From 5f8de423f190bbb79a62f804151bc24824fa32d8 Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin"
Date: Fri, 2 Feb 2018 04:16:08 -0500
Subject: Add m-esr52 at 52.6.0

---
 security/nss/tests/iopr/server_scr/apache_unix.cfg | 47 ++
 security/nss/tests/iopr/server_scr/cert_gen.sh | 367 ++++++++++++++
 security/nss/tests/iopr/server_scr/cipher.list | 98 ++++
 security/nss/tests/iopr/server_scr/client.cgi | 526 +++++++++++++++++++++
 security/nss/tests/iopr/server_scr/config | 17 +
 security/nss/tests/iopr/server_scr/iis_windows.cfg | 33 ++
 security/nss/tests/iopr/server_scr/iopr_server.cfg | 67 +++
 security/nss/tests/iopr/server_scr/sslreq.dat | 2 +
 8 files changed, 1157 insertions(+)
 create mode 100644 security/nss/tests/iopr/server_scr/apache_unix.cfg
 create mode 100644 security/nss/tests/iopr/server_scr/cert_gen.sh
 create mode 100644 security/nss/tests/iopr/server_scr/cipher.list
 create mode 100644 security/nss/tests/iopr/server_scr/client.cgi
 create mode 100644 security/nss/tests/iopr/server_scr/config
 create mode 100644 security/nss/tests/iopr/server_scr/iis_windows.cfg
 create mode 100644 security/nss/tests/iopr/server_scr/iopr_server.cfg
 create mode 100644 security/nss/tests/iopr/server_scr/sslreq.dat
(limited to 'security/nss/tests/iopr/server_scr')
diff --git a/security/nss/tests/iopr/server_scr/apache_unix.cfg b/security/nss/tests/iopr/server_scr/apache_unix.cfg
new file mode 100644
index 000000000..3992bf52d
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/apache_unix.cfg
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# Apache OPENSSL configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "openssl";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "$certDir/cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed openssl binary
+#
+$opensslb = "/usr/local/bin/openssl";
+
+
+#
+# General location of apache server
+#
+$apacheHttpd="/var/httpd-ssl";
+
+#
+# HTTP Request file
+#
+$reqFile = "$apacheHttpd/cgi-bin/sslreq.dat";
+
+#
+# OpenSSL certificate directory
+#
+$certDir = "$apacheHttpd/cert";
+
+#
+# CA certificate file
+#
+$caCertFile = "$certDir/serverCA.crt";
diff --git a/security/nss/tests/iopr/server_scr/cert_gen.sh b/security/nss/tests/iopr/server_scr/cert_gen.sh
new file mode 100644
index 000000000..17771ade1
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
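Review bot: `$cipherTableFile = "$certDir/cipher.list";` interpolates `$certDir` before that variable is assigned further down the file, and client.cgi's configClient evaluates this file one line at a time in order (`eval $_`), so the table path resolves to `/cipher.list` and buildCipherTable fails with "Missing cipher conversion table file." on every Apache run. Move `$apacheHttpd="/var/httpd-ssl";` and `$certDir = "$apacheHttpd/cert";` above the `$cipherTableFile` line, or spell the path out there; `$reqFile` and `$caCertFile` are already ordered correctly. Since every line here is string-eval'd by the CGI, a comment at the top stating that assignment order matters and that the file must not be writable by the web-server user would save the next editor from the same trap.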
@@ -0,0 +1,367 @@
+#!/bin/bash
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+######################################################################################
+# Server and client certs and crl generator functions. Generated files placed in a
+# directory to be accessible through http:///iopr/TestCA.crt directory.
+# This functions is used for manual webserver configuration and it is not a part of
+# nss test run.
+# To create certs use the following command:
+# sh cert_iopr.sh cert_gen [cert req]
+# Where:
+# dir - directory where to place created files
+# cert name - name of created server cert(FQDN)
+# cert req - cert request to be used for cert generation.
+#
+repAndExec() {
+ echo
+ if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
+ shift
+ echo certutil -s "$CU_SUBJECT" $@
+ certutil -s "$CU_SUBJECT" $@
+ RET=$?
+ else
+ echo $@
+ $@
+ RET=$?
+ fi
+
+ return $RET
+}
+
+setExtData() {
+ extData=$1
+
+ fldNum=0
+ extData=`echo $extData | sed 's/,/ /g'`
+ for extDT in $extData; do
+ if [ $fldNum -eq 0 ]; then
+ eval extType=$extDT
+ fldNum=1
+ continue
+ fi
+ eval data${fldNum}=$extDT
+ fldNum=`expr $fldNum + 1`
+ done
+}
+
+signCert() {
+ dir=$1
+ crtDir=$2
+ crtName=$3
+ crtSN=$4
+ req=$5
+ cuAddParam=$6
+ extList=$7
+
+ if [ -z "$certSigner" ]; then
+ certSigner=TestCA
+ fi
+
+ extCmdLine=""
+ extCmdFile=$dir/extInFile; rm -f $extCmdFile
+ touch $extCmdFile
+ extList=`echo $extList | sed 's/;/ /g'`
+ for ext in $extList; do
+ setExtData $ext
+ [ -z "$extType" ] && echo "incorrect extention format" && return 1
+ case $extType in
+ ocspDR)
+ extCmdLine="$extCmdLine -6"
+ cat <> $extCmdFile
+5
+9
+y
+EOF
+ break
+ exit 1
+ ;;
+ AIA)
+ extCmdLine="$extCmdLine -9"
+ cat <> $extCmdFile
+2
+7
+$data1
+0
+n
+n
+EOF
+ break
+ ;;
+ *)
+ echo "Unsupported extension type: $extType"
+ break
+ ;;
+ esac
+ done
+ echo "cmdLine: $extCmdLine"
+ echo "cmdFile: "`cat $extCmdFile`
+ repAndExec \
+ certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
+ -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
+ return $RET
+}
+
+createSignedCert() {
+ dir=$1
+ certDir=$2
+ certName=$3
+ certSN=$4
+ certSubj=$5
+ keyType=$6
+ extList=$7
+
+ echo Creating cert $certName-$keyType with SN=$certSN
+
+ CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
+ -k $keyType -o $dir/req 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ rm -f $dir/req
+
+ repAndExec \
+ certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
+ -i "$dir/${certName}-$keyType.crt" 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ cp "$dir/${certName}-$keyType.crt" $certDir
+
+ repAndExec \
+ pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
+ -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ return 0
+}
+
+generateAndExportSSLCerts() {
+ dir=$1
+ certDir=$2
+ serverName=$3
+ servCertReq=$4
+
+ if [ "$servCertReq" -a -f $servCertReq ]; then
+ grep REQUEST $servCertReq >/dev/null 2>&1
+ signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+ fi
+
+ certName=$serverName
+ createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser510
+ createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser511
+ createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser512
+ createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser513
+ createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+}
+
+generateAndExportOCSPCerts() {
+ dir=$1
+ certDir=$2
+
+ certName=ocspTrustedResponder
+ createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDesignatedResponder
+ createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser514
+ createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser516
+ createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser518
+ createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser520
+ createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser522
+ createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser524
+ createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ generateAndExportCACert $dir "" TestCA-unknown
+ [ $? -ne 0 ] && return $ret
+
+ certSigner=TestCA-unknown
+
+ certName=ocspTRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCAUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certSigner=""
+
+ return 0
+}
+
+generateAndExportCACert() {
+ dir=$1
+ certDirL=$2
+ caName=$3
+
+ certName=TestCA
+ [ "$caName" ] && certName=$caName
+ CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
+ -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 < $PW_FILE
+ date >> ${NOISE_FILE} 2>&1
+
+ repAndExec \
+ certutil -d $dir -N -f $PW_FILE
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportCACert $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+ else
+ dir=$reuseCACert
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+ hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
+ [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
+ return $RET;
+ fi
+
+ generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportOCSPCerts $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+
+ crlUpdate=`date +%Y%m%d%H%M%SZ`
+ crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
+ repAndExec \
+ crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl < [reuse CA cert] [cert req]"
+ exit 1
+fi
+generateCerts $1 $2 "$3" $4
+exit $?
diff --git a/security/nss/tests/iopr/server_scr/cipher.list b/security/nss/tests/iopr/server_scr/cipher.list
new file mode 100644
index 000000000..668084c37
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cipher.list
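Review bot: In generateAndExportOCSPCerts the line `[ $? -ne 0 ] && return $ret` that follows `generateAndExportCACert $dir "" TestCA-unknown` returns the stale `$ret` left by the previous createSignedCert (0 on that path), so a failed creation of the unknown-issuer CA is reported as success and the next three certs are signed against a `certSigner` that does not exist; capture the status first, `ret=$?` then `[ "$ret" -ne 0 ] && return $ret`, as every other call in the function does. Serial 501 is also issued twice by TestCA — to `${serverName}_ext` from the supplied request and to the `${serverName}-dsa` cert in generateAndExportSSLCerts — which breaks the issuer/serial uniqueness that the CRL and OCSP lookups in this test set key on, so the external cert needs its own serial. The PKCS#12 export uses the fixed password `iopr` and the .p12 files land in the web-served cert directory; that is acceptable for throwaway test keys but deserves a comment so the script is never pointed at a real CA database. The heredoc bodies (`cat <> $extCmdFile`, the certutil -S stdin and the usage message before `exit 1`) appear truncated in this rendering, so those lines could not be checked.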
@@ -0,0 +1,98 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+nss openssl iis
+
+#
+# SSL v3.0 cipher suites.
+#
+SSL3_RSA_WITH_NULL_MD5 NULL-MD5 i
+SSL3_RSA_WITH_NULL_SHA NULL-SHA z
+SSL3_RSA_WITH_RC4_128_MD5 RC4-MD5 c
+SSL3_RSA_WITH_RC4_128_SHA RC4-SHA n
+SSL3_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+SSL3_RSA_WITH_DES_CBC_SHA DES-CBC-SHA e
+SSL3_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA d
+
+SSL3_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA s
+SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA q
+SSL3_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+SSL3_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+SSL3_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+SSL3_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+SSL3_FORTEZZA_KEA_WITH_NULL_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_RC4_128_SHA Not_implemented.
+
+#
+# Next four added to have ciphers below for SSL3 protocol
+#
+SSL3_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+SSL3_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+#
+#TLS v1.0 cipher suites.
+#
+TLS_RSA_WITH_NULL_MD5 NULL-MD5
+TLS_RSA_WITH_NULL_SHA NULL-SHA
+TLS_RSA_WITH_RC4_128_MD5 RC4-MD5
+TLS_RSA_WITH_RC4_128_SHA RC4-SHA
+TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
+TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
+
+TLS_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
+TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+#
+#AES ciphersuites from RFC3268, extending TLS v1.0
+#
+
+TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
+TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
+TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
+TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA
+
+TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
+TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
+TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA
+TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
+
+TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
+TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
+
+#
+#Additional cipher suites
+#
+#Note: these ciphers can also be used in SSL v3.
+#
+TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
+
+#
+# FIPS cipher list
+#
+TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+TLS_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
diff --git a/security/nss/tests/iopr/server_scr/client.cgi b/security/nss/tests/iopr/server_scr/client.cgi
new file mode 100644
index 000000000..581ad06d1
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/client.cgi
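Review bot: The placeholder for suites OpenSSL lacks is spelled `Not_implemented.` (with a trailing period) in the SSL3/TLS DH rows and `Not_implemented` in the FIPS rows at the bottom, and nothing in client.cgi treats either spelling specially — convertCipher hands it to verifyCipherSupport as if it were an OpenSSL cipher name, so the request fails with the misleading "cipher is not supported" rather than "cipher is not listed". Pick one token (`Not_implemented` everywhere) so a consumer can at least match it reliably. The empty iis cells are only safe because iis is the last column; buildCipherTable splits on whitespace and cannot represent an empty middle cell, so a placeholder such as `-` would keep the table parseable if a column is ever added.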
@@ -0,0 +1,526 @@
+#!/usr/bin/perl
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#--------------------------------------------------------------
+# cgi script that parses request argument to appropriate
+# open ssl or tstclntw options and starts ssl client.
+#
+
+use CGI qw/:standard/;
+
+use subs qw(debug);
+
+#--------------------------------------------------------------
+# Prints out an error string and exits the script with an
+# exitStatus.
+# Param:
+# str : an error string
+# exitStat: an exit status of the program
+#
+sub svr_error {
+ my ($str, $exitStat) = @_;
+
+ if (!defined $str || $str eq "") {
+ $str = $ERR;
+ }
+ print "SERVER ERROR: $str\n";
+ if ($exitStat) {
+ print end_html if ($osDataArr{wservRun});
+ exit $exitStat;
+ }
+}
+
+#--------------------------------------------------------------
+# Prints out a debug message
+# Params:
+# str: debug message
+# inVal: additional value to print(optional)
+#
+sub debug {
+ my ($str, $inVal) = @_;
+
+ print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1);
+}
+
+
+#--------------------------------------------------------------
+# Initializes execution context depending on a webserver the
+# script is running under.
+#
+sub init {
+ %osDataArr = (
+ loadSupportedCipthersFn => \&osSpecific,
+ cipherIsSupportedFn => \&verifyCipherSupport,
+ cipherListFn => \&convertCipher,
+ buildCipherTableFn => \&buildCipherTable,
+ execCmdFn => \&osSpecific,
+ );
+
+ $scriptName = $ENV{'SCRIPT_NAME'};
+ if (!defined $scriptName) {
+ $DEBUG=1;
+ debug "Debug is ON";
+ }
+ $DEBUG=1;
+
+ $svrSoft = $ENV{'SERVER_SOFTWARE'};
+ if (defined $svrSoft) {
+ $_ = $svrSoft;
+ /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS");
+ /.*Apache.*/ && ($osDataArr{wserv} = "Apache");
+ $osDataArr{wservRun} = 1;
+ } else {
+ $osDataArr{wserv} = "Apache";
+ $osDataArr{wservRun} = 0;
+ }
+}
+
+#--------------------------------------------------------------
+# Function-spigot to handle errors is OS specific functions are
+# not implemented for a particular OS.
+# Returns:
+# always returns 0(failure)
+#
+sub osSpecific {
+ $ERR = "This function should be swapped to os specific function.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Sets os specific execution context values.
+# Returns:
+# 1 upon success, or 0 upon failure(if OS was not recognized)
+#
+sub setFunctRefs {
+
+ debug("Entering setFunctRefs function", $osDataArr{wserv});
+
+ if ($osDataArr{wserv} eq "Apache") {
+ $osDataArr{osConfigFile} = "apache_unix.cfg";
+ $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL';
+ $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix;
+ $osDataArr{execCmdFn} = \&execClientCmd_Unix;
+ } elsif ($osDataArr{wserv} eq "IIS") {
+ $osDataArr{osConfigFile} = "iis_windows.cfg";
+ $osDataArr{suppCiphersCmd} = '$tstclntwb';
+ $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win;
+ $osDataArr{execCmdFn} = \&execClientCmd_Win;
+ } else {
+ $ERR = "Unknown Web Server type.";
+ return 0;
+ }
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Parses data from HTTP request. Will print a form if request
+# does not contain sufficient number of parameters.
+# Returns:
+# 1 if request has sufficient number of parameters
+# 0 if not.
+sub getReqData {
+ my $debug = param('debug');
+ $in_host = param('host');
+ $in_port = param('port');
+ $in_cert = param('cert');
+ $in_cipher = param('cipher');
+
+ if (!$osDataArr{wservRun}) {
+ $in_host="goa1";
+ $in_port="443";
+ $in_cert="TestUser511";
+ $in_cipher = "SSL3_RSA_WITH_NULL_SHA";
+ }
+
+ debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher");
+
+ if (defined $debug && $debug == "debug on") {
+ $DEBUG = 1;
+ }
+
+ if (!defined $in_host || $in_host eq "" ||
+ !defined $in_port || $in_port eq "" ||
+ !defined $in_cert || $in_cert eq "") {
+ if ($osDataArr{wservRun}) {
+ print h1('Command description form:'),
+ start_form(-method=>"get"),
+ "Host: ",textfield('host'),p,
+ "Port: ",textfield('port'),p,
+ "Cert: ",textfield('cert'),p,
+ "Cipher: ",textfield('cipher'),p,
+ checkbox_group(-name=>'debug',
+ -values=>['debug on ']),
+ submit,
+ end_form,
+ hr;
+ } else {
+ print "Printing html form to get client arguments\n";
+ }
+ $ERR = "the following parameters are required: host, port, cert";
+ return 0;
+ } else {
+ print "
" if ($osDataArr{wservRun});
+        return 1;
+    }
+}
+
+
+#--------------------------------------------------------------
+# Building cipher conversion table from file based on the OS.
+# Params:
+#     tfile: cipher conversion file.
+#     sysName: system name
+#     tblPrt: returned pointer to a table.
+sub buildCipherTable {
+    my ($tfile, $sysName, $tblPrt) = @_;
+    my @retArr = @$tblPrt;
+    my %table, %rtable;
+    my $strCount = 0;
+
+    debug("Entering getReqData function", "$tfile:$sysName:$tblPrt");
+
+    ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/);
+    if (!open(TFILE, "$tfile")) {
+        $ERR = "Missing cipher conversion table file.";
+        return 0;
+    }
+    foreach () {
+        chop;
+        /^#.*/ && next;
+        /^\s*$/ && next;
+        if ($strCount++ == 0) {
+            my @sysArr =  split /\s+/;
+            $colCount = 0;
+            for (;$colCount <= $#sysArr;$colCount++) {
+                last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/);
+            }
+            next;
+        }
+        my @ciphArr =  split /\s+/, $_;
+        $table{$ciphArr[0]} = $ciphArr[$colCount];
+        $rtable{$ciphArr[$colCount]} = $ciphArr[0];
+    }
+    close(TFILE);
+    $cipherTablePtr[0] = \%table;
+    $cipherTablePtr[1] = \%rtable;
+    return 1
+}
+
+#--------------------------------------------------------------
+# Client configuration function. Loads client configuration file.
+# Initiates cipher table. Loads cipher list supported by ssl client.
+#
+sub configClient {
+
+    debug "Entering configClient function";
+
+    my $res = &setFunctRefs();
+    return $res if (!$res);
+
+    open(CFILE, $osDataArr{'osConfigFile'}) ||
+        ($ERR = "Missing configuration file." && return 0);
+    foreach () {
+        /^#.*/ && next;
+        chop;
+        eval $_;
+    }
+    close(CFILE);
+   
+    local @cipherTablePtr = ();
+    $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0;
+    $osDataArr{cipherTable} = $cipherTablePtr[0];
+    $osDataArr{rcipherTable} = $cipherTablePtr[1];
+    
+    local $suppCiphersTablePrt;
+    &{$osDataArr{'loadSupportedCipthersFn'}} || return 0;
+    $osDataArr{suppCiphersTable} = $suppCiphersTablePrt;
+}
+
+#--------------------------------------------------------------
+# Verifies that a particular cipher is supported.
+# Params:
+#    checkCipher: cipher name
+# Returns:
+#    1 - cipher is supported(also echos the cipher).
+#    0 - not supported.
+#
+sub verifyCipherSupport {
+    my ($checkCipher) = @_;
+    my @suppCiphersTable = @{$osDataArr{suppCiphersTable}};
+
+    debug("Entering verifyCipherSupport", $checkCipher);
+    foreach (@suppCiphersTable) {
+        return 1 if ($checkCipher eq $_);
+    }
+    $ERR = "cipher is not supported.";
+    return 0;
+}
+
+#--------------------------------------------------------------
+# Converts long(?name of the type?) cipher name to 
+# openssl/tstclntw cipher name.
+# Returns:
+#   0 if cipher was not listed. 1 upon success.
+#
+sub convertCipher {
+    my ($cipher) = @_;
+    my @retList;
+    my $resStr;
+    my %cipherTable = %{$osDataArr{cipherTable}};
+
+    debug("Entering convertCipher", $cipher);
+    if (defined $cipher) {
+        my $cphr = $cipherTable{$cipher};
+        if (!defined $cphr) {
+            $ERR = "cipher is not listed.";
+            return 0;
+        }        
+        &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0;
+        $ciphers = "$cphr";
+        return 1;
+    }
+    return 0;
+}
+
+#################################################################
+#  UNIX Apache Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Unix {
+    my @arr, @suppCiphersTable;
+
+    debug "Entering getSupportedCipherList_Unix function";
+
+    eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+    if (!open (OUT, "$sLisrCmd|")) {
+        $ERR="Can not run command to verify supported cipher list.";
+        return 0;
+    }
+    @arr = ;
+    chop $arr[0];
+    @suppCiphersTable = split /:/, $arr[0];
+    debug("Supported ciphers", $arr[0]);
+    $suppCiphersTablePrt = \@suppCiphersTable;
+    close(OUT);
+    return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Unix {
+    my $proto;
+    local $ciphers;
+
+    debug "Entering execClientCmd_Unix";
+    if (defined $in_cipher && $in_cipher ne "") {
+        my @arr = split /_/, $in_cipher, 2;
+        $proto = "-".$arr[0];
+        $proto =~ tr /SLT/slt/;
+        $proto = "-tls1" if ($proto eq "-tls");
+        return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+        $ciphers = "-cipher $ciphers";
+        debug("Return from cipher conversion", "$ciphers");
+    }
+
+    eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+    debug("Executing command", $command);
+    if (!open CMD_OUT, "$command 2>&1 |") {
+       $ERR = "can not launch client";
+       return 0;
+    }
+
+    my @cmdOutArr = ;
+    
+    foreach (@cmdOutArr) {
+        print $_;
+    }
+
+    my $haveVerify = 0;
+    my $haveErrors = 0;
+    foreach (@cmdOutArr) {
+        chop;
+        if (/unknown option/) {
+            $haveErrors++;
+            svr_error "unknown option\n";
+            next;
+        }
+        if (/:no ciphers available/) {
+            $haveErrors++;
+            svr_error "no cipthers available\n";
+            next;
+        }
+        if (/verify error:/) {
+            $haveErrors++;
+            svr_error "unable to do verification\n";
+            next;
+        }
+        if (/alert certificate revoked:/) {
+            $haveErrors++;
+            svr_error "attempt to connect with revoked sertificate\n";
+            next;
+        }
+        if (/(error|ERROR)/) {
+            $haveErrors++;
+            svr_error "found errors in server log\n";
+            next;
+        }
+        /verify return:1/ && ($haveVerify = 1);
+    }
+     if ($haveVerify == 0) {
+         svr_error "no 'verify return:1' found in server log\n";
+         $haveErrors++;
+     }
+
+    if ($haveErrors > 0) {
+        $ERR = "Have $haveErrors server errors";
+        debug "Exiting execClientCmd_Unix";
+        return 0;
+    }
+    debug "Exiting execClientCmd_Unix";
+    return 1;
+}
+
+#################################################################
+#  Windows IIS Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Win {
+    my @arr, @suppCiphersTable;
+
+    debug "Entering getSupportedCipherList_Win function";
+
+    eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+    if (!open (OUT, "$sLisrCmd|")) {
+        $ERR="Can not run command to verify supported cipher list.";
+        return 0;
+    }
+    my $startCipherList = 0;
+    foreach () {
+        chop;
+        if ($startCipherList) {
+            /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1;
+            next;
+        }
+        /.*from list below.*/ && ($startCipherList = 1);
+    }
+    debug("Supported ciphers", join ':', @suppCiphersTable);
+    $suppCiphersTablePrt = \@suppCiphersTable;
+    close(OUT);
+    return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Win {
+    my $proto;
+    local $ciphers;
+
+    debug "Entering execClientCmd_Win";
+    if (defined $in_cipher && $in_cipher ne "") {
+        my @arr = split /_/, $in_cipher, 2;
+        $proto = "-2 -3 -T";
+
+        $proto =~ s/-T// if ($arr[0] eq "TLS");
+        $proto =~ s/-3// if ($arr[0] eq "SSL3");
+        $proto =~ s/-2// if ($arr[0] eq "SSL2");
+	return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+        $ciphers = "-c $ciphers";
+        debug("Return from cipher conversion", $ciphers);
+    }
+
+    eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+    debug("Executing command", $command);
+    if (!open CMD_OUT, "$command 2>&1 |") {
+        $ERR = "can not launch client";
+        return 0;
+    }
+
+    my @cmdOutArr = ;
+    
+    foreach (@cmdOutArr) {
+        print $_;
+    }
+
+    my $haveVerify = 0;
+    my $haveErrors = 0;
+    foreach (@cmdOutArr) {
+        chop;
+        if (/unknown option/) {
+            $haveErrors++;
+            svr_error "unknown option\n";
+            next;
+        }
+        if (/Error performing handshake/) {
+            $haveErrors++;
+            svr_error "Error performing handshake\n";
+            next;
+        }
+        if (/Error creating credentials/) {
+            $haveErrors++;
+            svr_error "Error creating credentials\n";
+            next;
+        }
+        if (/Error .* authenticating server credentials!/) {
+            $haveErrors++;
+            svr_error "Error authenticating server credentials\n";
+            next;
+        }
+        if (/(error|ERROR|Error)/) {
+            $haveErrors++;
+            svr_error "found errors in server log\n";
+            next;
+        }
+    }
+
+    if ($haveErrors > 0) {
+        $ERR = "Have $haveErrors server errors";
+        debug "Exiting execClientCmd_Win";
+        return 0;
+    }
+    debug "Exiting execClientCmd_Win";
+    return 1;
+}
+
+#################################################################
+#  Main line of execution
+#----------------------------------------------------------------
+&init;
+
+if ($osDataArr{wservRun}) {
+    print header('text/html').
+        start_html('iopr client');
+}
+ 
+print "SCRIPT=OK\n";
+
+if (!&getReqData) { 
+    svr_error($ERR, 1);
+}
+
+if (!&configClient) { 
+    svr_error($ERR, 1);
+}
+
+&{$osDataArr{'execCmdFn'}} || svr_error;
+
+if ($osDataArr{wservRun}) {
+    print "
";
+ print end_html;
+}
diff --git a/security/nss/tests/iopr/server_scr/config b/security/nss/tests/iopr/server_scr/config
new file mode 100644
index 000000000..9e65b926c
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/config
@@ -0,0 +1,17 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+userCertNames="TestUser510 TestUser511"
+userRevokedCertNames="TestUser510"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+supportedTests="SslSingleHs"
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsPort=443
+SslSingleHsUrl=/
+SslSingleHsParam=NOAUTH:NOCOV:NOCRL
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 / NOAUTH:NOCOV:NOCRL"
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 /"
diff --git a/security/nss/tests/iopr/server_scr/iis_windows.cfg b/security/nss/tests/iopr/server_scr/iis_windows.cfg
new file mode 100644
index 000000000..76499b8b6
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iis_windows.cfg
@@ -0,0 +1,33 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# IIS windows configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "iis";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed tstclntb binary
+#
+$tstclntwb = "./tstclntw.exe";
+
+#
+# HTTP Request file
+#
+$reqFile = "sslreq.dat";
+
+
diff --git a/security/nss/tests/iopr/server_scr/iopr_server.cfg b/security/nss/tests/iopr/server_scr/iopr_server.cfg
new file mode 100644
index 000000000..2b196e015
--- /dev/null
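Review bot: The `host`, `port` and `cert` request parameters read in getReqData are interpolated unchanged into `clientRunCmd` (string-eval'd in execClientCmd_Unix/_Win) and the result is handed to the shell by `open CMD_OUT, "$command 2>&1 |"`, so anyone who can reach the CGI can run arbitrary commands as the web-server user (`host=x;id`), and `cert` also reaches the path `$certDir/$in_cert.crt` unfiltered; only `cipher` is safe, because convertCipher rejects anything that is not a table entry before `$ciphers` is used. Validate the three values against an anchored allow-list in getReqData before the script proceeds, and where possible prefer the list form `open CMD_OUT, '-|', $opensslb, @args` so no shell is involved. Lesser points: the file has no `use strict`/`use warnings`, and `$debug == "debug on"` is a numeric comparison that is true for any non-numeric value (moot only because init sets `$DEBUG=1` unconditionally). The block below replaces the `else` branch at the end of getReqData.
```perl
    } else {
        # These three values are interpolated into a shell command line
        # (clientRunCmd) and into a file path, so accept only a plain
        # host name, a port number and a certificate nickname.
        if ($in_host !~ /^[A-Za-z0-9.-]+$/ ||
            $in_port !~ /^[0-9]{1,5}$/ ||
            $in_cert !~ /^[A-Za-z0-9_-]+$/) {
            $ERR = "host, port or cert contains characters that are not allowed";
            return 0;
        }
        # … unchanged: print of the preformatted-block tag and return 1 …
```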
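Review bot: `userCertNames="TestUser510 TestUser511"` and `userRevokedCertNames="TestUser510"` name certificates that cert_gen.sh in this commit never produces — createSignedCert writes `${certName}-${keyType}.crt` and `.p12`, i.e. `TestUser510-rsa` and `TestUser511-dsa`, and iopr_server.cfg in the same directory already uses the suffixed form. If this file is still read, change it to `userCertNames="TestUser510-rsa TestUser511-dsa"` and `userRevokedCertNames="TestUser510-rsa"`; if it has been superseded by iopr_server.cfg, say so in a comment at the top rather than shipping two configs that disagree. `SslSingleHsParam=NOAUTH:NOCOV:NOCRL` also differs from the `NOAUTH` used for the same test in iopr_server.cfg, which reinforces the question of which file is authoritative.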
+++ b/security/nss/tests/iopr/server_scr/iopr_server.cfg 
@@ -0,0 +1,67 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+
+#old values
+userCertNames="TestUser510-rsa TestUser512-rsa"
+userRevokedCertNames="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+supportedTests="SslSingleHs SslSecondHs"
+#supportedTests="SslSecondHs"
+
+
+downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt"
+# Keep a space at the end of
+SslClntValidCertName="TestUser512-rsa"
+SslClntRevokedCertName="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+
+supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder"
+
+#
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsDescr="ssl with single handshake without client cert auth"
+SslSingleHsPort=443
+SslSingleHsUrl=/iopr_test/test_pg.html
+SslSingleHsParam=NOAUTH
+
+#
+# SslSecondHs: ssl with secondary hs when accessing direcory
+# that requires cert verification
+SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification"
+SslSecondHsPort=443
+SslSecondHsUrl=/iopr_test_2hs/test_pg.html
+SslSecondHsParam=NOCOV
+
+#
+# OcspTrustedResponder - trusted responder key is used to sign OCSP response
+#
+OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response"
+OcspTrustedResponderProto=http
+OcspTrustedResponderPort=2560
+OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa
+OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa"
+OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa"
+OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa"
+
+#
+# OcspResponderCA - CA key is used to sign OCSP response
+#
+OcspResponderCADescr="CA key is used to sign OCSP response"
+OcspResponderCAValidCertNames="ocspRCATestUser518-rsa"
+OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa"
+OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa"
+
+#
+# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response
+#
+OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response"
+OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa"
+OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa"
+OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa"
diff --git a/security/nss/tests/iopr/server_scr/sslreq.dat b/security/nss/tests/iopr/server_scr/sslreq.dat
new file mode 100644
index 000000000..2f7ad7736
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
-- cgit v1.2.3
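Review bot: `downloadFiles` and the three `*StatUnknownCertNames` values refer to `ocspTRUnknownIssuerCert-rsa`, `ocspRCAUnknownIssuerCert-rsa` and `ocspDRUnknownIssuerCert-rsa`, but cert_gen.sh in this commit creates them as `ocspTRUnkownIssuerCert`, `ocspRCAUnkownIssuerCert` and `ocspDRUnkownIssuerCert` (missing the second n), so the client-side download and the unknown-status OCSP cases will look for files that are never written; fix the spelling on one side, preferably in cert_gen.sh so the config reads correctly. `reverseRunCGIScript` is assigned twice with the same value under the "#old values" block and again below it, which is harmless for a sourced file but invites the two copies to drift. The comment `# Keep a space at the end of` is cut off mid-sentence and none of the visible values ends with a space, so either finish the sentence (which key, and why a trailing space matters to the consumer) or drop it.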