#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
########################################################################
#
# mozilla/security/nss/tests/iopr/ssl_iopr.sh
#
# NSS SSL interoperability QA. This file is included from ssl.sh
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
########################################################################
# Marker set when this file is sourced; presumably checked by the
# including ssl.sh so the file is not pulled in twice.
IOPR_SSL_SOURCED=1
########################################################################
# Works with variables defined in the interoperability configuration
# file that was downloaded from a webserver.
# Publishes the nickname of the unrevoked client cert, taken from
# "SslClntValidCertName", in the global "testUser".
# Params: NONE.
# Globals: SslClntValidCertName (read), testUser (written).
# Returns 0 if found, 1 otherwise.
#
setValidCert() {
    testUser="${SslClntValidCertName}"
    if [ -n "${testUser}" ]; then
        return 0
    fi
    return 1
}
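########################################################################
# Works with variables defined in the interoperability configuration
# file that was downloaded from a webserver.
# Sets the port, url, param and description test parameters that were
# defined for a particular type of testing.
# Params:
#   $1 - supported type of testing. Currently have a maximum of two:
#        forward and reverse. But more can be defined.
# Globals read:    <type>Port, <type>Url, <type>Param, <type>Descr
# Globals written: type, sslPort, sslUrl, testParam, testDescription
# No return value
#
setTestParam() {
    type=$1

    case "${type}" in
        [0-9]*|*[!A-Za-z0-9_]*)
            # $1 ultimately comes from the downloaded configuration. A
            # value that is not a shell identifier cannot name a config
            # variable, so treat it as "nothing defined" instead of
            # handing it to eval, where it would be re-parsed as code.
            sslPort=""
            sslUrl=""
            testParam=""
            testDescription=""
            ;;
        *)
            # Indirect expansion (${!name}) reads the per-type variable
            # without going through eval/echo, so the value is taken
            # literally (no word splitting or globbing either).
            _iopr_name="${type}Port";  sslPort=${!_iopr_name}
            _iopr_name="${type}Url";   sslUrl=${!_iopr_name}
            _iopr_name="${type}Param"; testParam=${!_iopr_name}
            _iopr_name="${type}Descr"; testDescription=${!_iopr_name}
            ;;
    esac

    # Defaults for a config that leaves port/url out, and the usual
    # test page when the config only gives the server root.
    [ -z "$sslPort" ] && sslPort=443
    [ -z "$sslUrl" ] && sslUrl="/iopr_test/test_pg.html"
    [ "$sslUrl" = "/" ] && sslUrl="/test_pg.html"
}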
#######################################################################
# local shell function to perform SSL Cipher Suite Coverage tests
# in interoperability mode. Tests run against web server by using nss
# test client
# Params:
#   $1 - supported type of testing.
#   $2 - testing host
#   $3 - nss db location
# Globals read: SSLCOV (cipher table), TMP, HOST, BINDIR, CLIEN_OPTIONS,
#   SCRIPTNAME, IOPR_HOSTADDR, BYPASS_STRING, NORM_EXT, plus the values
#   published by setTestParam and setValidCert.
# No return value
#
ssl_iopr_cov_ext_server()
{
    testType=$1
    host=$2
    dbDir=$3

    setTestParam $testType
    case "$testParam" in
        *NOCOV*)
            echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \
                "run by server configuration"
            return 0
            ;;
    esac

    html_head "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR" \
        "$BYPASS_STRING $NORM_EXT): $testDescription"

    setValidCert
    ret=$?
    if [ $ret -ne 0 ]; then
        html_failed "Fail to find valid test cert(ws: $host)"
        return $ret
    fi

    # One HTTP request, replayed to the server once per cipher row.
    SSL_REQ_FILE=${TMP}/sslreq.dat.$$
    echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
    echo >> $SSL_REQ_FILE

    while read ecc tls param testname therest; do
        # Skip blank lines, comments, ECC rows and FIPS-only rows.
        case "$ecc" in
            ""|"#"|ECC) continue ;;
        esac
        case "$testname" in
            *FIPS*) continue ;;
        esac

        echo "$SCRIPTNAME: running $testname ----------------------------"
        if [ "$tls" = "TLS" ]; then
            TLS_FLAG=""
        else
            TLS_FLAG=-T
        fi

        resFile=${TMP}/$HOST.tmpRes.$$
        rm $resFile 2>/dev/null

        echo "tstclnt -p ${sslPort} -h ${host} -c ${param} ${TLS_FLAG} \\"
        echo " -n $testUser -v -w nss ${CLIEN_OPTIONS} -f \\"
        echo " -d ${dbDir} < ${SSL_REQ_FILE} > $resFile"

        ${BINDIR}/tstclnt -p ${sslPort} -h ${host} -c ${param} \
            ${TLS_FLAG} ${CLIEN_OPTIONS} -f -n $testUser -v -w nss \
            -d ${dbDir} < ${SSL_REQ_FILE} >$resFile 2>&1
        ret=$?
        # A pass needs both a clean client exit and the served page
        # (ACCESS=OK in the captured output; the grep line is echoed).
        if grep "ACCESS=OK" $resFile && [ $ret -eq 0 ]; then
            ret=0
        else
            ret=1
        fi
        [ $ret -ne 0 ] && cat $resFile
        rm -f $resFile 2>/dev/null
        html_msg $ret 0 "${testname}"
    done < ${SSLCOV}
    rm -f $SSL_REQ_FILE 2>/dev/null

    html "</TABLE><BR>"
}
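#######################################################################
# local shell function to perform SSL Client Authentication tests
# in interoperability mode. Tests run against web server by using nss
# test client
# Params:
#   $1 - supported type of testing.
#   $2 - testing host
#   $3 - nss db location
# Globals read: SSLAUTH (auth table), TMP, HOST, BINDIR, CLIEN_OPTIONS,
#   IOPR_HOSTADDR, BYPASS_STRING, NORM_EXT, plus the values published by
#   setTestParam and setValidCert.
# No return value
#
ssl_iopr_auth_ext_server()
{
    testType=$1
    host=$2
    dbDir=$3

    setTestParam $testType
    case "$testParam" in
        *NOAUTH*)
            echo "SSL Client Authentication WebServ($IOPR_HOSTADDR) excluded from " \
                "run by server configuration"
            return 0
            ;;
    esac

    html_head "SSL Client Authentication WebServ($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT):
$testDescription"

    setValidCert
    ret=$?
    if [ $ret -ne 0 ]; then
        html_failed "Fail to find valid test cert(ws: $host)"
        return $ret
    fi

    # One HTTP request, replayed to the server once per auth-table row.
    SSL_REQ_FILE=${TMP}/sslreq.dat.$$
    echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
    echo >> $SSL_REQ_FILE

    # Only the rows whose server side requests a client cert are used.
    SSLAUTH_TMP=${TMP}/authin.tl.tmp
    grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" > ${SSLAUTH_TMP}

    while read ecc value sparam cparam testname; do
        case "$ecc" in
            ""|"#"|ECC) continue ;;
        esac

        # In the auth table '_' stands for a space and TestUser for the
        # nickname picked by setValidCert. Parameter expansion substitutes
        # the nickname literally; with sed it was spliced into the
        # s/// expression, so a nickname containing '/' or '&' (it comes
        # from the downloaded config) would have broken the command.
        cparam=${cparam//_/ }
        cparam=${cparam//TestUser/"$testUser"}

        echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \\"
        echo " -d ${dbDir} -v < ${SSL_REQ_FILE}"

        resFile=${TMP}/$HOST.tmp.$$
        # Was "rm $rsFile" (typo), which never removed the previous result.
        rm -f $resFile 2>/dev/null

        ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \
            -d ${dbDir} -v < ${SSL_REQ_FILE} >$resFile 2>&1
        ret=$?
        # A pass needs both a clean client exit and the served page
        # (ACCESS=OK in the captured output; the grep line is echoed).
        if grep "ACCESS=OK" $resFile && [ $ret -eq 0 ]; then
            ret=0
        else
            ret=1
        fi
        [ $ret -ne 0 ] && cat $resFile
        rm -f $resFile 2>/dev/null

        html_msg $ret $value "${testname}. Client params: $cparam"\
            "produced a returncode of $ret, expected is $value"
    done < ${SSLAUTH_TMP}
    rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE}

    html "</TABLE><BR>"
}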
########################################################################
# local shell function to perform SSL interoperability test with/out
# revoked certs tests. Tests run against web server by using nss
# test client. Every auth-table row is run twice: once with the valid
# client cert and once with the revoked one, with different expected
# return codes.
# Params:
#   $1 - supported type of testing.
#   $2 - testing host
#   $3 - nss db location
# Globals read: SSLAUTH, TMP, HOST, BINDIR, CLIEN_OPTIONS, IOPR_HOSTADDR,
#   BYPASS_STRING, NORM_EXT, SslClntValidCertName, SslClntRevokedCertName,
#   plus the values published by setTestParam.
# No return value
#
ssl_iopr_crl_ext_server()
{
    testType=$1
    host=$2
    dbDir=$3

    setTestParam $testType
    if [ "`echo $testParam | grep NOCRL`" != "" ]; then
        echo "CRL SSL Client Tests of WebServerv($IOPR_HOSTADDR) excluded from " \
            "run by server configuration"
        return 0
    fi

    html_head "CRL SSL Client Tests of WebServer($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): $testDescription"

    # One HTTP request, replayed to the server for every cert/row pair.
    SSL_REQ_FILE=${TMP}/sslreq.dat.$$
    echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
    echo >> $SSL_REQ_FILE

    # Rows that request a client cert, minus the bogus/none cert cases.
    SSLAUTH_TMP=${TMP}/authin.tl.tmp
    grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" | grep -v bogus | \
        grep -v none > ${SSLAUTH_TMP}

    while read ecc value sparam _cparam testname; do
        [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;

        # Any failure is reported as this code; it is also the expected
        # code for the revoked cert, so "revoked and rejected" passes.
        rev_modvalue=254
        for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
            # '_' in the table stands for a space, TestUser for the cert
            # nickname. NOTE(review): $testUser comes from the downloaded
            # config and is spliced into the sed expression unescaped.
            cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `

            echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} \\"
            echo " -f -d ${dbDir} -v ${cparam} < ${SSL_REQ_FILE}"
            resFile=${TMP}/$HOST.tmp.$$
            rm -f $resFile 2>/dev/null
            ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \
                -d ${dbDir} -v < ${SSL_REQ_FILE} \
                > $resFile 2>&1
            ret=$?
            # A pass needs a clean client exit AND the served page.
            grep "ACCESS=OK" $resFile
            test $? -eq 0 -a $ret -eq 0
            ret=$?
            [ $ret -ne 0 ] && ret=$rev_modvalue;
            [ $ret -ne 0 ] && cat $resFile
            rm -f $resFile 2>/dev/null

            # NOTE(review): substring match — a valid nickname that is a
            # prefix of the revoked one would be classified as revoked;
            # an exact string compare would be safer. Confirm the naming.
            if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
                modvalue=$rev_modvalue
                testAddMsg="revoked"
            else
                testAddMsg="not revoked"
                modvalue=$value
            fi
            html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \
                "produced a returncode of $ret, expected is $modvalue"
        done
    done < ${SSLAUTH_TMP}
    rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE}

    html "</TABLE><BR>"
}
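########################################################################
# local shell function to perform SSL Cipher Coverage tests of nss server
# by invoking remote test client on web server side.
# Invoked only if reverse testing is supported by web server.
# Params:
#   $1 - remote web server host
#   $2 - open port to connect to invoke CGI script
#   $3 - host where selfserv is running(name of the host nss tests
#        are running)
#   $4 - port where selfserv is running
#   $5 - selfserv nss db location
# Globals: P_R_SERVERDIR / P_R_CLIENTDIR are pointed at $5 for the
#   duration of the run and restored before returning; sparam and
#   testname are set for start_selfserv; TEST_IN/TEST_OUT are scratch
#   files under $TMP. Reads SSLCOV, reverseRunCGIScript, R_PWFILE,
#   BINDIR, HOST, IOPR_HOSTADDR, BYPASS_STRING, NORM_EXT and the
#   nickname published by setValidCert.
# No return value
#
ssl_iopr_cov_ext_client()
{
    host=$1
    port=$2
    sslHost=$3
    sslPort=$4
    serDbDir=$5

    html_head "SSL Cipher Coverage of SelfServ $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"

    setValidCert
    ret=$?
    # Was "[ $res -ne 0 ]": $res is never set, so the test errored out
    # and the run went on with an empty cert nickname.
    if [ $ret -ne 0 ]; then
        html_failed "Fail to find valid test cert(ws: $host)"
        return $ret
    fi

    # P_R_SERVERDIR switch require for selfserv to work.
    # Will be restored after test
    OR_P_R_SERVERDIR=$P_R_SERVERDIR
    P_R_SERVERDIR=$serDbDir
    OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
    P_R_CLIENTDIR=$serDbDir
    testname=""
    sparam="-vvvc ABCDEFcdefgijklmnvyz"
    # Launch the server
    start_selfserv

    while read ecc tls param cipher therest; do
        case "$ecc" in
            ""|"#"|ECC) continue ;;
        esac
        echo "============= Beginning of the test ===================="
        echo

        is_selfserv_alive

        TEST_IN=${TMP}/${HOST}_IN.tmp.$$
        TEST_OUT=${TMP}/$HOST.tmp.$$
        rm -f $TEST_IN $TEST_OUT 2>/dev/null

        # The remote CGI runs its own client against our selfserv. The
        # query values are not URL-encoded; the nicknames and cipher
        # names used here are plain tokens, anything else would corrupt
        # the request.
        echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser&cipher=$cipher HTTP/1.0" > $TEST_IN
        echo >> $TEST_IN

        echo "------- Request ----------------------"
        cat $TEST_IN
        echo "------- Command ----------------------"
        echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
            -h $host \< $TEST_IN \>\> $TEST_OUT

        ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
            -h $host <$TEST_IN > $TEST_OUT

        echo "------- Server output Begin ----------"
        cat $TEST_OUT
        echo "------- Server output End ----------"

        echo "Checking for errors in log file..."
        # SCRIPT=OK is the CGI's marker that it actually ran; without it
        # the captured output is not a test result at all.
        if grep "SCRIPT=OK" $TEST_OUT >/dev/null 2>&1; then
            if grep "cipher is not supported" $TEST_OUT >/dev/null 2>&1; then
                echo "Skiping test: no support for the cipher $cipher on server side"
                continue
            fi

            # Matching lines are echoed on purpose, they are the diagnosis.
            if grep -i "SERVER ERROR:" $TEST_OUT; then
                echo "Found problems. Reseting exit code to failure."
                ret=1
            else
                ret=0
            fi
        else
            echo "Script was not executed. Reseting exit code to failure."
            ret=11
        fi

        html_msg $ret 0 "Test ${cipher}. Server params: $sparam " \
            " produced a returncode of $ret, expected is 0"
        # Redirections reordered: "2>&1 > /dev/null" sent stderr to the
        # log instead of discarding it.
        rm -f $TEST_OUT $TEST_IN > /dev/null 2>&1
    done < ${SSLCOV}
    kill_selfserv

    P_R_SERVERDIR=$OR_P_R_SERVERDIR
    P_R_CLIENTDIR=$OR_P_R_CLIENTDIR

    rm -f ${TEST_IN} ${TEST_OUT}
    html "</TABLE><BR>"
}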
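########################################################################
# local shell function to perform SSL Authentication tests of nss server
# by invoking remote test client on web server side
# Invoked only if reverse testing is supported by web server.
# Params:
#   $1 - remote web server host
#   $2 - open port to connect to invoke CGI script
#   $3 - host where selfserv is running(name of the host nss tests
#        are running)
#   $4 - port where selfserv is running
#   $5 - selfserv nss db location
# Globals: P_R_SERVERDIR / P_R_CLIENTDIR are pointed at $5 for the
#   duration of the run and restored before returning; sparam is set
#   per row for start_selfserv; TEST_IN/TEST_OUT/SSLAUTH_TMP are scratch
#   files under $TMP. Reads SSLAUTH, reverseRunCGIScript, R_PWFILE,
#   BINDIR, HOST, IOPR_HOSTADDR, BYPASS_STRING, NORM_EXT and the
#   nickname published by setValidCert.
# No return value
#
ssl_iopr_auth_ext_client()
{
    host=$1
    port=$2
    sslHost=$3
    sslPort=$4
    serDbDir=$5

    html_head "SSL Client Authentication with Selfserv from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"

    setValidCert
    ret=$?
    # Was "[ $res -ne 0 ]": $res is never set, so the test errored out
    # and the run went on with an empty cert nickname.
    if [ $ret -ne 0 ]; then
        html_failed "Fail to find valid test cert(ws: $host)"
        return $ret
    fi

    OR_P_R_SERVERDIR=$P_R_SERVERDIR
    P_R_SERVERDIR=${serDbDir}
    OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
    P_R_CLIENTDIR=${serDbDir}

    SSLAUTH_TMP=${TMP}/authin.tl.tmp
    # NOTE(review): "\s*0\s*" matches any row containing a '0'; looks
    # like it is meant to select rows whose expected value is 0 —
    # confirm against the auth table layout.
    grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP}

    while read ecc value sparam cparam testname; do
        case "$ecc" in
            ""|"#"|ECC) continue ;;
        esac

        echo "Server params: $sparam"
        sparam="$sparam -vvvc ABCDEFcdefgijklmnvyz"
        # A fresh selfserv per row, since sparam differs per row.
        start_selfserv

        # Was "$HOST_IN" (an unrelated, unset variable); the other
        # reverse tests use "${HOST}_IN".
        TEST_IN=${TMP}/${HOST}_IN.tmp.$$
        TEST_OUT=${TMP}/$HOST.tmp.$$
        rm -f $TEST_IN $TEST_OUT 2>/dev/null

        # The remote CGI runs its own client against our selfserv. The
        # query values are not URL-encoded; nicknames are plain tokens.
        echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN
        echo >> $TEST_IN

        echo "------- Request ----------------------"
        cat $TEST_IN
        echo "------- Command ----------------------"
        echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
            -h $host \< $TEST_IN \>\> $TEST_OUT

        ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
            -h $host <$TEST_IN > $TEST_OUT

        echo "------- Server output Begin ----------"
        cat $TEST_OUT
        echo "------- Server output End ----------"

        echo "Checking for errors in log file..."
        # SCRIPT=OK is the CGI's marker that it actually ran; without it
        # the captured output is not a test result at all.
        if grep "SCRIPT=OK" $TEST_OUT >/dev/null 2>&1; then
            echo "Checking for error in log file..."
            # Matching lines are echoed on purpose, they are the diagnosis.
            if grep -i "SERVER ERROR:" $TEST_OUT; then
                echo "Found problems. Reseting exit code to failure."
                ret=1
            else
                ret=0
            fi
        else
            echo "Script was not executed. Reseting exit code to failure."
            ret=11
        fi

        html_msg $ret $value "${testname}. Server params: $sparam"\
            "produced a returncode of $ret, expected is $value"
        kill_selfserv
        # Redirections reordered: "2>&1 > /dev/null" sent stderr to the
        # log instead of discarding it.
        rm -f $TEST_OUT $TEST_IN > /dev/null 2>&1
    done < ${SSLAUTH_TMP}

    P_R_SERVERDIR=$OR_P_R_SERVERDIR
    P_R_CLIENTDIR=$OR_P_R_CLIENTDIR

    rm -f ${SSLAUTH_TMP} ${TEST_IN} ${TEST_OUT}
    html "</TABLE><BR>"
}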
#########################################################################
# local shell function to perform SSL CRL testing of nss server
# by invoking remote test client on web server side
# Invoked only if reverse testing is supported by web server.
# Every selected auth-table row is run twice: once with the valid
# client cert (expected 0) and once with the revoked one (expected 1).
# Params:
#   $1 - remote web server host
#   $2 - open port to connect to invoke CGI script
#   $3 - host where selfserv is running(name of the host nss tests
#        are running)
#   $4 - port where selfserv is running
#   $5 - selfserv nss db location
# Globals: P_R_SERVERDIR / P_R_CLIENTDIR are pointed at $5 for the
#   duration of the run and restored before returning; sparam is set
#   per row for start_selfserv; testUser is overwritten by the inner
#   loop. Reads SSLAUTH, SslClntValidCertName, SslClntRevokedCertName,
#   reverseRunCGIScript, R_PWFILE, BINDIR, HOST, TMP, IOPR_HOSTADDR,
#   BYPASS_STRING, NORM_EXT.
# No return value
#
ssl_iopr_crl_ext_client()
{
    host=$1
    port=$2
    sslHost=$3
    sslPort=$4
    serDbDir=$5

    html_head "CRL SSL Selfserv Tests from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"

    OR_P_R_SERVERDIR=$P_R_SERVERDIR
    P_R_SERVERDIR=${serDbDir}
    OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
    P_R_CLIENTDIR=$serDbDir

    SSLAUTH_TMP=${TMP}/authin.tl.tmp
    # NOTE(review): "\s*0\s*" matches any row containing a '0'; looks
    # like it is meant to select rows whose expected value is 0 —
    # confirm against the auth table layout.
    grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP}

    while read ecc value sparam _cparam testname; do
        [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
        sparam="$sparam -vvvc ABCDEFcdefgijklmnvyz"
        # One selfserv per row; both certs are tried against it.
        start_selfserv

        for testUser in $SslClntValidCertName $SslClntRevokedCertName; do

            is_selfserv_alive

            TEST_IN=${TMP}/${HOST}_IN.tmp.$$
            TEST_OUT=${TMP}/$HOST.tmp.$$
            rm -f $TEST_IN $TEST_OUT 2>/dev/null

            # The remote CGI runs its own client against our selfserv.
            # Query values are not URL-encoded; nicknames are plain tokens.
            echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN
            echo >> $TEST_IN

            echo "------- Request ----------------------"
            cat $TEST_IN
            echo "------- Command ----------------------"
            echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
                -h ${host} \< $TEST_IN \>\> $TEST_OUT

            ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
                -h ${host} <$TEST_IN > $TEST_OUT

            # NOTE(review): the request is printed a second time here;
            # the other reverse tests print it only once, above.
            echo "------- Request ----------------------"
            cat $TEST_IN
            echo "------- Server output Begin ----------"
            cat $TEST_OUT
            echo "------- Server output End ----------"

            echo "Checking for errors in log file..."
            # SCRIPT=OK is the CGI's marker that it actually ran.
            # (Note "2>&1 >/dev/null" keeps stderr on the log, not /dev/null.)
            grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
            if [ $? -eq 0 ]; then
                # Matching lines are echoed on purpose, they are the diagnosis.
                grep -i "SERVER ERROR:" $TEST_OUT
                ret=$?
                if [ $ret -eq 0 ]; then
                    echo "Found problems. Reseting exit code to failure."
                    ret=1
                else
                    ret=0
                fi
            else
                echo "Script was not executed. Reseting exit code to failure."
                ret=11
            fi

            # NOTE(review): substring match — a valid nickname that is a
            # prefix of the revoked one would be classified as revoked;
            # an exact string compare would be safer. Confirm the naming.
            if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
                modvalue=1
                testAddMsg="revoked"
            else
                testAddMsg="not revoked"
                modvalue=0
            fi

            html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \
                "produced a returncode of $ret, expected is $modvalue(selfserv args: $sparam)"
            rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
        done
        kill_selfserv
    done < ${SSLAUTH_TMP}

    P_R_SERVERDIR=$OR_P_R_SERVERDIR
    P_R_CLIENTDIR=$OR_P_R_CLIENTDIR

    rm -f ${SSLAUTH_TMP}
    html "</TABLE><BR>"
}
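#####################################################################
# Initial point for running ssl test againt multiple hosts involved in
# interoperability testing. Called from nss/tests/ssl/ssl.sh
# It will only proceed with test run for a specific host if environment variable
# IOPR_HOSTADDR_LIST was set, had the host name in the list
# and all needed file were successfully downloaded and installed for the host.
# Globals read: IOPR, CLIENTDIR, IOPR_HOSTADDR_LIST (space separated
#   host[:port] entries), IOPR_CADIR, IOPR_SSL_CLIENTDIR,
#   R_IOPR_SSL_SERVERDIR, HOSTADDR, PORT.
# Globals written: NO_ECC_CERTS (restored before returning),
#   NSS_SSL_ENABLE_RENEGOTIATION (exported), IOPR_HOSTADDR,
#   IOPR_OPEN_PORT, plus everything each host's iopr_server.cfg defines
#   (wsFlags, supportedTests_new, ...).
#
# Returns 1 if interoperability testing is off, 0 otherwise.
#
ssl_iopr_run() {
    # Unset IOPR means "off" rather than an arithmetic error.
    if [ "${IOPR:-0}" -ne 1 ]; then
        return 1
    fi
    cd ${CLIENTDIR}

    # Was saved as ORIG_ECC_CERT but restored from ORIG_ECC_CERTS, so
    # NO_ECC_CERTS came back empty after the run.
    ORIG_ECC_CERTS=${NO_ECC_CERTS}
    NO_ECC_CERTS=1 # disable ECC for interoperability tests

    NSS_SSL_ENABLE_RENEGOTIATION=u
    export NSS_SSL_ENABLE_RENEGOTIATION

    num=1
    IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
    while [ "$IOPR_HOST_PARAM" ]; do
        IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
        IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
        [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443

        # Advance to the next entry up front so that every "continue"
        # below makes progress. The "no ssl support" skip used to jump
        # back without advancing, re-reading the same host forever.
        num=$((num + 1))
        IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`

        # The per-host config is shell, sourced from a file that was
        # downloaded from that host: whatever it contains runs with the
        # privileges of this test run, so only trusted hosts belong in
        # IOPR_HOSTADDR_LIST.
        . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
        RES=$?

        if [ $RES -ne 0 ]; then
            continue
        fi
        case "$wsFlags" in
            *NOIOPR*) continue ;;
        esac

        #=======================================================
        # Check if server is capable to run ssl tests
        #
        case "$supportedTests_new" in
            *[sS][sS][lL]*) ;;
            *) continue ;;
        esac

        # Testing directories defined by webserver.
        echo "Testing ssl interoperability.
Client: local(tstclnt).
Server: remote($IOPR_HOSTADDR:$IOPR_OPEN_PORT)"

        for sslTestType in ${supportedTests_new}; do
            case "$sslTestType" in
                *[sS][sS][lL]*) ;;
                *) continue ;;
            esac
            ssl_iopr_cov_ext_server $sslTestType ${IOPR_HOSTADDR} \
                ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
            ssl_iopr_auth_ext_server $sslTestType ${IOPR_HOSTADDR} \
                ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
            ssl_iopr_crl_ext_server $sslTestType ${IOPR_HOSTADDR} \
                ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
        done

        # Testing selfserv with client located at the webserver.
        echo "Testing ssl interoperability.
Client: remote($IOPR_HOSTADDR:$PORT)
Server: local(selfserv)"
        ssl_iopr_cov_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
            ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
        ssl_iopr_auth_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
            ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
        ssl_iopr_crl_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
            ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
        echo "================================================"
        echo "Done testing interoperability with $IOPR_HOSTADDR"
    done
    NO_ECC_CERTS=${ORIG_ECC_CERTS}
    return 0
}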