/security/nss/tests/ssl/ssl.sh

http://github.com/zpao/v8monkey · Shell · 1009 lines · 884 code · 33 blank · 92 comment · 28 complexity · c0ffee1163f07554395ae739887a6712 MD5 · raw file

  1. #! /bin/bash
  2. #
  3. # ***** BEGIN LICENSE BLOCK *****
  4. # Version: MPL 1.1/GPL 2.0/LGPL 2.1
  5. #
  6. # The contents of this file are subject to the Mozilla Public License Version
  7. # 1.1 (the "License"); you may not use this file except in compliance with
  8. # the License. You may obtain a copy of the License at
  9. # http://www.mozilla.org/MPL/
  10. #
  11. # Software distributed under the License is distributed on an "AS IS" basis,
  12. # WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  13. # for the specific language governing rights and limitations under the
  14. # License.
  15. #
  16. # The Original Code is the Netscape security libraries.
  17. #
  18. # The Initial Developer of the Original Code is
  19. # Netscape Communications Corporation.
  20. # Portions created by the Initial Developer are Copyright (C) 1994-2009
  21. # the Initial Developer. All Rights Reserved.
  22. #
  23. # Contributor(s):
  24. # Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
  25. # Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
  26. #
  27. # Alternatively, the contents of this file may be used under the terms of
  28. # either the GNU General Public License Version 2 or later (the "GPL"), or
  29. # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  30. # in which case the provisions of the GPL or the LGPL are applicable instead
  31. # of those above. If you wish to allow use of your version of this file only
  32. # under the terms of either the GPL or the LGPL, and not to allow others to
  33. # use your version of this file under the terms of the MPL, indicate your
  34. # decision by deleting the provisions above and replace them with the notice
  35. # and other provisions required by the GPL or the LGPL. If you do not delete
  36. # the provisions above, a recipient may use your version of this file under
  37. # the terms of any one of the MPL, the GPL or the LGPL.
  38. #
  39. # ***** END LICENSE BLOCK *****
  40. ########################################################################
  41. #
  42. # mozilla/security/nss/tests/ssl/ssl.sh
  43. #
  44. # Script to test NSS SSL
  45. #
  46. # needs to work on all Unix and Windows platforms
  47. #
  48. # special strings
  49. # ---------------
  50. # FIXME ... known problems, search for this string
  51. # NOTE .... unexpected behavior
  52. #
  53. ########################################################################
  54. ############################## ssl_init ################################
  55. # local shell function to initialize this script
  56. ########################################################################
  57. ssl_init()
  58. {
  59. SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh
  60. if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
  61. CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
  62. fi
  63. if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
  64. cd ../common
  65. . ./init.sh
  66. fi
  67. if [ -z "${IOPR_SSL_SOURCED}" ]; then
  68. . ../iopr/ssl_iopr.sh
  69. fi
  70. if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
  71. cd ../cert
  72. . ./cert.sh
  73. fi
  74. SCRIPTNAME=ssl.sh
  75. echo "$SCRIPTNAME: SSL tests ==============================="
  76. grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
  77. html_head "SSL Test failure"
  78. Exit 8 "Fatal - cert.sh needs to pass first"
  79. }
  80. if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
  81. grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
  82. html_head "SSL Test failure"
  83. Exit 8 "Fatal - SSL of cert.sh needs to pass first"
  84. }
  85. fi
  86. PORT=${PORT-8443}
  87. NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
  88. nss_ssl_run="cov auth stress"
  89. NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
  90. # Test case files
  91. SSLCOV=${QADIR}/ssl/sslcov.txt
  92. SSLAUTH=${QADIR}/ssl/sslauth.txt
  93. SSLSTRESS=${QADIR}/ssl/sslstress.txt
  94. REQUEST_FILE=${QADIR}/ssl/sslreq.dat
  95. #temparary files
  96. SERVEROUTFILE=${TMP}/tests_server.$$
  97. SERVERPID=${TMP}/tests_pid.$$
  98. R_SERVERPID=../tests_pid.$$
  99. TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"
  100. fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
  101. #fileout=1
  102. #verbose="-v" #FIXME - see where this is usefull
  103. USER_NICKNAME=TestUser
  104. NORM_EXT=""
  105. if [ -n "$NSS_ENABLE_ECC" ] ; then
  106. ECC_STRING=" - with ECC"
  107. else
  108. ECC_STRING=""
  109. fi
  110. CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz"
  111. CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz"
  112. if [ "${OS_ARCH}" != "WINNT" ]; then
  113. ulimit -n 1000 # make sure we have enough file descriptors
  114. fi
  115. cd ${CLIENTDIR}
  116. }
  117. ########################### is_selfserv_alive ##########################
  118. # local shell function to exit with a fatal error if selfserver is not
  119. # running
  120. ########################################################################
  121. is_selfserv_alive()
  122. {
  123. if [ ! -f "${SERVERPID}" ]; then
  124. echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
  125. sleep 5
  126. if [ ! -f "${SERVERPID}" ]; then
  127. Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
  128. fi
  129. fi
  130. if [ "${OS_ARCH}" = "WINNT" ] && \
  131. [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
  132. PID=${SHELL_SERVERPID}
  133. else
  134. PID=`cat ${SERVERPID}`
  135. fi
  136. echo "kill -0 ${PID} >/dev/null 2>/dev/null"
  137. kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
  138. echo "selfserv with PID ${PID} found at `date`"
  139. }
  140. ########################### wait_for_selfserv ##########################
  141. # local shell function to wait until selfserver is running and initialized
  142. ########################################################################
  143. wait_for_selfserv()
  144. {
  145. echo "trying to connect to selfserv at `date`"
  146. echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
  147. echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
  148. ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
  149. -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
  150. if [ $? -ne 0 ]; then
  151. sleep 5
  152. echo "retrying to connect to selfserv at `date`"
  153. echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
  154. echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
  155. ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
  156. -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
  157. if [ $? -ne 0 ]; then
  158. html_failed "Waiting for Server"
  159. fi
  160. fi
  161. is_selfserv_alive
  162. }
  163. ########################### kill_selfserv ##############################
  164. # local shell function to kill the selfserver after the tests are done
  165. ########################################################################
  166. kill_selfserv()
  167. {
  168. if [ "${OS_ARCH}" = "WINNT" ] && \
  169. [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
  170. PID=${SHELL_SERVERPID}
  171. else
  172. PID=`cat ${SERVERPID}`
  173. fi
  174. echo "trying to kill selfserv with PID ${PID} at `date`"
  175. if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
  176. echo "${KILL} ${PID}"
  177. ${KILL} ${PID}
  178. else
  179. echo "${KILL} -USR1 ${PID}"
  180. ${KILL} -USR1 ${PID}
  181. fi
  182. wait ${PID}
  183. if [ ${fileout} -eq 1 ]; then
  184. cat ${SERVEROUTFILE}
  185. fi
  186. # On Linux selfserv needs up to 30 seconds to fully die and free
  187. # the port. Wait until the port is free. (Bug 129701)
  188. if [ "${OS_ARCH}" = "Linux" ]; then
  189. echo "selfserv -b -p ${PORT} 2>/dev/null;"
  190. until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
  191. echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
  192. sleep 1
  193. done
  194. fi
  195. echo "selfserv with PID ${PID} killed at `date`"
  196. rm ${SERVERPID}
  197. html_detect_core "kill_selfserv core detection step"
  198. }
  199. ########################### start_selfserv #############################
  200. # local shell function to start the selfserver with the parameters required
  201. # for this test and log information (parameters, start time)
  202. # also: wait until the server is up and running
  203. ########################################################################
  204. start_selfserv()
  205. {
  206. if [ -n "$testname" ] ; then
  207. echo "$SCRIPTNAME: $testname ----"
  208. fi
  209. sparam=`echo $sparam | sed -e 's;_; ;g'`
  210. if [ -n "$NSS_ENABLE_ECC" ] && \
  211. [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
  212. ECC_OPTIONS="-e ${HOSTADDR}-ec"
  213. else
  214. ECC_OPTIONS=""
  215. fi
  216. if [ "$1" = "mixed" ]; then
  217. ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
  218. fi
  219. echo "selfserv starting at `date`"
  220. echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
  221. echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
  222. if [ ${fileout} -eq 1 ]; then
  223. ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
  224. ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
  225. > ${SERVEROUTFILE} 2>&1 &
  226. RET=$?
  227. else
  228. ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
  229. ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
  230. RET=$?
  231. fi
  232. # The PID $! returned by the MKS or Cygwin shell is not the PID of
  233. # the real background process, but rather the PID of a helper
  234. # process (sh.exe). MKS's kill command has a bug: invoking kill
  235. # on the helper process does not terminate the real background
  236. # process. Our workaround has been to have selfserv save its PID
  237. # in the ${SERVERPID} file and "kill" that PID instead. But this
  238. # doesn't work under Cygwin; its kill command doesn't recognize
  239. # the PID of the real background process, but it does work on the
  240. # PID of the helper process. So we save the value of $! in the
  241. # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
  242. # file under Cygwin. (In fact, this should work in any shell
  243. # other than the MKS shell.)
  244. SHELL_SERVERPID=$!
  245. wait_for_selfserv
  246. if [ "${OS_ARCH}" = "WINNT" ] && \
  247. [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
  248. PID=${SHELL_SERVERPID}
  249. else
  250. PID=`cat ${SERVERPID}`
  251. fi
  252. echo "selfserv with PID ${PID} started at `date`"
  253. }
  254. ############################## ssl_cov #################################
  255. # local shell function to perform SSL Cipher Coverage tests
  256. ########################################################################
  257. ssl_cov()
  258. {
  259. html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
  260. testname=""
  261. if [ -n "$NSS_ENABLE_ECC" ] ; then
  262. sparam="$CLONG"
  263. else
  264. sparam="$CSHORT"
  265. fi
  266. mixed=0
  267. start_selfserv # Launch the server
  268. exec < ${SSLCOV}
  269. while read ectype tls param testname
  270. do
  271. echo "${testname}" | grep "EXPORT" > /dev/null
  272. EXP=$?
  273. echo "${testname}" | grep "SSL2" > /dev/null
  274. SSL2=$?
  275. if [ "${SSL2}" -eq 0 ] ; then
  276. # We cannot use asynchronous cert verification with SSL2
  277. SSL2_FLAGS=-O
  278. else
  279. # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
  280. # default in libssl but it is enabled by default in tstclnt; we want
  281. # to test the libssl default whenever possible.
  282. SSL2_FLAGS=-2
  283. fi
  284. if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
  285. echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
  286. elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
  287. echo "$SCRIPTNAME: skipping $testname (ECC only)"
  288. elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
  289. echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
  290. elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
  291. echo "$SCRIPTNAME: running $testname ----------------------------"
  292. TLS_FLAG=-T
  293. if [ "$tls" = "TLS" ]; then
  294. TLS_FLAG=""
  295. fi
  296. # These five tests need an EC cert signed with RSA
  297. # This requires a different certificate loaded in selfserv
  298. # due to a (current) NSS limitation of only loaded one cert
  299. # per type so the default selfserv setup will not work.
  300. #:C00B TLS ECDH RSA WITH NULL SHA
  301. #:C00C TLS ECDH RSA WITH RC4 128 SHA
  302. #:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
  303. #:C00E TLS ECDH RSA WITH AES 128 CBC SHA
  304. #:C00F TLS ECDH RSA WITH AES 256 CBC SHA
  305. if [ $mixed -eq 0 ]; then
  306. if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
  307. kill_selfserv
  308. start_selfserv mixed
  309. mixed=1
  310. else
  311. is_selfserv_alive
  312. fi
  313. else
  314. if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
  315. is_selfserv_alive
  316. else
  317. kill_selfserv
  318. start_selfserv
  319. mixed=0
  320. fi
  321. fi
  322. echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\"
  323. echo " -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}"
  324. rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
  325. ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \
  326. -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \
  327. >${TMP}/$HOST.tmp.$$ 2>&1
  328. ret=$?
  329. cat ${TMP}/$HOST.tmp.$$
  330. rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
  331. html_msg $ret 0 "${testname}" \
  332. "produced a returncode of $ret, expected is 0"
  333. fi
  334. done
  335. kill_selfserv
  336. html "</TABLE><BR>"
  337. }
  338. ############################## ssl_auth ################################
  339. # local shell function to perform SSL Client Authentication tests
  340. ########################################################################
  341. ssl_auth()
  342. {
  343. html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
  344. exec < ${SSLAUTH}
  345. while read ectype value sparam cparam testname
  346. do
  347. [ -z "$ectype" ] && continue
  348. echo "${testname}" | grep "don't require client auth" > /dev/null
  349. CAUTH=$?
  350. if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
  351. echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
  352. elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
  353. echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
  354. elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
  355. echo "$SCRIPTNAME: skipping $testname (ECC only)"
  356. elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
  357. cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
  358. if [ "$ectype" = "SNI" ]; then
  359. cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
  360. sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
  361. fi
  362. start_selfserv
  363. echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
  364. echo " ${cparam} < ${REQUEST_FILE}"
  365. rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
  366. ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
  367. -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \
  368. >${TMP}/$HOST.tmp.$$ 2>&1
  369. ret=$?
  370. cat ${TMP}/$HOST.tmp.$$
  371. rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
  372. #workaround for bug #402058
  373. [ $ret -ne 0 ] && ret=1
  374. [ $value -ne 0 ] && value=1
  375. html_msg $ret $value "${testname}" \
  376. "produced a returncode of $ret, expected is $value"
  377. kill_selfserv
  378. fi
  379. done
  380. html "</TABLE><BR>"
  381. }
  382. ############################## ssl_stress ##############################
  383. # local shell function to perform SSL stress test
  384. ########################################################################
  385. ssl_stress()
  386. {
  387. html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
  388. exec < ${SSLSTRESS}
  389. while read ectype value sparam cparam testname
  390. do
  391. if [ -z "$ectype" ]; then
  392. # silently ignore blank lines
  393. continue
  394. fi
  395. echo "${testname}" | grep "SSL2" > /dev/null
  396. SSL2=$?
  397. echo "${testname}" | grep "client auth" > /dev/null
  398. CAUTH=$?
  399. if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
  400. echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
  401. elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
  402. echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
  403. elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
  404. echo "$SCRIPTNAME: skipping $testname (ECC only)"
  405. elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
  406. echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
  407. elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
  408. echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
  409. elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
  410. cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
  411. if [ "$ectype" = "SNI" ]; then
  412. cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
  413. sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
  414. fi
  415. # These tests need the mixed cert
  416. # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
  417. # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
  418. p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;
  419. if [ "$p" = "-c_:C00E" ]; then
  420. start_selfserv mixed
  421. else
  422. start_selfserv
  423. fi
  424. if [ "`uname -n`" = "sjsu" ] ; then
  425. echo "debugging disapering selfserv... ps -ef | grep selfserv"
  426. ps -ef | grep selfserv
  427. fi
  428. echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
  429. echo " $verbose ${HOSTADDR}"
  430. echo "strsclnt started at `date`"
  431. ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
  432. $verbose ${HOSTADDR}
  433. ret=$?
  434. echo "strsclnt completed at `date`"
  435. html_msg $ret $value \
  436. "${testname}" \
  437. "produced a returncode of $ret, expected is $value. "
  438. if [ "`uname -n`" = "sjsu" ] ; then
  439. echo "debugging disapering selfserv... ps -ef | grep selfserv"
  440. ps -ef | grep selfserv
  441. fi
  442. kill_selfserv
  443. fi
  444. done
  445. html "</TABLE><BR>"
  446. }
  447. ############################ ssl_crl_ssl ###############################
  448. # local shell function to perform SSL test with/out revoked certs tests
  449. ########################################################################
  450. ssl_crl_ssl()
  451. {
  452. html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
  453. # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
  454. # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
  455. CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
  456. CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
  457. UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
  458. exec < ${SSLAUTH}
  459. while read ectype value sparam cparam testname
  460. do
  461. [ "$ectype" = "" ] && continue
  462. if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
  463. echo "$SCRIPTNAME: skipping $testname (ECC only)"
  464. elif [ "$ectype" = "SNI" ]; then
  465. continue
  466. elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
  467. servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
  468. pwd=`echo $cparam | grep nss`
  469. user=`echo $cparam | grep TestUser`
  470. _cparam=$cparam
  471. case $servarg in
  472. 1) if [ -z "$pwd" -o -z "$user" ]; then
  473. rev_modvalue=0
  474. else
  475. rev_modvalue=254
  476. fi
  477. ;;
  478. 2) rev_modvalue=254 ;;
  479. 3) if [ -z "$pwd" -o -z "$user" ]; then
  480. rev_modvalue=0
  481. else
  482. rev_modvalue=1
  483. fi
  484. ;;
  485. 4) rev_modvalue=1 ;;
  486. esac
  487. TEMP_NUM=0
  488. while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
  489. do
  490. CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
  491. TEMP_NUM=`expr $TEMP_NUM + 1`
  492. USER_NICKNAME="TestUser${CURR_SER_NUM}"
  493. cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
  494. start_selfserv
  495. echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
  496. echo " ${cparam} < ${REQUEST_FILE}"
  497. rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
  498. ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
  499. -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
  500. >${TMP}/$HOST.tmp.$$ 2>&1
  501. ret=$?
  502. cat ${TMP}/$HOST.tmp.$$
  503. rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
  504. if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
  505. modvalue=$rev_modvalue
  506. testAddMsg="revoked"
  507. else
  508. testAddMsg="not revoked"
  509. modvalue=$value
  510. fi
  511. html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
  512. "produced a returncode of $ret, expected is $modvalue"
  513. kill_selfserv
  514. done
  515. fi
  516. done
  517. html "</TABLE><BR>"
  518. }
  519. ############################# is_revoked ###############################
  520. # local shell function to check if certificate is revoked
  521. ########################################################################
  522. is_revoked() {
  523. certNum=$1
  524. currLoadedGrp=$2
  525. found=0
  526. ownerGrp=1
  527. while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
  528. do
  529. currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
  530. currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
  531. currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
  532. if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
  533. found=1
  534. else
  535. ownerGrp=`expr $ownerGrp + 1`
  536. fi
  537. done
  538. if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
  539. return 1
  540. fi
  541. if [ $found -eq 0 ]; then
  542. return 1
  543. fi
  544. unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
  545. if [ $certNum -eq $unrevokedGrpCert ]; then
  546. return 1
  547. fi
  548. return 0
  549. }
  550. ########################### load_group_crl #############################
  551. # local shell function to load CRL
  552. ########################################################################
  553. load_group_crl() {
  554. group=$1
  555. ectype=$2
  556. OUTFILE_TMP=${TMP}/$HOST.tmp.$$
  557. grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
  558. grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
  559. grpEnd=`expr $grpBegin + $grpRange - 1`
  560. if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
  561. ret=1
  562. return 1;
  563. fi
  564. # Add -ec suffix for ECC
  565. if [ "$ectype" = "ECC" ] ; then
  566. ecsuffix="-ec"
  567. eccomment="ECC "
  568. else
  569. ecsuffix=""
  570. eccomment=""
  571. fi
  572. if [ "$RELOAD_CRL" != "" ]; then
  573. if [ $group -eq 1 ]; then
  574. echo "==================== Resetting to group 1 crl ==================="
  575. kill_selfserv
  576. start_selfserv
  577. is_selfserv_alive
  578. fi
  579. echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
  580. echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
  581. echo " -2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
  582. echo "Request:"
  583. echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
  584. echo ""
  585. echo "RELOAD time $i"
  586. ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \
  587. -d ${R_CLIENTDIR} -v -2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
  588. >${OUTFILE_TMP} 2>&1 <<_EOF_REQUEST_
  589. GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
  590. _EOF_REQUEST_
  591. cat ${OUTFILE_TMP}
  592. grep "CRL ReCache Error" ${OUTFILE_TMP}
  593. if [ $? -eq 0 ]; then
  594. ret=1
  595. return 1
  596. fi
  597. else
  598. echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
  599. kill_selfserv
  600. CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
  601. crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
  602. -p ../tests.pw.928
  603. ret=$?
  604. if [ "$ret" -eq 0 ]; then
  605. html_passed "${CU_ACTION}"
  606. return 1
  607. fi
  608. start_selfserv
  609. fi
  610. is_selfserv_alive
  611. ret=$?
  612. echo "================= CRL Reloaded ============="
  613. }
  614. ########################### ssl_crl_cache ##############################
  615. # local shell function to perform SSL test for crl cache functionality
  616. # with/out revoked certs
  617. ########################################################################
  618. ssl_crl_cache()
  619. {
  620. html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
  621. SSLAUTH_TMP=${TMP}/authin.tl.tmp
  622. SERV_ARG=-r_-r
  623. rm -f ${SSLAUTH_TMP}
  624. echo ${SSLAUTH_TMP}
  625. grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
  626. echo $?
  627. while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
  628. do
  629. sparam=$SERV_ARG
  630. start_selfserv
  631. exec < ${SSLAUTH_TMP}
  632. while read ectype value sparam cparam testname
  633. do
  634. [ "$ectype" = "" ] && continue
  635. if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
  636. echo "$SCRIPTNAME: skipping $testname (ECC only)"
  637. elif [ "$ectype" = "SNI" ]; then
  638. continue
  639. else
  640. servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
  641. pwd=`echo $cparam | grep nss`
  642. user=`echo $cparam | grep TestUser`
  643. _cparam=$cparam
  644. case $servarg in
  645. 1) if [ -z "$pwd" -o -z "$user" ]; then
  646. rev_modvalue=0
  647. else
  648. rev_modvalue=254
  649. fi
  650. ;;
  651. 2) rev_modvalue=254 ;;
  652. 3) if [ -z "$pwd" -o -z "$user" ]; then
  653. rev_modvalue=0
  654. else
  655. rev_modvalue=1
  656. fi
  657. ;;
  658. 4) rev_modvalue=1 ;;
  659. esac
  660. TEMP_NUM=0
  661. LOADED_GRP=1
  662. while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
  663. do
  664. while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
  665. do
  666. CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
  667. TEMP_NUM=`expr $TEMP_NUM + 1`
  668. USER_NICKNAME="TestUser${CURR_SER_NUM}"
  669. cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
  670. echo "Server Args: $SERV_ARG"
  671. echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
  672. echo " ${cparam} < ${REQUEST_FILE}"
  673. rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
  674. ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
  675. -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
  676. >${TMP}/$HOST.tmp.$$ 2>&1
  677. ret=$?
  678. cat ${TMP}/$HOST.tmp.$$
  679. rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
  680. is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
  681. isRevoked=$?
  682. if [ $isRevoked -eq 0 ]; then
  683. modvalue=$rev_modvalue
  684. testAddMsg="revoked"
  685. else
  686. modvalue=$value
  687. testAddMsg="not revoked"
  688. fi
  689. is_selfserv_alive
  690. ss_status=$?
  691. if [ "$ss_status" -ne 0 ]; then
  692. html_msg $ret $modvalue \
  693. "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
  694. "produced a returncode of $ret, expected is $modvalue. " \
  695. "selfserv is not alive!"
  696. else
  697. html_msg $ret $modvalue \
  698. "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
  699. "produced a returncode of $ret, expected is $modvalue"
  700. fi
  701. done
  702. LOADED_GRP=`expr $LOADED_GRP + 1`
  703. TEMP_NUM=0
  704. if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
  705. load_group_crl $LOADED_GRP $ectype
  706. html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
  707. "produced a returncode of $ret, expected is 0"
  708. fi
  709. done
  710. # Restart selfserv to roll back to two initial group 1 crls
  711. # TestCA CRL and TestCA-ec CRL
  712. kill_selfserv
  713. start_selfserv
  714. fi
  715. done
  716. kill_selfserv
  717. SERV_ARG="${SERV_ARG}_-r"
  718. rm -f ${SSLAUTH_TMP}
  719. grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
  720. done
  721. TEMPFILES=${SSLAUTH_TMP}
  722. html "</TABLE><BR>"
  723. }
  724. ############################## ssl_cleanup #############################
  725. # local shell function to finish this script (no exit since it might be
  726. # sourced)
  727. ########################################################################
  728. ssl_cleanup()
  729. {
  730. rm $SERVERPID 2>/dev/null
  731. cd ${QADIR}
  732. . common/cleanup.sh
  733. }
  734. ############################## ssl_run #################################
  735. # local shell function to run coverage, authentication and stress tests
  736. ########################################################################
  737. ssl_run()
  738. {
  739. for SSL_RUN in ${NSS_SSL_RUN}
  740. do
  741. case "${SSL_RUN}" in
  742. "cov")
  743. ssl_cov
  744. ;;
  745. "auth")
  746. ssl_auth
  747. ;;
  748. "stress")
  749. ssl_stress
  750. ;;
  751. esac
  752. done
  753. }
  754. ############################ ssl_run_all ###############################
  755. # local shell function to run both standard and extended ssl tests
  756. ########################################################################
  757. ssl_run_all()
  758. {
  759. ORIG_SERVERDIR=$SERVERDIR
  760. ORIG_CLIENTDIR=$CLIENTDIR
  761. ORIG_R_SERVERDIR=$R_SERVERDIR
  762. ORIG_R_CLIENTDIR=$R_CLIENTDIR
  763. ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
  764. ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
  765. USER_NICKNAME=TestUser
  766. NORM_EXT=""
  767. cd ${CLIENTDIR}
  768. ssl_run
  769. SERVERDIR=$EXT_SERVERDIR
  770. CLIENTDIR=$EXT_CLIENTDIR
  771. R_SERVERDIR=$R_EXT_SERVERDIR
  772. R_CLIENTDIR=$R_EXT_CLIENTDIR
  773. P_R_SERVERDIR=$P_R_EXT_SERVERDIR
  774. P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
  775. USER_NICKNAME=ExtendedSSLUser
  776. NORM_EXT="Extended Test"
  777. cd ${CLIENTDIR}
  778. ssl_run
  779. # the next round of ssl tests will only run if these vars are reset
  780. SERVERDIR=$ORIG_SERVERDIR
  781. CLIENTDIR=$ORIG_CLIENTDIR
  782. R_SERVERDIR=$ORIG_R_SERVERDIR
  783. R_CLIENTDIR=$ORIG_R_CLIENTDIR
  784. P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
  785. P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
  786. USER_NICKNAME=TestUser
  787. NORM_EXT=
  788. cd ${QADIR}/ssl
  789. }
  790. ############################ ssl_set_fips ##############################
  791. # local shell function to set FIPS mode on/off
  792. ########################################################################
  793. ssl_set_fips()
  794. {
  795. CLTSRV=$1
  796. ONOFF=$2
  797. if [ ${CLTSRV} = "server" ]; then
  798. DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
  799. else
  800. DBDIRS="${CLIETNDIR} ${EXT_CLIENTDIR}"
  801. fi
  802. if [ "${ONOFF}" = "on" ]; then
  803. FIPSMODE=true
  804. RET_EXP=0
  805. else
  806. FIPSMODE=false
  807. RET_EXP=1
  808. fi
  809. html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
  810. for DBDIR in ${DBDIRS}
  811. do
  812. EXT_OPT=
  813. echo ${DBDIR} | grep ext > /dev/null
  814. if [ $? -eq 0 ]; then
  815. EXT_OPT="extended "
  816. fi
  817. echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
  818. echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
  819. ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
  820. RET=$?
  821. html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
  822. "produced a returncode of ${RET}, expected is 0"
  823. echo "modutil -dbdir ${DBDIR} -list"
  824. DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
  825. RET=$?
  826. html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
  827. "produced a returncode of ${RET}, expected is 0"
  828. echo "${DBLIST}" | grep "FIPS PKCS #11"
  829. RET=$?
  830. html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
  831. "produced a returncode of ${RET}, expected is ${RET_EXP}"
  832. done
  833. html "</TABLE><BR>"
  834. }
  835. ############################ ssl_set_fips ##############################
  836. # local shell function to run all tests set in NSS_SSL_TESTS variable
  837. ########################################################################
  838. ssl_run_tests()
  839. {
  840. for SSL_TEST in ${NSS_SSL_TESTS}
  841. do
  842. case "${SSL_TEST}" in
  843. "crl")
  844. ssl_crl_ssl
  845. ssl_crl_cache
  846. ;;
  847. "iopr")
  848. ssl_iopr_run
  849. ;;
  850. *)
  851. SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
  852. CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
  853. case "${SERVER_MODE}" in
  854. "normal")
  855. SERVER_OPTIONS=
  856. ;;
  857. "bypass")
  858. SERVER_OPTIONS="-B -s"
  859. ;;
  860. "fips")
  861. SERVER_OPTIONS=
  862. ssl_set_fips server on
  863. ;;
  864. *)
  865. echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
  866. continue
  867. ;;
  868. esac
  869. case "${CLIENT_MODE}" in
  870. "normal")
  871. CLIENT_OPTIONS=
  872. ;;
  873. "bypass")
  874. CLIENT_OPTIONS="-B -s"
  875. ;;
  876. "fips")
  877. SERVER_OPTIONS=
  878. ssl_set_fips client on
  879. ;;
  880. *)
  881. echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
  882. continue
  883. ;;
  884. esac
  885. ssl_run_all
  886. if [ "${SERVER_MODE}" = "fips" ]; then
  887. ssl_set_fips server off
  888. fi
  889. if [ "${CLIENT_MODE}" = "fips" ]; then
  890. ssl_set_fips client off
  891. fi
  892. ;;
  893. esac
  894. done
  895. }
  896. ################################# main #################################
  897. ssl_init
  898. ssl_run_tests
  899. ssl_cleanup