author | slavomir.katuscak%sun.com <devnull@localhost> | 2008-09-18 12:45:58 +0000 |
---|---|---|
committer | slavomir.katuscak%sun.com <devnull@localhost> | 2008-09-18 12:45:58 +0000 |
commit | bded997bfc8227334a0385b24811bfcefb58f243 (patch) | |
tree | ed5423a309bf58f6661fe4bb7a0353d62fd3c343 | |
parent | c996188024c684915690db34893b40a1ecacaa27 (diff) | |
Patch to reduce testing complexity. r=julien
-rwxr-xr-x | security/nss/tests/all.sh | 413 | ||||
-rw-r--r-- | security/nss/tests/common/init.sh | 8 | ||||
-rw-r--r-- | security/nss/tests/iopr/ssl_iopr.sh | 14 | ||||
-rwxr-xr-x | security/nss/tests/ssl/ssl.sh | 346 |
4 files changed, 484 insertions, 297 deletions
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh index e4cc1c792..288ecb9de 100755 --- a/security/nss/tests/all.sh +++ b/security/nss/tests/all.sh @@ -21,6 +21,7 @@ # the Initial Developer. All Rights Reserved. # # Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems # # Alternatively, the contents of this file may be used under the terms of # either the GNU General Public License Version 2 or later (the "GPL"), or 
@@ -40,80 +41,296 @@ # # mozilla/security/nss/tests/all.sh # -# Script to start all available NSS QA suites on one machine -# this script is called or sourced by nssqa which runs on all required +# Script to start selected available NSS QA suites on one machine +# this script is called or sourced by NSS QA which runs on all required # platforms # -# needs to work on all Unix and Windows platforms -# -# currently available NSS QA suites: -# -------------------------------------------------- -# cert.sh - exercises certutil and creates certs necessary for all -# other tests -# ssl.sh - tests SSL V2 SSL V3 and TLS -# smime.sh - S/MIME testing -# crmf.sh - CRMF/CMMF testing -# sdr.sh - test NSS SDR -# cipher.sh - test NSS ciphers -# perf.sh - Nightly performance measurments -# tools.sh - Tests the majority of the NSS tools -# fips.sh - Tests basic functionallity of NSS in FIPS-compliant mode -# -# special strings +# Needs to work on all Unix and Windows platforms +# +# Currently available NSS QA suites: +# ---------------------------------- +# cipher.sh - tests NSS ciphers +# libpkix.sh - tests PKIX functionality +# cert.sh - exercises certutil and creates certs necessary for +# all other tests +# dbtests.sh - tests related to certificate databases +# tools.sh - tests the majority of the NSS tools +# fips.sh - tests basic functionallity of NSS in FIPS-compliant +# - mode +# sdr.sh - tests NSS SDR +# crmf.sh - CRMF/CMMF testing +# smime.sh - S/MIME testing +# ssl.sh - tests SSL V2 SSL V3 and TLS +# ocsp.sh - OCSP testing +# merge.sh - tests merging old and new shareable databases +# pkits.sh - NIST/PKITS tests +# dbupgrade.sh - upgrade databases to new shareable version (used +# only in upgrade test cycle) +# memleak.sh - memory leak testing (optional) +# +# NSS testing is now devided to 4 cycles: +# --------------------------------------- +# standard - run test suites with defaults settings +# pkix - run test suites with PKIX enabled +# upgradedb - upgrade existing 
certificate databases to shareable +# format (creates them if doesn't exist yet) and run +# test suites with those databases +# sharedb - run test suites with shareable database format +# enabled (databases are created directly to this +# format) +# +# Mandatory environment variables (to be set before testing): +# ----------------------------------------------------------- +# HOST - test machine host name +# DOMSUF - test machine domain name +# +# Optional environment variables to specify build to use: +# ------------------------------------------------------- +# BUILT_OPT - use optimized/debug build +# USE_64 - use 64bit/32bit build +# +# Optional environment variables to enable specific NSS features: +# --------------------------------------------------------------- +# NSS_ENABLE_ECC - enable ECC +# NSS_ECC_MORE_THAN_SUITE_B - enable extended ECC +# +# Optional environment variables to select which cycles/suites to test: +# --------------------------------------------------------------------- +# NSS_CYCLES - list of cycles to run (separated by space +# character) +# - by default all cycles are tested +# +# NSS_TESTS - list of all test suites to run (separated by space +# character, without trailing .sh) +# - this list can be reduced for individual test cycles +# +# NSS_SSL_TESTS - list of ssl tests to run (see ssl.sh) +# NSS_SSL_RUN - list of sss sub-tests to run (see ssl.sh) +# +# Testing schema: # --------------- +# all.sh ~ (main) +# | | +# +------------+------------+-----------+ ~ run_cycles +# | | | | | +# standard pkix upgradedb sharedb ~ run_cycle_* +# | | +# +------+------+------+-----> ~ run_tests +# | | | | | +# cert tools fips ssl ... ~ . *.sh +# +# Special strings: +# ---------------- # FIXME ... known problems, search for this string # NOTE .... 
unexpected behavior # # NOTE: # ----- -# Unlike the old QA this is based on files sourcing each other -# This is done to save time, since a great portion of time is lost -# in calling and sourcing the same things multiple times over the -# network. Also, this way all scripts have all shell function available -# and a completely common environment -# -# file tells the test suite that the output is going to a log, so any -# forked() children need to redirect their output to prevent them from -# being over written. +# Unlike the old QA this is based on files sourcing each other +# This is done to save time, since a great portion of time is lost +# in calling and sourcing the same things multiple times over the +# network. Also, this way all scripts have all shell function +# available and a completely common environment # ######################################################################## +############################## run_tests ############################### +# run test suites defined in TESTS variable, skip scripts defined in +# TESTS_SKIP variable +######################################################################## run_tests() { - for i in ${TESTS} - do - SCRIPTNAME=${i}.sh - if [ "$O_CRON" = "ON" ]; then - echo "Running tests for $i" >> ${LOGFILE} - echo "TIMESTAMP $i BEGIN: `date`" >> ${LOGFILE} - (cd ${QADIR}/$i ; . ./$SCRIPTNAME all file >> ${LOGFILE} 2>&1) - echo "TIMESTAMP $i END: `date`" >> ${LOGFILE} - else - echo "Running tests for $i" | tee -a ${LOGFILE} - echo "TIMESTAMP $i BEGIN: `date`" | tee -a ${LOGFILE} - (cd ${QADIR}/$i ; . ./$SCRIPTNAME all file 2>&1 | tee -a ${LOGFILE}) - echo "TIMESTAMP $i END: `date`" | tee -a ${LOGFILE} - fi - done + for TEST in ${TESTS} + do + echo "${TESTS_SKIP}" | grep "${TEST}" > /dev/null + if [ $? -eq 0 ]; then + continue + fi + + SCRIPTNAME=${TEST}.sh + echo "Running tests for ${TEST}" + echo "TIMESTAMP ${TEST} BEGIN: `date`" + (cd ${QADIR}/${TEST}; . 
./${SCRIPTNAME} 2>&1) + echo "TIMESTAMP ${TEST} END: `date`" + done +} + +########################## run_cycle_standard ########################## +# run test suites with defaults settings (no PKIX, no sharedb) +######################################################################## +run_cycle_standard() +{ + TEST_MODE=STANDARD + + TESTS="${ALL_TESTS}" + TESTS_SKIP= + + run_tests +} + +############################ run_cycle_pkix ############################ +# run test suites with PKIX enabled +######################################################################## +run_cycle_pkix() +{ + TEST_MODE=PKIX + + TABLE_ARGS="bgcolor=cyan" + html_head "Testing with PKIX" + html "</TABLE><BR>" + + HOSTDIR="${HOSTDIR}/pkix" + mkdir -p "${HOSTDIR}" + init_directories + + NSS_ENABLE_PKIX_VERIFY="1" + export NSS_ENABLE_PKIX_VERIFY + + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher dbtests sdr crmf smime merge" + + echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null + RET=$? + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/bypass//g" -e "s/fips//g" -e "s/_//g"` + [ ${RET} -eq 0 ] && NSS_SSL_TESTS="${NSS_SSL_TESTS} bypass_bypass" + + run_tests +} + +######################### run_cycle_upgrade_db ######################### +# upgrades certificate database to shareable format and run test suites +# with those databases +######################################################################## +run_cycle_upgrade_db() +{ + TEST_MODE=UPGRADE_DB + + TABLE_ARGS="bgcolor=pink" + html_head "Testing with upgraded library" + html "</TABLE><BR>" + + OLDHOSTDIR="${HOSTDIR}" + HOSTDIR="${HOSTDIR}/upgradedb" + mkdir -p "${HOSTDIR}" + init_directories + + if [ -r "${OLDHOSTDIR}/cert.log" ]; then + DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA tools/copydir cert.log cert.done tests.*" + for i in $DIRS + do + cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null + done + fi + + # upgrade certs dbs to shared db + 
TESTS="dbupgrade" + TESTS_SKIP= + + run_tests + + NSS_DEFAULT_DB_TYPE="sql" + export NSS_DEFAULT_DB_TYPE + + # run the subset of tests with the upgraded database + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher libpkix cert dbtests sdr ocsp pkits" + + echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null + RET=$? + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/bypass//g" -e "s/fips//g" -e "s/_//g"` + [ ${RET} -eq 0 ] && NSS_SSL_TESTS="${NSS_SSL_TESTS} bypass_bypass" + NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"` + + run_tests +} + +########################## run_cycle_shared_db ######################### +# run test suites with certificate databases set to shareable format +######################################################################## +run_cycle_shared_db() +{ + TEST_MODE=SHARED_DB + + TABLE_ARGS="bgcolor=yellow" + html_head "Testing with shared library" + html "</TABLE><BR>" + + HOSTDIR="${HOSTDIR}/sharedb" + mkdir -p "${HOSTDIR}" + init_directories + + NSS_DEFAULT_DB_TYPE="sql" + export NSS_DEFAULT_DB_TYPE + + # run the tests for native sharedb support + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits" + + echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null + RET=$? 
+ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/bypass//g" -e "s/fips//g" -e "s/_//g"` + [ ${RET} -eq 0 ] && NSS_SSL_TESTS="${NSS_SSL_TESTS} bypass_bypass" + NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"` + + run_tests } -tests="cipher perf libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits" -if [ -z "$BUILD_LIBPKIX_TESTS" ] ; then - tests=`echo "${tests}" | sed -e "s/libpkix//"` +############################# run_cycles ############################### +# run test cycles defined in CYCLES variable +######################################################################## +run_cycles() +{ + for CYCLE in ${CYCLES} + do + case "${CYCLE}" in + "standard") + run_cycle_standard + ;; + "pkix") + run_cycle_pkix + ;; + "upgradedb") + run_cycle_upgrade_db + ;; + "sharedb") + run_cycle_shared_db + ;; + esac + . ${ENV_BACKUP} + done +} + +############################## main code ############################### + +cycles="standard pkix upgradedb sharedb" +CYCLES=${NSS_CYCLES:-$cycles} + +tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits" +TESTS=${NSS_TESTS:-$tests} + +# FIXME: move check for ${BUILD_LIBPKIX_TESTS} to libpkix.sh +if [ -z "${BUILD_LIBPKIX_TESTS}" ] ; then + TESTS=`echo "${TESTS}" | sed -e "s/libpkix//"` fi -TESTS=${TESTS:-$tests} ALL_TESTS=${TESTS} +nss_ssl_tests="crl bypass_normal normal_bypass fips_normal normal_fips iopr" +NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}" + +nss_ssl_run="cov auth stress" +NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}" + SCRIPTNAME=all.sh CLEANUP="${SCRIPTNAME}" -cd `dirname $0` # will cause problems if sourced +cd `dirname $0` # all.sh should be the first one to try to source the init if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then - cd common - . ./init.sh + cd common + . 
./init.sh fi +# NOTE: # Since in make at the top level, modutil is the last file # created, we check for modutil to know whether the build # is complete. If a new file is created after that, the 
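Review bot: The skip check in run_tests, `echo "${TESTS_SKIP}" | grep "${TEST}"`, is an unanchored regex match, so a suite is skipped whenever its name occurs inside any longer entry of TESTS_SKIP (a suite named `pkix` would be dropped by `libpkix`). A suite that is skipped this way prints nothing, so the run reads as clean. Matching whole words avoids that: `case " ${TESTS_SKIP} " in *" ${TEST} "*) continue ;; esac`.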
@@ -121,98 +338,22 @@ fi if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \ ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then - echo "Build Incomplete. Aborting test." >> ${LOGFILE} - html_head "Testing Initialization" - Exit "Checking for build" + echo "Build Incomplete. Aborting test." >> ${LOGFILE} + html_head "Testing Initialization" + Exit "Checking for build" fi -# backup selected environment variables +# NOTE: +# Lists of enabled tests and other settings are stored to ${ENV_BACKUP} +# file and are are restored after every test cycle. + ENV_BACKUP=${HOSTDIR}/env.sh env_backup > ${ENV_BACKUP} -# standard tests, no pkix, no sharedb -if [ -z "$NSS_TEST_DISABLE_STANDARD" ] ; then - TEST_MODE=STANDARD - run_tests -fi - -# PKIX tests -if [ -z "$NSS_TEST_DISABLE_PKIX" ] ; then - TABLE_ARGS="bgcolor=cyan" - html_head "Testing with PKIX" - html "</TABLE><BR>" - - HOSTDIR="${HOSTDIR}/pkix" - mkdir -p "${HOSTDIR}" - init_directories - - NSS_TEST_SERVER_CLIENT_BYPASS="1" - NSS_TEST_DISABLE_FIPS="1" - NSS_ENABLE_PKIX_VERIFY="1" - export NSS_ENABLE_PKIX_VERIFY - - TESTS=`echo "${ALL_TESTS}" | sed -e "s/cipher//" -e "s/libpkix//" \ - -e "s/dbupgrade//"` - TEST_MODE=PKIX - run_tests - - . 
${ENV_BACKUP} -fi - -# upgrade cert dbs to shared db + run tests there -if [ -z "$NSS_TEST_DISABLE_UPGRADE_DB" ] ; then - TABLE_ARGS="bgcolor=pink" - html_head "Testing with upgraded library" - html "</TABLE><BR>" - - OLDHOSTDIR="${HOSTDIR}" - HOSTDIR="${HOSTDIR}/upgradedb" - mkdir -p "${HOSTDIR}" - init_directories - - if [ -r "${OLDHOSTDIR}/cert.log" ]; then - DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA tools/copydir cert.log" - for i in $DIRS - do - cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null - done - fi - - # upgrade certs dbs to shared db - TESTS="dbupgrade" - TEST_MODE=UPGRADE_DB - run_tests - - NSS_DEFAULT_DB_TYPE="sql" - export NSS_DEFAULT_DB_TYPE - - # run the subset of tests with the upgraded database - TESTS=`echo "${ALL_TESTS}" | sed -e "s/cipher//" -e "s/perf//" \ - -e "s/libpkix//" -e "s/cert//" -e "s/dbtests//" -e "s/dbupgrade//"` - run_tests - - . ${ENV_BACKUP} -fi - -# tests for native sharedb support -if [ -z "$NSS_TEST_DISABLE_SHARED_DB" ] ; then - TABLE_ARGS="bgcolor=yellow" - html_head "Testing with shared library" - html "</TABLE><BR>" - - HOSTDIR="${HOSTDIR}/sharedb" - mkdir -p "${HOSTDIR}" - init_directories - - NSS_DEFAULT_DB_TYPE="sql" - export NSS_DEFAULT_DB_TYPE - - # run the tests for native sharedb support - TESTS=`echo "${ALL_TESTS}" | sed -e "s/libpkix//" -e "s/dbupgrade//"` - TEST_MODE=SHARED_DB - run_tests - - . ${ENV_BACKUP} +if [ "${O_CRON}" = "ON" ]; then + run_cycles >> ${LOGFILE} +else + run_cycles | tee -a ${LOGFILE} fi SCRIPTNAME=all.sh diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh index 8b3bdd9a7..12be76841 100644 --- a/security/nss/tests/common/init.sh +++ b/security/nss/tests/common/init.sh 
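Review bot: In the non-cron branch `run_cycles | tee -a ${LOGFILE}` puts run_cycles on the left of a pipe, which most shells run in a subshell, while the cron branch `run_cycles >> ${LOGFILE}` runs it in the current shell. Any variable the cycles leave changed is therefore visible to the code after the `fi` in one mode and not in the other, and the pipeline's exit status is tee's rather than run_cycles'. The code that follows is outside this hunk, so whether it depends on that state cannot be confirmed here. A comment such as `# run_cycles runs in a subshell when piped to tee; nothing below may rely on variables it sets` would record the constraint.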
@@ -156,12 +156,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then echo "HOSTDIR=\"${HOSTDIR}\"" echo "TABLE_ARGS=" echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}" - echo "NSS_TEST_DISABLE_CIPHERS=${NSS_TEST_DISABLE_CIPHERS}" - echo "NSS_TEST_DISABLE_BYPASS=${NSS_TEST_DISABLE_BYPASS}" - echo "NSS_TEST_DISABLE_CLIENT_BYPASS=${NSS_TEST_DISABLE_CLIENT_BYPASS}" - echo "NSS_TEST_DISABLE_SERVER_BYPASS=${NSS_TEST_DISABLE_SERVER_BYPASS}" - echo "NSS_TEST_SERVER_CLIENT_BYPASS=${NSS_TEST_SERVER_CLIENT_BYPASS}" - echo "NSS_TEST_DISABLE_FIPS=${NSS_TEST_DISABLE_FIPS}" + echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\"" + echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\"" echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}" echo "export NSS_DEFAULT_DB_TYPE" echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}" diff --git a/security/nss/tests/iopr/ssl_iopr.sh b/security/nss/tests/iopr/ssl_iopr.sh index e4ba29011..d8b592f30 100644 --- a/security/nss/tests/iopr/ssl_iopr.sh +++ b/security/nss/tests/iopr/ssl_iopr.sh @@ -393,6 +393,7 @@ ssl_iopr_cov_ext_client() kill_selfserv P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR rm -f ${TEST_IN} ${TEST_OUT} html "</TABLE><BR>" @@ -431,7 +432,7 @@ ssl_iopr_auth_ext_client() OR_P_R_SERVERDIR=$P_R_SERVERDIR P_R_SERVERDIR=${serDbDir} OR_P_R_CLIENTDIR=$P_R_CLIENTDIR - P_R_CLIENTDIR=$serDbDir + P_R_CLIENTDIR=${serDbDir} SSLAUTH_TMP=${TMP}/authin.tl.tmp @@ -486,7 +487,9 @@ ssl_iopr_auth_ext_client() kill_selfserv rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null done < ${SSLAUTH_TMP} + P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR rm -f ${SSLAUTH_TMP} ${TEST_IN} ${TEST_OUT} html "</TABLE><BR>" @@ -583,7 +586,9 @@ ssl_iopr_crl_ext_client() done kill_selfserv done < ${SSLAUTH_TMP} + P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR rm -f ${SSLAUTH_TMP} html "</TABLE><BR>" 
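Review bot: In the init.sh hunk the backup list still writes `NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}`, although this same commit removes the `if [ -z "$NSS_TEST_DISABLE_CRL" ]` check from ssl.sh and selects the CRL tests through the `crl` entry of NSS_SSL_TESTS. If no other script reads the variable (not visible from these hunks), the line is dead and advertises a switch that no longer works; drop it or add `# still read by <script>` beside it. The two added lines also write their values unescaped between `\"` into a file that is later sourced with `. ${ENV_BACKUP}`, so a value containing a double quote or backquote would be evaluated on restore. The enclosing block starts and ends outside the hunk.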
@@ -599,12 +604,13 @@ ssl_iopr_crl_ext_client() # Returns 1 if interoperability testing is off, 0 otherwise. # ssl_iopr_run() { - NO_ECC_CERTS=1 # disable ECC for interoperability tests - if [ "$IOPR" -ne 1 ]; then return 1 fi cd ${CLIENTDIR} + + ORIG_ECC_CERT=${NO_ECC_CERTS} + NO_ECC_CERTS=1 # disable ECC for interoperability tests num=1 IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` @@ -660,7 +666,7 @@ ssl_iopr_run() { num=`expr $num + 1` IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` done - NO_ECC_CERTS=0 + NO_ECC_CERTS=${ORIG_ECC_CERTS} return 0 } diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh index 1359e3c01..27a1aa6bd 100755 --- a/security/nss/tests/ssl/ssl.sh +++ b/security/nss/tests/ssl/ssl.sh @@ -119,6 +119,13 @@ ssl_init() ECC_STRING="" fi + CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz" + CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz" + + if [ "${OS_ARCH}" != "WINNT" ]; then + ulimit -n 1000 # make sure we have enough file descriptors + fi + cd ${CLIENTDIR} } @@ -249,13 +256,6 @@ start_selfserv() RET=$? fi - # Bug 348198 - temporary patch - # Print processes and list of open ports, in case that selfserv fails. - if [ ${RET} -ne 0 -a "${OS_NAME}" = "SunOS" ]; then - ps -ef - netstat -af inet - fi - # The PID $! returned by the MKS or Cygwin shell is not the PID of # the real background process, but rather the PID of a helper # process (sh.exe). MKS's kill command has a bug: invoking kill @@ -286,7 +286,7 @@ start_selfserv() ######################################################################## ssl_cov() { - html_head "SSL Cipher Coverage $NORM_EXT - $BYPASS_STRING $ECC_STRING" + html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" testname="" if [ -n "$NSS_ENABLE_ECC" ] ; then 
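Review bot: The save and restore in ssl_iopr_run use different variable names: this hunk stores `ORIG_ECC_CERT=${NO_ECC_CERTS}`, while the `@@ -660,7 +666,7 @@` hunk restores with `NO_ECC_CERTS=${ORIG_ECC_CERTS}`. Unless ORIG_ECC_CERTS is set somewhere else, NO_ECC_CERTS ends up empty rather than at its previous value (the old code reset it to 0). Use one name in both places, e.g. `ORIG_ECC_CERTS=${NO_ECC_CERTS}` here. The rest of ssl_iopr_run lies outside both hunks.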
@@ -298,21 +298,19 @@ ssl_cov() mixed=0 start_selfserv # Launch the server - p="" - exec < ${SSLCOV} while read ectype tls param testname do - p=`echo "$testname" | sed -e "s/_.*//"` #sonmi, only run extended test on SSL3 and TLS - - echo "$testname" | grep EXPORT > /dev/null 2>&1 - exp=$? + echo "${testname}" | grep "EXPORT" > /dev/null + EXP=$? + echo "${testname}" | grep "SSL2" > /dev/null + SSL2=$? - if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then + if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then echo "$SCRIPTNAME: skipping $testname (ECC only)" - elif [ "$p" = "SSL2" -o "$exp" -eq 0 ] && [ "$BYPASS_STRING" = "Server FIPS" ] ; then + elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" elif [ "$ectype" != "#" ] ; then echo "$SCRIPTNAME: running $testname ----------------------------" @@ -350,11 +348,11 @@ ssl_cov() fi echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} \\" - echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" + echo " -f -d ${P_R_CLIENTDIR} -w nss < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} -f \ - -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ + -d ${P_R_CLIENTDIR} -w nss < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? cat ${TMP}/$HOST.tmp.$$ 
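Review bot: In the `@@ -350,11 +348,11 @@` hunk the added `-w nss` passes the database password as a literal on the tstclnt command line, with no comment saying why it is now needed; presumably the client database requires a login once it can be put in FIPS mode. A comment such as `# -w: client DB password, needed when the client DB is in FIPS mode` would record that. If the suite already keeps this password in a variable or password file (not visible in this hunk), using that would avoid repeating the literal. ssl_cov starts and ends outside the hunk.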
@@ -373,19 +371,24 @@ ssl_cov() ######################################################################## ssl_auth() { - html_head "SSL Client Authentication $NORM_EXT - $BYPASS_STRING $ECC_STRING" + html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" exec < ${SSLAUTH} while read ectype value sparam cparam testname do - if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "${testname}" | grep "don't require client auth" > /dev/null + CAUTH=$? + + if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then echo "$SCRIPTNAME: skipping $testname (ECC only)" elif [ "$ectype" != "#" ]; then cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` start_selfserv echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} \\" - echo " ${cparam} < ${REQUEST_FILE}" + echo " ${cparam} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ @@ -394,6 +397,10 @@ ssl_auth() cat ${TMP}/$HOST.tmp.$$ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + #workaround for bug #402058 + [ $ret -ne 0 ] && ret=1 + [ $value -ne 0 ] && value=1 + html_msg $ret $value "${testname}" \ "produced a returncode of $ret, expected is $value" kill_selfserv @@ -409,7 +416,7 @@ ssl_auth() ######################################################################## ssl_stress() { - html_head "SSL Stress Test $NORM_EXT - $BYPASS_STRING $ECC_STRING" + html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" exec < ${SSLSTRESS} while read ectype value sparam cparam testname 
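Review bot: The workaround in the `@@ -394,6 +397,10 @@` hunk, `[ $ret -ne 0 ] && ret=1` and `[ $value -ne 0 ] && value=1`, collapses every non-zero status to 1, so a client that crashes or fails for an unrelated reason now satisfies any test line that expects a specific failure code. html_msg then reports the collapsed values instead of the real ones. For an authentication test an expected rejection and an abnormal exit should not both pass; logging the raw code first, e.g. `echo "$SCRIPTNAME: raw returncode $ret, expected $value"`, keeps the evidence. The comment should also say what bug #402058 is and when the workaround can go. Both tests leave `$ret` and `$value` unquoted, so an empty `value` from a short input line becomes a `[` syntax error.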
@@ -418,12 +425,19 @@ ssl_stress() # silently ignore blank lines continue fi - p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS - if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then + + echo "${testname}" | grep "SSL2" > /dev/null + SSL2=$? + echo "${testname}" | grep "client auth" > /dev/null + CAUTH=$? + + if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then echo "$SCRIPTNAME: skipping $testname (ECC only)" - elif [ "$p" = "SSL2" -a "$BYPASS_STRING" = "Server FIPS" ] ; then + elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" elif [ "$ectype" != "#" ]; then cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` @@ -464,10 +478,9 @@ ssl_stress() html "</TABLE><BR>" } -############################## ssl_crl ################################# +############################ ssl_crl_ssl ############################### # local shell function to perform SSL test with/out revoked certs tests ######################################################################## - ssl_crl_ssl() { html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING" @@ -540,11 +553,9 @@ ssl_crl_ssl() html "</TABLE><BR>" } -############################## ssl_crl ################################# -# local shell function to perform SSL test for crl cache functionality -# with/out revoked certs +############################# is_revoked ############################### +# local shell function to check if certificate is revoked ######################################################################## - is_revoked() { certNum=$1 currLoadedGrp=$2 
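Review bot: The new FIPS skip rule in ssl_stress reuses the name CAUTH with the opposite sense to ssl_auth and neither is explained. Here `grep "client auth"` sets CAUTH and the test is skipped when `"${CAUTH}" -ne 0` (no client auth in the name), whereas ssl_auth greps `don't require client auth` and skips when CAUTH is 0. A comment above the new elif, e.g. `# FIPS client: run only the stress tests that use client auth`, together with the reason, would make the intent checkable. The substring test would also count a name containing "no client auth" as a client-auth test. The loop body of ssl_stress continues outside the hunk.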
@@ -575,6 +586,9 @@ is_revoked() { return 0 } +########################### load_group_crl ############################# +# local shell function to load CRL +######################################################################## load_group_crl() { group=$1 ectype=$2 @@ -644,7 +658,10 @@ _EOF_REQUEST_ echo "================= CRL Reloaded =============" } - +########################### ssl_crl_cache ############################## +# local shell function to perform SSL test for crl cache functionality +# with/out revoked certs +######################################################################## ssl_crl_cache() { html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING" @@ -765,17 +782,44 @@ ssl_cleanup() . common/cleanup.sh } +############################## ssl_run ################################# +# local shell function to run coverage, authentication and stress tests +######################################################################## +ssl_run() +{ + for SSL_RUN in ${NSS_SSL_RUN} + do + case "${SSL_RUN}" in + "cov") + ssl_cov + ;; + "auth") + ssl_auth + ;; + "stress") + ssl_stress + ;; + esac + done +} -############################## ssl_run ### ############################# +############################ ssl_run_all ############################### # local shell function to run both standard and extended ssl tests ######################################################################## -ssl_run() +ssl_run_all() { - ssl_init + ORIG_SERVERDIR=$SERVERDIR + ORIG_CLIENTDIR=$CLIENTDIR + ORIG_R_SERVERDIR=$R_SERVERDIR + ORIG_R_CLIENTDIR=$R_CLIENTDIR + ORIG_P_R_SERVERDIR=$P_R_SERVERDIR + ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR - ssl_cov - ssl_auth - ssl_stress + USER_NICKNAME=TestUser + NORM_EXT="" + cd ${CLIENTDIR} + + ssl_run SERVERDIR=$EXT_SERVERDIR CLIENTDIR=$EXT_CLIENTDIR 
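Review bot: The `case "${SSL_RUN}"` in the new ssl_run (hunk `@@ -765,17 +782,44 @@`) has no default branch, so a misspelled entry in NSS_SSL_RUN is dropped without any message and the run looks complete. run_cycles in all.sh has the same gap for NSS_CYCLES, whereas ssl_run_tests does report unknown modes. Add `*) echo "${SCRIPTNAME}: Error: Unknown SSL run ${SSL_RUN}" ;;` before `esac`, and the equivalent in run_cycles. ssl_run_all continues past the end of this hunk.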
@@ -783,12 +827,12 @@ ssl_run() R_CLIENTDIR=$R_EXT_CLIENTDIR P_R_SERVERDIR=$P_R_EXT_SERVERDIR P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR + USER_NICKNAME=ExtendedSSLUser NORM_EXT="Extended Test" cd ${CLIENTDIR} - ssl_cov - ssl_auth - ssl_stress + + ssl_run # the next round of ssl tests will only run if these vars are reset SERVERDIR=$ORIG_SERVERDIR @@ -797,6 +841,7 @@ ssl_run() R_CLIENTDIR=$ORIG_R_CLIENTDIR P_R_SERVERDIR=$ORIG_P_R_SERVERDIR P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR + USER_NICKNAME=TestUser NORM_EXT= cd ${QADIR}/ssl 
@@ -807,127 +852,126 @@ ssl_run() ######################################################################## ssl_set_fips() { - DBDIR=$1 - FIPSMODE=$2 - TESTNAME=$3 - MODUTIL="modutil" - - [ "${FIPSMODE}" = "true" ] - RET_EXP=$? - - echo "${SCRIPTNAME}: ${TESTNAME}" - - echo "${MODUTIL} -dbdir ${DBDIR} -fips ${FIPSMODE} -force" - ${BINDIR}/${MODUTIL} -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1 - RET=$? - html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \ - "produced a returncode of ${RET}, expected is 0" - - echo "${MODUTIL} -dbdir ${DBDIR} -list" - DBLIST=`${BINDIR}/${MODUTIL} -dbdir ${DBDIR} -list 2>&1` - RET=$? - html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \ - "produced a returncode of ${RET}, expected is 0" - - echo "${DBLIST}" | grep "FIPS PKCS #11" - RET=$? - html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \ - "produced a returncode of ${RET}, expected is ${RET_EXP}" -} - -################## main ################################################# - -#this script may be sourced from the distributed stress test - in this case do nothing... 
+ CLTSRV=$1 + ONOFF=$2 -CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz" -CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz" - -if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then - - if [ "${OS_ARCH}" != "WINNT" ]; then - ulimit -n 1000 # make sure we have enough file descriptors + if [ ${CLTSRV} = "server" ]; then + DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}" + else + DBDIRS="${CLIETNDIR} ${EXT_CLIENTDIR}" fi - - ssl_init - - # save the directories as setup by init.sh - ORIG_SERVERDIR=$SERVERDIR - ORIG_CLIENTDIR=$CLIENTDIR - ORIG_R_SERVERDIR=$R_SERVERDIR - ORIG_R_CLIENTDIR=$R_CLIENTDIR - ORIG_P_R_SERVERDIR=$P_R_SERVERDIR - ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR - - if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then - ssl_crl_ssl - ssl_crl_cache + + if [ "${ONOFF}" = "on" ]; then + FIPSMODE=true + RET_EXP=0 else - echo "$SCRIPTNAME: Skipping CRL Client Tests" + FIPSMODE=false + RET_EXP=1 fi - # Test all combinations of client bypass and server bypass + html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}" - if [ -z "$NSS_TEST_DISABLE_CIPHERS" ] ; then - if [ -n "$NSS_TEST_DISABLE_BYPASS" ] ; then - SERVER_OPTIONS="" - CLIENT_OPTIONS="" - BYPASS_STRING="No Bypass" - ssl_run + for DBDIR in ${DBDIRS} + do + EXT_OPT= + echo ${DBDIR} | grep ext > /dev/null + if [ $? 
-eq 0 ]; then + EXT_OPT="extended " fi - if [ -z "$NSS_TEST_DISABLE_BYPASS" -a \ - -z "$NSS_TEST_DISABLE_CLIENT_BYPASS" -a \ - -z "$NSS_TEST_SERVER_CLIENT_BYPASS" ] ; then - CLIENT_OPTIONS="-B -s" - SERVER_OPTIONS="" - BYPASS_STRING="Client Bypass" - ssl_run - else - echo "$SCRIPTNAME: Skipping Cipher Coverage - Client Bypass Tests" - fi + echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}" - if [ -z "$NSS_TEST_DISABLE_BYPASS" -a \ - -z "$NSS_TEST_DISABLE_SERVER_BYPASS" -a \ - -z "$NSS_TEST_SERVER_CLIENT_BYPASS" ] ; then - SERVER_OPTIONS="-B -s" - CLIENT_OPTIONS="" - BYPASS_STRING="Server Bypass" - ssl_run - else - echo "$SCRIPTNAME: Skipping Cipher Coverage - Server Bypass Tests" - fi + echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force" + ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1 + RET=$? + html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \ + "produced a returncode of ${RET}, expected is 0" + + echo "modutil -dbdir ${DBDIR} -list" + DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1` + RET=$? + html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \ + "produced a returncode of ${RET}, expected is 0" + + echo "${DBLIST}" | grep "FIPS PKCS #11" + RET=$? 
+ html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \ + "produced a returncode of ${RET}, expected is ${RET_EXP}" + done - if [ -n "$NSS_TEST_SERVER_CLIENT_BYPASS" -a \ - -z "$NSS_TEST_DISABLE_BYPASS" ] ; then - SERVER_OPTIONS="-B -s" - CLIENT_OPTIONS="-B -s" - BYPASS_STRING="Server Bypass/Client Bypass" - ssl_run - fi + html "</TABLE><BR>" +} - if [ -z "$NSS_TEST_DISABLE_FIPS" ] ; then - CLIENT_OPTIONS="" - SERVER_OPTIONS="" - BYPASS_STRING="Server FIPS" +############################ ssl_set_fips ############################## +# local shell function to run all tests set in NSS_SSL_TESTS variable +######################################################################## +ssl_run_tests() +{ + for SSL_TEST in ${NSS_SSL_TESTS} + do + case "${SSL_TEST}" in + "crl") + ssl_crl_ssl + ssl_crl_cache + ;; + "iopr") + ssl_iopr_run + ;; + *) + SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1` + CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2` + + case "${SERVER_MODE}" in + "normal") + SERVER_OPTIONS= + ;; + "bypass") + SERVER_OPTIONS="-B -s" + ;; + "fips") + SERVER_OPTIONS= + ssl_set_fips server on + ;; + *) + echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}" + continue + ;; + esac - html_head "SSL - FIPS mode on" - ssl_set_fips "${SERVERDIR}" "true" "Turning FIPS on for the server" - ssl_set_fips "${EXT_SERVERDIR}" "true" "Turning FIPS on for the extended server" - html "</TABLE><BR>" + case "${CLIENT_MODE}" in + "normal") + CLIENT_OPTIONS= + ;; + "bypass") + CLIENT_OPTIONS="-B -s" + ;; + "fips") + SERVER_OPTIONS= + ssl_set_fips client on + ;; + *) + echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}" + continue + ;; + esac - ssl_run + ssl_run_all - html_head "SSL - FIPS mode off" - ssl_set_fips "${SERVERDIR}" "false" "Turning FIPS off for the server" - ssl_set_fips "${EXT_SERVERDIR}" "false" "Turning FIPS off for the extended server" - html "</TABLE><BR>" - else - echo "$SCRIPTNAME: Skipping Cipher Coverage - FIPS Tests" - fi - else - 
echo "$SCRIPTNAME: Skipping Cipher Coverage Tests" - fi + if [ "${SERVER_MODE}" = "fips" ]; then + ssl_set_fips server off + fi + + if [ "${CLIENT_MODE}" = "fips" ]; then + ssl_set_fips client off + fi + ;; + esac + done +} + +################################# main ################################# + +ssl_init +ssl_run_tests +ssl_cleanup - ssl_iopr_run - ssl_cleanup -fi |
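Review bot: Two typos in this hunk change which FIPS configuration is actually tested. In ssl_set_fips the client branch sets `DBDIRS="${CLIETNDIR} ${EXT_CLIENTDIR}"`, so unless CLIETNDIR happens to be defined modutil is never run on CLIENTDIR and the standard-client runs labelled `fips` execute with FIPS off; it should read `DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"`. In ssl_run_tests the `"fips")` arm of `case "${CLIENT_MODE}"` assigns `SERVER_OPTIONS=` instead of `CLIENT_OPTIONS=`, which clears a server `-B -s` and leaves CLIENT_OPTIONS at whatever the previous iteration set. ssl_set_fips also still passes `${TESTNAME}` to html_msg although the parameter that set it was removed, and the banner above ssl_run_tests still reads `ssl_set_fips`.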