#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

########################################################################
#
# mozilla/security/nss/tests/ssl/ssl.sh
#
# Script to test NSS SSL
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
#
########################################################################
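############################## ssl_init ################################
# local shell function to initialize this script
# Globals (read): CLEANUP, INIT_SOURCED, IOPR_SSL_SOURCED, CERT_LOG_FILE,
#                 NSS_TEST_DISABLE_CRL, QADIR, TMP, TMPFILES,
#                 NSS_DISABLE_ECC, OS_ARCH, CLIENTDIR
# Globals (set):  SCRIPTNAME, CLEANUP, PORT, NSS_SSL_TESTS, NSS_SSL_RUN,
#                 SSLCOV, SSLAUTH, SSLSTRESS, REQUEST_FILE, SERVEROUTFILE,
#                 SERVERPID, R_SERVERPID, TEMPFILES, fileout, USER_NICKNAME,
#                 NORM_EXT, ECC_STRING, CSHORT, CLONG
# Exits:          Exit 8 when cert.sh did not record "SUCCESS: SSL passed"
#                 (and, unless NSS_TEST_DISABLE_CRL is set, the CRL prep line)
########################################################################
ssl_init()
{
    SCRIPTNAME=ssl.sh      # sourced - $0 would point to all.sh

    if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
        CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
    fi

    # An unset or empty INIT_SOURCED already compares != "TRUE", so the
    # former separate -z test was redundant.
    if [ "${INIT_SOURCED}" != "TRUE" ]; then
        cd ../common
        . ./init.sh
    fi
    if [ -z "${IOPR_SSL_SOURCED}" ]; then
        . ../iopr/ssl_iopr.sh
    fi
    if [ ! -r "${CERT_LOG_FILE}" ]; then  # we need certificates here
        cd ../cert
        . ./cert.sh
    fi
    SCRIPTNAME=ssl.sh
    echo "$SCRIPTNAME: SSL tests ==============================="

    # Refuse to run against a cert DB whose creation did not succeed;
    # every later test would otherwise fail in misleading ways.
    grep "SUCCESS: SSL passed" "${CERT_LOG_FILE}" >/dev/null || {
        html_head "SSL Test failure"
        Exit 8 "Fatal - cert.sh needs to pass first"
    }

    if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
        grep "SUCCESS: SSL CRL prep passed" "${CERT_LOG_FILE}" >/dev/null || {
            html_head "SSL Test failure"
            Exit 8 "Fatal - SSL of cert.sh needs to pass first"
        }
    fi

    PORT=${PORT-8443}    # "-" not ":-": only an unset PORT gets the default
    NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
    nss_ssl_run="stapling cov auth stress"
    NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}

    # Test case files
    SSLCOV=${QADIR}/ssl/sslcov.txt
    SSLAUTH=${QADIR}/ssl/sslauth.txt
    SSLSTRESS=${QADIR}/ssl/sslstress.txt
    REQUEST_FILE=${QADIR}/ssl/sslreq.dat

    # temporary files, made unique per shell PID
    SERVEROUTFILE=${TMP}/tests_server.$$
    SERVERPID=${TMP}/tests_pid.$$

    # same PID file, relative to the directory selfserv is started in
    R_SERVERPID=../tests_pid.$$

    # NOTE(review): reads $TMPFILES but assigns TEMPFILES -- confirm which of
    # the two names the cleanup code in init.sh actually consumes.
    TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"

    fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
    #fileout=1
    #verbose="-v" #FIXME - see where this is useful

    USER_NICKNAME=TestUser
    NORM_EXT=""

    if [ -z "$NSS_DISABLE_ECC" ] ; then
        ECC_STRING=" - with ECC"
    else
        ECC_STRING=""
    fi

    # Cipher-suite lists handed to selfserv via -c: CSHORT is the non-ECC
    # set, CLONG additionally lists the C0xx (ECDH/ECDHE) suites.
    CSHORT="-c ABCDEF:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
    CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"

    if [ "${OS_ARCH}" != "WINNT" ]; then
        ulimit -n 1000 # make sure we have enough file descriptors
    fi

    cd "${CLIENTDIR}"
}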
michael@0:
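########################### is_selfserv_alive ##########################
# local shell function to exit with a fatal error if selfserver is not
# running
# Globals (read): SERVERPID, OS_ARCH, OS_NAME, SHELL_SERVERPID, SCRIPTNAME
# Globals (set):  PID
# Exits:          Exit 9  if the PID file is still missing after a 5s grace
#                 Exit 10 if no PID could be read or kill -0 fails
########################################################################
is_selfserv_alive()
{
    if [ ! -f "${SERVERPID}" ]; then
        echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
        # selfserv writes the file itself once up; allow one more grace period
        sleep 5
        if [ ! -f "${SERVERPID}" ]; then
            Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
        fi
    fi

    # Under Cygwin/MinGW only the shell's own $! is a PID that kill(1)
    # understands; see the long comment in start_selfserv.
    if [ "${OS_ARCH}" = "WINNT" ] && \
       { [ "$OS_NAME" = "CYGWIN_NT" ] || [ "$OS_NAME" = "MINGW32_NT" ]; }; then
        PID=${SHELL_SERVERPID}
    else
        PID=$(cat "${SERVERPID}")
    fi

    # An empty or truncated PID file used to reach "kill -0" with no argument
    # and rely on kill's usage error; fail explicitly instead.
    if [ -z "${PID}" ]; then
        Exit 10 "Fatal - selfserv process not detectable"
    fi

    echo "kill -0 ${PID} >/dev/null 2>/dev/null"
    kill -0 "${PID}" >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"

    echo "selfserv with PID ${PID} found at $(date)"
}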
michael@0:
########################### wait_for_selfserv ##########################
# local shell function to wait until selfserver is running and initialized
# One tstclnt probe is made; on failure the script sleeps 5 seconds and
# probes once more, recording html_failed if that also fails.  In every
# case it ends with is_selfserv_alive, which exits fatally if the server
# process is gone.
# Globals (read): PORT, HOSTADDR, CLIENT_OPTIONS, P_R_CLIENTDIR,
#                 REQUEST_FILE, BINDIR
########################################################################

# helper: log and run a single probe connection; returns tstclnt's status
ssl_try_connect()
{
    echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
    echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
    # CLIENT_OPTIONS is a word list and is deliberately left unquoted
    ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
}

wait_for_selfserv()
{
    echo "trying to connect to selfserv at $(date)"
    if ! ssl_try_connect; then
        sleep 5
        echo "retrying to connect to selfserv at $(date)"
        ssl_try_connect || html_failed "Waiting for Server"
    fi
    is_selfserv_alive
}
michael@0:
########################### kill_selfserv ##############################
# local shell function to kill the selfserver after the tests are done
# Globals (read): OS_ARCH, OS_NAME, SHELL_SERVERPID, SERVERPID, KILL,
#                 fileout, SERVEROUTFILE, BINDIR, PORT
# Globals (set):  PID
# Side effects:   removes ${SERVERPID}; on Linux blocks until the port is
#                 free again; runs html_detect_core
########################################################################
kill_selfserv()
{
    # Cygwin/MinGW: kill the shell's helper PID, everything else: the PID
    # selfserv wrote into its PID file (see the comment in start_selfserv)
    case "${OS_ARCH}/${OS_NAME}" in
        WINNT/CYGWIN_NT|WINNT/MINGW32_NT) PID=${SHELL_SERVERPID} ;;
        *)                                PID=$(cat ${SERVERPID}) ;;
    esac

    echo "trying to kill selfserv with PID ${PID} at $(date)"

    # Windows/OS2 builds get a plain kill; Unix builds are sent USR1
    case "${OS_ARCH}" in
        WINNT|WIN95|OS2)
            echo "${KILL} ${PID}"
            ${KILL} ${PID}
            ;;
        *)
            echo "${KILL} -USR1 ${PID}"
            ${KILL} -USR1 ${PID}
            ;;
    esac
    wait ${PID}
    if [ ${fileout} -eq 1 ]; then
        cat ${SERVEROUTFILE}
    fi

    # On Linux selfserv needs up to 30 seconds to fully die and free
    # the port. Wait until the port is free. (Bug 129701)
    if [ "${OS_ARCH}" = "Linux" ]; then
        echo "selfserv -b -p ${PORT} 2>/dev/null;"
        until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
            echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
            sleep 1
        done
    fi

    echo "selfserv with PID ${PID} killed at $(date)"

    rm ${SERVERPID}
    html_detect_core "kill_selfserv core detection step"
}
michael@0:
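########################### start_selfserv #############################
# local shell function to start the selfserver with the parameters required
# for this test and log information (parameters, start time)
# also: wait until the server is up and running
# Arguments:      $1 - "mixed" to serve the EC cert signed with RSA
#                      (${HOSTADDR}-ecmixed) instead of ${HOSTADDR}-ec
# Globals (read): testname, sparam, NSS_DISABLE_ECC, NO_ECC_CERTS, HOSTADDR,
#                 PORT, P_R_SERVERDIR, SERVER_OPTIONS, R_SERVERPID, verbose,
#                 fileout, SERVEROUTFILE, PROFTOOL, BINDIR, OS_ARCH, OS_NAME
# Globals (set):  sparam (underscores turned into spaces), ECC_OPTIONS, RET,
#                 SHELL_SERVERPID, PID
########################################################################
start_selfserv()
{
    if [ -n "$testname" ] ; then
        echo "$SCRIPTNAME: $testname ----"
    fi
    # the test-case files encode spaces inside server parameters as '_'
    sparam=$(echo $sparam | sed -e 's;_; ;g')
    # an unset NO_ECC_CERTS already compares != "1", so no separate -z test
    if [ -z "$NSS_DISABLE_ECC" ] && [ "$NO_ECC_CERTS" != "1" ] ; then
        ECC_OPTIONS="-e ${HOSTADDR}-ec"
    else
        ECC_OPTIONS=""
    fi
    if [ "$1" = "mixed" ]; then
        ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
    fi
    echo "selfserv starting at $(date)"
    echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
    echo "         ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
    # SERVER_OPTIONS, ECC_OPTIONS, sparam and verbose are word lists and
    # must stay unquoted.  The two branches differ only in where the server's
    # output goes.  RET is always 0 directly after "&"; it is kept because
    # callers outside this file may still read it.
    if [ ${fileout} -eq 1 ]; then
        ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
                 ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
                 > ${SERVEROUTFILE} 2>&1 &
        RET=$?
    else
        ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
                 ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
        RET=$?
    fi

    # The PID $! returned by the MKS or Cygwin shell is not the PID of
    # the real background process, but rather the PID of a helper
    # process (sh.exe). MKS's kill command has a bug: invoking kill
    # on the helper process does not terminate the real background
    # process. Our workaround has been to have selfserv save its PID
    # in the ${SERVERPID} file and "kill" that PID instead. But this
    # doesn't work under Cygwin; its kill command doesn't recognize
    # the PID of the real background process, but it does work on the
    # PID of the helper process. So we save the value of $! in the
    # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
    # file under Cygwin. (In fact, this should work in any shell
    # other than the MKS shell.)
    SHELL_SERVERPID=$!
    wait_for_selfserv

    if [ "${OS_ARCH}" = "WINNT" ] && \
       { [ "$OS_NAME" = "CYGWIN_NT" ] || [ "$OS_NAME" = "MINGW32_NT" ]; }; then
        PID=${SHELL_SERVERPID}
    else
        PID=$(cat ${SERVERPID})
    fi

    echo "selfserv with PID ${PID} started at $(date)"
}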
michael@0:
############################## ssl_cov #################################
# local shell function to perform SSL Cipher Coverage tests
# Reads one test per line from ${SSLCOV}: "ectype testmax param testname".
# A single selfserv serves the whole table; it is only restarted to swap
# between the default and the "mixed" (EC cert signed with RSA) server cert.
# Globals (read): NORM_EXT, SERVER_MODE, CLIENT_MODE, ECC_STRING,
#                 NSS_DISABLE_ECC, CLONG, CSHORT, SSLCOV, PORT, HOSTADDR,
#                 CLIENT_OPTIONS, P_R_CLIENTDIR, REQUEST_FILE, TMP, HOST,
#                 PROFTOOL, BINDIR
# Globals (set):  testname, sparam, mixed, VMIN, VMAX, EXP, SSL2,
#                 SSL2_FLAGS, ret
# Side effects:   "exec <" redirects the shell's stdin to ${SSLCOV}
########################################################################
ssl_cov()
{
    html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

    testname=""
    # cipher list the server is started with: ECC suites only when enabled
    if [ -z "$NSS_DISABLE_ECC" ] ; then
        sparam="$CLONG"
    else
        sparam="$CSHORT"
    fi

    mixed=0
    start_selfserv # Launch the server

    VMIN="ssl2"
    VMAX="tls1.1"

    # NOTE: redirects stdin for the remainder of the shell, not just the loop
    exec < ${SSLCOV}
    while read ectype testmax param testname
    do
        # EXP / SSL2 hold grep's exit status: 0 means the test name matched
        echo "${testname}" | grep "EXPORT" > /dev/null
        EXP=$?
        echo "${testname}" | grep "SSL2" > /dev/null
        SSL2=$?

        if [ "${SSL2}" -eq 0 ] ; then
            # We cannot use asynchronous cert verification with SSL2
            SSL2_FLAGS=-O
            VMIN="ssl2"
        else
            # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
            # default in libssl but it is enabled by default in tstclnt; we want
            # to test the libssl default whenever possible.
            SSL2_FLAGS=
            VMIN="ssl3"
        fi

        # Skip rules: no SSL2 in the extended run, no ECC suites when ECC is
        # disabled, no SSL2 or export-grade suites when either side is in
        # FIPS mode, and table lines starting with '#' are comments.
        if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
            echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
        elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
            echo "$SCRIPTNAME: skipping $testname (ECC only)"
        elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
            echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
        elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
            echo "$SCRIPTNAME: running $testname ----------------------------"
            # highest protocol version tstclnt may offer for this cipher
            VMAX="ssl3"
            if [ "$testmax" = "TLS10" ]; then
                VMAX="tls1.0"
            fi
            if [ "$testmax" = "TLS11" ]; then
                VMAX="tls1.1"
            fi
            if [ "$testmax" = "TLS12" ]; then
                VMAX="tls1.2"
            fi

            # These five tests need an EC cert signed with RSA
            # This requires a different certificate loaded in selfserv
            # due to a (current) NSS limitation of only loaded one cert
            # per type so the default selfserv setup will not work.
            #:C00B TLS ECDH RSA WITH NULL SHA
            #:C00C TLS ECDH RSA WITH RC4 128 SHA
            #:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
            #:C00E TLS ECDH RSA WITH AES 128 CBC SHA
            #:C00F TLS ECDH RSA WITH AES 256 CBC SHA

            # Restart selfserv only when the required server cert changes;
            # otherwise just confirm the running instance is still alive.
            if [ $mixed -eq 0 ]; then
                if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
                    kill_selfserv
                    start_selfserv mixed
                    mixed=1
                else
                    is_selfserv_alive
                fi
            else
                if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
                    is_selfserv_alive
                else
                    kill_selfserv
                    start_selfserv
                    mixed=0
                fi
            fi

            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\"
            echo "        -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}"

            # client output is captured to a per-PID temp file and echoed
            # afterwards so the exit status can be taken from tstclnt itself
            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
            ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \
                    -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \
                    >${TMP}/$HOST.tmp.$$  2>&1
            ret=$?
            cat ${TMP}/$HOST.tmp.$$
            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
            # every coverage case is expected to handshake successfully (0)
            html_msg $ret 0 "${testname}" \
                     "produced a returncode of $ret, expected is 0"
        fi
    done

    kill_selfserv
    html "
"
}
michael@0:
############################## ssl_auth ################################
# local shell function to perform SSL Client Authentication tests
# Reads "ectype value sparam cparam testname" lines from ${SSLAUTH}; for
# each runnable line a fresh selfserv is started, tstclnt is run with the
# client parameters and the exit status is compared against "value".
# Globals (read): NORM_EXT, SERVER_MODE, CLIENT_MODE, ECC_STRING, SSLAUTH,
#                 NSS_DISABLE_ECC, USER_NICKNAME, HOST, DOMSUF, PORT,
#                 HOSTADDR, P_R_CLIENTDIR, CLIENT_OPTIONS, REQUEST_FILE,
#                 TMP, PROFTOOL, BINDIR
# Globals (set):  ectype, value, sparam, cparam, testname, CAUTH, ret
# Side effects:   "exec <" redirects the shell's stdin to ${SSLAUTH}
########################################################################
ssl_auth()
{
    html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

    exec < ${SSLAUTH}
    while read ectype value sparam cparam testname
    do
        [ -z "$ectype" ] && continue
        # CAUTH is grep's status: 0 when the test does NOT require client auth
        echo "${testname}" | grep "don't require client auth" > /dev/null
        CAUTH=$?

        if [ "${CLIENT_MODE}" = "fips" ] && [ "${CAUTH}" -eq 0 ] ; then
            echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
        elif [ "$ectype" = "SNI" ] && [ "$NORM_EXT" = "Extended Test" ] ; then
            echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
        elif [ "$ectype" = "ECC" ] && [ -n "$NSS_DISABLE_ECC" ] ; then
            echo "$SCRIPTNAME: skipping $testname (ECC only)"
        elif [ "${ectype#\#}" = "$ectype" ]; then
            # not a '#' comment line: expand the '_' placeholders and the
            # TestUser / Host / Dom tokens used by the table
            cparam=$(echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" )
            if [ "$ectype" = "SNI" ]; then
                cparam=$(echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" )
                sparam=$(echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" )
            fi
            start_selfserv

            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
            echo "        ${cparam} < ${REQUEST_FILE}"
            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
            ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
                    -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \
                    >${TMP}/$HOST.tmp.$$  2>&1
            ret=$?
            cat ${TMP}/$HOST.tmp.$$
            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

            #workaround for bug #402058: collapse any non-zero status to 1
            if [ $ret -ne 0 ]; then
                ret=1
            fi
            if [ $value -ne 0 ]; then
                value=1
            fi

            html_msg $ret $value "${testname}" \
                     "produced a returncode of $ret, expected is $value"
            kill_selfserv
        fi
    done

    html "
"
}
michael@0:
########################## ssl_stapling_sub ############################
# local shell function to run a single OCSP stapling test case
# Arguments: $1 - test name
#            $2 - extra selfserv options (the -A/-T stapling switches)
#            $3 - expected tstclnt exit code
# SERVER_OPTIONS and P_R_SERVERDIR are temporarily changed (the stapling
# DB lives in ../stapling/) and restored before returning.
# Globals (set): testname, SO, value, SAVE_SERVER_OPTIONS,
#                SAVE_P_R_SERVERDIR, ret
########################################################################
ssl_stapling_sub()
{
    testname=$1
    SO=$2
    value=$3

    case "$NORM_EXT" in
        "Extended Test")
            # these tests use the ext_client directory for tstclnt,
            # which doesn't contain the required "TestCA" for server cert
            # verification, I don't know if it would be OK to add it...
            echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
            return 0
            ;;
    esac
    if [ "$SERVER_MODE" = "fips" ] || [ "$CLIENT_MODE" = "fips" ] ; then
        echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
        return 0
    fi

    # remember the caller's server settings, then switch to the stapling setup
    SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
    SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
    SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
    P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/

    echo "${testname}"
    start_selfserv

    echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
    echo "        -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
    rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
    ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
            -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
            >${TMP}/$HOST.tmp.$$  2>&1
    ret=$?
    cat ${TMP}/$HOST.tmp.$$
    rm ${TMP}/$HOST.tmp.$$ 2>/dev/null

    # hopefully no workaround for bug #402058 needed here?
    # (see comments in ssl_auth)
    html_msg $ret $value "${testname}" \
             "produced a returncode of $ret, expected is $value"
    kill_selfserv

    SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
    P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
}
michael@0:
######################### ssl_stapling_stress ##########################
# local shell function to stress OCSP stapling with strsclnt against a
# selfserv that answers with a random stapled status ("-A TestCA -T random")
# SERVER_OPTIONS and P_R_SERVERDIR are temporarily changed (the stapling
# DB lives in ../stapling/) and restored before returning.
# Globals (set): testname, SO, value, SAVE_SERVER_OPTIONS,
#                SAVE_P_R_SERVERDIR, ret
########################################################################
ssl_stapling_stress()
{
    testname="Stress OCSP stapling, server uses random status"
    SO="-A TestCA -T random"
    value=0

    case "$NORM_EXT" in
        "Extended Test")
            # these tests use the ext_client directory for tstclnt,
            # which doesn't contain the required "TestCA" for server cert
            # verification, I don't know if it would be OK to add it...
            echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
            return 0
            ;;
    esac
    if [ "$SERVER_MODE" = "fips" ] || [ "$CLIENT_MODE" = "fips" ] ; then
        echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
        return 0
    fi

    # remember the caller's server settings, then switch to the stapling setup
    SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
    SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
    SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
    P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/

    echo "${testname}"
    start_selfserv

    echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
    echo "         -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}"
    echo "strsclnt started at $(date)"
    # CLIENT_OPTIONS and verbose are word lists; leave them unquoted
    ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
            -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}
    ret=$?

    echo "strsclnt completed at $(date)"
    html_msg $ret $value \
             "${testname}" \
             "produced a returncode of $ret, expected is $value."
    kill_selfserv

    SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
    P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
}
michael@0:
############################ ssl_stapling ##############################
# local shell function to perform SSL Cert Status (OCSP Stapling) tests
# Drives ssl_stapling_sub once per server stapling mode with the tstclnt
# exit code that mode must produce, then runs ssl_stapling_stress.
# Globals (read): NORM_EXT, SERVER_MODE, CLIENT_MODE, ECC_STRING
########################################################################
ssl_stapling()
{
    html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

    # tstclnt Exit code:
    # 0: have fresh and valid revocation data, status good
    # 1: cert failed to verify, prior to revocation checking
    # 2: missing, old or invalid revocation data
    # 3: have fresh and valid revocation data, status revoked

    # selfserv modes
    # good, revoked, unknown: Include locally signed response. Requires: -A
    # failure: Include OCSP failure status, such as "try later" (unsigned)
    # badsig: use a good status but with an invalid signature
    # corrupted: stapled cert status is an invalid block of data

    # Only a properly signed "good" answer may yield 0 and only a properly
    # signed "revoked" answer may yield 3; every malformed, unsigned or
    # missing response must be treated as "no usable revocation data" (2).
    ssl_stapling_sub "OCSP stapling, signed response, good status"    "-A TestCA -T good"      0
    ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked"   3
    ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown"   2
    ssl_stapling_sub "OCSP stapling, unsigned failure response"       "-A TestCA -T failure"   2
    ssl_stapling_sub "OCSP stapling, good status, bad signature"      "-A TestCA -T badsig"    2
    ssl_stapling_sub "OCSP stapling, invalid cert status data"        "-A TestCA -T corrupted" 2
    ssl_stapling_sub "Valid cert, Server doesn't staple"              ""                       2

    ssl_stapling_stress

    html "
"
}
michael@0:
michael@0:
############################## ssl_stress ##############################
# local shell function to perform SSL stress test
# Reads "ectype value sparam cparam testname" lines from ${SSLSTRESS}; for
# each runnable line a selfserv is started (with the "mixed" cert when the
# server cipher is :C00E) and strsclnt is run with the client parameters.
# Globals (read): NORM_EXT, SERVER_MODE, CLIENT_MODE, ECC_STRING, SSLSTRESS,
#                 NSS_DISABLE_ECC, USER_NICKNAME, HOST, DOMSUF, PORT,
#                 P_R_CLIENTDIR, CLIENT_OPTIONS, verbose, HOSTADDR,
#                 PROFTOOL, BINDIR
# Globals (set):  ectype, value, sparam, cparam, testname, SSL2, CAUTH, p, ret
# Side effects:   "exec <" redirects the shell's stdin to ${SSLSTRESS}
########################################################################
ssl_stress()
{
    html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

    exec < ${SSLSTRESS}
    while read ectype value sparam cparam testname
    do
        if [ -z "$ectype" ]; then
            # silently ignore blank lines
            continue
        fi

        # grep exit statuses: 0 when the test name contains the phrase
        echo "${testname}" | grep "SSL2" > /dev/null
        SSL2=$?
        echo "${testname}" | grep "client auth" > /dev/null
        CAUTH=$?

        # Skip rules: no SSL2 or SNI cases in the extended run, no ECC when
        # disabled, no SSL2 under FIPS, and table lines starting with '#'
        # are comments.
        if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
            echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
        elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
            echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
        elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
            echo "$SCRIPTNAME: skipping $testname (ECC only)"
        elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
            echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
        elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
            echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
        elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
            # expand the '_' placeholders and the TestUser / Host / Dom tokens
            cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
            if [ "$ectype" = "SNI" ]; then
                cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
                sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
            fi

            # These tests need the mixed cert
            # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
            # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
            # p is the "-c_:C0xx" cipher token extracted from the server params
            p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;
            if [ "$p" = "-c_:C00E" ]; then
                start_selfserv mixed
            else
                start_selfserv
            fi

            # extra diagnostics for one specific build host only
            if [ "`uname -n`" = "sjsu" ] ; then
                echo "debugging disapering selfserv... ps -ef | grep selfserv"
                ps -ef | grep selfserv
            fi

            echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
            echo "         $verbose ${HOSTADDR}"
            echo "strsclnt started at `date`"
            # CLIENT_OPTIONS, cparam and verbose are word lists; left unquoted
            ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
                     $verbose ${HOSTADDR}
            ret=$?
            echo "strsclnt completed at `date`"
            html_msg $ret $value \
                     "${testname}" \
                     "produced a returncode of $ret, expected is $value. "
            if [ "`uname -n`" = "sjsu" ] ; then
                echo "debugging disapering selfserv... ps -ef | grep selfserv"
                ps -ef | grep selfserv
            fi
            kill_selfserv
        fi
    done

    html "
"
}
michael@0:
############################ ssl_crl_ssl ###############################
# local shell function to perform SSL test with/out revoked certs tests
# Re-uses the ${SSLAUTH} table: for every non-SNI client-auth case each
# certificate of the first CRL group is tried in turn against a fresh
# selfserv, and the expected result depends on whether that cert is the
# group's one unrevoked cert.
# Globals (read): NORM_EXT, ECC_STRING, CRL_GRP_1_BEGIN, CRL_GRP_1_RANGE,
#                 UNREVOKED_CERT_GRP_1, SSLAUTH, NSS_DISABLE_ECC, PORT,
#                 HOSTADDR, R_CLIENTDIR, REQUEST_FILE, TMP, HOST, PROFTOOL,
#                 BINDIR
# Globals (set):  CRL_GROUP_BEGIN, CRL_GROUP_RANGE, UNREVOKED_CERT, ectype,
#                 value, sparam, cparam, testname, servarg, pwd, user,
#                 _cparam, rev_modvalue, TEMP_NUM, CURR_SER_NUM,
#                 USER_NICKNAME, ret, modvalue, testAddMsg
# Side effects:   "exec <" redirects the shell's stdin to ${SSLAUTH}
########################################################################
ssl_crl_ssl()
{
    html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"

    # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
    # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
    CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
    CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
    UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1

    exec < ${SSLAUTH}
    while read ectype value sparam cparam testname
    do
        [ "$ectype" = "" ] && continue
        if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
            echo "$SCRIPTNAME: skipping $testname (ECC only)"
        elif [ "$ectype" = "SNI" ]; then
            continue
        elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
            # servarg = number of "-r" switches in the server params
            # (awk splits on "-r" and reports one less than the piece count)
            servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
            # does the client supply a password / a TestUser cert nickname?
            # (note: "pwd" here is a plain variable, not the pwd command)
            pwd=`echo $cparam | grep nss`
            user=`echo $cparam | grep TestUser`
            _cparam=$cparam
            # expected tstclnt status for a REVOKED cert, by -r count and by
            # whether the client actually presents a cert and password
            case $servarg in
                1) if [ -z "$pwd" -o -z "$user" ]; then
                       rev_modvalue=0
                   else
                       rev_modvalue=254
                   fi
                   ;;
                2) rev_modvalue=254 ;;
                3) if [ -z "$pwd" -o -z "$user" ]; then
                       rev_modvalue=0
                   else
                       rev_modvalue=1
                   fi
                   ;;
                4) rev_modvalue=1 ;;
            esac
            # walk every serial number of the CRL group
            TEMP_NUM=0
            while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
            do
                CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
                TEMP_NUM=`expr $TEMP_NUM + 1`
                USER_NICKNAME="TestUser${CURR_SER_NUM}"
                # re-expand from the untouched _cparam so each iteration
                # substitutes its own nickname
                cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
                start_selfserv

                echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
                echo "        ${cparam} < ${REQUEST_FILE}"
                rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
                ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
                        -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
                        >${TMP}/$HOST.tmp.$$  2>&1
                ret=$?
                cat ${TMP}/$HOST.tmp.$$
                rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
                # the unrevoked cert keeps the table's expected value; all
                # others must fail the way rev_modvalue predicts
                if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
                    modvalue=$rev_modvalue
                    testAddMsg="revoked"
                else
                    testAddMsg="not revoked"
                    modvalue=$value
                fi

                html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
                         "produced a returncode of $ret, expected is $modvalue"
                kill_selfserv
            done
        fi
    done

    html "
"
}
michael@0:
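############################# is_revoked ###############################
# local shell function to check if certificate is revoked
# Arguments: $1 - certificate serial number (the N of TestUserN)
#            $2 - number of the CRL group currently loaded into selfserv
# Globals (read): TOTAL_GRP_NUM, CRL_GRP_<n>_BEGIN, CRL_GRP_<n>_RANGE,
#                 UNREVOKED_CERT_GRP_<n>
# Globals (set):  certNum, currLoadedGrp, found, ownerGrp, currGrpBegin,
#                 currGrpRange, currGrpEnd, unrevokedGrpCert
# Returns: 0 if the cert is covered by an already-loaded CRL group and is
#          not that group's unrevoked cert; 1 if it is unrevoked, belongs to
#          a group that has not been loaded yet, or lies in no group at all
########################################################################
is_revoked() {
    certNum=$1
    currLoadedGrp=$2

    # find the CRL group whose serial-number range contains certNum
    found=0
    ownerGrp=1
    while [ $ownerGrp -le $TOTAL_GRP_NUM ] && [ $found -eq 0 ]
    do
        # ${!name} indirection replaces the former eval on a built-up
        # variable name; same value, no re-parsing of the string as code
        beginVar=CRL_GRP_${ownerGrp}_BEGIN
        rangeVar=CRL_GRP_${ownerGrp}_RANGE
        currGrpBegin=${!beginVar}
        currGrpRange=${!rangeVar}
        currGrpEnd=$((currGrpBegin + currGrpRange - 1))
        if [ $certNum -ge $currGrpBegin ] && [ $certNum -le $currGrpEnd ]; then
            found=1
        else
            ownerGrp=$((ownerGrp + 1))
        fi
    done
    # the owning group's CRL is not loaded yet, so nothing revokes it
    if [ $found -eq 1 ] && [ $currLoadedGrp -lt $ownerGrp ]; then
        return 1
    fi
    if [ $found -eq 0 ]; then
        return 1
    fi
    # each group keeps exactly one cert off its CRL
    unrevokedVar=UNREVOKED_CERT_GRP_${ownerGrp}
    unrevokedGrpCert=${!unrevokedVar}
    if [ $certNum -eq $unrevokedGrpCert ]; then
        return 1
    fi
    return 0
}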
michael@0:
########################### load_group_crl #############################
# local shell function to load CRL
# Arguments: $1 - CRL group number (selects CRL_GRP_<n>_BEGIN/_RANGE)
#            $2 - "ECC" to use the -ec CRL and nickname variants
# With RELOAD_CRL set the CRL is fetched by a running selfserv through a
# "GET crl://..." request issued by tstclnt; otherwise selfserv is stopped,
# the CRL is imported into the server DB with crlu and selfserv restarted.
# Globals (read): TMP, HOST, RELOAD_CRL, PORT, HOSTADDR, R_CLIENTDIR,
#                 UNREVOKED_CERT_GRP_1, SERVERDIR, R_SERVERDIR, PROFTOOL,
#                 BINDIR
# Globals (set):  group, ectype, OUTFILE_TMP, grpBegin, grpRange, grpEnd,
#                 ecsuffix, eccomment, REQF, CU_ACTION, ret
# Returns: 1 on a missing group definition, on "CRL ReCache Error" in the
#          reload output, or after a successful crlu import (see NOTE);
#          otherwise the status of the final is_selfserv_alive
########################################################################
load_group_crl() {
    group=$1
    ectype=$2

    OUTFILE_TMP=${TMP}/$HOST.tmp.$$
    grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
    grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
    grpEnd=`expr $grpBegin + $grpRange - 1`

    # unknown group: nothing to load
    if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
        ret=1
        return 1;
    fi

    # Add -ec suffix for ECC
    if [ "$ectype" = "ECC" ] ; then
        ecsuffix="-ec"
        eccomment="ECC "
    else
        ecsuffix=""
        eccomment=""
    fi

    if [ "$RELOAD_CRL" != "" ]; then
        # group 1 starts from a clean server so earlier groups' CRLs are gone
        if [ $group -eq 1 ]; then
            echo "==================== Resetting to group 1 crl ==================="
            kill_selfserv
            start_selfserv
            is_selfserv_alive
        fi
        echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="

        echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
        echo "        -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
        echo "Request:"
        echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
        echo ""
        # NOTE(review): $i is not set anywhere in this function; it prints
        # whatever loop variable the caller happens to have -- confirm intent.
        echo "RELOAD time $i"

        # the request is written to a file so it can be fed to tstclnt's stdin
        REQF=${R_CLIENTDIR}.crlreq
        cat > ${REQF} <<_EOF_REQUEST_
GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}

_EOF_REQUEST_

        ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f  \
            -d ${R_CLIENTDIR} -v -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
            >${OUTFILE_TMP}  2>&1 < ${REQF}

        cat ${OUTFILE_TMP}
        # the server reports a failed CRL cache update in its reply
        grep "CRL ReCache Error" ${OUTFILE_TMP}
        if [ $? -eq 0 ]; then
            ret=1
            return 1
        fi
    else
        echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="

        kill_selfserv
        CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
        # password file path is relative to the current directory
        crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
             -p ../tests.pw.928
        ret=$?
        # NOTE(review): on a SUCCESSFUL import this returns 1 and leaves
        # selfserv stopped, while a failed import falls through and restarts
        # it -- verify against the caller whether this is the intended
        # contract or an inverted test.
        if [ "$ret" -eq 0 ]; then
            html_passed "${CU_ACTION}"
            return 1
        fi
        start_selfserv
    fi
    is_selfserv_alive
    ret=$?
    echo "================= CRL Reloaded ============="
}
michael@0:
michael@0: ########################### ssl_crl_cache ##############################
michael@0: # local shell function to perform SSL tests for the CRL cache functionality
michael@0: # with and without revoked certs
michael@0: ########################################################################
ssl_crl_cache()
{
  # Run tstclnt against selfserv for every row of ${SSLAUTH} whose server
  # argument column equals $SERV_ARG, stepping through the CRL groups so each
  # TestUser<serial> cert is exercised before and after its CRL is loaded.
  # Globals read:    SSLAUTH TMP HOST TOTAL_GRP_NUM TOTAL_CRL_RANGE
  #                  CRL_GRP_1_BEGIN PORT HOSTADDR R_CLIENTDIR REQUEST_FILE
  #                  BINDIR PROFTOOL NSS_DISABLE_ECC NORM_EXT ECC_STRING
  #                  SCRIPTNAME eccomment (set by load_group_crl)
  # Globals written: SSLAUTH_TMP SERV_ARG TEMPFILES ret and every loop
  #                  variable below.  The shell's stdin is redirected with
  #                  exec and is not restored afterwards.
  html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
  SSLAUTH_TMP=${TMP}/authin.tl.tmp
  SERV_ARG=-r_-r
  rm -f ${SSLAUTH_TMP}
  echo ${SSLAUTH_TMP}

  # Select the rows for this server argument (-r_-r first; the loop appends
  # another _-r per pass, see the bottom of the outer loop).
  grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
  echo $?
  # NOTE: on entry $? is the status of the `echo` just above, so the first
  # pass always runs; on later passes it is the status of the grep at the
  # end of the body, which ends the loop once no rows match.
  while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
  do
    sparam=$SERV_ARG
    start_selfserv
    # Feed the selected rows to `read` through the shell's own stdin.
    exec < ${SSLAUTH_TMP}
    while read ectype value sparam cparam testname
    do
      [ "$ectype" = "" ] && continue
      if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
        echo "$SCRIPTNAME: skipping $testname (ECC only)"
      elif [ "$ectype" = "SNI" ]; then
        continue
      else
        # The number of -r flags in the server args selects rev_modvalue,
        # the tstclnt status expected for a revoked cert; rows whose client
        # args carry no nss password or TestUser expect 0 instead.
        servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
        pwd=`echo $cparam | grep nss`
        user=`echo $cparam | grep TestUser`
        _cparam=$cparam
        case $servarg in
          1) if [ -z "$pwd" -o -z "$user" ]; then
               rev_modvalue=0
             else
               rev_modvalue=254
             fi
             ;;
          2) rev_modvalue=254 ;;

          3) if [ -z "$pwd" -o -z "$user" ]; then
               rev_modvalue=0
             else
               rev_modvalue=1
             fi
             ;;
          4) rev_modvalue=1 ;;
        esac
        TEMP_NUM=0
        LOADED_GRP=1
        # Outer loop: one pass per loaded CRL group.  Inner loop: one
        # tstclnt run per serial number in the first group's range.
        while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
        do
          while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
          do
            CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
            TEMP_NUM=`expr $TEMP_NUM + 1`
            USER_NICKNAME="TestUser${CURR_SER_NUM}"
            # The row's client args use '_' for spaces and a bare "TestUser"
            # that is replaced with the nickname for the current serial.
            cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `

            echo "Server Args: $SERV_ARG"
            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
            echo " ${cparam} < ${REQUEST_FILE}"
            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
            # ${cparam} is intentionally unquoted: it holds several options.
            # tstclnt reads REQUEST_FILE, not the redirected stdin above.
            ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
              -d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
              >${TMP}/$HOST.tmp.$$ 2>&1
            ret=$?
            cat ${TMP}/$HOST.tmp.$$
            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
            # is_revoked returns 0 when this serial is revoked by a loaded group.
            is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
            isRevoked=$?
            if [ $isRevoked -eq 0 ]; then
              modvalue=$rev_modvalue
              testAddMsg="revoked"
            else
              modvalue=$value
              testAddMsg="not revoked"
            fi

            # A dead selfserv is reported in the test message, not as a
            # separate failure.
            is_selfserv_alive
            ss_status=$?
            if [ "$ss_status" -ne 0 ]; then
              html_msg $ret $modvalue \
                "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
                "produced a returncode of $ret, expected is $modvalue. " \
                "selfserv is not alive!"
            else
              html_msg $ret $modvalue \
                "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
                "produced a returncode of $ret, expected is $modvalue"
            fi
          done
          LOADED_GRP=`expr $LOADED_GRP + 1`
          TEMP_NUM=0
          if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
            # load_group_crl leaves its status in the global $ret.
            load_group_crl $LOADED_GRP $ectype
            html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
              "produced a returncode of $ret, expected is 0"
          fi
        done
        # Restart selfserv to roll back to two initial group 1 crls
        # TestCA CRL and TestCA-ec CRL
        kill_selfserv
        start_selfserv
      fi
    done
    kill_selfserv
    # Next server-argument variant: one more -r.
    SERV_ARG="${SERV_ARG}_-r"
    rm -f ${SSLAUTH_TMP}
    # The status of this grep is what the outer loop condition tests next.
    grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
  done
  TEMPFILES=${SSLAUTH_TMP}
  html "
"
}
michael@0:
michael@0:
michael@0: ############################## ssl_cleanup #############################
michael@0: # local shell function to finish this script (no exit since it might be
michael@0: # sourced)
michael@0: ########################################################################
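ssl_cleanup()
{
  # Remove the selfserv pid file and hand over to the shared cleanup script.
  # Globals read: SERVERPID QADIR.  No exit here: this file may be sourced.
  rm -f -- "$SERVERPID" 2>/dev/null
  # If QADIR cannot be entered, sourcing the relative common/cleanup.sh
  # would pick up whatever is in the current directory; stop instead.
  cd "${QADIR}" || return 1
  . common/cleanup.sh
}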
michael@0:
michael@0: ############################## ssl_run #################################
michael@0: # local shell function to run coverage, authentication and stress tests
michael@0: ########################################################################
ssl_run()
{
  # Run each test family named in NSS_SSL_RUN, in the order given; names
  # other than stapling, cov, auth and stress are ignored.
  # Globals read: NSS_SSL_RUN.  Globals written: SSL_RUN (loop variable).
  for SSL_RUN in ${NSS_SSL_RUN}
  do
    case "${SSL_RUN}" in
      stapling|cov|auth|stress) "ssl_${SSL_RUN}" ;;
      *) ;;
    esac
  done
}
michael@0:
michael@0: ############################ ssl_run_all ###############################
michael@0: # local shell function to run both standard and extended ssl tests
michael@0: ########################################################################
ssl_run_all()
{
  # Run ssl_run twice: against the standard server/client databases, then
  # against the "extended" ones, and finally put every directory variable
  # back so a later round starts from the standard layout.
  # Globals read:    SERVERDIR CLIENTDIR R_SERVERDIR R_CLIENTDIR P_R_SERVERDIR
  #                  P_R_CLIENTDIR and their EXT_/R_EXT_/P_R_EXT_ counterparts,
  #                  QADIR
  # Globals written: the six directory variables (restored on return), the
  #                  ORIG_* copies, USER_NICKNAME, NORM_EXT; the cwd ends up
  #                  in ${QADIR}/ssl.
  ORIG_SERVERDIR=$SERVERDIR         ORIG_CLIENTDIR=$CLIENTDIR
  ORIG_R_SERVERDIR=$R_SERVERDIR     ORIG_R_CLIENTDIR=$R_CLIENTDIR
  ORIG_P_R_SERVERDIR=$P_R_SERVERDIR ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR

  # Round 1: standard databases.
  USER_NICKNAME=TestUser
  NORM_EXT=""
  cd ${CLIENTDIR}
  ssl_run

  # Round 2: extended databases.
  SERVERDIR=$EXT_SERVERDIR         CLIENTDIR=$EXT_CLIENTDIR
  R_SERVERDIR=$R_EXT_SERVERDIR     R_CLIENTDIR=$R_EXT_CLIENTDIR
  P_R_SERVERDIR=$P_R_EXT_SERVERDIR P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
  USER_NICKNAME=ExtendedSSLUser
  NORM_EXT="Extended Test"
  cd ${CLIENTDIR}
  ssl_run

  # the next round of ssl tests will only run if these vars are reset
  SERVERDIR=$ORIG_SERVERDIR         CLIENTDIR=$ORIG_CLIENTDIR
  R_SERVERDIR=$ORIG_R_SERVERDIR     R_CLIENTDIR=$ORIG_R_CLIENTDIR
  P_R_SERVERDIR=$ORIG_P_R_SERVERDIR P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
  USER_NICKNAME=TestUser
  NORM_EXT=
  cd ${QADIR}/ssl
}
michael@0:
michael@0: ############################ ssl_set_fips ##############################
michael@0: # local shell function to set FIPS mode on/off
michael@0: ########################################################################
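ssl_set_fips()
{
  # Switch FIPS mode on or off for the server ($1 = "server") or client
  # (any other value) databases, standard and extended, recording each
  # modutil step through html_msg.
  # Arguments:       $1 - "server" or "client"; $2 - "on" or "off"
  # Globals read:    SERVERDIR EXT_SERVERDIR CLIENTDIR EXT_CLIENTDIR BINDIR
  #                  SCRIPTNAME TESTNAME
  # Globals written: CLTSRV ONOFF DBDIRS FIPSMODE RET_EXP DBDIR EXT_OPT
  #                  DBLIST RET
  CLTSRV=$1
  ONOFF=$2

  if [ "${CLTSRV}" = "server" ]; then
    DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
  else
    DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"
  fi

  # RET_EXP is the expected status of the "FIPS PKCS #11" grep below: the
  # module must be listed after enabling FIPS and absent after disabling it.
  if [ "${ONOFF}" = "on" ]; then
    FIPSMODE=true
    RET_EXP=0
  else
    FIPSMODE=false
    RET_EXP=1
  fi

  html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"

  for DBDIR in ${DBDIRS}
  do
    # Extended database directories are recognised by "ext" in their path.
    case "${DBDIR}" in
      *ext*) EXT_OPT="extended " ;;
      *)     EXT_OPT= ;;
    esac

    echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"

    echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
    "${BINDIR}/modutil" -dbdir "${DBDIR}" -fips "${FIPSMODE}" -force 2>&1
    RET=$?
    html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
      "produced a returncode of ${RET}, expected is 0"

    echo "modutil -dbdir ${DBDIR} -list"
    DBLIST=$("${BINDIR}/modutil" -dbdir "${DBDIR}" -list 2>&1)
    RET=$?
    html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
      "produced a returncode of ${RET}, expected is 0"

    # The matching line is left on stdout for the log; RET is what is checked.
    printf '%s\n' "${DBLIST}" | grep "FIPS PKCS #11"
    RET=$?
    html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
      "produced a returncode of ${RET}, expected is ${RET_EXP}"
  done

  html "
"
}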
michael@0:
michael@0: ############################ ssl_run_tests #############################
michael@0: # local shell function to run all tests set in the NSS_SSL_TESTS variable
michael@0: ########################################################################
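ssl_run_tests()
{
  # Run every entry of NSS_SSL_TESTS.  "crl" and "iopr" are handled
  # directly; any other entry is <server_mode>_<client_mode>, with modes
  # normal, bypass or fips, and selects SERVER_OPTIONS / CLIENT_OPTIONS
  # (and FIPS mode on the databases) before ssl_run_all.
  # Globals read:    NSS_SSL_TESTS SCRIPTNAME
  # Globals written: SSL_TEST SERVER_MODE CLIENT_MODE SERVER_OPTIONS
  #                  CLIENT_OPTIONS
  for SSL_TEST in ${NSS_SSL_TESTS}
  do
    case "${SSL_TEST}" in
      "crl")
        ssl_crl_ssl
        ssl_crl_cache
        ;;
      "iopr")
        ssl_iopr_run
        ;;
      *)
        # First and second '_'-separated fields; same result as
        # `cut -d_ -f1` / `cut -d_ -f2` (an entry without '_' yields the
        # whole entry for both) without two processes per entry.
        SERVER_MODE=${SSL_TEST%%_*}
        CLIENT_MODE=${SSL_TEST#*_}
        CLIENT_MODE=${CLIENT_MODE%%_*}

        case "${SERVER_MODE}" in
          "normal")
            SERVER_OPTIONS=
            ;;
          "bypass")
            SERVER_OPTIONS="-B -s"
            ;;
          "fips")
            SERVER_OPTIONS=
            ssl_set_fips server on
            ;;
          *)
            echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
            continue
            ;;
        esac

        case "${CLIENT_MODE}" in
          "normal")
            CLIENT_OPTIONS=
            ;;
          "bypass")
            CLIENT_OPTIONS="-B -s"
            ;;
          "fips")
            # This branch used to assign SERVER_OPTIONS=, which discarded the
            # server choice above and left CLIENT_OPTIONS as set by the
            # previous entry.
            CLIENT_OPTIONS=
            ssl_set_fips client on
            ;;
          *)
            echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
            # The server databases may already be in FIPS mode; undo that
            # before skipping so the next entry starts from a clean state.
            if [ "${SERVER_MODE}" = "fips" ]; then
              ssl_set_fips server off
            fi
            continue
            ;;
        esac

        ssl_run_all

        if [ "${SERVER_MODE}" = "fips" ]; then
          ssl_set_fips server off
        fi

        if [ "${CLIENT_MODE}" = "fips" ]; then
          ssl_set_fips client off
        fi
        ;;
    esac
  done
}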
michael@0:
michael@0: ################################# main #################################
michael@0:
# Entry point: initialise, run the tests selected by NSS_SSL_TESTS, clean up.
ssl_init
ssl_run_tests
ssl_cleanup
michael@0: