summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/iopr
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /security/nss/tests/iopr
parentInitial commit. (diff)
downloadfirefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz
firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--security/nss/tests/iopr/cert_iopr.sh405
-rw-r--r--security/nss/tests/iopr/ocsp_iopr.sh231
-rw-r--r--security/nss/tests/iopr/server_scr/apache_unix.cfg47
-rw-r--r--security/nss/tests/iopr/server_scr/cert_gen.sh367
-rw-r--r--security/nss/tests/iopr/server_scr/cipher.list98
-rw-r--r--security/nss/tests/iopr/server_scr/client.cgi526
-rw-r--r--security/nss/tests/iopr/server_scr/config17
-rw-r--r--security/nss/tests/iopr/server_scr/iis_windows.cfg33
-rw-r--r--security/nss/tests/iopr/server_scr/iopr_server.cfg67
-rw-r--r--security/nss/tests/iopr/server_scr/sslreq.dat2
-rw-r--r--security/nss/tests/iopr/ssl_iopr.sh643
11 files changed, 2436 insertions, 0 deletions
diff --git a/security/nss/tests/iopr/cert_iopr.sh b/security/nss/tests/iopr/cert_iopr.sh
new file mode 100644
index 0000000000..b162a2d81c
--- /dev/null
+++ b/security/nss/tests/iopr/cert_iopr.sh
@@ -0,0 +1,405 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/cert_iopr.sh
+#
+# Certificate generating and handeling for NSS interoperability QA. This file
+# is included from cert.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+
+IOPR_CERT_SOURCED=1
+
+########################################################################
+# function wraps calls to pk12util, also: writes action and options
+# to stdout.
+# Params are the same as to pk12util.
+# Returns pk12util status
+#
+pk12u()
+{
+ echo "${CU_ACTION} --------------------------"
+
+ echo "pk12util $@"
+ ${BINDIR}/pk12util $@
+ RET=$?
+
+ return $RET
+}
+
+########################################################################
+# Initializes nss db directory and files if they don't exists
+# Params:
+# $1 - directory location
+#
+createDBDir() {
+ trgDir=$1
+
+ if [ -z "`ls $trgDir | grep db`" ]; then
+ trgDir=`cd ${trgDir}; pwd`
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ trgDir=`cygpath -m ${trgDir}`
+ fi
+
+ CU_ACTION="Initializing DB at ${trgDir}"
+ certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
+ modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+ fi
+}
+########################################################################
+# takes care of downloading config, cert and crl files from remote
+# location.
+# Params:
+# $1 - name of the host file will be downloaded from
+# $2 - path to the file as it appeared in url
+# $3 - target directory the file will be saved at.
+# Returns tstclnt status.
+#
+download_file() {
+ host=$1
+ filePath=$2
+ trgDir=$3
+
+ file=$trgDir/`basename $filePath`
+
+ createDBDir $trgDir || return $RET
+
+# echo wget -O $file http://${host}${filePath}
+# wget -O $file http://${host}${filePath}
+# ret=$?
+
+ req=$file.$$
+ echo "GET $filePath HTTP/1.0" > $req
+ echo >> $req
+
+ echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
+ -v -w ${R_PWFILE} -o
+ ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
+ -v -w ${R_PWFILE} -o < $req > $file
+ ret=$?
+ rm -f $_tmp;
+ return $ret
+}
+
+########################################################################
+# Uses pk12util, certutil of cerlutil to import files to an nss db located
+# at <dir>(the value of $1 parameter). Chooses a utility to use based on
+# a file extension. Initializing a db if it does not exists.
+# Params:
+# $1 - db location directory
+# $2 - file name to import
+# $3 - nick name an object in the file will be associated with
+# $4 - trust arguments
+# Returns status of import
+#
+importFile() {
+ dir=$1\
+ file=$2
+ certName=$3
+ certTrust=$4
+
+ [ ! -d $dir ] && mkdir -p $dir;
+
+ createDBDir $dir || return $RET
+
+ case `basename $file | sed 's/^.*\.//'` in
+ p12)
+ CU_ACTION="Importing p12 $file to DB at $dir"
+ pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr
+ [ $? -ne 0 ] && return 1
+ CU_ACTION="Modifying trust for cert $certName at $dir"
+ certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"
+ return $?
+ ;;
+
+ crl)
+ CU_ACTION="Importing crl $file to DB at $dir"
+ crlu -d ${dir} -I -n TestCA -i $file
+ return $?
+ ;;
+
+ crt | cert)
+ CU_ACTION="Importing cert $certName with trust $certTrust to $dir"
+ certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \
+ -i "$file"
+ return $?
+ ;;
+
+ *)
+ echo "Unknown file extension: $file:"
+ return 1
+ ;;
+ esac
+}
+
+
+#########################################################################
+# Downloads and installs test certs and crl from a remote webserver.
+# Generates server cert for reverse testing if reverse test run is turned on.
+# Params:
+# $1 - host name to download files from.
+# $2 - directory at which CA cert will be installed and used for
+# signing a server cert.
+# $3 - path to a config file in webserver context.
+# $4 - ssl server db location
+# $5 - ssl client db location
+# $5 - ocsp client db location
+#
+# Returns 0 upon success, otherwise, failed command error code.
+#
+download_install_certs() {
+ host=$1
+ caDir=$2
+ confPath=$3
+ sslServerDir=$4
+ sslClientDir=$5
+ ocspClientDir=$6
+
+ [ ! -d "$caDir" ] && mkdir -p $caDir;
+
+ #=======================================================
+ # Getting config file
+ #
+ download_file $host "$confPath/iopr_server.cfg" $caDir
+ RET=$?
+ if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then
+ html_failed "Fail to download website config file(ws: $host)"
+ return 1
+ fi
+
+ . $caDir/iopr_server.cfg
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to source config file(ws: $host)"
+ return $RET
+ fi
+
+ #=======================================================
+ # Getting CA file
+ #
+
+ #----------------- !!!WARNING!!! -----------------------
+ # Do NOT copy this scenario. CA should never accompany its
+ # cert with the private key when deliver cert to a customer.
+ #----------------- !!!WARNING!!! -----------------------
+
+ download_file $host $certDir/$caCertName.p12 $caDir
+ RET=$?
+ if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then
+ html_failed "Fail to download $caCertName cert(ws: $host)"
+ return 1
+ fi
+ tmpFiles="$caDir/$caCertName.p12"
+
+ importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import $caCertName cert to CA DB(ws: $host)"
+ return $RET
+ fi
+
+ CU_ACTION="Exporting Root CA cert(ws: $host)"
+ certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert
+ if [ "$RET" -ne 0 ]; then
+ Exit 7 "Fatal - failed to export $caCertName cert"
+ fi
+
+ #=======================================================
+ # Check what tests we want to run
+ #
+ doSslTests=0; doOcspTests=0
+ # XXX remove "_new" from variables below
+ [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1
+ [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1
+
+ if [ $doSslTests -eq 1 ]; then
+ if [ "$reverseRunCGIScript" ]; then
+ [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir;
+ #=======================================================
+ # Import CA cert to server DB
+ #
+ importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \
+ "TC,C,C"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import server-client-CA cert to \
+ server DB(ws: $host)"
+ return $RET
+ fi
+
+ #=======================================================
+ # Creating server cert
+ #
+ CERTNAME=$HOSTADDR
+
+ CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, \
+ L=Mountain View, ST=California, C=US"
+ certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
+ -o $sslServerDir/req 2>&1
+ tmpFiles="$tmpFiles $sslServerDir/req"
+
+ # NOTE:
+ # For possible time synchronization problems (bug 444308) we generate
+ # certificates valid also some time in past (-w -1)
+
+ CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
+ certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \
+ -d "${caDir}" \
+ -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \
+ -f "${R_PWFILE}" 2>&1
+
+ importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",,"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import $CERTNAME cert to server\
+ DB(ws: $host)"
+ return $RET
+ fi
+ tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
+
+ #=======================================================
+ # Download and import CA crl to server DB
+ #
+ download_file $host "$certDir/$caCrlName.crl" $sslServerDir
+ RET=$?
+ if [ $? -ne 0 ]; then
+ html_failed "Fail to download $caCertName crl\
+ (ws: $host)"
+ return $RET
+ fi
+ tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"
+
+ importFile $sslServerDir $sslServerDir/TestCA.crl
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import TestCA crt to server\
+ DB(ws: $host)"
+ return $RET
+ fi
+ fi # if [ "$reverseRunCGIScript" ]
+
+ [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir;
+ #=======================================================
+ # Import CA cert to ssl client DB
+ #
+ importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \
+ "TC,C,C"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import server-client-CA cert to \
+ server DB(ws: $host)"
+ return $RET
+ fi
+ fi
+
+ if [ $doOcspTests -eq 1 ]; then
+ [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir;
+ #=======================================================
+ # Import CA cert to ocsp client DB
+ #
+ importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \
+ "TC,C,C"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import server-client-CA cert to \
+ server DB(ws: $host)"
+ return $RET
+ fi
+ fi
+
+ #=======================================================
+ # Import client certs to client DB
+ #
+ for fileName in $downloadFiles; do
+ certName=`echo $fileName | sed 's/\..*//'`
+
+ if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then
+ clientDir=$ocspClientDir
+ elif [ $doSslTests -eq 1 ]; then
+ clientDir=$sslClientDir
+ else
+ continue
+ fi
+
+ download_file $host "$certDir/$fileName" $clientDir
+ RET=$?
+ if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then
+ html_failed "Fail to download $certName cert(ws: $host)"
+ return $RET
+ fi
+ tmpFiles="$tmpFiles $clientDir/$fileName"
+
+ importFile $clientDir $clientDir/$fileName $certName ",,"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import $certName cert to client DB\
+ (ws: $host)"
+ return $RET
+ fi
+ done
+
+ rm -f $tmpFiles
+
+ return 0
+}
+
+
+#########################################################################
+# Initial point for downloading config, cert, crl files for multiple hosts
+# involved in interoperability testing. Called from nss/tests/cert/cert.sh
+# It will only proceed with downloading if environment variable
+# IOPR_HOSTADDR_LIST is set and has a value of host names separated by space.
+#
+# Returns 1 if interoperability testing is off, 0 otherwise.
+#
+cert_iopr_setup() {
+
+ if [ "$IOPR" -ne 1 ]; then
+ return 1
+ fi
+ num=1
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '`
+ while [ "$IOPR_HOST_PARAM" ]; do
+ IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
+ IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
+ [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443
+ IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'`
+ [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"
+
+ echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\
+ $IOPR_CONF_PATH"
+
+ download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \
+ ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \
+ ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \
+ ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
+ if [ $? -ne 0 ]; then
+ echo "wsFlags=\"NOIOPR $wsParam\"" >> \
+ ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
+ fi
+ num=`expr $num + 1`
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+ done
+
+ return 0
+}
diff --git a/security/nss/tests/iopr/ocsp_iopr.sh b/security/nss/tests/iopr/ocsp_iopr.sh
new file mode 100644
index 0000000000..dcc6e1ffbd
--- /dev/null
+++ b/security/nss/tests/iopr/ocsp_iopr.sh
@@ -0,0 +1,231 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/ocsp_iopr.sh
+#
+# NSS SSL interoperability QA. This file is included from ssl.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+IOPR_OCSP_SOURCED=1
+
+########################################################################
+# The funtion works with variables defined in interoperability
+# configuration file that gets downloaded from a webserver.
+# The function sets test parameters defind for a particular type
+# of testing.
+#
+# No return value
+#
+setTestParam() {
+ type=$1
+ testParam=`eval 'echo $'${type}Param`
+ testDescription=`eval 'echo $'${type}Descr`
+ testProto=`eval 'echo $'${type}Proto`
+ testPort=`eval 'echo $'${type}Port`
+ testResponder=`eval 'echo $'${type}ResponderCert`
+ testValidCertNames=`eval 'echo $'${type}ValidCertNames`
+ testRevokedCertNames=`eval 'echo $'${type}RevokedCertNames`
+ testStatUnknownCertNames=`eval 'echo $'${type}StatUnknownCertNames`
+}
+
+########################################################################
+# The funtion checks status of a cert using ocspclnt.
+# Params:
+# dbDir - nss cert db location
+# cert - cert in question
+# respUrl - responder url is available
+# defRespCert - trusted responder cert
+#
+# Return values:
+# 0 - test passed, 1 - otherwise.
+#
+ocsp_get_cert_status() {
+ dbDir=$1
+ cert=$2
+ respUrl=$3
+ defRespCert=$4
+
+ if [ -n "$respUrl" -o -n "$defRespCert" ]; then
+ if [ -z "$respUrl" -o -z "$defRespCert" ]; then
+ html_failed "Incorrect test params"
+ return 1
+ fi
+ clntParam="-l $respUrl -t $defRespCert"
+ fi
+
+ if [ -z "${MEMLEAK_DBG}" ]; then
+ outFile=$dbDir/ocsptest.out.$$
+ echo "ocspclnt -d $dbDir -S $cert $clntParam"
+ ${BINDIR}/ocspclnt -d $dbDir -S $cert $clntParam >$outFile 2>&1
+ ret=$?
+ echo "ocspclnt output:"
+ cat $outFile
+ [ -z "`grep succeeded $outFile`" ] && ret=1
+
+ rm -f $outFile
+ return $ret
+ fi
+
+ OCSP_ATTR="-d $dbDir -S $cert $clntParam"
+ ${RUN_COMMAND_DBG} ${BINDIR}/ocspclnt ${OCSP_ATTR}
+}
+
+########################################################################
+# The funtion checks status of a cert using ocspclnt.
+# Params:
+# testType - type of the test based on type of used responder
+# servName - FQDM of the responder server
+# dbDir - nss cert db location
+#
+# No return value
+#
+ocsp_iopr() {
+ testType=$1
+ servName=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOCOV`" != "" ]; then
+ echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \
+ "run by server configuration"
+ return 0
+ fi
+
+ if [ -z "${MEMLEAK_DBG}" ]; then
+ html_head "OCSP testing with responder at $IOPR_HOSTADDR. <br>" \
+ "Test Type: $testDescription"
+ fi
+
+ if [ -n "$testResponder" ]; then
+ responderUrl="$testProto://$servName:$testPort"
+ else
+ responderUrl=""
+ fi
+
+ if [ -z "${MEMLEAK_DBG}" ]; then
+ for certName in $testValidCertNames; do
+ ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+ "$testResponder"
+ html_msg $? 0 "Getting status of a valid cert ($certName)" \
+ "produced a returncode of $ret, expected is 0."
+ done
+
+ for certName in $testRevokedCertNames; do
+ ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+ "$testResponder"
+ html_msg $? 1 "Getting status of a unvalid cert ($certName)" \
+ "produced a returncode of $ret, expected is 1."
+ done
+
+ for certName in $testStatUnknownCertNames; do
+ ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+ "$testResponder"
+ html_msg $? 1 "Getting status of a cert with unknown status " \
+ "($certName) produced a returncode of $ret, expected is 1."
+ done
+ else
+ for certName in $testValidCertNames $testRevokedCertNames \
+ $testStatUnknownCertName; do
+ ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+ "$testResponder"
+ done
+ fi
+}
+
+#####################################################################
+# Initial point for running ocsp test againt multiple hosts involved in
+# interoperability testing. Called from nss/tests/ocsp/ocsp.sh
+# It will only proceed with test run for a specific host if environment variable
+# IOPR_HOSTADDR_LIST was set, had the host name in the list
+# and all needed file were successfully downloaded and installed for the host.
+#
+# Returns 1 if interoperability testing is off, 0 otherwise.
+#
+ocsp_iopr_run() {
+ NO_ECC_CERTS=1 # disable ECC for interoperability tests
+
+ if [ "$IOPR" -ne 1 ]; then
+ return 1
+ fi
+ cd ${CLIENTDIR}
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ html_head "Memory leak checking - IOPR"
+ fi
+
+ num=1
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+ while [ "$IOPR_HOST_PARAM" ]; do
+ IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
+ IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
+ [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443
+
+ . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
+ RES=$?
+
+ num=`expr $num + 1`
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+
+ if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then
+ continue
+ fi
+
+ #=======================================================
+ # Check what server is configured to run ssl tests
+ #
+ [ -z "`echo ${supportedTests_new} | grep -i ocsp`" ] && continue;
+
+ # Testing directories defined by webserver.
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ LOGNAME=iopr-${IOPR_HOSTADDR}
+ LOGFILE=${LOGDIR}/${LOGNAME}.log
+ fi
+
+ # Testing directories defined by webserver.
+ echo "Testing ocsp interoperability.
+ Client: local(tstclnt).
+ Responder: remote($IOPR_HOSTADDR)"
+
+ for ocspTestType in ${supportedTests_new}; do
+ if [ -z "`echo $ocspTestType | grep -i ocsp`" ]; then
+ continue
+ fi
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \
+ ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} 2>> ${LOGFILE}
+ else
+ ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \
+ ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
+ fi
+ done
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ log_parse
+ ret=$?
+ html_msg ${ret} 0 "${LOGNAME}" \
+ "produced a returncode of $ret, expected is 0"
+ fi
+
+ echo "================================================"
+ echo "Done testing ocsp interoperability with $IOPR_HOSTADDR"
+ done
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ html "</TABLE><BR>"
+ fi
+
+ NO_ECC_CERTS=0
+ return 0
+}
+
diff --git a/security/nss/tests/iopr/server_scr/apache_unix.cfg b/security/nss/tests/iopr/server_scr/apache_unix.cfg
new file mode 100644
index 0000000000..3992bf52d7
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/apache_unix.cfg
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# Apache OPENSSL configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "openssl";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "$certDir/cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed openssl binary
+#
+$opensslb = "/usr/local/bin/openssl";
+
+
+#
+# General location of apache server
+#
+$apacheHttpd="/var/httpd-ssl";
+
+#
+# HTTP Request file
+#
+$reqFile = "$apacheHttpd/cgi-bin/sslreq.dat";
+
+#
+# OpenSSL certificate directory
+#
+$certDir = "$apacheHttpd/cert";
+
+#
+# CA certificate file
+#
+$caCertFile = "$certDir/serverCA.crt";
diff --git a/security/nss/tests/iopr/server_scr/cert_gen.sh b/security/nss/tests/iopr/server_scr/cert_gen.sh
new file mode 100644
index 0000000000..6611a0f416
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
@@ -0,0 +1,367 @@
+#!/bin/bash
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+######################################################################################
+# Server and client certs and crl generator functions. Generated files placed in a <dir>
+# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
+# This functions is used for manual webserver configuration and it is not a part of
+# nss test run.
+# To create certs use the following command:
+# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
+# Where:
+# dir - directory where to place created files
+# cert name - name of created server cert(FQDN)
+# cert req - cert request to be used for cert generation.
+#
+repAndExec() {
+ echo
+ if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
+ shift
+ echo certutil -s "$CU_SUBJECT" $@
+ certutil -s "$CU_SUBJECT" $@
+ RET=$?
+ else
+ echo $@
+ $@
+ RET=$?
+ fi
+
+ return $RET
+}
+
+setExtData() {
+ extData=$1
+
+ fldNum=0
+ extData=`echo $extData | sed 's/,/ /g'`
+ for extDT in $extData; do
+ if [ $fldNum -eq 0 ]; then
+ eval extType=$extDT
+ fldNum=1
+ continue
+ fi
+ eval data${fldNum}=$extDT
+ fldNum=`expr $fldNum + 1`
+ done
+}
+
+signCert() {
+ dir=$1
+ crtDir=$2
+ crtName=$3
+ crtSN=$4
+ req=$5
+ cuAddParam=$6
+ extList=$7
+
+ if [ -z "$certSigner" ]; then
+ certSigner=TestCA
+ fi
+
+ extCmdLine=""
+ extCmdFile=$dir/extInFile; rm -f $extCmdFile
+ touch $extCmdFile
+ extList=`echo $extList | sed 's/;/ /g'`
+ for ext in $extList; do
+ setExtData $ext
+ [ -z "$extType" ] && echo "incorrect extention format" && return 1
+ case $extType in
+ ocspDR)
+ extCmdLine="$extCmdLine -6"
+ cat <<EOF >> $extCmdFile
+5
+9
+y
+EOF
+ break
+ exit 1
+ ;;
+ AIA)
+ extCmdLine="$extCmdLine -9"
+ cat <<EOF >> $extCmdFile
+2
+7
+$data1
+0
+n
+n
+EOF
+ break
+ ;;
+ *)
+ echo "Unsupported extension type: $extType"
+ break
+ ;;
+ esac
+ done
+ echo "cmdLine: $extCmdLine"
+ echo "cmdFile: "`cat $extCmdFile`
+ repAndExec \
+ certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
+ -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
+ return $RET
+}
+
+createSignedCert() {
+ dir=$1
+ certDir=$2
+ certName=$3
+ certSN=$4
+ certSubj=$5
+ keyType=$6
+ extList=$7
+
+ echo Creating cert $certName-$keyType with SN=$certSN
+
+ CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
+ -k $keyType -o $dir/req 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ rm -f $dir/req
+
+ repAndExec \
+ certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
+ -i "$dir/${certName}-$keyType.crt" 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ cp "$dir/${certName}-$keyType.crt" $certDir
+
+ repAndExec \
+ pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
+ -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ return 0
+}
+
+generateAndExportSSLCerts() {
+ dir=$1
+ certDir=$2
+ serverName=$3
+ servCertReq=$4
+
+ if [ "$servCertReq" -a -f $servCertReq ]; then
+ grep REQUEST $servCertReq >/dev/null 2>&1
+ signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+ fi
+
+ certName=$serverName
+ createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser510
+ createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser511
+ createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser512
+ createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser513
+ createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+}
+
+generateAndExportOCSPCerts() {
+ dir=$1
+ certDir=$2
+
+ certName=ocspTrustedResponder
+ createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDesignatedResponder
+ createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser514
+ createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser516
+ createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser518
+ createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser520
+ createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser522
+ createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser524
+ createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ generateAndExportCACert $dir "" TestCA-unknown
+ [ $? -ne 0 ] && return $ret
+
+ certSigner=TestCA-unknown
+
+ certName=ocspTRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCAUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certSigner=""
+
+ return 0
+}
+
+generateAndExportCACert() {
+ dir=$1
+ certDirL=$2
+ caName=$3
+
+ certName=TestCA
+ [ "$caName" ] && certName=$caName
+ CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
+ -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
+5
+6
+9
+n
+y
+-1
+n
+EOF
+
+ if [ "$certDirL" ]; then
+ repAndExec \
+ certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt
+ [ "$RET" -ne 0 ] && return $RET
+
+ repAndExec \
+ pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ fi
+}
+
+
+generateCerts() {
+ certDir=$1
+ serverName=$2
+ reuseCACert=$3
+ servCertReq=$4
+
+ [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
+ [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
+
+ mkdir -p $certDir
+ [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
+
+
+ dir=/tmp/db.$$
+ if [ -z "$reuseCACert" ]; then
+ if [ -d "$dir" ]; then
+ rm -f $dir
+ fi
+
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+
+ mkdir -p $dir
+ [ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
+
+ echo nss > $PW_FILE
+ date >> ${NOISE_FILE} 2>&1
+
+ repAndExec \
+ certutil -d $dir -N -f $PW_FILE
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportCACert $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+ else
+ dir=$reuseCACert
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+ hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
+ [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
+ return $RET;
+ fi
+
+ generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportOCSPCerts $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+
+ crlUpdate=`date +%Y%m%d%H%M%SZ`
+ crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
+ repAndExec \
+ crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
+update=$crlUpdate
+nextupdate=$crlNextUpdate
+addcert 509-511 $crlUpdate
+addcert 516 $crlUpdate
+addcert 520 $crlUpdate
+addcert 524 $crlUpdate
+EOF_CRLINI
+ [ "$RET" -ne 0 ] && return $RET
+
+ rm -rf $dir
+ return 0
+}
+
+
+if [ -z "$1" -o -z "$2" ]; then
+ echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
+ exit 1
+fi
+generateCerts $1 $2 "$3" $4
+exit $?
diff --git a/security/nss/tests/iopr/server_scr/cipher.list b/security/nss/tests/iopr/server_scr/cipher.list
new file mode 100644
index 0000000000..668084c37a
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cipher.list
@@ -0,0 +1,98 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+nss openssl iis
+
+#
+# SSL v3.0 cipher suites.
+#
+SSL3_RSA_WITH_NULL_MD5 NULL-MD5 i
+SSL3_RSA_WITH_NULL_SHA NULL-SHA z
+SSL3_RSA_WITH_RC4_128_MD5 RC4-MD5 c
+SSL3_RSA_WITH_RC4_128_SHA RC4-SHA n
+SSL3_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+SSL3_RSA_WITH_DES_CBC_SHA DES-CBC-SHA e
+SSL3_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA d
+
+SSL3_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA s
+SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA q
+SSL3_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+SSL3_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+SSL3_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+SSL3_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+SSL3_FORTEZZA_KEA_WITH_NULL_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_RC4_128_SHA Not_implemented.
+
+#
+# Next four added to have ciphers below for SSL3 protocol
+#
+SSL3_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+SSL3_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+#
+#TLS v1.0 cipher suites.
+#
+TLS_RSA_WITH_NULL_MD5 NULL-MD5
+TLS_RSA_WITH_NULL_SHA NULL-SHA
+TLS_RSA_WITH_RC4_128_MD5 RC4-MD5
+TLS_RSA_WITH_RC4_128_SHA RC4-SHA
+TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
+TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
+
+TLS_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
+TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+#
+#AES ciphersuites from RFC3268, extending TLS v1.0
+#
+
+TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
+TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
+TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
+TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA
+
+TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
+TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
+TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA
+TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
+
+TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
+TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
+
+#
+#Additional cipher suites
+#
+#Note: these ciphers can also be used in SSL v3.
+#
+TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
+
+#
+# FIPS cipher list
+#
+TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+TLS_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
diff --git a/security/nss/tests/iopr/server_scr/client.cgi b/security/nss/tests/iopr/server_scr/client.cgi
new file mode 100644
index 0000000000..581ad06d1e
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/client.cgi
@@ -0,0 +1,526 @@
+#!/usr/bin/perl
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#--------------------------------------------------------------
+# cgi script that parses request argument to appropriate
+# open ssl or tstclntw options and starts ssl client.
+#
+
+use CGI qw/:standard/;
+
+use subs qw(debug);
+
+#--------------------------------------------------------------
+# Prints out an error string and exits the script with an
+# exitStatus.
+# Param:
+# str : an error string
+# exitStat: an exit status of the program
+#
+sub svr_error {
+ my ($str, $exitStat) = @_;
+
+ if (!defined $str || $str eq "") {
+ $str = $ERR;
+ }
+ print "SERVER ERROR: $str\n";
+ if ($exitStat) {
+ print end_html if ($osDataArr{wservRun});
+ exit $exitStat;
+ }
+}
+
+#--------------------------------------------------------------
+# Prints out a debug message
+# Params:
+# str: debug message
+# inVal: additional value to print(optional)
+#
+sub debug {
+ my ($str, $inVal) = @_;
+
+ print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1);
+}
+
+
+#--------------------------------------------------------------
+# Initializes execution context depending on a webserver the
+# script is running under.
+#
+sub init {
+ %osDataArr = (
+ loadSupportedCipthersFn => \&osSpecific,
+ cipherIsSupportedFn => \&verifyCipherSupport,
+ cipherListFn => \&convertCipher,
+ buildCipherTableFn => \&buildCipherTable,
+ execCmdFn => \&osSpecific,
+ );
+
+ $scriptName = $ENV{'SCRIPT_NAME'};
+ if (!defined $scriptName) {
+ $DEBUG=1;
+ debug "Debug is ON";
+ }
+ $DEBUG=1;
+
+ $svrSoft = $ENV{'SERVER_SOFTWARE'};
+ if (defined $svrSoft) {
+ $_ = $svrSoft;
+ /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS");
+ /.*Apache.*/ && ($osDataArr{wserv} = "Apache");
+ $osDataArr{wservRun} = 1;
+ } else {
+ $osDataArr{wserv} = "Apache";
+ $osDataArr{wservRun} = 0;
+ }
+}
+
+#--------------------------------------------------------------
+# Function-spigot to handle errors is OS specific functions are
+# not implemented for a particular OS.
+# Returns:
+# always returns 0(failure)
+#
+sub osSpecific {
+ $ERR = "This function should be swapped to os specific function.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Sets os specific execution context values.
+# Returns:
+# 1 upon success, or 0 upon failure(if OS was not recognized)
+#
+sub setFunctRefs {
+
+ debug("Entering setFunctRefs function", $osDataArr{wserv});
+
+ if ($osDataArr{wserv} eq "Apache") {
+ $osDataArr{osConfigFile} = "apache_unix.cfg";
+ $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL';
+ $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix;
+ $osDataArr{execCmdFn} = \&execClientCmd_Unix;
+ } elsif ($osDataArr{wserv} eq "IIS") {
+ $osDataArr{osConfigFile} = "iis_windows.cfg";
+ $osDataArr{suppCiphersCmd} = '$tstclntwb';
+ $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win;
+ $osDataArr{execCmdFn} = \&execClientCmd_Win;
+ } else {
+ $ERR = "Unknown Web Server type.";
+ return 0;
+ }
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Parses data from HTTP request. Will print a form if request
+# does not contain sufficient number of parameters.
+# Returns:
+# 1 if request has sufficient number of parameters
+# 0 if not.
+sub getReqData {
+ my $debug = param('debug');
+ $in_host = param('host');
+ $in_port = param('port');
+ $in_cert = param('cert');
+ $in_cipher = param('cipher');
+
+ if (!$osDataArr{wservRun}) {
+ $in_host="goa1";
+ $in_port="443";
+ $in_cert="TestUser511";
+ $in_cipher = "SSL3_RSA_WITH_NULL_SHA";
+ }
+
+ debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher");
+
+ if (defined $debug && $debug == "debug on") {
+ $DEBUG = 1;
+ }
+
+ if (!defined $in_host || $in_host eq "" ||
+ !defined $in_port || $in_port eq "" ||
+ !defined $in_cert || $in_cert eq "") {
+ if ($osDataArr{wservRun}) {
+ print h1('Command description form:'),
+ start_form(-method=>"get"),
+ "Host: ",textfield('host'),p,
+ "Port: ",textfield('port'),p,
+ "Cert: ",textfield('cert'),p,
+ "Cipher: ",textfield('cipher'),p,
+ checkbox_group(-name=>'debug',
+ -values=>['debug on ']),
+ submit,
+ end_form,
+ hr;
+ } else {
+ print "Printing html form to get client arguments\n";
+ }
+ $ERR = "the following parameters are required: host, port, cert";
+ return 0;
+ } else {
+ print "<pre>" if ($osDataArr{wservRun});
+ return 1;
+ }
+}
+
+
+#--------------------------------------------------------------
+# Building cipher conversion table from file based on the OS.
+# Params:
+# tfile: cipher conversion file.
+# sysName: system name
+# tblPrt: returned pointer to a table.
+sub buildCipherTable {
+ my ($tfile, $sysName, $tblPrt) = @_;
+ my @retArr = @$tblPrt;
+ my %table, %rtable;
+ my $strCount = 0;
+
+ debug("Entering getReqData function", "$tfile:$sysName:$tblPrt");
+
+ ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/);
+ if (!open(TFILE, "$tfile")) {
+ $ERR = "Missing cipher conversion table file.";
+ return 0;
+ }
+ foreach (<TFILE>) {
+ chop;
+ /^#.*/ && next;
+ /^\s*$/ && next;
+ if ($strCount++ == 0) {
+ my @sysArr = split /\s+/;
+ $colCount = 0;
+ for (;$colCount <= $#sysArr;$colCount++) {
+ last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/);
+ }
+ next;
+ }
+ my @ciphArr = split /\s+/, $_;
+ $table{$ciphArr[0]} = $ciphArr[$colCount];
+ $rtable{$ciphArr[$colCount]} = $ciphArr[0];
+ }
+ close(TFILE);
+ $cipherTablePtr[0] = \%table;
+ $cipherTablePtr[1] = \%rtable;
+ return 1
+}
+
+#--------------------------------------------------------------
+# Client configuration function. Loads client configuration file.
+# Initiates cipher table. Loads cipher list supported by ssl client.
+#
+sub configClient {
+
+ debug "Entering configClient function";
+
+ my $res = &setFunctRefs();
+ return $res if (!$res);
+
+ open(CFILE, $osDataArr{'osConfigFile'}) ||
+ ($ERR = "Missing configuration file." && return 0);
+ foreach (<CFILE>) {
+ /^#.*/ && next;
+ chop;
+ eval $_;
+ }
+ close(CFILE);
+
+ local @cipherTablePtr = ();
+ $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0;
+ $osDataArr{cipherTable} = $cipherTablePtr[0];
+ $osDataArr{rcipherTable} = $cipherTablePtr[1];
+
+ local $suppCiphersTablePrt;
+ &{$osDataArr{'loadSupportedCipthersFn'}} || return 0;
+ $osDataArr{suppCiphersTable} = $suppCiphersTablePrt;
+}
+
+#--------------------------------------------------------------
+# Verifies that a particular cipher is supported.
+# Params:
+# checkCipher: cipher name
+# Returns:
+# 1 - cipher is supported(also echos the cipher).
+# 0 - not supported.
+#
+sub verifyCipherSupport {
+ my ($checkCipher) = @_;
+ my @suppCiphersTable = @{$osDataArr{suppCiphersTable}};
+
+ debug("Entering verifyCipherSupport", $checkCipher);
+ foreach (@suppCiphersTable) {
+ return 1 if ($checkCipher eq $_);
+ }
+ $ERR = "cipher is not supported.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Converts long(?name of the type?) cipher name to
+# openssl/tstclntw cipher name.
+# Returns:
+# 0 if cipher was not listed. 1 upon success.
+#
+sub convertCipher {
+ my ($cipher) = @_;
+ my @retList;
+ my $resStr;
+ my %cipherTable = %{$osDataArr{cipherTable}};
+
+ debug("Entering convertCipher", $cipher);
+ if (defined $cipher) {
+ my $cphr = $cipherTable{$cipher};
+ if (!defined $cphr) {
+ $ERR = "cipher is not listed.";
+ return 0;
+ }
+ &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0;
+ $ciphers = "$cphr";
+ return 1;
+ }
+ return 0;
+}
+
+#################################################################
+# UNIX Apache Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Unix {
+ my @arr, @suppCiphersTable;
+
+ debug "Entering getSupportedCipherList_Unix function";
+
+ eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+ if (!open (OUT, "$sLisrCmd|")) {
+ $ERR="Can not run command to verify supported cipher list.";
+ return 0;
+ }
+ @arr = <OUT>;
+ chop $arr[0];
+ @suppCiphersTable = split /:/, $arr[0];
+ debug("Supported ciphers", $arr[0]);
+ $suppCiphersTablePrt = \@suppCiphersTable;
+ close(OUT);
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Unix {
+ my $proto;
+ local $ciphers;
+
+ debug "Entering execClientCmd_Unix";
+ if (defined $in_cipher && $in_cipher ne "") {
+ my @arr = split /_/, $in_cipher, 2;
+ $proto = "-".$arr[0];
+ $proto =~ tr /SLT/slt/;
+ $proto = "-tls1" if ($proto eq "-tls");
+ return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+ $ciphers = "-cipher $ciphers";
+ debug("Return from cipher conversion", "$ciphers");
+ }
+
+ eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+ debug("Executing command", $command);
+ if (!open CMD_OUT, "$command 2>&1 |") {
+ $ERR = "can not launch client";
+ return 0;
+ }
+
+ my @cmdOutArr = <CMD_OUT>;
+
+ foreach (@cmdOutArr) {
+ print $_;
+ }
+
+ my $haveVerify = 0;
+ my $haveErrors = 0;
+ foreach (@cmdOutArr) {
+ chop;
+ if (/unknown option/) {
+ $haveErrors++;
+ svr_error "unknown option\n";
+ next;
+ }
+ if (/:no ciphers available/) {
+ $haveErrors++;
+ svr_error "no cipthers available\n";
+ next;
+ }
+ if (/verify error:/) {
+ $haveErrors++;
+ svr_error "unable to do verification\n";
+ next;
+ }
+ if (/alert certificate revoked:/) {
+ $haveErrors++;
+ svr_error "attempt to connect with revoked sertificate\n";
+ next;
+ }
+ if (/(error|ERROR)/) {
+ $haveErrors++;
+ svr_error "found errors in server log\n";
+ next;
+ }
+ /verify return:1/ && ($haveVerify = 1);
+ }
+ if ($haveVerify == 0) {
+ svr_error "no 'verify return:1' found in server log\n";
+ $haveErrors++;
+ }
+
+ if ($haveErrors > 0) {
+ $ERR = "Have $haveErrors server errors";
+ debug "Exiting execClientCmd_Unix";
+ return 0;
+ }
+ debug "Exiting execClientCmd_Unix";
+ return 1;
+}
+
+#################################################################
+# Windows IIS Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Win {
+ my @arr, @suppCiphersTable;
+
+ debug "Entering getSupportedCipherList_Win function";
+
+ eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+ if (!open (OUT, "$sLisrCmd|")) {
+ $ERR="Can not run command to verify supported cipher list.";
+ return 0;
+ }
+ my $startCipherList = 0;
+ foreach (<OUT>) {
+ chop;
+ if ($startCipherList) {
+ /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1;
+ next;
+ }
+ /.*from list below.*/ && ($startCipherList = 1);
+ }
+ debug("Supported ciphers", join ':', @suppCiphersTable);
+ $suppCiphersTablePrt = \@suppCiphersTable;
+ close(OUT);
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Win {
+ my $proto;
+ local $ciphers;
+
+ debug "Entering execClientCmd_Win";
+ if (defined $in_cipher && $in_cipher ne "") {
+ my @arr = split /_/, $in_cipher, 2;
+ $proto = "-2 -3 -T";
+
+ $proto =~ s/-T// if ($arr[0] eq "TLS");
+ $proto =~ s/-3// if ($arr[0] eq "SSL3");
+ $proto =~ s/-2// if ($arr[0] eq "SSL2");
+ return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+ $ciphers = "-c $ciphers";
+ debug("Return from cipher conversion", $ciphers);
+ }
+
+ eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+ debug("Executing command", $command);
+ if (!open CMD_OUT, "$command 2>&1 |") {
+ $ERR = "can not launch client";
+ return 0;
+ }
+
+ my @cmdOutArr = <CMD_OUT>;
+
+ foreach (@cmdOutArr) {
+ print $_;
+ }
+
+ my $haveVerify = 0;
+ my $haveErrors = 0;
+ foreach (@cmdOutArr) {
+ chop;
+ if (/unknown option/) {
+ $haveErrors++;
+ svr_error "unknown option\n";
+ next;
+ }
+ if (/Error performing handshake/) {
+ $haveErrors++;
+ svr_error "Error performing handshake\n";
+ next;
+ }
+ if (/Error creating credentials/) {
+ $haveErrors++;
+ svr_error "Error creating credentials\n";
+ next;
+ }
+ if (/Error .* authenticating server credentials!/) {
+ $haveErrors++;
+ svr_error "Error authenticating server credentials\n";
+ next;
+ }
+ if (/(error|ERROR|Error)/) {
+ $haveErrors++;
+ svr_error "found errors in server log\n";
+ next;
+ }
+ }
+
+ if ($haveErrors > 0) {
+ $ERR = "Have $haveErrors server errors";
+ debug "Exiting execClientCmd_Win";
+ return 0;
+ }
+ debug "Exiting execClientCmd_Win";
+ return 1;
+}
+
+#################################################################
+# Main line of execution
+#----------------------------------------------------------------
+&init;
+
+if ($osDataArr{wservRun}) {
+ print header('text/html').
+ start_html('iopr client');
+}
+
+print "SCRIPT=OK\n";
+
+if (!&getReqData) {
+ svr_error($ERR, 1);
+}
+
+if (!&configClient) {
+ svr_error($ERR, 1);
+}
+
+&{$osDataArr{'execCmdFn'}} || svr_error;
+
+if ($osDataArr{wservRun}) {
+ print "</pre>";
+ print end_html;
+}
diff --git a/security/nss/tests/iopr/server_scr/config b/security/nss/tests/iopr/server_scr/config
new file mode 100644
index 0000000000..9e65b926c8
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/config
@@ -0,0 +1,17 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+userCertNames="TestUser510 TestUser511"
+userRevokedCertNames="TestUser510"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+supportedTests="SslSingleHs"
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsPort=443
+SslSingleHsUrl=/
+SslSingleHsParam=NOAUTH:NOCOV:NOCRL
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 / NOAUTH:NOCOV:NOCRL"
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 /"
diff --git a/security/nss/tests/iopr/server_scr/iis_windows.cfg b/security/nss/tests/iopr/server_scr/iis_windows.cfg
new file mode 100644
index 0000000000..76499b8b61
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iis_windows.cfg
@@ -0,0 +1,33 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# IIS windows configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "iis";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed tstclntb binary
+#
+$tstclntwb = "./tstclntw.exe";
+
+#
+# HTTP Request file
+#
+$reqFile = "sslreq.dat";
+
+
diff --git a/security/nss/tests/iopr/server_scr/iopr_server.cfg b/security/nss/tests/iopr/server_scr/iopr_server.cfg
new file mode 100644
index 0000000000..2b196e0154
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iopr_server.cfg
@@ -0,0 +1,67 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+
+#old values
+userCertNames="TestUser510-rsa TestUser512-rsa"
+userRevokedCertNames="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+supportedTests="SslSingleHs SslSecondHs"
+#supportedTests="SslSecondHs"
+
+
+downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt"
+# Keep a space at the end of
+SslClntValidCertName="TestUser512-rsa"
+SslClntRevokedCertName="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+
+supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder"
+
+#
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsDescr="ssl with single handshake without client cert auth"
+SslSingleHsPort=443
+SslSingleHsUrl=/iopr_test/test_pg.html
+SslSingleHsParam=NOAUTH
+
+#
+# SslSecondHs: ssl with secondary hs when accessing direcory
+# that requires cert verification
+SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification"
+SslSecondHsPort=443
+SslSecondHsUrl=/iopr_test_2hs/test_pg.html
+SslSecondHsParam=NOCOV
+
+#
+# OcspTrustedResponder - trusted responder key is used to sign OCSP response
+#
+OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response"
+OcspTrustedResponderProto=http
+OcspTrustedResponderPort=2560
+OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa
+OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa"
+OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa"
+OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa"
+
+#
+# OcspResponderCA - CA key is used to sign OCSP response
+#
+OcspResponderCADescr="CA key is used to sign OCSP response"
+OcspResponderCAValidCertNames="ocspRCATestUser518-rsa"
+OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa"
+OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa"
+
+#
+# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response
+#
+OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response"
+OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa"
+OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa"
+OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa"
diff --git a/security/nss/tests/iopr/server_scr/sslreq.dat b/security/nss/tests/iopr/server_scr/sslreq.dat
new file mode 100644
index 0000000000..2f7ad7736e
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
diff --git a/security/nss/tests/iopr/ssl_iopr.sh b/security/nss/tests/iopr/ssl_iopr.sh
new file mode 100644
index 0000000000..0f9742662d
--- /dev/null
+++ b/security/nss/tests/iopr/ssl_iopr.sh
@@ -0,0 +1,643 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/ssl_iopr.sh
+#
+# NSS SSL interoperability QA. This file is included from ssl.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+IOPR_SSL_SOURCED=1
+
+########################################################################
+# The functions works with variables defined in interoperability
+# configuration file that was downloaded from a webserver.
+# It tries to find unrevoked cert based on value of variable
+# "SslClntValidCertName" defined in the configuration file.
+# Params NONE.
+# Returns 0 if found, 1 otherwise.
+#
+setValidCert() {
+ testUser=$SslClntValidCertName
+ [ -z "$testUser" ] && return 1
+ return 0
+}
+
+########################################################################
+# The funtions works with variables defined in interoperability
+# configuration file that was downloaded from a webserver.
+# The function sets port, url, param and description test parameters
+# that was defind for a particular type of testing.
+# Params:
+# $1 - supported types of testing. Currently have maximum
+# of two: forward and reverse. But more can be defined.
+# No return value
+#
+setTestParam() {
+ type=$1
+ sslPort=`eval 'echo $'${type}Port`
+ sslUrl=`eval 'echo $'${type}Url`
+ testParam=`eval 'echo $'${type}Param`
+ testDescription=`eval 'echo $'${type}Descr`
+ [ -z "$sslPort" ] && sslPort=443
+ [ -z "$sslUrl" ] && sslUrl="/iopr_test/test_pg.html"
+ [ "$sslUrl" = "/" ] && sslUrl="/test_pg.html"
+}
+
+
+#######################################################################
+# local shell function to perform SSL Cipher Suite Coverage tests
+# in interoperability mode. Tests run against web server by using nss
+# test client
+# Params:
+# $1 - supported type of testing.
+# $2 - testing host
+# $3 - nss db location
+# No return value
+#
+ssl_iopr_cov_ext_server()
+{
+ testType=$1
+ host=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOCOV`" != "" ]; then
+ echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \
+ "run by server configuration"
+ return 0
+ fi
+
+ html_head "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR" \
+ "$BYPASS_STRING $NORM_EXT): $testDescription"
+
+ setValidCert; ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+ echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+ echo >> $SSL_REQ_FILE
+
+ while read ecc tls param testname therest; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "`echo $testname | grep FIPS`" -o \
+ "$ecc" = "ECC" ] && continue;
+
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ TLS_FLAG=-T
+ if [ "$tls" = "TLS" ]; then
+ TLS_FLAG=""
+ fi
+
+ resFile=${TMP}/$HOST.tmpRes.$$
+ rm $resFile 2>/dev/null
+
+ echo "tstclnt -p ${sslPort} -h ${host} -c ${param} ${TLS_FLAG} \\"
+ echo " -n $testUser -v -w nss ${CLIEN_OPTIONS} -f \\"
+ echo " -d ${dbDir} < ${SSL_REQ_FILE} > $resFile"
+
+ ${BINDIR}/tstclnt -p ${sslPort} -h ${host} -c ${param} \
+ ${TLS_FLAG} ${CLIEN_OPTIONS} -f -n $testUser -v -w nss \
+ -d ${dbDir} < ${SSL_REQ_FILE} >$resFile 2>&1
+ ret=$?
+ grep "ACCESS=OK" $resFile
+ test $? -eq 0 -a $ret -eq 0
+ ret=$?
+ [ $ret -ne 0 ] && cat $resFile
+ rm -f $resFile 2>/dev/null
+ html_msg $ret 0 "${testname}"
+ done < ${SSLCOV}
+ rm -f $SSL_REQ_FILE 2>/dev/null
+
+ html "</TABLE><BR>"
+}
+
+#######################################################################
+# local shell function to perform SSL Client Authentication tests
+# in interoperability mode. Tests run against web server by using nss
+# test client
+# Params:
+# $1 - supported type of testing.
+# $2 - testing host
+# $3 - nss db location
+# No return value
+#
+ssl_iopr_auth_ext_server()
+{
+ testType=$1
+ host=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOAUTH`" != "" ]; then
+ echo "SSL Client Authentication WebServ($IOPR_HOSTADDR) excluded from " \
+ "run by server configuration"
+ return 0
+ fi
+
+ html_head "SSL Client Authentication WebServ($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT):
+ $testDescription"
+
+ setValidCert;ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+ echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+ echo >> $SSL_REQ_FILE
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" > ${SSLAUTH_TMP}
+
+ while read ecc value sparam cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+ cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `
+
+ echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \\"
+ echo " -d ${dbDir} -v < ${SSL_REQ_FILE}"
+
+ resFile=${TMP}/$HOST.tmp.$$
+ rm $rsFile 2>/dev/null
+
+ ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \
+ -d ${dbDir} -v < ${SSL_REQ_FILE} >$resFile 2>&1
+ ret=$?
+ grep "ACCESS=OK" $resFile
+ test $? -eq 0 -a $ret -eq 0
+ ret=$?
+ [ $ret -ne 0 ] && cat $resFile
+ rm $resFile 2>/dev/null
+
+ html_msg $ret $value "${testname}. Client params: $cparam"\
+ "produced a returncode of $ret, expected is $value"
+ done < ${SSLAUTH_TMP}
+ rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE}
+
+ html "</TABLE><BR>"
+}
+
+########################################################################
+# local shell function to perform SSL interoperability test with/out
+# revoked certs tests. Tests run against web server by using nss
+# test client
+# Params:
+# $1 - supported type of testing.
+# $2 - testing host
+# $3 - nss db location
+# No return value
+#
+ssl_iopr_crl_ext_server()
+{
+ testType=$1
+ host=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOCRL`" != "" ]; then
+ echo "CRL SSL Client Tests of WebServerv($IOPR_HOSTADDR) excluded from " \
+ "run by server configuration"
+ return 0
+ fi
+
+ html_head "CRL SSL Client Tests of WebServer($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): $testDescription"
+
+ SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+ echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+ echo >> $SSL_REQ_FILE
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" | grep -v bogus | \
+ grep -v none > ${SSLAUTH_TMP}
+
+ while read ecc value sparam _cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+ rev_modvalue=254
+ for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
+ cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `
+
+ echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} \\"
+ echo " -f -d ${dbDir} -v ${cparam} < ${SSL_REQ_FILE}"
+ resFile=${TMP}/$HOST.tmp.$$
+ rm -f $resFile 2>/dev/null
+ ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \
+ -d ${dbDir} -v < ${SSL_REQ_FILE} \
+ > $resFile 2>&1
+ ret=$?
+ grep "ACCESS=OK" $resFile
+ test $? -eq 0 -a $ret -eq 0
+ ret=$?
+ [ $ret -ne 0 ] && ret=$rev_modvalue;
+ [ $ret -ne 0 ] && cat $resFile
+ rm -f $resFile 2>/dev/null
+
+ if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ testAddMsg="not revoked"
+ modvalue=$value
+ fi
+ html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ done
+ done < ${SSLAUTH_TMP}
+ rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE}
+
+ html "</TABLE><BR>"
+}
+
+
+########################################################################
+# local shell function to perform SSL Cipher Coverage tests of nss server
+# by invoking remote test client on web server side.
+# Invoked only if reverse testing is supported by web server.
+# Params:
+# $1 - remote web server host
+# $2 - open port to connect to invoke CGI script
+# $3 - host where selfserv is running(name of the host nss tests
+# are running)
+# $4 - port where selfserv is running
+# $5 - selfserv nss db location
+# No return value
+#
+ssl_iopr_cov_ext_client()
+{
+ host=$1
+ port=$2
+ sslHost=$3
+ sslPort=$4
+ serDbDir=$5
+
+ html_head "SSL Cipher Coverage of SelfServ $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+
+ setValidCert
+ ret=$?
+ if [ $res -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ # P_R_SERVERDIR switch require for selfserv to work.
+ # Will be restored after test
+ OR_P_R_SERVERDIR=$P_R_SERVERDIR
+ P_R_SERVERDIR=$serDbDir
+ OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+ P_R_CLIENTDIR=$serDbDir
+ testname=""
+ sparam="-vvvc ABCDEFcdefgijklmnvyz"
+ # Launch the server
+ start_selfserv
+
+ while read ecc tls param cipher therest; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+ echo "============= Beginning of the test ===================="
+ echo
+
+ is_selfserv_alive
+
+ TEST_IN=${TMP}/${HOST}_IN.tmp.$$
+ TEST_OUT=${TMP}/$HOST.tmp.$$
+ rm -f $TEST_IN $TEST_OUT 2>/dev/null
+
+ echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser&cipher=$cipher HTTP/1.0" > $TEST_IN
+ echo >> $TEST_IN
+
+ echo "------- Request ----------------------"
+ cat $TEST_IN
+ echo "------- Command ----------------------"
+ echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host \< $TEST_IN \>\> $TEST_OUT
+
+ ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host <$TEST_IN > $TEST_OUT
+
+ echo "------- Server output Begin ----------"
+ cat $TEST_OUT
+ echo "------- Server output End ----------"
+
+ echo "Checking for errors in log file..."
+ grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ grep "cipher is not supported" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ echo "Skiping test: no support for the cipher $cipher on server side"
+ continue
+ fi
+
+ grep -i "SERVER ERROR:" $TEST_OUT
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ echo "Found problems. Reseting exit code to failure."
+
+ ret=1
+ else
+ ret=0
+ fi
+ else
+ echo "Script was not executed. Reseting exit code to failure."
+ ret=11
+ fi
+
+ html_msg $ret 0 "Test ${cipher}. Server params: $sparam " \
+ " produced a returncode of $ret, expected is 0"
+ rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
+ done < ${SSLCOV}
+ kill_selfserv
+
+ P_R_SERVERDIR=$OR_P_R_SERVERDIR
+ P_R_CLIENTDIR=$OR_P_R_CLIENTDIR
+
+ rm -f ${TEST_IN} ${TEST_OUT}
+ html "</TABLE><BR>"
+}
+
+########################################################################
+# local shell function to perform SSL Authentication tests of nss server
+# by invoking remove test client on web server side
+# Invoked only if reverse testing is supported by web server.
+# Params:
+# $1 - remote web server host
+# $2 - open port to connect to invoke CGI script
+# $3 - host where selfserv is running(name of the host nss tests
+# are running)
+# $4 - port where selfserv is running
+# $5 - selfserv nss db location
+# No return value
+#
+ssl_iopr_auth_ext_client()
+{
+ host=$1
+ port=$2
+ sslHost=$3
+ sslPort=$4
+ serDbDir=$5
+
+ html_head "SSL Client Authentication with Selfserv from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+
+ setValidCert
+ ret=$?
+ if [ $res -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ OR_P_R_SERVERDIR=$P_R_SERVERDIR
+ P_R_SERVERDIR=${serDbDir}
+ OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+ P_R_CLIENTDIR=${serDbDir}
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+
+ grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP}
+
+ while read ecc value sparam cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+ echo "Server params: $sparam"
+ sparam=$sparam" -vvvc ABCDEFcdefgijklmnvyz"
+ start_selfserv
+
+ TEST_IN=${TMP}/$HOST_IN.tmp.$$
+ TEST_OUT=${TMP}/$HOST.tmp.$$
+ rm -f $TEST_IN $TEST_OUT 2>/dev/null
+
+ echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN
+ echo >> $TEST_IN
+
+ echo "------- Request ----------------------"
+ cat $TEST_IN
+ echo "------- Command ----------------------"
+ echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host \< $TEST_IN \>\> $TEST_OUT
+
+ ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host <$TEST_IN > $TEST_OUT
+
+ echo "------- Server output Begin ----------"
+ cat $TEST_OUT
+ echo "------- Server output End ----------"
+
+ echo "Checking for errors in log file..."
+ grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ echo "Checking for error in log file..."
+ grep -i "SERVER ERROR:" $TEST_OUT
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ echo "Found problems. Reseting exit code to failure."
+ ret=1
+ else
+ ret=0
+ fi
+ else
+ echo "Script was not executed. Reseting exit code to failure."
+ ret=11
+ fi
+
+ html_msg $ret $value "${testname}. Server params: $sparam"\
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+ rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
+ done < ${SSLAUTH_TMP}
+
+ P_R_SERVERDIR=$OR_P_R_SERVERDIR
+ P_R_CLIENTDIR=$OR_P_R_CLIENTDIR
+
+ rm -f ${SSLAUTH_TMP} ${TEST_IN} ${TEST_OUT}
+ html "</TABLE><BR>"
+}
+
+#########################################################################
+# local shell function to perform SSL CRL testing of nss server
+# by invoking remote test client on web server side
+# Invoked only if reverse testing is supported by web server.
+# Params:
+# $1 - remote web server host
+# $2 - open port to connect to invoke CGI script
+# $3 - host where selfserv is running(name of the host nss tests
+# are running)
+# $4 - port where selfserv is running
+# $5 - selfserv nss db location
+# No return value
+#
+ssl_iopr_crl_ext_client()
+{
+ host=$1
+ port=$2
+ sslHost=$3
+ sslPort=$4
+ serDbDir=$5
+
+ html_head "CRL SSL Selfserv Tests from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+
+ OR_P_R_SERVERDIR=$P_R_SERVERDIR
+ P_R_SERVERDIR=${serDbDir}
+ OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+ P_R_CLIENTDIR=$serDbDir
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP}
+
+ while read ecc value sparam _cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+ sparam="$sparam -vvvc ABCDEFcdefgijklmnvyz"
+ start_selfserv
+
+ for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
+
+ is_selfserv_alive
+
+ TEST_IN=${TMP}/${HOST}_IN.tmp.$$
+ TEST_OUT=${TMP}/$HOST.tmp.$$
+ rm -f $TEST_IN $TEST_OUT 2>/dev/null
+
+ echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN
+ echo >> $TEST_IN
+
+ echo "------- Request ----------------------"
+ cat $TEST_IN
+ echo "------- Command ----------------------"
+ echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h ${host} \< $TEST_IN \>\> $TEST_OUT
+
+ ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h ${host} <$TEST_IN > $TEST_OUT
+ echo "------- Request ----------------------"
+ cat $TEST_IN
+ echo "------- Server output Begin ----------"
+ cat $TEST_OUT
+ echo "------- Server output End ----------"
+
+ echo "Checking for errors in log file..."
+ grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ grep -i "SERVER ERROR:" $TEST_OUT
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ echo "Found problems. Reseting exit code to failure."
+ ret=1
+ else
+ ret=0
+ fi
+ else
+ echo "Script was not executed. Reseting exit code to failure."
+ ret=11
+ fi
+
+ if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
+ modvalue=1
+ testAddMsg="revoked"
+ else
+ testAddMsg="not revoked"
+ modvalue=0
+ fi
+
+ html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue(selfserv args: $sparam)"
+ rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
+ done
+ kill_selfserv
+ done < ${SSLAUTH_TMP}
+
+ P_R_SERVERDIR=$OR_P_R_SERVERDIR
+ P_R_CLIENTDIR=$OR_P_R_CLIENTDIR
+
+ rm -f ${SSLAUTH_TMP}
+ html "</TABLE><BR>"
+}
+
+#####################################################################
+# Initial point for running ssl test againt multiple hosts involved in
+# interoperability testing. Called from nss/tests/ssl/ssl.sh
+# It will only proceed with test run for a specific host if environment variable
+# IOPR_HOSTADDR_LIST was set, had the host name in the list
+# and all needed file were successfully downloaded and installed for the host.
+#
+# Returns 1 if interoperability testing is off, 0 otherwise.
+#
+ssl_iopr_run() {
+ if [ "$IOPR" -ne 1 ]; then
+ return 1
+ fi
+ cd ${CLIENTDIR}
+
+ ORIG_ECC_CERT=${NO_ECC_CERTS}
+ NO_ECC_CERTS=1 # disable ECC for interoperability tests
+
+ NSS_SSL_ENABLE_RENEGOTIATION=u
+ export NSS_SSL_ENABLE_RENEGOTIATION
+
+ num=1
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+ while [ "$IOPR_HOST_PARAM" ]; do
+ IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
+ IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
+ [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443
+
+ . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
+ RES=$?
+
+ if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then
+ num=`expr $num + 1`
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+ continue
+ fi
+
+ #=======================================================
+ # Check if server is capable to run ssl tests
+ #
+ [ -z "`echo ${supportedTests_new} | grep -i ssl`" ] && continue;
+
+ # Testing directories defined by webserver.
+ echo "Testing ssl interoperability.
+ Client: local(tstclnt).
+ Server: remote($IOPR_HOSTADDR:$IOPR_OPEN_PORT)"
+
+ for sslTestType in ${supportedTests_new}; do
+ if [ -z "`echo $sslTestType | grep -i ssl`" ]; then
+ continue
+ fi
+ ssl_iopr_cov_ext_server $sslTestType ${IOPR_HOSTADDR} \
+ ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
+ ssl_iopr_auth_ext_server $sslTestType ${IOPR_HOSTADDR} \
+ ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
+ ssl_iopr_crl_ext_server $sslTestType ${IOPR_HOSTADDR} \
+ ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
+ done
+
+
+ # Testing selfserv with client located at the webserver.
+ echo "Testing ssl interoperability.
+ Client: remote($IOPR_HOSTADDR:$PORT)
+ Server: local(selfserv)"
+ ssl_iopr_cov_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
+ ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
+ ssl_iopr_auth_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
+ ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
+ ssl_iopr_crl_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
+ ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
+ echo "================================================"
+ echo "Done testing interoperability with $IOPR_HOSTADDR"
+ num=`expr $num + 1`
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+ done
+ NO_ECC_CERTS=${ORIG_ECC_CERTS}
+ return 0
+}
+