
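#!/bin/sh
# Regression driver for ./ssltest: handshakes an in-process client and server
# across protocol versions, authentication modes, ciphersuites and extensions.
#
# Usage: testssl [key [cert [CAfile [extra-args]]]]
#   $1  private key file              (default: ../apps/server.pem)
#   $2  certificate file              (default: ../apps/server.pem)
#   $3  CA file for -server_auth/-client_auth; if absent, -CApath ../certs
#   $4  extra arguments appended to most ssltest invocations
# The same key/cert pair is used for both the server and the client side.
# Any failing test aborts the script with exit status 1.
#
# $ssltest is a command *string* that later lines word-split on purpose
# (POSIX sh has no arrays), so the key/cert paths must not contain whitespace
# or glob characters.
key=${1:-../apps/server.pem}
cert=${2:-../apps/server.pem}
ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
# A few tests below are RSA-only; detect a DSA certificate from the parsed
# certificate text.  -F: fixed-string match (fgrep is obsolescent).
if ../util/shlib_wrap.sh ../apps/openssl x509 -in "$cert" -text -noout | grep -F 'DSA Public Key' >/dev/null; then
  dsa_cert=YES
else
  dsa_cert=NO
fi
# Trust anchors for the peer-authentication tests.
if [ -n "$3" ]; then
  CA="-CAfile $3"
else
  CA="-CApath ../certs"
fi
extra="$4"
# Extension payload for the serverinfo tests.
serverinfo="./serverinfo.pem"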
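#############################################################################
# Protocol-version handshakes, each with and without peer authentication.
# Every test is chained with `|| exit 1`, so the first failing handshake
# aborts the whole run.  SSLv2 and SSLv3 are obsolete; they are kept only so
# the legacy code paths do not regress.  Unlike the weak-DH check further
# down, these runs are not preceded by an `openssl no-ssl2`/`no-ssl3` probe,
# so a build with those protocols compiled out presumably aborts at the first
# -ssl2/-ssl3 test instead of skipping it.
echo test sslv2
$ssltest -ssl2 $extra || exit 1
echo test sslv2 with server authentication
$ssltest -ssl2 -server_auth $CA $extra || exit 1
# Client authentication under SSLv2 runs only with an RSA certificate
# ($dsa_cert is detected at the top; presumably SSLv2 cannot use a DSA key).
if [ "$dsa_cert" = NO ]; then
  echo test sslv2 with client authentication
  $ssltest -ssl2 -client_auth $CA $extra || exit 1
  echo test sslv2 with both client and server authentication
  $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1
fi
echo test sslv3
$ssltest -ssl3 $extra || exit 1
echo test sslv3 with server authentication
$ssltest -ssl3 -server_auth $CA $extra || exit 1
echo test sslv3 with client authentication
$ssltest -ssl3 -client_auth $CA $extra || exit 1
echo test sslv3 with both client and server authentication
$ssltest -ssl3 -server_auth -client_auth $CA $extra || exit 1
# No version flag: client and server negotiate the version themselves.
echo test sslv2/sslv3
$ssltest $extra || exit 1
echo test sslv2/sslv3 with server authentication
$ssltest -server_auth $CA $extra || exit 1
echo test sslv2/sslv3 with client authentication
$ssltest -client_auth $CA $extra || exit 1
echo test sslv2/sslv3 with both client and server authentication
$ssltest -server_auth -client_auth $CA $extra || exit 1
# The same matrix again over a BIO pair (-bio_pair) instead of the default
# transport.
echo test sslv2 via BIO pair
$ssltest -bio_pair -ssl2 $extra || exit 1
echo test sslv2 with server authentication via BIO pair
$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1
if [ "$dsa_cert" = NO ]; then
  echo test sslv2 with client authentication via BIO pair
  $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1
  echo test sslv2 with both client and server authentication via BIO pair
  $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1
fi
echo test sslv3 via BIO pair
$ssltest -bio_pair -ssl3 $extra || exit 1
echo test sslv3 with server authentication via BIO pair
$ssltest -bio_pair -ssl3 -server_auth $CA $extra || exit 1
echo test sslv3 with client authentication via BIO pair
$ssltest -bio_pair -ssl3 -client_auth $CA $extra || exit 1
echo test sslv3 with both client and server authentication via BIO pair
$ssltest -bio_pair -ssl3 -server_auth -client_auth $CA $extra || exit 1
echo test sslv2/sslv3 via BIO pair
# This case was labelled "via BIO pair" but ran without -bio_pair, i.e. it
# silently repeated the plain "test sslv2/sslv3" case above; pass the flag.
$ssltest -bio_pair $extra || exit 1
echo test dtlsv1
$ssltest -dtls1 $extra || exit 1
echo test dtlsv1 with server authentication
$ssltest -dtls1 -server_auth $CA $extra || exit 1
echo test dtlsv1 with client authentication
$ssltest -dtls1 -client_auth $CA $extra || exit 1
echo test dtlsv1 with both client and server authentication
$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
echo test dtlsv1.2
$ssltest -dtls12 $extra || exit 1
echo test dtlsv1.2 with server authentication
$ssltest -dtls12 -server_auth $CA $extra || exit 1
echo test dtlsv1.2 with client authentication
$ssltest -dtls12 -client_auth $CA $extra || exit 1
echo test dtlsv1.2 with both client and server authentication
$ssltest -dtls12 -server_auth -client_auth $CA $extra || exit 1
# Skipped for a DSA certificate (presumably because without (EC)DHE the only
# remaining key exchange is RSA).
if [ "$dsa_cert" = NO ]; then
  echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
  $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
fi
echo test sslv2/sslv3 with 1024bit DHE via BIO pair
$ssltest -bio_pair -dhe1024dsa -v $extra || exit 1
# Label corrected: this run uses -bio_pair like its neighbours.
echo test sslv2/sslv3 with server authentication via BIO pair
$ssltest -bio_pair -server_auth $CA $extra || exit 1
echo test sslv2/sslv3 with client authentication via BIO pair
$ssltest -bio_pair -client_auth $CA $extra || exit 1
echo test sslv2/sslv3 with both client and server authentication via BIO pair
$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
# -app_verify: presumably certificate verification goes through an
# application-supplied callback rather than the default verifier.
echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1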
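#######################################
# Handshake once with a single ciphersuite and abort the run on failure.
# Globals:   ssltest (read) - word-split command string built at the top
# Arguments: $1 - ciphersuite name
#            $2 - protocol label; "SSLv3" pins the handshake with -ssl3,
#                 anything else (or no argument) lets the version negotiate
# Outputs:   "Testing <cipher>", and "Failed <cipher>" on failure
# Returns:   0 on success; exits the script with status 1 on a failed handshake
#######################################
test_cipher() {
  _cipher=$1
  echo "Testing $_cipher"
  # Quoted so a missing/empty $2 is a plain mismatch instead of a
  # "unary operator expected" error from [.
  if [ "$2" = "SSLv3" ]; then
    prot="-ssl3"
  else
    prot=""
  fi
  # $ssltest and $prot are deliberately unquoted: the former is a command
  # string that must word-split, the latter must vanish when empty.
  if ! $ssltest -cipher "$_cipher" $prot; then
    echo "Failed $_cipher"
    exit 1
  fi
}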
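echo "Testing ciphersuites"
# For each protocol, enumerate the ciphersuites the library itself reports for
# the selector and handshake with each one individually, so a suite that is
# advertised but cannot actually negotiate is caught.  Export-strength suites
# are excluded from the DHE/ECDHE lists (":-EXP").
for protocol in TLSv1.2 SSLv3; do
  echo "Testing ciphersuites for $protocol"
  # NOTE(review): unlike the weak-DH check below, this loop is not skipped on
  # an `openssl no-ssl3` build; such a build presumably fails here - confirm.
  for cipher in $(../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '); do
    test_cipher "$cipher" "$protocol"
  done
  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
    echo "skipping RSA+DHE tests"
  else
    for cipher in $(../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '); do
      test_cipher "$cipher" "$protocol"
    done
    # Negative test: a 512-bit ephemeral DH group must be rejected, so a
    # handshake that *succeeds* is the failure here.
    echo "testing connection with weak DH, expecting failure"
    if [ "$protocol" = "SSLv3" ] && ../util/shlib_wrap.sh ../apps/openssl no-ssl3; then
      echo "skipping weak DH test for disabled protocol"
    else
      weak_dh_prot=""
      if [ "$protocol" = "SSLv3" ]; then
        weak_dh_prot="-ssl3"
      fi
      # $weak_dh_prot unquoted on purpose: it must vanish when empty.
      if $ssltest -cipher EDH -dhe512 $weak_dh_prot; then
        echo "FAIL: connection with weak DH succeeded"
        exit 1
      fi
    fi
  fi
  if ../util/shlib_wrap.sh ../apps/openssl no-ec; then
    echo "skipping RSA+ECDHE tests"
  else
    for cipher in $(../util/shlib_wrap.sh ../apps/openssl ciphers "EECDH+aRSA+$protocol:-EXP" | tr ':' ' '); do
      test_cipher "$cipher" "$protocol"
    done
  fi
done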
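#############################################################################
# Repeated handshakes (-num 10) over a BIO pair, with -time for timings.
if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
  echo skipping anonymous DH tests
else
  echo test tls1 with 1024bit anonymous DH, multiple handshakes
  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  echo skipping RSA tests
else
  # These two bypass $ssltest on purpose: they run with ../apps/server2.pem
  # (a 1024-bit RSA certificate) instead of the key/cert given on the
  # command line.
  echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
    echo skipping RSA+DHE tests
  else
    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
    ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
  fi
fi
# Pre-shared key.  The fixed credential is a test fixture, not a real secret.
echo test tls1 with PSK
$ssltest -tls1 -cipher PSK -psk abc123 $extra || exit 1
echo test tls1 with PSK via BIO pair
$ssltest -bio_pair -tls1 -cipher PSK -psk abc123 $extra || exit 1
#############################################################################
# Custom Extension tests
# (from here on the tests do not append $extra)
echo test tls1 with custom extensions
$ssltest -bio_pair -tls1 -custom_ext || exit 1
#############################################################################
# Serverinfo tests: serve the extension data in $serverinfo (set at the top),
# alone, with the -serverinfo_sct / -serverinfo_tack variants, and combined
# with custom extensions.
echo test tls1 with serverinfo
$ssltest -bio_pair -tls1 -serverinfo_file $serverinfo || exit 1
$ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_sct || exit 1
$ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_tack || exit 1
$ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_sct -serverinfo_tack || exit 1
$ssltest -bio_pair -tls1 -custom_ext -serverinfo_file $serverinfo -serverinfo_sct -serverinfo_tack || exit 1
#############################################################################
# SNI tests: -sn_client is the name the client sends, -sn_server1/-sn_server2
# the names the two server contexts answer to, -sn_expectN the context that
# must end up selected.
$ssltest -bio_pair -sn_client foo || exit 1
$ssltest -bio_pair -sn_server1 foo || exit 1
$ssltest -bio_pair -sn_client foo -sn_server1 foo -sn_expect1 || exit 1
$ssltest -bio_pair -sn_client foo -sn_server1 bar -sn_expect1 || exit 1
$ssltest -bio_pair -sn_client foo -sn_server1 foo -sn_server2 bar -sn_expect1 || exit 1
$ssltest -bio_pair -sn_client bar -sn_server1 foo -sn_server2 bar -sn_expect2 || exit 1
# Negative test - make sure it doesn't crash, and doesn't switch contexts
$ssltest -bio_pair -sn_client foobar -sn_server1 foo -sn_server2 bar -sn_expect1 || exit 1
#############################################################################
# ALPN tests.  The rows with both lists overlapping show that the server's
# preference order decides (server "bar,foo" yields bar even when the client
# lists foo first).  Rows without -alpn_expected (no overlap) only require
# that ssltest itself exits 0; what it checks internally is not visible here.
$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo -alpn_expected foo || exit 1
$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo -alpn_expected foo || exit 1
$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo -alpn_expected foo || exit 1
$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar -alpn_expected foo || exit 1
$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo -alpn_expected bar || exit 1
$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo -alpn_expected bar || exit 1
$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
#############################################################################
# ALPN + SNI: the ALPN list of the context selected by SNI must be the one
# used (alice -> context 1 -> foo, bob -> context 2 -> bar), including when
# context 1 has no ALPN list at all.
$ssltest -bio_pair -alpn_client foo,bar -sn_client alice -alpn_server1 foo,123 -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected foo || exit 1
$ssltest -bio_pair -alpn_client foo,bar -sn_client bob -alpn_server1 foo,123 -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected bar || exit 1
$ssltest -bio_pair -alpn_client foo,bar -sn_client bob -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected bar || exit 1
# SRP, with a fixed test-only user/password.  "SRP" covers SRP key exchange,
# "aSRP" the SRP-authenticated suites.
if ../util/shlib_wrap.sh ../apps/openssl no-srp; then
  echo skipping SRP tests
else
  echo test tls1 with SRP
  $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123 || exit 1
  echo test tls1 with SRP via BIO pair
  $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123 || exit 1
  echo test tls1 with SRP auth
  $ssltest -tls1 -cipher aSRP -srpuser test -srppass abc123 || exit 1
  echo test tls1 with SRP auth via BIO pair
  $ssltest -bio_pair -tls1 -cipher aSRP -srpuser test -srppass abc123 || exit 1
fi
#############################################################################
# Multi-buffer tests: push 8 MB through the two AES128 suites.  Only on x86_64
# and only for a default run (no $extra).  Two separate [ ] tests instead of
# the obsolescent -a, and $(uname -m) quoted so a failing uname cannot turn
# the condition into a syntax error.
if [ -z "$extra" ] && [ "$(uname -m)" = "x86_64" ]; then
  $ssltest -cipher AES128-SHA -bytes 8m || exit 1
  $ssltest -cipher AES128-SHA256 -bytes 8m || exit 1
fi
#############################################################################
# Signature algorithms + SNI: the client offers only RSA+SHA256 and the server
# must sign with SHA256, for each context and with/without doing the SNI
# switch inside the certificate callback (-sni_in_cert_cb).
$ssltest -tls12 -sn_client server1 -sn_server1 server1 -sn_server2 server2 -sn_expect1 -client_sigalgs RSA+SHA256 -server_digest_expect SHA256 || exit 1
$ssltest -tls12 -sn_client server1 -sn_server1 server1 -sn_server2 server2 -sn_expect1 -client_sigalgs RSA+SHA256 -server_digest_expect SHA256 -sni_in_cert_cb || exit 1
# Switching SSL_CTX on SNI must not break signature algorithm negotiation.
$ssltest -tls12 -sn_client server2 -sn_server1 server1 -sn_server2 server2 -sn_expect2 -client_sigalgs RSA+SHA256 -server_digest_expect SHA256 || exit 1
$ssltest -tls12 -sn_client server2 -sn_server1 server1 -sn_server2 server2 -sn_expect2 -client_sigalgs RSA+SHA256 -server_digest_expect SHA256 -sni_in_cert_cb || exit 1
#############################################################################
# Session tickets across an SNI context switch.  -s_ticket1/-s_ticket2
# presumably toggle tickets on each server context and -c_ticket on the
# client.  As the table encodes it, a ticket is expected only when the client,
# the initial context (server1) AND the context selected by SNI all have
# tickets enabled: for bob (context 2) the row with s_ticket1=no,
# s_ticket2=yes, c_ticket=yes still expects no ticket.
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket yes -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket yes -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket yes -ticket_expect yes || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket yes -ticket_expect yes || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket yes -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket yes -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket yes -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket yes -ticket_expect yes || exit 1
# A server whose ticket handling is "broken" must not hand out a ticket even
# to a client that asks for one.
$ssltest -bio_pair -s_ticket1 broken -c_ticket yes -ticket_expect no || exit 1
exit 0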