xref: /openbsd-src/regress/lib/libssl/ssl/testssl (revision 521ba2f2ab0e0e89d1776559874b3ecc227442fc)
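#!/bin/sh
#
# Regression driver for ssltest: runs handshake, ciphersuite, DTLS and ALPN
# checks with the supplied key and certificate, exiting 1 on the first
# failure.
#
# Usage: testssl key cert cafile [ssltest [openssl [extra-ssltest-args]]]

# Without all three paths, the -key/-cert/-CAfile options assembled below
# would have no value and would consume whatever option follows them.
if [ $# -lt 3 ]; then
  echo "usage: $0 key cert cafile [ssltest [openssl [extra]]]" >&2
  exit 1
fi

key="$1"
cert="$2"
# CA, ssltest, openssl and extra hold option strings that are expanded
# unquoted on purpose so that they split into separate arguments; paths
# containing whitespace are therefore not supported.
CA="-CAfile $3"
ssltest="${4-./ssltest} -key $key -cert $cert -c_key $key -c_cert $cert"
openssl=${5-openssl}
extra="$6"

# Stop early if the openssl binary cannot be run at all.
$openssl version || exit 1

# Record whether the certificate carries a DSA key; the no-(EC)DHE case
# further down is only run when it does not.
if $openssl x509 -in "$cert" -text -noout |
  grep -F 'DSA Public Key' >/dev/null; then
  dsa_cert=YES
else
  dsa_cert=NO
fi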
17e90e4cafSjsing
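#############################################################################
# Basic handshakes, first direct and then via a BIO pair.
#
# The "sslv2/sslv3" wording in the labels is historical: none of these
# invocations passes a protocol flag, so the version used is whatever ssltest
# negotiates by default (unless $extra selects one).
# $ssltest, $CA and $extra are expanded unquoted on purpose (option strings).

echo test sslv2/sslv3
$ssltest $extra || exit 1

echo test sslv2/sslv3 with server authentication
$ssltest -server_auth $CA $extra || exit 1

echo test sslv2/sslv3 with client authentication
$ssltest -client_auth $CA $extra || exit 1

echo test sslv2/sslv3 with both client and server authentication
$ssltest -server_auth -client_auth $CA $extra || exit 1

echo test sslv2/sslv3 via BIO pair
# The label promises a BIO pair, so pass -bio_pair; without it this case only
# repeated the plain handshake at the top of the section.
$ssltest -bio_pair $extra || exit 1

# Skipped for DSA certificates (dsa_cert is set from the certificate text).
if [ "$dsa_cert" = NO ]; then
  echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
  $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
fi

# 1024-bit DHE parameters are below current key-size recommendations; this
# case only checks that such a handshake still completes.
echo test sslv2/sslv3 with 1024bit DHE via BIO pair
$ssltest -bio_pair -dhe1024dsa -v $extra || exit 1

# Label now says "via BIO pair" so it is distinguishable in the log from the
# direct server-authentication case above.
echo test sslv2/sslv3 with server authentication via BIO pair
$ssltest -bio_pair -server_auth $CA $extra || exit 1

echo test sslv2/sslv3 with client authentication via BIO pair
$ssltest -bio_pair -client_auth $CA $extra || exit 1

echo test sslv2/sslv3 with both client and server authentication via BIO pair
$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1

echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1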
54e90e4cafSjsing
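echo "Testing ciphersuites"

# Positive tests: every RSA-authenticated suite that `openssl ciphers -v`
# tags with the given protocol must complete a handshake. -tls1_2 is passed
# for both tags. The protocol name reaches awk through -v and is matched as a
# literal, space-delimited field rather than being spliced into the program.
# NOTE(review): an empty cipher list makes a loop pass without testing
# anything; $extra is not passed to these invocations.
for protocol in SSLv3 TLSv1.2; do
  echo "Testing ciphersuites for $protocol"
  for cipher in $($openssl ciphers -v "$protocol+aRSA" |
    awk -v proto="$protocol" 'index($0, " " proto " ") { print $1 }'); do
    echo "Testing $cipher"
    if ! $ssltest -cipher "$cipher" -tls1_2; then
      echo "Failed $cipher"
      exit 1
    fi
  done
done

# TLSv1.3 suites must handshake at security level 2 ...
for protocol in TLSv1.3; do
  echo "Testing ciphersuites for $protocol at security level 2"
  for cipher in $($openssl ciphers -v "$protocol" |
    awk -v proto="$protocol" 'index($0, " " proto " ") { print $1 }'); do
    echo "Testing $cipher"
    if ! $ssltest -cipher "$cipher" -seclevel 2; then
      echo "Failed $cipher"
      exit 1
    fi
  done
done

# ... and must be refused at security level 3.
# NOTE(review): this is a negative test in which any non-zero exit counts as
# the expected refusal. The level-2 loop above shows the same suites can
# handshake, but a failure unrelated to the security level (for example a
# crash that only occurs with -seclevel 3) would still be accepted here.
for protocol in TLSv1.3; do
  echo "Testing ciphersuites for $protocol at security level 3"
  for cipher in $($openssl ciphers -v "$protocol" |
    awk -v proto="$protocol" 'index($0, " " proto " ") { print $1 }'); do
    echo "Testing $cipher"
    if $ssltest -cipher "$cipher" -seclevel 3; then
      echo "Failed $cipher should not have succeeded"
      exit 1
    fi
  done
done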
92e90e4cafSjsing
93e90e4cafSjsing#############################################################################
94e90e4cafSjsing
# No test is run on either path: both outcomes of the no-dh probe only print
# a notice. $openssl is expanded unquoted on purpose (command string).
if ! $openssl no-dh; then
  echo skipping tls1 tests.
else
  echo skipping anonymous DH tests
fi
100e90e4cafSjsing
101aa735308Sbcook#if $openssl no-rsa; then
102e90e4cafSjsing#  echo skipping RSA tests
103e90e4cafSjsing#else
104e90e4cafSjsing#  echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
105e90e4cafSjsing#  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
106e90e4cafSjsing#
107aa735308Sbcook#  if $openssl no-dh; then
108e90e4cafSjsing#    echo skipping RSA+DHE tests
109e90e4cafSjsing#  else
110e90e4cafSjsing#    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
111e90e4cafSjsing#    ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
112e90e4cafSjsing#  fi
113e90e4cafSjsing#fi
114e90e4cafSjsing
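#
# DTLS tests
#
# Same handshake matrix as the stream tests, run with -dtls1_2.
# $ssltest, $CA and $extra are expanded unquoted on purpose (option strings).

# The first case had no label; print one so a failure can be located in the
# log like the others.
echo test dtlsv1_2
$ssltest -dtls1_2 $extra || exit 1

echo test dtlsv1_2 with server authentication
$ssltest -dtls1_2 -server_auth $CA $extra || exit 1

echo test dtlsv1_2 with client authentication
$ssltest -dtls1_2 -client_auth $CA $extra || exit 1

echo test dtlsv1_2 with both client and server authentication
$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1

echo "Testing DTLS ciphersuites"
# RC4 suites are filtered out of the list before testing. The protocol name
# reaches awk through -v and is matched as a literal, space-delimited field.
# NOTE(review): an empty cipher list makes the loop pass without testing
# anything; $extra is not passed to these invocations.
for protocol in SSLv3; do
  echo "Testing ciphersuites for $protocol"
  for cipher in $($openssl ciphers -v "RSA+$protocol" |
    awk -v proto="$protocol" \
      'index($0, " " proto " ") && $1 !~ /RC4/ { print $1 }'); do
    echo "Testing $cipher"
    if ! $ssltest -cipher "$cipher" -dtls1_2; then
      echo "Failed $cipher"
      exit 1
    fi
  done
done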
1442011c60cSjsing
#
# ALPN tests
#

# Run one ALPN handshake over a BIO pair and abort the script on failure.
# Arguments: $1 - client protocol list
#            $2 - server protocol list
#            $3 - protocol expected to be selected (optional)
# NOTE(review): the cases without $3 are the ones whose lists share no
# protocol; presumably ssltest then checks that nothing was selected.
alpn_case() {
  if [ $# -ge 3 ]; then
    $ssltest -bio_pair -alpn_client "$1" -alpn_server "$2" \
      -alpn_expected "$3" || exit 1
  else
    $ssltest -bio_pair -alpn_client "$1" -alpn_server "$2" || exit 1
  fi
}

echo "Testing ALPN..."
alpn_case foo bar
alpn_case foo foo foo
alpn_case foo,bar foo foo
alpn_case bar,foo foo foo
alpn_case bar,foo foo,bar foo
alpn_case bar,foo bar,foo bar
alpn_case foo,bar bar,foo bar
alpn_case baz bar,foo