From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 02:47:55 +0200 Subject: Adding upstream version 124.0.1. Signed-off-by: Daniel Baumann --- security/nss/tests/policy/crypto-policy.txt | 22 ++++++++ security/nss/tests/policy/policy.sh | 83 +++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 security/nss/tests/policy/crypto-policy.txt create mode 100755 security/nss/tests/policy/policy.sh (limited to 'security/nss/tests/policy') diff --git a/security/nss/tests/policy/crypto-policy.txt b/security/nss/tests/policy/crypto-policy.txt new file mode 100644 index 0000000000..03515ffcd0 --- /dev/null +++ b/security/nss/tests/policy/crypto-policy.txt @@ -0,0 +1,22 @@ +# col 1: expected return value of nss-policy-check +# col 2: policy config statement, using _ instead of space +# col 3: an extended regular expression, expected to match the output +# col 4: description of the test +# +0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy +0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy +0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy +0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size +2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size +2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value +2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value +2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier +1 disallow=all NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all +1 disallow=all/signature NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all signatures +1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes +1 disallow=ALL_allow=tls-version-min=0:tls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS All TLS versions disabled +1 disallow=ALL_allow=dtls-version-min=0:dtls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS All DTLS versions disabled +1 disallow=ALL_allow=tls-version-min=tls1.2:tls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS Invalid range of TLS versions +1 disallow=ALL_allow=dtls-version-min=tls1.2:dtls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS Invalid range of DTLS versions +1 disallow=ALL_allow=tls-version-min=tls1.1:tls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-TLS-VERSIONS Valid range of TLS versions +1 disallow=ALL_allow=dtls-version-min=tls1.1:dtls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-DTLS-VERSIONS Valid range of DTLS versions diff --git a/security/nss/tests/policy/policy.sh b/security/nss/tests/policy/policy.sh new file mode 100755 index 0000000000..51f7cc9019 --- /dev/null +++ b/security/nss/tests/policy/policy.sh @@ -0,0 +1,83 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/policy/policy.sh +# +# Script to test NSS crypto policy code +# +######################################################################## + +policy_init() +{ + SCRIPTNAME=policy.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + SCRIPTNAME=policy.sh + +} + +policy_cleanup() +{ + cd ${QADIR} + . common/cleanup.sh +} + +ignore_blank_lines() +{ + LC_ALL=C egrep -v '^[[:space:]]*(#|$)' "$1" +} + +policy_run_tests() +{ + html_head "CRYPTO-POLICY" + + POLICY_INPUT=${QADIR}/policy/crypto-policy.txt + + ignore_blank_lines ${POLICY_INPUT} | \ + while read value policy match testname + do + echo "$SCRIPTNAME: running \"$testname\" ----------------------------" + policy=`echo ${policy} | sed -e 's;_; ;g'` + match=`echo ${match} | sed -e 's;_; ;g'` + POLICY_FILE="${TMP}/nss-policy" + + echo "$SCRIPTNAME: policy: \"$policy\"" + + cat > "$POLICY_FILE" << ++EOF++ +library= +name=Policy +NSS=flags=policyOnly,moduleDB +++EOF++ + echo "config=\"${policy}\"" >> "$POLICY_FILE" + echo "" >> "$POLICY_FILE" + + nss-policy-check -f identifier -f value "$POLICY_FILE" >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + + html_msg $ret $value "\"${testname}\"" \ + "produced a returncode of $ret, expected is $value" + + egrep "${match}" ${TMP}/$HOST.tmp.$$ + ret=$? + html_msg $ret 0 "\"${testname}\" output is expected to match \"${match}\"" + + done + html "
" +} + +policy_init +policy_run_tests +policy_cleanup -- cgit v1.2.3