The Tor Browser / annotate

security/nss/tests/ssl/ssl.sh@b8a032363ba2 (annotated)

security/nss/tests/ssl/ssl.sh

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 #! /bin/bash
michael@0 2 #
michael@0 3 # This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 # License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0 6
michael@0 7 ########################################################################
michael@0 8 #
michael@0 9 # mozilla/security/nss/tests/ssl/ssl.sh
michael@0 10 #
michael@0 11 # Script to test NSS SSL
michael@0 12 #
michael@0 13 # needs to work on all Unix and Windows platforms
michael@0 14 #
michael@0 15 # special strings
michael@0 16 # ---------------
michael@0 17 # FIXME ... known problems, search for this string
michael@0 18 # NOTE .... unexpected behavior
michael@0 19 #
michael@0 20 ########################################################################
michael@0 21
michael@0 22 ############################## ssl_init ################################
michael@0 23 # local shell function to initialize this script
michael@0 24 ########################################################################
michael@0 25 ssl_init()
michael@0 26 {
michael@0 27 SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh
michael@0 28
michael@0 29 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
michael@0 30 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
michael@0 31 fi
michael@0 32
michael@0 33 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
michael@0 34 cd ../common
michael@0 35 . ./init.sh
michael@0 36 fi
michael@0 37 if [ -z "${IOPR_SSL_SOURCED}" ]; then
michael@0 38 . ../iopr/ssl_iopr.sh
michael@0 39 fi
michael@0 40 if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
michael@0 41 cd ../cert
michael@0 42 . ./cert.sh
michael@0 43 fi
michael@0 44 SCRIPTNAME=ssl.sh
michael@0 45 echo "$SCRIPTNAME: SSL tests ==============================="
michael@0 46
michael@0 47 grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
michael@0 48 html_head "SSL Test failure"
michael@0 49 Exit 8 "Fatal - cert.sh needs to pass first"
michael@0 50 }
michael@0 51
michael@0 52 if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
michael@0 53 grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
michael@0 54 html_head "SSL Test failure"
michael@0 55 Exit 8 "Fatal - SSL of cert.sh needs to pass first"
michael@0 56 }
michael@0 57 fi
michael@0 58
michael@0 59 PORT=${PORT-8443}
michael@0 60 NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
michael@0 61 nss_ssl_run="stapling cov auth stress"
michael@0 62 NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
michael@0 63
michael@0 64 # Test case files
michael@0 65 SSLCOV=${QADIR}/ssl/sslcov.txt
michael@0 66 SSLAUTH=${QADIR}/ssl/sslauth.txt
michael@0 67 SSLSTRESS=${QADIR}/ssl/sslstress.txt
michael@0 68 REQUEST_FILE=${QADIR}/ssl/sslreq.dat
michael@0 69
michael@0 70 #temparary files
michael@0 71 SERVEROUTFILE=${TMP}/tests_server.$$
michael@0 72 SERVERPID=${TMP}/tests_pid.$$
michael@0 73
michael@0 74 R_SERVERPID=../tests_pid.$$
michael@0 75
michael@0 76 TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"
michael@0 77
michael@0 78 fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
michael@0 79 #fileout=1
michael@0 80 #verbose="-v" #FIXME - see where this is usefull
michael@0 81
michael@0 82 USER_NICKNAME=TestUser
michael@0 83 NORM_EXT=""
michael@0 84
michael@0 85 if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0 86 ECC_STRING=" - with ECC"
michael@0 87 else
michael@0 88 ECC_STRING=""
michael@0 89 fi
michael@0 90
michael@0 91 CSHORT="-c ABCDEF:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
michael@0 92 CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
michael@0 93
michael@0 94 if [ "${OS_ARCH}" != "WINNT" ]; then
michael@0 95 ulimit -n 1000 # make sure we have enough file descriptors
michael@0 96 fi
michael@0 97
michael@0 98 cd ${CLIENTDIR}
michael@0 99 }
michael@0 100
michael@0 101 ########################### is_selfserv_alive ##########################
michael@0 102 # local shell function to exit with a fatal error if selfserver is not
michael@0 103 # running
michael@0 104 ########################################################################
michael@0 105 is_selfserv_alive()
michael@0 106 {
michael@0 107 if [ ! -f "${SERVERPID}" ]; then
michael@0 108 echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
michael@0 109 sleep 5
michael@0 110 if [ ! -f "${SERVERPID}" ]; then
michael@0 111 Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
michael@0 112 fi
michael@0 113 fi
michael@0 114
michael@0 115 if [ "${OS_ARCH}" = "WINNT" ] && \
michael@0 116 [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
michael@0 117 PID=${SHELL_SERVERPID}
michael@0 118 else
michael@0 119 PID=`cat ${SERVERPID}`
michael@0 120 fi
michael@0 121
michael@0 122 echo "kill -0 ${PID} >/dev/null 2>/dev/null"
michael@0 123 kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
michael@0 124
michael@0 125 echo "selfserv with PID ${PID} found at `date`"
michael@0 126 }
michael@0 127
michael@0 128 ########################### wait_for_selfserv ##########################
michael@0 129 # local shell function to wait until selfserver is running and initialized
michael@0 130 ########################################################################
michael@0 131 wait_for_selfserv()
michael@0 132 {
michael@0 133 echo "trying to connect to selfserv at `date`"
michael@0 134 echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
michael@0 135 echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
michael@0 136 ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
michael@0 137 -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
michael@0 138 if [ $? -ne 0 ]; then
michael@0 139 sleep 5
michael@0 140 echo "retrying to connect to selfserv at `date`"
michael@0 141 echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
michael@0 142 echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
michael@0 143 ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
michael@0 144 -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
michael@0 145 if [ $? -ne 0 ]; then
michael@0 146 html_failed "Waiting for Server"
michael@0 147 fi
michael@0 148 fi
michael@0 149 is_selfserv_alive
michael@0 150 }
michael@0 151
michael@0 152 ########################### kill_selfserv ##############################
michael@0 153 # local shell function to kill the selfserver after the tests are done
michael@0 154 ########################################################################
michael@0 155 kill_selfserv()
michael@0 156 {
michael@0 157 if [ "${OS_ARCH}" = "WINNT" ] && \
michael@0 158 [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
michael@0 159 PID=${SHELL_SERVERPID}
michael@0 160 else
michael@0 161 PID=`cat ${SERVERPID}`
michael@0 162 fi
michael@0 163
michael@0 164 echo "trying to kill selfserv with PID ${PID} at `date`"
michael@0 165
michael@0 166 if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
michael@0 167 echo "${KILL} ${PID}"
michael@0 168 ${KILL} ${PID}
michael@0 169 else
michael@0 170 echo "${KILL} -USR1 ${PID}"
michael@0 171 ${KILL} -USR1 ${PID}
michael@0 172 fi
michael@0 173 wait ${PID}
michael@0 174 if [ ${fileout} -eq 1 ]; then
michael@0 175 cat ${SERVEROUTFILE}
michael@0 176 fi
michael@0 177
michael@0 178 # On Linux selfserv needs up to 30 seconds to fully die and free
michael@0 179 # the port. Wait until the port is free. (Bug 129701)
michael@0 180 if [ "${OS_ARCH}" = "Linux" ]; then
michael@0 181 echo "selfserv -b -p ${PORT} 2>/dev/null;"
michael@0 182 until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
michael@0 183 echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
michael@0 184 sleep 1
michael@0 185 done
michael@0 186 fi
michael@0 187
michael@0 188 echo "selfserv with PID ${PID} killed at `date`"
michael@0 189
michael@0 190 rm ${SERVERPID}
michael@0 191 html_detect_core "kill_selfserv core detection step"
michael@0 192 }
michael@0 193
michael@0 194 ########################### start_selfserv #############################
michael@0 195 # local shell function to start the selfserver with the parameters required
michael@0 196 # for this test and log information (parameters, start time)
michael@0 197 # also: wait until the server is up and running
michael@0 198 ########################################################################
michael@0 199 start_selfserv()
michael@0 200 {
michael@0 201 if [ -n "$testname" ] ; then
michael@0 202 echo "$SCRIPTNAME: $testname ----"
michael@0 203 fi
michael@0 204 sparam=`echo $sparam | sed -e 's;_; ;g'`
michael@0 205 if [ -z "$NSS_DISABLE_ECC" ] && \
michael@0 206 [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
michael@0 207 ECC_OPTIONS="-e ${HOSTADDR}-ec"
michael@0 208 else
michael@0 209 ECC_OPTIONS=""
michael@0 210 fi
michael@0 211 if [ "$1" = "mixed" ]; then
michael@0 212 ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
michael@0 213 fi
michael@0 214 echo "selfserv starting at `date`"
michael@0 215 echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
michael@0 216 echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
michael@0 217 if [ ${fileout} -eq 1 ]; then
michael@0 218 ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
michael@0 219 ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
michael@0 220 > ${SERVEROUTFILE} 2>&1 &
michael@0 221 RET=$?
michael@0 222 else
michael@0 223 ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
michael@0 224 ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
michael@0 225 RET=$?
michael@0 226 fi
michael@0 227
michael@0 228 # The PID $! returned by the MKS or Cygwin shell is not the PID of
michael@0 229 # the real background process, but rather the PID of a helper
michael@0 230 # process (sh.exe). MKS's kill command has a bug: invoking kill
michael@0 231 # on the helper process does not terminate the real background
michael@0 232 # process. Our workaround has been to have selfserv save its PID
michael@0 233 # in the ${SERVERPID} file and "kill" that PID instead. But this
michael@0 234 # doesn't work under Cygwin; its kill command doesn't recognize
michael@0 235 # the PID of the real background process, but it does work on the
michael@0 236 # PID of the helper process. So we save the value of $! in the
michael@0 237 # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
michael@0 238 # file under Cygwin. (In fact, this should work in any shell
michael@0 239 # other than the MKS shell.)
michael@0 240 SHELL_SERVERPID=$!
michael@0 241 wait_for_selfserv
michael@0 242
michael@0 243 if [ "${OS_ARCH}" = "WINNT" ] && \
michael@0 244 [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
michael@0 245 PID=${SHELL_SERVERPID}
michael@0 246 else
michael@0 247 PID=`cat ${SERVERPID}`
michael@0 248 fi
michael@0 249
michael@0 250 echo "selfserv with PID ${PID} started at `date`"
michael@0 251 }
michael@0 252
michael@0 253 ############################## ssl_cov #################################
michael@0 254 # local shell function to perform SSL Cipher Coverage tests
michael@0 255 ########################################################################
michael@0 256 ssl_cov()
michael@0 257 {
michael@0 258 html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
michael@0 259
michael@0 260 testname=""
michael@0 261 if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0 262 sparam="$CLONG"
michael@0 263 else
michael@0 264 sparam="$CSHORT"
michael@0 265 fi
michael@0 266
michael@0 267 mixed=0
michael@0 268 start_selfserv # Launch the server
michael@0 269
michael@0 270 VMIN="ssl2"
michael@0 271 VMAX="tls1.1"
michael@0 272
michael@0 273 exec < ${SSLCOV}
michael@0 274 while read ectype testmax param testname
michael@0 275 do
michael@0 276 echo "${testname}" | grep "EXPORT" > /dev/null
michael@0 277 EXP=$?
michael@0 278 echo "${testname}" | grep "SSL2" > /dev/null
michael@0 279 SSL2=$?
michael@0 280
michael@0 281 if [ "${SSL2}" -eq 0 ] ; then
michael@0 282 # We cannot use asynchronous cert verification with SSL2
michael@0 283 SSL2_FLAGS=-O
michael@0 284 VMIN="ssl2"
michael@0 285 else
michael@0 286 # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
michael@0 287 # default in libssl but it is enabled by default in tstclnt; we want
michael@0 288 # to test the libssl default whenever possible.
michael@0 289 SSL2_FLAGS=
michael@0 290 VMIN="ssl3"
michael@0 291 fi
michael@0 292
michael@0 293 if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
michael@0 294 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
michael@0 295 elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
michael@0 296 echo "$SCRIPTNAME: skipping $testname (ECC only)"
michael@0 297 elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
michael@0 298 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
michael@0 299 elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
michael@0 300 echo "$SCRIPTNAME: running $testname ----------------------------"
michael@0 301 VMAX="ssl3"
michael@0 302 if [ "$testmax" = "TLS10" ]; then
michael@0 303 VMAX="tls1.0"
michael@0 304 fi
michael@0 305 if [ "$testmax" = "TLS11" ]; then
michael@0 306 VMAX="tls1.1"
michael@0 307 fi
michael@0 308 if [ "$testmax" = "TLS12" ]; then
michael@0 309 VMAX="tls1.2"
michael@0 310 fi
michael@0 311
michael@0 312 # These five tests need an EC cert signed with RSA
michael@0 313 # This requires a different certificate loaded in selfserv
michael@0 314 # due to a (current) NSS limitation of only loaded one cert
michael@0 315 # per type so the default selfserv setup will not work.
michael@0 316 #:C00B TLS ECDH RSA WITH NULL SHA
michael@0 317 #:C00C TLS ECDH RSA WITH RC4 128 SHA
michael@0 318 #:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
michael@0 319 #:C00E TLS ECDH RSA WITH AES 128 CBC SHA
michael@0 320 #:C00F TLS ECDH RSA WITH AES 256 CBC SHA
michael@0 321
michael@0 322 if [ $mixed -eq 0 ]; then
michael@0 323 if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
michael@0 324 kill_selfserv
michael@0 325 start_selfserv mixed
michael@0 326 mixed=1
michael@0 327 else
michael@0 328 is_selfserv_alive
michael@0 329 fi
michael@0 330 else
michael@0 331 if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
michael@0 332 is_selfserv_alive
michael@0 333 else
michael@0 334 kill_selfserv
michael@0 335 start_selfserv
michael@0 336 mixed=0
michael@0 337 fi
michael@0 338 fi
michael@0 339
michael@0 340 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\"
michael@0 341 echo " -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}"
michael@0 342
michael@0 343 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
michael@0 344 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \
michael@0 345 -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \
michael@0 346 >${TMP}/$HOST.tmp.$$ 2>&1
michael@0 347 ret=$?
michael@0 348 cat ${TMP}/$HOST.tmp.$$
michael@0 349 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
michael@0 350 html_msg $ret 0 "${testname}" \
michael@0 351 "produced a returncode of $ret, expected is 0"
michael@0 352 fi
michael@0 353 done
michael@0 354
michael@0 355 kill_selfserv
michael@0 356 html "</TABLE><BR>"
michael@0 357 }
michael@0 358
michael@0 359 ############################## ssl_auth ################################
michael@0 360 # local shell function to perform SSL Client Authentication tests
michael@0 361 ########################################################################
michael@0 362 ssl_auth()
michael@0 363 {
michael@0 364 html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
michael@0 365
michael@0 366 exec < ${SSLAUTH}
michael@0 367 while read ectype value sparam cparam testname
michael@0 368 do
michael@0 369 [ -z "$ectype" ] && continue
michael@0 370 echo "${testname}" | grep "don't require client auth" > /dev/null
michael@0 371 CAUTH=$?
michael@0 372
michael@0 373 if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
michael@0 374 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
michael@0 375 elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
michael@0 376 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
michael@0 377 elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
michael@0 378 echo "$SCRIPTNAME: skipping $testname (ECC only)"
michael@0 379 elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
michael@0 380 cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
michael@0 381 if [ "$ectype" = "SNI" ]; then
michael@0 382 cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
michael@0 383 sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
michael@0 384 fi
michael@0 385 start_selfserv
michael@0 386
michael@0 387 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
michael@0 388 echo " ${cparam} < ${REQUEST_FILE}"
michael@0 389 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
michael@0 390 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
michael@0 391 -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \
michael@0 392 >${TMP}/$HOST.tmp.$$ 2>&1
michael@0 393 ret=$?
michael@0 394 cat ${TMP}/$HOST.tmp.$$
michael@0 395 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
michael@0 396
michael@0 397 #workaround for bug #402058
michael@0 398 [ $ret -ne 0 ] && ret=1
michael@0 399 [ $value -ne 0 ] && value=1
michael@0 400
michael@0 401 html_msg $ret $value "${testname}" \
michael@0 402 "produced a returncode of $ret, expected is $value"
michael@0 403 kill_selfserv
michael@0 404 fi
michael@0 405 done
michael@0 406
michael@0 407 html "</TABLE><BR>"
michael@0 408 }
michael@0 409
michael@0 410 ssl_stapling_sub()
michael@0 411 {
michael@0 412 testname=$1
michael@0 413 SO=$2
michael@0 414 value=$3
michael@0 415
michael@0 416 if [ "$NORM_EXT" = "Extended Test" ] ; then
michael@0 417 # these tests use the ext_client directory for tstclnt,
michael@0 418 # which doesn't contain the required "TestCA" for server cert
michael@0 419 # verification, I don't know if it would be OK to add it...
michael@0 420 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
michael@0 421 return 0
michael@0 422 fi
michael@0 423 if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
michael@0 424 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
michael@0 425 return 0
michael@0 426 fi
michael@0 427
michael@0 428 SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
michael@0 429 SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
michael@0 430
michael@0 431 SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
michael@0 432 P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
michael@0 433
michael@0 434 echo "${testname}"
michael@0 435
michael@0 436 start_selfserv
michael@0 437
michael@0 438 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
michael@0 439 echo " -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
michael@0 440 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
michael@0 441 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
michael@0 442 -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
michael@0 443 >${TMP}/$HOST.tmp.$$ 2>&1
michael@0 444 ret=$?
michael@0 445 cat ${TMP}/$HOST.tmp.$$
michael@0 446 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
michael@0 447
michael@0 448 # hopefully no workaround for bug #402058 needed here?
michael@0 449 # (see commands in ssl_auth
michael@0 450
michael@0 451 html_msg $ret $value "${testname}" \
michael@0 452 "produced a returncode of $ret, expected is $value"
michael@0 453 kill_selfserv
michael@0 454
michael@0 455 SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
michael@0 456 P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
michael@0 457 }
michael@0 458
michael@0 459 ssl_stapling_stress()
michael@0 460 {
michael@0 461 testname="Stress OCSP stapling, server uses random status"
michael@0 462 SO="-A TestCA -T random"
michael@0 463 value=0
michael@0 464
michael@0 465 if [ "$NORM_EXT" = "Extended Test" ] ; then
michael@0 466 # these tests use the ext_client directory for tstclnt,
michael@0 467 # which doesn't contain the required "TestCA" for server cert
michael@0 468 # verification, I don't know if it would be OK to add it...
michael@0 469 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
michael@0 470 return 0
michael@0 471 fi
michael@0 472 if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
michael@0 473 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
michael@0 474 return 0
michael@0 475 fi
michael@0 476
michael@0 477 SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
michael@0 478 SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
michael@0 479
michael@0 480 SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
michael@0 481 P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
michael@0 482
michael@0 483 echo "${testname}"
michael@0 484 start_selfserv
michael@0 485
michael@0 486 echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
michael@0 487 echo " -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}"
michael@0 488 echo "strsclnt started at `date`"
michael@0 489 ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
michael@0 490 -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}
michael@0 491 ret=$?
michael@0 492
michael@0 493 echo "strsclnt completed at `date`"
michael@0 494 html_msg $ret $value \
michael@0 495 "${testname}" \
michael@0 496 "produced a returncode of $ret, expected is $value."
michael@0 497 kill_selfserv
michael@0 498
michael@0 499 SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
michael@0 500 P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
michael@0 501 }
michael@0 502
michael@0 503 ############################ ssl_stapling ##############################
michael@0 504 # local shell function to perform SSL Cert Status (OCSP Stapling) tests
michael@0 505 ########################################################################
michael@0 506 ssl_stapling()
michael@0 507 {
michael@0 508 html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
michael@0 509
michael@0 510 # tstclnt Exit code:
michael@0 511 # 0: have fresh and valid revocation data, status good
michael@0 512 # 1: cert failed to verify, prior to revocation checking
michael@0 513 # 2: missing, old or invalid revocation data
michael@0 514 # 3: have fresh and valid revocation data, status revoked
michael@0 515
michael@0 516 # selfserv modes
michael@0 517 # good, revoked, unkown: Include locally signed response. Requires: -A
michael@0 518 # failure: Include OCSP failure status, such as "try later" (unsigned)
michael@0 519 # badsig: use a good status but with an invalid signature
michael@0 520 # corrupted: stapled cert status is an invalid block of data
michael@0 521
michael@0 522 ssl_stapling_sub "OCSP stapling, signed response, good status" "-A TestCA -T good" 0
michael@0 523 ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked" 3
michael@0 524 ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown" 2
michael@0 525 ssl_stapling_sub "OCSP stapling, unsigned failure response" "-A TestCA -T failure" 2
michael@0 526 ssl_stapling_sub "OCSP stapling, good status, bad signature" "-A TestCA -T badsig" 2
michael@0 527 ssl_stapling_sub "OCSP stapling, invalid cert status data" "-A TestCA -T corrupted" 2
michael@0 528 ssl_stapling_sub "Valid cert, Server doesn't staple" "" 2
michael@0 529
michael@0 530 ssl_stapling_stress
michael@0 531
michael@0 532 html "</TABLE><BR>"
michael@0 533 }
michael@0 534
michael@0 535
michael@0 536 ############################## ssl_stress ##############################
michael@0 537 # local shell function to perform SSL stress test
michael@0 538 ########################################################################
michael@0 539 ssl_stress()
michael@0 540 {
michael@0 541 html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
michael@0 542
michael@0 543 exec < ${SSLSTRESS}
michael@0 544 while read ectype value sparam cparam testname
michael@0 545 do
michael@0 546 if [ -z "$ectype" ]; then
michael@0 547 # silently ignore blank lines
michael@0 548 continue
michael@0 549 fi
michael@0 550
michael@0 551 echo "${testname}" | grep "SSL2" > /dev/null
michael@0 552 SSL2=$?
michael@0 553 echo "${testname}" | grep "client auth" > /dev/null
michael@0 554 CAUTH=$?
michael@0 555
michael@0 556 if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
michael@0 557 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
michael@0 558 elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
michael@0 559 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
michael@0 560 elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
michael@0 561 echo "$SCRIPTNAME: skipping $testname (ECC only)"
michael@0 562 elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
michael@0 563 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
michael@0 564 elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
michael@0 565 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
michael@0 566 elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
michael@0 567 cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
michael@0 568 if [ "$ectype" = "SNI" ]; then
michael@0 569 cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
michael@0 570 sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
michael@0 571 fi
michael@0 572
michael@0 573 # These tests need the mixed cert
michael@0 574 # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
michael@0 575 # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
michael@0 576 p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;
michael@0 577 if [ "$p" = "-c_:C00E" ]; then
michael@0 578 start_selfserv mixed
michael@0 579 else
michael@0 580 start_selfserv
michael@0 581 fi
michael@0 582
michael@0 583 if [ "`uname -n`" = "sjsu" ] ; then
michael@0 584 echo "debugging disapering selfserv... ps -ef | grep selfserv"
michael@0 585 ps -ef | grep selfserv
michael@0 586 fi
michael@0 587
michael@0 588 echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
michael@0 589 echo " $verbose ${HOSTADDR}"
michael@0 590 echo "strsclnt started at `date`"
michael@0 591 ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
michael@0 592 $verbose ${HOSTADDR}
michael@0 593 ret=$?
michael@0 594 echo "strsclnt completed at `date`"
michael@0 595 html_msg $ret $value \
michael@0 596 "${testname}" \
michael@0 597 "produced a returncode of $ret, expected is $value. "
michael@0 598 if [ "`uname -n`" = "sjsu" ] ; then
michael@0 599 echo "debugging disapering selfserv... ps -ef | grep selfserv"
michael@0 600 ps -ef | grep selfserv
michael@0 601 fi
michael@0 602 kill_selfserv
michael@0 603 fi
michael@0 604 done
michael@0 605
michael@0 606 html "</TABLE><BR>"
michael@0 607 }
michael@0 608
michael@0 609 ############################ ssl_crl_ssl ###############################
michael@0 610 # local shell function to perform SSL test with/out revoked certs tests
michael@0 611 ########################################################################
michael@0 612 ssl_crl_ssl()
michael@0 613 {
michael@0 614 html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
michael@0 615
michael@0 616 # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
michael@0 617 # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
michael@0 618 CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
michael@0 619 CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
michael@0 620 UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
michael@0 621
michael@0 622 exec < ${SSLAUTH}
michael@0 623 while read ectype value sparam cparam testname
michael@0 624 do
michael@0 625 [ "$ectype" = "" ] && continue
michael@0 626 if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
michael@0 627 echo "$SCRIPTNAME: skipping $testname (ECC only)"
michael@0 628 elif [ "$ectype" = "SNI" ]; then
michael@0 629 continue
michael@0 630 elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
michael@0 631 servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
michael@0 632 pwd=`echo $cparam | grep nss`
michael@0 633 user=`echo $cparam | grep TestUser`
michael@0 634 _cparam=$cparam
michael@0 635 case $servarg in
michael@0 636 1) if [ -z "$pwd" -o -z "$user" ]; then
michael@0 637 rev_modvalue=0
michael@0 638 else
michael@0 639 rev_modvalue=254
michael@0 640 fi
michael@0 641 ;;
michael@0 642 2) rev_modvalue=254 ;;
michael@0 643 3) if [ -z "$pwd" -o -z "$user" ]; then
michael@0 644 rev_modvalue=0
michael@0 645 else
michael@0 646 rev_modvalue=1
michael@0 647 fi
michael@0 648 ;;
michael@0 649 4) rev_modvalue=1 ;;
michael@0 650 esac
michael@0 651 TEMP_NUM=0
michael@0 652 while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
michael@0 653 do
michael@0 654 CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
michael@0 655 TEMP_NUM=`expr $TEMP_NUM + 1`
michael@0 656 USER_NICKNAME="TestUser${CURR_SER_NUM}"
michael@0 657 cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
michael@0 658 start_selfserv
michael@0 659
michael@0 660 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
michael@0 661 echo " ${cparam} < ${REQUEST_FILE}"
michael@0 662 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
michael@0 663 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
michael@0 664 -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
michael@0 665 >${TMP}/$HOST.tmp.$$ 2>&1
michael@0 666 ret=$?
michael@0 667 cat ${TMP}/$HOST.tmp.$$
michael@0 668 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
michael@0 669 if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
michael@0 670 modvalue=$rev_modvalue
michael@0 671 testAddMsg="revoked"
michael@0 672 else
michael@0 673 testAddMsg="not revoked"
michael@0 674 modvalue=$value
michael@0 675 fi
michael@0 676
michael@0 677 html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
michael@0 678 "produced a returncode of $ret, expected is $modvalue"
michael@0 679 kill_selfserv
michael@0 680 done
michael@0 681 fi
michael@0 682 done
michael@0 683
michael@0 684 html "</TABLE><BR>"
michael@0 685 }
michael@0 686
michael@0 687 ############################# is_revoked ###############################
michael@0 688 # local shell function to check if certificate is revoked
michael@0 689 ########################################################################
michael@0 690 is_revoked() {
michael@0 691 certNum=$1
michael@0 692 currLoadedGrp=$2
michael@0 693
michael@0 694 found=0
michael@0 695 ownerGrp=1
michael@0 696 while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
michael@0 697 do
michael@0 698 currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
michael@0 699 currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
michael@0 700 currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
michael@0 701 if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
michael@0 702 found=1
michael@0 703 else
michael@0 704 ownerGrp=`expr $ownerGrp + 1`
michael@0 705 fi
michael@0 706 done
michael@0 707 if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
michael@0 708 return 1
michael@0 709 fi
michael@0 710 if [ $found -eq 0 ]; then
michael@0 711 return 1
michael@0 712 fi
michael@0 713 unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
michael@0 714 if [ $certNum -eq $unrevokedGrpCert ]; then
michael@0 715 return 1
michael@0 716 fi
michael@0 717 return 0
michael@0 718 }
michael@0 719
michael@0 720 ########################### load_group_crl #############################
michael@0 721 # local shell function to load CRL
michael@0 722 ########################################################################
michael@0 723 load_group_crl() {
michael@0 724 group=$1
michael@0 725 ectype=$2
michael@0 726
michael@0 727 OUTFILE_TMP=${TMP}/$HOST.tmp.$$
michael@0 728 grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
michael@0 729 grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
michael@0 730 grpEnd=`expr $grpBegin + $grpRange - 1`
michael@0 731
michael@0 732 if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
michael@0 733 ret=1
michael@0 734 return 1;
michael@0 735 fi
michael@0 736
michael@0 737 # Add -ec suffix for ECC
michael@0 738 if [ "$ectype" = "ECC" ] ; then
michael@0 739 ecsuffix="-ec"
michael@0 740 eccomment="ECC "
michael@0 741 else
michael@0 742 ecsuffix=""
michael@0 743 eccomment=""
michael@0 744 fi
michael@0 745
michael@0 746 if [ "$RELOAD_CRL" != "" ]; then
michael@0 747 if [ $group -eq 1 ]; then
michael@0 748 echo "==================== Resetting to group 1 crl ==================="
michael@0 749 kill_selfserv
michael@0 750 start_selfserv
michael@0 751 is_selfserv_alive
michael@0 752 fi
michael@0 753 echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
michael@0 754
michael@0 755 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
michael@0 756 echo " -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
michael@0 757 echo "Request:"
michael@0 758 echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
michael@0 759 echo ""
michael@0 760 echo "RELOAD time $i"
michael@0 761
michael@0 762 REQF=${R_CLIENTDIR}.crlreq
michael@0 763 cat > ${REQF} <<_EOF_REQUEST_
michael@0 764 GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
michael@0 765
michael@0 766 _EOF_REQUEST_
michael@0 767
michael@0 768 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \
michael@0 769 -d ${R_CLIENTDIR} -v -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
michael@0 770 >${OUTFILE_TMP} 2>&1 < ${REQF}
michael@0 771
michael@0 772 cat ${OUTFILE_TMP}
michael@0 773 grep "CRL ReCache Error" ${OUTFILE_TMP}
michael@0 774 if [ $? -eq 0 ]; then
michael@0 775 ret=1
michael@0 776 return 1
michael@0 777 fi
michael@0 778 else
michael@0 779 echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
michael@0 780
michael@0 781 kill_selfserv
michael@0 782 CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
michael@0 783 crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
michael@0 784 -p ../tests.pw.928
michael@0 785 ret=$?
michael@0 786 if [ "$ret" -eq 0 ]; then
michael@0 787 html_passed "${CU_ACTION}"
michael@0 788 return 1
michael@0 789 fi
michael@0 790 start_selfserv
michael@0 791 fi
michael@0 792 is_selfserv_alive
michael@0 793 ret=$?
michael@0 794 echo "================= CRL Reloaded ============="
michael@0 795 }
michael@0 796
michael@0 797 ########################### ssl_crl_cache ##############################
michael@0 798 # local shell function to perform SSL test for crl cache functionality
michael@0 799 # with/out revoked certs
michael@0 800 ########################################################################
michael@0 801 ssl_crl_cache()
michael@0 802 {
michael@0 803 html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
michael@0 804 SSLAUTH_TMP=${TMP}/authin.tl.tmp
michael@0 805 SERV_ARG=-r_-r
michael@0 806 rm -f ${SSLAUTH_TMP}
michael@0 807 echo ${SSLAUTH_TMP}
michael@0 808
michael@0 809 grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
michael@0 810 echo $?
michael@0 811 while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
michael@0 812 do
michael@0 813 sparam=$SERV_ARG
michael@0 814 start_selfserv
michael@0 815 exec < ${SSLAUTH_TMP}
michael@0 816 while read ectype value sparam cparam testname
michael@0 817 do
michael@0 818 [ "$ectype" = "" ] && continue
michael@0 819 if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
michael@0 820 echo "$SCRIPTNAME: skipping $testname (ECC only)"
michael@0 821 elif [ "$ectype" = "SNI" ]; then
michael@0 822 continue
michael@0 823 else
michael@0 824 servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
michael@0 825 pwd=`echo $cparam | grep nss`
michael@0 826 user=`echo $cparam | grep TestUser`
michael@0 827 _cparam=$cparam
michael@0 828 case $servarg in
michael@0 829 1) if [ -z "$pwd" -o -z "$user" ]; then
michael@0 830 rev_modvalue=0
michael@0 831 else
michael@0 832 rev_modvalue=254
michael@0 833 fi
michael@0 834 ;;
michael@0 835 2) rev_modvalue=254 ;;
michael@0 836
michael@0 837 3) if [ -z "$pwd" -o -z "$user" ]; then
michael@0 838 rev_modvalue=0
michael@0 839 else
michael@0 840 rev_modvalue=1
michael@0 841 fi
michael@0 842 ;;
michael@0 843 4) rev_modvalue=1 ;;
michael@0 844 esac
michael@0 845 TEMP_NUM=0
michael@0 846 LOADED_GRP=1
michael@0 847 while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
michael@0 848 do
michael@0 849 while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
michael@0 850 do
michael@0 851 CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
michael@0 852 TEMP_NUM=`expr $TEMP_NUM + 1`
michael@0 853 USER_NICKNAME="TestUser${CURR_SER_NUM}"
michael@0 854 cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
michael@0 855
michael@0 856 echo "Server Args: $SERV_ARG"
michael@0 857 echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
michael@0 858 echo " ${cparam} < ${REQUEST_FILE}"
michael@0 859 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
michael@0 860 ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
michael@0 861 -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
michael@0 862 >${TMP}/$HOST.tmp.$$ 2>&1
michael@0 863 ret=$?
michael@0 864 cat ${TMP}/$HOST.tmp.$$
michael@0 865 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
michael@0 866 is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
michael@0 867 isRevoked=$?
michael@0 868 if [ $isRevoked -eq 0 ]; then
michael@0 869 modvalue=$rev_modvalue
michael@0 870 testAddMsg="revoked"
michael@0 871 else
michael@0 872 modvalue=$value
michael@0 873 testAddMsg="not revoked"
michael@0 874 fi
michael@0 875
michael@0 876 is_selfserv_alive
michael@0 877 ss_status=$?
michael@0 878 if [ "$ss_status" -ne 0 ]; then
michael@0 879 html_msg $ret $modvalue \
michael@0 880 "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
michael@0 881 "produced a returncode of $ret, expected is $modvalue. " \
michael@0 882 "selfserv is not alive!"
michael@0 883 else
michael@0 884 html_msg $ret $modvalue \
michael@0 885 "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
michael@0 886 "produced a returncode of $ret, expected is $modvalue"
michael@0 887 fi
michael@0 888 done
michael@0 889 LOADED_GRP=`expr $LOADED_GRP + 1`
michael@0 890 TEMP_NUM=0
michael@0 891 if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
michael@0 892 load_group_crl $LOADED_GRP $ectype
michael@0 893 html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
michael@0 894 "produced a returncode of $ret, expected is 0"
michael@0 895 fi
michael@0 896 done
michael@0 897 # Restart selfserv to roll back to two initial group 1 crls
michael@0 898 # TestCA CRL and TestCA-ec CRL
michael@0 899 kill_selfserv
michael@0 900 start_selfserv
michael@0 901 fi
michael@0 902 done
michael@0 903 kill_selfserv
michael@0 904 SERV_ARG="${SERV_ARG}_-r"
michael@0 905 rm -f ${SSLAUTH_TMP}
michael@0 906 grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
michael@0 907 done
michael@0 908 TEMPFILES=${SSLAUTH_TMP}
michael@0 909 html "</TABLE><BR>"
michael@0 910 }
michael@0 911
michael@0 912
michael@0 913 ############################## ssl_cleanup #############################
michael@0 914 # local shell function to finish this script (no exit since it might be
michael@0 915 # sourced)
michael@0 916 ########################################################################
michael@0 917 ssl_cleanup()
michael@0 918 {
michael@0 919 rm $SERVERPID 2>/dev/null
michael@0 920 cd ${QADIR}
michael@0 921 . common/cleanup.sh
michael@0 922 }
michael@0 923
michael@0 924 ############################## ssl_run #################################
michael@0 925 # local shell function to run coverage, authentication and stress tests
michael@0 926 ########################################################################
michael@0 927 ssl_run()
michael@0 928 {
michael@0 929 for SSL_RUN in ${NSS_SSL_RUN}
michael@0 930 do
michael@0 931 case "${SSL_RUN}" in
michael@0 932 "stapling")
michael@0 933 ssl_stapling
michael@0 934 ;;
michael@0 935 "cov")
michael@0 936 ssl_cov
michael@0 937 ;;
michael@0 938 "auth")
michael@0 939 ssl_auth
michael@0 940 ;;
michael@0 941 "stress")
michael@0 942 ssl_stress
michael@0 943 ;;
michael@0 944 esac
michael@0 945 done
michael@0 946 }
michael@0 947
michael@0 948 ############################ ssl_run_all ###############################
michael@0 949 # local shell function to run both standard and extended ssl tests
michael@0 950 ########################################################################
michael@0 951 ssl_run_all()
michael@0 952 {
michael@0 953 ORIG_SERVERDIR=$SERVERDIR
michael@0 954 ORIG_CLIENTDIR=$CLIENTDIR
michael@0 955 ORIG_R_SERVERDIR=$R_SERVERDIR
michael@0 956 ORIG_R_CLIENTDIR=$R_CLIENTDIR
michael@0 957 ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
michael@0 958 ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
michael@0 959
michael@0 960 USER_NICKNAME=TestUser
michael@0 961 NORM_EXT=""
michael@0 962 cd ${CLIENTDIR}
michael@0 963
michael@0 964 ssl_run
michael@0 965
michael@0 966 SERVERDIR=$EXT_SERVERDIR
michael@0 967 CLIENTDIR=$EXT_CLIENTDIR
michael@0 968 R_SERVERDIR=$R_EXT_SERVERDIR
michael@0 969 R_CLIENTDIR=$R_EXT_CLIENTDIR
michael@0 970 P_R_SERVERDIR=$P_R_EXT_SERVERDIR
michael@0 971 P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
michael@0 972
michael@0 973 USER_NICKNAME=ExtendedSSLUser
michael@0 974 NORM_EXT="Extended Test"
michael@0 975 cd ${CLIENTDIR}
michael@0 976
michael@0 977 ssl_run
michael@0 978
michael@0 979 # the next round of ssl tests will only run if these vars are reset
michael@0 980 SERVERDIR=$ORIG_SERVERDIR
michael@0 981 CLIENTDIR=$ORIG_CLIENTDIR
michael@0 982 R_SERVERDIR=$ORIG_R_SERVERDIR
michael@0 983 R_CLIENTDIR=$ORIG_R_CLIENTDIR
michael@0 984 P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
michael@0 985 P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
michael@0 986
michael@0 987 USER_NICKNAME=TestUser
michael@0 988 NORM_EXT=
michael@0 989 cd ${QADIR}/ssl
michael@0 990 }
michael@0 991
michael@0 992 ############################ ssl_set_fips ##############################
michael@0 993 # local shell function to set FIPS mode on/off
michael@0 994 ########################################################################
michael@0 995 ssl_set_fips()
michael@0 996 {
michael@0 997 CLTSRV=$1
michael@0 998 ONOFF=$2
michael@0 999
michael@0 1000 if [ ${CLTSRV} = "server" ]; then
michael@0 1001 DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
michael@0 1002 else
michael@0 1003 DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"
michael@0 1004 fi
michael@0 1005
michael@0 1006 if [ "${ONOFF}" = "on" ]; then
michael@0 1007 FIPSMODE=true
michael@0 1008 RET_EXP=0
michael@0 1009 else
michael@0 1010 FIPSMODE=false
michael@0 1011 RET_EXP=1
michael@0 1012 fi
michael@0 1013
michael@0 1014 html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
michael@0 1015
michael@0 1016 for DBDIR in ${DBDIRS}
michael@0 1017 do
michael@0 1018 EXT_OPT=
michael@0 1019 echo ${DBDIR} | grep ext > /dev/null
michael@0 1020 if [ $? -eq 0 ]; then
michael@0 1021 EXT_OPT="extended "
michael@0 1022 fi
michael@0 1023
michael@0 1024 echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
michael@0 1025
michael@0 1026 echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
michael@0 1027 ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
michael@0 1028 RET=$?
michael@0 1029 html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
michael@0 1030 "produced a returncode of ${RET}, expected is 0"
michael@0 1031
michael@0 1032 echo "modutil -dbdir ${DBDIR} -list"
michael@0 1033 DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
michael@0 1034 RET=$?
michael@0 1035 html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
michael@0 1036 "produced a returncode of ${RET}, expected is 0"
michael@0 1037
michael@0 1038 echo "${DBLIST}" | grep "FIPS PKCS #11"
michael@0 1039 RET=$?
michael@0 1040 html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
michael@0 1041 "produced a returncode of ${RET}, expected is ${RET_EXP}"
michael@0 1042 done
michael@0 1043
michael@0 1044 html "</TABLE><BR>"
michael@0 1045 }
michael@0 1046
michael@0 1047 ############################ ssl_set_fips ##############################
michael@0 1048 # local shell function to run all tests set in NSS_SSL_TESTS variable
michael@0 1049 ########################################################################
michael@0 1050 ssl_run_tests()
michael@0 1051 {
michael@0 1052 for SSL_TEST in ${NSS_SSL_TESTS}
michael@0 1053 do
michael@0 1054 case "${SSL_TEST}" in
michael@0 1055 "crl")
michael@0 1056 ssl_crl_ssl
michael@0 1057 ssl_crl_cache
michael@0 1058 ;;
michael@0 1059 "iopr")
michael@0 1060 ssl_iopr_run
michael@0 1061 ;;
michael@0 1062 *)
michael@0 1063 SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
michael@0 1064 CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
michael@0 1065
michael@0 1066 case "${SERVER_MODE}" in
michael@0 1067 "normal")
michael@0 1068 SERVER_OPTIONS=
michael@0 1069 ;;
michael@0 1070 "bypass")
michael@0 1071 SERVER_OPTIONS="-B -s"
michael@0 1072 ;;
michael@0 1073 "fips")
michael@0 1074 SERVER_OPTIONS=
michael@0 1075 ssl_set_fips server on
michael@0 1076 ;;
michael@0 1077 *)
michael@0 1078 echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
michael@0 1079 continue
michael@0 1080 ;;
michael@0 1081 esac
michael@0 1082
michael@0 1083 case "${CLIENT_MODE}" in
michael@0 1084 "normal")
michael@0 1085 CLIENT_OPTIONS=
michael@0 1086 ;;
michael@0 1087 "bypass")
michael@0 1088 CLIENT_OPTIONS="-B -s"
michael@0 1089 ;;
michael@0 1090 "fips")
michael@0 1091 SERVER_OPTIONS=
michael@0 1092 ssl_set_fips client on
michael@0 1093 ;;
michael@0 1094 *)
michael@0 1095 echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
michael@0 1096 continue
michael@0 1097 ;;
michael@0 1098 esac
michael@0 1099
michael@0 1100 ssl_run_all
michael@0 1101
michael@0 1102 if [ "${SERVER_MODE}" = "fips" ]; then
michael@0 1103 ssl_set_fips server off
michael@0 1104 fi
michael@0 1105
michael@0 1106 if [ "${CLIENT_MODE}" = "fips" ]; then
michael@0 1107 ssl_set_fips client off
michael@0 1108 fi
michael@0 1109 ;;
michael@0 1110 esac
michael@0 1111 done
michael@0 1112 }
michael@0 1113
michael@0 1114 ################################# main #################################
michael@0 1115
michael@0 1116 ssl_init
michael@0 1117 ssl_run_tests
michael@0 1118 ssl_cleanup
michael@0 1119

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial