summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/ssl/ssl.sh
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /security/nss/tests/ssl/ssl.sh
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloadUXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/nss/tests/ssl/ssl.sh')
-rwxr-xr-xsecurity/nss/tests/ssl/ssl.sh1199
1 files changed, 1199 insertions, 0 deletions
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
new file mode 100755
index 000000000..b34c9c097
--- /dev/null
+++ b/security/nss/tests/ssl/ssl.sh
@@ -0,0 +1,1199 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/ssl/ssl.sh
+#
+# Script to test NSS SSL
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_init ################################
+# local shell function to initialize this script
+########################################################################
+ssl_init()
+{
+ SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ -z "${IOPR_SSL_SOURCED}" ]; then
+ . ../iopr/ssl_iopr.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=ssl.sh
+ echo "$SCRIPTNAME: SSL tests ==============================="
+
+ grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
+ html_head "SSL Test failure"
+ Exit 8 "Fatal - cert.sh needs to pass first"
+ }
+
+ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+ grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
+ html_head "SSL Test failure"
+ Exit 8 "Fatal - SSL of cert.sh needs to pass first"
+ }
+ fi
+
+ PORT=${PORT-8443}
+ NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
+ nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
+ NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
+
+ # Test case files
+ SSLCOV=${QADIR}/ssl/sslcov.txt
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
+ REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+
+ #temparary files
+ SERVEROUTFILE=${TMP}/tests_server.$$
+ SERVERPID=${TMP}/tests_pid.$$
+
+ R_SERVERPID=../tests_pid.$$
+
+ TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"
+
+ fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
+ #fileout=1
+ #verbose="-v" #FIXME - see where this is usefull
+
+ USER_NICKNAME=TestUser
+ NORM_EXT=""
+
+ EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D"
+ EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027"
+ EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA"
+
+ NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B"
+ NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz"
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ ECC_STRING=" - with ECC"
+ # List of cipher suites to test, including ECC cipher suites.
+ CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
+ else
+ ECC_STRING=""
+ # List of cipher suites to test, excluding ECC cipher suites.
+ CIPHER_SUITES="-c ${NON_EC_SUITES}"
+ fi
+
+ if [ "${OS_ARCH}" != "WINNT" ]; then
+ ulimit -n 1000 # make sure we have enough file descriptors
+ fi
+
+ cd ${CLIENTDIR}
+}
+
+########################### is_selfserv_alive ##########################
+# local shell function to exit with a fatal error if selfserver is not
+# running
+########################################################################
+is_selfserv_alive()
+{
+ if [ ! -f "${SERVERPID}" ]; then
+ echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
+ sleep 5
+ if [ ! -f "${SERVERPID}" ]; then
+ Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
+ fi
+ fi
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+
+ echo "selfserv with PID ${PID} found at `date`"
+}
+
+########################### wait_for_selfserv ##########################
+# local shell function to wait until selfserver is running and initialized
+########################################################################
+wait_for_selfserv()
+{
+ #verbose="-v"
+ echo "trying to connect to selfserv at `date`"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+ echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
+ sleep 5
+ echo "retrying to connect to selfserv at `date`"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+ echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
+ html_failed "Waiting for Server"
+ fi
+ fi
+ is_selfserv_alive
+}
+
+########################### kill_selfserv ##############################
+# local shell function to kill the selfserver after the tests are done
+########################################################################
+kill_selfserv()
+{
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "trying to kill selfserv with PID ${PID} at `date`"
+
+ if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
+ echo "${KILL} ${PID}"
+ ${KILL} ${PID}
+ else
+ echo "${KILL} -USR1 ${PID}"
+ ${KILL} -USR1 ${PID}
+ fi
+ wait ${PID}
+ if [ ${fileout} -eq 1 ]; then
+ cat ${SERVEROUTFILE}
+ fi
+
+ # On Linux selfserv needs up to 30 seconds to fully die and free
+ # the port. Wait until the port is free. (Bug 129701)
+ if [ "${OS_ARCH}" = "Linux" ]; then
+ echo "selfserv -b -p ${PORT} 2>/dev/null;"
+ until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
+ echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
+ sleep 1
+ done
+ fi
+
+ echo "selfserv with PID ${PID} killed at `date`"
+
+ rm ${SERVERPID}
+ html_detect_core "kill_selfserv core detection step"
+}
+
+########################### start_selfserv #############################
+# local shell function to start the selfserver with the parameters required
+# for this test and log information (parameters, start time)
+# also: wait until the server is up and running
+########################################################################
+start_selfserv()
+{
+ if [ -n "$testname" ] ; then
+ echo "$SCRIPTNAME: $testname ----"
+ fi
+ sparam=`echo $sparam | sed -e 's;_; ;g'`
+ if [ -z "$NSS_DISABLE_ECC" ] && \
+ [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
+ ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
+ else
+ ECC_OPTIONS=""
+ fi
+ echo "selfserv starting at `date`"
+ echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
+ echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
+ echo " -V ssl3:tls1.2 $verbose -H 1 &"
+ if [ ${fileout} -eq 1 ]; then
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
+ > ${SERVEROUTFILE} 2>&1 &
+ RET=$?
+ else
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
+ RET=$?
+ fi
+
+ # The PID $! returned by the MKS or Cygwin shell is not the PID of
+ # the real background process, but rather the PID of a helper
+ # process (sh.exe). MKS's kill command has a bug: invoking kill
+ # on the helper process does not terminate the real background
+ # process. Our workaround has been to have selfserv save its PID
+ # in the ${SERVERPID} file and "kill" that PID instead. But this
+ # doesn't work under Cygwin; its kill command doesn't recognize
+ # the PID of the real background process, but it does work on the
+ # PID of the helper process. So we save the value of $! in the
+ # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
+ # file under Cygwin. (In fact, this should work in any shell
+ # other than the MKS shell.)
+ SHELL_SERVERPID=$!
+ wait_for_selfserv
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "selfserv with PID ${PID} started at `date`"
+}
+
+############################## ssl_cov #################################
+# local shell function to perform SSL Cipher Coverage tests
+########################################################################
+ssl_cov()
+{
+ #verbose="-v"
+ html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ testname=""
+ sparam="$CIPHER_SUITES"
+
+ start_selfserv # Launch the server
+
+ VMIN="ssl3"
+ VMAX="tls1.1"
+
+ exec < ${SSLCOV}
+ while read ectype testmax param testname
+ do
+ echo "${testname}" | grep "EXPORT" > /dev/null
+ EXP=$?
+
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ VMAX="ssl3"
+ if [ "$testmax" = "TLS10" ]; then
+ VMAX="tls1.0"
+ fi
+ if [ "$testmax" = "TLS11" ]; then
+ VMAX="tls1.1"
+ fi
+ if [ "$testmax" = "TLS12" ]; then
+ VMAX="tls1.2"
+ fi
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ html_msg $ret 0 "${testname}" \
+ "produced a returncode of $ret, expected is 0"
+ fi
+ done
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+############################## ssl_auth ################################
+# local shell function to perform SSL Client Authentication tests
+########################################################################
+ssl_auth()
+{
+ #verbose="-v"
+ html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ exec < ${SSLAUTH}
+ while read ectype value sparam cparam testname
+ do
+ [ -z "$ectype" ] && continue
+ echo "${testname}" | grep "don't require client auth" > /dev/null
+ CAUTH=$?
+
+ if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ if [ "$ectype" = "SNI" ]; then
+ cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ fi
+ start_selfserv
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ #workaround for bug #402058
+ [ $ret -ne 0 ] && ret=1
+ [ $value -ne 0 ] && value=1
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+ssl_stapling_sub()
+{
+ #verbose="-v"
+ testname=$1
+ SO=$2
+ value=$3
+
+ if [ "$NORM_EXT" = "Extended Test" ] ; then
+ # these tests use the ext_client directory for tstclnt,
+ # which doesn't contain the required "TestCA" for server cert
+ # verification, I don't know if it would be OK to add it...
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ return 0
+ fi
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+ SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+
+ SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+ P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+
+ echo "${testname}"
+
+ start_selfserv
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ # hopefully no workaround for bug #402058 needed here?
+ # (see commands in ssl_auth
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+
+ SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+ P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+
+ssl_stapling_stress()
+{
+ testname="Stress OCSP stapling, server uses random status"
+ SO="-A TestCA -T random"
+ value=0
+
+ if [ "$NORM_EXT" = "Extended Test" ] ; then
+ # these tests use the ext_client directory for tstclnt,
+ # which doesn't contain the required "TestCA" for server cert
+ # verification, I don't know if it would be OK to add it...
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ return 0
+ fi
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+ SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+
+ SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+ P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+
+ echo "${testname}"
+ start_selfserv
+
+ echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
+ echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}"
+ echo "strsclnt started at `date`"
+ ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
+ -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
+ ret=$?
+
+ echo "strsclnt completed at `date`"
+ html_msg $ret $value \
+ "${testname}" \
+ "produced a returncode of $ret, expected is $value."
+ kill_selfserv
+
+ SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+ P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+
+############################ ssl_stapling ##############################
+# local shell function to perform SSL Cert Status (OCSP Stapling) tests
+########################################################################
+ssl_stapling()
+{
+ html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ # tstclnt Exit code:
+ # 0: have fresh and valid revocation data, status good
+ # 1: cert failed to verify, prior to revocation checking
+ # 2: missing, old or invalid revocation data
+ # 3: have fresh and valid revocation data, status revoked
+
+ # selfserv modes
+ # good, revoked, unkown: Include locally signed response. Requires: -A
+ # failure: Include OCSP failure status, such as "try later" (unsigned)
+ # badsig: use a good status but with an invalid signature
+ # corrupted: stapled cert status is an invalid block of data
+
+ ssl_stapling_sub "OCSP stapling, signed response, good status" "-A TestCA -T good" 0
+ ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked" 3
+ ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown" 2
+ ssl_stapling_sub "OCSP stapling, unsigned failure response" "-A TestCA -T failure" 2
+ ssl_stapling_sub "OCSP stapling, good status, bad signature" "-A TestCA -T badsig" 2
+ ssl_stapling_sub "OCSP stapling, invalid cert status data" "-A TestCA -T corrupted" 2
+ ssl_stapling_sub "Valid cert, Server doesn't staple" "" 2
+
+ ssl_stapling_stress
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_signed_cert_timestamps #################
+# local shell function to perform SSL Signed Certificate Timestamp tests
+#########################################################################
+ssl_signed_cert_timestamps()
+{
+ #verbose="-v"
+ html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ testname="ssl_signed_cert_timestamps"
+ value=0
+
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ echo "${testname}"
+
+ start_selfserv
+
+ # Since we don't have server-side support, this test only covers advertising the
+ # extension in the client hello.
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -U -V tls1.0:tls1.2 < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+
+############################## ssl_stress ##############################
+# local shell function to perform SSL stress test
+########################################################################
+ssl_stress()
+{
+ html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ exec < ${SSLSTRESS}
+ while read ectype value sparam cparam testname
+ do
+ if [ -z "$ectype" ]; then
+ # silently ignore blank lines
+ continue
+ fi
+
+ echo "${testname}" | grep "client auth" > /dev/null
+ CAUTH=$?
+
+ if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ if [ "$ectype" = "SNI" ]; then
+ cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ fi
+
+ start_selfserv
+
+ if [ "`uname -n`" = "sjsu" ] ; then
+ echo "debugging disapering selfserv... ps -ef | grep selfserv"
+ ps -ef | grep selfserv
+ fi
+
+ echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
+ echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}"
+ echo "strsclnt started at `date`"
+ ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
+ -V ssl3:tls1.2 $verbose ${HOSTADDR}
+ ret=$?
+ echo "strsclnt completed at `date`"
+ html_msg $ret $value \
+ "${testname}" \
+ "produced a returncode of $ret, expected is $value. "
+ if [ "`uname -n`" = "sjsu" ] ; then
+ echo "debugging disapering selfserv... ps -ef | grep selfserv"
+ ps -ef | grep selfserv
+ fi
+ kill_selfserv
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_crl_ssl ###############################
+# local shell function to perform SSL test with/out revoked certs tests
+########################################################################
+ssl_crl_ssl()
+{
+ #verbose="-v"
+ html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+
+ # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
+ # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
+ CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
+ CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
+ UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
+
+ exec < ${SSLAUTH}
+ while read ectype value sparam cparam testname
+ do
+ [ "$ectype" = "" ] && continue
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "$ectype" = "SNI" ]; then
+ continue
+ elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+ pwd=`echo $cparam | grep nss`
+ user=`echo $cparam | grep TestUser`
+ _cparam=$cparam
+ case $servarg in
+ 1) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=254
+ fi
+ ;;
+ 2) rev_modvalue=254 ;;
+ 3) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=1
+ fi
+ ;;
+ 4) rev_modvalue=1 ;;
+ esac
+ TEMP_NUM=0
+ while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
+ do
+ CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
+ TEMP_NUM=`expr $TEMP_NUM + 1`
+ USER_NICKNAME="TestUser${CURR_SER_NUM}"
+ cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ start_selfserv
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ testAddMsg="not revoked"
+ modvalue=$value
+ fi
+
+ html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ kill_selfserv
+ done
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################## ssl_cov #################################
+# local shell function to perform SSL Policy tests
+########################################################################
+ssl_policy()
+{
+ #verbose="-v"
+ html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ testname=""
+ sparam="$CIPHER_SUITES"
+
+ if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
+ return;
+ fi
+
+ echo "Saving pkcs11.txt"
+ cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
+
+ start_selfserv # Launch the server
+
+ VMIN="ssl3"
+ VMAX="tls1.2"
+
+ exec < ${SSLPOLICY}
+ while read value ectype testmax param policy testname
+ do
+ VMIN="ssl3"
+
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "`echo $value | cut -b 1`" != "#" ] ; then
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ VMAX="ssl3"
+ if [ "$testmax" = "TLS10" ]; then
+ VMAX="tls1.0"
+ fi
+ if [ "$testmax" = "TLS11" ]; then
+ VMAX="tls1.1"
+ fi
+ if [ "$testmax" = "TLS12" ]; then
+ VMAX="tls1.2"
+ fi
+
+ # load the policy
+ policy=`echo ${policy} | sed -e 's;_; ;g'`
+
+ cat > ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+++EOF++
+ echo "config=${policy}" >> ${P_R_CLIENTDIR}/pkcs11.txt
+ echo "" >> ${P_R_CLIENTDIR}/pkcs11.txt
+ echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> ${P_R_CLIENTDIR}/pkcs11.txt >> ${P_R_CLIENTDIR}/pkcs11.txt
+ cat >> ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++
+name=RootCerts
+NSS=trustOrder=100
+++EOF++
+
+ echo "******************************Testing with: "
+ cat ${P_R_CLIENTDIR}/pkcs11.txt
+ echo "******************************"
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ #workaround for bug #402058
+ [ $ret -ne 0 ] && ret=1
+ [ ${value} -ne 0 ] && value=1
+
+ html_msg $ret ${value} "${testname}" \
+ "produced a returncode of $ret, expected is ${value}"
+ fi
+ done
+ cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+############################# is_revoked ###############################
+# local shell function to check if certificate is revoked
+########################################################################
+is_revoked() {
+ certNum=$1
+ currLoadedGrp=$2
+
+ found=0
+ ownerGrp=1
+ while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
+ do
+ currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
+ currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
+ currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
+ if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
+ found=1
+ else
+ ownerGrp=`expr $ownerGrp + 1`
+ fi
+ done
+ if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
+ return 1
+ fi
+ if [ $found -eq 0 ]; then
+ return 1
+ fi
+ unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
+ if [ $certNum -eq $unrevokedGrpCert ]; then
+ return 1
+ fi
+ return 0
+}
+
+########################### load_group_crl #############################
+# local shell function to load CRL
+########################################################################
+load_group_crl() {
+ #verbose="-v"
+ group=$1
+ ectype=$2
+
+ OUTFILE_TMP=${TMP}/$HOST.tmp.$$
+ grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
+ grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
+ grpEnd=`expr $grpBegin + $grpRange - 1`
+
+ if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
+ ret=1
+ return 1;
+ fi
+
+ # Add -ec suffix for ECC
+ if [ "$ectype" = "ECC" ] ; then
+ ecsuffix="-ec"
+ eccomment="ECC "
+ else
+ ecsuffix=""
+ eccomment=""
+ fi
+
+ if [ "$RELOAD_CRL" != "" ]; then
+ if [ $group -eq 1 ]; then
+ echo "==================== Resetting to group 1 crl ==================="
+ kill_selfserv
+ start_selfserv
+ is_selfserv_alive
+ fi
+ echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
+ echo "Request:"
+ echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
+ echo ""
+ echo "RELOAD time $i"
+
+ REQF=${R_CLIENTDIR}.crlreq
+ cat > ${REQF} <<_EOF_REQUEST_
+GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
+
+_EOF_REQUEST_
+
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \
+ -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
+ >${OUTFILE_TMP} 2>&1 < ${REQF}
+
+ cat ${OUTFILE_TMP}
+ grep "CRL ReCache Error" ${OUTFILE_TMP}
+ if [ $? -eq 0 ]; then
+ ret=1
+ return 1
+ fi
+ else
+ echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
+
+ kill_selfserv
+ CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
+ crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
+ -p ../tests.pw.928
+ ret=$?
+ if [ "$ret" -eq 0 ]; then
+ html_passed "${CU_ACTION}"
+ return 1
+ fi
+ start_selfserv
+ fi
+ is_selfserv_alive
+ ret=$?
+ echo "================= CRL Reloaded ============="
+}
+
+
+########################### ssl_crl_cache ##############################
+# local shell function to perform SSL test for crl cache functionality
+# with/out revoked certs
+########################################################################
+ssl_crl_cache()
+{
+ #verbose="-v"
+ html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ SERV_ARG=-r_-r
+ rm -f ${SSLAUTH_TMP}
+ echo ${SSLAUTH_TMP}
+
+ grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
+ echo $?
+ while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
+ do
+ sparam=$SERV_ARG
+ start_selfserv
+ exec < ${SSLAUTH_TMP}
+ while read ectype value sparam cparam testname
+ do
+ [ "$ectype" = "" ] && continue
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "$ectype" = "SNI" ]; then
+ continue
+ else
+ servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+ pwd=`echo $cparam | grep nss`
+ user=`echo $cparam | grep TestUser`
+ _cparam=$cparam
+ case $servarg in
+ 1) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=254
+ fi
+ ;;
+ 2) rev_modvalue=254 ;;
+
+ 3) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=1
+ fi
+ ;;
+ 4) rev_modvalue=1 ;;
+ esac
+ TEMP_NUM=0
+ LOADED_GRP=1
+ while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
+ do
+ while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
+ do
+ CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
+ TEMP_NUM=`expr $TEMP_NUM + 1`
+ USER_NICKNAME="TestUser${CURR_SER_NUM}"
+ cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+
+ echo "Server Args: $SERV_ARG"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
+ isRevoked=$?
+ if [ $isRevoked -eq 0 ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ modvalue=$value
+ testAddMsg="not revoked"
+ fi
+
+ is_selfserv_alive
+ ss_status=$?
+ if [ "$ss_status" -ne 0 ]; then
+ html_msg $ret $modvalue \
+ "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue. " \
+ "selfserv is not alive!"
+ else
+ html_msg $ret $modvalue \
+ "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ fi
+ done
+ LOADED_GRP=`expr $LOADED_GRP + 1`
+ TEMP_NUM=0
+ if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
+ load_group_crl $LOADED_GRP $ectype
+ html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
+ "produced a returncode of $ret, expected is 0"
+ fi
+ done
+ # Restart selfserv to roll back to two initial group 1 crls
+ # TestCA CRL and TestCA-ec CRL
+ kill_selfserv
+ start_selfserv
+ fi
+ done
+ kill_selfserv
+ SERV_ARG="${SERV_ARG}_-r"
+ rm -f ${SSLAUTH_TMP}
+ grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
+ done
+ TEMPFILES=${SSLAUTH_TMP}
+ html "</TABLE><BR>"
+}
+
+
+############################## ssl_cleanup #############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+ssl_cleanup()
+{
+ rm $SERVERPID 2>/dev/null
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+############################## ssl_run #################################
+# local shell function to run coverage, authentication and stress tests
+########################################################################
+ssl_run()
+{
+ for SSL_RUN in ${NSS_SSL_RUN}
+ do
+ case "${SSL_RUN}" in
+ "stapling")
+ if [ -nz "$NSS_DISABLE_LIBPKIX" ]; then
+ ssl_stapling
+ fi
+ ;;
+ "signed_cert_timestamps")
+ ssl_signed_cert_timestamps
+ ;;
+ "cov")
+ ssl_cov
+ ;;
+ "auth")
+ ssl_auth
+ ;;
+ "stress")
+ ssl_stress
+ ;;
+ esac
+ done
+}
+
+############################ ssl_run_all ###############################
+# local shell function to run both standard and extended ssl tests
+########################################################################
+ssl_run_all()
+{
+ ORIG_SERVERDIR=$SERVERDIR
+ ORIG_CLIENTDIR=$CLIENTDIR
+ ORIG_R_SERVERDIR=$R_SERVERDIR
+ ORIG_R_CLIENTDIR=$R_CLIENTDIR
+ ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
+ ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
+
+ USER_NICKNAME=TestUser
+ NORM_EXT=""
+ cd ${CLIENTDIR}
+
+ ssl_run
+
+ SERVERDIR=$EXT_SERVERDIR
+ CLIENTDIR=$EXT_CLIENTDIR
+ R_SERVERDIR=$R_EXT_SERVERDIR
+ R_CLIENTDIR=$R_EXT_CLIENTDIR
+ P_R_SERVERDIR=$P_R_EXT_SERVERDIR
+ P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
+
+ USER_NICKNAME=ExtendedSSLUser
+ NORM_EXT="Extended Test"
+ cd ${CLIENTDIR}
+
+ ssl_run
+
+ # the next round of ssl tests will only run if these vars are reset
+ SERVERDIR=$ORIG_SERVERDIR
+ CLIENTDIR=$ORIG_CLIENTDIR
+ R_SERVERDIR=$ORIG_R_SERVERDIR
+ R_CLIENTDIR=$ORIG_R_CLIENTDIR
+ P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
+ P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
+
+ USER_NICKNAME=TestUser
+ NORM_EXT=
+ cd ${QADIR}/ssl
+}
+
+############################ ssl_set_fips ##############################
+# local shell function to set FIPS mode on/off
+########################################################################
+ssl_set_fips()
+{
+ CLTSRV=$1
+ ONOFF=$2
+
+ if [ ${CLTSRV} = "server" ]; then
+ DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
+ else
+ DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"
+ fi
+
+ if [ "${ONOFF}" = "on" ]; then
+ FIPSMODE=true
+ RET_EXP=0
+ else
+ FIPSMODE=false
+ RET_EXP=1
+ fi
+
+ html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
+
+ for DBDIR in ${DBDIRS}
+ do
+ EXT_OPT=
+ echo ${DBDIR} | grep ext > /dev/null
+ if [ $? -eq 0 ]; then
+ EXT_OPT="extended "
+ fi
+
+ echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
+
+ echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
+ ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
+ RET=$?
+ html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
+ "produced a returncode of ${RET}, expected is 0"
+
+ echo "modutil -dbdir ${DBDIR} -list"
+ DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
+ RET=$?
+ html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
+ "produced a returncode of ${RET}, expected is 0"
+
+ echo "${DBLIST}" | grep "FIPS PKCS #11"
+ RET=$?
+ html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
+ "produced a returncode of ${RET}, expected is ${RET_EXP}"
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_set_fips ##############################
+# local shell function to run all tests set in NSS_SSL_TESTS variable
+########################################################################
+ssl_run_tests()
+{
+ for SSL_TEST in ${NSS_SSL_TESTS}
+ do
+ case "${SSL_TEST}" in
+ "policy")
+ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+ ssl_policy
+ fi
+ ;;
+ "crl")
+ ssl_crl_ssl
+ ssl_crl_cache
+ ;;
+ "iopr")
+ ssl_iopr_run
+ ;;
+ *)
+ SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
+ CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
+
+ case "${SERVER_MODE}" in
+ "normal")
+ SERVER_OPTIONS=
+ ;;
+ "fips")
+ SERVER_OPTIONS=
+ ssl_set_fips server on
+ ;;
+ *)
+ echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
+ continue
+ ;;
+ esac
+
+ case "${CLIENT_MODE}" in
+ "normal")
+ CLIENT_OPTIONS=
+ ;;
+ "fips")
+ SERVER_OPTIONS=
+ ssl_set_fips client on
+ ;;
+ *)
+ echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
+ continue
+ ;;
+ esac
+
+ ssl_run_all
+
+ if [ "${SERVER_MODE}" = "fips" ]; then
+ ssl_set_fips server off
+ fi
+
+ if [ "${CLIENT_MODE}" = "fips" ]; then
+ ssl_set_fips client off
+ fi
+ ;;
+ esac
+ done
+}
+
+################################# main #################################
+
+ssl_init
+ssl_run_tests
+ssl_cleanup
+