Diffstat (limited to '')
-rw-r--r-- | security/nss/tests/iopr/server_scr/apache_unix.cfg | 47 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/cert_gen.sh | 367 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/cipher.list | 98 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/client.cgi | 526 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/config | 17 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/iis_windows.cfg | 33 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/iopr_server.cfg | 67 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/sslreq.dat | 2 |
8 files changed, 1157 insertions, 0 deletions
diff --git a/security/nss/tests/iopr/server_scr/apache_unix.cfg b/security/nss/tests/iopr/server_scr/apache_unix.cfg
new file mode 100644
index 0000000000..3992bf52d7
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/apache_unix.cfg
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# Apache OPENSSL configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "openssl";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "$certDir/cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed openssl binary
+#
+$opensslb = "/usr/local/bin/openssl";
+
+
+#
+# General location of apache server
+#
+$apacheHttpd="/var/httpd-ssl";
+
+#
+# HTTP Request file
+#
+$reqFile = "$apacheHttpd/cgi-bin/sslreq.dat";
+
+#
+# OpenSSL certificate directory
+#
+$certDir = "$apacheHttpd/cert";
+
+#
+# CA certificate file
+#
+$caCertFile = "$certDir/serverCA.crt";
diff --git a/security/nss/tests/iopr/server_scr/cert_gen.sh b/security/nss/tests/iopr/server_scr/cert_gen.sh
new file mode 100644
index 0000000000..6611a0f416
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
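Review bot: `$cipherTableFile = "$certDir/cipher.list";` uses `$certDir` before this file defines it (`$certDir = "$apacheHttpd/cert";` comes about twenty-five lines later), and client.cgi in this same commit evaluates the config one line at a time with `eval $_`, so at that point `$certDir` is still empty and the table path becomes `/cipher.list`. Move `$apacheHttpd="/var/httpd-ssl";` and `$certDir = "$apacheHttpd/cert";` above the cipher-table assignment, or give `$cipherTableFile` a literal path. The same ordering constraint holds for `$reqFile`, `$certDir` and `$caCertFile`, which each depend on an earlier line and happen to already be in a working order; a comment at the top saying that assignments are evaluated in file order would stop the next edit from reintroducing this.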
@@ -0,0 +1,367 @@
+#!/bin/bash
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+######################################################################################
+# Server and client certs and crl generator functions. Generated files placed in a <dir>
+# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
+# This functions is used for manual webserver configuration and it is not a part of
+# nss test run.
+# To create certs use the following command:
+# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
+# Where:
+# dir - directory where to place created files
+# cert name - name of created server cert(FQDN)
+# cert req - cert request to be used for cert generation.
+#
+repAndExec() {
+ echo
+ if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
+ shift
+ echo certutil -s "$CU_SUBJECT" $@
+ certutil -s "$CU_SUBJECT" $@
+ RET=$?
+ else
+ echo $@
+ $@
+ RET=$?
+ fi
+
+ return $RET
+}
+
+setExtData() {
+ extData=$1
+
+ fldNum=0
+ extData=`echo $extData | sed 's/,/ /g'`
+ for extDT in $extData; do
+ if [ $fldNum -eq 0 ]; then
+ eval extType=$extDT
+ fldNum=1
+ continue
+ fi
+ eval data${fldNum}=$extDT
+ fldNum=`expr $fldNum + 1`
+ done
+}
+
+signCert() {
+ dir=$1
+ crtDir=$2
+ crtName=$3
+ crtSN=$4
+ req=$5
+ cuAddParam=$6
+ extList=$7
+
+ if [ -z "$certSigner" ]; then
+ certSigner=TestCA
+ fi
+
+ extCmdLine=""
+ extCmdFile=$dir/extInFile; rm -f $extCmdFile
+ touch $extCmdFile
+ extList=`echo $extList | sed 's/;/ /g'`
+ for ext in $extList; do
+ setExtData $ext
+ [ -z "$extType" ] && echo "incorrect extention format" && return 1
+ case $extType in
+ ocspDR)
+ extCmdLine="$extCmdLine -6"
+ cat <<EOF >> $extCmdFile
+5
+9
+y
+EOF
+ break
+ exit 1
+ ;;
+ AIA)
+ extCmdLine="$extCmdLine -9"
+ cat <<EOF >> $extCmdFile
+2
+7
+$data1
+0
+n
+n
+EOF
+ break
+ ;;
+ *)
+ echo "Unsupported extension type: $extType"
+ break
+ ;;
+ esac
+ done
+ echo "cmdLine: $extCmdLine"
+ echo "cmdFile: "`cat $extCmdFile`
+ repAndExec \
+ certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
+ -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
+ return $RET
+}
+
+createSignedCert() {
+ dir=$1
+ certDir=$2
+ certName=$3
+ certSN=$4
+ certSubj=$5
+ keyType=$6
+ extList=$7
+
+ echo Creating cert $certName-$keyType with SN=$certSN
+
+ CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
+ -k $keyType -o $dir/req 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ rm -f $dir/req
+
+ repAndExec \
+ certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
+ -i "$dir/${certName}-$keyType.crt" 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ cp "$dir/${certName}-$keyType.crt" $certDir
+
+ repAndExec \
+ pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
+ -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ return 0
+}
+
+generateAndExportSSLCerts() {
+ dir=$1
+ certDir=$2
+ serverName=$3
+ servCertReq=$4
+
+ if [ "$servCertReq" -a -f $servCertReq ]; then
+ grep REQUEST $servCertReq >/dev/null 2>&1
+ signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+ fi
+
+ certName=$serverName
+ createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser510
+ createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser511
+ createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser512
+ createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser513
+ createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+}
+
+generateAndExportOCSPCerts() {
+ dir=$1
+ certDir=$2
+
+ certName=ocspTrustedResponder
+ createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDesignatedResponder
+ createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser514
+ createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser516
+ createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser518
+ createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser520
+ createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser522
+ createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser524
+ createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ generateAndExportCACert $dir "" TestCA-unknown
+ [ $? -ne 0 ] && return $ret
+
+ certSigner=TestCA-unknown
+
+ certName=ocspTRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCAUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certSigner=""
+
+ return 0
+}
+
+generateAndExportCACert() {
+ dir=$1
+ certDirL=$2
+ caName=$3
+
+ certName=TestCA
+ [ "$caName" ] && certName=$caName
+ CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
+ -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
+5
+6
+9
+n
+y
+-1
+n
+EOF
+
+ if [ "$certDirL" ]; then
+ repAndExec \
+ certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt
+ [ "$RET" -ne 0 ] && return $RET
+
+ repAndExec \
+ pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ fi
+}
+
+
+generateCerts() {
+ certDir=$1
+ serverName=$2
+ reuseCACert=$3
+ servCertReq=$4
+
+ [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
+ [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
+
+ mkdir -p $certDir
+ [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
+
+
+ dir=/tmp/db.$$
+ if [ -z "$reuseCACert" ]; then
+ if [ -d "$dir" ]; then
+ rm -f $dir
+ fi
+
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+
+ mkdir -p $dir
+ [ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
+
+ echo nss > $PW_FILE
+ date >> ${NOISE_FILE} 2>&1
+
+ repAndExec \
+ certutil -d $dir -N -f $PW_FILE
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportCACert $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+ else
+ dir=$reuseCACert
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+ hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
+ [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
+ return $RET;
+ fi
+
+ generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportOCSPCerts $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+
+ crlUpdate=`date +%Y%m%d%H%M%SZ`
+ crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
+ repAndExec \
+ crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
+update=$crlUpdate
+nextupdate=$crlNextUpdate
+addcert 509-511 $crlUpdate
+addcert 516 $crlUpdate
+addcert 520 $crlUpdate
+addcert 524 $crlUpdate
+EOF_CRLINI
+ [ "$RET" -ne 0 ] && return $RET
+
+ rm -rf $dir
+ return 0
+}
+
+
+if [ -z "$1" -o -z "$2" ]; then
+ echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
+ exit 1
+fi
+generateCerts $1 $2 "$3" $4
+exit $?
diff --git a/security/nss/tests/iopr/server_scr/cipher.list b/security/nss/tests/iopr/server_scr/cipher.list
new file mode 100644
index 0000000000..668084c37a
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cipher.list
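Review bot: `dir=/tmp/db.$$` in generateCerts is a predictable name in a shared directory, and the clean-up around it does not make reuse safe: `rm -f $dir` cannot remove a directory, `mkdir -p $dir` succeeds on an existing one, and `echo nss > $PW_FILE` plus the `certutil -N` key database are then written into whatever `/tmp/db.<pid>` already holds. Replace the fixed name and the rm/mkdir pair with `dir=$(mktemp -d) || { echo "Can not create temp dir"; exit 1; }` inside the `-z "$reuseCACert"` branch; mktemp also creates the directory with owner-only permissions, which matters since the CA private key lives there until `rm -rf $dir` at the end. Several status checks also read the wrong variable: generateAndExportCACert returns nothing when `$certDirL` is empty, so `[ "$RET" -ne 0 ]` after it in generateCerts and `[ $? -ne 0 ] && return $ret` after it in generateAndExportOCSPCerts test a stale value, and the `[ "$RET" -ne 0 ]` lines after generateAndExportSSLCerts and generateAndExportOCSPCerts ignore those functions' `return $ret`. The header comment still documents an invocation `sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]` that does not match the usage line at the bottom, `$0 <dest dir> <server cert name> [reuse CA cert] [cert req]`.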
@@ -0,0 +1,98 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+nss openssl iis
+
+#
+# SSL v3.0 cipher suites.
+#
+SSL3_RSA_WITH_NULL_MD5 NULL-MD5 i
+SSL3_RSA_WITH_NULL_SHA NULL-SHA z
+SSL3_RSA_WITH_RC4_128_MD5 RC4-MD5 c
+SSL3_RSA_WITH_RC4_128_SHA RC4-SHA n
+SSL3_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+SSL3_RSA_WITH_DES_CBC_SHA DES-CBC-SHA e
+SSL3_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA d
+
+SSL3_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA s
+SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA q
+SSL3_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+SSL3_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+SSL3_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+SSL3_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+SSL3_FORTEZZA_KEA_WITH_NULL_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_RC4_128_SHA Not_implemented.
+
+#
+# Next four added to have ciphers below for SSL3 protocol
+#
+SSL3_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+SSL3_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+#
+#TLS v1.0 cipher suites.
+#
+TLS_RSA_WITH_NULL_MD5 NULL-MD5
+TLS_RSA_WITH_NULL_SHA NULL-SHA
+TLS_RSA_WITH_RC4_128_MD5 RC4-MD5
+TLS_RSA_WITH_RC4_128_SHA RC4-SHA
+TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
+TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
+
+TLS_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
+TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+#
+#AES ciphersuites from RFC3268, extending TLS v1.0
+#
+
+TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
+TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
+TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
+TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA
+
+TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
+TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
+TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA
+TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
+
+TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
+TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
+
+#
+#Additional cipher suites
+#
+#Note: these ciphers can also be used in SSL v3.
+#
+TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
+
+#
+# FIPS cipher list
+#
+TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+TLS_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
diff --git a/security/nss/tests/iopr/server_scr/client.cgi b/security/nss/tests/iopr/server_scr/client.cgi
new file mode 100644
index 0000000000..581ad06d1e
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/client.cgi
@@ -0,0 +1,526 @@
+#!/usr/bin/perl
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#--------------------------------------------------------------
+# cgi script that parses request argument to appropriate
+# open ssl or tstclntw options and starts ssl client.
+#
+
+use CGI qw/:standard/;
+
+use subs qw(debug);
+
+#--------------------------------------------------------------
+# Prints out an error string and exits the script with an
+# exitStatus.
+# Param:
+# str : an error string
+# exitStat: an exit status of the program
+#
+sub svr_error {
+ my ($str, $exitStat) = @_;
+
+ if (!defined $str || $str eq "") {
+ $str = $ERR;
+ }
+ print "SERVER ERROR: $str\n";
+ if ($exitStat) {
+ print end_html if ($osDataArr{wservRun});
+ exit $exitStat;
+ }
+}
+
+#--------------------------------------------------------------
+# Prints out a debug message
+# Params:
+# str: debug message
+# inVal: additional value to print(optional)
+#
+sub debug {
+ my ($str, $inVal) = @_;
+
+ print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1);
+}
+
+
+#--------------------------------------------------------------
+# Initializes execution context depending on a webserver the
+# script is running under.
+#
+sub init {
+ %osDataArr = (
+ loadSupportedCipthersFn => \&osSpecific,
+ cipherIsSupportedFn => \&verifyCipherSupport,
+ cipherListFn => \&convertCipher,
+ buildCipherTableFn => \&buildCipherTable,
+ execCmdFn => \&osSpecific,
+ );
+
+ $scriptName = $ENV{'SCRIPT_NAME'};
+ if (!defined $scriptName) {
+ $DEBUG=1;
+ debug "Debug is ON";
+ }
+ $DEBUG=1;
+
+ $svrSoft = $ENV{'SERVER_SOFTWARE'};
+ if (defined $svrSoft) {
+ $_ = $svrSoft;
+ /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS");
+ /.*Apache.*/ && ($osDataArr{wserv} = "Apache");
+ $osDataArr{wservRun} = 1;
+ } else {
+ $osDataArr{wserv} = "Apache";
+ $osDataArr{wservRun} = 0;
+ }
+}
+
+#--------------------------------------------------------------
+# Function-spigot to handle errors is OS specific functions are
+# not implemented for a particular OS.
+# Returns:
+# always returns 0(failure)
+#
+sub osSpecific {
+ $ERR = "This function should be swapped to os specific function.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Sets os specific execution context values.
+# Returns:
+# 1 upon success, or 0 upon failure(if OS was not recognized)
+#
+sub setFunctRefs {
+
+ debug("Entering setFunctRefs function", $osDataArr{wserv});
+
+ if ($osDataArr{wserv} eq "Apache") {
+ $osDataArr{osConfigFile} = "apache_unix.cfg";
+ $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL';
+ $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix;
+ $osDataArr{execCmdFn} = \&execClientCmd_Unix;
+ } elsif ($osDataArr{wserv} eq "IIS") {
+ $osDataArr{osConfigFile} = "iis_windows.cfg";
+ $osDataArr{suppCiphersCmd} = '$tstclntwb';
+ $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win;
+ $osDataArr{execCmdFn} = \&execClientCmd_Win;
+ } else {
+ $ERR = "Unknown Web Server type.";
+ return 0;
+ }
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Parses data from HTTP request. Will print a form if request
+# does not contain sufficient number of parameters.
+# Returns:
+# 1 if request has sufficient number of parameters
+# 0 if not.
+sub getReqData {
+ my $debug = param('debug');
+ $in_host = param('host');
+ $in_port = param('port');
+ $in_cert = param('cert');
+ $in_cipher = param('cipher');
+
+ if (!$osDataArr{wservRun}) {
+ $in_host="goa1";
+ $in_port="443";
+ $in_cert="TestUser511";
+ $in_cipher = "SSL3_RSA_WITH_NULL_SHA";
+ }
+
+ debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher");
+
+ if (defined $debug && $debug == "debug on") {
+ $DEBUG = 1;
+ }
+
+ if (!defined $in_host || $in_host eq "" ||
+ !defined $in_port || $in_port eq "" ||
+ !defined $in_cert || $in_cert eq "") {
+ if ($osDataArr{wservRun}) {
+ print h1('Command description form:'),
+ start_form(-method=>"get"),
+ "Host: ",textfield('host'),p,
+ "Port: ",textfield('port'),p,
+ "Cert: ",textfield('cert'),p,
+ "Cipher: ",textfield('cipher'),p,
+ checkbox_group(-name=>'debug',
+ -values=>['debug on ']),
+ submit,
+ end_form,
+ hr;
+ } else {
+ print "Printing html form to get client arguments\n";
+ }
+ $ERR = "the following parameters are required: host, port, cert";
+ return 0;
+ } else {
+ print "<pre>" if ($osDataArr{wservRun});
+ return 1;
+ }
+}
+
+
+#--------------------------------------------------------------
+# Building cipher conversion table from file based on the OS.
+# Params:
+# tfile: cipher conversion file.
+# sysName: system name
+# tblPrt: returned pointer to a table.
+sub buildCipherTable {
+ my ($tfile, $sysName, $tblPrt) = @_;
+ my @retArr = @$tblPrt;
+ my %table, %rtable;
+ my $strCount = 0;
+
+ debug("Entering getReqData function", "$tfile:$sysName:$tblPrt");
+
+ ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/);
+ if (!open(TFILE, "$tfile")) {
+ $ERR = "Missing cipher conversion table file.";
+ return 0;
+ }
+ foreach (<TFILE>) {
+ chop;
+ /^#.*/ && next;
+ /^\s*$/ && next;
+ if ($strCount++ == 0) {
+ my @sysArr = split /\s+/;
+ $colCount = 0;
+ for (;$colCount <= $#sysArr;$colCount++) {
+ last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/);
+ }
+ next;
+ }
+ my @ciphArr = split /\s+/, $_;
+ $table{$ciphArr[0]} = $ciphArr[$colCount];
+ $rtable{$ciphArr[$colCount]} = $ciphArr[0];
+ }
+ close(TFILE);
+ $cipherTablePtr[0] = \%table;
+ $cipherTablePtr[1] = \%rtable;
+ return 1
+}
+
+#--------------------------------------------------------------
+# Client configuration function. Loads client configuration file.
+# Initiates cipher table. Loads cipher list supported by ssl client.
+#
+sub configClient {
+
+ debug "Entering configClient function";
+
+ my $res = &setFunctRefs();
+ return $res if (!$res);
+
+ open(CFILE, $osDataArr{'osConfigFile'}) ||
+ ($ERR = "Missing configuration file." && return 0);
+ foreach (<CFILE>) {
+ /^#.*/ && next;
+ chop;
+ eval $_;
+ }
+ close(CFILE);
+
+ local @cipherTablePtr = ();
+ $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0;
+ $osDataArr{cipherTable} = $cipherTablePtr[0];
+ $osDataArr{rcipherTable} = $cipherTablePtr[1];
+
+ local $suppCiphersTablePrt;
+ &{$osDataArr{'loadSupportedCipthersFn'}} || return 0;
+ $osDataArr{suppCiphersTable} = $suppCiphersTablePrt;
+}
+
+#--------------------------------------------------------------
+# Verifies that a particular cipher is supported.
+# Params:
+# checkCipher: cipher name
+# Returns:
+# 1 - cipher is supported(also echos the cipher).
+# 0 - not supported.
+#
+sub verifyCipherSupport {
+ my ($checkCipher) = @_;
+ my @suppCiphersTable = @{$osDataArr{suppCiphersTable}};
+
+ debug("Entering verifyCipherSupport", $checkCipher);
+ foreach (@suppCiphersTable) {
+ return 1 if ($checkCipher eq $_);
+ }
+ $ERR = "cipher is not supported.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Converts long(?name of the type?) cipher name to
+# openssl/tstclntw cipher name.
+# Returns:
+# 0 if cipher was not listed. 1 upon success.
+#
+sub convertCipher {
+ my ($cipher) = @_;
+ my @retList;
+ my $resStr;
+ my %cipherTable = %{$osDataArr{cipherTable}};
+
+ debug("Entering convertCipher", $cipher);
+ if (defined $cipher) {
+ my $cphr = $cipherTable{$cipher};
+ if (!defined $cphr) {
+ $ERR = "cipher is not listed.";
+ return 0;
+ }
+ &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0;
+ $ciphers = "$cphr";
+ return 1;
+ }
+ return 0;
+}
+
+#################################################################
+# UNIX Apache Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Unix {
+ my @arr, @suppCiphersTable;
+
+ debug "Entering getSupportedCipherList_Unix function";
+
+ eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+ if (!open (OUT, "$sLisrCmd|")) {
+ $ERR="Can not run command to verify supported cipher list.";
+ return 0;
+ }
+ @arr = <OUT>;
+ chop $arr[0];
+ @suppCiphersTable = split /:/, $arr[0];
+ debug("Supported ciphers", $arr[0]);
+ $suppCiphersTablePrt = \@suppCiphersTable;
+ close(OUT);
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Unix {
+ my $proto;
+ local $ciphers;
+
+ debug "Entering execClientCmd_Unix";
+ if (defined $in_cipher && $in_cipher ne "") {
+ my @arr = split /_/, $in_cipher, 2;
+ $proto = "-".$arr[0];
+ $proto =~ tr /SLT/slt/;
+ $proto = "-tls1" if ($proto eq "-tls");
+ return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+ $ciphers = "-cipher $ciphers";
+ debug("Return from cipher conversion", "$ciphers");
+ }
+
+ eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+ debug("Executing command", $command);
+ if (!open CMD_OUT, "$command 2>&1 |") {
+ $ERR = "can not launch client";
+ return 0;
+ }
+
+ my @cmdOutArr = <CMD_OUT>;
+
+ foreach (@cmdOutArr) {
+ print $_;
+ }
+
+ my $haveVerify = 0;
+ my $haveErrors = 0;
+ foreach (@cmdOutArr) {
+ chop;
+ if (/unknown option/) {
+ $haveErrors++;
+ svr_error "unknown option\n";
+ next;
+ }
+ if (/:no ciphers available/) {
+ $haveErrors++;
+ svr_error "no cipthers available\n";
+ next;
+ }
+ if (/verify error:/) {
+ $haveErrors++;
+ svr_error "unable to do verification\n";
+ next;
+ }
+ if (/alert certificate revoked:/) {
+ $haveErrors++;
+ svr_error "attempt to connect with revoked sertificate\n";
+ next;
+ }
+ if (/(error|ERROR)/) {
+ $haveErrors++;
+ svr_error "found errors in server log\n";
+ next;
+ }
+ /verify return:1/ && ($haveVerify = 1);
+ }
+ if ($haveVerify == 0) {
+ svr_error "no 'verify return:1' found in server log\n";
+ $haveErrors++;
+ }
+
+ if ($haveErrors > 0) {
+ $ERR = "Have $haveErrors server errors";
+ debug "Exiting execClientCmd_Unix";
+ return 0;
+ }
+ debug "Exiting execClientCmd_Unix";
+ return 1;
+}
+
+#################################################################
+# Windows IIS Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Win {
+ my @arr, @suppCiphersTable;
+
+ debug "Entering getSupportedCipherList_Win function";
+
+ eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+ if (!open (OUT, "$sLisrCmd|")) {
+ $ERR="Can not run command to verify supported cipher list.";
+ return 0;
+ }
+ my $startCipherList = 0;
+ foreach (<OUT>) {
+ chop;
+ if ($startCipherList) {
+ /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1;
+ next;
+ }
+ /.*from list below.*/ && ($startCipherList = 1);
+ }
+ debug("Supported ciphers", join ':', @suppCiphersTable);
+ $suppCiphersTablePrt = \@suppCiphersTable;
+ close(OUT);
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Win {
+ my $proto;
+ local $ciphers;
+
+ debug "Entering execClientCmd_Win";
+ if (defined $in_cipher && $in_cipher ne "") {
+ my @arr = split /_/, $in_cipher, 2;
+ $proto = "-2 -3 -T";
+
+ $proto =~ s/-T// if ($arr[0] eq "TLS");
+ $proto =~ s/-3// if ($arr[0] eq "SSL3");
+ $proto =~ s/-2// if ($arr[0] eq "SSL2");
+ return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+ $ciphers = "-c $ciphers";
+ debug("Return from cipher conversion", $ciphers);
+ }
+
+ eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+ debug("Executing command", $command);
+ if (!open CMD_OUT, "$command 2>&1 |") {
+ $ERR = "can not launch client";
+ return 0;
+ }
+
+ my @cmdOutArr = <CMD_OUT>;
+
+ foreach (@cmdOutArr) {
+ print $_;
+ }
+
+ my $haveVerify = 0;
+ my $haveErrors = 0;
+ foreach (@cmdOutArr) {
+ chop;
+ if (/unknown option/) {
+ $haveErrors++;
+ svr_error "unknown option\n";
+ next;
+ }
+ if (/Error performing handshake/) {
+ $haveErrors++;
+ svr_error "Error performing handshake\n";
+ next;
+ }
+ if (/Error creating credentials/) {
+ $haveErrors++;
+ svr_error "Error creating credentials\n";
+ next;
+ }
+ if (/Error .* authenticating server credentials!/) {
+ $haveErrors++;
+ svr_error "Error authenticating server credentials\n";
+ next;
+ }
+ if (/(error|ERROR|Error)/) {
+ $haveErrors++;
+ svr_error "found errors in server log\n";
+ next;
+ }
+ }
+
+ if ($haveErrors > 0) {
+ $ERR = "Have $haveErrors server errors";
+ debug "Exiting execClientCmd_Win";
+ return 0;
+ }
+ debug "Exiting execClientCmd_Win";
+ return 1;
+}
+
+#################################################################
+# Main line of execution
+#----------------------------------------------------------------
+&init;
+
+if ($osDataArr{wservRun}) {
+ print header('text/html').
+ start_html('iopr client');
+}
+
+print "SCRIPT=OK\n";
+
+if (!&getReqData) {
+ svr_error($ERR, 1);
+}
+
+if (!&configClient) {
+ svr_error($ERR, 1);
+}
+
+&{$osDataArr{'execCmdFn'}} || svr_error;
+
+if ($osDataArr{wservRun}) {
+ print "</pre>";
+ print end_html;
+}
diff --git a/security/nss/tests/iopr/server_scr/config b/security/nss/tests/iopr/server_scr/config
new file mode 100644
index 0000000000..9e65b926c8
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/config
@@ -0,0 +1,17 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+userCertNames="TestUser510 TestUser511"
+userRevokedCertNames="TestUser510"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+supportedTests="SslSingleHs"
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsPort=443
+SslSingleHsUrl=/
+SslSingleHsParam=NOAUTH:NOCOV:NOCRL
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 / NOAUTH:NOCOV:NOCRL"
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 /"
diff --git a/security/nss/tests/iopr/server_scr/iis_windows.cfg b/security/nss/tests/iopr/server_scr/iis_windows.cfg
new file mode 100644
index 0000000000..76499b8b61
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iis_windows.cfg
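Review bot: The request parameters `host`, `port` and `cert` read in getReqData reach the shell unvalidated: setFunctRefs embeds them in `clientRunCmd`, execClientCmd_Unix and execClientCmd_Win expand that template with `eval '$command = "'...'"'` and run it through `open CMD_OUT, "$command 2>&1 |"`, and the only check on the way is that each value is non-empty, so shell metacharacters in a request become part of the command and `cert` is additionally used as an unescaped path component (`$certDir/$in_cert.crt`). Add a whitelist check in getReqData ahead of the emptiness test, setting `$ERR` and returning 0 on failure: `return 0 unless $in_host =~ /^[A-Za-z0-9.-]+$/;`, `return 0 unless $in_port =~ /^\d{1,5}$/;`, `return 0 unless $in_cert =~ /^[A-Za-z0-9_-]+$/;` (`cipher` is already constrained, since convertCipher rejects any value that is not a key in the cipher table before the command is built). Better still, drop the string-eval and build an argument list for the list form of `open`, which keeps the shell out of the path entirely. Two smaller defects in the same file: `$debug == "debug on"` in getReqData is a numeric comparison that is true for any defined value (it should be `eq`, and the checkbox value it is compared with is `'debug on '` with a trailing space), and the unconditional `$DEBUG=1;` after the `if` in init makes the debug-off path unreachable.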
@@ -0,0 +1,33 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# IIS windows configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "iis";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed tstclntb binary
+#
+$tstclntwb = "./tstclntw.exe";
+
+#
+# HTTP Request file
+#
+$reqFile = "sslreq.dat";
+
+
diff --git a/security/nss/tests/iopr/server_scr/iopr_server.cfg b/security/nss/tests/iopr/server_scr/iopr_server.cfg
new file mode 100644
index 0000000000..2b196e0154
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iopr_server.cfg
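Review bot: `$cipherTableFile = "cipher.list";`, `$tstclntwb = "./tstclntw.exe";` and `$reqFile = "sslreq.dat";` are relative paths, so they resolve against whatever working directory IIS gives the CGI process, whereas apache_unix.cfg in this commit anchors the equivalent values under `$apacheHttpd`. Anchor them here too, e.g. `$ioprRoot = "<install-dir>";` (placeholder to be filled in at install time) followed by `$tstclntwb = "$ioprRoot/tstclntw.exe";` and the same for the other two, keeping the root assignment above its uses because client.cgi evaluates the file line by line. The comment `# Location of installed tstclntb binary` misnames the tool; it should read `tstclntw`.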
@@ -0,0 +1,67 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+
+#old values
+userCertNames="TestUser510-rsa TestUser512-rsa"
+userRevokedCertNames="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+supportedTests="SslSingleHs SslSecondHs"
+#supportedTests="SslSecondHs"
+
+
+downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt"
+# Keep a space at the end of
+SslClntValidCertName="TestUser512-rsa"
+SslClntRevokedCertName="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+
+supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder"
+
+#
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsDescr="ssl with single handshake without client cert auth"
+SslSingleHsPort=443
+SslSingleHsUrl=/iopr_test/test_pg.html
+SslSingleHsParam=NOAUTH
+
+#
+# SslSecondHs: ssl with secondary hs when accessing direcory
+# that requires cert verification
+SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification"
+SslSecondHsPort=443
+SslSecondHsUrl=/iopr_test_2hs/test_pg.html
+SslSecondHsParam=NOCOV
+
+#
+# OcspTrustedResponder - trusted responder key is used to sign OCSP response
+#
+OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response"
+OcspTrustedResponderProto=http
+OcspTrustedResponderPort=2560
+OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa
+OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa"
+OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa"
+OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa"
+
+#
+# OcspResponderCA - CA key is used to sign OCSP response
+#
+OcspResponderCADescr="CA key is used to sign OCSP response"
+OcspResponderCAValidCertNames="ocspRCATestUser518-rsa"
+OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa"
+OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa"
+
+#
+# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response
+#
+OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response"
+OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa"
+OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa"
+OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa"
diff --git a/security/nss/tests/iopr/server_scr/sslreq.dat b/security/nss/tests/iopr/server_scr/sslreq.dat
new file mode 100644
index 0000000000..2f7ad7736e
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
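Review bot: `downloadFiles` and the three `...StatUnknownCertNames` entries name `ocspTRUnknownIssuerCert-rsa`, `ocspRCAUnknownIssuerCert-rsa` and `ocspDRUnknownIssuerCert-rsa`, but cert_gen.sh in this same commit creates them as `ocspTRUnkownIssuerCert`, `ocspRCAUnkownIssuerCert` and `ocspDRUnkownIssuerCert` (missing "n"), so the files this config expects are never produced and the status-unknown OCSP cases cannot run. Fix the spelling on one side; the `certName=` lines in generateAndExportOCSPCerts are the better place, since "Unknown" is the intended word and is what this config already uses. `reverseRunCGIScript` and `#reverseTestParam` are assigned twice, once under `#old values` and again after `SslClntRevokedCertName`; keep one copy. The comment `# Keep a space at the end of` is cut off and should say which value needs the trailing space, or be removed if nothing does.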
+