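#!/bin/sh
#
# Drives ssltest through a series of TLS and DTLS handshake scenarios and
# exits with status 1 at the first scenario that does not behave as expected.
#
# Usage: <this script> key cert cafile [ssltest [openssl [extra]]]
#   $1  private key file, passed to ssltest as -key and -c_key
#   $2  certificate file, passed to ssltest as -cert and -c_cert
#   $3  CA file, passed as -CAfile in the authentication scenarios
#   $4  ssltest command (default: ./ssltest)
#   $5  openssl command (default: openssl)
#   $6  extra ssltest options; appended to the plain scenarios, but not to
#       the per-ciphersuite loops or the ALPN cases
#
# The "sslv2/sslv3" wording in the scenario labels is kept as found. No
# protocol-version option is passed on those lines, so the version that is
# actually negotiated is whatever ssltest picks by default.
#
# $ssltest_cmd, $openssl and $extra are expanded unquoted on purpose so that
# multi-word values keep splitting into separate arguments.
# shellcheck disable=SC2086

key="$1"
cert="$2"
cafile="$3"
ssltest_cmd=${4-./ssltest}
openssl=${5-openssl}
extra="$6"

# Run ssltest with the same key/cert pair for server and client, followed by
# the scenario-specific options given as arguments. The file paths are quoted
# so that spaces or glob characters in them cannot change the command line.
# (Not named "ssltest": that would recurse if $4 is the bare word ssltest.)
run_ssltest() {
  $ssltest_cmd -key "$key" -cert "$cert" -c_key "$key" -c_cert "$cert" "$@"
}

# Print the names of the ciphersuites that `openssl ciphers -v SPEC` lists
# with PROTOCOL as a separate, space-delimited field (matched literally).
#   $1  cipher spec handed to `openssl ciphers -v`
#   $2  protocol name to look for
list_ciphers() {
  $openssl ciphers -v "$1" |
    awk -v proto="$2" 'index($0, " " proto " ") { print $1 }'
}

# Make an empty cipher list visible. A loop over an empty list runs no
# handshake at all and would otherwise look like a pass; this matters most
# for the negative (must-fail) loop below.
#   $1  the cipher list
#   $2  label used in the warning
warn_if_empty() {
  [ -n "$1" ] ||
    echo "warning: no ciphersuites listed for $2; nothing was tested" >&2
}

$openssl version || exit 1

# The scenario without (EC)DHE is skipped for DSA certificates.
if $openssl x509 -in "$cert" -text -noout |
  grep -F 'DSA Public Key' >/dev/null; then
  dsa_cert=YES
else
  dsa_cert=NO
fi

#############################################################################

echo test sslv2/sslv3
run_ssltest $extra || exit 1

echo test sslv2/sslv3 with server authentication
run_ssltest -server_auth -CAfile "$cafile" $extra || exit 1

echo test sslv2/sslv3 with client authentication
run_ssltest -client_auth -CAfile "$cafile" $extra || exit 1

echo test sslv2/sslv3 with both client and server authentication
run_ssltest -server_auth -client_auth -CAfile "$cafile" $extra || exit 1

# This scenario used to run without -bio_pair, which made it a repeat of the
# first scenario instead of the BIO-pair run its label announces.
echo test sslv2/sslv3 via BIO pair
run_ssltest -bio_pair $extra || exit 1

if [ "$dsa_cert" = NO ]; then
  echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
  run_ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
fi

echo test sslv2/sslv3 with 1024bit DHE via BIO pair
run_ssltest -bio_pair -dhe1024dsa -v $extra || exit 1

# Label now says "via BIO pair" to match the -bio_pair option on the command.
echo test sslv2/sslv3 with server authentication via BIO pair
run_ssltest -bio_pair -server_auth -CAfile "$cafile" $extra || exit 1

echo test sslv2/sslv3 with client authentication via BIO pair
run_ssltest -bio_pair -client_auth -CAfile "$cafile" $extra || exit 1

echo test sslv2/sslv3 with both client and server authentication via BIO pair
run_ssltest -bio_pair -server_auth -client_auth -CAfile "$cafile" $extra ||
  exit 1

echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
run_ssltest -bio_pair -server_auth -client_auth -app_verify \
  -CAfile "$cafile" $extra || exit 1

echo "Testing ciphersuites"
for protocol in SSLv3 TLSv1.2; do
  echo "Testing ciphersuites for $protocol"
  ciphers=$(list_ciphers "$protocol+aRSA" "$protocol")
  warn_if_empty "$ciphers" "$protocol"
  for cipher in $ciphers; do
    echo "Testing $cipher"
    if ! run_ssltest -cipher "$cipher" -tls1_2; then
      echo "Failed $cipher"
      exit 1
    fi
  done
done

for protocol in TLSv1.3; do
  echo "Testing ciphersuites for $protocol at security level 2"
  ciphers=$(list_ciphers "$protocol" "$protocol")
  warn_if_empty "$ciphers" "$protocol at security level 2"
  for cipher in $ciphers; do
    echo "Testing $cipher"
    if ! run_ssltest -cipher "$cipher" -seclevel 2; then
      echo "Failed $cipher"
      exit 1
    fi
  done
done

# Negative test: every handshake at security level 3 is expected to fail.
# NOTE(review): presumably because the test key/cert does not meet level 3;
# confirm. Any non-zero exit counts as the expected failure here, so a crash
# or a usage error in ssltest is indistinguishable from a proper rejection.
for protocol in TLSv1.3; do
  echo "Testing ciphersuites for $protocol at security level 3"
  ciphers=$(list_ciphers "$protocol" "$protocol")
  warn_if_empty "$ciphers" "$protocol at security level 3"
  for cipher in $ciphers; do
    echo "Testing $cipher"
    if run_ssltest -cipher "$cipher" -seclevel 3; then
      echo "Failed $cipher should not have succeeded"
      exit 1
    fi
  done
done

#############################################################################

# `openssl no-dh` exits 0 when DH is not available in this build.
# Anonymous DH authenticates neither peer; the scenario is here for
# handshake coverage only.
if $openssl no-dh; then
  echo skipping anonymous DH tests
else
  echo test tls1 with 1024bit anonymous DH, multiple handshakes
  run_ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time \
    $extra || exit 1
fi

#if $openssl no-rsa; then
#  echo skipping RSA tests
#else
#  echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
#  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
#
#  if $openssl no-dh; then
#    echo skipping RSA+DHE tests
#  else
#    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
#    ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
#  fi
#fi

#
# DTLS tests
#

echo test dtlsv1
run_ssltest -dtls1 $extra || exit 1

echo test dtlsv1 with server authentication
run_ssltest -dtls1 -server_auth -CAfile "$cafile" $extra || exit 1

echo test dtlsv1 with client authentication
run_ssltest -dtls1 -client_auth -CAfile "$cafile" $extra || exit 1

echo test dtlsv1 with both client and server authentication
run_ssltest -dtls1 -server_auth -client_auth -CAfile "$cafile" $extra ||
  exit 1

echo "Testing DTLS ciphersuites"
for protocol in SSLv3; do
  echo "Testing ciphersuites for $protocol"
  # RC4 suites are filtered out of the DTLS run.
  ciphers=$(list_ciphers "RSA+$protocol" "$protocol" | grep -v RC4)
  warn_if_empty "$ciphers" "DTLS $protocol"
  for cipher in $ciphers; do
    echo "Testing $cipher"
    if ! run_ssltest -cipher "$cipher" -dtls1; then
      echo "Failed $cipher"
      exit 1
    fi
  done
done

#
# ALPN tests
#
# The first and last cases offer protocol lists with nothing in common and
# pass no -alpn_expected. In the overlapping cases the expected protocol is
# the first entry of the server's list that the client also offers.
echo "Testing ALPN..."
run_ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
run_ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo \
  -alpn_expected foo || exit 1
run_ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo \
  -alpn_expected foo || exit 1
run_ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo \
  -alpn_expected foo || exit 1
run_ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar \
  -alpn_expected foo || exit 1
run_ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo \
  -alpn_expected bar || exit 1
run_ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo \
  -alpn_expected bar || exit 1
run_ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1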