summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/ssl
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xsecurity/nss/tests/ssl/ssl.sh1701
-rwxr-xr-xsecurity/nss/tests/ssl/ssl_dist_stress.sh313
-rw-r--r--security/nss/tests/ssl/sslauth.txt84
-rw-r--r--security/nss/tests/ssl/sslcov.txt155
-rw-r--r--security/nss/tests/ssl/sslpolicy.txt208
-rw-r--r--security/nss/tests/ssl/sslreq.dat2
-rw-r--r--security/nss/tests/ssl/sslreq.txt2
-rw-r--r--security/nss/tests/ssl/sslstress.txt81
-rwxr-xr-xsecurity/nss/tests/ssl_gtests/ssl_gtests.sh155
9 files changed, 2701 insertions, 0 deletions
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
new file mode 100755
index 0000000000..0fa24a2c6d
--- /dev/null
+++ b/security/nss/tests/ssl/ssl.sh
@@ -0,0 +1,1701 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/ssl/ssl.sh
+#
+# Script to test NSS SSL
+#
+# Needs to work on all Unix and Windows platforms
+#
+# Testing schema:
+# ---------------
+# all.sh ~ (main)
+# | |
+# +------------+------------+-----------+ ~ run_cycles
+# | | | | |
+# standard pkix upgradedb sharedb ~ run_cycle_*
+# ... | ... ... |
+# +------+------+-----> ~ run_tests
+# | | | |
+# ... ssl ... ~ ssl.sh
+# | |
+# +-------+-------+-----------------+ ~ ssl_run_tests
+# | | | | |
+# crl iopr policy permute(normal,fips) ~ ssl_run_test_*
+# | | | | |
+# +------+------+------+------+---+-+-+-+----> ~ ssl_run
+# | | | | | | |
+# stapling cov auth stress dtls ... ~ ssl_run_*
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_init ################################
+# local shell function to initialize this script
+########################################################################
+ssl_init()
+{
+ SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ -z "${IOPR_SSL_SOURCED}" ]; then
+ . ../iopr/ssl_iopr.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=ssl.sh
+ echo "$SCRIPTNAME: SSL tests ==============================="
+
+ grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
+ html_head "SSL Test failure"
+ Exit 8 "Fatal - cert.sh needs to pass first"
+ }
+
+ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+ grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
+ html_head "SSL Test failure"
+ Exit 8 "Fatal - SSL of cert.sh needs to pass first"
+ }
+ fi
+
+ PORT=${PORT-8443}
+ # Avoid port conflicts when multiple tests are running on the same machine.
+ if [ -n "$NSS_TASKCLUSTER_MAC" ]; then
+ cwd=$(cd $(dirname $0); pwd -P)
+ padd=$(echo $cwd | cut -d "/" -f4 | sed 's/[^0-9]//g')
+ PORT=$(($PORT + $padd))
+ fi
+ NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
+ nss_ssl_run="stapling signed_cert_timestamps cov auth dtls scheme exporter"
+ NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
+
+ # Test case files
+ SSLCOV=${QADIR}/ssl/sslcov.txt
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
+ REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+
+ #temparary files
+ SERVEROUTFILE=${TMP}/tests_server.$$
+ SERVERPID=${TMP}/tests_pid.$$
+
+ R_SERVERPID=../tests_pid.$$
+
+ TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"
+
+ fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
+ #fileout=1
+ #verbose="-v" #FIXME - see where this is usefull
+
+ USER_NICKNAME=TestUser
+ NORM_EXT=""
+
+ EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D"
+ EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027"
+ EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA"
+
+ NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B"
+ NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz"
+ TLS13_SUITES=":1301:1302:1303"
+
+ # List of cipher suites to test, including ECC cipher suites.
+ CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
+ TLS13_CIPHER_SUITES="-c ${TLS13_SUITES}${EC_SUITES}${NON_EC_SUITES}"
+
+ # in fips mode, turn off curve25519 until it's NIST approved
+ FIPS_OPTIONS="-I P256,P384,P521,FF2048,FF3072,FF4096,FF6144,FF8192"
+
+ # in non-fips mode, tstclnt may run without the db password in some
+ # cases, but in fips mode it's always needed
+ CLIENT_PW=""
+ CLIENT_PW_FIPS="-w nss"
+ CLIENT_PW_NORMAL=""
+
+ if [ "${OS_ARCH}" != "WINNT" ]; then
+ ulimit -n 1000 # make sure we have enough file descriptors
+ fi
+
+ cd ${CLIENTDIR}
+}
+
+########################### is_selfserv_alive ##########################
+# local shell function to exit with a fatal error if selfserver is not
+# running
+########################################################################
+is_selfserv_alive()
+{
+ if [ ! -f "${SERVERPID}" ]; then
+ echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
+ sleep 5
+ if [ ! -f "${SERVERPID}" ]; then
+ Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
+ fi
+ fi
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+
+ echo "selfserv with PID ${PID} found at `date`"
+}
+
+########################### wait_for_selfserv ##########################
+# local shell function to wait until selfserver is running and initialized
+########################################################################
+wait_for_selfserv()
+{
+ #verbose="-v"
+ echo "trying to connect to selfserv at `date`"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+ echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
+ sleep 5
+ echo "retrying to connect to selfserv at `date`"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+ echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
+ html_failed "Waiting for Server"
+ fi
+ fi
+ is_selfserv_alive
+}
+
+########################### kill_selfserv ##############################
+# local shell function to kill the selfserver after the tests are done
+########################################################################
+kill_selfserv()
+{
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "trying to kill selfserv with PID ${PID} at `date`"
+
+ if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
+ echo "${KILL} ${PID}"
+ ${KILL} ${PID}
+ else
+ echo "${KILL} -USR1 ${PID}"
+ ${KILL} -USR1 ${PID}
+ fi
+ wait ${PID}
+ if [ ${fileout} -eq 1 ]; then
+ cat ${SERVEROUTFILE}
+ fi
+
+ # On Linux selfserv needs up to 30 seconds to fully die and free
+ # the port. Wait until the port is free. (Bug 129701)
+ if [ "${OS_ARCH}" = "Linux" ]; then
+ echo "selfserv -b -p ${PORT} 2>/dev/null;"
+ until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
+ echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
+ sleep 1
+ done
+ fi
+
+ echo "selfserv with PID ${PID} killed at `date`"
+
+ rm ${SERVERPID}
+ html_detect_core "kill_selfserv core detection step"
+}
+
+########################### start_selfserv #############################
+# local shell function to start the selfserver with the parameters required
+# for this test and log information (parameters, start time)
+# also: wait until the server is up and running
+########################################################################
+start_selfserv()
+{
+ if [ -n "$testname" ] ; then
+ echo "$SCRIPTNAME: $testname ----"
+ fi
+ if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
+ ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
+ else
+ ECC_OPTIONS=""
+ fi
+ if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then
+ RSA_OPTIONS="-n ${HOSTADDR}"
+ else
+ RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss"
+ fi
+ SERVER_VMIN=${SERVER_VMIN-ssl3}
+ SERVER_VMAX=${SERVER_VMAX-tls1.2}
+ echo "selfserv starting at `date`"
+ echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\"
+ echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\"
+ echo " -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &"
+ if [ ${fileout} -eq 1 ]; then
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 \
+ > ${SERVEROUTFILE} 2>&1 &
+ RET=$?
+ else
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &
+ RET=$?
+ fi
+
+ # The PID $! returned by the MKS or Cygwin shell is not the PID of
+ # the real background process, but rather the PID of a helper
+ # process (sh.exe). MKS's kill command has a bug: invoking kill
+ # on the helper process does not terminate the real background
+ # process. Our workaround has been to have selfserv save its PID
+ # in the ${SERVERPID} file and "kill" that PID instead. But this
+ # doesn't work under Cygwin; its kill command doesn't recognize
+ # the PID of the real background process, but it does work on the
+ # PID of the helper process. So we save the value of $! in the
+ # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
+ # file under Cygwin. (In fact, this should work in any shell
+ # other than the MKS shell.)
+ SHELL_SERVERPID=$!
+ wait_for_selfserv
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "selfserv with PID ${PID} started at `date`"
+}
+
+ignore_blank_lines()
+{
+ LC_ALL=C egrep -v '^[[:space:]]*(#|$)' "$1"
+}
+
+############################## ssl_cov #################################
+# local shell function to perform SSL Cipher Coverage tests
+########################################################################
+ssl_cov()
+{
+ verbose_save=${verbose}
+ verbose="-v"
+ html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname=""
+
+ SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+ if [ "${SERVER_MODE}" = "fips" ] ; then
+ SERVER_OPTIONS="${SERVER_OPTIONS} ${FIPS_OPTIONS}"
+ fi
+ SAVE_CLIENT_OPTIONS=${CLIENT_OPTIONS}
+ if [ "${CLIENT_MODE}" = "fips" ] ; then
+ CLIENT_OPTIONS="${CLIENT_OPTIONS} ${FIPS_OPTIONS}"
+ fi
+
+ start_selfserv $CIPHER_SUITES # Launch the server
+
+ VMIN="ssl3"
+ VMAX="tls1.1"
+ # can't use a pipe here, because we may have to restart selfserv, and
+ # doing so hides the server pid environment variable in the subshell in
+ # cygwin, which means we can't kill selfserv at the end here.
+ SSL_COV_TMP=$(mktemp /tmp/ssl_cov.XXXXXX)
+ ignore_blank_lines ${SSLCOV} > ${SSL_COV_TMP}
+ while read ectype testmax param testname
+ do
+ echo "${testname}" | grep "EXPORT" > /dev/null
+ EXP=$?
+
+ # RSA-PSS tests are handled in a separate function
+ case $testname in
+ *RSA-PSS)
+ continue
+ ;;
+ esac
+
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ VMAX="ssl3"
+ if [ "$testmax" = "TLS10" ]; then
+ VMAX="tls1.0"
+ fi
+ if [ "$testmax" = "TLS11" ]; then
+ VMAX="tls1.1"
+ fi
+ if [ "$testmax" = "TLS12" ]; then
+ VMAX="tls1.2"
+ fi
+ if [ "$testmax" = "TLS13" ]; then
+ # if our selfserv can only do up to tls1.2
+ # restart it so it can do tls1.3, This requires
+ # moving VMIN up to tls1.0 because you can't enable SSL3 and
+ # TLS 1.3.
+ if [ "$VMIN" = "ssl3" ]; then
+ SERVER_VMIN="tls1.0"
+ SERVER_VMAX="tls1.3"
+ kill_selfserv
+ start_selfserv ${TLS13_CIPHER_SUITES}
+ unset SERVER_VMIN
+ unset SERVER_VMAX
+ VMIN="tls1.0"
+ fi
+ VMAX="tls1.3"
+ fi
+ # if we are testing ssl3 and our server can only do down to tls1.1,
+ # restart it to enable ssl3
+ if [ "$VMAX" = "ssl3" -a "$VMIN" = "tls1.1" ]; then
+ kill_selfserv
+ start_selfserv $CIPHER_SUITES
+ VMIN="ssl3"
+ fi
+
+
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ html_msg $ret 0 "${testname}" \
+ "produced a returncode of $ret, expected is 0"
+ done < ${SSL_COV_TMP}
+ rm -f ${SSL_COV_TMP}
+
+ SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+ CLIENT_OPTIONS=${SAVE_CLIENT_OPTIONS}
+ verbose=${verbose_save}
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+ssl_cov_rsa_pss()
+{
+ #verbose="-v"
+ html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname=""
+
+ if [ "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT"
+ return 0
+ fi
+
+ RSA_PSS_CERT=1
+ NO_ECC_CERTS=1
+ start_selfserv $CIPHER_SUITES
+ RSA_PSS_CERT=0
+ NO_ECC_CERTS=0
+
+ VMIN="tls1.2"
+ VMAX="tls1.2"
+
+ ignore_blank_lines ${SSLCOV} | \
+ while read ectype testmax param testname
+ do
+ case $testname in
+ *RSA-PSS)
+ ;;
+ *)
+ continue
+ ;;
+ esac
+
+ echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------"
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ html_msg $ret 0 "${testname}" \
+ "produced a returncode of $ret, expected is 0"
+ done
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+############################## ssl_auth ################################
+# local shell function to perform SSL Client Authentication tests
+########################################################################
+ssl_auth()
+{
+ #verbose="-v"
+ html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ ignore_blank_lines ${SSLAUTH} | \
+ while read ectype value sparam cparam testname
+ do
+ echo "${testname}" | grep "don't require client auth" > /dev/null
+ CAUTH=$?
+ echo "${testname}" | grep "TLS 1.3" > /dev/null
+ TLS13=$?
+
+ if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ else
+ cparam=`echo $cparam | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ if [ "$ectype" = "SNI" ]; then
+ cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ fi
+ # SSL3 cannot be used with TLS 1.3
+ unset SERVER_VMIN
+ unset SERVER_VMAX
+ if [ $TLS13 -eq 0 ] ; then
+ SERVER_VMIN=tls1.0
+ SERVER_VMAX=tls1.3
+ fi
+ start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'`
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ #workaround for bug #402058
+ [ $ret -ne 0 ] && ret=1
+ [ $value -ne 0 ] && value=1
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+ssl_stapling_sub()
+{
+ #verbose="-v"
+ testname=$1
+ SO=$2
+ value=$3
+
+ if [ "$NORM_EXT" = "Extended Test" ] ; then
+ # these tests use the ext_client directory for tstclnt,
+ # which doesn't contain the required "TestCA" for server cert
+ # verification, I don't know if it would be OK to add it...
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ return 0
+ fi
+
+ SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+ SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+
+ SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+ P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+
+ echo "${testname}"
+
+ start_selfserv
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ # hopefully no workaround for bug #402058 needed here?
+ # (see commands in ssl_auth
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+
+ SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+ P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+
+ssl_stapling_stress()
+{
+ testname="Stress OCSP stapling, server uses random status"
+ SO="-A TestCA -T random"
+ value=0
+
+ if [ "$NORM_EXT" = "Extended Test" ] ; then
+ # these tests use the ext_client directory for tstclnt,
+ # which doesn't contain the required "TestCA" for server cert
+ # verification, I don't know if it would be OK to add it...
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ return 0
+ fi
+
+ SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+ SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+
+ SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+ P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+
+ echo "${testname}"
+ start_selfserv
+
+ echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
+ echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}"
+ echo "strsclnt started at `date`"
+ ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
+ -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
+ ret=$?
+
+ echo "strsclnt completed at `date`"
+ html_msg $ret $value \
+ "${testname}" \
+ "produced a returncode of $ret, expected is $value."
+ kill_selfserv
+
+ SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+ P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+
+############################ ssl_stapling ##############################
+# local shell function to perform SSL Cert Status (OCSP Stapling) tests
+########################################################################
+ssl_stapling()
+{
+ html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ # tstclnt Exit code:
+ # 0: have fresh and valid revocation data, status good
+ # 1: cert failed to verify, prior to revocation checking
+ # 2: missing, old or invalid revocation data
+ # 3: have fresh and valid revocation data, status revoked
+
+ # selfserv modes
+ # good, revoked, unkown: Include locally signed response. Requires: -A
+ # failure: Include OCSP failure status, such as "try later" (unsigned)
+ # badsig: use a good status but with an invalid signature
+ # corrupted: stapled cert status is an invalid block of data
+
+ ssl_stapling_sub "OCSP stapling, signed response, good status" "-A TestCA -T good" 0
+ ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked" 3
+ ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown" 2
+ ssl_stapling_sub "OCSP stapling, unsigned failure response" "-A TestCA -T failure" 2
+ ssl_stapling_sub "OCSP stapling, good status, bad signature" "-A TestCA -T badsig" 2
+ ssl_stapling_sub "OCSP stapling, invalid cert status data" "-A TestCA -T corrupted" 2
+ ssl_stapling_sub "Valid cert, Server doesn't staple" "" 2
+
+ ssl_stapling_stress
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_signed_cert_timestamps #################
+# local shell function to perform SSL Signed Certificate Timestamp tests
+#########################################################################
+ssl_signed_cert_timestamps()
+{
+ #verbose="-v"
+ html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname="ssl_signed_cert_timestamps"
+ value=0
+
+ echo "${testname}"
+
+ start_selfserv
+
+ # Since we don't have server-side support, this test only covers advertising the
+ # extension in the client hello.
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+
+############################## ssl_stress ##############################
+# local shell function to perform SSL stress test
+########################################################################
+ssl_stress()
+{
+ html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ ignore_blank_lines ${SSLSTRESS} | \
+ while read ectype value sparam cparam testname
+ do
+ echo "${testname}" | grep "client auth" > /dev/null
+ CAUTH=$?
+ echo "${testname}" | grep "no login" > /dev/null
+ NOLOGIN=$?
+
+ if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ elif [ "${NOLOGIN}" -eq 0 ] && \
+ [ "${CLIENT_MODE}" = "fips" -o "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ else
+ cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ if [ "$ectype" = "SNI" ]; then
+ cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ fi
+
+ start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
+
+ if [ "`uname -n`" = "sjsu" ] ; then
+ echo "debugging disappearing selfserv... ps -ef | grep selfserv"
+ ps -ef | grep selfserv
+ fi
+
+ if [ "${NOLOGIN}" -eq 0 ] ; then
+ dbdir=${P_R_NOLOGINDIR}
+ else
+ dbdir=${P_R_CLIENTDIR}
+ fi
+
+ echo "strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \\"
+ echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}"
+ echo "strsclnt started at `date`"
+ ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \
+ -V ssl3:tls1.2 $verbose ${HOSTADDR}
+ ret=$?
+ echo "strsclnt completed at `date`"
+ html_msg $ret $value \
+ "${testname}" \
+ "produced a returncode of $ret, expected is $value. "
+ if [ "`uname -n`" = "sjsu" ] ; then
+ echo "debugging disapering selfserv... ps -ef | grep selfserv"
+ ps -ef | grep selfserv
+ fi
+ kill_selfserv
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_crl_ssl ###############################
+# local shell function to perform SSL test with/out revoked certs tests
+########################################################################
+ssl_crl_ssl()
+{
+ #verbose="-v"
+ html_head "CRL SSL Client Tests $NORM_EXT"
+
+ # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
+ # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
+ CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
+ CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
+ UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
+
+ ignore_blank_lines ${SSLAUTH} | \
+ while read ectype value sparam cparam testname
+ do
+ echo "${testname}" | grep "TLS 1.3" > /dev/null
+ TLS13=$?
+ if [ "$ectype" = "SNI" ]; then
+ continue
+ else
+ # SSL3 cannot be used with TLS 1.3
+ unset SERVER_VMIN
+ unset SERVER_VMAX
+ if [ $TLS13 -eq 0 ] ; then
+ SERVER_VMIN=tls1.0
+ SERVER_VMAX=tls1.3
+ fi
+ servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+ pwd=`echo $cparam | grep nss`
+ # did we select TestUser?
+ user=`echo $cparam | grep TestUser`
+ # did we explicitly select a cert?
+ auto=`echo $cparam | grep '\\-n'`
+ _cparam=$cparam
+ case $servarg in
+ 1) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=254
+ fi
+ ;;
+ 2) if [ -z "$auto" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=254
+ fi
+ ;;
+ 3) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=1
+ fi
+ ;;
+ 4) if [ -z "$auto" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=1
+ fi
+ ;;
+ esac
+ TEMP_NUM=0
+ while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
+ do
+ CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
+ TEMP_NUM=`expr $TEMP_NUM + 1`
+ USER_NICKNAME="TestUser${CURR_SER_NUM}"
+ cparam=`echo $_cparam | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'`
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ testAddMsg="not revoked"
+ modvalue=$value
+ fi
+
+ html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ kill_selfserv
+ done
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################# setup_policy #############################
+# local shell function to create policy configuration
+########################################################################
+setup_policy()
+{
+ policy="$1"
+ outdir="$2"
+ OUTFILE="${outdir}/pkcs11.txt"
+ cat > "$OUTFILE" << ++EOF++
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+++EOF++
+ echo "config=${policy}" >> "$OUTFILE"
+ echo "" >> "$OUTFILE"
+ echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> "$OUTFILE"
+ cat >> "$OUTFILE" << ++EOF++
+name=RootCerts
+NSS=trustOrder=100
+++EOF++
+
+ echo "******************************Testing with: "
+ cat "$OUTFILE"
+ echo "******************************"
+}
+
+############################## ssl_policy ##############################
+# local shell function to perform SSL Policy tests
+########################################################################
+ssl_policy()
+{
+ #verbose="-v"
+ html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname=""
+
+ if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
+ html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized"
+ return 1;
+ fi
+
+ echo "Saving pkcs11.txt"
+ cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
+
+ start_selfserv $CIPHER_SUITES
+
+ ignore_blank_lines ${SSLPOLICY} | \
+ while read value ectype testmax param policy testname
+ do
+ VMIN="ssl3"
+
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ VMAX="ssl3"
+ if [ "$testmax" = "TLS10" ]; then
+ VMAX="tls1.0"
+ fi
+ if [ "$testmax" = "TLS11" ]; then
+ VMAX="tls1.1"
+ fi
+ if [ "$testmax" = "TLS12" ]; then
+ VMAX="tls1.2"
+ fi
+
+ # load the policy
+ policy=`echo ${policy} | sed -e 's;_; ;g'`
+ setup_policy "$policy" ${P_R_CLIENTDIR}
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ #workaround for bug #402058
+ [ $ret -ne 0 ] && ret=1
+ [ ${value} -ne 0 ] && value=1
+
+ html_msg $ret ${value} "${testname}" \
+ "produced a returncode of $ret, expected is ${value}"
+ done
+ cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+list_enabled_suites()
+{
+ echo "SSL_DIR=${P_R_CLIENTDIR} ${BINDIR}/listsuites"
+ SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites | tail -n+3 | \
+ sed -n -e '/^TLS_/h' -e '/^ .*Enabled.*/{g;p}' | sed 's/:$//'
+}
+
+############################## ssl_policy_listsuites ###################
+# local shell function to perform SSL Policy tests, using listsuites
+########################################################################
+ssl_policy_listsuites()
+{
+ #verbose="-v"
+ html_head "SSL POLICY LISTSUITES $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname=""
+
+ if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
+ html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized"
+ return 1;
+ fi
+
+ echo "Saving pkcs11.txt"
+ cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
+
+ # Disallow all explicitly
+ testname="listsuites with all cipher disallowed by policy"
+ setup_policy "disallow=all" ${P_R_CLIENTDIR}
+ RET_EXP=1
+ list_enabled_suites | grep '^TLS_'
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ # Disallow RSA in key exchange explicitly
+ testname="listsuites with rsa cipher disallowed by policy"
+ setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR}
+ RET_EXP=1
+ list_enabled_suites | grep '^TLS_RSA_'
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ # allow by policy, but disable by default
+ testname="listsuites with all ciphers enabled by policy but disabled by default"
+ setup_policy "allow=all disable=all" ${P_R_CLIENTDIR}
+ RET_EXP=1
+ list_enabled_suites | grep '^TLS_'
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ # allow by policy, but disable by default just rsa-kea
+ testname="listsuites with all ciphers enabled by policy but rsa disabled by default"
+ setup_policy "allow=all disable=rsa/ssl-key-exchange" ${P_R_CLIENTDIR}
+ RET_EXP=1
+ list_enabled_suites | grep '^TLS_RSA_'
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ # list_enabled_suites tries to set a policy value explicitly, This will
+ # cause list_enabled_suites to fail if we lock the policy
+ testname="listsuites with policy locked"
+ setup_policy "allow=all flags=policy-lock" ${P_R_CLIENTDIR}
+ RET_EXP=1
+ SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt
+
+ html "</TABLE><BR>"
+}
+
+ssl_policy_pkix_ocsp()
+{
+ #verbose="-v"
+ html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
+ NSS_ENABLE_PKIX_VERIFY="1"
+ export NSS_ENABLE_PKIX_VERIFY
+
+ testname=""
+
+ if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
+ html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
+ return 1;
+ fi
+
+ echo "Saving pkcs11.txt"
+ cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav
+
+ # Disallow sha1 explicitly. This will test if we are trying to verify the sha1 signature
+ # on the GlobalSign root during OCSP processing
+ setup_policy "disallow=sha1" ${P_R_SERVERDIR}
+ RET_EXP=0
+ echo " vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out"
+ vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out
+ # make sure we have the domain mismatch, not bad signature error
+ echo "grep 12276 ${P_R_SERVERDIR}/vfy.out"
+ grep 12276 ${P_R_SERVERDIR}/vfy.out
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ if [ "${PKIX_SAVE}" = "unset" ]; then
+ unset NSS_ENABLE_PKIX_VERIFY
+ else
+ NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
+ export NSS_ENABLE_PKIX_VERIFY
+ fi
+ cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
+
+ html "</TABLE><BR>"
+
+}
+
+############################## ssl_policy_selfserv #####################
+# local shell function to perform SSL Policy tests, using selfserv
+########################################################################
+ssl_policy_selfserv()
+{
+ #verbose="-v"
+ html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname=""
+
+ if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
+ html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
+ return 1;
+ fi
+
+ echo "Saving pkcs11.txt"
+ cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav
+
+ # Disallow RSA in key exchange explicitly
+ testname="Disallow RSA key exchange explicitly"
+ setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR}
+
+ SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+ # make sure policy is working in the multiprocess case is working on
+ # UNIX-like OS's. Other OS's can't properly clean up the child processes
+ # when our test suite kills the parent, so just use the single process
+ # self serve for them
+ if [ "${OS_ARCH}" != "WINNT" -a "${OS_ARCH}" != "WIN95" -a "${OS_ARCH}" != "OS2" ]; then
+ SERVER_OPTIONS="-M 3 ${SERVER_OPTIONS}"
+ fi
+
+ start_selfserv $CIPHER_SUITES
+
+ SERVER_OPTIONS="${SAVE_SERVER_OPTIONS}"
+ VMIN="ssl3"
+ VMAX="tls1.2"
+
+ # Try to connect to the server with a ciphersuite using RSA in key exchange
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ RET_EXP=254
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ RET=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+############################# is_revoked ###############################
+# local shell function to check if certificate is revoked
+########################################################################
+is_revoked() {
+ certNum=$1
+ currLoadedGrp=$2
+
+ found=0
+ ownerGrp=1
+ while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
+ do
+ currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
+ currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
+ currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
+ if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
+ found=1
+ else
+ ownerGrp=`expr $ownerGrp + 1`
+ fi
+ done
+ if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
+ return 1
+ fi
+ if [ $found -eq 0 ]; then
+ return 1
+ fi
+ unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
+ if [ $certNum -eq $unrevokedGrpCert ]; then
+ return 1
+ fi
+ return 0
+}
+
+########################### load_group_crl #############################
+# local shell function to load CRL
+########################################################################
+load_group_crl() {
+ #verbose="-v"
+ group=$1
+ ectype=$2
+
+ OUTFILE_TMP=${TMP}/$HOST.tmp.$$
+ grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
+ grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
+ grpEnd=`expr $grpBegin + $grpRange - 1`
+
+ if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
+ ret=1
+ return 1;
+ fi
+
+ # Add -ec suffix for ECC
+ if [ "$ectype" = "ECC" ] ; then
+ ecsuffix="-ec"
+ eccomment="ECC "
+ else
+ ecsuffix=""
+ eccomment=""
+ fi
+
+ if [ "$RELOAD_CRL" != "" ]; then
+ if [ $group -eq 1 ]; then
+ echo "==================== Resetting to group 1 crl ==================="
+ kill_selfserv
+ start_selfserv
+ is_selfserv_alive
+ fi
+ echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
+ echo "Request:"
+ echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
+ echo ""
+ echo "RELOAD time $i"
+
+ REQF=${R_CLIENTDIR}.crlreq
+ cat > ${REQF} <<_EOF_REQUEST_
+GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
+
+_EOF_REQUEST_
+
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f \
+ -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
+ >${OUTFILE_TMP} 2>&1 < ${REQF}
+
+ cat ${OUTFILE_TMP}
+ grep "CRL ReCache Error" ${OUTFILE_TMP}
+ if [ $? -eq 0 ]; then
+ ret=1
+ return 1
+ fi
+ else
+ echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
+
+ kill_selfserv
+ CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
+ crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
+ -p ../tests.pw.928
+ ret=$?
+ if [ "$ret" -eq 0 ]; then
+ html_passed "${CU_ACTION}"
+ return 1
+ fi
+ start_selfserv
+ fi
+ is_selfserv_alive
+ ret=$?
+ echo "================= CRL Reloaded ============="
+}
+
+
+########################### ssl_crl_cache ##############################
+# local shell function to perform SSL test for crl cache functionality
+# with/out revoked certs
+########################################################################
+ssl_crl_cache()
+{
+ #verbose="-v"
+ html_head "Cache CRL SSL Client Tests $NORM_EXT"
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ SERV_ARG=-r_-r
+ rm -f ${SSLAUTH_TMP}
+ echo ${SSLAUTH_TMP}
+
+ grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus | grep -v 'post hs' > ${SSLAUTH_TMP}
+ echo $?
+ while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
+ do
+ start_selfserv `echo $SERV_ARG | sed -e 's,_, ,g'`
+ exec < ${SSLAUTH_TMP}
+ while read ectype value sparam cparam testname
+ do
+ [ "$ectype" = "" ] && continue
+ if [ "$ectype" = "SNI" ]; then
+ continue
+ else
+ servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+ pwd=`echo $cparam | grep nss`
+ user=`echo $cparam | grep TestUser`
+ _cparam=$cparam
+ case $servarg in
+ 1) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=254
+ fi
+ ;;
+ 2) rev_modvalue=254 ;;
+
+ 3) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=1
+ fi
+ ;;
+ 4) rev_modvalue=1 ;;
+ esac
+ TEMP_NUM=0
+ LOADED_GRP=1
+ while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
+ do
+ while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
+ do
+ CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
+ TEMP_NUM=`expr $TEMP_NUM + 1`
+ USER_NICKNAME="TestUser${CURR_SER_NUM}"
+ cparam=`echo $_cparam | sed -e 's;\([^\]\)_;\1 ;g' -e 's;\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" `
+
+ echo "Server Args: $SERV_ARG"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
+ isRevoked=$?
+ if [ $isRevoked -eq 0 ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ modvalue=$value
+ testAddMsg="not revoked"
+ fi
+
+ is_selfserv_alive
+ ss_status=$?
+ if [ "$ss_status" -ne 0 ]; then
+ html_msg $ret $modvalue \
+ "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue. " \
+ "selfserv is not alive!"
+ else
+ html_msg $ret $modvalue \
+ "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ fi
+ done
+ LOADED_GRP=`expr $LOADED_GRP + 1`
+ TEMP_NUM=0
+ if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
+ load_group_crl $LOADED_GRP $ectype
+ html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
+ "produced a returncode of $ret, expected is 0"
+ fi
+ done
+ # Restart selfserv to roll back to two initial group 1 crls
+ # TestCA CRL and TestCA-ec CRL
+ kill_selfserv
+ start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
+ fi
+ done
+ kill_selfserv
+ SERV_ARG="${SERV_ARG}_-r"
+ rm -f ${SSLAUTH_TMP}
+ grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
+ done
+ TEMPFILES=${SSLAUTH_TMP}
+ html "</TABLE><BR>"
+}
+
+############################ ssl_dtls ###################################
+# local shell function to test tstclnt acting as client and server for DTLS
+#########################################################################
+ssl_dtls()
+{
+ #verbose="-v"
+ html_head "SSL DTLS $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname="ssl_dtls"
+ value=0
+
+ echo "${testname}"
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \\"
+ echo " -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} &"
+
+ (sleep 2; cat ${REQUEST_FILE}) | ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \
+ -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss 2>&1 &
+
+ PID=$!
+
+ sleep 1
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \\"
+ echo " -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE}"
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE} 2>&1
+ ret=$?
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+
+ kill ${PID}
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_scheme ###################################
+# local shell function to test tstclnt and selfserv handling of signature schemes
+#########################################################################
+ssl_scheme()
+{
+ html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ NO_ECC_CERTS=1
+ schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256")
+ for sscheme in "${schemes[@]}"; do
+ for cscheme in "${schemes[@]}"; do
+ testname="ssl_scheme server='$sscheme' client='$cscheme'"
+ echo "${testname}"
+
+ start_selfserv -V tls1.2:tls1.2 -J "$sscheme"
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE}"
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1
+ ret=$?
+ # If both schemes include just one option and those options don't
+ # match, then the test should fail; otherwise, assume that it works.
+ if [ "${cscheme#*,}" = "$cscheme" -a \
+ "${sscheme#*,}" = "$sscheme" -a \
+ "$cscheme" != "$sscheme" ]; then
+ expected=254
+ else
+ expected=0
+ fi
+ html_msg $ret $expected "${testname}" \
+ "produced a returncode of $ret, expected is $expected"
+ kill_selfserv
+ done
+ done
+ NO_ECC_CERTS=0
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_scheme_stress ##########################
+# local shell function to test strsclnt and selfserv handling of signature schemes
+#########################################################################
+ssl_scheme_stress()
+{
+ html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ NO_ECC_CERTS=1
+ schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256")
+ for sscheme in "${schemes[@]}"; do
+ for cscheme in "${schemes[@]}"; do
+ testname="ssl_scheme server='$sscheme' client='$cscheme'"
+ echo "${testname}"
+
+ start_selfserv -V tls1.2:tls1.2 -J "$sscheme"
+
+ echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE}"
+ ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE} 2>&1
+ ret=$?
+ # If both schemes include just one option and those options don't
+ # match, then the test should fail; otherwise, assume that it works.
+ if [ "${cscheme#*,}" = "$cscheme" -a \
+ "${sscheme#*,}" = "$sscheme" -a \
+ "$cscheme" != "$sscheme" ]; then
+ expected=1
+ else
+ expected=0
+ fi
+ html_msg $ret $expected "${testname}" \
+ "produced a returncode of $ret, expected is $expected"
+ kill_selfserv
+ done
+ done
+ NO_ECC_CERTS=0
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_exporter ###################################
+# local shell function to test tstclnt and selfserv handling of TLS exporter
+#########################################################################
+ssl_exporter()
+{
+ html_head "SSL EXPORTER $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ save_fileout=${fileout}
+ fileout=1
+ SAVE_SERVEROUTFILE=${SERVEROUTFILE}
+ SERVEROUTFILE=server.out
+ exporters=("label" "label:10" "label:10:0xdeadbeef" "0x666f6f2c:10:0xdeadbeef" "label1:10:0xdeadbeef,label2:10")
+ for exporter in "${exporters[@]}"; do
+ start_selfserv -V tls1.2:tls1.2 -x "$exporter"
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -V tls1.2:tls1.2 -x $exporter ${CLIENT_PW} < ${REQUEST_FILE}"
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -x "$exporter" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 > client.out
+ kill_selfserv
+ diff <(LC_ALL=C grep -A1 "^ *Keying Material:" server.out) \
+ <(LC_ALL=C grep -A1 "^ *Keying Material:" client.out)
+ ret=$?
+ html_msg $ret 0 "${testname}" \
+ "produced a returncode of $ret, expected is 0"
+ done
+ SERVEROUTFILE=${SAVE_SERVEROUTFILE}
+ fileout=${save_fileout}
+
+ html "</TABLE><BR>"
+}
+
+############################## ssl_cleanup #############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+ssl_cleanup()
+{
+ rm $SERVERPID 2>/dev/null
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+############################## ssl_run #################################
+# local shell function to run coverage, authentication and stress tests
+########################################################################
+ssl_run()
+{
+ for SSL_RUN in ${NSS_SSL_RUN}
+ do
+ case "${SSL_RUN}" in
+ "stapling")
+ if [ -z "$NSS_DISABLE_LIBPKIX" ]; then
+ ssl_stapling
+ fi
+ ;;
+ "signed_cert_timestamps")
+ ssl_signed_cert_timestamps
+ ;;
+ "cov")
+ ssl_cov
+ ssl_cov_rsa_pss
+ ;;
+ "auth")
+ ssl_auth
+ ;;
+ "stress")
+ ssl_stress
+ ;;
+ "dtls")
+ ssl_dtls
+ ;;
+ "scheme")
+ ssl_scheme
+ ssl_scheme_stress
+ ;;
+ "exporter")
+ ssl_exporter
+ ;;
+ esac
+ done
+}
+
+############################ ssl_run_all ###############################
+# local shell function to run both standard and extended ssl tests
+########################################################################
+ssl_run_all()
+{
+ ORIG_SERVERDIR=$SERVERDIR
+ ORIG_CLIENTDIR=$CLIENTDIR
+ ORIG_R_SERVERDIR=$R_SERVERDIR
+ ORIG_R_CLIENTDIR=$R_CLIENTDIR
+ ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
+ ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
+
+ # Exercise PKCS#11 URI parsing. The token actually changes its name
+ # in FIPS mode, so cope with that. Note there's also semicolon in here
+ # but it doesn't need escaping/quoting; the shell copes.
+ if [ "${CLIENT_MODE}" = "fips" ]; then
+ USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser"
+ else
+ USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser"
+ fi
+ NORM_EXT=""
+ cd ${CLIENTDIR}
+
+ ssl_run
+
+ SERVERDIR=$EXT_SERVERDIR
+ CLIENTDIR=$EXT_CLIENTDIR
+ R_SERVERDIR=$R_EXT_SERVERDIR
+ R_CLIENTDIR=$R_EXT_CLIENTDIR
+ P_R_SERVERDIR=$P_R_EXT_SERVERDIR
+ P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
+
+ # A different URI test; specify CKA_LABEL but not the token.
+ USER_NICKNAME="pkcs11:object=ExtendedSSLUser"
+ NORM_EXT="Extended Test"
+ cd ${CLIENTDIR}
+
+ ssl_run
+
+ # the next round of ssl tests will only run if these vars are reset
+ SERVERDIR=$ORIG_SERVERDIR
+ CLIENTDIR=$ORIG_CLIENTDIR
+ R_SERVERDIR=$ORIG_R_SERVERDIR
+ R_CLIENTDIR=$ORIG_R_CLIENTDIR
+ P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
+ P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
+
+ USER_NICKNAME=TestUser
+ NORM_EXT=
+ cd ${QADIR}/ssl
+}
+
+############################ ssl_set_fips ##############################
+# local shell function to set FIPS mode on/off
+########################################################################
+ssl_set_fips()
+{
+ CLTSRV=$1
+ ONOFF=$2
+
+ if [ ${CLTSRV} = "server" ]; then
+ DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
+ else
+ DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"
+ fi
+
+ if [ "${ONOFF}" = "on" ]; then
+ FIPSMODE=true
+ RET_EXP=0
+ else
+ FIPSMODE=false
+ RET_EXP=1
+ fi
+
+ html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
+
+ for DBDIR in ${DBDIRS}
+ do
+ EXT_OPT=
+ echo ${DBDIR} | grep ext > /dev/null
+ if [ $? -eq 0 ]; then
+ EXT_OPT="extended "
+ fi
+
+ echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
+
+ echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
+ ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
+ RET=$?
+ html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
+ "produced a returncode of ${RET}, expected is 0"
+
+ echo "modutil -dbdir ${DBDIR} -list"
+ DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
+ RET=$?
+ html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
+ "produced a returncode of ${RET}, expected is 0"
+
+ echo "${DBLIST}" | grep "FIPS PKCS #11"
+ RET=$?
+ html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
+ "produced a returncode of ${RET}, expected is ${RET_EXP}"
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_set_fips ##############################
+# local shell function to run all tests set in NSS_SSL_TESTS variable
+########################################################################
+ssl_run_tests()
+{
+ for SSL_TEST in ${NSS_SSL_TESTS}
+ do
+ case "${SSL_TEST}" in
+ "policy")
+ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+ ssl_policy_listsuites
+ ssl_policy_selfserv
+ ssl_policy_pkix_ocsp
+ ssl_policy
+ fi
+ ;;
+ "crl")
+ ssl_crl_ssl
+ ssl_crl_cache
+ ;;
+ "iopr")
+ ssl_iopr_run
+ ;;
+ *)
+ SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
+ CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
+
+ case "${SERVER_MODE}" in
+ "normal")
+ SERVER_OPTIONS=
+ ;;
+ "fips")
+ SERVER_OPTIONS=
+ ssl_set_fips server on
+ ;;
+ *)
+ html_failed "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
+ return 1
+ ;;
+ esac
+
+ case "${CLIENT_MODE}" in
+ "normal")
+ CLIENT_OPTIONS=
+ CLIENT_PW=${CLIENT_PW_NORMAL}
+ ;;
+ "fips")
+ CLIENT_OPTIONS=
+ CLIENT_PW=${CLIENT_PW_FIPS}
+ ssl_set_fips client on
+ ;;
+ *)
+ html_failed "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
+ return 1
+ ;;
+ esac
+
+ ssl_run_all
+
+ if [ "${SERVER_MODE}" = "fips" ]; then
+ ssl_set_fips server off
+ fi
+
+ if [ "${CLIENT_MODE}" = "fips" ]; then
+ ssl_set_fips client off
+ fi
+ ;;
+ esac
+ done
+}
+
+################################# main #################################
+
+ssl_init
+ssl_run_tests
+ssl_cleanup
diff --git a/security/nss/tests/ssl/ssl_dist_stress.sh b/security/nss/tests/ssl/ssl_dist_stress.sh
new file mode 100755
index 0000000000..a67dfcbac5
--- /dev/null
+++ b/security/nss/tests/ssl/ssl_dist_stress.sh
@@ -0,0 +1,313 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/ssl/ssl_dist_stress.sh
+#
+# Script to test NSS SSL - distributed stresstest - this script needs to
+# source the regular ssl.sh (for shellfunctions, certs and variables
+# initialisation)
+# create certs
+# start server
+# start itself via rsh on different systems to connect back to the server
+#
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_ds_init #############################
+# local shell function to initialize this script
+########################################################################
+ssl_ds_init()
+{
+ if [ -z "$GLOB_MIN_CERT" ] ; then
+ GLOB_MIN_CERT=0
+ fi
+ if [ -z "$GLOB_MAX_CERT" ] ; then
+ GLOB_MAX_CERT=200
+ fi
+ IP_PARAM=""
+ CD_QADIR_SSL=""
+
+
+ if [ -n "$1" ] ; then
+ ssl_ds_eval_opts $*
+ fi
+ SCRIPTNAME=ssl_dist_stress.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ ssl_init # let some other script do the hard work (initialize, generate certs, ...
+
+ SCRIPTNAME=ssl_dist_stress.sh
+ echo "$SCRIPTNAME: SSL distributed stress tests ==============================="
+
+}
+
+######################### ssl_ds_usage #################################
+# local shell function to explain the usage
+########################################################################
+ssl_ds_usage()
+{
+ echo "Usage: `basename $1`"
+ echo " -host hostname "
+ echo " ...host who runs the server, for distributed stress test"
+ echo " -stress "
+ echo " ...runs the server sider of the distributed stress test"
+ echo " -dir unixdirectory "
+ echo " ...lets the server side of the distributed stress test"
+ echo " know where to find the scritp to start on the remote side"
+ echo " -certnum start-end"
+ echo " ... provides the range of certs for distributed stress test"
+ echo " for example -certnum 10-20 will connect 10 times"
+ echo " no blanks in the range string (not 10 - 20)"
+ echo " valid range ${GLOB_MIN_CERT}-${GLOB_MAX_CERT}"
+ echo " -? ...prints this text"
+ exit 1 #does not need to be Exit, very early in script
+}
+
+######################### ssl_ds_eval_opts #############################
+# local shell function to deal with options and parameters
+########################################################################
+ssl_ds_eval_opts()
+{
+ #use $0 not $SCRIPTNAM<E, too early, SCRIPTNAME not yet set
+
+ while [ -n "$1" ]
+ do
+ case $1 in
+ -host)
+ BUILD_OPT=1
+ export BUILD_OPT
+ DO_REM_ST="TRUE"
+ shift
+ SERVERHOST=$1
+ HOST=$1
+ if [ -z $SERVERHOST ] ; then
+ echo "$0 `uname -n`: -host requires hostname"
+ ssl_ds_usage
+ fi
+ echo "$0 `uname -n`: host $HOST ($1)"
+ ;;
+ -certn*)
+ shift
+ rangeOK=`echo $1 | sed -e 's/[0-9][0-9]*-[0-9][0-9]*/OK/'`
+ MIN_CERT=`echo $1 | sed -e 's/-[0-9][0-9]*//' -e 's/^00*//'`
+ MAX_CERT=`echo $1 | sed -e 's/[0-9][0-9]*-//' -e 's/^00*//'`
+ if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o \
+ -z "$MIN_CERT" -o -z "$MAX_CERT" -o \
+ "$MIN_CERT" -gt "$MAX_CERT" -o \
+ "$MIN_CERT" -lt "$GLOB_MIN_CERT" -o \
+ "$MAX_CERT" -gt "$GLOB_MAX_CERT" ] ; then
+ echo "$0 `uname -n`: -certn range not valid"
+ ssl_ds_usage
+ fi
+ echo "$0 `uname -n`: will use certs from $MIN_CERT to $MAX_CERT"
+ ;;
+ -server|-stress|-dist*st*)
+ BUILD_OPT=1
+ export BUILD_OPT
+ DO_DIST_ST="TRUE"
+ ;;
+ -dir|-unixdir|-uxdir|-qadir)
+ shift
+ UX_DIR=$1
+ #FIXME - we need a default unixdir
+ if [ -z "$UX_DIR" ] ; then # -o ! -d "$UX_DIR" ] ; then can't do, Win doesn't know...
+ echo "$0 `uname -n`: -dir requires directoryname "
+ ssl_ds_usage
+ fi
+ CD_QADIR_SSL="cd $UX_DIR"
+ ;;
+ -ip*)
+ shift
+ IP_ADDRESS=$1
+ if [ -z "$IP_ADDRESS" ] ; then
+ echo "$0 `uname -n`: -ip requires ip-address "
+ ssl_ds_usage
+ fi
+ USE_IP=TRUE
+ IP_PARAM="-ip $IP_ADDRESS"
+ ;;
+ -h|-help|"-?"|*)
+ ssl_ds_usage
+ ;;
+ esac
+ shift
+ done
+}
+
+############################## ssl_ds_rem_stress #######################
+# local shell function to perform the client part of the SSL stress test
+########################################################################
+
+ssl_ds_rem_stress()
+{
+ testname="SSL remote part of Stress test (`uname -n`)"
+ echo "$SCRIPTNAME `uname -n`: $testname"
+
+ #cp -r "${CLIENTDIR}" /tmp/ssl_ds.$$ #FIXME
+ #cd /tmp/ssl_ds.$$
+ #verbose="-v"
+
+ cd ${CLIENTDIR}
+
+ CONTINUE=$MAX_CERT
+ while [ $CONTINUE -ge $MIN_CERT ]
+ do
+ echo "strsclnt -D -p ${PORT} -d ${P_R_CLIENTDIR} -w nss -c 1 $verbose "
+ echo " -n TestUser$CONTINUE ${HOSTADDR} #`uname -n`"
+ ${BINDIR}/strsclnt -D -p ${PORT} -d . -w nss -c 1 $verbose \
+ -n "TestUser$CONTINUE" ${HOSTADDR} &
+ #${HOSTADDR} &
+ CONTINUE=`expr $CONTINUE - 1 `
+ #sleep 4 #give process time to start up
+ done
+
+ html_msg 0 0 "${testname}" #FIXME
+}
+
+######################### ssl_ds_dist_stress ###########################
+# local shell function to perform the server part of the new, distributed
+# SSL stress test
+########################################################################
+
+ssl_ds_dist_stress()
+{
+ max_clientlist="
+ box-200
+ washer-200
+ dryer-200
+ hornet-50
+ shabadoo-50
+ y2sun2-10
+ galileo-10
+ shame-10
+ axilla-10
+ columbus-10
+ smarch-10
+ nugget-10
+ charm-10
+ hp64-10
+ biggayal-10
+ orville-10
+ kwyjibo-10
+ hbombaix-10
+ raven-10
+ jordan-10
+ phaedrus-10
+ louie-10
+ trex-10
+ compaqtor-10"
+
+ #clientlist=" huey-2 dewey-2 hornet-2 shabadoo-2" #FIXME ADJUST
+ clientlist=" box-200 washer-200 huey-200 dewey-200 hornet-200 shabadoo-200 louie-200"
+ #clientlist=" box-2 huey-2 "
+ #clientlist="washer-200 huey-200 dewey-200 hornet-200 "
+
+ html_head "SSL Distributed Stress Test"
+
+ testname="SSL distributed Stress test"
+
+ echo cd "${CLIENTDIR}"
+ cd "${CLIENTDIR}"
+ if [ -z "CD_QADIR_SSL" ] ; then
+ CD_QADIR_SSL="cd $QADIR/ssl"
+ else
+ cp -r $HOSTDIR $HOSTDIR/../../../../../booboo_Solaris8/mozilla/tests_results/security
+ fi
+
+ #sparam=" -t 128 -D -r "
+ sparam=" -t 16 -D -r -r -y "
+ start_selfserv
+
+ for c in $clientlist
+ do
+ client=`echo $c | sed -e "s/-.*//"`
+ number=`echo $c | sed -e "s/.*-//"`
+ CLIENT_OK="TRUE"
+ echo $client
+ ping $client >/dev/null || CLIENT_OK="FALSE"
+ if [ "$CLIENT_OK" = "FALSE" ] ; then
+ echo "$SCRIPTNAME `uname -n`: $client can't be reached - skipping"
+ else
+ get_certrange $number
+ echo "$SCRIPTNAME `uname -n`: $RSH $client -l svbld \\ "
+ echo " \" $CD_QADIR_SSL ;ssl_dist_stress.sh \\"
+ echo " -host $HOST -certnum $CERTRANGE $IP_PARAM \" "
+ $RSH $client -l svbld \
+ " $CD_QADIR_SSL;ssl_dist_stress.sh -host $HOST -certnum $CERTRANGE $IP_PARAM " &
+ fi
+ done
+
+ echo cd "${CLIENTDIR}"
+ cd "${CLIENTDIR}"
+
+ sleep 500 # give the clients time to finish #FIXME ADJUST
+
+ echo "GET /stop HTTP/1.0\n\n" > stdin.txt #check to make sure it has /r/n
+ echo "tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 "
+ echo " -w nss -f < stdin.txt"
+ ${BINDIR}/tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 \
+ -w nss -f < stdin.txt
+
+ html_msg 0 0 "${testname}"
+ html "</TABLE><BR>"
+}
+
+############################ get_certrange #############################
+# local shell function to find the range of certs that the next remote
+# client is supposed to use (only for server side of the dist stress test
+########################################################################
+get_certrange()
+{
+ rangeOK=`echo $1 | sed -e 's/[0-9][0-9]*/OK/'`
+ if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o $1 = "OK" ] ; then
+ range=10
+ echo "$SCRIPTNAME `uname -n`: $1 is not a valid number of certs "
+ echo " defaulting to 10 for $client"
+ else
+ range=$1
+ if [ $range -gt $GLOB_MAX_CERT ] ; then
+ range=$GLOB_MAX_CERT
+ fi
+ fi
+ if [ -z "$FROM_CERT" ] ; then # start new on top of the cert stack
+ FROM_CERT=$GLOB_MAX_CERT
+ elif [ `expr $FROM_CERT - $range + 1 ` -lt 0 ] ; then
+ FROM_CERT=$GLOB_MAX_CERT # dont let it fall below 0 on the TO_CERT
+
+ fi
+ TO_CERT=`expr $FROM_CERT - $range + 1 `
+ if [ $TO_CERT -lt 0 ] ; then # it's not that I'm bad in math, I just
+ TO_CERT=0 # don't trust expr...
+ fi
+ CERTRANGE="${TO_CERT}-${FROM_CERT}"
+ FROM_CERT=`expr ${TO_CERT} - 1 ` #start the next client one below
+}
+
+
+################## main #################################################
+
+DO_DIST_ST="TRUE"
+. ./ssl.sh
+ssl_ds_init $*
+if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
+ ssl_ds_rem_stress
+ exit 0 #no cleanup on purpose
+elif [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
+ ssl_ds_dist_stress
+fi
+ssl_cleanup
diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt
new file mode 100644
index 0000000000..61e4a6c6d4
--- /dev/null
+++ b/security/nss/tests/ssl/sslauth.txt
@@ -0,0 +1,84 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the tests for client auth.
+#
+# expected
+# Enable return server client Test Case name
+# ECC value params params
+# ------- ------ ------ ------ ---------------
+ noECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_none TLS Request don't require client auth (client does not provide auth)
+ noECC 0 -r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
+ noECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Request don't require client auth (client auth)
+ noECC 254 -r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Require client auth (client does not provide auth)
+ noECC 254 -r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Require client auth (bad password)
+ noECC 0 -r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser_ TLS Require client auth (client auth)
+ noECC 0 -r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
+ noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
+ noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
+ noECC 254 -r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
+ noECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
+ noECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Require client auth on 2nd hs (client auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (client auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth)
+ noECC 0 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
+ noECC 0 -r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Request don't require client auth on post hs (client auth)
+ noECC 0 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Require client auth on post hs (client auth)
+ noECC 0 -r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Request don't require client auth on post hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Require client auth on post hs (client does not provide auth)
+ noECC 0 -r_-r_-r_-E_-u -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Request don't require client auth on post hs with session ticket (client auth)
+ noECC 0 -r_-r_-J_rsa\\_pkcs1\\_sha256 -V_tls1.2:_-w_nss TLS 1.2 Require client auth auto select(RSA) (client auth)
+#
+# Use EC cert for client authentication
+#
+ ECC 0 -r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password)
+ ECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth)
+ ECC 254 -r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
+ ECC 0 -r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth)
+ ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password)
+ ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth)
+ ECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
+ ECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
+ ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
+ ECC 0 -r_-r_-J_ecdsa\\_secp256r1\\_sha256 -V_tls1.2:_-w_nss TLS 1.2 Require client auth auto select(EC) (client auth)
+ ECC 0 -r_-r_-J_ecdsa\\_secp256r1\\_sha256,ecdsa\\_secp384r1\\_sha384 -V_tls1.3:_-w_nss TLS 1.3 Require client auth auto select (EC) (client auth)
+#
+# SNI Tests
+#
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt
new file mode 100644
index 0000000000..ca79a5e09c
--- /dev/null
+++ b/security/nss/tests/ssl/sslcov.txt
@@ -0,0 +1,155 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the various SSL ciphers
+#
+# Enable Enable Cipher Test Name
+# EC TLS
+#
+ noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5
+ noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA
+ noECC SSL3 i SSL3_RSA_WITH_NULL_MD5
+ noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA
+ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA
+ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA
+ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA
+ noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
+ noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384
+# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#
+ noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5
+ noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA
+ noECC TLS10 i TLS_RSA_WITH_NULL_MD5
+ noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA
+ noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS10 z TLS_RSA_WITH_NULL_SHA
+# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#
+#
+ noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5
+ noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA
+ noECC TLS11 i TLS11_RSA_WITH_NULL_MD5
+ noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA
+ noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS11 z TLS11_RSA_WITH_NULL_SHA
+#
+ noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5
+ noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA
+ noECC TLS12 i TLS12_RSA_WITH_NULL_MD5
+ noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA
+ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA
+ noECC TLS12 :0016 TLS12_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS12 :0032 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA
+ noECC TLS12 :0033 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS12 :0038 TLS12_DHE_DSS_WITH_AES_256_CBC_SHA
+ noECC TLS12 :0039 TLS12_DHE_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256
+ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256
+ noECC TLS12 :0040 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :0067 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :006A TLS12_DHE_DSS_WITH_AES_256_CBC_SHA256
+ noECC TLS12 :006B TLS12_DHE_RSA_WITH_AES_256_CBC_SHA256
+ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256
+ noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
+ noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256
+ noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ noECC TLS13 :1301 TLS13_DHE_WITH_AES_128_GCM_SHA256
+ noECC TLS13 :1302 TLS13_DHE_WITH_AES_256_GCM_SHA384
+ noECC TLS13 :1303 TLS13_DHE_WITH_CHACHA20_POLY1305_SHA256
+#
+# ECC ciphers (TLS)
+#
+ ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA
+ ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA
+ ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA
+ ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA
+ ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA
+ ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#
+ ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA
+ ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA
+ ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA
+ ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA
+ ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA
+ ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA
+ ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA
+ ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA
+ ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#
+ ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA
+ ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA
+ ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA
+ ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA
+ ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA
+ ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA
+ ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA
+ ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA
+ ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ ECC TLS12 :C024 TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ ECC TLS12 :C028 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+#
+# Test against server with RSA-PSS server certificate
+#
+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - RSA-PSS
+ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - RSA-PSS
+# test TLS 1.3
+ ECC TLS13 :1301 TLS13_ECDHE_WITH_AES_128_GCM_SHA256
+ ECC TLS13 :1302 TLS13_ECDHE_WITH_AES_256_GCM_SHA384
+ ECC TLS13 :1303 TLS13_ECDHE_WITH_CHACHA20_POLY1305_SHA256
diff --git a/security/nss/tests/ssl/sslpolicy.txt b/security/nss/tests/ssl/sslpolicy.txt
new file mode 100644
index 0000000000..558b9f55df
--- /dev/null
+++ b/security/nss/tests/ssl/sslpolicy.txt
@@ -0,0 +1,208 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables policy testing
+#
+# The policy string is set to the config= line in the pkcs11.txt
+# it currently has 2 keywords:
+#
+# disallow= turn off the use of this algorithm by policy. (implies disable)
+# allow= allow this algorithm to by used if selected by policy.
+# disable= turn off the use of this algorithm even if allowed by policy
+# (application can override)
+# enable= turn off this algorithm by default (implies allow)
+# flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy,
+# NSS_SetOption, or SSL_SetCipherPolicy
+# ssl-lock: can't change the cipher suite settings with the application.
+#
+# The syntax is disallow=algorithm{/uses}:algorithm{/uses}
+# where {} signifies an optional element
+#
+# valid algorithms are:
+# ECC curves:
+# PRIME192V1
+# PRIME192V2
+# PRIME192V3
+# PRIME239V1
+# PRIME239V2
+# PRIME239V3
+# PRIME256V1
+# SECP112R1
+# SECP112R2
+# SECP128R1
+# SECP128R2
+# SECP160K1
+# SECP160R1
+# SECP160R2
+# SECP192K1
+# SECP192R1
+# SECP224K1
+# SECP256K1
+# SECP256R1
+# SECP384R1
+# SECP521R1
+# C2PNB163V1
+# C2PNB163V2
+# C2PNB163V3
+# C2PNB176V1
+# C2TNB191V1
+# C2TNB191V2
+# C2TNB191V3
+# C2ONB191V4
+# C2ONB191V5
+# C2PNB208W1
+# C2TNB239V1
+# C2TNB239V2
+# C2TNB239V3
+# C2ONB239V4
+# C2ONB239V5
+# C2PNB272W1
+# C2PNB304W1
+# C2TNB359V1
+# C2PNB368W1
+# C2TNB431R1
+# SECT113R1
+# SECT131R1
+# SECT131R1
+# SECT131R2
+# SECT163K1
+# SECT163R1
+# SECT163R2
+# SECT193R1
+# SECT193R2
+# SECT233K1
+# SECT233R1
+# SECT239K1
+# SECT283K1
+# SECT283R1
+# SECT409K1
+# SECT409R1
+# SECT571K1
+# SECT571R1
+# Signatures:
+# DSA
+# RSA-PKCS
+# RSA-PSS
+# ECDSA
+# Hashes:
+# MD2
+# MD4
+# MD5
+# SHA1
+# SHA224
+# SHA256
+# SHA384
+# SHA512
+# MACs:
+# HMAC-SHA1
+# HMAC-SHA224
+# HMAC-SHA256
+# HMAC-SHA384
+# HMAC-SHA512
+# HMAC-MD5
+# Ciphers:
+# AES128-CBC
+# AES192-CBC
+# AES256-CBC
+# AES128-GCM
+# AES192-GCM
+# AES256-GCM
+# CAMELLIA128-CBC
+# CAMELLIA192-CBC
+# CAMELLIA256-CBC
+# SEED-CBC
+# DES-EDE3-CBC
+# DES-40-CBC
+# DES-CBC
+# NULL-CIPHER
+# RC2
+# RC4
+# IDEA
+# Key exchange
+# RSA
+# RSA-EXPORT
+# DHE-RSA
+# DHE-DSS
+# DH-RSA
+# DH-DSS
+# ECDHE-ECDSA
+# ECDHE-RSA
+# ECDH-ECDSA
+# ECDH-RSA
+# SSL Versions
+# SSL2.0
+# SSL3.0
+# TLS1.0
+# TLS1.1
+# TLS1.2
+# DTLS1.1
+# DTLS1.2
+# Include all of the above:
+# ALL
+#-----------------------------------------------
+# Uses are:
+# ssl
+# ssl-key-exchange
+# key-exchange (includes ssl-key-exchange)
+# cert-signature
+# all-signature (includes cert-signature)
+# signature (all signatures off, some signature allowed based on other option)
+# all (includes all of the above)
+#-----------------------------------------------
+# In addition there are the following options:
+# min-rsa
+# min-dh
+# min-dsa
+# they have the following syntax:
+# allow=min-rsa=512:min-dh=1024
+#
+# in the following tests, we use the cipher suite 'd':
+# d SSL3 RSA WITH 3DES EDE CBC SHA (=:000a).
+# NOTE: the certificates used in validation are rsa-pkcs1/sha256 signed.
+#
+# Exp Enable Enable Cipher Config Policy Test Name
+# Ret EC TLS
+# turn on single cipher
+ 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
+ 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/all-signature:rsa-pkcs/all-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
+ 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:dsa/all:rsa-pss/all:ecdsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
+ 1 noECC SSL3 d disallow=all Disallow All Explicitly
+# turn off signature only
+ 1 noECC SSL3 d disallow=all/signature Disallow all signatures with Explicitly
+ 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Explicitly
+ 1 noECC SSL3 d disallow=sha256/cert-signature Disallow SHA256 Certificate signature Explicitly
+ 1 noECC SSL3 d disallow=sha256/signature Disallow All SHA256 signatures Explicitly
+ 1 noECC SSL3 d disallow=sha256/all-signature Disallow Any SHA256 signature Explicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:dsa/all:ecdsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly
+# turn off single cipher
+ 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly
+# turn off H-Mac
+ 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly
+ 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly
+# turn off key exchange
+ 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchange Signatures Implicitly
+# turn off version
+ 1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
+ 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
+ 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
+ 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
+# test default settings
+# NOTE: tstclient will attempt to overide the defaults, so we detect we
+# were successful by locking in our settings
+ 0 noECC SSL3 d allow=all_disable=all Disable all by default, application override
+ 1 noECC SSL3 d allow=all_disable=all_flags=ssl-lock,policy-lock Disable all by default, prevent application from enabling
+ 0 noECC SSL3 d allow=all_disable=all_flags=policy-lock Disable all by default, lock policy (application can still change the ciphers)
+# explicitly enable :002f RSA_AES_128_CBC_SHA1 and lock it in
+ 0 noECC SSL3 d allow=all_disable=all_enable=hmac-sha1:sha256:rsa-pkcs:rsa:aes128-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0_flags=ssl-lock Lock in a different ciphersuite that the one the application asks for
diff --git a/security/nss/tests/ssl/sslreq.dat b/security/nss/tests/ssl/sslreq.dat
new file mode 100644
index 0000000000..2f7ad7736e
--- /dev/null
+++ b/security/nss/tests/ssl/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
diff --git a/security/nss/tests/ssl/sslreq.txt b/security/nss/tests/ssl/sslreq.txt
new file mode 100644
index 0000000000..c1da607c07
--- /dev/null
+++ b/security/nss/tests/ssl/sslreq.txt
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt
new file mode 100644
index 0000000000..44794f10f6
--- /dev/null
+++ b/security/nss/tests/ssl/sslstress.txt
@@ -0,0 +1,81 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the stress tests for SSL/TLS.
+#
+# expected
+# Enable return server client Test Case name
+# ECC value params params
+# ------- ------ ------ ------ ---------------
+ noECC 0 _ -c_1000_-C_c_-V_ssl3:ssl3 Stress SSL3 RC4 128 with MD5
+ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
+ noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
+ noECC 0 -u -V_ssl3:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
+ SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
+
+#
+# add client auth versions here...
+#
+ noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
+ noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth, no login)
+ noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
+ noECC 0 -r_-r_-u -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
+ SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
+ SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
+
+#
+# ############################ ECC ciphers ############################
+#
+ ECC 0 -c_:C009 -V_ssl3:tls1.2_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C023 -V_ssl3:tls1.2_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse)
+ ECC 0 -c_:C02B -V_ssl3:tls1.2_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse)
+ ECC 0 -c_:C004 -V_ssl3:tls1.2_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C00E -V_ssl3:tls1.2_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C013 -V_ssl3:tls1.2_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA
+ ECC 0 -c_:C027 -V_ssl3:tls1.2_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256
+ ECC 0 -c_:C02F -V_ssl3:tls1.2_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM
+ ECC 0 -c_:C004_-u -V_ssl3:tls1.2_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket)
+ ECC 0 -c_:C009_-u -V_ssl3:tls1.2_-c_100_-C_:C009_-u Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (session ticket)
+#
+# add client auth versions here...
+#
+ ECC 0 -r_-r_-c_:C009 -V_ssl3:tls1.2_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+ ECC 0 -r_-r_-c_:C013 -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth)
+ ECC 0 -r_-r_-c_:C004 -V_ssl3:tls1.2_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+ ECC 0 -r_-r_-c_:C00E -V_ssl3:tls1.2_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
+ ECC 0 -r_-r_-c_:C013 -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
+ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)
+
+#
+# ############################ DHE ciphers ############################
+#
+ noECC 0 -c_:0016 -V_ssl3:tls1.2_-c_100_-C_:0016_-N Stress TLS DHE_RSA_WITH_3DES_EDE_CBC_SHA (no reuse)
+ noECC 0 -c_:0033 -V_ssl3:tls1.2_-c_1000_-C_:0033 Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA
+
+
+ noECC 0 -c_:0039 -V_ssl3:tls1.2_-c_100_-C_:0039_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA (no reuse)
+ noECC 0 -c_:0040 -V_ssl3:tls1.2_-c_100_-C_:0040_-N Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA256 (no reuse)
+
+# noECC 0 -c_:0038_-u -V_ssl3:tls1.2_-c_1000_-C_:0038_-u Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (session ticket)
+# use the above session ticket test, once session tickets with DHE_DSS are working
+ noECC 0 -c_:0038 -V_ssl3:tls1.2_-c_1000_-C_:0038_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (no reuse)
+
+# noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256
+# use the above reuse test, once the session cache with DHE_DSS is working
+ noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 (no reuse
+
+ noECC 0 -c_:006B -V_ssl3:tls1.2_-c_100_-C_:006B_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA256 (no reuse)
+ noECC 0 -c_:009E -V_ssl3:tls1.2_-c_100_-C_:009E_-N Stress TLS DHE_RSA_WITH_AES_128_GCM_SHA256 (no reuse)
+ noECC 0 -c_:009F -V_ssl3:tls1.2_-c_100_-C_:009F_-N Stress TLS DHE_RSA_WITH_AES_256_GCM_SHA384 (no reuse)
+#
+# add client auth versions here...
+#
+ noECC 0 -r_-r_-c_:0032 -V_ssl3:tls1.2_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth)
+ noECC 0 -r_-r_-c_:0067 -V_ssl3:tls1.2_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth)
+
+# noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth)
+# noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (session ticket, client auth)
+# use the above session ticket test, once session tickets with DHE_DSS are working
+ noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (no reuse, client auth)
+ noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (no reuse, client auth)
diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh
new file mode 100755
index 0000000000..d2e8c7a4f3
--- /dev/null
+++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh
@@ -0,0 +1,155 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/ssl_gtests/ssl_gtests.sh
+#
+# Script to drive the ssl gtest unit tests
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+ssl_gtest_certs() {
+ mkdir -p "${SSLGTESTDIR}"
+ cd "${SSLGTESTDIR}"
+
+ PROFILEDIR=`pwd`
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ PROFILEDIR=`cygpath -m "${PROFILEDIR}"`
+ fi
+
+ ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
+ html_msg $? 0 "create ssl_gtest database"
+
+ pushd "${QADIR}"
+ . common/certsetup.sh
+ popd
+
+ counter=0
+ make_cert client rsa sign
+ make_cert rsa rsa sign kex
+ make_cert rsa2048 rsa2048 sign kex
+ make_cert rsa8192 rsa8192 sign kex
+ make_cert rsa_sign rsa sign
+ make_cert rsa_pss rsapss sign
+ make_cert rsa_pss384 rsapss384 sign
+ make_cert rsa_pss512 rsapss512 sign
+ make_cert rsa_pss_noparam rsapss_noparam sign
+ make_cert rsa_decrypt rsa kex
+ make_cert ecdsa256 p256 sign
+ make_cert ecdsa384 p384 sign
+ make_cert ecdsa521 p521 sign
+ make_cert ecdh_ecdsa p256 kex
+ make_cert rsa_ca rsa_ca ca
+ make_cert rsa_chain rsa_chain sign
+ make_cert rsa_pss_ca rsapss_ca ca
+ make_cert rsa_pss_chain rsapss_chain sign
+ make_cert rsa_ca_rsa_pss_chain rsa_ca_rsapss_chain sign
+ make_cert ecdh_rsa ecdh_rsa kex
+ make_cert dsa dsa sign
+ make_cert delegator_ecdsa256 delegator_p256 sign
+ make_cert delegator_rsae2048 delegator_rsae2048 sign
+ make_cert delegator_rsa_pss2048 delegator_rsa_pss2048 sign
+}
+
+############################## ssl_gtest_init ##########################
+# local shell function to initialize this script
+########################################################################
+ssl_gtest_init()
+{
+ SCRIPTNAME=ssl_gtest.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ SCRIPTNAME=ssl_gtest.sh
+ html_head SSL Gtests
+
+ if [ ! -d "${SSLGTESTDIR}" ]; then
+ ssl_gtest_certs
+ fi
+
+ cd "${SSLGTESTDIR}"
+}
+
+########################## ssl_gtest_start #########################
+# Local function to actually start the test
+####################################################################
+ssl_gtest_start()
+{
+ if [ ! -f ${BINDIR}/ssl_gtest ]; then
+ html_unknown "Skipping ssl_gtest (not built)"
+ return
+ fi
+
+ SSLGTESTREPORT="${SSLGTESTDIR}/report.xml"
+
+ local nshards=1
+ local prefix=""
+ local postfix=""
+
+ export -f parallel_fallback
+
+ # Determine the number of chunks.
+ if [ -n "$GTESTFILTER" ]; then
+ echo "DEBUG: Not parallelizing ssl_gtests because \$GTESTFILTER is set"
+ elif type parallel 2>/dev/null; then
+ nshards=$(parallel --number-of-cores || 1)
+ fi
+
+ if [ "$nshards" != 1 ]; then
+ local indices=$(for ((i=0; i<$nshards; i++)); do echo $i; done)
+ prefix="parallel -j$nshards --line-buffer --halt soon,fail=1"
+ postfix="\&\& exit 0 \|\| exit 1 ::: $indices"
+ fi
+
+ echo "DEBUG: ssl_gtests will be divided into $nshards chunk(s)"
+
+ # Run tests.
+ ${prefix:-parallel_fallback} \
+ GTEST_SHARD_INDEX={} \
+ GTEST_TOTAL_SHARDS=$nshards \
+ DYLD_LIBRARY_PATH="${DIST}/${OBJDIR}/lib" \
+ ${BINDIR}/ssl_gtest -d "${SSLGTESTDIR}" \
+ --gtest_output=xml:"${SSLGTESTREPORT}.{}" \
+ --gtest_filter="${GTESTFILTER-*}" \
+ $postfix
+
+ html_msg $? 0 "ssl_gtests ran successfully"
+
+ # Parse XML report(s).
+ gtest_parse_report "${SSLGTESTREPORT}".*
+}
+
+# Helper function used when 'parallel' isn't available.
+parallel_fallback()
+{
+ eval "${@//\{\}/0}"
+}
+
+ssl_gtest_cleanup()
+{
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+cd "$(dirname "$0")"
+ssl_gtest_init
+ssl_gtest_start
+ssl_gtest_cleanup