security/nss/tests/ssl/ssl.sh@6474c204b198 (annotated)
security/nss/tests/ssl/ssl.sh
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rwxr-xr-x
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | #! /bin/bash |
| michael@0 | 2 | # |
| michael@0 | 3 | # This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 4 | # License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 5 | # file, You can obtain one at http://mozilla.org/MPL/2.0/. |
| michael@0 | 6 | |
| michael@0 | 7 | ######################################################################## |
| michael@0 | 8 | # |
| michael@0 | 9 | # mozilla/security/nss/tests/ssl/ssl.sh |
| michael@0 | 10 | # |
| michael@0 | 11 | # Script to test NSS SSL |
| michael@0 | 12 | # |
| michael@0 | 13 | # needs to work on all Unix and Windows platforms |
| michael@0 | 14 | # |
| michael@0 | 15 | # special strings |
| michael@0 | 16 | # --------------- |
| michael@0 | 17 | # FIXME ... known problems, search for this string |
| michael@0 | 18 | # NOTE .... unexpected behavior |
| michael@0 | 19 | # |
| michael@0 | 20 | ######################################################################## |
| michael@0 | 21 | |
| michael@0 | 22 | ############################## ssl_init ################################ |
| michael@0 | 23 | # local shell function to initialize this script |
| michael@0 | 24 | ######################################################################## |
| michael@0 | 25 | ssl_init() |
| michael@0 | 26 | { |
| michael@0 | 27 | SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh |
| michael@0 | 28 | |
| michael@0 | 29 | if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for |
| michael@0 | 30 | CLEANUP="${SCRIPTNAME}" # cleaning this script will do it |
| michael@0 | 31 | fi |
| michael@0 | 32 | |
| michael@0 | 33 | if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then |
| michael@0 | 34 | cd ../common |
| michael@0 | 35 | . ./init.sh |
| michael@0 | 36 | fi |
| michael@0 | 37 | if [ -z "${IOPR_SSL_SOURCED}" ]; then |
| michael@0 | 38 | . ../iopr/ssl_iopr.sh |
| michael@0 | 39 | fi |
| michael@0 | 40 | if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here |
| michael@0 | 41 | cd ../cert |
| michael@0 | 42 | . ./cert.sh |
| michael@0 | 43 | fi |
| michael@0 | 44 | SCRIPTNAME=ssl.sh |
| michael@0 | 45 | echo "$SCRIPTNAME: SSL tests ===============================" |
| michael@0 | 46 | |
| michael@0 | 47 | grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { |
| michael@0 | 48 | html_head "SSL Test failure" |
| michael@0 | 49 | Exit 8 "Fatal - cert.sh needs to pass first" |
| michael@0 | 50 | } |
| michael@0 | 51 | |
| michael@0 | 52 | if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then |
| michael@0 | 53 | grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || { |
| michael@0 | 54 | html_head "SSL Test failure" |
| michael@0 | 55 | Exit 8 "Fatal - SSL of cert.sh needs to pass first" |
| michael@0 | 56 | } |
| michael@0 | 57 | fi |
| michael@0 | 58 | |
| michael@0 | 59 | PORT=${PORT-8443} |
| michael@0 | 60 | NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} |
| michael@0 | 61 | nss_ssl_run="stapling cov auth stress" |
| michael@0 | 62 | NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} |
| michael@0 | 63 | |
| michael@0 | 64 | # Test case files |
| michael@0 | 65 | SSLCOV=${QADIR}/ssl/sslcov.txt |
| michael@0 | 66 | SSLAUTH=${QADIR}/ssl/sslauth.txt |
| michael@0 | 67 | SSLSTRESS=${QADIR}/ssl/sslstress.txt |
| michael@0 | 68 | REQUEST_FILE=${QADIR}/ssl/sslreq.dat |
| michael@0 | 69 | |
| michael@0 | 70 | #temparary files |
| michael@0 | 71 | SERVEROUTFILE=${TMP}/tests_server.$$ |
| michael@0 | 72 | SERVERPID=${TMP}/tests_pid.$$ |
| michael@0 | 73 | |
| michael@0 | 74 | R_SERVERPID=../tests_pid.$$ |
| michael@0 | 75 | |
| michael@0 | 76 | TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}" |
| michael@0 | 77 | |
| michael@0 | 78 | fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't |
| michael@0 | 79 | #fileout=1 |
| michael@0 | 80 | #verbose="-v" #FIXME - see where this is usefull |
| michael@0 | 81 | |
| michael@0 | 82 | USER_NICKNAME=TestUser |
| michael@0 | 83 | NORM_EXT="" |
| michael@0 | 84 | |
| michael@0 | 85 | if [ -z "$NSS_DISABLE_ECC" ] ; then |
| michael@0 | 86 | ECC_STRING=" - with ECC" |
| michael@0 | 87 | else |
| michael@0 | 88 | ECC_STRING="" |
| michael@0 | 89 | fi |
| michael@0 | 90 | |
| michael@0 | 91 | CSHORT="-c ABCDEF:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz" |
| michael@0 | 92 | CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz" |
| michael@0 | 93 | |
| michael@0 | 94 | if [ "${OS_ARCH}" != "WINNT" ]; then |
| michael@0 | 95 | ulimit -n 1000 # make sure we have enough file descriptors |
| michael@0 | 96 | fi |
| michael@0 | 97 | |
| michael@0 | 98 | cd ${CLIENTDIR} |
| michael@0 | 99 | } |
| michael@0 | 100 | |
| michael@0 | 101 | ########################### is_selfserv_alive ########################## |
| michael@0 | 102 | # local shell function to exit with a fatal error if selfserver is not |
| michael@0 | 103 | # running |
| michael@0 | 104 | ######################################################################## |
| michael@0 | 105 | is_selfserv_alive() |
| michael@0 | 106 | { |
| michael@0 | 107 | if [ ! -f "${SERVERPID}" ]; then |
| michael@0 | 108 | echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist" |
| michael@0 | 109 | sleep 5 |
| michael@0 | 110 | if [ ! -f "${SERVERPID}" ]; then |
| michael@0 | 111 | Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist" |
| michael@0 | 112 | fi |
| michael@0 | 113 | fi |
| michael@0 | 114 | |
| michael@0 | 115 | if [ "${OS_ARCH}" = "WINNT" ] && \ |
| michael@0 | 116 | [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then |
| michael@0 | 117 | PID=${SHELL_SERVERPID} |
| michael@0 | 118 | else |
| michael@0 | 119 | PID=`cat ${SERVERPID}` |
| michael@0 | 120 | fi |
| michael@0 | 121 | |
| michael@0 | 122 | echo "kill -0 ${PID} >/dev/null 2>/dev/null" |
| michael@0 | 123 | kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" |
| michael@0 | 124 | |
| michael@0 | 125 | echo "selfserv with PID ${PID} found at `date`" |
| michael@0 | 126 | } |
| michael@0 | 127 | |
| michael@0 | 128 | ########################### wait_for_selfserv ########################## |
| michael@0 | 129 | # local shell function to wait until selfserver is running and initialized |
| michael@0 | 130 | ######################################################################## |
| michael@0 | 131 | wait_for_selfserv() |
| michael@0 | 132 | { |
| michael@0 | 133 | echo "trying to connect to selfserv at `date`" |
| michael@0 | 134 | echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" |
| michael@0 | 135 | echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}" |
| michael@0 | 136 | ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ |
| michael@0 | 137 | -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} |
| michael@0 | 138 | if [ $? -ne 0 ]; then |
| michael@0 | 139 | sleep 5 |
| michael@0 | 140 | echo "retrying to connect to selfserv at `date`" |
| michael@0 | 141 | echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" |
| michael@0 | 142 | echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}" |
| michael@0 | 143 | ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ |
| michael@0 | 144 | -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} |
| michael@0 | 145 | if [ $? -ne 0 ]; then |
| michael@0 | 146 | html_failed "Waiting for Server" |
| michael@0 | 147 | fi |
| michael@0 | 148 | fi |
| michael@0 | 149 | is_selfserv_alive |
| michael@0 | 150 | } |
| michael@0 | 151 | |
| michael@0 | 152 | ########################### kill_selfserv ############################## |
| michael@0 | 153 | # local shell function to kill the selfserver after the tests are done |
| michael@0 | 154 | ######################################################################## |
| michael@0 | 155 | kill_selfserv() |
| michael@0 | 156 | { |
| michael@0 | 157 | if [ "${OS_ARCH}" = "WINNT" ] && \ |
| michael@0 | 158 | [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then |
| michael@0 | 159 | PID=${SHELL_SERVERPID} |
| michael@0 | 160 | else |
| michael@0 | 161 | PID=`cat ${SERVERPID}` |
| michael@0 | 162 | fi |
| michael@0 | 163 | |
| michael@0 | 164 | echo "trying to kill selfserv with PID ${PID} at `date`" |
| michael@0 | 165 | |
| michael@0 | 166 | if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then |
| michael@0 | 167 | echo "${KILL} ${PID}" |
| michael@0 | 168 | ${KILL} ${PID} |
| michael@0 | 169 | else |
| michael@0 | 170 | echo "${KILL} -USR1 ${PID}" |
| michael@0 | 171 | ${KILL} -USR1 ${PID} |
| michael@0 | 172 | fi |
| michael@0 | 173 | wait ${PID} |
| michael@0 | 174 | if [ ${fileout} -eq 1 ]; then |
| michael@0 | 175 | cat ${SERVEROUTFILE} |
| michael@0 | 176 | fi |
| michael@0 | 177 | |
| michael@0 | 178 | # On Linux selfserv needs up to 30 seconds to fully die and free |
| michael@0 | 179 | # the port. Wait until the port is free. (Bug 129701) |
| michael@0 | 180 | if [ "${OS_ARCH}" = "Linux" ]; then |
| michael@0 | 181 | echo "selfserv -b -p ${PORT} 2>/dev/null;" |
| michael@0 | 182 | until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do |
| michael@0 | 183 | echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;" |
| michael@0 | 184 | sleep 1 |
| michael@0 | 185 | done |
| michael@0 | 186 | fi |
| michael@0 | 187 | |
| michael@0 | 188 | echo "selfserv with PID ${PID} killed at `date`" |
| michael@0 | 189 | |
| michael@0 | 190 | rm ${SERVERPID} |
| michael@0 | 191 | html_detect_core "kill_selfserv core detection step" |
| michael@0 | 192 | } |
| michael@0 | 193 | |
| michael@0 | 194 | ########################### start_selfserv ############################# |
| michael@0 | 195 | # local shell function to start the selfserver with the parameters required |
| michael@0 | 196 | # for this test and log information (parameters, start time) |
| michael@0 | 197 | # also: wait until the server is up and running |
| michael@0 | 198 | ######################################################################## |
| michael@0 | 199 | start_selfserv() |
| michael@0 | 200 | { |
| michael@0 | 201 | if [ -n "$testname" ] ; then |
| michael@0 | 202 | echo "$SCRIPTNAME: $testname ----" |
| michael@0 | 203 | fi |
| michael@0 | 204 | sparam=`echo $sparam | sed -e 's;_; ;g'` |
| michael@0 | 205 | if [ -z "$NSS_DISABLE_ECC" ] && \ |
| michael@0 | 206 | [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then |
| michael@0 | 207 | ECC_OPTIONS="-e ${HOSTADDR}-ec" |
| michael@0 | 208 | else |
| michael@0 | 209 | ECC_OPTIONS="" |
| michael@0 | 210 | fi |
| michael@0 | 211 | if [ "$1" = "mixed" ]; then |
| michael@0 | 212 | ECC_OPTIONS="-e ${HOSTADDR}-ecmixed" |
| michael@0 | 213 | fi |
| michael@0 | 214 | echo "selfserv starting at `date`" |
| michael@0 | 215 | echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" |
| michael@0 | 216 | echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &" |
| michael@0 | 217 | if [ ${fileout} -eq 1 ]; then |
| michael@0 | 218 | ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ |
| michael@0 | 219 | ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \ |
| michael@0 | 220 | > ${SERVEROUTFILE} 2>&1 & |
| michael@0 | 221 | RET=$? |
| michael@0 | 222 | else |
| michael@0 | 223 | ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ |
| michael@0 | 224 | ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose & |
| michael@0 | 225 | RET=$? |
| michael@0 | 226 | fi |
| michael@0 | 227 | |
| michael@0 | 228 | # The PID $! returned by the MKS or Cygwin shell is not the PID of |
| michael@0 | 229 | # the real background process, but rather the PID of a helper |
| michael@0 | 230 | # process (sh.exe). MKS's kill command has a bug: invoking kill |
| michael@0 | 231 | # on the helper process does not terminate the real background |
| michael@0 | 232 | # process. Our workaround has been to have selfserv save its PID |
| michael@0 | 233 | # in the ${SERVERPID} file and "kill" that PID instead. But this |
| michael@0 | 234 | # doesn't work under Cygwin; its kill command doesn't recognize |
| michael@0 | 235 | # the PID of the real background process, but it does work on the |
| michael@0 | 236 | # PID of the helper process. So we save the value of $! in the |
| michael@0 | 237 | # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID} |
| michael@0 | 238 | # file under Cygwin. (In fact, this should work in any shell |
| michael@0 | 239 | # other than the MKS shell.) |
| michael@0 | 240 | SHELL_SERVERPID=$! |
| michael@0 | 241 | wait_for_selfserv |
| michael@0 | 242 | |
| michael@0 | 243 | if [ "${OS_ARCH}" = "WINNT" ] && \ |
| michael@0 | 244 | [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then |
| michael@0 | 245 | PID=${SHELL_SERVERPID} |
| michael@0 | 246 | else |
| michael@0 | 247 | PID=`cat ${SERVERPID}` |
| michael@0 | 248 | fi |
| michael@0 | 249 | |
| michael@0 | 250 | echo "selfserv with PID ${PID} started at `date`" |
| michael@0 | 251 | } |
| michael@0 | 252 | |
| michael@0 | 253 | ############################## ssl_cov ################################# |
| michael@0 | 254 | # local shell function to perform SSL Cipher Coverage tests |
| michael@0 | 255 | ######################################################################## |
| michael@0 | 256 | ssl_cov() |
| michael@0 | 257 | { |
| michael@0 | 258 | html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" |
| michael@0 | 259 | |
| michael@0 | 260 | testname="" |
| michael@0 | 261 | if [ -z "$NSS_DISABLE_ECC" ] ; then |
| michael@0 | 262 | sparam="$CLONG" |
| michael@0 | 263 | else |
| michael@0 | 264 | sparam="$CSHORT" |
| michael@0 | 265 | fi |
| michael@0 | 266 | |
| michael@0 | 267 | mixed=0 |
| michael@0 | 268 | start_selfserv # Launch the server |
| michael@0 | 269 | |
| michael@0 | 270 | VMIN="ssl2" |
| michael@0 | 271 | VMAX="tls1.1" |
| michael@0 | 272 | |
| michael@0 | 273 | exec < ${SSLCOV} |
| michael@0 | 274 | while read ectype testmax param testname |
| michael@0 | 275 | do |
| michael@0 | 276 | echo "${testname}" | grep "EXPORT" > /dev/null |
| michael@0 | 277 | EXP=$? |
| michael@0 | 278 | echo "${testname}" | grep "SSL2" > /dev/null |
| michael@0 | 279 | SSL2=$? |
| michael@0 | 280 | |
| michael@0 | 281 | if [ "${SSL2}" -eq 0 ] ; then |
| michael@0 | 282 | # We cannot use asynchronous cert verification with SSL2 |
| michael@0 | 283 | SSL2_FLAGS=-O |
| michael@0 | 284 | VMIN="ssl2" |
| michael@0 | 285 | else |
| michael@0 | 286 | # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by |
| michael@0 | 287 | # default in libssl but it is enabled by default in tstclnt; we want |
| michael@0 | 288 | # to test the libssl default whenever possible. |
| michael@0 | 289 | SSL2_FLAGS= |
| michael@0 | 290 | VMIN="ssl3" |
| michael@0 | 291 | fi |
| michael@0 | 292 | |
| michael@0 | 293 | if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then |
| michael@0 | 294 | echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" |
| michael@0 | 295 | elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then |
| michael@0 | 296 | echo "$SCRIPTNAME: skipping $testname (ECC only)" |
| michael@0 | 297 | elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then |
| michael@0 | 298 | echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" |
| michael@0 | 299 | elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then |
| michael@0 | 300 | echo "$SCRIPTNAME: running $testname ----------------------------" |
| michael@0 | 301 | VMAX="ssl3" |
| michael@0 | 302 | if [ "$testmax" = "TLS10" ]; then |
| michael@0 | 303 | VMAX="tls1.0" |
| michael@0 | 304 | fi |
| michael@0 | 305 | if [ "$testmax" = "TLS11" ]; then |
| michael@0 | 306 | VMAX="tls1.1" |
| michael@0 | 307 | fi |
| michael@0 | 308 | if [ "$testmax" = "TLS12" ]; then |
| michael@0 | 309 | VMAX="tls1.2" |
| michael@0 | 310 | fi |
| michael@0 | 311 | |
| michael@0 | 312 | # These five tests need an EC cert signed with RSA |
| michael@0 | 313 | # This requires a different certificate loaded in selfserv |
| michael@0 | 314 | # due to a (current) NSS limitation of only loaded one cert |
| michael@0 | 315 | # per type so the default selfserv setup will not work. |
| michael@0 | 316 | #:C00B TLS ECDH RSA WITH NULL SHA |
| michael@0 | 317 | #:C00C TLS ECDH RSA WITH RC4 128 SHA |
| michael@0 | 318 | #:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA |
| michael@0 | 319 | #:C00E TLS ECDH RSA WITH AES 128 CBC SHA |
| michael@0 | 320 | #:C00F TLS ECDH RSA WITH AES 256 CBC SHA |
| michael@0 | 321 | |
| michael@0 | 322 | if [ $mixed -eq 0 ]; then |
| michael@0 | 323 | if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then |
| michael@0 | 324 | kill_selfserv |
| michael@0 | 325 | start_selfserv mixed |
| michael@0 | 326 | mixed=1 |
| michael@0 | 327 | else |
| michael@0 | 328 | is_selfserv_alive |
| michael@0 | 329 | fi |
| michael@0 | 330 | else |
| michael@0 | 331 | if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then |
| michael@0 | 332 | is_selfserv_alive |
| michael@0 | 333 | else |
| michael@0 | 334 | kill_selfserv |
| michael@0 | 335 | start_selfserv |
| michael@0 | 336 | mixed=0 |
| michael@0 | 337 | fi |
| michael@0 | 338 | fi |
| michael@0 | 339 | |
| michael@0 | 340 | echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\" |
| michael@0 | 341 | echo " -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}" |
| michael@0 | 342 | |
| michael@0 | 343 | rm ${TMP}/$HOST.tmp.$$ 2>/dev/null |
| michael@0 | 344 | ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \ |
| michael@0 | 345 | -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \ |
| michael@0 | 346 | >${TMP}/$HOST.tmp.$$ 2>&1 |
| michael@0 | 347 | ret=$? |
| michael@0 | 348 | cat ${TMP}/$HOST.tmp.$$ |
| michael@0 | 349 | rm ${TMP}/$HOST.tmp.$$ 2>/dev/null |
| michael@0 | 350 | html_msg $ret 0 "${testname}" \ |
| michael@0 | 351 | "produced a returncode of $ret, expected is 0" |
| michael@0 | 352 | fi |
| michael@0 | 353 | done |
| michael@0 | 354 | |
| michael@0 | 355 | kill_selfserv |
| michael@0 | 356 | html "</TABLE><BR>" |
| michael@0 | 357 | } |
| michael@0 | 358 | |
| michael@0 | 359 | ############################## ssl_auth ################################ |
| michael@0 | 360 | # local shell function to perform SSL Client Authentication tests |
| michael@0 | 361 | ######################################################################## |
| michael@0 | 362 | ssl_auth() |
| michael@0 | 363 | { |
| michael@0 | 364 | html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" |
| michael@0 | 365 | |
| michael@0 | 366 | exec < ${SSLAUTH} |
| michael@0 | 367 | while read ectype value sparam cparam testname |
| michael@0 | 368 | do |
| michael@0 | 369 | [ -z "$ectype" ] && continue |
| michael@0 | 370 | echo "${testname}" | grep "don't require client auth" > /dev/null |
| michael@0 | 371 | CAUTH=$? |
| michael@0 | 372 | |
| michael@0 | 373 | if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then |
| michael@0 | 374 | echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" |
| michael@0 | 375 | elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then |
| michael@0 | 376 | echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" |
| michael@0 | 377 | elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then |
| michael@0 | 378 | echo "$SCRIPTNAME: skipping $testname (ECC only)" |
| michael@0 | 379 | elif [ "`echo $ectype | cut -b 1`" != "#" ]; then |
| michael@0 | 380 | cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` |
| michael@0 | 381 | if [ "$ectype" = "SNI" ]; then |
| michael@0 | 382 | cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` |
| michael@0 | 383 | sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` |
| michael@0 | 384 | fi |
| michael@0 | 385 | start_selfserv |
| michael@0 | 386 | |
| michael@0 | 387 | echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\" |
| michael@0 | 388 | echo " ${cparam} < ${REQUEST_FILE}" |
| michael@0 | 389 | rm ${TMP}/$HOST.tmp.$$ 2>/dev/null |
| michael@0 | 390 | ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \ |
| michael@0 | 391 | -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \ |
| michael@0 | 392 | >${TMP}/$HOST.tmp.$$ 2>&1 |
| michael@0 | 393 | ret=$? |
| michael@0 | 394 | cat ${TMP}/$HOST.tmp.$$ |
| michael@0 | 395 | rm ${TMP}/$HOST.tmp.$$ 2>/dev/null |
| michael@0 | 396 | |
| michael@0 | 397 | #workaround for bug #402058 |
| michael@0 | 398 | [ $ret -ne 0 ] && ret=1 |
| michael@0 | 399 | [ $value -ne 0 ] && value=1 |
| michael@0 | 400 | |
| michael@0 | 401 | html_msg $ret $value "${testname}" \ |
| michael@0 | 402 | "produced a returncode of $ret, expected is $value" |
| michael@0 | 403 | kill_selfserv |
| michael@0 | 404 | fi |
| michael@0 | 405 | done |
| michael@0 | 406 | |
| michael@0 | 407 | html "</TABLE><BR>" |
| michael@0 | 408 | } |
| michael@0 | 409 | |
| michael@0 | 410 | ssl_stapling_sub() |
| michael@0 | 411 | { |
| michael@0 | 412 | testname=$1 |
| michael@0 | 413 | SO=$2 |
| michael@0 | 414 | value=$3 |
| michael@0 | 415 | |
| michael@0 | 416 | if [ "$NORM_EXT" = "Extended Test" ] ; then |
| michael@0 | 417 | # these tests use the ext_client directory for tstclnt, |
| michael@0 | 418 | # which doesn't contain the required "TestCA" for server cert |
| michael@0 | 419 | # verification, I don't know if it would be OK to add it... |
| michael@0 | 420 | echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" |
| michael@0 | 421 | return 0 |
| michael@0 | 422 | fi |
| michael@0 | 423 | if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then |
| michael@0 | 424 | echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" |
| michael@0 | 425 | return 0 |
| michael@0 | 426 | fi |
| michael@0 | 427 | |
| michael@0 | 428 | SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} |
| michael@0 | 429 | SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}" |
| michael@0 | 430 | |
| michael@0 | 431 | SAVE_P_R_SERVERDIR=${P_R_SERVERDIR} |
| michael@0 | 432 | P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/ |
| michael@0 | 433 | |
| michael@0 | 434 | echo "${testname}" |
| michael@0 | 435 | |
| michael@0 | 436 | start_selfserv |
| michael@0 | 437 | |
| michael@0 | 438 | echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\" |
| michael@0 | 439 | echo " -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}" |
| michael@0 | 440 | rm ${TMP}/$HOST.tmp.$$ 2>/dev/null |
| michael@0 | 441 | ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ |
| michael@0 | 442 | -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \ |
| michael@0 | 443 | >${TMP}/$HOST.tmp.$$ 2>&1 |
| michael@0 | 444 | ret=$? |
| michael@0 | 445 | cat ${TMP}/$HOST.tmp.$$ |
| michael@0 | 446 | rm ${TMP}/$HOST.tmp.$$ 2>/dev/null |
| michael@0 | 447 | |
| michael@0 | 448 | # hopefully no workaround for bug #402058 needed here? |
| michael@0 | 449 | # (see commands in ssl_auth |
| michael@0 | 450 | |
| michael@0 | 451 | html_msg $ret $value "${testname}" \ |
| michael@0 | 452 | "produced a returncode of $ret, expected is $value" |
| michael@0 | 453 | kill_selfserv |
| michael@0 | 454 | |
| michael@0 | 455 | SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} |
| michael@0 | 456 | P_R_SERVERDIR=${SAVE_P_R_SERVERDIR} |
| michael@0 | 457 | } |
| michael@0 | 458 | |
| michael@0 | 459 | ssl_stapling_stress() |
| michael@0 | 460 | { |
| michael@0 | 461 | testname="Stress OCSP stapling, server uses random status" |
| michael@0 | 462 | SO="-A TestCA -T random" |
| michael@0 | 463 | value=0 |
| michael@0 | 464 | |
| michael@0 | 465 | if [ "$NORM_EXT" = "Extended Test" ] ; then |
| michael@0 | 466 | # these tests use the ext_client directory for tstclnt, |
| michael@0 | 467 | # which doesn't contain the required "TestCA" for server cert |
| michael@0 | 468 | # verification, I don't know if it would be OK to add it... |
| michael@0 | 469 | echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" |
| michael@0 | 470 | return 0 |
| michael@0 | 471 | fi |
| michael@0 | 472 | if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then |
| michael@0 | 473 | echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" |
| michael@0 | 474 | return 0 |
| michael@0 | 475 | fi |
| michael@0 | 476 | |
| michael@0 | 477 | SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} |
| michael@0 | 478 | SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}" |
| michael@0 | 479 | |
| michael@0 | 480 | SAVE_P_R_SERVERDIR=${P_R_SERVERDIR} |
| michael@0 | 481 | P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/ |
| michael@0 | 482 | |
| michael@0 | 483 | echo "${testname}" |
| michael@0 | 484 | start_selfserv |
| michael@0 | 485 | |
| michael@0 | 486 | echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\" |
| michael@0 | 487 | echo " -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}" |
| michael@0 | 488 | echo "strsclnt started at `date`" |
| michael@0 | 489 | ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \ |
| michael@0 | 490 | -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR} |
| michael@0 | 491 | ret=$? |
| michael@0 | 492 | |
| michael@0 | 493 | echo "strsclnt completed at `date`" |
| michael@0 | 494 | html_msg $ret $value \ |
| michael@0 | 495 | "${testname}" \ |
| michael@0 | 496 | "produced a returncode of $ret, expected is $value." |
| michael@0 | 497 | kill_selfserv |
| michael@0 | 498 | |
| michael@0 | 499 | SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} |
| michael@0 | 500 | P_R_SERVERDIR=${SAVE_P_R_SERVERDIR} |
| michael@0 | 501 | } |
| michael@0 | 502 | |
| michael@0 | 503 | ############################ ssl_stapling ############################## |
| michael@0 | 504 | # local shell function to perform SSL Cert Status (OCSP Stapling) tests |
| michael@0 | 505 | ######################################################################## |
| michael@0 | 506 | ssl_stapling() |
| michael@0 | 507 | { |
| michael@0 | 508 | html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" |
| michael@0 | 509 | |
| michael@0 | 510 | # tstclnt Exit code: |
| michael@0 | 511 | # 0: have fresh and valid revocation data, status good |
| michael@0 | 512 | # 1: cert failed to verify, prior to revocation checking |
| michael@0 | 513 | # 2: missing, old or invalid revocation data |
| michael@0 | 514 | # 3: have fresh and valid revocation data, status revoked |
| michael@0 | 515 | |
| michael@0 | 516 | # selfserv modes |
| michael@0 | 517 | # good, revoked, unkown: Include locally signed response. Requires: -A |
| michael@0 | 518 | # failure: Include OCSP failure status, such as "try later" (unsigned) |
| michael@0 | 519 | # badsig: use a good status but with an invalid signature |
| michael@0 | 520 | # corrupted: stapled cert status is an invalid block of data |
| michael@0 | 521 | |
| michael@0 | 522 | ssl_stapling_sub "OCSP stapling, signed response, good status" "-A TestCA -T good" 0 |
| michael@0 | 523 | ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked" 3 |
| michael@0 | 524 | ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown" 2 |
| michael@0 | 525 | ssl_stapling_sub "OCSP stapling, unsigned failure response" "-A TestCA -T failure" 2 |
| michael@0 | 526 | ssl_stapling_sub "OCSP stapling, good status, bad signature" "-A TestCA -T badsig" 2 |
| michael@0 | 527 | ssl_stapling_sub "OCSP stapling, invalid cert status data" "-A TestCA -T corrupted" 2 |
| michael@0 | 528 | ssl_stapling_sub "Valid cert, Server doesn't staple" "" 2 |
| michael@0 | 529 | |
| michael@0 | 530 | ssl_stapling_stress |
| michael@0 | 531 | |
| michael@0 | 532 | html "</TABLE><BR>" |
| michael@0 | 533 | } |
| michael@0 | 534 | |
| michael@0 | 535 | |
| michael@0 | 536 | ############################## ssl_stress ############################## |
| michael@0 | 537 | # local shell function to perform SSL stress test |
| michael@0 | 538 | ######################################################################## |
| michael@0 | 539 | ssl_stress() |
| michael@0 | 540 | { |
| michael@0 | 541 | html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" |
| michael@0 | 542 | |
| michael@0 | 543 | exec < ${SSLSTRESS} |
| michael@0 | 544 | while read ectype value sparam cparam testname |
| michael@0 | 545 | do |
| michael@0 | 546 | if [ -z "$ectype" ]; then |
| michael@0 | 547 | # silently ignore blank lines |
| michael@0 | 548 | continue |
| michael@0 | 549 | fi |
| michael@0 | 550 | |
| michael@0 | 551 | echo "${testname}" | grep "SSL2" > /dev/null |
| michael@0 | 552 | SSL2=$? |
| michael@0 | 553 | echo "${testname}" | grep "client auth" > /dev/null |
| michael@0 | 554 | CAUTH=$? |
| michael@0 | 555 | |
| michael@0 | 556 | if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then |
| michael@0 | 557 | echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" |
| michael@0 | 558 | elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then |
| michael@0 | 559 | echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" |
| michael@0 | 560 | elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then |
| michael@0 | 561 | echo "$SCRIPTNAME: skipping $testname (ECC only)" |
| michael@0 | 562 | elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then |
| michael@0 | 563 | echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" |
| michael@0 | 564 | elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then |
| michael@0 | 565 | echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" |
| michael@0 | 566 | elif [ "`echo $ectype | cut -b 1`" != "#" ]; then |
| michael@0 | 567 | cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` |
| michael@0 | 568 | if [ "$ectype" = "SNI" ]; then |
| michael@0 | 569 | cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` |
| michael@0 | 570 | sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` |
| michael@0 | 571 | fi |
| michael@0 | 572 | |
| michael@0 | 573 | # These tests need the mixed cert |
| michael@0 | 574 | # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) |
| michael@0 | 575 | # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) |
| michael@0 | 576 | p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`; |
| michael@0 | 577 | if [ "$p" = "-c_:C00E" ]; then |
| michael@0 | 578 | start_selfserv mixed |
| michael@0 | 579 | else |
| michael@0 | 580 | start_selfserv |
| michael@0 | 581 | fi |
| michael@0 | 582 | |
| michael@0 | 583 | if [ "`uname -n`" = "sjsu" ] ; then |
| michael@0 | 584 | echo "debugging disapering selfserv... ps -ef | grep selfserv" |
| michael@0 | 585 | ps -ef | grep selfserv |
| michael@0 | 586 | fi |
| michael@0 | 587 | |
| michael@0 | 588 | echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\" |
| michael@0 | 589 | echo " $verbose ${HOSTADDR}" |
| michael@0 | 590 | echo "strsclnt started at `date`" |
| michael@0 | 591 | ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \ |
| michael@0 | 592 | $verbose ${HOSTADDR} |
| michael@0 | 593 | ret=$? |
| michael@0 | 594 | echo "strsclnt completed at `date`" |
| michael@0 | 595 | html_msg $ret $value \ |
| michael@0 | 596 | "${testname}" \ |
| michael@0 | 597 | "produced a returncode of $ret, expected is $value. " |
| michael@0 | 598 | if [ "`uname -n`" = "sjsu" ] ; then |
| michael@0 | 599 | echo "debugging disapering selfserv... ps -ef | grep selfserv" |
| michael@0 | 600 | ps -ef | grep selfserv |
| michael@0 | 601 | fi |
| michael@0 | 602 | kill_selfserv |
| michael@0 | 603 | fi |
| michael@0 | 604 | done |
| michael@0 | 605 | |
| michael@0 | 606 | html "</TABLE><BR>" |
| michael@0 | 607 | } |
| michael@0 | 608 | |
| michael@0 | 609 | ############################ ssl_crl_ssl ############################### |
| michael@0 | 610 | # local shell function to perform SSL test with/out revoked certs tests |
| michael@0 | 611 | ######################################################################## |
| michael@0 | 612 | ssl_crl_ssl() |
| michael@0 | 613 | { |
| michael@0 | 614 | html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING" |
| michael@0 | 615 | |
| michael@0 | 616 | # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it. |
| michael@0 | 617 | # Cert number $UNREVOKED_CERT_GRP_1 was not revoked |
| michael@0 | 618 | CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN |
| michael@0 | 619 | CRL_GROUP_RANGE=$CRL_GRP_1_RANGE |
| michael@0 | 620 | UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1 |
| michael@0 | 621 | |
| michael@0 | 622 | exec < ${SSLAUTH} |
| michael@0 | 623 | while read ectype value sparam cparam testname |
| michael@0 | 624 | do |
| michael@0 | 625 | [ "$ectype" = "" ] && continue |
| michael@0 | 626 | if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then |
| michael@0 | 627 | echo "$SCRIPTNAME: skipping $testname (ECC only)" |
| michael@0 | 628 | elif [ "$ectype" = "SNI" ]; then |
| michael@0 | 629 | continue |
| michael@0 | 630 | elif [ "`echo $ectype | cut -b 1`" != "#" ]; then |
| michael@0 | 631 | servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` |
| michael@0 | 632 | pwd=`echo $cparam | grep nss` |
| michael@0 | 633 | user=`echo $cparam | grep TestUser` |
| michael@0 | 634 | _cparam=$cparam |
| michael@0 | 635 | case $servarg in |
| michael@0 | 636 | 1) if [ -z "$pwd" -o -z "$user" ]; then |
| michael@0 | 637 | rev_modvalue=0 |
| michael@0 | 638 | else |
| michael@0 | 639 | rev_modvalue=254 |
| michael@0 | 640 | fi |
| michael@0 | 641 | ;; |
| michael@0 | 642 | 2) rev_modvalue=254 ;; |
| michael@0 | 643 | 3) if [ -z "$pwd" -o -z "$user" ]; then |
| michael@0 | 644 | rev_modvalue=0 |
| michael@0 | 645 | else |
| michael@0 | 646 | rev_modvalue=1 |
| michael@0 | 647 | fi |
| michael@0 | 648 | ;; |
| michael@0 | 649 | 4) rev_modvalue=1 ;; |
| michael@0 | 650 | esac |
| michael@0 | 651 | TEMP_NUM=0 |
| michael@0 | 652 | while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ] |
| michael@0 | 653 | do |
| michael@0 | 654 | CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}` |
| michael@0 | 655 | TEMP_NUM=`expr $TEMP_NUM + 1` |
| michael@0 | 656 | USER_NICKNAME="TestUser${CURR_SER_NUM}" |
| michael@0 | 657 | cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` |
| michael@0 | 658 | start_selfserv |
| michael@0 | 659 | |
| michael@0 | 660 | echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\" |
| michael@0 | 661 | echo " ${cparam} < ${REQUEST_FILE}" |
| michael@0 | 662 | rm ${TMP}/$HOST.tmp.$$ 2>/dev/null |
| michael@0 | 663 | ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ |
| michael@0 | 664 | -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \ |
| michael@0 | 665 | >${TMP}/$HOST.tmp.$$ 2>&1 |
| michael@0 | 666 | ret=$? |
| michael@0 | 667 | cat ${TMP}/$HOST.tmp.$$ |
| michael@0 | 668 | rm ${TMP}/$HOST.tmp.$$ 2>/dev/null |
| michael@0 | 669 | if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then |
| michael@0 | 670 | modvalue=$rev_modvalue |
| michael@0 | 671 | testAddMsg="revoked" |
| michael@0 | 672 | else |
| michael@0 | 673 | testAddMsg="not revoked" |
| michael@0 | 674 | modvalue=$value |
| michael@0 | 675 | fi |
| michael@0 | 676 | |
| michael@0 | 677 | html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \ |
| michael@0 | 678 | "produced a returncode of $ret, expected is $modvalue" |
| michael@0 | 679 | kill_selfserv |
| michael@0 | 680 | done |
| michael@0 | 681 | fi |
| michael@0 | 682 | done |
| michael@0 | 683 | |
| michael@0 | 684 | html "</TABLE><BR>" |
| michael@0 | 685 | } |
| michael@0 | 686 | |
| michael@0 | 687 | ############################# is_revoked ############################### |
| michael@0 | 688 | # local shell function to check if certificate is revoked |
| michael@0 | 689 | ######################################################################## |
| michael@0 | 690 | is_revoked() { |
| michael@0 | 691 | certNum=$1 |
| michael@0 | 692 | currLoadedGrp=$2 |
| michael@0 | 693 | |
| michael@0 | 694 | found=0 |
| michael@0 | 695 | ownerGrp=1 |
| michael@0 | 696 | while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ] |
| michael@0 | 697 | do |
| michael@0 | 698 | currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}` |
| michael@0 | 699 | currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}` |
| michael@0 | 700 | currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1` |
| michael@0 | 701 | if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then |
| michael@0 | 702 | found=1 |
| michael@0 | 703 | else |
| michael@0 | 704 | ownerGrp=`expr $ownerGrp + 1` |
| michael@0 | 705 | fi |
| michael@0 | 706 | done |
| michael@0 | 707 | if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then |
| michael@0 | 708 | return 1 |
| michael@0 | 709 | fi |
| michael@0 | 710 | if [ $found -eq 0 ]; then |
| michael@0 | 711 | return 1 |
| michael@0 | 712 | fi |
| michael@0 | 713 | unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}` |
| michael@0 | 714 | if [ $certNum -eq $unrevokedGrpCert ]; then |
| michael@0 | 715 | return 1 |
| michael@0 | 716 | fi |
| michael@0 | 717 | return 0 |
| michael@0 | 718 | } |
| michael@0 | 719 | |
| michael@0 | 720 | ########################### load_group_crl ############################# |
| michael@0 | 721 | # local shell function to load CRL |
| michael@0 | 722 | ######################################################################## |
| michael@0 | 723 | load_group_crl() { |
| michael@0 | 724 | group=$1 |
| michael@0 | 725 | ectype=$2 |
| michael@0 | 726 | |
| michael@0 | 727 | OUTFILE_TMP=${TMP}/$HOST.tmp.$$ |
| michael@0 | 728 | grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}` |
| michael@0 | 729 | grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}` |
| michael@0 | 730 | grpEnd=`expr $grpBegin + $grpRange - 1` |
| michael@0 | 731 | |
| michael@0 | 732 | if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then |
| michael@0 | 733 | ret=1 |
| michael@0 | 734 | return 1; |
| michael@0 | 735 | fi |
| michael@0 | 736 | |
| michael@0 | 737 | # Add -ec suffix for ECC |
| michael@0 | 738 | if [ "$ectype" = "ECC" ] ; then |
| michael@0 | 739 | ecsuffix="-ec" |
| michael@0 | 740 | eccomment="ECC " |
| michael@0 | 741 | else |
| michael@0 | 742 | ecsuffix="" |
| michael@0 | 743 | eccomment="" |
| michael@0 | 744 | fi |
| michael@0 | 745 | |
| michael@0 | 746 | if [ "$RELOAD_CRL" != "" ]; then |
| michael@0 | 747 | if [ $group -eq 1 ]; then |
| michael@0 | 748 | echo "==================== Resetting to group 1 crl ===================" |
| michael@0 | 749 | kill_selfserv |
| michael@0 | 750 | start_selfserv |
| michael@0 | 751 | is_selfserv_alive |
| michael@0 | 752 | fi |
| michael@0 | 753 | echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd =============" |
| michael@0 | 754 | |
| michael@0 | 755 | echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\" |
| michael@0 | 756 | echo " -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}" |
| michael@0 | 757 | echo "Request:" |
| michael@0 | 758 | echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" |
| michael@0 | 759 | echo "" |
| michael@0 | 760 | echo "RELOAD time $i" |
| michael@0 | 761 | |
| michael@0 | 762 | REQF=${R_CLIENTDIR}.crlreq |
| michael@0 | 763 | cat > ${REQF} <<_EOF_REQUEST_ |
| michael@0 | 764 | GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} |
| michael@0 | 765 | |
| michael@0 | 766 | _EOF_REQUEST_ |
| michael@0 | 767 | |
| michael@0 | 768 | ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \ |
| michael@0 | 769 | -d ${R_CLIENTDIR} -v -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \ |
| michael@0 | 770 | >${OUTFILE_TMP} 2>&1 < ${REQF} |
| michael@0 | 771 | |
| michael@0 | 772 | cat ${OUTFILE_TMP} |
| michael@0 | 773 | grep "CRL ReCache Error" ${OUTFILE_TMP} |
| michael@0 | 774 | if [ $? -eq 0 ]; then |
| michael@0 | 775 | ret=1 |
| michael@0 | 776 | return 1 |
| michael@0 | 777 | fi |
| michael@0 | 778 | else |
| michael@0 | 779 | echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv =====" |
| michael@0 | 780 | |
| michael@0 | 781 | kill_selfserv |
| michael@0 | 782 | CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd" |
| michael@0 | 783 | crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \ |
| michael@0 | 784 | -p ../tests.pw.928 |
| michael@0 | 785 | ret=$? |
| michael@0 | 786 | if [ "$ret" -eq 0 ]; then |
| michael@0 | 787 | html_passed "${CU_ACTION}" |
| michael@0 | 788 | return 1 |
| michael@0 | 789 | fi |
| michael@0 | 790 | start_selfserv |
| michael@0 | 791 | fi |
| michael@0 | 792 | is_selfserv_alive |
| michael@0 | 793 | ret=$? |
| michael@0 | 794 | echo "================= CRL Reloaded =============" |
| michael@0 | 795 | } |
| michael@0 | 796 | |
| michael@0 | 797 | ########################### ssl_crl_cache ############################## |
| michael@0 | 798 | # local shell function to perform SSL test for crl cache functionality |
| michael@0 | 799 | # with/out revoked certs |
| michael@0 | 800 | ######################################################################## |
| michael@0 | 801 | ssl_crl_cache() |
| michael@0 | 802 | { |
| michael@0 | 803 | html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING" |
| michael@0 | 804 | SSLAUTH_TMP=${TMP}/authin.tl.tmp |
| michael@0 | 805 | SERV_ARG=-r_-r |
| michael@0 | 806 | rm -f ${SSLAUTH_TMP} |
| michael@0 | 807 | echo ${SSLAUTH_TMP} |
| michael@0 | 808 | |
| michael@0 | 809 | grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP} |
| michael@0 | 810 | echo $? |
| michael@0 | 811 | while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ] |
| michael@0 | 812 | do |
| michael@0 | 813 | sparam=$SERV_ARG |
| michael@0 | 814 | start_selfserv |
| michael@0 | 815 | exec < ${SSLAUTH_TMP} |
| michael@0 | 816 | while read ectype value sparam cparam testname |
| michael@0 | 817 | do |
| michael@0 | 818 | [ "$ectype" = "" ] && continue |
| michael@0 | 819 | if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then |
| michael@0 | 820 | echo "$SCRIPTNAME: skipping $testname (ECC only)" |
| michael@0 | 821 | elif [ "$ectype" = "SNI" ]; then |
| michael@0 | 822 | continue |
| michael@0 | 823 | else |
| michael@0 | 824 | servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` |
| michael@0 | 825 | pwd=`echo $cparam | grep nss` |
| michael@0 | 826 | user=`echo $cparam | grep TestUser` |
| michael@0 | 827 | _cparam=$cparam |
| michael@0 | 828 | case $servarg in |
| michael@0 | 829 | 1) if [ -z "$pwd" -o -z "$user" ]; then |
| michael@0 | 830 | rev_modvalue=0 |
| michael@0 | 831 | else |
| michael@0 | 832 | rev_modvalue=254 |
| michael@0 | 833 | fi |
| michael@0 | 834 | ;; |
| michael@0 | 835 | 2) rev_modvalue=254 ;; |
| michael@0 | 836 | |
| michael@0 | 837 | 3) if [ -z "$pwd" -o -z "$user" ]; then |
| michael@0 | 838 | rev_modvalue=0 |
| michael@0 | 839 | else |
| michael@0 | 840 | rev_modvalue=1 |
| michael@0 | 841 | fi |
| michael@0 | 842 | ;; |
| michael@0 | 843 | 4) rev_modvalue=1 ;; |
| michael@0 | 844 | esac |
| michael@0 | 845 | TEMP_NUM=0 |
| michael@0 | 846 | LOADED_GRP=1 |
| michael@0 | 847 | while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] |
| michael@0 | 848 | do |
| michael@0 | 849 | while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ] |
| michael@0 | 850 | do |
| michael@0 | 851 | CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}` |
| michael@0 | 852 | TEMP_NUM=`expr $TEMP_NUM + 1` |
| michael@0 | 853 | USER_NICKNAME="TestUser${CURR_SER_NUM}" |
| michael@0 | 854 | cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` |
| michael@0 | 855 | |
| michael@0 | 856 | echo "Server Args: $SERV_ARG" |
| michael@0 | 857 | echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\" |
| michael@0 | 858 | echo " ${cparam} < ${REQUEST_FILE}" |
| michael@0 | 859 | rm ${TMP}/$HOST.tmp.$$ 2>/dev/null |
| michael@0 | 860 | ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ |
| michael@0 | 861 | -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \ |
| michael@0 | 862 | >${TMP}/$HOST.tmp.$$ 2>&1 |
| michael@0 | 863 | ret=$? |
| michael@0 | 864 | cat ${TMP}/$HOST.tmp.$$ |
| michael@0 | 865 | rm ${TMP}/$HOST.tmp.$$ 2>/dev/null |
| michael@0 | 866 | is_revoked ${CURR_SER_NUM} ${LOADED_GRP} |
| michael@0 | 867 | isRevoked=$? |
| michael@0 | 868 | if [ $isRevoked -eq 0 ]; then |
| michael@0 | 869 | modvalue=$rev_modvalue |
| michael@0 | 870 | testAddMsg="revoked" |
| michael@0 | 871 | else |
| michael@0 | 872 | modvalue=$value |
| michael@0 | 873 | testAddMsg="not revoked" |
| michael@0 | 874 | fi |
| michael@0 | 875 | |
| michael@0 | 876 | is_selfserv_alive |
| michael@0 | 877 | ss_status=$? |
| michael@0 | 878 | if [ "$ss_status" -ne 0 ]; then |
| michael@0 | 879 | html_msg $ret $modvalue \ |
| michael@0 | 880 | "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ |
| michael@0 | 881 | "produced a returncode of $ret, expected is $modvalue. " \ |
| michael@0 | 882 | "selfserv is not alive!" |
| michael@0 | 883 | else |
| michael@0 | 884 | html_msg $ret $modvalue \ |
| michael@0 | 885 | "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ |
| michael@0 | 886 | "produced a returncode of $ret, expected is $modvalue" |
| michael@0 | 887 | fi |
| michael@0 | 888 | done |
| michael@0 | 889 | LOADED_GRP=`expr $LOADED_GRP + 1` |
| michael@0 | 890 | TEMP_NUM=0 |
| michael@0 | 891 | if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then |
| michael@0 | 892 | load_group_crl $LOADED_GRP $ectype |
| michael@0 | 893 | html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \ |
| michael@0 | 894 | "produced a returncode of $ret, expected is 0" |
| michael@0 | 895 | fi |
| michael@0 | 896 | done |
| michael@0 | 897 | # Restart selfserv to roll back to two initial group 1 crls |
| michael@0 | 898 | # TestCA CRL and TestCA-ec CRL |
| michael@0 | 899 | kill_selfserv |
| michael@0 | 900 | start_selfserv |
| michael@0 | 901 | fi |
| michael@0 | 902 | done |
| michael@0 | 903 | kill_selfserv |
| michael@0 | 904 | SERV_ARG="${SERV_ARG}_-r" |
| michael@0 | 905 | rm -f ${SSLAUTH_TMP} |
| michael@0 | 906 | grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP} |
| michael@0 | 907 | done |
| michael@0 | 908 | TEMPFILES=${SSLAUTH_TMP} |
| michael@0 | 909 | html "</TABLE><BR>" |
| michael@0 | 910 | } |
| michael@0 | 911 | |
| michael@0 | 912 | |
| michael@0 | 913 | ############################## ssl_cleanup ############################# |
| michael@0 | 914 | # local shell function to finish this script (no exit since it might be |
| michael@0 | 915 | # sourced) |
| michael@0 | 916 | ######################################################################## |
| michael@0 | 917 | ssl_cleanup() |
| michael@0 | 918 | { |
| michael@0 | 919 | rm $SERVERPID 2>/dev/null |
| michael@0 | 920 | cd ${QADIR} |
| michael@0 | 921 | . common/cleanup.sh |
| michael@0 | 922 | } |
| michael@0 | 923 | |
| michael@0 | 924 | ############################## ssl_run ################################# |
| michael@0 | 925 | # local shell function to run coverage, authentication and stress tests |
| michael@0 | 926 | ######################################################################## |
| michael@0 | 927 | ssl_run() |
| michael@0 | 928 | { |
| michael@0 | 929 | for SSL_RUN in ${NSS_SSL_RUN} |
| michael@0 | 930 | do |
| michael@0 | 931 | case "${SSL_RUN}" in |
| michael@0 | 932 | "stapling") |
| michael@0 | 933 | ssl_stapling |
| michael@0 | 934 | ;; |
| michael@0 | 935 | "cov") |
| michael@0 | 936 | ssl_cov |
| michael@0 | 937 | ;; |
| michael@0 | 938 | "auth") |
| michael@0 | 939 | ssl_auth |
| michael@0 | 940 | ;; |
| michael@0 | 941 | "stress") |
| michael@0 | 942 | ssl_stress |
| michael@0 | 943 | ;; |
| michael@0 | 944 | esac |
| michael@0 | 945 | done |
| michael@0 | 946 | } |
| michael@0 | 947 | |
| michael@0 | 948 | ############################ ssl_run_all ############################### |
| michael@0 | 949 | # local shell function to run both standard and extended ssl tests |
| michael@0 | 950 | ######################################################################## |
| michael@0 | 951 | ssl_run_all() |
| michael@0 | 952 | { |
| michael@0 | 953 | ORIG_SERVERDIR=$SERVERDIR |
| michael@0 | 954 | ORIG_CLIENTDIR=$CLIENTDIR |
| michael@0 | 955 | ORIG_R_SERVERDIR=$R_SERVERDIR |
| michael@0 | 956 | ORIG_R_CLIENTDIR=$R_CLIENTDIR |
| michael@0 | 957 | ORIG_P_R_SERVERDIR=$P_R_SERVERDIR |
| michael@0 | 958 | ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR |
| michael@0 | 959 | |
| michael@0 | 960 | USER_NICKNAME=TestUser |
| michael@0 | 961 | NORM_EXT="" |
| michael@0 | 962 | cd ${CLIENTDIR} |
| michael@0 | 963 | |
| michael@0 | 964 | ssl_run |
| michael@0 | 965 | |
| michael@0 | 966 | SERVERDIR=$EXT_SERVERDIR |
| michael@0 | 967 | CLIENTDIR=$EXT_CLIENTDIR |
| michael@0 | 968 | R_SERVERDIR=$R_EXT_SERVERDIR |
| michael@0 | 969 | R_CLIENTDIR=$R_EXT_CLIENTDIR |
| michael@0 | 970 | P_R_SERVERDIR=$P_R_EXT_SERVERDIR |
| michael@0 | 971 | P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR |
| michael@0 | 972 | |
| michael@0 | 973 | USER_NICKNAME=ExtendedSSLUser |
| michael@0 | 974 | NORM_EXT="Extended Test" |
| michael@0 | 975 | cd ${CLIENTDIR} |
| michael@0 | 976 | |
| michael@0 | 977 | ssl_run |
| michael@0 | 978 | |
| michael@0 | 979 | # the next round of ssl tests will only run if these vars are reset |
| michael@0 | 980 | SERVERDIR=$ORIG_SERVERDIR |
| michael@0 | 981 | CLIENTDIR=$ORIG_CLIENTDIR |
| michael@0 | 982 | R_SERVERDIR=$ORIG_R_SERVERDIR |
| michael@0 | 983 | R_CLIENTDIR=$ORIG_R_CLIENTDIR |
| michael@0 | 984 | P_R_SERVERDIR=$ORIG_P_R_SERVERDIR |
| michael@0 | 985 | P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR |
| michael@0 | 986 | |
| michael@0 | 987 | USER_NICKNAME=TestUser |
| michael@0 | 988 | NORM_EXT= |
| michael@0 | 989 | cd ${QADIR}/ssl |
| michael@0 | 990 | } |
| michael@0 | 991 | |
| michael@0 | 992 | ############################ ssl_set_fips ############################## |
| michael@0 | 993 | # local shell function to set FIPS mode on/off |
| michael@0 | 994 | ######################################################################## |
| michael@0 | 995 | ssl_set_fips() |
| michael@0 | 996 | { |
| michael@0 | 997 | CLTSRV=$1 |
| michael@0 | 998 | ONOFF=$2 |
| michael@0 | 999 | |
| michael@0 | 1000 | if [ ${CLTSRV} = "server" ]; then |
| michael@0 | 1001 | DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}" |
| michael@0 | 1002 | else |
| michael@0 | 1003 | DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}" |
| michael@0 | 1004 | fi |
| michael@0 | 1005 | |
| michael@0 | 1006 | if [ "${ONOFF}" = "on" ]; then |
| michael@0 | 1007 | FIPSMODE=true |
| michael@0 | 1008 | RET_EXP=0 |
| michael@0 | 1009 | else |
| michael@0 | 1010 | FIPSMODE=false |
| michael@0 | 1011 | RET_EXP=1 |
| michael@0 | 1012 | fi |
| michael@0 | 1013 | |
| michael@0 | 1014 | html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}" |
| michael@0 | 1015 | |
| michael@0 | 1016 | for DBDIR in ${DBDIRS} |
| michael@0 | 1017 | do |
| michael@0 | 1018 | EXT_OPT= |
| michael@0 | 1019 | echo ${DBDIR} | grep ext > /dev/null |
| michael@0 | 1020 | if [ $? -eq 0 ]; then |
| michael@0 | 1021 | EXT_OPT="extended " |
| michael@0 | 1022 | fi |
| michael@0 | 1023 | |
| michael@0 | 1024 | echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}" |
| michael@0 | 1025 | |
| michael@0 | 1026 | echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force" |
| michael@0 | 1027 | ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1 |
| michael@0 | 1028 | RET=$? |
| michael@0 | 1029 | html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \ |
| michael@0 | 1030 | "produced a returncode of ${RET}, expected is 0" |
| michael@0 | 1031 | |
| michael@0 | 1032 | echo "modutil -dbdir ${DBDIR} -list" |
| michael@0 | 1033 | DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1` |
| michael@0 | 1034 | RET=$? |
| michael@0 | 1035 | html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \ |
| michael@0 | 1036 | "produced a returncode of ${RET}, expected is 0" |
| michael@0 | 1037 | |
| michael@0 | 1038 | echo "${DBLIST}" | grep "FIPS PKCS #11" |
| michael@0 | 1039 | RET=$? |
| michael@0 | 1040 | html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \ |
| michael@0 | 1041 | "produced a returncode of ${RET}, expected is ${RET_EXP}" |
| michael@0 | 1042 | done |
| michael@0 | 1043 | |
| michael@0 | 1044 | html "</TABLE><BR>" |
| michael@0 | 1045 | } |
| michael@0 | 1046 | |
| michael@0 | 1047 | ############################ ssl_set_fips ############################## |
| michael@0 | 1048 | # local shell function to run all tests set in NSS_SSL_TESTS variable |
| michael@0 | 1049 | ######################################################################## |
| michael@0 | 1050 | ssl_run_tests() |
| michael@0 | 1051 | { |
| michael@0 | 1052 | for SSL_TEST in ${NSS_SSL_TESTS} |
| michael@0 | 1053 | do |
| michael@0 | 1054 | case "${SSL_TEST}" in |
| michael@0 | 1055 | "crl") |
| michael@0 | 1056 | ssl_crl_ssl |
| michael@0 | 1057 | ssl_crl_cache |
| michael@0 | 1058 | ;; |
| michael@0 | 1059 | "iopr") |
| michael@0 | 1060 | ssl_iopr_run |
| michael@0 | 1061 | ;; |
| michael@0 | 1062 | *) |
| michael@0 | 1063 | SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1` |
| michael@0 | 1064 | CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2` |
| michael@0 | 1065 | |
| michael@0 | 1066 | case "${SERVER_MODE}" in |
| michael@0 | 1067 | "normal") |
| michael@0 | 1068 | SERVER_OPTIONS= |
| michael@0 | 1069 | ;; |
| michael@0 | 1070 | "bypass") |
| michael@0 | 1071 | SERVER_OPTIONS="-B -s" |
| michael@0 | 1072 | ;; |
| michael@0 | 1073 | "fips") |
| michael@0 | 1074 | SERVER_OPTIONS= |
| michael@0 | 1075 | ssl_set_fips server on |
| michael@0 | 1076 | ;; |
| michael@0 | 1077 | *) |
| michael@0 | 1078 | echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}" |
| michael@0 | 1079 | continue |
| michael@0 | 1080 | ;; |
| michael@0 | 1081 | esac |
| michael@0 | 1082 | |
| michael@0 | 1083 | case "${CLIENT_MODE}" in |
| michael@0 | 1084 | "normal") |
| michael@0 | 1085 | CLIENT_OPTIONS= |
| michael@0 | 1086 | ;; |
| michael@0 | 1087 | "bypass") |
| michael@0 | 1088 | CLIENT_OPTIONS="-B -s" |
| michael@0 | 1089 | ;; |
| michael@0 | 1090 | "fips") |
| michael@0 | 1091 | SERVER_OPTIONS= |
| michael@0 | 1092 | ssl_set_fips client on |
| michael@0 | 1093 | ;; |
| michael@0 | 1094 | *) |
| michael@0 | 1095 | echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}" |
| michael@0 | 1096 | continue |
| michael@0 | 1097 | ;; |
| michael@0 | 1098 | esac |
| michael@0 | 1099 | |
| michael@0 | 1100 | ssl_run_all |
| michael@0 | 1101 | |
| michael@0 | 1102 | if [ "${SERVER_MODE}" = "fips" ]; then |
| michael@0 | 1103 | ssl_set_fips server off |
| michael@0 | 1104 | fi |
| michael@0 | 1105 | |
| michael@0 | 1106 | if [ "${CLIENT_MODE}" = "fips" ]; then |
| michael@0 | 1107 | ssl_set_fips client off |
| michael@0 | 1108 | fi |
| michael@0 | 1109 | ;; |
| michael@0 | 1110 | esac |
| michael@0 | 1111 | done |
| michael@0 | 1112 | } |
| michael@0 | 1113 | |
| michael@0 | 1114 | ################################# main ################################# |
| michael@0 | 1115 | |
| michael@0 | 1116 | ssl_init |
| michael@0 | 1117 | ssl_run_tests |
| michael@0 | 1118 | ssl_cleanup |
| michael@0 | 1119 |
