summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/iopr/server_scr
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/tests/iopr/server_scr')
-rw-r--r--security/nss/tests/iopr/server_scr/apache_unix.cfg47
-rw-r--r--security/nss/tests/iopr/server_scr/cert_gen.sh367
-rw-r--r--security/nss/tests/iopr/server_scr/cipher.list98
-rw-r--r--security/nss/tests/iopr/server_scr/client.cgi526
-rw-r--r--security/nss/tests/iopr/server_scr/config17
-rw-r--r--security/nss/tests/iopr/server_scr/iis_windows.cfg33
-rw-r--r--security/nss/tests/iopr/server_scr/iopr_server.cfg67
-rw-r--r--security/nss/tests/iopr/server_scr/sslreq.dat2
8 files changed, 1157 insertions, 0 deletions
diff --git a/security/nss/tests/iopr/server_scr/apache_unix.cfg b/security/nss/tests/iopr/server_scr/apache_unix.cfg
new file mode 100644
index 000000000..3992bf52d
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/apache_unix.cfg
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# Apache OPENSSL configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "openssl";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "$certDir/cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed openssl binary
+#
+$opensslb = "/usr/local/bin/openssl";
+
+
+#
+# General location of apache server
+#
+$apacheHttpd="/var/httpd-ssl";
+
+#
+# HTTP Request file
+#
+$reqFile = "$apacheHttpd/cgi-bin/sslreq.dat";
+
+#
+# OpenSSL certificate directory
+#
+$certDir = "$apacheHttpd/cert";
+
+#
+# CA certificate file
+#
+$caCertFile = "$certDir/serverCA.crt";
diff --git a/security/nss/tests/iopr/server_scr/cert_gen.sh b/security/nss/tests/iopr/server_scr/cert_gen.sh
new file mode 100644
index 000000000..17771ade1
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
@@ -0,0 +1,367 @@
+#!/bin/bash
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+######################################################################################
+# Server and client certs and crl generator functions. Generated files placed in a <dir>
+# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
+# This functions is used for manual webserver configuration and it is not a part of
+# nss test run.
+# To create certs use the following command:
+# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
+# Where:
+# dir - directory where to place created files
+# cert name - name of created server cert(FQDN)
+# cert req - cert request to be used for cert generation.
+#
+repAndExec() {
+ echo
+ if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
+ shift
+ echo certutil -s "$CU_SUBJECT" $@
+ certutil -s "$CU_SUBJECT" $@
+ RET=$?
+ else
+ echo $@
+ $@
+ RET=$?
+ fi
+
+ return $RET
+}
+
+setExtData() {
+ extData=$1
+
+ fldNum=0
+ extData=`echo $extData | sed 's/,/ /g'`
+ for extDT in $extData; do
+ if [ $fldNum -eq 0 ]; then
+ eval extType=$extDT
+ fldNum=1
+ continue
+ fi
+ eval data${fldNum}=$extDT
+ fldNum=`expr $fldNum + 1`
+ done
+}
+
+signCert() {
+ dir=$1
+ crtDir=$2
+ crtName=$3
+ crtSN=$4
+ req=$5
+ cuAddParam=$6
+ extList=$7
+
+ if [ -z "$certSigner" ]; then
+ certSigner=TestCA
+ fi
+
+ extCmdLine=""
+ extCmdFile=$dir/extInFile; rm -f $extCmdFile
+ touch $extCmdFile
+ extList=`echo $extList | sed 's/;/ /g'`
+ for ext in $extList; do
+ setExtData $ext
+ [ -z "$extType" ] && echo "incorrect extention format" && return 1
+ case $extType in
+ ocspDR)
+ extCmdLine="$extCmdLine -6"
+ cat <<EOF >> $extCmdFile
+5
+9
+y
+EOF
+ break
+ exit 1
+ ;;
+ AIA)
+ extCmdLine="$extCmdLine -9"
+ cat <<EOF >> $extCmdFile
+2
+7
+$data1
+0
+n
+n
+EOF
+ break
+ ;;
+ *)
+ echo "Unsupported extension type: $extType"
+ break
+ ;;
+ esac
+ done
+ echo "cmdLine: $extCmdLine"
+ echo "cmdFile: "`cat $extCmdFile`
+ repAndExec \
+ certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
+ -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
+ return $RET
+}
+
+createSignedCert() {
+ dir=$1
+ certDir=$2
+ certName=$3
+ certSN=$4
+ certSubj=$5
+ keyType=$6
+ extList=$7
+
+ echo Creating cert $certName-$keyType with SN=$certSN
+
+ CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
+ -k $keyType -o $dir/req 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ rm -f $dir/req
+
+ repAndExec \
+ certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
+ -i "$dir/${certName}-$keyType.crt" 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ cp "$dir/${certName}-$keyType.crt" $certDir
+
+ repAndExec \
+ pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
+ -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ return 0
+}
+
+generateAndExportSSLCerts() {
+ dir=$1
+ certDir=$2
+ serverName=$3
+ servCertReq=$4
+
+ if [ "$servCertReq" -a -f $servCertReq ]; then
+ grep REQUEST $servCertReq >/dev/null 2>&1
+ signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+ fi
+
+ certName=$serverName
+ createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser510
+ createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser511
+ createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser512
+ createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser513
+ createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+}
+
+generateAndExportOCSPCerts() {
+ dir=$1
+ certDir=$2
+
+ certName=ocspTrustedResponder
+ createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDesignatedResponder
+ createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser514
+ createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser516
+ createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser518
+ createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser520
+ createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser522
+ createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser524
+ createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ generateAndExportCACert $dir "" TestCA-unknown
+ [ $? -ne 0 ] && return $ret
+
+ certSigner=TestCA-unknown
+
+ certName=ocspTRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCAUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certSigner=""
+
+ return 0
+}
+
+generateAndExportCACert() {
+ dir=$1
+ certDirL=$2
+ caName=$3
+
+ certName=TestCA
+ [ "$caName" ] && certName=$caName
+ CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
+ -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
+5
+6
+9
+n
+y
+-1
+n
+EOF
+
+ if [ "$certDirL" ]; then
+ repAndExec \
+ certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt
+ [ "$RET" -ne 0 ] && return $RET
+
+ repAndExec \
+ pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ fi
+}
+
+
+generateCerts() {
+ certDir=$1
+ serverName=$2
+ reuseCACert=$3
+ servCertReq=$4
+
+ [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
+ [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
+
+ mkdir -p $certDir
+ [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
+
+
+ dir=/tmp/db.$$
+ if [ -z "$reuseCACert" ]; then
+ if [ -d "$dir" ]; then
+ rm -f $dir
+ fi
+
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+
+ mkdir -p $dir
+ [ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
+
+ echo nss > $PW_FILE
+ date >> ${NOISE_FILE} 2>&1
+
+ repAndExec \
+ certutil -d $dir -N -f $PW_FILE
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportCACert $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+ else
+ dir=$reuseCACert
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+ hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
+ [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
+ return $RET;
+ fi
+
+ generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportOCSPCerts $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+
+ crlUpdate=`date +%Y%m%d%H%M%SZ`
+ crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
+ repAndExec \
+ crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
+update=$crlUpdate
+nextupdate=$crlNextUpdate
+addcert 509-511 $crlUpdate
+addcert 516 $crlUpdate
+addcert 520 $crlUpdate
+addcert 524 $crlUpdate
+EOF_CRLINI
+ [ "$RET" -ne 0 ] && return $RET
+
+ rm -rf $dir
+ return 0
+}
+
+
+if [ -z "$1" -o -z "$2" ]; then
+ echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
+ exit 1
+fi
+generateCerts $1 $2 "$3" $4
+exit $?
diff --git a/security/nss/tests/iopr/server_scr/cipher.list b/security/nss/tests/iopr/server_scr/cipher.list
new file mode 100644
index 000000000..668084c37
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cipher.list
@@ -0,0 +1,98 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+nss openssl iis
+
+#
+# SSL v3.0 cipher suites.
+#
+SSL3_RSA_WITH_NULL_MD5 NULL-MD5 i
+SSL3_RSA_WITH_NULL_SHA NULL-SHA z
+SSL3_RSA_WITH_RC4_128_MD5 RC4-MD5 c
+SSL3_RSA_WITH_RC4_128_SHA RC4-SHA n
+SSL3_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+SSL3_RSA_WITH_DES_CBC_SHA DES-CBC-SHA e
+SSL3_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA d
+
+SSL3_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA s
+SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA q
+SSL3_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+SSL3_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+SSL3_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+SSL3_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+SSL3_FORTEZZA_KEA_WITH_NULL_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_RC4_128_SHA Not_implemented.
+
+#
+# Next four added to have ciphers below for SSL3 protocol
+#
+SSL3_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+SSL3_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+#
+#TLS v1.0 cipher suites.
+#
+TLS_RSA_WITH_NULL_MD5 NULL-MD5
+TLS_RSA_WITH_NULL_SHA NULL-SHA
+TLS_RSA_WITH_RC4_128_MD5 RC4-MD5
+TLS_RSA_WITH_RC4_128_SHA RC4-SHA
+TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
+TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
+
+TLS_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
+TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+#
+#AES ciphersuites from RFC3268, extending TLS v1.0
+#
+
+TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
+TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
+TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
+TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA
+
+TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
+TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
+TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA
+TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
+
+TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
+TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
+
+#
+#Additional cipher suites
+#
+#Note: these ciphers can also be used in SSL v3.
+#
+TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
+
+#
+# FIPS cipher list
+#
+TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+TLS_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
diff --git a/security/nss/tests/iopr/server_scr/client.cgi b/security/nss/tests/iopr/server_scr/client.cgi
new file mode 100644
index 000000000..581ad06d1
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/client.cgi
@@ -0,0 +1,526 @@
+#!/usr/bin/perl
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#--------------------------------------------------------------
+# cgi script that parses request argument to appropriate
+# open ssl or tstclntw options and starts ssl client.
+#
+
+use CGI qw/:standard/;
+
+use subs qw(debug);
+
+#--------------------------------------------------------------
+# Prints out an error string and exits the script with an
+# exitStatus.
+# Param:
+# str : an error string
+# exitStat: an exit status of the program
+#
+sub svr_error {
+ my ($str, $exitStat) = @_;
+
+ if (!defined $str || $str eq "") {
+ $str = $ERR;
+ }
+ print "SERVER ERROR: $str\n";
+ if ($exitStat) {
+ print end_html if ($osDataArr{wservRun});
+ exit $exitStat;
+ }
+}
+
+#--------------------------------------------------------------
+# Prints out a debug message
+# Params:
+# str: debug message
+# inVal: additional value to print(optional)
+#
+sub debug {
+ my ($str, $inVal) = @_;
+
+ print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1);
+}
+
+
+#--------------------------------------------------------------
+# Initializes execution context depending on a webserver the
+# script is running under.
+#
+sub init {
+ %osDataArr = (
+ loadSupportedCipthersFn => \&osSpecific,
+ cipherIsSupportedFn => \&verifyCipherSupport,
+ cipherListFn => \&convertCipher,
+ buildCipherTableFn => \&buildCipherTable,
+ execCmdFn => \&osSpecific,
+ );
+
+ $scriptName = $ENV{'SCRIPT_NAME'};
+ if (!defined $scriptName) {
+ $DEBUG=1;
+ debug "Debug is ON";
+ }
+ $DEBUG=1;
+
+ $svrSoft = $ENV{'SERVER_SOFTWARE'};
+ if (defined $svrSoft) {
+ $_ = $svrSoft;
+ /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS");
+ /.*Apache.*/ && ($osDataArr{wserv} = "Apache");
+ $osDataArr{wservRun} = 1;
+ } else {
+ $osDataArr{wserv} = "Apache";
+ $osDataArr{wservRun} = 0;
+ }
+}
+
+#--------------------------------------------------------------
+# Function-spigot to handle errors is OS specific functions are
+# not implemented for a particular OS.
+# Returns:
+# always returns 0(failure)
+#
+sub osSpecific {
+ $ERR = "This function should be swapped to os specific function.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Sets os specific execution context values.
+# Returns:
+# 1 upon success, or 0 upon failure(if OS was not recognized)
+#
+sub setFunctRefs {
+
+ debug("Entering setFunctRefs function", $osDataArr{wserv});
+
+ if ($osDataArr{wserv} eq "Apache") {
+ $osDataArr{osConfigFile} = "apache_unix.cfg";
+ $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL';
+ $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix;
+ $osDataArr{execCmdFn} = \&execClientCmd_Unix;
+ } elsif ($osDataArr{wserv} eq "IIS") {
+ $osDataArr{osConfigFile} = "iis_windows.cfg";
+ $osDataArr{suppCiphersCmd} = '$tstclntwb';
+ $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win;
+ $osDataArr{execCmdFn} = \&execClientCmd_Win;
+ } else {
+ $ERR = "Unknown Web Server type.";
+ return 0;
+ }
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Parses data from HTTP request. Will print a form if request
+# does not contain sufficient number of parameters.
+# Returns:
+# 1 if request has sufficient number of parameters
+# 0 if not.
+sub getReqData {
+ my $debug = param('debug');
+ $in_host = param('host');
+ $in_port = param('port');
+ $in_cert = param('cert');
+ $in_cipher = param('cipher');
+
+ if (!$osDataArr{wservRun}) {
+ $in_host="goa1";
+ $in_port="443";
+ $in_cert="TestUser511";
+ $in_cipher = "SSL3_RSA_WITH_NULL_SHA";
+ }
+
+ debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher");
+
+ if (defined $debug && $debug == "debug on") {
+ $DEBUG = 1;
+ }
+
+ if (!defined $in_host || $in_host eq "" ||
+ !defined $in_port || $in_port eq "" ||
+ !defined $in_cert || $in_cert eq "") {
+ if ($osDataArr{wservRun}) {
+ print h1('Command description form:'),
+ start_form(-method=>"get"),
+ "Host: ",textfield('host'),p,
+ "Port: ",textfield('port'),p,
+ "Cert: ",textfield('cert'),p,
+ "Cipher: ",textfield('cipher'),p,
+ checkbox_group(-name=>'debug',
+ -values=>['debug on ']),
+ submit,
+ end_form,
+ hr;
+ } else {
+ print "Printing html form to get client arguments\n";
+ }
+ $ERR = "the following parameters are required: host, port, cert";
+ return 0;
+ } else {
+ print "<pre>" if ($osDataArr{wservRun});
+ return 1;
+ }
+}
+
+
+#--------------------------------------------------------------
+# Building cipher conversion table from file based on the OS.
+# Params:
+# tfile: cipher conversion file.
+# sysName: system name
+# tblPrt: returned pointer to a table.
+sub buildCipherTable {
+ my ($tfile, $sysName, $tblPrt) = @_;
+ my @retArr = @$tblPrt;
+ my %table, %rtable;
+ my $strCount = 0;
+
+ debug("Entering getReqData function", "$tfile:$sysName:$tblPrt");
+
+ ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/);
+ if (!open(TFILE, "$tfile")) {
+ $ERR = "Missing cipher conversion table file.";
+ return 0;
+ }
+ foreach (<TFILE>) {
+ chop;
+ /^#.*/ && next;
+ /^\s*$/ && next;
+ if ($strCount++ == 0) {
+ my @sysArr = split /\s+/;
+ $colCount = 0;
+ for (;$colCount <= $#sysArr;$colCount++) {
+ last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/);
+ }
+ next;
+ }
+ my @ciphArr = split /\s+/, $_;
+ $table{$ciphArr[0]} = $ciphArr[$colCount];
+ $rtable{$ciphArr[$colCount]} = $ciphArr[0];
+ }
+ close(TFILE);
+ $cipherTablePtr[0] = \%table;
+ $cipherTablePtr[1] = \%rtable;
+ return 1
+}
+
+#--------------------------------------------------------------
+# Client configuration function. Loads client configuration file.
+# Initiates cipher table. Loads cipher list supported by ssl client.
+#
+sub configClient {
+
+ debug "Entering configClient function";
+
+ my $res = &setFunctRefs();
+ return $res if (!$res);
+
+ open(CFILE, $osDataArr{'osConfigFile'}) ||
+ ($ERR = "Missing configuration file." && return 0);
+ foreach (<CFILE>) {
+ /^#.*/ && next;
+ chop;
+ eval $_;
+ }
+ close(CFILE);
+
+ local @cipherTablePtr = ();
+ $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0;
+ $osDataArr{cipherTable} = $cipherTablePtr[0];
+ $osDataArr{rcipherTable} = $cipherTablePtr[1];
+
+ local $suppCiphersTablePrt;
+ &{$osDataArr{'loadSupportedCipthersFn'}} || return 0;
+ $osDataArr{suppCiphersTable} = $suppCiphersTablePrt;
+}
+
+#--------------------------------------------------------------
+# Verifies that a particular cipher is supported.
+# Params:
+# checkCipher: cipher name
+# Returns:
+# 1 - cipher is supported(also echos the cipher).
+# 0 - not supported.
+#
+sub verifyCipherSupport {
+ my ($checkCipher) = @_;
+ my @suppCiphersTable = @{$osDataArr{suppCiphersTable}};
+
+ debug("Entering verifyCipherSupport", $checkCipher);
+ foreach (@suppCiphersTable) {
+ return 1 if ($checkCipher eq $_);
+ }
+ $ERR = "cipher is not supported.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Converts long(?name of the type?) cipher name to
+# openssl/tstclntw cipher name.
+# Returns:
+# 0 if cipher was not listed. 1 upon success.
+#
+sub convertCipher {
+ my ($cipher) = @_;
+ my @retList;
+ my $resStr;
+ my %cipherTable = %{$osDataArr{cipherTable}};
+
+ debug("Entering convertCipher", $cipher);
+ if (defined $cipher) {
+ my $cphr = $cipherTable{$cipher};
+ if (!defined $cphr) {
+ $ERR = "cipher is not listed.";
+ return 0;
+ }
+ &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0;
+ $ciphers = "$cphr";
+ return 1;
+ }
+ return 0;
+}
+
+#################################################################
+# UNIX Apache Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Unix {
+ my @arr, @suppCiphersTable;
+
+ debug "Entering getSupportedCipherList_Unix function";
+
+ eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+ if (!open (OUT, "$sLisrCmd|")) {
+ $ERR="Can not run command to verify supported cipher list.";
+ return 0;
+ }
+ @arr = <OUT>;
+ chop $arr[0];
+ @suppCiphersTable = split /:/, $arr[0];
+ debug("Supported ciphers", $arr[0]);
+ $suppCiphersTablePrt = \@suppCiphersTable;
+ close(OUT);
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Unix {
+ my $proto;
+ local $ciphers;
+
+ debug "Entering execClientCmd_Unix";
+ if (defined $in_cipher && $in_cipher ne "") {
+ my @arr = split /_/, $in_cipher, 2;
+ $proto = "-".$arr[0];
+ $proto =~ tr /SLT/slt/;
+ $proto = "-tls1" if ($proto eq "-tls");
+ return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+ $ciphers = "-cipher $ciphers";
+ debug("Return from cipher conversion", "$ciphers");
+ }
+
+ eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+ debug("Executing command", $command);
+ if (!open CMD_OUT, "$command 2>&1 |") {
+ $ERR = "can not launch client";
+ return 0;
+ }
+
+ my @cmdOutArr = <CMD_OUT>;
+
+ foreach (@cmdOutArr) {
+ print $_;
+ }
+
+ my $haveVerify = 0;
+ my $haveErrors = 0;
+ foreach (@cmdOutArr) {
+ chop;
+ if (/unknown option/) {
+ $haveErrors++;
+ svr_error "unknown option\n";
+ next;
+ }
+ if (/:no ciphers available/) {
+ $haveErrors++;
+ svr_error "no cipthers available\n";
+ next;
+ }
+ if (/verify error:/) {
+ $haveErrors++;
+ svr_error "unable to do verification\n";
+ next;
+ }
+ if (/alert certificate revoked:/) {
+ $haveErrors++;
+ svr_error "attempt to connect with revoked sertificate\n";
+ next;
+ }
+ if (/(error|ERROR)/) {
+ $haveErrors++;
+ svr_error "found errors in server log\n";
+ next;
+ }
+ /verify return:1/ && ($haveVerify = 1);
+ }
+ if ($haveVerify == 0) {
+ svr_error "no 'verify return:1' found in server log\n";
+ $haveErrors++;
+ }
+
+ if ($haveErrors > 0) {
+ $ERR = "Have $haveErrors server errors";
+ debug "Exiting execClientCmd_Unix";
+ return 0;
+ }
+ debug "Exiting execClientCmd_Unix";
+ return 1;
+}
+
+#################################################################
+# Windows IIS Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Win {
+ my @arr, @suppCiphersTable;
+
+ debug "Entering getSupportedCipherList_Win function";
+
+ eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+ if (!open (OUT, "$sLisrCmd|")) {
+ $ERR="Can not run command to verify supported cipher list.";
+ return 0;
+ }
+ my $startCipherList = 0;
+ foreach (<OUT>) {
+ chop;
+ if ($startCipherList) {
+ /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1;
+ next;
+ }
+ /.*from list below.*/ && ($startCipherList = 1);
+ }
+ debug("Supported ciphers", join ':', @suppCiphersTable);
+ $suppCiphersTablePrt = \@suppCiphersTable;
+ close(OUT);
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Win {
+ my $proto;
+ local $ciphers;
+
+ debug "Entering execClientCmd_Win";
+ if (defined $in_cipher && $in_cipher ne "") {
+ my @arr = split /_/, $in_cipher, 2;
+ $proto = "-2 -3 -T";
+
+ $proto =~ s/-T// if ($arr[0] eq "TLS");
+ $proto =~ s/-3// if ($arr[0] eq "SSL3");
+ $proto =~ s/-2// if ($arr[0] eq "SSL2");
+ return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+ $ciphers = "-c $ciphers";
+ debug("Return from cipher conversion", $ciphers);
+ }
+
+ eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+ debug("Executing command", $command);
+ if (!open CMD_OUT, "$command 2>&1 |") {
+ $ERR = "can not launch client";
+ return 0;
+ }
+
+ my @cmdOutArr = <CMD_OUT>;
+
+ foreach (@cmdOutArr) {
+ print $_;
+ }
+
+ my $haveVerify = 0;
+ my $haveErrors = 0;
+ foreach (@cmdOutArr) {
+ chop;
+ if (/unknown option/) {
+ $haveErrors++;
+ svr_error "unknown option\n";
+ next;
+ }
+ if (/Error performing handshake/) {
+ $haveErrors++;
+ svr_error "Error performing handshake\n";
+ next;
+ }
+ if (/Error creating credentials/) {
+ $haveErrors++;
+ svr_error "Error creating credentials\n";
+ next;
+ }
+ if (/Error .* authenticating server credentials!/) {
+ $haveErrors++;
+ svr_error "Error authenticating server credentials\n";
+ next;
+ }
+ if (/(error|ERROR|Error)/) {
+ $haveErrors++;
+ svr_error "found errors in server log\n";
+ next;
+ }
+ }
+
+ if ($haveErrors > 0) {
+ $ERR = "Have $haveErrors server errors";
+ debug "Exiting execClientCmd_Win";
+ return 0;
+ }
+ debug "Exiting execClientCmd_Win";
+ return 1;
+}
+
+#################################################################
+# Main line of execution
+#----------------------------------------------------------------
+&init;
+
+if ($osDataArr{wservRun}) {
+ print header('text/html').
+ start_html('iopr client');
+}
+
+print "SCRIPT=OK\n";
+
+if (!&getReqData) {
+ svr_error($ERR, 1);
+}
+
+if (!&configClient) {
+ svr_error($ERR, 1);
+}
+
+&{$osDataArr{'execCmdFn'}} || svr_error;
+
+if ($osDataArr{wservRun}) {
+ print "</pre>";
+ print end_html;
+}
diff --git a/security/nss/tests/iopr/server_scr/config b/security/nss/tests/iopr/server_scr/config
new file mode 100644
index 000000000..9e65b926c
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/config
@@ -0,0 +1,17 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+userCertNames="TestUser510 TestUser511"
+userRevokedCertNames="TestUser510"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+supportedTests="SslSingleHs"
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsPort=443
+SslSingleHsUrl=/
+SslSingleHsParam=NOAUTH:NOCOV:NOCRL
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 / NOAUTH:NOCOV:NOCRL"
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 /"
diff --git a/security/nss/tests/iopr/server_scr/iis_windows.cfg b/security/nss/tests/iopr/server_scr/iis_windows.cfg
new file mode 100644
index 000000000..76499b8b6
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iis_windows.cfg
@@ -0,0 +1,33 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# IIS windows configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "iis";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed tstclntb binary
+#
+$tstclntwb = "./tstclntw.exe";
+
+#
+# HTTP Request file
+#
+$reqFile = "sslreq.dat";
+
+
diff --git a/security/nss/tests/iopr/server_scr/iopr_server.cfg b/security/nss/tests/iopr/server_scr/iopr_server.cfg
new file mode 100644
index 000000000..2b196e015
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iopr_server.cfg
@@ -0,0 +1,67 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+
+#old values
+userCertNames="TestUser510-rsa TestUser512-rsa"
+userRevokedCertNames="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+supportedTests="SslSingleHs SslSecondHs"
+#supportedTests="SslSecondHs"
+
+
+downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt"
+# Keep a space at the end of
+SslClntValidCertName="TestUser512-rsa"
+SslClntRevokedCertName="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+
+supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder"
+
+#
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsDescr="ssl with single handshake without client cert auth"
+SslSingleHsPort=443
+SslSingleHsUrl=/iopr_test/test_pg.html
+SslSingleHsParam=NOAUTH
+
+#
+# SslSecondHs: ssl with secondary hs when accessing direcory
+# that requires cert verification
+SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification"
+SslSecondHsPort=443
+SslSecondHsUrl=/iopr_test_2hs/test_pg.html
+SslSecondHsParam=NOCOV
+
+#
+# OcspTrustedResponder - trusted responder key is used to sign OCSP response
+#
+OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response"
+OcspTrustedResponderProto=http
+OcspTrustedResponderPort=2560
+OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa
+OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa"
+OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa"
+OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa"
+
+#
+# OcspResponderCA - CA key is used to sign OCSP response
+#
+OcspResponderCADescr="CA key is used to sign OCSP response"
+OcspResponderCAValidCertNames="ocspRCATestUser518-rsa"
+OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa"
+OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa"
+
+#
+# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response
+#
+OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response"
+OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa"
+OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa"
+OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa"
diff --git a/security/nss/tests/iopr/server_scr/sslreq.dat b/security/nss/tests/iopr/server_scr/sslreq.dat
new file mode 100644
index 000000000..2f7ad7736
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+