/security/nss/tests/ssl/ssl.sh
Shell | 1009 lines | 884 code | 33 blank | 92 comment | 28 complexity | c0ffee1163f07554395ae739887a6712 MD5 | raw file
1#! /bin/bash 2# 3# ***** BEGIN LICENSE BLOCK ***** 4# Version: MPL 1.1/GPL 2.0/LGPL 2.1 5# 6# The contents of this file are subject to the Mozilla Public License Version 7# 1.1 (the "License"); you may not use this file except in compliance with 8# the License. You may obtain a copy of the License at 9# http://www.mozilla.org/MPL/ 10# 11# Software distributed under the License is distributed on an "AS IS" basis, 12# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License 13# for the specific language governing rights and limitations under the 14# License. 15# 16# The Original Code is the Netscape security libraries. 17# 18# The Initial Developer of the Original Code is 19# Netscape Communications Corporation. 20# Portions created by the Initial Developer are Copyright (C) 1994-2009 21# the Initial Developer. All Rights Reserved. 22# 23# Contributor(s): 24# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories 25# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems 26# 27# Alternatively, the contents of this file may be used under the terms of 28# either the GNU General Public License Version 2 or later (the "GPL"), or 29# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), 30# in which case the provisions of the GPL or the LGPL are applicable instead 31# of those above. If you wish to allow use of your version of this file only 32# under the terms of either the GPL or the LGPL, and not to allow others to 33# use your version of this file under the terms of the MPL, indicate your 34# decision by deleting the provisions above and replace them with the notice 35# and other provisions required by the GPL or the LGPL. If you do not delete 36# the provisions above, a recipient may use your version of this file under 37# the terms of any one of the MPL, the GPL or the LGPL. 38# 39# ***** END LICENSE BLOCK ***** 40 41######################################################################## 42# 43# mozilla/security/nss/tests/ssl/ssl.sh 44# 45# Script to test NSS SSL 46# 47# needs to work on all Unix and Windows platforms 48# 49# special strings 50# --------------- 51# FIXME ... known problems, search for this string 52# NOTE .... unexpected behavior 53# 54######################################################################## 55 56############################## ssl_init ################################ 57# local shell function to initialize this script 58######################################################################## 59ssl_init() 60{ 61 SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh 62 63 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for 64 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it 65 fi 66 67 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then 68 cd ../common 69 . ./init.sh 70 fi 71 if [ -z "${IOPR_SSL_SOURCED}" ]; then 72 . ../iopr/ssl_iopr.sh 73 fi 74 if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here 75 cd ../cert 76 . ./cert.sh 77 fi 78 SCRIPTNAME=ssl.sh 79 echo "$SCRIPTNAME: SSL tests ===============================" 80 81 grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { 82 html_head "SSL Test failure" 83 Exit 8 "Fatal - cert.sh needs to pass first" 84 } 85 86 if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then 87 grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || { 88 html_head "SSL Test failure" 89 Exit 8 "Fatal - SSL of cert.sh needs to pass first" 90 } 91 fi 92 93 PORT=${PORT-8443} 94 NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} 95 nss_ssl_run="cov auth stress" 96 NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} 97 98 # Test case files 99 SSLCOV=${QADIR}/ssl/sslcov.txt 100 SSLAUTH=${QADIR}/ssl/sslauth.txt 101 SSLSTRESS=${QADIR}/ssl/sslstress.txt 102 REQUEST_FILE=${QADIR}/ssl/sslreq.dat 103 104 #temparary files 105 SERVEROUTFILE=${TMP}/tests_server.$$ 106 SERVERPID=${TMP}/tests_pid.$$ 107 108 R_SERVERPID=../tests_pid.$$ 109 110 TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}" 111 112 fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't 113 #fileout=1 114 #verbose="-v" #FIXME - see where this is usefull 115 116 USER_NICKNAME=TestUser 117 NORM_EXT="" 118 119 if [ -n "$NSS_ENABLE_ECC" ] ; then 120 ECC_STRING=" - with ECC" 121 else 122 ECC_STRING="" 123 fi 124 125 CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz" 126 CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz" 127 128 if [ "${OS_ARCH}" != "WINNT" ]; then 129 ulimit -n 1000 # make sure we have enough file descriptors 130 fi 131 132 cd ${CLIENTDIR} 133} 134 135########################### is_selfserv_alive ########################## 136# local shell function to exit with a fatal error if selfserver is not 137# running 138######################################################################## 139is_selfserv_alive() 140{ 141 if [ ! -f "${SERVERPID}" ]; then 142 echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist" 143 sleep 5 144 if [ ! -f "${SERVERPID}" ]; then 145 Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist" 146 fi 147 fi 148 149 if [ "${OS_ARCH}" = "WINNT" ] && \ 150 [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then 151 PID=${SHELL_SERVERPID} 152 else 153 PID=`cat ${SERVERPID}` 154 fi 155 156 echo "kill -0 ${PID} >/dev/null 2>/dev/null" 157 kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" 158 159 echo "selfserv with PID ${PID} found at `date`" 160} 161 162########################### wait_for_selfserv ########################## 163# local shell function to wait until selfserver is running and initialized 164######################################################################## 165wait_for_selfserv() 166{ 167 echo "trying to connect to selfserv at `date`" 168 echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" 169 echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}" 170 ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ 171 -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} 172 if [ $? -ne 0 ]; then 173 sleep 5 174 echo "retrying to connect to selfserv at `date`" 175 echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" 176 echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}" 177 ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ 178 -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} 179 if [ $? -ne 0 ]; then 180 html_failed "Waiting for Server" 181 fi 182 fi 183 is_selfserv_alive 184} 185 186########################### kill_selfserv ############################## 187# local shell function to kill the selfserver after the tests are done 188######################################################################## 189kill_selfserv() 190{ 191 if [ "${OS_ARCH}" = "WINNT" ] && \ 192 [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then 193 PID=${SHELL_SERVERPID} 194 else 195 PID=`cat ${SERVERPID}` 196 fi 197 198 echo "trying to kill selfserv with PID ${PID} at `date`" 199 200 if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then 201 echo "${KILL} ${PID}" 202 ${KILL} ${PID} 203 else 204 echo "${KILL} -USR1 ${PID}" 205 ${KILL} -USR1 ${PID} 206 fi 207 wait ${PID} 208 if [ ${fileout} -eq 1 ]; then 209 cat ${SERVEROUTFILE} 210 fi 211 212 # On Linux selfserv needs up to 30 seconds to fully die and free 213 # the port. Wait until the port is free. (Bug 129701) 214 if [ "${OS_ARCH}" = "Linux" ]; then 215 echo "selfserv -b -p ${PORT} 2>/dev/null;" 216 until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do 217 echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;" 218 sleep 1 219 done 220 fi 221 222 echo "selfserv with PID ${PID} killed at `date`" 223 224 rm ${SERVERPID} 225 html_detect_core "kill_selfserv core detection step" 226} 227 228########################### start_selfserv ############################# 229# local shell function to start the selfserver with the parameters required 230# for this test and log information (parameters, start time) 231# also: wait until the server is up and running 232######################################################################## 233start_selfserv() 234{ 235 if [ -n "$testname" ] ; then 236 echo "$SCRIPTNAME: $testname ----" 237 fi 238 sparam=`echo $sparam | sed -e 's;_; ;g'` 239 if [ -n "$NSS_ENABLE_ECC" ] && \ 240 [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then 241 ECC_OPTIONS="-e ${HOSTADDR}-ec" 242 else 243 ECC_OPTIONS="" 244 fi 245 if [ "$1" = "mixed" ]; then 246 ECC_OPTIONS="-e ${HOSTADDR}-ecmixed" 247 fi 248 echo "selfserv starting at `date`" 249 echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" 250 echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &" 251 if [ ${fileout} -eq 1 ]; then 252 ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ 253 ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \ 254 > ${SERVEROUTFILE} 2>&1 & 255 RET=$? 256 else 257 ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ 258 ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose & 259 RET=$? 260 fi 261 262 # The PID $! returned by the MKS or Cygwin shell is not the PID of 263 # the real background process, but rather the PID of a helper 264 # process (sh.exe). MKS's kill command has a bug: invoking kill 265 # on the helper process does not terminate the real background 266 # process. Our workaround has been to have selfserv save its PID 267 # in the ${SERVERPID} file and "kill" that PID instead. But this 268 # doesn't work under Cygwin; its kill command doesn't recognize 269 # the PID of the real background process, but it does work on the 270 # PID of the helper process. So we save the value of $! in the 271 # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID} 272 # file under Cygwin. (In fact, this should work in any shell 273 # other than the MKS shell.) 274 SHELL_SERVERPID=$! 275 wait_for_selfserv 276 277 if [ "${OS_ARCH}" = "WINNT" ] && \ 278 [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then 279 PID=${SHELL_SERVERPID} 280 else 281 PID=`cat ${SERVERPID}` 282 fi 283 284 echo "selfserv with PID ${PID} started at `date`" 285} 286 287############################## ssl_cov ################################# 288# local shell function to perform SSL Cipher Coverage tests 289######################################################################## 290ssl_cov() 291{ 292 html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" 293 294 testname="" 295 if [ -n "$NSS_ENABLE_ECC" ] ; then 296 sparam="$CLONG" 297 else 298 sparam="$CSHORT" 299 fi 300 301 mixed=0 302 start_selfserv # Launch the server 303 304 exec < ${SSLCOV} 305 while read ectype tls param testname 306 do 307 echo "${testname}" | grep "EXPORT" > /dev/null 308 EXP=$? 309 echo "${testname}" | grep "SSL2" > /dev/null 310 SSL2=$? 311 312 if [ "${SSL2}" -eq 0 ] ; then 313 # We cannot use asynchronous cert verification with SSL2 314 SSL2_FLAGS=-O 315 else 316 # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by 317 # default in libssl but it is enabled by default in tstclnt; we want 318 # to test the libssl default whenever possible. 319 SSL2_FLAGS=-2 320 fi 321 322 if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then 323 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" 324 elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then 325 echo "$SCRIPTNAME: skipping $testname (ECC only)" 326 elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then 327 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" 328 elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then 329 echo "$SCRIPTNAME: running $testname ----------------------------" 330 TLS_FLAG=-T 331 if [ "$tls" = "TLS" ]; then 332 TLS_FLAG="" 333 fi 334 335# These five tests need an EC cert signed with RSA 336# This requires a different certificate loaded in selfserv 337# due to a (current) NSS limitation of only loaded one cert 338# per type so the default selfserv setup will not work. 339#:C00B TLS ECDH RSA WITH NULL SHA 340#:C00C TLS ECDH RSA WITH RC4 128 SHA 341#:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA 342#:C00E TLS ECDH RSA WITH AES 128 CBC SHA 343#:C00F TLS ECDH RSA WITH AES 256 CBC SHA 344 345 if [ $mixed -eq 0 ]; then 346 if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then 347 kill_selfserv 348 start_selfserv mixed 349 mixed=1 350 else 351 is_selfserv_alive 352 fi 353 else 354 if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then 355 is_selfserv_alive 356 else 357 kill_selfserv 358 start_selfserv 359 mixed=0 360 fi 361 fi 362 363 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\" 364 echo " -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}" 365 366 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 367 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \ 368 -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \ 369 >${TMP}/$HOST.tmp.$$ 2>&1 370 ret=$? 371 cat ${TMP}/$HOST.tmp.$$ 372 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 373 html_msg $ret 0 "${testname}" \ 374 "produced a returncode of $ret, expected is 0" 375 fi 376 done 377 378 kill_selfserv 379 html "</TABLE><BR>" 380} 381 382############################## ssl_auth ################################ 383# local shell function to perform SSL Client Authentication tests 384######################################################################## 385ssl_auth() 386{ 387 html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" 388 389 exec < ${SSLAUTH} 390 while read ectype value sparam cparam testname 391 do 392 [ -z "$ectype" ] && continue 393 echo "${testname}" | grep "don't require client auth" > /dev/null 394 CAUTH=$? 395 396 if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then 397 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" 398 elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then 399 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" 400 elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then 401 echo "$SCRIPTNAME: skipping $testname (ECC only)" 402 elif [ "`echo $ectype | cut -b 1`" != "#" ]; then 403 cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` 404 if [ "$ectype" = "SNI" ]; then 405 cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` 406 sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` 407 fi 408 start_selfserv 409 410 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\" 411 echo " ${cparam} < ${REQUEST_FILE}" 412 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 413 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \ 414 -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \ 415 >${TMP}/$HOST.tmp.$$ 2>&1 416 ret=$? 417 cat ${TMP}/$HOST.tmp.$$ 418 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 419 420 #workaround for bug #402058 421 [ $ret -ne 0 ] && ret=1 422 [ $value -ne 0 ] && value=1 423 424 html_msg $ret $value "${testname}" \ 425 "produced a returncode of $ret, expected is $value" 426 kill_selfserv 427 fi 428 done 429 430 html "</TABLE><BR>" 431} 432 433 434############################## ssl_stress ############################## 435# local shell function to perform SSL stress test 436######################################################################## 437ssl_stress() 438{ 439 html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" 440 441 exec < ${SSLSTRESS} 442 while read ectype value sparam cparam testname 443 do 444 if [ -z "$ectype" ]; then 445 # silently ignore blank lines 446 continue 447 fi 448 449 echo "${testname}" | grep "SSL2" > /dev/null 450 SSL2=$? 451 echo "${testname}" | grep "client auth" > /dev/null 452 CAUTH=$? 453 454 if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then 455 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" 456 elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then 457 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" 458 elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then 459 echo "$SCRIPTNAME: skipping $testname (ECC only)" 460 elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then 461 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" 462 elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then 463 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" 464 elif [ "`echo $ectype | cut -b 1`" != "#" ]; then 465 cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` 466 if [ "$ectype" = "SNI" ]; then 467 cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` 468 sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` 469 fi 470 471# These tests need the mixed cert 472# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) 473# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) 474 p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`; 475 if [ "$p" = "-c_:C00E" ]; then 476 start_selfserv mixed 477 else 478 start_selfserv 479 fi 480 481 if [ "`uname -n`" = "sjsu" ] ; then 482 echo "debugging disapering selfserv... ps -ef | grep selfserv" 483 ps -ef | grep selfserv 484 fi 485 486 echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\" 487 echo " $verbose ${HOSTADDR}" 488 echo "strsclnt started at `date`" 489 ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \ 490 $verbose ${HOSTADDR} 491 ret=$? 492 echo "strsclnt completed at `date`" 493 html_msg $ret $value \ 494 "${testname}" \ 495 "produced a returncode of $ret, expected is $value. " 496 if [ "`uname -n`" = "sjsu" ] ; then 497 echo "debugging disapering selfserv... ps -ef | grep selfserv" 498 ps -ef | grep selfserv 499 fi 500 kill_selfserv 501 fi 502 done 503 504 html "</TABLE><BR>" 505} 506 507############################ ssl_crl_ssl ############################### 508# local shell function to perform SSL test with/out revoked certs tests 509######################################################################## 510ssl_crl_ssl() 511{ 512 html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING" 513 514 # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it. 515 # Cert number $UNREVOKED_CERT_GRP_1 was not revoked 516 CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN 517 CRL_GROUP_RANGE=$CRL_GRP_1_RANGE 518 UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1 519 520 exec < ${SSLAUTH} 521 while read ectype value sparam cparam testname 522 do 523 [ "$ectype" = "" ] && continue 524 if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then 525 echo "$SCRIPTNAME: skipping $testname (ECC only)" 526 elif [ "$ectype" = "SNI" ]; then 527 continue 528 elif [ "`echo $ectype | cut -b 1`" != "#" ]; then 529 servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` 530 pwd=`echo $cparam | grep nss` 531 user=`echo $cparam | grep TestUser` 532 _cparam=$cparam 533 case $servarg in 534 1) if [ -z "$pwd" -o -z "$user" ]; then 535 rev_modvalue=0 536 else 537 rev_modvalue=254 538 fi 539 ;; 540 2) rev_modvalue=254 ;; 541 3) if [ -z "$pwd" -o -z "$user" ]; then 542 rev_modvalue=0 543 else 544 rev_modvalue=1 545 fi 546 ;; 547 4) rev_modvalue=1 ;; 548 esac 549 TEMP_NUM=0 550 while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ] 551 do 552 CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}` 553 TEMP_NUM=`expr $TEMP_NUM + 1` 554 USER_NICKNAME="TestUser${CURR_SER_NUM}" 555 cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` 556 start_selfserv 557 558 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\" 559 echo " ${cparam} < ${REQUEST_FILE}" 560 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 561 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ 562 -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \ 563 >${TMP}/$HOST.tmp.$$ 2>&1 564 ret=$? 565 cat ${TMP}/$HOST.tmp.$$ 566 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 567 if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then 568 modvalue=$rev_modvalue 569 testAddMsg="revoked" 570 else 571 testAddMsg="not revoked" 572 modvalue=$value 573 fi 574 575 html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \ 576 "produced a returncode of $ret, expected is $modvalue" 577 kill_selfserv 578 done 579 fi 580 done 581 582 html "</TABLE><BR>" 583} 584 585############################# is_revoked ############################### 586# local shell function to check if certificate is revoked 587######################################################################## 588is_revoked() { 589 certNum=$1 590 currLoadedGrp=$2 591 592 found=0 593 ownerGrp=1 594 while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ] 595 do 596 currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}` 597 currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}` 598 currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1` 599 if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then 600 found=1 601 else 602 ownerGrp=`expr $ownerGrp + 1` 603 fi 604 done 605 if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then 606 return 1 607 fi 608 if [ $found -eq 0 ]; then 609 return 1 610 fi 611 unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}` 612 if [ $certNum -eq $unrevokedGrpCert ]; then 613 return 1 614 fi 615 return 0 616} 617 618########################### load_group_crl ############################# 619# local shell function to load CRL 620######################################################################## 621load_group_crl() { 622 group=$1 623 ectype=$2 624 625 OUTFILE_TMP=${TMP}/$HOST.tmp.$$ 626 grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}` 627 grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}` 628 grpEnd=`expr $grpBegin + $grpRange - 1` 629 630 if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then 631 ret=1 632 return 1; 633 fi 634 635 # Add -ec suffix for ECC 636 if [ "$ectype" = "ECC" ] ; then 637 ecsuffix="-ec" 638 eccomment="ECC " 639 else 640 ecsuffix="" 641 eccomment="" 642 fi 643 644 if [ "$RELOAD_CRL" != "" ]; then 645 if [ $group -eq 1 ]; then 646 echo "==================== Resetting to group 1 crl ===================" 647 kill_selfserv 648 start_selfserv 649 is_selfserv_alive 650 fi 651 echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd =============" 652 653 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\" 654 echo " -2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}" 655 echo "Request:" 656 echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" 657 echo "" 658 echo "RELOAD time $i" 659 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \ 660 -d ${R_CLIENTDIR} -v -2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \ 661 >${OUTFILE_TMP} 2>&1 <<_EOF_REQUEST_ 662GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} 663 664_EOF_REQUEST_ 665 cat ${OUTFILE_TMP} 666 grep "CRL ReCache Error" ${OUTFILE_TMP} 667 if [ $? -eq 0 ]; then 668 ret=1 669 return 1 670 fi 671 else 672 echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv =====" 673 674 kill_selfserv 675 CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd" 676 crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \ 677 -p ../tests.pw.928 678 ret=$? 679 if [ "$ret" -eq 0 ]; then 680 html_passed "${CU_ACTION}" 681 return 1 682 fi 683 start_selfserv 684 fi 685 is_selfserv_alive 686 ret=$? 687 echo "================= CRL Reloaded =============" 688} 689 690########################### ssl_crl_cache ############################## 691# local shell function to perform SSL test for crl cache functionality 692# with/out revoked certs 693######################################################################## 694ssl_crl_cache() 695{ 696 html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING" 697 SSLAUTH_TMP=${TMP}/authin.tl.tmp 698 SERV_ARG=-r_-r 699 rm -f ${SSLAUTH_TMP} 700 echo ${SSLAUTH_TMP} 701 702 grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP} 703 echo $? 704 while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ] 705 do 706 sparam=$SERV_ARG 707 start_selfserv 708 exec < ${SSLAUTH_TMP} 709 while read ectype value sparam cparam testname 710 do 711 [ "$ectype" = "" ] && continue 712 if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then 713 echo "$SCRIPTNAME: skipping $testname (ECC only)" 714 elif [ "$ectype" = "SNI" ]; then 715 continue 716 else 717 servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` 718 pwd=`echo $cparam | grep nss` 719 user=`echo $cparam | grep TestUser` 720 _cparam=$cparam 721 case $servarg in 722 1) if [ -z "$pwd" -o -z "$user" ]; then 723 rev_modvalue=0 724 else 725 rev_modvalue=254 726 fi 727 ;; 728 2) rev_modvalue=254 ;; 729 730 3) if [ -z "$pwd" -o -z "$user" ]; then 731 rev_modvalue=0 732 else 733 rev_modvalue=1 734 fi 735 ;; 736 4) rev_modvalue=1 ;; 737 esac 738 TEMP_NUM=0 739 LOADED_GRP=1 740 while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] 741 do 742 while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ] 743 do 744 CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}` 745 TEMP_NUM=`expr $TEMP_NUM + 1` 746 USER_NICKNAME="TestUser${CURR_SER_NUM}" 747 cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` 748 749 echo "Server Args: $SERV_ARG" 750 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\" 751 echo " ${cparam} < ${REQUEST_FILE}" 752 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 753 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ 754 -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \ 755 >${TMP}/$HOST.tmp.$$ 2>&1 756 ret=$? 757 cat ${TMP}/$HOST.tmp.$$ 758 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 759 is_revoked ${CURR_SER_NUM} ${LOADED_GRP} 760 isRevoked=$? 761 if [ $isRevoked -eq 0 ]; then 762 modvalue=$rev_modvalue 763 testAddMsg="revoked" 764 else 765 modvalue=$value 766 testAddMsg="not revoked" 767 fi 768 769 is_selfserv_alive 770 ss_status=$? 771 if [ "$ss_status" -ne 0 ]; then 772 html_msg $ret $modvalue \ 773 "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ 774 "produced a returncode of $ret, expected is $modvalue. " \ 775 "selfserv is not alive!" 776 else 777 html_msg $ret $modvalue \ 778 "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ 779 "produced a returncode of $ret, expected is $modvalue" 780 fi 781 done 782 LOADED_GRP=`expr $LOADED_GRP + 1` 783 TEMP_NUM=0 784 if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then 785 load_group_crl $LOADED_GRP $ectype 786 html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \ 787 "produced a returncode of $ret, expected is 0" 788 fi 789 done 790 # Restart selfserv to roll back to two initial group 1 crls 791 # TestCA CRL and TestCA-ec CRL 792 kill_selfserv 793 start_selfserv 794 fi 795 done 796 kill_selfserv 797 SERV_ARG="${SERV_ARG}_-r" 798 rm -f ${SSLAUTH_TMP} 799 grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP} 800 done 801 TEMPFILES=${SSLAUTH_TMP} 802 html "</TABLE><BR>" 803} 804 805 806############################## ssl_cleanup ############################# 807# local shell function to finish this script (no exit since it might be 808# sourced) 809######################################################################## 810ssl_cleanup() 811{ 812 rm $SERVERPID 2>/dev/null 813 cd ${QADIR} 814 . common/cleanup.sh 815} 816 817############################## ssl_run ################################# 818# local shell function to run coverage, authentication and stress tests 819######################################################################## 820ssl_run() 821{ 822 for SSL_RUN in ${NSS_SSL_RUN} 823 do 824 case "${SSL_RUN}" in 825 "cov") 826 ssl_cov 827 ;; 828 "auth") 829 ssl_auth 830 ;; 831 "stress") 832 ssl_stress 833 ;; 834 esac 835 done 836} 837 838############################ ssl_run_all ############################### 839# local shell function to run both standard and extended ssl tests 840######################################################################## 841ssl_run_all() 842{ 843 ORIG_SERVERDIR=$SERVERDIR 844 ORIG_CLIENTDIR=$CLIENTDIR 845 ORIG_R_SERVERDIR=$R_SERVERDIR 846 ORIG_R_CLIENTDIR=$R_CLIENTDIR 847 ORIG_P_R_SERVERDIR=$P_R_SERVERDIR 848 ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR 849 850 USER_NICKNAME=TestUser 851 NORM_EXT="" 852 cd ${CLIENTDIR} 853 854 ssl_run 855 856 SERVERDIR=$EXT_SERVERDIR 857 CLIENTDIR=$EXT_CLIENTDIR 858 R_SERVERDIR=$R_EXT_SERVERDIR 859 R_CLIENTDIR=$R_EXT_CLIENTDIR 860 P_R_SERVERDIR=$P_R_EXT_SERVERDIR 861 P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR 862 863 USER_NICKNAME=ExtendedSSLUser 864 NORM_EXT="Extended Test" 865 cd ${CLIENTDIR} 866 867 ssl_run 868 869 # the next round of ssl tests will only run if these vars are reset 870 SERVERDIR=$ORIG_SERVERDIR 871 CLIENTDIR=$ORIG_CLIENTDIR 872 R_SERVERDIR=$ORIG_R_SERVERDIR 873 R_CLIENTDIR=$ORIG_R_CLIENTDIR 874 P_R_SERVERDIR=$ORIG_P_R_SERVERDIR 875 P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR 876 877 USER_NICKNAME=TestUser 878 NORM_EXT= 879 cd ${QADIR}/ssl 880} 881 882############################ ssl_set_fips ############################## 883# local shell function to set FIPS mode on/off 884######################################################################## 885ssl_set_fips() 886{ 887 CLTSRV=$1 888 ONOFF=$2 889 890 if [ ${CLTSRV} = "server" ]; then 891 DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}" 892 else 893 DBDIRS="${CLIETNDIR} ${EXT_CLIENTDIR}" 894 fi 895 896 if [ "${ONOFF}" = "on" ]; then 897 FIPSMODE=true 898 RET_EXP=0 899 else 900 FIPSMODE=false 901 RET_EXP=1 902 fi 903 904 html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}" 905 906 for DBDIR in ${DBDIRS} 907 do 908 EXT_OPT= 909 echo ${DBDIR} | grep ext > /dev/null 910 if [ $? -eq 0 ]; then 911 EXT_OPT="extended " 912 fi 913 914 echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}" 915 916 echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force" 917 ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1 918 RET=$? 919 html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \ 920 "produced a returncode of ${RET}, expected is 0" 921 922 echo "modutil -dbdir ${DBDIR} -list" 923 DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1` 924 RET=$? 925 html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \ 926 "produced a returncode of ${RET}, expected is 0" 927 928 echo "${DBLIST}" | grep "FIPS PKCS #11" 929 RET=$? 930 html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \ 931 "produced a returncode of ${RET}, expected is ${RET_EXP}" 932 done 933 934 html "</TABLE><BR>" 935} 936 937############################ ssl_set_fips ############################## 938# local shell function to run all tests set in NSS_SSL_TESTS variable 939######################################################################## 940ssl_run_tests() 941{ 942 for SSL_TEST in ${NSS_SSL_TESTS} 943 do 944 case "${SSL_TEST}" in 945 "crl") 946 ssl_crl_ssl 947 ssl_crl_cache 948 ;; 949 "iopr") 950 ssl_iopr_run 951 ;; 952 *) 953 SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1` 954 CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2` 955 956 case "${SERVER_MODE}" in 957 "normal") 958 SERVER_OPTIONS= 959 ;; 960 "bypass") 961 SERVER_OPTIONS="-B -s" 962 ;; 963 "fips") 964 SERVER_OPTIONS= 965 ssl_set_fips server on 966 ;; 967 *) 968 echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}" 969 continue 970 ;; 971 esac 972 973 case "${CLIENT_MODE}" in 974 "normal") 975 CLIENT_OPTIONS= 976 ;; 977 "bypass") 978 CLIENT_OPTIONS="-B -s" 979 ;; 980 "fips") 981 SERVER_OPTIONS= 982 ssl_set_fips client on 983 ;; 984 *) 985 echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}" 986 continue 987 ;; 988 esac 989 990 ssl_run_all 991 992 if [ "${SERVER_MODE}" = "fips" ]; then 993 ssl_set_fips server off 994 fi 995 996 if [ "${CLIENT_MODE}" = "fips" ]; then 997 ssl_set_fips client off 998 fi 999 ;; 1000 esac 1001 done 1002} 1003 1004################################# main ################################# 1005 1006ssl_init 1007ssl_run_tests 1008ssl_cleanup 1009