1#! /bin/sh 2# Tests ECC cipher suites using ssltest. Requires one argument which could 3# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa. 4# A second optional argument can be one of ssl2 ssl3 or tls1 5 6if [ "$1" = "" ]; then 7 (echo "Usage: $0 test [ protocol ]" 8 echo " where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa" 9 echo " and protocol (optional) is one of ssl2, ssl3, tls1" 10 echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first." 11 ) >&2 12 exit 1 13fi 14 15 16OPENSSL_DIR=../.. 17CERTS_DIR=./Certs 18SSLTEST=$OPENSSL_DIR/test/ssltest 19# SSL protocol version to test (one of ssl2 ssl3 or tls1)" 20SSLVERSION= 21 22# These don't really require any certificates 23AECDH_CIPHER_LIST="AECDH-AES256-SHA AECDH-AES128-SHA AECDH-DES-CBC3-SHA AECDH-RC4-SHA AECDH-NULL-SHA" 24 25# These require ECC certificates signed with ECDSA 26# The EC public key must be authorized for key agreement. 27ECDH_ECDSA_CIPHER_LIST="ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA" 28 29# These require ECC certificates. 30# The EC public key must be authorized for digital signature. 31ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-NULL-SHA" 32 33# These require ECC certificates signed with RSA. 34# The EC public key must be authorized for key agreement. 35ECDH_RSA_CIPHER_LIST="ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA" 36 37# These require RSA certificates. 38# The RSA public key must be authorized for digital signature. 39ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-NULL-SHA" 40 41# List of Elliptic curves over which we wish to test generation of 42# ephemeral ECDH keys when using AECDH or ECDHE ciphers 43# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1 44#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1" 45ELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1" 46 47DEFAULT_CURVE="sect163r2" 48 49if [ "$2" = "" ]; then 50 if [ "$SSL_VERSION" = "" ]; then 51 SSL_VERSION="" 52 else 53 SSL_VERSION="-$SSL_VERSION" 54 fi 55else 56 SSL_VERSION="-$2" 57fi 58 59#============================================================== 60# Anonymous cipher suites do not require key or certificate files 61# but ssltest expects a cert file and complains if it can't 62# open the default one. 63SERVER_PEM=$OPENSSL_DIR/apps/server.pem 64 65if [ "$1" = "aecdh" ]; then 66for cipher in $AECDH_CIPHER_LIST 67do 68 echo "Testing $cipher" 69 $SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher 70done 71#-------------------------------------------------------------- 72for curve in $ELLIPTIC_CURVE_LIST 73do 74 echo "Testing AECDH-NULL-SHA (with $curve)" 75 $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ 76 -named_curve $curve -cipher AECDH-NULL-SHA 77done 78 79for curve in $ELLIPTIC_CURVE_LIST 80do 81 echo "Testing AECDH-RC4-SHA (with $curve)" 82 $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ 83 -named_curve $curve -cipher AECDH-RC4-SHA 84done 85fi 86 87#============================================================== 88# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require 89# the server to have an ECC certificate signed with ECDSA. 90CA_PEM=$CERTS_DIR/secp160r1TestCA.pem 91SERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem 92CLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem 93 94if [ "$1" = "ecdh-ecdsa" ]; then 95for cipher in $ECDH_ECDSA_CIPHER_LIST 96do 97 echo "Testing $cipher (with server authentication)" 98 $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 99 -cert $SERVER_PEM -server_auth \ 100 -cipher $cipher 101 102 echo "Testing $cipher (with server and client authentication)" 103 $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 104 -cert $SERVER_PEM -server_auth \ 105 -c_cert $CLIENT_PEM -client_auth \ 106 -cipher $cipher 107done 108fi 109 110#============================================================== 111if [ "$1" = "ecdhe-ecdsa" ]; then 112for cipher in $ECDHE_ECDSA_CIPHER_LIST 113do 114 echo "Testing $cipher (with server authentication)" 115 $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 116 -cert $SERVER_PEM -server_auth \ 117 -cipher $cipher -named_curve $DEFAULT_CURVE 118 119 echo "Testing $cipher (with server and client authentication)" 120 $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 121 -cert $SERVER_PEM -server_auth \ 122 -c_cert $CLIENT_PEM -client_auth \ 123 -cipher $cipher -named_curve $DEFAULT_CURVE 124done 125 126#-------------------------------------------------------------- 127for curve in $ELLIPTIC_CURVE_LIST 128do 129 echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)" 130 $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 131 -cert $SERVER_PEM -server_auth \ 132 -c_cert $CLIENT_PEM -client_auth \ 133 -cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve 134done 135fi 136 137#============================================================== 138# ECDH-RSA cipher suites require the server to have an ECC 139# certificate signed with RSA. 140CA_PEM=$CERTS_DIR/rsa1024TestCA.pem 141SERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem 142CLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem 143 144if [ "$1" = "ecdh-rsa" ]; then 145for cipher in $ECDH_RSA_CIPHER_LIST 146do 147 echo "Testing $cipher (with server authentication)" 148 $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 149 -cert $SERVER_PEM -server_auth \ 150 -cipher $cipher 151 152 echo "Testing $cipher (with server and client authentication)" 153 $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 154 -cert $SERVER_PEM -server_auth \ 155 -c_cert $CLIENT_PEM -client_auth \ 156 -cipher $cipher 157done 158fi 159 160#============================================================== 161# ECDHE-RSA cipher suites require the server to have an RSA cert. 162CA_PEM=$CERTS_DIR/rsa1024TestCA.pem 163SERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem 164CLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem 165 166if [ "$1" = "ecdhe-rsa" ]; then 167for cipher in $ECDHE_RSA_CIPHER_LIST 168do 169 echo "Testing $cipher (with server authentication)" 170 echo $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 171 -cert $SERVER_PEM -server_auth \ 172 -cipher $cipher -named_curve $DEFAULT_CURVE 173 $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 174 -cert $SERVER_PEM -server_auth \ 175 -cipher $cipher -named_curve $DEFAULT_CURVE 176 177 echo "Testing $cipher (with server and client authentication)" 178 $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 179 -cert $SERVER_PEM -server_auth \ 180 -c_cert $CLIENT_PEM -client_auth \ 181 -cipher $cipher -named_curve $DEFAULT_CURVE 182done 183fi 184#============================================================== 185 186 187 188 189