alexei.volkov.bugs%sun.com 49473f3c50 Adding cert id and revocation indication to CRL SSL Client Tests results.
git-svn-id: svn://10.0.0.236/trunk@172051 18797224-902f-48f8-a5cc-f745e15eee43
2005-04-13 00:23:09 +00:00


#! /bin/sh
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
########################################################################
#
# mozilla/security/nss/tests/ssl/ssl.sh
#
# Script to test NSS SSL
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
#
########################################################################
############################## ssl_init ################################
# local shell function to initialize this script
########################################################################
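ssl_init()
{
    SCRIPTNAME=ssl.sh      # sourced - $0 would point to all.sh
    # Whoever sets CLEANUP first owns the final cleanup (see ssl_cleanup).
    if [ -z "${CLEANUP}" ] ; then
        CLEANUP="${SCRIPTNAME}"
    fi
    if [ "${INIT_SOURCED}" != "TRUE" ]; then
        cd ../common
        . ./init.sh
    fi
    # Quoted on purpose: with CERT_LOG_FILE unset the old unquoted test
    # "[ ! -r ]" was false, so cert.sh was skipped and the greps below
    # ran with no file argument (i.e. on stdin).  Empty now means "run it".
    if [ ! -r "$CERT_LOG_FILE" ]; then          # we need certificates here
        cd ../cert
        . ./cert.sh
    fi
    SCRIPTNAME=ssl.sh      # re-set in case a sourced script changed it
    echo "$SCRIPTNAME: SSL tests ==============================="
    # Both the SSL certs and the CRL prep must have succeeded in cert.sh;
    # without them every test here would fail for the wrong reason.
    grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null &&
    grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
        html_head "SSL Test failure"
        Exit 8 "Fatal - SSL of cert.sh needs to pass first"
    }
    PORT=${PORT-8443}
    # Test case tables
    SSLCOV=${QADIR}/ssl/sslcov.txt
    SSLAUTH=${QADIR}/ssl/sslauth.txt
    SSLSTRESS=${QADIR}/ssl/sslstress.txt
    REQUEST_FILE=${QADIR}/ssl/sslreq.dat
    # Per-process scratch files ($$ keeps concurrent runs apart).
    SERVEROUTFILE=${TMP}/tests_server.$$
    SERVERPID=${TMP}/tests_pid.$$
    R_SERVERPID=../tests_pid.$$
    # Register them with the list the common cleanup removes.  This used
    # to read "$TMPFILES", a name nothing in this script sets, so anything
    # init.sh had presumably queued under TEMPFILES was dropped here.
    TEMPFILES="${TEMPFILES} ${SERVEROUTFILE} ${SERVERPID}"
    fileout=0    #FIXME, looks like all.sh tried to turn this on but actually didn't
    #fileout=1
    #verbose="-v" #FIXME - see where this is usefull
    USER_NICKNAME=TestUser
    NORM_EXT=""
    cd ${CLIENTDIR}
}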
########################### is_selfserv_alive ##########################
# local shell function to exit with a fatal error if selfserver is not
# running
########################################################################
is_selfserv_alive()
{
    # selfserv writes the PID file itself (-i, see start_selfserv), so it
    # can lag the fork a little; allow one 5-second grace period, then
    # treat a still-missing file as fatal.
    if [ ! -f "${SERVERPID}" ]; then
        echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
        sleep 5
        [ -f "${SERVERPID}" ] || \
            Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
    fi
    # Under Cygwin the PID in the file is not one the shell's kill can see,
    # so the shell's own $! (SHELL_SERVERPID) is used instead.
    case "${OS_ARCH}/${OS_NAME}" in
        WINNT/CYGWIN_NT) PID=${SHELL_SERVERPID} ;;
        *)               PID=`cat ${SERVERPID}` ;;
    esac
    # kill -0 sends no signal; it only reports whether a process with that
    # PID exists and may be signalled.  (The ps|grep fallback that used to
    # live here was dropped.)
    kill -0 $PID >/dev/null 2>&1 || \
        Exit 10 "Fatal - selfserv process not detectable"
}
########################### wait_for_selfserv ##########################
# local shell function to wait until selfserver is running and initialized
########################################################################
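wait_for_selfserv()
{
    echo "tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
    echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
    # A -q probe: connect, complete the handshake, quit.  It shows only
    # that selfserv accepts connections, not that any test will pass.
    tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
    if [ $? -ne 0 ]; then
        html_failed "<TR><TD> Wait for Server "
        echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
        echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
        tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
        if [ $? -ne 0 ]; then
            # The failure is already in the report; note it in the log too,
            # because is_selfserv_alive below only proves the process
            # exists, not that it answers.
            echo "$SCRIPTNAME: Error - retry of tstclnt -q failed as well"
        fi
    elif [ "$sparam" = "-c ABCDEFabcdefghijklmnvyz" ] ; then
        # Record the wait as a passed step once per pass, for the cipher
        # coverage server.  This string must track ssl_cov's sparam (the
        # old test compared the literal word "sparam" and lacked the
        # trailing z, so it never matched).
        html_passed "<TR><TD> Wait for Server"
    fi
    is_selfserv_alive
}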
########################### kill_selfserv ##############################
# local shell function to kill the selfserver after the tests are done
########################################################################
kill_selfserv()
{
    # Same PID selection as is_selfserv_alive (see start_selfserv for why
    # Cygwin needs the shell's $! rather than the PID file).
    case "${OS_ARCH}/${OS_NAME}" in
        WINNT/CYGWIN_NT) PID=${SHELL_SERVERPID} ;;
        *)               PID=`cat ${SERVERPID}` ;;
    esac
    ${KILL} ${PID}
    wait ${PID}
    # Captured server output is only shown when it was captured.
    if [ ${fileout} -eq 1 ]; then
        cat ${SERVEROUTFILE}
    fi
    # Bug 129701: on Linux the port can stay busy for up to ~30 s after
    # selfserv exits.  Presumably "selfserv -b" only tries to bind the port,
    # so keep retrying it until the bind succeeds.
    if [ "${OS_ARCH}" = "Linux" ]; then
        while :
        do
            selfserv -b -p ${PORT} 2>/dev/null && break
            sleep 1
        done
    fi
    rm ${SERVERPID}
}
########################### start_selfserv #############################
# local shell function to start the selfserver with the parameters required
# for this test and log information (parameters, start time)
# also: wait until the server is up and running
########################################################################
start_selfserv()
{
    [ -n "$testname" ] && echo "$SCRIPTNAME: $testname ----"
    # The test tables spell spaces in the server args as '_'.
    sparam=`echo $sparam | sed -e 's;_; ;g'`
    echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \\"
    echo " -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
    echo "selfserv started at `date`"
    # -w nss puts the test DB password on the command line (visible in
    # ps); acceptable for these throw-away test DBs only.  -i makes
    # selfserv write its own PID to ${R_SERVERPID} (see below).
    case ${fileout} in
        1)
            selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \
                -w nss ${sparam} -i ${R_SERVERPID} $verbose \
                > ${SERVEROUTFILE} 2>&1 &
            ;;
        *)
            selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \
                -w nss ${sparam} -i ${R_SERVERPID} $verbose &
            ;;
    esac
    # Why two PIDs: under the MKS and Cygwin shells $! is the PID of a
    # helper sh.exe, not of selfserv.  MKS's kill cannot reach selfserv
    # through the helper, hence the PID file selfserv writes itself.
    # Cygwin's kill, conversely, only understands the helper's PID, so
    # the shell's $! is kept in SHELL_SERVERPID and used there instead
    # (this would in fact work in any shell other than MKS).
    SHELL_SERVERPID=$!
    wait_for_selfserv
}
############################## ssl_cov #################################
# local shell function to perform SSL Cipher Coverage tests
########################################################################
ssl_cov()
{
    html_head "SSL Cipher Coverage $NORM_EXT"
    testname=""
    # One server with the full cipher letter list; each sslcov.txt row then
    # has tstclnt ask for a single suite (-c), so that suite is what is
    # exercised.
    sparam="-c ABCDEFabcdefghijklmnvyz"
    start_selfserv
    p=""
    while read tls param testname
    do
        # First word of the test name is the protocol (SSL2/SSL3/TLS).
        p=`echo "$testname" | sed -e "s/ .*//"`
        if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then
            # SSL2 rows run in the normal pass only (sonmi).
            echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
            continue
        fi
        [ "$tls" != "#" ] || continue
        echo "$SCRIPTNAME: running $testname ----------------------------"
        # Non-TLS rows get -T (presumably tstclnt's "no TLS" switch).
        case "$tls" in
            TLS) TLS_FLAG="" ;;
            *)   TLS_FLAG=-T ;;
        esac
        is_selfserv_alive
        echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} \\"
        echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
        outfile=${TMP}/$HOST.tmp.$$
        rm ${outfile} 2>/dev/null
        tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} -f \
            -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
            >${outfile} 2>&1
        ret=$?
        cat ${outfile}
        rm ${outfile} 2>/dev/null
        html_msg $ret 0 "${testname}"
    done < ${SSLCOV}
    kill_selfserv
    html "</TABLE><BR>"
}
############################## ssl_auth ################################
# local shell function to perform SSL Client Authentication tests
########################################################################
ssl_auth()
{
    html_head "SSL Client Authentication $NORM_EXT"
    while read value sparam cparam testname
    do
        # value is the expected tstclnt status; blank and "#" rows are skipped.
        case "$value" in
            ""|"#") continue ;;
        esac
        # Rows spell spaces as '_' and the client cert as TestUser, which
        # becomes the nickname of the current pass (TestUser / ExtendedSSLUser).
        cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
        start_selfserv
        echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} \\"
        echo " ${cparam} < ${REQUEST_FILE}"
        outfile=${TMP}/$HOST.tmp.$$
        rm ${outfile} 2>/dev/null
        tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
            -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
            >${outfile} 2>&1
        ret=$?
        cat ${outfile}
        rm ${outfile} 2>/dev/null
        html_msg $ret $value "${testname}" \
            "produced a returncode of $ret, expected is $value"
        kill_selfserv
    done < ${SSLAUTH}
    html "</TABLE><BR>"
}
############################## ssl_stress ##############################
# local shell function to perform SSL stress test
########################################################################
# Leftover diagnostic for one host ("sjsu") where selfserv used to vanish
# mid-run: list the selfserv processes before and after strsclnt.
ssl_stress_ps_debug()
{
    if [ `uname -n` = "sjsu" ] ; then
        echo "debugging disapering selfserv... ps -ef | grep selfserv"
        ps -ef | grep selfserv
    fi
}
ssl_stress()
{
    html_head "SSL Stress Test $NORM_EXT"
    while read value sparam cparam testname
    do
        # Protocol is the word after "Stress " in the test name; SSL2 rows
        # run in the normal pass only (sonmi).
        p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"`
        if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then
            echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
            continue
        fi
        case "$value" in
            ""|"#") continue ;;
        esac
        cparam=`echo $cparam | sed -e 's;_; ;g'`
        start_selfserv
        ssl_stress_ps_debug
        echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \\"
        echo " $verbose ${HOSTADDR}"
        echo "strsclnt started at `date`"
        strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \
            $verbose ${HOSTADDR}
        ret=$?
        echo "strsclnt completed at `date`"
        html_msg $ret $value "${testname}"
        ssl_stress_ps_debug
        kill_selfserv
    done < ${SSLSTRESS}
    html "</TABLE><BR>"
}
############################ ssl_crl_ssl ###############################
# local shell function to run the client-auth rows of sslauth.txt once
# per cert of CRL group 1, expecting failure for every revoked cert
########################################################################
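ssl_crl_ssl()
{
    html_head "CRL SSL Client Tests $NORM_EXT"
    # Only CRL group 1 is used: certs CRL_GRP_1_BEGIN .. BEGIN+RANGE-1 are
    # on that CRL except for cert UNREVOKED_CERT_GRP_1 (values presumably
    # set by cert.sh).
    CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
    CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
    UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
    # The cert loop rewrites the global USER_NICKNAME; hand the caller's
    # value back afterwards so a later ssl_auth does not run as the last
    # TestUser<n> of this loop.
    saved_nickname=$USER_NICKNAME
    while read value sparam cparam testname
    do
        case "$value" in
            ""|"#") continue ;;     # blank or comment row
        esac
        # Number of -r flags selfserv gets (the table spells "-r -r" as -r_-r).
        servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
        pwd=`echo $cparam | grep nss`
        user=`echo $cparam | grep TestUser`
        _cparam=$cparam
        # Expected tstclnt status when the client cert *is* revoked.  With
        # 1 or 3 -r a revoked cert only matters if the client can actually
        # present one (DB password and nickname both given); with 2 or 4
        # -r it is always an error.  NOTE(review): which handshake each -r
        # count refers to is selfserv's business - check its usage text.
        case $servarg in
            1) if [ -z "$pwd" -o -z "$user" ]; then
                   rev_modvalue=0
               else
                   rev_modvalue=254
               fi
               ;;
            2) rev_modvalue=254 ;;
            3) if [ -z "$pwd" -o -z "$user" ]; then
                   rev_modvalue=0
               else
                   rev_modvalue=1
               fi
               ;;
            4) rev_modvalue=1 ;;
            # No -r: the server never asks for the cert, so revocation
            # cannot change the row's normal expectation.  (Previously a
            # stale rev_modvalue from an earlier row leaked through here.)
            *) rev_modvalue=$value ;;
        esac
        TEMP_NUM=0
        while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
        do
            CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
            TEMP_NUM=`expr $TEMP_NUM + 1`
            USER_NICKNAME="TestUser${CURR_SER_NUM}"
            cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
            start_selfserv
            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
            echo " ${cparam} < ${REQUEST_FILE}"
            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
            tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
                -d ${R_CLIENTDIR} < ${REQUEST_FILE} \
                >${TMP}/$HOST.tmp.$$ 2>&1
            ret=$?
            cat ${TMP}/$HOST.tmp.$$
            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
            if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
                modvalue=$rev_modvalue
                testAddMsg="revoked"
            else
                modvalue=$value
                testAddMsg="not revoked"
            fi
            html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
                "produced a returncode of $ret, expected is $modvalue"
            kill_selfserv
        done
    done < ${SSLAUTH}
    USER_NICKNAME=$saved_nickname
    html "</TABLE><BR>"
}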
####################### ssl_crl_cache (and helpers) ####################
# local shell functions to test the CRL cache: is_revoked decides whether
# a given cert should currently count as revoked, load_group_crl makes the
# next CRL group visible to selfserv, ssl_crl_cache drives the test
########################################################################
# is_revoked CERT_NUM LOADED_GRP
#   Returns 0 when cert CERT_NUM must be treated as revoked given that CRL
#   groups 1..LOADED_GRP have been loaded, 1 otherwise.  "Otherwise" is:
#   the cert is in no group, its group's CRL is not loaded yet, or it is
#   its group's designated unrevoked cert (UNREVOKED_CERT_GRP_<n>).
#   Reads TOTAL_GRP_NUM and CRL_GRP_<n>_BEGIN/_RANGE.
is_revoked() {
    certNum=$1
    currLoadedGrp=$2
    # Find the group whose serial range contains certNum.
    found=0
    ownerGrp=1
    while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
    do
        # Indirect lookup of CRL_GRP_<n>_*; eval is the portable way in
        # /bin/sh, and <n> is our own counter, never outside input.
        eval "currGrpBegin=\${CRL_GRP_${ownerGrp}_BEGIN}"
        eval "currGrpRange=\${CRL_GRP_${ownerGrp}_RANGE}"
        currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
        if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
            found=1
        else
            ownerGrp=`expr $ownerGrp + 1`
        fi
    done
    [ $found -eq 1 ] || return 1
    # Its CRL is only in effect once its group has been loaded.
    [ $currLoadedGrp -ge $ownerGrp ] || return 1
    eval "unrevokedGrpCert=\${UNREVOKED_CERT_GRP_${ownerGrp}}"
    [ $certNum -ne $unrevokedGrpCert ] || return 1
    return 0
}
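# load_group_crl GROUP
#   Makes CRL group GROUP visible to selfserv, either by asking the running
#   server to reload it (RELOAD_CRL set) or by importing it into the server
#   DB and restarting selfserv.  Leaves the outcome in the global "ret"
#   (0 = ok), which ssl_crl_cache reports; returns non-zero on failure.
load_group_crl() {
    group=$1
    OUTFILE_TMP=${TMP}/$HOST.tmp.$$
    # group is our own loop counter, so the eval indirection is safe.
    grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
    grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
    if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
        ret=1
        return 1
    fi
    grpEnd=`expr $grpBegin + $grpRange - 1`
    if [ "$RELOAD_CRL" != "" ]; then
        if [ $group -eq 1 ]; then
            # A fresh server holds only the CRLs in its DB, i.e. group 1.
            echo "==================== Resetting to group 1 crl ==================="
            kill_selfserv
            start_selfserv
            is_selfserv_alive
        fi
        echo "================= Reloading CRL for group $grpBegin - $grpEnd ============="
        echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
        echo " -w nss -n TestUser${UNREVOKED_CERT_GRP_1}"
        echo "Request:"
        echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}"
        echo ""
        echo "RELOAD time $i"     # ($i is never set in this file.)
        # A "crl://<path>" GET is the test hook that makes selfserv load a
        # CRL file from its own filesystem; the client-side path is what
        # the server opens.  Test-only - never expose a server run this way.
        tstclnt -p ${PORT} -h ${HOSTADDR} -f \
            -d ${R_CLIENTDIR} -w nss -n TestUser${UNREVOKED_CERT_GRP_1} \
            <<_EOF_REQUEST_ >${OUTFILE_TMP} 2>&1
GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}
_EOF_REQUEST_
        cat ${OUTFILE_TMP}
        # A failed reload shows up as this string in the captured output.
        # NOTE(review): tstclnt's own exit status is not checked, so an
        # attempt that never reached selfserv is not caught here; consider
        # checking it once confirmed tstclnt exits 0 on a good crl:// GET.
        if grep "CRL ReCache Error" ${OUTFILE_TMP}; then
            ret=1
            return 1
        fi
    else
        echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
        kill_selfserv
        CU_ACTION="Importing CRL for groups $grpBegin - $grpEnd"
        # -I imports the CRL into the server DB; -p names what is presumably
        # the DB password file, keeping the password off the command line.
        crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd} \
            -p ../tests.pw.928
        crlu_status=$?
        # Restart selfserv whatever crlu did: ssl_crl_cache keeps talking
        # to it, and is_selfserv_alive is fatal once it is gone.
        start_selfserv
        if [ "$crlu_status" -ne 0 ]; then
            # (The old test was "-eq 0" and returned before the restart,
            # so a successful import was reported as a failure and left
            # no server behind, while a failed one fell through as ok.)
            ret=$crlu_status
            return 1
        fi
    fi
    is_selfserv_alive
    ret=$?
    echo "================= CRL Reloaded ============="
}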
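ssl_crl_cache()
{
    html_head "Cache CRL SSL Client Tests $NORM_EXT"
    # Scratch copy of the sslauth.txt rows for the current server args.
    # $$ keeps two runs sharing ${TMP} from clobbering each other's list
    # (the script's other scratch files were already per-process).
    SSLAUTH_TMP=${TMP}/authin.tl.$$
    SERV_ARG=-r_-r
    rm -f ${SSLAUTH_TMP}
    echo ${SSLAUTH_TMP}
    # Rows whose server args are exactly $SERV_ARG, minus comments and the
    # "none"/"bogus" client-cert rows, which cannot exercise revocation.
    grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
    have_rows=$?
    echo $have_rows
    # The cert loop rewrites the global USER_NICKNAME; give it back at the end.
    saved_nickname=$USER_NICKNAME
    # One pass per -r count, stopping at the first count with no rows.
    # (The old condition tested $? of the echo above, so the first pass
    # always ran, and the -f test was moot because ">" creates the file.)
    while [ $have_rows -eq 0 ]
    do
        sparam=$SERV_ARG
        start_selfserv
        while read value sparam cparam testname
        do
            # Number of -r flags selfserv got (the table spells "-r -r" as -r_-r).
            servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
            pwd=`echo $cparam | grep nss`
            user=`echo $cparam | grep TestUser`
            _cparam=$cparam
            # Expected tstclnt status when the client cert *is* revoked.
            # With 1 or 3 -r a revoked cert only matters if the client can
            # actually present one (DB password and nickname both given);
            # with 2 or 4 -r it is always an error.
            case $servarg in
                1) if [ -z "$pwd" -o -z "$user" ]; then
                       rev_modvalue=0
                   else
                       rev_modvalue=254
                   fi
                   ;;
                2) rev_modvalue=254 ;;
                3) if [ -z "$pwd" -o -z "$user" ]; then
                       rev_modvalue=0
                   else
                       rev_modvalue=1
                   fi
                   ;;
                4) rev_modvalue=1 ;;
                *) rev_modvalue=$value ;;   # cannot happen: SERV_ARG has >= 2 -r
            esac
            TEMP_NUM=0
            LOADED_GRP=1
            # Walk every cert of the whole CRL range once per loaded group:
            # a cert counts as revoked only once its own group's CRL is in.
            while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
            do
                while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
                do
                    CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
                    TEMP_NUM=`expr $TEMP_NUM + 1`
                    USER_NICKNAME="TestUser${CURR_SER_NUM}"
                    cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
                    echo "Server Args: $SERV_ARG"
                    echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
                    echo " ${cparam} < ${REQUEST_FILE}"
                    rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
                    tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
                        -d ${R_CLIENTDIR} < ${REQUEST_FILE} \
                        >${TMP}/$HOST.tmp.$$ 2>&1
                    ret=$?
                    cat ${TMP}/$HOST.tmp.$$
                    rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
                    if is_revoked ${CURR_SER_NUM} ${LOADED_GRP}; then
                        modvalue=$rev_modvalue
                        testAddMsg="revoked"
                    else
                        modvalue=$value
                        testAddMsg="not revoked"
                    fi
                    # is_selfserv_alive is fatal on failure, so the "not
                    # alive" report below is only reached if that changes.
                    is_selfserv_alive
                    ss_status=$?
                    if [ "$ss_status" -ne 0 ]; then
                        html_msg $ret $modvalue \
                            "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
                            "produced a returncode of $ret, expected is $modvalue. " \
                            "selfserv is not alive!"
                    else
                        html_msg $ret $modvalue \
                            "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
                            "produced a returncode of $ret, expected is $modvalue"
                    fi
                done
                LOADED_GRP=`expr $LOADED_GRP + 1`
                TEMP_NUM=0
                if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
                    load_group_crl $LOADED_GRP
                    html_msg $ret 0 "Load group $LOADED_GRP crl " \
                        "produced a returncode of $ret, expected is 0"
                fi
            done
            # Back to group 1 only, ready for the next row.
            load_group_crl 1
        done < ${SSLAUTH_TMP}
        kill_selfserv
        # Next pass: one more -r.  Same filters as the first pass - the old
        # second grep let "#" rows through, and nothing in the loop above
        # skips them.
        SERV_ARG="${SERV_ARG}_-r"
        rm -f ${SSLAUTH_TMP}
        grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
        have_rows=$?
    done
    USER_NICKNAME=$saved_nickname
    # Append, don't overwrite: ssl_init already queued the server files here.
    TEMPFILES="${TEMPFILES} ${SSLAUTH_TMP}"
    html "</TABLE><BR>"
}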
############################## ssl_cleanup #############################
# local shell function to finish this script (no exit since it might be
# sourced)
########################################################################
ssl_cleanup()
{
    # Drop a PID file a test may have left behind, then hand over to the
    # shared cleanup in the test root.  No exit here: this script is
    # usually sourced.
    rm ${SERVERPID} 2>/dev/null
    cd ${QADIR}
    . common/cleanup.sh
}
################## main #################################################
# This script is also sourced by the distributed stress test, which only
# wants the function definitions above: in that case run nothing.
if [ -z "$DO_REM_ST" ] && [ -z "$DO_DIST_ST" ] ; then
    ssl_init
    # Pass 1: the standard cert DBs (TestUser), including the CRL tests.
    ssl_cov
    ssl_auth
    ssl_crl_ssl
    ssl_crl_cache
    ssl_stress
    # Pass 2: the same cipher, auth and stress tests against the
    # "extended" DBs and ExtendedSSLUser; no CRL tests there.
    NORM_EXT="Extended test"
    USER_NICKNAME=ExtendedSSLUser
    SERVERDIR=$EXT_SERVERDIR
    R_SERVERDIR=$R_EXT_SERVERDIR
    P_R_SERVERDIR=$P_R_EXT_SERVERDIR
    CLIENTDIR=$EXT_CLIENTDIR
    R_CLIENTDIR=$R_EXT_CLIENTDIR
    P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
    cd ${CLIENTDIR}
    ssl_cov
    ssl_auth
    ssl_stress
    ssl_cleanup
fi