  1. #!/bin/sh
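# Test-harness setup (POSIX sh: no arrays, so command strings are kept as
# plain words and expanded unquoted on purpose wherever $ssltest or $extra
# appears).
#
# Arguments:
#   $1 - private key PEM (default: the bundled apps/server.pem)
#   $2 - certificate PEM (default: the bundled apps/server.pem)
#   $3 - CA file; when absent the ../certs directory is used as -CApath
#   $4 - extra words appended to most ssltest invocations
key=${1:-../apps/server.pem}
cert=${2:-../apps/server.pem}
# One key pair plays both ends: the client (-c_key/-c_cert) reuses the
# server's material.
ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
# Several runs below are RSA-only, so detect a DSA certificate up front.
# This greps the human-readable x509 dump; a failure to run openssl at all
# silently yields NO (the original behaviour), so keep an eye on stderr.
if ../util/shlib_wrap.sh ../apps/openssl x509 -in "$cert" -text -noout | grep -F 'DSA Public Key' >/dev/null; then
  dsa_cert=YES
else
  dsa_cert=NO
fi
# Trust anchors used by every -server_auth / -client_auth run.
if [ -z "$3" ]; then
  CA="-CApath ../certs"
else
  CA="-CAfile $3"
fi
extra=${4:-}
# Extension payloads for the serverinfo runs.
serverinfo="./serverinfo.pem"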
  29. #############################################################################
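# Legacy protocol matrix over sockets. SSLv2 and SSLv3 are obsolete and must
# stay disabled in deployments; these runs only exercise the library's legacy
# code paths in builds that still compile them. Each protocol is tried without
# certificate verification, with server authentication, with client
# authentication, and with both, trusting the anchors in $CA.
echo "test sslv2"
$ssltest -ssl2 $extra || exit 1
echo "test sslv2 with server authentication"
$ssltest -ssl2 -server_auth $CA $extra || exit 1
# SSLv2 client authentication is skipped for a DSA certificate (presumably
# because the SSLv2 code path is RSA-only).
if [ "$dsa_cert" = NO ]; then
  echo "test sslv2 with client authentication"
  $ssltest -ssl2 -client_auth $CA $extra || exit 1
  echo "test sslv2 with both client and server authentication"
  $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1
fi
echo "test sslv3"
$ssltest -ssl3 $extra || exit 1
echo "test sslv3 with server authentication"
$ssltest -ssl3 -server_auth $CA $extra || exit 1
echo "test sslv3 with client authentication"
$ssltest -ssl3 -client_auth $CA $extra || exit 1
echo "test sslv3 with both client and server authentication"
$ssltest -ssl3 -server_auth -client_auth $CA $extra || exit 1
# No protocol flag: the two ends negotiate the version between themselves.
echo "test sslv2/sslv3"
$ssltest $extra || exit 1
echo "test sslv2/sslv3 with server authentication"
$ssltest -server_auth $CA $extra || exit 1
echo "test sslv2/sslv3 with client authentication"
$ssltest -client_auth $CA $extra || exit 1
echo "test sslv2/sslv3 with both client and server authentication"
$ssltest -server_auth -client_auth $CA $extra || exit 1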
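# The same legacy matrix with the two ends joined by a BIO pair instead of a
# socket, so the record layer is driven without any network transport.
echo "test sslv2 via BIO pair"
$ssltest -bio_pair -ssl2 $extra || exit 1
echo "test sslv2 with server authentication via BIO pair"
$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1
# SSLv2 client authentication is skipped for a DSA certificate (presumably
# because the SSLv2 code path is RSA-only).
if [ "$dsa_cert" = NO ]; then
  echo "test sslv2 with client authentication via BIO pair"
  $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1
  echo "test sslv2 with both client and server authentication via BIO pair"
  $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1
fi
echo "test sslv3 via BIO pair"
$ssltest -bio_pair -ssl3 $extra || exit 1
echo "test sslv3 with server authentication via BIO pair"
$ssltest -bio_pair -ssl3 -server_auth $CA $extra || exit 1
echo "test sslv3 with client authentication via BIO pair"
$ssltest -bio_pair -ssl3 -client_auth $CA $extra || exit 1
echo "test sslv3 with both client and server authentication via BIO pair"
$ssltest -bio_pair -ssl3 -server_auth -client_auth $CA $extra || exit 1
echo "test sslv2/sslv3 via BIO pair"
# This run previously omitted -bio_pair, so it merely repeated the socket run
# above and the version-negotiating handshake never went over a BIO pair.
$ssltest -bio_pair $extra || exit 1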
  76. echo test dtlsv1
  77. $ssltest -dtls1 $extra || exit 1
  78. echo test dtlsv1 with server authentication
  79. $ssltest -dtls1 -server_auth $CA $extra || exit 1
  80. echo test dtlsv1 with client authentication
  81. $ssltest -dtls1 -client_auth $CA $extra || exit 1
  82. echo test dtlsv1 with both client and server authentication
  83. $ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
  84. echo test dtlsv1.2
  85. $ssltest -dtls12 $extra || exit 1
  86. echo test dtlsv1.2 with server authentication
  87. $ssltest -dtls12 -server_auth $CA $extra || exit 1
  88. echo test dtlsv1.2 with client authentication
  89. $ssltest -dtls12 -client_auth $CA $extra || exit 1
  90. echo test dtlsv1.2 with both client and server authentication
  91. $ssltest -dtls12 -server_auth -client_auth $CA $extra || exit 1
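# With (EC)DHE disabled only the non-ephemeral key exchange remains, which
# needs an RSA certificate; hence the DSA gate. Note this configuration has
# no forward secrecy and is exercised here only as a code path.
if [ "$dsa_cert" = NO ]; then
  echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
  $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
fi
# 1024-bit DHE is a test-fixture size, not a deployment recommendation.
echo "test sslv2/sslv3 with 1024bit DHE via BIO pair"
$ssltest -bio_pair -dhe1024dsa -v $extra || exit 1
# Message corrected: this run goes over a BIO pair like its neighbours.
echo "test sslv2/sslv3 with server authentication via BIO pair"
$ssltest -bio_pair -server_auth $CA $extra || exit 1
echo "test sslv2/sslv3 with client authentication via BIO pair"
$ssltest -bio_pair -client_auth $CA $extra || exit 1
echo "test sslv2/sslv3 with both client and server authentication via BIO pair"
$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
# -app_verify adds an application-level verify callback on top of the
# chain check against $CA.
echo "test sslv2/sslv3 with both client and server authentication via BIO pair and app verify"
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1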
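# Handshake once with a single ciphersuite and abort the whole run on failure.
#   $1 - ciphersuite name passed to -cipher
#   $2 - protocol label; "SSLv3" pins -ssl3, anything else (TLSv1.2) lets the
#        default negotiation run with no protocol flag
# Prints "Testing <suite>" first and "Failed <suite>" (on stdout, as before)
# before exiting 1. Reads the global $ssltest command string.
test_cipher() {
  _cipher=$1
  _proto=${2:-}
  echo "Testing $_cipher"
  _prot=
  if [ "$_proto" = "SSLv3" ]; then
    _prot=-ssl3
  fi
  # $ssltest is a multi-word command and $_prot is empty or a single flag;
  # both are expanded unquoted on purpose.
  if ! $ssltest -cipher "$_cipher" $_prot; then
    echo "Failed $_cipher"
    exit 1
  fi
}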
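echo "Testing ciphersuites"
# Expand a cipher-list spec into space-separated suite names. Returns non-zero
# when the library yields nothing (rejected spec, or a build with none of the
# suites), so the caller aborts instead of letting a per-suite loop pass
# vacuously with zero iterations.
suites_for() {
  _suites=$(../util/shlib_wrap.sh ../apps/openssl ciphers "$1" | tr ':' ' ')
  [ -n "$_suites" ] || return 1
  printf '%s\n' "$_suites"
}
for protocol in TLSv1.2 SSLv3; do
  echo "Testing ciphersuites for $protocol"
  # Every RSA-authenticated suite offered for this protocol must negotiate.
  # Word-splitting of the suite list is intentional.
  rsa_suites=$(suites_for "RSA+$protocol") || { echo "FAIL: no suites for RSA+$protocol"; exit 1; }
  for cipher in $rsa_suites; do
    test_cipher "$cipher" "$protocol"
  done
  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
    echo "skipping RSA+DHE tests"
  else
    # Export-grade (EXP) suites are deliberately left out of the list.
    dhe_suites=$(suites_for "EDH+aRSA+$protocol:-EXP") || { echo "FAIL: no suites for EDH+aRSA+$protocol"; exit 1; }
    for cipher in $dhe_suites; do
      test_cipher "$cipher" "$protocol"
    done
    # Security regression check: a server offering a 512-bit DH group must be
    # refused by the client. A successful handshake here means the weak-DH
    # guard has regressed.
    echo "testing connection with weak DH, expecting failure"
    weak_dh_prot=
    if [ "$protocol" = "SSLv3" ]; then
      weak_dh_prot=-ssl3
    fi
    if $ssltest -cipher EDH -dhe512 $weak_dh_prot; then
      echo "FAIL: connection with weak DH succeeded"
      exit 1
    fi
  fi
  if ../util/shlib_wrap.sh ../apps/openssl no-ec; then
    echo "skipping RSA+ECDHE tests"
  else
    ecdhe_suites=$(suites_for "EECDH+aRSA+$protocol:-EXP") || { echo "FAIL: no suites for EECDH+aRSA+$protocol"; exit 1; }
    for cipher in $ecdhe_suites; do
      test_cipher "$cipher" "$protocol"
    done
  fi
done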
  150. #############################################################################
# True when the library was built without the named feature, i.e. when
# `openssl no-<feature>` exits successfully.
built_without() {
  ../util/shlib_wrap.sh ../apps/openssl "no-$1"
}
# Repeated handshakes (-num 10, with renegotiation-style reuse via -f and
# timing via -time) over anonymous 1024-bit DH, a test-fixture group size.
if built_without dh; then
  echo "skipping anonymous DH tests"
else
  echo "test tls1 with 1024bit anonymous DH, multiple handshakes"
  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
if built_without rsa; then
  echo "skipping RSA tests"
else
  # These runs bypass $ssltest and name their own certificate (server2.pem,
  # with no separate -key, so presumably it carries its own key).
  rsa_ssltest="../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem"
  echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
  $rsa_ssltest -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
  if built_without dh; then
    echo "skipping RSA+DHE tests"
  else
    echo "test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes"
    $rsa_ssltest -dhe1024dsa -num 10 -f -time $extra || exit 1
  fi
fi
# abc123 is a throwaway test-only pre-shared key.
echo "test tls1 with PSK"
$ssltest -tls1 -cipher PSK -psk abc123 $extra || exit 1
echo "test tls1 with PSK via BIO pair"
$ssltest -bio_pair -tls1 -cipher PSK -psk abc123 $extra || exit 1
  173. #############################################################################
  174. # Custom Extension tests
  175. echo test tls1 with custom extensions
  176. $ssltest -bio_pair -tls1 -custom_ext || exit 1
  177. #############################################################################
  178. # Serverinfo tests
  179. echo test tls1 with serverinfo
  180. $ssltest -bio_pair -tls1 -serverinfo_file $serverinfo || exit 1
  181. $ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_sct || exit 1
  182. $ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_tack || exit 1
  183. $ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_sct -serverinfo_tack || exit 1
  184. $ssltest -bio_pair -tls1 -custom_ext -serverinfo_file $serverinfo -serverinfo_sct -serverinfo_tack || exit 1
  185. #############################################################################
  186. # SNI tests
  187. $ssltest -bio_pair -sn_client foo || exit 1
  188. $ssltest -bio_pair -sn_server1 foo || exit 1
  189. $ssltest -bio_pair -sn_client foo -sn_server1 foo -sn_expect1 || exit 1
  190. $ssltest -bio_pair -sn_client foo -sn_server1 bar -sn_expect1 || exit 1
  191. $ssltest -bio_pair -sn_client foo -sn_server1 foo -sn_server2 bar -sn_expect1 || exit 1
  192. $ssltest -bio_pair -sn_client bar -sn_server1 foo -sn_server2 bar -sn_expect2 || exit 1
  193. # Negative test - make sure it doesn't crash, and doesn't switch contexts
  194. $ssltest -bio_pair -sn_client foobar -sn_server1 foo -sn_server2 bar -sn_expect1 || exit 1
  195. #############################################################################
  196. # ALPN tests
  197. $ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
  198. $ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo -alpn_expected foo || exit 1
  199. $ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo -alpn_expected foo || exit 1
  200. $ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo -alpn_expected foo || exit 1
  201. $ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar -alpn_expected foo || exit 1
  202. $ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo -alpn_expected bar || exit 1
  203. $ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo -alpn_expected bar || exit 1
  204. $ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
  205. #############################################################################
  206. # ALPN + SNI
  207. $ssltest -bio_pair -alpn_client foo,bar -sn_client alice -alpn_server1 foo,123 -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected foo || exit 1
  208. $ssltest -bio_pair -alpn_client foo,bar -sn_client bob -alpn_server1 foo,123 -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected bar || exit 1
  209. $ssltest -bio_pair -alpn_client foo,bar -sn_client bob -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected bar || exit 1
if ../util/shlib_wrap.sh ../apps/openssl no-srp; then
  echo "skipping SRP tests"
else
  # One SRP cipher spec over both transports. "test"/"abc123" are throwaway
  # fixture credentials.
  #   $1 - cipher spec (SRP for the key-exchange suites, aSRP for SRP auth)
  #   $2 - label suffix ("" or " auth")
  run_srp() {
    _srp_cipher=$1
    _srp_suffix=$2
    echo "test tls1 with SRP$_srp_suffix"
    $ssltest -tls1 -cipher "$_srp_cipher" -srpuser test -srppass abc123 || exit 1
    echo "test tls1 with SRP$_srp_suffix via BIO pair"
    $ssltest -bio_pair -tls1 -cipher "$_srp_cipher" -srpuser test -srppass abc123 || exit 1
  }
  run_srp SRP ""
  run_srp aSRP " auth"
fi
  222. #############################################################################
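# Multi-buffer tests
# Only on x86_64 and only when no extra options are in play: push 8 MiB
# through the AES-CBC + SHA suites (presumably the ones the multi-buffer
# implementation covers — confirm against ssltest's -bytes handling). Two
# [ ] tests joined by && replace the deprecated -a operator and backticks.
if [ -z "$extra" ] && [ "$(uname -m)" = "x86_64" ]; then
  $ssltest -cipher AES128-SHA -bytes 8m || exit 1
  $ssltest -cipher AES128-SHA256 -bytes 8m || exit 1
fi
#############################################################################
# Session tickets across SNI. -s_ticket1/-s_ticket2 switch tickets on each
# server context, -c_ticket on the client, -ticket_expect states whether a
# ticket must be issued. The table encodes one rule: a ticket is issued only
# when the client asked for one AND server1 (the initial context) has them on
# AND, if the client's name selects server2, server2 has them on as well.
# Presumably the extension is settled on the initial context before the SNI
# switch — confirm against the server-side code.
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket yes -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket yes -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket yes -ticket_expect yes || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket yes -ticket_expect yes || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket yes -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket yes -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket yes -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
$ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket yes -ticket_expect yes || exit 1
# Robustness case: server1 is configured with a "broken" ticket setup
# (exact meaning lives in ssltest); the client must survive it and no ticket
# may result.
$ssltest -bio_pair -s_ticket1 broken -c_ticket yes -ticket_expect no || exit 1
exit 0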