#! /bin/bash

# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
#   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
#   Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
#
########################################################################
#
# mozilla/security/nss/tests/ssl/ssl.sh
#
# Script to test NSS SSL
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
#   FIXME ... known problems, search for this string
#   NOTE .... unexpected behavior
#
########################################################################
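############################## ssl_init ################################
# local shell function to initialize this script
#
# Sources common/init.sh, iopr/ssl_iopr.sh and cert/cert.sh when they have
# not been sourced yet, refuses to continue unless cert.sh recorded success
# in ${CERT_LOG_FILE}, and sets the globals the other functions rely on
# (PORT, test-case file paths, temp-file names, cipher lists, ECC_STRING).
# Globals:   reads CLEANUP, INIT_SOURCED, IOPR_SSL_SOURCED, CERT_LOG_FILE,
#            NSS_TEST_DISABLE_CRL, QADIR, TMP, NSS_ENABLE_ECC, OS_ARCH,
#            CLIENTDIR
#            writes SCRIPTNAME, CLEANUP, PORT, SSLCOV, SSLAUTH, SSLSTRESS,
#            REQUEST_FILE, SERVEROUTFILE, SERVERPID, R_SERVERPID, TEMPFILES,
#            fileout, USER_NICKNAME, NORM_EXT, ECC_STRING, CSHORT, CLONG
# Returns:   does not return when cert.sh did not pass (calls Exit)
########################################################################
ssl_init()
{
  SCRIPTNAME=ssl.sh      # sourced - $0 would point to all.sh

  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
  fi

  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
      cd ../common
      . ./init.sh
  fi
  if [ -z "${IOPR_SSL_SOURCED}" ]; then
      . ../iopr/ssl_iopr.sh
  fi
  if [ ! -r "${CERT_LOG_FILE}" ]; then  # we need certificates here
      cd ../cert
      . ./cert.sh
  fi
  SCRIPTNAME=ssl.sh
  echo "$SCRIPTNAME: SSL tests ==============================="

  # Every test below handshakes against the databases cert.sh builds; never
  # start against a half-built fixture.
  grep "SUCCESS: SSL passed" "${CERT_LOG_FILE}" >/dev/null || {
      html_head "SSL Test failure"
      Exit 8 "Fatal - cert.sh needs to pass first"
  }

  if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
      grep "SUCCESS: SSL CRL prep passed" "${CERT_LOG_FILE}" >/dev/null || {
          html_head "SSL Test failure"
          Exit 8 "Fatal - SSL of cert.sh needs to pass first"
      }
  fi

  PORT=${PORT-8443}

  # Test case files
  SSLCOV=${QADIR}/ssl/sslcov.txt
  SSLAUTH=${QADIR}/ssl/sslauth.txt
  SSLSTRESS=${QADIR}/ssl/sslstress.txt
  REQUEST_FILE=${QADIR}/ssl/sslreq.dat

  # temporary files
  # NOTE(review): these names are predictable ($$-derived) inside ${TMP};
  # run the suite with a TMP that is not shared with other accounts, since
  # kill_selfserv acts on whatever PID is read back from ${SERVERPID}.
  SERVEROUTFILE=${TMP}/tests_server.$$
  SERVERPID=${TMP}/tests_pid.$$

  R_SERVERPID=../tests_pid.$$

  # NOTE(review): reads $TMPFILES but assigns TEMPFILES - confirm which of
  # the two names common/cleanup.sh consumes before touching either.
  TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"

  fileout=0  #FIXME, looks like all.sh tried to turn this on but actually didn't
  #fileout=1
  #verbose="-v" #FIXME - see where this is useful

  USER_NICKNAME=TestUser
  NORM_EXT=""

  if [ -n "$NSS_ENABLE_ECC" ] ; then
      ECC_STRING=" - with ECC"
  else
      ECC_STRING=""
  fi

  # cipher lists handed to selfserv -c: the long one adds the ECC suites
  CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz"
  CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz"

  if [ "${OS_ARCH}" != "WINNT" ]; then
      ulimit -n 1000 # make sure we have enough file descriptors
  fi

  cd "${CLIENTDIR}"
}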
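########################### is_selfserv_alive ##########################
# local shell function to exit with a fatal error if selfserver is not
# running
#
# Waits up to 5 seconds for the PID file to appear, then probes the
# process with "kill -0".
# Globals:   reads SERVERPID, OS_ARCH, OS_NAME, SHELL_SERVERPID, SCRIPTNAME
#            writes PID
# Returns:   status of the final echo (0) when the process is found; does
#            not return otherwise (calls Exit 9 / Exit 10)
########################################################################
is_selfserv_alive()
{
  if [ ! -f "${SERVERPID}" ]; then
      echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
      sleep 5
      if [ ! -f "${SERVERPID}" ]; then
          Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
      fi
  fi

  # Under Cygwin/MinGW the PID selfserv writes is not the one the shell can
  # signal, so use the PID the shell itself recorded (see start_selfserv).
  if [ "${OS_ARCH}" = "WINNT" ] && \
     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
      PID=${SHELL_SERVERPID}
  else
      PID=$(cat "${SERVERPID}")
  fi

  echo "kill -0 ${PID} >/dev/null 2>/dev/null"
  kill -0 "${PID}" >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"

  echo "selfserv with PID ${PID} found at $(date)"
}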
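########################### wait_for_selfserv ##########################
# local shell function to wait until selfserver is running and initialized
#
# Makes up to two tstclnt connection attempts (5 seconds apart); a second
# failure is recorded with html_failed. Finishes with is_selfserv_alive,
# which aborts the run if the server process cannot be found.
# Globals:   reads BINDIR, PORT, HOSTADDR, CLIENT_OPTIONS, P_R_CLIENTDIR,
#            REQUEST_FILE
# Returns:   status of is_selfserv_alive
########################################################################
wait_for_selfserv()
{
  attempt=1
  echo "trying to connect to selfserv at $(date)"
  while :; do
      echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
      echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
      # CLIENT_OPTIONS is deliberately unquoted: it holds zero or more flags
      if "${BINDIR}/tstclnt" -p "${PORT}" -h "${HOSTADDR}" ${CLIENT_OPTIONS} -q \
              -d "${P_R_CLIENTDIR}" < "${REQUEST_FILE}"; then
          break
      fi
      if [ "$attempt" -ge 2 ]; then
          html_failed "Waiting for Server"
          break
      fi
      attempt=$((attempt + 1))
      sleep 5
      echo "retrying to connect to selfserv at $(date)"
  done
  is_selfserv_alive
}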
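########################### kill_selfserv ##############################
# local shell function to kill the selfserver after the tests are done
#
# Signals the server (plain kill on Windows/OS2, SIGUSR1 elsewhere), waits
# for it, dumps its output when fileout=1, and on Linux polls with
# "selfserv -b" until the port is free again.
# Globals:   reads OS_ARCH, OS_NAME, SHELL_SERVERPID, SERVERPID, KILL,
#            fileout, SERVEROUTFILE, BINDIR, PORT
#            writes PID; removes ${SERVERPID}
# Returns:   status of html_detect_core
########################################################################
kill_selfserv()
{
  if [ "${OS_ARCH}" = "WINNT" ] && \
     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
      PID=${SHELL_SERVERPID}
  else
      PID=$(cat "${SERVERPID}")
  fi

  echo "trying to kill selfserv with PID ${PID} at $(date)"

  # KILL stays unquoted: it may carry a command plus options
  if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
      echo "${KILL} ${PID}"
      ${KILL} "${PID}"
  else
      echo "${KILL} -USR1 ${PID}"
      ${KILL} -USR1 "${PID}"
  fi
  wait "${PID}"
  if [ "${fileout}" -eq 1 ]; then
      cat "${SERVEROUTFILE}"
  fi

  # On Linux selfserv needs up to 30 seconds to fully die and free
  # the port. Wait until the port is free. (Bug 129701)
  if [ "${OS_ARCH}" = "Linux" ]; then
      echo "selfserv -b -p ${PORT} 2>/dev/null;"
      until "${BINDIR}/selfserv" -b -p "${PORT}" 2>/dev/null; do
          echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
          sleep 1
      done
  fi

  echo "selfserv with PID ${PID} killed at $(date)"

  rm -f -- "${SERVERPID}"
  html_detect_core "kill_selfserv core detection step"
}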
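########################### start_selfserv #############################
# local shell function to start the selfserver with the parameters required
# for this test and log information (parameters, start time)
# also: wait until the server is up and running
#
# Arguments: $1 - "mixed" to serve the RSA-signed EC cert (${HOSTADDR}-ecmixed)
#            instead of the plain EC cert; anything else keeps the default
# Globals:   reads testname, sparam, NSS_ENABLE_ECC, NO_ECC_CERTS, HOSTADDR,
#            PORT, P_R_SERVERDIR, SERVER_OPTIONS, R_SERVERPID, verbose,
#            fileout, PROFTOOL, BINDIR, SERVEROUTFILE, OS_ARCH, OS_NAME,
#            SERVERPID
#            writes sparam (underscores become spaces), ECC_OPTIONS, RET,
#            SHELL_SERVERPID, PID
# Returns:   status of the final echo (0)
########################################################################
start_selfserv()
{
  if [ -n "$testname" ] ; then
      echo "$SCRIPTNAME: $testname ----"
  fi
  # test-case files encode spaces as '_' so one field can hold several flags
  sparam=$(echo "$sparam" | sed -e 's;_; ;g')
  if [ -n "$NSS_ENABLE_ECC" ] && \
     [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
      ECC_OPTIONS="-e ${HOSTADDR}-ec"
  else
      ECC_OPTIONS=""
  fi
  if [ "$1" = "mixed" ]; then
      ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
  fi
  echo "selfserv starting at $(date)"
  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
  echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
  # PROFTOOL, SERVER_OPTIONS, ECC_OPTIONS, sparam and verbose are left
  # unquoted on purpose: each expands to zero or more separate arguments.
  # RET only records the status of putting the job in the background.
  if [ "${fileout}" -eq 1 ]; then
      ${PROFTOOL} "${BINDIR}/selfserv" -D -p "${PORT}" -d "${P_R_SERVERDIR}" -n "${HOSTADDR}" ${SERVER_OPTIONS} \
               ${ECC_OPTIONS} -w nss ${sparam} -i "${R_SERVERPID}" $verbose \
               > "${SERVEROUTFILE}" 2>&1 &
      RET=$?
  else
      ${PROFTOOL} "${BINDIR}/selfserv" -D -p "${PORT}" -d "${P_R_SERVERDIR}" -n "${HOSTADDR}" ${SERVER_OPTIONS} \
               ${ECC_OPTIONS} -w nss ${sparam} -i "${R_SERVERPID}" $verbose &
      RET=$?
  fi

  # The PID $! returned by the MKS or Cygwin shell is not the PID of
  # the real background process, but rather the PID of a helper
  # process (sh.exe). MKS's kill command has a bug: invoking kill
  # on the helper process does not terminate the real background
  # process. Our workaround has been to have selfserv save its PID
  # in the ${SERVERPID} file and "kill" that PID instead. But this
  # doesn't work under Cygwin; its kill command doesn't recognize
  # the PID of the real background process, but it does work on the
  # PID of the helper process. So we save the value of $! in the
  # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
  # file under Cygwin. (In fact, this should work in any shell
  # other than the MKS shell.)
  SHELL_SERVERPID=$!
  wait_for_selfserv

  if [ "${OS_ARCH}" = "WINNT" ] && \
     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
      PID=${SHELL_SERVERPID}
  else
      PID=$(cat "${SERVERPID}")
  fi

  echo "selfserv with PID ${PID} started at $(date)"
}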
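############################## ssl_cov #################################
# local shell function to perform SSL Cipher Coverage tests
#
# Runs one tstclnt handshake per line of ${SSLCOV} against a long-lived
# selfserv, restarting it with the "mixed" EC cert only for the five
# ECDH-RSA suites that need it. Each line is "ectype tls param testname";
# an ectype of "#" marks a comment line.
# Globals:   reads NORM_EXT, SERVER_MODE, CLIENT_MODE, ECC_STRING,
#            NSS_ENABLE_ECC, CLONG, CSHORT, SSLCOV, SCRIPTNAME, PORT,
#            HOSTADDR, CLIENT_OPTIONS, P_R_CLIENTDIR, REQUEST_FILE, TMP,
#            HOST, PROFTOOL, BINDIR
#            writes testname, sparam, mixed, EXP, SSL2, TLS_FLAG, ret
# Side effects: redirects this shell's stdin to ${SSLCOV} (exec), starts
#            and kills selfserv, emits html_msg rows
########################################################################
ssl_cov()
{
  html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

  testname=""
  if [ -n "$NSS_ENABLE_ECC" ] ; then
      sparam="$CLONG"
  else
      sparam="$CSHORT"
  fi

  mixed=0
  start_selfserv # Launch the server

  exec < "${SSLCOV}"
  while read ectype tls param testname
  do
      echo "${testname}" | grep "EXPORT" > /dev/null
      EXP=$?
      echo "${testname}" | grep "SSL2" > /dev/null
      SSL2=$?

      if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
          echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
      elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
          echo "$SCRIPTNAME: skipping $testname (ECC only)"
      elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
          echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
      elif [ "$ectype" != "#" ] ; then
          echo "$SCRIPTNAME: running $testname ----------------------------"
          TLS_FLAG=-T
          if [ "$tls" = "TLS" ]; then
              TLS_FLAG=""
          fi

          # These five tests need an EC cert signed with RSA
          # This requires a different certificate loaded in selfserv
          # due to a (current) NSS limitation of only loaded one cert
          # per type so the default selfserv setup will not work.
          #:C00B TLS ECDH RSA WITH NULL SHA
          #:C00C TLS ECDH RSA WITH RC4 128 SHA
          #:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
          #:C00E TLS ECDH RSA WITH AES 128 CBC SHA
          #:C00F TLS ECDH RSA WITH AES 256 CBC SHA
          case "${param}" in
              :C00B|:C00C|:C00D|:C00E|:C00F) want_mixed=1 ;;
              *)                             want_mixed=0 ;;
          esac
          # only bounce the server when the cert it serves has to change
          if [ "$want_mixed" -ne "$mixed" ]; then
              kill_selfserv
              if [ "$want_mixed" -eq 1 ]; then
                  start_selfserv mixed
              else
                  start_selfserv
              fi
              mixed=$want_mixed
          else
              is_selfserv_alive
          fi

          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} \\"
          echo " -f -d ${P_R_CLIENTDIR} -w nss < ${REQUEST_FILE}"

          # TLS_FLAG and CLIENT_OPTIONS are unquoted on purpose (may be empty)
          rm -f -- "${TMP}/$HOST.tmp.$$" 2>/dev/null
          ${PROFTOOL} "${BINDIR}/tstclnt" -p "${PORT}" -h "${HOSTADDR}" -c "${param}" ${TLS_FLAG} ${CLIENT_OPTIONS} -f \
                  -d "${P_R_CLIENTDIR}" -w nss < "${REQUEST_FILE}" \
                  >"${TMP}/$HOST.tmp.$$" 2>&1
          ret=$?
          cat "${TMP}/$HOST.tmp.$$"
          rm -f -- "${TMP}/$HOST.tmp.$$" 2>/dev/null
          html_msg "$ret" 0 "${testname}" \
                   "produced a returncode of $ret, expected is 0"
      fi
  done

  kill_selfserv
  html "</TABLE><BR>"
}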
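############################## ssl_auth ################################
# local shell function to perform SSL Client Authentication tests
#
# Each line of ${SSLAUTH} is "ectype value sparam cparam testname"; a fresh
# selfserv is started per test with sparam and tstclnt is run with cparam
# (after '_' -> ' ' and TestUser -> ${USER_NICKNAME} substitution).
# Globals:   reads NORM_EXT, SERVER_MODE, CLIENT_MODE, ECC_STRING, SSLAUTH,
#            NSS_ENABLE_ECC, SCRIPTNAME, USER_NICKNAME, PORT, HOSTADDR,
#            P_R_CLIENTDIR, CLIENT_OPTIONS, REQUEST_FILE, TMP, HOST,
#            PROFTOOL, BINDIR
#            writes CAUTH, cparam, sparam, ret, value
# Side effects: redirects this shell's stdin to ${SSLAUTH} (exec)
########################################################################
ssl_auth()
{
  html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

  exec < "${SSLAUTH}"
  while read ectype value sparam cparam testname
  do
      echo "${testname}" | grep "don't require client auth" > /dev/null
      CAUTH=$?

      if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
          echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
      elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
          echo "$SCRIPTNAME: skipping $testname (ECC only)"
      elif [ "$ectype" != "#" ]; then
          cparam=$(echo "$cparam" | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g")
          start_selfserv

          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} \\"
          echo " ${cparam} < ${REQUEST_FILE}"
          # cparam and CLIENT_OPTIONS are unquoted on purpose: option lists
          rm -f -- "${TMP}/$HOST.tmp.$$" 2>/dev/null
          ${PROFTOOL} "${BINDIR}/tstclnt" -p "${PORT}" -h "${HOSTADDR}" -f ${cparam} ${CLIENT_OPTIONS} \
                  -d "${P_R_CLIENTDIR}" < "${REQUEST_FILE}" \
                  >"${TMP}/$HOST.tmp.$$" 2>&1
          ret=$?
          cat "${TMP}/$HOST.tmp.$$"
          rm -f -- "${TMP}/$HOST.tmp.$$" 2>/dev/null

          #workaround for bug #402058
          # collapse every failure to 1 so the exact code does not matter
          [ "$ret" -ne 0 ] && ret=1
          [ "$value" -ne 0 ] && value=1

          html_msg "$ret" "$value" "${testname}" \
                   "produced a returncode of $ret, expected is $value"
          kill_selfserv
      fi
  done

  html "</TABLE><BR>"
}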
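############################## ssl_stress ##############################
# local shell function to perform SSL stress test
#
# Each non-blank line of ${SSLSTRESS} is "ectype value sparam cparam
# testname"; selfserv is started per test (with the mixed cert when sparam
# selects suite :C00E) and strsclnt is run against it.
# Globals:   reads NORM_EXT, SERVER_MODE, CLIENT_MODE, ECC_STRING, SSLSTRESS,
#            NSS_ENABLE_ECC, SCRIPTNAME, USER_NICKNAME, PORT, HOSTADDR,
#            P_R_CLIENTDIR, CLIENT_OPTIONS, verbose, PROFTOOL, BINDIR
#            writes SSL2, CAUTH, cparam, sparam, p, ret
# Side effects: redirects this shell's stdin to ${SSLSTRESS} (exec)
########################################################################
ssl_stress()
{
  html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"

  exec < "${SSLSTRESS}"
  while read ectype value sparam cparam testname
  do
      if [ -z "$ectype" ]; then
          # silently ignore blank lines
          continue
      fi

      echo "${testname}" | grep "SSL2" > /dev/null
      SSL2=$?
      echo "${testname}" | grep "client auth" > /dev/null
      CAUTH=$?

      if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
          echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
      elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
          echo "$SCRIPTNAME: skipping $testname (ECC only)"
      elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
          echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
      elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
          echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
      elif [ "$ectype" != "#" ]; then
          cparam=$(echo "$cparam" | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g")

          # These tests need the mixed cert
          # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
          # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
          p=$(echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/")
          if [ "$p" = "-c_:C00E" ]; then
              start_selfserv mixed
          else
              start_selfserv
          fi

          # host-specific debugging left in by the original authors
          if [ "$(uname -n)" = "sjsu" ] ; then
              echo "debugging disapering selfserv... ps -ef | grep selfserv"
              ps -ef | grep selfserv
          fi
          echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
          echo " $verbose ${HOSTADDR}"
          echo "strsclnt started at $(date)"
          # CLIENT_OPTIONS, cparam and verbose are unquoted on purpose
          ${PROFTOOL} "${BINDIR}/strsclnt" -q -p "${PORT}" -d "${P_R_CLIENTDIR}" ${CLIENT_OPTIONS} -w nss $cparam \
                   $verbose "${HOSTADDR}"
          ret=$?
          echo "strsclnt completed at $(date)"
          html_msg "$ret" "$value" \
                   "${testname}" \
                   "produced a returncode of $ret, expected is $value. "
          if [ "$(uname -n)" = "sjsu" ] ; then
              echo "debugging disapering selfserv... ps -ef | grep selfserv"
              ps -ef | grep selfserv
          fi
          kill_selfserv
      fi
  done

  html "</TABLE><BR>"
}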
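############################ ssl_crl_ssl ###############################
# local shell function to perform SSL test with/out revoked certs tests
#
# For every test line in ${SSLAUTH}, handshakes once per certificate of CRL
# group 1 (TestUser${n}); every cert except ${UNREVOKED_CERT_GRP_1} is
# expected to be rejected with rev_modvalue, which depends on how many
# "-r" flags the server gets and whether the client presents a cert.
# Globals:   reads NORM_EXT, ECC_STRING, CRL_GRP_1_BEGIN, CRL_GRP_1_RANGE,
#            UNREVOKED_CERT_GRP_1, SSLAUTH, NSS_ENABLE_ECC, SCRIPTNAME,
#            PORT, HOSTADDR, R_CLIENTDIR, REQUEST_FILE, TMP, HOST,
#            PROFTOOL, BINDIR
#            writes CRL_GROUP_BEGIN, CRL_GROUP_RANGE, UNREVOKED_CERT,
#            USER_NICKNAME, cparam, sparam, rev_modvalue, modvalue, ret
# Side effects: redirects this shell's stdin to ${SSLAUTH} (exec)
########################################################################
ssl_crl_ssl()
{
  html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"

  # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
  # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
  CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
  CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
  UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1

  exec < "${SSLAUTH}"
  while read ectype value sparam cparam testname
  do
    if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
        echo "$SCRIPTNAME: skipping $testname (ECC only)"
    elif [ "$ectype" != "#" ]; then
        # number of -r flags handed to selfserv (revocation checking level)
        servarg=$(echo "$sparam" | awk '{r=split($0,a,"-r") - 1;print r;}')
        has_pw=$(echo "$cparam" | grep nss)
        has_user=$(echo "$cparam" | grep TestUser)
        _cparam=$cparam
        # NOTE(review): no default arm - a servarg outside 1..4 keeps the
        # rev_modvalue of the previous line
        case $servarg in
            1) if [ -z "$has_pw" -o -z "$has_user" ]; then
                   rev_modvalue=0
               else
                   rev_modvalue=254
               fi
               ;;
            2) rev_modvalue=254 ;;
            3) if [ -z "$has_pw" -o -z "$has_user" ]; then
                   rev_modvalue=0
               else
                   rev_modvalue=1
               fi
               ;;
            4) rev_modvalue=1 ;;
        esac
        TEMP_NUM=0
        while [ "$TEMP_NUM" -lt "$CRL_GROUP_RANGE" ]
        do
            CURR_SER_NUM=$((CRL_GROUP_BEGIN + TEMP_NUM))
            TEMP_NUM=$((TEMP_NUM + 1))
            USER_NICKNAME="TestUser${CURR_SER_NUM}"
            cparam=$(echo "$_cparam" | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g")
            start_selfserv

            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
            echo " ${cparam} < ${REQUEST_FILE}"
            # cparam is unquoted on purpose: it is an option list
            rm -f -- "${TMP}/$HOST.tmp.$$" 2>/dev/null
            ${PROFTOOL} "${BINDIR}/tstclnt" -p "${PORT}" -h "${HOSTADDR}" -f ${cparam} \
                    -d "${R_CLIENTDIR}" < "${REQUEST_FILE}" \
                    >"${TMP}/$HOST.tmp.$$" 2>&1
            ret=$?
            cat "${TMP}/$HOST.tmp.$$"
            rm -f -- "${TMP}/$HOST.tmp.$$" 2>/dev/null
            if [ "$CURR_SER_NUM" -ne "$UNREVOKED_CERT" ]; then
                modvalue=$rev_modvalue
                testAddMsg="revoked"
            else
                testAddMsg="not revoked"
                modvalue=$value
            fi

            html_msg "$ret" "$modvalue" "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
                     "produced a returncode of $ret, expected is $modvalue"
            kill_selfserv
        done
    fi
  done

  html "</TABLE><BR>"
}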
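############################# is_revoked ###############################
# local shell function to check if certificate is revoked
#
# Locates the CRL group whose serial range [CRL_GRP_n_BEGIN,
# CRL_GRP_n_BEGIN + CRL_GRP_n_RANGE - 1] contains the certificate, then
# treats the cert as revoked only when that group's CRL has already been
# loaded and the cert is not the group's unrevoked one.
# Arguments: $1 - certificate serial number
#            $2 - highest CRL group number currently loaded in selfserv
# Globals:   reads TOTAL_GRP_NUM, CRL_GRP_<n>_BEGIN, CRL_GRP_<n>_RANGE,
#            UNREVOKED_CERT_GRP_<n>
#            writes certNum, currLoadedGrp, found, ownerGrp, currGrpBegin,
#            currGrpRange, currGrpEnd, unrevokedGrpCert
# Returns:   0 if the cert should be treated as revoked, 1 otherwise
#            (not found, group not loaded yet, or the unrevoked cert)
########################################################################
is_revoked() {
    certNum=$1
    currLoadedGrp=$2

    found=0
    ownerGrp=1
    while [ "$ownerGrp" -le "$TOTAL_GRP_NUM" -a "$found" -eq 0 ]
    do
        # ownerGrp is an integer counter, so the eval only builds a var name
        currGrpBegin=$(eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\})
        currGrpRange=$(eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\})
        currGrpEnd=$((currGrpBegin + currGrpRange - 1))
        if [ "$certNum" -ge "$currGrpBegin" -a "$certNum" -le "$currGrpEnd" ]; then
            found=1
        else
            ownerGrp=$((ownerGrp + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        return 1
    fi
    # the group's CRL is not loaded yet, so nothing in it counts as revoked
    if [ "$currLoadedGrp" -lt "$ownerGrp" ]; then
        return 1
    fi
    unrevokedGrpCert=$(eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\})
    if [ "$certNum" -eq "$unrevokedGrpCert" ]; then
        return 1
    fi
    return 0
}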
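########################### load_group_crl #############################
# local shell function to load CRL
#
# Makes the CRL for one group visible to selfserv. With RELOAD_CRL set the
# CRL is fetched through a running selfserv (crl:// request sent by
# tstclnt, and group 1 first restarts the server); otherwise selfserv is
# stopped, the CRL is imported into the server DB with crlu and selfserv
# is started again.
# Arguments: $1 - CRL group number
#            $2 - "ECC" to use the -ec CRL/cert variants
# Globals:   reads TMP, HOST, CRL_GRP_<n>_BEGIN, CRL_GRP_<n>_RANGE,
#            RELOAD_CRL, PORT, HOSTADDR, R_CLIENTDIR, UNREVOKED_CERT_GRP_1,
#            SERVERDIR, R_SERVERDIR, PROFTOOL, BINDIR
#            writes group, ectype, OUTFILE_TMP, grpBegin, grpRange, grpEnd,
#            ecsuffix, eccomment, CU_ACTION, ret (consumed by the caller)
# Returns:   1 when the group is unknown, the reload reported
#            "CRL ReCache Error", or the crlu import succeeded (see note);
#            otherwise the status of is_selfserv_alive
########################################################################
load_group_crl() {
    group=$1
    ectype=$2

    OUTFILE_TMP=${TMP}/$HOST.tmp.$$
    # group is an integer, so the eval only builds a variable name
    grpBegin=$(eval echo \$\{CRL_GRP_${group}_BEGIN\})
    grpRange=$(eval echo \$\{CRL_GRP_${group}_RANGE\})

    # validate before doing arithmetic on the values
    if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
        ret=1
        return 1;
    fi
    grpEnd=$((grpBegin + grpRange - 1))

    # Add -ec suffix for ECC
    if [ "$ectype" = "ECC" ] ; then
      ecsuffix="-ec"
      eccomment="ECC "
    else
      ecsuffix=""
      eccomment=""
    fi

    if [ "$RELOAD_CRL" != "" ]; then
        if [ "$group" -eq 1 ]; then
            echo "==================== Resetting to group 1 crl ==================="
            kill_selfserv
            start_selfserv
            is_selfserv_alive
        fi
        echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="

        echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
        echo " -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
        echo "Request:"
        echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
        echo ""
        # NOTE(review): $i is not set anywhere in this file - confirm intent
        echo "RELOAD time $i"
        ${PROFTOOL} "${BINDIR}/tstclnt" -p "${PORT}" -h "${HOSTADDR}" -f \
            -d "${R_CLIENTDIR}" -w nss -n "TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}" \
            >"${OUTFILE_TMP}" 2>&1 <<_EOF_REQUEST_
GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}

_EOF_REQUEST_
        cat "${OUTFILE_TMP}"
        if grep "CRL ReCache Error" "${OUTFILE_TMP}"; then
            ret=1
            return 1
        fi
    else
        echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="

        kill_selfserv
        CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
        crlu -d "${R_SERVERDIR}" -I -i "${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" \
             -p ../tests.pw.928
        ret=$?
        # NOTE(review): a successful import returns 1 here without restarting
        # selfserv, while a failed import falls through and restarts it -
        # confirm this is the intended contract before relying on it.
        if [ "$ret" -eq 0 ]; then
            html_passed "${CU_ACTION}"
            return 1
        fi
        start_selfserv
    fi
    is_selfserv_alive
    ret=$?
    echo "================= CRL Reloaded ============="
}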
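########################### ssl_crl_cache ##############################
# local shell function to perform SSL test for crl cache functionality
# with/out revoked certs
#
# Selects the ${SSLAUTH} lines whose server args equal ${SERV_ARG}
# (starting at "-r_-r" and adding one "_-r" per outer pass), and for each
# one handshakes with every certificate of the combined CRL range, loading
# the next group's CRL between passes so that is_revoked decides the
# expected result for every cert/group combination.
# Globals:   reads NORM_EXT, ECC_STRING, TMP, SSLAUTH, NSS_ENABLE_ECC,
#            SCRIPTNAME, TOTAL_GRP_NUM, TOTAL_CRL_RANGE, CRL_GRP_1_BEGIN,
#            PORT, HOSTADDR, R_CLIENTDIR, REQUEST_FILE, HOST, PROFTOOL,
#            BINDIR, eccomment and ret (set by load_group_crl)
#            writes SSLAUTH_TMP, SERV_ARG, sparam, cparam, USER_NICKNAME,
#            rev_modvalue, modvalue, LOADED_GRP, TEMP_NUM, TEMPFILES
# Side effects: redirects this shell's stdin to ${SSLAUTH_TMP} (exec),
#            starts/kills selfserv repeatedly, appends ${SSLAUTH_TMP} to
#            TEMPFILES for cleanup
########################################################################
ssl_crl_cache()
{
  html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
  SSLAUTH_TMP=${TMP}/authin.tl.tmp
  SERV_ARG=-r_-r
  rm -f "${SSLAUTH_TMP}"
  echo "${SSLAUTH_TMP}"

  grep -- " $SERV_ARG " "${SSLAUTH}" | grep -v "^#" | grep -v none | grep -v bogus > "${SSLAUTH_TMP}"
  echo $?
  # The first pass always runs; later passes stop once the grep for the
  # next SERV_ARG selects no test lines (status of the last grep -v).
  more_tests=0
  while [ "$more_tests" -eq 0 -a -f "${SSLAUTH_TMP}" ]
    do
    sparam=$SERV_ARG
    start_selfserv
    exec < "${SSLAUTH_TMP}"
    while read ectype value sparam cparam testname
      do
      if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
        echo "$SCRIPTNAME: skipping $testname (ECC only)"
      else
        # number of -r flags handed to selfserv (revocation checking level)
        servarg=$(echo "$sparam" | awk '{r=split($0,a,"-r") - 1;print r;}')
        has_pw=$(echo "$cparam" | grep nss)
        has_user=$(echo "$cparam" | grep TestUser)
        _cparam=$cparam
        # NOTE(review): no default arm - a servarg outside 1..4 keeps the
        # rev_modvalue of the previous line
        case $servarg in
            1) if [ -z "$has_pw" -o -z "$has_user" ]; then
                    rev_modvalue=0
                else
                    rev_modvalue=254
                fi
                ;;
            2) rev_modvalue=254 ;;

            3) if [ -z "$has_pw" -o -z "$has_user" ]; then
                    rev_modvalue=0
                else
                    rev_modvalue=1
                fi
                ;;
            4) rev_modvalue=1 ;;
        esac
        TEMP_NUM=0
        LOADED_GRP=1
        while [ "${LOADED_GRP}" -le "${TOTAL_GRP_NUM}" ]
          do
          while [ "$TEMP_NUM" -lt "$TOTAL_CRL_RANGE" ]
            do
            CURR_SER_NUM=$((CRL_GRP_1_BEGIN + TEMP_NUM))
            TEMP_NUM=$((TEMP_NUM + 1))
            USER_NICKNAME="TestUser${CURR_SER_NUM}"
            cparam=$(echo "$_cparam" | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g")

            echo "Server Args: $SERV_ARG"
            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
            echo " ${cparam} < ${REQUEST_FILE}"
            # cparam is unquoted on purpose: it is an option list
            rm -f -- "${TMP}/$HOST.tmp.$$" 2>/dev/null
            ${PROFTOOL} "${BINDIR}/tstclnt" -p "${PORT}" -h "${HOSTADDR}" -f ${cparam} \
                    -d "${R_CLIENTDIR}" < "${REQUEST_FILE}" \
                    >"${TMP}/$HOST.tmp.$$" 2>&1
            ret=$?
            cat "${TMP}/$HOST.tmp.$$"
            rm -f -- "${TMP}/$HOST.tmp.$$" 2>/dev/null
            if is_revoked "${CURR_SER_NUM}" "${LOADED_GRP}"; then
                modvalue=$rev_modvalue
                testAddMsg="revoked"
            else
                modvalue=$value
                testAddMsg="not revoked"
            fi

            is_selfserv_alive
            ss_status=$?
            if [ "$ss_status" -ne 0 ]; then
                html_msg "$ret" "$modvalue" \
                    "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
                    "produced a returncode of $ret, expected is $modvalue. " \
                    "selfserv is not alive!"
            else
                html_msg "$ret" "$modvalue" \
                    "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
                    "produced a returncode of $ret, expected is $modvalue"
            fi
          done
          LOADED_GRP=$((LOADED_GRP + 1))
          TEMP_NUM=0
          if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
              load_group_crl "$LOADED_GRP" "$ectype"
              html_msg "$ret" 0 "Load group $LOADED_GRP ${eccomment}crl " \
                  "produced a returncode of $ret, expected is 0"
          fi
        done
        # Restart selfserv to roll back to two initial group 1 crls
        # TestCA CRL and TestCA-ec CRL
        kill_selfserv
        start_selfserv
      fi
    done
    kill_selfserv
    SERV_ARG="${SERV_ARG}_-r"
    rm -f "${SSLAUTH_TMP}"
    # same filter as the initial selection, so comment lines never run
    grep -- " $SERV_ARG " "${SSLAUTH}" | grep -v "^#" | grep -v none | grep -v bogus > "${SSLAUTH_TMP}"
    more_tests=$?
  done
  # append rather than replace, so the server temp files stay scheduled
  # for removal by cleanup
  TEMPFILES="${TEMPFILES} ${SSLAUTH_TMP}"
  html "</TABLE><BR>"
}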
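############################## ssl_cleanup #############################
# local shell function to finish this script (no exit since it might be
# sourced)
#
# Removes the selfserv PID file and hands over to common/cleanup.sh.
# Globals:   reads SERVERPID, QADIR
# Side effects: changes directory to ${QADIR}, sources common/cleanup.sh
########################################################################
ssl_cleanup()
{
  rm -f -- "$SERVERPID" 2>/dev/null
  cd "${QADIR}"
  . common/cleanup.sh
}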
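############################## ssl_run #################################
# local shell function to run coverage, authentication and stress tests
#
# Dispatches on each word of NSS_SSL_RUN ("cov", "auth", "stress"); an
# unknown word is reported and skipped instead of being ignored silently.
# Globals:   reads NSS_SSL_RUN, SCRIPTNAME; writes SSL_RUN
########################################################################
ssl_run()
{
    for SSL_RUN in ${NSS_SSL_RUN}
    do
        case "${SSL_RUN}" in
        "cov")
            ssl_cov
            ;;
        "auth")
            ssl_auth
            ;;
        "stress")
            ssl_stress
            ;;
        *)
            echo "${SCRIPTNAME}: Error: Unknown ssl run ${SSL_RUN}" >&2
            ;;
        esac
    done
}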
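############################ ssl_run_all ###############################
# local shell function to run both standard and extended ssl tests
#
# Runs ssl_run once against the standard databases and once against the
# extended ones, then restores the directory variables so a later pass
# (e.g. a different server/client mode) starts from the standard set.
# Globals:   reads SERVERDIR, CLIENTDIR, R_SERVERDIR, R_CLIENTDIR,
#            P_R_SERVERDIR, P_R_CLIENTDIR and their EXT_/R_EXT_/P_R_EXT_
#            counterparts, QADIR
#            writes ORIG_* copies, USER_NICKNAME, NORM_EXT and temporarily
#            the six directory variables
# Side effects: ends in ${QADIR}/ssl
########################################################################
ssl_run_all()
{
    ORIG_SERVERDIR=$SERVERDIR
    ORIG_CLIENTDIR=$CLIENTDIR
    ORIG_R_SERVERDIR=$R_SERVERDIR
    ORIG_R_CLIENTDIR=$R_CLIENTDIR
    ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
    ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR

    # standard pass
    USER_NICKNAME=TestUser
    NORM_EXT=""
    cd "${CLIENTDIR}"

    ssl_run

    # extended pass: same tests against the ext databases
    SERVERDIR=$EXT_SERVERDIR
    CLIENTDIR=$EXT_CLIENTDIR
    R_SERVERDIR=$R_EXT_SERVERDIR
    R_CLIENTDIR=$R_EXT_CLIENTDIR
    P_R_SERVERDIR=$P_R_EXT_SERVERDIR
    P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR

    USER_NICKNAME=ExtendedSSLUser
    NORM_EXT="Extended Test"
    cd "${CLIENTDIR}"

    ssl_run

    # the next round of ssl tests will only run if these vars are reset
    SERVERDIR=$ORIG_SERVERDIR
    CLIENTDIR=$ORIG_CLIENTDIR
    R_SERVERDIR=$ORIG_R_SERVERDIR
    R_CLIENTDIR=$ORIG_R_CLIENTDIR
    P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
    P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR

    USER_NICKNAME=TestUser
    NORM_EXT=
    cd "${QADIR}/ssl"
}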
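############################ ssl_set_fips ##############################
# local shell function to set FIPS mode on/off
#
# Flips FIPS mode with "modutil -fips" on both the standard and extended
# database of one side and verifies via "modutil -list" that the FIPS
# PKCS #11 module is (or is no longer) listed.
# Arguments: $1 - "server" or "client" (which pair of databases)
#            $2 - "on" or "off"
# Globals:   reads SERVERDIR, EXT_SERVERDIR, CLIENTDIR, EXT_CLIENTDIR,
#            SCRIPTNAME, BINDIR, TESTNAME
#            writes CLTSRV, ONOFF, DBDIRS, FIPSMODE, RET_EXP, DBDIR,
#            EXT_OPT, RET, DBLIST
########################################################################
ssl_set_fips()
{
    CLTSRV=$1
    ONOFF=$2

    if [ "${CLTSRV}" = "server" ]; then
        DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
    else
        # fixed: previously read the misspelled CLIETNDIR, so the standard
        # client database was never switched and only the extended one was
        DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"
    fi

    if [ "${ONOFF}" = "on" ]; then
        FIPSMODE=true
        RET_EXP=0     # grep for the FIPS module must succeed
    else
        FIPSMODE=false
        RET_EXP=1     # ... and must fail once FIPS is off
    fi

    html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"

    # NOTE(review): TESTNAME is not set anywhere in this file - confirm it
    # comes from the caller or the html_msg labels will start with a blank
    for DBDIR in ${DBDIRS}
    do
        EXT_OPT=
        if echo "${DBDIR}" | grep ext > /dev/null; then
            EXT_OPT="extended "
        fi

        echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"

        echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
        "${BINDIR}/modutil" -dbdir "${DBDIR}" -fips "${FIPSMODE}" -force 2>&1
        RET=$?
        html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
                 "produced a returncode of ${RET}, expected is 0"

        echo "modutil -dbdir ${DBDIR} -list"
        DBLIST=$("${BINDIR}/modutil" -dbdir "${DBDIR}" -list 2>&1)
        RET=$?
        html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
                 "produced a returncode of ${RET}, expected is 0"

        echo "${DBLIST}" | grep "FIPS PKCS #11"
        RET=$?
        html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
                 "produced a returncode of ${RET}, expected is ${RET_EXP}"
    done

    html "</TABLE><BR>"
}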
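############################ ssl_run_tests #############################
# local shell function to run all tests set in NSS_SSL_TESTS variable
#
# Each word of NSS_SSL_TESTS is either "crl", "iopr" or a
# "<server_mode>_<client_mode>" pair with modes normal, bypass or fips.
# fips switches the databases of that side into FIPS mode for the run and
# back afterwards.
# Globals:   reads NSS_SSL_TESTS, SCRIPTNAME
#            writes SSL_TEST, SERVER_MODE, CLIENT_MODE, SERVER_OPTIONS,
#            CLIENT_OPTIONS
########################################################################
ssl_run_tests()
{
    for SSL_TEST in ${NSS_SSL_TESTS}
    do
        case "${SSL_TEST}" in
        "crl")
            ssl_crl_ssl
            ssl_crl_cache
            ;;
        "iopr")
            ssl_iopr_run
            ;;
        *)
            SERVER_MODE=$(echo "${SSL_TEST}" | cut -d_ -f1)
            CLIENT_MODE=$(echo "${SSL_TEST}" | cut -d_ -f2)

            case "${SERVER_MODE}" in
            "normal")
                SERVER_OPTIONS=
                ;;
            "bypass")
                SERVER_OPTIONS="-B -s"
                ;;
            "fips")
                SERVER_OPTIONS=
                ssl_set_fips server on
                ;;
            *)
                echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
                continue
                ;;
            esac

            case "${CLIENT_MODE}" in
            "normal")
                CLIENT_OPTIONS=
                ;;
            "bypass")
                CLIENT_OPTIONS="-B -s"
                ;;
            "fips")
                # fixed: previously cleared SERVER_OPTIONS here, which wiped
                # the server's bypass flags and left CLIENT_OPTIONS stale
                CLIENT_OPTIONS=
                ssl_set_fips client on
                ;;
            *)
                echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
                # do not leave the server databases in FIPS mode on the way out
                if [ "${SERVER_MODE}" = "fips" ]; then
                    ssl_set_fips server off
                fi
                continue
                ;;
            esac

            ssl_run_all

            if [ "${SERVER_MODE}" = "fips" ]; then
                ssl_set_fips server off
            fi

            if [ "${CLIENT_MODE}" = "fips" ]; then
                ssl_set_fips client off
            fi
            ;;
        esac
    done
}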
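################################# main #################################
# entry point: initialize, run whatever NSS_SSL_TESTS selects, clean up
# (no explicit exit - this file may be sourced by all.sh)

ssl_init
ssl_run_tests
ssl_cleanup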