security/nss/tests/ssl/ssl.sh

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/security/nss/tests/ssl/ssl.sh	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,1119 @@
     1.4 +#! /bin/bash
     1.5 +#
     1.6 +# This Source Code Form is subject to the terms of the Mozilla Public
     1.7 +# License, v. 2.0. If a copy of the MPL was not distributed with this
     1.8 +# file, You can obtain one at http://mozilla.org/MPL/2.0/.
     1.9 +
    1.10 +########################################################################
    1.11 +#
    1.12 +# mozilla/security/nss/tests/ssl/ssl.sh
    1.13 +#
    1.14 +# Script to test NSS SSL
    1.15 +#
    1.16 +# needs to work on all Unix and Windows platforms
    1.17 +#
    1.18 +# special strings
    1.19 +# ---------------
    1.20 +#   FIXME ... known problems, search for this string
    1.21 +#   NOTE .... unexpected behavior
    1.22 +#
    1.23 +########################################################################
    1.24 +
    1.25 +############################## ssl_init ################################
    1.26 +# local shell function to initialize this script
    1.27 +########################################################################
    1.28 +ssl_init()
    1.29 +{
    1.30 +  SCRIPTNAME=ssl.sh      # sourced - $0 would point to all.sh
    1.31 +
    1.32 +  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
    1.33 +      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
    1.34 +  fi
    1.35 +  
    1.36 +  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
    1.37 +      cd ../common
    1.38 +      . ./init.sh
    1.39 +  fi
    1.40 +  if [ -z "${IOPR_SSL_SOURCED}" ]; then
    1.41 +      . ../iopr/ssl_iopr.sh
    1.42 +  fi
    1.43 +  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
    1.44 +      cd ../cert
    1.45 +      . ./cert.sh
    1.46 +  fi
    1.47 +  SCRIPTNAME=ssl.sh
    1.48 +  echo "$SCRIPTNAME: SSL tests ==============================="
    1.49 +
    1.50 +  grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
    1.51 +      html_head "SSL Test failure"
    1.52 +      Exit 8 "Fatal - cert.sh needs to pass first"
    1.53 +  }
    1.54 +
    1.55 +  if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
    1.56 +      grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
    1.57 +          html_head "SSL Test failure"
    1.58 +          Exit 8 "Fatal - SSL of cert.sh needs to pass first"
    1.59 +      }
    1.60 +  fi
    1.61 +
    1.62 +  PORT=${PORT-8443}
    1.63 +  NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
    1.64 +  nss_ssl_run="stapling cov auth stress"
    1.65 +  NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
    1.66 +
    1.67 +  # Test case files
    1.68 +  SSLCOV=${QADIR}/ssl/sslcov.txt
    1.69 +  SSLAUTH=${QADIR}/ssl/sslauth.txt
    1.70 +  SSLSTRESS=${QADIR}/ssl/sslstress.txt
    1.71 +  REQUEST_FILE=${QADIR}/ssl/sslreq.dat
    1.72 +
    1.73 +  #temparary files
    1.74 +  SERVEROUTFILE=${TMP}/tests_server.$$
    1.75 +  SERVERPID=${TMP}/tests_pid.$$
    1.76 +
    1.77 +  R_SERVERPID=../tests_pid.$$
    1.78 +
    1.79 +  TEMPFILES="$TMPFILES ${SERVEROUTFILE}  ${SERVERPID}"
    1.80 +
    1.81 +  fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
    1.82 +  #fileout=1
    1.83 +  #verbose="-v" #FIXME - see where this is usefull
    1.84 +
    1.85 +  USER_NICKNAME=TestUser
    1.86 +  NORM_EXT=""
    1.87 +
    1.88 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
    1.89 +      ECC_STRING=" - with ECC"
    1.90 +  else
    1.91 +      ECC_STRING=""
    1.92 +  fi
    1.93 +
    1.94 +  CSHORT="-c ABCDEF:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
    1.95 +  CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
    1.96 +
    1.97 +  if [ "${OS_ARCH}" != "WINNT" ]; then
    1.98 +      ulimit -n 1000 # make sure we have enough file descriptors
    1.99 +  fi
   1.100 +
   1.101 +  cd ${CLIENTDIR}
   1.102 +}
   1.103 +
   1.104 +########################### is_selfserv_alive ##########################
   1.105 +# local shell function to exit with a fatal error if selfserver is not
   1.106 +# running
   1.107 +########################################################################
   1.108 +is_selfserv_alive()
   1.109 +{
   1.110 +  if [ ! -f "${SERVERPID}" ]; then
   1.111 +      echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
   1.112 +      sleep 5
   1.113 +      if [ ! -f "${SERVERPID}" ]; then
   1.114 +          Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
   1.115 +      fi
   1.116 +  fi
   1.117 +  
   1.118 +  if [ "${OS_ARCH}" = "WINNT" ] && \
   1.119 +     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
   1.120 +      PID=${SHELL_SERVERPID}
   1.121 +  else
   1.122 +      PID=`cat ${SERVERPID}`
   1.123 +  fi
   1.124 +
   1.125 +  echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
   1.126 +  kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
   1.127 +
   1.128 +  echo "selfserv with PID ${PID} found at `date`"
   1.129 +}
   1.130 +
   1.131 +########################### wait_for_selfserv ##########################
   1.132 +# local shell function to wait until selfserver is running and initialized
   1.133 +########################################################################
   1.134 +wait_for_selfserv()
   1.135 +{
   1.136 +  echo "trying to connect to selfserv at `date`"
   1.137 +  echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
   1.138 +  echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
   1.139 +  ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
   1.140 +          -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
   1.141 +  if [ $? -ne 0 ]; then
   1.142 +      sleep 5
   1.143 +      echo "retrying to connect to selfserv at `date`"
   1.144 +      echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
   1.145 +      echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
   1.146 +      ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
   1.147 +              -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
   1.148 +      if [ $? -ne 0 ]; then
   1.149 +          html_failed "Waiting for Server"
   1.150 +      fi
   1.151 +  fi
   1.152 +  is_selfserv_alive
   1.153 +}
   1.154 +
   1.155 +########################### kill_selfserv ##############################
   1.156 +# local shell function to kill the selfserver after the tests are done
   1.157 +########################################################################
   1.158 +kill_selfserv()
   1.159 +{
   1.160 +  if [ "${OS_ARCH}" = "WINNT" ] && \
   1.161 +     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
   1.162 +      PID=${SHELL_SERVERPID}
   1.163 +  else
   1.164 +      PID=`cat ${SERVERPID}`
   1.165 +  fi
   1.166 +
   1.167 +  echo "trying to kill selfserv with PID ${PID} at `date`"
   1.168 +
   1.169 +  if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
   1.170 +      echo "${KILL} ${PID}"
   1.171 +      ${KILL} ${PID}
   1.172 +  else
   1.173 +      echo "${KILL} -USR1 ${PID}"
   1.174 +      ${KILL} -USR1 ${PID}
   1.175 +  fi
   1.176 +  wait ${PID}
   1.177 +  if [ ${fileout} -eq 1 ]; then
   1.178 +      cat ${SERVEROUTFILE}
   1.179 +  fi
   1.180 +
   1.181 +  # On Linux selfserv needs up to 30 seconds to fully die and free
   1.182 +  # the port.  Wait until the port is free. (Bug 129701)
   1.183 +  if [ "${OS_ARCH}" = "Linux" ]; then
   1.184 +      echo "selfserv -b -p ${PORT} 2>/dev/null;"
   1.185 +      until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
   1.186 +          echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
   1.187 +          sleep 1
   1.188 +      done
   1.189 +  fi
   1.190 +
   1.191 +  echo "selfserv with PID ${PID} killed at `date`"
   1.192 +
   1.193 +  rm ${SERVERPID}
   1.194 +  html_detect_core "kill_selfserv core detection step"
   1.195 +}
   1.196 +
   1.197 +########################### start_selfserv #############################
   1.198 +# local shell function to start the selfserver with the parameters required 
   1.199 +# for this test and log information (parameters, start time)
   1.200 +# also: wait until the server is up and running
   1.201 +########################################################################
   1.202 +start_selfserv()
   1.203 +{
   1.204 +  if [ -n "$testname" ] ; then
   1.205 +      echo "$SCRIPTNAME: $testname ----"
   1.206 +  fi
   1.207 +  sparam=`echo $sparam | sed -e 's;_; ;g'`
   1.208 +  if [ -z "$NSS_DISABLE_ECC" ] && \
   1.209 +     [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
   1.210 +      ECC_OPTIONS="-e ${HOSTADDR}-ec"
   1.211 +  else
   1.212 +      ECC_OPTIONS=""
   1.213 +  fi
   1.214 +  if [ "$1" = "mixed" ]; then
   1.215 +      ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
   1.216 +  fi
   1.217 +  echo "selfserv starting at `date`"
   1.218 +  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
   1.219 +  echo "         ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
   1.220 +  if [ ${fileout} -eq 1 ]; then
   1.221 +      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
   1.222 +               ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
   1.223 +               > ${SERVEROUTFILE} 2>&1 &
   1.224 +      RET=$?
   1.225 +  else
   1.226 +      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
   1.227 +               ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
   1.228 +      RET=$?
   1.229 +  fi
   1.230 +
   1.231 +  # The PID $! returned by the MKS or Cygwin shell is not the PID of
   1.232 +  # the real background process, but rather the PID of a helper
   1.233 +  # process (sh.exe).  MKS's kill command has a bug: invoking kill
   1.234 +  # on the helper process does not terminate the real background
   1.235 +  # process.  Our workaround has been to have selfserv save its PID
   1.236 +  # in the ${SERVERPID} file and "kill" that PID instead.  But this
   1.237 +  # doesn't work under Cygwin; its kill command doesn't recognize
   1.238 +  # the PID of the real background process, but it does work on the
   1.239 +  # PID of the helper process.  So we save the value of $! in the
   1.240 +  # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
   1.241 +  # file under Cygwin.  (In fact, this should work in any shell
   1.242 +  # other than the MKS shell.)
   1.243 +  SHELL_SERVERPID=$!
   1.244 +  wait_for_selfserv
   1.245 +
   1.246 +  if [ "${OS_ARCH}" = "WINNT" ] && \
   1.247 +     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
   1.248 +      PID=${SHELL_SERVERPID}
   1.249 +  else
   1.250 +      PID=`cat ${SERVERPID}`
   1.251 +  fi
   1.252 +
   1.253 +  echo "selfserv with PID ${PID} started at `date`"
   1.254 +}
   1.255 +
   1.256 +############################## ssl_cov #################################
   1.257 +# local shell function to perform SSL Cipher Coverage tests
   1.258 +########################################################################
   1.259 +ssl_cov()
   1.260 +{
   1.261 +  html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
   1.262 +
   1.263 +  testname=""
   1.264 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
   1.265 +      sparam="$CLONG"
   1.266 +  else
   1.267 +      sparam="$CSHORT"
   1.268 +  fi
   1.269 +
   1.270 +  mixed=0
   1.271 +  start_selfserv # Launch the server
   1.272 +
   1.273 +  VMIN="ssl2"
   1.274 +  VMAX="tls1.1"
   1.275 +               
   1.276 +  exec < ${SSLCOV}
   1.277 +  while read ectype testmax param testname
   1.278 +  do
   1.279 +      echo "${testname}" | grep "EXPORT" > /dev/null 
   1.280 +      EXP=$?
   1.281 +      echo "${testname}" | grep "SSL2" > /dev/null
   1.282 +      SSL2=$?
   1.283 +
   1.284 +      if [ "${SSL2}" -eq 0 ] ; then
   1.285 +          # We cannot use asynchronous cert verification with SSL2
   1.286 +          SSL2_FLAGS=-O
   1.287 +          VMIN="ssl2"
   1.288 +      else
   1.289 +          # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
   1.290 +          # default in libssl but it is enabled by default in tstclnt; we want
   1.291 +          # to test the libssl default whenever possible.
   1.292 +          SSL2_FLAGS=
   1.293 +          VMIN="ssl3"
   1.294 +      fi
   1.295 +      
   1.296 +      if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
   1.297 +          echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
   1.298 +      elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
   1.299 +          echo "$SCRIPTNAME: skipping  $testname (ECC only)"
   1.300 +      elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
   1.301 +          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
   1.302 +      elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
   1.303 +          echo "$SCRIPTNAME: running $testname ----------------------------"
   1.304 +          VMAX="ssl3"
   1.305 +          if [ "$testmax" = "TLS10" ]; then
   1.306 +              VMAX="tls1.0"
   1.307 +          fi
   1.308 +          if [ "$testmax" = "TLS11" ]; then
   1.309 +              VMAX="tls1.1"
   1.310 +          fi
   1.311 +          if [ "$testmax" = "TLS12" ]; then
   1.312 +              VMAX="tls1.2"
   1.313 +          fi
   1.314 +
   1.315 +# These five tests need an EC cert signed with RSA
   1.316 +# This requires a different certificate loaded in selfserv
   1.317 +# due to a (current) NSS limitation of only loaded one cert
   1.318 +# per type so the default selfserv setup will not work.
   1.319 +#:C00B TLS ECDH RSA WITH NULL SHA
   1.320 +#:C00C TLS ECDH RSA WITH RC4 128 SHA
   1.321 +#:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
   1.322 +#:C00E TLS ECDH RSA WITH AES 128 CBC SHA
   1.323 +#:C00F TLS ECDH RSA WITH AES 256 CBC SHA
   1.324 +
   1.325 +          if [ $mixed -eq 0 ]; then
   1.326 +            if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
   1.327 +              kill_selfserv
   1.328 +              start_selfserv mixed
   1.329 +              mixed=1
   1.330 +            else
   1.331 +              is_selfserv_alive
   1.332 +            fi
   1.333 +          else 
   1.334 +            if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
   1.335 +              is_selfserv_alive
   1.336 +            else
   1.337 +              kill_selfserv
   1.338 +              start_selfserv
   1.339 +              mixed=0
   1.340 +            fi
   1.341 +          fi
   1.342 +
   1.343 +          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\"
   1.344 +          echo "        -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}"
   1.345 +
   1.346 +          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
   1.347 +          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \
   1.348 +                  -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \
   1.349 +                  >${TMP}/$HOST.tmp.$$  2>&1
   1.350 +          ret=$?
   1.351 +          cat ${TMP}/$HOST.tmp.$$ 
   1.352 +          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
   1.353 +          html_msg $ret 0 "${testname}" \
   1.354 +                   "produced a returncode of $ret, expected is 0"
   1.355 +      fi
   1.356 +  done
   1.357 +
   1.358 +  kill_selfserv
   1.359 +  html "</TABLE><BR>"
   1.360 +}
   1.361 +
   1.362 +############################## ssl_auth ################################
   1.363 +# local shell function to perform SSL  Client Authentication tests
   1.364 +########################################################################
   1.365 +ssl_auth()
   1.366 +{
   1.367 +  html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
   1.368 +
   1.369 +  exec < ${SSLAUTH}
   1.370 +  while read ectype value sparam cparam testname
   1.371 +  do
   1.372 +      [ -z "$ectype" ] && continue
   1.373 +      echo "${testname}" | grep "don't require client auth" > /dev/null
   1.374 +      CAUTH=$?
   1.375 +
   1.376 +      if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
   1.377 +          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
   1.378 +      elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
   1.379 +          echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
   1.380 +      elif [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
   1.381 +          echo "$SCRIPTNAME: skipping  $testname (ECC only)"
   1.382 +      elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
   1.383 +          cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
   1.384 +          if [ "$ectype" = "SNI" ]; then
   1.385 +              cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
   1.386 +              sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
   1.387 +          fi
   1.388 +          start_selfserv
   1.389 +
   1.390 +          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
   1.391 +          echo "        ${cparam}  < ${REQUEST_FILE}"
   1.392 +          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
   1.393 +          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
   1.394 +                  -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \
   1.395 +                  >${TMP}/$HOST.tmp.$$  2>&1
   1.396 +          ret=$?
   1.397 +          cat ${TMP}/$HOST.tmp.$$ 
   1.398 +          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
   1.399 +
   1.400 +          #workaround for bug #402058
   1.401 +          [ $ret -ne 0 ] && ret=1
   1.402 +          [ $value -ne 0 ] && value=1
   1.403 +
   1.404 +          html_msg $ret $value "${testname}" \
   1.405 +                   "produced a returncode of $ret, expected is $value"
   1.406 +          kill_selfserv
   1.407 +      fi
   1.408 +  done
   1.409 +
   1.410 +  html "</TABLE><BR>"
   1.411 +}
   1.412 +
   1.413 +ssl_stapling_sub()
   1.414 +{
   1.415 +    testname=$1
   1.416 +    SO=$2
   1.417 +    value=$3
   1.418 +
   1.419 +    if [ "$NORM_EXT" = "Extended Test" ] ; then
   1.420 +	# these tests use the ext_client directory for tstclnt,
   1.421 +	# which doesn't contain the required "TestCA" for server cert
   1.422 +	# verification, I don't know if it would be OK to add it...
   1.423 +	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
   1.424 +	return 0
   1.425 +    fi
   1.426 +    if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
   1.427 +          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
   1.428 +	return 0
   1.429 +    fi
   1.430 +
   1.431 +    SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
   1.432 +    SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
   1.433 +
   1.434 +    SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
   1.435 +    P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
   1.436 +
   1.437 +    echo "${testname}"
   1.438 +
   1.439 +    start_selfserv
   1.440 +
   1.441 +    echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
   1.442 +    echo "        -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
   1.443 +    rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
   1.444 +    ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
   1.445 +	    -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
   1.446 +	    >${TMP}/$HOST.tmp.$$  2>&1
   1.447 +    ret=$?
   1.448 +    cat ${TMP}/$HOST.tmp.$$
   1.449 +    rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
   1.450 +
   1.451 +    # hopefully no workaround for bug #402058 needed here?
   1.452 +    # (see commands in ssl_auth
   1.453 +
   1.454 +    html_msg $ret $value "${testname}" \
   1.455 +	    "produced a returncode of $ret, expected is $value"
   1.456 +    kill_selfserv
   1.457 +
   1.458 +    SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
   1.459 +    P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
   1.460 +}
   1.461 +
   1.462 +ssl_stapling_stress()
   1.463 +{
   1.464 +    testname="Stress OCSP stapling, server uses random status"
   1.465 +    SO="-A TestCA -T random"
   1.466 +    value=0
   1.467 +
   1.468 +    if [ "$NORM_EXT" = "Extended Test" ] ; then
   1.469 +	# these tests use the ext_client directory for tstclnt,
   1.470 +	# which doesn't contain the required "TestCA" for server cert
   1.471 +	# verification, I don't know if it would be OK to add it...
   1.472 +	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
   1.473 +	return 0
   1.474 +    fi
   1.475 +    if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
   1.476 +          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
   1.477 +	return 0
   1.478 +    fi
   1.479 +
   1.480 +    SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
   1.481 +    SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
   1.482 +
   1.483 +    SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
   1.484 +    P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
   1.485 +
   1.486 +    echo "${testname}"
   1.487 +    start_selfserv
   1.488 +
   1.489 +    echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
   1.490 +    echo "         -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}"
   1.491 +    echo "strsclnt started at `date`"
   1.492 +    ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
   1.493 +	    -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}
   1.494 +    ret=$?
   1.495 +
   1.496 +    echo "strsclnt completed at `date`"
   1.497 +    html_msg $ret $value \
   1.498 +	    "${testname}" \
   1.499 +	    "produced a returncode of $ret, expected is $value."
   1.500 +    kill_selfserv
   1.501 +
   1.502 +    SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
   1.503 +    P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
   1.504 +}
   1.505 +
   1.506 +############################ ssl_stapling ##############################
   1.507 +# local shell function to perform SSL Cert Status (OCSP Stapling) tests
   1.508 +########################################################################
   1.509 +ssl_stapling()
   1.510 +{
   1.511 +  html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
   1.512 +
   1.513 +  # tstclnt Exit code:
   1.514 +  # 0: have fresh and valid revocation data, status good
   1.515 +  # 1: cert failed to verify, prior to revocation checking
   1.516 +  # 2: missing, old or invalid revocation data
   1.517 +  # 3: have fresh and valid revocation data, status revoked
   1.518 +
   1.519 +  # selfserv modes
   1.520 +  # good, revoked, unkown: Include locally signed response. Requires: -A
   1.521 +  # failure: Include OCSP failure status, such as "try later" (unsigned)
   1.522 +  # badsig: use a good status but with an invalid signature
   1.523 +  # corrupted: stapled cert status is an invalid block of data
   1.524 +
   1.525 +  ssl_stapling_sub "OCSP stapling, signed response, good status"     "-A TestCA -T good"      0
   1.526 +  ssl_stapling_sub "OCSP stapling, signed response, revoked status"  "-A TestCA -T revoked"   3
   1.527 +  ssl_stapling_sub "OCSP stapling, signed response, unknown status"  "-A TestCA -T unknown"   2
   1.528 +  ssl_stapling_sub "OCSP stapling, unsigned failure response"        "-A TestCA -T failure"   2
   1.529 +  ssl_stapling_sub "OCSP stapling, good status, bad signature"       "-A TestCA -T badsig"    2
   1.530 +  ssl_stapling_sub "OCSP stapling, invalid cert status data"         "-A TestCA -T corrupted" 2
   1.531 +  ssl_stapling_sub "Valid cert, Server doesn't staple"               ""                       2
   1.532 +
   1.533 +  ssl_stapling_stress
   1.534 +
   1.535 +  html "</TABLE><BR>"
   1.536 +}
   1.537 +
   1.538 +
   1.539 +############################## ssl_stress ##############################
   1.540 +# local shell function to perform SSL stress test
   1.541 +########################################################################
   1.542 +ssl_stress()
   1.543 +{
   1.544 +  html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
   1.545 +
   1.546 +  exec < ${SSLSTRESS}
   1.547 +  while read ectype value sparam cparam testname
   1.548 +  do
   1.549 +      if [ -z "$ectype" ]; then
   1.550 +          # silently ignore blank lines
   1.551 +          continue
   1.552 +      fi
   1.553 +
   1.554 +      echo "${testname}" | grep "SSL2" > /dev/null
   1.555 +      SSL2=$?
   1.556 +      echo "${testname}" | grep "client auth" > /dev/null
   1.557 +      CAUTH=$?
   1.558 +
   1.559 +      if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
   1.560 +          echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
   1.561 +      elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
   1.562 +          echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
   1.563 +      elif [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
   1.564 +          echo "$SCRIPTNAME: skipping  $testname (ECC only)"
   1.565 +      elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
   1.566 +          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
   1.567 +      elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
   1.568 +          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
   1.569 +      elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
   1.570 +          cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
   1.571 +          if [ "$ectype" = "SNI" ]; then
   1.572 +              cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
   1.573 +              sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
   1.574 +          fi
   1.575 +
   1.576 +# These tests need the mixed cert 
   1.577 +# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
   1.578 +# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
   1.579 +          p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;
   1.580 +          if [ "$p" = "-c_:C00E" ]; then
   1.581 +              start_selfserv mixed
   1.582 +          else
   1.583 +              start_selfserv
   1.584 +          fi
   1.585 +
   1.586 +          if [ "`uname -n`" = "sjsu" ] ; then
   1.587 +              echo "debugging disapering selfserv... ps -ef | grep selfserv"
   1.588 +              ps -ef | grep selfserv
   1.589 +          fi
   1.590 +
   1.591 +          echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
   1.592 +          echo "         $verbose ${HOSTADDR}"
   1.593 +          echo "strsclnt started at `date`"
   1.594 +          ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
   1.595 +                   $verbose ${HOSTADDR}
   1.596 +          ret=$?
   1.597 +          echo "strsclnt completed at `date`"
   1.598 +          html_msg $ret $value \
   1.599 +                   "${testname}" \
   1.600 +                   "produced a returncode of $ret, expected is $value. "
   1.601 +          if [ "`uname -n`" = "sjsu" ] ; then
   1.602 +              echo "debugging disapering selfserv... ps -ef | grep selfserv"
   1.603 +              ps -ef | grep selfserv
   1.604 +          fi
   1.605 +          kill_selfserv
   1.606 +      fi
   1.607 +  done
   1.608 +
   1.609 +  html "</TABLE><BR>"
   1.610 +}
   1.611 +
   1.612 +############################ ssl_crl_ssl ###############################
   1.613 +# local shell function to perform SSL test with/out revoked certs tests
   1.614 +########################################################################
   1.615 +ssl_crl_ssl()
   1.616 +{
   1.617 +  html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
   1.618 +  
   1.619 +  # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
   1.620 +  # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
   1.621 +  CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
   1.622 +  CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
   1.623 +  UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
   1.624 +
   1.625 +  exec < ${SSLAUTH}
   1.626 +  while read ectype value sparam cparam testname
   1.627 +  do
   1.628 +    [ "$ectype" = "" ] && continue
   1.629 +    if [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
   1.630 +        echo "$SCRIPTNAME: skipping $testname (ECC only)"
   1.631 +    elif [ "$ectype" = "SNI" ]; then
   1.632 +        continue
   1.633 +    elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
   1.634 +	servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
   1.635 +	pwd=`echo $cparam | grep nss`
   1.636 +	user=`echo $cparam | grep TestUser`
   1.637 +	_cparam=$cparam
   1.638 +	case $servarg in
   1.639 +	    1) if [ -z "$pwd" -o -z "$user" ]; then
   1.640 +                 rev_modvalue=0
   1.641 +               else
   1.642 +	         rev_modvalue=254
   1.643 +               fi
   1.644 +               ;;
   1.645 +	    2) rev_modvalue=254 ;;
   1.646 +	    3) if [ -z "$pwd" -o -z "$user" ]; then
   1.647 +		rev_modvalue=0
   1.648 +		else
   1.649 +		rev_modvalue=1
   1.650 +		fi
   1.651 +		;;
   1.652 +	    4) rev_modvalue=1 ;;
   1.653 +	esac
   1.654 +	TEMP_NUM=0
   1.655 +	while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
   1.656 +	  do
   1.657 +	  CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
   1.658 +	  TEMP_NUM=`expr $TEMP_NUM + 1`
   1.659 +	  USER_NICKNAME="TestUser${CURR_SER_NUM}"
   1.660 +	  cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
   1.661 +	  start_selfserv
   1.662 +	  
   1.663 +	  echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
   1.664 +	  echo "        ${cparam}  < ${REQUEST_FILE}"
   1.665 +	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
   1.666 +	  ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
   1.667 +	      -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
   1.668 +	      >${TMP}/$HOST.tmp.$$  2>&1
   1.669 +	  ret=$?
   1.670 +	  cat ${TMP}/$HOST.tmp.$$ 
   1.671 +	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
   1.672 +	  if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
   1.673 +	      modvalue=$rev_modvalue
   1.674 +              testAddMsg="revoked"
   1.675 +	  else
   1.676 +              testAddMsg="not revoked"
   1.677 +	      modvalue=$value
   1.678 +	  fi
   1.679 +	  
   1.680 +	  html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
   1.681 +		"produced a returncode of $ret, expected is $modvalue"
   1.682 +	  kill_selfserv
   1.683 +	done
   1.684 +    fi
   1.685 +  done
   1.686 +
   1.687 +  html "</TABLE><BR>"
   1.688 +}
   1.689 +
   1.690 +############################# is_revoked ###############################
   1.691 +# local shell function to check if certificate is revoked
   1.692 +########################################################################
   1.693 +is_revoked() {
   1.694 +    certNum=$1
   1.695 +    currLoadedGrp=$2
   1.696 +    
   1.697 +    found=0
   1.698 +    ownerGrp=1
   1.699 +    while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
   1.700 +      do
   1.701 +      currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
   1.702 +      currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
   1.703 +      currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
   1.704 +      if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
   1.705 +          found=1
   1.706 +      else
   1.707 +          ownerGrp=`expr $ownerGrp + 1`
   1.708 +      fi
   1.709 +    done
   1.710 +    if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
   1.711 +        return 1
   1.712 +    fi
   1.713 +    if [ $found -eq 0 ]; then
   1.714 +        return 1
   1.715 +    fi
   1.716 +    unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
   1.717 +    if [ $certNum -eq $unrevokedGrpCert ]; then
   1.718 +        return 1
   1.719 +    fi
   1.720 +    return 0
   1.721 +}
   1.722 +
   1.723 +########################### load_group_crl #############################
   1.724 +# local shell function to load CRL 
   1.725 +########################################################################
   1.726 +load_group_crl() {
   1.727 +    group=$1
   1.728 +    ectype=$2
   1.729 +
   1.730 +    OUTFILE_TMP=${TMP}/$HOST.tmp.$$
   1.731 +    grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
   1.732 +    grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
   1.733 +    grpEnd=`expr $grpBegin + $grpRange - 1`
   1.734 +    
   1.735 +    if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
   1.736 +        ret=1
   1.737 +        return 1;
   1.738 +    fi
   1.739 +    
   1.740 +    # Add -ec suffix for ECC
   1.741 +    if [ "$ectype" = "ECC" ] ; then
   1.742 +      ecsuffix="-ec"
   1.743 +      eccomment="ECC "
   1.744 +    else
   1.745 +      ecsuffix=""
   1.746 +      eccomment=""
   1.747 +    fi
   1.748 +    
   1.749 +    if [ "$RELOAD_CRL" != "" ]; then
   1.750 +        if [ $group -eq 1 ]; then
   1.751 +            echo "==================== Resetting to group 1 crl ==================="
   1.752 +            kill_selfserv
   1.753 +            start_selfserv
   1.754 +            is_selfserv_alive
   1.755 +        fi
   1.756 +        echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
   1.757 +
   1.758 +        echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
   1.759 +        echo "          -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
   1.760 +        echo "Request:"
   1.761 +        echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
   1.762 +        echo ""
   1.763 +        echo "RELOAD time $i"
   1.764 +
   1.765 +        REQF=${R_CLIENTDIR}.crlreq
   1.766 +        cat > ${REQF} <<_EOF_REQUEST_
   1.767 +GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
   1.768 +
   1.769 +_EOF_REQUEST_
   1.770 +
   1.771 +        ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f  \
   1.772 +            -d ${R_CLIENTDIR} -v -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
   1.773 +            >${OUTFILE_TMP}  2>&1 < ${REQF}
   1.774 +
   1.775 +        cat ${OUTFILE_TMP}
   1.776 +        grep "CRL ReCache Error" ${OUTFILE_TMP}
   1.777 +        if [ $? -eq 0 ]; then
   1.778 +            ret=1
   1.779 +            return 1
   1.780 +        fi
   1.781 +    else
   1.782 +        echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
   1.783 +
   1.784 +        kill_selfserv
   1.785 +        CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
   1.786 +        crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
   1.787 +             -p ../tests.pw.928
   1.788 +        ret=$?
   1.789 +        if [ "$ret" -eq 0 ]; then
   1.790 +	    html_passed "${CU_ACTION}"
   1.791 +            return 1
   1.792 +        fi
   1.793 +        start_selfserv        
   1.794 +    fi
   1.795 +    is_selfserv_alive
   1.796 +    ret=$?
   1.797 +    echo "================= CRL Reloaded ============="
   1.798 +}
   1.799 +
   1.800 +########################### ssl_crl_cache ##############################
   1.801 +# local shell function to perform SSL test for crl cache functionality
   1.802 +# with/out revoked certs 
   1.803 +########################################################################
   1.804 +ssl_crl_cache()
   1.805 +{
   1.806 +  html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
   1.807 +  SSLAUTH_TMP=${TMP}/authin.tl.tmp
   1.808 +  SERV_ARG=-r_-r
   1.809 +  rm -f ${SSLAUTH_TMP}
   1.810 +  echo ${SSLAUTH_TMP}
   1.811 +
   1.812 +  grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
   1.813 +  echo $?
   1.814 +  while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
   1.815 +    do
   1.816 +    sparam=$SERV_ARG
   1.817 +    start_selfserv
   1.818 +    exec < ${SSLAUTH_TMP}
   1.819 +    while read ectype value sparam cparam testname
   1.820 +      do
   1.821 +      [ "$ectype" = "" ] && continue
   1.822 +      if [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
   1.823 +        echo "$SCRIPTNAME: skipping  $testname (ECC only)"
   1.824 +      elif [ "$ectype" = "SNI" ]; then
   1.825 +          continue
   1.826 +      else
   1.827 +        servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
   1.828 +        pwd=`echo $cparam | grep nss`
   1.829 +        user=`echo $cparam | grep TestUser`
   1.830 +        _cparam=$cparam
   1.831 +        case $servarg in
   1.832 +            1) if [ -z "$pwd" -o -z "$user" ]; then
   1.833 +                rev_modvalue=0
   1.834 +                else
   1.835 +                rev_modvalue=254
   1.836 +                fi
   1.837 +                ;;
   1.838 +            2) rev_modvalue=254 ;;
   1.839 +
   1.840 +            3) if [ -z "$pwd" -o -z "$user" ]; then
   1.841 +                rev_modvalue=0
   1.842 +                else
   1.843 +                rev_modvalue=1
   1.844 +                fi
   1.845 +                ;;
   1.846 +            4) rev_modvalue=1 ;;
   1.847 +	  esac
   1.848 +        TEMP_NUM=0
   1.849 +        LOADED_GRP=1
   1.850 +        while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
   1.851 +          do
   1.852 +          while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
   1.853 +            do
   1.854 +            CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
   1.855 +            TEMP_NUM=`expr $TEMP_NUM + 1`
   1.856 +            USER_NICKNAME="TestUser${CURR_SER_NUM}"
   1.857 +            cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
   1.858 +
   1.859 +            echo "Server Args: $SERV_ARG"
   1.860 +            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
   1.861 +            echo "        ${cparam}  < ${REQUEST_FILE}"
   1.862 +            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
   1.863 +            ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
   1.864 +	        -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
   1.865 +                >${TMP}/$HOST.tmp.$$  2>&1
   1.866 +            ret=$?
   1.867 +            cat ${TMP}/$HOST.tmp.$$ 
   1.868 +            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
   1.869 +            is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
   1.870 +            isRevoked=$?
   1.871 +            if [ $isRevoked -eq 0 ]; then
   1.872 +                modvalue=$rev_modvalue
   1.873 +                testAddMsg="revoked"
   1.874 +            else
   1.875 +                modvalue=$value
   1.876 +                testAddMsg="not revoked"
   1.877 +            fi
   1.878 +
   1.879 +            is_selfserv_alive
   1.880 +            ss_status=$?
   1.881 +            if [ "$ss_status" -ne 0 ]; then
   1.882 +                html_msg $ret $modvalue \
   1.883 +                    "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
   1.884 +                    "produced a returncode of $ret, expected is $modvalue. " \
   1.885 +                    "selfserv is not alive!"
   1.886 +            else
   1.887 +                html_msg $ret $modvalue \
   1.888 +                    "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
   1.889 +                    "produced a returncode of $ret, expected is $modvalue"
   1.890 +            fi
   1.891 +          done
   1.892 +          LOADED_GRP=`expr $LOADED_GRP + 1`
   1.893 +          TEMP_NUM=0
   1.894 +          if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
   1.895 +              load_group_crl $LOADED_GRP $ectype
   1.896 +              html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
   1.897 +                  "produced a returncode of $ret, expected is 0"
   1.898 +          fi
   1.899 +        done
   1.900 +        # Restart selfserv to roll back to two initial group 1 crls
   1.901 +        # TestCA CRL and TestCA-ec CRL 
   1.902 +        kill_selfserv
   1.903 +        start_selfserv
   1.904 +      fi
   1.905 +    done
   1.906 +    kill_selfserv
   1.907 +    SERV_ARG="${SERV_ARG}_-r"
   1.908 +    rm -f ${SSLAUTH_TMP}
   1.909 +    grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus  > ${SSLAUTH_TMP}
   1.910 +  done
   1.911 +  TEMPFILES=${SSLAUTH_TMP}
   1.912 +  html "</TABLE><BR>"
   1.913 +}
   1.914 +
   1.915 +
   1.916 +############################## ssl_cleanup #############################
   1.917 +# local shell function to finish this script (no exit since it might be
   1.918 +# sourced)
   1.919 +########################################################################
   1.920 +ssl_cleanup()
   1.921 +{
   1.922 +  rm $SERVERPID 2>/dev/null
   1.923 +  cd ${QADIR}
   1.924 +  . common/cleanup.sh
   1.925 +}
   1.926 +
   1.927 +############################## ssl_run #################################
   1.928 +# local shell function to run coverage, authentication and stress tests
   1.929 +########################################################################
   1.930 +ssl_run()
   1.931 +{
   1.932 +    for SSL_RUN in ${NSS_SSL_RUN}
   1.933 +    do
   1.934 +        case "${SSL_RUN}" in
   1.935 +        "stapling")
   1.936 +            ssl_stapling
   1.937 +            ;;
   1.938 +        "cov")
   1.939 +            ssl_cov
   1.940 +            ;;
   1.941 +        "auth")
   1.942 +            ssl_auth
   1.943 +            ;;
   1.944 +        "stress")
   1.945 +            ssl_stress
   1.946 +            ;;
   1.947 +         esac
   1.948 +    done
   1.949 +}
   1.950 +
   1.951 +############################ ssl_run_all ###############################
   1.952 +# local shell function to run both standard and extended ssl tests
   1.953 +########################################################################
   1.954 +ssl_run_all()
   1.955 +{
   1.956 +    ORIG_SERVERDIR=$SERVERDIR
   1.957 +    ORIG_CLIENTDIR=$CLIENTDIR
   1.958 +    ORIG_R_SERVERDIR=$R_SERVERDIR
   1.959 +    ORIG_R_CLIENTDIR=$R_CLIENTDIR
   1.960 +    ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
   1.961 +    ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
   1.962 +
   1.963 +    USER_NICKNAME=TestUser
   1.964 +    NORM_EXT=""
   1.965 +    cd ${CLIENTDIR}
   1.966 +
   1.967 +    ssl_run
   1.968 +
   1.969 +    SERVERDIR=$EXT_SERVERDIR
   1.970 +    CLIENTDIR=$EXT_CLIENTDIR
   1.971 +    R_SERVERDIR=$R_EXT_SERVERDIR
   1.972 +    R_CLIENTDIR=$R_EXT_CLIENTDIR
   1.973 +    P_R_SERVERDIR=$P_R_EXT_SERVERDIR
   1.974 +    P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
   1.975 +
   1.976 +    USER_NICKNAME=ExtendedSSLUser
   1.977 +    NORM_EXT="Extended Test"
   1.978 +    cd ${CLIENTDIR}
   1.979 +    
   1.980 +    ssl_run
   1.981 +
   1.982 +    # the next round of ssl tests will only run if these vars are reset
   1.983 +    SERVERDIR=$ORIG_SERVERDIR
   1.984 +    CLIENTDIR=$ORIG_CLIENTDIR
   1.985 +    R_SERVERDIR=$ORIG_R_SERVERDIR
   1.986 +    R_CLIENTDIR=$ORIG_R_CLIENTDIR
   1.987 +    P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
   1.988 +    P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
   1.989 +
   1.990 +    USER_NICKNAME=TestUser
   1.991 +    NORM_EXT=
   1.992 +    cd ${QADIR}/ssl
   1.993 +}
   1.994 +
   1.995 +############################ ssl_set_fips ##############################
   1.996 +# local shell function to set FIPS mode on/off
   1.997 +########################################################################
   1.998 +ssl_set_fips()
   1.999 +{
  1.1000 +    CLTSRV=$1
  1.1001 +    ONOFF=$2
  1.1002 +
  1.1003 +    if [ ${CLTSRV} = "server" ]; then
  1.1004 +        DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
  1.1005 +    else
  1.1006 +        DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"
  1.1007 +    fi
  1.1008 +    
  1.1009 +    if [ "${ONOFF}" = "on" ]; then
  1.1010 +        FIPSMODE=true
  1.1011 +        RET_EXP=0
  1.1012 +    else
  1.1013 +        FIPSMODE=false
  1.1014 +        RET_EXP=1
  1.1015 +    fi
  1.1016 +
  1.1017 +    html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
  1.1018 +
  1.1019 +    for DBDIR in ${DBDIRS}
  1.1020 +    do
  1.1021 +        EXT_OPT=
  1.1022 +        echo ${DBDIR} | grep ext > /dev/null
  1.1023 +        if [ $? -eq 0 ]; then
  1.1024 +            EXT_OPT="extended "
  1.1025 +        fi
  1.1026 +
  1.1027 +        echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
  1.1028 +
  1.1029 +        echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
  1.1030 +        ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
  1.1031 +        RET=$?  
  1.1032 +        html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
  1.1033 +                 "produced a returncode of ${RET}, expected is 0"
  1.1034 +  
  1.1035 +        echo "modutil -dbdir ${DBDIR} -list"
  1.1036 +        DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
  1.1037 +        RET=$?  
  1.1038 +        html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
  1.1039 +                 "produced a returncode of ${RET}, expected is 0"
  1.1040 +
  1.1041 +        echo "${DBLIST}" | grep "FIPS PKCS #11"
  1.1042 +        RET=$?
  1.1043 +        html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
  1.1044 +                 "produced a returncode of ${RET}, expected is ${RET_EXP}"
  1.1045 +    done
  1.1046 +
  1.1047 +    html "</TABLE><BR>"
  1.1048 +}
  1.1049 +
  1.1050 +############################ ssl_set_fips ##############################
  1.1051 +# local shell function to run all tests set in NSS_SSL_TESTS variable 
  1.1052 +########################################################################
  1.1053 +ssl_run_tests()
  1.1054 +{
  1.1055 +    for SSL_TEST in ${NSS_SSL_TESTS}
  1.1056 +    do
  1.1057 +        case "${SSL_TEST}" in
  1.1058 +        "crl")
  1.1059 +            ssl_crl_ssl
  1.1060 +            ssl_crl_cache
  1.1061 +            ;;
  1.1062 +        "iopr")
  1.1063 +            ssl_iopr_run
  1.1064 +            ;;
  1.1065 +        *)
  1.1066 +            SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
  1.1067 +            CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
  1.1068 +
  1.1069 +            case "${SERVER_MODE}" in
  1.1070 +            "normal")
  1.1071 +                SERVER_OPTIONS=
  1.1072 +                ;;
  1.1073 +            "bypass")
  1.1074 +                SERVER_OPTIONS="-B -s"
  1.1075 +                ;;
  1.1076 +            "fips")
  1.1077 +                SERVER_OPTIONS=
  1.1078 +                ssl_set_fips server on
  1.1079 +                ;;
  1.1080 +            *)
  1.1081 +                echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
  1.1082 +                continue
  1.1083 +                ;;
  1.1084 +            esac
  1.1085 +
  1.1086 +            case "${CLIENT_MODE}" in
  1.1087 +            "normal")
  1.1088 +                CLIENT_OPTIONS=
  1.1089 +                ;;
  1.1090 +            "bypass")
  1.1091 +                CLIENT_OPTIONS="-B -s"
  1.1092 +                ;;
  1.1093 +            "fips")
  1.1094 +                SERVER_OPTIONS=
  1.1095 +                ssl_set_fips client on
  1.1096 +                ;;
  1.1097 +            *)
  1.1098 +                echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
  1.1099 +                continue
  1.1100 +                ;;
  1.1101 +            esac
  1.1102 +
  1.1103 +            ssl_run_all
  1.1104 +
  1.1105 +            if [ "${SERVER_MODE}" = "fips" ]; then
  1.1106 +                ssl_set_fips server off
  1.1107 +            fi
  1.1108 +
  1.1109 +            if [ "${CLIENT_MODE}" = "fips" ]; then
  1.1110 +                ssl_set_fips client off
  1.1111 +            fi
  1.1112 +            ;;
  1.1113 +        esac
  1.1114 +    done
  1.1115 +}
  1.1116 +
  1.1117 +################################# main #################################
  1.1118 +
  1.1119 +ssl_init
  1.1120 +ssl_run_tests
  1.1121 +ssl_cleanup
  1.1122 +
