From ac01048c5ec60947a1970b438e7534278b9d8bba Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Tue, 5 Dec 2017 16:21:28 +0000
Subject: [PATCH] tris: add NSS server to client interop tests

Similar to boringssl, reuse the NSS client image for the NSS server test against the tris client.

Bump the NSS version to 3.34.1 gain support for TLS 1.3 keylogging which is useful while debugging.

Adjust read check to fix intermittent NSS test failures:
https://github.com/cloudflare/tls-tris/issues/58
---
 .travis.yml | 2 +-
 _dev/tris-testclient/client.go | 4 +++-
 _dev/tstclnt/Dockerfile | 12 ++++++++++--
 _dev/tstclnt/server.sh | 11 +++++++++++
 4 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100755 _dev/tstclnt/server.sh

diff --git a/.travis.yml b/.travis.yml
index 4e97d47..c10af39 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,7 +9,7 @@ go:
 env:
 - MODE=interop CLIENT=boring SERVER=boring
- - MODE=interop CLIENT=tstclnt
+ - MODE=interop CLIENT=tstclnt SERVER=tstclnt
 - MODE=interop CLIENT=picotls ZRTT=1
 - MODE=interop CLIENT=mint
 - MODE=bogo
diff --git a/_dev/tris-testclient/client.go b/_dev/tris-testclient/client.go
index 05c44f8..e76ea65 100644
--- a/_dev/tris-testclient/client.go
+++ b/_dev/tris-testclient/client.go
@@ -57,7 +57,9 @@ func (c *Client) run(addr string, version, cipherSuite uint16) {
 buf := make([]byte, 1024)
 n, err := con.Read(buf)
- if err != nil {
+ // A non-zero read with EOF is acceptable and occurs when a close_notify
+ // is received right after reading data (observed with NSS selfserv).
+ if !(n > 0 && err == io.EOF) && err != nil {
 fmt.Printf("Read failed: %v\n\n", err)
 c.failed++
 return
diff --git a/_dev/tstclnt/Dockerfile b/_dev/tstclnt/Dockerfile
index 64ffbe4..d1df83c 100644
--- a/_dev/tstclnt/Dockerfile
+++ b/_dev/tstclnt/Dockerfile
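Review bot: The new condition on the `if` line accepts `io.EOF` whenever `n > 0`, but if tris inherits upstream crypto/tls behaviour here, a peer that simply closes the TCP connection at a record boundary without sending close_notify is also reported as `io.EOF`, so this check cannot distinguish a clean close_notify from a truncated connection and the new comment overstates what is verified. I would reword the comment to `// A non-zero read ending in io.EOF is accepted: NSS selfserv closes the connection (close_notify or plain TCP close) right after sending its response.` and, for readability, test the error first: `if err != nil && !(n > 0 && err == io.EOF) {`. Nothing in the hunk imports `io`, and the diffstat shows no other change to client.go, so the package must already be imported — worth a quick check before merging. The body of `run` continues past the hunk, where the accepted-EOF path presumably goes on to consume `buf[:n]`.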
@@ -17,8 +17,8 @@ ENV USE_64=1 NSS_ENABLE_TLS_1_3=1
 # Draft 18
 # ARG REVISION=b6dfef6d0ff0
-# tstclnt resumption
-ARG REVISION=2ed8aef0b360
+# Draft 18, NSS_3_34_1_RTM (with TLS 1.3 keylogging support)
+ARG REVISION=e61c0f657100
 RUN cd nss && hg pull
 RUN cd nss && hg checkout -C $REVISION
@@ -39,6 +39,14 @@ ENV LD_LIBRARY_PATH=/dist/OBJ-PATH/lib
 ENV SSLTRACE=100 SSLDEBUG=100
+# Init test key using an empty noise (seed) file (-z /dev/null).
+# Use different subjects, otherwise NSS seems to merge keys under the same nickname.
+RUN mkdir /certdb && \
+ /dist/OBJ-PATH/bin/certutil -d /certdb -N --empty-password && \
+ /dist/OBJ-PATH/bin/certutil -d /certdb -S -n rsa-server -t u -x -s CN=localhost -k rsa -z /dev/null && \
+ /dist/OBJ-PATH/bin/certutil -d /certdb -S -n ecdsa-server -t u -x -s CN=localhost,O=EC -k ec -z /dev/null -q nistp256
 ADD httpreq.txt /httpreq.txt
 ADD run.sh /run.sh
+ADD server.sh /server.sh
 ENTRYPOINT ["/run.sh"]
diff --git a/_dev/tstclnt/server.sh b/_dev/tstclnt/server.sh
new file mode 100755
index 0000000..1a1d071
--- /dev/null
+++ b/_dev/tstclnt/server.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+PATH=/dist/OBJ-PATH/bin:$PATH
+set -x
+
+# RSA
+selfserv -n rsa-server -p 1443 -d /certdb -V tls1.2:tls1.3 -v -Z &
+
+# ECDSA
+selfserv -n ecdsa-server -p 2443 -d /certdb -V tls1.2:tls1.3 -v -Z &
+
+wait
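Review bot: The two `certutil -S` lines in the second hunk do not pass `-v`, so the self-signed certificates get certutil's default validity (three months) and are frozen into the image at build time; since the commit message says this image is reused, any consumer that verifies the server chain will start failing once a cached image is older than that. Passing an explicit validity on both lines, e.g. `-v 120`, removes that time bomb; whether the tris client currently verifies at all is not visible here. The key database is also created with `--empty-password` and the private keys live in the image, which is fine for throwaway CI material but should be stated so nobody mounts or copies `/certdb` elsewhere, e.g. `# Throwaway test-only keys: empty DB password, self-signed, never reuse outside the interop tests.` The comment about "the same nickname" is slightly confusing since the two nicknames already differ (`rsa-server`, `ecdsa-server`); if the real constraint is that NSS ties one nickname to a subject, say that instead.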
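Review bot: The bare `wait` at the end of server.sh always exits 0, so if either `selfserv` fails to start (missing `/certdb`, wrong nickname, port already bound) the script still finishes successfully once the other process ends, and the failure only shows up later as client connection errors. Because nothing traps signals, the shell running as the container's PID 1 also does not forward SIGTERM to the two background servers, so a `docker stop` waits out the grace period and then SIGKILLs them. Recording the pids, trapping INT/TERM to kill both, and waiting on each pid individually fixes both issues; note that with sequential waits a failure of the second server is only observed once the first exits, which is acceptable for a test fixture but should be understood. `set -x` without `set -e` is fine here since the interesting failures are in background jobs anyway.
```shell
# … unchanged: shebang, PATH, set -x …
selfserv -n rsa-server -p 1443 -d /certdb -V tls1.2:tls1.3 -v -Z &
rsa_pid=$!

selfserv -n ecdsa-server -p 2443 -d /certdb -V tls1.2:tls1.3 -v -Z &
ecdsa_pid=$!

# Forward container stop signals to both servers instead of leaving them to be SIGKILLed.
trap 'kill $rsa_pid $ecdsa_pid 2>/dev/null' INT TERM

# A bare "wait" always exits 0; wait per pid so a selfserv that failed to start is reported.
wait $rsa_pid || exit $?
wait $ecdsa_pid
```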