The Tor Browser: comparison security/nss/tests/ssl/ssl.sh

--1:000000000000
+:ad49772d0664
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+########################################################################
+#
+# mozilla/security/nss/tests/ssl/ssl.sh
+#
+# Script to test NSS SSL
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+############################## ssl_init ################################
+# local shell function to initialize this script
+########################################################################
+ssl_init()
+{
+SCRIPTNAME=ssl.sh      # sourced - $0 would point to all.sh
+if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+fi
+if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+cd ../common
+. ./init.sh
+fi
+if [ -z "${IOPR_SSL_SOURCED}" ]; then
+. ../iopr/ssl_iopr.sh
+fi
+if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+cd ../cert
+. ./cert.sh
+fi
+SCRIPTNAME=ssl.sh
+echo "$SCRIPTNAME: SSL tests ==============================="
+grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
+html_head "SSL Test failure"
+Exit 8 "Fatal - cert.sh needs to pass first"
+}
+if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
+html_head "SSL Test failure"
+Exit 8 "Fatal - SSL of cert.sh needs to pass first"
+}
+fi
+PORT=${PORT-8443}
+NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
+nss_ssl_run="stapling cov auth stress"
+NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
+# Test case files
+SSLCOV=${QADIR}/ssl/sslcov.txt
+SSLAUTH=${QADIR}/ssl/sslauth.txt
+SSLSTRESS=${QADIR}/ssl/sslstress.txt
+REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+#temparary files
+SERVEROUTFILE=${TMP}/tests_server.$$
+SERVERPID=${TMP}/tests_pid.$$
+R_SERVERPID=../tests_pid.$$
+TEMPFILES="$TMPFILES ${SERVEROUTFILE}  ${SERVERPID}"
+fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
+#fileout=1
+#verbose="-v" #FIXME - see where this is usefull
+USER_NICKNAME=TestUser
+NORM_EXT=""
+if [ -z "$NSS_DISABLE_ECC" ] ; then
+ECC_STRING=" - with ECC"
+else
+ECC_STRING=""
+fi
+CSHORT="-c ABCDEF:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
+CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
+if [ "${OS_ARCH}" != "WINNT" ]; then
+ulimit -n 1000 # make sure we have enough file descriptors
+fi
+cd ${CLIENTDIR}
+}
+########################### is_selfserv_alive ##########################
+# local shell function to exit with a fatal error if selfserver is not
+# running
+########################################################################
+is_selfserv_alive()
+{
+if [ ! -f "${SERVERPID}" ]; then
+echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
+sleep 5
+if [ ! -f "${SERVERPID}" ]; then
+Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
+fi
+fi
+if [ "${OS_ARCH}" = "WINNT" ] && \
+[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+PID=${SHELL_SERVERPID}
+else
+PID=`cat ${SERVERPID}`
+fi
+echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+echo "selfserv with PID ${PID} found at `date`"
+}
+########################### wait_for_selfserv ##########################
+# local shell function to wait until selfserver is running and initialized
+########################################################################
+wait_for_selfserv()
+{
+echo "trying to connect to selfserv at `date`"
+echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
+${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
+if [ $? -ne 0 ]; then
+sleep 5
+echo "retrying to connect to selfserv at `date`"
+echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
+${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
+if [ $? -ne 0 ]; then
+html_failed "Waiting for Server"
+fi
+fi
+is_selfserv_alive
+}
+########################### kill_selfserv ##############################
+# local shell function to kill the selfserver after the tests are done
+########################################################################
+kill_selfserv()
+{
+if [ "${OS_ARCH}" = "WINNT" ] && \
+[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+PID=${SHELL_SERVERPID}
+else
+PID=`cat ${SERVERPID}`
+fi
+echo "trying to kill selfserv with PID ${PID} at `date`"
+if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
+echo "${KILL} ${PID}"
+${KILL} ${PID}
+else
+echo "${KILL} -USR1 ${PID}"
+${KILL} -USR1 ${PID}
+fi
+wait ${PID}
+if [ ${fileout} -eq 1 ]; then
+cat ${SERVEROUTFILE}
+fi
+# On Linux selfserv needs up to 30 seconds to fully die and free
+# the port.  Wait until the port is free. (Bug 129701)
+if [ "${OS_ARCH}" = "Linux" ]; then
+echo "selfserv -b -p ${PORT} 2>/dev/null;"
+until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
+echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
+sleep 1
+done
+fi
+echo "selfserv with PID ${PID} killed at `date`"
+rm ${SERVERPID}
+html_detect_core "kill_selfserv core detection step"
+}
+########################### start_selfserv #############################
+# local shell function to start the selfserver with the parameters required
+# for this test and log information (parameters, start time)
+# also: wait until the server is up and running
+########################################################################
+start_selfserv()
+{
+if [ -n "$testname" ] ; then
+echo "$SCRIPTNAME: $testname ----"
+fi
+sparam=`echo $sparam | sed -e 's;_; ;g'`
+if [ -z "$NSS_DISABLE_ECC" ] && \
+[ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
+ECC_OPTIONS="-e ${HOSTADDR}-ec"
+else
+ECC_OPTIONS=""
+fi
+if [ "$1" = "mixed" ]; then
+ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
+fi
+echo "selfserv starting at `date`"
+echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
+echo "         ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
+if [ ${fileout} -eq 1 ]; then
+${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
+> ${SERVEROUTFILE} 2>&1 &
+RET=$?
+else
+${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
+RET=$?
+fi
+# The PID $! returned by the MKS or Cygwin shell is not the PID of
+# the real background process, but rather the PID of a helper
+# process (sh.exe).  MKS's kill command has a bug: invoking kill
+# on the helper process does not terminate the real background
+# process.  Our workaround has been to have selfserv save its PID
+# in the ${SERVERPID} file and "kill" that PID instead.  But this
+# doesn't work under Cygwin; its kill command doesn't recognize
+# the PID of the real background process, but it does work on the
+# PID of the helper process.  So we save the value of $! in the
+# SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
+# file under Cygwin.  (In fact, this should work in any shell
+# other than the MKS shell.)
+SHELL_SERVERPID=$!
+wait_for_selfserv
+if [ "${OS_ARCH}" = "WINNT" ] && \
+[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+PID=${SHELL_SERVERPID}
+else
+PID=`cat ${SERVERPID}`
+fi
+echo "selfserv with PID ${PID} started at `date`"
+}
+############################## ssl_cov #################################
+# local shell function to perform SSL Cipher Coverage tests
+########################################################################
+ssl_cov()
+{
+html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+testname=""
+if [ -z "$NSS_DISABLE_ECC" ] ; then
+sparam="$CLONG"
+else
+sparam="$CSHORT"
+fi
+mixed=0
+start_selfserv # Launch the server
+VMIN="ssl2"
+VMAX="tls1.1"
+exec < ${SSLCOV}
+while read ectype testmax param testname
+do
+echo "${testname}" | grep "EXPORT" > /dev/null
+EXP=$?
+echo "${testname}" | grep "SSL2" > /dev/null
+SSL2=$?
+if [ "${SSL2}" -eq 0 ] ; then
+# We cannot use asynchronous cert verification with SSL2
+SSL2_FLAGS=-O
+VMIN="ssl2"
+else
+# Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
+# default in libssl but it is enabled by default in tstclnt; we want
+# to test the libssl default whenever possible.
+SSL2_FLAGS=
+VMIN="ssl3"
+fi
+if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
+echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
+echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
+echo "$SCRIPTNAME: running $testname ----------------------------"
+VMAX="ssl3"
+if [ "$testmax" = "TLS10" ]; then
+VMAX="tls1.0"
+fi
+if [ "$testmax" = "TLS11" ]; then
+VMAX="tls1.1"
+fi
+if [ "$testmax" = "TLS12" ]; then
+VMAX="tls1.2"
+fi
+# These five tests need an EC cert signed with RSA
+# This requires a different certificate loaded in selfserv
+# due to a (current) NSS limitation of only loaded one cert
+# per type so the default selfserv setup will not work.
+#:C00B TLS ECDH RSA WITH NULL SHA
+#:C00C TLS ECDH RSA WITH RC4 128 SHA
+#:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
+#:C00E TLS ECDH RSA WITH AES 128 CBC SHA
+#:C00F TLS ECDH RSA WITH AES 256 CBC SHA
+if [ $mixed -eq 0 ]; then
+if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
+kill_selfserv
+start_selfserv mixed
+mixed=1
+else
+is_selfserv_alive
+fi
+else
+if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
+is_selfserv_alive
+else
+kill_selfserv
+start_selfserv
+mixed=0
+fi
+fi
+echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\"
+echo "        -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}"
+rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \
+-d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \
+>${TMP}/$HOST.tmp.$$  2>&1
+ret=$?
+cat ${TMP}/$HOST.tmp.$$
+rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+html_msg $ret 0 "${testname}" \
+"produced a returncode of $ret, expected is 0"
+fi
+done
+kill_selfserv
+html "</TABLE><BR>"
+}
+############################## ssl_auth ################################
+# local shell function to perform SSL  Client Authentication tests
+########################################################################
+ssl_auth()
+{
+html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+exec < ${SSLAUTH}
+while read ectype value sparam cparam testname
+do
+[ -z "$ectype" ] && continue
+echo "${testname}" | grep "don't require client auth" > /dev/null
+CAUTH=$?
+if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
+echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+elif [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
+echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+if [ "$ectype" = "SNI" ]; then
+cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+fi
+start_selfserv
+echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
+echo "        ${cparam}  < ${REQUEST_FILE}"
+rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
+-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \
+>${TMP}/$HOST.tmp.$$  2>&1
+ret=$?
+cat ${TMP}/$HOST.tmp.$$
+rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+#workaround for bug #402058
+[ $ret -ne 0 ] && ret=1
+[ $value -ne 0 ] && value=1
+html_msg $ret $value "${testname}" \
+"produced a returncode of $ret, expected is $value"
+kill_selfserv
+fi
+done
+html "</TABLE><BR>"
+}
+ssl_stapling_sub()
+{
+testname=$1
+SO=$2
+value=$3
+if [ "$NORM_EXT" = "Extended Test" ] ; then
+	# these tests use the ext_client directory for tstclnt,
+	# which doesn't contain the required "TestCA" for server cert
+	# verification, I don't know if it would be OK to add it...
+	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+	return 0
+fi
+if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+	return 0
+fi
+SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+echo "${testname}"
+start_selfserv
+echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
+echo "        -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
+rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+	    -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
+	    >${TMP}/$HOST.tmp.$$  2>&1
+ret=$?
+cat ${TMP}/$HOST.tmp.$$
+rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+# hopefully no workaround for bug #402058 needed here?
+# (see commands in ssl_auth
+html_msg $ret $value "${testname}" \
+	    "produced a returncode of $ret, expected is $value"
+kill_selfserv
+SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+ssl_stapling_stress()
+{
+testname="Stress OCSP stapling, server uses random status"
+SO="-A TestCA -T random"
+value=0
+if [ "$NORM_EXT" = "Extended Test" ] ; then
+	# these tests use the ext_client directory for tstclnt,
+	# which doesn't contain the required "TestCA" for server cert
+	# verification, I don't know if it would be OK to add it...
+	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+	return 0
+fi
+if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+	return 0
+fi
+SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+echo "${testname}"
+start_selfserv
+echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
+echo "         -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}"
+echo "strsclnt started at `date`"
+${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
+	    -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}
+ret=$?
+echo "strsclnt completed at `date`"
+html_msg $ret $value \
+	    "${testname}" \
+	    "produced a returncode of $ret, expected is $value."
+kill_selfserv
+SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+############################ ssl_stapling ##############################
+# local shell function to perform SSL Cert Status (OCSP Stapling) tests
+########################################################################
+ssl_stapling()
+{
+html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+# tstclnt Exit code:
+# 0: have fresh and valid revocation data, status good
+# 1: cert failed to verify, prior to revocation checking
+# 2: missing, old or invalid revocation data
+# 3: have fresh and valid revocation data, status revoked
+# selfserv modes
+# good, revoked, unkown: Include locally signed response. Requires: -A
+# failure: Include OCSP failure status, such as "try later" (unsigned)
+# badsig: use a good status but with an invalid signature
+# corrupted: stapled cert status is an invalid block of data
+ssl_stapling_sub "OCSP stapling, signed response, good status"     "-A TestCA -T good"      0
+ssl_stapling_sub "OCSP stapling, signed response, revoked status"  "-A TestCA -T revoked"   3
+ssl_stapling_sub "OCSP stapling, signed response, unknown status"  "-A TestCA -T unknown"   2
+ssl_stapling_sub "OCSP stapling, unsigned failure response"        "-A TestCA -T failure"   2
+ssl_stapling_sub "OCSP stapling, good status, bad signature"       "-A TestCA -T badsig"    2
+ssl_stapling_sub "OCSP stapling, invalid cert status data"         "-A TestCA -T corrupted" 2
+ssl_stapling_sub "Valid cert, Server doesn't staple"               ""                       2
+ssl_stapling_stress
+html "</TABLE><BR>"
+}
+############################## ssl_stress ##############################
+# local shell function to perform SSL stress test
+########################################################################
+ssl_stress()
+{
+html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+exec < ${SSLSTRESS}
+while read ectype value sparam cparam testname
+do
+if [ -z "$ectype" ]; then
+# silently ignore blank lines
+continue
+fi
+echo "${testname}" | grep "SSL2" > /dev/null
+SSL2=$?
+echo "${testname}" | grep "client auth" > /dev/null
+CAUTH=$?
+if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
+echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+elif [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
+echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
+echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
+echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+if [ "$ectype" = "SNI" ]; then
+cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+fi
+# These tests need the mixed cert
+# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
+# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
+p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;
+if [ "$p" = "-c_:C00E" ]; then
+start_selfserv mixed
+else
+start_selfserv
+fi
+if [ "`uname -n`" = "sjsu" ] ; then
+echo "debugging disapering selfserv... ps -ef | grep selfserv"
+ps -ef | grep selfserv
+fi
+echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
+echo "         $verbose ${HOSTADDR}"
+echo "strsclnt started at `date`"
+${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
+$verbose ${HOSTADDR}
+ret=$?
+echo "strsclnt completed at `date`"
+html_msg $ret $value \
+"${testname}" \
+"produced a returncode of $ret, expected is $value. "
+if [ "`uname -n`" = "sjsu" ] ; then
+echo "debugging disapering selfserv... ps -ef | grep selfserv"
+ps -ef | grep selfserv
+fi
+kill_selfserv
+fi
+done
+html "</TABLE><BR>"
+}
+############################ ssl_crl_ssl ###############################
+# local shell function to perform SSL test with/out revoked certs tests
+########################################################################
+ssl_crl_ssl()
+{
+html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+# Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
+# Cert number $UNREVOKED_CERT_GRP_1 was not revoked
+CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
+CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
+UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
+exec < ${SSLAUTH}
+while read ectype value sparam cparam testname
+do
+[ "$ectype" = "" ] && continue
+if [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
+echo "$SCRIPTNAME: skipping $testname (ECC only)"
+elif [ "$ectype" = "SNI" ]; then
+continue
+elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+	servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+	pwd=`echo $cparam | grep nss`
+	user=`echo $cparam | grep TestUser`
+	_cparam=$cparam
+	case $servarg in
+	    1) if [ -z "$pwd" -o -z "$user" ]; then
+rev_modvalue=0
+else
+	         rev_modvalue=254
+fi
+;;
+	    2) rev_modvalue=254 ;;
+	    3) if [ -z "$pwd" -o -z "$user" ]; then
+		rev_modvalue=0
+		else
+		rev_modvalue=1
+		fi
+		;;
+	    4) rev_modvalue=1 ;;
+	esac
+	TEMP_NUM=0
+	while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
+	  do
+	  CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
+	  TEMP_NUM=`expr $TEMP_NUM + 1`
+	  USER_NICKNAME="TestUser${CURR_SER_NUM}"
+	  cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+	  start_selfserv
+	  echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
+	  echo "        ${cparam}  < ${REQUEST_FILE}"
+	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+	  ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+	      -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
+	      >${TMP}/$HOST.tmp.$$  2>&1
+	  ret=$?
+	  cat ${TMP}/$HOST.tmp.$$
+	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+	  if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
+	      modvalue=$rev_modvalue
+testAddMsg="revoked"
+	  else
+testAddMsg="not revoked"
+	      modvalue=$value
+	  fi
+	  html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
+		"produced a returncode of $ret, expected is $modvalue"
+	  kill_selfserv
+	done
+fi
+done
+html "</TABLE><BR>"
+}
+############################# is_revoked ###############################
+# local shell function to check if certificate is revoked
+########################################################################
+is_revoked() {
+certNum=$1
+currLoadedGrp=$2
+found=0
+ownerGrp=1
+while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
+do
+currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
+currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
+currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
+if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
+found=1
+else
+ownerGrp=`expr $ownerGrp + 1`
+fi
+done
+if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
+return 1
+fi
+if [ $found -eq 0 ]; then
+return 1
+fi
+unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
+if [ $certNum -eq $unrevokedGrpCert ]; then
+return 1
+fi
+return 0
+}
+########################### load_group_crl #############################
+# local shell function to load CRL
+########################################################################
+load_group_crl() {
+group=$1
+ectype=$2
+OUTFILE_TMP=${TMP}/$HOST.tmp.$$
+grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
+grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
+grpEnd=`expr $grpBegin + $grpRange - 1`
+if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
+ret=1
+return 1;
+fi
+# Add -ec suffix for ECC
+if [ "$ectype" = "ECC" ] ; then
+ecsuffix="-ec"
+eccomment="ECC "
+else
+ecsuffix=""
+eccomment=""
+fi
+if [ "$RELOAD_CRL" != "" ]; then
+if [ $group -eq 1 ]; then
+echo "==================== Resetting to group 1 crl ==================="
+kill_selfserv
+start_selfserv
+is_selfserv_alive
+fi
+echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
+echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
+echo "          -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
+echo "Request:"
+echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
+echo ""
+echo "RELOAD time $i"
+REQF=${R_CLIENTDIR}.crlreq
+cat > ${REQF} <<_EOF_REQUEST_
+GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
+_EOF_REQUEST_
+${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f  \
+-d ${R_CLIENTDIR} -v -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
+>${OUTFILE_TMP}  2>&1 < ${REQF}
+cat ${OUTFILE_TMP}
+grep "CRL ReCache Error" ${OUTFILE_TMP}
+if [ $? -eq 0 ]; then
+ret=1
+return 1
+fi
+else
+echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
+kill_selfserv
+CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
+crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
+-p ../tests.pw.928
+ret=$?
+if [ "$ret" -eq 0 ]; then
+	    html_passed "${CU_ACTION}"
+return 1
+fi
+start_selfserv
+fi
+is_selfserv_alive
+ret=$?
+echo "================= CRL Reloaded ============="
+}
+########################### ssl_crl_cache ##############################
+# local shell function to perform SSL test for crl cache functionality
+# with/out revoked certs
+########################################################################
+ssl_crl_cache()
+{
+html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+SSLAUTH_TMP=${TMP}/authin.tl.tmp
+SERV_ARG=-r_-r
+rm -f ${SSLAUTH_TMP}
+echo ${SSLAUTH_TMP}
+grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
+echo $?
+while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
+do
+sparam=$SERV_ARG
+start_selfserv
+exec < ${SSLAUTH_TMP}
+while read ectype value sparam cparam testname
+do
+[ "$ectype" = "" ] && continue
+if [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
+echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+elif [ "$ectype" = "SNI" ]; then
+continue
+else
+servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+pwd=`echo $cparam | grep nss`
+user=`echo $cparam | grep TestUser`
+_cparam=$cparam
+case $servarg in
+1) if [ -z "$pwd" -o -z "$user" ]; then
+rev_modvalue=0
+else
+rev_modvalue=254
+fi
+;;
+2) rev_modvalue=254 ;;
+3) if [ -z "$pwd" -o -z "$user" ]; then
+rev_modvalue=0
+else
+rev_modvalue=1
+fi
+;;
+4) rev_modvalue=1 ;;
+	  esac
+TEMP_NUM=0
+LOADED_GRP=1
+while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
+do
+while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
+do
+CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
+TEMP_NUM=`expr $TEMP_NUM + 1`
+USER_NICKNAME="TestUser${CURR_SER_NUM}"
+cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+echo "Server Args: $SERV_ARG"
+echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
+echo "        ${cparam}  < ${REQUEST_FILE}"
+rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+	        -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
+>${TMP}/$HOST.tmp.$$  2>&1
+ret=$?
+cat ${TMP}/$HOST.tmp.$$
+rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
+isRevoked=$?
+if [ $isRevoked -eq 0 ]; then
+modvalue=$rev_modvalue
+testAddMsg="revoked"
+else
+modvalue=$value
+testAddMsg="not revoked"
+fi
+is_selfserv_alive
+ss_status=$?
+if [ "$ss_status" -ne 0 ]; then
+html_msg $ret $modvalue \
+"${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+"produced a returncode of $ret, expected is $modvalue. " \
+"selfserv is not alive!"
+else
+html_msg $ret $modvalue \
+"${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+"produced a returncode of $ret, expected is $modvalue"
+fi
+done
+LOADED_GRP=`expr $LOADED_GRP + 1`
+TEMP_NUM=0
+if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
+load_group_crl $LOADED_GRP $ectype
+html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
+"produced a returncode of $ret, expected is 0"
+fi
+done
+# Restart selfserv to roll back to two initial group 1 crls
+# TestCA CRL and TestCA-ec CRL
+kill_selfserv
+start_selfserv
+fi
+done
+kill_selfserv
+SERV_ARG="${SERV_ARG}_-r"
+rm -f ${SSLAUTH_TMP}
+grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus  > ${SSLAUTH_TMP}
+done
+TEMPFILES=${SSLAUTH_TMP}
+html "</TABLE><BR>"
+}
+############################## ssl_cleanup #############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+ssl_cleanup()
+{
+rm $SERVERPID 2>/dev/null
+cd ${QADIR}
+. common/cleanup.sh
+}
+############################## ssl_run #################################
+# local shell function to run coverage, authentication and stress tests
+########################################################################
+ssl_run()
+{
+for SSL_RUN in ${NSS_SSL_RUN}
+do
+case "${SSL_RUN}" in
+"stapling")
+ssl_stapling
+;;
+"cov")
+ssl_cov
+;;
+"auth")
+ssl_auth
+;;
+"stress")
+ssl_stress
+;;
+esac
+done
+}
+############################ ssl_run_all ###############################
+# local shell function to run both standard and extended ssl tests
+########################################################################
+ssl_run_all()
+{
+ORIG_SERVERDIR=$SERVERDIR
+ORIG_CLIENTDIR=$CLIENTDIR
+ORIG_R_SERVERDIR=$R_SERVERDIR
+ORIG_R_CLIENTDIR=$R_CLIENTDIR
+ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
+ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
+USER_NICKNAME=TestUser
+NORM_EXT=""
+cd ${CLIENTDIR}
+ssl_run
+SERVERDIR=$EXT_SERVERDIR
+CLIENTDIR=$EXT_CLIENTDIR
+R_SERVERDIR=$R_EXT_SERVERDIR
+R_CLIENTDIR=$R_EXT_CLIENTDIR
+P_R_SERVERDIR=$P_R_EXT_SERVERDIR
+P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
+USER_NICKNAME=ExtendedSSLUser
+NORM_EXT="Extended Test"
+cd ${CLIENTDIR}
+ssl_run
+# the next round of ssl tests will only run if these vars are reset
+SERVERDIR=$ORIG_SERVERDIR
+CLIENTDIR=$ORIG_CLIENTDIR
+R_SERVERDIR=$ORIG_R_SERVERDIR
+R_CLIENTDIR=$ORIG_R_CLIENTDIR
+P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
+P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
+USER_NICKNAME=TestUser
+NORM_EXT=
+cd ${QADIR}/ssl
+}
+############################ ssl_set_fips ##############################
+# local shell function to set FIPS mode on/off
+########################################################################
+ssl_set_fips()
+{
+CLTSRV=$1
+ONOFF=$2
+if [ ${CLTSRV} = "server" ]; then
+DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
+else
+DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"
+fi
+if [ "${ONOFF}" = "on" ]; then
+FIPSMODE=true
+RET_EXP=0
+else
+FIPSMODE=false
+RET_EXP=1
+fi
+html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
+for DBDIR in ${DBDIRS}
+do
+EXT_OPT=
+echo ${DBDIR} | grep ext > /dev/null
+if [ $? -eq 0 ]; then
+EXT_OPT="extended "
+fi
+echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
+echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
+${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
+RET=$?
+html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
+"produced a returncode of ${RET}, expected is 0"
+echo "modutil -dbdir ${DBDIR} -list"
+DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
+RET=$?
+html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
+"produced a returncode of ${RET}, expected is 0"
+echo "${DBLIST}" | grep "FIPS PKCS #11"
+RET=$?
+html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
+"produced a returncode of ${RET}, expected is ${RET_EXP}"
+done
+html "</TABLE><BR>"
+}
+############################ ssl_set_fips ##############################
+# local shell function to run all tests set in NSS_SSL_TESTS variable
+########################################################################
+ssl_run_tests()
+{
+for SSL_TEST in ${NSS_SSL_TESTS}
+do
+case "${SSL_TEST}" in
+"crl")
+ssl_crl_ssl
+ssl_crl_cache
+;;
+"iopr")
+ssl_iopr_run
+;;
+*)
+SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
+CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
+case "${SERVER_MODE}" in
+"normal")
+SERVER_OPTIONS=
+;;
+"bypass")
+SERVER_OPTIONS="-B -s"
+;;
+"fips")
+SERVER_OPTIONS=
+ssl_set_fips server on
+;;
+*)
+echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
+continue
+;;
+esac
+case "${CLIENT_MODE}" in
+"normal")
+CLIENT_OPTIONS=
+;;
+"bypass")
+CLIENT_OPTIONS="-B -s"
+;;
+"fips")
+SERVER_OPTIONS=
+ssl_set_fips client on
+;;
+*)
+echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
+continue
+;;
+esac
+ssl_run_all
+if [ "${SERVER_MODE}" = "fips" ]; then
+ssl_set_fips server off
+fi
+if [ "${CLIENT_MODE}" = "fips" ]; then
+ssl_set_fips client off
+fi
+;;
+esac
+done
+}
+################################# main #################################
+ssl_init
+ssl_run_tests
+ssl_cleanup

The Tor Browser / file comparison

comparison: security/nss/tests/ssl/ssl.sh

security/nss/tests/ssl/ssl.sh