From 5f8de423f190bbb79a62f804151bc24824fa32d8 Mon Sep 17 00:00:00 2001 From: "Matt A. Tobin" Date: Fri, 2 Feb 2018 04:16:08 -0500 Subject: Add m-esr52 at 52.6.0 --- security/nss/tests/iopr/server_scr/client.cgi | 526 ++++++++++++++++++++++++++ 1 file changed, 526 insertions(+) create mode 100644 security/nss/tests/iopr/server_scr/client.cgi (limited to 'security/nss/tests/iopr/server_scr/client.cgi') diff --git a/security/nss/tests/iopr/server_scr/client.cgi b/security/nss/tests/iopr/server_scr/client.cgi new file mode 100644 index 000000000..581ad06d1 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/client.cgi @@ -0,0 +1,526 @@ +#!/usr/bin/perl + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +#-------------------------------------------------------------- +# cgi script that parses request argument to appropriate +# open ssl or tstclntw options and starts ssl client. +# + +use CGI qw/:standard/; + +use subs qw(debug); + +#-------------------------------------------------------------- +# Prints out an error string and exits the script with an +# exitStatus. +# Param: +# str : an error string +# exitStat: an exit status of the program +# +sub svr_error { + my ($str, $exitStat) = @_; + + if (!defined $str || $str eq "") { + $str = $ERR; + } + print "SERVER ERROR: $str\n"; + if ($exitStat) { + print end_html if ($osDataArr{wservRun}); + exit $exitStat; + } +} + +#-------------------------------------------------------------- +# Prints out a debug message +# Params: +# str: debug message +# inVal: additional value to print(optional) +# +sub debug { + my ($str, $inVal) = @_; + + print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1); +} + + +#-------------------------------------------------------------- +# Initializes execution context depending on a webserver the +# script is running under. +# +sub init { + %osDataArr = ( + loadSupportedCipthersFn => \&osSpecific, + cipherIsSupportedFn => \&verifyCipherSupport, + cipherListFn => \&convertCipher, + buildCipherTableFn => \&buildCipherTable, + execCmdFn => \&osSpecific, + ); + + $scriptName = $ENV{'SCRIPT_NAME'}; + if (!defined $scriptName) { + $DEBUG=1; + debug "Debug is ON"; + } + $DEBUG=1; + + $svrSoft = $ENV{'SERVER_SOFTWARE'}; + if (defined $svrSoft) { + $_ = $svrSoft; + /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS"); + /.*Apache.*/ && ($osDataArr{wserv} = "Apache"); + $osDataArr{wservRun} = 1; + } else { + $osDataArr{wserv} = "Apache"; + $osDataArr{wservRun} = 0; + } +} + +#-------------------------------------------------------------- +# Function-spigot to handle errors is OS specific functions are +# not implemented for a particular OS. +# Returns: +# always returns 0(failure) +# +sub osSpecific { + $ERR = "This function should be swapped to os specific function."; + return 0; +} + +#-------------------------------------------------------------- +# Sets os specific execution context values. +# Returns: +# 1 upon success, or 0 upon failure(if OS was not recognized) +# +sub setFunctRefs { + + debug("Entering setFunctRefs function", $osDataArr{wserv}); + + if ($osDataArr{wserv} eq "Apache") { + $osDataArr{osConfigFile} = "apache_unix.cfg"; + $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL'; + $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile'; + $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix; + $osDataArr{execCmdFn} = \&execClientCmd_Unix; + } elsif ($osDataArr{wserv} eq "IIS") { + $osDataArr{osConfigFile} = "iis_windows.cfg"; + $osDataArr{suppCiphersCmd} = '$tstclntwb'; + $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile'; + $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win; + $osDataArr{execCmdFn} = \&execClientCmd_Win; + } else { + $ERR = "Unknown Web Server type."; + return 0; + } + return 1; +} + +#-------------------------------------------------------------- +# Parses data from HTTP request. Will print a form if request +# does not contain sufficient number of parameters. +# Returns: +# 1 if request has sufficient number of parameters +# 0 if not. +sub getReqData { + my $debug = param('debug'); + $in_host = param('host'); + $in_port = param('port'); + $in_cert = param('cert'); + $in_cipher = param('cipher'); + + if (!$osDataArr{wservRun}) { + $in_host="goa1"; + $in_port="443"; + $in_cert="TestUser511"; + $in_cipher = "SSL3_RSA_WITH_NULL_SHA"; + } + + debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher"); + + if (defined $debug && $debug == "debug on") { + $DEBUG = 1; + } + + if (!defined $in_host || $in_host eq "" || + !defined $in_port || $in_port eq "" || + !defined $in_cert || $in_cert eq "") { + if ($osDataArr{wservRun}) { + print h1('Command description form:'), + start_form(-method=>"get"), + "Host: ",textfield('host'),p, + "Port: ",textfield('port'),p, + "Cert: ",textfield('cert'),p, + "Cipher: ",textfield('cipher'),p, + checkbox_group(-name=>'debug', + -values=>['debug on ']), + submit, + end_form, + hr; + } else { + print "Printing html form to get client arguments\n"; + } + $ERR = "the following parameters are required: host, port, cert"; + return 0; + } else { + print "
" if ($osDataArr{wservRun});
+        return 1;
+    }
+}
+
+
+#--------------------------------------------------------------
+# Building cipher conversion table from file based on the OS.
+# Params:
+#     tfile: cipher conversion file.
+#     sysName: system name
+#     tblPrt: returned pointer to a table.
+sub buildCipherTable {
+    my ($tfile, $sysName, $tblPrt) = @_;
+    my @retArr = @$tblPrt;
+    my %table, %rtable;
+    my $strCount = 0;
+
+    debug("Entering getReqData function", "$tfile:$sysName:$tblPrt");
+
+    ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/);
+    if (!open(TFILE, "$tfile")) {
+        $ERR = "Missing cipher conversion table file.";
+        return 0;
+    }
+    foreach () {
+        chop;
+        /^#.*/ && next;
+        /^\s*$/ && next;
+        if ($strCount++ == 0) {
+            my @sysArr =  split /\s+/;
+            $colCount = 0;
+            for (;$colCount <= $#sysArr;$colCount++) {
+                last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/);
+            }
+            next;
+        }
+        my @ciphArr =  split /\s+/, $_;
+        $table{$ciphArr[0]} = $ciphArr[$colCount];
+        $rtable{$ciphArr[$colCount]} = $ciphArr[0];
+    }
+    close(TFILE);
+    $cipherTablePtr[0] = \%table;
+    $cipherTablePtr[1] = \%rtable;
+    return 1
+}
+
+#--------------------------------------------------------------
+# Client configuration function. Loads client configuration file.
+# Initiates cipher table. Loads cipher list supported by ssl client.
+#
+sub configClient {
+
+    debug "Entering configClient function";
+
+    my $res = &setFunctRefs();
+    return $res if (!$res);
+
+    open(CFILE, $osDataArr{'osConfigFile'}) ||
+        ($ERR = "Missing configuration file." && return 0);
+    foreach () {
+        /^#.*/ && next;
+        chop;
+        eval $_;
+    }
+    close(CFILE);
+   
+    local @cipherTablePtr = ();
+    $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0;
+    $osDataArr{cipherTable} = $cipherTablePtr[0];
+    $osDataArr{rcipherTable} = $cipherTablePtr[1];
+    
+    local $suppCiphersTablePrt;
+    &{$osDataArr{'loadSupportedCipthersFn'}} || return 0;
+    $osDataArr{suppCiphersTable} = $suppCiphersTablePrt;
+}
+
+#--------------------------------------------------------------
+# Verifies that a particular cipher is supported.
+# Params:
+#    checkCipher: cipher name
+# Returns:
+#    1 - cipher is supported(also echos the cipher).
+#    0 - not supported.
+#
+sub verifyCipherSupport {
+    my ($checkCipher) = @_;
+    my @suppCiphersTable = @{$osDataArr{suppCiphersTable}};
+
+    debug("Entering verifyCipherSupport", $checkCipher);
+    foreach (@suppCiphersTable) {
+        return 1 if ($checkCipher eq $_);
+    }
+    $ERR = "cipher is not supported.";
+    return 0;
+}
+
+#--------------------------------------------------------------
+# Converts long(?name of the type?) cipher name to 
+# openssl/tstclntw cipher name.
+# Returns:
+#   0 if cipher was not listed. 1 upon success.
+#
+sub convertCipher {
+    my ($cipher) = @_;
+    my @retList;
+    my $resStr;
+    my %cipherTable = %{$osDataArr{cipherTable}};
+
+    debug("Entering convertCipher", $cipher);
+    if (defined $cipher) {
+        my $cphr = $cipherTable{$cipher};
+        if (!defined $cphr) {
+            $ERR = "cipher is not listed.";
+            return 0;
+        }        
+        &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0;
+        $ciphers = "$cphr";
+        return 1;
+    }
+    return 0;
+}
+
+#################################################################
+#  UNIX Apache Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Unix {
+    my @arr, @suppCiphersTable;
+
+    debug "Entering getSupportedCipherList_Unix function";
+
+    eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+    if (!open (OUT, "$sLisrCmd|")) {
+        $ERR="Can not run command to verify supported cipher list.";
+        return 0;
+    }
+    @arr = ;
+    chop $arr[0];
+    @suppCiphersTable = split /:/, $arr[0];
+    debug("Supported ciphers", $arr[0]);
+    $suppCiphersTablePrt = \@suppCiphersTable;
+    close(OUT);
+    return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Unix {
+    my $proto;
+    local $ciphers;
+
+    debug "Entering execClientCmd_Unix";
+    if (defined $in_cipher && $in_cipher ne "") {
+        my @arr = split /_/, $in_cipher, 2;
+        $proto = "-".$arr[0];
+        $proto =~ tr /SLT/slt/;
+        $proto = "-tls1" if ($proto eq "-tls");
+        return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+        $ciphers = "-cipher $ciphers";
+        debug("Return from cipher conversion", "$ciphers");
+    }
+
+    eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+    debug("Executing command", $command);
+    if (!open CMD_OUT, "$command 2>&1 |") {
+       $ERR = "can not launch client";
+       return 0;
+    }
+
+    my @cmdOutArr = ;
+    
+    foreach (@cmdOutArr) {
+        print $_;
+    }
+
+    my $haveVerify = 0;
+    my $haveErrors = 0;
+    foreach (@cmdOutArr) {
+        chop;
+        if (/unknown option/) {
+            $haveErrors++;
+            svr_error "unknown option\n";
+            next;
+        }
+        if (/:no ciphers available/) {
+            $haveErrors++;
+            svr_error "no cipthers available\n";
+            next;
+        }
+        if (/verify error:/) {
+            $haveErrors++;
+            svr_error "unable to do verification\n";
+            next;
+        }
+        if (/alert certificate revoked:/) {
+            $haveErrors++;
+            svr_error "attempt to connect with revoked sertificate\n";
+            next;
+        }
+        if (/(error|ERROR)/) {
+            $haveErrors++;
+            svr_error "found errors in server log\n";
+            next;
+        }
+        /verify return:1/ && ($haveVerify = 1);
+    }
+     if ($haveVerify == 0) {
+         svr_error "no 'verify return:1' found in server log\n";
+         $haveErrors++;
+     }
+
+    if ($haveErrors > 0) {
+        $ERR = "Have $haveErrors server errors";
+        debug "Exiting execClientCmd_Unix";
+        return 0;
+    }
+    debug "Exiting execClientCmd_Unix";
+    return 1;
+}
+
+#################################################################
+#  Windows IIS Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Win {
+    my @arr, @suppCiphersTable;
+
+    debug "Entering getSupportedCipherList_Win function";
+
+    eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+    if (!open (OUT, "$sLisrCmd|")) {
+        $ERR="Can not run command to verify supported cipher list.";
+        return 0;
+    }
+    my $startCipherList = 0;
+    foreach () {
+        chop;
+        if ($startCipherList) {
+            /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1;
+            next;
+        }
+        /.*from list below.*/ && ($startCipherList = 1);
+    }
+    debug("Supported ciphers", join ':', @suppCiphersTable);
+    $suppCiphersTablePrt = \@suppCiphersTable;
+    close(OUT);
+    return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Win {
+    my $proto;
+    local $ciphers;
+
+    debug "Entering execClientCmd_Win";
+    if (defined $in_cipher && $in_cipher ne "") {
+        my @arr = split /_/, $in_cipher, 2;
+        $proto = "-2 -3 -T";
+
+        $proto =~ s/-T// if ($arr[0] eq "TLS");
+        $proto =~ s/-3// if ($arr[0] eq "SSL3");
+        $proto =~ s/-2// if ($arr[0] eq "SSL2");
+	return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+        $ciphers = "-c $ciphers";
+        debug("Return from cipher conversion", $ciphers);
+    }
+
+    eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+    debug("Executing command", $command);
+    if (!open CMD_OUT, "$command 2>&1 |") {
+        $ERR = "can not launch client";
+        return 0;
+    }
+
+    my @cmdOutArr = ;
+    
+    foreach (@cmdOutArr) {
+        print $_;
+    }
+
+    my $haveVerify = 0;
+    my $haveErrors = 0;
+    foreach (@cmdOutArr) {
+        chop;
+        if (/unknown option/) {
+            $haveErrors++;
+            svr_error "unknown option\n";
+            next;
+        }
+        if (/Error performing handshake/) {
+            $haveErrors++;
+            svr_error "Error performing handshake\n";
+            next;
+        }
+        if (/Error creating credentials/) {
+            $haveErrors++;
+            svr_error "Error creating credentials\n";
+            next;
+        }
+        if (/Error .* authenticating server credentials!/) {
+            $haveErrors++;
+            svr_error "Error authenticating server credentials\n";
+            next;
+        }
+        if (/(error|ERROR|Error)/) {
+            $haveErrors++;
+            svr_error "found errors in server log\n";
+            next;
+        }
+    }
+
+    if ($haveErrors > 0) {
+        $ERR = "Have $haveErrors server errors";
+        debug "Exiting execClientCmd_Win";
+        return 0;
+    }
+    debug "Exiting execClientCmd_Win";
+    return 1;
+}
+
+#################################################################
+#  Main line of execution
+#----------------------------------------------------------------
+&init;
+
+if ($osDataArr{wservRun}) {
+    print header('text/html').
+        start_html('iopr client');
+}
+ 
+print "SCRIPT=OK\n";
+
+if (!&getReqData) { 
+    svr_error($ERR, 1);
+}
+
+if (!&configClient) { 
+    svr_error($ERR, 1);
+}
+
+&{$osDataArr{'execCmdFn'}} || svr_error;
+
+if ($osDataArr{wservRun}) {
+    print "
"; + print end_html; +} -- cgit v1.2.3