The Tor Browser / file revision

 #! /bin/bash

 #

 # This Source Code Form is subject to the terms of the Mozilla Public

 # License, v. 2.0. If a copy of the MPL was not distributed with this

 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

 ########################################################################

 #

 # mozilla/security/nss/tests/ssl/ssl.sh

 #

 # Script to test NSS SSL

 #

 # needs to work on all Unix and Windows platforms

 #

 # special strings

 # ---------------

 #   FIXME ... known problems, search for this string

 #   NOTE .... unexpected behavior

 #

 ########################################################################

 ############################## ssl_init ################################

 # local shell function to initialize this script

 ########################################################################

 ssl_init()

 {

   SCRIPTNAME=ssl.sh      # sourced - $0 would point to all.sh

   if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for

       CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it

   fi

   if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then

       cd ../common

       . ./init.sh

   fi

   if [ -z "${IOPR_SSL_SOURCED}" ]; then

       . ../iopr/ssl_iopr.sh

   fi

   if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here

       cd ../cert

       . ./cert.sh

   fi

   SCRIPTNAME=ssl.sh

   echo "$SCRIPTNAME: SSL tests ==============================="

   grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {

       html_head "SSL Test failure"

       Exit 8 "Fatal - cert.sh needs to pass first"

   }

   if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then

       grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {

           html_head "SSL Test failure"

           Exit 8 "Fatal - SSL of cert.sh needs to pass first"

       }

   fi

   PORT=${PORT-8443}

   NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}

   nss_ssl_run="stapling cov auth stress"

   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}

   # Test case files

   SSLCOV=${QADIR}/ssl/sslcov.txt

   SSLAUTH=${QADIR}/ssl/sslauth.txt

   SSLSTRESS=${QADIR}/ssl/sslstress.txt

   REQUEST_FILE=${QADIR}/ssl/sslreq.dat

   #temparary files

   SERVEROUTFILE=${TMP}/tests_server.$$

   SERVERPID=${TMP}/tests_pid.$$

   R_SERVERPID=../tests_pid.$$

   TEMPFILES="$TMPFILES ${SERVEROUTFILE}  ${SERVERPID}"

   fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't

   #fileout=1

   #verbose="-v" #FIXME - see where this is usefull

   USER_NICKNAME=TestUser

   NORM_EXT=""

   if [ -z "$NSS_DISABLE_ECC" ] ; then

       ECC_STRING=" - with ECC"

   else

       ECC_STRING=""

   fi

   CSHORT="-c ABCDEF:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"

   CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"

   if [ "${OS_ARCH}" != "WINNT" ]; then

       ulimit -n 1000 # make sure we have enough file descriptors

   fi

   cd ${CLIENTDIR}

 }

 ########################### is_selfserv_alive ##########################

 # local shell function to exit with a fatal error if selfserver is not

 # running

 ########################################################################

 is_selfserv_alive()

 {

   if [ ! -f "${SERVERPID}" ]; then

       echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"

       sleep 5

       if [ ! -f "${SERVERPID}" ]; then

           Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"

       fi

   fi

   if [ "${OS_ARCH}" = "WINNT" ] && \

      [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then

       PID=${SHELL_SERVERPID}

   else

       PID=`cat ${SERVERPID}`

   fi

   echo "kill -0 ${PID} >/dev/null 2>/dev/null" 

   kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"

   echo "selfserv with PID ${PID} found at `date`"

 }

 ########################### wait_for_selfserv ##########################

 # local shell function to wait until selfserver is running and initialized

 ########################################################################

 wait_for_selfserv()

 {

   echo "trying to connect to selfserv at `date`"

   echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"

   echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"

   ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \

           -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}

   if [ $? -ne 0 ]; then

       sleep 5

       echo "retrying to connect to selfserv at `date`"

       echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"

       echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"

       ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \

               -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}

       if [ $? -ne 0 ]; then

           html_failed "Waiting for Server"

       fi

   fi

   is_selfserv_alive

 }

 ########################### kill_selfserv ##############################

 # local shell function to kill the selfserver after the tests are done

 ########################################################################

 kill_selfserv()

 {

   if [ "${OS_ARCH}" = "WINNT" ] && \

      [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then

       PID=${SHELL_SERVERPID}

   else

       PID=`cat ${SERVERPID}`

   fi

   echo "trying to kill selfserv with PID ${PID} at `date`"

   if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then

       echo "${KILL} ${PID}"

       ${KILL} ${PID}

   else

       echo "${KILL} -USR1 ${PID}"

       ${KILL} -USR1 ${PID}

   fi

   wait ${PID}

   if [ ${fileout} -eq 1 ]; then

       cat ${SERVEROUTFILE}

   fi

   # On Linux selfserv needs up to 30 seconds to fully die and free

   # the port.  Wait until the port is free. (Bug 129701)

   if [ "${OS_ARCH}" = "Linux" ]; then

       echo "selfserv -b -p ${PORT} 2>/dev/null;"

       until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do

           echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"

           sleep 1

       done

   fi

   echo "selfserv with PID ${PID} killed at `date`"

   rm ${SERVERPID}

   html_detect_core "kill_selfserv core detection step"

 }

 ########################### start_selfserv #############################

 # local shell function to start the selfserver with the parameters required 

 # for this test and log information (parameters, start time)

 # also: wait until the server is up and running

 ########################################################################

 start_selfserv()

 {

   if [ -n "$testname" ] ; then

       echo "$SCRIPTNAME: $testname ----"

   fi

   sparam=`echo $sparam | sed -e 's;_; ;g'`

   if [ -z "$NSS_DISABLE_ECC" ] && \

      [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then

       ECC_OPTIONS="-e ${HOSTADDR}-ec"

   else

       ECC_OPTIONS=""

   fi

   if [ "$1" = "mixed" ]; then

       ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"

   fi

   echo "selfserv starting at `date`"

   echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"

   echo "         ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"

   if [ ${fileout} -eq 1 ]; then

       ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \

                ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \

                > ${SERVEROUTFILE} 2>&1 &

       RET=$?

   else

       ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \

                ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &

       RET=$?

   fi

   # The PID $! returned by the MKS or Cygwin shell is not the PID of

   # the real background process, but rather the PID of a helper

   # process (sh.exe).  MKS's kill command has a bug: invoking kill

   # on the helper process does not terminate the real background

   # process.  Our workaround has been to have selfserv save its PID

   # in the ${SERVERPID} file and "kill" that PID instead.  But this

   # doesn't work under Cygwin; its kill command doesn't recognize

   # the PID of the real background process, but it does work on the

   # PID of the helper process.  So we save the value of $! in the

   # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}

   # file under Cygwin.  (In fact, this should work in any shell

   # other than the MKS shell.)

   SHELL_SERVERPID=$!

   wait_for_selfserv

   if [ "${OS_ARCH}" = "WINNT" ] && \

      [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then

       PID=${SHELL_SERVERPID}

   else

       PID=`cat ${SERVERPID}`

   fi

   echo "selfserv with PID ${PID} started at `date`"

 }

 ############################## ssl_cov #################################

 # local shell function to perform SSL Cipher Coverage tests

 ########################################################################

 ssl_cov()

 {

   html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

   testname=""

   if [ -z "$NSS_DISABLE_ECC" ] ; then

       sparam="$CLONG"

   else

       sparam="$CSHORT"

   fi

   mixed=0

   start_selfserv # Launch the server

   VMIN="ssl2"

   VMAX="tls1.1"

   exec < ${SSLCOV}

   while read ectype testmax param testname

   do

       echo "${testname}" | grep "EXPORT" > /dev/null 

       EXP=$?

       echo "${testname}" | grep "SSL2" > /dev/null

       SSL2=$?

       if [ "${SSL2}" -eq 0 ] ; then

           # We cannot use asynchronous cert verification with SSL2

           SSL2_FLAGS=-O

           VMIN="ssl2"

       else

           # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by

           # default in libssl but it is enabled by default in tstclnt; we want

           # to test the libssl default whenever possible.

           SSL2_FLAGS=

           VMIN="ssl3"

       fi

       if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then

           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"

       elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then

           echo "$SCRIPTNAME: skipping  $testname (ECC only)"

       elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then

           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"

       elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then

           echo "$SCRIPTNAME: running $testname ----------------------------"

           VMAX="ssl3"

           if [ "$testmax" = "TLS10" ]; then

               VMAX="tls1.0"

           fi

           if [ "$testmax" = "TLS11" ]; then

               VMAX="tls1.1"

           fi

           if [ "$testmax" = "TLS12" ]; then

               VMAX="tls1.2"

           fi

 # These five tests need an EC cert signed with RSA

 # This requires a different certificate loaded in selfserv

 # due to a (current) NSS limitation of only loaded one cert

 # per type so the default selfserv setup will not work.

 #:C00B TLS ECDH RSA WITH NULL SHA

 #:C00C TLS ECDH RSA WITH RC4 128 SHA

 #:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA

 #:C00E TLS ECDH RSA WITH AES 128 CBC SHA

 #:C00F TLS ECDH RSA WITH AES 256 CBC SHA

           if [ $mixed -eq 0 ]; then

             if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then

               kill_selfserv

               start_selfserv mixed

               mixed=1

             else

               is_selfserv_alive

             fi

           else 

             if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then

               is_selfserv_alive

             else

               kill_selfserv

               start_selfserv

               mixed=0

             fi

           fi

           echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\"

           echo "        -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}"

           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

           ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \

                   -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \

                   >${TMP}/$HOST.tmp.$$  2>&1

           ret=$?

           cat ${TMP}/$HOST.tmp.$$ 

           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

           html_msg $ret 0 "${testname}" \

                    "produced a returncode of $ret, expected is 0"

       fi

   done

   kill_selfserv

   html "</TABLE><BR>"

 }

 ############################## ssl_auth ################################

 # local shell function to perform SSL  Client Authentication tests

 ########################################################################

 ssl_auth()

 {

   html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

   exec < ${SSLAUTH}

   while read ectype value sparam cparam testname

   do

       [ -z "$ectype" ] && continue

       echo "${testname}" | grep "don't require client auth" > /dev/null

       CAUTH=$?

       if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then

           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"

       elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then

           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"

       elif [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then

           echo "$SCRIPTNAME: skipping  $testname (ECC only)"

       elif [ "`echo $ectype | cut -b 1`" != "#" ]; then

           cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `

           if [ "$ectype" = "SNI" ]; then

               cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `

               sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `

           fi

           start_selfserv

           echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"

           echo "        ${cparam}  < ${REQUEST_FILE}"

           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

           ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \

                   -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \

                   >${TMP}/$HOST.tmp.$$  2>&1

           ret=$?

           cat ${TMP}/$HOST.tmp.$$ 

           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

           #workaround for bug #402058

           [ $ret -ne 0 ] && ret=1

           [ $value -ne 0 ] && value=1

           html_msg $ret $value "${testname}" \

                    "produced a returncode of $ret, expected is $value"

           kill_selfserv

       fi

   done

   html "</TABLE><BR>"

 }

 ssl_stapling_sub()

 {

     testname=$1

     SO=$2

     value=$3

     if [ "$NORM_EXT" = "Extended Test" ] ; then

 	# these tests use the ext_client directory for tstclnt,

 	# which doesn't contain the required "TestCA" for server cert

 	# verification, I don't know if it would be OK to add it...

 	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"

 	return 0

     fi

     if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then

           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"

 	return 0

     fi

     SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}

     SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"

     SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}

     P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/

     echo "${testname}"

     start_selfserv

     echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"

     echo "        -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"

     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

     ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \

 	    -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \

 	    >${TMP}/$HOST.tmp.$$  2>&1

     ret=$?

     cat ${TMP}/$HOST.tmp.$$

     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

     # hopefully no workaround for bug #402058 needed here?

     # (see commands in ssl_auth

     html_msg $ret $value "${testname}" \

 	    "produced a returncode of $ret, expected is $value"

     kill_selfserv

     SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}

     P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}

 }

 ssl_stapling_stress()

 {

     testname="Stress OCSP stapling, server uses random status"

     SO="-A TestCA -T random"

     value=0

     if [ "$NORM_EXT" = "Extended Test" ] ; then

 	# these tests use the ext_client directory for tstclnt,

 	# which doesn't contain the required "TestCA" for server cert

 	# verification, I don't know if it would be OK to add it...

 	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"

 	return 0

     fi

     if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then

           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"

 	return 0

     fi

     SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}

     SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"

     SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}

     P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/

     echo "${testname}"

     start_selfserv

     echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"

     echo "         -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}"

     echo "strsclnt started at `date`"

     ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \

 	    -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}

     ret=$?

     echo "strsclnt completed at `date`"

     html_msg $ret $value \

 	    "${testname}" \

 	    "produced a returncode of $ret, expected is $value."

     kill_selfserv

     SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}

     P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}

 }

 ############################ ssl_stapling ##############################

 # local shell function to perform SSL Cert Status (OCSP Stapling) tests

 ########################################################################

 ssl_stapling()

 {

   html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

   # tstclnt Exit code:

   # 0: have fresh and valid revocation data, status good

   # 1: cert failed to verify, prior to revocation checking

   # 2: missing, old or invalid revocation data

   # 3: have fresh and valid revocation data, status revoked

   # selfserv modes

   # good, revoked, unkown: Include locally signed response. Requires: -A

   # failure: Include OCSP failure status, such as "try later" (unsigned)

   # badsig: use a good status but with an invalid signature

   # corrupted: stapled cert status is an invalid block of data

   ssl_stapling_sub "OCSP stapling, signed response, good status"     "-A TestCA -T good"      0

   ssl_stapling_sub "OCSP stapling, signed response, revoked status"  "-A TestCA -T revoked"   3

   ssl_stapling_sub "OCSP stapling, signed response, unknown status"  "-A TestCA -T unknown"   2

   ssl_stapling_sub "OCSP stapling, unsigned failure response"        "-A TestCA -T failure"   2

   ssl_stapling_sub "OCSP stapling, good status, bad signature"       "-A TestCA -T badsig"    2

   ssl_stapling_sub "OCSP stapling, invalid cert status data"         "-A TestCA -T corrupted" 2

   ssl_stapling_sub "Valid cert, Server doesn't staple"               ""                       2

   ssl_stapling_stress

   html "</TABLE><BR>"

 }

 ############################## ssl_stress ##############################

 # local shell function to perform SSL stress test

 ########################################################################

 ssl_stress()

 {

   html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

   exec < ${SSLSTRESS}

   while read ectype value sparam cparam testname

   do

       if [ -z "$ectype" ]; then

           # silently ignore blank lines

           continue

       fi

       echo "${testname}" | grep "SSL2" > /dev/null

       SSL2=$?

       echo "${testname}" | grep "client auth" > /dev/null

       CAUTH=$?

       if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then

           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"

       elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then

           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"

       elif [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then

           echo "$SCRIPTNAME: skipping  $testname (ECC only)"

       elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then

           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"

       elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then

           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"

       elif [ "`echo $ectype | cut -b 1`" != "#" ]; then

           cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `

           if [ "$ectype" = "SNI" ]; then

               cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `

               sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `

           fi

 # These tests need the mixed cert 

 # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)

 # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)

           p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;

           if [ "$p" = "-c_:C00E" ]; then

               start_selfserv mixed

           else

               start_selfserv

           fi

           if [ "`uname -n`" = "sjsu" ] ; then

               echo "debugging disapering selfserv... ps -ef | grep selfserv"

               ps -ef | grep selfserv

           fi

           echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"

           echo "         $verbose ${HOSTADDR}"

           echo "strsclnt started at `date`"

           ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \

                    $verbose ${HOSTADDR}

           ret=$?

           echo "strsclnt completed at `date`"

           html_msg $ret $value \

                    "${testname}" \

                    "produced a returncode of $ret, expected is $value. "

           if [ "`uname -n`" = "sjsu" ] ; then

               echo "debugging disapering selfserv... ps -ef | grep selfserv"

               ps -ef | grep selfserv

           fi

           kill_selfserv

       fi

   done

   html "</TABLE><BR>"

 }

 ############################ ssl_crl_ssl ###############################

 # local shell function to perform SSL test with/out revoked certs tests

 ########################################################################

 ssl_crl_ssl()

 {

   html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"

   # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.

   # Cert number $UNREVOKED_CERT_GRP_1 was not revoked

   CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN

   CRL_GROUP_RANGE=$CRL_GRP_1_RANGE

   UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1

   exec < ${SSLAUTH}

   while read ectype value sparam cparam testname

   do

     [ "$ectype" = "" ] && continue

     if [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then

         echo "$SCRIPTNAME: skipping $testname (ECC only)"

     elif [ "$ectype" = "SNI" ]; then

         continue

     elif [ "`echo $ectype | cut -b 1`" != "#" ]; then

 	servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`

 	pwd=`echo $cparam | grep nss`

 	user=`echo $cparam | grep TestUser`

 	_cparam=$cparam

 	case $servarg in

 	    1) if [ -z "$pwd" -o -z "$user" ]; then

                  rev_modvalue=0

                else

 	         rev_modvalue=254

                fi

                ;;

 	    2) rev_modvalue=254 ;;

 	    3) if [ -z "$pwd" -o -z "$user" ]; then

 		rev_modvalue=0

 		else

 		rev_modvalue=1

 		fi

 		;;

 	    4) rev_modvalue=1 ;;

 	esac

 	TEMP_NUM=0

 	while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]

 	  do

 	  CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`

 	  TEMP_NUM=`expr $TEMP_NUM + 1`

 	  USER_NICKNAME="TestUser${CURR_SER_NUM}"

 	  cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `

 	  start_selfserv

 	  echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"

 	  echo "        ${cparam}  < ${REQUEST_FILE}"

 	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

 	  ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \

 	      -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \

 	      >${TMP}/$HOST.tmp.$$  2>&1

 	  ret=$?

 	  cat ${TMP}/$HOST.tmp.$$ 

 	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

 	  if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then

 	      modvalue=$rev_modvalue

               testAddMsg="revoked"

 	  else

               testAddMsg="not revoked"

 	      modvalue=$value

 	  fi

 	  html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \

 		"produced a returncode of $ret, expected is $modvalue"

 	  kill_selfserv

 	done

     fi

   done

   html "</TABLE><BR>"

 }

 ############################# is_revoked ###############################

 # local shell function to check if certificate is revoked

 ########################################################################

 is_revoked() {

     certNum=$1

     currLoadedGrp=$2

     found=0

     ownerGrp=1

     while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]

       do

       currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`

       currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`

       currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`

       if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then

           found=1

       else

           ownerGrp=`expr $ownerGrp + 1`

       fi

     done

     if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then

         return 1

     fi

     if [ $found -eq 0 ]; then

         return 1

     fi

     unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`

     if [ $certNum -eq $unrevokedGrpCert ]; then

         return 1

     fi

     return 0

 }

 ########################### load_group_crl #############################

 # local shell function to load CRL 

 ########################################################################

 load_group_crl() {

     group=$1

     ectype=$2

     OUTFILE_TMP=${TMP}/$HOST.tmp.$$

     grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`

     grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`

     grpEnd=`expr $grpBegin + $grpRange - 1`

     if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then

         ret=1

         return 1;

     fi

     # Add -ec suffix for ECC

     if [ "$ectype" = "ECC" ] ; then

       ecsuffix="-ec"

       eccomment="ECC "

     else

       ecsuffix=""

       eccomment=""

     fi

     if [ "$RELOAD_CRL" != "" ]; then

         if [ $group -eq 1 ]; then

             echo "==================== Resetting to group 1 crl ==================="

             kill_selfserv

             start_selfserv

             is_selfserv_alive

         fi

         echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="

         echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"

         echo "          -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"

         echo "Request:"

         echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"

         echo ""

         echo "RELOAD time $i"

         REQF=${R_CLIENTDIR}.crlreq

         cat > ${REQF} <<_EOF_REQUEST_

 GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}

 _EOF_REQUEST_

         ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f  \

             -d ${R_CLIENTDIR} -v -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \

             >${OUTFILE_TMP}  2>&1 < ${REQF}

         cat ${OUTFILE_TMP}

         grep "CRL ReCache Error" ${OUTFILE_TMP}

         if [ $? -eq 0 ]; then

             ret=1

             return 1

         fi

     else

         echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="

         kill_selfserv

         CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"

         crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \

              -p ../tests.pw.928

         ret=$?

         if [ "$ret" -eq 0 ]; then

 	    html_passed "${CU_ACTION}"

             return 1

         fi

         start_selfserv        

     fi

     is_selfserv_alive

     ret=$?

     echo "================= CRL Reloaded ============="

 }

 ########################### ssl_crl_cache ##############################

 # local shell function to perform SSL test for crl cache functionality

 # with/out revoked certs 

 ########################################################################

 ssl_crl_cache()

 {

   html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"

   SSLAUTH_TMP=${TMP}/authin.tl.tmp

   SERV_ARG=-r_-r

   rm -f ${SSLAUTH_TMP}

   echo ${SSLAUTH_TMP}

   grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}

   echo $?

   while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]

     do

     sparam=$SERV_ARG

     start_selfserv

     exec < ${SSLAUTH_TMP}

     while read ectype value sparam cparam testname

       do

       [ "$ectype" = "" ] && continue

       if [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then

         echo "$SCRIPTNAME: skipping  $testname (ECC only)"

       elif [ "$ectype" = "SNI" ]; then

           continue

       else

         servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`

         pwd=`echo $cparam | grep nss`

         user=`echo $cparam | grep TestUser`

         _cparam=$cparam

         case $servarg in

             1) if [ -z "$pwd" -o -z "$user" ]; then

                 rev_modvalue=0

                 else

                 rev_modvalue=254

                 fi

                 ;;

             2) rev_modvalue=254 ;;

             3) if [ -z "$pwd" -o -z "$user" ]; then

                 rev_modvalue=0

                 else

                 rev_modvalue=1

                 fi

                 ;;

             4) rev_modvalue=1 ;;

 	  esac

         TEMP_NUM=0

         LOADED_GRP=1

         while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]

           do

           while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]

             do

             CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`

             TEMP_NUM=`expr $TEMP_NUM + 1`

             USER_NICKNAME="TestUser${CURR_SER_NUM}"

             cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `

             echo "Server Args: $SERV_ARG"

             echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"

             echo "        ${cparam}  < ${REQUEST_FILE}"

             rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

             ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \

 	        -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \

                 >${TMP}/$HOST.tmp.$$  2>&1

             ret=$?

             cat ${TMP}/$HOST.tmp.$$ 

             rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

             is_revoked ${CURR_SER_NUM} ${LOADED_GRP}

             isRevoked=$?

             if [ $isRevoked -eq 0 ]; then

                 modvalue=$rev_modvalue

                 testAddMsg="revoked"

             else

                 modvalue=$value

                 testAddMsg="not revoked"

             fi

             is_selfserv_alive

             ss_status=$?

             if [ "$ss_status" -ne 0 ]; then

                 html_msg $ret $modvalue \

                     "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \

                     "produced a returncode of $ret, expected is $modvalue. " \

                     "selfserv is not alive!"

             else

                 html_msg $ret $modvalue \

                     "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \

                     "produced a returncode of $ret, expected is $modvalue"

             fi

           done

           LOADED_GRP=`expr $LOADED_GRP + 1`

           TEMP_NUM=0

           if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then

               load_group_crl $LOADED_GRP $ectype

               html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \

                   "produced a returncode of $ret, expected is 0"

           fi

         done

         # Restart selfserv to roll back to two initial group 1 crls

         # TestCA CRL and TestCA-ec CRL 

         kill_selfserv

         start_selfserv

       fi

     done

     kill_selfserv

     SERV_ARG="${SERV_ARG}_-r"

     rm -f ${SSLAUTH_TMP}

     grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus  > ${SSLAUTH_TMP}

   done

   TEMPFILES=${SSLAUTH_TMP}

   html "</TABLE><BR>"

 }

 ############################## ssl_cleanup #############################

 # local shell function to finish this script (no exit since it might be

 # sourced)

 ########################################################################

 ssl_cleanup()

 {

   rm $SERVERPID 2>/dev/null

   cd ${QADIR}

   . common/cleanup.sh

 }

 ############################## ssl_run #################################

 # local shell function to run coverage, authentication and stress tests

 ########################################################################

 ssl_run()

 {

     for SSL_RUN in ${NSS_SSL_RUN}

     do

         case "${SSL_RUN}" in

         "stapling")

             ssl_stapling

             ;;

         "cov")

             ssl_cov

             ;;

         "auth")

             ssl_auth

             ;;

         "stress")

             ssl_stress

             ;;

          esac

     done

 }

 ############################ ssl_run_all ###############################

 # local shell function to run both standard and extended ssl tests

 ########################################################################

 ssl_run_all()

 {

     ORIG_SERVERDIR=$SERVERDIR

     ORIG_CLIENTDIR=$CLIENTDIR

     ORIG_R_SERVERDIR=$R_SERVERDIR

     ORIG_R_CLIENTDIR=$R_CLIENTDIR

     ORIG_P_R_SERVERDIR=$P_R_SERVERDIR

     ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR

     USER_NICKNAME=TestUser

     NORM_EXT=""

     cd ${CLIENTDIR}

     ssl_run

     SERVERDIR=$EXT_SERVERDIR

     CLIENTDIR=$EXT_CLIENTDIR

     R_SERVERDIR=$R_EXT_SERVERDIR

     R_CLIENTDIR=$R_EXT_CLIENTDIR

     P_R_SERVERDIR=$P_R_EXT_SERVERDIR

     P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR

     USER_NICKNAME=ExtendedSSLUser

     NORM_EXT="Extended Test"

     cd ${CLIENTDIR}

     ssl_run

     # the next round of ssl tests will only run if these vars are reset

     SERVERDIR=$ORIG_SERVERDIR

     CLIENTDIR=$ORIG_CLIENTDIR

     R_SERVERDIR=$ORIG_R_SERVERDIR

     R_CLIENTDIR=$ORIG_R_CLIENTDIR

     P_R_SERVERDIR=$ORIG_P_R_SERVERDIR

     P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR

     USER_NICKNAME=TestUser

     NORM_EXT=

     cd ${QADIR}/ssl

 }

 ############################ ssl_set_fips ##############################

 # local shell function to set FIPS mode on/off

 ########################################################################

 ssl_set_fips()

 {

     CLTSRV=$1

     ONOFF=$2

     if [ ${CLTSRV} = "server" ]; then

         DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"

     else

         DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"

     fi

     if [ "${ONOFF}" = "on" ]; then

         FIPSMODE=true

         RET_EXP=0

     else

         FIPSMODE=false

         RET_EXP=1

     fi

     html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"

     for DBDIR in ${DBDIRS}

     do

         EXT_OPT=

         echo ${DBDIR} | grep ext > /dev/null

         if [ $? -eq 0 ]; then

             EXT_OPT="extended "

         fi

         echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"

         echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"

         ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1

         RET=$?  

         html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \

                  "produced a returncode of ${RET}, expected is 0"

         echo "modutil -dbdir ${DBDIR} -list"

         DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`

         RET=$?  

         html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \

                  "produced a returncode of ${RET}, expected is 0"

         echo "${DBLIST}" | grep "FIPS PKCS #11"

         RET=$?

         html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \

                  "produced a returncode of ${RET}, expected is ${RET_EXP}"

     done

     html "</TABLE><BR>"

 }

 ############################ ssl_set_fips ##############################

 # local shell function to run all tests set in NSS_SSL_TESTS variable 

 ########################################################################

 ssl_run_tests()

 {

     for SSL_TEST in ${NSS_SSL_TESTS}

     do

         case "${SSL_TEST}" in

         "crl")

             ssl_crl_ssl

             ssl_crl_cache

             ;;

         "iopr")

             ssl_iopr_run

             ;;

         *)

             SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`

             CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`

             case "${SERVER_MODE}" in

             "normal")

                 SERVER_OPTIONS=

                 ;;

             "bypass")

                 SERVER_OPTIONS="-B -s"

                 ;;

             "fips")

                 SERVER_OPTIONS=

                 ssl_set_fips server on

                 ;;

             *)

                 echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"

                 continue

                 ;;

             esac

             case "${CLIENT_MODE}" in

             "normal")

                 CLIENT_OPTIONS=

                 ;;

             "bypass")

                 CLIENT_OPTIONS="-B -s"

                 ;;

             "fips")

                 SERVER_OPTIONS=

                 ssl_set_fips client on

                 ;;

             *)

                 echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"

                 continue

                 ;;

             esac

             ssl_run_all

             if [ "${SERVER_MODE}" = "fips" ]; then

                 ssl_set_fips server off

             fi

             if [ "${CLIENT_MODE}" = "fips" ]; then

                 ssl_set_fips client off

             fi

             ;;

         esac

     done

 }

 ################################# main #################################

 ssl_init

 ssl_run_tests

 ssl_cleanup