Blob Blame History Raw
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -57,18 +57,23 @@ ssl_init()
   fi
 
   PORT=${PORT-8443}
   NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
   nss_ssl_run="stapling cov auth stress"
   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
 
   # Test case files
-  SSLCOV=${QADIR}/ssl/sslcov.txt
+  SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \
+    && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \
+    || ${QADIR}/ssl/sslcov.txt
   SSLAUTH=${QADIR}/ssl/sslauth.txt
+  SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \
+    && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \
+    || ${QADIR}/ssl/sslstress.txt
   SSLSTRESS=${QADIR}/ssl/sslstress.txt
   REQUEST_FILE=${QADIR}/ssl/sslreq.dat
 
   #temparary files
   SERVEROUTFILE=${TMP}/tests_server.$$
   SERVERPID=${TMP}/tests_pid.$$
 
   R_SERVERPID=../tests_pid.$$
@@ -115,17 +120,21 @@ is_selfserv_alive()
   if [ "${OS_ARCH}" = "WINNT" ] && \
      [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
       PID=${SHELL_SERVERPID}
   else
       PID=`cat ${SERVERPID}`
   fi
 
   echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
+  [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
+  echo "No server to kill"
+  else
   kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+  fi
 
   echo "selfserv with PID ${PID} found at `date`"
 }
 
 ########################### wait_for_selfserv ##########################
 # local shell function to wait until selfserver is running and initialized
 ########################################################################
 wait_for_selfserv()
@@ -138,17 +147,21 @@ wait_for_selfserv()
   if [ $? -ne 0 ]; then
       sleep 5
       echo "retrying to connect to selfserv at `date`"
       echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
       echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
       ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
               -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
       if [ $? -ne 0 ]; then
+          if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
+              html_passed "Server never started"
+          else
           html_failed "Waiting for Server"
+          fi
       fi
   fi
   is_selfserv_alive
 }
 
 ########################### kill_selfserv ##############################
 # local shell function to kill the selfserver after the tests are done
 ########################################################################
@@ -273,16 +286,19 @@ ssl_cov()
   exec < ${SSLCOV}
   while read ectype testmax param testname
   do
       echo "${testname}" | grep "EXPORT" > /dev/null 
       EXP=$?
       echo "${testname}" | grep "SSL2" > /dev/null
       SSL2=$?
 
+      #  skip export and ssl2 tests when build has disabled SSL2
+      [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
+
       if [ "${SSL2}" -eq 0 ] ; then
           # We cannot use asynchronous cert verification with SSL2
           SSL2_FLAGS=-O
           VMIN="ssl2"
       else
           # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
           # default in libssl but it is enabled by default in tstclnt; we want
           # to test the libssl default whenever possible.
diff --git a/tests/ssl/sslcov.noSSL2orExport.txt b/tests/ssl/sslcov.noSSL2orExport.txt
new file mode 100644
--- /dev/null
+++ b/tests/ssl/sslcov.noSSL2orExport.txt
@@ -0,0 +1,134 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the various SSL ciphers
+#
+# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We
+# mix up the enable functions so we can tests boths paths.
+#
+# Enable Enable Cipher Test Name 
+#  EC     TLS
+#
+#
+  noECC  SSL3   c    SSL3_RSA_WITH_RC4_128_MD5
+  noECC  SSL3   d    SSL3_RSA_WITH_3DES_EDE_CBC_SHA
+  noECC  SSL3   e    SSL3_RSA_WITH_DES_CBC_SHA
+  noECC  SSL3   i    SSL3_RSA_WITH_NULL_MD5
+  noECC  SSL3   j    SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
+  noECC  SSL3   k    SSL3_RSA_FIPS_WITH_DES_CBC_SHA
+  noECC  SSL3   n    SSL3_RSA_WITH_RC4_128_SHA
+  noECC  SSL3   v    SSL3_RSA_WITH_AES_128_CBC_SHA
+  noECC  SSL3   y    SSL3_RSA_WITH_AES_256_CBC_SHA
+  noECC  SSL3   z    SSL3_RSA_WITH_NULL_SHA
+#  noECC  SSL3  :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+#  noECC  SSL3  :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#
+  noECC  TLS10   c    TLS_RSA_WITH_RC4_128_MD5
+  noECC  TLS10   d    TLS_RSA_WITH_3DES_EDE_CBC_SHA
+  noECC  TLS10   e    TLS_RSA_WITH_DES_CBC_SHA
+  noECC  TLS10   i    TLS_RSA_WITH_NULL_MD5
+  noECC  TLS10   j    TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
+  noECC  TLS10   k    TLS_RSA_FIPS_WITH_DES_CBC_SHA
+  noECC  TLS10   n    TLS_RSA_WITH_RC4_128_SHA
+  noECC  TLS10   v    TLS_RSA_WITH_AES_128_CBC_SHA
+  noECC  TLS10   y    TLS_RSA_WITH_AES_256_CBC_SHA
+  noECC  TLS10   z    TLS_RSA_WITH_NULL_SHA
+#  noECC  TLS10 :0041  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+#  noECC  TLS10 :0084  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#
+#
+  noECC  TLS11   c    TLS11_RSA_WITH_RC4_128_MD5
+  noECC  TLS11   d    TLS11_RSA_WITH_3DES_EDE_CBC_SHA
+  noECC  TLS11   e    TLS11_RSA_WITH_DES_CBC_SHA
+  noECC  TLS11   i    TLS11_RSA_WITH_NULL_MD5
+  noECC  TLS11   j    TLS11_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
+  noECC  TLS11   k    TLS11_RSA_FIPS_WITH_DES_CBC_SHA
+  noECC  TLS11   n    TLS11_RSA_WITH_RC4_128_SHA
+  noECC  TLS11   v    TLS11_RSA_WITH_AES_128_CBC_SHA
+  noECC  TLS11   y    TLS11_RSA_WITH_AES_256_CBC_SHA
+  noECC  TLS11   z    TLS11_RSA_WITH_NULL_SHA
+#
+  noECC  TLS12   c    TLS12_RSA_WITH_RC4_128_MD5
+  noECC  TLS12   d    TLS12_RSA_WITH_3DES_EDE_CBC_SHA
+  noECC  TLS12   e    TLS12_RSA_WITH_DES_CBC_SHA
+  noECC  TLS12   i    TLS12_RSA_WITH_NULL_MD5
+  noECC  TLS12   j    TLS12_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
+  noECC  TLS12   k    TLS12_RSA_FIPS_WITH_DES_CBC_SHA
+  noECC  TLS12   n    TLS12_RSA_WITH_RC4_128_SHA
+  noECC  TLS12   v    TLS12_RSA_WITH_AES_128_CBC_SHA
+  noECC  TLS12   y    TLS12_RSA_WITH_AES_256_CBC_SHA
+  noECC  TLS12   z    TLS12_RSA_WITH_NULL_SHA
+  noECC  TLS12 :003B  TLS12_RSA_WITH_NULL_SHA256
+  noECC  TLS12 :003C  TLS12_RSA_WITH_AES_128_CBC_SHA256
+  noECC  TLS12 :003D  TLS12_RSA_WITH_AES_256_CBC_SHA256
+  noECC  TLS12 :009C  TLS12_RSA_WITH_AES_128_GCM_SHA256
+#
+# ECC ciphers (TLS)
+#
+   ECC   TLS10  :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA
+   ECC   TLS10  :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+   ECC   TLS10  :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS10  :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+   ECC   TLS10  :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+   ECC   TLS10  :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA
+   ECC   TLS10  :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+   ECC   TLS10  :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS10  :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+   ECC   TLS10  :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+   ECC   TLS10  :C00B TLS_ECDH_RSA_WITH_NULL_SHA
+   ECC   TLS10  :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA
+   ECC   TLS10  :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS10  :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+   ECC   TLS10  :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+   ECC   TLS10  :C010 TLS_ECDHE_RSA_WITH_NULL_SHA
+   ECC   TLS10  :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
+   ECC   TLS10  :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS10  :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+   ECC   TLS10  :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#
+   ECC   TLS11  :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA
+   ECC   TLS11  :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA
+   ECC   TLS11  :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS11  :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+   ECC   TLS11  :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+   ECC   TLS11  :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA
+   ECC   TLS11  :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA
+   ECC   TLS11  :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS11  :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+   ECC   TLS11  :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+   ECC   TLS11  :C00B TLS11_ECDH_RSA_WITH_NULL_SHA
+   ECC   TLS11  :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA
+   ECC   TLS11  :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS11  :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA
+   ECC   TLS11  :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA
+   ECC   TLS11  :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA
+   ECC   TLS11  :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA
+   ECC   TLS11  :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS11  :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA
+   ECC   TLS11  :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#
+   ECC   TLS12  :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA
+   ECC   TLS12  :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA
+   ECC   TLS12  :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS12  :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+   ECC   TLS12  :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+   ECC   TLS12  :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA
+   ECC   TLS12  :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA
+   ECC   TLS12  :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS12  :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+   ECC   TLS12  :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+   ECC   TLS12  :C00B TLS12_ECDH_RSA_WITH_NULL_SHA
+   ECC   TLS12  :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA
+   ECC   TLS12  :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS12  :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA
+   ECC   TLS12  :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA
+   ECC   TLS12  :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA
+   ECC   TLS12  :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA
+   ECC   TLS12  :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+   ECC   TLS12  :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
+   ECC   TLS12  :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
+   ECC   TLS12  :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+   ECC   TLS12  :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+   ECC   TLS12  :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+   ECC   TLS12  :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
diff --git a/tests/ssl/sslstress.noSSL2orExport.txt b/tests/ssl/sslstress.noSSL2orExport.txt
new file mode 100644
--- /dev/null
+++ b/tests/ssl/sslstress.noSSL2orExport.txt
@@ -0,0 +1,53 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the stress tests for SSL/TLS.
+#
+#        expected
+# Enable  return  server     client                         Test Case name
+#  ECC    value   params     params
+# ------- ------  ------     ------                         ---------------
+  noECC     0      _         -c_1000_-C_c_-V_:ssl3               Stress SSL3 RC4 128 with MD5
+  noECC     0      _         -c_1000_-C_c                  Stress TLS  RC4 128 with MD5
+  noECC     0      _         -c_1000_-C_c_-g               Stress TLS  RC4 128 with MD5 (false start)
+  noECC     0      -u        -V_ssl3:_-c_1000_-C_c_-u            Stress TLS  RC4 128 with MD5 (session ticket)
+  noECC     0      -z        -V_ssl3:_-c_1000_-C_c_-z            Stress TLS  RC4 128 with MD5 (compression)
+  noECC     0      -u_-z     -V_ssl3:_-c_1000_-C_c_-u_-z         Stress TLS  RC4 128 with MD5 (session ticket, compression)
+  noECC     0      -u_-z     -V_ssl3:_-c_1000_-C_c_-u_-z_-g      Stress TLS  RC4 128 with MD5 (session ticket, compression, false start)
+  SNI       0      -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
+
+#
+# add client auth versions here...
+#
+  noECC     0      -r_-r     -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
+  noECC     0      -r_-r     -c_100_-C_c_-N_-n_TestUser    Stress TLS RC4 128 with MD5 (no reuse, client auth)
+  noECC     0      -r_-r_-u  -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
+  noECC     0      -r_-r_-z  -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
+  noECC     0      -r_-r_-z  -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
+  noECC     0   -r_-r_-u_-z  -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
+  noECC     0   -r_-r_-u_-z  -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
+  SNI       0   -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
+  SNI       0   -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
+
+#
+# ############################ ECC ciphers ############################
+#
+   ECC      0      -c_:C009  -V_ssl3:_-c_100_-C_:C009_-N  Stress TLS  ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
+   ECC      0      -c_:C023  -V_ssl3:_-c_100_-C_:C023_-N  Stress TLS  ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse)
+   ECC      0      -c_:C02B  -V_ssl3:_-c_100_-C_:C02B_-N  Stress TLS  ECDHE-ECDSA AES 128 GCM (no reuse)
+   ECC      0      -c_:C004  -V_ssl3:_-c_100_-C_:C004_-N  Stress TLS  ECDH-ECDSA  AES 128 CBC with SHA (no reuse)
+   ECC      0      -c_:C00E  -V_ssl3:_-c_100_-C_:C00E_-N  Stress TLS  ECDH-RSA    AES 128 CBC with SHA (no reuse)
+   ECC      0      -c_:C013  -V_ssl3:_-c_1000_-C_:C013    Stress TLS  ECDHE-RSA   AES 128 CBC with SHA
+   ECC      0      -c_:C027  -V_ssl3:_-c_1000_-C_:C027    Stress TLS  ECDHE-RSA   AES 128 CBC with SHA256
+   ECC      0      -c_:C02F  -V_ssl3:_-c_1000_-C_:C02F    Stress TLS  ECDHE-RSA   AES 128 GCM
+   ECC      0   -c_:C004_-u  -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS  ECDH-ECDSA  AES 128 CBC with SHA (session ticket)
+#
+# add client auth versions here...
+#
+   ECC      0      -r_-r_-c_:C009  -V_ssl3:_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+   ECC      0      -r_-r_-c_:C013  -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth)
+   ECC      0      -r_-r_-c_:C004  -V_ssl3:_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+   ECC      0      -r_-r_-c_:C00E  -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
+   ECC      0      -r_-r_-c_:C013  -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
+   ECC      0      -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)