path: root/gtests

Commit log for gtests, newest first. Each entry gives the commit message (release tags in brackets), author, date, number of files changed, and lines removed/added.
* Bug 1831983 - Add a constant time select function. r=mt
  [HEAD, master] John M. Schanck, 2023-05-17, 3 files, -0/+57
  Differential Revision: https://phabricator.services.mozilla.com/D177803
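Added illustration, not NSS's code and not the function this commit adds (its name and signature are not shown on this page): a constant-time select over byte buffers, together with the mask construction and the constant-time compare that usually accompany it. All identifiers (value_barrier, ct_mask_u8, ct_equal, ct_select, ct_selftest) and the sample inputs are this example's own.

```c
/* Added example (not NSS's code): constant-time select over byte buffers. */
#include <stddef.h>
#include <stdint.h>

/* Hide a value from the optimizer so the (x & m) | (y & ~m) below is not
 * rewritten into a conditional branch on the secret condition. */
static unsigned int value_barrier(unsigned int v)
{
#if defined(__GNUC__) || defined(__clang__)
    __asm__ volatile("" : "+r"(v));
#else
    volatile unsigned int hidden = v;
    v = hidden;
#endif
    return v;
}

/* Expand a 0/1 condition into an all-zero / all-one byte mask without a
 * branch: -(1) truncated to 8 bits is 0xFF, -(0) is 0x00. */
static uint8_t ct_mask_u8(unsigned int cond)
{
    return (uint8_t)(-(value_barrier(cond) & 1u));
}

/* Constant-time comparison: 1 if a and b agree over len bytes, else 0.
 * Every byte is visited regardless of where the first difference lies. */
static unsigned int ct_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= (uint32_t)(a[i] ^ b[i]);
    }
    /* acc is 0 iff equal; (acc - 1) >> 31 is 1 only when acc == 0. */
    return (unsigned int)(((acc - 1u) >> 31) & 1u);
}

/* Copy a into out when cond is 1, b into out when cond is 0. Both inputs
 * are read in full and no branch depends on cond or on the data. */
static void ct_select(unsigned int cond, const uint8_t *a, const uint8_t *b,
                      uint8_t *out, size_t len)
{
    uint8_t m = ct_mask_u8(cond);
    for (size_t i = 0; i < len; i++) {
        out[i] = (uint8_t)((a[i] & m) | (b[i] & (uint8_t)~m));
    }
}

/* Self-check on constructed inputs (not real key material): the classic
 * use is a receiver that keeps the real plaintext when a padding check
 * passes and a random decoy otherwise, so the outcome does not leak
 * through timing. Returns 1 on success. */
static int ct_selftest(void)
{
    static const uint8_t real[4]  = { 0x01, 0x02, 0x03, 0x04 };
    static const uint8_t decoy[4] = { 0x99, 0x99, 0x99, 0x99 };
    uint8_t out[4];

    ct_select(1, real, decoy, out, sizeof out);      /* "padding valid" */
    if (!ct_equal(out, real, sizeof out)) return 0;
    ct_select(0, real, decoy, out, sizeof out);      /* "padding invalid" */
    if (!ct_equal(out, decoy, sizeof out)) return 0;
    if (ct_equal(real, decoy, sizeof out)) return 0;
    return 1;
}
```

The barrier matters: without it an optimizer is free to turn the mask arithmetic back into a conditional move or branch on the secret condition, so the generated object code, not the source, is what to inspect before relying on constant-time behaviour.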
* Bug 1786018 - Add explicit handling of zero length records. r=mt
  Dennis Jackson, 2023-05-05, 1 file, -14/+32
  This is based on the patch developed by Leander in D157183, but is a little more explicit.
  Co-Authored-By: Leander Schwarz
  Differential Revision: https://phabricator.services.mozilla.com/D176157

* Bug 1829391 - Tidy up DTLS ACK Error Handling Path. r=mt
  Dennis Jackson, 2023-05-05, 1 file, -2/+2
  Differential Revision: https://phabricator.services.mozilla.com/D176156

* Bug 1786018 - Refactor zero length record tests. r=mt
  Dennis Jackson, 2023-05-05, 1 file, -33/+55
  This ensures we properly test the different DTLS / TLS versions and makes the expected behaviour explicit.
  Differential Revision: https://phabricator.services.mozilla.com/D176155

* Bug 1829112 - Fix compiler warning via correct assert. r=nkulatova.
  Dennis Jackson, 2023-05-05, 1 file, -4/+4
  Differential Revision: https://phabricator.services.mozilla.com/D176056
* Bug 1767883 - Need to add policy control to keys lengths for signatures. r=nss-reviewers
  Robert Relyea, 2023-03-03, 2 files, -3/+32

  There are three changes in the patch which are related to key length processing:

  Change RSA_MIN_MODULUS_BITS in blapit.h from 128 to 1023. This necessitated changes to the following tests:
  - testcrmf.c: up the generated key for the test from 512 to 1024.
  - pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (the largest hash we support is 512, which fits in an RSA key less than 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now).
  - tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event.
  - pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken.

  Expand the meaning of NSS_XXX_MIN_KEY_SIZE beyond its use in SSL (add a new flag adding the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes:
  - New utility functions in seckey.c: SECKEY_PrivateKeyStrengthInBits(), the private key equivalent to SECKEY_PublicKeyStrengthInBits() (this function could be exported globally, but isn't in this patch); seckey_EnforceKeySize(), which takes a key type and a length and makes sure that length falls into the range set by policy.
  - secsign.c and secvfy.c: add policy length check where we check the other policy flags.
  - nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior).
  - pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS.
  - ssl3con.c: use the flags to decide if the policy lengths are active for SSL.
  - policy.txt: Test that the new policy flags are parsed correctly.
  - sslpolicy.txt: Add tests to make sure the policy flags are functioning.

  Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).

  The previous attempt to push failed because the pk11_rsapkcs1_unittest.cc change was eaten in the merge.
  Differential Revision: https://phabricator.services.mozilla.com/D146341
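Added example, not NSS's code: the key-length policy decision the message above describes, in the shape a check like seckey_EnforceKeySize would take. The key_policy struct, the KEY_OP_* flag values and the selftest are hypothetical stand-ins for NSS_KEY_SIZE_POLICY_FLAGS and the NSS_*_MIN_KEY_SIZE options; only RSA_MIN_MODULUS_BITS = 1023 and the legacy verification sizes 1024..1792 step 256 are taken from the message.

```c
/* Added example (not NSS's code): per-operation key-size policy check.
 * Flag names, values and the key_policy struct are hypothetical. */
#include <stdbool.h>

#define RSA_MIN_MODULUS_BITS 1023u  /* hard floor from blapit.h; softoken refuses smaller keys */

enum key_op { KEY_OP_SSL = 1, KEY_OP_VERIFY = 2, KEY_OP_SIGN = 4 }; /* hypothetical flag values */
enum key_kind { KEY_RSA, KEY_DH, KEY_ECC };

struct key_policy {
    unsigned int flags;         /* operations the minimums apply to (SSL only by default) */
    unsigned int rsa_min_bits;  /* stands in for NSS_RSA_MIN_KEY_SIZE */
    unsigned int dh_min_bits;   /* stands in for NSS_DH_MIN_KEY_SIZE */
    unsigned int ecc_min_bits;  /* stands in for NSS_ECC_MIN_KEY_SIZE */
    bool fips_legacy_verify;    /* permit FIPS 140-3 legacy verification sizes */
};

/* FIPS 140-3 legacy RSA verification sizes quoted above: 1024..1792 step 256. */
static bool fips_legacy_verify_size(unsigned int bits)
{
    return bits >= 1024 && bits <= 1792 && (bits - 1024) % 256 == 0;
}

/* True if a key of `bits` bits may be used for `op` under policy `p`. */
static bool key_size_allowed(const struct key_policy *p, enum key_kind kind,
                             unsigned int bits, enum key_op op)
{
    /* The modulus floor is not policy: below it the key cannot exist in softoken. */
    if (kind == KEY_RSA && bits < RSA_MIN_MODULUS_BITS)
        return false;
    /* Policy minimums only bite for the operations the flags select. */
    if (!(p->flags & (unsigned int)op))
        return true;
    unsigned int min = kind == KEY_RSA ? p->rsa_min_bits
                     : kind == KEY_DH  ? p->dh_min_bits
                                       : p->ecc_min_bits;
    if (bits >= min)
        return true;
    /* Verification may accept legacy sizes that signing must refuse. */
    if (op == KEY_OP_VERIFY && kind == KEY_RSA && p->fips_legacy_verify)
        return fips_legacy_verify_size(bits);
    return false;
}

/* Self-check: a strict FIPS-style policy (sign only with >= 2048, still verify
 * 1024) beside a default-like policy that constrains SSL only. Returns 1. */
static int key_policy_selftest(void)
{
    const struct key_policy strict   = { KEY_OP_SSL | KEY_OP_VERIFY | KEY_OP_SIGN, 2048, 2048, 256, true };
    const struct key_policy ssl_only = { KEY_OP_SSL, 2048, 2048, 256, false };

    if (key_size_allowed(&strict, KEY_RSA, 1024, KEY_OP_SIGN))    return 0; /* cannot sign with 1024 */
    if (!key_size_allowed(&strict, KEY_RSA, 1024, KEY_OP_VERIFY)) return 0; /* legacy verify allowed */
    if (key_size_allowed(&strict, KEY_RSA, 1100, KEY_OP_VERIFY))  return 0; /* not a legacy size */
    if (!key_size_allowed(&strict, KEY_RSA, 2048, KEY_OP_SIGN))   return 0;
    if (key_size_allowed(&strict, KEY_RSA, 512, KEY_OP_VERIFY))   return 0; /* below the hard floor */
    if (!key_size_allowed(&ssl_only, KEY_RSA, 1024, KEY_OP_SIGN)) return 0; /* policy inactive for SIGN */
    if (key_size_allowed(&ssl_only, KEY_RSA, 1024, KEY_OP_SSL))   return 0; /* but active for SSL */
    if (!key_size_allowed(&strict, KEY_ECC, 256, KEY_OP_SIGN))    return 0;
    return 1;
}
```

The split between the hard floor and the policy minimum is the point: the floor decides whether a key can be generated or imported at all, while the flags decide which operations the configurable minimum is enforced for, which is what lets verification of old 1024-bit signatures survive a policy that forbids producing new ones.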
* Bug 1820175 - Fix various compiler warnings in NSS. r=jschanck.
  Dennis Jackson, 2023-03-03, 3 files, -29/+7
  Differential Revision: https://phabricator.services.mozilla.com/D171581

* Backed out changeset 761e7d215e0a for causing gtest failures
  [NSS_3_89_BETA1] John M. Schanck, 2023-03-02, 1 file, -24/+2
* Bug 1767883 Need to add policy control to keys lengths for signatures.
  Robert Relyea, 2022-12-19, 1 file, -2/+24

  There are three changes in the patch which are related to key length processing:

  Change RSA_MIN_MODULUS_BITS in blapit.h from 128 to 1023. This necessitated changes to the following tests:
  - testcrmf.c: up the generated key for the test from 512 to 1024.
  - pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (the largest hash we support is 512, which fits in an RSA key less than 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now).
  - tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event.
  - pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken.

  Expand the meaning of NSS_XXX_MIN_KEY_SIZE beyond its use in SSL (add a new flag adding the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes:
  - New utility functions in seckey.c: SECKEY_PrivateKeyStrengthInBits(), the private key equivalent to SECKEY_PublicKeyStrengthInBits() (this function could be exported globally, but isn't in this patch); seckey_EnforceKeySize(), which takes a key type and a length and makes sure that length falls into the range set by policy.
  - secsign.c and secvfy.c: add policy length check where we check the other policy flags.
  - nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior).
  - pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS.
  - ssl3con.c: use the flags to decide if the policy lengths are active for SSL.
  - policy.txt: Test that the new policy flags are parsed correctly.
  - sslpolicy.txt: Add tests to make sure the policy flags are functioning.

  Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).
  Differential Revision: https://phabricator.services.mozilla.com/D146341
* Fix formatting in ssl_extension_unittest.cc
  Dennis Jackson, 2023-02-23, 1 file, -2/+2
* Bug 1815167: Tolerate certificate_authorities xtn in ClientHello. r=mt,nss-reviewers
  Dennis Jackson, 2023-02-22, 1 file, -0/+18
  Differential Revision: https://phabricator.services.mozilla.com/D169918

* Bug 1789436: Fix build failure on Windows. r=bbeurdouche
  Dennis Jackson, 2023-02-20, 1 file, -0/+28
  Differential Revision: https://phabricator.services.mozilla.com/D170360

* Bug 1570615: Add interop tests for HRR and PSK to GREASE suite. r=mt
  Dennis Jackson, 2023-02-15, 1 file, -0/+46
  Differential Revision: https://phabricator.services.mozilla.com/D169622
* Bug 1570615: Add presence/absence tests for TLS GREASE. r=mt
  Dennis Jackson, 2023-02-15, 3 files, -7/+372

  This patch adds tests to check that we correctly add GREASE codepoints in the permitted locations (when enabled and using TLS1.3 or higher) and that we do not add any codepoints if disabled or negotiating an earlier version of TLS.

  The tests check:

  For ClientHello:
  - 1 codepoint is added to ciphersuites, name groups, key share, sig algs, supported versions, psk exchange methods, ALPN.
  - A 0-byte and a 1-byte GREASE extension is added.

  For CertificateRequests:
  - 1 codepoint is added to the sig alg extension.
  - 1 0-byte GREASE extension is added.

  For NewSessionTicket:
  - 1 1-byte GREASE extension is added.

  Differential Revision: https://phabricator.services.mozilla.com/D169621
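Added example, not NSS's code or its tests: the RFC 8701 GREASE value rules, plus a scanner that counts GREASE extensions in a ClientHello extensions block, which is the kind of presence/absence check the tests above perform. The extensions-block sample is constructed and the function names are this example's own.

```c
/* Added example (not NSS's code): RFC 8701 GREASE values and a ClientHello
 * extensions-block scanner that reports how many GREASE extensions appear. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* RFC 8701 §2: the 16 reserved 16-bit values 0x0A0A, 0x1A1A, ..., 0xFAFA,
 * used for cipher suites, extensions, named groups, signature algorithms
 * and supported versions. */
static bool is_grease16(uint16_t v)
{
    return (v & 0x0F0F) == 0x0A0A && ((v >> 12) & 0x0F) == ((v >> 4) & 0x0F);
}

/* The i-th (0..15) GREASE value; i would come from a CSPRNG in practice. */
static uint16_t grease16(unsigned int i)
{
    uint16_t n = (uint16_t)(i & 0x0F);
    return (uint16_t)(0x0A0A | (n << 12) | (n << 4));
}

/* RFC 8701 §2: the 8 reserved psk_key_exchange_modes values 0x0B, 0x2A, ..., 0xE4. */
static bool is_grease_psk_mode(uint8_t v)
{
    return v >= 0x0B && v <= 0xE4 && (v - 0x0B) % 0x1F == 0;
}

/* Number of GREASE values in a vector of 16-bit codepoints (cipher_suites,
 * supported_groups, signature_algorithms, ...). A sender that enabled
 * GREASE for TLS 1.3 should produce exactly 1; a TLS 1.2 sender exactly 0. */
static size_t count_grease16(const uint16_t *list, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += is_grease16(list[i]);
    return c;
}

/* Walk an extensions block (2-byte total length, then type(2) length(2) data
 * entries). Records the length of each GREASE extension in lens[] (up to cap)
 * and returns how many were found, or -1 on malformed input. */
static int scan_grease_extensions(const uint8_t *buf, size_t n, size_t *lens, size_t cap)
{
    if (n < 2) return -1;
    size_t total = ((size_t)buf[0] << 8) | buf[1];
    if (total != n - 2) return -1;
    size_t i = 2, found = 0;
    while (i < n) {
        if (n - i < 4) return -1;
        uint16_t type = (uint16_t)((buf[i] << 8) | buf[i + 1]);
        size_t len = ((size_t)buf[i + 2] << 8) | buf[i + 3];
        i += 4;
        if (len > n - i) return -1;
        if (is_grease16(type)) {
            if (found < cap) lens[found] = len;
            found++;
        }
        i += len;
    }
    return (int)found;
}

/* Constructed sample: a 0-byte GREASE extension, supported_versions offering
 * TLS 1.3, and a 1-byte GREASE extension (two distinct GREASE types, since
 * extension types must not repeat). */
static const uint8_t sample_ch_extensions[] = {
    0x00, 0x10,                                /* extensions length = 16 */
    0x2A, 0x2A, 0x00, 0x00,                    /* GREASE extension, 0 bytes */
    0x00, 0x2B, 0x00, 0x03, 0x02, 0x03, 0x04,  /* supported_versions: [0x0304] */
    0x4A, 0x4A, 0x00, 0x01, 0x00               /* GREASE extension, 1 byte */
};

/* Self-check mirroring the ClientHello expectations above. Returns 1. */
static int grease_selftest(void)
{
    static const uint16_t suites[] = { 0x7A7A, 0x1301, 0x1302, 0x1303 };
    size_t lens[4];
    if (count_grease16(suites, 4) != 1) return 0;
    int n = scan_grease_extensions(sample_ch_extensions, sizeof sample_ch_extensions, lens, 4);
    if (n != 2 || lens[0] != 0 || lens[1] != 1) return 0;
    if (!is_grease_psk_mode(0x2A) || is_grease_psk_mode(0x01)) return 0;
    return 1;
}
```

On the receiving side the same predicate is what a peer must apply in reverse: a GREASE codepoint is to be ignored like any other unknown value, never treated as a negotiation error, which is what the interop tests in the neighbouring commits exercise.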
* Bug 1789436 - CH extension permutation. r=djackson
  Leander Schwarz, 2023-02-15, 6 files, -0/+113
  Depends on D161806
  Differential Revision: https://phabricator.services.mozilla.com/D163078

* Bug 1570615: TLS GREASE (RFC8701) r=djackson
  Leander Schwarz, 2023-02-15, 10 files, -120/+640
  Differential Revision: https://phabricator.services.mozilla.com/D161806
* Bug 1212915 - Add check for ClientHello SID max length. This is tested by Bogo tests Server-TooLongSessionID-TLS1*. r=djackson
  [NSS_3_88_BETA1] Leander Schwarz, 2023-01-16, 1 file, -1/+0
  Depends on D147675
  Differential Revision: https://phabricator.services.mozilla.com/D147726

* Bug 1771100 - Added EarlyData ALPN test support to BoGo shim. r=djackson
  Leander Schwarz, 2023-01-16, 2 files, -42/+131
  Differential Revision: https://phabricator.services.mozilla.com/D157290

* Bug 1790357: ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup. r=djackson
  Leander Schwarz, 2023-01-16, 1 file, -4/+33
  Differential Revision: https://phabricator.services.mozilla.com/D157110

* Bug 1714245 - On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm. r=djackson
  Leander Schwarz, 2023-01-16, 1 file, -1/+0
  Differential Revision: https://phabricator.services.mozilla.com/D156660

* Bug 1789410 - ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test. r=djackson
  Leander Schwarz, 2023-01-16, 2 files, -3/+11
  Differential Revision: https://phabricator.services.mozilla.com/D156565

* Bug 1771100 - Added Bogo ECH rejection test support. r=djackson
  Leander Schwarz, 2023-01-16, 2 files, -9/+67
  Differential Revision: https://phabricator.services.mozilla.com/D154631

* Bug 1771100 - Added ECH 0Rtt support to BoGo shim. r=djackson
  Leander Schwarz, 2023-01-16, 3 files, -5/+109
  Differential Revision: https://phabricator.services.mozilla.com/D154209
* Bug 1747957 - RSA OAEP Wycheproof JSON, r=jschanck
  Martin Thomson, 2023-01-12, 26 files, -7834/+14449
  Depends on D134922
  Differential Revision: https://phabricator.services.mozilla.com/D134923

* Bug 1747957 - RSA decrypt Wycheproof JSON, r=jschanck
  Martin Thomson, 2023-01-12, 11 files, -27327/+5935
  Depends on D134921
  Differential Revision: https://phabricator.services.mozilla.com/D134922

* Bug 1747957 - ECDSA Wycheproof JSON, r=jschanck
  Martin Thomson, 2023-01-12, 10 files, -32339/+24352
  Depends on D134920
  Differential Revision: https://phabricator.services.mozilla.com/D134921

* Bug 1747957 - ECDH Wycheproof JSON, r=jschanck
  Martin Thomson, 2023-01-12, 5 files, -51862/+194
  Depends on D134886
  Differential Revision: https://phabricator.services.mozilla.com/D134920

* Bug 1747957 - PKCS#1v1.5 wycheproof json, r=nss-reviewers,nkulatova
  Martin Thomson, 2023-01-12, 20 files, -87156/+19489
  Depends on D134853
  Differential Revision: https://phabricator.services.mozilla.com/D134886

* Bug 1747957 - Use X25519 wycheproof json, r=nss-reviewers,jschanck
  Martin Thomson, 2023-01-12, 11 files, -11713/+508
  Depends on D134846
  Differential Revision: https://phabricator.services.mozilla.com/D134853
* Bug 1792821 - Updating the clang-format version to 10. r=jschanck
  Anna Weine, 2022-10-07, 25 files, -89/+81
  Differential Revision: https://phabricator.services.mozilla.com/D158323
* Bug 1771100 - Added bug reference and description to disabled *UnsolicitedServerNameAck bogo ECH test. r=djackson
  Leander Schwarz, 2022-08-26, 1 file, -1/+1
  Differential Revision: https://phabricator.services.mozilla.com/D152739

* Bug 1779361 - Removed skipping of ECH on equality of private and public SNI server name. r=djackson
  Leander Schwarz, 2022-08-26, 1 file, -1/+1
  Differential Revision: https://phabricator.services.mozilla.com/D151696

* Bug 1779357 - Added comment and bug reference to *ECH*RandomHRRExtension bogo test. r=djackson
  Leander Schwarz, 2022-08-26, 1 file, -1/+1
  Differential Revision: https://phabricator.services.mozilla.com/D151695

* Bug 1779370 - Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR. r=djackson
  Leander Schwarz, 2022-08-26, 2 files, -1/+13
  Differential Revision: https://phabricator.services.mozilla.com/D151692
* Bug 1779234 - Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing. r=djackson
  Leander Schwarz, 2022-08-26, 2 files, -2/+4

  The following bogo tests test the changed behavior:
  - TLS-ECH-GREASE-Client-TLS12-RejectRetryConfigs
  - TLS-ECH-Client-TLS12-RejectRetryConfigs
    This and the above test test correct rejection of a TLS 1.2 server ECH extension with retry configs (outside EncryptedExtensions).
  - TLS-ECH-Client-Accept-RejectRetryConfigs
    Tests correct rejection of retry configs received even though ECH was accepted by the server.
  - TLS-ECH-Client-SelectECHConfig
    Tests correct skipping of unsupported (mandatory extension) configs.

  Differential Revision: https://phabricator.services.mozilla.com/D151607
* Bug 1771100 - Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo. r=djackson
  Leander Schwarz, 2022-08-26, 2 files, -13/+49
  Differential Revision: https://phabricator.services.mozilla.com/D151489

* Bug 1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs. r=djackson
  Leander Schwarz, 2022-08-26, 2 files, -1/+10
  Differential Revision: https://phabricator.services.mozilla.com/D153479
* Bug 1771100 - Update BoGo tests to recent BoringSSL version. r=djackson
  Leander Schwarz, 2022-08-26, 2 files, -69/+90

  It was required to update the docker-interop image to ubuntu 20.04 since a newer Go release was required for the BoGo tests to run.

  See nss/gtests/nss_bogo_shim/config.json for a list of disabled BoGo tests, including short descriptions/bug links.

  A -loose-local-errors flag was added to Bogo (runner.go) to allow usage of more tests by ignoring differences in local errors on the Go side of test connections, similar to the remote error 'suppression' used. The code is patched into the BoGo runner after cloning in nss/tests/bogo/bogo.sh and can be found in nss/gtests/nss_bogo_shim/nss_loose_local_errors.patch.

  Differential Revision: https://phabricator.services.mozilla.com/D147675
* Bug 1784724 - Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite. r=bbeurdouche,nss-reviewers
  Mike Hommey, 2022-08-15, 1 file, -3/+3
  Differential Revision: https://phabricator.services.mozilla.com/D154594
* Bug 1681099, pk11wrap: Tighten certificate lookup based on PKCS #11 URI, r=kjacobs,rrelyea
  Daiki Ueno, 2022-07-26, 2 files, -24/+234

  Previously we only used the "object" attribute (mapped to CKA_LABEL) to find certificates by PKCS #11 URI. This updates the logic to match also with "id" (mapped to CKA_ID) and reject the request if a "type" attribute is present with a value other than "cert".

  Note: as "id" may not be null-terminated, the PKCS #11 URI API had to be revamped to allow binary blobs. This is still not perfect because PK11URIAttribute doesn't have a length field of value.

  Differential Revision: https://phabricator.services.mozilla.com/D98940
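Added example, not NSS's code: a small RFC 7512 path-attribute parser that keeps "id" as a length-delimited binary blob, and a matcher that applies the three rules stated above (object against CKA_LABEL, id against CKA_ID, reject a type other than cert). The struct and function names are this example's own and the URIs and objects in the selftest are constructed.

```c
/* Added example (not NSS's code): PKCS #11 URI path attributes with binary
 * "id", and the object/id/type matching rules from the commit above. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decoded attribute value. It may contain NUL bytes, so len is authoritative. */
struct pkcs11_attr { uint8_t value[64]; size_t len; bool present; };

struct pkcs11_uri_query {
    struct pkcs11_attr object;  /* matched against CKA_LABEL */
    struct pkcs11_attr id;      /* matched against CKA_ID, byte for byte */
    struct pkcs11_attr type;    /* must be "cert" if present */
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode s[0..n) into out; returns the decoded length or -1 on error. */
static int pct_decode(const char *s, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (o >= cap) return -1;
        if (s[i] == '%') {
            if (i + 2 >= n) return -1;                     /* truncated escape */
            int hi = hexval(s[i + 1]), lo = hexval(s[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            out[o++] = (uint8_t)((hi << 4) | lo);
            i += 2;
        } else {
            out[o++] = (uint8_t)s[i];
        }
    }
    return (int)o;
}

/* Parse the path attributes of a pkcs11: URI; the query part after '?' is
 * ignored here. Unknown attributes are skipped, duplicates and bad escapes
 * are rejected. */
static bool parse_pkcs11_uri(const char *uri, struct pkcs11_uri_query *q)
{
    memset(q, 0, sizeof *q);
    if (strncmp(uri, "pkcs11:", 7) != 0) return false;
    const char *p = uri + 7;
    const char *end = strchr(p, '?');
    if (!end) end = p + strlen(p);
    while (p < end) {
        const char *semi = memchr(p, ';', (size_t)(end - p));
        const char *attr_end = semi ? semi : end;
        const char *eq = memchr(p, '=', (size_t)(attr_end - p));
        if (!eq) return false;
        size_t klen = (size_t)(eq - p);
        const char *v = eq + 1;
        size_t vlen = (size_t)(attr_end - v);
        struct pkcs11_attr *a = NULL;
        if (klen == 6 && memcmp(p, "object", 6) == 0) a = &q->object;
        else if (klen == 2 && memcmp(p, "id", 2) == 0) a = &q->id;
        else if (klen == 4 && memcmp(p, "type", 4) == 0) a = &q->type;
        if (a) {
            if (a->present) return false;
            int n = pct_decode(v, vlen, a->value, sizeof a->value);
            if (n < 0) return false;
            a->len = (size_t)n;
            a->present = true;
        }
        p = attr_end + 1;
    }
    return true;
}

/* A candidate certificate object as a token exposes it: CKA_LABEL and CKA_ID. */
struct cert_obj { const char *label; const uint8_t *id; size_t id_len; };

/* type must be absent or "cert"; object must equal the label; id must equal
 * CKA_ID including its length, so an embedded NUL cannot shorten the match. */
static bool uri_matches_cert(const struct pkcs11_uri_query *q, const struct cert_obj *c)
{
    if (q->type.present && (q->type.len != 4 || memcmp(q->type.value, "cert", 4) != 0))
        return false;
    if (q->object.present && (strlen(c->label) != q->object.len ||
                              memcmp(c->label, q->object.value, q->object.len) != 0))
        return false;
    if (q->id.present && (c->id_len != q->id.len || memcmp(c->id, q->id.value, q->id.len) != 0))
        return false;
    return true;
}

/* Self-check on constructed URIs and objects. Returns 1 on success. */
static int pkcs11_uri_selftest(void)
{
    static const uint8_t id_ok[] = { 0x01, 0x00, 0xFF };   /* contains a NUL byte */
    static const uint8_t id_short[] = { 0x01, 0x00 };
    const struct cert_obj match = { "My Cert", id_ok, sizeof id_ok };
    const struct cert_obj wrong_id = { "My Cert", id_short, sizeof id_short };
    const struct cert_obj wrong_label = { "Other", id_ok, sizeof id_ok };
    struct pkcs11_uri_query q;

    if (!parse_pkcs11_uri("pkcs11:token=Tok;object=My%20Cert;id=%01%00%ff;type=cert", &q)) return 0;
    if (!uri_matches_cert(&q, &match)) return 0;
    if (uri_matches_cert(&q, &wrong_id)) return 0;       /* strlen would have said "equal" */
    if (uri_matches_cert(&q, &wrong_label)) return 0;
    if (!parse_pkcs11_uri("pkcs11:object=My%20Cert;type=private", &q)) return 0;
    if (uri_matches_cert(&q, &match)) return 0;          /* type present, not "cert" */
    if (parse_pkcs11_uri("pkcs11:id=%zz", &q)) return 0; /* malformed escape */
    return 1;
}
```

The wrong_id case is the one the note in the message is about: with "id" stored as a C string, %01%00%ff and %01%00 compare equal under strlen/strcmp, so a lookup keyed on id could return a different object than the one the URI names.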
* Bug 1779285: Add no_application_protocol alert handler and test client error code is set. r=mt,nss-reviewers.
  Dennis Jackson, 2022-07-13, 1 file, -0/+1
  Differential Revision: https://phabricator.services.mozilla.com/D151645

* Bug 1617956 - Add support for asynchronous client auth hooks. r=mt
  Dennis Jackson, 2022-06-16, 3 files, -81/+337
  Differential Revision: https://phabricator.services.mozilla.com/D138149

* Bug 1765383 - GatherBuffer: Reduced plaintext buffer allocations by allocating it on initialization. Replaced redundant code with assert. Debug builds: Added buffer freeing/allocation for each record. r=djackson
  Leander Schwarz, 2022-06-10, 1 file, -0/+27
  Differential Revision: https://phabricator.services.mozilla.com/D144034
* Bug 1764788 - Correct invalid record inner and outer content type alerts. r=djackson
  Leander Schwarz, 2022-05-17, 2 files, -24/+222

  Added test cases for alerts during and pre handshake as well as TLS 1.3 only after handshake (application data) cases due to unsupported de- and encryption of lower TLS version records in gtest. Adjusted some test cases that expect failed connections to the updated alerts.

  Differential Revision: https://phabricator.services.mozilla.com/D144029
* Bug 1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. r=djackson
  Leander Schwarz, 2022-05-17, 1 file, -4/+29
  Differential Revision: https://phabricator.services.mozilla.com/D144279

* Bug 1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. r=djackson
  Leander Schwarz, 2022-05-17, 1 file, -0/+16
  Differential Revision: https://phabricator.services.mozilla.com/D144420
* Bug 1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. r=keeler,nss-reviewers,djackson
  John M. Schanck, 2022-05-16, 3 files, -0/+71

  In an iteration over elements of an indefinite-length encoded GROUP (sec_asn1d_next_in_group), the child of the current state is responsible for parsing the GROUP's end-of-contents octets---a call to sec_asn1d_parse_end_of_contents(state->child) sets the endofcontents flag for state->child and a later call to sec_asn1d_next_in_group checks state->child->endofcontents and terminates the iteration.

  In an iteration over elements of an indefinite-length encoded SEQUENCE (sec_asn1d_next_in_sequence), on the other hand, the current state, not its child, handles the end-of-contents octets.

  Prior to this commit, an error would occur when state pointed to an indefinite-length encoded GROUP and state->child pointed to an indefinite-length encoded SEQUENCE. In this case, state->child would be passed to sec_asn1d_parse_end_of_contents to parse the SEQUENCE's end-of-contents octets. This would set the endofcontents flag for state->child, and this would be misinterpreted as an end-of-iteration signal for the surrounding GROUP.

  Differential Revision: https://phabricator.services.mozilla.com/D142985
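Added example, not NSS's secasn1d: a minimal BER walker that makes the ownership rule in the message above explicit. Every element consumes its own end-of-contents octets inside ber_skip, so the group iterator in ber_count_group_members only ever sees the terminator that belongs to the group, and an inner indefinite-length SEQUENCE's EOC cannot end the outer iteration. The sample encoding (a SET OF holding two indefinite-length SEQUENCEs) is constructed and the function names are this example's own.

```c
/* Added example (not NSS's code): BER indefinite-length nesting done with
 * clear end-of-contents ownership. Single-byte tags only. */
#include <stddef.h>
#include <stdint.h>

/* Skip one BER element at p[0..n). Returns bytes consumed, 0 if malformed.
 * For indefinite length the element's own EOC (00 00) is consumed here, after
 * recursing through its children, so no caller ever has to guess whose EOC
 * it is looking at. */
static size_t ber_skip(const uint8_t *p, size_t n)
{
    if (n < 2) return 0;
    uint8_t tag = p[0];
    if ((tag & 0x1F) == 0x1F) return 0;           /* high-tag-number form not handled */
    size_t i = 1;
    uint8_t l = p[i++];
    if (l == 0x80) {                               /* indefinite length */
        if (!(tag & 0x20)) return 0;               /* only constructed types may use it */
        for (;;) {
            if (i + 2 <= n && p[i] == 0x00 && p[i + 1] == 0x00)
                return i + 2;                      /* our own end-of-contents */
            size_t c = ber_skip(p + i, n - i);     /* a child, EOC included if it has one */
            if (c == 0) return 0;
            i += c;
        }
    }
    size_t len = l;
    if (l & 0x80) {                                /* long-form definite length */
        size_t nb = l & 0x7F;
        if (nb == 0 || nb > sizeof(size_t) || i + nb > n) return 0;
        len = 0;
        for (size_t k = 0; k < n && k < nb; k++) len = (len << 8) | p[i++];
    }
    if (len > n - i) return 0;
    return i + len;
}

/* Count the members of an indefinite-length constructed element (a GROUP such
 * as SET OF / SEQUENCE OF). Returns the count, or -1 if the encoding is
 * malformed or the group's EOC is missing. *consumed receives the total size. */
static int ber_count_group_members(const uint8_t *p, size_t n, size_t *consumed)
{
    if (n < 2 || !(p[0] & 0x20) || p[1] != 0x80) return -1;
    size_t i = 2;
    int count = 0;
    for (;;) {
        if (i + 2 <= n && p[i] == 0x00 && p[i + 1] == 0x00) {
            *consumed = i + 2;                     /* the group's own terminator */
            return count;
        }
        size_t c = ber_skip(p + i, n - i);         /* member; its EOC never reaches us */
        if (c == 0) return -1;
        i += c;
        count++;
    }
}

/* Constructed sample: SET OF { SEQUENCE { INTEGER 5 }, SEQUENCE { INTEGER 7 } }
 * with every constructed length indefinite. The first 00 00 ends a SEQUENCE,
 * not the SET: treating it as the group's EOC would report one member and
 * then choke on the second SEQUENCE. */
static const uint8_t sample_set_of_seq[] = {
    0x31, 0x80,               /* SET OF, indefinite */
      0x30, 0x80,             /* SEQUENCE, indefinite */
        0x02, 0x01, 0x05,     /* INTEGER 5 */
      0x00, 0x00,             /* EOC of the SEQUENCE */
      0x30, 0x80,
        0x02, 0x01, 0x07,     /* INTEGER 7 */
      0x00, 0x00,
    0x00, 0x00                /* EOC of the SET */
};

/* Members found in the sample, or -2 if the walker did not consume it exactly. */
static int ber_demo(void)
{
    size_t used = 0;
    int n = ber_count_group_members(sample_set_of_seq, sizeof sample_set_of_seq, &used);
    return used == sizeof sample_set_of_seq ? n : -2;
}

/* Same sample with the SET's closing EOC cut off: must be reported as malformed. */
static int ber_demo_truncated(void)
{
    size_t used = 0;
    return ber_count_group_members(sample_set_of_seq, sizeof sample_set_of_seq - 2, &used);
}
```

A streaming decoder like secasn1d cannot recurse this way, which is why it tracks end-of-contents in per-level state flags; the invariant it must preserve is the same one this walker gets for free, that a flag set while parsing a child's EOC belongs to the child and must be consumed before the parent looks at its own iteration state.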
* Bug 1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. Enabled tls fuzzer empty alert test. r=djackson
  [NSS_3_78_BETA1] Leander Schwarz, 2022-04-21, 2 files, -16/+295
  Differential Revision: https://phabricator.services.mozilla.com/D141841
* Bug 1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries. r=djackson
  Leander Schwarz, 2022-04-21, 2 files, -5/+233

  Old overlong record check flow:
  1.) There is a check for the default maximally allowed record size in ssl3gthr.c/ssl3_GatherData after reception of TLS records. In the same file the DTLS reception buffers are set to the maximum possible record size in dtls_GatherData.
  2.) Next the ssl3_HandleRecord handler checks TLS and DTLS record sizes, considering possibly set size limits by the record-size-limit-extension and the maximally approximated cipher expansion possible in NSS.
  3.) Until this patch there was a less strict redundant size check in ssl3con.c/ssl3_UnprotectRecord. In tls13con.c/tls13_UnprotectRecord and ssl3con.c/ssl3_UnprotectRecord the plaintext size is checked for validity after unprotecting (plaintext checks were not changed in this patch).
  4.) DTLS errors regarding record size and unprotecting are inconsistently sometimes propagated to the peer (alerts) and sometimes silently dropped.

  Changes:
  1.) In ssl3gthr.c TLS 1.3 specific cases for overlong record checks and DTLS buffer allocation have been added.
  2.) The ssl3_HandleRecord handler checks for RFC compliant record sizes (all TLS versions), considering limits set by record_size_limit_extension. This is less strict for TLS <= 1.2; stricter checks have been moved to the unprotection functions to create a similar 'check flow/levels' for all TLS versions.
  3.) - TLS <= 1.2: Moved strict check for maximum allowed plaintext + approximated maximum cipher expansion to ssl3con.c/ssl3_UnprotectRecord.
      - TLS 1.3: Added strict check for maximum allowed plaintext + actually used cipher expansion to tls13con.c/tls13_UnprotectRecord. (Maximum allowed plaintext considers limits set by record_size_limit_extension.)
  4.) Following RFC6347, Section 4.1.2.7, DTLS errors regarding records and unprotecting are now consistently dropped silently.

  Added Tests:
  - Positive tests (All (D)TLS versions): Test that largest valid plaintext + encryption expansion are successfully sent and handled.
  - Negative tests (All (D)TLS versions): Test that all added/updated boundaries lead to the expected alerts. Tested with smallest illegal record size for each of the mentioned checks.

  Differential Revision: https://phabricator.services.mozilla.com/D138529
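Added example, not NSS's code, serving the three record-layer entries above (Bug 1764788 inner/outer content type alerts, Bug 1755264 zero-length inner plaintext, Bug 1294978 overlong record boundaries): a pre-decryption TLSCiphertext length bound per version, a TLS 1.3 post-decryption inner-plaintext parse that applies the zero-length rules, and an outer content type check. Bounds follow RFC 5246 §6.2.3, RFC 8446 §5.1/§5.2/§5.4 and RFC 8449; the alert chosen here for a wrongly sized alert fragment is this example's own choice, and every sample record is constructed.

```c
/* Added example (not NSS's code): record-size bounds, TLS 1.3 inner-plaintext
 * parsing with zero-length rules, and outer content type checking. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_FRAGMENT_LENGTH 16384u  /* 2^14: RFC 5246 §6.2.1, RFC 8446 §5.1 */
#define TLS12_MAX_EXPANSION 2048u   /* RFC 5246 §6.2.3: ciphertext <= plaintext + 2048 */
#define TLS13_MAX_EXPANSION 255u    /* RFC 8446 §5.2: ciphertext <= 2^14 + 256 = (2^14 + 1) + 255 */

enum { CT_CHANGE_CIPHER_SPEC = 20, CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APPLICATION_DATA = 23 };
enum alert { ALERT_NONE = 0, ALERT_UNEXPECTED_MESSAGE = 10, ALERT_RECORD_OVERFLOW = 22, ALERT_DECODE_ERROR = 50 };

/* Largest permitted (inner) plaintext. A negotiated record_size_limit (RFC 8449)
 * replaces the default; for TLS 1.3 it counts the content type byte, and the
 * default TLSInnerPlaintext bound is 2^14 + 1. */
static size_t max_inner_plaintext(bool tls13, size_t record_size_limit)
{
    if (record_size_limit) return record_size_limit;
    return tls13 ? MAX_FRAGMENT_LENGTH + 1 : MAX_FRAGMENT_LENGTH;
}

/* Pre-decryption bound on TLSCiphertext.length (the record-handler level check). */
static enum alert check_record_length(bool tls13, size_t ciphertext_len, size_t record_size_limit)
{
    size_t max_ct = max_inner_plaintext(tls13, record_size_limit) +
                    (tls13 ? TLS13_MAX_EXPANSION : TLS12_MAX_EXPANSION);
    return ciphertext_len <= max_ct ? ALERT_NONE : ALERT_RECORD_OVERFLOW;
}

/* TLS 1.3 protected records always carry outer type application_data (RFC 8446
 * §5.2). Bare change_cipher_spec, alert or handshake records are only legal
 * while the connection is still unprotected. */
static enum alert check_tls13_outer_type(uint8_t outer_type, bool protected_record)
{
    if (protected_record)
        return outer_type == CT_APPLICATION_DATA ? ALERT_NONE : ALERT_UNEXPECTED_MESSAGE;
    return (outer_type == CT_CHANGE_CIPHER_SPEC || outer_type == CT_ALERT ||
            outer_type == CT_HANDSHAKE) ? ALERT_NONE : ALERT_UNEXPECTED_MESSAGE;
}

/* After AEAD decryption of a TLS 1.3 record: enforce the plaintext bound, strip
 * zero padding, recover the inner content type, apply the zero-length rules
 * (RFC 8446 §5.1, §5.4). On success fills *content_type and *content_len. */
static enum alert parse_tls13_inner_plaintext(const uint8_t *pt, size_t pt_len, size_t max_inner,
                                              uint8_t *content_type, size_t *content_len)
{
    if (pt_len > max_inner) return ALERT_RECORD_OVERFLOW;
    size_t i = pt_len;
    while (i > 0 && pt[i - 1] == 0) i--;              /* padding is trailing zero bytes */
    if (i == 0) return ALERT_UNEXPECTED_MESSAGE;      /* no content type at all: zero-length inner plaintext */
    uint8_t type = pt[i - 1];
    size_t len = i - 1;
    switch (type) {
    case CT_APPLICATION_DATA:                         /* zero-length application data is legal */
        break;
    case CT_HANDSHAKE:
        if (len == 0) return ALERT_UNEXPECTED_MESSAGE; /* zero-length handshake fragments MUST NOT be sent */
        break;
    case CT_ALERT:
        if (len != 2) return ALERT_DECODE_ERROR;      /* level + description; alert code is this example's choice */
        break;
    default:
        return ALERT_UNEXPECTED_MESSAGE;              /* CCS or unknown type inside a protected record */
    }
    *content_type = type;
    *content_len = len;
    return ALERT_NONE;
}

/* Self-check on constructed post-decryption payloads. Returns 1 on success. */
static int record_checks_selftest(void)
{
    static const uint8_t hs[]    = { 0x01, 0x02, 0x03, CT_HANDSHAKE, 0x00, 0x00 }; /* 3-byte fragment + 2 padding */
    static const uint8_t empty[] = { 0x00, 0x00 };                                 /* padding only */
    static const uint8_t hs0[]   = { CT_HANDSHAKE };                               /* zero-length handshake */
    static const uint8_t app0[]  = { CT_APPLICATION_DATA };                        /* zero-length app data */
    static const uint8_t alrt[]  = { 0x02, 0x28, CT_ALERT };                       /* fatal handshake_failure */
    static const uint8_t ccs[]   = { 0x01, CT_CHANGE_CIPHER_SPEC };                /* CCS must not be encrypted */
    size_t lim = max_inner_plaintext(true, 0);
    uint8_t t;
    size_t n;

    if (parse_tls13_inner_plaintext(hs, sizeof hs, lim, &t, &n) != ALERT_NONE || t != CT_HANDSHAKE || n != 3) return 0;
    if (parse_tls13_inner_plaintext(empty, sizeof empty, lim, &t, &n) != ALERT_UNEXPECTED_MESSAGE) return 0;
    if (parse_tls13_inner_plaintext(hs0, sizeof hs0, lim, &t, &n) != ALERT_UNEXPECTED_MESSAGE) return 0;
    if (parse_tls13_inner_plaintext(app0, sizeof app0, lim, &t, &n) != ALERT_NONE || n != 0) return 0;
    if (parse_tls13_inner_plaintext(alrt, sizeof alrt, lim, &t, &n) != ALERT_NONE || t != CT_ALERT) return 0;
    if (parse_tls13_inner_plaintext(ccs, sizeof ccs, lim, &t, &n) != ALERT_UNEXPECTED_MESSAGE) return 0;
    return 1;
}
```

The two-level layout mirrors the check flow in the message: the cheap ciphertext bound runs before any key material is touched and rejects the obvious overflow with record_overflow, while the content-type and zero-length rules can only be applied after decryption, which is where the TLS 1.3 specific boundaries live.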
* Bug 1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. r=djackson
  John M. Schanck, 2022-04-21, 6 files, -12/+8
  Differential Revision: https://phabricator.services.mozilla.com/D143514