Bug 1363981 - Update tests to use SSLProtocolVariant instead of Mode, r=ttaubert
authorMartin Thomson <martin.thomson@gmail.com>
Mon, 01 May 2017 08:53:54 +1000
changeset 13346 16e507e54552e881c07b4864cbf8863a49122bcc
parent 13345 47eb8450e8ea14a558c41a0c3359b2ffb5eae994
child 13347 11dde606220d799eb7cc38107b35ae9672f409ce
child 13348 f161a5fb1bf1dccabebaa719ccf134bf41224b26
push id2188
push usermartin.thomson@gmail.com
push dateFri, 12 May 2017 01:34:11 +0000
reviewersttaubert
bugs1363981
Bug 1363981 - Update tests to use SSLProtocolVariant instead of Mode, r=ttaubert
cpputil/tls_parser.h
gtests/ssl_gtest/ssl_0rtt_unittest.cc
gtests/ssl_gtest/ssl_agent_unittest.cc
gtests/ssl_gtest/ssl_auth_unittest.cc
gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
gtests/ssl_gtest/ssl_damage_unittest.cc
gtests/ssl_gtest/ssl_dhe_unittest.cc
gtests/ssl_gtest/ssl_ecdh_unittest.cc
gtests/ssl_gtest/ssl_extension_unittest.cc
gtests/ssl_gtest/ssl_gather_unittest.cc
gtests/ssl_gtest/ssl_hrr_unittest.cc
gtests/ssl_gtest/ssl_loopback_unittest.cc
gtests/ssl_gtest/ssl_resumption_unittest.cc
gtests/ssl_gtest/ssl_skip_unittest.cc
gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
gtests/ssl_gtest/ssl_version_unittest.cc
gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
gtests/ssl_gtest/test_io.cc
gtests/ssl_gtest/test_io.h
gtests/ssl_gtest/tls_agent.cc
gtests/ssl_gtest/tls_agent.h
gtests/ssl_gtest/tls_connect.cc
gtests/ssl_gtest/tls_connect.h
--- a/cpputil/tls_parser.h
+++ b/cpputil/tls_parser.h
@@ -11,17 +11,16 @@
 #include <cstring>
 #include <memory>
 #if defined(WIN32) || defined(WIN64)
 #include <winsock2.h>
 #else
 #include <arpa/inet.h>
 #endif
 #include "databuffer.h"
-
 #include "sslt.h"
 
 namespace nss_test {
 
 const uint8_t kTlsChangeCipherSpecType = 20;
 const uint8_t kTlsAlertType = 21;
 const uint8_t kTlsHandshakeType = 22;
 const uint8_t kTlsApplicationDataType = 23;
@@ -74,16 +73,20 @@ const uint8_t kTlsFakeChangeCipherSpec[]
     0x01   // Value
 };
 
 static const uint8_t kTls13PskKe = 0;
 static const uint8_t kTls13PskDhKe = 1;
 static const uint8_t kTls13PskAuth = 0;
 static const uint8_t kTls13PskSignAuth = 1;
 
+inline std::ostream& operator<<(std::ostream& os, SSLProtocolVariant v) {
+  return os << ((v == ssl_variant_stream) ? "TLS" : "DTLS");
+}
+
 inline bool IsDtls(uint16_t version) { return (version & 0x8000) == 0x8000; }
 
 inline uint16_t NormalizeTlsVersion(uint16_t version) {
   if (version == 0xfeff) {
     return 0x0302;  // special: DTLS 1.0 == TLS 1.1
   }
   if (IsDtls(version)) {
     return (version ^ 0xffff) + 0x0201;
@@ -130,15 +133,11 @@ class TlsParser {
  private:
   void consume(size_t len) { offset_ += len; }
   const uint8_t* ptr() const { return buffer_.data() + offset_; }
 
   DataBuffer buffer_;
   size_t offset_;
 };
 
-inline std::ostream& operator<<(std::ostream& os, SSLProtocolVariant v) {
-  return os << ((v == ssl_variant_stream) ? "TLS" : "DTLS");
-}
-
 }  // namespace nss_test
 
 #endif
--- a/gtests/ssl_gtest/ssl_0rtt_unittest.cc
+++ b/gtests/ssl_gtest/ssl_0rtt_unittest.cc
@@ -222,27 +222,27 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRtt
   server_->StartConnect();
 
   // We will send the early data xtn without sending actual early data. Thus
   // a 1.2 server shouldn't fail until the client sends an alert because the
   // client sends end_of_early_data only after reading the server's flight.
   client_->Set0RttEnabled(true);
 
   client_->ExpectSendAlert(kTlsAlertIllegalParameter);
-  if (mode_ == STREAM) {
+  if (variant_ == ssl_variant_stream) {
     server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   }
   client_->Handshake();
   server_->Handshake();
   ASSERT_TRUE_WAIT(
       (client_->error_code() == SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA), 2000);
 
   // DTLS will timeout as we bump the epoch when installing the early app data
   // cipher suite. Thus the encrypted alert will be ignored.
-  if (mode_ == STREAM) {
+  if (variant_ == ssl_variant_stream) {
     // The client sends an encrypted alert message.
     ASSERT_TRUE_WAIT(
         (server_->error_code() == SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA),
         2000);
   }
 }
 
 // The client should abort the connection when sending a 0-rtt handshake but
@@ -264,30 +264,30 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRtt
   client_->StartConnect();
   server_->StartConnect();
 
   // Send the early data xtn in the CH, followed by early app data. The server
   // will fail right after sending its flight, when receiving the early data.
   client_->Set0RttEnabled(true);
   ZeroRttSendReceive(true, false, [this]() {
     client_->ExpectSendAlert(kTlsAlertIllegalParameter);
-    if (mode_ == STREAM) {
+    if (variant_ == ssl_variant_stream) {
       server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
     }
     return true;
   });
 
   client_->Handshake();
   server_->Handshake();
   ASSERT_TRUE_WAIT(
       (client_->error_code() == SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA), 2000);
 
   // DTLS will timeout as we bump the epoch when installing the early app data
   // cipher suite. Thus the encrypted alert will be ignored.
-  if (mode_ == STREAM) {
+  if (variant_ == ssl_variant_stream) {
     // The server sends an alert when receiving the early app data record.
     ASSERT_TRUE_WAIT(
         (server_->error_code() == SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA),
         2000);
   }
 }
 
 static void CheckEarlyDataLimit(const std::shared_ptr<TlsAgent>& agent,
@@ -311,17 +311,17 @@ TEST_P(TlsConnectTls13, SendTooMuchEarly
   ExpectResumption(RESUME_TICKET);
 
   ExpectAlert(client_, kTlsAlertEndOfEarlyData);
   client_->Handshake();
   CheckEarlyDataLimit(client_, short_size);
 
   PRInt32 sent;
   // Writing more than the limit will succeed in TLS, but fail in DTLS.
-  if (mode_ == STREAM) {
+  if (variant_ == ssl_variant_stream) {
     sent = PR_Write(client_->ssl_fd(), big_message,
                     static_cast<PRInt32>(strlen(big_message)));
   } else {
     sent = PR_Write(client_->ssl_fd(), big_message,
                     static_cast<PRInt32>(strlen(big_message)));
     EXPECT_GE(0, sent);
     EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
 
@@ -372,31 +372,31 @@ TEST_P(TlsConnectTls13, ReceiveTooMuchEa
   EXPECT_EQ(SECSuccess,
             SSLInt_SetSocketMaxEarlyDataSize(client_->ssl_fd(), 1000));
 
   // Send message
   const char* message = "0123456789abcdef";
   const PRInt32 message_len = static_cast<PRInt32>(strlen(message));
   EXPECT_EQ(message_len, PR_Write(client_->ssl_fd(), message, message_len));
 
-  if (mode_ == STREAM) {
+  if (variant_ == ssl_variant_stream) {
     // This error isn't fatal for DTLS.
     ExpectAlert(server_, kTlsAlertUnexpectedMessage);
   }
   server_->Handshake();  // Process ClientHello, send server flight.
   server_->Handshake();  // Just to make sure that we don't read ahead.
   CheckEarlyDataLimit(server_, limit);
 
   // Attempt to read early data.
   std::vector<uint8_t> buf(strlen(message) + 1);
   EXPECT_GT(0, PR_Read(server_->ssl_fd(), buf.data(), buf.capacity()));
-  if (mode_ == STREAM) {
+  if (variant_ == ssl_variant_stream) {
     server_->CheckErrorCode(SSL_ERROR_TOO_MUCH_EARLY_DATA);
   }
 
   client_->Handshake();  // Process the handshake.
   client_->Handshake();  // Process the alert.
-  if (mode_ == STREAM) {
+  if (variant_ == ssl_variant_stream) {
     client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
   }
 }
 
 }  // namespace nss_test
--- a/gtests/ssl_gtest/ssl_agent_unittest.cc
+++ b/gtests/ssl_gtest/ssl_agent_unittest.cc
@@ -199,19 +199,20 @@ TEST_F(TlsAgentStreamTestServer, Set0Rtt
   ProcessMessage(buffer, TlsAgent::STATE_CONNECTING);
   MakeRecord(kTlsApplicationDataType, SSL_LIBRARY_VERSION_TLS_1_3,
              reinterpret_cast<const uint8_t *>(k0RttData), strlen(k0RttData),
              &buffer);
   ExpectAlert(kTlsAlertBadRecordMac);
   ProcessMessage(buffer, TlsAgent::STATE_ERROR, SSL_ERROR_BAD_MAC_READ);
 }
 
-INSTANTIATE_TEST_CASE_P(AgentTests, TlsAgentTest,
-                        ::testing::Combine(TlsAgentTestBase::kTlsRolesAll,
-                                           TlsConnectTestBase::kTlsModesStream,
-                                           TlsConnectTestBase::kTlsVAll));
+INSTANTIATE_TEST_CASE_P(
+    AgentTests, TlsAgentTest,
+    ::testing::Combine(TlsAgentTestBase::kTlsRolesAll,
+                       TlsConnectTestBase::kTlsVariantsStream,
+                       TlsConnectTestBase::kTlsVAll));
 INSTANTIATE_TEST_CASE_P(ClientTests, TlsAgentTestClient,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsVAll));
 INSTANTIATE_TEST_CASE_P(ClientTests13, TlsAgentTestClient13,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV13));
 }  // namespace nss_test
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -711,18 +711,18 @@ TEST_F(TlsAgentStreamTestServer, Configu
   EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaPss, false,
                                         &ServerCertDataRsaPkcs1Decrypt));
 
   // Configuring for only rsa_pss should work.
   EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaPss, false,
                                        &ServerCertDataRsaPss));
 }
 
-// mode, version, certificate, auth type, signature scheme
-typedef std::tuple<std::string, uint16_t, std::string, SSLAuthType,
+// variant, version, certificate, auth type, signature scheme
+typedef std::tuple<SSLProtocolVariant, uint16_t, std::string, SSLAuthType,
                    SSLSignatureScheme>
     SignatureSchemeProfile;
 
 class TlsSignatureSchemeConfiguration
     : public TlsConnectTestBase,
       public ::testing::WithParamInterface<SignatureSchemeProfile> {
  public:
   TlsSignatureSchemeConfiguration()
@@ -773,59 +773,59 @@ TEST_P(TlsSignatureSchemeConfiguration, 
   server_->SetSignatureSchemes(&signature_scheme_, 1);
   Connect();
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, auth_type_, signature_scheme_);
 }
 
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeRsa, TlsSignatureSchemeConfiguration,
     ::testing::Combine(
-        TlsConnectTestBase::kTlsModesAll, TlsConnectTestBase::kTlsV12Plus,
+        TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12Plus,
         ::testing::Values(TlsAgent::kServerRsaSign),
         ::testing::Values(ssl_auth_rsa_sign),
         ::testing::Values(ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
                           ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_sha256,
                           ssl_sig_rsa_pss_sha384)));
 // PSS with SHA-512 needs a bigger key to work.
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeBigRsa, TlsSignatureSchemeConfiguration,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                        TlsConnectTestBase::kTlsV12Plus,
                        ::testing::Values(TlsAgent::kRsa2048),
                        ::testing::Values(ssl_auth_rsa_sign),
                        ::testing::Values(ssl_sig_rsa_pss_sha512)));
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeRsaSha1, TlsSignatureSchemeConfiguration,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                        TlsConnectTestBase::kTlsV12,
                        ::testing::Values(TlsAgent::kServerRsa),
                        ::testing::Values(ssl_auth_rsa_sign),
                        ::testing::Values(ssl_sig_rsa_pkcs1_sha1)));
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeEcdsaP256, TlsSignatureSchemeConfiguration,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                        TlsConnectTestBase::kTlsV12Plus,
                        ::testing::Values(TlsAgent::kServerEcdsa256),
                        ::testing::Values(ssl_auth_ecdsa),
                        ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256)));
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                        TlsConnectTestBase::kTlsV12Plus,
                        ::testing::Values(TlsAgent::kServerEcdsa384),
                        ::testing::Values(ssl_auth_ecdsa),
                        ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384)));
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                        TlsConnectTestBase::kTlsV12Plus,
                        ::testing::Values(TlsAgent::kServerEcdsa521),
                        ::testing::Values(ssl_auth_ecdsa),
                        ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512)));
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                        TlsConnectTestBase::kTlsV12,
                        ::testing::Values(TlsAgent::kServerEcdsa256,
                                          TlsAgent::kServerEcdsa384),
                        ::testing::Values(ssl_auth_ecdsa),
                        ::testing::Values(ssl_sig_ecdsa_sha1)));
 }
--- a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
@@ -17,27 +17,27 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
 #include "tls_connect.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
-// mode, version, cipher suite
-typedef std::tuple<std::string, uint16_t, uint16_t, SSLNamedGroup,
+// variant, version, cipher suite
+typedef std::tuple<SSLProtocolVariant, uint16_t, uint16_t, SSLNamedGroup,
                    SSLSignatureScheme>
     CipherSuiteProfile;
 
 class TlsCipherSuiteTestBase : public TlsConnectTestBase {
  public:
-  TlsCipherSuiteTestBase(const std::string &mode, uint16_t version,
+  TlsCipherSuiteTestBase(SSLProtocolVariant variant, uint16_t version,
                          uint16_t cipher_suite, SSLNamedGroup group,
                          SSLSignatureScheme signature_scheme)
-      : TlsConnectTestBase(mode, version),
+      : TlsConnectTestBase(variant, version),
         cipher_suite_(cipher_suite),
         group_(group),
         signature_scheme_(signature_scheme),
         csinfo_({0}) {
     SECStatus rv =
         SSL_GetCipherSuiteInfo(cipher_suite_, &csinfo_, sizeof(csinfo_));
     EXPECT_EQ(SECSuccess, rv);
     if (rv == SECSuccess) {
@@ -254,26 +254,26 @@ TEST_P(TlsCipherSuiteTest, ReadLimit) {
   server_->ReadBytes();  // This should be OK.
 
   // The payload needs to be big enough to pass for encrypted.  In the extreme
   // case (TLS 1.3), this means 1 for payload, 1 for content type and 16 for
   // authentication tag.
   static const uint8_t payload[18] = {6};
   DataBuffer record;
   uint64_t epoch;
-  if (mode_ == DGRAM) {
+  if (variant_ == ssl_variant_datagram) {
     if (version_ == SSL_LIBRARY_VERSION_TLS_1_3) {
       epoch = 3;  // Application traffic keys.
     } else {
       epoch = 1;
     }
   } else {
     epoch = 0;
   }
-  TlsAgentTestBase::MakeRecord(mode_, kTlsApplicationDataType, version_,
+  TlsAgentTestBase::MakeRecord(variant_, kTlsApplicationDataType, version_,
                                payload, sizeof(payload), &record,
                                (epoch << 48) | record_limit());
   server_->adapter()->PacketReceived(record);
   server_->ExpectReadWriteError();
   server_->ReadBytes();
   EXPECT_EQ(SSL_ERROR_TOO_MANY_RECORDS, server_->error_code());
 }
 
@@ -291,17 +291,17 @@ TEST_P(TlsCipherSuiteTest, WriteLimit) {
 
 // This awful macro makes the test instantiations easier to read.
 #define INSTANTIATE_CIPHER_TEST_P(name, modes, versions, groups, sigalgs, ...) \
   static const uint16_t k##name##CiphersArr[] = {__VA_ARGS__};                 \
   static const ::testing::internal::ParamGenerator<uint16_t>                   \
       k##name##Ciphers = ::testing::ValuesIn(k##name##CiphersArr);             \
   INSTANTIATE_TEST_CASE_P(                                                     \
       CipherSuite##name, TlsCipherSuiteTest,                                   \
-      ::testing::Combine(TlsConnectTestBase::kTlsModes##modes,                 \
+      ::testing::Combine(TlsConnectTestBase::kTlsVariants##modes,              \
                          TlsConnectTestBase::kTls##versions, k##name##Ciphers, \
                          groups, sigalgs));
 
 static const auto kDummyNamedGroupParams = ::testing::Values(ssl_grp_none);
 static const auto kDummySignatureSchemesParams =
     ::testing::Values(ssl_sig_none);
 
 #ifndef NSS_DISABLE_TLS_1_3
@@ -400,17 +400,17 @@ inline std::ostream &operator<<(std::ost
                 << "\", key size = " << vals.keySize;
 }
 
 class SecurityStatusTest
     : public TlsCipherSuiteTestBase,
       public ::testing::WithParamInterface<SecStatusParams> {
  public:
   SecurityStatusTest()
-      : TlsCipherSuiteTestBase("TLS", GetParam().version,
+      : TlsCipherSuiteTestBase(ssl_variant_stream, GetParam().version,
                                GetParam().cipher_suite, ssl_grp_none,
                                ssl_sig_none) {}
 };
 
 // SSL_SecurityStatus produces fairly useless output when compared to
 // SSL_GetCipherSuiteInfo and SSL_GetChannelInfo, but we can't break it, so we
 // need to check it.
 TEST_P(SecurityStatusTest, CheckSecurityStatus) {
--- a/gtests/ssl_gtest/ssl_damage_unittest.cc
+++ b/gtests/ssl_gtest/ssl_damage_unittest.cc
@@ -77,17 +77,17 @@ TEST_P(TlsConnectGenericPre13, DamageSer
 TEST_P(TlsConnectTls13, DamageServerSignature) {
   EnsureTlsSetup();
   auto filter =
       std::make_shared<TlsLastByteDamager>(kTlsHandshakeCertificateVerify);
   server_->SetTlsRecordFilter(filter);
   filter->EnableDecryption();
   client_->ExpectSendAlert(kTlsAlertDecryptError);
   // The server can't read the client's alert, so it also sends an alert.
-  if (mode_ == STREAM) {
+  if (variant_ == ssl_variant_stream) {
     server_->ExpectSendAlert(kTlsAlertBadRecordMac);
     ConnectExpectFail();
     server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
   } else {
     ConnectExpectFailOneSide(TlsAgent::CLIENT);
   }
   client_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
 }
--- a/gtests/ssl_gtest/ssl_dhe_unittest.cc
+++ b/gtests/ssl_gtest/ssl_dhe_unittest.cc
@@ -267,20 +267,21 @@ class TlsDheSkeChangeYClient : public Tl
     ChangeY(input, output, 0, server_filter_->prime());
     return CHANGE;
   }
 
  private:
   std::shared_ptr<const TlsDheSkeChangeYServer> server_filter_;
 };
 
-/* This matrix includes: mode (stream/datagram), TLS version, what change to
+/* This matrix includes: variant (stream/datagram), TLS version, what change to
  * make to dh_Ys, whether the client will be configured to require DH named
  * groups.  Test all combinations. */
-typedef std::tuple<std::string, uint16_t, TlsDheSkeChangeY::ChangeYTo, bool>
+typedef std::tuple<SSLProtocolVariant, uint16_t, TlsDheSkeChangeY::ChangeYTo,
+                   bool>
     DamageDHYProfile;
 class TlsDamageDHYTest
     : public TlsConnectTestBase,
       public ::testing::WithParamInterface<DamageDHYProfile> {
  public:
   TlsDamageDHYTest()
       : TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
 };
@@ -353,23 +354,23 @@ static const TlsDheSkeChangeY::ChangeYTo
     TlsDheSkeChangeY::kYPMinusOne, TlsDheSkeChangeY::kYGreaterThanP,
     TlsDheSkeChangeY::kYTooLarge,  TlsDheSkeChangeY::kYZeroPad};
 static ::testing::internal::ParamGenerator<TlsDheSkeChangeY::ChangeYTo> kAllY =
     ::testing::ValuesIn(kAllYArr);
 static const bool kTrueFalseArr[] = {true, false};
 static ::testing::internal::ParamGenerator<bool> kTrueFalse =
     ::testing::ValuesIn(kTrueFalseArr);
 
-INSTANTIATE_TEST_CASE_P(DamageYStream, TlsDamageDHYTest,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesStream,
-                                           TlsConnectTestBase::kTlsV10ToV12,
-                                           kAllY, kTrueFalse));
+INSTANTIATE_TEST_CASE_P(
+    DamageYStream, TlsDamageDHYTest,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
+                       TlsConnectTestBase::kTlsV10ToV12, kAllY, kTrueFalse));
 INSTANTIATE_TEST_CASE_P(
     DamageYDatagram, TlsDamageDHYTest,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesDatagram,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram,
                        TlsConnectTestBase::kTlsV11V12, kAllY, kTrueFalse));
 
 class TlsDheSkeMakePEven : public TlsHandshakeFilter {
  public:
   virtual PacketFilter::Action FilterHandshake(
       const TlsHandshakeFilter::HandshakeHeader& header,
       const DataBuffer& input, DataBuffer* output) {
     if (header.handshake_type() != kTlsHandshakeServerKeyExchange) {
--- a/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -569,18 +569,18 @@ TEST_P(TlsConnectGenericPre13, ConnectEC
 TEST_P(TlsConnectGenericPre13, ConnectECDHEmptyClientPoint) {
   // add packet filter
   client_->SetPacketFilter(std::make_shared<ECCClientKEXFilter>());
   ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
   server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH);
 }
 
 INSTANTIATE_TEST_CASE_P(KeyExchangeTest, TlsKeyExchangeTest,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV11Plus));
 
 #ifndef NSS_DISABLE_TLS_1_3
 INSTANTIATE_TEST_CASE_P(KeyExchangeTest, TlsKeyExchangeTest13,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV13));
 #endif
 
 }  // namespace nss_test
--- a/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/gtests/ssl_gtest/ssl_extension_unittest.cc
@@ -161,20 +161,18 @@ class TlsExtensionAppender : public TlsH
 
   const uint8_t handshake_type_;
   const uint16_t extension_;
   const DataBuffer data_;
 };
 
 class TlsExtensionTestBase : public TlsConnectTestBase {
  protected:
-  TlsExtensionTestBase(Mode mode, uint16_t version)
-      : TlsConnectTestBase(mode, version) {}
-  TlsExtensionTestBase(const std::string& mode, uint16_t version)
-      : TlsConnectTestBase(mode, version) {}
+  TlsExtensionTestBase(SSLProtocolVariant variant, uint16_t version)
+      : TlsConnectTestBase(variant, version) {}
 
   void ClientHelloErrorTest(std::shared_ptr<PacketFilter> filter,
                             uint8_t desc = kTlsAlertDecodeError) {
     client_->SetPacketFilter(filter);
     ConnectExpectAlert(server_, desc);
   }
 
   void ServerHelloErrorTest(std::shared_ptr<PacketFilter> filter,
@@ -211,39 +209,41 @@ class TlsExtensionTestBase : public TlsC
     client_->CheckErrorCode(client_error);
     server_->CheckErrorCode(server_error);
   }
 };
 
 class TlsExtensionTestDtls : public TlsExtensionTestBase,
                              public ::testing::WithParamInterface<uint16_t> {
  public:
-  TlsExtensionTestDtls() : TlsExtensionTestBase(DGRAM, GetParam()) {}
+  TlsExtensionTestDtls()
+      : TlsExtensionTestBase(ssl_variant_datagram, GetParam()) {}
 };
 
-class TlsExtensionTest12Plus
-    : public TlsExtensionTestBase,
-      public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+class TlsExtensionTest12Plus : public TlsExtensionTestBase,
+                               public ::testing::WithParamInterface<
+                                   std::tuple<SSLProtocolVariant, uint16_t>> {
  public:
   TlsExtensionTest12Plus()
       : TlsExtensionTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {
   }
 };
 
-class TlsExtensionTest12
-    : public TlsExtensionTestBase,
-      public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+class TlsExtensionTest12 : public TlsExtensionTestBase,
+                           public ::testing::WithParamInterface<
+                               std::tuple<SSLProtocolVariant, uint16_t>> {
  public:
   TlsExtensionTest12()
       : TlsExtensionTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {
   }
 };
 
-class TlsExtensionTest13 : public TlsExtensionTestBase,
-                           public ::testing::WithParamInterface<std::string> {
+class TlsExtensionTest13
+    : public TlsExtensionTestBase,
+      public ::testing::WithParamInterface<SSLProtocolVariant> {
  public:
   TlsExtensionTest13()
       : TlsExtensionTestBase(GetParam(), SSL_LIBRARY_VERSION_TLS_1_3) {}
 
   void ConnectWithBogusVersionList(const uint8_t* buf, size_t len) {
     DataBuffer versions_buf(buf, len);
     client_->SetPacketFilter(std::make_shared<TlsExtensionReplacer>(
         ssl_tls13_supported_versions_xtn, versions_buf));
@@ -261,31 +261,31 @@ class TlsExtensionTest13 : public TlsExt
         ssl_tls13_supported_versions_xtn, versions_buf));
     ConnectExpectFail();
   }
 };
 
 class TlsExtensionTest13Stream : public TlsExtensionTestBase {
  public:
   TlsExtensionTest13Stream()
-      : TlsExtensionTestBase(STREAM, SSL_LIBRARY_VERSION_TLS_1_3) {}
+      : TlsExtensionTestBase(ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_3) {}
 };
 
-class TlsExtensionTestGeneric
-    : public TlsExtensionTestBase,
-      public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+class TlsExtensionTestGeneric : public TlsExtensionTestBase,
+                                public ::testing::WithParamInterface<
+                                    std::tuple<SSLProtocolVariant, uint16_t>> {
  public:
   TlsExtensionTestGeneric()
       : TlsExtensionTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {
   }
 };
 
-class TlsExtensionTestPre13
-    : public TlsExtensionTestBase,
-      public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+class TlsExtensionTestPre13 : public TlsExtensionTestBase,
+                              public ::testing::WithParamInterface<
+                                  std::tuple<SSLProtocolVariant, uint16_t>> {
  public:
   TlsExtensionTestPre13()
       : TlsExtensionTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {
   }
 };
 
 TEST_P(TlsExtensionTestGeneric, DamageSniLength) {
   ClientHelloErrorTest(
@@ -987,19 +987,19 @@ TEST_P(TlsExtensionTest13, EmptyVersionL
 
 TEST_P(TlsExtensionTest13, OddVersionList) {
   static const uint8_t ext[] = {0x00, 0x01, 0x00};
   ConnectWithBogusVersionList(ext, sizeof(ext));
 }
 
 // TODO: this only tests extensions in server messages.  The client can extend
 // Certificate messages, which is not checked here.
-class TlsBogusExtensionTest
-    : public TlsConnectTestBase,
-      public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+class TlsBogusExtensionTest : public TlsConnectTestBase,
+                              public ::testing::WithParamInterface<
+                                  std::tuple<SSLProtocolVariant, uint16_t>> {
  public:
   TlsBogusExtensionTest()
       : TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
 
  protected:
   virtual void ConnectAndFail(uint8_t message) = 0;
 
   void AddFilter(uint8_t message, uint16_t extension) {
@@ -1039,17 +1039,17 @@ class TlsBogusExtensionTest13 : public T
 
     client_->StartConnect();
     server_->StartConnect();
     client_->Handshake();  // ClientHello
     server_->Handshake();  // ServerHello
 
     client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
     client_->Handshake();
-    if (mode_ == STREAM) {
+    if (variant_ == ssl_variant_stream) {
       server_->ExpectSendAlert(kTlsAlertBadRecordMac);
     }
     server_->Handshake();
   }
 };
 
 TEST_P(TlsBogusExtensionTestPre13, AddBogusExtensionServerHello) {
   Run(kTlsHandshakeServerHello);
@@ -1134,45 +1134,48 @@ TEST_P(TlsConnectStream, IncludePadding)
 
   auto capture = std::make_shared<TlsExtensionCapture>(ssl_padding_xtn);
   client_->SetPacketFilter(capture);
   client_->StartConnect();
   client_->Handshake();
   EXPECT_TRUE(capture->captured());
 }
 
-INSTANTIATE_TEST_CASE_P(ExtensionStream, TlsExtensionTestGeneric,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesStream,
-                                           TlsConnectTestBase::kTlsVAll));
+INSTANTIATE_TEST_CASE_P(
+    ExtensionStream, TlsExtensionTestGeneric,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
+                       TlsConnectTestBase::kTlsVAll));
 INSTANTIATE_TEST_CASE_P(
     ExtensionDatagram, TlsExtensionTestGeneric,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesDatagram,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram,
                        TlsConnectTestBase::kTlsV11Plus));
 INSTANTIATE_TEST_CASE_P(ExtensionDatagramOnly, TlsExtensionTestDtls,
                         TlsConnectTestBase::kTlsV11Plus);
 
 INSTANTIATE_TEST_CASE_P(ExtensionTls12Plus, TlsExtensionTest12Plus,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV12Plus));
 
-INSTANTIATE_TEST_CASE_P(ExtensionPre13Stream, TlsExtensionTestPre13,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesStream,
-                                           TlsConnectTestBase::kTlsV10ToV12));
+INSTANTIATE_TEST_CASE_P(
+    ExtensionPre13Stream, TlsExtensionTestPre13,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
+                       TlsConnectTestBase::kTlsV10ToV12));
 INSTANTIATE_TEST_CASE_P(ExtensionPre13Datagram, TlsExtensionTestPre13,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV11V12));
 
 INSTANTIATE_TEST_CASE_P(ExtensionTls13, TlsExtensionTest13,
-                        TlsConnectTestBase::kTlsModesAll);
+                        TlsConnectTestBase::kTlsVariantsAll);
 
-INSTANTIATE_TEST_CASE_P(BogusExtensionStream, TlsBogusExtensionTestPre13,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesStream,
-                                           TlsConnectTestBase::kTlsV10ToV12));
+INSTANTIATE_TEST_CASE_P(
+    BogusExtensionStream, TlsBogusExtensionTestPre13,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
+                       TlsConnectTestBase::kTlsV10ToV12));
 INSTANTIATE_TEST_CASE_P(
     BogusExtensionDatagram, TlsBogusExtensionTestPre13,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesDatagram,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram,
                        TlsConnectTestBase::kTlsV11V12));
 
 INSTANTIATE_TEST_CASE_P(BogusExtension13, TlsBogusExtensionTest13,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV13));
 
 }  // namespace nss_test
--- a/gtests/ssl_gtest/ssl_gather_unittest.cc
+++ b/gtests/ssl_gtest/ssl_gather_unittest.cc
@@ -6,17 +6,17 @@
 
 #include "gtest_utils.h"
 #include "tls_connect.h"
 
 namespace nss_test {
 
 class GatherV2ClientHelloTest : public TlsConnectTestBase {
  public:
-  GatherV2ClientHelloTest() : TlsConnectTestBase(STREAM, 0) {}
+  GatherV2ClientHelloTest() : TlsConnectTestBase(ssl_variant_stream, 0) {}
 
   void ConnectExpectMalformedClientHello(const DataBuffer &data) {
     EnsureTlsSetup();
     server_->ExpectSendAlert(kTlsAlertIllegalParameter);
     client_->SendDirect(data);
     server_->StartConnect();
     server_->Handshake();
     ASSERT_TRUE_WAIT(
--- a/gtests/ssl_gtest/ssl_hrr_unittest.cc
+++ b/gtests/ssl_gtest/ssl_hrr_unittest.cc
@@ -101,17 +101,17 @@ TEST_P(TlsConnectTls13, SecondClientHell
   client_->ConfigNamedGroups(groups);
   server_->ConfigNamedGroups(groups);
   client_->Set0RttEnabled(true);
   server_->Set0RttEnabled(true);
 
   // A new client that tries to resume with 0-RTT but doesn't send the
   // correct key share(s). The server will respond with an HRR.
   auto orig_client =
-      std::make_shared<TlsAgent>(client_->name(), TlsAgent::CLIENT, mode_);
+      std::make_shared<TlsAgent>(client_->name(), TlsAgent::CLIENT, variant_);
   client_.swap(orig_client);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_3);
   client_->ConfigureSessionCache(RESUME_BOTH);
   client_->Set0RttEnabled(true);
   client_->StartConnect();
 
   // Swap in the new client.
@@ -125,17 +125,17 @@ TEST_P(TlsConnectTls13, SecondClientHell
 
   // Swap the client we created manually with the one that successfully
   // received a PSK, and try to resume with 0-RTT. The client doesn't know
   // about the HRR so it will send the early_data xtn as well as 0-RTT data.
   client_.swap(orig_client);
   orig_client.reset();
 
   // Correct the DTLS message sequence number after an HRR.
-  if (mode_ == DGRAM) {
+  if (variant_ == ssl_variant_datagram) {
     client_->SetPacketFilter(
         std::make_shared<CorrectMessageSeqAfterHrrFilter>());
   }
 
   server_->SetPeer(client_);
   client_->Handshake();
 
   // Send 0-RTT data.
@@ -248,17 +248,17 @@ TEST_F(TlsConnectTest, Select12AfterHell
   client_->StartConnect();
   server_->StartConnect();
 
   client_->Handshake();
   server_->Handshake();
 
   // Here we replace the TLS server with one that does TLS 1.2 only.
   // This will happily send the client a TLS 1.2 ServerHello.
-  server_.reset(new TlsAgent(server_->name(), TlsAgent::SERVER, mode_));
+  server_.reset(new TlsAgent(server_->name(), TlsAgent::SERVER, variant_));
   client_->SetPeer(server_);
   server_->SetPeer(client_);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_2);
   server_->StartConnect();
   ExpectAlert(client_, kTlsAlertIllegalParameter);
   Handshake();
   EXPECT_EQ(SSL_ERROR_ILLEGAL_PARAMETER_ALERT, server_->error_code());
@@ -352,17 +352,17 @@ TEST_P(HelloRetryRequestAgentTest, Handl
   ProcessMessage(hrr, TlsAgent::STATE_CONNECTING);
   const size_t cookie_pos = 2 + 2;  // cookie_xtn, extension len
   DataBuffer cookie(canned_cookie_hrr + cookie_pos,
                     sizeof(canned_cookie_hrr) - cookie_pos);
   EXPECT_EQ(cookie, capture->extension());
 }
 
 INSTANTIATE_TEST_CASE_P(HelloRetryRequestAgentTests, HelloRetryRequestAgentTest,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV13));
 #ifndef NSS_DISABLE_TLS_1_3
 INSTANTIATE_TEST_CASE_P(HelloRetryRequestKeyExchangeTests, TlsKeyExchange13,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV13));
 #endif
 
 }  // namespace nss_test
--- a/gtests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/gtests/ssl_gtest/ssl_loopback_unittest.cc
@@ -125,17 +125,17 @@ TEST_P(TlsConnectTls13, CaptureAlertClie
 
   server_->StartConnect();
   client_->StartConnect();
 
   client_->Handshake();
   client_->ExpectSendAlert(kTlsAlertDecodeError);
   server_->Handshake();
   client_->Handshake();
-  if (mode_ == STREAM) {
+  if (variant_ == ssl_variant_stream) {
     // DTLS just drops the alert it can't decrypt.
     server_->ExpectSendAlert(kTlsAlertBadRecordMac);
   }
   server_->Handshake();
   EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
   EXPECT_EQ(kTlsAlertDecodeError, alert_recorder->description());
 }
 
@@ -222,17 +222,18 @@ TEST_P(TlsConnectStream, ShortRead) {
   ASSERT_EQ(1200U, client_->received_bytes());
 }
 
 TEST_P(TlsConnectGeneric, ConnectWithCompressionMaybe) {
   EnsureTlsSetup();
   client_->EnableCompression();
   server_->EnableCompression();
   Connect();
-  EXPECT_EQ(client_->version() < SSL_LIBRARY_VERSION_TLS_1_3 && mode_ != DGRAM,
+  EXPECT_EQ(client_->version() < SSL_LIBRARY_VERSION_TLS_1_3 &&
+                variant_ != ssl_variant_datagram,
             client_->is_compressed());
   SendReceive();
 }
 
 TEST_P(TlsConnectDatagram, TestDtlsHolddownExpiry) {
   Connect();
   std::cerr << "Expiring holddown timer\n";
   SSLInt_ForceTimerExpiry(client_->ssl_fd());
@@ -315,51 +316,54 @@ TEST_F(TlsConnectStreamTls13, Tls13Faile
 TEST_F(TlsConnectStreamTls13, NegotiateShortHeaders) {
   client_->SetShortHeadersEnabled();
   server_->SetShortHeadersEnabled();
   client_->ExpectShortHeaders();
   server_->ExpectShortHeaders();
   Connect();
 }
 
-INSTANTIATE_TEST_CASE_P(GenericStream, TlsConnectGeneric,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesStream,
-                                           TlsConnectTestBase::kTlsVAll));
+INSTANTIATE_TEST_CASE_P(
+    GenericStream, TlsConnectGeneric,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
+                       TlsConnectTestBase::kTlsVAll));
 INSTANTIATE_TEST_CASE_P(
     GenericDatagram, TlsConnectGeneric,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesDatagram,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram,
                        TlsConnectTestBase::kTlsV11Plus));
 
 INSTANTIATE_TEST_CASE_P(StreamOnly, TlsConnectStream,
                         TlsConnectTestBase::kTlsVAll);
 INSTANTIATE_TEST_CASE_P(DatagramOnly, TlsConnectDatagram,
                         TlsConnectTestBase::kTlsV11Plus);
 
-INSTANTIATE_TEST_CASE_P(Pre12Stream, TlsConnectPre12,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesStream,
-                                           TlsConnectTestBase::kTlsV10V11));
+INSTANTIATE_TEST_CASE_P(
+    Pre12Stream, TlsConnectPre12,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
+                       TlsConnectTestBase::kTlsV10V11));
 INSTANTIATE_TEST_CASE_P(
     Pre12Datagram, TlsConnectPre12,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesDatagram,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram,
                        TlsConnectTestBase::kTlsV11));
 
 INSTANTIATE_TEST_CASE_P(Version12Only, TlsConnectTls12,
-                        TlsConnectTestBase::kTlsModesAll);
+                        TlsConnectTestBase::kTlsVariantsAll);
 #ifndef NSS_DISABLE_TLS_1_3
 INSTANTIATE_TEST_CASE_P(Version13Only, TlsConnectTls13,
-                        TlsConnectTestBase::kTlsModesAll);
+                        TlsConnectTestBase::kTlsVariantsAll);
 #endif
 
-INSTANTIATE_TEST_CASE_P(Pre13Stream, TlsConnectGenericPre13,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesStream,
-                                           TlsConnectTestBase::kTlsV10ToV12));
+INSTANTIATE_TEST_CASE_P(
+    Pre13Stream, TlsConnectGenericPre13,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
+                       TlsConnectTestBase::kTlsV10ToV12));
 INSTANTIATE_TEST_CASE_P(
     Pre13Datagram, TlsConnectGenericPre13,
-    ::testing::Combine(TlsConnectTestBase::kTlsModesDatagram,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram,
                        TlsConnectTestBase::kTlsV11V12));
 INSTANTIATE_TEST_CASE_P(Pre13StreamOnly, TlsConnectStreamPre13,
                         TlsConnectTestBase::kTlsV10ToV12);
 
 INSTANTIATE_TEST_CASE_P(Version12Plus, TlsConnectTls12Plus,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV12Plus));
 
 }  // namespace nspr_test
--- a/gtests/ssl_gtest/ssl_resumption_unittest.cc
+++ b/gtests/ssl_gtest/ssl_resumption_unittest.cc
@@ -518,17 +518,17 @@ class SelectedVersionReplacer : public T
  private:
   uint16_t version_;
 };
 
 // Test how the client handles the case where the server picks a
 // lower version number on resumption.
 TEST_P(TlsConnectGenericPre13, TestResumptionOverrideVersion) {
   uint16_t override_version = 0;
-  if (mode_ == STREAM) {
+  if (variant_ == ssl_variant_stream) {
     switch (version_) {
       case SSL_LIBRARY_VERSION_TLS_1_0:
         return;  // Skip the test.
       case SSL_LIBRARY_VERSION_TLS_1_1:
         override_version = SSL_LIBRARY_VERSION_TLS_1_0;
         break;
       case SSL_LIBRARY_VERSION_TLS_1_2:
         override_version = SSL_LIBRARY_VERSION_TLS_1_1;
--- a/gtests/ssl_gtest/ssl_skip_unittest.cc
+++ b/gtests/ssl_gtest/ssl_skip_unittest.cc
@@ -73,49 +73,49 @@ class TlsHandshakeSkipFilter : public Tl
   // The type of handshake message to drop.
   uint8_t handshake_type_;
   // Whether this filter has ever skipped a handshake message.  Track this so
   // that sequence numbers on DTLS handshake messages can be rewritten in
   // subsequent calls.
   bool skipped_;
 };
 
-class TlsSkipTest
-    : public TlsConnectTestBase,
-      public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+class TlsSkipTest : public TlsConnectTestBase,
+                    public ::testing::WithParamInterface<
+                        std::tuple<SSLProtocolVariant, uint16_t>> {
  protected:
   TlsSkipTest()
       : TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
 
   void ServerSkipTest(std::shared_ptr<PacketFilter> filter,
                       uint8_t alert = kTlsAlertUnexpectedMessage) {
     server_->SetPacketFilter(filter);
     ConnectExpectAlert(client_, alert);
   }
 };
 
 class Tls13SkipTest : public TlsConnectTestBase,
-                      public ::testing::WithParamInterface<std::string> {
+                      public ::testing::WithParamInterface<SSLProtocolVariant> {
  protected:
   Tls13SkipTest()
       : TlsConnectTestBase(GetParam(), SSL_LIBRARY_VERSION_TLS_1_3) {}
 
   void ServerSkipTest(std::shared_ptr<TlsRecordFilter> filter, int32_t error) {
     EnsureTlsSetup();
     server_->SetTlsRecordFilter(filter);
     filter->EnableDecryption();
     client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
-    if (mode_ == STREAM) {
+    if (variant_ == ssl_variant_stream) {
       server_->ExpectSendAlert(kTlsAlertBadRecordMac);
       ConnectExpectFail();
     } else {
       ConnectExpectFailOneSide(TlsAgent::CLIENT);
     }
     client_->CheckErrorCode(error);
-    if (mode_ == STREAM) {
+    if (variant_ == ssl_variant_stream) {
       server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
     } else {
       ASSERT_EQ(TlsAgent::STATE_CONNECTING, server_->state());
     }
   }
 
   void ClientSkipTest(std::shared_ptr<TlsRecordFilter> filter, int32_t error) {
     EnsureTlsSetup();
@@ -222,17 +222,18 @@ TEST_P(Tls13SkipTest, SkipClientCertific
   client_->SetupClientAuth();
   server_->RequestClientAuth(true);
   client_->ExpectReceiveAlert(kTlsAlertUnexpectedMessage);
   ClientSkipTest(
       std::make_shared<TlsHandshakeSkipFilter>(kTlsHandshakeCertificateVerify),
       SSL_ERROR_RX_UNEXPECTED_FINISHED);
 }
 
-INSTANTIATE_TEST_CASE_P(SkipTls10, TlsSkipTest,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesStream,
-                                           TlsConnectTestBase::kTlsV10));
+INSTANTIATE_TEST_CASE_P(
+    SkipTls10, TlsSkipTest,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
+                       TlsConnectTestBase::kTlsV10));
 INSTANTIATE_TEST_CASE_P(SkipVariants, TlsSkipTest,
-                        ::testing::Combine(TlsConnectTestBase::kTlsModesAll,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV11V12));
 INSTANTIATE_TEST_CASE_P(Skip13Variants, Tls13SkipTest,
-                        TlsConnectTestBase::kTlsModesAll);
+                        TlsConnectTestBase::kTlsVariantsAll);
 }  // namespace nss_test
--- a/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
+++ b/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
@@ -136,20 +136,21 @@ class SSLv2ClientHelloFilter : public Pa
   uint8_t reported_pad_len_;
   uint16_t client_random_len_;
   std::vector<uint16_t> ciphers_;
   bool send_escape_;
 };
 
 class SSLv2ClientHelloTestF : public TlsConnectTestBase {
  public:
-  SSLv2ClientHelloTestF() : TlsConnectTestBase(STREAM, 0), filter_(nullptr) {}
+  SSLv2ClientHelloTestF()
+      : TlsConnectTestBase(ssl_variant_stream, 0), filter_(nullptr) {}
 
-  SSLv2ClientHelloTestF(Mode mode, uint16_t version)
-      : TlsConnectTestBase(mode, version), filter_(nullptr) {}
+  SSLv2ClientHelloTestF(SSLProtocolVariant variant, uint16_t version)
+      : TlsConnectTestBase(variant, version), filter_(nullptr) {}
 
   void SetUp() {
     TlsConnectTestBase::SetUp();
     filter_ = std::make_shared<SSLv2ClientHelloFilter>(client_, version_);
     client_->SetPacketFilter(filter_);
   }
 
   void RequireSafeRenegotiation() {
@@ -188,17 +189,18 @@ class SSLv2ClientHelloTestF : public Tls
   std::shared_ptr<SSLv2ClientHelloFilter> filter_;
 };
 
 // Parameterized version of SSLv2ClientHelloTestF we can
 // use with TEST_P to test multiple TLS versions easily.
 class SSLv2ClientHelloTest : public SSLv2ClientHelloTestF,
                              public ::testing::WithParamInterface<uint16_t> {
  public:
-  SSLv2ClientHelloTest() : SSLv2ClientHelloTestF(STREAM, GetParam()) {}
+  SSLv2ClientHelloTest()
+      : SSLv2ClientHelloTestF(ssl_variant_stream, GetParam()) {}
 };
 
 // Test negotiating TLS 1.0 - 1.2.
 TEST_P(SSLv2ClientHelloTest, Connect) {
   SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
   Connect();
 }
 
--- a/gtests/ssl_gtest/ssl_version_unittest.cc
+++ b/gtests/ssl_gtest/ssl_version_unittest.cc
@@ -255,17 +255,17 @@ TEST_P(TlsConnectGeneric, AlertBeforeSer
   EnsureTlsSetup();
   client_->ExpectReceiveAlert(kTlsAlertUnrecognizedName, kTlsAlertWarning);
   client_->StartConnect();
   server_->StartConnect();
   client_->Handshake();  // Send ClientHello.
   static const uint8_t kWarningAlert[] = {kTlsAlertWarning,
                                           kTlsAlertUnrecognizedName};
   DataBuffer alert;
-  TlsAgentTestBase::MakeRecord(mode_, kTlsAlertType,
+  TlsAgentTestBase::MakeRecord(variant_, kTlsAlertType,
                                SSL_LIBRARY_VERSION_TLS_1_0, kWarningAlert,
                                PR_ARRAY_SIZE(kWarningAlert), &alert);
   client_->adapter()->PacketReceived(alert);
   Handshake();
   CheckConnected();
 }
 
 class Tls13NoSupportedVersions : public TlsConnectStreamTls12 {
--- a/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
+++ b/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
@@ -87,22 +87,18 @@ typedef std::tuple<SSLProtocolVariant,  
                    uint16_t>            // input max
     PolicyVersionRangeInput;
 
 class TestPolicyVersionRange
     : public TlsConnectTestBase,
       public ::testing::WithParamInterface<PolicyVersionRangeInput> {
  public:
   TestPolicyVersionRange()
-      : TlsConnectTestBase(((static_cast<SSLProtocolVariant>(
-                                 std::get<0>(GetParam())) == ssl_variant_stream)
-                                ? STREAM
-                                : DGRAM),
-                           0),
-        variant_(static_cast<SSLProtocolVariant>(std::get<0>(GetParam()))),
+      : TlsConnectTestBase(std::get<0>(GetParam()), 0),
+        variant_(std::get<0>(GetParam())),
         policy_("policy", std::get<1>(GetParam()), std::get<2>(GetParam())),
         input_("input", std::get<3>(GetParam()), std::get<4>(GetParam())),
         library_("supported-by-library",
                  ((variant_ == ssl_variant_stream)
                       ? SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM
                       : SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM),
                  SSL_LIBRARY_VERSION_MAX_SUPPORTED) {
     TlsConnectTestBase::SkipVersionChecks();
@@ -119,19 +115,17 @@ class TestPolicyVersionRange
     rv = NSS_OptionSet(NSS_DTLS_VERSION_MIN_POLICY, policy.min);
     ASSERT_EQ(SECSuccess, rv);
     rv = NSS_OptionSet(NSS_DTLS_VERSION_MAX_POLICY, policy.max);
     ASSERT_EQ(SECSuccess, rv);
   }
 
   void CreateDummySocket(std::shared_ptr<DummyPrSocket>* dummy_socket,
                          ScopedPRFileDesc* ssl_fd) {
-    (*dummy_socket)
-        .reset(new DummyPrSocket(
-            "dummy", (variant_ == ssl_variant_stream) ? STREAM : DGRAM));
+    (*dummy_socket).reset(new DummyPrSocket("dummy", variant_));
     *ssl_fd = (*dummy_socket)->CreateFD();
     if (variant_ == ssl_variant_stream) {
       SSL_ImportFD(nullptr, ssl_fd->get());
     } else {
       DTLS_ImportFD(nullptr, ssl_fd->get());
     }
   }
 
@@ -270,21 +264,16 @@ static const uint16_t kExpandedVersionsA
     SSL_LIBRARY_VERSION_TLS_1_3,
 #endif
     SSL_LIBRARY_VERSION_MAX_SUPPORTED + 1
     /* clang-format on */
 };
 static ::testing::internal::ParamGenerator<uint16_t> kExpandedVersions =
     ::testing::ValuesIn(kExpandedVersionsArr);
 
-static const SSLProtocolVariant kVariantsArr[] = {ssl_variant_stream,
-                                                  ssl_variant_datagram};
-static ::testing::internal::ParamGenerator<SSLProtocolVariant> kVariants =
-    ::testing::ValuesIn(kVariantsArr);
-
 TEST_P(TestPolicyVersionRange, TestAllTLSVersionsAndPolicyCombinations) {
   ASSERT_TRUE(variant_ == ssl_variant_stream ||
               variant_ == ssl_variant_datagram)
       << "testing unsupported ssl variant";
 
   std::cerr << "testing: " << variant_ << policy_ << input_ << library_
             << std::endl;
 
@@ -393,12 +382,13 @@ TEST_P(TestPolicyVersionRange, TestAllTL
 
   // Because we found overlap between policy and supported versions,
   // and because we have used SetDefault to enable at least one version,
   // it should be possible to execute an SSL/TLS connection.
   Connect();
 }
 
 INSTANTIATE_TEST_CASE_P(TLSVersionRanges, TestPolicyVersionRange,
-                        ::testing::Combine(kVariants, kExpandedVersions,
+                        ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            kExpandedVersions, kExpandedVersions,
+                                           kExpandedVersions,
                                            kExpandedVersions));
 }  // namespace nss_test
--- a/gtests/ssl_gtest/test_io.cc
+++ b/gtests/ssl_gtest/test_io.cc
@@ -35,19 +35,18 @@ ScopedPRFileDesc DummyPrSocket::CreateFD
   return DummyIOLayerMethods::CreateFD(test_fd_identity, this);
 }
 
 void DummyPrSocket::PacketReceived(const DataBuffer &packet) {
   input_.push(Packet(packet));
 }
 
 int32_t DummyPrSocket::Read(PRFileDesc *f, void *data, int32_t len) {
-  PR_ASSERT(mode_ == STREAM);
-
-  if (mode_ != STREAM) {
+  PR_ASSERT(variant_ == ssl_variant_stream);
+  if (variant_ != ssl_variant_stream) {
     PR_SetError(PR_INVALID_METHOD_ERROR, 0);
     return -1;
   }
 
   if (input_.empty()) {
     LOGV("Read --> wouldblock " << len);
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
@@ -70,17 +69,17 @@ int32_t DummyPrSocket::Read(PRFileDesc *
 int32_t DummyPrSocket::Recv(PRFileDesc *f, void *buf, int32_t buflen,
                             int32_t flags, PRIntervalTime to) {
   PR_ASSERT(flags == 0);
   if (flags != 0) {
     PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
     return -1;
   }
 
-  if (mode() != DGRAM) {
+  if (variant() != ssl_variant_datagram) {
     return Read(f, buf, buflen);
   }
 
   if (input_.empty()) {
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
   }
 
--- a/gtests/ssl_gtest/test_io.h
+++ b/gtests/ssl_gtest/test_io.h
@@ -13,16 +13,17 @@
 #include <ostream>
 #include <queue>
 #include <string>
 
 #include "databuffer.h"
 #include "dummy_io.h"
 #include "prio.h"
 #include "scoped_ptrs.h"
+#include "sslt.h"
 
 namespace nss_test {
 
 class DataBuffer;
 class DummyPrSocket;  // Fwd decl.
 
 // Allow us to inspect a packet before it is written.
 class PacketFilter {
@@ -39,27 +40,21 @@ class PacketFilter {
   //
   // A filter that modifies the data places the modified data in *output and
   // returns CHANGE.  A filter that does not modify data returns LEAVE, in which
   // case the value in *output is ignored.  A Filter can return DROP, in which
   // case the packet is dropped (and *output is ignored).
   virtual Action Filter(const DataBuffer& input, DataBuffer* output) = 0;
 };
 
-enum Mode { STREAM, DGRAM };
-
-inline std::ostream& operator<<(std::ostream& os, Mode m) {
-  return os << ((m == STREAM) ? "TLS" : "DTLS");
-}
-
 class DummyPrSocket : public DummyIOLayerMethods {
  public:
-  DummyPrSocket(const std::string& name, Mode mode)
+  DummyPrSocket(const std::string& name, SSLProtocolVariant variant)
       : name_(name),
-        mode_(mode),
+        variant_(variant),
         peer_(),
         input_(),
         filter_(nullptr),
         writeable_(true) {}
   virtual ~DummyPrSocket() {}
 
   // Create a file descriptor that will reference this object.  The fd must not
   // live longer than this adapter; call PR_Close() before.
@@ -73,17 +68,17 @@ class DummyPrSocket : public DummyIOLaye
 
   void PacketReceived(const DataBuffer& data);
   int32_t Read(PRFileDesc* f, void* data, int32_t len) override;
   int32_t Recv(PRFileDesc* f, void* buf, int32_t buflen, int32_t flags,
                PRIntervalTime to) override;
   int32_t Write(PRFileDesc* f, const void* buf, int32_t length) override;
   void CloseWrites() { writeable_ = false; }
 
-  Mode mode() const { return mode_; }
+  SSLProtocolVariant variant() const { return variant_; }
   bool readable() const { return !input_.empty(); }
 
  private:
   class Packet : public DataBuffer {
    public:
     Packet(const DataBuffer& buf) : DataBuffer(buf), offset_(0) {}
 
     void Advance(size_t delta) {
@@ -94,17 +89,17 @@ class DummyPrSocket : public DummyIOLaye
     size_t offset() const { return offset_; }
     size_t remaining() const { return len() - offset_; }
 
    private:
     size_t offset_;
   };
 
   const std::string name_;
-  Mode mode_;
+  SSLProtocolVariant variant_;
   std::weak_ptr<DummyPrSocket> peer_;
   std::queue<Packet> input_;
   std::shared_ptr<PacketFilter> filter_;
   bool writeable_;
 };
 
 // Marker interface.
 class PollTarget {};
--- a/gtests/ssl_gtest/tls_agent.cc
+++ b/gtests/ssl_gtest/tls_agent.cc
@@ -38,22 +38,23 @@ const std::string TlsAgent::kServerRsaDe
 const std::string TlsAgent::kServerRsaChain = "rsa_chain";
 const std::string TlsAgent::kServerEcdsa256 = "ecdsa256";
 const std::string TlsAgent::kServerEcdsa384 = "ecdsa384";
 const std::string TlsAgent::kServerEcdsa521 = "ecdsa521";
 const std::string TlsAgent::kServerEcdhRsa = "ecdh_rsa";
 const std::string TlsAgent::kServerEcdhEcdsa = "ecdh_ecdsa";
 const std::string TlsAgent::kServerDsa = "dsa";
 
-TlsAgent::TlsAgent(const std::string& name, Role role, Mode mode)
+TlsAgent::TlsAgent(const std::string& name, Role role,
+                   SSLProtocolVariant variant)
     : name_(name),
-      mode_(mode),
+      variant_(variant),
       role_(role),
       server_key_bits_(0),
-      adapter_(new DummyPrSocket(role_str(), mode)),
+      adapter_(new DummyPrSocket(role_str(), variant)),
       ssl_fd_(nullptr),
       state_(STATE_INIT),
       timer_handle_(nullptr),
       falsestart_enabled_(false),
       expected_version_(0),
       expected_cipher_suite_(0),
       expect_resumption_(false),
       expect_client_auth_(false),
@@ -71,18 +72,17 @@ TlsAgent::TlsAgent(const std::string& na
       expect_readwrite_error_(false),
       handshake_callback_(),
       auth_certificate_callback_(),
       sni_callback_(),
       expect_short_headers_(false),
       skip_version_checks_(false) {
   memset(&info_, 0, sizeof(info_));
   memset(&csinfo_, 0, sizeof(csinfo_));
-  SECStatus rv = SSL_VersionRangeGetDefault(
-      mode_ == STREAM ? ssl_variant_stream : ssl_variant_datagram, &vrange_);
+  SECStatus rv = SSL_VersionRangeGetDefault(variant_, &vrange_);
   EXPECT_EQ(SECSuccess, rv);
 }
 
 TlsAgent::~TlsAgent() {
   if (timer_handle_) {
     timer_handle_->Cancel();
   }
 
@@ -149,17 +149,17 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc
   // Don't set up twice
   if (ssl_fd_) return true;
 
   ScopedPRFileDesc dummy_fd(adapter_->CreateFD());
   EXPECT_NE(nullptr, dummy_fd);
   if (!dummy_fd) {
     return false;
   }
-  if (adapter_->mode() == STREAM) {
+  if (adapter_->variant() == ssl_variant_stream) {
     ssl_fd_.reset(SSL_ImportFD(modelSocket, dummy_fd.get()));
   } else {
     ssl_fd_.reset(DTLS_ImportFD(modelSocket, dummy_fd.get()));
   }
 
   EXPECT_NE(nullptr, ssl_fd_);
   if (!ssl_fd_) {
     return false;
@@ -752,17 +752,18 @@ void TlsAgent::Connected() {
   rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
   EXPECT_EQ(SECSuccess, rv);
   EXPECT_EQ(sizeof(csinfo_), csinfo_.length);
 
   if (expected_version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
     PRInt32 cipherSuites = SSLInt_CountTls13CipherSpecs(ssl_fd());
     // We use one ciphersuite in each direction, plus one that's kept around
     // by DTLS for retransmission.
-    PRInt32 expected = ((mode_ == DGRAM) && (role_ == CLIENT)) ? 3 : 2;
+    PRInt32 expected =
+        ((variant_ == ssl_variant_datagram) && (role_ == CLIENT)) ? 3 : 2;
     EXPECT_EQ(expected, cipherSuites);
     if (expected != cipherSuites) {
       SSLInt_PrintTls13CipherSpecs(ssl_fd());
     }
   }
 
   PRBool short_headers;
   rv = SSLInt_UsingShortHeaders(ssl_fd(), &short_headers);
@@ -830,17 +831,17 @@ void TlsAgent::Handshake() {
     Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
                              &TlsAgent::ReadableCallback);
     return;
   }
 
   int32_t err = PR_GetError();
   if (err == PR_WOULD_BLOCK_ERROR) {
     LOGV("Would have blocked");
-    if (mode_ == DGRAM) {
+    if (variant_ == ssl_variant_datagram) {
       if (timer_handle_) {
         timer_handle_->Cancel();
         timer_handle_ = nullptr;
       }
 
       PRIntervalTime timeout;
       rv = DTLS_GetHandshakeTimeout(ssl_fd(), &timeout);
       if (rv == SECSuccess) {
@@ -981,17 +982,17 @@ void TlsAgentTestBase::TearDown() {
   agent_ = nullptr;
   SSL_ClearSessionCache();
   SSL_ShutdownServerSessionIDCache();
 }
 
 void TlsAgentTestBase::Reset(const std::string& server_name) {
   agent_.reset(
       new TlsAgent(role_ == TlsAgent::CLIENT ? TlsAgent::kClient : server_name,
-                   role_, mode_));
+                   role_, variant_));
   if (version_) {
     agent_->SetVersionRange(version_, version_);
   }
   agent_->adapter()->SetPeer(sink_adapter_);
   agent_->StartConnect();
 }
 
 void TlsAgentTestBase::EnsureInit() {
@@ -1019,35 +1020,37 @@ void TlsAgentTestBase::ProcessMessage(co
 
   ASSERT_EQ(expected_state, agent_->state());
 
   if (expected_state == TlsAgent::STATE_ERROR) {
     ASSERT_EQ(error_code, agent_->error_code());
   }
 }
 
-void TlsAgentTestBase::MakeRecord(Mode mode, uint8_t type, uint16_t version,
-                                  const uint8_t* buf, size_t len,
-                                  DataBuffer* out, uint64_t seq_num) {
+void TlsAgentTestBase::MakeRecord(SSLProtocolVariant variant, uint8_t type,
+                                  uint16_t version, const uint8_t* buf,
+                                  size_t len, DataBuffer* out,
+                                  uint64_t seq_num) {
   size_t index = 0;
   index = out->Write(index, type, 1);
-  index = out->Write(
-      index, mode == STREAM ? version : TlsVersionToDtlsVersion(version), 2);
-  if (mode == DGRAM) {
+  if (variant == ssl_variant_stream) {
+    index = out->Write(index, version, 2);
+  } else {
+    index = out->Write(index, TlsVersionToDtlsVersion(version), 2);
     index = out->Write(index, seq_num >> 32, 4);
     index = out->Write(index, seq_num & PR_UINT32_MAX, 4);
   }
   index = out->Write(index, len, 2);
   out->Write(index, buf, len);
 }
 
 void TlsAgentTestBase::MakeRecord(uint8_t type, uint16_t version,
                                   const uint8_t* buf, size_t len,
                                   DataBuffer* out, uint64_t seq_num) const {
-  MakeRecord(mode_, type, version, buf, len, out, seq_num);
+  MakeRecord(variant_, type, version, buf, len, out, seq_num);
 }
 
 void TlsAgentTestBase::MakeHandshakeMessage(uint8_t hs_type,
                                             const uint8_t* data, size_t hs_len,
                                             DataBuffer* out,
                                             uint64_t seq_num) const {
   return MakeHandshakeMessageFragment(hs_type, data, hs_len, out, seq_num, 0,
                                       0);
@@ -1056,17 +1059,17 @@ void TlsAgentTestBase::MakeHandshakeMess
 void TlsAgentTestBase::MakeHandshakeMessageFragment(
     uint8_t hs_type, const uint8_t* data, size_t hs_len, DataBuffer* out,
     uint64_t seq_num, uint32_t fragment_offset,
     uint32_t fragment_length) const {
   size_t index = 0;
   if (!fragment_length) fragment_length = hs_len;
   index = out->Write(index, hs_type, 1);  // Handshake record type.
   index = out->Write(index, hs_len, 3);   // Handshake length
-  if (mode_ == DGRAM) {
+  if (variant_ == ssl_variant_datagram) {
     index = out->Write(index, seq_num, 2);
     index = out->Write(index, fragment_offset, 3);
     index = out->Write(index, fragment_length, 3);
   }
   if (data) {
     index = out->Write(index, data, fragment_length);
   } else {
     for (size_t i = 0; i < fragment_length; ++i) {
--- a/gtests/ssl_gtest/tls_agent.h
+++ b/gtests/ssl_gtest/tls_agent.h
@@ -69,17 +69,17 @@ class TlsAgent : public PollTarget {
   static const std::string kServerRsaChain;  // A cert that requires a chain.
   static const std::string kServerEcdsa256;
   static const std::string kServerEcdsa384;
   static const std::string kServerEcdsa521;
   static const std::string kServerEcdhEcdsa;
   static const std::string kServerEcdhRsa;
   static const std::string kServerDsa;
 
-  TlsAgent(const std::string& name, Role role, Mode mode);
+  TlsAgent(const std::string& name, Role role, SSLProtocolVariant variant);
   virtual ~TlsAgent();
 
   void SetPeer(std::shared_ptr<TlsAgent>& peer) {
     adapter_->SetPeer(peer->adapter_);
   }
 
   void SetTlsRecordFilter(std::shared_ptr<TlsRecordFilter> filter) {
     filter->SetAgent(this);
@@ -353,17 +353,17 @@ class TlsAgent : public PollTarget {
 
   void DisableLameGroups();
   void ConfigStrongECGroups(bool en);
   void ConfigAllDHGroups(bool en);
   void CheckCallbacks() const;
   void Connected();
 
   const std::string name_;
-  Mode mode_;
+  SSLProtocolVariant variant_;
   Role role_;
   uint16_t server_key_bits_;
   std::shared_ptr<DummyPrSocket> adapter_;
   ScopedPRFileDesc ssl_fd_;
   State state_;
   std::shared_ptr<Poller::Timer> timer_handle_;
   bool falsestart_enabled_;
   uint16_t expected_version_;
@@ -396,100 +396,100 @@ inline std::ostream& operator<<(std::ost
                                 const TlsAgent::State& state) {
   return stream << TlsAgent::state_str(state);
 }
 
 class TlsAgentTestBase : public ::testing::Test {
  public:
   static ::testing::internal::ParamGenerator<std::string> kTlsRolesAll;
 
-  TlsAgentTestBase(TlsAgent::Role role, Mode mode, uint16_t version = 0)
+  TlsAgentTestBase(TlsAgent::Role role, SSLProtocolVariant variant,
+                   uint16_t version = 0)
       : agent_(nullptr),
         role_(role),
-        mode_(mode),
+        variant_(variant),
         version_(version),
-        sink_adapter_(new DummyPrSocket("sink", mode)) {}
+        sink_adapter_(new DummyPrSocket("sink", variant)) {}
   virtual ~TlsAgentTestBase() {}
 
   void SetUp();
   void TearDown();
 
   void ExpectAlert(uint8_t alert);
 
-  static void MakeRecord(Mode mode, uint8_t type, uint16_t version,
-                         const uint8_t* buf, size_t len, DataBuffer* out,
-                         uint64_t seq_num = 0);
+  static void MakeRecord(SSLProtocolVariant variant, uint8_t type,
+                         uint16_t version, const uint8_t* buf, size_t len,
+                         DataBuffer* out, uint64_t seq_num = 0);
   void MakeRecord(uint8_t type, uint16_t version, const uint8_t* buf,
                   size_t len, DataBuffer* out, uint64_t seq_num = 0) const;
   void MakeHandshakeMessage(uint8_t hs_type, const uint8_t* data, size_t hs_len,
                             DataBuffer* out, uint64_t seq_num = 0) const;
   void MakeHandshakeMessageFragment(uint8_t hs_type, const uint8_t* data,
                                     size_t hs_len, DataBuffer* out,
                                     uint64_t seq_num, uint32_t fragment_offset,
                                     uint32_t fragment_length) const;
   static void MakeTrivialHandshakeRecord(uint8_t hs_type, size_t hs_len,
                                          DataBuffer* out);
   static inline TlsAgent::Role ToRole(const std::string& str) {
     return str == "CLIENT" ? TlsAgent::CLIENT : TlsAgent::SERVER;
   }
 
-  static inline Mode ToMode(const std::string& str) {
-    return str == "TLS" ? STREAM : DGRAM;
-  }
-
   void Init(const std::string& server_name = TlsAgent::kServerRsa);
   void Reset(const std::string& server_name = TlsAgent::kServerRsa);
 
  protected:
   void EnsureInit();
   void ProcessMessage(const DataBuffer& buffer, TlsAgent::State expected_state,
                       int32_t error_code = 0);
 
   std::unique_ptr<TlsAgent> agent_;
   TlsAgent::Role role_;
-  Mode mode_;
+  SSLProtocolVariant variant_;
   uint16_t version_;
   // This adapter is here just to accept packets from this agent.
   std::shared_ptr<DummyPrSocket> sink_adapter_;
 };
 
-class TlsAgentTest : public TlsAgentTestBase,
-                     public ::testing::WithParamInterface<
-                         std::tuple<std::string, std::string, uint16_t>> {
+class TlsAgentTest
+    : public TlsAgentTestBase,
+      public ::testing::WithParamInterface<
+          std::tuple<std::string, SSLProtocolVariant, uint16_t>> {
  public:
   TlsAgentTest()
       : TlsAgentTestBase(ToRole(std::get<0>(GetParam())),
-                         ToMode(std::get<1>(GetParam())),
-                         std::get<2>(GetParam())) {}
+                         std::get<1>(GetParam()), std::get<2>(GetParam())) {}
 };
 
-class TlsAgentTestClient
-    : public TlsAgentTestBase,
-      public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+class TlsAgentTestClient : public TlsAgentTestBase,
+                           public ::testing::WithParamInterface<
+                               std::tuple<SSLProtocolVariant, uint16_t>> {
  public:
   TlsAgentTestClient()
-      : TlsAgentTestBase(TlsAgent::CLIENT, ToMode(std::get<0>(GetParam())),
+      : TlsAgentTestBase(TlsAgent::CLIENT, std::get<0>(GetParam()),
                          std::get<1>(GetParam())) {}
 };
 
 class TlsAgentTestClient13 : public TlsAgentTestClient {};
 
 class TlsAgentStreamTestClient : public TlsAgentTestBase {
  public:
-  TlsAgentStreamTestClient() : TlsAgentTestBase(TlsAgent::CLIENT, STREAM) {}
+  TlsAgentStreamTestClient()
+      : TlsAgentTestBase(TlsAgent::CLIENT, ssl_variant_stream) {}
 };
 
 class TlsAgentStreamTestServer : public TlsAgentTestBase {
  public:
-  TlsAgentStreamTestServer() : TlsAgentTestBase(TlsAgent::SERVER, STREAM) {}
+  TlsAgentStreamTestServer()
+      : TlsAgentTestBase(TlsAgent::SERVER, ssl_variant_stream) {}
 };
 
 class TlsAgentDgramTestClient : public TlsAgentTestBase {
  public:
-  TlsAgentDgramTestClient() : TlsAgentTestBase(TlsAgent::CLIENT, DGRAM) {}
+  TlsAgentDgramTestClient()
+      : TlsAgentTestBase(TlsAgent::CLIENT, ssl_variant_datagram) {}
 };
 
 inline bool operator==(const SSLVersionRange& vr1, const SSLVersionRange& vr2) {
   return vr1.min == vr2.min && vr1.max == vr2.max;
 }
 
 }  // namespace nss_test
 
--- a/gtests/ssl_gtest/tls_connect.cc
+++ b/gtests/ssl_gtest/tls_connect.cc
@@ -15,27 +15,30 @@ extern "C" {
 #include "gtest_utils.h"
 #include "scoped_ptrs.h"
 #include "sslproto.h"
 
 extern std::string g_working_dir_path;
 
 namespace nss_test {
 
-static const std::string kTlsModesStreamArr[] = {"TLS"};
-::testing::internal::ParamGenerator<std::string>
-    TlsConnectTestBase::kTlsModesStream =
-        ::testing::ValuesIn(kTlsModesStreamArr);
-static const std::string kTlsModesDatagramArr[] = {"DTLS"};
-::testing::internal::ParamGenerator<std::string>
-    TlsConnectTestBase::kTlsModesDatagram =
-        ::testing::ValuesIn(kTlsModesDatagramArr);
-static const std::string kTlsModesAllArr[] = {"TLS", "DTLS"};
-::testing::internal::ParamGenerator<std::string>
-    TlsConnectTestBase::kTlsModesAll = ::testing::ValuesIn(kTlsModesAllArr);
+static const SSLProtocolVariant kTlsVariantsStreamArr[] = {ssl_variant_stream};
+::testing::internal::ParamGenerator<SSLProtocolVariant>
+    TlsConnectTestBase::kTlsVariantsStream =
+        ::testing::ValuesIn(kTlsVariantsStreamArr);
+static const SSLProtocolVariant kTlsVariantsDatagramArr[] = {
+    ssl_variant_datagram};
+::testing::internal::ParamGenerator<SSLProtocolVariant>
+    TlsConnectTestBase::kTlsVariantsDatagram =
+        ::testing::ValuesIn(kTlsVariantsDatagramArr);
+static const SSLProtocolVariant kTlsVariantsAllArr[] = {ssl_variant_stream,
+                                                        ssl_variant_datagram};
+::testing::internal::ParamGenerator<SSLProtocolVariant>
+    TlsConnectTestBase::kTlsVariantsAll =
+        ::testing::ValuesIn(kTlsVariantsAllArr);
 
 static const uint16_t kTlsV10Arr[] = {SSL_LIBRARY_VERSION_TLS_1_0};
 ::testing::internal::ParamGenerator<uint16_t> TlsConnectTestBase::kTlsV10 =
     ::testing::ValuesIn(kTlsV10Arr);
 static const uint16_t kTlsV11Arr[] = {SSL_LIBRARY_VERSION_TLS_1_1};
 ::testing::internal::ParamGenerator<uint16_t> TlsConnectTestBase::kTlsV11 =
     ::testing::ValuesIn(kTlsV11Arr);
 static const uint16_t kTlsV12Arr[] = {SSL_LIBRARY_VERSION_TLS_1_2};
@@ -95,41 +98,39 @@ std::string VersionString(uint16_t versi
       return "1.3";
     default:
       std::cerr << "Invalid version: " << version << std::endl;
       EXPECT_TRUE(false);
       return "";
   }
 }
 
-TlsConnectTestBase::TlsConnectTestBase(Mode mode, uint16_t version)
-    : mode_(mode),
-      client_(new TlsAgent(TlsAgent::kClient, TlsAgent::CLIENT, mode_)),
-      server_(new TlsAgent(TlsAgent::kServerRsa, TlsAgent::SERVER, mode_)),
+TlsConnectTestBase::TlsConnectTestBase(SSLProtocolVariant variant,
+                                       uint16_t version)
+    : variant_(variant),
+      client_(new TlsAgent(TlsAgent::kClient, TlsAgent::CLIENT, variant_)),
+      server_(new TlsAgent(TlsAgent::kServerRsa, TlsAgent::SERVER, variant_)),
       client_model_(nullptr),
       server_model_(nullptr),
       version_(version),
       expected_resumption_mode_(RESUME_NONE),
       session_ids_(),
       expect_extended_master_secret_(false),
       expect_early_data_accepted_(false),
       skip_version_checks_(false) {
   std::string v;
-  if (mode_ == DGRAM && version_ == SSL_LIBRARY_VERSION_TLS_1_1) {
+  if (variant_ == ssl_variant_datagram &&
+      version_ == SSL_LIBRARY_VERSION_TLS_1_1) {
     v = "1.0";
   } else {
     v = VersionString(version_);
   }
-  std::cerr << "Version: " << mode_ << " " << v << std::endl;
+  std::cerr << "Version: " << variant_ << " " << v << std::endl;
 }
 
-TlsConnectTestBase::TlsConnectTestBase(const std::string& mode,
-                                       uint16_t version)
-    : TlsConnectTestBase(TlsConnectTestBase::ToMode(mode), version) {}
-
 TlsConnectTestBase::~TlsConnectTestBase() {}
 
 // Check the group of each of the supported groups
 void TlsConnectTestBase::CheckGroups(
     const DataBuffer& groups, std::function<void(SSLNamedGroup)> check_group) {
   DuplicateGroupChecker group_set;
   uint32_t tmp = 0;
   EXPECT_TRUE(groups.Read(0, 2, &tmp));
@@ -203,18 +204,18 @@ void TlsConnectTestBase::Reset() {
   // Take a copy of the names because they are about to disappear.
   std::string server_name = server_->name();
   std::string client_name = client_->name();
   Reset(server_name, client_name);
 }
 
 void TlsConnectTestBase::Reset(const std::string& server_name,
                                const std::string& client_name) {
-  client_.reset(new TlsAgent(client_name, TlsAgent::CLIENT, mode_));
-  server_.reset(new TlsAgent(server_name, TlsAgent::SERVER, mode_));
+  client_.reset(new TlsAgent(client_name, TlsAgent::CLIENT, variant_));
+  server_.reset(new TlsAgent(server_name, TlsAgent::SERVER, variant_));
   if (skip_version_checks_) {
     client_->SkipVersionChecks();
     server_->SkipVersionChecks();
   }
 
   Init();
 }
 
@@ -509,19 +510,19 @@ void TlsConnectTestBase::EnableAlpn(cons
   server_->EnableAlpn(val, len);
 }
 
 void TlsConnectTestBase::EnsureModelSockets() {
   // Make sure models agents are available.
   if (!client_model_) {
     ASSERT_EQ(server_model_, nullptr);
     client_model_.reset(
-        new TlsAgent(TlsAgent::kClient, TlsAgent::CLIENT, mode_));
+        new TlsAgent(TlsAgent::kClient, TlsAgent::CLIENT, variant_));
     server_model_.reset(
-        new TlsAgent(TlsAgent::kServerRsa, TlsAgent::SERVER, mode_));
+        new TlsAgent(TlsAgent::kServerRsa, TlsAgent::SERVER, variant_));
     if (skip_version_checks_) {
       client_model_->SkipVersionChecks();
       server_model_->SkipVersionChecks();
     }
   }
 }
 
 void TlsConnectTestBase::CheckAlpn(const std::string& val) {
--- a/gtests/ssl_gtest/tls_connect.h
+++ b/gtests/ssl_gtest/tls_connect.h
@@ -20,32 +20,34 @@
 
 namespace nss_test {
 
 extern std::string VersionString(uint16_t version);
 
 // A generic TLS connection test base.
 class TlsConnectTestBase : public ::testing::Test {
  public:
-  static ::testing::internal::ParamGenerator<std::string> kTlsModesStream;
-  static ::testing::internal::ParamGenerator<std::string> kTlsModesDatagram;
-  static ::testing::internal::ParamGenerator<std::string> kTlsModesAll;
+  static ::testing::internal::ParamGenerator<SSLProtocolVariant>
+      kTlsVariantsStream;
+  static ::testing::internal::ParamGenerator<SSLProtocolVariant>
+      kTlsVariantsDatagram;
+  static ::testing::internal::ParamGenerator<SSLProtocolVariant>
+      kTlsVariantsAll;
   static ::testing::internal::ParamGenerator<uint16_t> kTlsV10;
   static ::testing::internal::ParamGenerator<uint16_t> kTlsV11;
   static ::testing::internal::ParamGenerator<uint16_t> kTlsV12;
   static ::testing::internal::ParamGenerator<uint16_t> kTlsV10V11;
   static ::testing::internal::ParamGenerator<uint16_t> kTlsV11V12;
   static ::testing::internal::ParamGenerator<uint16_t> kTlsV10ToV12;
   static ::testing::internal::ParamGenerator<uint16_t> kTlsV13;
   static ::testing::internal::ParamGenerator<uint16_t> kTlsV11Plus;
   static ::testing::internal::ParamGenerator<uint16_t> kTlsV12Plus;
   static ::testing::internal::ParamGenerator<uint16_t> kTlsVAll;
 
-  TlsConnectTestBase(Mode mode, uint16_t version);
-  TlsConnectTestBase(const std::string& mode, uint16_t version);
+  TlsConnectTestBase(SSLProtocolVariant variant, uint16_t version);
   virtual ~TlsConnectTestBase();
 
   void SetUp();
   void TearDown();
 
   // Initialize client and server.
   void Init();
   // Clear the statistics.
@@ -109,36 +111,32 @@ class TlsConnectTestBase : public ::test
       std::function<bool()> post_clienthello_check = nullptr);
   void Receive(size_t amount);
   void ExpectExtendedMasterSecret(bool expected);
   void ExpectEarlyDataAccepted(bool expected);
   void DisableECDHEServerKeyReuse();
   void SkipVersionChecks();
 
  protected:
-  Mode mode_;
+  SSLProtocolVariant variant_;
   std::shared_ptr<TlsAgent> client_;
   std::shared_ptr<TlsAgent> server_;
   std::unique_ptr<TlsAgent> client_model_;
   std::unique_ptr<TlsAgent> server_model_;
   uint16_t version_;
   SessionResumptionMode expected_resumption_mode_;
   std::vector<std::vector<uint8_t>> session_ids_;
 
   // A simple value of "a", "b".  Note that the preferred value of "a" is placed
   // at the end, because the NSS API follows the now defunct NPN specification,
   // which places the preferred (and default) entry at the end of the list.
   // NSS will move this final entry to the front when used with ALPN.
   const uint8_t alpn_dummy_val_[4] = {0x01, 0x62, 0x01, 0x61};
 
  private:
-  static inline Mode ToMode(const std::string& str) {
-    return str == "TLS" ? STREAM : DGRAM;
-  }
-
   void CheckResumption(SessionResumptionMode expected);
   void CheckExtendedMasterSecret();
   void CheckEarlyDataAccepted();
 
   bool expect_extended_master_secret_;
   bool expect_early_data_accepted_;
   bool skip_version_checks_;
 
@@ -154,100 +152,101 @@ class TlsConnectTestBase : public ::test
    private:
     std::set<SSLNamedGroup> groups_;
   };
 };
 
 // A non-parametrized TLS test base.
 class TlsConnectTest : public TlsConnectTestBase {
  public:
-  TlsConnectTest() : TlsConnectTestBase(STREAM, 0) {}
+  TlsConnectTest() : TlsConnectTestBase(ssl_variant_stream, 0) {}
 };
 
 // A non-parametrized DTLS-only test base.
 class DtlsConnectTest : public TlsConnectTestBase {
  public:
-  DtlsConnectTest() : TlsConnectTestBase(DGRAM, 0) {}
+  DtlsConnectTest() : TlsConnectTestBase(ssl_variant_datagram, 0) {}
 };
 
 // A TLS-only test base.
 class TlsConnectStream : public TlsConnectTestBase,
                          public ::testing::WithParamInterface<uint16_t> {
  public:
-  TlsConnectStream() : TlsConnectTestBase(STREAM, GetParam()) {}
+  TlsConnectStream() : TlsConnectTestBase(ssl_variant_stream, GetParam()) {}
 };
 
 // A TLS-only test base for tests before 1.3
 class TlsConnectStreamPre13 : public TlsConnectStream {};
 
 // A DTLS-only test base.
 class TlsConnectDatagram : public TlsConnectTestBase,
                            public ::testing::WithParamInterface<uint16_t> {
  public:
-  TlsConnectDatagram() : TlsConnectTestBase(DGRAM, GetParam()) {}
+  TlsConnectDatagram() : TlsConnectTestBase(ssl_variant_datagram, GetParam()) {}
 };
 
-// A generic test class that can be either STREAM or DGRAM and a single version
-// of TLS.  This is configured in ssl_loopback_unittest.cc.  All uses of this
-// should use TEST_P().
-class TlsConnectGeneric
-    : public TlsConnectTestBase,
-      public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+// A generic test class that can be either stream or datagram and a single
+// version of TLS.  This is configured in ssl_loopback_unittest.cc.
+class TlsConnectGeneric : public TlsConnectTestBase,
+                          public ::testing::WithParamInterface<
+                              std::tuple<SSLProtocolVariant, uint16_t>> {
  public:
   TlsConnectGeneric();
 };
 
 // A Pre TLS 1.2 generic test.
-class TlsConnectPre12
-    : public TlsConnectTestBase,
-      public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+class TlsConnectPre12 : public TlsConnectTestBase,
+                        public ::testing::WithParamInterface<
+                            std::tuple<SSLProtocolVariant, uint16_t>> {
  public:
   TlsConnectPre12();
 };
 
 // A TLS 1.2 only generic test.
-class TlsConnectTls12 : public TlsConnectTestBase,
-                        public ::testing::WithParamInterface<std::string> {
+class TlsConnectTls12
+    : public TlsConnectTestBase,
+      public ::testing::WithParamInterface<SSLProtocolVariant> {
  public:
   TlsConnectTls12();
 };
 
 // A TLS 1.2 only stream test.
 class TlsConnectStreamTls12 : public TlsConnectTestBase {
  public:
   TlsConnectStreamTls12()
-      : TlsConnectTestBase(STREAM, SSL_LIBRARY_VERSION_TLS_1_2) {}
+      : TlsConnectTestBase(ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_2) {}
 };
 
 // A TLS 1.2+ generic test.
-class TlsConnectTls12Plus
-    : public TlsConnectTestBase,
-      public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+class TlsConnectTls12Plus : public TlsConnectTestBase,
+                            public ::testing::WithParamInterface<
+                                std::tuple<SSLProtocolVariant, uint16_t>> {
  public:
   TlsConnectTls12Plus();
 };
 
 // A TLS 1.3 only generic test.
-class TlsConnectTls13 : public TlsConnectTestBase,
-                        public ::testing::WithParamInterface<std::string> {
+class TlsConnectTls13
+    : public TlsConnectTestBase,
+      public ::testing::WithParamInterface<SSLProtocolVariant> {
  public:
   TlsConnectTls13();
 };
 
 // A TLS 1.3 only stream test.
 class TlsConnectStreamTls13 : public TlsConnectTestBase {
  public:
   TlsConnectStreamTls13()
-      : TlsConnectTestBase(STREAM, SSL_LIBRARY_VERSION_TLS_1_3) {}
+      : TlsConnectTestBase(ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_3) {}
 };
 
 class TlsConnectDatagram13 : public TlsConnectTestBase {
  public:
   TlsConnectDatagram13()
-      : TlsConnectTestBase(DGRAM, SSL_LIBRARY_VERSION_TLS_1_3) {}
+      : TlsConnectTestBase(ssl_variant_datagram, SSL_LIBRARY_VERSION_TLS_1_3) {}
 };
 
 // A variant that is used only with Pre13.
 class TlsConnectGenericPre13 : public TlsConnectGeneric {};
 
 class TlsKeyExchangeTest : public TlsConnectGeneric {
  protected:
   std::shared_ptr<TlsExtensionCapture> groups_capture_;