#! /bin/sh # # ***** BEGIN LICENSE BLOCK ***** # Version: MPL 1.1/GPL 2.0/LGPL 2.1 # # The contents of this file are subject to the Mozilla Public License Version # 1.1 (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # http://www.mozilla.org/MPL/ # # Software distributed under the License is distributed on an "AS IS" basis, # WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License # for the specific language governing rights and limitations under the # License. # # The Original Code is the Netscape security libraries. # # The Initial Developer of the Original Code is # Netscape Communications Corporation. # Portions created by the Initial Developer are Copyright (C) 1994-2000 # the Initial Developer. All Rights Reserved. # # Contributor(s): # # Alternatively, the contents of this file may be used under the terms of # either the GNU General Public License Version 2 or later (the "GPL"), or # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), # in which case the provisions of the GPL or the LGPL are applicable instead # of those above. If you wish to allow use of your version of this file only # under the terms of either the GPL or the LGPL, and not to allow others to # use your version of this file under the terms of the MPL, indicate your # decision by deleting the provisions above and replace them with the notice # and other provisions required by the GPL or the LGPL. If you do not delete # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** ######################################################################## # # mozilla/security/nss/tests/ssl/ssl.sh # # Script to test NSS SSL # # needs to work on all Unix and Windows platforms # # special strings # --------------- # FIXME ... known problems, search for this string # NOTE .... unexpected behavior # ######################################################################## ############################## ssl_init ################################ # local shell function to initialize this script ######################################################################## ssl_init() { SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for CLEANUP="${SCRIPTNAME}" # cleaning this script will do it fi if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then cd ../common . ./init.sh fi if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here cd ../cert . ./cert.sh fi SCRIPTNAME=ssl.sh echo "$SCRIPTNAME: SSL tests ===============================" grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null && grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || { html_head "SSL Test failure" Exit 8 "Fatal - SSL of cert.sh needs to pass first" } PORT=${PORT-8443} # Test case files SSLCOV=${QADIR}/ssl/sslcov.txt SSLAUTH=${QADIR}/ssl/sslauth.txt SSLSTRESS=${QADIR}/ssl/sslstress.txt REQUEST_FILE=${QADIR}/ssl/sslreq.dat #temparary files SERVEROUTFILE=${TMP}/tests_server.$$ SERVERPID=${TMP}/tests_pid.$$ R_SERVERPID=../tests_pid.$$ TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}" fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't #fileout=1 #verbose="-v" #FIXME - see where this is usefull USER_NICKNAME=TestUser NORM_EXT="" cd ${CLIENTDIR} } ########################### is_selfserv_alive ########################## # local shell function to exit with a fatal error if selfserver is not # running ######################################################################## is_selfserv_alive() { if [ ! -f "${SERVERPID}" ]; then echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist" sleep 5 if [ ! -f "${SERVERPID}" ]; then Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist" fi fi if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then PID=${SHELL_SERVERPID} else PID=`cat ${SERVERPID}` fi #if [ "${OS_ARCH}" = "Linux" ]; then kill -0 $PID >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" #else #$PS -e | grep $PID >/dev/null || \ #Exit 10 "Fatal - selfserv process not detectable" #fi } ########################### wait_for_selfserv ########################## # local shell function to wait until selfserver is running and initialized ######################################################################## wait_for_selfserv() { echo "tstclnt -p ${PORT} -h ${HOSTADDR} -q \\" echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" #echo "tstclnt -q started at `date`" tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} if [ $? -ne 0 ]; then html_failed " Wait for Server " echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} -q \\" echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} elif [ sparam = "-c ABCDEFabcdefghijklmnvy" ] ; then # "$1" = "cov" ] ; then html_passed " Wait for Server" fi is_selfserv_alive } ########################### kill_selfserv ############################## # local shell function to kill the selfserver after the tests are done ######################################################################## kill_selfserv() { if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then PID=${SHELL_SERVERPID} else PID=`cat ${SERVERPID}` fi ${KILL} ${PID} wait ${PID} if [ ${fileout} -eq 1 ]; then cat ${SERVEROUTFILE} fi # On Linux selfserv needs up to 30 seconds to fully die and free # the port. Wait until the port is free. (Bug 129701) if [ "${OS_ARCH}" = "Linux" ]; then until selfserv -b -p ${PORT} 2>/dev/null; do sleep 1 done fi rm ${SERVERPID} } ########################### start_selfserv ############################# # local shell function to start the selfserver with the parameters required # for this test and log information (parameters, start time) # also: wait until the server is up and running ######################################################################## start_selfserv() { if [ -n "$testname" ] ; then echo "$SCRIPTNAME: $testname ----" fi sparam=`echo $sparam | sed -e 's;_; ;g'` echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \\" echo " -w nss ${sparam} -i ${R_SERVERPID} $verbose &" echo "selfserv started at `date`" if [ ${fileout} -eq 1 ]; then selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \ -w nss ${sparam} -i ${R_SERVERPID} $verbose \ > ${SERVEROUTFILE} 2>&1 & else selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \ -w nss ${sparam} -i ${R_SERVERPID} $verbose & fi # The PID $! returned by the MKS or Cygwin shell is not the PID of # the real background process, but rather the PID of a helper # process (sh.exe). MKS's kill command has a bug: invoking kill # on the helper process does not terminate the real background # process. Our workaround has been to have selfserv save its PID # in the ${SERVERPID} file and "kill" that PID instead. But this # doesn't work under Cygwin; its kill command doesn't recognize # the PID of the real background process, but it does work on the # PID of the helper process. So we save the value of $! in the # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID} # file under Cygwin. (In fact, this should work in any shell # other than the MKS shell.) SHELL_SERVERPID=$! wait_for_selfserv } ############################## ssl_cov ################################# # local shell function to perform SSL Cipher Coverage tests ######################################################################## ssl_cov() { html_head "SSL Cipher Coverage $NORM_EXT" testname="" sparam="-c ABCDEFabcdefghijklmnvyz" start_selfserv # Launch the server p="" while read tls param testname do p=`echo "$testname" | sed -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" elif [ "$tls" != "#" ] ; then echo "$SCRIPTNAME: running $testname ----------------------------" TLS_FLAG=-T if [ $tls = "TLS" ]; then TLS_FLAG="" fi is_selfserv_alive echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} \\" echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} -f \ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? cat ${TMP}/$HOST.tmp.$$ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null html_msg $ret 0 "${testname}" fi done < ${SSLCOV} kill_selfserv html "
" } ############################## ssl_auth ################################ # local shell function to perform SSL Client Authentication tests ######################################################################## ssl_auth() { html_head "SSL Client Authentication $NORM_EXT" while read value sparam cparam testname do if [ $value != "#" ]; then cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` start_selfserv echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} \\" echo " ${cparam} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? cat ${TMP}/$HOST.tmp.$$ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null html_msg $ret $value "${testname}" \ "produced a returncode of $ret, expected is $value" kill_selfserv fi done < ${SSLAUTH} html "
" } ############################## ssl_stress ############################## # local shell function to perform SSL stress test ######################################################################## ssl_stress() { html_head "SSL Stress Test $NORM_EXT" while read value sparam cparam testname do p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" elif [ $value != "#" ]; then cparam=`echo $cparam | sed -e 's;_; ;g'` start_selfserv if [ `uname -n` = "sjsu" ] ; then echo "debugging disapering selfserv... ps -ef | grep selfserv" ps -ef | grep selfserv fi echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \\" echo " $verbose ${HOSTADDR}" echo "strsclnt started at `date`" strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \ $verbose ${HOSTADDR} ret=$? echo "strsclnt completed at `date`" html_msg $ret $value "${testname}" if [ `uname -n` = "sjsu" ] ; then echo "debugging disapering selfserv... ps -ef | grep selfserv" ps -ef | grep selfserv fi kill_selfserv fi done < ${SSLSTRESS} html "
" } ############################## ssl_crl ################################# # local shell function to perform SSL test with/out revoked certs tests ######################################################################## ssl_crl_ssl() { html_head "CRL SSL Client Tests $NORM_EXT" # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it. # Cert number $UNREVOKED_CERT_GRP_1 was not revoked CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN CRL_GROUP_RANGE=$CRL_GRP_1_RANGE UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1 while read value sparam cparam testname do if [ $value != "#" ]; then servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` pwd=`echo $cparam | grep nss` user=`echo $cparam | grep TestUser` _cparam=$cparam case $servarg in 1) if [ -z "$pwd" -o -z "$user" ]; then rev_modvalue=0 else rev_modvalue=254 fi ;; 2) rev_modvalue=254 ;; 3) if [ -z "$pwd" -o -z "$user" ]; then rev_modvalue=0 else rev_modvalue=1 fi ;; 4) rev_modvalue=1 ;; esac TEMP_NUM=0 while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ] do CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}` TEMP_NUM=`expr $TEMP_NUM + 1` USER_NICKNAME="TestUser${CURR_SER_NUM}" cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` start_selfserv echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" echo " ${cparam} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ -d ${R_CLIENTDIR} < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? cat ${TMP}/$HOST.tmp.$$ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then modvalue=$rev_modvalue testAddMsg="revoked" else testAddMsg="not revoked" modvalue=$value fi html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \ "produced a returncode of $ret, expected is $modvalue" kill_selfserv done fi done < ${SSLAUTH} html "
" } ############################## ssl_crl ################################# # local shell function to perform SSL test for crl cache functionality # with/out revoked certs ######################################################################## is_revoked() { certNum=$1 currLoadedGrp=$2 found=0 ownerGrp=1 while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ] do currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}` currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}` currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1` if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then found=1 else ownerGrp=`expr $ownerGrp + 1` fi done if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then return 1 fi if [ $found -eq 0 ]; then return 1 fi unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}` if [ $certNum -eq $unrevokedGrpCert ]; then return 1 fi return 0 } load_group_crl() { group=$1 OUTFILE_TMP=${TMP}/$HOST.tmp.$$ grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}` grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}` grpEnd=`expr $grpBegin + $grpRange - 1` if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then ret=1 return 1; fi if [ "$RELOAD_CRL" != "" ]; then if [ $group -eq 1 ]; then echo "==================== Resetting to group 1 crl ===================" kill_selfserv start_selfserv is_selfserv_alive fi echo "================= Reloading CRL for group $grpBegin - $grpEnd =============" echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" echo " -w nss -n TestUser${UNREVOKED_CERT_GRP_1}" echo "Request:" echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}" echo "" echo "RELOAD time $i" tstclnt -p ${PORT} -h ${HOSTADDR} -f \ -d ${R_CLIENTDIR} -w nss -n TestUser${UNREVOKED_CERT_GRP_1} \ <<_EOF_REQUEST_ >${OUTFILE_TMP} 2>&1 GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd} _EOF_REQUEST_ cat ${OUTFILE_TMP} grep "CRL ReCache Error" ${OUTFILE_TMP} if [ $? -eq 0 ]; then ret=1 return 1 fi else echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv =====" kill_selfserv CU_ACTION="Importing CRL for groups $grpBegin - $grpEnd" crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd} \ -p ../tests.pw.928 ret=$? if [ "$ret" -eq 0 ]; then return 1 fi start_selfserv fi is_selfserv_alive ret=$? echo "================= CRL Reloaded =============" } ssl_crl_cache() { html_head "Cache CRL SSL Client Tests $NORM_EXT" SSLAUTH_TMP=${TMP}/authin.tl.tmp SERV_ARG=-r_-r rm -f ${SSLAUTH_TMP} echo ${SSLAUTH_TMP} grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP} echo $? while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ] do sparam=$SERV_ARG start_selfserv while read value sparam cparam testname do servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` pwd=`echo $cparam | grep nss` user=`echo $cparam | grep TestUser` _cparam=$cparam case $servarg in 1) if [ -z "$pwd" -o -z "$user" ]; then rev_modvalue=0 else rev_modvalue=254 fi ;; 2) rev_modvalue=254 ;; 3) if [ -z "$pwd" -o -z "$user" ]; then rev_modvalue=0 else rev_modvalue=1 fi ;; 4) rev_modvalue=1 ;; esac TEMP_NUM=0 LOADED_GRP=1 while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] do while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ] do CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}` TEMP_NUM=`expr $TEMP_NUM + 1` USER_NICKNAME="TestUser${CURR_SER_NUM}" cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` echo "Server Args: $SERV_ARG" echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" echo " ${cparam} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ -d ${R_CLIENTDIR} < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? cat ${TMP}/$HOST.tmp.$$ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null is_revoked ${CURR_SER_NUM} ${LOADED_GRP} isRevoked=$? if [ $isRevoked -eq 0 ]; then modvalue=$rev_modvalue testAddMsg="revoked" else modvalue=$value testAddMsg="not revoked" fi is_selfserv_alive ss_status=$? if [ "$ss_status" -ne 0 ]; then html_msg $ret $modvalue \ "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ "produced a returncode of $ret, expected is $modvalue. " \ "selfserv is not alive!" else html_msg $ret $modvalue \ "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ "produced a returncode of $ret, expected is $modvalue" fi done LOADED_GRP=`expr $LOADED_GRP + 1` TEMP_NUM=0 if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then load_group_crl $LOADED_GRP html_msg $ret 0 "Load group $LOADED_GRP crl " \ "produced a returncode of $ret, expected is 0" fi done load_group_crl 1 done < ${SSLAUTH_TMP} kill_selfserv SERV_ARG="${SERV_ARG}_-r" rm -f ${SSLAUTH_TMP} grep -- " $SERV_ARG " ${SSLAUTH} | grep -v none | grep -v bogus > ${SSLAUTH_TMP} done TEMPFILES=${SSLAUTH_TMP} html "
" } ############################## ssl_cleanup ############################# # local shell function to finish this script (no exit since it might be # sourced) ######################################################################## ssl_cleanup() { rm $SERVERPID 2>/dev/null cd ${QADIR} . common/cleanup.sh } ################## main ################################################# #this script may be sourced from the distributed stress test - in this case do nothing... if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then ssl_init ssl_cov ssl_auth ssl_crl_ssl ssl_crl_cache ssl_stress SERVERDIR=$EXT_SERVERDIR CLIENTDIR=$EXT_CLIENTDIR R_SERVERDIR=$R_EXT_SERVERDIR R_CLIENTDIR=$R_EXT_CLIENTDIR P_R_SERVERDIR=$P_R_EXT_SERVERDIR P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR USER_NICKNAME=ExtendedSSLUser NORM_EXT="Extended test" cd ${CLIENTDIR} ssl_cov ssl_auth ssl_stress ssl_cleanup fi