ssl.sh (58974B)
1 #! /bin/bash 2 # 3 # This Source Code Form is subject to the terms of the Mozilla Public 4 # License, v. 2.0. If a copy of the MPL was not distributed with this 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/. 6 7 ######################################################################## 8 # 9 # mozilla/security/nss/tests/ssl/ssl.sh 10 # 11 # Script to test NSS SSL 12 # 13 # Needs to work on all Unix and Windows platforms 14 # 15 # Testing schema: 16 # --------------- 17 # all.sh ~ (main) 18 # | | 19 # +------------+------------+-----------+ ~ run_cycles 20 # | | | | | 21 # standard pkix upgradedb sharedb ~ run_cycle_* 22 # ... | ... ... | 23 # +------+------+-----> ~ run_tests 24 # | | | | 25 # ... ssl ... ~ ssl.sh 26 # | | 27 # +-------+-------+-----------------+ ~ ssl_run_tests 28 # | | | | | 29 # crl iopr policy permute(normal,fips) ~ ssl_run_test_* 30 # | | | | | 31 # +------+------+------+------+---+-+-+-+----> ~ ssl_run 32 # | | | | | | | 33 # stapling cov auth stress dtls ... ~ ssl_run_* 34 # 35 # special strings 36 # --------------- 37 # FIXME ... known problems, search for this string 38 # NOTE .... unexpected behavior 39 # 40 ######################################################################## 41 42 ############################## ssl_init ################################ 43 # local shell function to initialize this script 44 ######################################################################## 45 ssl_init() 46 { 47 SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh 48 49 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for 50 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it 51 fi 52 53 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then 54 cd ../common 55 . ./init.sh 56 fi 57 if [ -z "${IOPR_SSL_SOURCED}" ]; then 58 . ../iopr/ssl_iopr.sh 59 fi 60 if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here 61 cd ../cert 62 . ./cert.sh 63 fi 64 SCRIPTNAME=ssl.sh 65 echo "$SCRIPTNAME: SSL tests ===============================" 66 67 grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { 68 html_head "SSL Test failure" 69 Exit 8 "Fatal - cert.sh needs to pass first" 70 } 71 72 if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then 73 grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || { 74 html_head "SSL Test failure" 75 Exit 8 "Fatal - SSL of cert.sh needs to pass first" 76 } 77 fi 78 79 PORT=${PORT-8443} 80 # Avoid port conflicts when multiple tests are running on the same machine. 81 if [ -n "$NSS_TASKCLUSTER_MAC" ]; then 82 cwd=$(cd $(dirname $0); pwd -P) 83 padd=$(echo $cwd | cut -d "/" -f4 | sed 's/[^0-9]//g') 84 PORT=$(($PORT + $padd)) 85 fi 86 NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} 87 nss_ssl_run="stapling signed_cert_timestamps cov auth dtls scheme exporter" 88 NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} 89 90 # Test case files 91 SSLCOV=${QADIR}/ssl/sslcov.txt 92 SSLAUTH=${QADIR}/ssl/sslauth.txt 93 SSLSTRESS=${QADIR}/ssl/sslstress.txt 94 SSLPOLICY=${QADIR}/ssl/sslpolicy.txt 95 REQUEST_FILE=${QADIR}/ssl/sslreq.dat 96 97 #temparary files 98 SERVEROUTFILE=${TMP}/tests_server.$$ 99 SERVERPID=${TMP}/tests_pid.$$ 100 101 R_SERVERPID=../tests_pid.$$ 102 103 TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}" 104 105 fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't 106 #fileout=1 107 #verbose="-v" #FIXME - see where this is usefull 108 109 USER_NICKNAME=TestUser 110 NORM_EXT="" 111 112 EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D" 113 EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027" 114 EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA" 115 116 NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B" 117 NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz" 118 TLS13_SUITES=":1301:1302:1303" 119 120 # List of cipher suites to test, including ECC cipher suites. 121 CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}" 122 TLS13_CIPHER_SUITES="-c ${TLS13_SUITES}${EC_SUITES}${NON_EC_SUITES}" 123 124 # in fips mode, turn off curve25519 until it's NIST approved 125 FIPS_OPTIONS="" 126 # in fips mode, turn off curve25519 until it's NIST approved 127 ALL_GROUPS="P256,P384,P521,x25519,FF2048,FF3072,FF4096,FF6144,FF8192,xyber768d00,x25519mlkem768,secp256r1mlkem768,secp384r1mlkem1024" 128 NON_PQ_GROUPS="P256,P384,P521,x25519,FF2048,FF3072,FF4096,FF6144,FF8192" 129 FIPS_GROUPS="P256,P384,P521,FF2048,FF3072,FF4096,FF6144,FF8192,mx25519mlkem768,secp256r1mlkem768,secp384r1mlkem1024" 130 FIPS_NON_PQ_GROUPS="P256,P384,P521,FF2048,FF3072,FF4096,FF6144,FF8192" 131 132 133 # in non-fips mode, tstclnt may run without the db password in some 134 # cases, but in fips mode it's always needed 135 CLIENT_PW="" 136 CLIENT_PW_FIPS="-w nss" 137 CLIENT_PW_NORMAL="" 138 139 if [ "${OS_ARCH}" != "WINNT" ]; then 140 ulimit -n 1000 # make sure we have enough file descriptors 141 fi 142 143 cd ${CLIENTDIR} 144 } 145 146 ########################### is_selfserv_alive ########################## 147 # local shell function to exit with a fatal error if selfserver is not 148 # running 149 ######################################################################## 150 is_selfserv_alive() 151 { 152 if [ ! -f "${SERVERPID}" ]; then 153 echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist" 154 sleep 5 155 if [ ! -f "${SERVERPID}" ]; then 156 Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist" 157 fi 158 fi 159 160 if [ "${OS_ARCH}" = "WINNT" ] && \ 161 [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then 162 PID=${SHELL_SERVERPID} 163 else 164 PID=`cat ${SERVERPID}` 165 fi 166 167 echo "kill -0 ${PID} >/dev/null 2>/dev/null" 168 kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" 169 170 echo "selfserv with PID ${PID} found at `date`" 171 } 172 173 ########################### wait_for_selfserv ########################## 174 # local shell function to wait until selfserver is running and initialized 175 ######################################################################## 176 wait_for_selfserv() 177 { 178 #verbose="-v" 179 echo "trying to connect to selfserv at `date`" 180 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" 181 echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}" 182 ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ 183 -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} 184 if [ $? -ne 0 ]; then 185 sleep 5 186 echo "retrying to connect to selfserv at `date`" 187 echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" 188 echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}" 189 ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ 190 -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} 191 if [ $? -ne 0 ]; then 192 html_failed "Waiting for Server" 193 fi 194 fi 195 is_selfserv_alive 196 } 197 198 ########################### kill_selfserv ############################## 199 # local shell function to kill the selfserver after the tests are done 200 ######################################################################## 201 kill_selfserv() 202 { 203 if [ "${OS_ARCH}" = "WINNT" ] && \ 204 [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then 205 PID=${SHELL_SERVERPID} 206 else 207 PID=`cat ${SERVERPID}` 208 fi 209 210 echo "trying to kill selfserv with PID ${PID} at `date`" 211 212 if [ "${OS_ARCH}" = "WINNT" ]; then 213 echo "${KILL} ${PID}" 214 ${KILL} ${PID} 215 else 216 echo "${KILL} -USR1 ${PID}" 217 ${KILL} -USR1 ${PID} 218 fi 219 wait ${PID} 220 if [ ${fileout} -eq 1 ]; then 221 cat ${SERVEROUTFILE} 222 fi 223 224 # On Linux selfserv needs up to 30 seconds to fully die and free 225 # the port. Wait until the port is free. (Bug 129701) 226 if [ "${OS_ARCH}" = "Linux" ]; then 227 echo "selfserv -b -p ${PORT} 2>/dev/null;" 228 until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do 229 echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;" 230 sleep 1 231 done 232 fi 233 234 echo "selfserv with PID ${PID} killed at `date`" 235 236 rm ${SERVERPID} 237 html_detect_core "kill_selfserv core detection step" 238 } 239 240 ########################### start_selfserv ############################# 241 # local shell function to start the selfserver with the parameters required 242 # for this test and log information (parameters, start time) 243 # also: wait until the server is up and running 244 ######################################################################## 245 start_selfserv() 246 { 247 if [ -n "$testname" ] ; then 248 echo "$SCRIPTNAME: $testname ----" 249 fi 250 if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then 251 ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec" 252 else 253 ECC_OPTIONS="" 254 fi 255 if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then 256 RSA_OPTIONS="-n ${HOSTADDR}" 257 else 258 RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss" 259 fi 260 if [ -z "$NSS_DISABLE_DSA" ]; then 261 DSA_OPTIONS="-S ${HOSTADDR}-dsa" 262 else 263 DSA_OPTIONS="" 264 fi 265 266 SERVER_VMIN=${SERVER_VMIN-ssl3} 267 SERVER_VMAX=${SERVER_VMAX-tls1.2} 268 echo "selfserv starting at `date`" 269 echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\" 270 echo " ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID}\\" 271 echo " -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &" 272 if [ ${fileout} -eq 1 ]; then 273 ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ 274 ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 \ 275 > ${SERVEROUTFILE} 2>&1 & 276 RET=$? 277 else 278 ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ 279 ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 & 280 RET=$? 281 fi 282 283 # The PID $! returned by the MKS or Cygwin shell is not the PID of 284 # the real background process, but rather the PID of a helper 285 # process (sh.exe). MKS's kill command has a bug: invoking kill 286 # on the helper process does not terminate the real background 287 # process. Our workaround has been to have selfserv save its PID 288 # in the ${SERVERPID} file and "kill" that PID instead. But this 289 # doesn't work under Cygwin; its kill command doesn't recognize 290 # the PID of the real background process, but it does work on the 291 # PID of the helper process. So we save the value of $! in the 292 # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID} 293 # file under Cygwin. (In fact, this should work in any shell 294 # other than the MKS shell.) 295 SHELL_SERVERPID=$! 296 wait_for_selfserv 297 298 if [ "${OS_ARCH}" = "WINNT" ] && \ 299 [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then 300 PID=${SHELL_SERVERPID} 301 else 302 PID=`cat ${SERVERPID}` 303 fi 304 305 echo "selfserv with PID ${PID} started at `date`" 306 } 307 308 ############################## ssl_cov ################################# 309 # local shell function to perform SSL Cipher Coverage tests 310 ######################################################################## 311 ssl_cov() 312 { 313 verbose_save=${verbose} 314 verbose="-v" 315 html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 316 317 testname="" 318 319 SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} 320 if [ "${SERVER_MODE}" = "fips" ] ; then 321 SERVER_OPTIONS="${SERVER_OPTIONS} -I ${FIPS_GROUPS} ${FIPS_OPTIONS}" 322 fi 323 SAVE_CLIENT_OPTIONS=${CLIENT_OPTIONS} 324 CLIENT_GROUPS=${NON_PQ_GROUPS} 325 if [ "${CLIENT_MODE}" = "fips" ] ; then 326 CLIENT_GROUPS=${FIPS_NON_PQ_GROUPS} 327 CLIENT_OPTIONS="${CLIENT_OPTIONS} ${FIPS_OPTIONS}" 328 fi 329 330 start_selfserv $CIPHER_SUITES # Launch the server 331 332 VMIN="ssl3" 333 VMAX="tls1.1" 334 # can't use a pipe here, because we may have to restart selfserv, and 335 # doing so hides the server pid environment variable in the subshell in 336 # cygwin, which means we can't kill selfserv at the end here. 337 SSL_COV_TMP=$(mktemp /tmp/ssl_cov.XXXXXX) 338 ignore_blank_lines ${SSLCOV} > ${SSL_COV_TMP} 339 while read ectype testmax param sig testname 340 do 341 # RSA-PSS tests are handled in a separate function 342 if [ "$sig" = "RSA-PSS" ]; then 343 continue 344 fi 345 346 # skip DSA tests if they are disabled 347 if [ -n "$NSS_DISABLE_DSA" -a "$sig" = "DSA" ]; then 348 continue 349 fi 350 351 echo "$SCRIPTNAME: running $testname ----------------------------" 352 VMAX="ssl3" 353 if [ "$testmax" = "TLS10" ]; then 354 VMAX="tls1.0" 355 fi 356 if [ "$testmax" = "TLS11" ]; then 357 VMAX="tls1.1" 358 fi 359 if [ "$testmax" = "TLS12" ]; then 360 VMAX="tls1.2" 361 fi 362 if [ "$testmax" = "TLS13" ]; then 363 # if our selfserv can only do up to tls1.2 364 # restart it so it can do tls1.3, This requires 365 # moving VMIN up to tls1.0 because you can't enable SSL3 and 366 # TLS 1.3. 367 if [ "$VMIN" = "ssl3" ]; then 368 SERVER_VMIN="tls1.0" 369 SERVER_VMAX="tls1.3" 370 kill_selfserv 371 start_selfserv ${TLS13_CIPHER_SUITES} 372 unset SERVER_VMIN 373 unset SERVER_VMAX 374 VMIN="tls1.0" 375 fi 376 VMAX="tls1.3" 377 fi 378 # if we are testing ssl3 and our server can only do down to tls1.1, 379 # restart it to enable ssl3 380 if [ "$VMAX" = "ssl3" -a "$VMIN" = "tls1.1" ]; then 381 kill_selfserv 382 start_selfserv $CIPHER_SUITES 383 VMIN="ssl3" 384 fi 385 386 TLS_GROUPS=${CLIENT_GROUPS} 387 if [ "$ectype" = "XYBER" ]; then 388 TLS_GROUPS="xyber768d00" 389 elif [ "$ectype" = "MLKEM219" ]; then 390 TLS_GROUPS="x25519mlkem768" 391 elif [ "$ectype" = "MLKEM256" ]; then 392 TLS_GROUPS="secp256r1mlkem768" 393 elif [ "$ectype" = "MLKEM384" ]; then 394 TLS_GROUPS="secp384r1mlkem1024" 395 fi 396 397 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -I \"${TLS_GROUPS}\" -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" 398 echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" 399 400 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 401 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -I "${TLS_GROUPS}" -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ 402 -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ 403 >${TMP}/$HOST.tmp.$$ 2>&1 404 ret=$? 405 cat ${TMP}/$HOST.tmp.$$ 406 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 407 html_msg $ret 0 "${testname}" \ 408 "produced a returncode of $ret, expected is 0" 409 done < ${SSL_COV_TMP} 410 rm -f ${SSL_COV_TMP} 411 412 SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} 413 CLIENT_OPTIONS=${SAVE_CLIENT_OPTIONS} 414 verbose=${verbose_save} 415 kill_selfserv 416 html "</TABLE><BR>" 417 } 418 419 ssl_cov_rsa_pss() 420 { 421 #verbose="-v" 422 html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 423 424 testname="" 425 426 if [ "$NORM_EXT" = "Extended Test" ] ; then 427 echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT" 428 return 0 429 fi 430 431 RSA_PSS_CERT=1 432 NO_ECC_CERTS=1 433 start_selfserv $CIPHER_SUITES 434 RSA_PSS_CERT=0 435 NO_ECC_CERTS=0 436 437 VMIN="tls1.2" 438 VMAX="tls1.2" 439 440 ignore_blank_lines ${SSLCOV} | \ 441 while read ectype testmax param sig testname 442 do 443 # only PSS testa are handled here. 444 if [ "$sig" != "RSA-PSS" ]; then 445 continue 446 fi 447 448 echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------" 449 450 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" 451 echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" 452 453 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 454 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ 455 -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ 456 >${TMP}/$HOST.tmp.$$ 2>&1 457 ret=$? 458 cat ${TMP}/$HOST.tmp.$$ 459 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 460 html_msg $ret 0 "${testname}" \ 461 "produced a returncode of $ret, expected is 0" 462 done 463 464 kill_selfserv 465 html "</TABLE><BR>" 466 } 467 468 ############################## ssl_auth ################################ 469 # local shell function to perform SSL Client Authentication tests 470 ######################################################################## 471 ssl_auth() 472 { 473 #verbose="-v" 474 html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 475 476 ignore_blank_lines ${SSLAUTH} | \ 477 while read ectype value sparam cparam testname 478 do 479 echo "${testname}" | grep "don't require client auth" > /dev/null 480 CAUTH=$? 481 echo "${testname}" | grep "TLS 1.3" > /dev/null 482 TLS13=$? 483 484 if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then 485 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" 486 elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then 487 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" 488 else 489 cparam=`echo $cparam | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" ` 490 if [ "$ectype" = "SNI" ]; then 491 cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` 492 sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` 493 fi 494 # SSL3 cannot be used with TLS 1.3 495 unset SERVER_VMIN 496 unset SERVER_VMAX 497 if [ $TLS13 -eq 0 ] ; then 498 SERVER_VMIN=tls1.0 499 SERVER_VMAX=tls1.3 500 fi 501 start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'` 502 503 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" 504 echo " ${cparam} < ${REQUEST_FILE}" 505 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 506 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \ 507 -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ 508 >${TMP}/$HOST.tmp.$$ 2>&1 509 ret=$? 510 cat ${TMP}/$HOST.tmp.$$ 511 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 512 513 #workaround for bug #402058 514 [ $ret -ne 0 ] && ret=1 515 [ $value -ne 0 ] && value=1 516 517 html_msg $ret $value "${testname}" \ 518 "produced a returncode of $ret, expected is $value" 519 kill_selfserv 520 fi 521 done 522 523 html "</TABLE><BR>" 524 } 525 526 ssl_stapling_sub() 527 { 528 #verbose="-v" 529 testname=$1 530 SO=$2 531 value=$3 532 533 if [ "$NORM_EXT" = "Extended Test" ] ; then 534 # these tests use the ext_client directory for tstclnt, 535 # which doesn't contain the required "TestCA" for server cert 536 # verification, I don't know if it would be OK to add it... 537 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" 538 return 0 539 fi 540 541 SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} 542 SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}" 543 544 SAVE_P_R_SERVERDIR=${P_R_SERVERDIR} 545 P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/ 546 547 echo "${testname}" 548 549 start_selfserv 550 551 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" 552 echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}" 553 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 554 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ 555 -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \ 556 >${TMP}/$HOST.tmp.$$ 2>&1 557 ret=$? 558 cat ${TMP}/$HOST.tmp.$$ 559 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 560 561 # hopefully no workaround for bug #402058 needed here? 562 # (see commands in ssl_auth 563 564 html_msg $ret $value "${testname}" \ 565 "produced a returncode of $ret, expected is $value" 566 kill_selfserv 567 568 SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} 569 P_R_SERVERDIR=${SAVE_P_R_SERVERDIR} 570 } 571 572 ssl_stapling_stress() 573 { 574 testname="Stress OCSP stapling, server uses random status" 575 SO="-A TestCA -T random" 576 value=0 577 578 if [ "$NORM_EXT" = "Extended Test" ] ; then 579 # these tests use the ext_client directory for tstclnt, 580 # which doesn't contain the required "TestCA" for server cert 581 # verification, I don't know if it would be OK to add it... 582 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" 583 return 0 584 fi 585 586 SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} 587 SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}" 588 589 SAVE_P_R_SERVERDIR=${P_R_SERVERDIR} 590 P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/ 591 592 echo "${testname}" 593 start_selfserv 594 595 echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\" 596 echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}" 597 echo "strsclnt started at `date`" 598 ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \ 599 -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR} 600 ret=$? 601 602 echo "strsclnt completed at `date`" 603 html_msg $ret $value \ 604 "${testname}" \ 605 "produced a returncode of $ret, expected is $value." 606 kill_selfserv 607 608 SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} 609 P_R_SERVERDIR=${SAVE_P_R_SERVERDIR} 610 } 611 612 ############################ ssl_stapling ############################## 613 # local shell function to perform SSL Cert Status (OCSP Stapling) tests 614 ######################################################################## 615 ssl_stapling() 616 { 617 html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 618 619 # tstclnt Exit code: 620 # 0: have fresh and valid revocation data, status good 621 # 1: cert failed to verify, prior to revocation checking 622 # 2: missing, old or invalid revocation data 623 # 3: have fresh and valid revocation data, status revoked 624 625 # selfserv modes 626 # good, revoked, unkown: Include locally signed response. Requires: -A 627 # failure: Include OCSP failure status, such as "try later" (unsigned) 628 # badsig: use a good status but with an invalid signature 629 # corrupted: stapled cert status is an invalid block of data 630 631 ssl_stapling_sub "OCSP stapling, signed response, good status" "-A TestCA -T good" 0 632 ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked" 3 633 ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown" 2 634 ssl_stapling_sub "OCSP stapling, unsigned failure response" "-A TestCA -T failure" 2 635 ssl_stapling_sub "OCSP stapling, good status, bad signature" "-A TestCA -T badsig" 2 636 ssl_stapling_sub "OCSP stapling, invalid cert status data" "-A TestCA -T corrupted" 2 637 ssl_stapling_sub "Valid cert, Server doesn't staple" "" 2 638 639 ssl_stapling_stress 640 641 html "</TABLE><BR>" 642 } 643 644 ############################ ssl_signed_cert_timestamps ################# 645 # local shell function to perform SSL Signed Certificate Timestamp tests 646 ######################################################################### 647 ssl_signed_cert_timestamps() 648 { 649 #verbose="-v" 650 html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 651 652 testname="ssl_signed_cert_timestamps" 653 value=0 654 655 echo "${testname}" 656 657 start_selfserv 658 659 # Since we don't have server-side support, this test only covers advertising the 660 # extension in the client hello. 661 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" 662 echo " -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}" 663 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 664 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ 665 -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \ 666 >${TMP}/$HOST.tmp.$$ 2>&1 667 ret=$? 668 cat ${TMP}/$HOST.tmp.$$ 669 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 670 671 html_msg $ret $value "${testname}" \ 672 "produced a returncode of $ret, expected is $value" 673 kill_selfserv 674 html "</TABLE><BR>" 675 } 676 677 678 ############################## ssl_stress ############################## 679 # local shell function to perform SSL stress test 680 ######################################################################## 681 ssl_stress() 682 { 683 html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 684 685 ignore_blank_lines ${SSLSTRESS} | \ 686 while read ectype value sparam cparam testname 687 do 688 echo "${testname}" | grep "client auth" > /dev/null 689 CAUTH=$? 690 echo "${testname}" | grep "no login" > /dev/null 691 NOLOGIN=$? 692 echo "${testname}" | grep "_DSS_" > /dev/null 693 IS_DSA=$? 694 695 if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then 696 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" 697 elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then 698 echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" 699 elif [ "${NOLOGIN}" -eq 0 ] && \ 700 [ "${CLIENT_MODE}" = "fips" -o "$NORM_EXT" = "Extended Test" ] ; then 701 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" 702 elif [ -n "${NSS_DISABLE_DSA}" -a "$IS_DSA" -eq 0 ] ; then 703 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT (DSA is disabled" 704 else 705 cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` 706 if [ "$ectype" = "SNI" ]; then 707 cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` 708 sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` 709 fi 710 711 start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` 712 713 if [ "`uname -n`" = "sjsu" ] ; then 714 echo "debugging disappearing selfserv... ps -ef | grep selfserv" 715 ps -ef | grep selfserv 716 fi 717 718 if [ "${NOLOGIN}" -eq 0 ] ; then 719 dbdir=${P_R_NOLOGINDIR} 720 else 721 dbdir=${P_R_CLIENTDIR} 722 fi 723 724 echo "strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \\" 725 echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}" 726 echo "strsclnt started at `date`" 727 ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \ 728 -V ssl3:tls1.2 $verbose ${HOSTADDR} 729 ret=$? 730 echo "strsclnt completed at `date`" 731 html_msg $ret $value \ 732 "${testname}" \ 733 "produced a returncode of $ret, expected is $value. " 734 if [ "`uname -n`" = "sjsu" ] ; then 735 echo "debugging disapering selfserv... ps -ef | grep selfserv" 736 ps -ef | grep selfserv 737 fi 738 kill_selfserv 739 fi 740 done 741 742 html "</TABLE><BR>" 743 } 744 745 ############################ ssl_crl_ssl ############################### 746 # local shell function to perform SSL test with/out revoked certs tests 747 ######################################################################## 748 ssl_crl_ssl() 749 { 750 #verbose="-v" 751 html_head "CRL SSL Client Tests $NORM_EXT" 752 753 # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it. 754 # Cert number $UNREVOKED_CERT_GRP_1 was not revoked 755 CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN 756 CRL_GROUP_RANGE=$CRL_GRP_1_RANGE 757 UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1 758 759 ignore_blank_lines ${SSLAUTH} | \ 760 while read ectype value sparam cparam testname 761 do 762 echo "${testname}" | grep "TLS 1.3" > /dev/null 763 TLS13=$? 764 if [ "$ectype" = "SNI" ]; then 765 continue 766 else 767 # SSL3 cannot be used with TLS 1.3 768 unset SERVER_VMIN 769 unset SERVER_VMAX 770 if [ $TLS13 -eq 0 ] ; then 771 SERVER_VMIN=tls1.0 772 SERVER_VMAX=tls1.3 773 fi 774 servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` 775 pwd=`echo $cparam | grep nss` 776 # did we select TestUser? 777 user=`echo $cparam | grep TestUser` 778 # did we explicitly select a cert? 779 auto=`echo $cparam | grep '\\-n'` 780 _cparam=$cparam 781 case $servarg in 782 1) if [ -z "$pwd" -o -z "$user" ]; then 783 rev_modvalue=0 784 else 785 rev_modvalue=254 786 fi 787 ;; 788 2) if [ -z "$auto" ]; then 789 rev_modvalue=0 790 else 791 rev_modvalue=254 792 fi 793 ;; 794 3) if [ -z "$pwd" -o -z "$user" ]; then 795 rev_modvalue=0 796 else 797 rev_modvalue=1 798 fi 799 ;; 800 4) if [ -z "$auto" ]; then 801 rev_modvalue=0 802 else 803 rev_modvalue=1 804 fi 805 ;; 806 esac 807 TEMP_NUM=0 808 while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ] 809 do 810 CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}` 811 TEMP_NUM=`expr $TEMP_NUM + 1` 812 USER_NICKNAME="TestUser${CURR_SER_NUM}" 813 cparam=`echo $_cparam | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" ` 814 start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'` 815 816 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" 817 echo " ${cparam} < ${REQUEST_FILE}" 818 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 819 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ 820 -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ 821 >${TMP}/$HOST.tmp.$$ 2>&1 822 ret=$? 823 cat ${TMP}/$HOST.tmp.$$ 824 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 825 if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then 826 modvalue=$rev_modvalue 827 testAddMsg="revoked" 828 else 829 testAddMsg="not revoked" 830 modvalue=$value 831 fi 832 833 html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \ 834 "produced a returncode of $ret, expected is $modvalue" 835 kill_selfserv 836 done 837 fi 838 done 839 840 html "</TABLE><BR>" 841 } 842 843 ############################## ssl_policy ############################## 844 # local shell function to perform SSL Policy tests 845 ######################################################################## 846 ssl_policy() 847 { 848 #verbose="-v" 849 html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 850 851 testname="" 852 853 if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then 854 html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized" 855 return 1; 856 fi 857 858 echo "Saving pkcs11.txt" 859 save_pkcs11 ${P_R_CLIENTDIR} 860 861 start_selfserv $CIPHER_SUITES 862 863 ignore_blank_lines ${SSLPOLICY} | \ 864 while read value ectype testmax param policy testname 865 do 866 VMIN="ssl3" 867 868 echo "$SCRIPTNAME: running $testname ----------------------------" 869 VMAX="ssl3" 870 if [ "$testmax" = "TLS10" ]; then 871 VMAX="tls1.0" 872 fi 873 if [ "$testmax" = "TLS11" ]; then 874 VMAX="tls1.1" 875 fi 876 if [ "$testmax" = "TLS12" ]; then 877 VMAX="tls1.2" 878 fi 879 880 # load the policy 881 policy=`echo ${policy} | sed -e 's;_; ;g'` 882 setup_policy "$policy" ${P_R_CLIENTDIR} 883 884 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" 885 echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" 886 887 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 888 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ 889 -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ 890 >${TMP}/$HOST.tmp.$$ 2>&1 891 ret=$? 892 cat ${TMP}/$HOST.tmp.$$ 893 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 894 895 #workaround for bug #402058 896 [ $ret -ne 0 ] && ret=1 897 [ ${value} -ne 0 ] && value=1 898 899 html_msg $ret ${value} "${testname}" \ 900 "produced a returncode of $ret, expected is ${value}" 901 done 902 restore_pkcs11 ${P_R_CLIENTDIR} 903 904 kill_selfserv 905 html "</TABLE><BR>" 906 } 907 908 list_enabled_suites() 909 { 910 echo "SSL_DIR=${P_R_CLIENTDIR} ${BINDIR}/listsuites" 911 SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites | tail -n+3 | \ 912 sed -n -e '/^TLS_/h' -e '/^ .*Enabled.*/{g;p}' | sed 's/:$//' 913 } 914 915 ############################## ssl_policy_listsuites ################### 916 # local shell function to perform SSL Policy tests, using listsuites 917 ######################################################################## 918 ssl_policy_listsuites() 919 { 920 #verbose="-v" 921 html_head "SSL POLICY LISTSUITES $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 922 923 testname="" 924 925 if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then 926 html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized" 927 return 1; 928 fi 929 930 echo "Saving pkcs11.txt" 931 cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav 932 933 # Disallow all explicitly 934 testname="listsuites with all cipher disallowed by policy" 935 setup_policy "disallow=all" ${P_R_CLIENTDIR} 936 RET_EXP=1 937 list_enabled_suites | grep '^TLS_' 938 RET=$? 939 html_msg $RET $RET_EXP "${testname}" \ 940 "produced a returncode of $RET, expected is $RET_EXP" 941 942 # Disallow RSA in key exchange explicitly 943 testname="listsuites with rsa cipher disallowed by policy" 944 setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR} 945 RET_EXP=1 946 list_enabled_suites | grep '^TLS_RSA_' 947 RET=$? 948 html_msg $RET $RET_EXP "${testname}" \ 949 "produced a returncode of $RET, expected is $RET_EXP" 950 951 # allow by policy, but disable by default 952 testname="listsuites with all ciphers enabled by policy but disabled by default" 953 setup_policy "allow=all disable=all" ${P_R_CLIENTDIR} 954 RET_EXP=1 955 list_enabled_suites | grep '^TLS_' 956 RET=$? 957 html_msg $RET $RET_EXP "${testname}" \ 958 "produced a returncode of $RET, expected is $RET_EXP" 959 960 # allow by policy, but disable by default just rsa-kea 961 testname="listsuites with all ciphers enabled by policy but rsa disabled by default" 962 setup_policy "allow=all disable=rsa/ssl-key-exchange" ${P_R_CLIENTDIR} 963 RET_EXP=1 964 list_enabled_suites | grep '^TLS_RSA_' 965 RET=$? 966 html_msg $RET $RET_EXP "${testname}" \ 967 "produced a returncode of $RET, expected is $RET_EXP" 968 969 # list_enabled_suites tries to set a policy value explicitly, This will 970 # cause list_enabled_suites to fail if we lock the policy 971 testname="listsuites with policy locked" 972 setup_policy "allow=all flags=policy-lock" ${P_R_CLIENTDIR} 973 RET_EXP=1 974 SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites 975 RET=$? 976 html_msg $RET $RET_EXP "${testname}" \ 977 "produced a returncode of $RET, expected is $RET_EXP" 978 979 cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt 980 981 html "</TABLE><BR>" 982 } 983 984 ssl_policy_pkix_ocsp() 985 { 986 #verbose="-v" 987 html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 988 989 PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"} 990 unset NSS_DISABLE_LIBPKIX_VERIFY 991 992 testname="" 993 994 if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then 995 html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" 996 return 1; 997 fi 998 999 echo "Saving pkcs11.txt" 1000 cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav 1001 1002 # Disallow sha1 explicitly. This will test if we are trying to verify the sha1 signature 1003 # on the GlobalSign root during OCSP processing 1004 setup_policy "disallow=sha1" ${P_R_SERVERDIR} 1005 RET_EXP=0 1006 echo " vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out" 1007 vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out 1008 # make sure we have the domain mismatch, not bad signature error 1009 echo "grep -E '12276|5961' ${P_R_SERVERDIR}/vfy.out" 1010 grep -E '12276|5961' ${P_R_SERVERDIR}/vfy.out 1011 RET=$? 1012 html_msg $RET $RET_EXP "${testname}" \ 1013 "produced a returncode of $RET, expected is $RET_EXP" 1014 1015 if [ "{PKIX_SAVE}" != "unset" ]; then 1016 export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE} 1017 fi 1018 1019 cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt 1020 1021 html "</TABLE><BR>" 1022 1023 } 1024 1025 ############################## ssl_policy_selfserv ##################### 1026 # local shell function to perform SSL Policy tests, using selfserv 1027 ######################################################################## 1028 ssl_policy_selfserv() 1029 { 1030 #verbose="-v" 1031 html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 1032 1033 testname="" 1034 1035 if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then 1036 html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" 1037 return 1; 1038 fi 1039 1040 echo "Saving pkcs11.txt" 1041 cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav 1042 1043 # Disallow RSA in key exchange explicitly 1044 testname="Disallow RSA key exchange explicitly" 1045 setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR} 1046 1047 SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} 1048 # make sure policy is working in the multiprocess case is working on 1049 # UNIX-like OS's. Other OS's can't properly clean up the child processes 1050 # when our test suite kills the parent, so just use the single process 1051 # self serve for them 1052 # if [ "${OS_ARCH}" != "WINNT" ]; then 1053 # SERVER_OPTIONS="-M 3 ${SERVER_OPTIONS}" 1054 # fi 1055 1056 start_selfserv $CIPHER_SUITES 1057 1058 SERVER_OPTIONS="${SAVE_SERVER_OPTIONS}" 1059 VMIN="ssl3" 1060 VMAX="tls1.2" 1061 1062 # Try to connect to the server with a ciphersuite using RSA in key exchange 1063 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" 1064 echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" 1065 1066 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 1067 RET_EXP=254 1068 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ 1069 -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ 1070 >${TMP}/$HOST.tmp.$$ 2>&1 1071 RET=$? 1072 cat ${TMP}/$HOST.tmp.$$ 1073 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 1074 1075 html_msg $RET $RET_EXP "${testname}" \ 1076 "produced a returncode of $RET, expected is $RET_EXP" 1077 1078 cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt 1079 1080 kill_selfserv 1081 html "</TABLE><BR>" 1082 } 1083 1084 ############################# is_revoked ############################### 1085 # local shell function to check if certificate is revoked 1086 ######################################################################## 1087 is_revoked() { 1088 certNum=$1 1089 currLoadedGrp=$2 1090 1091 found=0 1092 ownerGrp=1 1093 while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ] 1094 do 1095 currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}` 1096 currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}` 1097 currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1` 1098 if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then 1099 found=1 1100 else 1101 ownerGrp=`expr $ownerGrp + 1` 1102 fi 1103 done 1104 if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then 1105 return 1 1106 fi 1107 if [ $found -eq 0 ]; then 1108 return 1 1109 fi 1110 unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}` 1111 if [ $certNum -eq $unrevokedGrpCert ]; then 1112 return 1 1113 fi 1114 return 0 1115 } 1116 1117 ########################### load_group_crl ############################# 1118 # local shell function to load CRL 1119 ######################################################################## 1120 load_group_crl() { 1121 #verbose="-v" 1122 group=$1 1123 ectype=$2 1124 1125 OUTFILE_TMP=${TMP}/$HOST.tmp.$$ 1126 grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}` 1127 grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}` 1128 grpEnd=`expr $grpBegin + $grpRange - 1` 1129 1130 if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then 1131 ret=1 1132 return 1; 1133 fi 1134 1135 # Add -ec suffix for ECC 1136 if [ "$ectype" = "ECC" ] ; then 1137 ecsuffix="-ec" 1138 eccomment="ECC " 1139 else 1140 ecsuffix="" 1141 eccomment="" 1142 fi 1143 1144 if [ "$RELOAD_CRL" != "" ]; then 1145 if [ $group -eq 1 ]; then 1146 echo "==================== Resetting to group 1 crl ===================" 1147 kill_selfserv 1148 start_selfserv 1149 is_selfserv_alive 1150 fi 1151 echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd =============" 1152 1153 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" 1154 echo " -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}" 1155 echo "Request:" 1156 echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" 1157 echo "" 1158 echo "RELOAD time $i" 1159 1160 REQF=${R_CLIENTDIR}.crlreq 1161 cat > ${REQF} <<_EOF_REQUEST_ 1162 GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} 1163 1164 _EOF_REQUEST_ 1165 1166 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f \ 1167 -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \ 1168 >${OUTFILE_TMP} 2>&1 < ${REQF} 1169 1170 cat ${OUTFILE_TMP} 1171 grep "CRL ReCache Error" ${OUTFILE_TMP} 1172 if [ $? -eq 0 ]; then 1173 ret=1 1174 return 1 1175 fi 1176 else 1177 echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv =====" 1178 1179 kill_selfserv 1180 CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd" 1181 crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \ 1182 -p ../tests.pw.928 1183 ret=$? 1184 if [ "$ret" -eq 0 ]; then 1185 html_passed "${CU_ACTION}" 1186 return 1 1187 fi 1188 start_selfserv 1189 fi 1190 is_selfserv_alive 1191 ret=$? 1192 echo "================= CRL Reloaded =============" 1193 } 1194 1195 1196 ########################### ssl_crl_cache ############################## 1197 # local shell function to perform SSL test for crl cache functionality 1198 # with/out revoked certs 1199 ######################################################################## 1200 ssl_crl_cache() 1201 { 1202 #verbose="-v" 1203 html_head "Cache CRL SSL Client Tests $NORM_EXT" 1204 SSLAUTH_TMP=${TMP}/authin.tl.tmp 1205 SERV_ARG=-r_-r 1206 rm -f ${SSLAUTH_TMP} 1207 echo ${SSLAUTH_TMP} 1208 1209 grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus | grep -v 'post hs' > ${SSLAUTH_TMP} 1210 echo $? 1211 while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ] 1212 do 1213 start_selfserv `echo $SERV_ARG | sed -e 's,_, ,g'` 1214 exec < ${SSLAUTH_TMP} 1215 while read ectype value sparam cparam testname 1216 do 1217 [ "$ectype" = "" ] && continue 1218 if [ "$ectype" = "SNI" ]; then 1219 continue 1220 else 1221 servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` 1222 pwd=`echo $cparam | grep nss` 1223 user=`echo $cparam | grep TestUser` 1224 _cparam=$cparam 1225 case $servarg in 1226 1) if [ -z "$pwd" -o -z "$user" ]; then 1227 rev_modvalue=0 1228 else 1229 rev_modvalue=254 1230 fi 1231 ;; 1232 2) rev_modvalue=254 ;; 1233 1234 3) if [ -z "$pwd" -o -z "$user" ]; then 1235 rev_modvalue=0 1236 else 1237 rev_modvalue=1 1238 fi 1239 ;; 1240 4) rev_modvalue=1 ;; 1241 esac 1242 TEMP_NUM=0 1243 LOADED_GRP=1 1244 while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] 1245 do 1246 while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ] 1247 do 1248 CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}` 1249 TEMP_NUM=`expr $TEMP_NUM + 1` 1250 USER_NICKNAME="TestUser${CURR_SER_NUM}" 1251 cparam=`echo $_cparam | sed -e 's;\([^\]\)_;\1 ;g' -e 's;\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" ` 1252 1253 echo "Server Args: $SERV_ARG" 1254 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" 1255 echo " ${cparam} < ${REQUEST_FILE}" 1256 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 1257 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ 1258 -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ 1259 >${TMP}/$HOST.tmp.$$ 2>&1 1260 ret=$? 1261 cat ${TMP}/$HOST.tmp.$$ 1262 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null 1263 is_revoked ${CURR_SER_NUM} ${LOADED_GRP} 1264 isRevoked=$? 1265 if [ $isRevoked -eq 0 ]; then 1266 modvalue=$rev_modvalue 1267 testAddMsg="revoked" 1268 else 1269 modvalue=$value 1270 testAddMsg="not revoked" 1271 fi 1272 1273 is_selfserv_alive 1274 ss_status=$? 1275 if [ "$ss_status" -ne 0 ]; then 1276 html_msg $ret $modvalue \ 1277 "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ 1278 "produced a returncode of $ret, expected is $modvalue. " \ 1279 "selfserv is not alive!" 1280 else 1281 html_msg $ret $modvalue \ 1282 "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ 1283 "produced a returncode of $ret, expected is $modvalue" 1284 fi 1285 done 1286 LOADED_GRP=`expr $LOADED_GRP + 1` 1287 TEMP_NUM=0 1288 if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then 1289 load_group_crl $LOADED_GRP $ectype 1290 html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \ 1291 "produced a returncode of $ret, expected is 0" 1292 fi 1293 done 1294 # Restart selfserv to roll back to two initial group 1 crls 1295 # TestCA CRL and TestCA-ec CRL 1296 kill_selfserv 1297 start_selfserv `echo "$sparam" | sed -e 's,_, ,g'` 1298 fi 1299 done 1300 kill_selfserv 1301 SERV_ARG="${SERV_ARG}_-r" 1302 rm -f ${SSLAUTH_TMP} 1303 grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP} 1304 done 1305 TEMPFILES=${SSLAUTH_TMP} 1306 html "</TABLE><BR>" 1307 } 1308 1309 ############################ ssl_dtls ################################### 1310 # local shell function to test tstclnt acting as client and server for DTLS 1311 ######################################################################### 1312 ssl_dtls() 1313 { 1314 #verbose="-v" 1315 html_head "SSL DTLS $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 1316 1317 testname="ssl_dtls" 1318 value=0 1319 1320 echo "${testname}" 1321 1322 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \\" 1323 echo " -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} &" 1324 1325 (sleep 2; cat ${REQUEST_FILE}) | ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \ 1326 -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss 2>&1 & 1327 1328 PID=$! 1329 1330 sleep 1 1331 1332 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \\" 1333 echo " -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE}" 1334 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ 1335 -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 1336 ret=$? 1337 html_msg $ret $value "${testname}" \ 1338 "produced a returncode of $ret, expected is $value" 1339 1340 kill ${PID} 1341 1342 html "</TABLE><BR>" 1343 } 1344 1345 ############################ ssl_scheme ################################### 1346 # local shell function to test tstclnt and selfserv handling of signature schemes 1347 ######################################################################### 1348 ssl_scheme() 1349 { 1350 html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 1351 1352 NO_ECC_CERTS=1 1353 schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256") 1354 for sscheme in "${schemes[@]}"; do 1355 for cscheme in "${schemes[@]}"; do 1356 testname="ssl_scheme server='$sscheme' client='$cscheme'" 1357 echo "${testname}" 1358 1359 start_selfserv -V tls1.2:tls1.2 -J "$sscheme" 1360 1361 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" 1362 echo " -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE}" 1363 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ 1364 -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 1365 ret=$? 1366 # If both schemes include just one option and those options don't 1367 # match, then the test should fail; otherwise, assume that it works. 1368 if [ "${cscheme#*,}" = "$cscheme" -a \ 1369 "${sscheme#*,}" = "$sscheme" -a \ 1370 "$cscheme" != "$sscheme" ]; then 1371 expected=254 1372 else 1373 expected=0 1374 fi 1375 html_msg $ret $expected "${testname}" \ 1376 "produced a returncode of $ret, expected is $expected" 1377 kill_selfserv 1378 done 1379 done 1380 NO_ECC_CERTS=0 1381 1382 html "</TABLE><BR>" 1383 } 1384 1385 ############################ ssl_scheme_stress ########################## 1386 # local shell function to test strsclnt and selfserv handling of signature schemes 1387 ######################################################################### 1388 ssl_scheme_stress() 1389 { 1390 html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 1391 1392 NO_ECC_CERTS=1 1393 schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256") 1394 for sscheme in "${schemes[@]}"; do 1395 for cscheme in "${schemes[@]}"; do 1396 testname="ssl_scheme server='$sscheme' client='$cscheme'" 1397 echo "${testname}" 1398 1399 start_selfserv -V tls1.2:tls1.2 -J "$sscheme" 1400 1401 echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" 1402 echo " -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE}" 1403 ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} ${CLIENT_OPTIONS} \ 1404 -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 1405 ret=$? 1406 # If both schemes include just one option and those options don't 1407 # match, then the test should fail; otherwise, assume that it works. 1408 if [ "${cscheme#*,}" = "$cscheme" -a \ 1409 "${sscheme#*,}" = "$sscheme" -a \ 1410 "$cscheme" != "$sscheme" ]; then 1411 expected=1 1412 else 1413 expected=0 1414 fi 1415 html_msg $ret $expected "${testname}" \ 1416 "produced a returncode of $ret, expected is $expected" 1417 kill_selfserv 1418 done 1419 done 1420 NO_ECC_CERTS=0 1421 1422 html "</TABLE><BR>" 1423 } 1424 1425 ############################ ssl_exporter ################################### 1426 # local shell function to test tstclnt and selfserv handling of TLS exporter 1427 ######################################################################### 1428 ssl_exporter() 1429 { 1430 html_head "SSL EXPORTER $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" 1431 1432 save_fileout=${fileout} 1433 fileout=1 1434 SAVE_SERVEROUTFILE=${SERVEROUTFILE} 1435 SERVEROUTFILE=server.out 1436 exporters=("label" "label:10" "label:10:0xdeadbeef" "0x666f6f2c:10:0xdeadbeef" "label1:10:0xdeadbeef,label2:10") 1437 for exporter in "${exporters[@]}"; do 1438 start_selfserv -V tls1.2:tls1.2 -x "$exporter" 1439 1440 echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" 1441 echo " -V tls1.2:tls1.2 -x $exporter ${CLIENT_PW} < ${REQUEST_FILE}" 1442 ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ 1443 -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -x "$exporter" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 > client.out 1444 kill_selfserv 1445 diff <(LC_ALL=C grep -A1 "^ *Keying Material:" server.out) \ 1446 <(LC_ALL=C grep -A1 "^ *Keying Material:" client.out) 1447 ret=$? 1448 html_msg $ret 0 "${testname}" \ 1449 "produced a returncode of $ret, expected is 0" 1450 done 1451 SERVEROUTFILE=${SAVE_SERVEROUTFILE} 1452 fileout=${save_fileout} 1453 1454 html "</TABLE><BR>" 1455 } 1456 1457 ############################## ssl_cleanup ############################# 1458 # local shell function to finish this script (no exit since it might be 1459 # sourced) 1460 ######################################################################## 1461 ssl_cleanup() 1462 { 1463 rm $SERVERPID 2>/dev/null 1464 cd ${QADIR} 1465 . common/cleanup.sh 1466 } 1467 1468 ############################## ssl_run ################################# 1469 # local shell function to run coverage, authentication and stress tests 1470 ######################################################################## 1471 ssl_run() 1472 { 1473 for SSL_RUN in ${NSS_SSL_RUN} 1474 do 1475 case "${SSL_RUN}" in 1476 "stapling") 1477 if [ -z "$NSS_DISABLE_LIBPKIX" ]; then 1478 ssl_stapling 1479 fi 1480 ;; 1481 "signed_cert_timestamps") 1482 ssl_signed_cert_timestamps 1483 ;; 1484 "cov") 1485 ssl_cov 1486 ssl_cov_rsa_pss 1487 ;; 1488 "auth") 1489 ssl_auth 1490 ;; 1491 "stress") 1492 ssl_stress 1493 ;; 1494 "dtls") 1495 ssl_dtls 1496 ;; 1497 "scheme") 1498 ssl_scheme 1499 ssl_scheme_stress 1500 ;; 1501 "exporter") 1502 ssl_exporter 1503 ;; 1504 esac 1505 done 1506 } 1507 1508 ############################ ssl_run_all ############################### 1509 # local shell function to run both standard and extended ssl tests 1510 ######################################################################## 1511 ssl_run_all() 1512 { 1513 ORIG_SERVERDIR=$SERVERDIR 1514 ORIG_CLIENTDIR=$CLIENTDIR 1515 ORIG_R_SERVERDIR=$R_SERVERDIR 1516 ORIG_R_CLIENTDIR=$R_CLIENTDIR 1517 ORIG_P_R_SERVERDIR=$P_R_SERVERDIR 1518 ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR 1519 1520 # Exercise PKCS#11 URI parsing. The token actually changes its name 1521 # in FIPS mode, so cope with that. Note there's also semicolon in here 1522 # but it doesn't need escaping/quoting; the shell copes. 1523 if [ "${CLIENT_MODE}" = "fips" ]; then 1524 USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser" 1525 else 1526 USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser" 1527 fi 1528 NORM_EXT="" 1529 cd ${CLIENTDIR} 1530 1531 ssl_run 1532 1533 SERVERDIR=$EXT_SERVERDIR 1534 CLIENTDIR=$EXT_CLIENTDIR 1535 R_SERVERDIR=$R_EXT_SERVERDIR 1536 R_CLIENTDIR=$R_EXT_CLIENTDIR 1537 P_R_SERVERDIR=$P_R_EXT_SERVERDIR 1538 P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR 1539 1540 # A different URI test; specify CKA_LABEL but not the token. 1541 USER_NICKNAME="pkcs11:object=ExtendedSSLUser" 1542 NORM_EXT="Extended Test" 1543 cd ${CLIENTDIR} 1544 1545 ssl_run 1546 1547 # the next round of ssl tests will only run if these vars are reset 1548 SERVERDIR=$ORIG_SERVERDIR 1549 CLIENTDIR=$ORIG_CLIENTDIR 1550 R_SERVERDIR=$ORIG_R_SERVERDIR 1551 R_CLIENTDIR=$ORIG_R_CLIENTDIR 1552 P_R_SERVERDIR=$ORIG_P_R_SERVERDIR 1553 P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR 1554 1555 USER_NICKNAME=TestUser 1556 NORM_EXT= 1557 cd ${QADIR}/ssl 1558 } 1559 1560 ############################ ssl_set_fips ############################## 1561 # local shell function to set FIPS mode on/off 1562 ######################################################################## 1563 ssl_set_fips() 1564 { 1565 CLTSRV=$1 1566 ONOFF=$2 1567 1568 if [ ${CLTSRV} = "server" ]; then 1569 DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}" 1570 else 1571 DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}" 1572 fi 1573 1574 if [ "${ONOFF}" = "on" ]; then 1575 FIPSMODE=true 1576 RET_EXP=0 1577 else 1578 FIPSMODE=false 1579 RET_EXP=1 1580 fi 1581 1582 html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}" 1583 1584 for DBDIR in ${DBDIRS} 1585 do 1586 EXT_OPT= 1587 echo ${DBDIR} | grep ext > /dev/null 1588 if [ $? -eq 0 ]; then 1589 EXT_OPT="extended " 1590 fi 1591 1592 echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}" 1593 1594 echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force" 1595 ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1 1596 RET=$? 1597 html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \ 1598 "produced a returncode of ${RET}, expected is 0" 1599 1600 echo "modutil -dbdir ${DBDIR} -list" 1601 DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1` 1602 RET=$? 1603 html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \ 1604 "produced a returncode of ${RET}, expected is 0" 1605 1606 echo "${DBLIST}" | grep "FIPS PKCS #11" 1607 RET=$? 1608 html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \ 1609 "produced a returncode of ${RET}, expected is ${RET_EXP}" 1610 done 1611 1612 html "</TABLE><BR>" 1613 } 1614 1615 ############################ ssl_set_fips ############################## 1616 # local shell function to run all tests set in NSS_SSL_TESTS variable 1617 ######################################################################## 1618 ssl_run_tests() 1619 { 1620 for SSL_TEST in ${NSS_SSL_TESTS} 1621 do 1622 case "${SSL_TEST}" in 1623 "policy") 1624 if using_sql ; then 1625 ssl_policy_listsuites 1626 ssl_policy_selfserv 1627 ssl_policy_pkix_ocsp 1628 ssl_policy 1629 fi 1630 ;; 1631 "crl") 1632 ssl_crl_ssl 1633 ssl_crl_cache 1634 ;; 1635 "iopr") 1636 ssl_iopr_run 1637 ;; 1638 *) 1639 SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1` 1640 CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2` 1641 1642 case "${SERVER_MODE}" in 1643 "normal") 1644 SERVER_OPTIONS= 1645 ;; 1646 "fips") 1647 SERVER_OPTIONS= 1648 ssl_set_fips server on 1649 ;; 1650 *) 1651 html_failed "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}" 1652 return 1 1653 ;; 1654 esac 1655 1656 case "${CLIENT_MODE}" in 1657 "normal") 1658 CLIENT_OPTIONS= 1659 CLIENT_PW=${CLIENT_PW_NORMAL} 1660 ;; 1661 "fips") 1662 CLIENT_OPTIONS= 1663 CLIENT_PW=${CLIENT_PW_FIPS} 1664 ssl_set_fips client on 1665 ;; 1666 *) 1667 html_failed "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}" 1668 return 1 1669 ;; 1670 esac 1671 1672 ssl_run_all 1673 1674 if [ "${SERVER_MODE}" = "fips" ]; then 1675 ssl_set_fips server off 1676 fi 1677 1678 if [ "${CLIENT_MODE}" = "fips" ]; then 1679 ssl_set_fips client off 1680 fi 1681 ;; 1682 esac 1683 done 1684 } 1685 1686 ################################# main ################################# 1687 1688 ssl_init 1689 ssl_run_tests 1690 ssl_cleanup