Rebase to NSS 3.31.0
parent
4a49c5748c
commit
5ed56146a2
1
.gitignore
vendored
1
.gitignore
vendored
@ -18,3 +18,4 @@ TestUser51.cert
|
||||
/nss-3.29.1.tar.gz
|
||||
/nss-3.30.0.tar.gz
|
||||
/nss-3.30.2.tar.gz
|
||||
/nss-3.31.0.tar.gz
|
||||
|
@ -1,754 +0,0 @@
|
||||
diff --git a/gtests/nss_bogo_shim/nss_bogo_shim.cc b/gtests/nss_bogo_shim/nss_bogo_shim.cc
|
||||
--- a/gtests/nss_bogo_shim/nss_bogo_shim.cc
|
||||
+++ b/gtests/nss_bogo_shim/nss_bogo_shim.cc
|
||||
@@ -260,16 +260,22 @@ class TestAgent {
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
SSLVersionRange vrange;
|
||||
if (!GetVersionRange(&vrange, ssl_variant_stream)) return false;
|
||||
|
||||
rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
+ SSLVersionRange verify_vrange;
|
||||
+ rv = SSL_VersionRangeGet(ssl_fd_, &verify_vrange);
|
||||
+ if (rv != SECSuccess) return false;
|
||||
+ if (vrange.min != verify_vrange.min || vrange.max != verify_vrange.max)
|
||||
+ return false;
|
||||
+
|
||||
rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE, false);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
auto alpn = cfg_.get<std::string>("advertise-alpn");
|
||||
if (!alpn.empty()) {
|
||||
assert(!cfg_.get<bool>("server"));
|
||||
|
||||
rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_ALPN, PR_TRUE);
|
||||
diff --git a/gtests/ssl_gtest/tls_agent.cc b/gtests/ssl_gtest/tls_agent.cc
|
||||
--- a/gtests/ssl_gtest/tls_agent.cc
|
||||
+++ b/gtests/ssl_gtest/tls_agent.cc
|
||||
@@ -20,16 +20,21 @@ extern "C" {
|
||||
|
||||
#define GTEST_HAS_RTTI 0
|
||||
#include "gtest/gtest.h"
|
||||
#include "gtest_utils.h"
|
||||
#include "scoped_ptrs.h"
|
||||
|
||||
extern std::string g_working_dir_path;
|
||||
|
||||
+static bool SSLVersionRangesAreEqual(SSLVersionRange& vr1,
|
||||
+ SSLVersionRange& vr2) {
|
||||
+ return vr1.min == vr2.min && vr1.max == vr2.max;
|
||||
+}
|
||||
+
|
||||
namespace nss_test {
|
||||
|
||||
const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
|
||||
|
||||
const std::string TlsAgent::kClient = "client"; // both sign and encrypt
|
||||
const std::string TlsAgent::kRsa2048 = "rsa2048"; // bigger
|
||||
const std::string TlsAgent::kServerRsa = "rsa"; // both sign and encrypt
|
||||
const std::string TlsAgent::kServerRsaSign = "rsa_sign";
|
||||
@@ -156,16 +161,26 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc
|
||||
return false;
|
||||
}
|
||||
dummy_fd.release(); // Now subsumed by ssl_fd_.
|
||||
|
||||
SECStatus rv = SSL_VersionRangeSet(ssl_fd(), &vrange_);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
+ SSLVersionRange verify_vrange;
|
||||
+ rv = SSL_VersionRangeGet(ssl_fd(), &verify_vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv);
|
||||
+ if (rv != SECSuccess) return false;
|
||||
+
|
||||
+ bool ranges_are_equal = SSLVersionRangesAreEqual(vrange_, verify_vrange);
|
||||
+ EXPECT_TRUE(ranges_are_equal)
|
||||
+ << "System policy must not restrict the allowed min/max SSL/TLS range";
|
||||
+ if (!ranges_are_equal) return false;
|
||||
+
|
||||
if (role_ == SERVER) {
|
||||
EXPECT_TRUE(ConfigServerCert(name_, true));
|
||||
|
||||
rv = SSL_SNISocketConfigHook(ssl_fd(), SniHook, this);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
if (rv != SECSuccess) return false;
|
||||
|
||||
ScopedCERTCertList anchors(CERT_NewCertList());
|
||||
@@ -400,16 +415,23 @@ void TlsAgent::SetShortHeadersEnabled()
|
||||
|
||||
void TlsAgent::SetVersionRange(uint16_t minver, uint16_t maxver) {
|
||||
vrange_.min = minver;
|
||||
vrange_.max = maxver;
|
||||
|
||||
if (ssl_fd()) {
|
||||
SECStatus rv = SSL_VersionRangeSet(ssl_fd(), &vrange_);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
+
|
||||
+ SSLVersionRange verify_vrange;
|
||||
+ rv = SSL_VersionRangeGet(ssl_fd(), &verify_vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv);
|
||||
+ bool ranges_are_equal = SSLVersionRangesAreEqual(vrange_, verify_vrange);
|
||||
+ EXPECT_TRUE(ranges_are_equal)
|
||||
+ << "System policy must not restrict the allowed min/max SSL/TLS range";
|
||||
}
|
||||
}
|
||||
|
||||
void TlsAgent::GetVersionRange(uint16_t* minver, uint16_t* maxver) {
|
||||
*minver = vrange_.min;
|
||||
*maxver = vrange_.max;
|
||||
}
|
||||
|
||||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -2202,38 +2202,42 @@ ssl3_GetRangePolicy(SSLProtocolVariant p
|
||||
return SECFailure; /* don't accept an invalid policy */
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/*
|
||||
* Constrain a single protocol variant's range based on the user policy
|
||||
*/
|
||||
-static SECStatus
|
||||
-ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant)
|
||||
+static void
|
||||
+ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant,
|
||||
+ SSLVersionRange *rangeParam /* in and out */)
|
||||
{
|
||||
SSLVersionRange vrange;
|
||||
SSLVersionRange pvrange;
|
||||
SECStatus rv;
|
||||
|
||||
- vrange = *VERSIONS_DEFAULTS(protocolVariant);
|
||||
+ if (!rangeParam) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ vrange = *rangeParam;
|
||||
rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
|
||||
if (rv != SECSuccess) {
|
||||
- return SECSuccess; /* we don't have any policy */
|
||||
+ return; /* we don't have any policy */
|
||||
}
|
||||
vrange.min = PR_MAX(vrange.min, pvrange.min);
|
||||
vrange.max = PR_MIN(vrange.max, pvrange.max);
|
||||
if (vrange.max >= vrange.min) {
|
||||
- *VERSIONS_DEFAULTS(protocolVariant) = vrange;
|
||||
+ *rangeParam = vrange;
|
||||
} else {
|
||||
/* there was no overlap, turn off range altogether */
|
||||
pvrange.min = pvrange.max = SSL_LIBRARY_VERSION_NONE;
|
||||
- *VERSIONS_DEFAULTS(protocolVariant) = pvrange;
|
||||
+ *rangeParam = pvrange;
|
||||
}
|
||||
- return SECSuccess;
|
||||
}
|
||||
|
||||
static PRBool
|
||||
ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant,
|
||||
SSL3ProtocolVersion version)
|
||||
{
|
||||
SSLVersionRange pvrange;
|
||||
SECStatus rv;
|
||||
@@ -2249,60 +2253,59 @@ ssl_VersionIsSupportedByPolicy(SSLProtoc
|
||||
|
||||
/*
|
||||
* This is called at SSL init time to constrain the existing range based
|
||||
* on user supplied policy.
|
||||
*/
|
||||
SECStatus
|
||||
ssl3_ConstrainRangeByPolicy(void)
|
||||
{
|
||||
- SECStatus rv;
|
||||
- rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream);
|
||||
- if (rv != SECSuccess) {
|
||||
- return rv;
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream,
|
||||
+ VERSIONS_DEFAULTS(ssl_variant_stream));
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram,
|
||||
+ VERSIONS_DEFAULTS(ssl_variant_datagram));
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
+PRBool
|
||||
+ssl3_VersionIsSupportedByCode(SSLProtocolVariant protocolVariant,
|
||||
+ SSL3ProtocolVersion version)
|
||||
+{
|
||||
+ switch (protocolVariant) {
|
||||
+ case ssl_variant_stream:
|
||||
+ return (version >= SSL_LIBRARY_VERSION_3_0 &&
|
||||
+ version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
+ case ssl_variant_datagram:
|
||||
+ return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
|
||||
+ version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
}
|
||||
- rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram);
|
||||
- if (rv != SECSuccess) {
|
||||
- return rv;
|
||||
- }
|
||||
- return SECSuccess;
|
||||
+
|
||||
+ /* Can't get here */
|
||||
+ PORT_Assert(PR_FALSE);
|
||||
+ return PR_FALSE;
|
||||
}
|
||||
|
||||
PRBool
|
||||
ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
|
||||
SSL3ProtocolVersion version)
|
||||
{
|
||||
if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
- switch (protocolVariant) {
|
||||
- case ssl_variant_stream:
|
||||
- return (version >= SSL_LIBRARY_VERSION_3_0 &&
|
||||
- version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
- case ssl_variant_datagram:
|
||||
- return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
|
||||
- version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
|
||||
- default:
|
||||
- /* Can't get here */
|
||||
- PORT_Assert(PR_FALSE);
|
||||
- return PR_FALSE;
|
||||
- }
|
||||
+ return ssl3_VersionIsSupportedByCode(protocolVariant, version);
|
||||
}
|
||||
|
||||
-/* Returns PR_TRUE if the given version range is valid and
|
||||
-** fully supported; otherwise, returns PR_FALSE.
|
||||
-*/
|
||||
static PRBool
|
||||
ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant,
|
||||
const SSLVersionRange *vrange)
|
||||
{
|
||||
return vrange &&
|
||||
vrange->min <= vrange->max &&
|
||||
- ssl3_VersionIsSupported(protocolVariant, vrange->min) &&
|
||||
- ssl3_VersionIsSupported(protocolVariant, vrange->max) &&
|
||||
+ ssl3_VersionIsSupportedByCode(protocolVariant, vrange->min) &&
|
||||
+ ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max) &&
|
||||
(vrange->min > SSL_LIBRARY_VERSION_3_0 ||
|
||||
vrange->max < SSL_LIBRARY_VERSION_TLS_1_3);
|
||||
}
|
||||
|
||||
const SECItem *
|
||||
SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
|
||||
{
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
@@ -2329,60 +2332,116 @@ SSL_VersionRangeGetSupported(SSLProtocol
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
switch (protocolVariant) {
|
||||
case ssl_variant_stream:
|
||||
vrange->min = SSL_LIBRARY_VERSION_3_0;
|
||||
vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
|
||||
- // We don't allow SSLv3 and TLSv1.3 together.
|
||||
- if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
- vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
- }
|
||||
+ /* We don't allow SSLv3 and TLSv1.3 together.
|
||||
+ * However, don't check yet, apply the policy first.
|
||||
+ * Because if the effective supported range doesn't use TLS 1.3,
|
||||
+ * then we don't need to increase the minimum. */
|
||||
break;
|
||||
case ssl_variant_datagram:
|
||||
vrange->min = SSL_LIBRARY_VERSION_TLS_1_1;
|
||||
vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
|
||||
break;
|
||||
default:
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(protocolVariant, vrange);
|
||||
+ if (vrange->min == SSL_LIBRARY_VERSION_NONE) {
|
||||
+ /* Library default and policy don't overlap. */
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (protocolVariant == ssl_variant_stream) {
|
||||
+ /* We don't allow SSLv3 and TLSv1.3 together */
|
||||
+ if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
+ vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant,
|
||||
SSLVersionRange *vrange)
|
||||
{
|
||||
if ((protocolVariant != ssl_variant_stream &&
|
||||
protocolVariant != ssl_variant_datagram) ||
|
||||
!vrange) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
*vrange = *VERSIONS_DEFAULTS(protocolVariant);
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(protocolVariant, vrange);
|
||||
+
|
||||
+ if (vrange->min == SSL_LIBRARY_VERSION_NONE) {
|
||||
+ /* Library default and policy don't overlap. */
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
-SECStatus
|
||||
-SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant,
|
||||
- const SSLVersionRange *vrange)
|
||||
+static SECStatus
|
||||
+ssl3_CheckRangeValidAndConstrainByPolicy(SSLProtocolVariant protocolVariant,
|
||||
+ SSLVersionRange *vrange)
|
||||
{
|
||||
if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) {
|
||||
PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- *VERSIONS_DEFAULTS(protocolVariant) = *vrange;
|
||||
-
|
||||
+ /* Try to adjust the received range using our policy.
|
||||
+ * If there's overlap, we'll use the (possibly reduced) range.
|
||||
+ * If there isn't overlap, it's failure. */
|
||||
+
|
||||
+ ssl3_ConstrainVariantRangeByPolicy(protocolVariant, vrange);
|
||||
+ if (vrange->min == SSL_LIBRARY_VERSION_NONE) {
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (protocolVariant == ssl_variant_stream) {
|
||||
+ /* We don't allow SSLv3 and TLSv1.3 together */
|
||||
+ if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
+ vrange->min =
|
||||
+ PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
+SECStatus
|
||||
+SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant,
|
||||
+ const SSLVersionRange *vrange)
|
||||
+{
|
||||
+ SSLVersionRange constrainedRange;
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ if (!vrange) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ constrainedRange = *vrange;
|
||||
+ rv = ssl3_CheckRangeValidAndConstrainByPolicy(protocolVariant,
|
||||
+ &constrainedRange);
|
||||
+ if (rv != SECSuccess)
|
||||
+ return rv;
|
||||
+
|
||||
+ *VERSIONS_DEFAULTS(protocolVariant) = constrainedRange;
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange)
|
||||
{
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
|
||||
@@ -2406,41 +2465,50 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLV
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
|
||||
{
|
||||
- sslSocket *ss = ssl_FindSocket(fd);
|
||||
-
|
||||
+ SSLVersionRange constrainedRange;
|
||||
+ sslSocket *ss;
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ if (!vrange) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet",
|
||||
SSL_GETPID(), fd));
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) {
|
||||
- PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
|
||||
- return SECFailure;
|
||||
- }
|
||||
+ constrainedRange = *vrange;
|
||||
+ rv = ssl3_CheckRangeValidAndConstrainByPolicy(ss->protocolVariant,
|
||||
+ &constrainedRange);
|
||||
+ if (rv != SECSuccess)
|
||||
+ return rv;
|
||||
|
||||
ssl_Get1stHandshakeLock(ss);
|
||||
ssl_GetSSL3HandshakeLock(ss);
|
||||
|
||||
if (ss->ssl3.downgradeCheckVersion &&
|
||||
ss->vrange.max > ss->ssl3.downgradeCheckVersion) {
|
||||
PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
|
||||
ssl_ReleaseSSL3HandshakeLock(ss);
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- ss->vrange = *vrange;
|
||||
+ ss->vrange = constrainedRange;
|
||||
|
||||
ssl_ReleaseSSL3HandshakeLock(ss);
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
diff --git a/gtests/ssl_gtest/Makefile b/gtests/ssl_gtest/Makefile
|
||||
--- a/gtests/ssl_gtest/Makefile
|
||||
+++ b/gtests/ssl_gtest/Makefile
|
||||
@@ -32,16 +32,18 @@ CFLAGS += -I$(CORE_DEPTH)/lib/ssl
|
||||
ifdef NSS_SSL_ENABLE_ZLIB
|
||||
include $(CORE_DEPTH)/coreconf/zlib.mk
|
||||
endif
|
||||
|
||||
ifdef NSS_DISABLE_TLS_1_3
|
||||
NSS_DISABLE_TLS_1_3=1
|
||||
# Run parameterized tests only, for which we can easily exclude TLS 1.3
|
||||
CPPSRCS := $(filter-out $(shell grep -l '^TEST_F' $(CPPSRCS)), $(CPPSRCS))
|
||||
+# But always include ssl_versionpolicy_unittest.cc
|
||||
+CPPSRCS += ssl_versionpolicy_unittest.cc
|
||||
CFLAGS += -DNSS_DISABLE_TLS_1_3
|
||||
endif
|
||||
|
||||
#######################################################################
|
||||
# (5) Execute "global" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
diff --git a/gtests/ssl_gtest/manifest.mn b/gtests/ssl_gtest/manifest.mn
|
||||
--- a/gtests/ssl_gtest/manifest.mn
|
||||
+++ b/gtests/ssl_gtest/manifest.mn
|
||||
@@ -33,16 +33,17 @@ CPPSRCS = \
|
||||
ssl_hrr_unittest.cc \
|
||||
ssl_loopback_unittest.cc \
|
||||
ssl_record_unittest.cc \
|
||||
ssl_resumption_unittest.cc \
|
||||
ssl_skip_unittest.cc \
|
||||
ssl_staticrsa_unittest.cc \
|
||||
ssl_v2_client_hello_unittest.cc \
|
||||
ssl_version_unittest.cc \
|
||||
+ ssl_versionpolicy_unittest.cc \
|
||||
test_io.cc \
|
||||
tls_agent.cc \
|
||||
tls_connect.cc \
|
||||
tls_hkdf_unittest.cc \
|
||||
tls_filter.cc \
|
||||
tls_parser.cc \
|
||||
tls_protect.cc \
|
||||
$(NULL)
|
||||
diff --git a/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc b/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
|
||||
@@ -0,0 +1,281 @@
|
||||
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
+/* vim: set ts=2 et sw=2 tw=80: */
|
||||
+/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
+
|
||||
+#include "nss.h"
|
||||
+#include "secerr.h"
|
||||
+#include "ssl.h"
|
||||
+#include "ssl3prot.h"
|
||||
+#include "sslerr.h"
|
||||
+#include "sslproto.h"
|
||||
+
|
||||
+#include "gtest_utils.h"
|
||||
+#include "scoped_ptrs.h"
|
||||
+#include "tls_connect.h"
|
||||
+#include "tls_filter.h"
|
||||
+#include "tls_parser.h"
|
||||
+
|
||||
+static bool SSLVersionRangesAreEqual(SSLVersionRange &vr1,
|
||||
+ SSLVersionRange &vr2) {
|
||||
+ return vr1.min == vr2.min && vr1.max == vr2.max;
|
||||
+}
|
||||
+
|
||||
+namespace nss_test {
|
||||
+
|
||||
+class TestVersionRangePolicy : public ::testing::Test {
|
||||
+ protected:
|
||||
+ PRInt32 savedMinTLS;
|
||||
+ PRInt32 savedMaxTLS;
|
||||
+ PRInt32 savedMinDTLS;
|
||||
+ PRInt32 savedMaxDTLS;
|
||||
+ PRUint32 savedAlgorithmPolicy;
|
||||
+
|
||||
+ public:
|
||||
+ void SaveOriginalPolicy() {
|
||||
+ NSS_OptionGet(NSS_TLS_VERSION_MIN_POLICY, &savedMinTLS);
|
||||
+ NSS_OptionGet(NSS_TLS_VERSION_MAX_POLICY, &savedMaxTLS);
|
||||
+ NSS_OptionGet(NSS_DTLS_VERSION_MIN_POLICY, &savedMinDTLS);
|
||||
+ NSS_OptionGet(NSS_DTLS_VERSION_MAX_POLICY, &savedMaxDTLS);
|
||||
+ NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &savedAlgorithmPolicy);
|
||||
+ }
|
||||
+ void SetUsePolicyInSSL() {
|
||||
+ NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
|
||||
+ }
|
||||
+ void RestoreOriginalPolicy() {
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MIN_POLICY, savedMinTLS);
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MAX_POLICY, savedMaxTLS);
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MIN_POLICY, savedMinDTLS);
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MAX_POLICY, savedMaxDTLS);
|
||||
+ /* If it wasn't set initially, clear the bit that we set. */
|
||||
+ if (!(savedAlgorithmPolicy & NSS_USE_POLICY_IN_SSL)) {
|
||||
+ NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, 0,
|
||||
+ NSS_USE_POLICY_IN_SSL);
|
||||
+ }
|
||||
+ }
|
||||
+ void SetTLSPolicy(SSLVersionRange &policy) {
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MIN_POLICY, policy.min);
|
||||
+ NSS_OptionSet(NSS_TLS_VERSION_MAX_POLICY, policy.max);
|
||||
+ }
|
||||
+ void SetDTLSPolicy(SSLVersionRange &policy) {
|
||||
+ /* SSL3 isn't allowed for DTLS, but isn't a problem to allow by policy */
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MIN_POLICY, policy.min);
|
||||
+ NSS_OptionSet(NSS_DTLS_VERSION_MAX_POLICY, policy.max);
|
||||
+ }
|
||||
+ std::string version_to_string(PRInt32 v) {
|
||||
+ switch (v) {
|
||||
+ case SSL_LIBRARY_VERSION_3_0:
|
||||
+ return "ssl3";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_0:
|
||||
+ return "tls1.0";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_1:
|
||||
+ return "tls1.1";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_2:
|
||||
+ return "tls1.2";
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_3:
|
||||
+ return "tls1.3";
|
||||
+ case SSL_LIBRARY_VERSION_NONE:
|
||||
+ return "NONE";
|
||||
+ }
|
||||
+ return "undefined???";
|
||||
+ }
|
||||
+ std::string info_str(const SSLVersionRange &policy,
|
||||
+ const SSLVersionRange &vrange,
|
||||
+ const SSLVersionRange *expectation,
|
||||
+ const SSLVersionRange *result, bool testDTLS) {
|
||||
+ return std::string(testDTLS ? "DTLS" : "TLS") + std::string(" policy: ") +
|
||||
+ version_to_string(policy.min) + std::string(",") +
|
||||
+ version_to_string(policy.max) + std::string(" input: ") +
|
||||
+ version_to_string(vrange.min) + std::string(",") +
|
||||
+ version_to_string(vrange.max) +
|
||||
+ (expectation
|
||||
+ ? (std::string(" expected: ") +
|
||||
+ version_to_string(expectation->min) + std::string(",") +
|
||||
+ version_to_string(expectation->max))
|
||||
+ : std::string()) +
|
||||
+ (result
|
||||
+ ? (std::string(" result: ") + version_to_string(result->min) +
|
||||
+ std::string(",") + version_to_string(result->max))
|
||||
+ : std::string());
|
||||
+ }
|
||||
+ void TestPolicyRangeExpectation(SSLVersionRange &policy,
|
||||
+ SSLVersionRange &vrange,
|
||||
+ SSLVersionRange &expectation, bool testDTLS) {
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ SetTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_stream, &vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, false);
|
||||
+
|
||||
+ SSLVersionRange result;
|
||||
+ rv = SSL_VersionRangeGetDefault(ssl_variant_stream, &result);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeGetDefault: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, false);
|
||||
+
|
||||
+ EXPECT_EQ(true, SSLVersionRangesAreEqual(result, expectation))
|
||||
+ << "range returned by SSL_VersionRangeGetDefault doesn't match "
|
||||
+ "expectation: "
|
||||
+ << info_str(policy, vrange, &expectation, &result, false);
|
||||
+
|
||||
+ if (testDTLS) {
|
||||
+ SetDTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_datagram, &vrange);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, true);
|
||||
+
|
||||
+ SSLVersionRange result;
|
||||
+ rv = SSL_VersionRangeGetDefault(ssl_variant_datagram, &result);
|
||||
+ EXPECT_EQ(SECSuccess, rv)
|
||||
+ << "expected successful return from SSL_VersionRangeGetDefault: "
|
||||
+ << info_str(policy, vrange, &expectation, NULL, true);
|
||||
+
|
||||
+ EXPECT_EQ(true, SSLVersionRangesAreEqual(result, expectation))
|
||||
+ << "range returned by SSL_VersionRangeGetDefault doesn't match "
|
||||
+ "expectation: "
|
||||
+ << info_str(policy, vrange, &expectation, &result, true);
|
||||
+ }
|
||||
+ }
|
||||
+ void TestPolicyRangeFailure(SSLVersionRange &policy, SSLVersionRange &vrange,
|
||||
+ bool testDTLS) {
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ SetTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_stream, &vrange);
|
||||
+ EXPECT_EQ(SECFailure, rv)
|
||||
+ << "expected failure return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, NULL, NULL, false);
|
||||
+
|
||||
+ if (testDTLS) {
|
||||
+ SetDTLSPolicy(policy);
|
||||
+ rv = SSL_VersionRangeSetDefault(ssl_variant_datagram, &vrange);
|
||||
+ EXPECT_EQ(SECFailure, rv)
|
||||
+ << "expected failure return from SSL_VersionRangeSetDefault with: "
|
||||
+ << info_str(policy, vrange, NULL, NULL, true);
|
||||
+ }
|
||||
+ }
|
||||
+ void Run() {
|
||||
+ SaveOriginalPolicy();
|
||||
+ SetUsePolicyInSSL();
|
||||
+
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ SSLVersionRange range3to13{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range10to13{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range11to13{SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range12to13{SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+ SSLVersionRange range13to13{SSL_LIBRARY_VERSION_TLS_1_3,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_3};
|
||||
+#endif
|
||||
+
|
||||
+ SSLVersionRange range3to12{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+ SSLVersionRange range10to12{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+ SSLVersionRange range11to12{SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+ SSLVersionRange range12to12{SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2};
|
||||
+
|
||||
+ SSLVersionRange range3to11{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_1};
|
||||
+ SSLVersionRange range10to11{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_1};
|
||||
+ SSLVersionRange range11to11{SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_1};
|
||||
+
|
||||
+ SSLVersionRange range3to10{SSL_LIBRARY_VERSION_3_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_0};
|
||||
+ SSLVersionRange range10to10{SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_0};
|
||||
+
|
||||
+ SSLVersionRange range3to3{SSL_LIBRARY_VERSION_3_0, SSL_LIBRARY_VERSION_3_0};
|
||||
+
|
||||
+// When testing SSL3 or TLS1.0, we set "test DTLS" to false.
|
||||
+
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ // Invalid range input (cannot enable both SSL3 and TLS1.3)
|
||||
+ TestPolicyRangeFailure(range3to13, range3to13, false);
|
||||
+#endif
|
||||
+
|
||||
+ // No overlap between policy and range input
|
||||
+ TestPolicyRangeFailure(range11to11, range10to10, false);
|
||||
+ TestPolicyRangeFailure(range11to11, range12to12, true);
|
||||
+ TestPolicyRangeFailure(range10to12, range3to3, false);
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ TestPolicyRangeFailure(range10to12, range13to13, true);
|
||||
+#endif
|
||||
+
|
||||
+ // straightforward overlap tests
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range3to11, range10to12, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to12, range10to12, false);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range11to12, range10to12, range11to12, false);
|
||||
+ TestPolicyRangeExpectation(range11to12, range11to12, range11to12, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range12to12, range10to12, range12to12, false);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to3, range3to3, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to10, range3to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to11, range3to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range3to12, range3to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to12, range11to11, range11to11, true);
|
||||
+ TestPolicyRangeExpectation(range3to12, range11to12, range11to12, true);
|
||||
+ TestPolicyRangeExpectation(range3to12, range12to12, range12to12, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range10to12, range3to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range3to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range3to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range10to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range10to12, range11to11, range11to11, true);
|
||||
+ TestPolicyRangeExpectation(range10to12, range11to12, range11to12, true);
|
||||
+ TestPolicyRangeExpectation(range10to12, range12to12, range12to12, true);
|
||||
+
|
||||
+#ifndef NSS_DISABLE_TLS_1_3
|
||||
+ TestPolicyRangeExpectation(range3to12, range10to13, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range10to13, range10to13, range10to13, false);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range11to13, range10to13, range11to13, false);
|
||||
+ TestPolicyRangeExpectation(range11to13, range11to13, range11to13, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range12to13, range10to13, range12to13, false);
|
||||
+ TestPolicyRangeExpectation(range12to13, range11to13, range12to13, true);
|
||||
+ TestPolicyRangeExpectation(range12to13, range12to13, range12to13, true);
|
||||
+
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to3, range3to3, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to10, range3to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to11, range3to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range3to12, range3to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to10, range10to10, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to11, range10to11, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to12, range10to12, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range10to13, range10to13, false);
|
||||
+ TestPolicyRangeExpectation(range3to13, range11to11, range11to11, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range11to12, range11to12, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range12to12, range12to12, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range12to13, range12to13, true);
|
||||
+ TestPolicyRangeExpectation(range3to13, range13to13, range13to13, true);
|
||||
+#endif
|
||||
+
|
||||
+ RestoreOriginalPolicy();
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+TEST_F(TestVersionRangePolicy, TestVersionRangesAndCryptoPolicyInteraction) {
|
||||
+ Run();
|
||||
+}
|
||||
+
|
||||
+} // namespace nss_test
|
@ -1,12 +0,0 @@
|
||||
diff -up nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.gcc7 nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
|
||||
--- nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.gcc7 2017-02-08 14:34:04.212655936 +0100
|
||||
+++ nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c 2017-02-08 14:37:33.326388891 +0100
|
||||
@@ -89,7 +89,7 @@ pkix_pl_OcspRequest_Hashcode(
|
||||
PKIX_HASHCODE(ocspRq->signerCert, &signerHash, plContext,
|
||||
PKIX_CERTHASHCODEFAILED);
|
||||
|
||||
- *pHashcode = (((((extensionHash << 8) || certHash) << 8) ||
|
||||
+ *pHashcode = ((PKIX_UInt32)(((PKIX_UInt32)((extensionHash << 8) || certHash) << 8) ||
|
||||
dateHash) << 8) || signerHash;
|
||||
|
||||
cleanup:
|
@ -1,6 +1,14 @@
|
||||
diff -up nss/cmd/platlibs.mk.gtests-split nss/cmd/platlibs.mk
|
||||
--- nss/cmd/platlibs.mk.gtests-split 2017-06-02 10:47:41.000000000 +0200
|
||||
+++ nss/cmd/platlibs.mk 2017-06-02 10:54:18.707290028 +0200
|
||||
# HG changeset patch
|
||||
# User Daiki Ueno <dueno@redhat.com>
|
||||
# Date 1496306850 -7200
|
||||
# Thu Jun 01 10:47:30 2017 +0200
|
||||
# Node ID a15755b99b544dc9643f6e3e7c3b36825112c5b2
|
||||
# Parent d20ee6560caf7c8ed6640583791700451fe06921
|
||||
Bug 1280846 - tests: adjust gtests to compile under modular builds, r=franziskus
|
||||
|
||||
diff --git a/cmd/platlibs.mk b/cmd/platlibs.mk
|
||||
--- a/cmd/platlibs.mk
|
||||
+++ b/cmd/platlibs.mk
|
||||
@@ -32,6 +32,12 @@ else
|
||||
DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX)
|
||||
endif
|
||||
@ -79,43 +87,11 @@ diff -up nss/cmd/platlibs.mk.gtests-split nss/cmd/platlibs.mk
|
||||
|
||||
ifdef SOFTOKEN_LIB_DIR
|
||||
ifdef NSS_USE_SYSTEM_FREEBL
|
||||
diff -up nss/cpputil/scoped_ptrs_base.h.gtests-split nss/cpputil/scoped_ptrs_base.h
|
||||
--- nss/cpputil/scoped_ptrs_base.h.gtests-split 2017-06-02 10:54:18.707290028 +0200
|
||||
+++ nss/cpputil/scoped_ptrs_base.h 2017-06-02 10:54:18.707290028 +0200
|
||||
@@ -0,0 +1,29 @@
|
||||
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
+/* vim: set ts=2 et sw=2 tw=80: */
|
||||
+/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
+
|
||||
+#ifndef scoped_ptrs_base_h__
|
||||
+#define scoped_ptrs_base_h__
|
||||
+
|
||||
+#include <memory>
|
||||
+
|
||||
+template <class T>
|
||||
+struct ScopedDelete {
|
||||
+ void operator()(T*);
|
||||
+};
|
||||
+
|
||||
+template <class T>
|
||||
+struct ScopedMaybeDelete {
|
||||
+ void operator()(T* ptr) {
|
||||
+ if (ptr) {
|
||||
+ ScopedDelete<T> del;
|
||||
+ del(ptr);
|
||||
+ }
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped##x
|
||||
+
|
||||
+#endif // scoped_ptrs_base_h__
|
||||
diff -up nss/cpputil/scoped_ptrs_util.h.gtests-split nss/cpputil/scoped_ptrs_util.h
|
||||
--- nss/cpputil/scoped_ptrs_util.h.gtests-split 2017-06-02 10:54:18.707290028 +0200
|
||||
+++ nss/cpputil/scoped_ptrs_util.h 2017-06-02 11:03:10.361102513 +0200
|
||||
@@ -0,0 +1,41 @@
|
||||
diff --git a/cpputil/scoped_ptrs_util.h b/cpputil/scoped_ptrs_util.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/cpputil/scoped_ptrs_util.h
|
||||
@@ -0,0 +1,39 @@
|
||||
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
+/* vim: set ts=2 et sw=2 tw=80: */
|
||||
+/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
@ -125,41 +101,55 @@ diff -up nss/cpputil/scoped_ptrs_util.h.gtests-split nss/cpputil/scoped_ptrs_uti
|
||||
+#ifndef scoped_ptrs_util_h__
|
||||
+#define scoped_ptrs_util_h__
|
||||
+
|
||||
+#include "scoped_ptrs_base.h"
|
||||
+
|
||||
+#include "nspr.h"
|
||||
+#include "secitem.h"
|
||||
+#include <memory>
|
||||
+#include "pkcs11uri.h"
|
||||
+#include "secoid.h"
|
||||
+
|
||||
+template <>
|
||||
+struct ScopedDelete<PRFileDesc> {
|
||||
+ void operator()(PRFileDesc* fd) { PR_Close(fd); }
|
||||
+};
|
||||
+
|
||||
+template <>
|
||||
+struct ScopedDelete<SECItem> {
|
||||
+ void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
|
||||
+};
|
||||
+
|
||||
+template <>
|
||||
+struct ScopedDelete<SECAlgorithmID> {
|
||||
+struct ScopedDelete {
|
||||
+ void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
|
||||
+};
|
||||
+
|
||||
+template <>
|
||||
+struct ScopedDelete<PLArenaPool> {
|
||||
+ void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
|
||||
+ void operator()(PK11URI* uri) { PK11URI_DestroyURI(uri); }
|
||||
+ void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); }
|
||||
+};
|
||||
+
|
||||
+SCOPED(PRFileDesc);
|
||||
+SCOPED(SECItem);
|
||||
+template <class T>
|
||||
+struct ScopedMaybeDelete {
|
||||
+ void operator()(T* ptr) {
|
||||
+ if (ptr) {
|
||||
+ ScopedDelete del;
|
||||
+ del(ptr);
|
||||
+ }
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped##x
|
||||
+
|
||||
+SCOPED(SECAlgorithmID);
|
||||
+SCOPED(PLArenaPool);
|
||||
+SCOPED(SECItem);
|
||||
+SCOPED(PK11URI);
|
||||
+
|
||||
+#undef SCOPED
|
||||
+
|
||||
+#endif // scoped_ptrs_util_h__
|
||||
diff -up nss/gtests/common/gtests-util.cc.gtests-split nss/gtests/common/gtests-util.cc
|
||||
--- nss/gtests/common/gtests-util.cc.gtests-split 2017-06-02 10:54:18.707290028 +0200
|
||||
+++ nss/gtests/common/gtests-util.cc 2017-06-02 10:54:18.707290028 +0200
|
||||
diff --git a/gtests/certhigh_gtest/manifest.mn b/gtests/certhigh_gtest/manifest.mn
|
||||
--- a/gtests/certhigh_gtest/manifest.mn
|
||||
+++ b/gtests/certhigh_gtest/manifest.mn
|
||||
@@ -14,9 +14,9 @@ INCLUDES += -I$(CORE_DEPTH)/gtests/googl
|
||||
-I$(CORE_DEPTH)/gtests/common \
|
||||
-I$(CORE_DEPTH)/cpputil
|
||||
|
||||
-REQUIRES = nspr nss libdbm gtest
|
||||
+REQUIRES = nspr gtest
|
||||
|
||||
PROGRAM = certhigh_gtest
|
||||
|
||||
EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \
|
||||
- ../common/$(OBJDIR)/gtests$(OBJ_SUFFIX)
|
||||
+ $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX)
|
||||
diff --git a/gtests/common/gtests-util.cc b/gtests/common/gtests-util.cc
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/gtests/common/gtests-util.cc
|
||||
@@ -0,0 +1,26 @@
|
||||
+/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
@ -187,9 +177,9 @@ diff -up nss/gtests/common/gtests-util.cc.gtests-split nss/gtests/common/gtests-
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
diff -up nss/gtests/common/manifest.mn.gtests-split nss/gtests/common/manifest.mn
|
||||
--- nss/gtests/common/manifest.mn.gtests-split 2017-04-20 16:25:50.000000000 +0200
|
||||
+++ nss/gtests/common/manifest.mn 2017-06-02 10:54:18.707290028 +0200
|
||||
diff --git a/gtests/common/manifest.mn b/gtests/common/manifest.mn
|
||||
--- a/gtests/common/manifest.mn
|
||||
+++ b/gtests/common/manifest.mn
|
||||
@@ -6,9 +6,13 @@ CORE_DEPTH = ../..
|
||||
DEPTH = ../..
|
||||
MODULE = nss
|
||||
@ -214,9 +204,9 @@ diff -up nss/gtests/common/manifest.mn.gtests-split nss/gtests/common/manifest.m
|
||||
-
|
||||
-# NOTE: this is not actually used but required to build gtests.o
|
||||
-PROGRAM = gtests
|
||||
diff -up nss/gtests/der_gtest/der_getint_unittest.cc.gtests-split nss/gtests/der_gtest/der_getint_unittest.cc
|
||||
--- nss/gtests/der_gtest/der_getint_unittest.cc.gtests-split 2017-04-20 16:25:50.000000000 +0200
|
||||
+++ nss/gtests/der_gtest/der_getint_unittest.cc 2017-06-02 10:54:18.708290005 +0200
|
||||
diff --git a/gtests/der_gtest/der_getint_unittest.cc b/gtests/der_gtest/der_getint_unittest.cc
|
||||
--- a/gtests/der_gtest/der_getint_unittest.cc
|
||||
+++ b/gtests/der_gtest/der_getint_unittest.cc
|
||||
@@ -4,14 +4,13 @@
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
@ -235,28 +225,46 @@ diff -up nss/gtests/der_gtest/der_getint_unittest.cc.gtests-split nss/gtests/der
|
||||
|
||||
namespace nss_test {
|
||||
|
||||
diff -up nss/gtests/der_gtest/der_gtest.gyp.gtests-split nss/gtests/der_gtest/der_gtest.gyp
|
||||
--- nss/gtests/der_gtest/der_gtest.gyp.gtests-split 2017-06-02 10:54:18.708290005 +0200
|
||||
+++ nss/gtests/der_gtest/der_gtest.gyp 2017-06-02 11:03:35.778519718 +0200
|
||||
diff --git a/gtests/der_gtest/der_gtest.gyp b/gtests/der_gtest/der_gtest.gyp
|
||||
--- a/gtests/der_gtest/der_gtest.gyp
|
||||
+++ b/gtests/der_gtest/der_gtest.gyp
|
||||
@@ -12,7 +12,6 @@
|
||||
'type': 'executable',
|
||||
'sources': [
|
||||
'der_getint_unittest.cc',
|
||||
- 'der_private_key_import_unittest.cc',
|
||||
'der_quickder_unittest.cc',
|
||||
'<(DEPTH)/gtests/common/gtests.cc'
|
||||
],
|
||||
'dependencies': [
|
||||
diff -up nss/gtests/der_gtest/manifest.mn.gtests-split nss/gtests/der_gtest/manifest.mn
|
||||
--- nss/gtests/der_gtest/manifest.mn.gtests-split 2017-04-20 16:25:50.000000000 +0200
|
||||
+++ nss/gtests/der_gtest/manifest.mn 2017-06-02 11:03:55.137075847 +0200
|
||||
@@ -8,16 +8,15 @@ MODULE = nss
|
||||
diff --git a/gtests/der_gtest/der_quickder_unittest.cc b/gtests/der_gtest/der_quickder_unittest.cc
|
||||
--- a/gtests/der_gtest/der_quickder_unittest.cc
|
||||
+++ b/gtests/der_gtest/der_quickder_unittest.cc
|
||||
@@ -7,11 +7,12 @@
|
||||
#include <stdint.h>
|
||||
|
||||
#include "gtest/gtest.h"
|
||||
-#include "scoped_ptrs.h"
|
||||
+#include "scoped_ptrs_util.h"
|
||||
|
||||
#include "nss.h"
|
||||
#include "prerror.h"
|
||||
#include "secasn1.h"
|
||||
+#include "secder.h"
|
||||
#include "secerr.h"
|
||||
#include "secitem.h"
|
||||
|
||||
diff --git a/gtests/der_gtest/manifest.mn b/gtests/der_gtest/manifest.mn
|
||||
--- a/gtests/der_gtest/manifest.mn
|
||||
+++ b/gtests/der_gtest/manifest.mn
|
||||
@@ -8,7 +8,6 @@ MODULE = nss
|
||||
|
||||
CPPSRCS = \
|
||||
der_getint_unittest.cc \
|
||||
- der_private_key_import_unittest.cc \
|
||||
der_quickder_unittest.cc \
|
||||
$(NULL)
|
||||
|
||||
INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
|
||||
@@ -16,9 +15,9 @@ INCLUDES += -I$(CORE_DEPTH)/gtests/googl
|
||||
-I$(CORE_DEPTH)/gtests/common \
|
||||
-I$(CORE_DEPTH)/cpputil
|
||||
|
||||
@ -268,9 +276,9 @@ diff -up nss/gtests/der_gtest/manifest.mn.gtests-split nss/gtests/der_gtest/mani
|
||||
EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \
|
||||
- ../common/$(OBJDIR)/gtests$(OBJ_SUFFIX)
|
||||
+ $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX)
|
||||
diff -up nss/gtests/pk11_gtest/manifest.mn.gtests-split nss/gtests/pk11_gtest/manifest.mn
|
||||
--- nss/gtests/pk11_gtest/manifest.mn.gtests-split 2017-04-20 16:25:50.000000000 +0200
|
||||
+++ nss/gtests/pk11_gtest/manifest.mn 2017-06-02 10:54:18.708290005 +0200
|
||||
diff --git a/gtests/pk11_gtest/manifest.mn b/gtests/pk11_gtest/manifest.mn
|
||||
--- a/gtests/pk11_gtest/manifest.mn
|
||||
+++ b/gtests/pk11_gtest/manifest.mn
|
||||
@@ -16,6 +16,7 @@ CPPSRCS = \
|
||||
pk11_prf_unittest.cc \
|
||||
pk11_prng_unittest.cc \
|
||||
@ -286,9 +294,10 @@ diff -up nss/gtests/pk11_gtest/manifest.mn.gtests-split nss/gtests/pk11_gtest/ma
|
||||
- ../common/$(OBJDIR)/gtests$(OBJ_SUFFIX)
|
||||
+ $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX)
|
||||
|
||||
diff -up nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc.gtests-split nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
|
||||
--- nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc.gtests-split 2017-06-02 10:54:18.708290005 +0200
|
||||
+++ nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc 2017-06-02 10:54:18.708290005 +0200
|
||||
diff --git a/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc b/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
|
||||
@@ -0,0 +1,110 @@
|
||||
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
+/* vim: set ts=2 et sw=2 tw=80: */
|
||||
@ -400,10 +409,10 @@ diff -up nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc.gtests-sp
|
||||
+}
|
||||
+
|
||||
+} // namespace nss_test
|
||||
diff -up nss/gtests/pk11_gtest/pk11_gtest.gyp.gtests-split nss/gtests/pk11_gtest/pk11_gtest.gyp
|
||||
--- nss/gtests/pk11_gtest/pk11_gtest.gyp.gtests-split 2017-04-20 16:25:50.000000000 +0200
|
||||
+++ nss/gtests/pk11_gtest/pk11_gtest.gyp 2017-06-02 10:54:18.708290005 +0200
|
||||
@@ -19,6 +19,7 @@
|
||||
diff --git a/gtests/pk11_gtest/pk11_gtest.gyp b/gtests/pk11_gtest/pk11_gtest.gyp
|
||||
--- a/gtests/pk11_gtest/pk11_gtest.gyp
|
||||
+++ b/gtests/pk11_gtest/pk11_gtest.gyp
|
||||
@@ -20,6 +20,7 @@
|
||||
'pk11_prf_unittest.cc',
|
||||
'pk11_prng_unittest.cc',
|
||||
'pk11_rsapss_unittest.cc',
|
||||
@ -411,19 +420,19 @@ diff -up nss/gtests/pk11_gtest/pk11_gtest.gyp.gtests-split nss/gtests/pk11_gtest
|
||||
'<(DEPTH)/gtests/common/gtests.cc'
|
||||
],
|
||||
'dependencies': [
|
||||
diff -up nss/gtests/util_gtest/manifest.mn.gtests-split nss/gtests/util_gtest/manifest.mn
|
||||
--- nss/gtests/util_gtest/manifest.mn.gtests-split 2017-04-20 16:25:50.000000000 +0200
|
||||
+++ nss/gtests/util_gtest/manifest.mn 2017-06-02 10:54:18.708290005 +0200
|
||||
@@ -24,5 +24,5 @@ PROGRAM = util_gtest
|
||||
diff --git a/gtests/util_gtest/manifest.mn b/gtests/util_gtest/manifest.mn
|
||||
--- a/gtests/util_gtest/manifest.mn
|
||||
+++ b/gtests/util_gtest/manifest.mn
|
||||
@@ -25,5 +25,5 @@ PROGRAM = util_gtest
|
||||
EXTRA_LIBS = \
|
||||
$(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
|
||||
$(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
|
||||
- ../common/$(OBJDIR)/gtests$(OBJ_SUFFIX) \
|
||||
+ $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) \
|
||||
$(NULL)
|
||||
diff -up nss/gtests/util_gtest/util_b64_unittest.cc.gtests-split nss/gtests/util_gtest/util_b64_unittest.cc
|
||||
--- nss/gtests/util_gtest/util_b64_unittest.cc.gtests-split 2017-04-20 16:25:50.000000000 +0200
|
||||
+++ nss/gtests/util_gtest/util_b64_unittest.cc 2017-06-02 10:54:18.708290005 +0200
|
||||
diff --git a/gtests/util_gtest/util_b64_unittest.cc b/gtests/util_gtest/util_b64_unittest.cc
|
||||
--- a/gtests/util_gtest/util_b64_unittest.cc
|
||||
+++ b/gtests/util_gtest/util_b64_unittest.cc
|
||||
@@ -9,7 +9,7 @@
|
||||
#include "nssb64.h"
|
||||
|
||||
@ -433,9 +442,21 @@ diff -up nss/gtests/util_gtest/util_b64_unittest.cc.gtests-split nss/gtests/util
|
||||
|
||||
namespace nss_test {
|
||||
|
||||
diff -up nss/tests/gtests/gtests.sh.gtests-split nss/tests/gtests/gtests.sh
|
||||
--- nss/tests/gtests/gtests.sh.gtests-split 2017-04-20 16:25:50.000000000 +0200
|
||||
+++ nss/tests/gtests/gtests.sh 2017-06-02 10:54:18.708290005 +0200
|
||||
diff --git a/gtests/util_gtest/util_pkcs11uri_unittest.cc b/gtests/util_gtest/util_pkcs11uri_unittest.cc
|
||||
--- a/gtests/util_gtest/util_pkcs11uri_unittest.cc
|
||||
+++ b/gtests/util_gtest/util_pkcs11uri_unittest.cc
|
||||
@@ -9,7 +9,7 @@
|
||||
#include "pkcs11uri.h"
|
||||
|
||||
#include "gtest/gtest.h"
|
||||
-#include "scoped_ptrs.h"
|
||||
+#include "scoped_ptrs_util.h"
|
||||
|
||||
namespace nss_test {
|
||||
|
||||
diff --git a/tests/gtests/gtests.sh b/tests/gtests/gtests.sh
|
||||
--- a/tests/gtests/gtests.sh
|
||||
+++ b/tests/gtests/gtests.sh
|
||||
@@ -24,7 +24,7 @@ gtest_init()
|
||||
{
|
||||
cd "$(dirname "$1")"
|
@ -1,10 +1,10 @@
|
||||
diff -up nss/gtests/manifest.mn.skip_util_gtest nss/gtests/manifest.mn
|
||||
--- nss/gtests/manifest.mn.skip_util_gtest 2017-04-20 16:25:50.000000000 +0200
|
||||
+++ nss/gtests/manifest.mn 2017-06-02 12:36:48.278269769 +0200
|
||||
@@ -8,8 +8,6 @@ DEPTH = ..
|
||||
DIRS = \
|
||||
google_test \
|
||||
--- nss/gtests/manifest.mn.skip_util_gtest 2017-06-21 17:40:39.997865113 +0200
|
||||
+++ nss/gtests/manifest.mn 2017-06-21 17:40:52.554579498 +0200
|
||||
@@ -10,8 +10,6 @@ DIRS = \
|
||||
common \
|
||||
certdb_gtest \
|
||||
certhigh_gtest \
|
||||
- der_gtest \
|
||||
- util_gtest \
|
||||
pk11_gtest \
|
||||
|
19
nss.spec
19
nss.spec
@ -1,6 +1,6 @@
|
||||
%global nspr_version 4.14.0
|
||||
%global nss_util_version 3.30.2
|
||||
%global nss_softokn_version 3.30.2
|
||||
%global nspr_version 4.15.0
|
||||
%global nss_util_version 3.31.0
|
||||
%global nss_softokn_version 3.31.0
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
@ -18,10 +18,10 @@
|
||||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.30.2
|
||||
Version: 3.31.0
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 3%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
@ -111,9 +111,7 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch59: nss-check-policy-file.patch
|
||||
Patch62: nss-skip-util-gtest.patch
|
||||
Patch63: nss-gcc7.patch
|
||||
Patch65: nss-1328318-v8-3.30.patch
|
||||
Patch66: gtests-split-v5.patch
|
||||
Patch66: nss-gtests-split.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
@ -197,8 +195,6 @@ low level services.
|
||||
pushd nss
|
||||
%patch59 -p1 -b .check_policy_file
|
||||
%patch62 -p1 -b .skip_util_gtest
|
||||
%patch63 -p1 -b .gcc7
|
||||
%patch65 -p1 -b .1328318
|
||||
%patch66 -p1 -b .gtests-split
|
||||
popd
|
||||
|
||||
@ -801,6 +797,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jun 21 2017 Daiki Ueno <dueno@redhat.com> - 3.31.0-2
|
||||
- Rebase to NSS 3.31.0
|
||||
|
||||
* Fri Jun 2 2017 Daiki Ueno <dueno@redhat.com> - 3.30.2-3
|
||||
- Enable gtests
|
||||
|
||||
|
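Review bot: The `Patch66: nss-gtests-split.patch` line has no upstream reference, unlike `Patch59`, which is preceded by a `# Upstream:` comment. The replacement patch's own header identifies it as the upstream changeset for Bug 1280846, so add `# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846` above the `Patch66:` line; the next rebase can then tell the patch is upstream and drop it once the tarball includes it. Judging by the hunk counts, the `Patch63`/`Patch65` lines and their `%patch63`/`%patch65` calls also appear to be removed here, yet the new `%changelog` entry says only `- Rebase to NSS 3.31.0`. A second entry naming the dropped patches and why they were dropped would keep the package history auditable.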
2
sources
2
sources
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
|
||||
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
||||
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
||||
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
||||
SHA512 (nss-3.30.2.tar.gz) = 02f14bc000cbde42268c4b6f42df80680b010d1491643ef9b11e0bac31a286a2e7fa251c40cb4ac70b64883a1b90efc64440ef9d797357f8a47cd37195fc5500
|
||||
SHA512 (nss-3.31.0.tar.gz) = 9f59c5013021c2718b7132b47610a63414e53ccc99054a405383e7d980c4e03634daea6e9cb04424ba7c1e52dc416f651059d2909c232cccefc85c54c38994ad
|
||||
|