mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
b49af54726
--HG-- rename : security/coreconf/AIX.mk => security/nss/coreconf/AIX.mk rename : security/coreconf/Android.mk => security/nss/coreconf/Android.mk rename : security/coreconf/BSD_OS.mk => security/nss/coreconf/BSD_OS.mk rename : security/coreconf/BeOS.mk => security/nss/coreconf/BeOS.mk rename : security/coreconf/Darwin.mk => security/nss/coreconf/Darwin.mk rename : security/coreconf/FreeBSD.mk => security/nss/coreconf/FreeBSD.mk rename : security/coreconf/HP-UX.mk => security/nss/coreconf/HP-UX.mk rename : security/coreconf/HP-UXA.09.03.mk => security/nss/coreconf/HP-UXA.09.03.mk rename : security/coreconf/HP-UXA.09.07.mk => security/nss/coreconf/HP-UXA.09.07.mk rename : security/coreconf/HP-UXA.09.mk => security/nss/coreconf/HP-UXA.09.mk rename : security/coreconf/HP-UXB.10.01.mk => security/nss/coreconf/HP-UXB.10.01.mk rename : security/coreconf/HP-UXB.10.10.mk => security/nss/coreconf/HP-UXB.10.10.mk rename : security/coreconf/HP-UXB.10.20.mk => security/nss/coreconf/HP-UXB.10.20.mk rename : security/coreconf/HP-UXB.10.30.mk => security/nss/coreconf/HP-UXB.10.30.mk rename : security/coreconf/HP-UXB.10.mk => security/nss/coreconf/HP-UXB.10.mk rename : security/coreconf/HP-UXB.11.00.mk => security/nss/coreconf/HP-UXB.11.00.mk rename : security/coreconf/HP-UXB.11.11.mk => security/nss/coreconf/HP-UXB.11.11.mk rename : security/coreconf/HP-UXB.11.20.mk => security/nss/coreconf/HP-UXB.11.20.mk rename : security/coreconf/HP-UXB.11.22.mk => security/nss/coreconf/HP-UXB.11.22.mk rename : security/coreconf/HP-UXB.11.23.mk => security/nss/coreconf/HP-UXB.11.23.mk rename : security/coreconf/HP-UXB.11.mk => security/nss/coreconf/HP-UXB.11.mk rename : security/coreconf/IRIX.mk => security/nss/coreconf/IRIX.mk rename : security/coreconf/IRIX5.2.mk => security/nss/coreconf/IRIX5.2.mk rename : security/coreconf/IRIX5.3.mk => security/nss/coreconf/IRIX5.3.mk rename : security/coreconf/IRIX5.mk => security/nss/coreconf/IRIX5.mk rename : security/coreconf/IRIX6.2.mk => security/nss/coreconf/IRIX6.2.mk rename : security/coreconf/IRIX6.3.mk => security/nss/coreconf/IRIX6.3.mk rename : security/coreconf/IRIX6.5.mk => security/nss/coreconf/IRIX6.5.mk rename : security/coreconf/IRIX6.mk => security/nss/coreconf/IRIX6.mk rename : security/coreconf/Linux.mk => security/nss/coreconf/Linux.mk rename : security/coreconf/Makefile => security/nss/coreconf/Makefile rename : security/coreconf/NCR3.0.mk => security/nss/coreconf/NCR3.0.mk rename : security/coreconf/NEC4.2.mk => security/nss/coreconf/NEC4.2.mk rename : security/coreconf/NetBSD.mk => security/nss/coreconf/NetBSD.mk rename : security/coreconf/OS2.mk => security/nss/coreconf/OS2.mk rename : security/coreconf/OSF1.mk => security/nss/coreconf/OSF1.mk rename : security/coreconf/OSF1V3.0.mk => security/nss/coreconf/OSF1V2.0.mk rename : security/coreconf/OSF1V3.0.mk => security/nss/coreconf/OSF1V3.0.mk rename : security/coreconf/OSF1V3.2.mk => security/nss/coreconf/OSF1V3.2.mk rename : security/coreconf/OSF1V4.0.mk => security/nss/coreconf/OSF1V4.0.mk rename : security/coreconf/OSF1V4.0B.mk => security/nss/coreconf/OSF1V4.0B.mk rename : security/coreconf/OSF1V4.0D.mk => security/nss/coreconf/OSF1V4.0D.mk rename : security/coreconf/OSF1V5.0.mk => security/nss/coreconf/OSF1V5.0.mk rename : security/coreconf/OSF1V5.1.mk => security/nss/coreconf/OSF1V5.1.mk rename : security/coreconf/OpenBSD.mk => security/nss/coreconf/OpenBSD.mk rename : security/coreconf/OpenUNIX.mk => security/nss/coreconf/OpenUNIX.mk rename : security/coreconf/QNX.mk => security/nss/coreconf/QNX.mk rename : security/coreconf/README => security/nss/coreconf/README rename : security/coreconf/RISCOS.mk => security/nss/coreconf/RISCOS.mk rename : security/coreconf/ReliantUNIX.mk => security/nss/coreconf/ReliantUNIX.mk rename : security/coreconf/ReliantUNIX5.4.mk => security/nss/coreconf/ReliantUNIX5.4.mk rename : security/coreconf/SCOOS5.0.mk => security/nss/coreconf/SCOOS5.0.mk rename : security/coreconf/SCO_SV3.2.mk => security/nss/coreconf/SCO_SV3.2.mk rename : security/coreconf/SunOS4.1.3_U1.mk => security/nss/coreconf/SunOS4.1.3_U1.mk rename : security/coreconf/UNIX.mk => security/nss/coreconf/UNIX.mk rename : security/coreconf/UNIXWARE2.1.mk => security/nss/coreconf/UNIXWARE2.1.mk rename : security/coreconf/WIN95.mk => security/nss/coreconf/WIN95.mk rename : security/coreconf/WINNT.mk => security/nss/coreconf/WINNT.mk rename : security/coreconf/arch.mk => security/nss/coreconf/arch.mk rename : security/coreconf/command.mk => security/nss/coreconf/command.mk rename : security/coreconf/coreconf.pl => security/nss/coreconf/coreconf.pl rename : security/coreconf/cpdist.pl => security/nss/coreconf/cpdist.pl rename : security/coreconf/headers.mk => security/nss/coreconf/headers.mk rename : security/coreconf/import.pl => security/nss/coreconf/import.pl rename : security/coreconf/jdk.mk => security/nss/coreconf/jdk.mk rename : security/coreconf/jniregen.pl => security/nss/coreconf/jniregen.pl rename : security/coreconf/location.mk => security/nss/coreconf/location.mk rename : security/coreconf/mkdepend/Makefile => security/nss/coreconf/mkdepend/Makefile rename : security/coreconf/mkdepend/cppsetup.c => security/nss/coreconf/mkdepend/cppsetup.c rename : security/coreconf/mkdepend/def.h => security/nss/coreconf/mkdepend/def.h rename : security/coreconf/mkdepend/ifparser.c => security/nss/coreconf/mkdepend/ifparser.c rename : security/coreconf/mkdepend/ifparser.h => security/nss/coreconf/mkdepend/ifparser.h rename : security/coreconf/mkdepend/imakemdep.h => security/nss/coreconf/mkdepend/imakemdep.h rename : security/coreconf/mkdepend/include.c => security/nss/coreconf/mkdepend/include.c rename : security/coreconf/mkdepend/main.c => security/nss/coreconf/mkdepend/main.c rename : security/coreconf/mkdepend/mkdepend.man => security/nss/coreconf/mkdepend/mkdepend.man rename : security/coreconf/mkdepend/parse.c => security/nss/coreconf/mkdepend/parse.c rename : security/coreconf/mkdepend/pr.c => security/nss/coreconf/mkdepend/pr.c rename : security/coreconf/module.mk => security/nss/coreconf/module.mk rename : security/coreconf/nsinstall/Makefile => security/nss/coreconf/nsinstall/Makefile rename : security/coreconf/nsinstall/nsinstall.c => security/nss/coreconf/nsinstall/nsinstall.c rename : security/coreconf/nsinstall/pathsub.c => security/nss/coreconf/nsinstall/pathsub.c rename : security/coreconf/nsinstall/pathsub.h => security/nss/coreconf/nsinstall/pathsub.h rename : security/coreconf/nsinstall/sunos4.h => security/nss/coreconf/nsinstall/sunos4.h rename : security/coreconf/outofdate.pl => security/nss/coreconf/outofdate.pl rename : security/coreconf/prefix.mk => security/nss/coreconf/prefix.mk rename : security/coreconf/release.pl => security/nss/coreconf/release.pl rename : security/coreconf/rules.mk => security/nss/coreconf/rules.mk rename : security/coreconf/ruleset.mk => security/nss/coreconf/ruleset.mk rename : security/coreconf/source.mk => security/nss/coreconf/source.mk rename : security/coreconf/suffix.mk => security/nss/coreconf/suffix.mk rename : security/coreconf/tree.mk => security/nss/coreconf/tree.mk rename : security/coreconf/version.mk => security/nss/coreconf/version.mk rename : security/coreconf/version.pl => security/nss/coreconf/version.pl rename : security/dbm/config/config.mk => security/nss/lib/dbm/config/config.mk rename : dbm/include/cdefs.h => security/nss/lib/dbm/include/cdefs.h rename : dbm/include/extern.h => security/nss/lib/dbm/include/extern.h rename : dbm/include/hash.h => security/nss/lib/dbm/include/hash.h rename : dbm/include/search.h => security/nss/lib/dbm/include/hsearch.h rename : dbm/include/mcom_db.h => security/nss/lib/dbm/include/mcom_db.h rename : dbm/include/mpool.h => security/nss/lib/dbm/include/mpool.h rename : dbm/include/ncompat.h => security/nss/lib/dbm/include/ncompat.h rename : dbm/include/page.h => security/nss/lib/dbm/include/page.h rename : dbm/include/queue.h => security/nss/lib/dbm/include/queue.h rename : dbm/include/search.h => security/nss/lib/dbm/include/search.h rename : dbm/include/winfile.h => security/nss/lib/dbm/include/winfile.h rename : dbm/src/db.c => security/nss/lib/dbm/src/db.c rename : security/dbm/src/dirent.c => security/nss/lib/dbm/src/dirent.c rename : security/dbm/src/dirent.h => security/nss/lib/dbm/src/dirent.h rename : dbm/src/h_bigkey.c => security/nss/lib/dbm/src/h_bigkey.c rename : dbm/src/h_func.c => security/nss/lib/dbm/src/h_func.c rename : dbm/src/h_log2.c => security/nss/lib/dbm/src/h_log2.c rename : dbm/src/h_page.c => security/nss/lib/dbm/src/h_page.c rename : dbm/src/hash.c => security/nss/lib/dbm/src/hash.c rename : dbm/src/hash_buf.c => security/nss/lib/dbm/src/hash_buf.c rename : dbm/src/memmove.c => security/nss/lib/dbm/src/memmove.c rename : dbm/src/mktemp.c => security/nss/lib/dbm/src/mktemp.c rename : dbm/src/snprintf.c => security/nss/lib/dbm/src/snprintf.c rename : dbm/src/strerror.c => security/nss/lib/dbm/src/strerror.c rename : dbm/tests/dbmtest.pkg => security/nss/lib/dbm/tests/dbmtest.pkg rename : dbm/tests/lots.c => security/nss/lib/dbm/tests/lots.c extra : rebase_source : 119dad5f824e8e760182047fd32e2a0d0f944172 extra : amend_source : 98e24aa51f9044d9091a26f013b643925e8f9dcf
1117 lines
36 KiB
Bash
Executable File
1117 lines
36 KiB
Bash
Executable File
#! /bin/bash
|
|
#
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
########################################################################
|
|
#
|
|
# mozilla/security/nss/tests/ssl/ssl.sh
|
|
#
|
|
# Script to test NSS SSL
|
|
#
|
|
# needs to work on all Unix and Windows platforms
|
|
#
|
|
# special strings
|
|
# ---------------
|
|
# FIXME ... known problems, search for this string
|
|
# NOTE .... unexpected behavior
|
|
#
|
|
########################################################################
|
|
|
|
############################## ssl_init ################################
|
|
# local shell function to initialize this script
|
|
########################################################################
|
|
ssl_init()
|
|
{
|
|
SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh
|
|
|
|
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
|
|
CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
|
|
fi
|
|
|
|
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
|
|
cd ../common
|
|
. ./init.sh
|
|
fi
|
|
if [ -z "${IOPR_SSL_SOURCED}" ]; then
|
|
. ../iopr/ssl_iopr.sh
|
|
fi
|
|
if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
|
|
cd ../cert
|
|
. ./cert.sh
|
|
fi
|
|
SCRIPTNAME=ssl.sh
|
|
echo "$SCRIPTNAME: SSL tests ==============================="
|
|
|
|
grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
|
|
html_head "SSL Test failure"
|
|
Exit 8 "Fatal - cert.sh needs to pass first"
|
|
}
|
|
|
|
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
|
|
grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
|
|
html_head "SSL Test failure"
|
|
Exit 8 "Fatal - SSL of cert.sh needs to pass first"
|
|
}
|
|
fi
|
|
|
|
PORT=${PORT-8443}
|
|
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
|
|
nss_ssl_run="stapling cov auth stress"
|
|
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
|
|
|
|
# Test case files
|
|
SSLCOV=${QADIR}/ssl/sslcov.txt
|
|
SSLAUTH=${QADIR}/ssl/sslauth.txt
|
|
SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
|
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
|
|
|
|
#temparary files
|
|
SERVEROUTFILE=${TMP}/tests_server.$$
|
|
SERVERPID=${TMP}/tests_pid.$$
|
|
|
|
R_SERVERPID=../tests_pid.$$
|
|
|
|
TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"
|
|
|
|
fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
|
|
#fileout=1
|
|
#verbose="-v" #FIXME - see where this is usefull
|
|
|
|
USER_NICKNAME=TestUser
|
|
NORM_EXT=""
|
|
|
|
if [ -n "$NSS_ENABLE_ECC" ] ; then
|
|
ECC_STRING=" - with ECC"
|
|
else
|
|
ECC_STRING=""
|
|
fi
|
|
|
|
CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz"
|
|
CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz"
|
|
|
|
if [ "${OS_ARCH}" != "WINNT" ]; then
|
|
ulimit -n 1000 # make sure we have enough file descriptors
|
|
fi
|
|
|
|
cd ${CLIENTDIR}
|
|
}
|
|
|
|
########################### is_selfserv_alive ##########################
|
|
# local shell function to exit with a fatal error if selfserver is not
|
|
# running
|
|
########################################################################
|
|
is_selfserv_alive()
|
|
{
|
|
if [ ! -f "${SERVERPID}" ]; then
|
|
echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
|
|
sleep 5
|
|
if [ ! -f "${SERVERPID}" ]; then
|
|
Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
|
|
fi
|
|
fi
|
|
|
|
if [ "${OS_ARCH}" = "WINNT" ] && \
|
|
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
|
|
PID=${SHELL_SERVERPID}
|
|
else
|
|
PID=`cat ${SERVERPID}`
|
|
fi
|
|
|
|
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
|
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
|
|
|
|
echo "selfserv with PID ${PID} found at `date`"
|
|
}
|
|
|
|
########################### wait_for_selfserv ##########################
|
|
# local shell function to wait until selfserver is running and initialized
|
|
########################################################################
|
|
wait_for_selfserv()
|
|
{
|
|
echo "trying to connect to selfserv at `date`"
|
|
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
|
|
echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
|
|
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
|
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
|
if [ $? -ne 0 ]; then
|
|
sleep 5
|
|
echo "retrying to connect to selfserv at `date`"
|
|
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
|
|
echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
|
|
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
|
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
|
if [ $? -ne 0 ]; then
|
|
html_failed "Waiting for Server"
|
|
fi
|
|
fi
|
|
is_selfserv_alive
|
|
}
|
|
|
|
########################### kill_selfserv ##############################
|
|
# local shell function to kill the selfserver after the tests are done
|
|
########################################################################
|
|
kill_selfserv()
|
|
{
|
|
if [ "${OS_ARCH}" = "WINNT" ] && \
|
|
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
|
|
PID=${SHELL_SERVERPID}
|
|
else
|
|
PID=`cat ${SERVERPID}`
|
|
fi
|
|
|
|
echo "trying to kill selfserv with PID ${PID} at `date`"
|
|
|
|
if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
|
|
echo "${KILL} ${PID}"
|
|
${KILL} ${PID}
|
|
else
|
|
echo "${KILL} -USR1 ${PID}"
|
|
${KILL} -USR1 ${PID}
|
|
fi
|
|
wait ${PID}
|
|
if [ ${fileout} -eq 1 ]; then
|
|
cat ${SERVEROUTFILE}
|
|
fi
|
|
|
|
# On Linux selfserv needs up to 30 seconds to fully die and free
|
|
# the port. Wait until the port is free. (Bug 129701)
|
|
if [ "${OS_ARCH}" = "Linux" ]; then
|
|
echo "selfserv -b -p ${PORT} 2>/dev/null;"
|
|
until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
|
|
echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
|
|
sleep 1
|
|
done
|
|
fi
|
|
|
|
echo "selfserv with PID ${PID} killed at `date`"
|
|
|
|
rm ${SERVERPID}
|
|
html_detect_core "kill_selfserv core detection step"
|
|
}
|
|
|
|
########################### start_selfserv #############################
|
|
# local shell function to start the selfserver with the parameters required
|
|
# for this test and log information (parameters, start time)
|
|
# also: wait until the server is up and running
|
|
########################################################################
|
|
start_selfserv()
|
|
{
|
|
if [ -n "$testname" ] ; then
|
|
echo "$SCRIPTNAME: $testname ----"
|
|
fi
|
|
sparam=`echo $sparam | sed -e 's;_; ;g'`
|
|
if [ -n "$NSS_ENABLE_ECC" ] && \
|
|
[ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
|
|
ECC_OPTIONS="-e ${HOSTADDR}-ec"
|
|
else
|
|
ECC_OPTIONS=""
|
|
fi
|
|
if [ "$1" = "mixed" ]; then
|
|
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
|
|
fi
|
|
echo "selfserv starting at `date`"
|
|
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
|
|
echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
|
|
if [ ${fileout} -eq 1 ]; then
|
|
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
|
${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
|
|
> ${SERVEROUTFILE} 2>&1 &
|
|
RET=$?
|
|
else
|
|
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
|
${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
|
|
RET=$?
|
|
fi
|
|
|
|
# The PID $! returned by the MKS or Cygwin shell is not the PID of
|
|
# the real background process, but rather the PID of a helper
|
|
# process (sh.exe). MKS's kill command has a bug: invoking kill
|
|
# on the helper process does not terminate the real background
|
|
# process. Our workaround has been to have selfserv save its PID
|
|
# in the ${SERVERPID} file and "kill" that PID instead. But this
|
|
# doesn't work under Cygwin; its kill command doesn't recognize
|
|
# the PID of the real background process, but it does work on the
|
|
# PID of the helper process. So we save the value of $! in the
|
|
# SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
|
|
# file under Cygwin. (In fact, this should work in any shell
|
|
# other than the MKS shell.)
|
|
SHELL_SERVERPID=$!
|
|
wait_for_selfserv
|
|
|
|
if [ "${OS_ARCH}" = "WINNT" ] && \
|
|
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
|
|
PID=${SHELL_SERVERPID}
|
|
else
|
|
PID=`cat ${SERVERPID}`
|
|
fi
|
|
|
|
echo "selfserv with PID ${PID} started at `date`"
|
|
}
|
|
|
|
############################## ssl_cov #################################
|
|
# local shell function to perform SSL Cipher Coverage tests
|
|
########################################################################
|
|
ssl_cov()
|
|
{
|
|
html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
|
|
|
|
testname=""
|
|
if [ -n "$NSS_ENABLE_ECC" ] ; then
|
|
sparam="$CLONG"
|
|
else
|
|
sparam="$CSHORT"
|
|
fi
|
|
|
|
mixed=0
|
|
start_selfserv # Launch the server
|
|
|
|
VMIN="ssl2"
|
|
VMAX="tls1.1"
|
|
|
|
exec < ${SSLCOV}
|
|
while read ectype testmax param testname
|
|
do
|
|
echo "${testname}" | grep "EXPORT" > /dev/null
|
|
EXP=$?
|
|
echo "${testname}" | grep "SSL2" > /dev/null
|
|
SSL2=$?
|
|
|
|
if [ "${SSL2}" -eq 0 ] ; then
|
|
# We cannot use asynchronous cert verification with SSL2
|
|
SSL2_FLAGS=-O
|
|
VMIN="ssl2"
|
|
else
|
|
# Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
|
|
# default in libssl but it is enabled by default in tstclnt; we want
|
|
# to test the libssl default whenever possible.
|
|
SSL2_FLAGS=
|
|
VMIN="ssl3"
|
|
fi
|
|
|
|
if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
|
|
elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (ECC only)"
|
|
elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
|
elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
|
|
echo "$SCRIPTNAME: running $testname ----------------------------"
|
|
VMAX="ssl3"
|
|
if [ "$testmax" = "TLS10" ]; then
|
|
VMAX="tls1.0"
|
|
fi
|
|
if [ "$testmax" = "TLS11" ]; then
|
|
VMAX="tls1.1"
|
|
fi
|
|
|
|
# These five tests need an EC cert signed with RSA
|
|
# This requires a different certificate loaded in selfserv
|
|
# due to a (current) NSS limitation of only loaded one cert
|
|
# per type so the default selfserv setup will not work.
|
|
#:C00B TLS ECDH RSA WITH NULL SHA
|
|
#:C00C TLS ECDH RSA WITH RC4 128 SHA
|
|
#:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
|
|
#:C00E TLS ECDH RSA WITH AES 128 CBC SHA
|
|
#:C00F TLS ECDH RSA WITH AES 256 CBC SHA
|
|
|
|
if [ $mixed -eq 0 ]; then
|
|
if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
|
|
kill_selfserv
|
|
start_selfserv mixed
|
|
mixed=1
|
|
else
|
|
is_selfserv_alive
|
|
fi
|
|
else
|
|
if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
|
|
is_selfserv_alive
|
|
else
|
|
kill_selfserv
|
|
start_selfserv
|
|
mixed=0
|
|
fi
|
|
fi
|
|
|
|
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\"
|
|
echo " -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}"
|
|
|
|
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
|
${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \
|
|
-d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \
|
|
>${TMP}/$HOST.tmp.$$ 2>&1
|
|
ret=$?
|
|
cat ${TMP}/$HOST.tmp.$$
|
|
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
|
html_msg $ret 0 "${testname}" \
|
|
"produced a returncode of $ret, expected is 0"
|
|
fi
|
|
done
|
|
|
|
kill_selfserv
|
|
html "</TABLE><BR>"
|
|
}
|
|
|
|
############################## ssl_auth ################################
|
|
# local shell function to perform SSL Client Authentication tests
|
|
########################################################################
|
|
ssl_auth()
|
|
{
|
|
html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
|
|
|
|
exec < ${SSLAUTH}
|
|
while read ectype value sparam cparam testname
|
|
do
|
|
[ -z "$ectype" ] && continue
|
|
echo "${testname}" | grep "don't require client auth" > /dev/null
|
|
CAUTH=$?
|
|
|
|
if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
|
elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
|
|
elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (ECC only)"
|
|
elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
|
|
cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
|
|
if [ "$ectype" = "SNI" ]; then
|
|
cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
|
|
sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
|
|
fi
|
|
start_selfserv
|
|
|
|
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
|
|
echo " ${cparam} < ${REQUEST_FILE}"
|
|
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
|
${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
|
|
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} \
|
|
>${TMP}/$HOST.tmp.$$ 2>&1
|
|
ret=$?
|
|
cat ${TMP}/$HOST.tmp.$$
|
|
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
|
|
|
#workaround for bug #402058
|
|
[ $ret -ne 0 ] && ret=1
|
|
[ $value -ne 0 ] && value=1
|
|
|
|
html_msg $ret $value "${testname}" \
|
|
"produced a returncode of $ret, expected is $value"
|
|
kill_selfserv
|
|
fi
|
|
done
|
|
|
|
html "</TABLE><BR>"
|
|
}
|
|
|
|
ssl_stapling_sub()
|
|
{
|
|
testname=$1
|
|
SO=$2
|
|
value=$3
|
|
|
|
if [ "$NORM_EXT" = "Extended Test" ] ; then
|
|
# these tests use the ext_client directory for tstclnt,
|
|
# which doesn't contain the required "TestCA" for server cert
|
|
# verification, I don't know if it would be OK to add it...
|
|
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
|
|
return 0
|
|
fi
|
|
if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
|
return 0
|
|
fi
|
|
|
|
SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
|
|
SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
|
|
|
|
SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
|
|
P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
|
|
|
|
echo "${testname}"
|
|
|
|
start_selfserv
|
|
|
|
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
|
|
echo " -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
|
|
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
|
${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
|
|
-d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
|
|
>${TMP}/$HOST.tmp.$$ 2>&1
|
|
ret=$?
|
|
cat ${TMP}/$HOST.tmp.$$
|
|
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
|
|
|
# hopefully no workaround for bug #402058 needed here?
|
|
# (see commands in ssl_auth
|
|
|
|
html_msg $ret $value "${testname}" \
|
|
"produced a returncode of $ret, expected is $value"
|
|
kill_selfserv
|
|
|
|
SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
|
|
P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
|
|
}
|
|
|
|
ssl_stapling_stress()
|
|
{
|
|
testname="Stress OCSP stapling, server uses random status"
|
|
SO="-A TestCA -T random"
|
|
value=0
|
|
|
|
if [ "$NORM_EXT" = "Extended Test" ] ; then
|
|
# these tests use the ext_client directory for tstclnt,
|
|
# which doesn't contain the required "TestCA" for server cert
|
|
# verification, I don't know if it would be OK to add it...
|
|
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
|
|
return 0
|
|
fi
|
|
if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
|
return 0
|
|
fi
|
|
|
|
SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
|
|
SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
|
|
|
|
SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
|
|
P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
|
|
|
|
echo "${testname}"
|
|
start_selfserv
|
|
|
|
echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
|
|
echo " -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}"
|
|
echo "strsclnt started at `date`"
|
|
${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
|
|
-c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}
|
|
ret=$?
|
|
|
|
echo "strsclnt completed at `date`"
|
|
html_msg $ret $value \
|
|
"${testname}" \
|
|
"produced a returncode of $ret, expected is $value."
|
|
kill_selfserv
|
|
|
|
SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
|
|
P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
|
|
}
|
|
|
|
############################ ssl_stapling ##############################
|
|
# local shell function to perform SSL Cert Status (OCSP Stapling) tests
|
|
########################################################################
|
|
ssl_stapling()
|
|
{
|
|
html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
|
|
|
|
# tstclnt Exit code:
|
|
# 0: have fresh and valid revocation data, status good
|
|
# 1: cert failed to verify, prior to revocation checking
|
|
# 2: missing, old or invalid revocation data
|
|
# 3: have fresh and valid revocation data, status revoked
|
|
|
|
# selfserv modes
|
|
# good, revoked, unkown: Include locally signed response. Requires: -A
|
|
# failure: Include OCSP failure status, such as "try later" (unsigned)
|
|
# badsig: use a good status but with an invalid signature
|
|
# corrupted: stapled cert status is an invalid block of data
|
|
|
|
ssl_stapling_sub "OCSP stapling, signed response, good status" "-A TestCA -T good" 0
|
|
ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked" 3
|
|
ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown" 2
|
|
ssl_stapling_sub "OCSP stapling, unsigned failure response" "-A TestCA -T failure" 2
|
|
ssl_stapling_sub "OCSP stapling, good status, bad signature" "-A TestCA -T badsig" 2
|
|
ssl_stapling_sub "OCSP stapling, invalid cert status data" "-A TestCA -T corrupted" 2
|
|
ssl_stapling_sub "Valid cert, Server doesn't staple" "" 2
|
|
|
|
ssl_stapling_stress
|
|
|
|
html "</TABLE><BR>"
|
|
}
|
|
|
|
|
|
############################## ssl_stress ##############################
|
|
# local shell function to perform SSL stress test
|
|
########################################################################
|
|
ssl_stress()
|
|
{
|
|
html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
|
|
|
|
exec < ${SSLSTRESS}
|
|
while read ectype value sparam cparam testname
|
|
do
|
|
if [ -z "$ectype" ]; then
|
|
# silently ignore blank lines
|
|
continue
|
|
fi
|
|
|
|
echo "${testname}" | grep "SSL2" > /dev/null
|
|
SSL2=$?
|
|
echo "${testname}" | grep "client auth" > /dev/null
|
|
CAUTH=$?
|
|
|
|
if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
|
|
elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
|
|
elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (ECC only)"
|
|
elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
|
elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
|
elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
|
|
cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
|
|
if [ "$ectype" = "SNI" ]; then
|
|
cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
|
|
sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
|
|
fi
|
|
|
|
# These tests need the mixed cert
|
|
# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
|
|
# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
|
|
p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;
|
|
if [ "$p" = "-c_:C00E" ]; then
|
|
start_selfserv mixed
|
|
else
|
|
start_selfserv
|
|
fi
|
|
|
|
if [ "`uname -n`" = "sjsu" ] ; then
|
|
echo "debugging disapering selfserv... ps -ef | grep selfserv"
|
|
ps -ef | grep selfserv
|
|
fi
|
|
|
|
echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
|
|
echo " $verbose ${HOSTADDR}"
|
|
echo "strsclnt started at `date`"
|
|
${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
|
|
$verbose ${HOSTADDR}
|
|
ret=$?
|
|
echo "strsclnt completed at `date`"
|
|
html_msg $ret $value \
|
|
"${testname}" \
|
|
"produced a returncode of $ret, expected is $value. "
|
|
if [ "`uname -n`" = "sjsu" ] ; then
|
|
echo "debugging disapering selfserv... ps -ef | grep selfserv"
|
|
ps -ef | grep selfserv
|
|
fi
|
|
kill_selfserv
|
|
fi
|
|
done
|
|
|
|
html "</TABLE><BR>"
|
|
}
|
|
|
|
############################ ssl_crl_ssl ###############################
|
|
# local shell function to perform SSL test with/out revoked certs tests
|
|
########################################################################
|
|
ssl_crl_ssl()
|
|
{
|
|
html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
|
|
|
|
# Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
|
|
# Cert number $UNREVOKED_CERT_GRP_1 was not revoked
|
|
CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
|
|
CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
|
|
UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
|
|
|
|
exec < ${SSLAUTH}
|
|
while read ectype value sparam cparam testname
|
|
do
|
|
[ "$ectype" = "" ] && continue
|
|
if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (ECC only)"
|
|
elif [ "$ectype" = "SNI" ]; then
|
|
continue
|
|
elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
|
|
servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
|
|
pwd=`echo $cparam | grep nss`
|
|
user=`echo $cparam | grep TestUser`
|
|
_cparam=$cparam
|
|
case $servarg in
|
|
1) if [ -z "$pwd" -o -z "$user" ]; then
|
|
rev_modvalue=0
|
|
else
|
|
rev_modvalue=254
|
|
fi
|
|
;;
|
|
2) rev_modvalue=254 ;;
|
|
3) if [ -z "$pwd" -o -z "$user" ]; then
|
|
rev_modvalue=0
|
|
else
|
|
rev_modvalue=1
|
|
fi
|
|
;;
|
|
4) rev_modvalue=1 ;;
|
|
esac
|
|
TEMP_NUM=0
|
|
while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
|
|
do
|
|
CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
|
|
TEMP_NUM=`expr $TEMP_NUM + 1`
|
|
USER_NICKNAME="TestUser${CURR_SER_NUM}"
|
|
cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
|
|
start_selfserv
|
|
|
|
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
|
|
echo " ${cparam} < ${REQUEST_FILE}"
|
|
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
|
${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
|
|
-d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
|
|
>${TMP}/$HOST.tmp.$$ 2>&1
|
|
ret=$?
|
|
cat ${TMP}/$HOST.tmp.$$
|
|
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
|
if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
|
|
modvalue=$rev_modvalue
|
|
testAddMsg="revoked"
|
|
else
|
|
testAddMsg="not revoked"
|
|
modvalue=$value
|
|
fi
|
|
|
|
html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
|
|
"produced a returncode of $ret, expected is $modvalue"
|
|
kill_selfserv
|
|
done
|
|
fi
|
|
done
|
|
|
|
html "</TABLE><BR>"
|
|
}
|
|
|
|
############################# is_revoked ###############################
|
|
# local shell function to check if certificate is revoked
|
|
########################################################################
|
|
is_revoked() {
|
|
certNum=$1
|
|
currLoadedGrp=$2
|
|
|
|
found=0
|
|
ownerGrp=1
|
|
while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
|
|
do
|
|
currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
|
|
currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
|
|
currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
|
|
if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
|
|
found=1
|
|
else
|
|
ownerGrp=`expr $ownerGrp + 1`
|
|
fi
|
|
done
|
|
if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
|
|
return 1
|
|
fi
|
|
if [ $found -eq 0 ]; then
|
|
return 1
|
|
fi
|
|
unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
|
|
if [ $certNum -eq $unrevokedGrpCert ]; then
|
|
return 1
|
|
fi
|
|
return 0
|
|
}
|
|
|
|
########################### load_group_crl #############################
|
|
# local shell function to load CRL
|
|
########################################################################
|
|
load_group_crl() {
|
|
group=$1
|
|
ectype=$2
|
|
|
|
OUTFILE_TMP=${TMP}/$HOST.tmp.$$
|
|
grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
|
|
grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
|
|
grpEnd=`expr $grpBegin + $grpRange - 1`
|
|
|
|
if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
|
|
ret=1
|
|
return 1;
|
|
fi
|
|
|
|
# Add -ec suffix for ECC
|
|
if [ "$ectype" = "ECC" ] ; then
|
|
ecsuffix="-ec"
|
|
eccomment="ECC "
|
|
else
|
|
ecsuffix=""
|
|
eccomment=""
|
|
fi
|
|
|
|
if [ "$RELOAD_CRL" != "" ]; then
|
|
if [ $group -eq 1 ]; then
|
|
echo "==================== Resetting to group 1 crl ==================="
|
|
kill_selfserv
|
|
start_selfserv
|
|
is_selfserv_alive
|
|
fi
|
|
echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
|
|
|
|
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
|
|
echo " -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
|
|
echo "Request:"
|
|
echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
|
|
echo ""
|
|
echo "RELOAD time $i"
|
|
|
|
REQF=${R_CLIENTDIR}.crlreq
|
|
cat > ${REQF} <<_EOF_REQUEST_
|
|
GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
|
|
|
|
_EOF_REQUEST_
|
|
|
|
${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \
|
|
-d ${R_CLIENTDIR} -v -V ssl3: -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
|
|
>${OUTFILE_TMP} 2>&1 < ${REQF}
|
|
|
|
cat ${OUTFILE_TMP}
|
|
grep "CRL ReCache Error" ${OUTFILE_TMP}
|
|
if [ $? -eq 0 ]; then
|
|
ret=1
|
|
return 1
|
|
fi
|
|
else
|
|
echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
|
|
|
|
kill_selfserv
|
|
CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
|
|
crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
|
|
-p ../tests.pw.928
|
|
ret=$?
|
|
if [ "$ret" -eq 0 ]; then
|
|
html_passed "${CU_ACTION}"
|
|
return 1
|
|
fi
|
|
start_selfserv
|
|
fi
|
|
is_selfserv_alive
|
|
ret=$?
|
|
echo "================= CRL Reloaded ============="
|
|
}
|
|
|
|
########################### ssl_crl_cache ##############################
|
|
# local shell function to perform SSL test for crl cache functionality
|
|
# with/out revoked certs
|
|
########################################################################
|
|
ssl_crl_cache()
|
|
{
|
|
html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
|
|
SSLAUTH_TMP=${TMP}/authin.tl.tmp
|
|
SERV_ARG=-r_-r
|
|
rm -f ${SSLAUTH_TMP}
|
|
echo ${SSLAUTH_TMP}
|
|
|
|
grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
|
|
echo $?
|
|
while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
|
|
do
|
|
sparam=$SERV_ARG
|
|
start_selfserv
|
|
exec < ${SSLAUTH_TMP}
|
|
while read ectype value sparam cparam testname
|
|
do
|
|
[ "$ectype" = "" ] && continue
|
|
if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
|
|
echo "$SCRIPTNAME: skipping $testname (ECC only)"
|
|
elif [ "$ectype" = "SNI" ]; then
|
|
continue
|
|
else
|
|
servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
|
|
pwd=`echo $cparam | grep nss`
|
|
user=`echo $cparam | grep TestUser`
|
|
_cparam=$cparam
|
|
case $servarg in
|
|
1) if [ -z "$pwd" -o -z "$user" ]; then
|
|
rev_modvalue=0
|
|
else
|
|
rev_modvalue=254
|
|
fi
|
|
;;
|
|
2) rev_modvalue=254 ;;
|
|
|
|
3) if [ -z "$pwd" -o -z "$user" ]; then
|
|
rev_modvalue=0
|
|
else
|
|
rev_modvalue=1
|
|
fi
|
|
;;
|
|
4) rev_modvalue=1 ;;
|
|
esac
|
|
TEMP_NUM=0
|
|
LOADED_GRP=1
|
|
while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
|
|
do
|
|
while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
|
|
do
|
|
CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
|
|
TEMP_NUM=`expr $TEMP_NUM + 1`
|
|
USER_NICKNAME="TestUser${CURR_SER_NUM}"
|
|
cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
|
|
|
|
echo "Server Args: $SERV_ARG"
|
|
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} -v \\"
|
|
echo " ${cparam} < ${REQUEST_FILE}"
|
|
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
|
${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
|
|
-d ${R_CLIENTDIR} -v < ${REQUEST_FILE} \
|
|
>${TMP}/$HOST.tmp.$$ 2>&1
|
|
ret=$?
|
|
cat ${TMP}/$HOST.tmp.$$
|
|
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
|
is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
|
|
isRevoked=$?
|
|
if [ $isRevoked -eq 0 ]; then
|
|
modvalue=$rev_modvalue
|
|
testAddMsg="revoked"
|
|
else
|
|
modvalue=$value
|
|
testAddMsg="not revoked"
|
|
fi
|
|
|
|
is_selfserv_alive
|
|
ss_status=$?
|
|
if [ "$ss_status" -ne 0 ]; then
|
|
html_msg $ret $modvalue \
|
|
"${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
|
|
"produced a returncode of $ret, expected is $modvalue. " \
|
|
"selfserv is not alive!"
|
|
else
|
|
html_msg $ret $modvalue \
|
|
"${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
|
|
"produced a returncode of $ret, expected is $modvalue"
|
|
fi
|
|
done
|
|
LOADED_GRP=`expr $LOADED_GRP + 1`
|
|
TEMP_NUM=0
|
|
if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
|
|
load_group_crl $LOADED_GRP $ectype
|
|
html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
|
|
"produced a returncode of $ret, expected is 0"
|
|
fi
|
|
done
|
|
# Restart selfserv to roll back to two initial group 1 crls
|
|
# TestCA CRL and TestCA-ec CRL
|
|
kill_selfserv
|
|
start_selfserv
|
|
fi
|
|
done
|
|
kill_selfserv
|
|
SERV_ARG="${SERV_ARG}_-r"
|
|
rm -f ${SSLAUTH_TMP}
|
|
grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
|
|
done
|
|
TEMPFILES=${SSLAUTH_TMP}
|
|
html "</TABLE><BR>"
|
|
}
|
|
|
|
|
|
############################## ssl_cleanup #############################
|
|
# local shell function to finish this script (no exit since it might be
|
|
# sourced)
|
|
########################################################################
|
|
ssl_cleanup()
|
|
{
|
|
rm $SERVERPID 2>/dev/null
|
|
cd ${QADIR}
|
|
. common/cleanup.sh
|
|
}
|
|
|
|
############################## ssl_run #################################
|
|
# local shell function to run coverage, authentication and stress tests
|
|
########################################################################
|
|
ssl_run()
|
|
{
|
|
for SSL_RUN in ${NSS_SSL_RUN}
|
|
do
|
|
case "${SSL_RUN}" in
|
|
"stapling")
|
|
ssl_stapling
|
|
;;
|
|
"cov")
|
|
ssl_cov
|
|
;;
|
|
"auth")
|
|
ssl_auth
|
|
;;
|
|
"stress")
|
|
ssl_stress
|
|
;;
|
|
esac
|
|
done
|
|
}
|
|
|
|
############################ ssl_run_all ###############################
|
|
# local shell function to run both standard and extended ssl tests
|
|
########################################################################
|
|
ssl_run_all()
|
|
{
|
|
ORIG_SERVERDIR=$SERVERDIR
|
|
ORIG_CLIENTDIR=$CLIENTDIR
|
|
ORIG_R_SERVERDIR=$R_SERVERDIR
|
|
ORIG_R_CLIENTDIR=$R_CLIENTDIR
|
|
ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
|
|
ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
|
|
|
|
USER_NICKNAME=TestUser
|
|
NORM_EXT=""
|
|
cd ${CLIENTDIR}
|
|
|
|
ssl_run
|
|
|
|
SERVERDIR=$EXT_SERVERDIR
|
|
CLIENTDIR=$EXT_CLIENTDIR
|
|
R_SERVERDIR=$R_EXT_SERVERDIR
|
|
R_CLIENTDIR=$R_EXT_CLIENTDIR
|
|
P_R_SERVERDIR=$P_R_EXT_SERVERDIR
|
|
P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
|
|
|
|
USER_NICKNAME=ExtendedSSLUser
|
|
NORM_EXT="Extended Test"
|
|
cd ${CLIENTDIR}
|
|
|
|
ssl_run
|
|
|
|
# the next round of ssl tests will only run if these vars are reset
|
|
SERVERDIR=$ORIG_SERVERDIR
|
|
CLIENTDIR=$ORIG_CLIENTDIR
|
|
R_SERVERDIR=$ORIG_R_SERVERDIR
|
|
R_CLIENTDIR=$ORIG_R_CLIENTDIR
|
|
P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
|
|
P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
|
|
|
|
USER_NICKNAME=TestUser
|
|
NORM_EXT=
|
|
cd ${QADIR}/ssl
|
|
}
|
|
|
|
############################ ssl_set_fips ##############################
|
|
# local shell function to set FIPS mode on/off
|
|
########################################################################
|
|
ssl_set_fips()
|
|
{
|
|
CLTSRV=$1
|
|
ONOFF=$2
|
|
|
|
if [ ${CLTSRV} = "server" ]; then
|
|
DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
|
|
else
|
|
DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"
|
|
fi
|
|
|
|
if [ "${ONOFF}" = "on" ]; then
|
|
FIPSMODE=true
|
|
RET_EXP=0
|
|
else
|
|
FIPSMODE=false
|
|
RET_EXP=1
|
|
fi
|
|
|
|
html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
|
|
|
|
for DBDIR in ${DBDIRS}
|
|
do
|
|
EXT_OPT=
|
|
echo ${DBDIR} | grep ext > /dev/null
|
|
if [ $? -eq 0 ]; then
|
|
EXT_OPT="extended "
|
|
fi
|
|
|
|
echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
|
|
|
|
echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
|
|
${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
|
|
RET=$?
|
|
html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
|
|
"produced a returncode of ${RET}, expected is 0"
|
|
|
|
echo "modutil -dbdir ${DBDIR} -list"
|
|
DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
|
|
RET=$?
|
|
html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
|
|
"produced a returncode of ${RET}, expected is 0"
|
|
|
|
echo "${DBLIST}" | grep "FIPS PKCS #11"
|
|
RET=$?
|
|
html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
|
|
"produced a returncode of ${RET}, expected is ${RET_EXP}"
|
|
done
|
|
|
|
html "</TABLE><BR>"
|
|
}
|
|
|
|
############################ ssl_set_fips ##############################
|
|
# local shell function to run all tests set in NSS_SSL_TESTS variable
|
|
########################################################################
|
|
ssl_run_tests()
|
|
{
|
|
for SSL_TEST in ${NSS_SSL_TESTS}
|
|
do
|
|
case "${SSL_TEST}" in
|
|
"crl")
|
|
ssl_crl_ssl
|
|
ssl_crl_cache
|
|
;;
|
|
"iopr")
|
|
ssl_iopr_run
|
|
;;
|
|
*)
|
|
SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
|
|
CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
|
|
|
|
case "${SERVER_MODE}" in
|
|
"normal")
|
|
SERVER_OPTIONS=
|
|
;;
|
|
"bypass")
|
|
SERVER_OPTIONS="-B -s"
|
|
;;
|
|
"fips")
|
|
SERVER_OPTIONS=
|
|
ssl_set_fips server on
|
|
;;
|
|
*)
|
|
echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
|
|
continue
|
|
;;
|
|
esac
|
|
|
|
case "${CLIENT_MODE}" in
|
|
"normal")
|
|
CLIENT_OPTIONS=
|
|
;;
|
|
"bypass")
|
|
CLIENT_OPTIONS="-B -s"
|
|
;;
|
|
"fips")
|
|
SERVER_OPTIONS=
|
|
ssl_set_fips client on
|
|
;;
|
|
*)
|
|
echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
|
|
continue
|
|
;;
|
|
esac
|
|
|
|
ssl_run_all
|
|
|
|
if [ "${SERVER_MODE}" = "fips" ]; then
|
|
ssl_set_fips server off
|
|
fi
|
|
|
|
if [ "${CLIENT_MODE}" = "fips" ]; then
|
|
ssl_set_fips client off
|
|
fi
|
|
;;
|
|
esac
|
|
done
|
|
}
|
|
|
|
################################# main #################################
|
|
|
|
ssl_init
|
|
ssl_run_tests
|
|
ssl_cleanup
|
|
|