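#!/bin/sh
#
# TLS/DTLS regression driver. Runs the ssltest program through plain,
# authenticated, BIO-pair, per-ciphersuite, security-level, DTLS and ALPN
# scenarios, and exits 1 at the first scenario that does not behave as
# expected.
#
# Arguments:
#   $1  private key file, used for the server (-key) and the client (-c_key)
#   $2  certificate file, used for the server (-cert) and the client (-c_cert)
#   $3  CA file, passed as -CAfile in the authentication scenarios
#   $4  ssltest command (default: ./ssltest)
#   $5  openssl command (default: openssl)
#   $6  extra arguments appended to most ssltest invocations
#
# $ssltest, $CA, $extra and $openssl each hold a command or an option list and
# are expanded unquoted on purpose so that they split into words. Because the
# key, certificate and CA paths are embedded in those strings, they must not
# contain whitespace or glob characters.
#
# NOTE(review): when $3 is empty, $CA expands to a lone "-CAfile" and the next
# word on the command line (or nothing) becomes its argument. How ssltest
# reacts to that is not visible here; callers should always pass a CA file.

key="$1"
cert="$2"
CA="-CAfile $3"
ssltest="${4-./ssltest} -key $key -cert $cert -c_key $key -c_cert $cert"
openssl=${5-openssl}
extra="$6"

# Print the names of the ciphers selected by cipher string $1 whose
# `openssl ciphers -v` line contains protocol $2 surrounded by spaces.
# The protocol is handed to awk as a variable rather than spliced into the
# awk program text; it is still matched as a regular expression, as before.
#
# NOTE(review): a failing `openssl ciphers` yields an empty list, so the loop
# that consumes it runs zero times and reports nothing. That matters most for
# the security level 3 loop, which would then pass without testing anything.
ciphers_for() {
  $openssl ciphers -v "$1" |
    awk -v proto="$2" '$0 ~ (" " proto " ") { print $1 }'
}

$openssl version || exit 1

# Remember whether the certificate carries a DSA key; the scenario without
# (EC)DHE is skipped for DSA certificates further down.
if $openssl x509 -in "$cert" -text -noout | grep -F 'DSA Public Key' >/dev/null; then
  dsa_cert=YES
else
  dsa_cert=NO
fi

#############################################################################

echo test sslv2/sslv3
$ssltest $extra || exit 1

echo test sslv2/sslv3 with server authentication
$ssltest -server_auth $CA $extra || exit 1

echo test sslv2/sslv3 with client authentication
$ssltest -client_auth $CA $extra || exit 1

echo test sslv2/sslv3 with both client and server authentication
$ssltest -server_auth -client_auth $CA $extra || exit 1

# NOTE(review): the label says "via BIO pair" but the command carries no
# -bio_pair, so this repeats the first scenario. Left unchanged; confirm
# whether -bio_pair was intended before relying on this as BIO-pair coverage.
echo test sslv2/sslv3 via BIO pair
$ssltest $extra || exit 1

if [ "$dsa_cert" = NO ]; then
  echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
  $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
fi

echo test sslv2/sslv3 with 1024bit DHE via BIO pair
$ssltest -bio_pair -dhe1024dsa -v $extra || exit 1

echo test sslv2/sslv3 with server authentication
$ssltest -bio_pair -server_auth $CA $extra || exit 1

echo test sslv2/sslv3 with client authentication via BIO pair
$ssltest -bio_pair -client_auth $CA $extra || exit 1

echo test sslv2/sslv3 with both client and server authentication via BIO pair
$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1

echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1

# Per-ciphersuite handshakes. The command substitutions below are left
# unquoted so that each cipher name becomes one loop item. These loops do not
# append $extra.
echo "Testing ciphersuites"
for protocol in SSLv3 TLSv1.2; do
  echo "Testing ciphersuites for $protocol"
  for cipher in $(ciphers_for "$protocol+aRSA" "$protocol"); do
    echo "Testing $cipher"
    $ssltest -cipher "$cipher" -tls1_2 || {
      echo "Failed $cipher"
      exit 1
    }
  done
done
for protocol in TLSv1.3; do
  echo "Testing ciphersuites for $protocol at security level 2"
  for cipher in $(ciphers_for "$protocol" "$protocol"); do
    echo "Testing $cipher"
    $ssltest -cipher "$cipher" -seclevel 2 || {
      echo "Failed $cipher"
      exit 1
    }
  done
done
# Negative test: at security level 3 every handshake is expected to fail, so a
# successful ssltest run is the error case here.
for protocol in TLSv1.3; do
  echo "Testing ciphersuites for $protocol at security level 3"
  for cipher in $(ciphers_for "$protocol" "$protocol"); do
    echo "Testing $cipher"
    if $ssltest -cipher "$cipher" -seclevel 3; then
      echo "Failed $cipher should not have succeeded"
      exit 1
    fi
  done
done

#############################################################################

# Both branches only print a message; no test is run in either case.
if $openssl no-dh; then
  echo skipping anonymous DH tests
else
  echo skipping tls1 tests.
fi

#if $openssl no-rsa; then
#  echo skipping RSA tests
#else
#  echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
#  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
#
#  if $openssl no-dh; then
#    echo skipping RSA+DHE tests
#  else
#    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
#    ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
#  fi
#fi

#
# DTLS tests
#

$ssltest -dtls1_2 $extra || exit 1

echo test dtlsv1_2 with server authentication
$ssltest -dtls1_2 -server_auth $CA $extra || exit 1

echo test dtlsv1_2 with client authentication
$ssltest -dtls1_2 -client_auth $CA $extra || exit 1

echo test dtlsv1_2 with both client and server authentication
$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1

# Same per-ciphersuite loop as above, over DTLS, with RC4 suites filtered out
# of the list.
echo "Testing DTLS ciphersuites"
for protocol in SSLv3; do
  echo "Testing ciphersuites for $protocol"
  for cipher in $(ciphers_for "RSA+$protocol" "$protocol" | grep -v RC4); do
    echo "Testing $cipher"
    $ssltest -cipher "$cipher" -dtls1_2 || {
      echo "Failed $cipher"
      exit 1
    }
  done
done

#
# ALPN tests
#
# In the cases below that pass -alpn_expected, the expected protocol is the
# first entry of the server's list that the client also offers. The first and
# last cases share no protocol and pass no -alpn_expected.
# NOTE(review): presumably ssltest then checks that nothing was negotiated;
# confirm in ssltest.
echo "Testing ALPN..."
$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1
$ssltest -bio_pair -alpn_client foo -alpn_server foo \
  -alpn_expected foo || exit 1
$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \
  -alpn_expected foo || exit 1
$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \
  -alpn_expected foo || exit 1
$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \
  -alpn_expected foo || exit 1
$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \
  -alpn_expected bar || exit 1
$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \
  -alpn_expected bar || exit 1
$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1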