diff options
Diffstat (limited to '')
-rwxr-xr-x | security/nss/tests/ssl/ssl.sh | 1701 | ||||
-rwxr-xr-x | security/nss/tests/ssl/ssl_dist_stress.sh | 313 | ||||
-rw-r--r-- | security/nss/tests/ssl/sslauth.txt | 84 | ||||
-rw-r--r-- | security/nss/tests/ssl/sslcov.txt | 155 | ||||
-rw-r--r-- | security/nss/tests/ssl/sslpolicy.txt | 208 | ||||
-rw-r--r-- | security/nss/tests/ssl/sslreq.dat | 2 | ||||
-rw-r--r-- | security/nss/tests/ssl/sslreq.txt | 2 | ||||
-rw-r--r-- | security/nss/tests/ssl/sslstress.txt | 81 | ||||
-rwxr-xr-x | security/nss/tests/ssl_gtests/ssl_gtests.sh | 155 |
9 files changed, 2701 insertions, 0 deletions
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh new file mode 100755 index 0000000000..0fa24a2c6d --- /dev/null +++ b/security/nss/tests/ssl/ssl.sh @@ -0,0 +1,1701 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/ssl/ssl.sh +# +# Script to test NSS SSL +# +# Needs to work on all Unix and Windows platforms +# +# Testing schema: +# --------------- +# all.sh ~ (main) +# | | +# +------------+------------+-----------+ ~ run_cycles +# | | | | | +# standard pkix upgradedb sharedb ~ run_cycle_* +# ... | ... ... | +# +------+------+-----> ~ run_tests +# | | | | +# ... ssl ... ~ ssl.sh +# | | +# +-------+-------+-----------------+ ~ ssl_run_tests +# | | | | | +# crl iopr policy permute(normal,fips) ~ ssl_run_test_* +# | | | | | +# +------+------+------+------+---+-+-+-+----> ~ ssl_run +# | | | | | | | +# stapling cov auth stress dtls ... ~ ssl_run_* +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## ssl_init ################################ +# local shell function to initialize this script +######################################################################## +ssl_init() +{ + SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ -z "${IOPR_SSL_SOURCED}" ]; then + . ../iopr/ssl_iopr.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=ssl.sh + echo "$SCRIPTNAME: SSL tests ===============================" + + grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { + html_head "SSL Test failure" + Exit 8 "Fatal - cert.sh needs to pass first" + } + + if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then + grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || { + html_head "SSL Test failure" + Exit 8 "Fatal - SSL of cert.sh needs to pass first" + } + fi + + PORT=${PORT-8443} + # Avoid port conflicts when multiple tests are running on the same machine. + if [ -n "$NSS_TASKCLUSTER_MAC" ]; then + cwd=$(cd $(dirname $0); pwd -P) + padd=$(echo $cwd | cut -d "/" -f4 | sed 's/[^0-9]//g') + PORT=$(($PORT + $padd)) + fi + NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} + nss_ssl_run="stapling signed_cert_timestamps cov auth dtls scheme exporter" + NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} + + # Test case files + SSLCOV=${QADIR}/ssl/sslcov.txt + SSLAUTH=${QADIR}/ssl/sslauth.txt + SSLSTRESS=${QADIR}/ssl/sslstress.txt + SSLPOLICY=${QADIR}/ssl/sslpolicy.txt + REQUEST_FILE=${QADIR}/ssl/sslreq.dat + + #temparary files + SERVEROUTFILE=${TMP}/tests_server.$$ + SERVERPID=${TMP}/tests_pid.$$ + + R_SERVERPID=../tests_pid.$$ + + TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}" + + fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't + #fileout=1 + #verbose="-v" #FIXME - see where this is usefull + + USER_NICKNAME=TestUser + NORM_EXT="" + + EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D" + EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027" + EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA" + + NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B" + NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz" + TLS13_SUITES=":1301:1302:1303" + + # List of cipher suites to test, including ECC cipher suites. + CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}" + TLS13_CIPHER_SUITES="-c ${TLS13_SUITES}${EC_SUITES}${NON_EC_SUITES}" + + # in fips mode, turn off curve25519 until it's NIST approved + FIPS_OPTIONS="-I P256,P384,P521,FF2048,FF3072,FF4096,FF6144,FF8192" + + # in non-fips mode, tstclnt may run without the db password in some + # cases, but in fips mode it's always needed + CLIENT_PW="" + CLIENT_PW_FIPS="-w nss" + CLIENT_PW_NORMAL="" + + if [ "${OS_ARCH}" != "WINNT" ]; then + ulimit -n 1000 # make sure we have enough file descriptors + fi + + cd ${CLIENTDIR} +} + +########################### is_selfserv_alive ########################## +# local shell function to exit with a fatal error if selfserver is not +# running +######################################################################## +is_selfserv_alive() +{ + if [ ! -f "${SERVERPID}" ]; then + echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist" + sleep 5 + if [ ! -f "${SERVERPID}" ]; then + Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist" + fi + fi + + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_SERVERPID} + else + PID=`cat ${SERVERPID}` + fi + + echo "kill -0 ${PID} >/dev/null 2>/dev/null" + kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" + + echo "selfserv with PID ${PID} found at `date`" +} + +########################### wait_for_selfserv ########################## +# local shell function to wait until selfserver is running and initialized +######################################################################## +wait_for_selfserv() +{ + #verbose="-v" + echo "trying to connect to selfserv at `date`" + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" + echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}" + ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} + if [ $? -ne 0 ]; then + sleep 5 + echo "retrying to connect to selfserv at `date`" + echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" + echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}" + ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} + if [ $? -ne 0 ]; then + html_failed "Waiting for Server" + fi + fi + is_selfserv_alive +} + +########################### kill_selfserv ############################## +# local shell function to kill the selfserver after the tests are done +######################################################################## +kill_selfserv() +{ + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_SERVERPID} + else + PID=`cat ${SERVERPID}` + fi + + echo "trying to kill selfserv with PID ${PID} at `date`" + + if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then + echo "${KILL} ${PID}" + ${KILL} ${PID} + else + echo "${KILL} -USR1 ${PID}" + ${KILL} -USR1 ${PID} + fi + wait ${PID} + if [ ${fileout} -eq 1 ]; then + cat ${SERVEROUTFILE} + fi + + # On Linux selfserv needs up to 30 seconds to fully die and free + # the port. Wait until the port is free. (Bug 129701) + if [ "${OS_ARCH}" = "Linux" ]; then + echo "selfserv -b -p ${PORT} 2>/dev/null;" + until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do + echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;" + sleep 1 + done + fi + + echo "selfserv with PID ${PID} killed at `date`" + + rm ${SERVERPID} + html_detect_core "kill_selfserv core detection step" +} + +########################### start_selfserv ############################# +# local shell function to start the selfserver with the parameters required +# for this test and log information (parameters, start time) +# also: wait until the server is up and running +######################################################################## +start_selfserv() +{ + if [ -n "$testname" ] ; then + echo "$SCRIPTNAME: $testname ----" + fi + if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then + ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec" + else + ECC_OPTIONS="" + fi + if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then + RSA_OPTIONS="-n ${HOSTADDR}" + else + RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss" + fi + SERVER_VMIN=${SERVER_VMIN-ssl3} + SERVER_VMAX=${SERVER_VMAX-tls1.2} + echo "selfserv starting at `date`" + echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\" + echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\" + echo " -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &" + if [ ${fileout} -eq 1 ]; then + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 \ + > ${SERVEROUTFILE} 2>&1 & + RET=$? + else + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 & + RET=$? + fi + + # The PID $! returned by the MKS or Cygwin shell is not the PID of + # the real background process, but rather the PID of a helper + # process (sh.exe). MKS's kill command has a bug: invoking kill + # on the helper process does not terminate the real background + # process. Our workaround has been to have selfserv save its PID + # in the ${SERVERPID} file and "kill" that PID instead. But this + # doesn't work under Cygwin; its kill command doesn't recognize + # the PID of the real background process, but it does work on the + # PID of the helper process. So we save the value of $! in the + # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID} + # file under Cygwin. (In fact, this should work in any shell + # other than the MKS shell.) + SHELL_SERVERPID=$! + wait_for_selfserv + + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_SERVERPID} + else + PID=`cat ${SERVERPID}` + fi + + echo "selfserv with PID ${PID} started at `date`" +} + +ignore_blank_lines() +{ + LC_ALL=C egrep -v '^[[:space:]]*(#|$)' "$1" +} + +############################## ssl_cov ################################# +# local shell function to perform SSL Cipher Coverage tests +######################################################################## +ssl_cov() +{ + verbose_save=${verbose} + verbose="-v" + html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + + SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} + if [ "${SERVER_MODE}" = "fips" ] ; then + SERVER_OPTIONS="${SERVER_OPTIONS} ${FIPS_OPTIONS}" + fi + SAVE_CLIENT_OPTIONS=${CLIENT_OPTIONS} + if [ "${CLIENT_MODE}" = "fips" ] ; then + CLIENT_OPTIONS="${CLIENT_OPTIONS} ${FIPS_OPTIONS}" + fi + + start_selfserv $CIPHER_SUITES # Launch the server + + VMIN="ssl3" + VMAX="tls1.1" + # can't use a pipe here, because we may have to restart selfserv, and + # doing so hides the server pid environment variable in the subshell in + # cygwin, which means we can't kill selfserv at the end here. + SSL_COV_TMP=$(mktemp /tmp/ssl_cov.XXXXXX) + ignore_blank_lines ${SSLCOV} > ${SSL_COV_TMP} + while read ectype testmax param testname + do + echo "${testname}" | grep "EXPORT" > /dev/null + EXP=$? + + # RSA-PSS tests are handled in a separate function + case $testname in + *RSA-PSS) + continue + ;; + esac + + echo "$SCRIPTNAME: running $testname ----------------------------" + VMAX="ssl3" + if [ "$testmax" = "TLS10" ]; then + VMAX="tls1.0" + fi + if [ "$testmax" = "TLS11" ]; then + VMAX="tls1.1" + fi + if [ "$testmax" = "TLS12" ]; then + VMAX="tls1.2" + fi + if [ "$testmax" = "TLS13" ]; then + # if our selfserv can only do up to tls1.2 + # restart it so it can do tls1.3, This requires + # moving VMIN up to tls1.0 because you can't enable SSL3 and + # TLS 1.3. + if [ "$VMIN" = "ssl3" ]; then + SERVER_VMIN="tls1.0" + SERVER_VMAX="tls1.3" + kill_selfserv + start_selfserv ${TLS13_CIPHER_SUITES} + unset SERVER_VMIN + unset SERVER_VMAX + VMIN="tls1.0" + fi + VMAX="tls1.3" + fi + # if we are testing ssl3 and our server can only do down to tls1.1, + # restart it to enable ssl3 + if [ "$VMAX" = "ssl3" -a "$VMIN" = "tls1.1" ]; then + kill_selfserv + start_selfserv $CIPHER_SUITES + VMIN="ssl3" + fi + + + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + html_msg $ret 0 "${testname}" \ + "produced a returncode of $ret, expected is 0" + done < ${SSL_COV_TMP} + rm -f ${SSL_COV_TMP} + + SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} + CLIENT_OPTIONS=${SAVE_CLIENT_OPTIONS} + verbose=${verbose_save} + kill_selfserv + html "</TABLE><BR>" +} + +ssl_cov_rsa_pss() +{ + #verbose="-v" + html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + + if [ "$NORM_EXT" = "Extended Test" ] ; then + echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT" + return 0 + fi + + RSA_PSS_CERT=1 + NO_ECC_CERTS=1 + start_selfserv $CIPHER_SUITES + RSA_PSS_CERT=0 + NO_ECC_CERTS=0 + + VMIN="tls1.2" + VMAX="tls1.2" + + ignore_blank_lines ${SSLCOV} | \ + while read ectype testmax param testname + do + case $testname in + *RSA-PSS) + ;; + *) + continue + ;; + esac + + echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------" + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + html_msg $ret 0 "${testname}" \ + "produced a returncode of $ret, expected is 0" + done + + kill_selfserv + html "</TABLE><BR>" +} + +############################## ssl_auth ################################ +# local shell function to perform SSL Client Authentication tests +######################################################################## +ssl_auth() +{ + #verbose="-v" + html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + ignore_blank_lines ${SSLAUTH} | \ + while read ectype value sparam cparam testname + do + echo "${testname}" | grep "don't require client auth" > /dev/null + CAUTH=$? + echo "${testname}" | grep "TLS 1.3" > /dev/null + TLS13=$? + + if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + else + cparam=`echo $cparam | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" ` + if [ "$ectype" = "SNI" ]; then + cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` + sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` + fi + # SSL3 cannot be used with TLS 1.3 + unset SERVER_VMIN + unset SERVER_VMAX + if [ $TLS13 -eq 0 ] ; then + SERVER_VMIN=tls1.0 + SERVER_VMAX=tls1.3 + fi + start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'` + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + #workaround for bug #402058 + [ $ret -ne 0 ] && ret=1 + [ $value -ne 0 ] && value=1 + + html_msg $ret $value "${testname}" \ + "produced a returncode of $ret, expected is $value" + kill_selfserv + fi + done + + html "</TABLE><BR>" +} + +ssl_stapling_sub() +{ + #verbose="-v" + testname=$1 + SO=$2 + value=$3 + + if [ "$NORM_EXT" = "Extended Test" ] ; then + # these tests use the ext_client directory for tstclnt, + # which doesn't contain the required "TestCA" for server cert + # verification, I don't know if it would be OK to add it... + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + return 0 + fi + + SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} + SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}" + + SAVE_P_R_SERVERDIR=${P_R_SERVERDIR} + P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/ + + echo "${testname}" + + start_selfserv + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + # hopefully no workaround for bug #402058 needed here? + # (see commands in ssl_auth + + html_msg $ret $value "${testname}" \ + "produced a returncode of $ret, expected is $value" + kill_selfserv + + SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} + P_R_SERVERDIR=${SAVE_P_R_SERVERDIR} +} + +ssl_stapling_stress() +{ + testname="Stress OCSP stapling, server uses random status" + SO="-A TestCA -T random" + value=0 + + if [ "$NORM_EXT" = "Extended Test" ] ; then + # these tests use the ext_client directory for tstclnt, + # which doesn't contain the required "TestCA" for server cert + # verification, I don't know if it would be OK to add it... + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + return 0 + fi + + SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} + SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}" + + SAVE_P_R_SERVERDIR=${P_R_SERVERDIR} + P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/ + + echo "${testname}" + start_selfserv + + echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\" + echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}" + echo "strsclnt started at `date`" + ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \ + -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR} + ret=$? + + echo "strsclnt completed at `date`" + html_msg $ret $value \ + "${testname}" \ + "produced a returncode of $ret, expected is $value." + kill_selfserv + + SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} + P_R_SERVERDIR=${SAVE_P_R_SERVERDIR} +} + +############################ ssl_stapling ############################## +# local shell function to perform SSL Cert Status (OCSP Stapling) tests +######################################################################## +ssl_stapling() +{ + html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + # tstclnt Exit code: + # 0: have fresh and valid revocation data, status good + # 1: cert failed to verify, prior to revocation checking + # 2: missing, old or invalid revocation data + # 3: have fresh and valid revocation data, status revoked + + # selfserv modes + # good, revoked, unkown: Include locally signed response. Requires: -A + # failure: Include OCSP failure status, such as "try later" (unsigned) + # badsig: use a good status but with an invalid signature + # corrupted: stapled cert status is an invalid block of data + + ssl_stapling_sub "OCSP stapling, signed response, good status" "-A TestCA -T good" 0 + ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked" 3 + ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown" 2 + ssl_stapling_sub "OCSP stapling, unsigned failure response" "-A TestCA -T failure" 2 + ssl_stapling_sub "OCSP stapling, good status, bad signature" "-A TestCA -T badsig" 2 + ssl_stapling_sub "OCSP stapling, invalid cert status data" "-A TestCA -T corrupted" 2 + ssl_stapling_sub "Valid cert, Server doesn't staple" "" 2 + + ssl_stapling_stress + + html "</TABLE><BR>" +} + +############################ ssl_signed_cert_timestamps ################# +# local shell function to perform SSL Signed Certificate Timestamp tests +######################################################################### +ssl_signed_cert_timestamps() +{ + #verbose="-v" + html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="ssl_signed_cert_timestamps" + value=0 + + echo "${testname}" + + start_selfserv + + # Since we don't have server-side support, this test only covers advertising the + # extension in the client hello. + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + html_msg $ret $value "${testname}" \ + "produced a returncode of $ret, expected is $value" + kill_selfserv + html "</TABLE><BR>" +} + + +############################## ssl_stress ############################## +# local shell function to perform SSL stress test +######################################################################## +ssl_stress() +{ + html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + ignore_blank_lines ${SSLSTRESS} | \ + while read ectype value sparam cparam testname + do + echo "${testname}" | grep "client auth" > /dev/null + CAUTH=$? + echo "${testname}" | grep "no login" > /dev/null + NOLOGIN=$? + + if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + elif [ "${NOLOGIN}" -eq 0 ] && \ + [ "${CLIENT_MODE}" = "fips" -o "$NORM_EXT" = "Extended Test" ] ; then + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + else + cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` + if [ "$ectype" = "SNI" ]; then + cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` + sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` + fi + + start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` + + if [ "`uname -n`" = "sjsu" ] ; then + echo "debugging disappearing selfserv... ps -ef | grep selfserv" + ps -ef | grep selfserv + fi + + if [ "${NOLOGIN}" -eq 0 ] ; then + dbdir=${P_R_NOLOGINDIR} + else + dbdir=${P_R_CLIENTDIR} + fi + + echo "strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \\" + echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}" + echo "strsclnt started at `date`" + ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \ + -V ssl3:tls1.2 $verbose ${HOSTADDR} + ret=$? + echo "strsclnt completed at `date`" + html_msg $ret $value \ + "${testname}" \ + "produced a returncode of $ret, expected is $value. " + if [ "`uname -n`" = "sjsu" ] ; then + echo "debugging disapering selfserv... ps -ef | grep selfserv" + ps -ef | grep selfserv + fi + kill_selfserv + fi + done + + html "</TABLE><BR>" +} + +############################ ssl_crl_ssl ############################### +# local shell function to perform SSL test with/out revoked certs tests +######################################################################## +ssl_crl_ssl() +{ + #verbose="-v" + html_head "CRL SSL Client Tests $NORM_EXT" + + # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it. + # Cert number $UNREVOKED_CERT_GRP_1 was not revoked + CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN + CRL_GROUP_RANGE=$CRL_GRP_1_RANGE + UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1 + + ignore_blank_lines ${SSLAUTH} | \ + while read ectype value sparam cparam testname + do + echo "${testname}" | grep "TLS 1.3" > /dev/null + TLS13=$? + if [ "$ectype" = "SNI" ]; then + continue + else + # SSL3 cannot be used with TLS 1.3 + unset SERVER_VMIN + unset SERVER_VMAX + if [ $TLS13 -eq 0 ] ; then + SERVER_VMIN=tls1.0 + SERVER_VMAX=tls1.3 + fi + servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` + pwd=`echo $cparam | grep nss` + # did we select TestUser? + user=`echo $cparam | grep TestUser` + # did we explicitly select a cert? + auto=`echo $cparam | grep '\\-n'` + _cparam=$cparam + case $servarg in + 1) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=254 + fi + ;; + 2) if [ -z "$auto" ]; then + rev_modvalue=0 + else + rev_modvalue=254 + fi + ;; + 3) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=1 + fi + ;; + 4) if [ -z "$auto" ]; then + rev_modvalue=0 + else + rev_modvalue=1 + fi + ;; + esac + TEMP_NUM=0 + while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ] + do + CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}` + TEMP_NUM=`expr $TEMP_NUM + 1` + USER_NICKNAME="TestUser${CURR_SER_NUM}" + cparam=`echo $_cparam | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" ` + start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'` + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then + modvalue=$rev_modvalue + testAddMsg="revoked" + else + testAddMsg="not revoked" + modvalue=$value + fi + + html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + kill_selfserv + done + fi + done + + html "</TABLE><BR>" +} + +############################# setup_policy ############################# +# local shell function to create policy configuration +######################################################################## +setup_policy() +{ + policy="$1" + outdir="$2" + OUTFILE="${outdir}/pkcs11.txt" + cat > "$OUTFILE" << ++EOF++ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) +++EOF++ + echo "config=${policy}" >> "$OUTFILE" + echo "" >> "$OUTFILE" + echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> "$OUTFILE" + cat >> "$OUTFILE" << ++EOF++ +name=RootCerts +NSS=trustOrder=100 +++EOF++ + + echo "******************************Testing with: " + cat "$OUTFILE" + echo "******************************" +} + +############################## ssl_policy ############################## +# local shell function to perform SSL Policy tests +######################################################################## +ssl_policy() +{ + #verbose="-v" + html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + + if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then + html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized" + return 1; + fi + + echo "Saving pkcs11.txt" + cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav + + start_selfserv $CIPHER_SUITES + + ignore_blank_lines ${SSLPOLICY} | \ + while read value ectype testmax param policy testname + do + VMIN="ssl3" + + echo "$SCRIPTNAME: running $testname ----------------------------" + VMAX="ssl3" + if [ "$testmax" = "TLS10" ]; then + VMAX="tls1.0" + fi + if [ "$testmax" = "TLS11" ]; then + VMAX="tls1.1" + fi + if [ "$testmax" = "TLS12" ]; then + VMAX="tls1.2" + fi + + # load the policy + policy=`echo ${policy} | sed -e 's;_; ;g'` + setup_policy "$policy" ${P_R_CLIENTDIR} + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + #workaround for bug #402058 + [ $ret -ne 0 ] && ret=1 + [ ${value} -ne 0 ] && value=1 + + html_msg $ret ${value} "${testname}" \ + "produced a returncode of $ret, expected is ${value}" + done + cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt + + kill_selfserv + html "</TABLE><BR>" +} + +list_enabled_suites() +{ + echo "SSL_DIR=${P_R_CLIENTDIR} ${BINDIR}/listsuites" + SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites | tail -n+3 | \ + sed -n -e '/^TLS_/h' -e '/^ .*Enabled.*/{g;p}' | sed 's/:$//' +} + +############################## ssl_policy_listsuites ################### +# local shell function to perform SSL Policy tests, using listsuites +######################################################################## +ssl_policy_listsuites() +{ + #verbose="-v" + html_head "SSL POLICY LISTSUITES $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + + if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then + html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized" + return 1; + fi + + echo "Saving pkcs11.txt" + cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav + + # Disallow all explicitly + testname="listsuites with all cipher disallowed by policy" + setup_policy "disallow=all" ${P_R_CLIENTDIR} + RET_EXP=1 + list_enabled_suites | grep '^TLS_' + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + # Disallow RSA in key exchange explicitly + testname="listsuites with rsa cipher disallowed by policy" + setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR} + RET_EXP=1 + list_enabled_suites | grep '^TLS_RSA_' + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + # allow by policy, but disable by default + testname="listsuites with all ciphers enabled by policy but disabled by default" + setup_policy "allow=all disable=all" ${P_R_CLIENTDIR} + RET_EXP=1 + list_enabled_suites | grep '^TLS_' + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + # allow by policy, but disable by default just rsa-kea + testname="listsuites with all ciphers enabled by policy but rsa disabled by default" + setup_policy "allow=all disable=rsa/ssl-key-exchange" ${P_R_CLIENTDIR} + RET_EXP=1 + list_enabled_suites | grep '^TLS_RSA_' + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + # list_enabled_suites tries to set a policy value explicitly, This will + # cause list_enabled_suites to fail if we lock the policy + testname="listsuites with policy locked" + setup_policy "allow=all flags=policy-lock" ${P_R_CLIENTDIR} + RET_EXP=1 + SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt + + html "</TABLE><BR>" +} + +ssl_policy_pkix_ocsp() +{ + #verbose="-v" + html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"} + NSS_ENABLE_PKIX_VERIFY="1" + export NSS_ENABLE_PKIX_VERIFY + + testname="" + + if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then + html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" + return 1; + fi + + echo "Saving pkcs11.txt" + cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav + + # Disallow sha1 explicitly. This will test if we are trying to verify the sha1 signature + # on the GlobalSign root during OCSP processing + setup_policy "disallow=sha1" ${P_R_SERVERDIR} + RET_EXP=0 + echo " vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out" + vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out + # make sure we have the domain mismatch, not bad signature error + echo "grep 12276 ${P_R_SERVERDIR}/vfy.out" + grep 12276 ${P_R_SERVERDIR}/vfy.out + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + if [ "${PKIX_SAVE}" = "unset" ]; then + unset NSS_ENABLE_PKIX_VERIFY + else + NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE} + export NSS_ENABLE_PKIX_VERIFY + fi + cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt + + html "</TABLE><BR>" + +} + +############################## ssl_policy_selfserv ##################### +# local shell function to perform SSL Policy tests, using selfserv +######################################################################## +ssl_policy_selfserv() +{ + #verbose="-v" + html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + + if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then + html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" + return 1; + fi + + echo "Saving pkcs11.txt" + cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav + + # Disallow RSA in key exchange explicitly + testname="Disallow RSA key exchange explicitly" + setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR} + + SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} + # make sure policy is working in the multiprocess case is working on + # UNIX-like OS's. Other OS's can't properly clean up the child processes + # when our test suite kills the parent, so just use the single process + # self serve for them + if [ "${OS_ARCH}" != "WINNT" -a "${OS_ARCH}" != "WIN95" -a "${OS_ARCH}" != "OS2" ]; then + SERVER_OPTIONS="-M 3 ${SERVER_OPTIONS}" + fi + + start_selfserv $CIPHER_SUITES + + SERVER_OPTIONS="${SAVE_SERVER_OPTIONS}" + VMIN="ssl3" + VMAX="tls1.2" + + # Try to connect to the server with a ciphersuite using RSA in key exchange + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + RET_EXP=254 + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + RET=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt + + kill_selfserv + html "</TABLE><BR>" +} + +############################# is_revoked ############################### +# local shell function to check if certificate is revoked +######################################################################## +is_revoked() { + certNum=$1 + currLoadedGrp=$2 + + found=0 + ownerGrp=1 + while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ] + do + currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}` + currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}` + currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1` + if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then + found=1 + else + ownerGrp=`expr $ownerGrp + 1` + fi + done + if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then + return 1 + fi + if [ $found -eq 0 ]; then + return 1 + fi + unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}` + if [ $certNum -eq $unrevokedGrpCert ]; then + return 1 + fi + return 0 +} + +########################### load_group_crl ############################# +# local shell function to load CRL +######################################################################## +load_group_crl() { + #verbose="-v" + group=$1 + ectype=$2 + + OUTFILE_TMP=${TMP}/$HOST.tmp.$$ + grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}` + grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}` + grpEnd=`expr $grpBegin + $grpRange - 1` + + if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then + ret=1 + return 1; + fi + + # Add -ec suffix for ECC + if [ "$ectype" = "ECC" ] ; then + ecsuffix="-ec" + eccomment="ECC " + else + ecsuffix="" + eccomment="" + fi + + if [ "$RELOAD_CRL" != "" ]; then + if [ $group -eq 1 ]; then + echo "==================== Resetting to group 1 crl ===================" + kill_selfserv + start_selfserv + is_selfserv_alive + fi + echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd =============" + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}" + echo "Request:" + echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" + echo "" + echo "RELOAD time $i" + + REQF=${R_CLIENTDIR}.crlreq + cat > ${REQF} <<_EOF_REQUEST_ +GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} + +_EOF_REQUEST_ + + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f \ + -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \ + >${OUTFILE_TMP} 2>&1 < ${REQF} + + cat ${OUTFILE_TMP} + grep "CRL ReCache Error" ${OUTFILE_TMP} + if [ $? -eq 0 ]; then + ret=1 + return 1 + fi + else + echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv =====" + + kill_selfserv + CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd" + crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \ + -p ../tests.pw.928 + ret=$? + if [ "$ret" -eq 0 ]; then + html_passed "${CU_ACTION}" + return 1 + fi + start_selfserv + fi + is_selfserv_alive + ret=$? + echo "================= CRL Reloaded =============" +} + + +########################### ssl_crl_cache ############################## +# local shell function to perform SSL test for crl cache functionality +# with/out revoked certs +######################################################################## +ssl_crl_cache() +{ + #verbose="-v" + html_head "Cache CRL SSL Client Tests $NORM_EXT" + SSLAUTH_TMP=${TMP}/authin.tl.tmp + SERV_ARG=-r_-r + rm -f ${SSLAUTH_TMP} + echo ${SSLAUTH_TMP} + + grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus | grep -v 'post hs' > ${SSLAUTH_TMP} + echo $? + while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ] + do + start_selfserv `echo $SERV_ARG | sed -e 's,_, ,g'` + exec < ${SSLAUTH_TMP} + while read ectype value sparam cparam testname + do + [ "$ectype" = "" ] && continue + if [ "$ectype" = "SNI" ]; then + continue + else + servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` + pwd=`echo $cparam | grep nss` + user=`echo $cparam | grep TestUser` + _cparam=$cparam + case $servarg in + 1) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=254 + fi + ;; + 2) rev_modvalue=254 ;; + + 3) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=1 + fi + ;; + 4) rev_modvalue=1 ;; + esac + TEMP_NUM=0 + LOADED_GRP=1 + while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] + do + while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ] + do + CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}` + TEMP_NUM=`expr $TEMP_NUM + 1` + USER_NICKNAME="TestUser${CURR_SER_NUM}" + cparam=`echo $_cparam | sed -e 's;\([^\]\)_;\1 ;g' -e 's;\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" ` + + echo "Server Args: $SERV_ARG" + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + is_revoked ${CURR_SER_NUM} ${LOADED_GRP} + isRevoked=$? + if [ $isRevoked -eq 0 ]; then + modvalue=$rev_modvalue + testAddMsg="revoked" + else + modvalue=$value + testAddMsg="not revoked" + fi + + is_selfserv_alive + ss_status=$? + if [ "$ss_status" -ne 0 ]; then + html_msg $ret $modvalue \ + "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue. " \ + "selfserv is not alive!" + else + html_msg $ret $modvalue \ + "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + fi + done + LOADED_GRP=`expr $LOADED_GRP + 1` + TEMP_NUM=0 + if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then + load_group_crl $LOADED_GRP $ectype + html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \ + "produced a returncode of $ret, expected is 0" + fi + done + # Restart selfserv to roll back to two initial group 1 crls + # TestCA CRL and TestCA-ec CRL + kill_selfserv + start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` + fi + done + kill_selfserv + SERV_ARG="${SERV_ARG}_-r" + rm -f ${SSLAUTH_TMP} + grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP} + done + TEMPFILES=${SSLAUTH_TMP} + html "</TABLE><BR>" +} + +############################ ssl_dtls ################################### +# local shell function to test tstclnt acting as client and server for DTLS +######################################################################### +ssl_dtls() +{ + #verbose="-v" + html_head "SSL DTLS $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="ssl_dtls" + value=0 + + echo "${testname}" + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \\" + echo " -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} &" + + (sleep 2; cat ${REQUEST_FILE}) | ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \ + -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss 2>&1 & + + PID=$! + + sleep 1 + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \\" + echo " -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE}" + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 + ret=$? + html_msg $ret $value "${testname}" \ + "produced a returncode of $ret, expected is $value" + + kill ${PID} + + html "</TABLE><BR>" +} + +############################ ssl_scheme ################################### +# local shell function to test tstclnt and selfserv handling of signature schemes +######################################################################### +ssl_scheme() +{ + html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + NO_ECC_CERTS=1 + schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256") + for sscheme in "${schemes[@]}"; do + for cscheme in "${schemes[@]}"; do + testname="ssl_scheme server='$sscheme' client='$cscheme'" + echo "${testname}" + + start_selfserv -V tls1.2:tls1.2 -J "$sscheme" + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE}" + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 + ret=$? + # If both schemes include just one option and those options don't + # match, then the test should fail; otherwise, assume that it works. + if [ "${cscheme#*,}" = "$cscheme" -a \ + "${sscheme#*,}" = "$sscheme" -a \ + "$cscheme" != "$sscheme" ]; then + expected=254 + else + expected=0 + fi + html_msg $ret $expected "${testname}" \ + "produced a returncode of $ret, expected is $expected" + kill_selfserv + done + done + NO_ECC_CERTS=0 + + html "</TABLE><BR>" +} + +############################ ssl_scheme_stress ########################## +# local shell function to test strsclnt and selfserv handling of signature schemes +######################################################################### +ssl_scheme_stress() +{ + html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + NO_ECC_CERTS=1 + schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256") + for sscheme in "${schemes[@]}"; do + for cscheme in "${schemes[@]}"; do + testname="ssl_scheme server='$sscheme' client='$cscheme'" + echo "${testname}" + + start_selfserv -V tls1.2:tls1.2 -J "$sscheme" + + echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE}" + ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 + ret=$? + # If both schemes include just one option and those options don't + # match, then the test should fail; otherwise, assume that it works. + if [ "${cscheme#*,}" = "$cscheme" -a \ + "${sscheme#*,}" = "$sscheme" -a \ + "$cscheme" != "$sscheme" ]; then + expected=1 + else + expected=0 + fi + html_msg $ret $expected "${testname}" \ + "produced a returncode of $ret, expected is $expected" + kill_selfserv + done + done + NO_ECC_CERTS=0 + + html "</TABLE><BR>" +} + +############################ ssl_exporter ################################### +# local shell function to test tstclnt and selfserv handling of TLS exporter +######################################################################### +ssl_exporter() +{ + html_head "SSL EXPORTER $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + save_fileout=${fileout} + fileout=1 + SAVE_SERVEROUTFILE=${SERVEROUTFILE} + SERVEROUTFILE=server.out + exporters=("label" "label:10" "label:10:0xdeadbeef" "0x666f6f2c:10:0xdeadbeef" "label1:10:0xdeadbeef,label2:10") + for exporter in "${exporters[@]}"; do + start_selfserv -V tls1.2:tls1.2 -x "$exporter" + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -V tls1.2:tls1.2 -x $exporter ${CLIENT_PW} < ${REQUEST_FILE}" + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -x "$exporter" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 > client.out + kill_selfserv + diff <(LC_ALL=C grep -A1 "^ *Keying Material:" server.out) \ + <(LC_ALL=C grep -A1 "^ *Keying Material:" client.out) + ret=$? + html_msg $ret 0 "${testname}" \ + "produced a returncode of $ret, expected is 0" + done + SERVEROUTFILE=${SAVE_SERVEROUTFILE} + fileout=${save_fileout} + + html "</TABLE><BR>" +} + +############################## ssl_cleanup ############################# +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +ssl_cleanup() +{ + rm $SERVERPID 2>/dev/null + cd ${QADIR} + . common/cleanup.sh +} + +############################## ssl_run ################################# +# local shell function to run coverage, authentication and stress tests +######################################################################## +ssl_run() +{ + for SSL_RUN in ${NSS_SSL_RUN} + do + case "${SSL_RUN}" in + "stapling") + if [ -z "$NSS_DISABLE_LIBPKIX" ]; then + ssl_stapling + fi + ;; + "signed_cert_timestamps") + ssl_signed_cert_timestamps + ;; + "cov") + ssl_cov + ssl_cov_rsa_pss + ;; + "auth") + ssl_auth + ;; + "stress") + ssl_stress + ;; + "dtls") + ssl_dtls + ;; + "scheme") + ssl_scheme + ssl_scheme_stress + ;; + "exporter") + ssl_exporter + ;; + esac + done +} + +############################ ssl_run_all ############################### +# local shell function to run both standard and extended ssl tests +######################################################################## +ssl_run_all() +{ + ORIG_SERVERDIR=$SERVERDIR + ORIG_CLIENTDIR=$CLIENTDIR + ORIG_R_SERVERDIR=$R_SERVERDIR + ORIG_R_CLIENTDIR=$R_CLIENTDIR + ORIG_P_R_SERVERDIR=$P_R_SERVERDIR + ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR + + # Exercise PKCS#11 URI parsing. The token actually changes its name + # in FIPS mode, so cope with that. Note there's also semicolon in here + # but it doesn't need escaping/quoting; the shell copes. + if [ "${CLIENT_MODE}" = "fips" ]; then + USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser" + else + USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser" + fi + NORM_EXT="" + cd ${CLIENTDIR} + + ssl_run + + SERVERDIR=$EXT_SERVERDIR + CLIENTDIR=$EXT_CLIENTDIR + R_SERVERDIR=$R_EXT_SERVERDIR + R_CLIENTDIR=$R_EXT_CLIENTDIR + P_R_SERVERDIR=$P_R_EXT_SERVERDIR + P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR + + # A different URI test; specify CKA_LABEL but not the token. + USER_NICKNAME="pkcs11:object=ExtendedSSLUser" + NORM_EXT="Extended Test" + cd ${CLIENTDIR} + + ssl_run + + # the next round of ssl tests will only run if these vars are reset + SERVERDIR=$ORIG_SERVERDIR + CLIENTDIR=$ORIG_CLIENTDIR + R_SERVERDIR=$ORIG_R_SERVERDIR + R_CLIENTDIR=$ORIG_R_CLIENTDIR + P_R_SERVERDIR=$ORIG_P_R_SERVERDIR + P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR + + USER_NICKNAME=TestUser + NORM_EXT= + cd ${QADIR}/ssl +} + +############################ ssl_set_fips ############################## +# local shell function to set FIPS mode on/off +######################################################################## +ssl_set_fips() +{ + CLTSRV=$1 + ONOFF=$2 + + if [ ${CLTSRV} = "server" ]; then + DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}" + else + DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}" + fi + + if [ "${ONOFF}" = "on" ]; then + FIPSMODE=true + RET_EXP=0 + else + FIPSMODE=false + RET_EXP=1 + fi + + html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}" + + for DBDIR in ${DBDIRS} + do + EXT_OPT= + echo ${DBDIR} | grep ext > /dev/null + if [ $? -eq 0 ]; then + EXT_OPT="extended " + fi + + echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}" + + echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force" + ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1 + RET=$? + html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \ + "produced a returncode of ${RET}, expected is 0" + + echo "modutil -dbdir ${DBDIR} -list" + DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1` + RET=$? + html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \ + "produced a returncode of ${RET}, expected is 0" + + echo "${DBLIST}" | grep "FIPS PKCS #11" + RET=$? + html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \ + "produced a returncode of ${RET}, expected is ${RET_EXP}" + done + + html "</TABLE><BR>" +} + +############################ ssl_set_fips ############################## +# local shell function to run all tests set in NSS_SSL_TESTS variable +######################################################################## +ssl_run_tests() +{ + for SSL_TEST in ${NSS_SSL_TESTS} + do + case "${SSL_TEST}" in + "policy") + if [ "${TEST_MODE}" = "SHARED_DB" ] ; then + ssl_policy_listsuites + ssl_policy_selfserv + ssl_policy_pkix_ocsp + ssl_policy + fi + ;; + "crl") + ssl_crl_ssl + ssl_crl_cache + ;; + "iopr") + ssl_iopr_run + ;; + *) + SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1` + CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2` + + case "${SERVER_MODE}" in + "normal") + SERVER_OPTIONS= + ;; + "fips") + SERVER_OPTIONS= + ssl_set_fips server on + ;; + *) + html_failed "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}" + return 1 + ;; + esac + + case "${CLIENT_MODE}" in + "normal") + CLIENT_OPTIONS= + CLIENT_PW=${CLIENT_PW_NORMAL} + ;; + "fips") + CLIENT_OPTIONS= + CLIENT_PW=${CLIENT_PW_FIPS} + ssl_set_fips client on + ;; + *) + html_failed "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}" + return 1 + ;; + esac + + ssl_run_all + + if [ "${SERVER_MODE}" = "fips" ]; then + ssl_set_fips server off + fi + + if [ "${CLIENT_MODE}" = "fips" ]; then + ssl_set_fips client off + fi + ;; + esac + done +} + +################################# main ################################# + +ssl_init +ssl_run_tests +ssl_cleanup diff --git a/security/nss/tests/ssl/ssl_dist_stress.sh b/security/nss/tests/ssl/ssl_dist_stress.sh new file mode 100755 index 0000000000..a67dfcbac5 --- /dev/null +++ b/security/nss/tests/ssl/ssl_dist_stress.sh @@ -0,0 +1,313 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/ssl/ssl_dist_stress.sh +# +# Script to test NSS SSL - distributed stresstest - this script needs to +# source the regular ssl.sh (for shellfunctions, certs and variables +# initialisation) +# create certs +# start server +# start itself via rsh on different systems to connect back to the server +# +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## ssl_ds_init ############################# +# local shell function to initialize this script +######################################################################## +ssl_ds_init() +{ + if [ -z "$GLOB_MIN_CERT" ] ; then + GLOB_MIN_CERT=0 + fi + if [ -z "$GLOB_MAX_CERT" ] ; then + GLOB_MAX_CERT=200 + fi + IP_PARAM="" + CD_QADIR_SSL="" + + + if [ -n "$1" ] ; then + ssl_ds_eval_opts $* + fi + SCRIPTNAME=ssl_dist_stress.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + ssl_init # let some other script do the hard work (initialize, generate certs, ... + + SCRIPTNAME=ssl_dist_stress.sh + echo "$SCRIPTNAME: SSL distributed stress tests ===============================" + +} + +######################### ssl_ds_usage ################################# +# local shell function to explain the usage +######################################################################## +ssl_ds_usage() +{ + echo "Usage: `basename $1`" + echo " -host hostname " + echo " ...host who runs the server, for distributed stress test" + echo " -stress " + echo " ...runs the server sider of the distributed stress test" + echo " -dir unixdirectory " + echo " ...lets the server side of the distributed stress test" + echo " know where to find the scritp to start on the remote side" + echo " -certnum start-end" + echo " ... provides the range of certs for distributed stress test" + echo " for example -certnum 10-20 will connect 10 times" + echo " no blanks in the range string (not 10 - 20)" + echo " valid range ${GLOB_MIN_CERT}-${GLOB_MAX_CERT}" + echo " -? ...prints this text" + exit 1 #does not need to be Exit, very early in script +} + +######################### ssl_ds_eval_opts ############################# +# local shell function to deal with options and parameters +######################################################################## +ssl_ds_eval_opts() +{ + #use $0 not $SCRIPTNAM<E, too early, SCRIPTNAME not yet set + + while [ -n "$1" ] + do + case $1 in + -host) + BUILD_OPT=1 + export BUILD_OPT + DO_REM_ST="TRUE" + shift + SERVERHOST=$1 + HOST=$1 + if [ -z $SERVERHOST ] ; then + echo "$0 `uname -n`: -host requires hostname" + ssl_ds_usage + fi + echo "$0 `uname -n`: host $HOST ($1)" + ;; + -certn*) + shift + rangeOK=`echo $1 | sed -e 's/[0-9][0-9]*-[0-9][0-9]*/OK/'` + MIN_CERT=`echo $1 | sed -e 's/-[0-9][0-9]*//' -e 's/^00*//'` + MAX_CERT=`echo $1 | sed -e 's/[0-9][0-9]*-//' -e 's/^00*//'` + if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o \ + -z "$MIN_CERT" -o -z "$MAX_CERT" -o \ + "$MIN_CERT" -gt "$MAX_CERT" -o \ + "$MIN_CERT" -lt "$GLOB_MIN_CERT" -o \ + "$MAX_CERT" -gt "$GLOB_MAX_CERT" ] ; then + echo "$0 `uname -n`: -certn range not valid" + ssl_ds_usage + fi + echo "$0 `uname -n`: will use certs from $MIN_CERT to $MAX_CERT" + ;; + -server|-stress|-dist*st*) + BUILD_OPT=1 + export BUILD_OPT + DO_DIST_ST="TRUE" + ;; + -dir|-unixdir|-uxdir|-qadir) + shift + UX_DIR=$1 + #FIXME - we need a default unixdir + if [ -z "$UX_DIR" ] ; then # -o ! -d "$UX_DIR" ] ; then can't do, Win doesn't know... + echo "$0 `uname -n`: -dir requires directoryname " + ssl_ds_usage + fi + CD_QADIR_SSL="cd $UX_DIR" + ;; + -ip*) + shift + IP_ADDRESS=$1 + if [ -z "$IP_ADDRESS" ] ; then + echo "$0 `uname -n`: -ip requires ip-address " + ssl_ds_usage + fi + USE_IP=TRUE + IP_PARAM="-ip $IP_ADDRESS" + ;; + -h|-help|"-?"|*) + ssl_ds_usage + ;; + esac + shift + done +} + +############################## ssl_ds_rem_stress ####################### +# local shell function to perform the client part of the SSL stress test +######################################################################## + +ssl_ds_rem_stress() +{ + testname="SSL remote part of Stress test (`uname -n`)" + echo "$SCRIPTNAME `uname -n`: $testname" + + #cp -r "${CLIENTDIR}" /tmp/ssl_ds.$$ #FIXME + #cd /tmp/ssl_ds.$$ + #verbose="-v" + + cd ${CLIENTDIR} + + CONTINUE=$MAX_CERT + while [ $CONTINUE -ge $MIN_CERT ] + do + echo "strsclnt -D -p ${PORT} -d ${P_R_CLIENTDIR} -w nss -c 1 $verbose " + echo " -n TestUser$CONTINUE ${HOSTADDR} #`uname -n`" + ${BINDIR}/strsclnt -D -p ${PORT} -d . -w nss -c 1 $verbose \ + -n "TestUser$CONTINUE" ${HOSTADDR} & + #${HOSTADDR} & + CONTINUE=`expr $CONTINUE - 1 ` + #sleep 4 #give process time to start up + done + + html_msg 0 0 "${testname}" #FIXME +} + +######################### ssl_ds_dist_stress ########################### +# local shell function to perform the server part of the new, distributed +# SSL stress test +######################################################################## + +ssl_ds_dist_stress() +{ + max_clientlist=" + box-200 + washer-200 + dryer-200 + hornet-50 + shabadoo-50 + y2sun2-10 + galileo-10 + shame-10 + axilla-10 + columbus-10 + smarch-10 + nugget-10 + charm-10 + hp64-10 + biggayal-10 + orville-10 + kwyjibo-10 + hbombaix-10 + raven-10 + jordan-10 + phaedrus-10 + louie-10 + trex-10 + compaqtor-10" + + #clientlist=" huey-2 dewey-2 hornet-2 shabadoo-2" #FIXME ADJUST + clientlist=" box-200 washer-200 huey-200 dewey-200 hornet-200 shabadoo-200 louie-200" + #clientlist=" box-2 huey-2 " + #clientlist="washer-200 huey-200 dewey-200 hornet-200 " + + html_head "SSL Distributed Stress Test" + + testname="SSL distributed Stress test" + + echo cd "${CLIENTDIR}" + cd "${CLIENTDIR}" + if [ -z "CD_QADIR_SSL" ] ; then + CD_QADIR_SSL="cd $QADIR/ssl" + else + cp -r $HOSTDIR $HOSTDIR/../../../../../booboo_Solaris8/mozilla/tests_results/security + fi + + #sparam=" -t 128 -D -r " + sparam=" -t 16 -D -r -r -y " + start_selfserv + + for c in $clientlist + do + client=`echo $c | sed -e "s/-.*//"` + number=`echo $c | sed -e "s/.*-//"` + CLIENT_OK="TRUE" + echo $client + ping $client >/dev/null || CLIENT_OK="FALSE" + if [ "$CLIENT_OK" = "FALSE" ] ; then + echo "$SCRIPTNAME `uname -n`: $client can't be reached - skipping" + else + get_certrange $number + echo "$SCRIPTNAME `uname -n`: $RSH $client -l svbld \\ " + echo " \" $CD_QADIR_SSL ;ssl_dist_stress.sh \\" + echo " -host $HOST -certnum $CERTRANGE $IP_PARAM \" " + $RSH $client -l svbld \ + " $CD_QADIR_SSL;ssl_dist_stress.sh -host $HOST -certnum $CERTRANGE $IP_PARAM " & + fi + done + + echo cd "${CLIENTDIR}" + cd "${CLIENTDIR}" + + sleep 500 # give the clients time to finish #FIXME ADJUST + + echo "GET /stop HTTP/1.0\n\n" > stdin.txt #check to make sure it has /r/n + echo "tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 " + echo " -w nss -f < stdin.txt" + ${BINDIR}/tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 \ + -w nss -f < stdin.txt + + html_msg 0 0 "${testname}" + html "</TABLE><BR>" +} + +############################ get_certrange ############################# +# local shell function to find the range of certs that the next remote +# client is supposed to use (only for server side of the dist stress test +######################################################################## +get_certrange() +{ + rangeOK=`echo $1 | sed -e 's/[0-9][0-9]*/OK/'` + if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o $1 = "OK" ] ; then + range=10 + echo "$SCRIPTNAME `uname -n`: $1 is not a valid number of certs " + echo " defaulting to 10 for $client" + else + range=$1 + if [ $range -gt $GLOB_MAX_CERT ] ; then + range=$GLOB_MAX_CERT + fi + fi + if [ -z "$FROM_CERT" ] ; then # start new on top of the cert stack + FROM_CERT=$GLOB_MAX_CERT + elif [ `expr $FROM_CERT - $range + 1 ` -lt 0 ] ; then + FROM_CERT=$GLOB_MAX_CERT # dont let it fall below 0 on the TO_CERT + + fi + TO_CERT=`expr $FROM_CERT - $range + 1 ` + if [ $TO_CERT -lt 0 ] ; then # it's not that I'm bad in math, I just + TO_CERT=0 # don't trust expr... + fi + CERTRANGE="${TO_CERT}-${FROM_CERT}" + FROM_CERT=`expr ${TO_CERT} - 1 ` #start the next client one below +} + + +################## main ################################################# + +DO_DIST_ST="TRUE" +. ./ssl.sh +ssl_ds_init $* +if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then + ssl_ds_rem_stress + exit 0 #no cleanup on purpose +elif [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then + ssl_ds_dist_stress +fi +ssl_cleanup diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt new file mode 100644 index 0000000000..61e4a6c6d4 --- /dev/null +++ b/security/nss/tests/ssl/sslauth.txt @@ -0,0 +1,84 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file defines the tests for client auth. +# +# expected +# Enable return server client Test Case name +# ECC value params params +# ------- ------ ------ ------ --------------- + noECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_none TLS Request don't require client auth (client does not provide auth) + noECC 0 -r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Request don't require client auth (bad password) + noECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Request don't require client auth (client auth) + noECC 254 -r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Require client auth (client does not provide auth) + noECC 254 -r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Require client auth (bad password) + noECC 0 -r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser_ TLS Require client auth (client auth) + noECC 0 -r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) + noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) + noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) + noECC 254 -r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) + noECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) + noECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth) + noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Require client auth on 2nd hs (client auth) + noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth) + noECC 0 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) + noECC 0 -r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Request don't require client auth on post hs (client auth) + noECC 0 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Require client auth on post hs (client auth) + noECC 0 -r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Request don't require client auth on post hs (client does not provide auth) + noECC 1 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Require client auth on post hs (client does not provide auth) + noECC 0 -r_-r_-r_-E_-u -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Request don't require client auth on post hs with session ticket (client auth) + noECC 0 -r_-r_-J_rsa\\_pkcs1\\_sha256 -V_tls1.2:_-w_nss TLS 1.2 Require client auth auto select(RSA) (client auth) +# +# Use EC cert for client authentication +# + ECC 0 -r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password) + ECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth) + ECC 254 -r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password) + ECC 0 -r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth) + ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password) + ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth) + ECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password) + ECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth) + ECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth) + ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth) + ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) + ECC 0 -r_-r_-J_ecdsa\\_secp256r1\\_sha256 -V_tls1.2:_-w_nss TLS 1.2 Require client auth auto select(EC) (client auth) + ECC 0 -r_-r_-J_ecdsa\\_secp256r1\\_sha256,ecdsa\\_secp384r1\\_sha384 -V_tls1.3:_-w_nss TLS 1.3 Require client auth auto select (EC) (client auth) +# +# SNI Tests +# + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI + SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI + SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions + SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI + SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI + SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS + SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS + SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt new file mode 100644 index 0000000000..ca79a5e09c --- /dev/null +++ b/security/nss/tests/ssl/sslcov.txt @@ -0,0 +1,155 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables test coverage of the various SSL ciphers +# +# Enable Enable Cipher Test Name +# EC TLS +# + noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5 + noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA + noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA + noECC SSL3 i SSL3_RSA_WITH_NULL_MD5 + noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA + noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA + noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA + noECC SSL3 z SSL3_RSA_WITH_NULL_SHA + noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 + noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384 +# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA +# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA +# + noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5 + noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA + noECC TLS10 i TLS_RSA_WITH_NULL_MD5 + noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA + noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA + noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA + noECC TLS10 z TLS_RSA_WITH_NULL_SHA +# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA +# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA +# +# + noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5 + noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA + noECC TLS11 i TLS11_RSA_WITH_NULL_MD5 + noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA + noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA + noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA + noECC TLS11 z TLS11_RSA_WITH_NULL_SHA +# + noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5 + noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA + noECC TLS12 i TLS12_RSA_WITH_NULL_MD5 + noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA + noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA + noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA + noECC TLS12 z TLS12_RSA_WITH_NULL_SHA + noECC TLS12 :0016 TLS12_DHE_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS12 :0032 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA + noECC TLS12 :0033 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA + noECC TLS12 :0038 TLS12_DHE_DSS_WITH_AES_256_CBC_SHA + noECC TLS12 :0039 TLS12_DHE_RSA_WITH_AES_256_CBC_SHA + noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256 + noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256 + noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256 + noECC TLS12 :0040 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA256 + noECC TLS12 :0067 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA256 + noECC TLS12 :006A TLS12_DHE_DSS_WITH_AES_256_CBC_SHA256 + noECC TLS12 :006B TLS12_DHE_RSA_WITH_AES_256_CBC_SHA256 + noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256 + noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256 + noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256 + noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + noECC TLS13 :1301 TLS13_DHE_WITH_AES_128_GCM_SHA256 + noECC TLS13 :1302 TLS13_DHE_WITH_AES_256_GCM_SHA384 + noECC TLS13 :1303 TLS13_DHE_WITH_CHACHA20_POLY1305_SHA256 +# +# ECC ciphers (TLS) +# + ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA + ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA + ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA + ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA + ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA + ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA + ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA + ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +# + ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA + ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA + ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA + ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA + ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA + ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA + ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA + ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA + ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA + ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA +# + ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA + ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA + ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA + ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA + ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA + ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA + ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA + ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA + ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + ECC TLS12 :C024 TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + ECC TLS12 :C028 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +# +# Test against server with RSA-PSS server certificate +# + ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - RSA-PSS + ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - RSA-PSS +# test TLS 1.3 + ECC TLS13 :1301 TLS13_ECDHE_WITH_AES_128_GCM_SHA256 + ECC TLS13 :1302 TLS13_ECDHE_WITH_AES_256_GCM_SHA384 + ECC TLS13 :1303 TLS13_ECDHE_WITH_CHACHA20_POLY1305_SHA256 diff --git a/security/nss/tests/ssl/sslpolicy.txt b/security/nss/tests/ssl/sslpolicy.txt new file mode 100644 index 0000000000..558b9f55df --- /dev/null +++ b/security/nss/tests/ssl/sslpolicy.txt @@ -0,0 +1,208 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables policy testing +# +# The policy string is set to the config= line in the pkcs11.txt +# it currently has 2 keywords: +# +# disallow= turn off the use of this algorithm by policy. (implies disable) +# allow= allow this algorithm to by used if selected by policy. +# disable= turn off the use of this algorithm even if allowed by policy +# (application can override) +# enable= turn off this algorithm by default (implies allow) +# flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy, +# NSS_SetOption, or SSL_SetCipherPolicy +# ssl-lock: can't change the cipher suite settings with the application. +# +# The syntax is disallow=algorithm{/uses}:algorithm{/uses} +# where {} signifies an optional element +# +# valid algorithms are: +# ECC curves: +# PRIME192V1 +# PRIME192V2 +# PRIME192V3 +# PRIME239V1 +# PRIME239V2 +# PRIME239V3 +# PRIME256V1 +# SECP112R1 +# SECP112R2 +# SECP128R1 +# SECP128R2 +# SECP160K1 +# SECP160R1 +# SECP160R2 +# SECP192K1 +# SECP192R1 +# SECP224K1 +# SECP256K1 +# SECP256R1 +# SECP384R1 +# SECP521R1 +# C2PNB163V1 +# C2PNB163V2 +# C2PNB163V3 +# C2PNB176V1 +# C2TNB191V1 +# C2TNB191V2 +# C2TNB191V3 +# C2ONB191V4 +# C2ONB191V5 +# C2PNB208W1 +# C2TNB239V1 +# C2TNB239V2 +# C2TNB239V3 +# C2ONB239V4 +# C2ONB239V5 +# C2PNB272W1 +# C2PNB304W1 +# C2TNB359V1 +# C2PNB368W1 +# C2TNB431R1 +# SECT113R1 +# SECT131R1 +# SECT131R1 +# SECT131R2 +# SECT163K1 +# SECT163R1 +# SECT163R2 +# SECT193R1 +# SECT193R2 +# SECT233K1 +# SECT233R1 +# SECT239K1 +# SECT283K1 +# SECT283R1 +# SECT409K1 +# SECT409R1 +# SECT571K1 +# SECT571R1 +# Signatures: +# DSA +# RSA-PKCS +# RSA-PSS +# ECDSA +# Hashes: +# MD2 +# MD4 +# MD5 +# SHA1 +# SHA224 +# SHA256 +# SHA384 +# SHA512 +# MACs: +# HMAC-SHA1 +# HMAC-SHA224 +# HMAC-SHA256 +# HMAC-SHA384 +# HMAC-SHA512 +# HMAC-MD5 +# Ciphers: +# AES128-CBC +# AES192-CBC +# AES256-CBC +# AES128-GCM +# AES192-GCM +# AES256-GCM +# CAMELLIA128-CBC +# CAMELLIA192-CBC +# CAMELLIA256-CBC +# SEED-CBC +# DES-EDE3-CBC +# DES-40-CBC +# DES-CBC +# NULL-CIPHER +# RC2 +# RC4 +# IDEA +# Key exchange +# RSA +# RSA-EXPORT +# DHE-RSA +# DHE-DSS +# DH-RSA +# DH-DSS +# ECDHE-ECDSA +# ECDHE-RSA +# ECDH-ECDSA +# ECDH-RSA +# SSL Versions +# SSL2.0 +# SSL3.0 +# TLS1.0 +# TLS1.1 +# TLS1.2 +# DTLS1.1 +# DTLS1.2 +# Include all of the above: +# ALL +#----------------------------------------------- +# Uses are: +# ssl +# ssl-key-exchange +# key-exchange (includes ssl-key-exchange) +# cert-signature +# all-signature (includes cert-signature) +# signature (all signatures off, some signature allowed based on other option) +# all (includes all of the above) +#----------------------------------------------- +# In addition there are the following options: +# min-rsa +# min-dh +# min-dsa +# they have the following syntax: +# allow=min-rsa=512:min-dh=1024 +# +# in the following tests, we use the cipher suite 'd': +# d SSL3 RSA WITH 3DES EDE CBC SHA (=:000a). +# NOTE: the certificates used in validation are rsa-pkcs1/sha256 signed. +# +# Exp Enable Enable Cipher Config Policy Test Name +# Ret EC TLS +# turn on single cipher + 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy + 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/all-signature:rsa-pkcs/all-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy + 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:dsa/all:rsa-pss/all:ecdsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly + 1 noECC SSL3 d disallow=all Disallow All Explicitly +# turn off signature only + 1 noECC SSL3 d disallow=all/signature Disallow all signatures with Explicitly + 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Explicitly + 1 noECC SSL3 d disallow=sha256/cert-signature Disallow SHA256 Certificate signature Explicitly + 1 noECC SSL3 d disallow=sha256/signature Disallow All SHA256 signatures Explicitly + 1 noECC SSL3 d disallow=sha256/all-signature Disallow Any SHA256 signature Explicitly + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:dsa/all:ecdsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly +# turn off single cipher + 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly +# turn off H-Mac + 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly + 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly +# turn off key exchange + 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchange Signatures Implicitly +# turn off version + 1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly + 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly + 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL + 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL +# test default settings +# NOTE: tstclient will attempt to overide the defaults, so we detect we +# were successful by locking in our settings + 0 noECC SSL3 d allow=all_disable=all Disable all by default, application override + 1 noECC SSL3 d allow=all_disable=all_flags=ssl-lock,policy-lock Disable all by default, prevent application from enabling + 0 noECC SSL3 d allow=all_disable=all_flags=policy-lock Disable all by default, lock policy (application can still change the ciphers) +# explicitly enable :002f RSA_AES_128_CBC_SHA1 and lock it in + 0 noECC SSL3 d allow=all_disable=all_enable=hmac-sha1:sha256:rsa-pkcs:rsa:aes128-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0_flags=ssl-lock Lock in a different ciphersuite that the one the application asks for diff --git a/security/nss/tests/ssl/sslreq.dat b/security/nss/tests/ssl/sslreq.dat new file mode 100644 index 0000000000..2f7ad7736e --- /dev/null +++ b/security/nss/tests/ssl/sslreq.dat @@ -0,0 +1,2 @@ +GET / HTTP/1.0
+
diff --git a/security/nss/tests/ssl/sslreq.txt b/security/nss/tests/ssl/sslreq.txt new file mode 100644 index 0000000000..c1da607c07 --- /dev/null +++ b/security/nss/tests/ssl/sslreq.txt @@ -0,0 +1,2 @@ +GET / HTTP/1.0 + diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt new file mode 100644 index 0000000000..44794f10f6 --- /dev/null +++ b/security/nss/tests/ssl/sslstress.txt @@ -0,0 +1,81 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file defines the stress tests for SSL/TLS. +# +# expected +# Enable return server client Test Case name +# ECC value params params +# ------- ------ ------ ------ --------------- + noECC 0 _ -c_1000_-C_c_-V_ssl3:ssl3 Stress SSL3 RC4 128 with MD5 + noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 + noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) + noECC 0 -u -V_ssl3:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) + SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) + +# +# add client auth versions here... +# + noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) + noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth, no login) + noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) + noECC 0 -r_-r_-u -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) + SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) + SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) + +# +# ############################ ECC ciphers ############################ +# + ECC 0 -c_:C009 -V_ssl3:tls1.2_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C023 -V_ssl3:tls1.2_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse) + ECC 0 -c_:C02B -V_ssl3:tls1.2_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse) + ECC 0 -c_:C004 -V_ssl3:tls1.2_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C00E -V_ssl3:tls1.2_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C013 -V_ssl3:tls1.2_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA + ECC 0 -c_:C027 -V_ssl3:tls1.2_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256 + ECC 0 -c_:C02F -V_ssl3:tls1.2_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM + ECC 0 -c_:C004_-u -V_ssl3:tls1.2_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket) + ECC 0 -c_:C009_-u -V_ssl3:tls1.2_-c_100_-C_:C009_-u Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (session ticket) +# +# add client auth versions here... +# + ECC 0 -r_-r_-c_:C009 -V_ssl3:tls1.2_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C013 -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth) + ECC 0 -r_-r_-c_:C004 -V_ssl3:tls1.2_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C00E -V_ssl3:tls1.2_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C013 -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth) + ECC 0 -r_-r_-c_:C013_-u -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth) + +# +# ############################ DHE ciphers ############################ +# + noECC 0 -c_:0016 -V_ssl3:tls1.2_-c_100_-C_:0016_-N Stress TLS DHE_RSA_WITH_3DES_EDE_CBC_SHA (no reuse) + noECC 0 -c_:0033 -V_ssl3:tls1.2_-c_1000_-C_:0033 Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA + + + noECC 0 -c_:0039 -V_ssl3:tls1.2_-c_100_-C_:0039_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA (no reuse) + noECC 0 -c_:0040 -V_ssl3:tls1.2_-c_100_-C_:0040_-N Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA256 (no reuse) + +# noECC 0 -c_:0038_-u -V_ssl3:tls1.2_-c_1000_-C_:0038_-u Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (session ticket) +# use the above session ticket test, once session tickets with DHE_DSS are working + noECC 0 -c_:0038 -V_ssl3:tls1.2_-c_1000_-C_:0038_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (no reuse) + +# noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 +# use the above reuse test, once the session cache with DHE_DSS is working + noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 (no reuse + + noECC 0 -c_:006B -V_ssl3:tls1.2_-c_100_-C_:006B_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA256 (no reuse) + noECC 0 -c_:009E -V_ssl3:tls1.2_-c_100_-C_:009E_-N Stress TLS DHE_RSA_WITH_AES_128_GCM_SHA256 (no reuse) + noECC 0 -c_:009F -V_ssl3:tls1.2_-c_100_-C_:009F_-N Stress TLS DHE_RSA_WITH_AES_256_GCM_SHA384 (no reuse) +# +# add client auth versions here... +# + noECC 0 -r_-r_-c_:0032 -V_ssl3:tls1.2_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth) + noECC 0 -r_-r_-c_:0067 -V_ssl3:tls1.2_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth) + +# noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth) +# noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (session ticket, client auth) +# use the above session ticket test, once session tickets with DHE_DSS are working + noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (no reuse, client auth) + noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (no reuse, client auth) diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh new file mode 100755 index 0000000000..d2e8c7a4f3 --- /dev/null +++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh @@ -0,0 +1,155 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/ssl_gtests/ssl_gtests.sh +# +# Script to drive the ssl gtest unit tests +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +ssl_gtest_certs() { + mkdir -p "${SSLGTESTDIR}" + cd "${SSLGTESTDIR}" + + PROFILEDIR=`pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + PROFILEDIR=`cygpath -m "${PROFILEDIR}"` + fi + + ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1 + html_msg $? 0 "create ssl_gtest database" + + pushd "${QADIR}" + . common/certsetup.sh + popd + + counter=0 + make_cert client rsa sign + make_cert rsa rsa sign kex + make_cert rsa2048 rsa2048 sign kex + make_cert rsa8192 rsa8192 sign kex + make_cert rsa_sign rsa sign + make_cert rsa_pss rsapss sign + make_cert rsa_pss384 rsapss384 sign + make_cert rsa_pss512 rsapss512 sign + make_cert rsa_pss_noparam rsapss_noparam sign + make_cert rsa_decrypt rsa kex + make_cert ecdsa256 p256 sign + make_cert ecdsa384 p384 sign + make_cert ecdsa521 p521 sign + make_cert ecdh_ecdsa p256 kex + make_cert rsa_ca rsa_ca ca + make_cert rsa_chain rsa_chain sign + make_cert rsa_pss_ca rsapss_ca ca + make_cert rsa_pss_chain rsapss_chain sign + make_cert rsa_ca_rsa_pss_chain rsa_ca_rsapss_chain sign + make_cert ecdh_rsa ecdh_rsa kex + make_cert dsa dsa sign + make_cert delegator_ecdsa256 delegator_p256 sign + make_cert delegator_rsae2048 delegator_rsae2048 sign + make_cert delegator_rsa_pss2048 delegator_rsa_pss2048 sign +} + +############################## ssl_gtest_init ########################## +# local shell function to initialize this script +######################################################################## +ssl_gtest_init() +{ + SCRIPTNAME=ssl_gtest.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + + SCRIPTNAME=ssl_gtest.sh + html_head SSL Gtests + + if [ ! -d "${SSLGTESTDIR}" ]; then + ssl_gtest_certs + fi + + cd "${SSLGTESTDIR}" +} + +########################## ssl_gtest_start ######################### +# Local function to actually start the test +#################################################################### +ssl_gtest_start() +{ + if [ ! -f ${BINDIR}/ssl_gtest ]; then + html_unknown "Skipping ssl_gtest (not built)" + return + fi + + SSLGTESTREPORT="${SSLGTESTDIR}/report.xml" + + local nshards=1 + local prefix="" + local postfix="" + + export -f parallel_fallback + + # Determine the number of chunks. + if [ -n "$GTESTFILTER" ]; then + echo "DEBUG: Not parallelizing ssl_gtests because \$GTESTFILTER is set" + elif type parallel 2>/dev/null; then + nshards=$(parallel --number-of-cores || 1) + fi + + if [ "$nshards" != 1 ]; then + local indices=$(for ((i=0; i<$nshards; i++)); do echo $i; done) + prefix="parallel -j$nshards --line-buffer --halt soon,fail=1" + postfix="\&\& exit 0 \|\| exit 1 ::: $indices" + fi + + echo "DEBUG: ssl_gtests will be divided into $nshards chunk(s)" + + # Run tests. + ${prefix:-parallel_fallback} \ + GTEST_SHARD_INDEX={} \ + GTEST_TOTAL_SHARDS=$nshards \ + DYLD_LIBRARY_PATH="${DIST}/${OBJDIR}/lib" \ + ${BINDIR}/ssl_gtest -d "${SSLGTESTDIR}" \ + --gtest_output=xml:"${SSLGTESTREPORT}.{}" \ + --gtest_filter="${GTESTFILTER-*}" \ + $postfix + + html_msg $? 0 "ssl_gtests ran successfully" + + # Parse XML report(s). + gtest_parse_report "${SSLGTESTREPORT}".* +} + +# Helper function used when 'parallel' isn't available. +parallel_fallback() +{ + eval "${@//\{\}/0}" +} + +ssl_gtest_cleanup() +{ + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# +cd "$(dirname "$0")" +ssl_gtest_init +ssl_gtest_start +ssl_gtest_cleanup |