PageRenderTime 65ms CodeModel.GetById 18ms app.highlight 40ms RepoModel.GetById 1ms app.codeStats 0ms

/security/nss/tests/ssl/ssl.sh

http://github.com/zpao/v8monkey
Shell | 1009 lines | 884 code | 33 blank | 92 comment | 28 complexity | c0ffee1163f07554395ae739887a6712 MD5 | raw file
   1#! /bin/bash
   2#
   3# ***** BEGIN LICENSE BLOCK *****
   4# Version: MPL 1.1/GPL 2.0/LGPL 2.1
   5#
   6# The contents of this file are subject to the Mozilla Public License Version
   7# 1.1 (the "License"); you may not use this file except in compliance with
   8# the License. You may obtain a copy of the License at
   9# http://www.mozilla.org/MPL/
  10#
  11# Software distributed under the License is distributed on an "AS IS" basis,
  12# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  13# for the specific language governing rights and limitations under the
  14# License.
  15#
  16# The Original Code is the Netscape security libraries.
  17#
  18# The Initial Developer of the Original Code is
  19# Netscape Communications Corporation.
  20# Portions created by the Initial Developer are Copyright (C) 1994-2009
  21# the Initial Developer. All Rights Reserved.
  22#
  23# Contributor(s):
  24#   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
  25#   Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
  26#
  27# Alternatively, the contents of this file may be used under the terms of
  28# either the GNU General Public License Version 2 or later (the "GPL"), or
  29# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  30# in which case the provisions of the GPL or the LGPL are applicable instead
  31# of those above. If you wish to allow use of your version of this file only
  32# under the terms of either the GPL or the LGPL, and not to allow others to
  33# use your version of this file under the terms of the MPL, indicate your
  34# decision by deleting the provisions above and replace them with the notice
  35# and other provisions required by the GPL or the LGPL. If you do not delete
  36# the provisions above, a recipient may use your version of this file under
  37# the terms of any one of the MPL, the GPL or the LGPL.
  38#
  39# ***** END LICENSE BLOCK *****
  40
  41########################################################################
  42#
  43# mozilla/security/nss/tests/ssl/ssl.sh
  44#
  45# Script to test NSS SSL
  46#
  47# needs to work on all Unix and Windows platforms
  48#
  49# special strings
  50# ---------------
  51#   FIXME ... known problems, search for this string
  52#   NOTE .... unexpected behavior
  53#
  54########################################################################
  55
  56############################## ssl_init ################################
  57# local shell function to initialize this script
  58########################################################################
  59ssl_init()
  60{
  61  SCRIPTNAME=ssl.sh      # sourced - $0 would point to all.sh
  62
  63  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
  64      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
  65  fi
  66  
  67  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
  68      cd ../common
  69      . ./init.sh
  70  fi
  71  if [ -z "${IOPR_SSL_SOURCED}" ]; then
  72      . ../iopr/ssl_iopr.sh
  73  fi
  74  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
  75      cd ../cert
  76      . ./cert.sh
  77  fi
  78  SCRIPTNAME=ssl.sh
  79  echo "$SCRIPTNAME: SSL tests ==============================="
  80
  81  grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
  82      html_head "SSL Test failure"
  83      Exit 8 "Fatal - cert.sh needs to pass first"
  84  }
  85
  86  if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
  87      grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
  88          html_head "SSL Test failure"
  89          Exit 8 "Fatal - SSL of cert.sh needs to pass first"
  90      }
  91  fi
  92
  93  PORT=${PORT-8443}
  94  NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
  95  nss_ssl_run="cov auth stress"
  96  NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
  97
  98  # Test case files
  99  SSLCOV=${QADIR}/ssl/sslcov.txt
 100  SSLAUTH=${QADIR}/ssl/sslauth.txt
 101  SSLSTRESS=${QADIR}/ssl/sslstress.txt
 102  REQUEST_FILE=${QADIR}/ssl/sslreq.dat
 103
 104  #temparary files
 105  SERVEROUTFILE=${TMP}/tests_server.$$
 106  SERVERPID=${TMP}/tests_pid.$$
 107
 108  R_SERVERPID=../tests_pid.$$
 109
 110  TEMPFILES="$TMPFILES ${SERVEROUTFILE}  ${SERVERPID}"
 111
 112  fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
 113  #fileout=1
 114  #verbose="-v" #FIXME - see where this is usefull
 115
 116  USER_NICKNAME=TestUser
 117  NORM_EXT=""
 118
 119  if [ -n "$NSS_ENABLE_ECC" ] ; then
 120      ECC_STRING=" - with ECC"
 121  else
 122      ECC_STRING=""
 123  fi
 124
 125  CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz"
 126  CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz"
 127
 128  if [ "${OS_ARCH}" != "WINNT" ]; then
 129      ulimit -n 1000 # make sure we have enough file descriptors
 130  fi
 131
 132  cd ${CLIENTDIR}
 133}
 134
 135########################### is_selfserv_alive ##########################
 136# local shell function to exit with a fatal error if selfserver is not
 137# running
 138########################################################################
 139is_selfserv_alive()
 140{
 141  if [ ! -f "${SERVERPID}" ]; then
 142      echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
 143      sleep 5
 144      if [ ! -f "${SERVERPID}" ]; then
 145          Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
 146      fi
 147  fi
 148  
 149  if [ "${OS_ARCH}" = "WINNT" ] && \
 150     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
 151      PID=${SHELL_SERVERPID}
 152  else
 153      PID=`cat ${SERVERPID}`
 154  fi
 155
 156  echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
 157  kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
 158
 159  echo "selfserv with PID ${PID} found at `date`"
 160}
 161
 162########################### wait_for_selfserv ##########################
 163# local shell function to wait until selfserver is running and initialized
 164########################################################################
 165wait_for_selfserv()
 166{
 167  echo "trying to connect to selfserv at `date`"
 168  echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
 169  echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
 170  ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
 171          -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
 172  if [ $? -ne 0 ]; then
 173      sleep 5
 174      echo "retrying to connect to selfserv at `date`"
 175      echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
 176      echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
 177      ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
 178              -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
 179      if [ $? -ne 0 ]; then
 180          html_failed "Waiting for Server"
 181      fi
 182  fi
 183  is_selfserv_alive
 184}
 185
 186########################### kill_selfserv ##############################
 187# local shell function to kill the selfserver after the tests are done
 188########################################################################
 189kill_selfserv()
 190{
 191  if [ "${OS_ARCH}" = "WINNT" ] && \
 192     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
 193      PID=${SHELL_SERVERPID}
 194  else
 195      PID=`cat ${SERVERPID}`
 196  fi
 197
 198  echo "trying to kill selfserv with PID ${PID} at `date`"
 199
 200  if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
 201      echo "${KILL} ${PID}"
 202      ${KILL} ${PID}
 203  else
 204      echo "${KILL} -USR1 ${PID}"
 205      ${KILL} -USR1 ${PID}
 206  fi
 207  wait ${PID}
 208  if [ ${fileout} -eq 1 ]; then
 209      cat ${SERVEROUTFILE}
 210  fi
 211
 212  # On Linux selfserv needs up to 30 seconds to fully die and free
 213  # the port.  Wait until the port is free. (Bug 129701)
 214  if [ "${OS_ARCH}" = "Linux" ]; then
 215      echo "selfserv -b -p ${PORT} 2>/dev/null;"
 216      until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
 217          echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
 218          sleep 1
 219      done
 220  fi
 221
 222  echo "selfserv with PID ${PID} killed at `date`"
 223
 224  rm ${SERVERPID}
 225  html_detect_core "kill_selfserv core detection step"
 226}
 227
 228########################### start_selfserv #############################
 229# local shell function to start the selfserver with the parameters required 
 230# for this test and log information (parameters, start time)
 231# also: wait until the server is up and running
 232########################################################################
 233start_selfserv()
 234{
 235  if [ -n "$testname" ] ; then
 236      echo "$SCRIPTNAME: $testname ----"
 237  fi
 238  sparam=`echo $sparam | sed -e 's;_; ;g'`
 239  if [ -n "$NSS_ENABLE_ECC" ] && \
 240     [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
 241      ECC_OPTIONS="-e ${HOSTADDR}-ec"
 242  else
 243      ECC_OPTIONS=""
 244  fi
 245  if [ "$1" = "mixed" ]; then
 246      ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
 247  fi
 248  echo "selfserv starting at `date`"
 249  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
 250  echo "         ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
 251  if [ ${fileout} -eq 1 ]; then
 252      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
 253               ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
 254               > ${SERVEROUTFILE} 2>&1 &
 255      RET=$?
 256  else
 257      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
 258               ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
 259      RET=$?
 260  fi
 261
 262  # The PID $! returned by the MKS or Cygwin shell is not the PID of
 263  # the real background process, but rather the PID of a helper
 264  # process (sh.exe).  MKS's kill command has a bug: invoking kill
 265  # on the helper process does not terminate the real background
 266  # process.  Our workaround has been to have selfserv save its PID
 267  # in the ${SERVERPID} file and "kill" that PID instead.  But this
 268  # doesn't work under Cygwin; its kill command doesn't recognize
 269  # the PID of the real background process, but it does work on the
 270  # PID of the helper process.  So we save the value of $! in the
 271  # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
 272  # file under Cygwin.  (In fact, this should work in any shell
 273  # other than the MKS shell.)
 274  SHELL_SERVERPID=$!
 275  wait_for_selfserv
 276
 277  if [ "${OS_ARCH}" = "WINNT" ] && \
 278     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
 279      PID=${SHELL_SERVERPID}
 280  else
 281      PID=`cat ${SERVERPID}`
 282  fi
 283
 284  echo "selfserv with PID ${PID} started at `date`"
 285}
 286
 287############################## ssl_cov #################################
 288# local shell function to perform SSL Cipher Coverage tests
 289########################################################################
 290ssl_cov()
 291{
 292  html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
 293
 294  testname=""
 295  if [ -n "$NSS_ENABLE_ECC" ] ; then
 296      sparam="$CLONG"
 297  else
 298      sparam="$CSHORT"
 299  fi
 300
 301  mixed=0
 302  start_selfserv # Launch the server
 303               
 304  exec < ${SSLCOV}
 305  while read ectype tls param testname
 306  do
 307      echo "${testname}" | grep "EXPORT" > /dev/null 
 308      EXP=$?
 309      echo "${testname}" | grep "SSL2" > /dev/null
 310      SSL2=$?
 311
 312      if [ "${SSL2}" -eq 0 ] ; then
 313          # We cannot use asynchronous cert verification with SSL2
 314          SSL2_FLAGS=-O
 315      else
 316          # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
 317          # default in libssl but it is enabled by default in tstclnt; we want
 318          # to test the libssl default whenever possible.
 319          SSL2_FLAGS=-2
 320      fi
 321      
 322      if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
 323          echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
 324      elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
 325          echo "$SCRIPTNAME: skipping  $testname (ECC only)"
 326      elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
 327          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
 328      elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
 329          echo "$SCRIPTNAME: running $testname ----------------------------"
 330          TLS_FLAG=-T
 331          if [ "$tls" = "TLS" ]; then
 332              TLS_FLAG=""
 333          fi
 334
 335# These five tests need an EC cert signed with RSA
 336# This requires a different certificate loaded in selfserv
 337# due to a (current) NSS limitation of only loaded one cert
 338# per type so the default selfserv setup will not work.
 339#:C00B TLS ECDH RSA WITH NULL SHA
 340#:C00C TLS ECDH RSA WITH RC4 128 SHA
 341#:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
 342#:C00E TLS ECDH RSA WITH AES 128 CBC SHA
 343#:C00F TLS ECDH RSA WITH AES 256 CBC SHA
 344
 345          if [ $mixed -eq 0 ]; then
 346            if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
 347              kill_selfserv
 348              start_selfserv mixed
 349              mixed=1
 350            else
 351              is_selfserv_alive
 352            fi
 353          else 
 354            if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
 355              is_selfserv_alive
 356            else
 357              kill_selfserv
 358              start_selfserv
 359              mixed=0
 360            fi
 361          fi
 362
 363          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\"
 364          echo "        -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}"
 365
 366          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 367          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \
 368                  -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \
 369                  >${TMP}/$HOST.tmp.$$  2>&1
 370          ret=$?
 371          cat ${TMP}/$HOST.tmp.$$ 
 372          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 373          html_msg $ret 0 "${testname}" \
 374                   "produced a returncode of $ret, expected is 0"
 375      fi
 376  done
 377
 378  kill_selfserv
 379  html "</TABLE><BR>"
 380}
 381
 382############################## ssl_auth ################################
 383# local shell function to perform SSL  Client Authentication tests
 384########################################################################
 385ssl_auth()
 386{
 387  html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
 388
 389  exec < ${SSLAUTH}
 390  while read ectype value sparam cparam testname
 391  do
 392      [ -z "$ectype" ] && continue
 393      echo "${testname}" | grep "don't require client auth" > /dev/null
 394      CAUTH=$?
 395
 396      if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
 397          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
 398      elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
 399          echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
 400      elif [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
 401          echo "$SCRIPTNAME: skipping  $testname (ECC only)"
 402      elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
 403          cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 404          if [ "$ectype" = "SNI" ]; then
 405              cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
 406              sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
 407          fi
 408          start_selfserv
 409
 410          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
 411          echo "        ${cparam}  < ${REQUEST_FILE}"
 412          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 413          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
 414                  -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \
 415                  >${TMP}/$HOST.tmp.$$  2>&1
 416          ret=$?
 417          cat ${TMP}/$HOST.tmp.$$ 
 418          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 419
 420          #workaround for bug #402058
 421          [ $ret -ne 0 ] && ret=1
 422          [ $value -ne 0 ] && value=1
 423
 424          html_msg $ret $value "${testname}" \
 425                   "produced a returncode of $ret, expected is $value"
 426          kill_selfserv
 427      fi
 428  done
 429
 430  html "</TABLE><BR>"
 431}
 432
 433
 434############################## ssl_stress ##############################
 435# local shell function to perform SSL stress test
 436########################################################################
 437ssl_stress()
 438{
 439  html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
 440
 441  exec < ${SSLSTRESS}
 442  while read ectype value sparam cparam testname
 443  do
 444      if [ -z "$ectype" ]; then
 445          # silently ignore blank lines
 446          continue
 447      fi
 448
 449      echo "${testname}" | grep "SSL2" > /dev/null
 450      SSL2=$?
 451      echo "${testname}" | grep "client auth" > /dev/null
 452      CAUTH=$?
 453
 454      if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
 455          echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
 456      elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
 457          echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
 458      elif [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
 459          echo "$SCRIPTNAME: skipping  $testname (ECC only)"
 460      elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
 461          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
 462      elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
 463          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
 464      elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
 465          cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 466          if [ "$ectype" = "SNI" ]; then
 467              cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
 468              sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
 469          fi
 470
 471# These tests need the mixed cert 
 472# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
 473# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
 474          p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;
 475          if [ "$p" = "-c_:C00E" ]; then
 476              start_selfserv mixed
 477          else
 478              start_selfserv
 479          fi
 480
 481          if [ "`uname -n`" = "sjsu" ] ; then
 482              echo "debugging disapering selfserv... ps -ef | grep selfserv"
 483              ps -ef | grep selfserv
 484          fi
 485
 486          echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
 487          echo "         $verbose ${HOSTADDR}"
 488          echo "strsclnt started at `date`"
 489          ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
 490                   $verbose ${HOSTADDR}
 491          ret=$?
 492          echo "strsclnt completed at `date`"
 493          html_msg $ret $value \
 494                   "${testname}" \
 495                   "produced a returncode of $ret, expected is $value. "
 496          if [ "`uname -n`" = "sjsu" ] ; then
 497              echo "debugging disapering selfserv... ps -ef | grep selfserv"
 498              ps -ef | grep selfserv
 499          fi
 500          kill_selfserv
 501      fi
 502  done
 503
 504  html "</TABLE><BR>"
 505}
 506
 507############################ ssl_crl_ssl ###############################
 508# local shell function to perform SSL test with/out revoked certs tests
 509########################################################################
 510ssl_crl_ssl()
 511{
 512  html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
 513  
 514  # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
 515  # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
 516  CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
 517  CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
 518  UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
 519
 520  exec < ${SSLAUTH}
 521  while read ectype value sparam cparam testname
 522  do
 523    [ "$ectype" = "" ] && continue
 524    if [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
 525        echo "$SCRIPTNAME: skipping $testname (ECC only)"
 526    elif [ "$ectype" = "SNI" ]; then
 527        continue
 528    elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
 529	servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
 530	pwd=`echo $cparam | grep nss`
 531	user=`echo $cparam | grep TestUser`
 532	_cparam=$cparam
 533	case $servarg in
 534	    1) if [ -z "$pwd" -o -z "$user" ]; then
 535                 rev_modvalue=0
 536               else
 537	         rev_modvalue=254
 538               fi
 539               ;;
 540	    2) rev_modvalue=254 ;;
 541	    3) if [ -z "$pwd" -o -z "$user" ]; then
 542		rev_modvalue=0
 543		else
 544		rev_modvalue=1
 545		fi
 546		;;
 547	    4) rev_modvalue=1 ;;
 548	esac
 549	TEMP_NUM=0
 550	while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
 551	  do
 552	  CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
 553	  TEMP_NUM=`expr $TEMP_NUM + 1`
 554	  USER_NICKNAME="TestUser${CURR_SER_NUM}"
 555	  cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 556	  start_selfserv
 557	  
 558	  echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
 559	  echo "        ${cparam}  < ${REQUEST_FILE}"
 560	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 561	  ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
 562	      -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
 563	      >${TMP}/$HOST.tmp.$$  2>&1
 564	  ret=$?
 565	  cat ${TMP}/$HOST.tmp.$$ 
 566	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 567	  if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
 568	      modvalue=$rev_modvalue
 569              testAddMsg="revoked"
 570	  else
 571              testAddMsg="not revoked"
 572	      modvalue=$value
 573	  fi
 574	  
 575	  html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
 576		"produced a returncode of $ret, expected is $modvalue"
 577	  kill_selfserv
 578	done
 579    fi
 580  done
 581
 582  html "</TABLE><BR>"
 583}
 584
 585############################# is_revoked ###############################
 586# local shell function to check if certificate is revoked
 587########################################################################
 588is_revoked() {
 589    certNum=$1
 590    currLoadedGrp=$2
 591    
 592    found=0
 593    ownerGrp=1
 594    while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
 595      do
 596      currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
 597      currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
 598      currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
 599      if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
 600          found=1
 601      else
 602          ownerGrp=`expr $ownerGrp + 1`
 603      fi
 604    done
 605    if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
 606        return 1
 607    fi
 608    if [ $found -eq 0 ]; then
 609        return 1
 610    fi
 611    unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
 612    if [ $certNum -eq $unrevokedGrpCert ]; then
 613        return 1
 614    fi
 615    return 0
 616}
 617
 618########################### load_group_crl #############################
 619# local shell function to load CRL 
 620########################################################################
 621load_group_crl() {
 622    group=$1
 623    ectype=$2
 624
 625    OUTFILE_TMP=${TMP}/$HOST.tmp.$$
 626    grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
 627    grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
 628    grpEnd=`expr $grpBegin + $grpRange - 1`
 629    
 630    if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
 631        ret=1
 632        return 1;
 633    fi
 634    
 635    # Add -ec suffix for ECC
 636    if [ "$ectype" = "ECC" ] ; then
 637      ecsuffix="-ec"
 638      eccomment="ECC "
 639    else
 640      ecsuffix=""
 641      eccomment=""
 642    fi
 643    
 644    if [ "$RELOAD_CRL" != "" ]; then
 645        if [ $group -eq 1 ]; then
 646            echo "==================== Resetting to group 1 crl ==================="
 647            kill_selfserv
 648            start_selfserv
 649            is_selfserv_alive
 650        fi
 651        echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
 652
 653        echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
 654        echo "          -2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
 655        echo "Request:"
 656        echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
 657        echo ""
 658        echo "RELOAD time $i"
 659        ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f  \
 660            -d ${R_CLIENTDIR} -v -2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
 661	    >${OUTFILE_TMP}  2>&1 <<_EOF_REQUEST_
 662GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
 663
 664_EOF_REQUEST_
 665        cat ${OUTFILE_TMP}
 666        grep "CRL ReCache Error" ${OUTFILE_TMP}
 667        if [ $? -eq 0 ]; then
 668            ret=1
 669            return 1
 670        fi
 671    else
 672        echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
 673
 674        kill_selfserv
 675        CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
 676        crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
 677             -p ../tests.pw.928
 678        ret=$?
 679        if [ "$ret" -eq 0 ]; then
 680	    html_passed "${CU_ACTION}"
 681            return 1
 682        fi
 683        start_selfserv        
 684    fi
 685    is_selfserv_alive
 686    ret=$?
 687    echo "================= CRL Reloaded ============="
 688}
 689
 690########################### ssl_crl_cache ##############################
 691# local shell function to perform SSL test for crl cache functionality
 692# with/out revoked certs 
 693########################################################################
 694ssl_crl_cache()
 695{
 696  html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
 697  SSLAUTH_TMP=${TMP}/authin.tl.tmp
 698  SERV_ARG=-r_-r
 699  rm -f ${SSLAUTH_TMP}
 700  echo ${SSLAUTH_TMP}
 701
 702  grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
 703  echo $?
 704  while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
 705    do
 706    sparam=$SERV_ARG
 707    start_selfserv
 708    exec < ${SSLAUTH_TMP}
 709    while read ectype value sparam cparam testname
 710      do
 711      [ "$ectype" = "" ] && continue
 712      if [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
 713        echo "$SCRIPTNAME: skipping  $testname (ECC only)"
 714      elif [ "$ectype" = "SNI" ]; then
 715          continue
 716      else
 717        servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
 718        pwd=`echo $cparam | grep nss`
 719        user=`echo $cparam | grep TestUser`
 720        _cparam=$cparam
 721        case $servarg in
 722            1) if [ -z "$pwd" -o -z "$user" ]; then
 723                rev_modvalue=0
 724                else
 725                rev_modvalue=254
 726                fi
 727                ;;
 728            2) rev_modvalue=254 ;;
 729
 730            3) if [ -z "$pwd" -o -z "$user" ]; then
 731                rev_modvalue=0
 732                else
 733                rev_modvalue=1
 734                fi
 735                ;;
 736            4) rev_modvalue=1 ;;
 737	  esac
 738        TEMP_NUM=0
 739        LOADED_GRP=1
 740        while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
 741          do
 742          while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
 743            do
 744            CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
 745            TEMP_NUM=`expr $TEMP_NUM + 1`
 746            USER_NICKNAME="TestUser${CURR_SER_NUM}"
 747            cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 748
 749            echo "Server Args: $SERV_ARG"
 750            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
 751            echo "        ${cparam}  < ${REQUEST_FILE}"
 752            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 753            ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
 754	        -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
 755                >${TMP}/$HOST.tmp.$$  2>&1
 756            ret=$?
 757            cat ${TMP}/$HOST.tmp.$$ 
 758            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 759            is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
 760            isRevoked=$?
 761            if [ $isRevoked -eq 0 ]; then
 762                modvalue=$rev_modvalue
 763                testAddMsg="revoked"
 764            else
 765                modvalue=$value
 766                testAddMsg="not revoked"
 767            fi
 768
 769            is_selfserv_alive
 770            ss_status=$?
 771            if [ "$ss_status" -ne 0 ]; then
 772                html_msg $ret $modvalue \
 773                    "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
 774                    "produced a returncode of $ret, expected is $modvalue. " \
 775                    "selfserv is not alive!"
 776            else
 777                html_msg $ret $modvalue \
 778                    "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
 779                    "produced a returncode of $ret, expected is $modvalue"
 780            fi
 781          done
 782          LOADED_GRP=`expr $LOADED_GRP + 1`
 783          TEMP_NUM=0
 784          if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
 785              load_group_crl $LOADED_GRP $ectype
 786              html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
 787                  "produced a returncode of $ret, expected is 0"
 788          fi
 789        done
 790        # Restart selfserv to roll back to two initial group 1 crls
 791        # TestCA CRL and TestCA-ec CRL 
 792        kill_selfserv
 793        start_selfserv
 794      fi
 795    done
 796    kill_selfserv
 797    SERV_ARG="${SERV_ARG}_-r"
 798    rm -f ${SSLAUTH_TMP}
 799    grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus  > ${SSLAUTH_TMP}
 800  done
 801  TEMPFILES=${SSLAUTH_TMP}
 802  html "</TABLE><BR>"
 803}
 804
 805
 806############################## ssl_cleanup #############################
 807# local shell function to finish this script (no exit since it might be
 808# sourced)
 809########################################################################
 810ssl_cleanup()
 811{
 812  rm $SERVERPID 2>/dev/null
 813  cd ${QADIR}
 814  . common/cleanup.sh
 815}
 816
 817############################## ssl_run #################################
 818# local shell function to run coverage, authentication and stress tests
 819########################################################################
 820ssl_run()
 821{
 822    for SSL_RUN in ${NSS_SSL_RUN}
 823    do
 824        case "${SSL_RUN}" in
 825        "cov")
 826            ssl_cov
 827            ;;
 828        "auth")
 829            ssl_auth
 830            ;;
 831        "stress")
 832            ssl_stress
 833            ;;
 834         esac
 835    done
 836}
 837
 838############################ ssl_run_all ###############################
 839# local shell function to run both standard and extended ssl tests
 840########################################################################
 841ssl_run_all()
 842{
 843    ORIG_SERVERDIR=$SERVERDIR
 844    ORIG_CLIENTDIR=$CLIENTDIR
 845    ORIG_R_SERVERDIR=$R_SERVERDIR
 846    ORIG_R_CLIENTDIR=$R_CLIENTDIR
 847    ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
 848    ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
 849
 850    USER_NICKNAME=TestUser
 851    NORM_EXT=""
 852    cd ${CLIENTDIR}
 853
 854    ssl_run
 855
 856    SERVERDIR=$EXT_SERVERDIR
 857    CLIENTDIR=$EXT_CLIENTDIR
 858    R_SERVERDIR=$R_EXT_SERVERDIR
 859    R_CLIENTDIR=$R_EXT_CLIENTDIR
 860    P_R_SERVERDIR=$P_R_EXT_SERVERDIR
 861    P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
 862
 863    USER_NICKNAME=ExtendedSSLUser
 864    NORM_EXT="Extended Test"
 865    cd ${CLIENTDIR}
 866    
 867    ssl_run
 868
 869    # the next round of ssl tests will only run if these vars are reset
 870    SERVERDIR=$ORIG_SERVERDIR
 871    CLIENTDIR=$ORIG_CLIENTDIR
 872    R_SERVERDIR=$ORIG_R_SERVERDIR
 873    R_CLIENTDIR=$ORIG_R_CLIENTDIR
 874    P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
 875    P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
 876
 877    USER_NICKNAME=TestUser
 878    NORM_EXT=
 879    cd ${QADIR}/ssl
 880}
 881
 882############################ ssl_set_fips ##############################
 883# local shell function to set FIPS mode on/off
 884########################################################################
 885ssl_set_fips()
 886{
 887    CLTSRV=$1
 888    ONOFF=$2
 889
 890    if [ ${CLTSRV} = "server" ]; then
 891        DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
 892    else
 893        DBDIRS="${CLIETNDIR} ${EXT_CLIENTDIR}"
 894    fi
 895    
 896    if [ "${ONOFF}" = "on" ]; then
 897        FIPSMODE=true
 898        RET_EXP=0
 899    else
 900        FIPSMODE=false
 901        RET_EXP=1
 902    fi
 903
 904    html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
 905
 906    for DBDIR in ${DBDIRS}
 907    do
 908        EXT_OPT=
 909        echo ${DBDIR} | grep ext > /dev/null
 910        if [ $? -eq 0 ]; then
 911            EXT_OPT="extended "
 912        fi
 913
 914        echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
 915
 916        echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
 917        ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
 918        RET=$?  
 919        html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
 920                 "produced a returncode of ${RET}, expected is 0"
 921  
 922        echo "modutil -dbdir ${DBDIR} -list"
 923        DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
 924        RET=$?  
 925        html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
 926                 "produced a returncode of ${RET}, expected is 0"
 927
 928        echo "${DBLIST}" | grep "FIPS PKCS #11"
 929        RET=$?
 930        html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
 931                 "produced a returncode of ${RET}, expected is ${RET_EXP}"
 932    done
 933
 934    html "</TABLE><BR>"
 935}
 936
 937############################ ssl_set_fips ##############################
 938# local shell function to run all tests set in NSS_SSL_TESTS variable 
 939########################################################################
 940ssl_run_tests()
 941{
 942    for SSL_TEST in ${NSS_SSL_TESTS}
 943    do
 944        case "${SSL_TEST}" in
 945        "crl")
 946            ssl_crl_ssl
 947            ssl_crl_cache
 948            ;;
 949        "iopr")
 950            ssl_iopr_run
 951            ;;
 952        *)
 953            SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
 954            CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
 955
 956            case "${SERVER_MODE}" in
 957            "normal")
 958                SERVER_OPTIONS=
 959                ;;
 960            "bypass")
 961                SERVER_OPTIONS="-B -s"
 962                ;;
 963            "fips")
 964                SERVER_OPTIONS=
 965                ssl_set_fips server on
 966                ;;
 967            *)
 968                echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
 969                continue
 970                ;;
 971            esac
 972
 973            case "${CLIENT_MODE}" in
 974            "normal")
 975                CLIENT_OPTIONS=
 976                ;;
 977            "bypass")
 978                CLIENT_OPTIONS="-B -s"
 979                ;;
 980            "fips")
 981                SERVER_OPTIONS=
 982                ssl_set_fips client on
 983                ;;
 984            *)
 985                echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
 986                continue
 987                ;;
 988            esac
 989
 990            ssl_run_all
 991
 992            if [ "${SERVER_MODE}" = "fips" ]; then
 993                ssl_set_fips server off
 994            fi
 995
 996            if [ "${CLIENT_MODE}" = "fips" ]; then
 997                ssl_set_fips client off
 998            fi
 999            ;;
1000        esac
1001    done
1002}
1003
1004################################# main #################################
1005
1006ssl_init
1007ssl_run_tests
1008ssl_cleanup
1009