/security/nss/tests/ssl/ssl.sh
http://github.com/zpao/v8monkey · Shell · 1009 lines · 884 code · 33 blank · 92 comment · 28 complexity · c0ffee1163f07554395ae739887a6712 MD5 · raw file
- #! /bin/bash
- #
- # ***** BEGIN LICENSE BLOCK *****
- # Version: MPL 1.1/GPL 2.0/LGPL 2.1
- #
- # The contents of this file are subject to the Mozilla Public License Version
- # 1.1 (the "License"); you may not use this file except in compliance with
- # the License. You may obtain a copy of the License at
- # http://www.mozilla.org/MPL/
- #
- # Software distributed under the License is distributed on an "AS IS" basis,
- # WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- # for the specific language governing rights and limitations under the
- # License.
- #
- # The Original Code is the Netscape security libraries.
- #
- # The Initial Developer of the Original Code is
- # Netscape Communications Corporation.
- # Portions created by the Initial Developer are Copyright (C) 1994-2009
- # the Initial Developer. All Rights Reserved.
- #
- # Contributor(s):
- # Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- # Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
- #
- # Alternatively, the contents of this file may be used under the terms of
- # either the GNU General Public License Version 2 or later (the "GPL"), or
- # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- # in which case the provisions of the GPL or the LGPL are applicable instead
- # of those above. If you wish to allow use of your version of this file only
- # under the terms of either the GPL or the LGPL, and not to allow others to
- # use your version of this file under the terms of the MPL, indicate your
- # decision by deleting the provisions above and replace them with the notice
- # and other provisions required by the GPL or the LGPL. If you do not delete
- # the provisions above, a recipient may use your version of this file under
- # the terms of any one of the MPL, the GPL or the LGPL.
- #
- # ***** END LICENSE BLOCK *****
- ########################################################################
- #
- # mozilla/security/nss/tests/ssl/ssl.sh
- #
- # Script to test NSS SSL
- #
- # needs to work on all Unix and Windows platforms
- #
- # special strings
- # ---------------
- # FIXME ... known problems, search for this string
- # NOTE .... unexpected behavior
- #
- ########################################################################
- ############################## ssl_init ################################
- # local shell function to initialize this script
- ########################################################################
- ssl_init()
- {
- SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh
- if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
- CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
- fi
-
- if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
- cd ../common
- . ./init.sh
- fi
- if [ -z "${IOPR_SSL_SOURCED}" ]; then
- . ../iopr/ssl_iopr.sh
- fi
- if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
- cd ../cert
- . ./cert.sh
- fi
- SCRIPTNAME=ssl.sh
- echo "$SCRIPTNAME: SSL tests ==============================="
- grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
- html_head "SSL Test failure"
- Exit 8 "Fatal - cert.sh needs to pass first"
- }
- if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
- grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
- html_head "SSL Test failure"
- Exit 8 "Fatal - SSL of cert.sh needs to pass first"
- }
- fi
- PORT=${PORT-8443}
- NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
- nss_ssl_run="cov auth stress"
- NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
- # Test case files
- SSLCOV=${QADIR}/ssl/sslcov.txt
- SSLAUTH=${QADIR}/ssl/sslauth.txt
- SSLSTRESS=${QADIR}/ssl/sslstress.txt
- REQUEST_FILE=${QADIR}/ssl/sslreq.dat
- #temparary files
- SERVEROUTFILE=${TMP}/tests_server.$$
- SERVERPID=${TMP}/tests_pid.$$
- R_SERVERPID=../tests_pid.$$
- TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"
- fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
- #fileout=1
- #verbose="-v" #FIXME - see where this is usefull
- USER_NICKNAME=TestUser
- NORM_EXT=""
- if [ -n "$NSS_ENABLE_ECC" ] ; then
- ECC_STRING=" - with ECC"
- else
- ECC_STRING=""
- fi
- CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz"
- CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz"
- if [ "${OS_ARCH}" != "WINNT" ]; then
- ulimit -n 1000 # make sure we have enough file descriptors
- fi
- cd ${CLIENTDIR}
- }
- ########################### is_selfserv_alive ##########################
- # local shell function to exit with a fatal error if selfserver is not
- # running
- ########################################################################
- is_selfserv_alive()
- {
- if [ ! -f "${SERVERPID}" ]; then
- echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
- sleep 5
- if [ ! -f "${SERVERPID}" ]; then
- Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
- fi
- fi
-
- if [ "${OS_ARCH}" = "WINNT" ] && \
- [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
- PID=${SHELL_SERVERPID}
- else
- PID=`cat ${SERVERPID}`
- fi
- echo "kill -0 ${PID} >/dev/null 2>/dev/null"
- kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
- echo "selfserv with PID ${PID} found at `date`"
- }
- ########################### wait_for_selfserv ##########################
- # local shell function to wait until selfserver is running and initialized
- ########################################################################
- wait_for_selfserv()
- {
- echo "trying to connect to selfserv at `date`"
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
- echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
- ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
- -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
- if [ $? -ne 0 ]; then
- sleep 5
- echo "retrying to connect to selfserv at `date`"
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
- echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
- ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
- -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
- if [ $? -ne 0 ]; then
- html_failed "Waiting for Server"
- fi
- fi
- is_selfserv_alive
- }
- ########################### kill_selfserv ##############################
- # local shell function to kill the selfserver after the tests are done
- ########################################################################
- kill_selfserv()
- {
- if [ "${OS_ARCH}" = "WINNT" ] && \
- [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
- PID=${SHELL_SERVERPID}
- else
- PID=`cat ${SERVERPID}`
- fi
- echo "trying to kill selfserv with PID ${PID} at `date`"
- if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
- echo "${KILL} ${PID}"
- ${KILL} ${PID}
- else
- echo "${KILL} -USR1 ${PID}"
- ${KILL} -USR1 ${PID}
- fi
- wait ${PID}
- if [ ${fileout} -eq 1 ]; then
- cat ${SERVEROUTFILE}
- fi
- # On Linux selfserv needs up to 30 seconds to fully die and free
- # the port. Wait until the port is free. (Bug 129701)
- if [ "${OS_ARCH}" = "Linux" ]; then
- echo "selfserv -b -p ${PORT} 2>/dev/null;"
- until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
- echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
- sleep 1
- done
- fi
- echo "selfserv with PID ${PID} killed at `date`"
- rm ${SERVERPID}
- html_detect_core "kill_selfserv core detection step"
- }
- ########################### start_selfserv #############################
- # local shell function to start the selfserver with the parameters required
- # for this test and log information (parameters, start time)
- # also: wait until the server is up and running
- ########################################################################
- start_selfserv()
- {
- if [ -n "$testname" ] ; then
- echo "$SCRIPTNAME: $testname ----"
- fi
- sparam=`echo $sparam | sed -e 's;_; ;g'`
- if [ -n "$NSS_ENABLE_ECC" ] && \
- [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
- ECC_OPTIONS="-e ${HOSTADDR}-ec"
- else
- ECC_OPTIONS=""
- fi
- if [ "$1" = "mixed" ]; then
- ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
- fi
- echo "selfserv starting at `date`"
- echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
- echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
- if [ ${fileout} -eq 1 ]; then
- ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
- ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
- > ${SERVEROUTFILE} 2>&1 &
- RET=$?
- else
- ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
- ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
- RET=$?
- fi
- # The PID $! returned by the MKS or Cygwin shell is not the PID of
- # the real background process, but rather the PID of a helper
- # process (sh.exe). MKS's kill command has a bug: invoking kill
- # on the helper process does not terminate the real background
- # process. Our workaround has been to have selfserv save its PID
- # in the ${SERVERPID} file and "kill" that PID instead. But this
- # doesn't work under Cygwin; its kill command doesn't recognize
- # the PID of the real background process, but it does work on the
- # PID of the helper process. So we save the value of $! in the
- # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
- # file under Cygwin. (In fact, this should work in any shell
- # other than the MKS shell.)
- SHELL_SERVERPID=$!
- wait_for_selfserv
- if [ "${OS_ARCH}" = "WINNT" ] && \
- [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
- PID=${SHELL_SERVERPID}
- else
- PID=`cat ${SERVERPID}`
- fi
- echo "selfserv with PID ${PID} started at `date`"
- }
- ############################## ssl_cov #################################
- # local shell function to perform SSL Cipher Coverage tests
- ########################################################################
- ssl_cov()
- {
- html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
- testname=""
- if [ -n "$NSS_ENABLE_ECC" ] ; then
- sparam="$CLONG"
- else
- sparam="$CSHORT"
- fi
- mixed=0
- start_selfserv # Launch the server
-
- exec < ${SSLCOV}
- while read ectype tls param testname
- do
- echo "${testname}" | grep "EXPORT" > /dev/null
- EXP=$?
- echo "${testname}" | grep "SSL2" > /dev/null
- SSL2=$?
- if [ "${SSL2}" -eq 0 ] ; then
- # We cannot use asynchronous cert verification with SSL2
- SSL2_FLAGS=-O
- else
- # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
- # default in libssl but it is enabled by default in tstclnt; we want
- # to test the libssl default whenever possible.
- SSL2_FLAGS=-2
- fi
-
- if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
- echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
- echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
- elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
- echo "$SCRIPTNAME: running $testname ----------------------------"
- TLS_FLAG=-T
- if [ "$tls" = "TLS" ]; then
- TLS_FLAG=""
- fi
- # These five tests need an EC cert signed with RSA
- # This requires a different certificate loaded in selfserv
- # due to a (current) NSS limitation of only loaded one cert
- # per type so the default selfserv setup will not work.
- #:C00B TLS ECDH RSA WITH NULL SHA
- #:C00C TLS ECDH RSA WITH RC4 128 SHA
- #:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
- #:C00E TLS ECDH RSA WITH AES 128 CBC SHA
- #:C00F TLS ECDH RSA WITH AES 256 CBC SHA
- if [ $mixed -eq 0 ]; then
- if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
- kill_selfserv
- start_selfserv mixed
- mixed=1
- else
- is_selfserv_alive
- fi
- else
- if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
- is_selfserv_alive
- else
- kill_selfserv
- start_selfserv
- mixed=0
- fi
- fi
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\"
- echo " -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}"
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \
- -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \
- >${TMP}/$HOST.tmp.$$ 2>&1
- ret=$?
- cat ${TMP}/$HOST.tmp.$$
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- html_msg $ret 0 "${testname}" \
- "produced a returncode of $ret, expected is 0"
- fi
- done
- kill_selfserv
- html "</TABLE><BR>"
- }
- ############################## ssl_auth ################################
- # local shell function to perform SSL Client Authentication tests
- ########################################################################
- ssl_auth()
- {
- html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
- exec < ${SSLAUTH}
- while read ectype value sparam cparam testname
- do
- [ -z "$ectype" ] && continue
- echo "${testname}" | grep "don't require client auth" > /dev/null
- CAUTH=$?
- if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
- echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
- elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
- echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
- cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
- if [ "$ectype" = "SNI" ]; then
- cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
- sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
- fi
- start_selfserv
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
- echo " ${cparam} < ${REQUEST_FILE}"
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
- -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \
- >${TMP}/$HOST.tmp.$$ 2>&1
- ret=$?
- cat ${TMP}/$HOST.tmp.$$
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- #workaround for bug #402058
- [ $ret -ne 0 ] && ret=1
- [ $value -ne 0 ] && value=1
- html_msg $ret $value "${testname}" \
- "produced a returncode of $ret, expected is $value"
- kill_selfserv
- fi
- done
- html "</TABLE><BR>"
- }
- ############################## ssl_stress ##############################
- # local shell function to perform SSL stress test
- ########################################################################
- ssl_stress()
- {
- html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
- exec < ${SSLSTRESS}
- while read ectype value sparam cparam testname
- do
- if [ -z "$ectype" ]; then
- # silently ignore blank lines
- continue
- fi
- echo "${testname}" | grep "SSL2" > /dev/null
- SSL2=$?
- echo "${testname}" | grep "client auth" > /dev/null
- CAUTH=$?
- if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
- echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
- echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
- echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
- elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
- echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
- elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
- cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
- if [ "$ectype" = "SNI" ]; then
- cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
- sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
- fi
- # These tests need the mixed cert
- # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
- # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
- p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;
- if [ "$p" = "-c_:C00E" ]; then
- start_selfserv mixed
- else
- start_selfserv
- fi
- if [ "`uname -n`" = "sjsu" ] ; then
- echo "debugging disapering selfserv... ps -ef | grep selfserv"
- ps -ef | grep selfserv
- fi
- echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
- echo " $verbose ${HOSTADDR}"
- echo "strsclnt started at `date`"
- ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
- $verbose ${HOSTADDR}
- ret=$?
- echo "strsclnt completed at `date`"
- html_msg $ret $value \
- "${testname}" \
- "produced a returncode of $ret, expected is $value. "
- if [ "`uname -n`" = "sjsu" ] ; then
- echo "debugging disapering selfserv... ps -ef | grep selfserv"
- ps -ef | grep selfserv
- fi
- kill_selfserv
- fi
- done
- html "</TABLE><BR>"
- }
- ############################ ssl_crl_ssl ###############################
- # local shell function to perform SSL test with/out revoked certs tests
- ########################################################################
- ssl_crl_ssl()
- {
- html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
-
- # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
- # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
- CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
- CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
- UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
- exec < ${SSLAUTH}
- while read ectype value sparam cparam testname
- do
- [ "$ectype" = "" ] && continue
- if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "$ectype" = "SNI" ]; then
- continue
- elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
- servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
- pwd=`echo $cparam | grep nss`
- user=`echo $cparam | grep TestUser`
- _cparam=$cparam
- case $servarg in
- 1) if [ -z "$pwd" -o -z "$user" ]; then
- rev_modvalue=0
- else
- rev_modvalue=254
- fi
- ;;
- 2) rev_modvalue=254 ;;
- 3) if [ -z "$pwd" -o -z "$user" ]; then
- rev_modvalue=0
- else
- rev_modvalue=1
- fi
- ;;
- 4) rev_modvalue=1 ;;
- esac
- TEMP_NUM=0
- while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
- do
- CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
- TEMP_NUM=`expr $TEMP_NUM + 1`
- USER_NICKNAME="TestUser${CURR_SER_NUM}"
- cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
- start_selfserv
-
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
- echo " ${cparam} < ${REQUEST_FILE}"
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
- -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
- >${TMP}/$HOST.tmp.$$ 2>&1
- ret=$?
- cat ${TMP}/$HOST.tmp.$$
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
- modvalue=$rev_modvalue
- testAddMsg="revoked"
- else
- testAddMsg="not revoked"
- modvalue=$value
- fi
-
- html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
- "produced a returncode of $ret, expected is $modvalue"
- kill_selfserv
- done
- fi
- done
- html "</TABLE><BR>"
- }
- ############################# is_revoked ###############################
- # local shell function to check if certificate is revoked
- ########################################################################
- is_revoked() {
- certNum=$1
- currLoadedGrp=$2
-
- found=0
- ownerGrp=1
- while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
- do
- currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
- currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
- currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
- if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
- found=1
- else
- ownerGrp=`expr $ownerGrp + 1`
- fi
- done
- if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
- return 1
- fi
- if [ $found -eq 0 ]; then
- return 1
- fi
- unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
- if [ $certNum -eq $unrevokedGrpCert ]; then
- return 1
- fi
- return 0
- }
- ########################### load_group_crl #############################
- # local shell function to load CRL
- ########################################################################
- load_group_crl() {
- group=$1
- ectype=$2
- OUTFILE_TMP=${TMP}/$HOST.tmp.$$
- grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
- grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
- grpEnd=`expr $grpBegin + $grpRange - 1`
-
- if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
- ret=1
- return 1;
- fi
-
- # Add -ec suffix for ECC
- if [ "$ectype" = "ECC" ] ; then
- ecsuffix="-ec"
- eccomment="ECC "
- else
- ecsuffix=""
- eccomment=""
- fi
-
- if [ "$RELOAD_CRL" != "" ]; then
- if [ $group -eq 1 ]; then
- echo "==================== Resetting to group 1 crl ==================="
- kill_selfserv
- start_selfserv
- is_selfserv_alive
- fi
- echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
- echo " -2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
- echo "Request:"
- echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
- echo ""
- echo "RELOAD time $i"
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \
- -d ${R_CLIENTDIR} -v -2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
- >${OUTFILE_TMP} 2>&1 <<_EOF_REQUEST_
- GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
- _EOF_REQUEST_
- cat ${OUTFILE_TMP}
- grep "CRL ReCache Error" ${OUTFILE_TMP}
- if [ $? -eq 0 ]; then
- ret=1
- return 1
- fi
- else
- echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
- kill_selfserv
- CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
- crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
- -p ../tests.pw.928
- ret=$?
- if [ "$ret" -eq 0 ]; then
- html_passed "${CU_ACTION}"
- return 1
- fi
- start_selfserv
- fi
- is_selfserv_alive
- ret=$?
- echo "================= CRL Reloaded ============="
- }
- ########################### ssl_crl_cache ##############################
- # local shell function to perform SSL test for crl cache functionality
- # with/out revoked certs
- ########################################################################
- ssl_crl_cache()
- {
- html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
- SSLAUTH_TMP=${TMP}/authin.tl.tmp
- SERV_ARG=-r_-r
- rm -f ${SSLAUTH_TMP}
- echo ${SSLAUTH_TMP}
- grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
- echo $?
- while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
- do
- sparam=$SERV_ARG
- start_selfserv
- exec < ${SSLAUTH_TMP}
- while read ectype value sparam cparam testname
- do
- [ "$ectype" = "" ] && continue
- if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "$ectype" = "SNI" ]; then
- continue
- else
- servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
- pwd=`echo $cparam | grep nss`
- user=`echo $cparam | grep TestUser`
- _cparam=$cparam
- case $servarg in
- 1) if [ -z "$pwd" -o -z "$user" ]; then
- rev_modvalue=0
- else
- rev_modvalue=254
- fi
- ;;
- 2) rev_modvalue=254 ;;
- 3) if [ -z "$pwd" -o -z "$user" ]; then
- rev_modvalue=0
- else
- rev_modvalue=1
- fi
- ;;
- 4) rev_modvalue=1 ;;
- esac
- TEMP_NUM=0
- LOADED_GRP=1
- while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
- do
- while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
- do
- CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
- TEMP_NUM=`expr $TEMP_NUM + 1`
- USER_NICKNAME="TestUser${CURR_SER_NUM}"
- cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
- echo "Server Args: $SERV_ARG"
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
- echo " ${cparam} < ${REQUEST_FILE}"
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
- -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
- >${TMP}/$HOST.tmp.$$ 2>&1
- ret=$?
- cat ${TMP}/$HOST.tmp.$$
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
- isRevoked=$?
- if [ $isRevoked -eq 0 ]; then
- modvalue=$rev_modvalue
- testAddMsg="revoked"
- else
- modvalue=$value
- testAddMsg="not revoked"
- fi
- is_selfserv_alive
- ss_status=$?
- if [ "$ss_status" -ne 0 ]; then
- html_msg $ret $modvalue \
- "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
- "produced a returncode of $ret, expected is $modvalue. " \
- "selfserv is not alive!"
- else
- html_msg $ret $modvalue \
- "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
- "produced a returncode of $ret, expected is $modvalue"
- fi
- done
- LOADED_GRP=`expr $LOADED_GRP + 1`
- TEMP_NUM=0
- if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
- load_group_crl $LOADED_GRP $ectype
- html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
- "produced a returncode of $ret, expected is 0"
- fi
- done
- # Restart selfserv to roll back to two initial group 1 crls
- # TestCA CRL and TestCA-ec CRL
- kill_selfserv
- start_selfserv
- fi
- done
- kill_selfserv
- SERV_ARG="${SERV_ARG}_-r"
- rm -f ${SSLAUTH_TMP}
- grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
- done
- TEMPFILES=${SSLAUTH_TMP}
- html "</TABLE><BR>"
- }
- ############################## ssl_cleanup #############################
- # local shell function to finish this script (no exit since it might be
- # sourced)
- ########################################################################
- ssl_cleanup()
- {
- rm $SERVERPID 2>/dev/null
- cd ${QADIR}
- . common/cleanup.sh
- }
- ############################## ssl_run #################################
- # local shell function to run coverage, authentication and stress tests
- ########################################################################
- ssl_run()
- {
- for SSL_RUN in ${NSS_SSL_RUN}
- do
- case "${SSL_RUN}" in
- "cov")
- ssl_cov
- ;;
- "auth")
- ssl_auth
- ;;
- "stress")
- ssl_stress
- ;;
- esac
- done
- }
- ############################ ssl_run_all ###############################
- # local shell function to run both standard and extended ssl tests
- ########################################################################
- ssl_run_all()
- {
- ORIG_SERVERDIR=$SERVERDIR
- ORIG_CLIENTDIR=$CLIENTDIR
- ORIG_R_SERVERDIR=$R_SERVERDIR
- ORIG_R_CLIENTDIR=$R_CLIENTDIR
- ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
- ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
- USER_NICKNAME=TestUser
- NORM_EXT=""
- cd ${CLIENTDIR}
- ssl_run
- SERVERDIR=$EXT_SERVERDIR
- CLIENTDIR=$EXT_CLIENTDIR
- R_SERVERDIR=$R_EXT_SERVERDIR
- R_CLIENTDIR=$R_EXT_CLIENTDIR
- P_R_SERVERDIR=$P_R_EXT_SERVERDIR
- P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
- USER_NICKNAME=ExtendedSSLUser
- NORM_EXT="Extended Test"
- cd ${CLIENTDIR}
-
- ssl_run
- # the next round of ssl tests will only run if these vars are reset
- SERVERDIR=$ORIG_SERVERDIR
- CLIENTDIR=$ORIG_CLIENTDIR
- R_SERVERDIR=$ORIG_R_SERVERDIR
- R_CLIENTDIR=$ORIG_R_CLIENTDIR
- P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
- P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
- USER_NICKNAME=TestUser
- NORM_EXT=
- cd ${QADIR}/ssl
- }
- ############################ ssl_set_fips ##############################
- # local shell function to set FIPS mode on/off
- ########################################################################
- ssl_set_fips()
- {
- CLTSRV=$1
- ONOFF=$2
- if [ ${CLTSRV} = "server" ]; then
- DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
- else
- DBDIRS="${CLIETNDIR} ${EXT_CLIENTDIR}"
- fi
-
- if [ "${ONOFF}" = "on" ]; then
- FIPSMODE=true
- RET_EXP=0
- else
- FIPSMODE=false
- RET_EXP=1
- fi
- html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
- for DBDIR in ${DBDIRS}
- do
- EXT_OPT=
- echo ${DBDIR} | grep ext > /dev/null
- if [ $? -eq 0 ]; then
- EXT_OPT="extended "
- fi
- echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
- echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
- ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
- RET=$?
- html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
- "produced a returncode of ${RET}, expected is 0"
-
- echo "modutil -dbdir ${DBDIR} -list"
- DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
- RET=$?
- html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
- "produced a returncode of ${RET}, expected is 0"
- echo "${DBLIST}" | grep "FIPS PKCS #11"
- RET=$?
- html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
- "produced a returncode of ${RET}, expected is ${RET_EXP}"
- done
- html "</TABLE><BR>"
- }
- ############################ ssl_set_fips ##############################
- # local shell function to run all tests set in NSS_SSL_TESTS variable
- ########################################################################
- ssl_run_tests()
- {
- for SSL_TEST in ${NSS_SSL_TESTS}
- do
- case "${SSL_TEST}" in
- "crl")
- ssl_crl_ssl
- ssl_crl_cache
- ;;
- "iopr")
- ssl_iopr_run
- ;;
- *)
- SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
- CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
- case "${SERVER_MODE}" in
- "normal")
- SERVER_OPTIONS=
- ;;
- "bypass")
- SERVER_OPTIONS="-B -s"
- ;;
- "fips")
- SERVER_OPTIONS=
- ssl_set_fips server on
- ;;
- *)
- echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
- continue
- ;;
- esac
- case "${CLIENT_MODE}" in
- "normal")
- CLIENT_OPTIONS=
- ;;
- "bypass")
- CLIENT_OPTIONS="-B -s"
- ;;
- "fips")
- SERVER_OPTIONS=
- ssl_set_fips client on
- ;;
- *)
- echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
- continue
- ;;
- esac
- ssl_run_all
- if [ "${SERVER_MODE}" = "fips" ]; then
- ssl_set_fips server off
- fi
- if [ "${CLIENT_MODE}" = "fips" ]; then
- ssl_set_fips client off
- fi
- ;;
- esac
- done
- }
- ################################# main #################################
- ssl_init
- ssl_run_tests
- ssl_cleanup