFilter(i1);
|
||||
auto filter = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
server_, kTlsHandshakeServerKeyExchange);
|
||||
Connect();
|
||||
CheckKeys();
|
||||
TlsServerKeyExchangeEcdhe dhe1;
|
||||
EXPECT_TRUE(dhe1.Parse(i1->buffer()));
|
||||
EXPECT_TRUE(dhe1.Parse(filter->buffer()));
|
||||
|
||||
// Restart
|
||||
Reset();
|
||||
server_->SetOption(SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
|
||||
auto i2 = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeServerKeyExchange);
|
||||
server_->SetPacketFilter(i2);
|
||||
auto filter2 = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
server_, kTlsHandshakeServerKeyExchange);
|
||||
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
|
||||
Connect();
|
||||
CheckKeys();
|
||||
|
||||
TlsServerKeyExchangeEcdhe dhe2;
|
||||
EXPECT_TRUE(dhe2.Parse(i2->buffer()));
|
||||
EXPECT_TRUE(dhe2.Parse(filter2->buffer()));
|
||||
|
||||
// Make sure they are different.
|
||||
EXPECT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) &&
|
||||
@ -434,8 +428,8 @@ TEST_P(TlsConnectGenericResumption, TestResumeClientDifferentCipher) {
|
||||
} else {
|
||||
ticket_extension = ssl_session_ticket_xtn;
|
||||
}
|
||||
auto ticket_capture = std::make_shared<TlsExtensionCapture>(ticket_extension);
|
||||
client_->SetPacketFilter(ticket_capture);
|
||||
auto ticket_capture =
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ticket_extension);
|
||||
Connect();
|
||||
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
|
||||
EXPECT_EQ(0U, ticket_capture->extension().len());
|
||||
@ -468,8 +462,8 @@ TEST_P(TlsConnectStream, TestResumptionOverrideCipher) {
|
||||
|
||||
Reset();
|
||||
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
||||
server_->SetPacketFilter(std::make_shared<SelectedCipherSuiteReplacer>(
|
||||
ChooseAnotherCipher(version_)));
|
||||
MakeTlsFilter<SelectedCipherSuiteReplacer>(server_,
|
||||
ChooseAnotherCipher(version_));
|
||||
|
||||
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
|
||||
@ -490,8 +484,10 @@ TEST_P(TlsConnectStream, TestResumptionOverrideCipher) {
|
||||
|
||||
class SelectedVersionReplacer : public TlsHandshakeFilter {
|
||||
public:
|
||||
SelectedVersionReplacer(uint16_t version)
|
||||
: TlsHandshakeFilter({kTlsHandshakeServerHello}), version_(version) {}
|
||||
SelectedVersionReplacer(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint16_t version)
|
||||
: TlsHandshakeFilter(agent, {kTlsHandshakeServerHello}),
|
||||
version_(version) {}
|
||||
|
||||
protected:
|
||||
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
|
||||
@ -543,8 +539,7 @@ TEST_P(TlsConnectGenericPre13, TestResumptionOverrideVersion) {
|
||||
// Enable the lower version on the client.
|
||||
client_->SetVersionRange(version_ - 1, version_);
|
||||
server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
|
||||
server_->SetPacketFilter(
|
||||
std::make_shared<SelectedVersionReplacer>(override_version));
|
||||
MakeTlsFilter<SelectedVersionReplacer>(server_, override_version);
|
||||
|
||||
ConnectExpectAlert(client_, kTlsAlertHandshakeFailure);
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
|
||||
@ -567,8 +562,8 @@ TEST_F(TlsConnectTest, TestTls13ResumptionTwice) {
|
||||
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
||||
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
|
||||
ExpectResumption(RESUME_TICKET);
|
||||
auto c1 = std::make_shared<TlsExtensionCapture>(ssl_tls13_pre_shared_key_xtn);
|
||||
client_->SetPacketFilter(c1);
|
||||
auto c1 =
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn);
|
||||
Connect();
|
||||
SendReceive();
|
||||
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
|
||||
@ -584,8 +579,8 @@ TEST_F(TlsConnectTest, TestTls13ResumptionTwice) {
|
||||
ClearStats();
|
||||
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
||||
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
|
||||
auto c2 = std::make_shared<TlsExtensionCapture>(ssl_tls13_pre_shared_key_xtn);
|
||||
client_->SetPacketFilter(c2);
|
||||
auto c2 =
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn);
|
||||
ExpectResumption(RESUME_TICKET);
|
||||
Connect();
|
||||
SendReceive();
|
||||
@ -656,9 +651,9 @@ TEST_F(TlsConnectTest, TestTls13ResumptionDuplicateNSTWithToken) {
|
||||
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
|
||||
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
|
||||
|
||||
auto nst_capture = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
ssl_hs_new_session_ticket);
|
||||
server_->SetTlsRecordFilter(nst_capture);
|
||||
auto nst_capture =
|
||||
MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_new_session_ticket);
|
||||
nst_capture->EnableDecryption();
|
||||
Connect();
|
||||
|
||||
// Clear the session ticket keys to invalidate the old ticket.
|
||||
@ -679,8 +674,7 @@ TEST_F(TlsConnectTest, TestTls13ResumptionDuplicateNSTWithToken) {
|
||||
ExpectResumption(RESUME_TICKET);
|
||||
|
||||
auto psk_capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_pre_shared_key_xtn);
|
||||
client_->SetPacketFilter(psk_capture);
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn);
|
||||
Connect();
|
||||
SendReceive();
|
||||
|
||||
@ -696,9 +690,9 @@ TEST_F(TlsConnectTest, SendSessionTicketWithTicketsDisabled) {
|
||||
EXPECT_EQ(SECSuccess, SSL_OptionSet(server_->ssl_fd(),
|
||||
SSL_ENABLE_SESSION_TICKETS, PR_FALSE));
|
||||
|
||||
auto nst_capture = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
ssl_hs_new_session_ticket);
|
||||
server_->SetTlsRecordFilter(nst_capture);
|
||||
auto nst_capture =
|
||||
MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_new_session_ticket);
|
||||
nst_capture->EnableDecryption();
|
||||
Connect();
|
||||
|
||||
EXPECT_EQ(0U, nst_capture->buffer().len()) << "expect nothing captured yet";
|
||||
@ -715,8 +709,7 @@ TEST_F(TlsConnectTest, SendSessionTicketWithTicketsDisabled) {
|
||||
ExpectResumption(RESUME_TICKET);
|
||||
|
||||
auto psk_capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_pre_shared_key_xtn);
|
||||
client_->SetPacketFilter(psk_capture);
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_pre_shared_key_xtn);
|
||||
Connect();
|
||||
SendReceive();
|
||||
|
||||
@ -819,20 +812,20 @@ TEST_F(TlsConnectTest, TestTls13ResumptionForcedDowngrade) {
|
||||
// We will eventually fail the (sid.version == SH.version) check.
|
||||
std::vector<std::shared_ptr<PacketFilter>> filters;
|
||||
filters.push_back(std::make_shared<SelectedCipherSuiteReplacer>(
|
||||
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256));
|
||||
filters.push_back(
|
||||
std::make_shared<SelectedVersionReplacer>(SSL_LIBRARY_VERSION_TLS_1_2));
|
||||
server_, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256));
|
||||
filters.push_back(std::make_shared<SelectedVersionReplacer>(
|
||||
server_, SSL_LIBRARY_VERSION_TLS_1_2));
|
||||
|
||||
// Drop a bunch of extensions so that we get past the SH processing. The
|
||||
// version extension says TLS 1.3, which is counter to our goal, the others
|
||||
// are not permitted in TLS 1.2 handshakes.
|
||||
filters.push_back(std::make_shared<TlsExtensionDropper>(
|
||||
server_, ssl_tls13_supported_versions_xtn));
|
||||
filters.push_back(
|
||||
std::make_shared<TlsExtensionDropper>(ssl_tls13_supported_versions_xtn));
|
||||
filters.push_back(
|
||||
std::make_shared<TlsExtensionDropper>(ssl_tls13_key_share_xtn));
|
||||
filters.push_back(
|
||||
std::make_shared<TlsExtensionDropper>(ssl_tls13_pre_shared_key_xtn));
|
||||
server_->SetPacketFilter(std::make_shared<ChainedPacketFilter>(filters));
|
||||
std::make_shared<TlsExtensionDropper>(server_, ssl_tls13_key_share_xtn));
|
||||
filters.push_back(std::make_shared<TlsExtensionDropper>(
|
||||
server_, ssl_tls13_pre_shared_key_xtn));
|
||||
server_->SetFilter(std::make_shared<ChainedPacketFilter>(filters));
|
||||
|
||||
// The client here generates an unexpected_message alert when it receives an
|
||||
// encrypted handshake message from the server (EncryptedExtension). The
|
||||
|
@ -22,8 +22,11 @@ namespace nss_test {
|
||||
class TlsHandshakeSkipFilter : public TlsRecordFilter {
|
||||
public:
|
||||
// A TLS record filter that skips handshake messages of the identified type.
|
||||
TlsHandshakeSkipFilter(uint8_t handshake_type)
|
||||
: handshake_type_(handshake_type), skipped_(false) {}
|
||||
TlsHandshakeSkipFilter(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint8_t handshake_type)
|
||||
: TlsRecordFilter(agent),
|
||||
handshake_type_(handshake_type),
|
||||
skipped_(false) {}
|
||||
|
||||
protected:
|
||||
// Takes a record; if it is a handshake record, it removes the first handshake
|
||||
@ -92,9 +95,14 @@ class TlsSkipTest : public TlsConnectTestBase,
|
||||
TlsSkipTest()
|
||||
: TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
|
||||
|
||||
void SetUp() override {
|
||||
TlsConnectTestBase::SetUp();
|
||||
EnsureTlsSetup();
|
||||
}
|
||||
|
||||
void ServerSkipTest(std::shared_ptr<PacketFilter> filter,
|
||||
uint8_t alert = kTlsAlertUnexpectedMessage) {
|
||||
server_->SetPacketFilter(filter);
|
||||
server_->SetFilter(filter);
|
||||
ConnectExpectAlert(client_, alert);
|
||||
}
|
||||
};
|
||||
@ -105,9 +113,14 @@ class Tls13SkipTest : public TlsConnectTestBase,
|
||||
Tls13SkipTest()
|
||||
: TlsConnectTestBase(GetParam(), SSL_LIBRARY_VERSION_TLS_1_3) {}
|
||||
|
||||
void ServerSkipTest(std::shared_ptr<TlsRecordFilter> filter, int32_t error) {
|
||||
void SetUp() override {
|
||||
TlsConnectTestBase::SetUp();
|
||||
EnsureTlsSetup();
|
||||
server_->SetTlsRecordFilter(filter);
|
||||
}
|
||||
|
||||
void ServerSkipTest(std::shared_ptr<TlsRecordFilter> filter, int32_t error) {
|
||||
filter->EnableDecryption();
|
||||
server_->SetFilter(filter);
|
||||
ExpectAlert(client_, kTlsAlertUnexpectedMessage);
|
||||
ConnectExpectFail();
|
||||
client_->CheckErrorCode(error);
|
||||
@ -115,8 +128,8 @@ class Tls13SkipTest : public TlsConnectTestBase,
|
||||
}
|
||||
|
||||
void ClientSkipTest(std::shared_ptr<TlsRecordFilter> filter, int32_t error) {
|
||||
EnsureTlsSetup();
|
||||
client_->SetTlsRecordFilter(filter);
|
||||
filter->EnableDecryption();
|
||||
client_->SetFilter(filter);
|
||||
server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
|
||||
ConnectExpectFailOneSide(TlsAgent::SERVER);
|
||||
|
||||
@ -129,48 +142,49 @@ class Tls13SkipTest : public TlsConnectTestBase,
|
||||
|
||||
TEST_P(TlsSkipTest, SkipCertificateRsa) {
|
||||
EnableOnlyStaticRsaCiphers();
|
||||
ServerSkipTest(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificate));
|
||||
ServerSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeCertificate));
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
|
||||
}
|
||||
|
||||
TEST_P(TlsSkipTest, SkipCertificateDhe) {
|
||||
ServerSkipTest(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificate));
|
||||
ServerSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeCertificate));
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
|
||||
}
|
||||
|
||||
TEST_P(TlsSkipTest, SkipCertificateEcdhe) {
|
||||
ServerSkipTest(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificate));
|
||||
ServerSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeCertificate));
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
|
||||
}
|
||||
|
||||
TEST_P(TlsSkipTest, SkipCertificateEcdsa) {
|
||||
Reset(TlsAgent::kServerEcdsa256);
|
||||
ServerSkipTest(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificate));
|
||||
ServerSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeCertificate));
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
|
||||
}
|
||||
|
||||
TEST_P(TlsSkipTest, SkipServerKeyExchange) {
|
||||
ServerSkipTest(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeServerKeyExchange));
|
||||
ServerSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeServerKeyExchange));
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
|
||||
}
|
||||
|
||||
TEST_P(TlsSkipTest, SkipServerKeyExchangeEcdsa) {
|
||||
Reset(TlsAgent::kServerEcdsa256);
|
||||
ServerSkipTest(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeServerKeyExchange));
|
||||
ServerSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeServerKeyExchange));
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
|
||||
}
|
||||
|
||||
TEST_P(TlsSkipTest, SkipCertAndKeyExch) {
|
||||
auto chain = std::make_shared<ChainedPacketFilter>(ChainedPacketFilterInit{
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificate),
|
||||
std::make_shared<TlsHandshakeSkipFilter>(
|
||||
kTlsHandshakeServerKeyExchange)});
|
||||
auto chain = std::make_shared<ChainedPacketFilter>(
|
||||
ChainedPacketFilterInit{std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeCertificate),
|
||||
std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeServerKeyExchange)});
|
||||
ServerSkipTest(chain);
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
|
||||
}
|
||||
@ -178,48 +192,48 @@ TEST_P(TlsSkipTest, SkipCertAndKeyExch) {
|
||||
TEST_P(TlsSkipTest, SkipCertAndKeyExchEcdsa) {
|
||||
Reset(TlsAgent::kServerEcdsa256);
|
||||
auto chain = std::make_shared<ChainedPacketFilter>();
|
||||
chain->Add(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificate));
|
||||
chain->Add(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeServerKeyExchange));
|
||||
chain->Add(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeCertificate));
|
||||
chain->Add(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeServerKeyExchange));
|
||||
ServerSkipTest(chain);
|
||||
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
|
||||
}
|
||||
|
||||
TEST_P(Tls13SkipTest, SkipEncryptedExtensions) {
|
||||
ServerSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
kTlsHandshakeEncryptedExtensions),
|
||||
server_, kTlsHandshakeEncryptedExtensions),
|
||||
SSL_ERROR_RX_UNEXPECTED_CERTIFICATE);
|
||||
}
|
||||
|
||||
TEST_P(Tls13SkipTest, SkipServerCertificate) {
|
||||
ServerSkipTest(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificate),
|
||||
SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
|
||||
ServerSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeCertificate),
|
||||
SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
|
||||
}
|
||||
|
||||
TEST_P(Tls13SkipTest, SkipServerCertificateVerify) {
|
||||
ServerSkipTest(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificateVerify),
|
||||
SSL_ERROR_RX_UNEXPECTED_FINISHED);
|
||||
ServerSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
server_, kTlsHandshakeCertificateVerify),
|
||||
SSL_ERROR_RX_UNEXPECTED_FINISHED);
|
||||
}
|
||||
|
||||
TEST_P(Tls13SkipTest, SkipClientCertificate) {
|
||||
client_->SetupClientAuth();
|
||||
server_->RequestClientAuth(true);
|
||||
client_->ExpectReceiveAlert(kTlsAlertUnexpectedMessage);
|
||||
ClientSkipTest(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificate),
|
||||
SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
|
||||
ClientSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
client_, kTlsHandshakeCertificate),
|
||||
SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
|
||||
}
|
||||
|
||||
TEST_P(Tls13SkipTest, SkipClientCertificateVerify) {
|
||||
client_->SetupClientAuth();
|
||||
server_->RequestClientAuth(true);
|
||||
client_->ExpectReceiveAlert(kTlsAlertUnexpectedMessage);
|
||||
ClientSkipTest(
|
||||
std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificateVerify),
|
||||
SSL_ERROR_RX_UNEXPECTED_FINISHED);
|
||||
ClientSkipTest(std::make_shared<TlsHandshakeSkipFilter>(
|
||||
client_, kTlsHandshakeCertificateVerify),
|
||||
SSL_ERROR_RX_UNEXPECTED_FINISHED);
|
||||
}
|
||||
|
||||
INSTANTIATE_TEST_CASE_P(
|
||||
|
@ -48,10 +48,9 @@ TEST_P(TlsConnectGenericPre13, ConnectStaticRSA) {
|
||||
// This test is stream so we can catch the bad_record_mac alert.
|
||||
TEST_P(TlsConnectStreamPre13, ConnectStaticRSABogusCKE) {
|
||||
EnableOnlyStaticRsaCiphers();
|
||||
auto i1 = std::make_shared<TlsInspectorReplaceHandshakeMessage>(
|
||||
kTlsHandshakeClientKeyExchange,
|
||||
MakeTlsFilter<TlsInspectorReplaceHandshakeMessage>(
|
||||
client_, kTlsHandshakeClientKeyExchange,
|
||||
DataBuffer(kBogusClientKeyExchange, sizeof(kBogusClientKeyExchange)));
|
||||
client_->SetPacketFilter(i1);
|
||||
ConnectExpectAlert(server_, kTlsAlertBadRecordMac);
|
||||
}
|
||||
|
||||
@ -59,8 +58,7 @@ TEST_P(TlsConnectStreamPre13, ConnectStaticRSABogusCKE) {
|
||||
// This test is stream so we can catch the bad_record_mac alert.
|
||||
TEST_P(TlsConnectStreamPre13, ConnectStaticRSABogusPMSVersionDetect) {
|
||||
EnableOnlyStaticRsaCiphers();
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsInspectorClientHelloVersionChanger>(server_));
|
||||
MakeTlsFilter<TlsClientHelloVersionChanger>(client_, server_);
|
||||
ConnectExpectAlert(server_, kTlsAlertBadRecordMac);
|
||||
}
|
||||
|
||||
@ -69,8 +67,7 @@ TEST_P(TlsConnectStreamPre13, ConnectStaticRSABogusPMSVersionDetect) {
|
||||
// ConnectStaticRSABogusPMSVersionDetect.
|
||||
TEST_P(TlsConnectGenericPre13, ConnectStaticRSABogusPMSVersionIgnore) {
|
||||
EnableOnlyStaticRsaCiphers();
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsInspectorClientHelloVersionChanger>(server_));
|
||||
MakeTlsFilter<TlsClientHelloVersionChanger>(client_, server_);
|
||||
server_->SetOption(SSL_ROLLBACK_DETECTION, PR_FALSE);
|
||||
Connect();
|
||||
}
|
||||
@ -79,10 +76,9 @@ TEST_P(TlsConnectGenericPre13, ConnectStaticRSABogusPMSVersionIgnore) {
|
||||
TEST_P(TlsConnectStreamPre13, ConnectExtendedMasterSecretStaticRSABogusCKE) {
|
||||
EnableOnlyStaticRsaCiphers();
|
||||
EnableExtendedMasterSecret();
|
||||
auto inspect = std::make_shared<TlsInspectorReplaceHandshakeMessage>(
|
||||
kTlsHandshakeClientKeyExchange,
|
||||
MakeTlsFilter<TlsInspectorReplaceHandshakeMessage>(
|
||||
client_, kTlsHandshakeClientKeyExchange,
|
||||
DataBuffer(kBogusClientKeyExchange, sizeof(kBogusClientKeyExchange)));
|
||||
client_->SetPacketFilter(inspect);
|
||||
ConnectExpectAlert(server_, kTlsAlertBadRecordMac);
|
||||
}
|
||||
|
||||
@ -91,8 +87,7 @@ TEST_P(TlsConnectStreamPre13,
|
||||
ConnectExtendedMasterSecretStaticRSABogusPMSVersionDetect) {
|
||||
EnableOnlyStaticRsaCiphers();
|
||||
EnableExtendedMasterSecret();
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsInspectorClientHelloVersionChanger>(server_));
|
||||
MakeTlsFilter<TlsClientHelloVersionChanger>(client_, server_);
|
||||
ConnectExpectAlert(server_, kTlsAlertBadRecordMac);
|
||||
}
|
||||
|
||||
@ -100,10 +95,9 @@ TEST_P(TlsConnectStreamPre13,
|
||||
ConnectExtendedMasterSecretStaticRSABogusPMSVersionIgnore) {
|
||||
EnableOnlyStaticRsaCiphers();
|
||||
EnableExtendedMasterSecret();
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsInspectorClientHelloVersionChanger>(server_));
|
||||
MakeTlsFilter<TlsClientHelloVersionChanger>(client_, server_);
|
||||
server_->SetOption(SSL_ROLLBACK_DETECTION, PR_FALSE);
|
||||
Connect();
|
||||
}
|
||||
|
||||
} // namespace nspr_test
|
||||
} // namespace nss_test
|
||||
|
@ -67,10 +67,7 @@ class Tls13CompatTest : public TlsConnectStreamTls13 {
|
||||
|
||||
private:
|
||||
struct Recorders {
|
||||
Recorders()
|
||||
: records_(new TlsRecordRecorder()),
|
||||
hello_(new TlsInspectorRecordHandshakeMessage(std::set<uint8_t>(
|
||||
{kTlsHandshakeClientHello, kTlsHandshakeServerHello}))) {}
|
||||
Recorders() : records_(nullptr), hello_(nullptr) {}
|
||||
|
||||
uint8_t session_id_length() const {
|
||||
// session_id is always after version (2) and random (32).
|
||||
@ -91,12 +88,22 @@ class Tls13CompatTest : public TlsConnectStreamTls13 {
|
||||
}
|
||||
|
||||
void Install(std::shared_ptr<TlsAgent>& agent) {
|
||||
agent->SetPacketFilter(std::make_shared<ChainedPacketFilter>(
|
||||
if (records_ && records_->agent() == agent) {
|
||||
// Avoid replacing the filters if they are already installed on this
|
||||
// agent. This ensures that InstallFilters() can be used after
|
||||
// MakeNewServer() without losing state on the client filters.
|
||||
return;
|
||||
}
|
||||
records_.reset(new TlsRecordRecorder(agent));
|
||||
hello_.reset(new TlsHandshakeRecorder(
|
||||
agent, std::set<uint8_t>(
|
||||
{kTlsHandshakeClientHello, kTlsHandshakeServerHello})));
|
||||
agent->SetFilter(std::make_shared<ChainedPacketFilter>(
|
||||
ChainedPacketFilterInit({records_, hello_})));
|
||||
}
|
||||
|
||||
std::shared_ptr<TlsRecordRecorder> records_;
|
||||
std::shared_ptr<TlsInspectorRecordHandshakeMessage> hello_;
|
||||
std::shared_ptr<TlsHandshakeRecorder> hello_;
|
||||
};
|
||||
|
||||
void CheckRecordsAreTls12(const std::string& agent,
|
||||
@ -171,16 +178,20 @@ TEST_F(Tls13CompatTest, EnabledStatelessHrr) {
|
||||
server_->StartConnect();
|
||||
client_->Handshake();
|
||||
server_->Handshake();
|
||||
|
||||
// The server should send CCS before HRR.
|
||||
CheckForCCS(false, true);
|
||||
|
||||
// A new server should just work, but not send another CCS.
|
||||
// A new server should complete the handshake, and not send CCS.
|
||||
MakeNewServer();
|
||||
InstallFilters();
|
||||
server_->ConfigNamedGroups({ssl_grp_ec_secp384r1});
|
||||
|
||||
Handshake();
|
||||
CheckConnected();
|
||||
CheckForCompatHandshake();
|
||||
CheckRecordVersions();
|
||||
CheckHelloVersions();
|
||||
CheckForCCS(true, false);
|
||||
}
|
||||
|
||||
TEST_F(Tls13CompatTest, EnabledHrrZeroRtt) {
|
||||
@ -262,10 +273,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHello12) {
|
||||
TEST_F(TlsConnectDatagram13, CompatModeDtlsClient) {
|
||||
EnsureTlsSetup();
|
||||
client_->SetOption(SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
|
||||
auto client_records = std::make_shared<TlsRecordRecorder>();
|
||||
client_->SetPacketFilter(client_records);
|
||||
auto server_records = std::make_shared<TlsRecordRecorder>();
|
||||
server_->SetPacketFilter(server_records);
|
||||
auto client_records = MakeTlsFilter<TlsRecordRecorder>(client_);
|
||||
auto server_records = MakeTlsFilter<TlsRecordRecorder>(server_);
|
||||
Connect();
|
||||
|
||||
ASSERT_EQ(2U, client_records->count()); // CH, Fin
|
||||
@ -283,7 +292,8 @@ TEST_F(TlsConnectDatagram13, CompatModeDtlsClient) {
|
||||
|
||||
class AddSessionIdFilter : public TlsHandshakeFilter {
|
||||
public:
|
||||
AddSessionIdFilter() : TlsHandshakeFilter({ssl_hs_client_hello}) {}
|
||||
AddSessionIdFilter(const std::shared_ptr<TlsAgent>& client)
|
||||
: TlsHandshakeFilter(client, {ssl_hs_client_hello}) {}
|
||||
|
||||
protected:
|
||||
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
|
||||
@ -303,14 +313,14 @@ class AddSessionIdFilter : public TlsHandshakeFilter {
|
||||
// mode. It should be ignored instead.
|
||||
TEST_F(TlsConnectDatagram13, CompatModeDtlsServer) {
|
||||
EnsureTlsSetup();
|
||||
auto client_records = std::make_shared<TlsRecordRecorder>();
|
||||
client_->SetPacketFilter(
|
||||
auto client_records = std::make_shared<TlsRecordRecorder>(client_);
|
||||
client_->SetFilter(
|
||||
std::make_shared<ChainedPacketFilter>(ChainedPacketFilterInit(
|
||||
{client_records, std::make_shared<AddSessionIdFilter>()})));
|
||||
auto server_hello = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeServerHello);
|
||||
auto server_records = std::make_shared<TlsRecordRecorder>();
|
||||
server_->SetPacketFilter(std::make_shared<ChainedPacketFilter>(
|
||||
{client_records, std::make_shared<AddSessionIdFilter>(client_)})));
|
||||
auto server_hello =
|
||||
std::make_shared<TlsHandshakeRecorder>(server_, kTlsHandshakeServerHello);
|
||||
auto server_records = std::make_shared<TlsRecordRecorder>(server_);
|
||||
server_->SetFilter(std::make_shared<ChainedPacketFilter>(
|
||||
ChainedPacketFilterInit({server_records, server_hello})));
|
||||
StartConnect();
|
||||
client_->Handshake();
|
||||
@ -334,4 +344,4 @@ TEST_F(TlsConnectDatagram13, CompatModeDtlsServer) {
|
||||
EXPECT_EQ(0U, session_id_len);
|
||||
}
|
||||
|
||||
} // nss_test
|
||||
} // namespace nss_test
|
||||
|
@ -23,7 +23,8 @@ namespace nss_test {
|
||||
// Replaces the client hello with an SSLv2 version once.
|
||||
class SSLv2ClientHelloFilter : public PacketFilter {
|
||||
public:
|
||||
SSLv2ClientHelloFilter(std::shared_ptr<TlsAgent>& client, uint16_t version)
|
||||
SSLv2ClientHelloFilter(const std::shared_ptr<TlsAgent>& client,
|
||||
uint16_t version)
|
||||
: replaced_(false),
|
||||
client_(client),
|
||||
version_(version),
|
||||
@ -147,10 +148,9 @@ class SSLv2ClientHelloTestF : public TlsConnectTestBase {
|
||||
SSLv2ClientHelloTestF(SSLProtocolVariant variant, uint16_t version)
|
||||
: TlsConnectTestBase(variant, version), filter_(nullptr) {}
|
||||
|
||||
void SetUp() {
|
||||
void SetUp() override {
|
||||
TlsConnectTestBase::SetUp();
|
||||
filter_ = std::make_shared<SSLv2ClientHelloFilter>(client_, version_);
|
||||
client_->SetPacketFilter(filter_);
|
||||
filter_ = MakeTlsFilter<SSLv2ClientHelloFilter>(client_, version_);
|
||||
}
|
||||
|
||||
void SetExpectedVersion(uint16_t version) {
|
||||
|
@ -56,18 +56,15 @@ TEST_P(TlsConnectGeneric, ServerNegotiateTls12) {
|
||||
// two validate that we can also detect fallback using the
|
||||
// SSL_SetDowngradeCheckVersion() API.
|
||||
TEST_F(TlsConnectTest, TestDowngradeDetectionToTls11) {
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsInspectorClientHelloVersionSetter>(
|
||||
SSL_LIBRARY_VERSION_TLS_1_1));
|
||||
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
|
||||
SSL_LIBRARY_VERSION_TLS_1_1);
|
||||
ConnectExpectFail();
|
||||
ASSERT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
|
||||
}
|
||||
|
||||
/* Attempt to negotiate the bogus DTLS 1.1 version. */
|
||||
TEST_F(DtlsConnectTest, TestDtlsVersion11) {
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsInspectorClientHelloVersionSetter>(
|
||||
((~0x0101) & 0xffff)));
|
||||
MakeTlsFilter<TlsClientHelloVersionSetter>(client_, ((~0x0101) & 0xffff));
|
||||
ConnectExpectFail();
|
||||
// It's kind of surprising that SSL_ERROR_NO_CYPHER_OVERLAP is
|
||||
// what is returned here, but this is deliberate in ssl3_HandleAlert().
|
||||
@ -78,9 +75,8 @@ TEST_F(DtlsConnectTest, TestDtlsVersion11) {
|
||||
// Disabled as long as we have draft version.
|
||||
TEST_F(TlsConnectTest, TestDowngradeDetectionToTls12) {
|
||||
EnsureTlsSetup();
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsInspectorClientHelloVersionSetter>(
|
||||
SSL_LIBRARY_VERSION_TLS_1_2));
|
||||
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2);
|
||||
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
SSL_LIBRARY_VERSION_TLS_1_3);
|
||||
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
@ -92,9 +88,8 @@ TEST_F(TlsConnectTest, TestDowngradeDetectionToTls12) {
|
||||
// TLS 1.1 clients do not check the random values, so we should
|
||||
// instead get a handshake failure alert from the server.
|
||||
TEST_F(TlsConnectTest, TestDowngradeDetectionToTls10) {
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsInspectorClientHelloVersionSetter>(
|
||||
SSL_LIBRARY_VERSION_TLS_1_0));
|
||||
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0);
|
||||
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_1);
|
||||
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
@ -177,12 +172,10 @@ class Tls13NoSupportedVersions : public TlsConnectStreamTls12 {
|
||||
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2);
|
||||
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, max_server_version);
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsInspectorClientHelloVersionSetter>(
|
||||
overwritten_client_version));
|
||||
auto capture = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeServerHello);
|
||||
server_->SetPacketFilter(capture);
|
||||
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
|
||||
overwritten_client_version);
|
||||
auto capture =
|
||||
MakeTlsFilter<TlsHandshakeRecorder>(server_, kTlsHandshakeServerHello);
|
||||
ConnectExpectAlert(server_, kTlsAlertDecryptError);
|
||||
client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
|
||||
server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
|
||||
@ -214,12 +207,10 @@ TEST_F(Tls13NoSupportedVersions,
|
||||
// Offer 1.3 but with ClientHello.legacy_version == TLS 1.4. This
|
||||
// causes a bad MAC error when we read EncryptedExtensions.
|
||||
TEST_F(TlsConnectStreamTls13, Tls14ClientHelloWithSupportedVersions) {
|
||||
client_->SetPacketFilter(
|
||||
std::make_shared<TlsInspectorClientHelloVersionSetter>(
|
||||
SSL_LIBRARY_VERSION_TLS_1_3 + 1));
|
||||
auto capture =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_supported_versions_xtn);
|
||||
server_->SetPacketFilter(capture);
|
||||
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
|
||||
SSL_LIBRARY_VERSION_TLS_1_3 + 1);
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(
|
||||
server_, ssl_tls13_supported_versions_xtn);
|
||||
client_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
||||
server_->ExpectSendAlert(kTlsAlertBadRecordMac);
|
||||
ConnectExpectFail();
|
||||
|
@ -189,12 +189,12 @@ class TestPolicyVersionRange
|
||||
}
|
||||
}
|
||||
|
||||
void SetUp() {
|
||||
SetPolicy(policy_.range());
|
||||
void SetUp() override {
|
||||
TlsConnectTestBase::SetUp();
|
||||
SetPolicy(policy_.range());
|
||||
}
|
||||
|
||||
void TearDown() {
|
||||
void TearDown() override {
|
||||
TlsConnectTestBase::TearDown();
|
||||
saved_version_policy_.RestoreOriginalPolicy();
|
||||
}
|
||||
|
@ -25,10 +25,6 @@ namespace nss_test {
|
||||
if (g_ssl_gtest_verbose) LOG(a); \
|
||||
} while (false)
|
||||
|
||||
void DummyPrSocket::SetPacketFilter(std::shared_ptr<PacketFilter> filter) {
|
||||
filter_ = filter;
|
||||
}
|
||||
|
||||
ScopedPRFileDesc DummyPrSocket::CreateFD() {
|
||||
static PRDescIdentity test_fd_identity =
|
||||
PR_GetUniqueIdentity("testtransportadapter");
|
||||
|
@ -74,7 +74,9 @@ class DummyPrSocket : public DummyIOLayerMethods {
|
||||
|
||||
std::weak_ptr<DummyPrSocket>& peer() { return peer_; }
|
||||
void SetPeer(const std::shared_ptr<DummyPrSocket>& peer) { peer_ = peer; }
|
||||
void SetPacketFilter(std::shared_ptr<PacketFilter> filter);
|
||||
void SetPacketFilter(const std::shared_ptr<PacketFilter>& filter) {
|
||||
filter_ = filter;
|
||||
}
|
||||
// Drops peer, packet filter and any outstanding packets.
|
||||
void Reset();
|
||||
|
||||
@ -176,6 +178,6 @@ class Poller {
|
||||
timers_;
|
||||
};
|
||||
|
||||
} // end of namespace
|
||||
} // namespace nss_test
|
||||
|
||||
#endif
|
||||
|
@ -12,6 +12,7 @@
|
||||
#include "sslerr.h"
|
||||
#include "sslexp.h"
|
||||
#include "sslproto.h"
|
||||
#include "tls_filter.h"
|
||||
#include "tls_parser.h"
|
||||
|
||||
extern "C" {
|
||||
|
@ -14,7 +14,6 @@
|
||||
#include <iostream>
|
||||
|
||||
#include "test_io.h"
|
||||
#include "tls_filter.h"
|
||||
|
||||
#define GTEST_HAS_RTTI 0
|
||||
#include "gtest/gtest.h"
|
||||
@ -37,7 +36,10 @@ enum SessionResumptionMode {
|
||||
RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
|
||||
};
|
||||
|
||||
class PacketFilter;
|
||||
class TlsAgent;
|
||||
class TlsCipherSpec;
|
||||
struct TlsRecord;
|
||||
|
||||
const extern std::vector<SSLNamedGroup> kAllDHEGroups;
|
||||
const extern std::vector<SSLNamedGroup> kECDHEGroups;
|
||||
@ -80,18 +82,10 @@ class TlsAgent : public PollTarget {
|
||||
adapter_->SetPeer(peer->adapter_);
|
||||
}
|
||||
|
||||
// Set a filter that can access plaintext (TLS 1.3 only).
|
||||
void SetTlsRecordFilter(std::shared_ptr<TlsRecordFilter> filter) {
|
||||
filter->SetAgent(this);
|
||||
adapter_->SetPacketFilter(filter);
|
||||
filter->EnableDecryption();
|
||||
}
|
||||
|
||||
void SetPacketFilter(std::shared_ptr<PacketFilter> filter) {
|
||||
void SetFilter(std::shared_ptr<PacketFilter> filter) {
|
||||
adapter_->SetPacketFilter(filter);
|
||||
}
|
||||
|
||||
void DeletePacketFilter() { adapter_->SetPacketFilter(nullptr); }
|
||||
void ClearFilter() { adapter_->SetPacketFilter(nullptr); }
|
||||
|
||||
void StartConnect(PRFileDesc* model = nullptr);
|
||||
void CheckKEA(SSLKEAType kea_type, SSLNamedGroup group,
|
||||
@ -463,7 +457,7 @@ class TlsAgentTestBase : public ::testing::Test {
|
||||
void ProcessMessage(const DataBuffer& buffer, TlsAgent::State expected_state,
|
||||
int32_t error_code = 0);
|
||||
|
||||
std::unique_ptr<TlsAgent> agent_;
|
||||
std::shared_ptr<TlsAgent> agent_;
|
||||
TlsAgent::Role role_;
|
||||
SSLProtocolVariant variant_;
|
||||
uint16_t version_;
|
||||
|
@ -770,17 +770,16 @@ TlsConnectGenericResumptionToken::TlsConnectGenericResumptionToken()
|
||||
void TlsKeyExchangeTest::EnsureKeyShareSetup() {
|
||||
EnsureTlsSetup();
|
||||
groups_capture_ =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_supported_groups_xtn);
|
||||
std::make_shared<TlsExtensionCapture>(client_, ssl_supported_groups_xtn);
|
||||
shares_capture_ =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn);
|
||||
shares_capture2_ =
|
||||
std::make_shared<TlsExtensionCapture>(ssl_tls13_key_share_xtn, true);
|
||||
std::make_shared<TlsExtensionCapture>(client_, ssl_tls13_key_share_xtn);
|
||||
shares_capture2_ = std::make_shared<TlsExtensionCapture>(
|
||||
client_, ssl_tls13_key_share_xtn, true);
|
||||
std::vector<std::shared_ptr<PacketFilter>> captures = {
|
||||
groups_capture_, shares_capture_, shares_capture2_};
|
||||
client_->SetPacketFilter(std::make_shared<ChainedPacketFilter>(captures));
|
||||
capture_hrr_ = std::make_shared<TlsInspectorRecordHandshakeMessage>(
|
||||
kTlsHandshakeHelloRetryRequest);
|
||||
server_->SetPacketFilter(capture_hrr_);
|
||||
client_->SetFilter(std::make_shared<ChainedPacketFilter>(captures));
|
||||
capture_hrr_ = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
server_, kTlsHandshakeHelloRetryRequest);
|
||||
}
|
||||
|
||||
void TlsKeyExchangeTest::ConfigNamedGroups(
|
||||
|
@ -45,8 +45,8 @@ class TlsConnectTestBase : public ::testing::Test {
|
||||
TlsConnectTestBase(SSLProtocolVariant variant, uint16_t version);
|
||||
virtual ~TlsConnectTestBase();
|
||||
|
||||
void SetUp();
|
||||
void TearDown();
|
||||
virtual void SetUp();
|
||||
virtual void TearDown();
|
||||
|
||||
// Initialize client and server.
|
||||
void Init();
|
||||
@ -319,7 +319,7 @@ class TlsKeyExchangeTest : public TlsConnectGeneric {
|
||||
std::shared_ptr<TlsExtensionCapture> groups_capture_;
|
||||
std::shared_ptr<TlsExtensionCapture> shares_capture_;
|
||||
std::shared_ptr<TlsExtensionCapture> shares_capture2_;
|
||||
std::shared_ptr<TlsInspectorRecordHandshakeMessage> capture_hrr_;
|
||||
std::shared_ptr<TlsHandshakeRecorder> capture_hrr_;
|
||||
|
||||
void EnsureKeyShareSetup();
|
||||
void ConfigNamedGroups(const std::vector<SSLNamedGroup>& groups);
|
||||
|
@ -452,7 +452,7 @@ size_t TlsHandshakeFilter::HandshakeHeader::Write(
|
||||
return offset;
|
||||
}
|
||||
|
||||
PacketFilter::Action TlsInspectorRecordHandshakeMessage::FilterHandshake(
|
||||
PacketFilter::Action TlsHandshakeRecorder::FilterHandshake(
|
||||
const HandshakeHeader& header, const DataBuffer& input,
|
||||
DataBuffer* output) {
|
||||
// Only do this once.
|
||||
@ -763,7 +763,7 @@ PacketFilter::Action AfterRecordN::FilterRecord(const TlsRecordHeader& header,
|
||||
if (counter_++ == record_) {
|
||||
DataBuffer buf;
|
||||
header.Write(&buf, 0, body);
|
||||
src_.lock()->SendDirect(buf);
|
||||
agent()->SendDirect(buf);
|
||||
dest_.lock()->Handshake();
|
||||
func_();
|
||||
return DROP;
|
||||
@ -772,7 +772,7 @@ PacketFilter::Action AfterRecordN::FilterRecord(const TlsRecordHeader& header,
|
||||
return KEEP;
|
||||
}
|
||||
|
||||
PacketFilter::Action TlsInspectorClientHelloVersionChanger::FilterHandshake(
|
||||
PacketFilter::Action TlsClientHelloVersionChanger::FilterHandshake(
|
||||
const HandshakeHeader& header, const DataBuffer& input,
|
||||
DataBuffer* output) {
|
||||
EXPECT_EQ(SECSuccess,
|
||||
@ -808,7 +808,7 @@ PacketFilter::Action SelectiveRecordDropFilter::FilterRecord(
|
||||
return pattern;
|
||||
}
|
||||
|
||||
PacketFilter::Action TlsInspectorClientHelloVersionSetter::FilterHandshake(
|
||||
PacketFilter::Action TlsClientHelloVersionSetter::FilterHandshake(
|
||||
const HandshakeHeader& header, const DataBuffer& input,
|
||||
DataBuffer* output) {
|
||||
*output = input;
|
||||
|
@ -13,6 +13,7 @@
|
||||
#include <vector>
|
||||
|
||||
#include "test_io.h"
|
||||
#include "tls_agent.h"
|
||||
#include "tls_parser.h"
|
||||
#include "tls_protect.h"
|
||||
|
||||
@ -23,7 +24,6 @@ extern "C" {
|
||||
namespace nss_test {
|
||||
|
||||
class TlsCipherSpec;
|
||||
class TlsAgent;
|
||||
|
||||
class TlsVersioned {
|
||||
public:
|
||||
@ -71,19 +71,27 @@ struct TlsRecord {
|
||||
const DataBuffer buffer;
|
||||
};
|
||||
|
||||
// Make a filter and install it on a TlsAgent.
|
||||
template <class T, typename... Args>
|
||||
inline std::shared_ptr<T> MakeTlsFilter(const std::shared_ptr<TlsAgent>& agent,
|
||||
Args&&... args) {
|
||||
auto filter = std::make_shared<T>(agent, std::forward<Args>(args)...);
|
||||
agent->SetFilter(filter);
|
||||
return filter;
|
||||
}
|
||||
|
||||
// Abstract filter that operates on entire (D)TLS records.
|
||||
class TlsRecordFilter : public PacketFilter {
|
||||
public:
|
||||
TlsRecordFilter()
|
||||
: agent_(nullptr),
|
||||
TlsRecordFilter(const std::shared_ptr<TlsAgent>& agent)
|
||||
: agent_(agent),
|
||||
count_(0),
|
||||
cipher_spec_(),
|
||||
dropped_record_(false),
|
||||
in_sequence_number_(0),
|
||||
out_sequence_number_(0) {}
|
||||
|
||||
void SetAgent(const TlsAgent* agent) { agent_ = agent; }
|
||||
const TlsAgent* agent() const { return agent_; }
|
||||
std::shared_ptr<TlsAgent> agent() const { return agent_.lock(); }
|
||||
|
||||
// External interface. Overrides PacketFilter.
|
||||
PacketFilter::Action Filter(const DataBuffer& input, DataBuffer* output);
|
||||
@ -126,7 +134,7 @@ class TlsRecordFilter : public PacketFilter {
|
||||
static void CipherSpecChanged(void* arg, PRBool sending,
|
||||
ssl3CipherSpec* newSpec);
|
||||
|
||||
const TlsAgent* agent_;
|
||||
std::weak_ptr<TlsAgent> agent_;
|
||||
size_t count_;
|
||||
std::unique_ptr<TlsCipherSpec> cipher_spec_;
|
||||
// Whether we dropped a record since the cipher spec changed.
|
||||
@ -175,9 +183,13 @@ inline std::ostream& operator<<(std::ostream& stream,
|
||||
// records and that they don't span records or anything crazy like that.
|
||||
class TlsHandshakeFilter : public TlsRecordFilter {
|
||||
public:
|
||||
TlsHandshakeFilter() : handshake_types_(), preceding_fragment_() {}
|
||||
TlsHandshakeFilter(const std::set<uint8_t>& types)
|
||||
: handshake_types_(types), preceding_fragment_() {}
|
||||
TlsHandshakeFilter(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsRecordFilter(agent), handshake_types_(), preceding_fragment_() {}
|
||||
TlsHandshakeFilter(const std::shared_ptr<TlsAgent>& agent,
|
||||
const std::set<uint8_t>& types)
|
||||
: TlsRecordFilter(agent),
|
||||
handshake_types_(types),
|
||||
preceding_fragment_() {}
|
||||
|
||||
// This filter can be set to be selective based on handshake message type. If
|
||||
// this function isn't used (or the set is empty), then all handshake messages
|
||||
@ -229,12 +241,14 @@ class TlsHandshakeFilter : public TlsRecordFilter {
|
||||
};
|
||||
|
||||
// Make a copy of the first instance of a handshake message.
|
||||
class TlsInspectorRecordHandshakeMessage : public TlsHandshakeFilter {
|
||||
class TlsHandshakeRecorder : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsInspectorRecordHandshakeMessage(uint8_t handshake_type)
|
||||
: TlsHandshakeFilter({handshake_type}), buffer_() {}
|
||||
TlsInspectorRecordHandshakeMessage(const std::set<uint8_t>& handshake_types)
|
||||
: TlsHandshakeFilter(handshake_types), buffer_() {}
|
||||
TlsHandshakeRecorder(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint8_t handshake_type)
|
||||
: TlsHandshakeFilter(agent, {handshake_type}), buffer_() {}
|
||||
TlsHandshakeRecorder(const std::shared_ptr<TlsAgent>& agent,
|
||||
const std::set<uint8_t>& handshake_types)
|
||||
: TlsHandshakeFilter(agent, handshake_types), buffer_() {}
|
||||
|
||||
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
|
||||
const DataBuffer& input,
|
||||
@ -251,9 +265,10 @@ class TlsInspectorRecordHandshakeMessage : public TlsHandshakeFilter {
|
||||
// Replace all instances of a handshake message.
|
||||
class TlsInspectorReplaceHandshakeMessage : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsInspectorReplaceHandshakeMessage(uint8_t handshake_type,
|
||||
TlsInspectorReplaceHandshakeMessage(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint8_t handshake_type,
|
||||
const DataBuffer& replacement)
|
||||
: TlsHandshakeFilter({handshake_type}), buffer_(replacement) {}
|
||||
: TlsHandshakeFilter(agent, {handshake_type}), buffer_(replacement) {}
|
||||
|
||||
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
|
||||
const DataBuffer& input,
|
||||
@ -266,9 +281,11 @@ class TlsInspectorReplaceHandshakeMessage : public TlsHandshakeFilter {
|
||||
// Make a copy of each record of a given type.
|
||||
class TlsRecordRecorder : public TlsRecordFilter {
|
||||
public:
|
||||
TlsRecordRecorder(uint8_t ct) : filter_(true), ct_(ct), records_() {}
|
||||
TlsRecordRecorder()
|
||||
: filter_(false),
|
||||
TlsRecordRecorder(const std::shared_ptr<TlsAgent>& agent, uint8_t ct)
|
||||
: TlsRecordFilter(agent), filter_(true), ct_(ct), records_() {}
|
||||
TlsRecordRecorder(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsRecordFilter(agent),
|
||||
filter_(false),
|
||||
ct_(content_handshake), // dummy (<optional> is C++14)
|
||||
records_() {}
|
||||
virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
|
||||
@ -289,7 +306,9 @@ class TlsRecordRecorder : public TlsRecordFilter {
|
||||
// Make a copy of the complete conversation.
|
||||
class TlsConversationRecorder : public TlsRecordFilter {
|
||||
public:
|
||||
TlsConversationRecorder(DataBuffer& buffer) : buffer_(buffer) {}
|
||||
TlsConversationRecorder(const std::shared_ptr<TlsAgent>& agent,
|
||||
DataBuffer& buffer)
|
||||
: TlsRecordFilter(agent), buffer_(buffer) {}
|
||||
|
||||
virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
|
||||
const DataBuffer& input,
|
||||
@ -302,6 +321,8 @@ class TlsConversationRecorder : public TlsRecordFilter {
|
||||
// Make a copy of the records
|
||||
class TlsHeaderRecorder : public TlsRecordFilter {
|
||||
public:
|
||||
TlsHeaderRecorder(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsRecordFilter(agent) {}
|
||||
virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
|
||||
const DataBuffer& input,
|
||||
DataBuffer* output);
|
||||
@ -338,13 +359,15 @@ typedef std::function<bool(TlsParser* parser, const TlsVersioned& header)>
|
||||
|
||||
class TlsExtensionFilter : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsExtensionFilter()
|
||||
: TlsHandshakeFilter({kTlsHandshakeClientHello, kTlsHandshakeServerHello,
|
||||
TlsExtensionFilter(const std::shared_ptr<TlsAgent>& agent)
|
||||
: TlsHandshakeFilter(agent,
|
||||
{kTlsHandshakeClientHello, kTlsHandshakeServerHello,
|
||||
kTlsHandshakeHelloRetryRequest,
|
||||
kTlsHandshakeEncryptedExtensions}) {}
|
||||
|
||||
TlsExtensionFilter(const std::set<uint8_t>& types)
|
||||
: TlsHandshakeFilter(types) {}
|
||||
TlsExtensionFilter(const std::shared_ptr<TlsAgent>& agent,
|
||||
const std::set<uint8_t>& types)
|
||||
: TlsHandshakeFilter(agent, types) {}
|
||||
|
||||
static bool FindExtensions(TlsParser* parser, const HandshakeHeader& header);
|
||||
|
||||
@ -365,8 +388,13 @@ class TlsExtensionFilter : public TlsHandshakeFilter {
|
||||
|
||||
class TlsExtensionCapture : public TlsExtensionFilter {
|
||||
public:
|
||||
TlsExtensionCapture(uint16_t ext, bool last = false)
|
||||
: extension_(ext), captured_(false), last_(last), data_() {}
|
||||
TlsExtensionCapture(const std::shared_ptr<TlsAgent>& agent, uint16_t ext,
|
||||
bool last = false)
|
||||
: TlsExtensionFilter(agent),
|
||||
extension_(ext),
|
||||
captured_(false),
|
||||
last_(last),
|
||||
data_() {}
|
||||
|
||||
const DataBuffer& extension() const { return data_; }
|
||||
bool captured() const { return captured_; }
|
||||
@ -385,8 +413,9 @@ class TlsExtensionCapture : public TlsExtensionFilter {
|
||||
|
||||
class TlsExtensionReplacer : public TlsExtensionFilter {
|
||||
public:
|
||||
TlsExtensionReplacer(uint16_t extension, const DataBuffer& data)
|
||||
: extension_(extension), data_(data) {}
|
||||
TlsExtensionReplacer(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint16_t extension, const DataBuffer& data)
|
||||
: TlsExtensionFilter(agent), extension_(extension), data_(data) {}
|
||||
PacketFilter::Action FilterExtension(uint16_t extension_type,
|
||||
const DataBuffer& input,
|
||||
DataBuffer* output) override;
|
||||
@ -398,7 +427,9 @@ class TlsExtensionReplacer : public TlsExtensionFilter {
|
||||
|
||||
class TlsExtensionDropper : public TlsExtensionFilter {
|
||||
public:
|
||||
TlsExtensionDropper(uint16_t extension) : extension_(extension) {}
|
||||
TlsExtensionDropper(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint16_t extension)
|
||||
: TlsExtensionFilter(agent), extension_(extension) {}
|
||||
PacketFilter::Action FilterExtension(uint16_t extension_type,
|
||||
const DataBuffer&, DataBuffer*) override;
|
||||
|
||||
@ -408,8 +439,9 @@ class TlsExtensionDropper : public TlsExtensionFilter {
|
||||
|
||||
class TlsExtensionInjector : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsExtensionInjector(uint16_t ext, const DataBuffer& data)
|
||||
: extension_(ext), data_(data) {}
|
||||
TlsExtensionInjector(const std::shared_ptr<TlsAgent>& agent, uint16_t ext,
|
||||
const DataBuffer& data)
|
||||
: TlsHandshakeFilter(agent), extension_(ext), data_(data) {}
|
||||
|
||||
protected:
|
||||
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
|
||||
@ -426,16 +458,20 @@ typedef std::function<void(void)> VoidFunction;
|
||||
|
||||
class AfterRecordN : public TlsRecordFilter {
|
||||
public:
|
||||
AfterRecordN(std::shared_ptr<TlsAgent>& src, std::shared_ptr<TlsAgent>& dest,
|
||||
unsigned int record, VoidFunction func)
|
||||
: src_(src), dest_(dest), record_(record), func_(func), counter_(0) {}
|
||||
AfterRecordN(const std::shared_ptr<TlsAgent>& src,
|
||||
const std::shared_ptr<TlsAgent>& dest, unsigned int record,
|
||||
VoidFunction func)
|
||||
: TlsRecordFilter(src),
|
||||
dest_(dest),
|
||||
record_(record),
|
||||
func_(func),
|
||||
counter_(0) {}
|
||||
|
||||
virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
|
||||
const DataBuffer& body,
|
||||
DataBuffer* out) override;
|
||||
|
||||
private:
|
||||
std::weak_ptr<TlsAgent> src_;
|
||||
std::weak_ptr<TlsAgent> dest_;
|
||||
unsigned int record_;
|
||||
VoidFunction func_;
|
||||
@ -444,10 +480,12 @@ class AfterRecordN : public TlsRecordFilter {
|
||||
|
||||
// When we see the ClientKeyExchange from |client|, increment the
|
||||
// ClientHelloVersion on |server|.
|
||||
class TlsInspectorClientHelloVersionChanger : public TlsHandshakeFilter {
|
||||
class TlsClientHelloVersionChanger : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsInspectorClientHelloVersionChanger(std::shared_ptr<TlsAgent>& server)
|
||||
: TlsHandshakeFilter({kTlsHandshakeClientKeyExchange}), server_(server) {}
|
||||
TlsClientHelloVersionChanger(const std::shared_ptr<TlsAgent>& client,
|
||||
const std::shared_ptr<TlsAgent>& server)
|
||||
: TlsHandshakeFilter(client, {kTlsHandshakeClientKeyExchange}),
|
||||
server_(server) {}
|
||||
|
||||
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
|
||||
const DataBuffer& input,
|
||||
@ -477,14 +515,16 @@ class SelectiveDropFilter : public PacketFilter {
|
||||
// datagram, we just drop one.
|
||||
class SelectiveRecordDropFilter : public TlsRecordFilter {
|
||||
public:
|
||||
SelectiveRecordDropFilter(uint32_t pattern, bool enabled = true)
|
||||
: pattern_(pattern), counter_(0) {
|
||||
SelectiveRecordDropFilter(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint32_t pattern, bool enabled = true)
|
||||
: TlsRecordFilter(agent), pattern_(pattern), counter_(0) {
|
||||
if (!enabled) {
|
||||
Disable();
|
||||
}
|
||||
}
|
||||
SelectiveRecordDropFilter(std::initializer_list<size_t> records)
|
||||
: SelectiveRecordDropFilter(ToPattern(records), true) {}
|
||||
SelectiveRecordDropFilter(const std::shared_ptr<TlsAgent>& agent,
|
||||
std::initializer_list<size_t> records)
|
||||
: SelectiveRecordDropFilter(agent, ToPattern(records), true) {}
|
||||
|
||||
void Reset(uint32_t pattern) {
|
||||
counter_ = 0;
|
||||
@ -509,10 +549,12 @@ class SelectiveRecordDropFilter : public TlsRecordFilter {
|
||||
};
|
||||
|
||||
// Set the version number in the ClientHello.
|
||||
class TlsInspectorClientHelloVersionSetter : public TlsHandshakeFilter {
|
||||
class TlsClientHelloVersionSetter : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsInspectorClientHelloVersionSetter(uint16_t version)
|
||||
: TlsHandshakeFilter({kTlsHandshakeClientHello}), version_(version) {}
|
||||
TlsClientHelloVersionSetter(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint16_t version)
|
||||
: TlsHandshakeFilter(agent, {kTlsHandshakeClientHello}),
|
||||
version_(version) {}
|
||||
|
||||
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
|
||||
const DataBuffer& input,
|
||||
@ -525,7 +567,8 @@ class TlsInspectorClientHelloVersionSetter : public TlsHandshakeFilter {
|
||||
// Damages the last byte of a handshake message.
|
||||
class TlsLastByteDamager : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsLastByteDamager(uint8_t type) : type_(type) {}
|
||||
TlsLastByteDamager(const std::shared_ptr<TlsAgent>& agent, uint8_t type)
|
||||
: TlsHandshakeFilter(agent), type_(type) {}
|
||||
PacketFilter::Action FilterHandshake(
|
||||
const TlsHandshakeFilter::HandshakeHeader& header,
|
||||
const DataBuffer& input, DataBuffer* output) override {
|
||||
@ -545,8 +588,10 @@ class TlsLastByteDamager : public TlsHandshakeFilter {
|
||||
|
||||
class SelectedCipherSuiteReplacer : public TlsHandshakeFilter {
|
||||
public:
|
||||
SelectedCipherSuiteReplacer(uint16_t suite)
|
||||
: TlsHandshakeFilter({kTlsHandshakeServerHello}), cipher_suite_(suite) {}
|
||||
SelectedCipherSuiteReplacer(const std::shared_ptr<TlsAgent>& agent,
|
||||
uint16_t suite)
|
||||
: TlsHandshakeFilter(agent, {kTlsHandshakeServerHello}),
|
||||
cipher_suite_(suite) {}
|
||||
|
||||
protected:
|
||||
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
|
||||
|
@ -30,6 +30,7 @@
|
||||
#include "pkistore.h"
|
||||
#include "dev3hack.h"
|
||||
#include "dev.h"
|
||||
#include "secmodi.h"
|
||||
|
||||
PRBool
|
||||
SEC_CertNicknameConflict(const char *nickname, const SECItem *derSubject,
|
||||
@ -280,6 +281,18 @@ __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
|
||||
nssCertificateStore_RemoveCertLOCKED(context->certStore, c);
|
||||
nssCertificateStore_Unlock(context->certStore, &lockTrace, &unlockTrace);
|
||||
c->object.cryptoContext = NULL;
|
||||
|
||||
/* if the id has not been set explicitly yet, create one from the public
|
||||
* key. */
|
||||
if (c->id.data == NULL) {
|
||||
SECItem *keyID = pk11_mkcertKeyID(cert);
|
||||
if (keyID) {
|
||||
nssItem_Create(c->object.arena, &c->id, keyID->len, keyID->data);
|
||||
SECITEM_FreeItem(keyID, PR_TRUE);
|
||||
}
|
||||
/* if any of these failed, continue with our null c->id */
|
||||
}
|
||||
|
||||
/* Import the perm instance onto the internal token */
|
||||
slot = PK11_GetInternalKeySlot();
|
||||
internal = PK11Slot_GetNSSToken(slot);
|
||||
|
@ -90,20 +90,22 @@ NSS_IMPLEMENT void
|
||||
nssSlot_ResetDelay(
|
||||
NSSSlot *slot)
|
||||
{
|
||||
slot->lastTokenPing = 0;
|
||||
PZ_Lock(slot->isPresentLock);
|
||||
slot->lastTokenPingState = nssSlotLastPingState_Reset;
|
||||
PZ_Unlock(slot->isPresentLock);
|
||||
}
|
||||
|
||||
static PRBool
|
||||
within_token_delay_period(const NSSSlot *slot)
|
||||
{
|
||||
PRIntervalTime time, lastTime;
|
||||
PRIntervalTime time;
|
||||
int lastPingState = slot->lastTokenPingState;
|
||||
/* Set the delay time for checking the token presence */
|
||||
if (s_token_delay_time == 0) {
|
||||
s_token_delay_time = PR_SecondsToInterval(NSSSLOT_TOKEN_DELAY_TIME);
|
||||
}
|
||||
time = PR_IntervalNow();
|
||||
lastTime = slot->lastTokenPing;
|
||||
if ((lastTime) && ((time - lastTime) < s_token_delay_time)) {
|
||||
if ((lastPingState == nssSlotLastPingState_Valid) && ((time - slot->lastTokenPingTime) < s_token_delay_time)) {
|
||||
return PR_TRUE;
|
||||
}
|
||||
return PR_FALSE;
|
||||
@ -156,7 +158,9 @@ nssSlot_IsTokenPresent(
|
||||
}
|
||||
/* this is the winning thread, block all others until we've determined
|
||||
* if the token is present and that it needs initialization. */
|
||||
slot->lastTokenPingState = nssSlotLastPingState_Update;
|
||||
slot->inIsPresent = PR_TRUE;
|
||||
|
||||
PZ_Unlock(slot->isPresentLock);
|
||||
|
||||
nssSlot_EnterMonitor(slot);
|
||||
@ -240,14 +244,19 @@ nssSlot_IsTokenPresent(
|
||||
done:
|
||||
/* Once we've set up the condition variable,
|
||||
* Before returning, it's necessary to:
|
||||
* 1) Set the lastTokenPing time so that any other threads waiting on this
|
||||
* 1) Set the lastTokenPingTime so that any other threads waiting on this
|
||||
* initialization and any future calls within the initialization window
|
||||
* return the just-computed status.
|
||||
* 2) Indicate we're complete, waking up all other threads that may still
|
||||
* be waiting on initialization can progress.
|
||||
*/
|
||||
PZ_Lock(slot->isPresentLock);
|
||||
slot->lastTokenPing = PR_IntervalNow();
|
||||
/* don't update the time if we were reset while we were
|
||||
* getting the token state */
|
||||
if (slot->lastTokenPingState == nssSlotLastPingState_Update) {
|
||||
slot->lastTokenPingTime = PR_IntervalNow();
|
||||
slot->lastTokenPingState = nssSlotLastPingState_Valid;
|
||||
}
|
||||
slot->inIsPresent = PR_FALSE;
|
||||
PR_NotifyAllCondVar(slot->isPresentCondition);
|
||||
PZ_Unlock(slot->isPresentLock);
|
||||
|
@ -70,6 +70,14 @@ struct nssSlotAuthInfoStr {
|
||||
PRIntervalTime askPasswordTimeout;
|
||||
};
|
||||
|
||||
/* values for lastTokenPingState */
|
||||
typedef enum {
|
||||
nssSlotLastPingState_Reset = 0, /* the state has just been reset, discard
|
||||
* our cache */
|
||||
nssSlotLastPingState_Update = 1, /* we are updating the lastTokenPingTime */
|
||||
nssSlotLastPingState_Valid = 2, /* lastTokenPingTime is valid */
|
||||
} nssSlotLastPingState;
|
||||
|
||||
struct NSSSlotStr {
|
||||
struct nssDeviceBaseStr base;
|
||||
NSSModule *module; /* Parent */
|
||||
@ -77,7 +85,8 @@ struct NSSSlotStr {
|
||||
CK_SLOT_ID slotID;
|
||||
CK_FLAGS ckFlags; /* from CK_SLOT_INFO.flags */
|
||||
struct nssSlotAuthInfoStr authInfo;
|
||||
PRIntervalTime lastTokenPing;
|
||||
PRIntervalTime lastTokenPingTime;
|
||||
nssSlotLastPingState lastTokenPingState;
|
||||
PZLock *lock;
|
||||
void *epv;
|
||||
PK11SlotInfo *pk11slot;
|
||||
|
@ -32,7 +32,7 @@ nssCryptokiObject_Create(
|
||||
/* a failure here indicates a device error */
|
||||
return (nssCryptokiObject *)NULL;
|
||||
}
|
||||
if (cert_template[0].ulValueLen == 0) {
|
||||
if (cert_template[0].ulValueLen == 0 || !cert_template[0].pValue) {
|
||||
nss_ZFreeIf(cert_template[1].pValue);
|
||||
return (nssCryptokiObject *)NULL;
|
||||
}
|
||||
|
@ -519,23 +519,16 @@ ifndef NSS_DISABLE_CHACHAPOLY
|
||||
else
|
||||
EXTRA_SRCS += poly1305.c
|
||||
endif
|
||||
|
||||
ifneq (1,$(CC_IS_GCC))
|
||||
EXTRA_SRCS += chacha20.c
|
||||
VERIFIED_SRCS += Hacl_Chacha20.c
|
||||
else
|
||||
EXTRA_SRCS += chacha20_vec.c
|
||||
endif
|
||||
else
|
||||
ifeq ($(CPU_ARCH),aarch64)
|
||||
EXTRA_SRCS += Hacl_Poly1305_64.c
|
||||
else
|
||||
EXTRA_SRCS += poly1305.c
|
||||
endif
|
||||
|
||||
EXTRA_SRCS += chacha20.c
|
||||
VERIFIED_SRCS += Hacl_Chacha20.c
|
||||
endif # x86_64
|
||||
|
||||
VERIFIED_SRCS += Hacl_Chacha20.c
|
||||
VERIFIED_SRCS += Hacl_Chacha20_Vec128.c
|
||||
endif # NSS_DISABLE_CHACHAPOLY
|
||||
|
||||
ifeq (,$(filter-out i386 x386 x86 x86_64 aarch64,$(CPU_ARCH)))
|
||||
|
@ -80,5 +80,11 @@ SECStatus generate_prime(mp_int *prime, int primeLen);
|
||||
PRBool aesni_support();
|
||||
PRBool clmul_support();
|
||||
PRBool avx_support();
|
||||
PRBool ssse3_support();
|
||||
PRBool arm_neon_support();
|
||||
PRBool arm_aes_support();
|
||||
PRBool arm_pmull_support();
|
||||
PRBool arm_sha1_support();
|
||||
PRBool arm_sha2_support();
|
||||
|
||||
#endif /* _BLAPII_H_ */
|
||||
|
@ -23,6 +23,12 @@ static PRCallOnceType coFreeblInit;
|
||||
static PRBool aesni_support_ = PR_FALSE;
|
||||
static PRBool clmul_support_ = PR_FALSE;
|
||||
static PRBool avx_support_ = PR_FALSE;
|
||||
static PRBool ssse3_support_ = PR_FALSE;
|
||||
static PRBool arm_neon_support_ = PR_FALSE;
|
||||
static PRBool arm_aes_support_ = PR_FALSE;
|
||||
static PRBool arm_sha1_support_ = PR_FALSE;
|
||||
static PRBool arm_sha2_support_ = PR_FALSE;
|
||||
static PRBool arm_pmull_support_ = PR_FALSE;
|
||||
|
||||
#ifdef NSS_X86_OR_X64
|
||||
/*
|
||||
@ -62,6 +68,7 @@ check_xcr0_ymm()
|
||||
#define ECX_XSAVE (1 << 26)
|
||||
#define ECX_OSXSAVE (1 << 27)
|
||||
#define ECX_AVX (1 << 28)
|
||||
#define ECX_SSSE3 (1 << 9)
|
||||
#define AVX_BITS (ECX_XSAVE | ECX_OSXSAVE | ECX_AVX)
|
||||
|
||||
void
|
||||
@ -71,6 +78,7 @@ CheckX86CPUSupport()
|
||||
char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
|
||||
char *disable_pclmul = PR_GetEnvSecure("NSS_DISABLE_PCLMUL");
|
||||
char *disable_avx = PR_GetEnvSecure("NSS_DISABLE_AVX");
|
||||
char *disable_ssse3 = PR_GetEnvSecure("NSS_DISABLE_SSSE3");
|
||||
freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
|
||||
aesni_support_ = (PRBool)((ecx & ECX_AESNI) != 0 && disable_hw_aes == NULL);
|
||||
clmul_support_ = (PRBool)((ecx & ECX_CLMUL) != 0 && disable_pclmul == NULL);
|
||||
@ -78,9 +86,107 @@ CheckX86CPUSupport()
|
||||
* as well as XMM and YMM state. */
|
||||
avx_support_ = (PRBool)((ecx & AVX_BITS) == AVX_BITS) && check_xcr0_ymm() &&
|
||||
disable_avx == NULL;
|
||||
ssse3_support_ = (PRBool)((ecx & ECX_SSSE3) != 0 &&
|
||||
disable_ssse3 == NULL);
|
||||
}
|
||||
#endif /* NSS_X86_OR_X64 */
|
||||
|
||||
#if (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__)
|
||||
#if defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)
|
||||
#include <sys/auxv.h>
|
||||
extern unsigned long getauxval(unsigned long type) __attribute__((weak));
|
||||
#else
|
||||
static unsigned long (*getauxval)(unsigned long) = NULL;
|
||||
#define AT_HWCAP2
|
||||
#define AT_HWCAP
|
||||
#endif /* defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)*/
|
||||
#endif /* (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__) */
|
||||
|
||||
#if defined(__aarch64__) && !defined(__ANDROID__)
|
||||
// Defines from hwcap.h in Linux kernel - ARM64
|
||||
#define HWCAP_AES (1 << 3)
|
||||
#define HWCAP_PMULL (1 << 4)
|
||||
#define HWCAP_SHA1 (1 << 5)
|
||||
#define HWCAP_SHA2 (1 << 6)
|
||||
|
||||
void
|
||||
CheckARMSupport()
|
||||
{
|
||||
char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
|
||||
char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
|
||||
if (getauxval) {
|
||||
long hwcaps = getauxval(AT_HWCAP);
|
||||
arm_aes_support_ = hwcaps & HWCAP_AES && disable_hw_aes == NULL;
|
||||
arm_pmull_support_ = hwcaps & HWCAP_PMULL;
|
||||
arm_sha1_support_ = hwcaps & HWCAP_SHA1;
|
||||
arm_sha2_support_ = hwcaps & HWCAP_SHA2;
|
||||
}
|
||||
/* aarch64 must support NEON. */
|
||||
arm_neon_support_ = disable_arm_neon == NULL;
|
||||
}
|
||||
#endif /* defined(__aarch64__) && !defined(__ANDROID__) */
|
||||
|
||||
#if defined(__arm__) && !defined(__ANDROID__)
|
||||
// Defines from hwcap.h in Linux kernel - ARM
|
||||
/*
|
||||
* HWCAP flags - for elf_hwcap (in kernel) and AT_HWCAP
|
||||
*/
|
||||
#define HWCAP_NEON (1 << 12)
|
||||
|
||||
/*
|
||||
* HWCAP2 flags - for elf_hwcap2 (in kernel) and AT_HWCAP2
|
||||
*/
|
||||
#define HWCAP2_AES (1 << 0)
|
||||
#define HWCAP2_PMULL (1 << 1)
|
||||
#define HWCAP2_SHA1 (1 << 2)
|
||||
#define HWCAP2_SHA2 (1 << 3)
|
||||
|
||||
void
|
||||
CheckARMSupport()
|
||||
{
|
||||
char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
|
||||
char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
|
||||
if (getauxval) {
|
||||
long hwcaps = getauxval(AT_HWCAP2);
|
||||
arm_aes_support_ = hwcaps & HWCAP2_AES && disable_hw_aes == NULL;
|
||||
arm_pmull_support_ = hwcaps & HWCAP2_PMULL;
|
||||
arm_sha1_support_ = hwcaps & HWCAP2_SHA1;
|
||||
arm_sha2_support_ = hwcaps & HWCAP2_SHA2;
|
||||
arm_neon_support_ = hwcaps & HWCAP_NEON && disable_arm_neon == NULL;
|
||||
}
|
||||
}
|
||||
#endif /* defined(__arm__) && !defined(__ANDROID__) */
|
||||
|
||||
// Enable when Firefox can use it.
|
||||
// #if defined(__ANDROID__) && (defined(__arm__) || defined(__aarch64__))
|
||||
// #include <cpu-features.h>
|
||||
// void
|
||||
// CheckARMSupport()
|
||||
// {
|
||||
// char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
|
||||
// char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
|
||||
// AndroidCpuFamily family = android_getCpuFamily();
|
||||
// uint64_t features = android_getCpuFeatures();
|
||||
// if (family == ANDROID_CPU_FAMILY_ARM64) {
|
||||
// arm_aes_support_ = features & ANDROID_CPU_ARM64_FEATURE_AES &&
|
||||
// disable_hw_aes == NULL;
|
||||
// arm_pmull_support_ = features & ANDROID_CPU_ARM64_FEATURE_PMULL;
|
||||
// arm_sha1_support_ = features & ANDROID_CPU_ARM64_FEATURE_SHA1;
|
||||
// arm_sha2_support_ = features & ANDROID_CPU_ARM64_FEATURE_SHA2;
|
||||
// arm_neon_support_ = disable_arm_neon == NULL;
|
||||
// }
|
||||
// if (family == ANDROID_CPU_FAMILY_ARM) {
|
||||
// arm_aes_support_ = features & ANDROID_CPU_ARM_FEATURE_AES &&
|
||||
// disable_hw_aes == NULL;
|
||||
// arm_pmull_support_ = features & ANDROID_CPU_ARM_FEATURE_PMULL;
|
||||
// arm_sha1_support_ = features & ANDROID_CPU_ARM_FEATURE_SHA1;
|
||||
// arm_sha2_support_ = features & ANDROID_CPU_ARM_FEATURE_SHA2;
|
||||
// arm_neon_support_ = hwcaps & ANDROID_CPU_ARM_FEATURE_NEON &&
|
||||
// disable_arm_neon == NULL;
|
||||
// }
|
||||
// }
|
||||
// #endif /* defined(__ANDROID__) && (defined(__arm__) || defined(__aarch64__)) */
|
||||
|
||||
PRBool
|
||||
aesni_support()
|
||||
{
|
||||
@ -96,12 +202,44 @@ avx_support()
|
||||
{
|
||||
return avx_support_;
|
||||
}
|
||||
PRBool
|
||||
ssse3_support()
|
||||
{
|
||||
return ssse3_support_;
|
||||
}
|
||||
PRBool
|
||||
arm_neon_support()
|
||||
{
|
||||
return arm_neon_support_;
|
||||
}
|
||||
PRBool
|
||||
arm_aes_support()
|
||||
{
|
||||
return arm_aes_support_;
|
||||
}
|
||||
PRBool
|
||||
arm_pmull_support()
|
||||
{
|
||||
return arm_pmull_support_;
|
||||
}
|
||||
PRBool
|
||||
arm_sha1_support()
|
||||
{
|
||||
return arm_sha1_support_;
|
||||
}
|
||||
PRBool
|
||||
arm_sha2_support()
|
||||
{
|
||||
return arm_sha2_support_;
|
||||
}
|
||||
|
||||
static PRStatus
|
||||
FreeblInit(void)
|
||||
{
|
||||
#ifdef NSS_X86_OR_X64
|
||||
CheckX86CPUSupport();
|
||||
#elif (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__)
|
||||
CheckARMSupport();
|
||||
#endif
|
||||
return PR_SUCCESS;
|
||||
}
|
||||
|
@ -1,19 +0,0 @@
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
/* Adopted from the public domain code in NaCl by djb. */
|
||||
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "chacha20.h"
|
||||
#include "verified/Hacl_Chacha20.h"
|
||||
|
||||
void
|
||||
ChaCha20XOR(unsigned char *out, const unsigned char *in, unsigned int inLen,
|
||||
const unsigned char key[32], const unsigned char nonce[12],
|
||||
uint32_t counter)
|
||||
{
|
||||
Hacl_Chacha20_chacha20(out, (uint8_t *)in, inLen, (uint8_t *)key, (uint8_t *)nonce, counter);
|
||||
}
|
@ -1,26 +0,0 @@
|
||||
/*
|
||||
* chacha20.h - header file for ChaCha20 implementation.
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifndef FREEBL_CHACHA20_H_
|
||||
#define FREEBL_CHACHA20_H_
|
||||
|
||||
#if defined(_MSC_VER) && _MSC_VER < 1600
|
||||
#include "prtypes.h"
|
||||
typedef PRUint32 uint32_t;
|
||||
typedef PRUint64 uint64_t;
|
||||
#else
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
|
||||
/* ChaCha20XOR encrypts |inLen| bytes from |in| with the given key and
|
||||
* nonce and writes the result to |out|, which may be equal to |in|. The
|
||||
* initial block counter is specified by |counter|. */
|
||||
extern void ChaCha20XOR(unsigned char *out, const unsigned char *in,
|
||||
unsigned int inLen, const unsigned char key[32],
|
||||
const unsigned char nonce[12], uint32_t counter);
|
||||
|
||||
#endif /* FREEBL_CHACHA20_H_ */
|
@ -1,327 +0,0 @@
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
/* This implementation is by Ted Krovetz and was submitted to SUPERCOP and
|
||||
* marked as public domain. It was been altered to allow for non-aligned inputs
|
||||
* and to allow the block counter to be passed in specifically. */
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#include "chacha20.h"
|
||||
#include "blapii.h"
|
||||
|
||||
#ifndef CHACHA_RNDS
|
||||
#define CHACHA_RNDS 20 /* 8 (high speed), 20 (conservative), 12 (middle) */
|
||||
#endif
|
||||
|
||||
/* Architecture-neutral way to specify 16-byte vector of ints */
|
||||
typedef unsigned vec __attribute__((vector_size(16)));
|
||||
|
||||
/* This implementation is designed for Neon, SSE and AltiVec machines. The
|
||||
* following specify how to do certain vector operations efficiently on
|
||||
* each architecture, using intrinsics.
|
||||
* This implementation supports parallel processing of multiple blocks,
|
||||
* including potentially using general-purpose registers.
|
||||
*/
|
||||
#if __ARM_NEON__
|
||||
#include <arm_neon.h>
|
||||
#define GPR_TOO 1
|
||||
#define VBPI 2
|
||||
#define ONE (vec) vsetq_lane_u32(1, vdupq_n_u32(0), 0)
|
||||
#define LOAD(m) (vec)(*((vec *)(m)))
|
||||
#define STORE(m, r) (*((vec *)(m))) = (r)
|
||||
#define ROTV1(x) (vec) vextq_u32((uint32x4_t)x, (uint32x4_t)x, 1)
|
||||
#define ROTV2(x) (vec) vextq_u32((uint32x4_t)x, (uint32x4_t)x, 2)
|
||||
#define ROTV3(x) (vec) vextq_u32((uint32x4_t)x, (uint32x4_t)x, 3)
|
||||
#define ROTW16(x) (vec) vrev32q_u16((uint16x8_t)x)
|
||||
#if __clang__
|
||||
#define ROTW7(x) (x << ((vec){ 7, 7, 7, 7 })) ^ (x >> ((vec){ 25, 25, 25, 25 }))
|
||||
#define ROTW8(x) (x << ((vec){ 8, 8, 8, 8 })) ^ (x >> ((vec){ 24, 24, 24, 24 }))
|
||||
#define ROTW12(x) (x << ((vec){ 12, 12, 12, 12 })) ^ (x >> ((vec){ 20, 20, 20, 20 }))
|
||||
#else
|
||||
#define ROTW7(x) (vec) vsriq_n_u32(vshlq_n_u32((uint32x4_t)x, 7), (uint32x4_t)x, 25)
|
||||
#define ROTW8(x) (vec) vsriq_n_u32(vshlq_n_u32((uint32x4_t)x, 8), (uint32x4_t)x, 24)
|
||||
#define ROTW12(x) (vec) vsriq_n_u32(vshlq_n_u32((uint32x4_t)x, 12), (uint32x4_t)x, 20)
|
||||
#endif
|
||||
#elif __SSE2__
|
||||
#include <emmintrin.h>
|
||||
#define GPR_TOO 0
|
||||
#if __clang__
|
||||
#define VBPI 4
|
||||
#else
|
||||
#define VBPI 3
|
||||
#endif
|
||||
#define ONE (vec) _mm_set_epi32(0, 0, 0, 1)
|
||||
#define LOAD(m) (vec) _mm_loadu_si128((__m128i *)(m))
|
||||
#define STORE(m, r) _mm_storeu_si128((__m128i *)(m), (__m128i)(r))
|
||||
#define ROTV1(x) (vec) _mm_shuffle_epi32((__m128i)x, _MM_SHUFFLE(0, 3, 2, 1))
|
||||
#define ROTV2(x) (vec) _mm_shuffle_epi32((__m128i)x, _MM_SHUFFLE(1, 0, 3, 2))
|
||||
#define ROTV3(x) (vec) _mm_shuffle_epi32((__m128i)x, _MM_SHUFFLE(2, 1, 0, 3))
|
||||
#define ROTW7(x) (vec)(_mm_slli_epi32((__m128i)x, 7) ^ _mm_srli_epi32((__m128i)x, 25))
|
||||
#define ROTW12(x) (vec)(_mm_slli_epi32((__m128i)x, 12) ^ _mm_srli_epi32((__m128i)x, 20))
|
||||
#if __SSSE3__
|
||||
#include <tmmintrin.h>
|
||||
#define ROTW8(x) (vec) _mm_shuffle_epi8((__m128i)x, _mm_set_epi8(14, 13, 12, 15, 10, 9, 8, 11, 6, 5, 4, 7, 2, 1, 0, 3))
|
||||
#define ROTW16(x) (vec) _mm_shuffle_epi8((__m128i)x, _mm_set_epi8(13, 12, 15, 14, 9, 8, 11, 10, 5, 4, 7, 6, 1, 0, 3, 2))
|
||||
#else
|
||||
#define ROTW8(x) (vec)(_mm_slli_epi32((__m128i)x, 8) ^ _mm_srli_epi32((__m128i)x, 24))
|
||||
#define ROTW16(x) (vec)(_mm_slli_epi32((__m128i)x, 16) ^ _mm_srli_epi32((__m128i)x, 16))
|
||||
#endif
|
||||
#else
|
||||
#error-- Implementation supports only machines with neon or SSE2
|
||||
#endif
|
||||
|
||||
#ifndef REVV_BE
|
||||
#define REVV_BE(x) (x)
|
||||
#endif
|
||||
|
||||
#ifndef REVW_BE
|
||||
#define REVW_BE(x) (x)
|
||||
#endif
|
||||
|
||||
#define BPI (VBPI + GPR_TOO) /* Blocks computed per loop iteration */
|
||||
|
||||
#define DQROUND_VECTORS(a, b, c, d) \
|
||||
a += b; \
|
||||
d ^= a; \
|
||||
d = ROTW16(d); \
|
||||
c += d; \
|
||||
b ^= c; \
|
||||
b = ROTW12(b); \
|
||||
a += b; \
|
||||
d ^= a; \
|
||||
d = ROTW8(d); \
|
||||
c += d; \
|
||||
b ^= c; \
|
||||
b = ROTW7(b); \
|
||||
b = ROTV1(b); \
|
||||
c = ROTV2(c); \
|
||||
d = ROTV3(d); \
|
||||
a += b; \
|
||||
d ^= a; \
|
||||
d = ROTW16(d); \
|
||||
c += d; \
|
||||
b ^= c; \
|
||||
b = ROTW12(b); \
|
||||
a += b; \
|
||||
d ^= a; \
|
||||
d = ROTW8(d); \
|
||||
c += d; \
|
||||
b ^= c; \
|
||||
b = ROTW7(b); \
|
||||
b = ROTV3(b); \
|
||||
c = ROTV2(c); \
|
||||
d = ROTV1(d);
|
||||
|
||||
#define QROUND_WORDS(a, b, c, d) \
|
||||
a = a + b; \
|
||||
d ^= a; \
|
||||
d = d << 16 | d >> 16; \
|
||||
c = c + d; \
|
||||
b ^= c; \
|
||||
b = b << 12 | b >> 20; \
|
||||
a = a + b; \
|
||||
d ^= a; \
|
||||
d = d << 8 | d >> 24; \
|
||||
c = c + d; \
|
||||
b ^= c; \
|
||||
b = b << 7 | b >> 25;
|
||||
|
||||
#define WRITE_XOR(in, op, d, v0, v1, v2, v3) \
|
||||
STORE(op + d + 0, LOAD(in + d + 0) ^ REVV_BE(v0)); \
|
||||
STORE(op + d + 4, LOAD(in + d + 4) ^ REVV_BE(v1)); \
|
||||
STORE(op + d + 8, LOAD(in + d + 8) ^ REVV_BE(v2)); \
|
||||
STORE(op + d + 12, LOAD(in + d + 12) ^ REVV_BE(v3));
|
||||
|
||||
void NO_SANITIZE_ALIGNMENT
|
||||
ChaCha20XOR(unsigned char *out, const unsigned char *in, unsigned int inlen,
|
||||
const unsigned char key[32], const unsigned char nonce[12],
|
||||
uint32_t counter)
|
||||
{
|
||||
unsigned iters, i, *op = (unsigned *)out, *ip = (unsigned *)in, *kp;
|
||||
#if defined(__ARM_NEON__)
|
||||
unsigned *np;
|
||||
#endif
|
||||
vec s0, s1, s2, s3;
|
||||
#if !defined(__ARM_NEON__) && !defined(__SSE2__)
|
||||
__attribute__((aligned(16))) unsigned key[8], nonce[4];
|
||||
#endif
|
||||
__attribute__((aligned(16))) unsigned chacha_const[] =
|
||||
{ 0x61707865, 0x3320646E, 0x79622D32, 0x6B206574 };
|
||||
#if defined(__ARM_NEON__) || defined(__SSE2__)
|
||||
kp = (unsigned *)key;
|
||||
#else
|
||||
((vec *)key)[0] = REVV_BE(((vec *)key)[0]);
|
||||
((vec *)key)[1] = REVV_BE(((vec *)key)[1]);
|
||||
((unsigned *)nonce)[0] = REVW_BE(((unsigned *)nonce)[0]);
|
||||
((unsigned *)nonce)[1] = REVW_BE(((unsigned *)nonce)[1]);
|
||||
((unsigned *)nonce)[2] = REVW_BE(((unsigned *)nonce)[2]);
|
||||
((unsigned *)nonce)[3] = REVW_BE(((unsigned *)nonce)[3]);
|
||||
kp = (unsigned *)key;
|
||||
np = (unsigned *)nonce;
|
||||
#endif
|
||||
#if defined(__ARM_NEON__)
|
||||
np = (unsigned *)nonce;
|
||||
#endif
|
||||
s0 = LOAD(chacha_const);
|
||||
s1 = LOAD(&((vec *)kp)[0]);
|
||||
s2 = LOAD(&((vec *)kp)[1]);
|
||||
s3 = (vec){
|
||||
counter,
|
||||
((uint32_t *)nonce)[0],
|
||||
((uint32_t *)nonce)[1],
|
||||
((uint32_t *)nonce)[2]
|
||||
};
|
||||
|
||||
for (iters = 0; iters < inlen / (BPI * 64); iters++) {
|
||||
#if GPR_TOO
|
||||
register unsigned x0, x1, x2, x3, x4, x5, x6, x7, x8,
|
||||
x9, x10, x11, x12, x13, x14, x15;
|
||||
#endif
|
||||
#if VBPI > 2
|
||||
vec v8, v9, v10, v11;
|
||||
#endif
|
||||
#if VBPI > 3
|
||||
vec v12, v13, v14, v15;
|
||||
#endif
|
||||
|
||||
vec v0, v1, v2, v3, v4, v5, v6, v7;
|
||||
v4 = v0 = s0;
|
||||
v5 = v1 = s1;
|
||||
v6 = v2 = s2;
|
||||
v3 = s3;
|
||||
v7 = v3 + ONE;
|
||||
#if VBPI > 2
|
||||
v8 = v4;
|
||||
v9 = v5;
|
||||
v10 = v6;
|
||||
v11 = v7 + ONE;
|
||||
#endif
|
||||
#if VBPI > 3
|
||||
v12 = v8;
|
||||
v13 = v9;
|
||||
v14 = v10;
|
||||
v15 = v11 + ONE;
|
||||
#endif
|
||||
#if GPR_TOO
|
||||
x0 = chacha_const[0];
|
||||
x1 = chacha_const[1];
|
||||
x2 = chacha_const[2];
|
||||
x3 = chacha_const[3];
|
||||
x4 = kp[0];
|
||||
x5 = kp[1];
|
||||
x6 = kp[2];
|
||||
x7 = kp[3];
|
||||
x8 = kp[4];
|
||||
x9 = kp[5];
|
||||
x10 = kp[6];
|
||||
x11 = kp[7];
|
||||
x12 = counter + BPI * iters + (BPI - 1);
|
||||
x13 = np[0];
|
||||
x14 = np[1];
|
||||
x15 = np[2];
|
||||
#endif
|
||||
for (i = CHACHA_RNDS / 2; i; i--) {
|
||||
DQROUND_VECTORS(v0, v1, v2, v3)
|
||||
DQROUND_VECTORS(v4, v5, v6, v7)
|
||||
#if VBPI > 2
|
||||
DQROUND_VECTORS(v8, v9, v10, v11)
|
||||
#endif
|
||||
#if VBPI > 3
|
||||
DQROUND_VECTORS(v12, v13, v14, v15)
|
||||
#endif
|
||||
#if GPR_TOO
|
||||
QROUND_WORDS(x0, x4, x8, x12)
|
||||
QROUND_WORDS(x1, x5, x9, x13)
|
||||
QROUND_WORDS(x2, x6, x10, x14)
|
||||
QROUND_WORDS(x3, x7, x11, x15)
|
||||
QROUND_WORDS(x0, x5, x10, x15)
|
||||
QROUND_WORDS(x1, x6, x11, x12)
|
||||
QROUND_WORDS(x2, x7, x8, x13)
|
||||
QROUND_WORDS(x3, x4, x9, x14)
|
||||
#endif
|
||||
}
|
||||
|
||||
WRITE_XOR(ip, op, 0, v0 + s0, v1 + s1, v2 + s2, v3 + s3)
|
||||
s3 += ONE;
|
||||
WRITE_XOR(ip, op, 16, v4 + s0, v5 + s1, v6 + s2, v7 + s3)
|
||||
s3 += ONE;
|
||||
#if VBPI > 2
|
||||
WRITE_XOR(ip, op, 32, v8 + s0, v9 + s1, v10 + s2, v11 + s3)
|
||||
s3 += ONE;
|
||||
#endif
|
||||
#if VBPI > 3
|
||||
WRITE_XOR(ip, op, 48, v12 + s0, v13 + s1, v14 + s2, v15 + s3)
|
||||
s3 += ONE;
|
||||
#endif
|
||||
ip += VBPI * 16;
|
||||
op += VBPI * 16;
|
||||
#if GPR_TOO
|
||||
op[0] = REVW_BE(REVW_BE(ip[0]) ^ (x0 + chacha_const[0]));
|
||||
op[1] = REVW_BE(REVW_BE(ip[1]) ^ (x1 + chacha_const[1]));
|
||||
op[2] = REVW_BE(REVW_BE(ip[2]) ^ (x2 + chacha_const[2]));
|
||||
op[3] = REVW_BE(REVW_BE(ip[3]) ^ (x3 + chacha_const[3]));
|
||||
op[4] = REVW_BE(REVW_BE(ip[4]) ^ (x4 + kp[0]));
|
||||
op[5] = REVW_BE(REVW_BE(ip[5]) ^ (x5 + kp[1]));
|
||||
op[6] = REVW_BE(REVW_BE(ip[6]) ^ (x6 + kp[2]));
|
||||
op[7] = REVW_BE(REVW_BE(ip[7]) ^ (x7 + kp[3]));
|
||||
op[8] = REVW_BE(REVW_BE(ip[8]) ^ (x8 + kp[4]));
|
||||
op[9] = REVW_BE(REVW_BE(ip[9]) ^ (x9 + kp[5]));
|
||||
op[10] = REVW_BE(REVW_BE(ip[10]) ^ (x10 + kp[6]));
|
||||
op[11] = REVW_BE(REVW_BE(ip[11]) ^ (x11 + kp[7]));
|
||||
op[12] = REVW_BE(REVW_BE(ip[12]) ^ (x12 + counter + BPI * iters + (BPI - 1)));
|
||||
op[13] = REVW_BE(REVW_BE(ip[13]) ^ (x13 + np[0]));
|
||||
op[14] = REVW_BE(REVW_BE(ip[14]) ^ (x14 + np[1]));
|
||||
op[15] = REVW_BE(REVW_BE(ip[15]) ^ (x15 + np[2]));
|
||||
s3 += ONE;
|
||||
ip += 16;
|
||||
op += 16;
|
||||
#endif
|
||||
}
|
||||
|
||||
for (iters = inlen % (BPI * 64) / 64; iters != 0; iters--) {
|
||||
vec v0 = s0, v1 = s1, v2 = s2, v3 = s3;
|
||||
for (i = CHACHA_RNDS / 2; i; i--) {
|
||||
DQROUND_VECTORS(v0, v1, v2, v3);
|
||||
}
|
||||
WRITE_XOR(ip, op, 0, v0 + s0, v1 + s1, v2 + s2, v3 + s3)
|
||||
s3 += ONE;
|
||||
ip += 16;
|
||||
op += 16;
|
||||
}
|
||||
|
||||
inlen = inlen % 64;
|
||||
if (inlen) {
|
||||
__attribute__((aligned(16))) vec buf[4];
|
||||
vec v0, v1, v2, v3;
|
||||
v0 = s0;
|
||||
v1 = s1;
|
||||
v2 = s2;
|
||||
v3 = s3;
|
||||
for (i = CHACHA_RNDS / 2; i; i--) {
|
||||
DQROUND_VECTORS(v0, v1, v2, v3);
|
||||
}
|
||||
|
||||
if (inlen >= 16) {
|
||||
STORE(op + 0, LOAD(ip + 0) ^ REVV_BE(v0 + s0));
|
||||
if (inlen >= 32) {
|
||||
STORE(op + 4, LOAD(ip + 4) ^ REVV_BE(v1 + s1));
|
||||
if (inlen >= 48) {
|
||||
STORE(op + 8, LOAD(ip + 8) ^ REVV_BE(v2 + s2));
|
||||
buf[3] = REVV_BE(v3 + s3);
|
||||
} else {
|
||||
buf[2] = REVV_BE(v2 + s2);
|
||||
}
|
||||
} else {
|
||||
buf[1] = REVV_BE(v1 + s1);
|
||||
}
|
||||
} else {
|
||||
buf[0] = REVV_BE(v0 + s0);
|
||||
}
|
||||
|
||||
for (i = inlen & ~15; i < inlen; i++) {
|
||||
((char *)op)[i] = ((char *)ip)[i] ^ ((char *)buf)[i];
|
||||
}
|
||||
}
|
||||
}
|
@ -12,25 +12,28 @@
|
||||
#include "seccomon.h"
|
||||
#include "secerr.h"
|
||||
#include "blapit.h"
|
||||
#include "blapii.h"
|
||||
|
||||
#ifndef NSS_DISABLE_CHACHAPOLY
|
||||
#if defined(HAVE_INT128_SUPPORT) && (defined(NSS_X86_OR_X64) || defined(__aarch64__))
|
||||
#include "verified/Hacl_Poly1305_64.h"
|
||||
#else
|
||||
#include "poly1305.h"
|
||||
#endif
|
||||
#include "chacha20.h"
|
||||
#include "chacha20poly1305.h"
|
||||
#endif
|
||||
// Forward declaration from "Hacl_Chacha20_Vec128.h".
|
||||
extern void Hacl_Chacha20_Vec128_chacha20(uint8_t *output, uint8_t *plain,
|
||||
uint32_t len, uint8_t *k, uint8_t *n1,
|
||||
uint32_t ctr);
|
||||
// Forward declaration from "Hacl_Chacha20.h".
|
||||
extern void Hacl_Chacha20_chacha20(uint8_t *output, uint8_t *plain, uint32_t len,
|
||||
uint8_t *k, uint8_t *n1, uint32_t ctr);
|
||||
|
||||
/* Poly1305Do writes the Poly1305 authenticator of the given additional data
|
||||
* and ciphertext to |out|. */
|
||||
#ifndef NSS_DISABLE_CHACHAPOLY
|
||||
|
||||
#if defined(HAVE_INT128_SUPPORT) && (defined(NSS_X86_OR_X64) || defined(__aarch64__))
|
||||
/* Use HACL* Poly1305 on 64-bit Intel and ARM */
|
||||
#include "verified/Hacl_Poly1305_64.h"
|
||||
|
||||
static void
|
||||
Poly1305PadUpdate(Hacl_Impl_Poly1305_64_State_poly1305_state state, unsigned char *block, const unsigned char *p, const unsigned int pLen)
|
||||
Poly1305PadUpdate(Hacl_Impl_Poly1305_64_State_poly1305_state state,
|
||||
unsigned char *block, const unsigned char *p,
|
||||
const unsigned int pLen)
|
||||
{
|
||||
unsigned int pRemLen = pLen % 16;
|
||||
Hacl_Poly1305_64_update(state, (uint8_t *)p, (pLen / 16));
|
||||
@ -46,7 +49,8 @@ Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen,
|
||||
const unsigned char key[32])
|
||||
{
|
||||
uint64_t tmp1[6U] = { 0U };
|
||||
Hacl_Impl_Poly1305_64_State_poly1305_state state = Hacl_Poly1305_64_mk_state(tmp1, tmp1 + 3);
|
||||
Hacl_Impl_Poly1305_64_State_poly1305_state state =
|
||||
Hacl_Poly1305_64_mk_state(tmp1, tmp1 + 3);
|
||||
|
||||
unsigned char block[16] = { 0 };
|
||||
Hacl_Poly1305_64_init(state, (uint8_t *)key);
|
||||
@ -68,6 +72,8 @@ Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen,
|
||||
Hacl_Poly1305_64_finish(state, out, (uint8_t *)(key + 16));
|
||||
}
|
||||
#else
|
||||
/* All other platforms get the 32-bit poly1305 reference implementation. */
|
||||
#include "poly1305.h"
|
||||
|
||||
static void
|
||||
Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen,
|
||||
@ -165,6 +171,17 @@ ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit)
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
ChaCha20Xor(uint8_t *output, uint8_t *block, uint32_t len, uint8_t *k,
|
||||
uint8_t *nonce, uint32_t ctr)
|
||||
{
|
||||
if (ssse3_support() || arm_neon_support()) {
|
||||
Hacl_Chacha20_Vec128_chacha20(output, block, len, k, nonce, ctr);
|
||||
} else {
|
||||
Hacl_Chacha20_chacha20(output, block, len, k, nonce, ctr);
|
||||
}
|
||||
}
|
||||
|
||||
SECStatus
|
||||
ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx, unsigned char *output,
|
||||
unsigned int *outputLen, unsigned int maxOutputLen,
|
||||
@ -191,8 +208,10 @@ ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx, unsigned char *output,
|
||||
PORT_Memset(block, 0, sizeof(block));
|
||||
// Generate a block of keystream. The first 32 bytes will be the poly1305
|
||||
// key. The remainder of the block is discarded.
|
||||
ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0);
|
||||
ChaCha20XOR(output, input, inputLen, ctx->key, nonce, 1);
|
||||
ChaCha20Xor(block, (uint8_t *)block, sizeof(block), (uint8_t *)ctx->key,
|
||||
(uint8_t *)nonce, 0);
|
||||
ChaCha20Xor(output, (uint8_t *)input, inputLen, (uint8_t *)ctx->key,
|
||||
(uint8_t *)nonce, 1);
|
||||
|
||||
Poly1305Do(tag, ad, adLen, output, inputLen, block);
|
||||
PORT_Memcpy(output + inputLen, tag, ctx->tagLen);
|
||||
@ -233,14 +252,16 @@ ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx, unsigned char *output,
|
||||
PORT_Memset(block, 0, sizeof(block));
|
||||
// Generate a block of keystream. The first 32 bytes will be the poly1305
|
||||
// key. The remainder of the block is discarded.
|
||||
ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0);
|
||||
ChaCha20Xor(block, (uint8_t *)block, sizeof(block), (uint8_t *)ctx->key,
|
||||
(uint8_t *)nonce, 0);
|
||||
Poly1305Do(tag, ad, adLen, input, ciphertextLen, block);
|
||||
if (NSS_SecureMemcmp(tag, &input[ciphertextLen], ctx->tagLen) != 0) {
|
||||
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
ChaCha20XOR(output, input, ciphertextLen, ctx->key, nonce, 1);
|
||||
ChaCha20Xor(output, (uint8_t *)input, ciphertextLen, (uint8_t *)ctx->key,
|
||||
(uint8_t *)nonce, 1);
|
||||
|
||||
return SECSuccess;
|
||||
#endif
|
||||
|
@ -90,7 +90,7 @@ EXTRA_SHARED_LIBS += \
|
||||
endif
|
||||
endif
|
||||
|
||||
ifeq ($(OS_ARCH), Linux)
|
||||
ifeq (,$(filter-out DragonFly FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
|
||||
CFLAGS += -std=gnu99
|
||||
endif
|
||||
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
#include "blapi.h"
|
||||
#include "blapit.h"
|
||||
#include "chacha20.h"
|
||||
#include "Hacl_Chacha20.h"
|
||||
#include "nssilock.h"
|
||||
#include "seccomon.h"
|
||||
#include "secerr.h"
|
||||
@ -99,7 +99,7 @@ RNG_GenerateGlobalRandomBytes(void *dest, size_t len)
|
||||
|
||||
memset(dest, 0, len);
|
||||
memcpy(dest, globalBytes, PR_MIN(len, GLOBAL_BYTES_SIZE));
|
||||
ChaCha20XOR(dest, dest, len, key, nonce, 0);
|
||||
Hacl_Chacha20_chacha20(dest, (uint8_t *)dest, len, (uint8_t *)key, nonce, 0);
|
||||
ChaCha20Poly1305_DestroyContext(cx, PR_TRUE);
|
||||
|
||||
PZ_Unlock(rng_lock);
|
||||
|
@ -74,8 +74,7 @@ struct RNGContextStr {
|
||||
#define V_type V_Data[0]
|
||||
#define V(rng) (((rng)->V_Data) + 1)
|
||||
#define VSize(rng) ((sizeof(rng)->V_Data) - 1)
|
||||
PRUint8 C[PRNG_SEEDLEN]; /* internal state variables */
|
||||
PRUint8 lastOutput[SHA256_LENGTH]; /* for continuous rng checking */
|
||||
PRUint8 C[PRNG_SEEDLEN]; /* internal state variables */
|
||||
/* If we get calls for the PRNG to return less than the length of our
|
||||
* hash, we extend the request for a full hash (since we'll be doing
|
||||
* the full hash anyway). Future requests for random numbers are fulfilled
|
||||
@ -286,7 +285,6 @@ prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes,
|
||||
{
|
||||
PRUint8 data[VSize(rng)];
|
||||
PRUint8 thisHash[SHA256_LENGTH];
|
||||
PRUint8 *lastHash = rng->lastOutput;
|
||||
|
||||
PORT_Memcpy(data, V(rng), VSize(rng));
|
||||
while (no_of_returned_bytes) {
|
||||
@ -297,15 +295,10 @@ prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes,
|
||||
SHA256_Begin(&ctx);
|
||||
SHA256_Update(&ctx, data, sizeof data);
|
||||
SHA256_End(&ctx, thisHash, &len, SHA256_LENGTH);
|
||||
if (PORT_Memcmp(lastHash, thisHash, len) == 0) {
|
||||
rng->isValid = PR_FALSE;
|
||||
break;
|
||||
}
|
||||
if (no_of_returned_bytes < SHA256_LENGTH) {
|
||||
len = no_of_returned_bytes;
|
||||
}
|
||||
PORT_Memcpy(returned_bytes, thisHash, len);
|
||||
lastHash = returned_bytes;
|
||||
returned_bytes += len;
|
||||
no_of_returned_bytes -= len;
|
||||
/* The carry parameter is a bool (increment or not).
|
||||
@ -313,7 +306,6 @@ prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes,
|
||||
carry = no_of_returned_bytes;
|
||||
PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry);
|
||||
}
|
||||
PORT_Memcpy(rng->lastOutput, thisHash, SHA256_LENGTH);
|
||||
PORT_Memset(data, 0, sizeof data);
|
||||
PORT_Memset(thisHash, 0, sizeof thisHash);
|
||||
}
|
||||
@ -361,11 +353,6 @@ prng_generateNewBytes(RNGContext *rng,
|
||||
if (no_of_returned_bytes == SHA256_LENGTH) {
|
||||
/* short_cut to hashbuf and a couple of copies and clears */
|
||||
SHA256_HashBuf(returned_bytes, V(rng), VSize(rng));
|
||||
/* continuous rng check */
|
||||
if (memcmp(rng->lastOutput, returned_bytes, SHA256_LENGTH) == 0) {
|
||||
rng->isValid = PR_FALSE;
|
||||
}
|
||||
PORT_Memcpy(rng->lastOutput, returned_bytes, sizeof rng->lastOutput);
|
||||
} else {
|
||||
prng_Hashgen(rng, returned_bytes, no_of_returned_bytes);
|
||||
}
|
||||
|
@ -10,7 +10,7 @@
|
||||
'target_name': 'intel-gcm-wrap_c_lib',
|
||||
'type': 'static_library',
|
||||
'sources': [
|
||||
'intel-gcm-wrap.c'
|
||||
'intel-gcm-wrap.c',
|
||||
],
|
||||
'dependencies': [
|
||||
'<(DEPTH)/exports.gyp:nss_exports'
|
||||
@ -22,6 +22,38 @@
|
||||
'-mssse3'
|
||||
]
|
||||
},
|
||||
{
|
||||
# TODO: make this so that all hardware accelerated code is in here.
|
||||
'target_name': 'hw-acc-crypto',
|
||||
'type': 'static_library',
|
||||
'sources': [
|
||||
'verified/Hacl_Chacha20_Vec128.c',
|
||||
],
|
||||
'dependencies': [
|
||||
'<(DEPTH)/exports.gyp:nss_exports'
|
||||
],
|
||||
'conditions': [
|
||||
[ 'target_arch=="ia32" or target_arch=="x64"', {
|
||||
'cflags': [
|
||||
'-mssse3'
|
||||
],
|
||||
'cflags_mozilla': [
|
||||
'-mssse3'
|
||||
],
|
||||
# GCC doesn't define this.
|
||||
'defines': [
|
||||
'__SSSE3__',
|
||||
],
|
||||
}],
|
||||
[ 'OS=="android"', {
|
||||
# On Android we can't use any of the hardware acceleration :(
|
||||
'defines!': [
|
||||
'__ARM_NEON__',
|
||||
'__ARM_NEON',
|
||||
],
|
||||
}],
|
||||
],
|
||||
},
|
||||
{
|
||||
'target_name': 'gcm-aes-x86_c_lib',
|
||||
'type': 'static_library',
|
||||
@ -74,11 +106,12 @@
|
||||
],
|
||||
'dependencies': [
|
||||
'<(DEPTH)/exports.gyp:nss_exports',
|
||||
'hw-acc-crypto',
|
||||
],
|
||||
'conditions': [
|
||||
[ 'target_arch=="ia32" or target_arch=="x64"', {
|
||||
'dependencies': [
|
||||
'gcm-aes-x86_c_lib'
|
||||
'gcm-aes-x86_c_lib',
|
||||
],
|
||||
}],
|
||||
[ 'OS=="linux"', {
|
||||
@ -110,11 +143,12 @@
|
||||
],
|
||||
'dependencies': [
|
||||
'<(DEPTH)/exports.gyp:nss_exports',
|
||||
'hw-acc-crypto',
|
||||
],
|
||||
'conditions': [
|
||||
[ 'target_arch=="ia32" or target_arch=="x64"', {
|
||||
'dependencies': [
|
||||
'gcm-aes-x86_c_lib'
|
||||
'gcm-aes-x86_c_lib',
|
||||
]
|
||||
}],
|
||||
[ 'OS!="linux" and OS!="android"', {
|
||||
@ -275,6 +309,11 @@
|
||||
'-std=gnu99',
|
||||
],
|
||||
}],
|
||||
[ 'OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd"', {
|
||||
'cflags': [
|
||||
'-std=gnu99',
|
||||
],
|
||||
}],
|
||||
[ 'OS=="linux" or OS=="android"', {
|
||||
'conditions': [
|
||||
[ 'target_arch=="x64"', {
|
||||
|
@ -144,12 +144,17 @@
|
||||
],
|
||||
}],
|
||||
[ 'disable_chachapoly==0', {
|
||||
# The ChaCha20 code is linked in through the static ssse3-crypto lib on
|
||||
# all platforms that support SSSE3. There are runtime checks in place to
|
||||
# choose the correct ChaCha implementation at runtime.
|
||||
'sources': [
|
||||
'verified/Hacl_Chacha20.c',
|
||||
],
|
||||
'conditions': [
|
||||
[ 'OS!="win"', {
|
||||
'conditions': [
|
||||
[ 'target_arch=="x64"', {
|
||||
'sources': [
|
||||
'chacha20_vec.c',
|
||||
'verified/Hacl_Poly1305_64.c',
|
||||
],
|
||||
}, {
|
||||
@ -157,15 +162,11 @@
|
||||
'conditions': [
|
||||
[ 'target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'sources': [
|
||||
'chacha20.c',
|
||||
'verified/Hacl_Chacha20.c',
|
||||
'verified/Hacl_Poly1305_64.c',
|
||||
],
|
||||
}, {
|
||||
# !Windows & !x64 & !arm64 & !aarch64
|
||||
'sources': [
|
||||
'chacha20.c',
|
||||
'verified/Hacl_Chacha20.c',
|
||||
'poly1305.c',
|
||||
],
|
||||
}],
|
||||
@ -175,8 +176,6 @@
|
||||
}, {
|
||||
# Windows
|
||||
'sources': [
|
||||
'chacha20.c',
|
||||
'verified/Hacl_Chacha20.c',
|
||||
'poly1305.c',
|
||||
],
|
||||
}],
|
||||
|
396
security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
Normal file
396
security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
Normal file
@ -0,0 +1,396 @@
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "Hacl_Chacha20_Vec128.h"
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_State_state_incr(vec *k)
|
||||
{
|
||||
vec k3 = k[3U];
|
||||
k[3U] = vec_increment(k3);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_State_state_to_key_block(uint8_t *stream_block, vec *k)
|
||||
{
|
||||
vec k0 = k[0U];
|
||||
vec k1 = k[1U];
|
||||
vec k2 = k[2U];
|
||||
vec k3 = k[3U];
|
||||
uint8_t *a = stream_block;
|
||||
uint8_t *b = stream_block + (uint32_t)16U;
|
||||
uint8_t *c = stream_block + (uint32_t)32U;
|
||||
uint8_t *d = stream_block + (uint32_t)48U;
|
||||
vec_store_le(a, k0);
|
||||
vec_store_le(b, k1);
|
||||
vec_store_le(c, k2);
|
||||
vec_store_le(d, k3);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_State_state_setup(vec *st, uint8_t *k, uint8_t *n1, uint32_t c)
|
||||
{
|
||||
st[0U] =
|
||||
vec_load_32x4((uint32_t)0x61707865U,
|
||||
(uint32_t)0x3320646eU,
|
||||
(uint32_t)0x79622d32U,
|
||||
(uint32_t)0x6b206574U);
|
||||
vec k0 = vec_load128_le(k);
|
||||
vec k1 = vec_load128_le(k + (uint32_t)16U);
|
||||
st[1U] = k0;
|
||||
st[2U] = k1;
|
||||
uint32_t n0 = load32_le(n1);
|
||||
uint8_t *x00 = n1 + (uint32_t)4U;
|
||||
uint32_t n10 = load32_le(x00);
|
||||
uint8_t *x0 = n1 + (uint32_t)8U;
|
||||
uint32_t n2 = load32_le(x0);
|
||||
vec v1 = vec_load_32x4(c, n0, n10, n2);
|
||||
st[3U] = v1;
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_round(vec *st)
|
||||
{
|
||||
vec sa = st[0U];
|
||||
vec sb0 = st[1U];
|
||||
vec sd0 = st[3U];
|
||||
vec sa10 = vec_add(sa, sb0);
|
||||
vec sd10 = vec_rotate_left(vec_xor(sd0, sa10), (uint32_t)16U);
|
||||
st[0U] = sa10;
|
||||
st[3U] = sd10;
|
||||
vec sa0 = st[2U];
|
||||
vec sb1 = st[3U];
|
||||
vec sd2 = st[1U];
|
||||
vec sa11 = vec_add(sa0, sb1);
|
||||
vec sd11 = vec_rotate_left(vec_xor(sd2, sa11), (uint32_t)12U);
|
||||
st[2U] = sa11;
|
||||
st[1U] = sd11;
|
||||
vec sa2 = st[0U];
|
||||
vec sb2 = st[1U];
|
||||
vec sd3 = st[3U];
|
||||
vec sa12 = vec_add(sa2, sb2);
|
||||
vec sd12 = vec_rotate_left(vec_xor(sd3, sa12), (uint32_t)8U);
|
||||
st[0U] = sa12;
|
||||
st[3U] = sd12;
|
||||
vec sa3 = st[2U];
|
||||
vec sb = st[3U];
|
||||
vec sd = st[1U];
|
||||
vec sa1 = vec_add(sa3, sb);
|
||||
vec sd1 = vec_rotate_left(vec_xor(sd, sa1), (uint32_t)7U);
|
||||
st[2U] = sa1;
|
||||
st[1U] = sd1;
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_double_round(vec *st)
|
||||
{
|
||||
Hacl_Impl_Chacha20_Vec128_round(st);
|
||||
vec r1 = st[1U];
|
||||
vec r20 = st[2U];
|
||||
vec r30 = st[3U];
|
||||
st[1U] = vec_shuffle_right(r1, (uint32_t)1U);
|
||||
st[2U] = vec_shuffle_right(r20, (uint32_t)2U);
|
||||
st[3U] = vec_shuffle_right(r30, (uint32_t)3U);
|
||||
Hacl_Impl_Chacha20_Vec128_round(st);
|
||||
vec r10 = st[1U];
|
||||
vec r2 = st[2U];
|
||||
vec r3 = st[3U];
|
||||
st[1U] = vec_shuffle_right(r10, (uint32_t)3U);
|
||||
st[2U] = vec_shuffle_right(r2, (uint32_t)2U);
|
||||
st[3U] = vec_shuffle_right(r3, (uint32_t)1U);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_double_round3(vec *st, vec *st_, vec *st__)
|
||||
{
|
||||
Hacl_Impl_Chacha20_Vec128_double_round(st);
|
||||
Hacl_Impl_Chacha20_Vec128_double_round(st_);
|
||||
Hacl_Impl_Chacha20_Vec128_double_round(st__);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_sum_states(vec *st_, vec *st)
|
||||
{
|
||||
vec s0 = st[0U];
|
||||
vec s1 = st[1U];
|
||||
vec s2 = st[2U];
|
||||
vec s3 = st[3U];
|
||||
vec s0_ = st_[0U];
|
||||
vec s1_ = st_[1U];
|
||||
vec s2_ = st_[2U];
|
||||
vec s3_ = st_[3U];
|
||||
st_[0U] = vec_add(s0_, s0);
|
||||
st_[1U] = vec_add(s1_, s1);
|
||||
st_[2U] = vec_add(s2_, s2);
|
||||
st_[3U] = vec_add(s3_, s3);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_copy_state(vec *st_, vec *st)
|
||||
{
|
||||
vec st0 = st[0U];
|
||||
vec st1 = st[1U];
|
||||
vec st2 = st[2U];
|
||||
vec st3 = st[3U];
|
||||
st_[0U] = st0;
|
||||
st_[1U] = st1;
|
||||
st_[2U] = st2;
|
||||
st_[3U] = st3;
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_core(vec *k, vec *st)
|
||||
{
|
||||
Hacl_Impl_Chacha20_Vec128_copy_state(k, st);
|
||||
for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
|
||||
Hacl_Impl_Chacha20_Vec128_double_round(k);
|
||||
Hacl_Impl_Chacha20_Vec128_sum_states(k, st);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_state_incr(vec *st)
|
||||
{
|
||||
Hacl_Impl_Chacha20_Vec128_State_state_incr(st);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_incr3(vec *k0, vec *k1, vec *k2, vec *st)
|
||||
{
|
||||
Hacl_Impl_Chacha20_Vec128_copy_state(k0, st);
|
||||
Hacl_Impl_Chacha20_Vec128_copy_state(k1, st);
|
||||
Hacl_Impl_Chacha20_Vec128_state_incr(k1);
|
||||
Hacl_Impl_Chacha20_Vec128_copy_state(k2, k1);
|
||||
Hacl_Impl_Chacha20_Vec128_state_incr(k2);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_sum3(vec *k0, vec *k1, vec *k2, vec *st)
|
||||
{
|
||||
Hacl_Impl_Chacha20_Vec128_sum_states(k0, st);
|
||||
Hacl_Impl_Chacha20_Vec128_state_incr(st);
|
||||
Hacl_Impl_Chacha20_Vec128_sum_states(k1, st);
|
||||
Hacl_Impl_Chacha20_Vec128_state_incr(st);
|
||||
Hacl_Impl_Chacha20_Vec128_sum_states(k2, st);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_core3(vec *k0, vec *k1, vec *k2, vec *st)
|
||||
{
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_incr3(k0, k1, k2, st);
|
||||
for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
|
||||
Hacl_Impl_Chacha20_Vec128_double_round3(k0, k1, k2);
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_sum3(k0, k1, k2, st);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_block(uint8_t *stream_block, vec *st)
|
||||
{
|
||||
KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
|
||||
vec k[4U];
|
||||
for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
|
||||
k[_i] = vec_zero();
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_core(k, st);
|
||||
Hacl_Impl_Chacha20_Vec128_State_state_to_key_block(stream_block, k);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_Vec128_init(vec *st, uint8_t *k, uint8_t *n1, uint32_t ctr)
|
||||
{
|
||||
Hacl_Impl_Chacha20_Vec128_State_state_setup(st, k, n1, ctr);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_update_last(uint8_t *output, uint8_t *plain, uint32_t len, vec *st)
|
||||
{
|
||||
uint8_t block[64U] = { 0U };
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_block(block, st);
|
||||
uint8_t *mask = block;
|
||||
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
|
||||
uint8_t xi = plain[i];
|
||||
uint8_t yi = mask[i];
|
||||
output[i] = xi ^ yi;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_store_4_vec(uint8_t *output, vec v0, vec v1, vec v2, vec v3)
|
||||
{
|
||||
uint8_t *o0 = output;
|
||||
uint8_t *o1 = output + (uint32_t)16U;
|
||||
uint8_t *o2 = output + (uint32_t)32U;
|
||||
uint8_t *o3 = output + (uint32_t)48U;
|
||||
vec_store_le(o0, v0);
|
||||
vec_store_le(o1, v1);
|
||||
vec_store_le(o2, v2);
|
||||
vec_store_le(o3, v3);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_xor_block(uint8_t *output, uint8_t *plain, vec *st)
|
||||
{
|
||||
vec p0 = vec_load_le(plain);
|
||||
vec p1 = vec_load_le(plain + (uint32_t)16U);
|
||||
vec p2 = vec_load_le(plain + (uint32_t)32U);
|
||||
vec p3 = vec_load_le(plain + (uint32_t)48U);
|
||||
vec k0 = st[0U];
|
||||
vec k1 = st[1U];
|
||||
vec k2 = st[2U];
|
||||
vec k3 = st[3U];
|
||||
vec o0 = vec_xor(p0, k0);
|
||||
vec o1 = vec_xor(p1, k1);
|
||||
vec o2 = vec_xor(p2, k2);
|
||||
vec o3 = vec_xor(p3, k3);
|
||||
Hacl_Impl_Chacha20_Vec128_store_4_vec(output, o0, o1, o2, o3);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_update(uint8_t *output, uint8_t *plain, vec *st)
|
||||
{
|
||||
KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
|
||||
vec k[4U];
|
||||
for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
|
||||
k[_i] = vec_zero();
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_core(k, st);
|
||||
Hacl_Impl_Chacha20_Vec128_xor_block(output, plain, k);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_update3(uint8_t *output, uint8_t *plain, vec *st)
|
||||
{
|
||||
KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
|
||||
vec k0[4U];
|
||||
for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
|
||||
k0[_i] = vec_zero();
|
||||
KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
|
||||
vec k1[4U];
|
||||
for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
|
||||
k1[_i] = vec_zero();
|
||||
KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
|
||||
vec k2[4U];
|
||||
for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
|
||||
k2[_i] = vec_zero();
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_core3(k0, k1, k2, st);
|
||||
uint8_t *p0 = plain;
|
||||
uint8_t *p1 = plain + (uint32_t)64U;
|
||||
uint8_t *p2 = plain + (uint32_t)128U;
|
||||
uint8_t *o0 = output;
|
||||
uint8_t *o1 = output + (uint32_t)64U;
|
||||
uint8_t *o2 = output + (uint32_t)128U;
|
||||
Hacl_Impl_Chacha20_Vec128_xor_block(o0, p0, k0);
|
||||
Hacl_Impl_Chacha20_Vec128_xor_block(o1, p1, k1);
|
||||
Hacl_Impl_Chacha20_Vec128_xor_block(o2, p2, k2);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_update3_(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
vec *st,
|
||||
uint32_t i)
|
||||
{
|
||||
uint8_t *out_block = output + (uint32_t)192U * i;
|
||||
uint8_t *plain_block = plain + (uint32_t)192U * i;
|
||||
Hacl_Impl_Chacha20_Vec128_update3(out_block, plain_block, st);
|
||||
Hacl_Impl_Chacha20_Vec128_state_incr(st);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode_blocks3(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
vec *st)
|
||||
{
|
||||
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
|
||||
Hacl_Impl_Chacha20_Vec128_update3_(output, plain, len, st, i);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode_blocks(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
vec *st)
|
||||
{
|
||||
uint32_t len3 = len / (uint32_t)3U;
|
||||
uint32_t rest3 = len % (uint32_t)3U;
|
||||
uint8_t *plain_ = plain;
|
||||
uint8_t *blocks1 = plain + (uint32_t)192U * len3;
|
||||
uint8_t *output_ = output;
|
||||
uint8_t *outs = output + (uint32_t)192U * len3;
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode_blocks3(output_, plain_, len3, st);
|
||||
if (rest3 == (uint32_t)2U) {
|
||||
uint8_t *block0 = blocks1;
|
||||
uint8_t *block1 = blocks1 + (uint32_t)64U;
|
||||
uint8_t *out0 = outs;
|
||||
uint8_t *out1 = outs + (uint32_t)64U;
|
||||
Hacl_Impl_Chacha20_Vec128_update(out0, block0, st);
|
||||
Hacl_Impl_Chacha20_Vec128_state_incr(st);
|
||||
Hacl_Impl_Chacha20_Vec128_update(out1, block1, st);
|
||||
Hacl_Impl_Chacha20_Vec128_state_incr(st);
|
||||
} else if (rest3 == (uint32_t)1U) {
|
||||
Hacl_Impl_Chacha20_Vec128_update(outs, blocks1, st);
|
||||
Hacl_Impl_Chacha20_Vec128_state_incr(st);
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
vec *st)
|
||||
{
|
||||
uint32_t blocks_len = len >> (uint32_t)6U;
|
||||
uint32_t part_len = len & (uint32_t)0x3fU;
|
||||
uint8_t *output_ = output;
|
||||
uint8_t *plain_ = plain;
|
||||
uint8_t *output__ = output + (uint32_t)64U * blocks_len;
|
||||
uint8_t *plain__ = plain + (uint32_t)64U * blocks_len;
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode_blocks(output_, plain_, blocks_len, st);
|
||||
if (part_len > (uint32_t)0U)
|
||||
Hacl_Impl_Chacha20_Vec128_update_last(output__, plain__, part_len, st);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
uint8_t *k,
|
||||
uint8_t *n1,
|
||||
uint32_t ctr)
|
||||
{
|
||||
KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
|
||||
vec buf[4U];
|
||||
for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
|
||||
buf[_i] = vec_zero();
|
||||
vec *st = buf;
|
||||
Hacl_Impl_Chacha20_Vec128_init(st, k, n1, ctr);
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode(output, plain, len, st);
|
||||
}
|
||||
|
||||
void
|
||||
Hacl_Chacha20_Vec128_chacha20(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
uint8_t *k,
|
||||
uint8_t *n1,
|
||||
uint32_t ctr)
|
||||
{
|
||||
Hacl_Impl_Chacha20_Vec128_chacha20(output, plain, len, k, n1, ctr);
|
||||
}
|
61
security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h
Normal file
61
security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h
Normal file
@ -0,0 +1,61 @@
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "kremlib.h"
|
||||
#ifndef __Hacl_Chacha20_Vec128_H
|
||||
#define __Hacl_Chacha20_Vec128_H
|
||||
|
||||
#include "vec128.h"
|
||||
|
||||
typedef uint32_t Hacl_Impl_Xor_Lemmas_u32;
|
||||
|
||||
typedef uint8_t Hacl_Impl_Xor_Lemmas_u8;
|
||||
|
||||
typedef uint32_t Hacl_Impl_Chacha20_Vec128_State_u32;
|
||||
|
||||
typedef uint32_t Hacl_Impl_Chacha20_Vec128_State_h32;
|
||||
|
||||
typedef uint8_t *Hacl_Impl_Chacha20_Vec128_State_uint8_p;
|
||||
|
||||
typedef vec *Hacl_Impl_Chacha20_Vec128_State_state;
|
||||
|
||||
typedef uint32_t Hacl_Impl_Chacha20_Vec128_u32;
|
||||
|
||||
typedef uint32_t Hacl_Impl_Chacha20_Vec128_h32;
|
||||
|
||||
typedef uint8_t *Hacl_Impl_Chacha20_Vec128_uint8_p;
|
||||
|
||||
typedef uint32_t Hacl_Impl_Chacha20_Vec128_idx;
|
||||
|
||||
typedef struct
|
||||
{
|
||||
void *k;
|
||||
void *n;
|
||||
uint32_t ctr;
|
||||
} Hacl_Impl_Chacha20_Vec128_log_t_;
|
||||
|
||||
typedef void *Hacl_Impl_Chacha20_Vec128_log_t;
|
||||
|
||||
typedef uint8_t *Hacl_Chacha20_Vec128_uint8_p;
|
||||
|
||||
void
|
||||
Hacl_Chacha20_Vec128_chacha20(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
uint8_t *k,
|
||||
uint8_t *n1,
|
||||
uint32_t ctr);
|
||||
#endif
|
345
security/nss/lib/freebl/verified/vec128.h
Normal file
345
security/nss/lib/freebl/verified/vec128.h
Normal file
@ -0,0 +1,345 @@
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#ifndef __Vec_H
|
||||
#define __Vec_H
|
||||
|
||||
#ifdef __MSVC__
|
||||
#define forceinline __forceinline inline
|
||||
#elif (defined(__GNUC__) || defined(__clang__))
|
||||
#define forceinline __attribute__((always_inline)) inline
|
||||
#else
|
||||
#define forceinline inline
|
||||
#endif
|
||||
|
||||
#if defined(__SSSE3__) || defined(__AVX2__) || defined(__AVX__)
|
||||
|
||||
#include <emmintrin.h>
|
||||
#include <tmmintrin.h>
|
||||
|
||||
#define VEC128
|
||||
#define vec_size 4
|
||||
|
||||
typedef __m128i vec;
|
||||
|
||||
static forceinline vec
|
||||
vec_rotate_left_8(vec v)
|
||||
{
|
||||
__m128i x = _mm_set_epi8(14, 13, 12, 15, 10, 9, 8, 11, 6, 5, 4, 7, 2, 1, 0, 3);
|
||||
return _mm_shuffle_epi8(v, x);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_rotate_left_16(vec v)
|
||||
{
|
||||
__m128i x = _mm_set_epi8(13, 12, 15, 14, 9, 8, 11, 10, 5, 4, 7, 6, 1, 0, 3, 2);
|
||||
return _mm_shuffle_epi8(v, x);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_rotate_left(vec v, unsigned int n)
|
||||
{
|
||||
if (n == 8)
|
||||
return vec_rotate_left_8(v);
|
||||
if (n == 16)
|
||||
return vec_rotate_left_16(v);
|
||||
return _mm_xor_si128(_mm_slli_epi32(v, n),
|
||||
_mm_srli_epi32(v, 32 - n));
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_rotate_right(vec v, unsigned int n)
|
||||
{
|
||||
return (vec_rotate_left(v, 32 - n));
|
||||
}
|
||||
|
||||
#define vec_shuffle_right(x, n) \
|
||||
_mm_shuffle_epi32(x, _MM_SHUFFLE((3 + (n)) % 4, (2 + (n)) % 4, (1 + (n)) % 4, (n) % 4))
|
||||
|
||||
#define vec_shuffle_left(x, n) vec_shuffle_right((x), 4 - (n))
|
||||
|
||||
static forceinline vec
|
||||
vec_load_32x4(uint32_t x1, uint32_t x2, uint32_t x3, uint32_t x4)
|
||||
{
|
||||
return _mm_set_epi32(x4, x3, x2, x1);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load_32x8(uint32_t x1, uint32_t x2, uint32_t x3, uint32_t x4, uint32_t x5, uint32_t x6, uint32_t x7, uint32_t x8)
|
||||
{
|
||||
return _mm_set_epi32(x4, x3, x2, x1);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load_le(const unsigned char* in)
|
||||
{
|
||||
return _mm_loadu_si128((__m128i*)(in));
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load128_le(const unsigned char* in)
|
||||
{
|
||||
return vec_load_le(in);
|
||||
}
|
||||
|
||||
static forceinline void
|
||||
vec_store_le(unsigned char* out, vec v)
|
||||
{
|
||||
_mm_storeu_si128((__m128i*)(out), v);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_add(vec v1, vec v2)
|
||||
{
|
||||
return _mm_add_epi32(v1, v2);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_add_u32(vec v1, uint32_t x)
|
||||
{
|
||||
vec v2 = vec_load_32x4(x, 0, 0, 0);
|
||||
return _mm_add_epi32(v1, v2);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_increment(vec v1)
|
||||
{
|
||||
vec one = vec_load_32x4(1, 0, 0, 0);
|
||||
return _mm_add_epi32(v1, one);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_xor(vec v1, vec v2)
|
||||
{
|
||||
return _mm_xor_si128(v1, v2);
|
||||
}
|
||||
|
||||
#define vec_zero() _mm_set_epi32(0, 0, 0, 0)
|
||||
|
||||
#elif defined(__ARM_NEON__) || defined(__ARM_NEON)
|
||||
#include <arm_neon.h>
|
||||
|
||||
typedef uint32x4_t vec;
|
||||
|
||||
static forceinline vec
|
||||
vec_xor(vec v1, vec v2)
|
||||
{
|
||||
return veorq_u32(v1, v2);
|
||||
}
|
||||
|
||||
#define vec_rotate_left(x, n) \
|
||||
vsriq_n_u32(vshlq_n_u32((x), (n)), (x), 32 - (n))
|
||||
|
||||
#define vec_rotate_right(a, b) \
|
||||
vec_rotate_left((b), 32 - (b))
|
||||
|
||||
#define vec_shuffle_right(x, n) \
|
||||
vextq_u32((x), (x), (n))
|
||||
|
||||
#define vec_shuffle_left(a, b) \
|
||||
vec_shuffle_right((a), 4 - (b))
|
||||
|
||||
static forceinline vec
|
||||
vec_load_32x4(uint32_t x1, uint32_t x2, uint32_t x3, uint32_t x4)
|
||||
{
|
||||
uint32_t a[4] = { x1, x2, x3, x4 };
|
||||
return vld1q_u32(a);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load_32(uint32_t x1)
|
||||
{
|
||||
uint32_t a[4] = { x1, x1, x1, x1 };
|
||||
return vld1q_u32(a);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load_32x8(uint32_t x1, uint32_t x2, uint32_t x3, uint32_t x4, uint32_t x5, uint32_t x6, uint32_t x7, uint32_t x8)
|
||||
{
|
||||
return vec_load_32x4(x1, x2, x3, x4);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load_le(const unsigned char* in)
|
||||
{
|
||||
return vld1q_u32((uint32_t*)in);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load128_le(const unsigned char* in)
|
||||
{
|
||||
return vec_load_le(in);
|
||||
}
|
||||
|
||||
static forceinline void
|
||||
vec_store_le(unsigned char* out, vec v)
|
||||
{
|
||||
vst1q_u32((uint32_t*)out, v);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_add(vec v1, vec v2)
|
||||
{
|
||||
return vaddq_u32(v1, v2);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_add_u32(vec v1, uint32_t x)
|
||||
{
|
||||
vec v2 = vec_load_32x4(x, 0, 0, 0);
|
||||
return vec_add(v1, v2);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_increment(vec v1)
|
||||
{
|
||||
vec one = vec_load_32x4(1, 0, 0, 0);
|
||||
return vec_add(v1, one);
|
||||
}
|
||||
|
||||
#define vec_zero() vec_load_32x4(0, 0, 0, 0)
|
||||
|
||||
#else
|
||||
|
||||
#define VEC128
|
||||
#define vec_size 4
|
||||
|
||||
typedef struct {
|
||||
uint32_t v[4];
|
||||
} vec;
|
||||
|
||||
static forceinline vec
|
||||
vec_xor(vec v1, vec v2)
|
||||
{
|
||||
vec r;
|
||||
r.v[0] = v1.v[0] ^ v2.v[0];
|
||||
r.v[1] = v1.v[1] ^ v2.v[1];
|
||||
r.v[2] = v1.v[2] ^ v2.v[2];
|
||||
r.v[3] = v1.v[3] ^ v2.v[3];
|
||||
return r;
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_rotate_left(vec v, unsigned int n)
|
||||
{
|
||||
vec r;
|
||||
r.v[0] = (v.v[0] << n) ^ (v.v[0] >> (32 - n));
|
||||
r.v[1] = (v.v[1] << n) ^ (v.v[1] >> (32 - n));
|
||||
r.v[2] = (v.v[2] << n) ^ (v.v[2] >> (32 - n));
|
||||
r.v[3] = (v.v[3] << n) ^ (v.v[3] >> (32 - n));
|
||||
return r;
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_rotate_right(vec v, unsigned int n)
|
||||
{
|
||||
return (vec_rotate_left(v, 32 - n));
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_shuffle_right(vec v, unsigned int n)
|
||||
{
|
||||
vec r;
|
||||
r.v[0] = v.v[n % 4];
|
||||
r.v[1] = v.v[(n + 1) % 4];
|
||||
r.v[2] = v.v[(n + 2) % 4];
|
||||
r.v[3] = v.v[(n + 3) % 4];
|
||||
return r;
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_shuffle_left(vec x, unsigned int n)
|
||||
{
|
||||
return vec_shuffle_right(x, 4 - n);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load_32x4(uint32_t x0, uint32_t x1, uint32_t x2, uint32_t x3)
|
||||
{
|
||||
vec v;
|
||||
v.v[0] = x0;
|
||||
v.v[1] = x1;
|
||||
v.v[2] = x2;
|
||||
v.v[3] = x3;
|
||||
return v;
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load_32(uint32_t x0)
|
||||
{
|
||||
vec v;
|
||||
v.v[0] = x0;
|
||||
v.v[1] = x0;
|
||||
v.v[2] = x0;
|
||||
v.v[3] = x0;
|
||||
return v;
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load_le(const uint8_t* in)
|
||||
{
|
||||
vec r;
|
||||
r.v[0] = load32_le((uint8_t*)in);
|
||||
r.v[1] = load32_le((uint8_t*)in + 4);
|
||||
r.v[2] = load32_le((uint8_t*)in + 8);
|
||||
r.v[3] = load32_le((uint8_t*)in + 12);
|
||||
return r;
|
||||
}
|
||||
|
||||
static forceinline void
|
||||
vec_store_le(unsigned char* out, vec r)
|
||||
{
|
||||
store32_le(out, r.v[0]);
|
||||
store32_le(out + 4, r.v[1]);
|
||||
store32_le(out + 8, r.v[2]);
|
||||
store32_le(out + 12, r.v[3]);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_load128_le(const unsigned char* in)
|
||||
{
|
||||
return vec_load_le(in);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_add(vec v1, vec v2)
|
||||
{
|
||||
vec r;
|
||||
r.v[0] = v1.v[0] + v2.v[0];
|
||||
r.v[1] = v1.v[1] + v2.v[1];
|
||||
r.v[2] = v1.v[2] + v2.v[2];
|
||||
r.v[3] = v1.v[3] + v2.v[3];
|
||||
return r;
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_add_u32(vec v1, uint32_t x)
|
||||
{
|
||||
vec v2 = vec_load_32x4(x, 0, 0, 0);
|
||||
return vec_add(v1, v2);
|
||||
}
|
||||
|
||||
static forceinline vec
|
||||
vec_increment(vec v1)
|
||||
{
|
||||
vec one = vec_load_32x4(1, 0, 0, 0);
|
||||
return vec_add(v1, one);
|
||||
}
|
||||
|
||||
#define vec_zero() vec_load_32x4(0, 0, 0, 0)
|
||||
|
||||
#endif
|
||||
|
||||
#endif
|
@ -123,6 +123,7 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
|
||||
rvSlot->isPresentLock = PZ_NewLock(nssiLockOther);
|
||||
rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock);
|
||||
rvSlot->inIsPresent = PR_FALSE;
|
||||
rvSlot->lastTokenPingState = nssSlotLastPingState_Reset;
|
||||
return rvSlot;
|
||||
}
|
||||
|
||||
|
@ -636,7 +636,7 @@ PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
|
||||
break;
|
||||
}
|
||||
if (rv == SECSuccess) {
|
||||
if (!PK11_IsFriendly(slot)) {
|
||||
if (!contextSpecific && !PK11_IsFriendly(slot)) {
|
||||
nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
|
||||
slot->nssToken);
|
||||
}
|
||||
|
@ -164,6 +164,7 @@ CERTCertificate *PK11_MakeCertFromHandle(PK11SlotInfo *slot,
|
||||
SECItem *pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen);
|
||||
SECItem *pk11_ParamFromIVWithLen(CK_MECHANISM_TYPE type,
|
||||
SECItem *iv, int keyLen);
|
||||
SECItem *pk11_mkcertKeyID(CERTCertificate *cert);
|
||||
|
||||
SEC_END_PROTOS
|
||||
|
||||
|
@ -923,9 +923,11 @@ nssPKIObjectCollection_AddInstanceAsObject(
|
||||
return PR_FAILURE;
|
||||
}
|
||||
if (!node->haveObject) {
|
||||
nssPKIObject *original = node->object;
|
||||
node->object = (*collection->createObject)(node->object);
|
||||
if (!node->object) {
|
||||
/*remove bogus object from list*/
|
||||
nssPKIObject_Destroy(original);
|
||||
nssPKIObjectCollection_RemoveNode(collection, node);
|
||||
return PR_FAILURE;
|
||||
}
|
||||
|
37
security/nss/nss-tool/hw-support.c
Normal file
37
security/nss/nss-tool/hw-support.c
Normal file
@ -0,0 +1,37 @@
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifdef FREEBL_NO_DEPEND
|
||||
#include "stubs.h"
|
||||
#endif
|
||||
|
||||
/* This is a freebl command line utility that prints hardware support as freebl
|
||||
* sees it from its detection in blinit.c
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#include "blapi.h"
|
||||
#include "blapii.h"
|
||||
#include "nss.h"
|
||||
|
||||
int main(int argc, char const *argv[]) {
|
||||
BL_Init();
|
||||
printf("\n\n ========== NSS Hardware Report ==========\n");
|
||||
#if defined(NSS_X86_OR_X64)
|
||||
printf("\tAES-NI \t%s supported\n", aesni_support() ? "" : "not");
|
||||
printf("\tPCLMUL \t%s supported\n", clmul_support() ? "" : "not");
|
||||
printf("\tAVX \t%s supported\n", avx_support() ? "" : "not");
|
||||
printf("\tSSSE3 \t%s supported\n", ssse3_support() ? "" : "not");
|
||||
#elif defined(__aarch64__) || defined(__arm__)
|
||||
printf("\tNEON \t%s supported\n", arm_neon_support() ? "" : "not");
|
||||
printf("\tAES \t%s supported\n", arm_aes_support() ? "" : "not");
|
||||
printf("\tPMULL \t%s supported\n", arm_pmull_support() ? "" : "not");
|
||||
printf("\tSHA1 \t%s supported\n", arm_sha1_support() ? "" : "not");
|
||||
printf("\tSHA2 \t%s supported\n", arm_sha2_support() ? "" : "not");
|
||||
#endif
|
||||
printf(" ========== Hardware Report End ==========\n\n\n");
|
||||
BL_Cleanup();
|
||||
return 0;
|
||||
}
|
@ -26,6 +26,43 @@
|
||||
'<(DEPTH)/exports.gyp:dbm_exports',
|
||||
'<(DEPTH)/exports.gyp:nss_exports',
|
||||
],
|
||||
}
|
||||
},
|
||||
{
|
||||
'target_name': 'hw-support',
|
||||
'type': 'executable',
|
||||
'sources': [
|
||||
'hw-support.c',
|
||||
],
|
||||
'conditions': [
|
||||
[ 'OS=="win"', {
|
||||
'libraries': [
|
||||
'advapi32.lib',
|
||||
],
|
||||
}],
|
||||
],
|
||||
'dependencies' : [
|
||||
'<(DEPTH)/exports.gyp:nss_exports',
|
||||
'<(DEPTH)/lib/util/util.gyp:nssutil3',
|
||||
'<(DEPTH)/lib/nss/nss.gyp:nss_static',
|
||||
'<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
|
||||
'<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
|
||||
'<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
|
||||
'<(DEPTH)/lib/certdb/certdb.gyp:certdb',
|
||||
'<(DEPTH)/lib/base/base.gyp:nssb',
|
||||
'<(DEPTH)/lib/dev/dev.gyp:nssdev',
|
||||
'<(DEPTH)/lib/pki/pki.gyp:nsspki',
|
||||
],
|
||||
'include_dirs': [
|
||||
'<(DEPTH)/lib/freebl',
|
||||
'<(DEPTH)/lib/freebl/mpi',
|
||||
],
|
||||
'defines': [
|
||||
'NSS_USE_STATIC_LIBS'
|
||||
],
|
||||
'variables': {
|
||||
'module': 'nss',
|
||||
'use_static_libs': 1
|
||||
},
|
||||
},
|
||||
],
|
||||
}
|
||||
|
@ -107,6 +107,7 @@
|
||||
'cmd/ssltap/ssltap.gyp:ssltap',
|
||||
'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
|
||||
'nss-tool/nss_tool.gyp:nss',
|
||||
'nss-tool/nss_tool.gyp:hw-support',
|
||||
],
|
||||
}],
|
||||
],
|
||||
@ -123,7 +124,6 @@
|
||||
'cmd/atob/atob.gyp:atob',
|
||||
'cmd/bltest/bltest.gyp:bltest',
|
||||
'cmd/btoa/btoa.gyp:btoa',
|
||||
'cmd/certcgi/certcgi.gyp:certcgi',
|
||||
'cmd/chktest/chktest.gyp:chktest',
|
||||
'cmd/crmftest/crmftest.gyp:crmftest',
|
||||
'cmd/dbtest/dbtest.gyp:dbtest',
|
||||
|
@ -325,6 +325,11 @@ NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"
|
||||
ENV_BACKUP=${HOSTDIR}/env.sh
|
||||
env_backup > ${ENV_BACKUP}
|
||||
|
||||
# Print hardware support if we built it.
|
||||
if [ -f ${BINDIR}/hw-support ]; then
|
||||
${BINDIR}/hw-support
|
||||
fi
|
||||
|
||||
if [ "${O_CRON}" = "ON" ]; then
|
||||
run_cycles >> ${LOGFILE}
|
||||
else
|
||||
|
@ -25,7 +25,7 @@ bogo_init()
|
||||
BORING=${BORING:=boringssl}
|
||||
if [ ! -d "$BORING" ]; then
|
||||
git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
|
||||
git -C "$BORING" checkout -q bbfe603519bc54fbc4c8dd87efe1ed385df550b4
|
||||
git -C "$BORING" checkout -q a513e86c1ebb1383930c9e504bdabcc302a85f30
|
||||
fi
|
||||
|
||||
SCRIPTNAME="bogo.sh"
|
||||
|
@ -30,6 +30,8 @@ if [ -z "${CLEANUP}" -o "${CLEANUP}" = "${SCRIPTNAME}" ]; then
|
||||
echo "NSS_DISABLE_HW_AES=${NSS_DISABLE_HW_AES}"
|
||||
echo "NSS_DISABLE_PCLMUL=${NSS_DISABLE_PCLMUL}"
|
||||
echo "NSS_DISABLE_AVX=${NSS_DISABLE_AVX}"
|
||||
echo "NSS_DISABLE_ARM_NEON=${NSS_DISABLE_ARM_NEON}"
|
||||
echo "NSS_DISABLE_SSSE3=${NSS_DISABLE_SSSE3}"
|
||||
echo
|
||||
echo "Tests summary:"
|
||||
echo "--------------"
|
||||
|
Loading…
Reference in New Issue
Block a user