diff options
author | Robert Relyea <rrelyea@redhat.com> | 2015-12-15 09:33:00 -0800 |
---|---|---|
committer | Robert Relyea <rrelyea@redhat.com> | 2015-12-15 09:33:00 -0800 |
commit | cb498a841fe463e937f915db0e5102ab17470fc3 (patch) | |
tree | dc6c24776f4c99070637f1417ce4d01946edf825 /tests/ssl | |
parent | 95da51969b89add904c2b8928868d6ddad7202a8 (diff) | |
download | nss-hg-cb498a841fe463e937f915db0e5102ab17470fc3.tar.gz |
Bug 1009429 - enhancement: Make the algorithm selection in NSS more flexible
0007-Apply-the-NSS-policies-read-by-the-config-parameter
+ test cases
Diffstat (limited to 'tests/ssl')
-rwxr-xr-x | tests/ssl/ssl.sh | 128 | ||||
-rw-r--r-- | tests/ssl/sslpolicy.txt | 174 |
2 files changed, 302 insertions, 0 deletions
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh index ffa826109..f7f9ad89a 100755 --- a/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh @@ -65,6 +65,7 @@ ssl_init() SSLCOV=${QADIR}/ssl/sslcov.txt SSLAUTH=${QADIR}/ssl/sslauth.txt SSLSTRESS=${QADIR}/ssl/sslstress.txt + SSLPOLICY=${QADIR}/ssl/sslpolicy.txt REQUEST_FILE=${QADIR}/ssl/sslreq.dat #temparary files @@ -722,6 +723,127 @@ ssl_crl_ssl() html "</TABLE><BR>" } +############################## ssl_cov ################################# +# local shell function to perform SSL Policy tests +######################################################################## +ssl_policy() +{ + html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" + + testname="" + if [ -z "$NSS_DISABLE_ECC" ] ; then + sparam="$CLONG" + else + sparam="$CSHORT" + fi + + if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then + return; + fi + + echo "Saving pkcs11.txt" + cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav + + mixed=0 + start_selfserv # Launch the server + + VMIN="ssl3" + VMAX="tls1.2" + + exec < ${SSLPOLICY} + while read value ectype testmax param policy testname + do + SSL2_FLAGS= + VMIN="ssl3" + + if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "`echo $value | cut -b 1`" != "#" ] ; then + echo "$SCRIPTNAME: running $testname ----------------------------" + VMAX="ssl3" + if [ "$testmax" = "TLS10" ]; then + VMAX="tls1.0" + fi + if [ "$testmax" = "TLS11" ]; then + VMAX="tls1.1" + fi + if [ "$testmax" = "TLS12" ]; then + VMAX="tls1.2" + fi + +# These five tests need an EC cert signed with RSA +# This requires a different certificate loaded in selfserv +# due to a (current) NSS limitation of only loaded one cert +# per type so the default selfserv setup will not work. +#:C00B TLS ECDH RSA WITH NULL SHA +#:C00C TLS ECDH RSA WITH RC4 128 SHA +#:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA +#:C00E TLS ECDH RSA WITH AES 128 CBC SHA +#:C00F TLS ECDH RSA WITH AES 256 CBC SHA + + if [ $mixed -eq 0 ]; then + if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then + kill_selfserv + start_selfserv mixed + mixed=1 + else + is_selfserv_alive + fi + else + if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then + is_selfserv_alive + else + kill_selfserv + start_selfserv + mixed=0 + fi + fi + + # load the policy + policy=`echo ${policy} | sed -e 's;_; ;g'` + + cat > ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) +++EOF++ + echo "config=${policy}" >> ${P_R_CLIENTDIR}/pkcs11.txt + echo "" >> ${P_R_CLIENTDIR}/pkcs11.txt + echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so"" >> ${P_R_CLIENTDIR}/pkcs11.txt >> ${P_R_CLIENTDIR}/pkcs11.txt + cat >> ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++ +name=RootCerts +NSS=trustOrder=100 +++EOF++ + + echo "******************************Testing with: " + cat ${P_R_CLIENTDIR}/pkcs11.txt + echo "******************************" + + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + #workaround for bug #402058 + [ $ret -ne 0 ] && ret=1 + [ ${value} -ne 0 ] && value=1 + + html_msg $ret ${value} "${testname}" \ + "produced a returncode of $ret, expected is ${value}" + fi + done + cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt + + kill_selfserv + html "</TABLE><BR>" +} ############################# is_revoked ############################### # local shell function to check if certificate is revoked ######################################################################## @@ -832,6 +954,7 @@ _EOF_REQUEST_ echo "================= CRL Reloaded =============" } + ########################### ssl_crl_cache ############################## # local shell function to perform SSL test for crl cache functionality # with/out revoked certs @@ -1093,6 +1216,11 @@ ssl_run_tests() for SSL_TEST in ${NSS_SSL_TESTS} do case "${SSL_TEST}" in + "policy") + if [ "${TEST_MODE}" = "SHARED_DB" ] ; then + ssl_policy + fi + ;; "crl") ssl_crl_ssl ssl_crl_cache diff --git a/tests/ssl/sslpolicy.txt b/tests/ssl/sslpolicy.txt new file mode 100644 index 000000000..82c15d2af --- /dev/null +++ b/tests/ssl/sslpolicy.txt @@ -0,0 +1,174 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables policy testing +# +# The policy string is set to the config= line in the pkcs11.txt +# it currently has 2 keywords: +# +# disallow= turn off the use of this algorithm by policy. +# allow= allow this algorithm to by used if selected by policy. +# +# The syntax is disallow=algorithm{/uses}:algorithm{/uses} +# where {} signifies an optional element +# +# valid algorithms are: +# ECC curves: +# PRIME192V1 +# PRIME192V2 +# PRIME192V3 +# PRIME239V1 +# PRIME239V2 +# PRIME239V3 +# PRIME256V1 +# SECP112R1 +# SECP112R2 +# SECP128R1 +# SECP128R2 +# SECP160K1 +# SECP160R1 +# SECP160R2 +# SECP192K1 +# SECP192R1 +# SECP224K1 +# SECP256K1 +# SECP256R1 +# SECP384R1 +# SECP521R1 +# C2PNB163V1 +# C2PNB163V2 +# C2PNB163V3 +# C2PNB176V1 +# C2TNB191V1 +# C2TNB191V2 +# C2TNB191V3 +# C2ONB191V4 +# C2ONB191V5 +# C2PNB208W1 +# C2TNB239V1 +# C2TNB239V2 +# C2TNB239V3 +# C2ONB239V4 +# C2ONB239V5 +# C2PNB272W1 +# C2PNB304W1 +# C2TNB359V1 +# C2PNB368W1 +# C2TNB431R1 +# SECT113R1 +# SECT131R1 +# SECT131R1 +# SECT131R2 +# SECT163K1 +# SECT163R1 +# SECT163R2 +# SECT193R1 +# SECT193R2 +# SECT233K1 +# SECT233R1 +# SECT239K1 +# SECT283K1 +# SECT283R1 +# SECT409K1 +# SECT409R1 +# SECT571K1 +# SECT571R1 +# Hashes: +# MD2 +# MD4 +# MD5 +# SHA1 +# SHA224 +# SHA256 +# SHA384 +# SHA512 +# MACs: +# HMAC-SHA1 +# HMAC-SHA224 +# HMAC-SHA256 +# HMAC-SHA384 +# HMAC-SHA512 +# HMAC-MD5 +# Ciphers: +# AES128-CBC +# AES192-CBC +# AES256-CBC +# AES128-GCM +# AES192-GCM +# AES256-GCM +# CAMELLIA128-CBC +# CAMELLIA192-CBC +# CAMELLIA256-CBC +# SEED-CBC +# DES-EDE3-CBC +# DES-40-CBC +# DES-CBC +# NULL-CIPHER +# RC2 +# RC4 +# IDEA +# Key exchange +# RSA +# RSA-EXPORT +# DHE-RSA +# DHE-DSS +# DH-RSA +# DH-DSS +# ECDHE-ECDSA +# ECDHE-RSA +# ECDH-ECDSA +# ECDH-RSA +# SSL Versions +# SSL2.0 +# SSL3.0 +# TLS1.0 +# TLS1.1 +# TLS1.2 +# DTLS1.1 +# DTLS1.2 +# Include all of the above: +# ALL +#----------------------------------------------- +# Uses are: +# ssl +# ssl-key-exchange +# key-exchange (includes ssl-key-exchange) +# cert-signature +# signature (includes cert-signature) +# all (includes all of the above) +#----------------------------------------------- +# In addition there are the following options: +# min-rsa +# min-dh +# min-dsa +# they have the following syntax: +# allow=min-rsa=512:min-dh=1024 +# +# Exp Enable Enable Cipher Config Policy Test Name +# Ret EC TLS +# turn on single cipher + 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy + 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy + 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly + 1 noECC SSL3 d disallow=all Disallow All Explicitly. +# turn off signature only + 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly. + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly. +# turn off single cipher + 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly. +# turn off H-Mac + 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly + 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly. +# turn off key exchange + 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly. + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly. +# turn off version + 1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly. |